authorDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
committerDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
commitb0e69f719c1db2c19fcfba96f0dac9a5a2277350 (patch)
tree72d567a9bc3fb8adcfcbaa9baedc122d53071209 /lib
parentfe9c1406ede29d1f2b9969c75785beef87a4bf87 (diff)
downloadsrc-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.tar.gz
src-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.zip
Vendor import of BIND 9.6.1rc1
Notes
Notes: svn path=/vendor/bind9/dist/; revision=193141
Diffstat (limited to 'lib')
-rw-r--r--lib/Makefile.in6
-rw-r--r--lib/bind9/Makefile.in6
-rw-r--r--lib/bind9/api6
-rw-r--r--lib/bind9/check.c432
-rw-r--r--lib/bind9/getaddresses.c6
-rw-r--r--lib/bind9/include/Makefile.in6
-rw-r--r--lib/bind9/include/bind9/Makefile.in6
-rw-r--r--lib/bind9/include/bind9/check.h8
-rw-r--r--lib/bind9/include/bind9/getaddresses.h12
-rw-r--r--lib/bind9/include/bind9/version.h8
-rw-r--r--lib/bind9/version.c6
-rw-r--r--lib/dns/Makefile.in32
-rw-r--r--lib/dns/acache.c4
-rw-r--r--lib/dns/acl.c557
-rw-r--r--lib/dns/adb.c693
-rw-r--r--lib/dns/api6
-rw-r--r--lib/dns/byaddr.c6
-rw-r--r--lib/dns/cache.c127
-rw-r--r--lib/dns/callbacks.c6
-rw-r--r--lib/dns/compress.c6
-rw-r--r--lib/dns/db.c125
-rw-r--r--lib/dns/dbiterator.c6
-rw-r--r--lib/dns/dbtable.c6
-rw-r--r--lib/dns/diff.c130
-rw-r--r--lib/dns/dispatch.c190
-rw-r--r--lib/dns/dlz.c10
-rw-r--r--lib/dns/dnssec.c39
-rw-r--r--lib/dns/ds.c6
-rw-r--r--lib/dns/dst_api.c152
-rw-r--r--lib/dns/dst_internal.h85
-rw-r--r--lib/dns/dst_lib.c6
-rw-r--r--lib/dns/dst_openssl.h12
-rw-r--r--lib/dns/dst_parse.c59
-rw-r--r--lib/dns/dst_parse.h22
-rw-r--r--lib/dns/dst_result.c9
-rw-r--r--lib/dns/forward.c6
-rw-r--r--lib/dns/gen-unix.h8
-rw-r--r--lib/dns/gen.c46
-rw-r--r--lib/dns/gssapi_link.c178
-rw-r--r--lib/dns/gssapictx.c684
-rw-r--r--lib/dns/hmac_link.c337
-rw-r--r--lib/dns/include/Makefile.in6
-rw-r--r--lib/dns/include/dns/Makefile.in12
-rw-r--r--lib/dns/include/dns/acache.h6
-rw-r--r--lib/dns/include/dns/acl.h114
-rw-r--r--lib/dns/include/dns/adb.h19
-rw-r--r--lib/dns/include/dns/bit.h8
-rw-r--r--lib/dns/include/dns/byaddr.h16
-rw-r--r--lib/dns/include/dns/cache.h8
-rw-r--r--lib/dns/include/dns/callbacks.h8
-rw-r--r--lib/dns/include/dns/cert.h8
-rw-r--r--lib/dns/include/dns/compress.h12
-rw-r--r--lib/dns/include/dns/db.h210
-rw-r--r--lib/dns/include/dns/dbiterator.h8
-rw-r--r--lib/dns/include/dns/dbtable.h8
-rw-r--r--lib/dns/include/dns/diff.h31
-rw-r--r--lib/dns/include/dns/dispatch.h23
-rw-r--r--lib/dns/include/dns/dlz.h16
-rw-r--r--lib/dns/include/dns/dnssec.h8
-rw-r--r--lib/dns/include/dns/ds.h6
-rw-r--r--lib/dns/include/dns/events.h9
-rw-r--r--lib/dns/include/dns/fixedname.h8
-rw-r--r--lib/dns/include/dns/forward.h8
-rw-r--r--lib/dns/include/dns/iptable.h70
-rw-r--r--lib/dns/include/dns/journal.h26
-rw-r--r--lib/dns/include/dns/keyflags.h8
-rw-r--r--lib/dns/include/dns/keytable.h6
-rw-r--r--lib/dns/include/dns/keyvalues.h12
-rw-r--r--lib/dns/include/dns/lib.h8
-rw-r--r--lib/dns/include/dns/log.h11
-rw-r--r--lib/dns/include/dns/lookup.h12
-rw-r--r--lib/dns/include/dns/master.h39
-rw-r--r--lib/dns/include/dns/masterdump.h34
-rw-r--r--lib/dns/include/dns/message.h24
-rw-r--r--lib/dns/include/dns/name.h23
-rw-r--r--lib/dns/include/dns/ncache.h28
-rw-r--r--lib/dns/include/dns/nsec.h19
-rw-r--r--lib/dns/include/dns/nsec3.h194
-rw-r--r--lib/dns/include/dns/opcode.h8
-rw-r--r--lib/dns/include/dns/order.h8
-rw-r--r--lib/dns/include/dns/peer.h21
-rw-r--r--lib/dns/include/dns/portlist.h8
-rw-r--r--lib/dns/include/dns/rbt.h769
-rw-r--r--lib/dns/include/dns/rcode.h23
-rw-r--r--lib/dns/include/dns/rdata.h20
-rw-r--r--lib/dns/include/dns/rdataclass.h8
-rw-r--r--lib/dns/include/dns/rdatalist.h29
-rw-r--r--lib/dns/include/dns/rdataset.h68
-rw-r--r--lib/dns/include/dns/rdatasetiter.h8
-rw-r--r--lib/dns/include/dns/rdataslab.h19
-rw-r--r--lib/dns/include/dns/rdatatype.h11
-rw-r--r--lib/dns/include/dns/request.h18
-rw-r--r--lib/dns/include/dns/resolver.h50
-rw-r--r--lib/dns/include/dns/result.h11
-rw-r--r--lib/dns/include/dns/rootns.h8
-rw-r--r--lib/dns/include/dns/sdb.h12
-rw-r--r--lib/dns/include/dns/sdlz.h12
-rw-r--r--lib/dns/include/dns/secalg.h8
-rw-r--r--lib/dns/include/dns/secproto.h8
-rw-r--r--lib/dns/include/dns/soa.h8
-rw-r--r--lib/dns/include/dns/ssu.h58
-rw-r--r--lib/dns/include/dns/stats.h319
-rw-r--r--lib/dns/include/dns/tcpmsg.h8
-rw-r--r--lib/dns/include/dns/time.h8
-rw-r--r--lib/dns/include/dns/timer.h8
-rw-r--r--lib/dns/include/dns/tkey.h78
-rw-r--r--lib/dns/include/dns/tsig.h13
-rw-r--r--lib/dns/include/dns/ttl.h8
-rw-r--r--lib/dns/include/dns/types.h37
-rw-r--r--lib/dns/include/dns/validator.h20
-rw-r--r--lib/dns/include/dns/version.h8
-rw-r--r--lib/dns/include/dns/view.h103
-rw-r--r--lib/dns/include/dns/xfrin.h10
-rw-r--r--lib/dns/include/dns/zone.h224
-rw-r--r--lib/dns/include/dns/zonekey.h8
-rw-r--r--lib/dns/include/dns/zt.h8
-rw-r--r--lib/dns/include/dst/Makefile.in8
-rw-r--r--lib/dns/include/dst/dst.h36
-rw-r--r--lib/dns/include/dst/gssapi.h175
-rw-r--r--lib/dns/include/dst/lib.h8
-rw-r--r--lib/dns/include/dst/result.h11
-rw-r--r--lib/dns/iptable.c188
-rw-r--r--lib/dns/journal.c67
-rw-r--r--lib/dns/key.c6
-rw-r--r--lib/dns/keytable.c6
-rw-r--r--lib/dns/lib.c6
-rw-r--r--lib/dns/log.c11
-rw-r--r--lib/dns/lookup.c2
-rw-r--r--lib/dns/master.c101
-rw-r--r--lib/dns/masterdump.c35
-rw-r--r--lib/dns/message.c134
-rw-r--r--lib/dns/name.c36
-rw-r--r--lib/dns/ncache.c217
-rw-r--r--lib/dns/nsec.c69
-rw-r--r--lib/dns/nsec3.c1377
-rw-r--r--lib/dns/openssl_link.c246
-rw-r--r--lib/dns/openssldh_link.c58
-rw-r--r--lib/dns/openssldsa_link.c205
-rw-r--r--lib/dns/opensslrsa_link.c525
-rw-r--r--lib/dns/order.c6
-rw-r--r--lib/dns/peer.c63
-rw-r--r--lib/dns/portlist.c6
-rw-r--r--lib/dns/rbt.c213
-rw-r--r--lib/dns/rbtdb.c2651
-rw-r--r--lib/dns/rbtdb.h6
-rw-r--r--lib/dns/rbtdb64.c6
-rw-r--r--lib/dns/rbtdb64.h6
-rw-r--r--lib/dns/rcode.c27
-rw-r--r--lib/dns/rdata.c57
-rw-r--r--lib/dns/rdata/any_255/tsig_250.c6
-rw-r--r--lib/dns/rdata/any_255/tsig_250.h6
-rw-r--r--lib/dns/rdata/ch_3/a_1.c6
-rw-r--r--lib/dns/rdata/ch_3/a_1.h6
-rw-r--r--lib/dns/rdata/generic/afsdb_18.c6
-rw-r--r--lib/dns/rdata/generic/afsdb_18.h6
-rw-r--r--lib/dns/rdata/generic/cert_37.c6
-rw-r--r--lib/dns/rdata/generic/cert_37.h6
-rw-r--r--lib/dns/rdata/generic/cname_5.c6
-rw-r--r--lib/dns/rdata/generic/cname_5.h6
-rw-r--r--lib/dns/rdata/generic/dlv_32769.c2
-rw-r--r--lib/dns/rdata/generic/dlv_32769.h6
-rw-r--r--lib/dns/rdata/generic/dname_39.c6
-rw-r--r--lib/dns/rdata/generic/dname_39.h6
-rw-r--r--lib/dns/rdata/generic/dnskey_48.c6
-rw-r--r--lib/dns/rdata/generic/dnskey_48.h6
-rw-r--r--lib/dns/rdata/generic/ds_43.c2
-rw-r--r--lib/dns/rdata/generic/ds_43.h6
-rw-r--r--lib/dns/rdata/generic/gpos_27.c6
-rw-r--r--lib/dns/rdata/generic/gpos_27.h6
-rw-r--r--lib/dns/rdata/generic/hinfo_13.c6
-rw-r--r--lib/dns/rdata/generic/hinfo_13.h6
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c22
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.h6
-rw-r--r--lib/dns/rdata/generic/isdn_20.c6
-rw-r--r--lib/dns/rdata/generic/isdn_20.h6
-rw-r--r--lib/dns/rdata/generic/key_25.c6
-rw-r--r--lib/dns/rdata/generic/key_25.h6
-rw-r--r--lib/dns/rdata/generic/loc_29.c13
-rw-r--r--lib/dns/rdata/generic/loc_29.h6
-rw-r--r--lib/dns/rdata/generic/mb_7.c6
-rw-r--r--lib/dns/rdata/generic/mb_7.h6
-rw-r--r--lib/dns/rdata/generic/md_3.c6
-rw-r--r--lib/dns/rdata/generic/md_3.h6
-rw-r--r--lib/dns/rdata/generic/mf_4.c6
-rw-r--r--lib/dns/rdata/generic/mf_4.h6
-rw-r--r--lib/dns/rdata/generic/mg_8.c6
-rw-r--r--lib/dns/rdata/generic/mg_8.h6
-rw-r--r--lib/dns/rdata/generic/minfo_14.c6
-rw-r--r--lib/dns/rdata/generic/minfo_14.h6
-rw-r--r--lib/dns/rdata/generic/mr_9.c6
-rw-r--r--lib/dns/rdata/generic/mr_9.h6
-rw-r--r--lib/dns/rdata/generic/mx_15.c6
-rw-r--r--lib/dns/rdata/generic/mx_15.h6
-rw-r--r--lib/dns/rdata/generic/ns_2.c6
-rw-r--r--lib/dns/rdata/generic/ns_2.h6
-rw-r--r--lib/dns/rdata/generic/nsec3_50.c481
-rw-r--r--lib/dns/rdata/generic/nsec3_50.h93
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.c314
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.h38
-rw-r--r--lib/dns/rdata/generic/nsec_47.c4
-rw-r--r--lib/dns/rdata/generic/nsec_47.h4
-rw-r--r--lib/dns/rdata/generic/null_10.c6
-rw-r--r--lib/dns/rdata/generic/null_10.h6
-rw-r--r--lib/dns/rdata/generic/nxt_30.c6
-rw-r--r--lib/dns/rdata/generic/nxt_30.h6
-rw-r--r--lib/dns/rdata/generic/opt_41.c6
-rw-r--r--lib/dns/rdata/generic/opt_41.h6
-rw-r--r--lib/dns/rdata/generic/proforma.c6
-rw-r--r--lib/dns/rdata/generic/proforma.h6
-rw-r--r--lib/dns/rdata/generic/ptr_12.c6
-rw-r--r--lib/dns/rdata/generic/ptr_12.h6
-rw-r--r--lib/dns/rdata/generic/rp_17.c6
-rw-r--r--lib/dns/rdata/generic/rp_17.h6
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c6
-rw-r--r--lib/dns/rdata/generic/rrsig_46.h6
-rw-r--r--lib/dns/rdata/generic/rt_21.c6
-rw-r--r--lib/dns/rdata/generic/rt_21.h6
-rw-r--r--lib/dns/rdata/generic/sig_24.c6
-rw-r--r--lib/dns/rdata/generic/sig_24.h6
-rw-r--r--lib/dns/rdata/generic/soa_6.c35
-rw-r--r--lib/dns/rdata/generic/soa_6.h6
-rw-r--r--lib/dns/rdata/generic/spf_99.c6
-rw-r--r--lib/dns/rdata/generic/spf_99.h6
-rw-r--r--lib/dns/rdata/generic/sshfp_44.c6
-rw-r--r--lib/dns/rdata/generic/sshfp_44.h6
-rw-r--r--lib/dns/rdata/generic/tkey_249.c6
-rw-r--r--lib/dns/rdata/generic/tkey_249.h6
-rw-r--r--lib/dns/rdata/generic/txt_16.c4
-rw-r--r--lib/dns/rdata/generic/txt_16.h6
-rw-r--r--lib/dns/rdata/generic/unspec_103.c6
-rw-r--r--lib/dns/rdata/generic/unspec_103.h6
-rw-r--r--lib/dns/rdata/generic/x25_19.c6
-rw-r--r--lib/dns/rdata/generic/x25_19.h6
-rw-r--r--lib/dns/rdata/hs_4/a_1.c6
-rw-r--r--lib/dns/rdata/hs_4/a_1.h6
-rw-r--r--lib/dns/rdata/in_1/a6_38.c6
-rw-r--r--lib/dns/rdata/in_1/a6_38.h6
-rw-r--r--lib/dns/rdata/in_1/a_1.c6
-rw-r--r--lib/dns/rdata/in_1/a_1.h6
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.c6
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.h6
-rw-r--r--lib/dns/rdata/in_1/apl_42.c4
-rw-r--r--lib/dns/rdata/in_1/apl_42.h6
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.c229
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.h30
-rw-r--r--lib/dns/rdata/in_1/kx_36.c6
-rw-r--r--lib/dns/rdata/in_1/kx_36.h6
-rw-r--r--lib/dns/rdata/in_1/naptr_35.c4
-rw-r--r--lib/dns/rdata/in_1/naptr_35.h6
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.c6
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.h6
-rw-r--r--lib/dns/rdata/in_1/nsap_22.c6
-rw-r--r--lib/dns/rdata/in_1/nsap_22.h6
-rw-r--r--lib/dns/rdata/in_1/px_26.c6
-rw-r--r--lib/dns/rdata/in_1/px_26.h6
-rw-r--r--lib/dns/rdata/in_1/srv_33.c6
-rw-r--r--lib/dns/rdata/in_1/srv_33.h6
-rw-r--r--lib/dns/rdata/in_1/wks_11.c10
-rw-r--r--lib/dns/rdata/in_1/wks_11.h6
-rw-r--r--lib/dns/rdata/rdatastructpre.h6
-rw-r--r--lib/dns/rdata/rdatastructsuf.h6
-rw-r--r--lib/dns/rdatalist.c172
-rw-r--r--lib/dns/rdatalist_p.h15
-rw-r--r--lib/dns/rdataset.c43
-rw-r--r--lib/dns/rdatasetiter.c6
-rw-r--r--lib/dns/rdataslab.c111
-rw-r--r--lib/dns/request.c8
-rw-r--r--lib/dns/resolver.c993
-rw-r--r--lib/dns/result.c9
-rw-r--r--lib/dns/rootns.c11
-rw-r--r--lib/dns/sdb.c28
-rw-r--r--lib/dns/sdlz.c34
-rw-r--r--lib/dns/soa.c6
-rw-r--r--lib/dns/spnego.asn152
-rw-r--r--lib/dns/spnego.c1792
-rw-r--r--lib/dns/spnego.h71
-rw-r--r--lib/dns/spnego_asn1.c885
-rwxr-xr-xlib/dns/spnego_asn1.pl200
-rw-r--r--lib/dns/ssu.c220
-rw-r--r--lib/dns/stats.c353
-rw-r--r--lib/dns/tcpmsg.c6
-rw-r--r--lib/dns/time.c8
-rw-r--r--lib/dns/timer.c6
-rw-r--r--lib/dns/tkey.c337
-rw-r--r--lib/dns/tsig.c157
-rw-r--r--lib/dns/ttl.c6
-rw-r--r--lib/dns/validator.c770
-rw-r--r--lib/dns/version.c6
-rw-r--r--lib/dns/view.c118
-rw-r--r--lib/dns/xfrin.c57
-rw-r--r--lib/dns/zone.c3742
-rw-r--r--lib/dns/zonekey.c6
-rw-r--r--lib/dns/zt.c9
-rw-r--r--lib/isc/Makefile.in34
-rw-r--r--lib/isc/alpha/Makefile.in2
-rw-r--r--lib/isc/alpha/include/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/atomic.h42
-rw-r--r--lib/isc/api6
-rw-r--r--lib/isc/assertions.c4
-rw-r--r--lib/isc/base32.c371
-rw-r--r--lib/isc/base64.c6
-rw-r--r--lib/isc/bitstring.c6
-rw-r--r--lib/isc/buffer.c84
-rw-r--r--lib/isc/bufferlist.c6
-rw-r--r--lib/isc/commandline.c11
-rw-r--r--lib/isc/entropy.c21
-rw-r--r--lib/isc/error.c6
-rw-r--r--lib/isc/event.c6
-rw-r--r--lib/isc/fsaccess.c6
-rw-r--r--lib/isc/hash.c12
-rw-r--r--lib/isc/heap.c18
-rw-r--r--lib/isc/hex.c10
-rw-r--r--lib/isc/hmacmd5.c6
-rw-r--r--lib/isc/hmacsha.c2
-rw-r--r--lib/isc/httpd.c987
-rw-r--r--lib/isc/ia64/Makefile.in2
-rw-r--r--lib/isc/ia64/include/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/atomic.h24
-rw-r--r--lib/isc/include/Makefile.in6
-rw-r--r--lib/isc/include/isc/Makefile.in20
-rw-r--r--lib/isc/include/isc/app.h8
-rw-r--r--lib/isc/include/isc/assertions.h6
-rw-r--r--lib/isc/include/isc/base32.h128
-rw-r--r--lib/isc/include/isc/base64.h8
-rw-r--r--lib/isc/include/isc/bitstring.h8
-rw-r--r--lib/isc/include/isc/boolean.h8
-rw-r--r--lib/isc/include/isc/buffer.h107
-rw-r--r--lib/isc/include/isc/bufferlist.h8
-rw-r--r--lib/isc/include/isc/commandline.h8
-rw-r--r--lib/isc/include/isc/entropy.h31
-rw-r--r--lib/isc/include/isc/error.h8
-rw-r--r--lib/isc/include/isc/event.h8
-rw-r--r--lib/isc/include/isc/eventclass.h6
-rw-r--r--lib/isc/include/isc/file.h12
-rw-r--r--lib/isc/include/isc/formatcheck.h8
-rw-r--r--lib/isc/include/isc/fsaccess.h25
-rw-r--r--lib/isc/include/isc/hash.h12
-rw-r--r--lib/isc/include/isc/heap.h10
-rw-r--r--lib/isc/include/isc/hex.h10
-rw-r--r--lib/isc/include/isc/hmacmd5.h8
-rw-r--r--lib/isc/include/isc/hmacsha.h8
-rw-r--r--lib/isc/include/isc/httpd.h64
-rw-r--r--lib/isc/include/isc/interfaceiter.h8
-rw-r--r--lib/isc/include/isc/ipv6.h6
-rw-r--r--lib/isc/include/isc/iterated_hash.h47
-rw-r--r--lib/isc/include/isc/lang.h8
-rw-r--r--lib/isc/include/isc/lex.h4
-rw-r--r--lib/isc/include/isc/lfsr.h8
-rw-r--r--lib/isc/include/isc/lib.h8
-rw-r--r--lib/isc/include/isc/list.h6
-rw-r--r--lib/isc/include/isc/log.h29
-rw-r--r--lib/isc/include/isc/magic.h8
-rw-r--r--lib/isc/include/isc/md5.h8
-rw-r--r--lib/isc/include/isc/mem.h84
-rw-r--r--lib/isc/include/isc/msgcat.h6
-rw-r--r--lib/isc/include/isc/msgs.h6
-rw-r--r--lib/isc/include/isc/mutexblock.h8
-rw-r--r--lib/isc/include/isc/netaddr.h21
-rw-r--r--lib/isc/include/isc/netscope.h8
-rw-r--r--lib/isc/include/isc/ondestroy.h8
-rw-r--r--lib/isc/include/isc/os.h8
-rw-r--r--lib/isc/include/isc/parseint.h8
-rw-r--r--lib/isc/include/isc/platform.h.in130
-rw-r--r--lib/isc/include/isc/portset.h6
-rw-r--r--lib/isc/include/isc/print.h8
-rw-r--r--lib/isc/include/isc/quota.h6
-rw-r--r--lib/isc/include/isc/radix.h240
-rw-r--r--lib/isc/include/isc/random.h10
-rw-r--r--lib/isc/include/isc/ratelimiter.h14
-rw-r--r--lib/isc/include/isc/refcount.h8
-rw-r--r--lib/isc/include/isc/region.h8
-rw-r--r--lib/isc/include/isc/resource.h6
-rw-r--r--lib/isc/include/isc/result.h11
-rw-r--r--lib/isc/include/isc/resultclass.h8
-rw-r--r--lib/isc/include/isc/rwlock.h8
-rw-r--r--lib/isc/include/isc/serial.h10
-rw-r--r--lib/isc/include/isc/sha1.h8
-rw-r--r--lib/isc/include/isc/sha2.h6
-rw-r--r--lib/isc/include/isc/sockaddr.h11
-rw-r--r--lib/isc/include/isc/socket.h183
-rw-r--r--lib/isc/include/isc/stats.h121
-rw-r--r--lib/isc/include/isc/stdio.h8
-rw-r--r--lib/isc/include/isc/stdlib.h8
-rw-r--r--lib/isc/include/isc/string.h6
-rw-r--r--lib/isc/include/isc/symtab.h10
-rw-r--r--lib/isc/include/isc/task.h26
-rw-r--r--lib/isc/include/isc/taskpool.h8
-rw-r--r--lib/isc/include/isc/timer.h6
-rw-r--r--lib/isc/include/isc/types.h26
-rw-r--r--lib/isc/include/isc/util.h8
-rw-r--r--lib/isc/include/isc/version.h8
-rw-r--r--lib/isc/include/isc/xml.h41
-rw-r--r--lib/isc/inet_aton.c14
-rw-r--r--lib/isc/inet_ntop.c6
-rw-r--r--lib/isc/inet_pton.c6
-rw-r--r--lib/isc/iterated_hash.c48
-rw-r--r--lib/isc/lex.c12
-rw-r--r--lib/isc/lfsr.c6
-rw-r--r--lib/isc/lib.c6
-rw-r--r--lib/isc/log.c29
-rw-r--r--lib/isc/md5.c6
-rw-r--r--lib/isc/mem.c254
-rw-r--r--lib/isc/mips/Makefile.in2
-rw-r--r--lib/isc/mips/include/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/atomic.h6
-rw-r--r--lib/isc/mutexblock.c6
-rw-r--r--lib/isc/netaddr.c8
-rw-r--r--lib/isc/netscope.c6
-rw-r--r--lib/isc/nls/Makefile.in6
-rw-r--r--lib/isc/nls/msgcat.c6
-rw-r--r--lib/isc/noatomic/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/atomic.h6
-rw-r--r--lib/isc/nothreads/Makefile.in6
-rw-r--r--lib/isc/nothreads/condition.c6
-rw-r--r--lib/isc/nothreads/include/Makefile.in6
-rw-r--r--lib/isc/nothreads/include/isc/Makefile.in6
-rw-r--r--lib/isc/nothreads/include/isc/condition.h6
-rw-r--r--lib/isc/nothreads/include/isc/mutex.h6
-rw-r--r--lib/isc/nothreads/include/isc/once.h6
-rw-r--r--lib/isc/nothreads/include/isc/thread.h6
-rw-r--r--lib/isc/nothreads/mutex.c6
-rw-r--r--lib/isc/nothreads/thread.c6
-rw-r--r--lib/isc/ondestroy.c6
-rw-r--r--lib/isc/parseint.c6
-rw-r--r--lib/isc/portset.c2
-rw-r--r--lib/isc/powerpc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/atomic.h2
-rw-r--r--lib/isc/print.c4
-rw-r--r--lib/isc/pthreads/Makefile.in6
-rw-r--r--lib/isc/pthreads/condition.c6
-rw-r--r--lib/isc/pthreads/include/Makefile.in6
-rw-r--r--lib/isc/pthreads/include/isc/Makefile.in6
-rw-r--r--lib/isc/pthreads/include/isc/condition.h6
-rw-r--r--lib/isc/pthreads/include/isc/mutex.h6
-rw-r--r--lib/isc/pthreads/include/isc/once.h6
-rw-r--r--lib/isc/pthreads/include/isc/thread.h6
-rw-r--r--lib/isc/pthreads/mutex.c4
-rw-r--r--lib/isc/pthreads/thread.c6
-rw-r--r--lib/isc/quota.c6
-rw-r--r--lib/isc/radix.c706
-rw-r--r--lib/isc/random.c6
-rw-r--r--lib/isc/ratelimiter.c6
-rw-r--r--lib/isc/refcount.c6
-rw-r--r--lib/isc/region.c6
-rw-r--r--lib/isc/result.c9
-rw-r--r--lib/isc/rwlock.c26
-rw-r--r--lib/isc/serial.c6
-rw-r--r--lib/isc/sha1.c6
-rw-r--r--lib/isc/sha2.c44
-rw-r--r--lib/isc/sockaddr.c6
-rw-r--r--lib/isc/sparc64/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/atomic.h6
-rw-r--r--lib/isc/stats.c326
-rw-r--r--lib/isc/string.c6
-rw-r--r--lib/isc/strtoul.c6
-rw-r--r--lib/isc/symtab.c6
-rw-r--r--lib/isc/task.c124
-rw-r--r--lib/isc/task_p.h6
-rw-r--r--lib/isc/taskpool.c7
-rw-r--r--lib/isc/timer.c11
-rw-r--r--lib/isc/timer_p.h6
-rw-r--r--lib/isc/unix/Makefile.in6
-rw-r--r--lib/isc/unix/app.c4
-rw-r--r--lib/isc/unix/dir.c14
-rw-r--r--lib/isc/unix/entropy.c29
-rw-r--r--lib/isc/unix/errno2result.c6
-rw-r--r--lib/isc/unix/errno2result.h6
-rw-r--r--lib/isc/unix/file.c21
-rw-r--r--lib/isc/unix/fsaccess.c6
-rw-r--r--lib/isc/unix/ifiter_getifaddrs.c59
-rw-r--r--lib/isc/unix/ifiter_ioctl.c166
-rw-r--r--lib/isc/unix/ifiter_sysctl.c6
-rw-r--r--lib/isc/unix/include/Makefile.in6
-rw-r--r--lib/isc/unix/include/isc/Makefile.in6
-rw-r--r--lib/isc/unix/include/isc/dir.h6
-rw-r--r--lib/isc/unix/include/isc/int.h6
-rw-r--r--lib/isc/unix/include/isc/keyboard.h6
-rw-r--r--lib/isc/unix/include/isc/net.h7
-rw-r--r--lib/isc/unix/include/isc/netdb.h6
-rw-r--r--lib/isc/unix/include/isc/offset.h7
-rw-r--r--lib/isc/unix/include/isc/stat.h6
-rw-r--r--lib/isc/unix/include/isc/stdtime.h6
-rw-r--r--lib/isc/unix/include/isc/strerror.h8
-rw-r--r--lib/isc/unix/include/isc/syslog.h6
-rw-r--r--lib/isc/unix/include/isc/time.h50
-rw-r--r--lib/isc/unix/interfaceiter.c96
-rw-r--r--lib/isc/unix/ipv6.c6
-rw-r--r--lib/isc/unix/keyboard.c6
-rw-r--r--lib/isc/unix/net.c2
-rw-r--r--lib/isc/unix/os.c6
-rw-r--r--lib/isc/unix/resource.c10
-rw-r--r--lib/isc/unix/socket.c686
-rw-r--r--lib/isc/unix/socket_p.h4
-rw-r--r--lib/isc/unix/stdio.c6
-rw-r--r--lib/isc/unix/stdtime.c6
-rw-r--r--lib/isc/unix/strerror.c10
-rw-r--r--lib/isc/unix/syslog.c2
-rw-r--r--lib/isc/unix/time.c28
-rw-r--r--lib/isc/version.c6
-rw-r--r--lib/isc/x86_32/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/atomic.h32
-rw-r--r--lib/isc/x86_64/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/atomic.h34
-rw-r--r--lib/isccc/Makefile.in6
-rw-r--r--lib/isccc/alist.c19
-rw-r--r--lib/isccc/api4
-rw-r--r--lib/isccc/base64.c19
-rw-r--r--lib/isccc/cc.c19
-rw-r--r--lib/isccc/ccmsg.c19
-rw-r--r--lib/isccc/include/Makefile.in6
-rw-r--r--lib/isccc/include/isccc/Makefile.in6
-rw-r--r--lib/isccc/include/isccc/alist.h21
-rw-r--r--lib/isccc/include/isccc/base64.h21
-rw-r--r--lib/isccc/include/isccc/cc.h21
-rw-r--r--lib/isccc/include/isccc/ccmsg.h21
-rw-r--r--lib/isccc/include/isccc/events.h21
-rw-r--r--lib/isccc/include/isccc/lib.h21
-rw-r--r--lib/isccc/include/isccc/result.h21
-rw-r--r--lib/isccc/include/isccc/sexpr.h21
-rw-r--r--lib/isccc/include/isccc/symtab.h21
-rw-r--r--lib/isccc/include/isccc/symtype.h21
-rw-r--r--lib/isccc/include/isccc/types.h21
-rw-r--r--lib/isccc/include/isccc/util.h21
-rw-r--r--lib/isccc/include/isccc/version.h8
-rw-r--r--lib/isccc/lib.c19
-rw-r--r--lib/isccc/result.c19
-rw-r--r--lib/isccc/sexpr.c19
-rw-r--r--lib/isccc/symtab.c15
-rw-r--r--lib/isccc/version.c6
-rw-r--r--lib/isccfg/Makefile.in6
-rw-r--r--lib/isccfg/aclconf.c289
-rw-r--r--lib/isccfg/api4
-rw-r--r--lib/isccfg/include/Makefile.in6
-rw-r--r--lib/isccfg/include/isccfg/Makefile.in6
-rw-r--r--lib/isccfg/include/isccfg/aclconf.h8
-rw-r--r--lib/isccfg/include/isccfg/cfg.h16
-rw-r--r--lib/isccfg/include/isccfg/grammar.h16
-rw-r--r--lib/isccfg/include/isccfg/log.h10
-rw-r--r--lib/isccfg/include/isccfg/namedconf.h8
-rw-r--r--lib/isccfg/include/isccfg/version.h8
-rw-r--r--lib/isccfg/log.c10
-rw-r--r--lib/isccfg/namedconf.c245
-rw-r--r--lib/isccfg/parser.c82
-rw-r--r--lib/isccfg/version.c6
-rw-r--r--lib/lwres/Makefile.in6
-rw-r--r--lib/lwres/api4
-rw-r--r--lib/lwres/assert_p.h6
-rw-r--r--lib/lwres/context.c30
-rw-r--r--lib/lwres/context_p.h8
-rw-r--r--lib/lwres/gai_strerror.c6
-rw-r--r--lib/lwres/getaddrinfo.c54
-rw-r--r--lib/lwres/gethost.c6
-rw-r--r--lib/lwres/getipnode.c2
-rw-r--r--lib/lwres/getnameinfo.c6
-rw-r--r--lib/lwres/getrrset.c6
-rw-r--r--lib/lwres/herror.c6
-rw-r--r--lib/lwres/include/Makefile.in6
-rw-r--r--lib/lwres/include/lwres/Makefile.in6
-rw-r--r--lib/lwres/include/lwres/context.h15
-rw-r--r--lib/lwres/include/lwres/int.h8
-rw-r--r--lib/lwres/include/lwres/ipv6.h8
-rw-r--r--lib/lwres/include/lwres/lang.h8
-rw-r--r--lib/lwres/include/lwres/list.h8
-rw-r--r--lib/lwres/include/lwres/lwbuffer.h8
-rw-r--r--lib/lwres/include/lwres/lwpacket.h8
-rw-r--r--lib/lwres/include/lwres/lwres.h8
-rw-r--r--lib/lwres/include/lwres/netdb.h.in8
-rw-r--r--lib/lwres/include/lwres/platform.h.in6
-rw-r--r--lib/lwres/include/lwres/result.h8
-rw-r--r--lib/lwres/include/lwres/stdlib.h8
-rw-r--r--lib/lwres/include/lwres/version.h8
-rw-r--r--lib/lwres/lwbuffer.c6
-rw-r--r--lib/lwres/lwconfig.c31
-rw-r--r--lib/lwres/lwinetaton.c6
-rw-r--r--lib/lwres/lwinetntop.c6
-rw-r--r--lib/lwres/lwinetpton.c6
-rw-r--r--lib/lwres/lwpacket.c6
-rw-r--r--lib/lwres/lwres_gabn.c6
-rw-r--r--lib/lwres/lwres_gnba.c2
-rw-r--r--lib/lwres/lwres_grbn.c6
-rw-r--r--lib/lwres/lwres_noop.c6
-rw-r--r--lib/lwres/lwresutil.c6
-rw-r--r--lib/lwres/man/Makefile.in6
-rw-r--r--lib/lwres/man/lwres.32
-rw-r--r--lib/lwres/man/lwres.docbook2
-rw-r--r--lib/lwres/man/lwres.html2
-rw-r--r--lib/lwres/man/lwres_buffer.32
-rw-r--r--lib/lwres/man/lwres_buffer.docbook2
-rw-r--r--lib/lwres/man/lwres_buffer.html2
-rw-r--r--lib/lwres/man/lwres_config.32
-rw-r--r--lib/lwres/man/lwres_config.docbook2
-rw-r--r--lib/lwres/man/lwres_config.html2
-rw-r--r--lib/lwres/man/lwres_context.32
-rw-r--r--lib/lwres/man/lwres_context.docbook2
-rw-r--r--lib/lwres/man/lwres_context.html2
-rw-r--r--lib/lwres/man/lwres_gabn.32
-rw-r--r--lib/lwres/man/lwres_gabn.docbook2
-rw-r--r--lib/lwres/man/lwres_gabn.html2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.32
-rw-r--r--lib/lwres/man/lwres_gai_strerror.docbook2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.html2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.32
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.html2
-rw-r--r--lib/lwres/man/lwres_gethostent.32
-rw-r--r--lib/lwres/man/lwres_gethostent.docbook2
-rw-r--r--lib/lwres/man/lwres_gethostent.html2
-rw-r--r--lib/lwres/man/lwres_getipnode.32
-rw-r--r--lib/lwres/man/lwres_getipnode.docbook2
-rw-r--r--lib/lwres/man/lwres_getipnode.html2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.32
-rw-r--r--lib/lwres/man/lwres_getnameinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.html2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.32
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.docbook2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.html2
-rw-r--r--lib/lwres/man/lwres_gnba.32
-rw-r--r--lib/lwres/man/lwres_gnba.docbook2
-rw-r--r--lib/lwres/man/lwres_gnba.html2
-rw-r--r--lib/lwres/man/lwres_hstrerror.32
-rw-r--r--lib/lwres/man/lwres_hstrerror.docbook2
-rw-r--r--lib/lwres/man/lwres_hstrerror.html2
-rw-r--r--lib/lwres/man/lwres_inetntop.32
-rw-r--r--lib/lwres/man/lwres_inetntop.docbook2
-rw-r--r--lib/lwres/man/lwres_inetntop.html2
-rw-r--r--lib/lwres/man/lwres_noop.32
-rw-r--r--lib/lwres/man/lwres_noop.docbook2
-rw-r--r--lib/lwres/man/lwres_noop.html2
-rw-r--r--lib/lwres/man/lwres_packet.32
-rw-r--r--lib/lwres/man/lwres_packet.docbook2
-rw-r--r--lib/lwres/man/lwres_packet.html2
-rw-r--r--lib/lwres/man/lwres_resutil.32
-rw-r--r--lib/lwres/man/lwres_resutil.docbook2
-rw-r--r--lib/lwres/man/lwres_resutil.html2
-rw-r--r--lib/lwres/print.c6
-rw-r--r--lib/lwres/print_p.h6
-rw-r--r--lib/lwres/strtoul.c6
-rw-r--r--lib/lwres/unix/Makefile.in6
-rw-r--r--lib/lwres/unix/include/Makefile.in6
-rw-r--r--lib/lwres/unix/include/lwres/Makefile.in6
-rw-r--r--lib/lwres/unix/include/lwres/net.h6
-rw-r--r--lib/lwres/version.c6
655 files changed, 28627 insertions, 5661 deletions
diff --git a/lib/Makefile.in b/lib/Makefile.in
index e8be2945ca31..e46aef26d093 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.19 2004/03/05 05:05:00 marka Exp $
+# $Id: Makefile.in,v 1.21 2007/06/19 23:47:13 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
index 270e9ae67d45..7c1e5b0b9d17 100644
--- a/lib/bind9/Makefile.in
+++ b/lib/bind9/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4.18.5 2004/12/10 00:11:50 marka Exp $
+# $Id: Makefile.in,v 1.11 2007/06/19 23:47:16 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind9/api b/lib/bind9/api
index 3a74aee14444..39934b4fbd2c 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 31
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 50
+LIBREVISION = 2
+LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 2967650ef055..800cbf9bcdb3 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.44.18.41 2008/03/29 23:46:10 tbox Exp $ */
+/* $Id: check.c,v 1.95.12.3 2009/02/17 03:43:07 marka Exp $ */
/*! \file */
@@ -46,10 +46,6 @@
#include <bind9/check.h>
-#ifndef DNS_RDATASET_FIXED
-#define DNS_RDATASET_FIXED 1
-#endif
-
static void
freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
UNUSED(type);
@@ -128,7 +124,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
#if !DNS_RDATASET_FIXED
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "rrset-order: order 'fixed' not fully implemented");
+ "rrset-order: order 'fixed' was disabled at "
+ "compilation time");
#endif
} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
@@ -390,7 +387,8 @@ checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
}
if (aclobj == NULL)
return (ISC_R_SUCCESS);
- result = cfg_acl_fromconfig(aclobj, config, logctx, actx, mctx, &acl);
+ result = cfg_acl_fromconfig(aclobj, config, logctx,
+ actx, mctx, 0, &acl);
if (acl != NULL)
dns_acl_detach(&acl);
return (result);
@@ -403,9 +401,10 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
isc_result_t result = ISC_R_SUCCESS, tresult;
int i = 0;
- static const char *acls[] = { "allow-query", "allow-query-cache",
- "allow-recursion", "blackhole", "match-clients",
- "match-destinations", "sortlist", NULL };
+ static const char *acls[] = { "allow-query", "allow-query-on",
+ "allow-query-cache", "allow-query-cache-on",
+ "blackhole", "match-clients", "match-destinations",
+ "sortlist", NULL };
while (acls[i] != NULL) {
tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -416,6 +415,81 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+ const char *viewname, const cfg_obj_t *config,
+ isc_log_t *logctx, isc_mem_t *mctx)
+{
+ const cfg_obj_t *options, *aclobj, *obj = NULL;
+ dns_acl_t *acl = NULL;
+ isc_result_t result = ISC_R_SUCCESS, tresult;
+ isc_boolean_t recursion;
+ const char *forview = " for view ";
+ int i = 0;
+
+ static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+ NULL };
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, "recursion", &obj);
+ if (obj == NULL && config != NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, "recursion", &obj);
+ }
+ if (obj == NULL)
+ recursion = ISC_TRUE;
+ else
+ recursion = cfg_obj_asboolean(obj);
+
+ if (viewname == NULL) {
+ viewname = "";
+ forview = "";
+ }
+
+ for (i = 0; acls[i] != NULL; i++) {
+ aclobj = options = NULL;
+ acl = NULL;
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, acls[i], &aclobj);
+ if (config != NULL && aclobj == NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, acls[i], &aclobj);
+ }
+ if (aclobj == NULL)
+ continue;
+
+ tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+ actx, mctx, 0, &acl);
+
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
+ if (acl == NULL)
+ continue;
+
+ if (recursion == ISC_FALSE && !dns_acl_isnone(acl)) {
+ cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+ "both \"recursion no;\" and "
+ "\"%s\" active%s%s",
+ acls[i], forview, viewname);
+ }
+
+ if (acl != NULL)
+ dns_acl_detach(&acl);
+ }
+
+ return (result);
+}
+
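Review bot: The `if (acl != NULL)` guard in front of `dns_acl_detach(&acl)` at the end of the loop body is dead: the loop already executes `if (acl == NULL) continue;` a few lines earlier, so `acl` is always non-NULL at that point and the call can simply be `dns_acl_detach(&acl);`. In the same spirit, `int i = 0;` in the declarations is immediately overwritten by the `for (i = 0; ...)` initializer and can be a plain `int i;`. Neither changes behavior, but the redundant NULL check reads as if a NULL acl could reach the detach, which the earlier guard rules out. The recursion/ACL mismatch is reported as a warning only, which looks intentional since the check cannot know how the server treats the ACL when recursion is off; a one-line comment saying so above the `cfg_obj_log` would spare the next reader from wondering why it is not an error.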
typedef struct {
const char *name;
unsigned int scale;
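Review bot: The guard `if (acl != NULL)` before `dns_acl_detach(&acl);` near the end of the loop in check_recursionacls is dead, because the `if (acl == NULL) continue;` a few lines earlier already skips the rest of the iteration; a plain `dns_acl_detach(&acl);` says what actually happens. The same function also initializes `i` twice (`int i = 0;` in the declarations and again in the `for` header); one of the two is enough. The warning itself is a useful lint, since an `allow-recursion` that is not `none` under `recursion no;` is a sign the operator's intent and the effective policy have diverged, so it would be worth saying in the header comment that the check is advisory only and never changes `result` on its own.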
@@ -428,6 +502,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_result_t tresult;
unsigned int i;
const cfg_obj_t *obj = NULL;
+ const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
dns_fixedname_t fixed;
@@ -443,7 +518,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
{ "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
- { "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */
{ "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
};
@@ -471,6 +545,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
result = ISC_R_RANGE;
}
}
+
+ obj = NULL;
+ cfg_map_get(options, "sig-validity-interval", &obj);
+ if (obj != NULL) {
+ isc_uint32_t validity, resign = 0;
+
+ validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
+ resignobj = cfg_tuple_get(obj, "re-sign");
+ if (!cfg_obj_isvoid(resignobj))
+ resign = cfg_obj_asuint32(resignobj);
+
+ if (validity > 3660 || validity == 0) { /* 10 years */
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "%s '%u' is out of range (1..3660)",
+ "sig-validity-interval", validity);
+ result = ISC_R_RANGE;
+ }
+
+ if (!cfg_obj_isvoid(resignobj)) {
+ if (resign > 3660 || resign == 0) { /* 10 years */
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "%s '%u' is out of range (1..3660)",
+ "sig-validity-interval (re-sign)",
+ validity);
+ result = ISC_R_RANGE;
+ } else if ((validity > 7 && validity < resign) ||
+ (validity <= 7 && validity * 24 < resign)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "validity interval (%u days) "
+ "less than re-signing interval "
+ "(%u %s)", validity, resign,
+ (validity > 7) ? "days" : "hours");
+ result = ISC_R_RANGE;
+ }
+ }
+ }
+
obj = NULL;
(void)cfg_map_get(options, "preferred-glue", &obj);
if (obj != NULL) {
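Review bot: The out-of-range message for the re-sign value prints the wrong variable: the `cfg_obj_log` under `if (resign > 3660 || resign == 0)` passes `validity` as the `%u` argument, so an operator is shown the validity interval while being told the re-signing interval is out of range. The call should end with `"sig-validity-interval (re-sign)", resign);`. The hunk also applies the same 1..3660 bound to `resign` whether it is later interpreted in days or in hours (the comparison below switches to `validity * 24` when `validity <= 7`), which may be intended but deserves a comment next to the `/* 10 years */` marker so the unit mismatch is not mistaken for a bug.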
@@ -483,6 +594,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
"preferred-glue unexpected value '%s'",
str);
}
+
obj = NULL;
(void)cfg_map_get(options, "root-delegation-only", &obj);
if (obj != NULL) {
@@ -543,7 +655,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
(void)cfg_map_get(options, "dnssec-lookaside", &obj);
if (obj != NULL) {
tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- ISC_TRUE, &symtab);
+ ISC_FALSE, &symtab);
if (tresult != ISC_R_SUCCESS)
result = tresult;
for (element = cfg_list_first(obj);
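Review bot: The flag flipped from `ISC_TRUE` to `ISC_FALSE` in the `isc_symtab_create` call for the dnssec-lookaside table is uncommented, and nothing in the hunk says what the argument controls. If it is the table's case-sensitivity flag, as the parallel `isc_symtab_create(mctx, 100, freekey, mctx, ISC_FALSE, &symtab)` used for key names later in this diff suggests, a one-line comment such as `/* case-insensitive: DNS names that differ only in case are duplicates */` would make the intent clear and stop a future cleanup from reverting it. check_options continues outside this hunk.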
@@ -680,6 +792,19 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
}
}
+ /*
+ * Check that server-id is not too long.
+ * 1024 bytes should be big enough.
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "server-id", &obj);
+ if (obj != NULL && cfg_obj_isstring(obj) &&
+ strlen(cfg_obj_asstring(obj)) > 1024U) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'server-id' too big (>1024 bytes)");
+ result = ISC_R_FAILURE;
+ }
+
return (result);
}
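Review bot: The new server-id length check reports `ISC_R_FAILURE`, while the other size/range checks added to check_options in this diff (the sig-validity-interval block) report `ISC_R_RANGE`; pick one so callers and log readers see a consistent code for "value outside its permitted bounds". The limit `1024` is also spelled out three times (comment, condition and message), so a single `#define` or enum constant, e.g. `enum { MAX_SERVER_ID_LEN = 1024 };`, would keep the comment, the check and the message from drifting apart. check_options starts outside this hunk.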
@@ -784,8 +909,11 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
if (new == NULL)
goto cleanup;
if (stackcount != 0) {
+ void *ptr;
+
+ DE_CONST(stack, ptr);
memcpy(new, stack, oldsize);
- isc_mem_put(mctx, stack, oldsize);
+ isc_mem_put(mctx, ptr, oldsize);
}
stack = new;
stackcount = newlen;
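Review bot: The `DE_CONST(stack, ptr)` dance before each `isc_mem_put` (here and in the cleanup hunk that follows) exists only to discard a const qualifier on `stack`, yet the function itself allocates the buffer (`new` a few lines up) and replaces it with `stack = new;`, so the storage is owned and mutable. Declaring `stack` as a non-const pointer where it is defined (outside this hunk) would remove both casts and the `void *ptr` temporaries; if the const is needed because elements are pushed from `const cfg_obj_t *` values, a comment at the cast saying so would help. validate_masters starts and ends outside this hunk.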
@@ -798,8 +926,12 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
goto resume;
}
cleanup:
- if (stack != NULL)
- isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+ if (stack != NULL) {
+ void *ptr;
+
+ DE_CONST(stack, ptr);
+ isc_mem_put(mctx, ptr, stackcount * sizeof(*stack));
+ }
isc_symtab_destroy(&symtab);
*countp = count;
return (result);
@@ -936,6 +1068,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "max-refresh-time", SLAVEZONE | STUBZONE },
{ "min-refresh-time", SLAVEZONE | STUBZONE },
{ "sig-validity-interval", MASTERZONE },
+ { "sig-re-signing-interval", MASTERZONE },
+ { "sig-signing-nodes", MASTERZONE },
+ { "sig-signing-type", MASTERZONE },
+ { "sig-signing-signatures", MASTERZONE },
{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
{ "allow-update", MASTERZONE | CHECKACL },
{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
@@ -955,6 +1091,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "check-srv-cname", MASTERZONE },
{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
{ "update-check-ksk", MASTERZONE },
+ { "try-tcp-refresh", SLAVEZONE },
};
static optionstable dialups[] = {
@@ -1020,7 +1157,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
/*
* Look for an already existing zone.
- * We need to make this cannonical as isc_symtab_define()
+ * We need to make this canonical as isc_symtab_define()
* deals with strings.
*/
dns_fixedname_init(&fixedname);
@@ -1125,6 +1262,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
} else if (res2 == ISC_R_SUCCESS &&
check_update_policy(obj, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
+ obj = NULL;
+ res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
+ if (res1 == ISC_R_SUCCESS) {
+ isc_uint32_t type = cfg_obj_asuint32(obj);
+ if (type < 0xff00U || type > 0xffffU)
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "sig-signing-type: %u out of "
+ "range [%u..%u]", type,
+ 0xff00U, 0xffffU);
+ result = ISC_R_FAILURE;
+ }
}
/*
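Review bot: The `result = ISC_R_FAILURE;` after the sig-signing-type range test runs unconditionally: the `if (type < 0xff00U || type > 0xffffU)` is unbraced, so only the `cfg_obj_log` call belongs to it and every zone that sets `sig-signing-type` at all, including an in-range value, fails the check. Brace the body so both statements are inside: `if (type < 0xff00U || type > 0xffffU) {` … `result = ISC_R_FAILURE;` `}`. check_zoneconf starts and ends outside this hunk.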
@@ -1297,27 +1445,56 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
return (ISC_R_SUCCESS);
}
+/*
+ * Check key list for duplicates key names and that the key names
+ * are valid domain names as these keys are used for TSIG.
+ *
+ * Check the key contents for validity.
+ */
static isc_result_t
-check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
+ isc_mem_t *mctx, isc_log_t *logctx)
+{
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_fixedname_t fname;
+ dns_name_t *name;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
const cfg_listelt_t *element;
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
for (element = cfg_list_first(keys);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *key = cfg_listelt_value(element);
- const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+ const char *keyid = cfg_obj_asstring(cfg_map_getname(key));
isc_symvalue_t symvalue;
+ isc_buffer_t b;
+ char *keyname;
+ isc_buffer_init(&b, keyid, strlen(keyid));
+ isc_buffer_add(&b, strlen(keyid));
+ tresult = dns_name_fromtext(name, &b, dns_rootname,
+ ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "key '%s': bad key name", keyid);
+ result = tresult;
+ continue;
+ }
tresult = bind9_check_key(key, logctx);
if (tresult != ISC_R_SUCCESS)
return (tresult);
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ keyname = isc_mem_strdup(mctx, namebuf);
+ if (keyname == NULL)
+ return (ISC_R_NOMEMORY);
symvalue.as_cpointer = key;
- tresult = isc_symtab_define(symtab, keyname, 1,
- symvalue, isc_symexists_reject);
+ tresult = isc_symtab_define(symtab, keyname, 1, symvalue,
+ isc_symexists_reject);
if (tresult == ISC_R_EXISTS) {
const char *file;
unsigned int line;
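Review bot: The ownership of `keyname` after `isc_mem_strdup` is not stated anywhere: it is freed on the `ISC_R_EXISTS` and error paths in the continuation hunk, but on a successful `isc_symtab_define` it is never freed here, so correctness depends on the caller having created `symtab` with a free action (check_viewconf in this diff passes `freekey`). A comment at the strdup, `/* keyname is owned by symtab on success; released by its undefine action */`, records that contract, and the function header should say that the table must be created with such an action. Two smaller points: the header says "duplicates key names" where "duplicate key names" is meant, and a bad key name logs and `continue`s while a `bind9_check_key` failure returns immediately, which may be intended but reads as inconsistent.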
@@ -1332,10 +1509,13 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"key '%s': already exists "
"previous definition: %s:%u",
- keyname, file, line);
+ keyid, file, line);
+ isc_mem_free(mctx, keyname);
result = tresult;
- } else if (tresult != ISC_R_SUCCESS)
+ } else if (tresult != ISC_R_SUCCESS) {
+ isc_mem_free(mctx, keyname);
return (tresult);
+ }
}
return (result);
}
@@ -1350,18 +1530,60 @@ static struct {
{ NULL, NULL }
};
+/*
+ * RNDC keys are not normalised unlike TSIG keys.
+ *
+ * "foo." is different to "foo".
+ */
+static isc_boolean_t
+rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
+ const cfg_listelt_t *element;
+ const cfg_obj_t *obj;
+ const char *str;
+
+ if (keylist == NULL)
+ return (ISC_FALSE);
+
+ for (element = cfg_list_first(keylist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(cfg_map_getname(obj));
+ if (!strcasecmp(str, keyname))
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
static isc_result_t
-check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
+check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
+ isc_symtab_t *symtab, isc_log_t *logctx)
+{
+ dns_fixedname_t fname;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
const cfg_listelt_t *e1, *e2;
- const cfg_obj_t *v1, *v2;
+ const cfg_obj_t *v1, *v2, *keys;
+ const cfg_obj_t *servers;
isc_netaddr_t n1, n2;
unsigned int p1, p2;
const cfg_obj_t *obj;
char buf[ISC_NETADDR_FORMATSIZE];
+ char namebuf[DNS_NAME_FORMATSIZE];
const char *xfr;
+ const char *keyval;
+ isc_buffer_t b;
int source;
+ dns_name_t *keyname;
+
+ servers = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "server", &servers);
+ if (servers == NULL)
+ (void)cfg_map_get(config, "server", &servers);
+ if (servers == NULL)
+ return (ISC_R_SUCCESS);
for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
v1 = cfg_listelt_value(e1);
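Review bot: The comment on rndckey_exists says RNDC key names are not normalised, but the comparison is `strcasecmp`, so case is still folded and only the trailing-dot distinction is preserved; make that explicit, e.g. `/* RNDC key names are compared case-insensitively but not normalised as DNS names: "foo." differs from "foo". */`. Style-wise, `if (!strcasecmp(str, keyname))` reads as a negated string and the rest of the file spells the same test as `strcasecmp(aclname, name) == 0`; `if (strcasecmp(str, keyname) == 0)` would match. check_servers continues outside this hunk.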
@@ -1389,8 +1611,8 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
if (obj != NULL) {
isc_netaddr_format(&n1, buf, sizeof(buf));
cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
- "server '%s': %s not legal",
- buf, xfr);
+ "server '%s/%u': %s not legal",
+ buf, p1, xfr);
result = ISC_R_FAILURE;
}
} while (sources[++source].v4 != NULL);
@@ -1413,15 +1635,42 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
result = ISC_R_FAILURE;
}
}
+ keys = NULL;
+ cfg_map_get(v1, "keys", &keys);
+ if (keys != NULL) {
+ /*
+ * Normalize key name.
+ */
+ keyval = cfg_obj_asstring(keys);
+ dns_fixedname_init(&fname);
+ isc_buffer_init(&b, keyval, strlen(keyval));
+ isc_buffer_add(&b, strlen(keyval));
+ keyname = dns_fixedname_name(&fname);
+ tresult = dns_name_fromtext(keyname, &b, dns_rootname,
+ ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+ "bad key name '%s'", keyval);
+ result = ISC_R_FAILURE;
+ continue;
+ }
+ dns_name_format(keyname, namebuf, sizeof(namebuf));
+ tresult = isc_symtab_lookup(symtab, namebuf, 1, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+ "unknown key '%s'", keyval);
+ result = ISC_R_FAILURE;
+ }
+ }
}
return (result);
}
static isc_result_t
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
- dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
+ const char *viewname, dns_rdataclass_t vclass,
+ isc_log_t *logctx, isc_mem_t *mctx)
{
- const cfg_obj_t *servers = NULL;
const cfg_obj_t *zones = NULL;
const cfg_obj_t *keys = NULL;
const cfg_listelt_t *element;
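Review bot: `cfg_map_get(v1, "keys", &keys);` discards its return value without the `(void)` cast that the neighbouring `(void)cfg_map_get(voptions, "server", &servers);` calls use, and the later `cfg_map_get(config, "acl", &acls);` in bind9_check_namedconf does the same; either check the result or cast it away consistently, since the `keys != NULL` test is what actually carries the decision. `strlen(keyval)` is also evaluated twice in the buffer setup; a local `size_t keylen = strlen(keyval);` would avoid the repeat. check_servers starts outside this hunk and the check_viewconf signature change at its end continues into the next one.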
@@ -1464,37 +1713,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_symtab_destroy(&symtab);
/*
- * Check that all key statements are syntactically correct and
- * there are no duplicate keys.
- */
- tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- return (ISC_R_NOMEMORY);
-
- (void)cfg_map_get(config, "key", &keys);
- tresult = check_keylist(keys, symtab, logctx);
- if (tresult == ISC_R_EXISTS)
- result = ISC_R_FAILURE;
- else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
- }
-
- if (voptions != NULL) {
- keys = NULL;
- (void)cfg_map_get(voptions, "key", &keys);
- tresult = check_keylist(keys, symtab, logctx);
- if (tresult == ISC_R_EXISTS)
- result = ISC_R_FAILURE;
- else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
- }
- }
-
- isc_symtab_destroy(&symtab);
-
- /*
* Check that forwarding is reasonable.
*/
if (voptions == NULL) {
@@ -1508,6 +1726,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (check_forward(voptions, NULL, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
+
/*
* Check that dual-stack-servers is reasonable.
*/
@@ -1530,14 +1749,45 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
}
+ /*
+ * Check that all key statements are syntactically correct and
+ * there are no duplicate keys.
+ */
+ tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+ ISC_FALSE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ return (ISC_R_NOMEMORY);
+
+ (void)cfg_map_get(config, "key", &keys);
+ tresult = check_keylist(keys, symtab, mctx, logctx);
+ if (tresult == ISC_R_EXISTS)
+ result = ISC_R_FAILURE;
+ else if (tresult != ISC_R_SUCCESS) {
+ isc_symtab_destroy(&symtab);
+ return (tresult);
+ }
+
if (voptions != NULL) {
- (void)cfg_map_get(voptions, "server", &servers);
- if (servers != NULL &&
- check_servers(servers, logctx) != ISC_R_SUCCESS)
+ keys = NULL;
+ (void)cfg_map_get(voptions, "key", &keys);
+ tresult = check_keylist(keys, symtab, mctx, logctx);
+ if (tresult == ISC_R_EXISTS)
result = ISC_R_FAILURE;
+ else if (tresult != ISC_R_SUCCESS) {
+ isc_symtab_destroy(&symtab);
+ return (tresult);
+ }
}
/*
+ * Global servers can refer to keys in views.
+ */
+ if (check_servers(config, voptions, symtab, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ isc_symtab_destroy(&symtab);
+
+ /*
* Check that dnssec-enable/dnssec-validation are sensible.
*/
obj = NULL;
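Review bot: When `isc_symtab_create` fails, the moved key-checking block returns a hard-coded `ISC_R_NOMEMORY` instead of the `tresult` it just received, hiding any other failure the call can report; `return (tresult);` is both shorter and accurate. The block is otherwise consistent with the table's ownership model (it is created with `freekey` and case-insensitive, matching the canonical names check_keylist stores), so a one-line comment above the create call saying the table owns the strdup'd key names would help the next reader. check_viewconf starts and ends outside this hunk.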
@@ -1575,6 +1825,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (tresult != ISC_R_SUCCESS)
result = tresult;
+ tresult = check_recursionacls(&actx, voptions, viewname,
+ config, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
cfg_aclconfctx_destroy(&actx);
return (result);
@@ -1698,33 +1953,14 @@ bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
}
static isc_result_t
-key_exists(const cfg_obj_t *keylist, const char *keyname) {
- const cfg_listelt_t *element;
- const char *str;
- const cfg_obj_t *obj;
-
- if (keylist == NULL)
- return (ISC_R_NOTFOUND);
- for (element = cfg_list_first(keylist);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_map_getname(obj));
- if (strcasecmp(str, keyname) == 0)
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
isc_log_t *logctx)
{
- isc_result_t result = ISC_R_SUCCESS, tresult;
+ isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *control_keylist;
const cfg_listelt_t *element;
const cfg_obj_t *key;
+ const char *keyval;
control_keylist = cfg_tuple_get(control, "keys");
if (cfg_obj_isvoid(control_keylist))
@@ -1735,11 +1971,12 @@ bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
element = cfg_list_next(element))
{
key = cfg_listelt_value(element);
- tresult = key_exists(keylist, cfg_obj_asstring(key));
- if (tresult != ISC_R_SUCCESS) {
+ keyval = cfg_obj_asstring(key);
+
+ if (!rndckey_exists(keylist, keyval)) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
- "unknown key '%s'", cfg_obj_asstring(key));
- result = tresult;
+ "unknown key '%s'", keyval);
+ result = ISC_R_NOTFOUND;
}
}
return (result);
@@ -1791,7 +2028,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
control = cfg_listelt_value(element2);
allow = cfg_tuple_get(control, "allow");
tresult = cfg_acl_fromconfig(allow, config, logctx,
- &actx, mctx, &acl);
+ &actx, mctx, 0, &acl);
if (acl != NULL)
dns_acl_detach(&acl);
if (tresult != ISC_R_SUCCESS)
@@ -1847,7 +2084,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
isc_mem_t *mctx)
{
const cfg_obj_t *options = NULL;
- const cfg_obj_t *servers = NULL;
const cfg_obj_t *views = NULL;
const cfg_obj_t *acls = NULL;
const cfg_obj_t *kals = NULL;
@@ -1866,11 +2102,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
check_options(options, logctx, mctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
- (void)cfg_map_get(config, "server", &servers);
- if (servers != NULL &&
- check_servers(servers, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
@@ -1888,7 +2119,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
result = ISC_R_FAILURE;
if (views == NULL) {
- if (check_viewconf(config, NULL, dns_rdataclass_in,
+ if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
logctx, mctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
} else {
@@ -1960,7 +2191,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
}
}
if (tresult == ISC_R_SUCCESS)
- tresult = check_viewconf(config, voptions,
+ tresult = check_viewconf(config, voptions, key,
vclass, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
@@ -1979,8 +2210,9 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
}
}
- tresult = cfg_map_get(config, "acl", &acls);
- if (tresult == ISC_R_SUCCESS) {
+ cfg_map_get(config, "acl", &acls);
+
+ if (acls != NULL) {
const cfg_listelt_t *elt;
const cfg_listelt_t *elt2;
const char *aclname;
@@ -1989,6 +2221,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
elt != NULL;
elt = cfg_list_next(elt)) {
const cfg_obj_t *acl = cfg_listelt_value(elt);
+ unsigned int line = cfg_obj_line(acl);
unsigned int i;
aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
@@ -2013,7 +2246,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
"name"));
if (strcasecmp(aclname, name) == 0) {
const char *file = cfg_obj_file(acl);
- unsigned int line = cfg_obj_line(acl);
if (file == NULL)
file = "<unknown file>";
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
index b6edce042f06..a75e14ef650e 100644
--- a/lib/bind9/getaddresses.c
+++ b/lib/bind9/getaddresses.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddresses.c,v 1.15.18.5 2005/10/14 01:28:24 marka Exp $ */
+/* $Id: getaddresses.c,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/bind9/include/Makefile.in b/lib/bind9/include/Makefile.in
index 6c6611e672bb..65eecb05b5fb 100644
--- a/lib/bind9/include/Makefile.in
+++ b/lib/bind9/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2 2004/03/05 05:09:08 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:16 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind9/include/bind9/Makefile.in b/lib/bind9/include/bind9/Makefile.in
index 8ef5c32f5d1f..8abfaf65a25e 100644
--- a/lib/bind9/include/bind9/Makefile.in
+++ b/lib/bind9/include/bind9/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.6 2004/03/05 05:09:10 marka Exp $
+# $Id: Makefile.in,v 1.8 2007/06/19 23:47:16 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index 25a8e0c1b9a9..1647568c72ef 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.h,v 1.2.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: check.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
#ifndef BIND9_CHECK_H
#define BIND9_CHECK_H 1
-/*! \file */
+/*! \file bind9/check.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
index e6d030d76189..736feb68fbdd 100644
--- a/lib/bind9/include/bind9/getaddresses.h
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddresses.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: getaddresses.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
#ifndef BIND9_GETADDRESSES_H
#define BIND9_GETADDRESSES_H 1
-/*! \file */
+/*! \file bind9/getaddresses.h */
#include <isc/lang.h>
#include <isc/types.h>
@@ -40,7 +40,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
* first 'addrsize' are returned and the remainder silently truncated.
*
* This routine may block. If called by a program using the isc_app
- * framework, it should be surounded by isc_app_block()/isc_app_unblock().
+ * framework, it should be surrounded by isc_app_block()/isc_app_unblock().
*
* Requires:
*\li 'hostname' is not NULL.
@@ -48,7 +48,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
*\li 'addrsize' > 0
*\li 'addrcount' is not NULL.
*
- *
+ *
* Returns:
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOTFOUND
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
index 154e240d79f2..5b08b7c1fb5b 100644
--- a/lib/bind9/include/bind9/version.h
+++ b/lib/bind9/include/bind9/version.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
-/*! \file */
+/*! \file bind9/version.h */
#include <isc/platform.h>
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
index 2cc17daff6ac..d5934cced860 100644
--- a/lib/bind9/version.c
+++ b/lib/bind9/version.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.4.18.2 2005/04/29 00:15:47 marka Exp $ */
+/* $Id: version.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 286a5f9ee345..ef5c12a5d0d7 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.144.18.10 2006/01/06 00:01:43 marka Exp $
+# $Id: Makefile.in,v 1.163 2008/09/24 02:46:22 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -29,10 +29,14 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
+USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+ ${USE_ISC_SPNEGO}
+
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
@@ -43,7 +47,8 @@ LIBS = @LIBS@
# Alphabetically
-DSTOBJS = dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+DSTOBJS = @DST_EXTRA_OBJS@ \
+ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
opensslrsa_link.@O@
@@ -52,10 +57,10 @@ DSTOBJS = dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
cache.@O@ callbacks.@O@ compress.@O@ \
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
- dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
- lib.@O@ log.@O@ lookup.@O@ \
+ dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ journal.@O@ \
+ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
- name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
+ name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ portlist.@O@ \
rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
rdatalist.@O@ \
rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
@@ -68,7 +73,8 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
# Alphabetically
-DSTSRCS = dst_api.c dst_lib.c dst_parse.c \
+DSTSRCS = @DST_EXTRA_SRCS@ \
+ dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c \
hmac_link.c key.c \
openssl_link.c openssldh_link.c \
@@ -77,10 +83,10 @@ DSTSRCS = dst_api.c dst_lib.c dst_parse.c \
DNSSRCS = acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
- dlz.c dnssec.c ds.c forward.c journal.c keytable.c \
- lib.c log.c lookup.c \
+ dlz.c dnssec.c ds.c forward.c iptable.c journal.c \
+ keytable.c lib.c log.c lookup.c \
master.c masterdump.c message.c \
- name.c ncache.c nsec.c order.c peer.c portlist.c \
+ name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
rdatalist.c \
rdataset.c rdatasetiter.c rdataslab.c request.c \
@@ -169,3 +175,5 @@ subdirs: include/dns/enumtype.h include/dns/enumclass.h \
include/dns/rdatastruct.h code.h
${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
include/dns/rdatastruct.h
+
+spnego.@O@: spnego_asn1.c spnego.h
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index cd56c3c8bbff..2ad4981de69b 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acache.c,v 1.3.2.18 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: acache.c,v 1.22 2008/02/07 23:46:54 tbox Exp $ */
#include <config.h>
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 844c1325c5fa..3af8dd39405e 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,18 +15,25 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acl.c,v 1.25.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.c,v 1.50.44.3 2009/01/18 23:47:35 tbox Exp $ */
/*! \file */
#include <config.h>
#include <isc/mem.h>
+#include <isc/once.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/acl.h>
+#include <dns/iptable.h>
+/*
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements. The elements are uninitialized and the
+ * length is 0.
+ */
isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
isc_result_t result;
@@ -43,14 +50,23 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
return (ISC_R_NOMEMORY);
acl->mctx = mctx;
acl->name = NULL;
+
result = isc_refcount_init(&acl->refcount, 1);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, acl, sizeof(*acl));
return (result);
}
+
+ result = dns_iptable_create(mctx, &acl->iptable);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, acl, sizeof(*acl));
+ return (result);
+ }
+
acl->elements = NULL;
acl->alloc = 0;
acl->length = 0;
+ acl->has_negatives = ISC_FALSE;
ISC_LINK_INIT(acl, nextincache);
/*
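Review bot: In the new `dns_iptable_create` failure path of dns_acl_create the ACL is released with `isc_mem_put` but the refcount initialised just above by `isc_refcount_init` is not torn down, unlike the `isc_refcount_init` failure path which never reached that point. If `isc_refcount_init` acquires anything that `isc_refcount_destroy` must release (as it does in builds where the refcount carries a lock), add `isc_refcount_destroy(&acl->refcount);` before the `isc_mem_put` in that branch. dns_acl_create continues outside this hunk.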
@@ -73,111 +89,282 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
return (result);
}
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
- if (acl->length + 1 > acl->alloc) {
- /*
- * Resize the ACL.
- */
- unsigned int newalloc;
- void *newmem;
-
- newalloc = acl->alloc * 2;
- if (newalloc < 4)
- newalloc = 4;
- newmem = isc_mem_get(acl->mctx,
- newalloc * sizeof(dns_aclelement_t));
- if (newmem == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(newmem, acl->elements,
- acl->length * sizeof(dns_aclelement_t));
- isc_mem_put(acl->mctx, acl->elements,
- acl->alloc * sizeof(dns_aclelement_t));
- acl->elements = newmem;
- acl->alloc = newalloc;
- }
- /*
- * Append the new element.
- */
- acl->elements[acl->length++] = *elt;
-
- return (ISC_R_SUCCESS);
-}
-
+/*
+ * Create a new ACL and initialize it with the value "any" or "none",
+ * depending on the value of the "neg" parameter.
+ * "any" is a positive iptable entry with bit length 0.
+ * "none" is the same as "!any".
+ */
static isc_result_t
dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
isc_result_t result;
dns_acl_t *acl = NULL;
- result = dns_acl_create(mctx, 1, &acl);
+ result = dns_acl_create(mctx, 0, &acl);
if (result != ISC_R_SUCCESS)
return (result);
- acl->elements[0].negative = neg;
- acl->elements[0].type = dns_aclelementtype_any;
- acl->length = 1;
+
+ result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
+ if (result != ISC_R_SUCCESS) {
+ dns_acl_detach(&acl);
+ return (result);
+ }
+
*target = acl;
return (result);
}
+/*
+ * Create a new ACL that matches everything.
+ */
isc_result_t
dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
return (dns_acl_anyornone(mctx, ISC_FALSE, target));
}
+/*
+ * Create a new ACL that matches nothing.
+ */
isc_result_t
dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
return (dns_acl_anyornone(mctx, ISC_TRUE, target));
}
+/*
+ * If pos is ISC_TRUE, test whether acl is set to "{ any; }"
+ * If pos is ISC_FALSE, test whether acl is set to "{ none; }"
+ */
+static isc_boolean_t
+dns_acl_isanyornone(dns_acl_t *acl, isc_boolean_t pos)
+{
+ /* Should never happen but let's be safe */
+ if (acl == NULL ||
+ acl->iptable == NULL ||
+ acl->iptable->radix == NULL ||
+ acl->iptable->radix->head == NULL ||
+ acl->iptable->radix->head->prefix == NULL)
+ return (ISC_FALSE);
+
+ if (acl->length != 0 || acl->node_count != 1)
+ return (ISC_FALSE);
+
+ if (acl->iptable->radix->head->prefix->bitlen == 0 &&
+ acl->iptable->radix->head->data[0] != NULL &&
+ acl->iptable->radix->head->data[0] ==
+ acl->iptable->radix->head->data[1] &&
+ *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE); /* All others */
+}
+
+/*
+ * Test whether acl is set to "{ any; }"
+ */
+isc_boolean_t
+dns_acl_isany(dns_acl_t *acl)
+{
+ return (dns_acl_isanyornone(acl, ISC_TRUE));
+}
+
+/*
+ * Test whether acl is set to "{ none; }"
+ */
+isc_boolean_t
+dns_acl_isnone(dns_acl_t *acl)
+{
+ return (dns_acl_isanyornone(acl, ISC_FALSE));
+}
+
+/*
+ * Determine whether a given address or signer matches a given ACL.
+ * For a match with a positive ACL element or iptable radix entry,
+ * return with a positive value in match; for a match with a negated ACL
+ * element or radix entry, return with a negative value in match.
+ */
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
const dns_acl_t *acl,
const dns_aclenv_t *env,
int *match,
- dns_aclelement_t const**matchelt)
+ const dns_aclelement_t **matchelt)
{
+ isc_uint16_t bitlen, family;
+ isc_prefix_t pfx;
+ isc_radix_node_t *node = NULL;
+ const isc_netaddr_t *addr;
+ isc_netaddr_t v4addr;
+ isc_result_t result;
+ int match_num = -1;
unsigned int i;
REQUIRE(reqaddr != NULL);
REQUIRE(matchelt == NULL || *matchelt == NULL);
-
+
+ if (env == NULL || env->match_mapped == ISC_FALSE ||
+ reqaddr->family != AF_INET6 ||
+ !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
+ addr = reqaddr;
+ else {
+ isc_netaddr_fromv4mapped(&v4addr, reqaddr);
+ addr = &v4addr;
+ }
+
+ /* Always match with host addresses. */
+ family = addr->family;
+ bitlen = family == AF_INET6 ? 128 : 32;
+ NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
+
+ /* Assume no match. */
+ *match = 0;
+
+ /* Search radix. */
+ result = isc_radix_search(acl->iptable->radix, &node, &pfx);
+
+ /* Found a match. */
+ if (result == ISC_R_SUCCESS && node != NULL) {
+ match_num = node->node_num[ISC_IS6(family)];
+ if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
+ *match = match_num;
+ else
+ *match = -match_num;
+ }
+
+ /* Now search non-radix elements for a match with a lower node_num. */
for (i = 0; i < acl->length; i++) {
dns_aclelement_t *e = &acl->elements[i];
+ /* Already found a better match? */
+ if (match_num != -1 && match_num < e->node_num) {
+ isc_refcount_destroy(&pfx.refcount);
+ return (ISC_R_SUCCESS);
+ }
+
if (dns_aclelement_match(reqaddr, reqsigner,
e, env, matchelt)) {
- *match = e->negative ? -((int)i+1) : ((int)i+1);
+ if (match_num == -1 || e->node_num < match_num) {
+ if (e->negative == ISC_TRUE)
+ *match = -e->node_num;
+ else
+ *match = e->node_num;
+ }
+ isc_refcount_destroy(&pfx.refcount);
return (ISC_R_SUCCESS);
}
}
- /* No match. */
- *match = 0;
+
+ isc_refcount_destroy(&pfx.refcount);
return (ISC_R_SUCCESS);
}
+/*
+ * Merge the contents of one ACL into another. Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated. This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
isc_result_t
-dns_acl_elementmatch(const dns_acl_t *acl,
- const dns_aclelement_t *elt,
- const dns_aclelement_t **matchelt)
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
{
- unsigned int i;
+ isc_result_t result;
+ unsigned int newalloc, nelem, i;
+ int max_node = 0, nodes;
- REQUIRE(elt != NULL);
- REQUIRE(matchelt == NULL || *matchelt == NULL);
-
- for (i = 0; i < acl->length; i++) {
- dns_aclelement_t *e = &acl->elements[i];
+ /* Resize the element array if needed. */
+ if (dest->length + source->length > dest->alloc) {
+ void *newmem;
- if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
- if (matchelt != NULL)
- *matchelt = e;
- return (ISC_R_SUCCESS);
+ newalloc = dest->alloc + source->alloc;
+ if (newalloc < 4)
+ newalloc = 4;
+
+ newmem = isc_mem_get(dest->mctx,
+ newalloc * sizeof(dns_aclelement_t));
+ if (newmem == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /* Copy in the original elements */
+ memcpy(newmem, dest->elements,
+ dest->length * sizeof(dns_aclelement_t));
+
+ /* Release the memory for the old elements array */
+ isc_mem_put(dest->mctx, dest->elements,
+ dest->alloc * sizeof(dns_aclelement_t));
+ dest->elements = newmem;
+ dest->alloc = newalloc;
+ }
+
+ /*
+ * Now copy in the new elements, increasing their node_num
+ * values so as to keep the new ACL consistent. If we're
+ * negating, then negate positive elements, but keep negative
+ * elements the same for security reasons.
+ */
+ nelem = dest->length;
+ dest->length += source->length;
+ for (i = 0; i < source->length; i++) {
+ if (source->elements[i].node_num > max_node)
+ max_node = source->elements[i].node_num;
+
+ /* Copy type. */
+ dest->elements[nelem + i].type = source->elements[i].type;
+
+ /* Adjust node numbering. */
+ dest->elements[nelem + i].node_num =
+ source->elements[i].node_num + dest->node_count;
+
+ /* Duplicate nested acl. */
+ if (source->elements[i].type == dns_aclelementtype_nestedacl &&
+ source->elements[i].nestedacl != NULL)
+ dns_acl_attach(source->elements[i].nestedacl,
+ &dest->elements[nelem + i].nestedacl);
+
+ /* Duplicate key name. */
+ if (source->elements[i].type == dns_aclelementtype_keyname) {
+ dns_name_init(&dest->elements[nelem+i].keyname, NULL);
+ result = dns_name_dup(&source->elements[i].keyname,
+ dest->mctx,
+ &dest->elements[nelem+i].keyname);
+ if (result != ISC_R_SUCCESS)
+ return result;
+ }
+
+ /* reverse sense of positives if this is a negative acl */
+ if (!pos && source->elements[i].negative == ISC_FALSE) {
+ dest->elements[nelem + i].negative = ISC_TRUE;
+ } else {
+ dest->elements[nelem + i].negative =
+ source->elements[i].negative;
}
}
- return (ISC_R_NOTFOUND);
+
+ /*
+ * Merge the iptables. Make sure the destination ACL's
+ * node_count value is set correctly afterward.
+ */
+ nodes = max_node + dest->node_count;
+ result = dns_iptable_merge(dest->iptable, source->iptable, pos);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (nodes > dest->node_count)
+ dest->node_count = nodes;
+
+ return (ISC_R_SUCCESS);
}
+/*
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns ISC_TRUE iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative. Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
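Review bot: In dns_acl_merge, `dest->length += source->length;` runs before the copy loop, so when dns_name_dup() fails mid-loop the function returns with dest->length covering elements that were never written; a later destroy() walks dacl->length and would call dns_name_free() or dns_acl_detach() on uninitialized slots. Drop the bulk increment and commit each element only once it is fully populated, i.e. make `dest->length = nelem + i + 1;` the last statement of the loop body, so the half-built element is excluded on the error return. The later early return when dns_iptable_merge() fails also leaves the copied elements' adjusted node_num values without the matching dest->node_count update, which deserves at least a comment on what state the caller may rely on. That path's `return result;` also departs from the `return (result);` form used everywhere else in the file. dns_aclelement_match begins at the end of this hunk and continues past it.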
@@ -186,92 +373,68 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_aclelement_t **matchelt)
{
dns_acl_t *inner = NULL;
- const isc_netaddr_t *addr;
- isc_netaddr_t v4addr;
int indirectmatch;
isc_result_t result;
switch (e->type) {
- case dns_aclelementtype_ipprefix:
- if (env == NULL ||
- env->match_mapped == ISC_FALSE ||
- reqaddr->family != AF_INET6 ||
- !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
- addr = reqaddr;
- else {
- isc_netaddr_fromv4mapped(&v4addr, reqaddr);
- addr = &v4addr;
- }
-
- if (isc_netaddr_eqprefix(addr,
- &e->u.ip_prefix.address,
- e->u.ip_prefix.prefixlen))
- goto matched;
- break;
-
case dns_aclelementtype_keyname:
if (reqsigner != NULL &&
- dns_name_equal(reqsigner, &e->u.keyname))
- goto matched;
- break;
-
+ dns_name_equal(reqsigner, &e->keyname)) {
+ if (matchelt != NULL)
+ *matchelt = e;
+ return (ISC_TRUE);
+ } else {
+ return (ISC_FALSE);
+ }
+
case dns_aclelementtype_nestedacl:
- inner = e->u.nestedacl;
- nested:
- result = dns_acl_match(reqaddr, reqsigner,
- inner,
- env,
- &indirectmatch, matchelt);
- INSIST(result == ISC_R_SUCCESS);
-
- /*
- * Treat negative matches in indirect ACLs as
- * "no match".
- * That way, a negated indirect ACL will never become
- * a surprise positive match through double negation.
- * XXXDCL this should be documented.
- */
- if (indirectmatch > 0)
- goto matchelt_set;
-
- /*
- * A negative indirect match may have set *matchelt,
- * but we don't want it set when we return.
- */
- if (matchelt != NULL)
- *matchelt = NULL;
+ inner = e->nestedacl;
break;
-
- case dns_aclelementtype_any:
- matched:
- if (matchelt != NULL)
- *matchelt = e;
- matchelt_set:
- return (ISC_TRUE);
-
+
case dns_aclelementtype_localhost:
- if (env != NULL && env->localhost != NULL) {
- inner = env->localhost;
- goto nested;
- } else {
- break;
- }
-
+ if (env == NULL || env->localhost == NULL)
+ return (ISC_FALSE);
+ inner = env->localhost;
+ break;
+
case dns_aclelementtype_localnets:
- if (env != NULL && env->localnets != NULL) {
- inner = env->localnets;
- goto nested;
- } else {
- break;
- }
-
+ if (env == NULL || env->localnets == NULL)
+ return (ISC_FALSE);
+ inner = env->localnets;
+ break;
+
default:
+ /* Should be impossible. */
INSIST(0);
- break;
}
+ result = dns_acl_match(reqaddr, reqsigner, inner, env,
+ &indirectmatch, matchelt);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /*
+ * Treat negative matches in indirect ACLs as "no match".
+ * That way, a negated indirect ACL will never become a
+ * surprise positive match through double negation.
+ * XXXDCL this should be documented.
+ */
+
+ if (indirectmatch > 0) {
+ if (matchelt != NULL)
+ *matchelt = e;
+ return (ISC_TRUE);
+ }
+
+ /*
+ * A negative indirect match may have set *matchelt, but we don't
+ * want it set when we return.
+ */
+
+ if (matchelt != NULL)
+ *matchelt = NULL;
+
return (ISC_FALSE);
-}
+}
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
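Review bot: The dns_aclelementtype_nestedacl case sets `inner = e->nestedacl;` and breaks straight to the dns_acl_match() call, which dereferences the ACL's iptable with no NULL check, while the localhost and localnets cases in the same switch return ISC_FALSE when their ACL is missing; dns_acl_merge earlier in this diff explicitly tests `nestedacl != NULL` before attaching, which suggests a NULL nested ACL is a state the code anticipates. Add `if (e->nestedacl == NULL) return (ISC_FALSE);` ahead of the assignment so the three indirect cases behave alike. The parameter list of dns_aclelement_match starts above this hunk.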
@@ -285,15 +448,10 @@ destroy(dns_acl_t *dacl) {
unsigned int i;
for (i = 0; i < dacl->length; i++) {
dns_aclelement_t *de = &dacl->elements[i];
- switch (de->type) {
- case dns_aclelementtype_keyname:
- dns_name_free(&de->u.keyname, dacl->mctx);
- break;
- case dns_aclelementtype_nestedacl:
- dns_acl_detach(&de->u.nestedacl);
- break;
- default:
- break;
+ if (de->type == dns_aclelementtype_keyname) {
+ dns_name_free(&de->keyname, dacl->mctx);
+ } else if (de->type == dns_aclelementtype_nestedacl) {
+ dns_acl_detach(&de->nestedacl);
}
}
if (dacl->elements != NULL)
@@ -301,6 +459,8 @@ destroy(dns_acl_t *dacl) {
dacl->alloc * sizeof(dns_aclelement_t));
if (dacl->name != NULL)
isc_mem_free(dacl->mctx, dacl->name);
+ if (dacl->iptable != NULL)
+ dns_iptable_detach(&dacl->iptable);
isc_refcount_destroy(&dacl->refcount);
dacl->magic = 0;
isc_mem_put(dacl->mctx, dacl, sizeof(*dacl));
@@ -317,69 +477,83 @@ dns_acl_detach(dns_acl_t **aclp) {
*aclp = NULL;
}
-isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
- if (ea->type != eb->type)
- return (ISC_FALSE);
- switch (ea->type) {
- case dns_aclelementtype_ipprefix:
- if (ea->u.ip_prefix.prefixlen !=
- eb->u.ip_prefix.prefixlen)
- return (ISC_FALSE);
- return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
- &eb->u.ip_prefix.address,
- ea->u.ip_prefix.prefixlen));
- case dns_aclelementtype_keyname:
- return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
- case dns_aclelementtype_nestedacl:
- return (dns_acl_equal(ea->u.nestedacl, eb->u.nestedacl));
- case dns_aclelementtype_localhost:
- case dns_aclelementtype_localnets:
- case dns_aclelementtype_any:
- return (ISC_TRUE);
- default:
- INSIST(0);
- return (ISC_FALSE);
- }
+
+static isc_once_t insecure_prefix_once = ISC_ONCE_INIT;
+static isc_mutex_t insecure_prefix_lock;
+static isc_boolean_t insecure_prefix_found;
+
+static void
+initialize_action(void) {
+ RUNTIME_CHECK(isc_mutex_init(&insecure_prefix_lock) == ISC_R_SUCCESS);
}
-isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
- unsigned int i;
- if (a == b)
- return (ISC_TRUE);
- if (a->length != b->length)
- return (ISC_FALSE);
- for (i = 0; i < a->length; i++) {
- if (! dns_aclelement_equal(&a->elements[i],
- &b->elements[i]))
- return (ISC_FALSE);
+/*
+ * Called via isc_radix_walk() to find IP table nodes that are
+ * insecure.
+ */
+static void
+is_insecure(isc_prefix_t *prefix, void **data) {
+ isc_boolean_t secure;
+ int bitlen, family;
+
+ bitlen = prefix->bitlen;
+ family = prefix->family;
+
+ /* Negated entries are always secure. */
+ secure = * (isc_boolean_t *)data[ISC_IS6(family)];
+ if (!secure) {
+ return;
}
- return (ISC_TRUE);
-}
-static isc_boolean_t
-is_loopback(const dns_aclipprefix_t *p) {
- switch (p->address.family) {
+ /* If loopback prefix found, return */
+ switch (family) {
case AF_INET:
- if (p->prefixlen == 32 &&
- htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
- return (ISC_TRUE);
+ if (bitlen == 32 &&
+ htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK)
+ return;
break;
case AF_INET6:
- if (p->prefixlen == 128 &&
- IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
- return (ISC_TRUE);
+ if (bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6))
+ return;
break;
default:
break;
}
- return (ISC_FALSE);
+
+ /* Non-negated, non-loopback */
+ insecure_prefix_found = ISC_TRUE; /* LOCKED */
+ return;
}
+/*
+ * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions. We make no guarantee that an ACL for which
+ * this function returns ISC_FALSE is safe.
+ */
isc_boolean_t
dns_acl_isinsecure(const dns_acl_t *a) {
unsigned int i;
+ isc_boolean_t insecure;
+
+ RUNTIME_CHECK(isc_once_do(&insecure_prefix_once,
+ initialize_action) == ISC_R_SUCCESS);
+
+ /*
+ * Walk radix tree to find out if there are any non-negated,
+ * non-loopback prefixes.
+ */
+ LOCK(&insecure_prefix_lock);
+ insecure_prefix_found = ISC_FALSE;
+ isc_radix_process(a->iptable->radix, is_insecure);
+ insecure = insecure_prefix_found;
+ UNLOCK(&insecure_prefix_lock);
+ if (insecure)
+ return(ISC_TRUE);
+
+ /* Now check non-radix elements */
for (i = 0; i < a->length; i++) {
dns_aclelement_t *e = &a->elements[i];
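Review bot: is_insecure() reports its result through the file-scope `insecure_prefix_found`, but nothing at the three new static declarations says that the variable is only meaningful while `insecure_prefix_lock` is held and that is_insecure() is only valid as the callback of the locked isc_radix_process() walk in dns_acl_isinsecure(); the bare `/* LOCKED */` tag on the store is the only hint. Add a comment above the statics such as `/* Scratch state for the radix walk in dns_acl_isinsecure(): isc_radix_process() passes no user argument, so is_insecure() reports through insecure_prefix_found, which is valid only under insecure_prefix_lock. */`. The header comment of dns_acl_isinsecure() could also mention that concurrent callers are serialized by that lock. `return(ISC_TRUE);` after the walk should be `return (ISC_TRUE);` to match the file. The element loop of dns_acl_isinsecure continues in the next hunk.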
@@ -388,23 +562,16 @@ dns_acl_isinsecure(const dns_acl_t *a) {
continue;
switch (e->type) {
- case dns_aclelementtype_ipprefix:
- /* The loopback address is considered secure. */
- if (! is_loopback(&e->u.ip_prefix))
- return (ISC_TRUE);
- continue;
-
case dns_aclelementtype_keyname:
case dns_aclelementtype_localhost:
continue;
case dns_aclelementtype_nestedacl:
- if (dns_acl_isinsecure(e->u.nestedacl))
+ if (dns_acl_isinsecure(e->nestedacl))
return (ISC_TRUE);
continue;
-
+
case dns_aclelementtype_localnets:
- case dns_aclelementtype_any:
return (ISC_TRUE);
default:
@@ -412,10 +579,14 @@ dns_acl_isinsecure(const dns_acl_t *a) {
return (ISC_TRUE);
}
}
+
/* No insecure elements were found. */
return (ISC_FALSE);
}
+/*
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
isc_result_t result;
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index ae5dec85ec33..70562159dd8d 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.c,v 1.215.18.24 2008/10/17 03:35:14 marka Exp $ */
+/* $Id: adb.c,v 1.243.42.4 2009/02/03 22:34:28 jinmei Exp $ */
/*! \file
*
@@ -26,13 +26,6 @@
*
*/
-/*%
- * After we have cleaned all buckets, dump the database contents.
- */
-#if 0
-#define DUMP_ADB_AFTER_CLEANING
-#endif
-
#include <config.h>
#include <limits.h>
@@ -40,9 +33,9 @@
#include <isc/mutexblock.h>
#include <isc/netaddr.h>
#include <isc/random.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/stats.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/task.h>
-#include <isc/timer.h>
#include <isc/util.h>
#include <dns/adb.h>
@@ -55,28 +48,29 @@
#include <dns/rdatatype.h>
#include <dns/resolver.h>
#include <dns/result.h>
+#include <dns/stats.h>
-#define DNS_ADB_MAGIC ISC_MAGIC('D', 'a', 'd', 'b')
-#define DNS_ADB_VALID(x) ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
-#define DNS_ADBNAME_MAGIC ISC_MAGIC('a', 'd', 'b', 'N')
-#define DNS_ADBNAME_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
-#define DNS_ADBNAMEHOOK_MAGIC ISC_MAGIC('a', 'd', 'N', 'H')
+#define DNS_ADB_MAGIC ISC_MAGIC('D', 'a', 'd', 'b')
+#define DNS_ADB_VALID(x) ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
+#define DNS_ADBNAME_MAGIC ISC_MAGIC('a', 'd', 'b', 'N')
+#define DNS_ADBNAME_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
+#define DNS_ADBNAMEHOOK_MAGIC ISC_MAGIC('a', 'd', 'N', 'H')
#define DNS_ADBNAMEHOOK_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
-#define DNS_ADBLAMEINFO_MAGIC ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBLAMEINFO_MAGIC ISC_MAGIC('a', 'd', 'b', 'Z')
#define DNS_ADBLAMEINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
-#define DNS_ADBENTRY_MAGIC ISC_MAGIC('a', 'd', 'b', 'E')
-#define DNS_ADBENTRY_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
-#define DNS_ADBFETCH_MAGIC ISC_MAGIC('a', 'd', 'F', '4')
-#define DNS_ADBFETCH_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
-#define DNS_ADBFETCH6_MAGIC ISC_MAGIC('a', 'd', 'F', '6')
-#define DNS_ADBFETCH6_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
+#define DNS_ADBENTRY_MAGIC ISC_MAGIC('a', 'd', 'b', 'E')
+#define DNS_ADBENTRY_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
+#define DNS_ADBFETCH_MAGIC ISC_MAGIC('a', 'd', 'F', '4')
+#define DNS_ADBFETCH_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
+#define DNS_ADBFETCH6_MAGIC ISC_MAGIC('a', 'd', 'F', '6')
+#define DNS_ADBFETCH6_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
/*!
* The number of buckets needs to be a prime (for good hashing).
*
* XXXRTH How many buckets do we need?
*/
-#define NBUCKETS 1009 /*%< how many buckets for names/addrs */
+#define NBUCKETS 1009 /*%< how many buckets for names/addrs */
/*!
* For type 3 negative cache entries, we will remember that the address is
@@ -84,26 +78,25 @@
* The intent is to keep us from constantly asking about A/AAAA records
* if the zone has extremely low TTLs.
*/
-#define ADB_CACHE_MINIMUM 10 /*%< seconds */
-#define ADB_CACHE_MAXIMUM 86400 /*%< seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW 1800 /*%< seconds */
+#define ADB_CACHE_MINIMUM 10 /*%< seconds */
+#define ADB_CACHE_MAXIMUM 86400 /*%< seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW 1800 /*%< seconds */
/*%
- * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
- * buckets are cleaned in CLEAN_PERIOD seconds.
+ * The period in seconds after which an ADB name entry is regarded as stale
+ * and forced to be cleaned up.
+ * TODO: This should probably be configurable at run-time.
*/
-#define CLEAN_PERIOD 3600
-/*% See #CLEAN_PERIOD */
-#define CLEAN_SECONDS 30
-/*% See #CLEAN_PERIOD */
-#define CLEAN_BUCKETS ((NBUCKETS * CLEAN_SECONDS) / CLEAN_PERIOD)
+#ifndef ADB_STALE_MARGIN
+#define ADB_STALE_MARGIN 1800
+#endif
-#define FREE_ITEMS 64 /*%< free count for memory pools */
-#define FILL_COUNT 16 /*%< fill count for memory pools */
+#define FREE_ITEMS 64 /*%< free count for memory pools */
+#define FILL_COUNT 16 /*%< fill count for memory pools */
-#define DNS_ADB_INVALIDBUCKET (-1) /*%< invalid bucket address */
+#define DNS_ADB_INVALIDBUCKET (-1) /*%< invalid bucket address */
-#define DNS_ADB_MINADBSIZE (1024*1024) /*%< 1 Megabyte */
+#define DNS_ADB_MINADBSIZE (1024*1024) /*%< 1 Megabyte */
typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
typedef struct dns_adbnamehook dns_adbnamehook_t;
@@ -115,61 +108,62 @@ typedef struct dns_adbfetch6 dns_adbfetch6_t;
/*% dns adb structure */
struct dns_adb {
- unsigned int magic;
+ unsigned int magic;
- isc_mutex_t lock;
- isc_mutex_t reflock; /*%< Covers irefcnt, erefcnt */
+ isc_mutex_t lock;
+ isc_mutex_t reflock; /*%< Covers irefcnt, erefcnt */
isc_mutex_t overmemlock; /*%< Covers overmem */
- isc_mem_t *mctx;
- dns_view_t *view;
- isc_timermgr_t *timermgr;
- isc_timer_t *timer;
- isc_taskmgr_t *taskmgr;
- isc_task_t *task;
- isc_boolean_t overmem;
-
- isc_interval_t tick_interval;
- int next_cleanbucket;
-
- unsigned int irefcnt;
- unsigned int erefcnt;
-
- isc_mutex_t mplock;
- isc_mempool_t *nmp; /*%< dns_adbname_t */
- isc_mempool_t *nhmp; /*%< dns_adbnamehook_t */
- isc_mempool_t *limp; /*%< dns_adblameinfo_t */
- isc_mempool_t *emp; /*%< dns_adbentry_t */
- isc_mempool_t *ahmp; /*%< dns_adbfind_t */
- isc_mempool_t *aimp; /*%< dns_adbaddrinfo_t */
- isc_mempool_t *afmp; /*%< dns_adbfetch_t */
+ isc_mem_t *mctx;
+ dns_view_t *view;
+
+ isc_taskmgr_t *taskmgr;
+ isc_task_t *task;
+ isc_boolean_t overmem;
+
+ isc_interval_t tick_interval;
+ int next_cleanbucket;
+
+ unsigned int irefcnt;
+ unsigned int erefcnt;
+
+ isc_mutex_t mplock;
+ isc_mempool_t *nmp; /*%< dns_adbname_t */
+ isc_mempool_t *nhmp; /*%< dns_adbnamehook_t */
+ isc_mempool_t *limp; /*%< dns_adblameinfo_t */
+ isc_mempool_t *emp; /*%< dns_adbentry_t */
+ isc_mempool_t *ahmp; /*%< dns_adbfind_t */
+ isc_mempool_t *aimp; /*%< dns_adbaddrinfo_t */
+ isc_mempool_t *afmp; /*%< dns_adbfetch_t */
/*!
* Bucketized locks and lists for names.
*
* XXXRTH Have a per-bucket structure that contains all of these?
*/
- dns_adbnamelist_t names[NBUCKETS];
+ dns_adbnamelist_t names[NBUCKETS];
+ dns_adbnamelist_t deadnames[NBUCKETS];
/*% See dns_adbnamelist_t */
- isc_mutex_t namelocks[NBUCKETS];
+ isc_mutex_t namelocks[NBUCKETS];
/*% See dns_adbnamelist_t */
- isc_boolean_t name_sd[NBUCKETS];
+ isc_boolean_t name_sd[NBUCKETS];
/*% See dns_adbnamelist_t */
- unsigned int name_refcnt[NBUCKETS];
+ unsigned int name_refcnt[NBUCKETS];
/*!
* Bucketized locks for entries.
*
* XXXRTH Have a per-bucket structure that contains all of these?
*/
- dns_adbentrylist_t entries[NBUCKETS];
- isc_mutex_t entrylocks[NBUCKETS];
- isc_boolean_t entry_sd[NBUCKETS]; /*%< shutting down */
- unsigned int entry_refcnt[NBUCKETS];
-
- isc_event_t cevent;
- isc_boolean_t cevent_sent;
- isc_boolean_t shutting_down;
- isc_eventlist_t whenshutdown;
+ dns_adbentrylist_t entries[NBUCKETS];
+ dns_adbentrylist_t deadentries[NBUCKETS];
+ isc_mutex_t entrylocks[NBUCKETS];
+ isc_boolean_t entry_sd[NBUCKETS]; /*%< shutting down */
+ unsigned int entry_refcnt[NBUCKETS];
+
+ isc_event_t cevent;
+ isc_boolean_t cevent_sent;
+ isc_boolean_t shutting_down;
+ isc_eventlist_t whenshutdown;
};
/*
@@ -178,34 +172,35 @@ struct dns_adb {
/*% dns_adbname structure */
struct dns_adbname {
- unsigned int magic;
- dns_name_t name;
- dns_adb_t *adb;
- unsigned int partial_result;
- unsigned int flags;
- int lock_bucket;
- dns_name_t target;
- isc_stdtime_t expire_target;
- isc_stdtime_t expire_v4;
- isc_stdtime_t expire_v6;
- unsigned int chains;
- dns_adbnamehooklist_t v4;
- dns_adbnamehooklist_t v6;
- dns_adbfetch_t *fetch_a;
- dns_adbfetch_t *fetch_aaaa;
- unsigned int fetch_err;
- unsigned int fetch6_err;
- dns_adbfindlist_t finds;
- ISC_LINK(dns_adbname_t) plink;
+ unsigned int magic;
+ dns_name_t name;
+ dns_adb_t *adb;
+ unsigned int partial_result;
+ unsigned int flags;
+ int lock_bucket;
+ dns_name_t target;
+ isc_stdtime_t expire_target;
+ isc_stdtime_t expire_v4;
+ isc_stdtime_t expire_v6;
+ unsigned int chains;
+ dns_adbnamehooklist_t v4;
+ dns_adbnamehooklist_t v6;
+ dns_adbfetch_t *fetch_a;
+ dns_adbfetch_t *fetch_aaaa;
+ unsigned int fetch_err;
+ unsigned int fetch6_err;
+ dns_adbfindlist_t finds;
+ /* for LRU-based management */
+ isc_stdtime_t last_used;
+
+ ISC_LINK(dns_adbname_t) plink;
};
/*% The adbfetch structure */
struct dns_adbfetch {
- unsigned int magic;
- dns_adbnamehook_t *namehook;
- dns_adbentry_t *entry;
- dns_fetch_t *fetch;
- dns_rdataset_t rdataset;
+ unsigned int magic;
+ dns_fetch_t *fetch;
+ dns_rdataset_t rdataset;
};
/*%
@@ -214,9 +209,9 @@ struct dns_adbfetch {
* namehook that will contain the next address this host has.
*/
struct dns_adbnamehook {
- unsigned int magic;
- dns_adbentry_t *entry;
- ISC_LINK(dns_adbnamehook_t) plink;
+ unsigned int magic;
+ dns_adbentry_t *entry;
+ ISC_LINK(dns_adbnamehook_t) plink;
};
/*%
@@ -225,13 +220,13 @@ struct dns_adbnamehook {
* extended to other types of information about zones.
*/
struct dns_adblameinfo {
- unsigned int magic;
+ unsigned int magic;
- dns_name_t qname;
- dns_rdatatype_t qtype;
- isc_stdtime_t lame_timer;
+ dns_name_t qname;
+ dns_rdatatype_t qtype;
+ isc_stdtime_t lame_timer;
- ISC_LINK(dns_adblameinfo_t) plink;
+ ISC_LINK(dns_adblameinfo_t) plink;
};
/*%
@@ -240,16 +235,16 @@ struct dns_adblameinfo {
* the host.
*/
struct dns_adbentry {
- unsigned int magic;
+ unsigned int magic;
- int lock_bucket;
- unsigned int refcnt;
+ int lock_bucket;
+ unsigned int refcnt;
- unsigned int flags;
- unsigned int srtt;
- isc_sockaddr_t sockaddr;
+ unsigned int flags;
+ unsigned int srtt;
+ isc_sockaddr_t sockaddr;
- isc_stdtime_t expires;
+ isc_stdtime_t expires;
/*%<
* A nonzero 'expires' field indicates that the entry should
* persist until that time. This allows entries found
@@ -258,8 +253,8 @@ struct dns_adbentry {
* name.
*/
- ISC_LIST(dns_adblameinfo_t) lameinfo;
- ISC_LINK(dns_adbentry_t) plink;
+ ISC_LIST(dns_adblameinfo_t) lameinfo;
+ ISC_LINK(dns_adbentry_t) plink;
};
/*
@@ -284,7 +279,8 @@ static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
unsigned int, int *);
static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
- isc_sockaddr_t *, int *);
+ isc_sockaddr_t *, int *,
+ isc_stdtime_t);
static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug, isc_stdtime_t);
static void print_dns_name(FILE *, dns_name_t *);
static void print_namehook_list(FILE *, const char *legend,
@@ -305,15 +301,15 @@ static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
static void clean_target(dns_adb_t *, dns_name_t *);
static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
unsigned int);
-static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t,
- isc_boolean_t);
+static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+ isc_stdtime_t);
static void cancel_fetches_at_name(dns_adbname_t *);
static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
dns_rdatatype_t);
static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
dns_rdatatype_t);
static inline void check_exit(dns_adb_t *);
-static void timer_cleanup(isc_task_t *, isc_event_t *);
static void destroy(dns_adb_t *);
static isc_boolean_t shutdown_names(dns_adb_t *);
static isc_boolean_t shutdown_entries(dns_adb_t *);
@@ -328,28 +324,34 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
/*
* MUST NOT overlap DNS_ADBFIND_* flags!
*/
-#define FIND_EVENT_SENT 0x40000000
-#define FIND_EVENT_FREED 0x80000000
-#define FIND_EVENTSENT(h) (((h)->flags & FIND_EVENT_SENT) != 0)
-#define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
-
-#define NAME_NEEDS_POKE 0x80000000
-#define NAME_IS_DEAD 0x40000000
-#define NAME_HINT_OK DNS_ADBFIND_HINTOK
-#define NAME_GLUE_OK DNS_ADBFIND_GLUEOK
-#define NAME_STARTATZONE DNS_ADBFIND_STARTATZONE
-#define NAME_DEAD(n) (((n)->flags & NAME_IS_DEAD) != 0)
-#define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_GLUEOK(n) (((n)->flags & NAME_GLUE_OK) != 0)
-#define NAME_HINTOK(n) (((n)->flags & NAME_HINT_OK) != 0)
+#define FIND_EVENT_SENT 0x40000000
+#define FIND_EVENT_FREED 0x80000000
+#define FIND_EVENTSENT(h) (((h)->flags & FIND_EVENT_SENT) != 0)
+#define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
+
+#define NAME_NEEDS_POKE 0x80000000
+#define NAME_IS_DEAD 0x40000000
+#define NAME_HINT_OK DNS_ADBFIND_HINTOK
+#define NAME_GLUE_OK DNS_ADBFIND_GLUEOK
+#define NAME_STARTATZONE DNS_ADBFIND_STARTATZONE
+#define NAME_DEAD(n) (((n)->flags & NAME_IS_DEAD) != 0)
+#define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
+#define NAME_GLUEOK(n) (((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n) (((n)->flags & NAME_HINT_OK) != 0)
+
+/*
+ * Private flag(s) for entries.
+ * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ */
+#define ENTRY_IS_DEAD 0x80000000
/*
* To the name, address classes are all that really exist. If it has a
* V6 address it doesn't care if it came from a AAAA query.
*/
-#define NAME_HAS_V4(n) (!ISC_LIST_EMPTY((n)->v4))
-#define NAME_HAS_V6(n) (!ISC_LIST_EMPTY((n)->v6))
-#define NAME_HAS_ADDRS(n) (NAME_HAS_V4(n) || NAME_HAS_V6(n))
+#define NAME_HAS_V4(n) (!ISC_LIST_EMPTY((n)->v4))
+#define NAME_HAS_V6(n) (!ISC_LIST_EMPTY((n)->v6))
+#define NAME_HAS_ADDRS(n) (NAME_HAS_V4(n) || NAME_HAS_V6(n))
/*
* Fetches are broken out into A and AAAA types. In some cases,
@@ -358,34 +360,34 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
* Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
* are now equal to FETCH_V4 and FETCH_V6, respectively.
*/
-#define NAME_FETCH_A(n) ((n)->fetch_a != NULL)
-#define NAME_FETCH_AAAA(n) ((n)->fetch_aaaa != NULL)
-#define NAME_FETCH_V4(n) (NAME_FETCH_A(n))
-#define NAME_FETCH_V6(n) (NAME_FETCH_AAAA(n))
-#define NAME_FETCH(n) (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
+#define NAME_FETCH_A(n) ((n)->fetch_a != NULL)
+#define NAME_FETCH_AAAA(n) ((n)->fetch_aaaa != NULL)
+#define NAME_FETCH_V4(n) (NAME_FETCH_A(n))
+#define NAME_FETCH_V6(n) (NAME_FETCH_AAAA(n))
+#define NAME_FETCH(n) (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
/*
* Find options and tests to see if there are addresses on the list.
*/
-#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
-#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
!= 0)
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
!= 0)
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
/*
* These are currently used on simple unsigned ints, so they are
* not really associated with any particular type.
*/
-#define WANT_INET(x) (((x) & DNS_ADBFIND_INET) != 0)
-#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0)
+#define WANT_INET(x) (((x) & DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0)
-#define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
+#define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
/*
* Find out if the flags on a name (nf) indicate if it is a hint or
@@ -398,19 +400,19 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
#define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
((o) & DNS_ADBFIND_STARTATZONE))
-#define ENTER_LEVEL ISC_LOG_DEBUG(50)
-#define EXIT_LEVEL ENTER_LEVEL
-#define CLEAN_LEVEL ISC_LOG_DEBUG(100)
-#define DEF_LEVEL ISC_LOG_DEBUG(5)
-#define NCACHE_LEVEL ISC_LOG_DEBUG(20)
+#define ENTER_LEVEL ISC_LOG_DEBUG(50)
+#define EXIT_LEVEL ENTER_LEVEL
+#define CLEAN_LEVEL ISC_LOG_DEBUG(100)
+#define DEF_LEVEL ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL ISC_LOG_DEBUG(20)
-#define NCACHE_RESULT(r) ((r) == DNS_R_NCACHENXDOMAIN || \
+#define NCACHE_RESULT(r) ((r) == DNS_R_NCACHENXDOMAIN || \
(r) == DNS_R_NCACHENXRRSET)
-#define AUTH_NX(r) ((r) == DNS_R_NXDOMAIN || \
+#define AUTH_NX(r) ((r) == DNS_R_NXDOMAIN || \
(r) == DNS_R_NXRRSET)
-#define NXDOMAIN_RESULT(r) ((r) == DNS_R_NXDOMAIN || \
+#define NXDOMAIN_RESULT(r) ((r) == DNS_R_NXDOMAIN || \
(r) == DNS_R_NCACHENXDOMAIN)
-#define NXRRSET_RESULT(r) ((r) == DNS_R_NCACHENXRRSET || \
+#define NXRRSET_RESULT(r) ((r) == DNS_R_NCACHENXRRSET || \
(r) == DNS_R_NXRRSET || \
(r) == DNS_R_HINTNXRRSET)
@@ -418,14 +420,14 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
* Error state rankings.
*/
-#define FIND_ERR_SUCCESS 0 /* highest rank */
-#define FIND_ERR_CANCELED 1
-#define FIND_ERR_FAILURE 2
-#define FIND_ERR_NXDOMAIN 3
-#define FIND_ERR_NXRRSET 4
-#define FIND_ERR_UNEXPECTED 5
-#define FIND_ERR_NOTFOUND 6
-#define FIND_ERR_MAX 7
+#define FIND_ERR_SUCCESS 0 /* highest rank */
+#define FIND_ERR_CANCELED 1
+#define FIND_ERR_FAILURE 2
+#define FIND_ERR_NXDOMAIN 3
+#define FIND_ERR_NXRRSET 4
+#define FIND_ERR_UNEXPECTED 5
+#define FIND_ERR_NOTFOUND 6
+#define FIND_ERR_MAX 7
static const char *errnames[] = {
"success",
@@ -437,7 +439,7 @@ static const char *errnames[] = {
"not_found"
};
-#define NEWERR(old, new) (ISC_MIN((old), (new)))
+#define NEWERR(old, new) (ISC_MIN((old), (new)))
static isc_result_t find_err_map[FIND_ERR_MAX] = {
ISC_R_SUCCESS,
@@ -446,7 +448,7 @@ static isc_result_t find_err_map[FIND_ERR_MAX] = {
DNS_R_NXDOMAIN,
DNS_R_NXRRSET,
ISC_R_UNEXPECTED,
- ISC_R_NOTFOUND /* not YET found */
+ ISC_R_NOTFOUND /* not YET found */
};
static void
@@ -463,6 +465,15 @@ DP(int level, const char *format, ...) {
va_end(args);
}
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static inline void
+inc_stats(dns_adb_t *adb, isc_statscounter_t counter) {
+ if (adb->view->resstats != NULL)
+ isc_stats_increment(adb->view->resstats, counter);
+}
+
static inline dns_ttl_t
ttlclamp(dns_ttl_t ttl) {
if (ttl < ADB_CACHE_MINIMUM)
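Review bot: inc_stats dereferences adb->view unconditionally while guarding only resstats, and nothing in the comment says which case the NULL check covers; adb->view is REQUIREd non-NULL in dns_adb_create later in this diff, so the guard is sound, but the reader has to go find that. Extend the block comment with one line such as `* No-op for views that have no resolver statistics set attached (resstats == NULL).` so the asymmetry is deliberate rather than accidental-looking.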
@@ -536,7 +547,8 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
goto fail;
}
- foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket);
+ foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket,
+ now);
if (foundentry == NULL) {
dns_adbentry_t *entry;
@@ -617,6 +629,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
dns_adbname_t *name;
isc_boolean_t result = ISC_FALSE;
isc_boolean_t result4, result6;
+ int bucket;
dns_adb_t *adb;
INSIST(n != NULL);
@@ -661,8 +674,13 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
if (result)
result = dec_adb_irefcnt(adb);
} else {
- name->flags |= NAME_IS_DEAD;
cancel_fetches_at_name(name);
+ if (!NAME_DEAD(name)) {
+ bucket = name->lock_bucket;
+ ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+ ISC_LIST_APPEND(adb->deadnames[bucket], name, plink);
+ name->flags |= NAME_IS_DEAD;
+ }
}
return (result);
}
@@ -671,11 +689,8 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
* Requires the name's bucket be locked and no entry buckets be locked.
*/
static isc_boolean_t
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
- isc_boolean_t overmem)
-{
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
dns_adb_t *adb;
- isc_boolean_t expire;
isc_boolean_t result4 = ISC_FALSE;
isc_boolean_t result6 = ISC_FALSE;
@@ -683,20 +698,10 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
adb = name->adb;
INSIST(DNS_ADB_VALID(adb));
- if (overmem) {
- isc_uint32_t val;
-
- isc_random_get(&val);
-
- expire = ISC_TF((val % 4) == 0);
- } else
- expire = ISC_FALSE;
-
/*
* Check to see if we need to remove the v4 addresses
*/
- if (!NAME_FETCH_V4(name) &&
- (expire || EXPIRE_OK(name->expire_v4, now))) {
+ if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
if (NAME_HAS_V4(name)) {
DP(DEF_LEVEL, "expiring v4 for name %p", name);
result4 = clean_namehooks(adb, &name->v4);
@@ -709,8 +714,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
/*
* Check to see if we need to remove the v6 addresses
*/
- if (!NAME_FETCH_V6(name) &&
- (expire || EXPIRE_OK(name->expire_v6, now))) {
+ if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
if (NAME_HAS_V6(name)) {
DP(DEF_LEVEL, "expiring v6 for name %p", name);
result6 = clean_namehooks(adb, &name->v6);
@@ -723,7 +727,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
/*
* Check to see if we need to remove the alias target.
*/
- if (expire || EXPIRE_OK(name->expire_target, now)) {
+ if (EXPIRE_OK(name->expire_target, now)) {
clean_target(adb, &name->target);
name->expire_target = INT_MAX;
}
@@ -753,7 +757,10 @@ unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
bucket = name->lock_bucket;
INSIST(bucket != DNS_ADB_INVALIDBUCKET);
- ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+ if (NAME_DEAD(name))
+ ISC_LIST_UNLINK(adb->deadnames[bucket], name, plink);
+ else
+ ISC_LIST_UNLINK(adb->names[bucket], name, plink);
name->lock_bucket = DNS_ADB_INVALIDBUCKET;
INSIST(adb->name_refcnt[bucket] > 0);
adb->name_refcnt[bucket]--;
@@ -767,6 +774,26 @@ unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
*/
static inline void
link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
+ int i;
+ dns_adbentry_t *e;
+
+ if (adb->overmem) {
+ for (i = 0; i < 2; i++) {
+ e = ISC_LIST_TAIL(adb->entries[bucket]);
+ if (e == NULL)
+ break;
+ if (e->refcnt == 0) {
+ unlink_entry(adb, e);
+ free_adbentry(adb, &e);
+ continue;
+ }
+ INSIST((e->flags & ENTRY_IS_DEAD) == 0);
+ e->flags |= ENTRY_IS_DEAD;
+ ISC_LIST_UNLINK(adb->entries[bucket], e, plink);
+ ISC_LIST_PREPEND(adb->deadentries[bucket], e, plink);
+ }
+ }
+
ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
entry->lock_bucket = bucket;
adb->entry_refcnt[bucket]++;
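Review bot: The return value of unlink_entry() is dropped at `unlink_entry(adb, e);` inside the overmem eviction loop, whereas dec_entry_refcnt further down in this diff treats that return as the signal to call dec_adb_irefcnt. If the signal cannot fire here because link_entry re-increments entry_refcnt[bucket] immediately afterward, make that explicit with `(void)unlink_entry(adb, e); /* bucket refcnt is re-incremented below, so no irefcnt decrement is due */`; otherwise an internal reference is left undecremented when a bucket is shutting down. adb->overmem is also read here without adb->overmemlock, which water() holds when writing it; check_stale_name in this same diff documents that race as accepted, and a one-line cross-reference here would keep the intent visible.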
@@ -783,7 +810,10 @@ unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
bucket = entry->lock_bucket;
INSIST(bucket != DNS_ADB_INVALIDBUCKET);
- ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+ if ((entry->flags & ENTRY_IS_DEAD) != 0)
+ ISC_LIST_UNLINK(adb->deadentries[bucket], entry, plink);
+ else
+ ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
INSIST(adb->entry_refcnt[bucket] > 0);
adb->entry_refcnt[bucket]--;
@@ -862,7 +892,7 @@ shutdown_entries(dns_adb_t *adb) {
adb->entry_sd[bucket] = ISC_TRUE;
entry = ISC_LIST_HEAD(adb->entries[bucket]);
- if (entry == NULL) {
+ if (adb->entry_refcnt[bucket] == 0) {
/*
* This bucket has no entries. We must decrement the
* irefcnt ourselves, since it will not be
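Review bot: The comment "This bucket has no entries." no longer matches the condition it explains: the test is now `adb->entry_refcnt[bucket] == 0`, which presumably also counts entries parked on deadentries[bucket], while `entry` is still taken from the live list only. Reword it as `/* No live or dead entries remain in this bucket (refcnt is 0). We must decrement ... */`. If `entry` is no longer read after this point in shutdown_entries (the rest of the function is outside the hunk), the ISC_LIST_HEAD assignment above is now dead as well.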
@@ -1140,7 +1170,7 @@ check_exit(dns_adb_t *adb) {
* If there aren't any external references either, we're
* done. Send the control event to initiate shutdown.
*/
- INSIST(!adb->cevent_sent); /* Sanity check. */
+ INSIST(!adb->cevent_sent); /* Sanity check. */
event = &adb->cevent;
isc_task_send(adb->task, &event);
adb->cevent_sent = ISC_TRUE;
@@ -1220,7 +1250,8 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
destroy_entry = ISC_FALSE;
if (entry->refcnt == 0 &&
- (adb->entry_sd[bucket] || entry->expires == 0)) {
+ (adb->entry_sd[bucket] || entry->expires == 0 || adb->overmem ||
+ (entry->flags & ENTRY_IS_DEAD) != 0)) {
destroy_entry = ISC_TRUE;
result = unlink_entry(adb, entry);
}
@@ -1235,7 +1266,7 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
free_adbentry(adb, &entry);
if (result)
- result =dec_adb_irefcnt(adb);
+ result = dec_adb_irefcnt(adb);
return (result);
}
@@ -1463,31 +1494,13 @@ new_adbfetch(dns_adb_t *adb) {
return (NULL);
f->magic = 0;
- f->namehook = NULL;
- f->entry = NULL;
f->fetch = NULL;
- f->namehook = new_adbnamehook(adb, NULL);
- if (f->namehook == NULL)
- goto err;
-
- f->entry = new_adbentry(adb);
- if (f->entry == NULL)
- goto err;
-
dns_rdataset_init(&f->rdataset);
f->magic = DNS_ADBFETCH_MAGIC;
return (f);
-
- err:
- if (f->namehook != NULL)
- free_adbnamehook(adb, &f->namehook);
- if (f->entry != NULL)
- free_adbentry(adb, &f->entry);
- isc_mempool_put(adb->afmp, f);
- return (NULL);
}
static inline void
@@ -1500,11 +1513,6 @@ free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
f->magic = 0;
- if (f->namehook != NULL)
- free_adbnamehook(adb, &f->namehook);
- if (f->entry != NULL)
- free_adbentry(adb, &f->entry);
-
if (dns_rdataset_isassociated(&f->rdataset))
dns_rdataset_disassociate(&f->rdataset);
@@ -1622,8 +1630,10 @@ find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
* the bucket changes.
*/
static inline dns_adbentry_t *
-find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
- dns_adbentry_t *entry;
+find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp,
+ isc_stdtime_t now)
+{
+ dns_adbentry_t *entry, *entry_next;
int bucket;
bucket = isc_sockaddr_hash(addr, ISC_TRUE) % NBUCKETS;
@@ -1637,11 +1647,18 @@ find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
*bucketp = bucket;
}
- entry = ISC_LIST_HEAD(adb->entries[bucket]);
- while (entry != NULL) {
- if (isc_sockaddr_equal(addr, &entry->sockaddr))
+ /* Search the list, while cleaning up expired entries. */
+ for (entry = ISC_LIST_HEAD(adb->entries[bucket]);
+ entry != NULL;
+ entry = entry_next) {
+ entry_next = ISC_LIST_NEXT(entry, plink);
+ (void)check_expire_entry(adb, &entry, now);
+ if (entry != NULL &&
+ isc_sockaddr_equal(addr, &entry->sockaddr)) {
+ ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+ ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
return (entry);
- entry = ISC_LIST_NEXT(entry, plink);
+ }
}
return (NULL);
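Review bot: `(void)check_expire_entry(adb, &entry, now);` discards a result that every other visible caller treats as meaningful: cleanup_names INSISTs on it and chains on it, and the removed timer_cleanup RUNTIME_CHECKed cleanup_entries to return ISC_FALSE. If ISC_TRUE means a pending dec_adb_irefcnt, as it does for unlink_entry's result in dec_entry_refcnt, dropping it here loses an internal-reference decrement whenever an entry expires in a bucket that is shutting down; if that cannot happen on this path, state why, e.g. `/* cannot be shutting down here: callers test entry_sd[bucket] under this same lock */`, or INSIST on ISC_FALSE. The function's signature is in the previous hunk and the lock acquisition lies between the two hunks, so the lock-held assumption is not visible here.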
@@ -1775,19 +1792,12 @@ shutdown_task(isc_task_t *task, isc_event_t *ev) {
adb = ev->ev_arg;
INSIST(DNS_ADB_VALID(adb));
+ isc_event_free(&ev);
/*
* Wait for lock around check_exit() call to be released.
*/
LOCK(&adb->lock);
- /*
- * Kill the timer, and then the ADB itself. Note that this implies
- * that this task was the one scheduled to get timer events. If
- * this is not true (and it is unfortunate there is no way to INSIST()
- * this) badness will occur.
- */
- isc_timer_detach(&adb->timer);
UNLOCK(&adb->lock);
- isc_event_free(&ev);
destroy(adb);
}
@@ -1826,6 +1836,62 @@ check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
return (result);
}
+/*%
+ * Examine the tail entry of the LRU list to see if it expires or is stale
+ * (unused for some period); if so, the name entry will be freed. If the ADB
+ * is in the overmem condition, the tail and the next to tail entries
+ * will be unconditionally removed (unless they have an outstanding fetch).
+ * We don't care about a race on 'overmem' at the risk of causing some
+ * collateral damage or a small delay in starting cleanup, so we don't bother
+ * to lock ADB (if it's not locked).
+ *
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static void
+check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+ int victims, max_victims;
+ isc_boolean_t result;
+ dns_adbname_t *victim, *next_victim;
+ isc_boolean_t overmem = adb->overmem;
+ int scans = 0;
+
+ INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+ max_victims = overmem ? 2 : 1;
+
+ /*
+ * We limit the number of scanned entries to 10 (arbitrary choice)
+ * in order to avoid examining too many entries when there are many
+ * tail entries that have fetches (this should be rare, but could
+ * happen).
+ */
+ victim = ISC_LIST_TAIL(adb->names[bucket]);
+ for (victims = 0;
+ victim != NULL && victims < max_victims && scans < 10;
+ victim = next_victim) {
+ INSIST(!NAME_DEAD(victim));
+ scans++;
+ next_victim = ISC_LIST_PREV(victim, plink);
+ result = check_expire_name(&victim, now);
+ if (victim == NULL) {
+ victims++;
+ goto next;
+ }
+
+ if (!NAME_FETCH(victim) &&
+ (overmem || victim->last_used + ADB_STALE_MARGIN <= now)) {
+ RUNTIME_CHECK(kill_name(&victim,
+ DNS_EVENT_ADBCANCELED) ==
+ ISC_FALSE);
+ victims++;
+ }
+
+ next:
+ if (!overmem)
+ break;
+ }
+}
+
/*
* Entry bucket must be locked; adb may be locked; no other locks held.
*/
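Review bot: In check_stale_name, `result` is assigned from check_expire_name() and never read, so that return value is silently dropped here while cleanup_names later in this diff propagates it; either remove the variable and write `(void)check_expire_name(&victim, now);` with a comment saying why the result cannot matter here, or check it the way the kill_name() call a few lines below is checked with RUNTIME_CHECK. The eviction policy constants `2` and `10` are bare literals that the comment above the loop has to explain; naming them next to ADB_STALE_MARGIN (constructed examples: `#define ADB_OVERMEM_VICTIMS 2`, `#define ADB_STALE_SCAN_LIMIT 10`) keeps the comment and the code from drifting. The `goto next` whose target holds only `if (!overmem) break;` reads as a disguised early exit; a short comment on the label saying that the non-overmem case examines exactly one tail name would make the control flow self-describing.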
@@ -1833,7 +1899,6 @@ static isc_boolean_t
check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
{
dns_adbentry_t *entry;
- isc_boolean_t expire;
isc_boolean_t result = ISC_FALSE;
INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
@@ -1842,16 +1907,7 @@ check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
if (entry->refcnt != 0)
return (result);
- if (adb->overmem) {
- isc_uint32_t val;
-
- isc_random_get(&val);
-
- expire = ISC_TF((val % 4) == 0);
- } else
- expire = ISC_FALSE;
-
- if (entry->expires == 0 || (! expire && entry->expires > now))
+ if (entry->expires == 0 || entry->expires > now)
return (result);
/*
@@ -1888,7 +1944,7 @@ cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
while (name != NULL) {
next_name = ISC_LIST_NEXT(name, plink);
INSIST(result == ISC_FALSE);
- result = check_expire_namehooks(name, now, adb->overmem);
+ result = check_expire_namehooks(name, now);
if (!result)
result = check_expire_name(&name, now);
name = next_name;
@@ -1920,66 +1976,9 @@ cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
}
static void
-timer_cleanup(isc_task_t *task, isc_event_t *ev) {
- dns_adb_t *adb;
- isc_stdtime_t now;
- unsigned int i;
- isc_interval_t interval;
-
- UNUSED(task);
-
- adb = ev->ev_arg;
- INSIST(DNS_ADB_VALID(adb));
-
- LOCK(&adb->lock);
-
- isc_stdtime_get(&now);
-
- for (i = 0; i < CLEAN_BUCKETS; i++) {
- /*
- * Call our cleanup routines.
- */
- RUNTIME_CHECK(cleanup_names(adb, adb->next_cleanbucket, now) ==
- ISC_FALSE);
- RUNTIME_CHECK(cleanup_entries(adb, adb->next_cleanbucket, now)
- == ISC_FALSE);
-
- /*
- * Set the next bucket to be cleaned.
- */
- adb->next_cleanbucket++;
- if (adb->next_cleanbucket >= NBUCKETS) {
- adb->next_cleanbucket = 0;
-#ifdef DUMP_ADB_AFTER_CLEANING
- dump_adb(adb, stdout, ISC_TRUE, now);
-#endif
- }
- }
-
- /*
- * Reset the timer.
- * XXXDCL isc_timer_reset might return ISC_R_UNEXPECTED or
- * ISC_R_NOMEMORY, but it isn't clear what could be done here
- * if either one of those things happened.
- */
- interval = adb->tick_interval;
- if (adb->overmem)
- isc_interval_set(&interval, 0, 1);
- (void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
- &interval, ISC_FALSE);
-
- UNLOCK(&adb->lock);
-
- isc_event_free(&ev);
-}
-
-static void
destroy(dns_adb_t *adb) {
adb->magic = 0;
- /*
- * The timer is already dead, from the task's shutdown callback.
- */
isc_task_detach(&adb->task);
isc_mempool_destroy(&adb->nmp);
@@ -2016,10 +2015,12 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
REQUIRE(mem != NULL);
REQUIRE(view != NULL);
- REQUIRE(timermgr != NULL);
+ REQUIRE(timermgr != NULL); /* this is actually unused */
REQUIRE(taskmgr != NULL);
REQUIRE(newadb != NULL && *newadb == NULL);
+ UNUSED(timermgr);
+
adb = isc_mem_get(mem, sizeof(dns_adb_t));
if (adb == NULL)
return (ISC_R_NOMEMORY);
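Review bot: `REQUIRE(timermgr != NULL); /* this is actually unused */` asserts a precondition the function no longer needs, so a caller that passes NULL now aborts for no functional reason. If the REQUIRE is kept on purpose so the public contract of dns_adb_create stays unchanged for this release, say so in the comment, e.g. `/* unused since the cleanup timer was removed; still REQUIREd to keep the API contract */`; otherwise drop it and keep only the UNUSED(timermgr).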
@@ -2039,10 +2040,8 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
adb->aimp = NULL;
adb->afmp = NULL;
adb->task = NULL;
- adb->timer = NULL;
adb->mctx = NULL;
adb->view = view;
- adb->timermgr = timermgr;
adb->taskmgr = taskmgr;
adb->next_cleanbucket = 0;
ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
@@ -2080,12 +2079,14 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
goto fail1;
for (i = 0; i < NBUCKETS; i++) {
ISC_LIST_INIT(adb->names[i]);
+ ISC_LIST_INIT(adb->deadnames[i]);
adb->name_sd[i] = ISC_FALSE;
adb->name_refcnt[i] = 0;
adb->irefcnt++;
}
for (i = 0; i < NBUCKETS; i++) {
ISC_LIST_INIT(adb->entries[i]);
+ ISC_LIST_INIT(adb->deadentries[i]);
adb->entry_sd[i] = ISC_FALSE;
adb->entry_refcnt[i] = 0;
adb->irefcnt++;
@@ -2118,25 +2119,12 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
#undef MPINIT
/*
- * Allocate a timer and a task for our periodic cleanup.
+ * Allocate an internal task.
*/
result = isc_task_create(adb->taskmgr, 0, &adb->task);
if (result != ISC_R_SUCCESS)
goto fail3;
isc_task_setname(adb->task, "ADB", adb);
- /*
- * XXXMLG When this is changed to be a config file option,
- */
- isc_interval_set(&adb->tick_interval, CLEAN_SECONDS, 0);
- result = isc_timer_create(adb->timermgr, isc_timertype_once,
- NULL, &adb->tick_interval, adb->task,
- timer_cleanup, adb, &adb->timer);
- if (result != ISC_R_SUCCESS)
- goto fail3;
-
- DP(ISC_LOG_DEBUG(5), "cleaning interval for adb: "
- "%u buckets every %u seconds, %u buckets in system, %u cl.interval",
- CLEAN_BUCKETS, CLEAN_SECONDS, NBUCKETS, CLEAN_PERIOD);
/*
* Normal return.
@@ -2148,8 +2136,6 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
fail3:
if (adb->task != NULL)
isc_task_detach(&adb->task);
- if (adb->timer != NULL)
- isc_timer_detach(&adb->timer);
/* clean up entrylocks */
DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
@@ -2328,18 +2314,18 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
*
* Possibilities: Note that these are not always exclusive.
*
- * No name found. In this case, allocate a new name header and
- * an initial namehook or two. If any of these allocations
- * fail, clean up and return ISC_R_NOMEMORY.
+ * No name found. In this case, allocate a new name header and
+ * an initial namehook or two. If any of these allocations
+ * fail, clean up and return ISC_R_NOMEMORY.
*
- * Name found, valid addresses present. Allocate one addrinfo
- * structure for each found and append it to the linked list
- * of addresses for this header.
+ * Name found, valid addresses present. Allocate one addrinfo
+ * structure for each found and append it to the linked list
+ * of addresses for this header.
*
- * Name found, queries pending. In this case, if a task was
- * passed in, allocate a job id, attach it to the name's job
- * list and remember to tell the caller that there will be
- * more info coming later.
+ * Name found, queries pending. In this case, if a task was
+ * passed in, allocate a job id, attach it to the name's job
+ * list and remember to tell the caller that there will be
+ * more info coming later.
*/
find = new_adbfind(adb);
@@ -2374,6 +2360,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
* Nothing found. Allocate a new adbname structure for this name.
*/
if (adbname == NULL) {
+ /*
+ * See if there is any stale name at the end of list, and purge
+ * it if so.
+ */
+ check_stale_name(adb, bucket, now);
+
adbname = new_adbname(adb, name);
if (adbname == NULL) {
RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
@@ -2387,13 +2379,17 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
adbname->flags |= NAME_GLUE_OK;
if (FIND_STARTATZONE(find))
adbname->flags |= NAME_STARTATZONE;
+ } else {
+ /* Move this name forward in the LRU list */
+ ISC_LIST_UNLINK(adb->names[bucket], adbname, plink);
+ ISC_LIST_PREPEND(adb->names[bucket], adbname, plink);
}
+ adbname->last_used = now;
/*
* Expire old entries, etc.
*/
- RUNTIME_CHECK(check_expire_namehooks(adbname, now, adb->overmem) ==
- ISC_FALSE);
+ RUNTIME_CHECK(check_expire_namehooks(adbname, now) == ISC_FALSE);
/*
* Do we know that the name is an alias?
@@ -2953,8 +2949,8 @@ print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
static inline void
print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
- fprintf(f, "\t\tFetch(%s): %p -> { nh %p, entry %p, fetch %p }\n",
- type, ft, ft->namehook, ft->entry, ft->fetch);
+ fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n",
+ type, ft, ft->fetch);
}
static void
@@ -2991,7 +2987,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
+ fname = dns_fixedname_name(&foundname);
dns_rdataset_init(&rdataset);
if (rdtype == dns_rdatatype_a)
@@ -3202,6 +3198,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
name->fetch_err = FIND_ERR_NXDOMAIN;
else
name->fetch_err = FIND_ERR_NXRRSET;
+ inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
} else {
DP(NCACHE_LEVEL, "adb fetch name %p: "
"caching negative entry for AAAA (ttl %u)",
@@ -3212,6 +3209,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
name->fetch6_err = FIND_ERR_NXDOMAIN;
else
name->fetch6_err = FIND_ERR_NXRRSET;
+ inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
}
goto out;
}
@@ -3251,9 +3249,11 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
if (address_type == DNS_ADBFIND_INET) {
name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
name->fetch_err = FIND_ERR_FAILURE;
+ inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
} else {
name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
name->fetch6_err = FIND_ERR_FAILURE;
+ inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
}
goto out;
}
@@ -3338,10 +3338,13 @@ fetch_name(dns_adbname_t *adbname,
if (result != ISC_R_SUCCESS)
goto cleanup;
- if (type == dns_rdatatype_a)
+ if (type == dns_rdatatype_a) {
adbname->fetch_a = fetch;
- else
+ inc_stats(adb, dns_resstatscounter_gluefetchv4);
+ } else {
adbname->fetch_aaaa = fetch;
+ inc_stats(adb, dns_resstatscounter_gluefetchv6);
+ }
fetch = NULL; /* Keep us from cleaning this up below. */
cleanup:
@@ -3464,7 +3467,7 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
result = ISC_R_SUCCESS;
bucket = DNS_ADB_INVALIDBUCKET;
- entry = find_entry_and_lock(adb, sa, &bucket);
+ entry = find_entry_and_lock(adb, sa, &bucket, now);
if (adb->entry_sd[bucket]) {
result = ISC_R_SHUTTINGDOWN;
goto unlock;
@@ -3590,7 +3593,6 @@ static void
water(void *arg, int mark) {
dns_adb_t *adb = arg;
isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
- isc_interval_t interval;
REQUIRE(DNS_ADB_VALID(adb));
@@ -3604,11 +3606,6 @@ water(void *arg, int mark) {
LOCK(&adb->overmemlock);
if (adb->overmem != overmem) {
adb->overmem = overmem;
- if (overmem) {
- isc_interval_set(&interval, 0, 1);
- (void)isc_timer_reset(adb->timer, isc_timertype_once,
- NULL, &interval, ISC_TRUE);
- }
isc_mem_waterack(adb->mctx, mark);
}
UNLOCK(&adb->overmemlock);
diff --git a/lib/dns/api b/lib/dns/api
index 0b8a3bc5beea..5ef8dc035a3e 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 36
-LIBREVISION = 2
-LIBAGE = 0
+LIBINTERFACE = 51
+LIBREVISION = 1
+LIBAGE = 1
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 38d6e8bf00d5..234d6b2cd097 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byaddr.c,v 1.34.18.3 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: byaddr.c,v 1.39 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index c9b4a9588558..aee824e5135c 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,13 +15,14 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cache.c,v 1.57.18.18 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: cache.c,v 1.80.50.3 2009/05/06 23:34:30 jinmei Exp $ */
/*! \file */
#include <config.h>
#include <isc/mem.h>
+#include <isc/string.h>
#include <isc/task.h>
#include <isc/time.h>
#include <isc/timer.h>
@@ -47,7 +48,7 @@
* DNS_CACHE_MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
* See also DNS_CACHE_CLEANERINCREMENT
*/
-#define DNS_CACHE_MINSIZE 2097152 /*%< Bytes. 2097152 = 2 MB */
+#define DNS_CACHE_MINSIZE 2097152 /*%< Bytes. 2097152 = 2 MB */
/*!
* Control incremental cleaning.
* CLEANERINCREMENT is how many nodes are examined in one pass.
@@ -60,7 +61,7 @@
***/
/*
- * A cache_cleaner_t encapsulsates the state of the periodic
+ * A cache_cleaner_t encapsulates the state of the periodic
* cache cleaning.
*/
@@ -69,7 +70,7 @@ typedef struct cache_cleaner cache_cleaner_t;
typedef enum {
cleaner_s_idle, /*%< Waiting for cleaning-interval to expire. */
cleaner_s_busy, /*%< Currently cleaning. */
- cleaner_s_done /*%< Freed enough memory after being overmem. */
+ cleaner_s_done /*%< Freed enough memory after being overmem. */
} cleaner_state_t;
/*
@@ -95,19 +96,19 @@ struct cache_cleaner {
*/
dns_cache_t *cache;
- isc_task_t *task;
+ isc_task_t *task;
unsigned int cleaning_interval; /*% The cleaning-interval from
named.conf, in seconds. */
- isc_timer_t *cleaning_timer;
+ isc_timer_t *cleaning_timer;
isc_event_t *resched_event; /*% Sent by cleaner task to
itself to reschedule */
isc_event_t *overmem_event;
dns_dbiterator_t *iterator;
- unsigned int increment; /*% Number of names to
+ unsigned int increment; /*% Number of names to
clean in one increment */
- cleaner_state_t state; /*% Idle/Busy. */
- isc_boolean_t overmem; /*% The cache is in an overmem state. */
+ cleaner_state_t state; /*% Idle/Busy. */
+ isc_boolean_t overmem; /*% The cache is in an overmem state. */
isc_boolean_t replaceiterator;
};
@@ -133,7 +134,7 @@ struct dns_cache {
char **db_argv;
/* Locked by 'filelock'. */
- char * filename;
+ char *filename;
/* Access to the on-disk cache file is also locked by 'filelock'. */
};
@@ -157,79 +158,6 @@ cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
static void
overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
-/*%
- * Work out how many nodes can be cleaned in the time between two
- * requests to the nameserver. Smooth the resulting number and use
- * it as a estimate for the number of nodes to be cleaned in the next
- * iteration.
- */
-static void
-adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
- isc_time_t *start)
-{
- isc_time_t end;
- isc_uint64_t usecs;
- isc_uint64_t new;
- unsigned int pps = dns_pps;
- unsigned int interval;
- unsigned int names;
-
- /*
- * Tune for minumum of 100 packets per second (pps).
- */
- if (pps < 100)
- pps = 100;
-
- isc_time_now(&end);
-
- interval = 1000000 / pps; /* Interval between packets in usecs. */
- if (interval == 0)
- interval = 1;
-
- INSIST(cleaner->increment >= remaining);
- names = cleaner->increment - remaining;
- usecs = isc_time_microdiff(&end, start);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "adjust_increment interval=%u "
- "names=%u usec=%" ISC_PLATFORM_QUADFORMAT "u",
- interval, names, usecs);
-
- if (usecs == 0) {
- /*
- * If we cleaned all the nodes in unmeasurable time
- * double the number of nodes to be cleaned next time.
- */
- if (names == cleaner->increment) {
- cleaner->increment *= 2;
- if (cleaner->increment > DNS_CACHE_CLEANERINCREMENT)
- cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "%p:new cleaner->increment = %u\n",
- cleaner, cleaner->increment);
- }
- return;
- }
-
- new = (names * interval);
- new /= (usecs * 2);
- if (new == 0)
- new = 1;
-
- /* Smooth */
- new = (new + cleaner->increment * 7) / 8;
-
- if (new > DNS_CACHE_CLEANERINCREMENT)
- new = DNS_CACHE_CLEANERINCREMENT;
-
- cleaner->increment = (unsigned int)new;
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "%p:new cleaner->increment = %u\n",
- cleaner, cleaner->increment);
-}
-
static inline isc_result_t
cache_create_db(dns_cache_t *cache, dns_db_t **db) {
return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
@@ -246,6 +174,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_result_t result;
dns_cache_t *cache;
int i;
+ isc_task_t *dbtask;
REQUIRE(cachep != NULL);
REQUIRE(*cachep == NULL);
@@ -301,12 +230,29 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
result = cache_create_db(cache, &cache->db);
if (result != ISC_R_SUCCESS)
goto cleanup_dbargv;
+ if (taskmgr != NULL) {
+ dbtask = NULL;
+ result = isc_task_create(taskmgr, 1, &dbtask);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_db;
+ dns_db_settask(cache->db, dbtask);
+ isc_task_detach(&dbtask);
+ }
cache->filename = NULL;
cache->magic = CACHE_MAGIC;
- result = cache_cleaner_init(cache, taskmgr, timermgr, &cache->cleaner);
+ /*
+ * RBT-type cache DB has its own mechanism of cache cleaning and doesn't
+ * need the control of the generic cleaner.
+ */
+ if (strcmp(db_type, "rbt") == 0)
+ result = cache_cleaner_init(cache, NULL, NULL, &cache->cleaner);
+ else {
+ result = cache_cleaner_init(cache, taskmgr, timermgr,
+ &cache->cleaner);
+ }
if (result != ISC_R_SUCCESS)
goto cleanup_db;
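Review bot: The new `cache_cleaner_init(cache, NULL, NULL, &cache->cleaner)` call for the rbt case passes NULL managers, but the visible part of cache_cleaner_init (the hunk at -603) still calls `isc_timer_create(timermgr, ...)` with no guard in view; whether a taskmgr/timermgr NULL check precedes it is outside the hunks, so confirm it exists, otherwise every rbt cache hits a NULL dereference or REQUIRE abort at creation. `strcmp(db_type, "rbt")` likewise assumes db_type is non-NULL; if dns_cache_create has no REQUIRE on it earlier (outside the hunk), add one. The `1` passed as the quantum to isc_task_create is a bare literal that deserves a short comment. Stylistically, the if/else braces only the else arm; brace both.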
@@ -603,8 +549,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
cleaner->cleaning_interval = 0; /* Initially turned off. */
result = isc_timer_create(timermgr, isc_timertype_inactive,
- NULL, NULL,
- cleaner->task,
+ NULL, NULL, cleaner->task,
cleaning_timer_action, cleaner,
&cleaner->cleaning_timer);
if (result != ISC_R_SUCCESS) {
@@ -848,7 +793,6 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
"cache cleaner: dns_dbiterator_current() "
"failed: %s", dns_result_totext(result));
- adjust_increment(cleaner, n_names, &start);
end_cleaning(cleaner, event);
return;
}
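Review bot: Removing the adjust_increment() calls here and in the next hunk likely leaves `start` (set by isc_time_now near the top of incremental_cleaning_action, outside the hunk) as a write-only variable; if nothing else reads it, remove its declaration and the isc_time_now call so the function stays clean under -Wunused-but-set-variable. With the adaptive tuning gone, cleaner->increment now keeps whatever value it is initialised with; a comment at that initialisation (outside this hunk) should state that the increment is fixed.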
@@ -892,14 +836,11 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
}
}
- adjust_increment(cleaner, n_names, &start);
end_cleaning(cleaner, event);
return;
}
}
- adjust_increment(cleaner, 0U, &start);
-
/*
* We have successfully performed a cleaning increment but have
* not gone through the entire cache. Free the iterator locks
@@ -929,7 +870,7 @@ dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
REQUIRE(VALID_CACHE(cache));
- result = dns_db_createiterator(cache->db, ISC_FALSE, &iterator);
+ result = dns_db_createiterator(cache->db, 0, &iterator);
if (result != ISC_R_SUCCESS)
return result;
@@ -1002,7 +943,7 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
REQUIRE(VALID_CACHE(cache));
/*
- * Impose a minumum cache size; pathological things happen if there
+ * Impose a minimum cache size; pathological things happen if there
* is too little room.
*/
if (size != 0 && size < DNS_CACHE_MINSIZE)
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
index a487ed0412df..928f37df7809 100644
--- a/lib/dns/callbacks.c
+++ b/lib/dns/callbacks.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: callbacks.c,v 1.13.18.2 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: callbacks.c,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 2103767f2d9f..11473ee95f8b 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: compress.c,v 1.52.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.c,v 1.59 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 32ff6aebb7bd..a4c28641701f 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db.c,v 1.74.18.6 2005/10/13 02:12:24 marka Exp $ */
+/* $Id: db.c,v 1.88 2008/09/24 02:46:22 marka Exp $ */
/*! \file */
@@ -95,7 +95,7 @@ static inline dns_dbimplementation_t *
impfind(const char *name) {
dns_dbimplementation_t *imp;
- for (imp = ISC_LIST_HEAD(implementations);
+ for (imp = ISC_LIST_HEAD(implementations);
imp != NULL;
imp = ISC_LIST_NEXT(imp, link))
if (strcasecmp(name, imp->name) == 0)
@@ -229,6 +229,21 @@ dns_db_isstub(dns_db_t *db) {
}
isc_boolean_t
+dns_db_isdnssec(dns_db_t *db) {
+
+ /*
+ * Is 'db' secure or partially secure?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+ if (db->methods->isdnssec != NULL)
+ return ((db->methods->isdnssec)(db));
+ return ((db->methods->issecure)(db));
+}
+
+isc_boolean_t
dns_db_issecure(dns_db_t *db) {
/*
@@ -450,6 +465,21 @@ dns_db_findnode(dns_db_t *db, dns_name_t *name,
}
isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create, dns_dbnode_t **nodep)
+{
+
+ /*
+ * Find the node with name 'name'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ return ((db->methods->findnsec3node)(db, name, create, nodep));
+}
+
+isc_result_t
dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
dns_dbnode_t **nodep, dns_name_t *foundname,
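Review bot: The header comment of dns_db_findnsec3node is copied from dns_db_findnode and does not say that it looks up the NSEC3 node for 'name'; suggest `* Find the NSEC3 node with name 'name'.`. Unlike dns_db_getrrsetstats and dns_db_getnsec3parameters added later in this file, the call goes through `db->methods->findnsec3node` with no NULL check, so a database implementation that leaves the method unset would crash instead of returning an error. If not every implementation is required to provide it, guard with `if (db->methods->findnsec3node == NULL) return (ISC_R_NOTIMPLEMENTED);` before the call.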
@@ -527,6 +557,30 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
ENSURE(*nodep == NULL);
}
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp)
+{
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+ /*
+ * This doesn't check the implementation magic. If we find that
+ * we need such checks in future then this will be done in the
+ * method.
+ */
+ REQUIRE(sourcep != NULL && *sourcep != NULL);
+
+ UNUSED(db);
+
+ if (db->methods->transfernode == NULL) {
+ *targetp = *sourcep;
+ *sourcep = NULL;
+ } else
+ (db->methods->transfernode)(db, sourcep, targetp);
+
+ ENSURE(*sourcep == NULL);
+}
+
isc_result_t
dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
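Review bot: `UNUSED(db);` in dns_db_transfernode is contradicted by the `db->methods->transfernode` read two lines below and by the REQUIRE(DNS_DB_VALID(db)) above it; the macro should be dropped so the function does not declare a parameter unused that it actually reads. The fallback branch hands the node reference over without consulting the implementation, which the comment only partly explains; a one-liner such as `/* Default: move the reference as-is; an implementation may override via transfernode. */` would make the intent explicit.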
@@ -559,7 +613,7 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
***/
isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+dns_db_createiterator(dns_db_t *db, unsigned int flags,
dns_dbiterator_t **iteratorp)
{
/*
@@ -569,7 +623,7 @@ dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
REQUIRE(DNS_DB_VALID(db));
REQUIRE(iteratorp != NULL && *iteratorp == NULL);
- return (db->methods->createiterator(db, relative_names, iteratorp));
+ return (db->methods->createiterator(db, flags, iteratorp));
}
/***
@@ -687,7 +741,7 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
type, covers));
}
-void
+void
dns_db_overmem(dns_db_t *db, isc_boolean_t overmem) {
REQUIRE(DNS_DB_VALID(db));
@@ -713,11 +767,11 @@ dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
(isc_stdtime_t)0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS)
goto freenode;
result = dns_rdataset_first(&rdataset);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS)
goto freerdataset;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdataset_next(&rdataset);
@@ -770,7 +824,7 @@ dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
RWUNLOCK(&implock, isc_rwlocktype_write);
return (ISC_R_EXISTS);
}
-
+
imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
if (imp == NULL) {
RWUNLOCK(&implock, isc_rwlocktype_write);
@@ -819,3 +873,54 @@ dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
return (ISC_R_NOTFOUND);
}
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db) {
+ REQUIRE(DNS_DB_VALID(db));
+
+ if (db->methods->getrrsetstats != NULL)
+ return ((db->methods->getrrsetstats)(db));
+
+ return (NULL);
+}
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+ dns_hash_t *hash, isc_uint8_t *flags,
+ isc_uint16_t *iterations,
+ unsigned char *salt, size_t *salt_length)
+{
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(dns_db_iszone(db) == ISC_TRUE);
+
+ if (db->methods->getnsec3parameters != NULL)
+ return ((db->methods->getnsec3parameters)(db, version, hash,
+ flags, iterations,
+ salt, salt_length));
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+ isc_stdtime_t resign)
+{
+ if (db->methods->setsigningtime != NULL)
+ return ((db->methods->setsigningtime)(db, rdataset, resign));
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
+{
+ if (db->methods->getsigningtime != NULL)
+ return ((db->methods->getsigningtime)(db, rdataset, name));
+ return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+{
+ if (db->methods->resigned != NULL)
+ (db->methods->resigned)(db, rdataset, version);
+}
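Review bot: dns_db_setsigningtime, dns_db_getsigningtime and dns_db_resigned dereference `db->methods` without the `REQUIRE(DNS_DB_VALID(db));` that dns_db_getrrsetstats and dns_db_getnsec3parameters in the same hunk perform, so a stale or NULL db is not caught by the magic check on these three paths. Add the REQUIRE as the first statement of each. None of the three has a header comment; a one-liner per function naming the ISC_R_NOTIMPLEMENTED or ISC_R_NOTFOUND fallback returned when the implementation omits the method would tell callers what to expect.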
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
index d462ad5587e8..8981e49c2646 100644
--- a/lib/dns/dbiterator.c
+++ b/lib/dns/dbiterator.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbiterator.c,v 1.14.18.2 2005/04/29 00:15:50 marka Exp $ */
+/* $Id: dbiterator.c,v 1.18 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
index b091e42c7821..57bbfc1ef81e 100644
--- a/lib/dns/dbtable.c
+++ b/lib/dns/dbtable.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dbtable.c,v 1.28.18.3 2005/07/12 01:22:19 marka Exp $
+ * $Id: dbtable.c,v 1.33 2007/06/19 23:47:16 tbox Exp $
*/
/*! \file
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 22a3938790e2..9489821ca615 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: diff.c,v 1.9.18.3 2005/04/27 05:01:15 sra Exp $ */
+/* $Id: diff.c,v 1.18.50.2 2009/01/05 23:47:22 tbox Exp $ */
/*! \file */
@@ -35,6 +35,7 @@
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
@@ -120,6 +121,7 @@ dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
void
dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
diff->mctx = mctx;
+ diff->resign = 0;
ISC_LIST_INIT(diff->tuples);
diff->magic = DNS_DIFF_MAGIC;
}
@@ -192,6 +194,40 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
ENSURE(*tuplep == NULL);
}
+static isc_stdtime_t
+setresign(dns_rdataset_t *modified, isc_uint32_t delta) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t sig;
+ isc_stdtime_t when;
+ isc_result_t result;
+
+ result = dns_rdataset_first(modified);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(modified, &rdata);
+ (void)dns_rdata_tostruct(&rdata, &sig, NULL);
+ if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
+ when = 0;
+ else
+ when = sig.timeexpire - delta;
+ dns_rdata_reset(&rdata);
+
+ result = dns_rdataset_next(modified);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(modified, &rdata);
+ (void)dns_rdata_tostruct(&rdata, &sig, NULL);
+ if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
+ goto next_rr;
+ }
+ if (when == 0 || sig.timeexpire - delta < when)
+ when = sig.timeexpire - delta;
+ next_rr:
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(modified);
+ }
+ INSIST(result == ISC_R_NOMORE);
+ return (when);
+}
+
static isc_result_t
diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_boolean_t warn)
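Review bot: setresign discards the result of both dns_rdata_tostruct calls and then reads sig.timeexpire; if the conversion fails, sig is uninitialized. Since the rdataset is expected to contain only RRSIGs, use `RUNTIME_CHECK(dns_rdata_tostruct(&rdata, &sig, NULL) == ISC_R_SUCCESS);` (or an INSIST, matching the ones already used for dns_rdataset_first/next). `sig.timeexpire - delta` is unsigned arithmetic and wraps when delta exceeds the expiry time, producing a far-future re-sign time; a header comment stating the assumed range of diff->resign, or a clamp to 0, would make that explicit. The same comment should note that `when == 0` doubles as the "no online signature seen" sentinel.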
@@ -220,14 +256,15 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
* but such diffs should never be created in the first
* place.
*/
- node = NULL;
- CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
while (t != NULL && dns_name_equal(&t->name, name)) {
dns_rdatatype_t type, covers;
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
+ dns_rdataset_t ardataset;
+ dns_rdataset_t *modified = NULL;
+ isc_boolean_t offline;
op = t->op;
type = t->rdata.type;
@@ -255,6 +292,16 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
+ node = NULL;
+ if (type != dns_rdatatype_nsec3 &&
+ covers != dns_rdatatype_nsec3)
+ CHECK(dns_db_findnode(db, name, ISC_TRUE,
+ &node));
+ else
+ CHECK(dns_db_findnsec3node(db, name, ISC_TRUE,
+ &node));
+
+ offline = ISC_FALSE;
while (t != NULL &&
dns_name_equal(&t->name, name) &&
t->op == op &&
@@ -269,13 +316,15 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
sizeof(classbuf));
if (t->ttl != rdl.ttl && warn)
isc_log_write(DIFF_COMMON_LOGARGS,
- ISC_LOG_WARNING,
+ ISC_LOG_WARNING,
"'%s/%s/%s': TTL differs in "
"rdataset, adjusting "
"%lu -> %lu",
namebuf, typebuf, classbuf,
(unsigned long) t->ttl,
(unsigned long) rdl.ttl);
+ if (t->rdata.flags & DNS_RDATA_OFFLINE)
+ offline = ISC_TRUE;
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
@@ -285,28 +334,52 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+ if (rds.type == dns_rdatatype_rrsig)
+ switch (op) {
+ case DNS_DIFFOP_ADDRESIGN:
+ case DNS_DIFFOP_DELRESIGN:
+ modified = &ardataset;
+ dns_rdataset_init(modified);
+ break;
+ default:
+ break;
+ }
rds.trust = dns_trust_ultimate;
/*
* Merge the rdataset into the database.
*/
- if (op == DNS_DIFFOP_ADD) {
+ switch (op) {
+ case DNS_DIFFOP_ADD:
+ case DNS_DIFFOP_ADDRESIGN:
result = dns_db_addrdataset(db, node, ver,
0, &rds,
DNS_DBADD_MERGE|
DNS_DBADD_EXACT|
DNS_DBADD_EXACTTTL,
- NULL);
- } else if (op == DNS_DIFFOP_DEL) {
+ modified);
+ break;
+ case DNS_DIFFOP_DEL:
+ case DNS_DIFFOP_DELRESIGN:
result = dns_db_subtractrdataset(db, node, ver,
&rds,
DNS_DBSUB_EXACT,
- NULL);
- } else {
+ modified);
+ break;
+ default:
INSIST(0);
}
- if (result == DNS_R_UNCHANGED) {
- /*
+
+ if (result == ISC_R_SUCCESS) {
+ if (modified != NULL) {
+ isc_stdtime_t resign;
+ resign = setresign(modified,
+ diff->resign);
+ dns_db_setsigningtime(db, modified,
+ resign);
+ }
+ } else if (result == DNS_R_UNCHANGED) {
+ /*
* This will not happen when executing a
* dynamic update, because that code will
* generate strictly minimal diffs.
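Review bot: The return value of dns_db_setsigningtime is dropped in the new ISC_R_SUCCESS branch, so a database that does not implement the method (the wrapper added to db.c in this same commit returns ISC_R_NOTIMPLEMENTED) silently leaves the RRSIG unscheduled for re-signing. Either CHECK the result, or, if NOTIMPLEMENTED is expected for databases without re-signing support, say so with `/* Best effort: databases without re-signing support return NOTIMPLEMENTED. */`. diff_apply starts and ends outside this hunk.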
@@ -318,16 +391,21 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"update with no effect");
- } else if (result == ISC_R_SUCCESS ||
- result == DNS_R_NXRRSET) {
+ } else if (result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
+ if (modified != NULL &&
+ dns_rdataset_isassociated(modified))
+ dns_rdataset_disassociate(modified);
CHECK(result);
}
+ dns_db_detachnode(db, &node);
+ if (modified != NULL &&
+ dns_rdataset_isassociated(modified))
+ dns_rdataset_disassociate(modified);
}
- dns_db_detachnode(db, &node);
}
return (ISC_R_SUCCESS);
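Review bot: As far as the visible hunks show, `offline` is initialized and set from DNS_RDATA_OFFLINE but never read, so it is dead state unless a part of diff_apply outside these hunks consumes it; if nothing does, drop the variable and its two assignments. The disassociate of `modified` now appears twice, once before CHECK(result) in the error branch and once after the if/else chain; moving the detachnode/disassociate pair ahead of the result dispatch and calling CHECK(result) afterwards would leave a single cleanup path. The failure label that CHECK jumps to is outside the hunk, so whether it detaches `node` cannot be confirmed here.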
@@ -455,7 +533,7 @@ dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
/*
* Create an rdataset containing the single RR of the given
- * tuple. The caller must allocate the the rdata, rdataset and
+ * tuple. The caller must allocate the rdata, rdataset and
* an rdatalist structure for it to refer to.
*/
@@ -485,6 +563,7 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
dns_difftuple_t *t;
char *mem = NULL;
unsigned int size = 2048;
+ const char *op = NULL;
REQUIRE(DNS_DIFF_VALID(diff));
@@ -536,15 +615,20 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
buf.used--;
isc_buffer_usedregion(&buf, &r);
+ switch (t->op) {
+ case DNS_DIFFOP_EXISTS: op = "exists"; break;
+ case DNS_DIFFOP_ADD: op = "add"; break;
+ case DNS_DIFFOP_DEL: op = "del"; break;
+ case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
+ case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
+ }
if (file != NULL)
- fprintf(file, "%s %.*s\n",
- t->op == DNS_DIFFOP_ADD ? "add" : "del",
- (int) r.length, (char *) r.base);
+ fprintf(file, "%s %.*s\n", op, (int) r.length,
+ (char *) r.base);
else
isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
- "%s %.*s",
- t->op == DNS_DIFFOP_ADD ? "add" : "del",
- (int) r.length, (char *) r.base);
+ "%s %.*s", op, (int) r.length,
+ (char *) r.base);
}
result = ISC_R_SUCCESS;
cleanup:
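Review bot: The new switch on t->op has no default case, and `op` is declared once outside the loop, so an unexpected opcode either prints the previous tuple's label or, on the first tuple, passes NULL to a `%s` conversion. Add `default: INSIST(0); break;` (the file already uses INSIST(0) for an impossible op in diff_apply), or at least `default: op = "unknown"; break;`, so the enum cannot grow without this site being revisited.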
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 794cdb5e5aac..9b4e9685f408 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dispatch.c,v 1.116.18.37 2008/09/04 00:24:41 jinmei Exp $ */
+/* $Id: dispatch.c,v 1.155.12.7 2009/04/28 21:39:45 jinmei Exp $ */
/*! \file */
@@ -32,6 +32,7 @@
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
+#include <isc/stats.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/time.h>
@@ -43,14 +44,18 @@
#include <dns/log.h>
#include <dns/message.h>
#include <dns/portlist.h>
+#include <dns/stats.h>
#include <dns/tcpmsg.h>
#include <dns/types.h>
typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
-typedef struct dispsocket dispsocket_t;
+typedef struct dispsocket dispsocket_t;
typedef ISC_LIST(dispsocket_t) dispsocketlist_t;
+typedef struct dispportentry dispportentry_t;
+typedef ISC_LIST(dispportentry_t) dispportlist_t;
+
/* ARC4 Random generator state */
typedef struct arc4ctx {
isc_uint8_t i;
@@ -76,6 +81,7 @@ struct dns_dispatchmgr {
isc_mem_t *mctx;
dns_acl_t *blackhole;
dns_portlist_t *portlist;
+ isc_stats_t *stats;
isc_entropy_t *entropy; /*%< entropy source */
/* Locked by "lock". */
@@ -170,7 +176,8 @@ struct dispsocket {
isc_socket_t *socket;
dns_dispatch_t *disp;
isc_sockaddr_t host;
- in_port_t localport;
+ in_port_t localport; /* XXX: should be removed later */
+ dispportentry_t *portentry;
dns_dispentry_t *resp;
isc_task_t *task;
ISC_LINK(dispsocket_t) link;
@@ -178,6 +185,21 @@ struct dispsocket {
ISC_LINK(dispsocket_t) blink;
};
+/*%
+ * A port table entry. We remember every port we first open in a table with a
+ * reference counter so that we can 'reuse' the same port (with different
+ * destination addresses) using the SO_REUSEADDR socket option.
+ */
+struct dispportentry {
+ in_port_t port;
+ unsigned int refs;
+ ISC_LINK(struct dispportentry) link;
+};
+
+#ifndef DNS_DISPATCH_PORTTABLESIZE
+#define DNS_DISPATCH_PORTTABLESIZE 1024
+#endif
+
#define INVALID_BUCKET (0xffffdead)
/*%
@@ -227,6 +249,8 @@ struct dns_dispatch {
dns_tcpmsg_t tcpmsg; /*%< for tcp streams */
dns_qid_t *qid;
arc4ctx_t arc4ctx; /*%< for QID/UDP port num */
+ dispportlist_t *port_table; /*%< hold ports 'owned' by us */
+ isc_mempool_t *portpool; /*%< port table entries */
};
#define QID_MAGIC ISC_MAGIC('Q', 'i', 'd', ' ')
@@ -330,6 +354,12 @@ mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
level, "dispatchmgr %p: %s", mgr, msgbuf);
}
+static inline void
+inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+ if (mgr->stats != NULL)
+ isc_stats_increment(mgr->stats, counter);
+}
+
static void
dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
@@ -677,6 +707,64 @@ destroy_disp(isc_task_t *task, isc_event_t *event) {
}
/*%
+ * Manipulate port table per dispatch: find an entry for a given port number,
+ * create a new entry, and decrement a given entry with possible clean-up.
+ */
+static dispportentry_t *
+port_search(dns_dispatch_t *disp, in_port_t port) {
+ dispportentry_t *portentry;
+
+ REQUIRE(disp->port_table != NULL);
+
+ portentry = ISC_LIST_HEAD(disp->port_table[port %
+ DNS_DISPATCH_PORTTABLESIZE]);
+ while (portentry != NULL) {
+ if (portentry->port == port)
+ return (portentry);
+ portentry = ISC_LIST_NEXT(portentry, link);
+ }
+
+ return (NULL);
+}
+
+static dispportentry_t *
+new_portentry(dns_dispatch_t *disp, in_port_t port) {
+ dispportentry_t *portentry;
+
+ REQUIRE(disp->port_table != NULL);
+
+ portentry = isc_mempool_get(disp->portpool);
+ if (portentry == NULL)
+ return (portentry);
+
+ portentry->port = port;
+ portentry->refs = 0;
+ ISC_LINK_INIT(portentry, link);
+ ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE],
+ portentry, link);
+
+ return (portentry);
+}
+
+static void
+deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
+ dispportentry_t *portentry = *portentryp;
+
+ REQUIRE(disp->port_table != NULL);
+ REQUIRE(portentry != NULL && portentry->refs > 0);
+
+ portentry->refs--;
+ if (portentry->refs == 0) {
+ ISC_LIST_UNLINK(disp->port_table[portentry->port %
+ DNS_DISPATCH_PORTTABLESIZE],
+ portentry, link);
+ isc_mempool_put(disp->portpool, portentry);
+ }
+
+ *portentryp = NULL;
+}
+
+/*%
* Find a dispsocket for socket address 'dest', and port number 'port'.
* Return NULL if no such entry exists.
*/
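Review bot: port_search, new_portentry and deref_portentry walk and modify the per-dispatch port table with no locking of their own; presumably callers hold disp->lock, but nothing in the hunk says so, and the block comment above them should state it once confirmed: `/* Caller must hold disp->lock. */`. new_portentry returns an entry with refs == 0 and relies on the caller to take the first reference, which deref_portentry's `refs > 0` REQUIRE will trip on if any caller forgets; documenting that contract in the same comment (`new entries start at refs 0; the caller takes the first reference`) makes the asymmetry visible.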
@@ -692,7 +780,7 @@ socket_search(dns_qid_t *qid, isc_sockaddr_t *dest, in_port_t port,
while (dispsock != NULL) {
if (isc_sockaddr_equal(dest, &dispsock->host) &&
- dispsock->localport == port)
+ dispsock->portentry->port == port)
return (dispsock);
dispsock = ISC_LIST_NEXT(dispsock, blink);
}
@@ -720,6 +808,8 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
dispsocket_t *dispsock;
unsigned int nports;
in_port_t *ports;
+ unsigned int bindoptions;
+ dispportentry_t *portentry = NULL;
if (isc_sockaddr_pf(&disp->local) == AF_INET) {
nports = disp->mgr->nv4ports;
@@ -745,6 +835,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
dispsock->socket = NULL;
dispsock->disp = disp;
dispsock->resp = NULL;
+ dispsock->portentry = NULL;
isc_random_get(&r);
dispsock->task = NULL;
isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task);
@@ -767,16 +858,29 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
bucket = dns_hash(qid, dest, 0, port);
if (socket_search(qid, dest, port, bucket) != NULL)
continue;
-
- result = open_socket(sockmgr, &localaddr, 0, &sock);
- if (result == ISC_R_SUCCESS || result != ISC_R_ADDRINUSE)
+ bindoptions = 0;
+ portentry = port_search(disp, port);
+ if (portentry != NULL)
+ bindoptions |= ISC_SOCKET_REUSEADDRESS;
+ result = open_socket(sockmgr, &localaddr, bindoptions, &sock);
+ if (result == ISC_R_SUCCESS) {
+ if (portentry == NULL) {
+ portentry = new_portentry(disp, port);
+ if (portentry == NULL) {
+ result = ISC_R_NOMEMORY;
+ break;
+ }
+ }
+ portentry->refs++;
+ break;
+ } else if (result != ISC_R_ADDRINUSE)
break;
}
if (result == ISC_R_SUCCESS) {
dispsock->socket = sock;
dispsock->host = *dest;
- dispsock->localport = port;
+ dispsock->portentry = portentry;
dispsock->bucket = bucket;
ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
*dispsockp = dispsock;
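Review bot: In the new get_dispsocket loop, when open_socket succeeds but new_portentry returns NULL the code sets result to ISC_R_NOMEMORY and breaks while `sock` has already been opened and is not yet stored in dispsock->socket; unless the else branch after this hunk detaches `sock`, the socket is leaked on that path. Releasing it in place would be safer: `isc_socket_detach(&sock); result = ISC_R_NOMEMORY; break;`. The rest of get_dispsocket is outside the hunk.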
@@ -813,6 +917,8 @@ destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
disp->nsockets--;
dispsock->magic = 0;
+ if (dispsock->portentry != NULL)
+ deref_portentry(disp, &dispsock->portentry);
if (dispsock->socket != NULL)
isc_socket_detach(&dispsock->socket);
if (ISC_LINK_LINKED(dispsock, blink)) {
@@ -847,6 +953,9 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
dispsock->resp->dispsocket = NULL;
}
+ INSIST(dispsock->portentry != NULL);
+ deref_portentry(disp, &dispsock->portentry);
+
if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
destroy_dispsocket(disp, &dispsock);
else {
@@ -1161,6 +1270,7 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
bucket, (resp == NULL ? "not found" : "found"));
if (resp == NULL) {
+ inc_stats(mgr, dns_resstatscounter_mismatch);
free_buffer(disp, ev->region.base, ev->region.length);
goto unlock;
}
@@ -1168,6 +1278,7 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
&resp->host)) {
dispatch_log(disp, LVL(90),
"response to an exclusive socket doesn't match");
+ inc_stats(mgr, dns_resstatscounter_mismatch);
free_buffer(disp, ev->region.base, ev->region.length);
goto unlock;
}
@@ -1603,6 +1714,9 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) {
if (mgr->blackhole != NULL)
dns_acl_detach(&mgr->blackhole);
+ if (mgr->stats != NULL)
+ isc_stats_detach(&mgr->stats);
+
if (mgr->v4ports != NULL) {
isc_mem_put(mctx, mgr->v4ports,
mgr->nv4ports * sizeof(in_port_t));
@@ -1628,6 +1742,7 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
isc_sockettype_udp, &sock);
if (result != ISC_R_SUCCESS)
return (result);
+ isc_socket_setname(sock, "dispatcher", NULL);
} else {
result = isc_socket_open(sock);
if (result != ISC_R_SUCCESS)
@@ -1692,6 +1807,7 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
isc_mem_attach(mctx, &mgr->mctx);
mgr->blackhole = NULL;
+ mgr->stats = NULL;
result = isc_mutex_init(&mgr->lock);
if (result != ISC_R_SUCCESS)
@@ -2001,6 +2117,15 @@ dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
destroy_mgr(&mgr);
}
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats) {
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(ISC_LIST_EMPTY(mgr->list));
+ REQUIRE(mgr->stats == NULL);
+
+ isc_stats_attach(stats, &mgr->stats);
+}
+
static int
port_cmp(const void *key, const void *ent) {
in_port_t p1 = *(const in_port_t *)key;
@@ -2269,6 +2394,8 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
ISC_LIST_INIT(disp->inactivesockets);
disp->nsockets = 0;
dispatch_arc4init(&disp->arc4ctx, mgr->entropy, NULL);
+ disp->port_table = NULL;
+ disp->portpool = NULL;
result = isc_mutex_init(&disp->lock);
if (result != ISC_R_SUCCESS)
@@ -2298,13 +2425,14 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
/*
- * MUST be unlocked, and not used by anthing.
+ * MUST be unlocked, and not used by anything.
*/
static void
dispatch_free(dns_dispatch_t **dispp)
{
dns_dispatch_t *disp;
dns_dispatchmgr_t *mgr;
+ int i;
REQUIRE(VALID_DISPATCH(*dispp));
disp = *dispp;
@@ -2329,6 +2457,18 @@ dispatch_free(dns_dispatch_t **dispp)
if (disp->qid != NULL)
qid_destroy(mgr->mctx, &disp->qid);
+
+ if (disp->port_table != NULL) {
+ for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+ INSIST(ISC_LIST_EMPTY(disp->port_table[i]));
+ isc_mem_put(mgr->mctx, disp->port_table,
+ sizeof(disp->port_table[0]) *
+ DNS_DISPATCH_PORTTABLESIZE);
+ }
+
+ if (disp->portpool != NULL)
+ isc_mempool_destroy(&disp->portpool);
+
disp->mgr = NULL;
DESTROYLOCK(&disp->lock);
disp->magic = 0;
@@ -2462,9 +2602,8 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
}
/*
- * First, see if we have a dispatcher that matches.
+ * See if we have a dispatcher that matches.
*/
- disp = NULL;
result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
if (result == ISC_R_SUCCESS) {
disp->refcount++;
@@ -2569,6 +2708,15 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
* If this fails 1024 times, we then ask the kernel for
* choosing one.
*/
+ } else {
+ /* Allow to reuse address for non-random ports. */
+ result = open_socket(sockmgr, localaddr,
+ ISC_SOCKET_REUSEADDRESS, &sock);
+
+ if (result == ISC_R_SUCCESS)
+ *sockp = sock;
+
+ return (result);
}
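Review bot: The new else branch binds a configured (non-random) port with ISC_SOCKET_REUSEADDRESS unconditionally, and the one-line comment only says reuse is allowed, not why it is needed. On platforms where SO_REUSEADDR lets another UDP socket bind the same address and port, this widens what a co-located process can do with the resolver's fixed port, so the rationale belongs in the comment (if it is the port-sharing behaviour the port table above implements, say so). get_udpsocket's enclosing body continues past the hunk.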
memset(held, 0, sizeof(held));
@@ -2650,6 +2798,21 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
if (result != ISC_R_SUCCESS)
goto deallocate_dispatch;
}
+
+ disp->port_table = isc_mem_get(mgr->mctx,
+ sizeof(disp->port_table[0]) *
+ DNS_DISPATCH_PORTTABLESIZE);
+ if (disp->port_table == NULL)
+ goto deallocate_dispatch;
+ for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+ ISC_LIST_INIT(disp->port_table[i]);
+
+ result = isc_mempool_create(mgr->mctx, sizeof(dispportentry_t),
+ &disp->portpool);
+ if (result != ISC_R_SUCCESS)
+ goto deallocate_dispatch;
+ isc_mempool_setname(disp->portpool, "disp_portpool");
+ isc_mempool_setfreemax(disp->portpool, 128);
}
disp->socktype = isc_sockettype_udp;
disp->socket = sock;
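Review bot: `if (disp->port_table == NULL) goto deallocate_dispatch;` is taken with `result` still ISC_R_SUCCESS — the only earlier assignment visible in the hunk is the one checked just above, which reaches this point only on success — so dispatch_createudp would report success after freeing the dispatch. Set `result = ISC_R_NOMEMORY;` before that goto, as the isc_mempool_create failure just below already does. The function's body continues outside the hunk.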
@@ -2829,6 +2992,8 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
oldestresp->item_out = ISC_TRUE;
isc_task_send(oldestresp->task,
ISC_EVENT_PTR(&rev));
+ inc_stats(disp->mgr,
+ dns_resstatscounter_dispabort);
}
}
@@ -2852,6 +3017,7 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
if (result != ISC_R_SUCCESS) {
UNLOCK(&qid->lock);
UNLOCK(&disp->lock);
+ inc_stats(disp->mgr, dns_resstatscounter_dispsockfail);
return (result);
}
} else {
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
index ee6c03b08121..75486af41117 100644
--- a/lib/dns/dlz.c
+++ b/lib/dns/dlz.c
@@ -1,8 +1,8 @@
/*
- * Portions Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz.c,v 1.2.2.2 2005/09/06 03:47:17 marka Exp $ */
+/* $Id: dlz.c,v 1.5.332.2 2009/01/18 23:47:35 tbox Exp $ */
/*! \file */
@@ -126,7 +126,7 @@ dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
dlzdatabase = view->dlzdatabase;
allowzonexfr = dlzdatabase->implementation->methods->allowzonexfr;
result = (*allowzonexfr)(dlzdatabase->implementation->driverarg,
- dlzdatabase->dbdata, dlzdatabase->mctx,
+ dlzdatabase->dbdata, dlzdatabase->mctx,
view->rdclass, name, clientaddr, dbp);
if (result == ISC_R_NOTIMPLEMENTED)
@@ -275,7 +275,7 @@ dns_dlzfindzone(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
* trying shorter names portions of the name until we find a
* match, have an error, or are below the 'minlabels'
* threshold. minlabels is 0, if the standard database didn't
- * have a zone name match. Otherwise minlables is the number
+ * have a zone name match. Otherwise minlabels is the number
* of labels in that name. We need to beat that for a
* "better" match for the DLZ database to be authoritative
* instead of the standard database.
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 75ca44045359..f06d715c4d32 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dnssec.c,v 1.81.18.10 2007/09/14 04:35:42 marka Exp $
+ * $Id: dnssec.c,v 1.93 2008/11/14 23:47:33 tbox Exp $
*/
/*! \file */
@@ -366,6 +366,9 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
if (ret != ISC_R_SUCCESS)
return (ret);
+ if (set->type != sig.covered)
+ return (DNS_R_SIGINVALID);
+
if (isc_serial_lt(sig.timeexpire, sig.timesigned))
return (DNS_R_SIGINVALID);
@@ -382,6 +385,27 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
}
/*
+ * NS, SOA and DNSSKEY records are signed by their owner.
+ * DS records are signed by the parent.
+ */
+ switch (set->type) {
+ case dns_rdatatype_ns:
+ case dns_rdatatype_soa:
+ case dns_rdatatype_dnskey:
+ if (!dns_name_equal(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ break;
+ case dns_rdatatype_ds:
+ if (dns_name_equal(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ /* FALLTHROUGH */
+ default:
+ if (!dns_name_issubdomain(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ break;
+ }
+
+ /*
* Is the key allowed to sign data?
*/
flags = dst_key_flags(key);
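Review bot: The comment introducing the new signer checks spells DNSKEY as `DNSSKEY`; change it to `* NS, SOA and DNSKEY records are signed by their owner.`. As I read dns_name_issubdomain, it also accepts a signer equal to name, so the default branch that DS falls into relies on the preceding equality rejection to keep owner-signed DS records out; a half sentence saying so would make the fallthrough's purpose clear.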
@@ -407,7 +431,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
dns_fixedname_init(&fnewname);
labels = dns_name_countlabels(name) - 1;
RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
- NULL) == ISC_R_SUCCESS);
+ NULL) == ISC_R_SUCCESS);
if (labels - sig.labels > 0)
dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
NULL, dns_fixedname_name(&fnewname));
@@ -487,9 +511,9 @@ cleanup_struct:
dns_rdata_freestruct(&sig);
if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
- if (wild != NULL)
+ if (wild != NULL)
RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
- dns_fixedname_name(&fnewname),
+ dns_fixedname_name(&fnewname),
wild, NULL) == ISC_R_SUCCESS);
ret = DNS_R_FROMWILDCARD;
}
@@ -541,6 +565,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto next;
+ /* Corrupted .key file? */
+ if (!dns_name_equal(name, dst_key_name(pubkey)))
+ goto next;
keys[count] = NULL;
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
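Review bot: The new owner-name check skips a mismatching key silently, so a .key file whose name does not match the zone (the "Corrupted .key file?" case the comment names) is dropped with no trace for an operator to notice. If a logging facility is available in this function, a one-line warning naming the key before `goto next` would make the condition diagnosable; otherwise consider expanding the comment to `/* Owner name in the .key file does not match the zone: treat as corrupt and skip. */`. dns_dnssec_findzonekeys2 continues outside the hunk, so I cannot see whether a later path already reports this.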
@@ -802,7 +829,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
RETERR(dst_context_create(key, mctx, &ctx));
/*
- * Digest the SIG(0) record, except for the signature.
+ * Digest the SIG(0) record, except for the signature.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index 7cd160955113..e994cc560c90 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds.c,v 1.4.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7d98e10a7f3a..144c685e1089 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1,9 +1,22 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -18,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.6.7 2006/01/27 23:57:44 marka Exp $
+ * $Id: dst_api.c,v 1.16.12.3 2009/03/02 02:00:34 marka Exp $
*/
/*! \file */
@@ -60,6 +73,8 @@ static isc_entropy_t *dst_entropy_pool = NULL;
static unsigned int dst_entropy_flags = 0;
static isc_boolean_t dst_initialized = ISC_FALSE;
+void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
isc_mem_t *dst__memory_pool = NULL;
/*
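Review bot: The `gss_log` prototype is declared at file scope in dst_api.c with external linkage, which is a style point worth fixing: a non-static function presumably defined in another translation unit should be declared in a shared header (dst_internal.h or the GSS-API header this import adds) so that its definition and every caller see one declaration and the `ISC_FORMAT_PRINTF(2, 3)` attribute cannot drift. If gss_log is not actually called from dst_api.c, the declaration here is dead and can be dropped. I cannot see the definition from this view, so confirm where it lives before moving the line.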
@@ -110,19 +125,21 @@ static isc_result_t addsuffix(char *filename, unsigned int len,
return (_r); \
} while (0); \
+#ifdef OPENSSL
static void *
default_memalloc(void *arg, size_t size) {
- UNUSED(arg);
- if (size == 0U)
- size = 1;
- return (malloc(size));
+ UNUSED(arg);
+ if (size == 0U)
+ size = 1;
+ return (malloc(size));
}
static void
default_memfree(void *arg, void *ptr) {
- UNUSED(arg);
- free(ptr);
+ UNUSED(arg);
+ free(ptr);
}
+#endif
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
@@ -147,6 +164,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
NULL, &dst__memory_pool, 0);
if (result != ISC_R_SUCCESS)
return (result);
+ isc_mem_setname(dst__memory_pool, "dst", NULL);
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
#else
isc_mem_attach(mctx, &dst__memory_pool);
@@ -167,8 +185,10 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
RETERR(dst__openssl_init());
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
#ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
+ RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#endif
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#endif /* OPENSSL */
@@ -223,7 +243,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
if (key->func->createctx == NULL)
return (DST_R_UNSUPPORTEDALG);
- if (key->opaque == NULL)
+ if (key->keydata.generic == NULL)
return (DST_R_NULLKEY);
dctx = isc_mem_get(mctx, sizeof(dst_context_t));
@@ -273,8 +293,9 @@ dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
key = dctx->key;
CHECKALG(key->key_alg);
- if (key->opaque == NULL)
+ if (key->keydata.generic == NULL)
return (DST_R_NULLKEY);
+
if (key->func->sign == NULL)
return (DST_R_NOTPRIVATEKEY);
if (key->func->isprivate == NULL ||
@@ -290,7 +311,7 @@ dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
REQUIRE(sig != NULL);
CHECKALG(dctx->key->key_alg);
- if (dctx->key->opaque == NULL)
+ if (dctx->key->keydata.generic == NULL)
return (DST_R_NULLKEY);
if (dctx->key->func->verify == NULL)
return (DST_R_NOTPUBLICKEY);
@@ -309,7 +330,7 @@ dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
CHECKALG(pub->key_alg);
CHECKALG(priv->key_alg);
- if (pub->opaque == NULL || priv->opaque == NULL)
+ if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
return (DST_R_NULLKEY);
if (pub->key_alg != priv->key_alg ||
@@ -383,10 +404,8 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
return (result);
}
- if (!dns_name_equal(name, key->key_name) ||
- id != key->key_id ||
- alg != key->key_alg)
- {
+ if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
+ alg != key->key_alg) {
dst_key_free(&key);
return (DST_R_INVALIDPRIVATEKEY);
}
@@ -427,8 +446,7 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
return (result);
if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
- (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- {
+ (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
result = computeid(pubkey);
if (result != ISC_R_SUCCESS) {
dst_key_free(&pubkey);
@@ -512,7 +530,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
& 0xffff));
}
- if (key->opaque == NULL) /*%< NULL KEY */
+ if (key->keydata.generic == NULL) /*%< NULL KEY */
return (ISC_R_SUCCESS);
return (key->func->todns(key, target));
@@ -620,20 +638,71 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
return (result);
}
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key)
+{
+ REQUIRE(key != NULL);
+
+ return (key->keydata.gssctx);
+}
+
isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
dst_key_t **keyp)
{
dst_key_t *key;
- REQUIRE(opaque != NULL);
+ REQUIRE(gssctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
0, dns_rdataclass_in, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
- key->opaque = opaque;
+
+ key->keydata.gssctx = gssctx;
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
+ unsigned int protocol, dns_rdataclass_t rdclass,
+ const char *engine, const char *label, const char *pin,
+ isc_mem_t *mctx, dst_key_t **keyp)
+{
+ dst_key_t *key;
+ isc_result_t result;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(mctx != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+ REQUIRE(label != NULL);
+
+ CHECKALG(alg);
+
+ key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (key->func->fromlabel == NULL) {
+ dst_key_free(&key);
+ return (DST_R_UNSUPPORTEDALG);
+ }
+
+ result = key->func->fromlabel(key, engine, label, pin);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (result);
+ }
+
+ result = computeid(key);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (result);
+ }
+
*keyp = key;
return (ISC_R_SUCCESS);
}
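Review bot: `dst_key_getgssctx` reads `key->keydata.gssctx` with no check that the key is a GSS-API key, so for any other algorithm it returns whatever pointer the union happens to hold reinterpreted as a `gss_ctx_id_t`; adding `REQUIRE(key->key_alg == DST_ALG_GSSAPI);` after the NULL check would catch that at the boundary rather than in the GSS library. `dst_key_fromlabel` is otherwise careful (it frees the key on every failure path), but its contract deserves a header comment stating that `engine` may be NULL for the default engine if that is the case, that `label` is required, and that `pin` is only handed to the algorithm's `fromlabel` hook and not retained in the key. I cannot see the hook implementations from here, so the `pin` statement should be confirmed against them.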
@@ -734,11 +803,14 @@ dst_key_free(dst_key_t **keyp) {
key = *keyp;
mctx = key->mctx;
- if (key->opaque != NULL) {
+ if (key->keydata.generic != NULL) {
INSIST(key->func->destroy != NULL);
key->func->destroy(key);
}
-
+ if (key->engine != NULL)
+ isc_mem_free(mctx, key->engine);
+ if (key->label != NULL)
+ isc_mem_free(mctx, key->label);
dns_name_free(key->key_name, mctx);
isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
memset(key, 0, sizeof(dst_key_t));
@@ -775,9 +847,11 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
*n = (key->key_size + 7) / 8;
break;
case DST_ALG_DSA:
+ case DST_ALG_NSEC3DSA:
*n = DNS_SIG_DSASIGSIZE;
break;
case DST_ALG_HMACMD5:
@@ -860,7 +934,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key->key_flags = flags;
key->key_proto = protocol;
key->mctx = mctx;
- key->opaque = NULL;
+ key->keydata.generic = NULL;
key->key_size = bits;
key->key_class = rdclass;
key->func = dst_t_func[alg];
@@ -925,6 +999,13 @@ dst_key_read_public(const char *filename, int type,
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string)
BADTOKEN();
+
+ /*
+ * We don't support "@" in .key files.
+ */
+ if (!strcmp(DST_AS_STR(token), "@"))
+ BADTOKEN();
+
dns_fixedname_init(&name);
isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
isc_buffer_add(&b, strlen(DST_AS_STR(token)));
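Review bot: The new "@" rejection uses `if (!strcmp(DST_AS_STR(token), "@"))`, which reads as "if not compare" and is the inverse of what it tests; the surrounding code compares results explicitly, so `if (strcmp(DST_AS_STR(token), "@") == 0)` would match the file's style and avoid the common misreading. The check itself is sound: a bare "@" has no meaning without an origin, so rejecting it before `dns_fixedname_init` keeps a relative owner name out of the key. dst_key_read_public starts and ends outside this hunk.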
@@ -990,7 +1071,9 @@ issymmetric(const dst_key_t *key) {
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
case DST_ALG_DSA:
+ case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
return (ISC_FALSE);
case DST_ALG_HMACMD5:
@@ -1080,9 +1163,12 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
fwrite(r.base, 1, r.length, fp);
fputc('\n', fp);
+ fflush(fp);
+ if (ferror(fp))
+ ret = DST_R_WRITEERROR;
fclose(fp);
- return (ISC_R_SUCCESS);
+ return (ret);
}
static isc_result_t
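Review bot: The new `fflush`/`ferror` check reports buffered write failures, but the `fclose(fp)` that follows is still unchecked and can itself fail (for example when the final flush or close is rejected by the filesystem), in which case a truncated public key file is reported as success; `if (fclose(fp) != 0) ret = DST_R_WRITEERROR;` closes that gap. The same pattern appears in the dst__privstruct_writefile hunk in lib/dns/dst_parse.c, where `iret` would take the same assignment. Where `ret` is initialised is outside this hunk, so confirm it starts as ISC_R_SUCCESS on the path that reaches this point.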
@@ -1116,8 +1202,10 @@ buildfilename(dns_name_t *name, dns_keytag_t id,
len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
if (isc_buffer_availablelength(out) < len)
return (ISC_R_NOSPACE);
- sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
+ sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
+ suffix);
isc_buffer_add(out, len);
+
return (ISC_R_SUCCESS);
}
@@ -1186,7 +1274,8 @@ algorithm_status(unsigned int alg) {
#ifndef OPENSSL
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
- alg == DST_ALG_HMACMD5)
+ alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
+ alg == DST_ALG_NSEC3RSASHA1)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);
@@ -1219,3 +1308,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
}
+
+unsigned int
+dst__entropy_status(void) {
+ return (isc_entropy_status(dst_entropy_pool));
+}
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index f2deb729e545..0c1a71c22560 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -1,9 +1,22 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst_internal.h,v 1.11 2008/04/01 23:47:10 tbox Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@@ -27,9 +40,22 @@
#include <isc/magic.h>
#include <isc/region.h>
#include <isc/types.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
#include <dst/dst.h>
+#ifdef OPENSSL
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#endif
+
ISC_LANG_BEGINDECLS
#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
@@ -46,6 +72,13 @@ extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
+typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
+typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
+typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
+typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
+typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
+typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
+
/*% DST Key Structure */
struct dst_key {
unsigned int magic;
@@ -58,7 +91,27 @@ struct dst_key {
isc_uint16_t key_bits; /*%< hmac digest bits */
dns_rdataclass_t key_class; /*%< class of the key record */
isc_mem_t *mctx; /*%< memory context */
- void * opaque; /*%< pointer to key in crypto pkg fmt */
+ char *engine; /*%< engine name (HSM) */
+ char *label; /*%< engine label (HSM) */
+ union {
+ void *generic;
+ gss_ctx_id_t gssctx;
+#ifdef OPENSSL
+#if USE_EVP_RSA
+ RSA *rsa;
+#endif
+ DSA *dsa;
+ DH *dh;
+ EVP_PKEY *pkey;
+#endif
+ dst_hmacmd5_key_t *hmacmd5;
+ dst_hmacsha1_key_t *hmacsha1;
+ dst_hmacsha224_key_t *hmacsha224;
+ dst_hmacsha256_key_t *hmacsha256;
+ dst_hmacsha384_key_t *hmacsha384;
+ dst_hmacsha512_key_t *hmacsha512;
+
+ } keydata; /*%< pointer to key in crypto pkg fmt */
dst_func_t * func; /*%< crypto package specific functions */
};
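Review bot: The `keydata` union keeps the old `opaque` comment, "pointer to key in crypto pkg fmt", which no longer says how a reader knows which member is live; since the rest of this change tests `keydata.generic == NULL` regardless of algorithm, a comment such as `/* Active member is chosen by key_alg (through func); only .generic is read without knowing the algorithm. */` would make that contract explicit. The `gss_ctx_id_t gssctx` member is unconditional while the OpenSSL members are guarded, so the header presumably relies on a GSS-API header that provides the type in non-GSSAPI builds — worth confirming, as it is not visible here. The same documentation note applies to `ctxdata` in the following hunk.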
@@ -66,7 +119,21 @@ struct dst_context {
unsigned int magic;
dst_key_t *key;
isc_mem_t *mctx;
- void *opaque;
+ union {
+ void *generic;
+ dst_gssapi_signverifyctx_t *gssctx;
+ isc_md5_t *md5ctx;
+ isc_sha1_t *sha1ctx;
+ isc_hmacmd5_t *hmacmd5ctx;
+ isc_hmacsha1_t *hmacsha1ctx;
+ isc_hmacsha224_t *hmacsha224ctx;
+ isc_hmacsha256_t *hmacsha256ctx;
+ isc_hmacsha384_t *hmacsha384ctx;
+ isc_hmacsha512_t *hmacsha512ctx;
+#ifdef OPENSSL
+ EVP_MD_CTX *evp_md_ctx;
+#endif
+ } ctxdata;
};
struct dst_func {
@@ -100,6 +167,9 @@ struct dst_func {
/* cleanup */
void (*cleanup)(void);
+
+ isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
+ const char *label, const char *pin);
};
/*%
@@ -136,6 +206,11 @@ void * dst__mem_realloc(void *ptr, size_t size);
isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
isc_boolean_t pseudo);
+/*
+ * Entropy status hook.
+ */
+unsigned int dst__entropy_status(void);
+
ISC_LANG_ENDDECLS
#endif /* DST_DST_INTERNAL_H */
diff --git a/lib/dns/dst_lib.c b/lib/dns/dst_lib.c
index 305051c14f22..f1021d338dee 100644
--- a/lib/dns/dst_lib.c
+++ b/lib/dns/dst_lib.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.6.3 2005/04/29 00:15:51 marka Exp $
+ * $Id: dst_lib.c,v 1.5 2007/06/19 23:47:16 tbox Exp $
*/
/*! \file */
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 79e10b05ba4c..80eef9349655 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_openssl.h,v 1.1.4.3 2005/04/29 00:15:52 marka Exp $ */
+/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
#ifndef DST_OPENSSL_H
#define DST_OPENSSL_H 1
@@ -28,6 +28,12 @@ ISC_LANG_BEGINDECLS
isc_result_t
dst__openssl_toresult(isc_result_t fallback);
+ENGINE *
+dst__openssl_getengine(const char *name);
+
+isc_result_t
+dst__openssl_setdefault(const char *name);
+
ISC_LANG_ENDDECLS
#endif /* DST_OPENSSL_H */
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index ce361ef2d128..2da72ae6415a 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +31,7 @@
/*%
* Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.6.9 2008/01/22 23:27:05 tbox Exp $
+ * $Id: dst_parse.c,v 1.14.120.2 2009/03/02 23:47:11 tbox Exp $
*/
#include <config.h>
@@ -54,6 +67,9 @@ static struct parse_map map[] = {
{TAG_RSA_EXPONENT1, "Exponent1:"},
{TAG_RSA_EXPONENT2, "Exponent2:"},
{TAG_RSA_COEFFICIENT, "Coefficient:"},
+ {TAG_RSA_ENGINE, "Engine:" },
+ {TAG_RSA_LABEL, "Label:" },
+ {TAG_RSA_PIN, "PIN:" },
{TAG_DH_PRIME, "Prime(p):"},
{TAG_DH_GENERATOR, "Generator(g):"},
@@ -115,16 +131,39 @@ find_tag(const int value) {
static int
check_rsa(const dst_private_t *priv) {
int i, j;
- if (priv->nelements != RSA_NTAGS)
- return (-1);
- for (i = 0; i < RSA_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
+ isc_boolean_t have[RSA_NTAGS];
+ isc_boolean_t ok;
+ unsigned int mask;
+
+ for (i = 0; i < RSA_NTAGS; i++)
+ have[i] = ISC_FALSE;
+ for (j = 0; j < priv->nelements; j++) {
+ for (i = 0; i < RSA_NTAGS; i++)
if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
break;
- if (j == priv->nelements)
+ if (i == RSA_NTAGS)
return (-1);
+ have[i] = ISC_TRUE;
}
- return (0);
+
+ mask = ~0;
+ mask <<= sizeof(mask) * 8 - TAG_SHIFT;
+ mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+
+ if (have[TAG_RSA_ENGINE & mask])
+ ok = have[TAG_RSA_MODULUS & mask] &&
+ have[TAG_RSA_PUBLICEXPONENT & mask] &&
+ have[TAG_RSA_LABEL & mask];
+ else
+ ok = have[TAG_RSA_MODULUS & mask] &&
+ have[TAG_RSA_PUBLICEXPONENT & mask] &&
+ have[TAG_RSA_PRIVATEEXPONENT & mask] &&
+ have[TAG_RSA_PRIME1 & mask] &&
+ have[TAG_RSA_PRIME2 & mask] &&
+ have[TAG_RSA_EXPONENT1 & mask] &&
+ have[TAG_RSA_EXPONENT2 & mask] &&
+ have[TAG_RSA_COEFFICIENT & mask];
+ return (ok ? 0 : -1 );
}
static int
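Review bot: The three-statement `mask` computation in the rewritten `check_rsa` obscures a simple intent: it builds a mask of the low `TAG_SHIFT` bits, which, provided TAG_SHIFT is smaller than the width of `unsigned int`, is just `mask = (1U << TAG_SHIFT) - 1;` and would be clearer with a comment such as `/* strip the algorithm bits, leaving the tag offset */`. Note also a behaviour change: the old check required `nelements == RSA_NTAGS`, which implicitly rejected duplicate tags, while the new `have[]` scheme accepts a private key file that lists the same tag twice; if that is not intended, rejecting `have[i]` already set inside the loop restores the old strictness. Since this function gates what an engine-backed key needs (modulus, public exponent and label only), it would help to state in a comment that the PIN is intentionally optional here.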
@@ -486,8 +525,10 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
fprintf(fp, "\n");
}
+ fflush(fp);
+ iret = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
fclose(fp);
- return (ISC_R_SUCCESS);
+ return (iret);
}
/*! \file */
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index 665fcfc0c98c..27c7580e54be 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_parse.h,v 1.1.6.7 2008/05/15 23:46:06 tbox Exp $ */
+/* $Id: dst_parse.h,v 1.11 2008/05/15 00:50:26 each Exp $ */
/*! \file */
#ifndef DST_DST_PARSE_H
@@ -37,7 +50,7 @@
#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
/* These are used by both RSA-MD5 and RSA-SHA1 */
-#define RSA_NTAGS 8
+#define RSA_NTAGS 11
#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
@@ -46,6 +59,9 @@
#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
+#define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
+#define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
+#define TAG_RSA_PIN ((DST_ALG_RSAMD5 << TAG_SHIFT) + 10)
#define DH_NTAGS 4
#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c
index c9bf0732d8c2..429dbb2fc1cf 100644
--- a/lib/dns/dst_result.c
+++ b/lib/dns/dst_result.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -17,7 +17,7 @@
/*%
* Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.6.3 2005/04/29 00:15:52 marka Exp $
+ * $Id: dst_result.c,v 1.7 2008/04/01 23:47:10 tbox Exp $
*/
#include <config.h>
@@ -49,7 +49,8 @@ static const char *text[DST_R_NRESULTS] = {
"not a key that can compute a secret", /*%< 17 */
"failure computing a shared secret", /*%< 18 */
"no randomness available", /*%< 19 */
- "bad key type" /*%< 20 */
+ "bad key type", /*%< 20 */
+ "no engine" /*%< 21 */
};
#define DST_RESULT_RESULTSET 2
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index e80a4773d556..39e2ef5df04f 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: forward.c,v 1.6.18.4 2005/07/12 01:22:20 marka Exp $ */
+/* $Id: forward.c,v 1.12 2007/06/19 23:47:16 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index fc2dbf27920b..4186f6343236 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gen-unix.h,v 1.14.18.3 2005/06/08 02:07:54 marka Exp $ */
+/* $Id: gen-unix.h,v 1.19.332.2 2009/01/18 23:47:35 tbox Exp $ */
/*! \file
* \brief
@@ -23,7 +23,7 @@
* directly portable between Unix-like systems and Windows NT, option
* parsing and directory scanning. It is here because it was decided
* that the "gen" build utility was not to depend on libisc.a, so
- * the functions delcared in isc/commandline.h and isc/dir.h could not
+ * the functions declared in isc/commandline.h and isc/dir.h could not
* be used.
*
* The commandline stuff is really just a wrapper around getopt().
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index 1e6212a5ade7..ede8bc0962c1 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gen.c,v 1.73.18.6 2006/10/02 06:36:43 marka Exp $ */
+/* $Id: gen.c,v 1.83 2008/09/25 04:02:38 tbox Exp $ */
/*! \file */
@@ -41,6 +41,8 @@
#include "gen-unix.h"
#endif
+#define TYPECLASSLEN 21
+
#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
#define FROMTEXTCLASS "rdclass"
#define FROMTEXTTYPE "type"
@@ -134,21 +136,21 @@ const char copyright[] =
struct cc {
struct cc *next;
int rdclass;
- char classname[11];
+ char classname[TYPECLASSLEN];
} *classes;
struct tt {
struct tt *next;
int rdclass;
int type;
- char classname[11];
- char typename[11];
+ char classname[TYPECLASSLEN];
+ char typename[TYPECLASSLEN];
char dirname[256]; /* XXX Should be max path length */
} *types;
struct ttnam {
- char typename[11];
- char macroname[11];
+ char typename[TYPECLASSLEN];
+ char macroname[TYPECLASSLEN];
char attr[256];
unsigned int sorted;
int type;
@@ -215,7 +217,7 @@ doswitch(const char *name, const char *function, const char *args,
int first = 1;
int lasttype = 0;
int subswitch = 0;
- char buf1[11], buf2[11];
+ char buf1[TYPECLASSLEN], buf2[TYPECLASSLEN];
const char *result = " result =";
if (res == NULL)
@@ -281,7 +283,7 @@ doswitch(const char *name, const char *function, const char *args,
void
dodecl(char *type, char *function, char *args) {
struct tt *tt;
- char buf1[11], buf2[11];
+ char buf1[TYPECLASSLEN], buf2[TYPECLASSLEN];
fputs("\n", stdout);
for (tt = types; tt; tt = tt->next)
@@ -332,7 +334,7 @@ insert_into_typenames(int type, const char *typename, const char *attr) {
fprintf(stderr, "Error: typenames array too small\n");
exit(1);
}
-
+
if (strlen(typename) > sizeof(ttn->typename) - 1) {
fprintf(stderr, "Error: type name %s is too long\n",
typename);
@@ -392,6 +394,8 @@ add(int rdclass, const char *classname, int type, const char *typename,
newtt->type = type;
strcpy(newtt->classname, classname);
strcpy(newtt->typename, typename);
+ if (strncmp(dirname, "./", 2) == 0)
+ dirname += 2;
strcpy(newtt->dirname, dirname);
tt = types;
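Review bot: The new `dirname += 2` feeds straight into the existing unbounded `strcpy(newtt->dirname, dirname)`, and `dirname` in `struct tt` is a fixed 256-byte array (see the struct hunk earlier in this file), so an over-long directory argument still overruns it; a length check like the one the file already performs for type names, `if (strlen(dirname) > sizeof(newtt->dirname) - 1)` followed by an error and `exit(1)`, would close that. This is a build-time generator reading the source tree rather than network input, so the exposure is low, but the check is cheap and consistent with the existing style. The add() function begins and ends outside this hunk.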
@@ -449,16 +453,16 @@ add(int rdclass, const char *classname, int type, const char *typename,
void
sd(int rdclass, const char *classname, const char *dirname, char filetype) {
- char buf[sizeof("0123456789_65535.h")];
- char fmt[sizeof("%10[-0-9a-z]_%d.h")];
+ char buf[sizeof("01234567890123456789_65535.h")];
+ char fmt[sizeof("%20[-0-9a-z]_%d.h")];
int type;
- char typename[11];
+ char typename[TYPECLASSLEN];
isc_dir_t dir;
if (!start_directory(dirname, &dir))
return;
- sprintf(fmt,"%s%c", "%10[-0-9a-z]_%d.", filetype);
+ sprintf(fmt,"%s%c", "%20[-0-9a-z]_%d.", filetype);
while (next_file(&dir)) {
if (sscanf(dir.filename, fmt, typename, &type) != 2)
continue;
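Review bot: The `%20[-0-9a-z]` width in the two format strings, and the `01234567890123456789_65535.h` sizing literal, are hand-maintained copies of `TYPECLASSLEN - 1` and will silently desynchronise the next time the constant changes, leaving `typename[TYPECLASSLEN]` either under-read or overrun by `sscanf`. A one-line comment next to `fmt`, `/* %20 width must equal TYPECLASSLEN - 1; keep in step with typename[] */`, or building the width with a stringified macro, would keep the coupling visible. The sizes as written are consistent: the 20-character scan plus terminator fits `typename[21]` and `fmt` has exactly enough room for the sprintf output.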
@@ -495,7 +499,7 @@ main(int argc, char **argv) {
char buf[256]; /* XXX Should be max path length */
char srcdir[256]; /* XXX Should be max path length */
int rdclass;
- char classname[11];
+ char classname[TYPECLASSLEN];
struct tt *tt;
struct cc *cc;
struct ttnam *ttn, *ttn2;
@@ -510,7 +514,7 @@ main(int argc, char **argv) {
int structs = 0;
int depend = 0;
int c, i, j;
- char buf1[11];
+ char buf1[TYPECLASSLEN];
char filetype = 'c';
FILE *fd;
char *prefix = NULL;
@@ -594,7 +598,7 @@ main(int argc, char **argv) {
sd(0, "", buf, filetype);
if (time(&now) != -1) {
- if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
+ if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
sprintf(year, "-%d", tm->tm_year + 1900);
else
year[0] = 0;
@@ -692,7 +696,7 @@ main(int argc, char **argv) {
"\t\t strncasecmp(_s,(_tn),"
"(sizeof(_s) - 1)) == 0) { \\\n");
fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
- "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+ "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
@@ -743,7 +747,7 @@ main(int argc, char **argv) {
if (ttn == NULL)
continue;
fprintf(stdout, "\tcase %u: return (%s); \\\n",
- i, upper(ttn->attr));
+ i, upper(ttn->attr));
}
fprintf(stdout, "\t}\n");
@@ -755,7 +759,7 @@ main(int argc, char **argv) {
continue;
fprintf(stdout, "\tcase %u: return "
"(str_totext(\"%s\", target)); \\\n",
- i, upper(ttn->typename));
+ i, upper(ttn->typename));
}
fprintf(stdout, "\t}\n");
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index a6a367a952c8..0dd27bbea3e9 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -16,13 +16,13 @@
*/
/*
- * $Id: gssapi_link.c,v 1.1.6.3 2005/04/29 00:15:53 marka Exp $
+ * $Id: gssapi_link.c,v 1.12 2008/11/11 03:55:01 marka Exp $
*/
-#ifdef GSSAPI
-
#include <config.h>
+#ifdef GSSAPI
+
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/string.h>
@@ -33,60 +33,73 @@
#include "dst_internal.h"
#include "dst_parse.h"
-#include <gssapi/gssapi.h>
+#include <dst/gssapi.h>
#define INITIAL_BUFFER_SIZE 1024
#define BUFFER_EXTRA 1024
#define REGION_TO_GBUFFER(r, gb) \
do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
} while (0)
-typedef struct gssapi_ctx {
- isc_buffer_t *buffer;
- gss_ctx_id_t *context_id;
-} gssapi_ctx_t;
+struct dst_gssapi_signverifyctx {
+ isc_buffer_t *buffer;
+};
+/*%
+ * Allocate a temporary "context" for use in gathering data for signing
+ * or verifying.
+ */
static isc_result_t
-gssapi_createctx(dst_key_t *key, dst_context_t *dctx) {
- gssapi_ctx_t *ctx;
+gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
+ dst_gssapi_signverifyctx_t *ctx;
isc_result_t result;
UNUSED(key);
- ctx = isc_mem_get(dctx->mctx, sizeof(gssapi_ctx_t));
+ ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
if (ctx == NULL)
return (ISC_R_NOMEMORY);
ctx->buffer = NULL;
result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
INITIAL_BUFFER_SIZE);
if (result != ISC_R_SUCCESS) {
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
+ isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
return (result);
}
- ctx->context_id = key->opaque;
- dctx->opaque = ctx;
+
+ dctx->ctxdata.gssctx = ctx;
+
return (ISC_R_SUCCESS);
}
+/*%
+ * Destroy the temporary sign/verify context.
+ */
static void
-gssapi_destroyctx(dst_context_t *dctx) {
- gssapi_ctx_t *ctx = dctx->opaque;
+gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
if (ctx != NULL) {
if (ctx->buffer != NULL)
isc_buffer_free(&ctx->buffer);
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
- dctx->opaque = NULL;
+ isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
+ dctx->ctxdata.gssctx = NULL;
}
}
+/*%
+ * Add data to our running buffer of data we will be signing or verifying.
+ * This code will see if the new data will fit in our existing buffer, and
+ * copy it in if it will. If not, it will attempt to allocate a larger
+ * buffer and copy old+new into it, and free the old buffer.
+ */
static isc_result_t
gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
- gssapi_ctx_t *ctx = dctx->opaque;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
isc_buffer_t *newbuffer = NULL;
isc_region_t r;
unsigned int length;
@@ -103,8 +116,8 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
return (result);
isc_buffer_usedregion(ctx->buffer, &r);
- (void) isc_buffer_copyregion(newbuffer, &r);
- (void) isc_buffer_copyregion(newbuffer, data);
+ (void)isc_buffer_copyregion(newbuffer, &r);
+ (void)isc_buffer_copyregion(newbuffer, data);
isc_buffer_free(&ctx->buffer);
ctx->buffer = newbuffer;
@@ -112,56 +125,129 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
return (ISC_R_SUCCESS);
}
+/*%
+ * Sign.
+ */
static isc_result_t
gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
isc_region_t message;
gss_buffer_desc gmessage, gsig;
OM_uint32 minor, gret;
+ gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+ char buf[1024];
+ /*
+ * Convert the data we wish to sign into a structure gssapi can
+ * understand.
+ */
isc_buffer_usedregion(ctx->buffer, &message);
REGION_TO_GBUFFER(message, gmessage);
- gret = gss_get_mic(&minor, ctx->context_id,
- GSS_C_QOP_DEFAULT, &gmessage, &gsig);
- if (gret != 0)
+ /*
+ * Generate the signature.
+ */
+ gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
+ &gsig);
+
+ /*
+ * If it did not complete, we log the result and return a generic
+ * failure code.
+ */
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "GSS sign error: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
return (ISC_R_FAILURE);
+ }
+ /*
+ * If it will not fit in our allocated buffer, return that we need
+ * more space.
+ */
if (gsig.length > isc_buffer_availablelength(sig)) {
gss_release_buffer(&minor, &gsig);
return (ISC_R_NOSPACE);
}
+ /*
+ * Copy the output into our buffer space, and release the gssapi
+ * allocated space.
+ */
isc_buffer_putmem(sig, gsig.value, gsig.length);
-
- gss_release_buffer(&minor, &gsig);
+ if (gsig.length != 0)
+ gss_release_buffer(&minor, &gsig);
return (ISC_R_SUCCESS);
}
+/*%
+ * Verify.
+ */
static isc_result_t
gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
- isc_region_t message;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+ isc_region_t message, r;
gss_buffer_desc gmessage, gsig;
OM_uint32 minor, gret;
-
+ gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+ unsigned char *buf;
+ char err[1024];
+
+ /*
+ * Convert the data we wish to sign into a structure gssapi can
+ * understand.
+ */
isc_buffer_usedregion(ctx->buffer, &message);
REGION_TO_GBUFFER(message, gmessage);
- REGION_TO_GBUFFER(*sig, gsig);
-
- gret = gss_verify_mic(&minor, ctx->context_id, &gmessage, &gsig, NULL);
- if (gret != 0)
+ /*
+ * XXXMLG
+ * It seem that gss_verify_mic() modifies the signature buffer,
+ * at least on Heimdal's implementation. Copy it here to an allocated
+ * buffer.
+ */
+ buf = isc_mem_allocate(dst__memory_pool, sig->length);
+ if (buf == NULL)
return (ISC_R_FAILURE);
+ memcpy(buf, sig->base, sig->length);
+ r.base = buf;
+ r.length = sig->length;
+ REGION_TO_GBUFFER(r, gsig);
+
+ /*
+ * Verify the data.
+ */
+ gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
+
+ isc_mem_free(dst__memory_pool, buf);
+
+ /*
+ * Convert return codes into something useful to us.
+ */
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "GSS verify error: %s",
+ gss_error_tostring(gret, minor, err, sizeof(err)));
+ if (gret == GSS_S_DEFECTIVE_TOKEN ||
+ gret == GSS_S_BAD_SIG ||
+ gret == GSS_S_DUPLICATE_TOKEN ||
+ gret == GSS_S_OLD_TOKEN ||
+ gret == GSS_S_UNSEQ_TOKEN ||
+ gret == GSS_S_GAP_TOKEN ||
+ gret == GSS_S_CONTEXT_EXPIRED ||
+ gret == GSS_S_NO_CONTEXT ||
+ gret == GSS_S_FAILURE)
+ return(DST_R_VERIFYFAILURE);
+ else
+ return (ISC_R_FAILURE);
+ }
return (ISC_R_SUCCESS);
}
static isc_boolean_t
gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
- gss_ctx_id_t gsskey1 = key1->opaque;
- gss_ctx_id_t gsskey2 = key2->opaque;
+ gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
+ gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
/* No idea */
return (ISC_TF(gsskey1 == gsskey2));
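Review bot: In `gssapi_verify` an `isc_mem_allocate` failure is reported as `ISC_R_FAILURE`, which the caller cannot tell apart from a GSS-API failure; `return (ISC_R_NOMEMORY);` is what `gssapi_create_signverify_ctx` in this file already returns for the same condition. It is also not visible whether `isc_mem_allocate` accepts a zero `sig->length`, so a guard such as `if (sig->length == 0) return (DST_R_VERIFYFAILURE);` before the copy would make the contract explicit, since an empty token cannot be a valid MIC. The success path of `gssapi_sign` now guards `gss_release_buffer` on `gsig.length != 0` while the `ISC_R_NOSPACE` path above it releases unconditionally; the two should agree. Minor style: `return(DST_R_VERIFYFAILURE);` lacks the space the rest of the file puts after `return`.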
@@ -179,18 +265,19 @@ gssapi_generate(dst_key_t *key, int unused) {
static isc_boolean_t
gssapi_isprivate(const dst_key_t *key) {
UNUSED(key);
- return (ISC_TRUE);
+ return (ISC_TRUE);
}
static void
gssapi_destroy(dst_key_t *key) {
- UNUSED(key);
- /* No idea */
+ REQUIRE(key != NULL);
+ dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
+ key->keydata.gssctx = NULL;
}
static dst_func_t gssapi_functions = {
- gssapi_createctx,
- gssapi_destroyctx,
+ gssapi_create_signverify_ctx,
+ gssapi_destroy_signverify_ctx,
gssapi_adddata,
gssapi_sign,
gssapi_verify,
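Review bot: `gssapi_destroy` calls `dst_gssapi_deletectx` unconditionally, and that function (added by this commit in gssapictx.c) does `REQUIRE(gssctx != NULL && *gssctx != NULL)`, so destroying a key whose `keydata.gssctx` is still NULL would trip the assertion. Unless every GSS key is guaranteed to carry a context by the time it is destroyed, guard the call: `if (key->keydata.gssctx != NULL) dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);`. The explicit `key->keydata.gssctx = NULL;` after it remains harmless on either path.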
@@ -205,6 +292,7 @@ static dst_func_t gssapi_functions = {
NULL, /*%< tofile */
NULL, /*%< parse */
NULL, /*%< cleanup */
+ NULL /*%< fromlabel */
};
isc_result_t
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index ce5d6fa3ddbd..11eadb9675bb 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,11 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gssapictx.c,v 1.1.6.3 2005/04/29 00:15:54 marka Exp $ */
+/* $Id: gssapictx.c,v 1.12 2008/04/03 06:09:04 tbox Exp $ */
#include <config.h>
#include <stdlib.h>
+#include <string.h>
#include <isc/buffer.h>
#include <isc/dir.h>
@@ -27,6 +28,7 @@
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/once.h>
+#include <isc/print.h>
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
@@ -39,34 +41,76 @@
#include <dns/result.h>
#include <dns/types.h>
#include <dns/keyvalues.h>
+#include <dns/log.h>
#include <dst/gssapi.h>
#include <dst/result.h>
#include "dst_internal.h"
-#ifdef GSSAPI
+/*
+ * If we're using our own SPNEGO implementation (see configure.in),
+ * pull it in now. Otherwise, we just use whatever GSSAPI supplies.
+ */
+#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
+#include "spnego.h"
+#define gss_accept_sec_context gss_accept_sec_context_spnego
+#define gss_init_sec_context gss_init_sec_context_spnego
+#endif
-#include <gssapi/gssapi.h>
+/*
+ * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
+ * one for anything but Kerberos. Supplying an explicit OID set
+ * doesn't appear to hurt anything in other implementations, so we
+ * always use one. If we're not using our own SPNEGO implementation,
+ * we include SPNEGO's OID.
+ */
+#if defined(GSSAPI)
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto out; \
+static unsigned char krb5_mech_oid_bytes[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+#ifndef USE_ISC_SPNEGO
+static unsigned char spnego_mech_oid_bytes[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+#endif
+
+static gss_OID_desc mech_oid_set_array[] = {
+ { sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
+#ifndef USE_ISC_SPNEGO
+ { sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
+#endif
+};
+
+static gss_OID_set_desc mech_oid_set = {
+ sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
+ mech_oid_set_array
+};
+
+#endif
+
+#define REGION_TO_GBUFFER(r, gb) \
+ do { \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
} while (0)
-#define REGION_TO_GBUFFER(r, gb) \
- do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
+#define GBUFFER_TO_REGION(gb, r) \
+ do { \
+ (r).length = (gb).length; \
+ (r).base = (gb).value; \
} while (0)
-#define GBUFFER_TO_REGION(gb, r) \
- do { \
- (r).length = (gb).length; \
- (r).base = (gb).value; \
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto out; \
} while (0)
+#ifdef GSSAPI
static inline void
name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
gss_buffer_desc *gbuffer)
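Review bot: The two mechanism OIDs are given only as raw DER bytes, so a reader has to decode them to check the comment above. I'd annotate them in dotted form: `/* 1.2.840.113554.1.2.2 (Kerberos V5) */` on `krb5_mech_oid_bytes` and `/* 1.3.6.1.5.5.2 (SPNEGO) */` on `spnego_mech_oid_bytes`. `mech_oid_set` is also built by hand with the positional `{ count, elements }` layout of `gss_OID_set_desc`, which deserves a one-line comment since a field reorder in a provider's header would silently break it. `name_to_gbuffer` starts at the end of this hunk and continues past it.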
@@ -77,22 +121,81 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
if (!dns_name_isabsolute(name))
namep = name;
- else {
+ else
+ {
unsigned int labels;
dns_name_init(&tname, NULL);
labels = dns_name_countlabels(name);
dns_name_getlabelsequence(name, 0, labels - 1, &tname);
namep = &tname;
}
-
+
result = dns_name_totext(namep, ISC_FALSE, buffer);
isc_buffer_putuint8(buffer, 0);
isc_buffer_usedregion(buffer, &r);
REGION_TO_GBUFFER(r, *gbuffer);
}
+static void
+log_cred(const gss_cred_id_t cred) {
+ OM_uint32 gret, minor, lifetime;
+ gss_name_t gname;
+ gss_buffer_desc gbuffer;
+ gss_cred_usage_t usage;
+ const char *usage_text;
+ char buf[1024];
+
+ gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_inquire_cred: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ return;
+ }
+
+ gret = gss_display_name(&minor, gname, &gbuffer, NULL);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_display_name: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ else {
+ switch (usage) {
+ case GSS_C_BOTH:
+ usage_text = "GSS_C_BOTH";
+ break;
+ case GSS_C_INITIATE:
+ usage_text = "GSS_C_INITIATE";
+ break;
+ case GSS_C_ACCEPT:
+ usage_text = "GSS_C_ACCEPT";
+ break;
+ default:
+ usage_text = "???";
+ }
+ gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
+ usage_text, (unsigned long)lifetime);
+ }
+
+ if (gret == GSS_S_COMPLETE) {
+ if (gbuffer.length != 0) {
+ gret = gss_release_buffer(&minor, &gbuffer);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ }
+
+ gret = gss_release_name(&minor, &gname);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_name: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+}
+#endif
+
isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ gss_cred_id_t *cred)
+{
+#ifdef GSSAPI
isc_buffer_t namebuf;
gss_name_t gname;
gss_buffer_desc gnamebuf;
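Review bot: `log_cred` prints `gbuffer.value` with `%s`, but a GSS-API buffer is not guaranteed to be NUL-terminated (this commit's own `dst_gssapi_acceptctx` prints the display name with `%.*s` and `(int)gnamebuf.length` for that reason), so the log call can read past the end of the buffer. Use the length here too: `gss_log(3, "gss cred: \"%.*s\", %s, %lu", (int)gbuffer.length, (char *)gbuffer.value, usage_text, (unsigned long)lifetime);`. The context line `result = dns_name_totext(namep, ISC_FALSE, buffer);` in `name_to_gbuffer` still ignores `result`, but that is pre-existing. `dst_gssapi_acquirecred` starts in this hunk and continues past it.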
@@ -101,164 +204,535 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
gss_OID_set mechs;
OM_uint32 lifetime;
gss_cred_usage_t usage;
+ char buf[1024];
REQUIRE(cred != NULL && *cred == NULL);
+ /*
+ * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
+ * here when we're in the acceptor role, which would let us
+ * default the hostname and use a compiled in default service
+ * name of "DNS", giving one less thing to configure in
+ * named.conf. Unfortunately, this creates a circular
+ * dependency due to DNS-based realm lookup in at least one
+ * GSSAPI implementation (Heimdal). Oh well.
+ */
if (name != NULL) {
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID,
- &gname);
- if (gret != GSS_S_COMPLETE)
+ gret = gss_import_name(&minor, &gnamebuf,
+ GSS_C_NO_OID, &gname);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_import_name: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
return (ISC_R_FAILURE);
+ }
} else
gname = NULL;
+ /* Get the credentials. */
+ if (gname != NULL)
+ gss_log(3, "acquiring credentials for %s",
+ (char *)gnamebuf.value);
+ else {
+ /* XXXDCL does this even make any sense? */
+ gss_log(3, "acquiring credentials for ?");
+ }
+
if (initiate)
usage = GSS_C_INITIATE;
else
usage = GSS_C_ACCEPT;
gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, usage,
- cred, &mechs, &lifetime);
- if (gret != GSS_S_COMPLETE)
+ &mech_oid_set,
+ usage, cred, &mechs, &lifetime);
+
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed to acquire %s credentials for %s: %s",
+ initiate ? "initiate" : "accept",
+ (char *)gnamebuf.value,
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
return (ISC_R_FAILURE);
+ }
+
+ gss_log(4, "acquired %s credentials for %s",
+ initiate ? "initiate" : "accept",
+ (char *)gnamebuf.value);
+
+ log_cred(*cred);
+
return (ISC_R_SUCCESS);
+#else
+ UNUSED(name);
+ UNUSED(initiate);
+ UNUSED(cred);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm)
+{
+#ifdef GSSAPI
+ char sbuf[DNS_NAME_FORMATSIZE];
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char rbuf[DNS_NAME_FORMATSIZE];
+ char *sname;
+ char *rname;
+
+ /*
+ * It is far, far easier to write the names we are looking at into
+ * a string, and do string operations on them.
+ */
+ dns_name_format(signer, sbuf, sizeof(sbuf));
+ if (name != NULL)
+ dns_name_format(name, nbuf, sizeof(nbuf));
+ dns_name_format(realm, rbuf, sizeof(rbuf));
+
+ /*
+ * Find the realm portion. This is the part after the @. If it
+ * does not exist, we don't have something we like, so we fail our
+ * compare.
+ */
+ rname = strstr(sbuf, "\\@");
+ if (rname == NULL)
+ return (isc_boolean_false);
+ *rname = '\0';
+ rname += 2;
+
+ /*
+ * Find the host portion of the signer's name. We do this by
+ * searching for the first / character. We then check to make
+ * certain the instance name is "host"
+ *
+ * This will work for
+ * host/example.com@EXAMPLE.COM
+ */
+ sname = strchr(sbuf, '/');
+ if (sname == NULL)
+ return (isc_boolean_false);
+ *sname = '\0';
+ sname++;
+ if (strcmp(sbuf, "host") != 0)
+ return (isc_boolean_false);
+
+ /*
+ * Now, we do a simple comparison between the name and the realm.
+ */
+ if (name != NULL) {
+ if ((strcasecmp(sname, nbuf) == 0)
+ && (strcmp(rname, rbuf) == 0))
+ return (isc_boolean_true);
+ } else {
+ if (strcmp(rname, rbuf) == 0)
+ return (isc_boolean_true);
+ }
+
+ return (isc_boolean_false);
+#else
+ UNUSED(signer);
+ UNUSED(name);
+ UNUSED(realm);
+ return (isc_boolean_false);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm)
+{
+#ifdef GSSAPI
+ char sbuf[DNS_NAME_FORMATSIZE];
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char rbuf[DNS_NAME_FORMATSIZE];
+ char *sname;
+ char *nname;
+ char *rname;
+
+ /*
+ * It is far, far easier to write the names we are looking at into
+ * a string, and do string operations on them.
+ */
+ dns_name_format(signer, sbuf, sizeof(sbuf));
+ if (name != NULL)
+ dns_name_format(name, nbuf, sizeof(nbuf));
+ dns_name_format(realm, rbuf, sizeof(rbuf));
+
+ /*
+ * Find the realm portion. This is the part after the @. If it
+ * does not exist, we don't have something we like, so we fail our
+ * compare.
+ */
+ rname = strstr(sbuf, "\\@");
+ if (rname == NULL)
+ return (isc_boolean_false);
+ sname = strstr(sbuf, "\\$");
+ if (sname == NULL)
+ return (isc_boolean_false);
+
+ /*
+ * Verify that the $ and @ follow one another.
+ */
+ if (rname - sname != 2)
+ return (isc_boolean_false);
+
+ /*
+ * Find the host portion of the signer's name. Zero out the $ so
+ * it terminates the signer's name, and skip past the @ for
+ * the realm.
+ *
+ * All service principals in Microsoft format seem to be in
+ * machinename$@EXAMPLE.COM
+ * format.
+ */
+ *rname = '\0';
+ rname += 2;
+ *sname = '\0';
+ sname = sbuf;
+
+ /*
+ * Find the first . in the target name, and make it the end of
+ * the string. The rest of the name has to match the realm.
+ */
+ if (name != NULL) {
+ nname = strchr(nbuf, '.');
+ if (nname == NULL)
+ return (isc_boolean_false);
+ *nname++ = '\0';
+ }
+
+ /*
+ * Now, we do a simple comparison between the name and the realm.
+ */
+ if (name != NULL) {
+ if ((strcasecmp(sname, nbuf) == 0)
+ && (strcmp(rname, rbuf) == 0)
+ && (strcasecmp(nname, rbuf) == 0))
+ return (isc_boolean_true);
+ } else {
+ if (strcmp(rname, rbuf) == 0)
+ return (isc_boolean_true);
+ }
+
+
+ return (isc_boolean_false);
+#else
+ UNUSED(signer);
+ UNUSED(name);
+ UNUSED(realm);
+ return (isc_boolean_false);
+#endif
}
isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_releasecred(gss_cred_id_t *cred) {
+#ifdef GSSAPI
+ OM_uint32 gret, minor;
+ char buf[1024];
+
+ REQUIRE(cred != NULL && *cred != NULL);
+
+ gret = gss_release_cred(&minor, cred);
+ if (gret != GSS_S_COMPLETE) {
+ /* Log the error, but still free the credential's memory */
+ gss_log(3, "failed releasing credential: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ }
+ *cred = NULL;
+
+ return(ISC_R_SUCCESS);
+#else
+ UNUSED(cred);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+ isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
{
+#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
- gss_buffer_desc gnamebuf, gintoken, *gintokenp, gouttoken;
- OM_uint32 gret, minor, flags, ret_flags;
- gss_OID mech_type, ret_mech_type;
- OM_uint32 lifetime;
gss_name_t gname;
+ OM_uint32 gret, minor, ret_flags, flags;
+ gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
isc_result_t result;
+ gss_buffer_desc gnamebuf;
unsigned char array[DNS_NAME_MAXTEXT + 1];
+ char buf[1024];
+
+ /* Client must pass us a valid gss_ctx_id_t here */
+ REQUIRE(gssctx != NULL);
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
+
+ /* Get the name as a GSS name */
gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ if (gret != GSS_S_COMPLETE) {
+ result = ISC_R_FAILURE;
+ goto out;
+ }
if (intoken != NULL) {
+ /* Don't call gss_release_buffer for gintoken! */
REGION_TO_GBUFFER(*intoken, gintoken);
gintokenp = &gintoken;
- } else
+ } else {
gintokenp = NULL;
+ }
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
- mech_type = GSS_C_NO_OID;
-
- gret = gss_init_sec_context(&minor, cred, context, gname,
- mech_type, flags, 0,
- GSS_C_NO_CHANNEL_BINDINGS, gintokenp,
- &ret_mech_type, &gouttoken, &ret_flags,
- &lifetime);
- if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED)
- return (ISC_R_FAILURE);
+ GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
+
+ gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+ gname, GSS_SPNEGO_MECHANISM, flags,
+ 0, NULL, gintokenp,
+ NULL, &gouttoken, &ret_flags, NULL);
+
+ if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
+ gss_log(3, "Failure initiating security context");
+ gss_log(3, "%s", gss_error_tostring(gret, minor,
+ buf, sizeof(buf)));
+ result = ISC_R_FAILURE;
+ goto out;
+ }
- GBUFFER_TO_REGION(gouttoken, r);
- RETERR(isc_buffer_copyregion(outtoken, &r));
+ /*
+ * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
+ * MUTUAL and INTEG flags, fail if either not set.
+ */
+
+ /*
+ * RFC 2744 states the a valid output token has a non-zero length.
+ */
+ if (gouttoken.length != 0) {
+ GBUFFER_TO_REGION(gouttoken, r);
+ RETERR(isc_buffer_copyregion(outtoken, &r));
+ (void)gss_release_buffer(&minor, &gouttoken);
+ }
+ (void)gss_release_name(&minor, &gname);
if (gret == GSS_S_COMPLETE)
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
else
- return (DNS_R_CONTINUE);
+ result = DNS_R_CONTINUE;
out:
- return (result);
+ return (result);
+#else
+ UNUSED(name);
+ UNUSED(intoken);
+ UNUSED(outtoken);
+ UNUSED(gssctx);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
}
isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+ isc_region_t *intoken, isc_buffer_t **outtoken,
+ gss_ctx_id_t *ctxout, dns_name_t *principal,
+ isc_mem_t *mctx)
{
+#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
- gss_buffer_desc gnamebuf, gintoken, gouttoken;
- OM_uint32 gret, minor, flags;
- gss_OID mech_type;
- OM_uint32 lifetime;
- gss_cred_id_t delegated_cred;
- gss_name_t gname;
+ gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
+ gouttoken = GSS_C_EMPTY_BUFFER;
+ OM_uint32 gret, minor;
+ gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+ gss_name_t gname = NULL;
isc_result_t result;
- unsigned char array[DNS_NAME_MAXTEXT + 1];
+ char buf[1024];
- isc_buffer_init(&namebuf, array, sizeof(array));
- name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ REQUIRE(outtoken != NULL && *outtoken == NULL);
+
+ log_cred(cred);
REGION_TO_GBUFFER(*intoken, gintoken);
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
+ if (*ctxout == NULL)
+ context = GSS_C_NO_CONTEXT;
+ else
+ context = *ctxout;
+
+ gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
+ GSS_C_NO_CHANNEL_BINDINGS, &gname,
+ NULL, &gouttoken, NULL, NULL, NULL);
+
+ result = ISC_R_FAILURE;
+
+ switch (gret) {
+ case GSS_S_COMPLETE:
+ result = ISC_R_SUCCESS;
+ break;
+ case GSS_S_CONTINUE_NEEDED:
+ result = DNS_R_CONTINUE;
+ break;
+ case GSS_S_DEFECTIVE_TOKEN:
+ case GSS_S_DEFECTIVE_CREDENTIAL:
+ case GSS_S_BAD_SIG:
+ case GSS_S_DUPLICATE_TOKEN:
+ case GSS_S_OLD_TOKEN:
+ case GSS_S_NO_CRED:
+ case GSS_S_CREDENTIALS_EXPIRED:
+ case GSS_S_BAD_BINDINGS:
+ case GSS_S_NO_CONTEXT:
+ case GSS_S_BAD_MECH:
+ case GSS_S_FAILURE:
+ result = DNS_R_INVALIDTKEY;
+ /* fall through */
+ default:
+ gss_log(3, "failed gss_accept_sec_context: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ return (result);
+ }
- gret = gss_accept_sec_context(&minor, context, cred, &gintoken,
- GSS_C_NO_CHANNEL_BINDINGS, gname,
- &mech_type, &gouttoken, &flags,
- &lifetime, &delegated_cred);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ if (gouttoken.length > 0) {
+ RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
+ GBUFFER_TO_REGION(gouttoken, r);
+ RETERR(isc_buffer_copyregion(*outtoken, &r));
+ (void)gss_release_buffer(&minor, &gouttoken);
+ }
- GBUFFER_TO_REGION(gouttoken, r);
- RETERR(isc_buffer_copyregion(outtoken, &r));
+ if (gret == GSS_S_COMPLETE) {
+ gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_display_name: %s",
+ gss_error_tostring(gret, minor,
+ buf, sizeof(buf)));
+ RETERR(ISC_R_FAILURE);
+ }
+
+ /*
+ * Compensate for a bug in Solaris8's implementation
+ * of gss_display_name(). Should be harmless in any
+ * case, since principal names really should not
+ * contain null characters.
+ */
+ if (gnamebuf.length > 0 &&
+ ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+ gnamebuf.length--;
+
+ gss_log(3, "gss-api source name (accept) is %.*s",
+ (int)gnamebuf.length, (char *)gnamebuf.value);
+
+ GBUFFER_TO_REGION(gnamebuf, r);
+ isc_buffer_init(&namebuf, r.base, r.length);
+ isc_buffer_add(&namebuf, r.length);
+
+ RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
+ ISC_FALSE, NULL));
+
+ if (gnamebuf.length != 0) {
+ gret = gss_release_buffer(&minor, &gnamebuf);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ }
- return (ISC_R_SUCCESS);
+ *ctxout = context;
out:
- return (result);
-}
+ if (gname != NULL) {
+ gret = gss_release_name(&minor, &gname);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_name: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ return (result);
#else
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
- UNUSED(name);
- UNUSED(initiate);
- UNUSED(cred);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- UNUSED(name);
UNUSED(cred);
UNUSED(intoken);
UNUSED(outtoken);
- UNUSED(context);
+ UNUSED(ctxout);
+ UNUSED(principal);
+ UNUSED(mctx);
+
return (ISC_R_NOTIMPLEMENTED);
+#endif
}
isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
{
- UNUSED(name);
- UNUSED(cred);
- UNUSED(intoken);
- UNUSED(outtoken);
- UNUSED(context);
+#ifdef GSSAPI
+ OM_uint32 gret, minor;
+ char buf[1024];
+
+ UNUSED(mctx);
+
+ REQUIRE(gssctx != NULL && *gssctx != NULL);
+
+ /* Delete the context from the GSS provider */
+ gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+ if (gret != GSS_S_COMPLETE) {
+ /* Log the error, but still free the context's memory */
+ gss_log(3, "Failure deleting security context %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ }
+ return(ISC_R_SUCCESS);
+#else
+ UNUSED(mctx);
+ UNUSED(gssctx);
return (ISC_R_NOTIMPLEMENTED);
+#endif
}
+char *
+gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
+ char *buf, size_t buflen) {
+#ifdef GSSAPI
+ gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
+ msg_major = GSS_C_EMPTY_BUFFER;
+ OM_uint32 msg_ctx, minor_stat;
+
+ /* Handle major status */
+ msg_ctx = 0;
+ (void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg_major);
+
+ /* Handle minor status */
+ msg_ctx = 0;
+ (void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg_minor);
+
+ snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
+ (char *)msg_major.value, (char *)msg_minor.value);
+
+ if (msg_major.length != 0)
+ (void)gss_release_buffer(&minor_stat, &msg_major);
+ if (msg_minor.length != 0)
+ (void)gss_release_buffer(&minor_stat, &msg_minor);
+ return(buf);
+#else
+ snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
+ major, minor);
+
+ return (buf);
#endif
+}
+
+void
+gss_log(int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
+ va_end(ap);
+}
/*! \file */
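Review bot: In `dst_gssapi_acquirecred` the `name == NULL` branch leaves `gnamebuf` uninitialized, yet both the failure log (`"failed to acquire %s credentials for %s: %s"`) and the success log (`"acquired %s credentials for %s"`) pass `(char *)gnamebuf.value`, which is an uninitialized read whenever no name was given. Pass `gname != NULL ? (char *)gnamebuf.value : "?"` in both calls, or initialize `gnamebuf = GSS_C_EMPTY_BUFFER` and test `gnamebuf.value`. Separately, `dst_gssapi_initctx` jumps to `out` on the `gss_init_sec_context` failure and on the `RETERR(isc_buffer_copyregion(outtoken, &r))` path after `gss_import_name` has succeeded, so `gname` (and on the latter path `gouttoken`) is never released; initializing `gname = NULL` and moving the `gss_release_name` call after the `out:` label behind a `gname != NULL` guard matches what `dst_gssapi_acceptctx` already does. `dst_gssapi_acceptctx` has the same unreleased `gouttoken` when `isc_buffer_allocate` fails.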
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 9655c8958a30..fce98d708f31 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -1,9 +1,22 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -18,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $
+ * $Id: hmac_link.c,v 1.11 2008/04/01 23:47:10 tbox Exp $
*/
#include <config.h>
@@ -43,9 +56,9 @@
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct hmackey {
+struct dst_hmacmd5_key {
unsigned char key[HMAC_LEN];
-} HMAC_Key;
+};
static isc_result_t
getkeybits(dst_key_t *key, struct dst_private_element *element) {
@@ -61,30 +74,30 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) {
static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
- HMAC_Key *hkey = key->opaque;
+ dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
- dctx->opaque = hmacmd5ctx;
+ dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
static void
hmacmd5_destroyctx(dst_context_t *dctx) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
if (hmacmd5ctx != NULL) {
isc_hmacmd5_invalidate(hmacmd5ctx);
isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacmd5ctx = NULL;
}
}
static isc_result_t
hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
return (ISC_R_SUCCESS);
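Review bot: hmacmd5_createctx dereferences `hkey->key` in the isc_hmacmd5_init call without first confirming that `key->keydata.hmacmd5` is non-NULL, while the hmacmd5_fromdns hunk further down returns ISC_R_SUCCESS for a zero-length key region without ever assigning keydata. If the dst_api layer does not already reject keys whose keydata is NULL before dispatching to createctx (not visible in this diff), a key built from an empty wire region would produce a NULL dereference here instead of an error; a local guard `if (hkey == NULL) return (DST_R_NULLKEY);` ahead of the isc_mem_get call makes the contract explicit and mirrors the check hmacmd5_tofile already performs. The same pattern appears in the hmacsha1, hmacsha224, hmacsha256, hmacsha384 and hmacsha512 createctx hunks.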
@@ -92,7 +105,7 @@ hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
@@ -106,7 +119,7 @@ hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
if (sig->length > ISC_MD5_DIGESTLENGTH)
return (DST_R_VERIFYFAILURE);
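Review bot: hmacmd5_verify's length guard rejects only oversized signatures, whereas every SHA variant in this file also rejects an empty one (see `sig->length == 0` in the hmacsha1_verify hunk); the MD5 path should read `if (sig->length > ISC_MD5_DIGESTLENGTH || sig->length == 0)`. A zero-length MAC that reaches the comparison would compare zero bytes and, if the underlying verify helper treats an empty prefix match as success, be accepted as valid. The remainder of the function body lies outside this hunk, so whether a later check catches this case cannot be confirmed from the diff alone.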
@@ -119,10 +132,10 @@ hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMAC_Key *hkey1, *hkey2;
+ dst_hmacmd5_key_t *hkey1, *hkey2;
- hkey1 = (HMAC_Key *)key1->opaque;
- hkey2 = (HMAC_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacmd5;
+ hkey2 = key2->keydata.hmacmd5;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -170,20 +183,20 @@ hmacmd5_isprivate(const dst_key_t *key) {
static void
hmacmd5_destroy(dst_key_t *key) {
- HMAC_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMAC_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMAC_Key));
- key->opaque = NULL;
+ dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+ memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
+ key->keydata.hmacmd5 = NULL;
}
static isc_result_t
hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacmd5 != NULL);
- hkey = (HMAC_Key *) key->opaque;
+ hkey = key->keydata.hmacmd5;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
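Review bot: hmacmd5_destroy wipes the key bytes with a plain `memset` immediately before handing the block to isc_mem_put, and nothing marks that store as deliberate. Because isc_mem_put is an external call the store is unlikely to be dropped today, but this is the classic pattern optimizers eliminate once the release path becomes visible (for example under LTO), so the intent deserves a comment such as `/* Wipe key material before the block returns to the pool; keep this store. */` and a dedicated non-elidable wipe helper if the isc library gains one. The hmacsha1, hmacsha224, hmacsha256, hmacsha384 and hmacsha512 destroy hunks share this.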
@@ -195,7 +208,7 @@ hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
int keylen;
isc_region_t r;
isc_md5_t md5ctx;
@@ -204,7 +217,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMAC_Key *) isc_mem_get(key->mctx, sizeof(HMAC_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -222,7 +235,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacmd5 = hkey;
return (ISC_R_SUCCESS);
}
@@ -230,15 +243,15 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacmd5_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacmd5 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMAC_Key *) key->opaque;
+ hkey = key->keydata.hmacmd5;
priv.elements[cnt].tag = TAG_HMACMD5_KEY;
priv.elements[cnt].length = bytes;
@@ -272,7 +285,7 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACMD5_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacmd5_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -310,6 +323,7 @@ static dst_func_t hmacmd5_functions = {
hmacmd5_tofile,
hmacmd5_parse,
NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
};
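Review bot: the new `fromlabel` slot in hmacmd5_functions is annotated `/*%< fromlabel */`, copying the Doxygen-style marker from the `cleanup` entry above it, while the identical additions to the hmacsha1 through hmacsha512 tables use a plain `/* fromlabel */`. One form should be used throughout the file; since these member comments are not extracted as documentation, `/* fromlabel */` is the simpler choice, or the MD5 table's `cleanup` line should be changed to match the other tables.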
isc_result_t
@@ -322,37 +336,37 @@ dst__hmacmd5_init(dst_func_t **funcp) {
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha1_key {
unsigned char key[ISC_SHA1_DIGESTLENGTH];
-} HMACSHA1_Key;
+};
static isc_result_t
hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha1_t *hmacsha1ctx;
- HMACSHA1_Key *hkey = key->opaque;
+ dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
if (hmacsha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
- dctx->opaque = hmacsha1ctx;
+ dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha1_destroyctx(dst_context_t *dctx) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
if (hmacsha1ctx != NULL) {
isc_hmacsha1_invalidate(hmacsha1ctx);
isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha1ctx = NULL;
}
}
static isc_result_t
hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -360,7 +374,7 @@ hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
@@ -374,7 +388,7 @@ hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -387,10 +401,10 @@ hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA1_Key *hkey1, *hkey2;
+ dst_hmacsha1_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA1_Key *)key1->opaque;
- hkey2 = (HMACSHA1_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha1;
+ hkey2 = key2->keydata.hmacsha1;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -438,20 +452,20 @@ hmacsha1_isprivate(const dst_key_t *key) {
static void
hmacsha1_destroy(dst_key_t *key) {
- HMACSHA1_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA1_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA1_Key));
- key->opaque = NULL;
+ dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+ memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
+ key->keydata.hmacsha1 = NULL;
}
static isc_result_t
hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha1 != NULL);
- hkey = (HMACSHA1_Key *) key->opaque;
+ hkey = key->keydata.hmacsha1;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -463,7 +477,7 @@ hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha1_t sha1ctx;
@@ -472,7 +486,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA1_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA1_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha1_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -490,7 +504,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha1 = hkey;
return (ISC_R_SUCCESS);
}
@@ -498,15 +512,15 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha1_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha1 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA1_Key *) key->opaque;
+ hkey = key->keydata.hmacsha1;
priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
priv.elements[cnt].length = bytes;
@@ -541,7 +555,7 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACSHA1_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacsha1_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -579,6 +593,7 @@ static dst_func_t hmacsha1_functions = {
hmacsha1_tofile,
hmacsha1_parse,
NULL, /* cleanup */
+ NULL, /* fromlabel */
};
isc_result_t
@@ -591,37 +606,37 @@ dst__hmacsha1_init(dst_func_t **funcp) {
static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha224_key {
unsigned char key[ISC_SHA224_DIGESTLENGTH];
-} HMACSHA224_Key;
+};
static isc_result_t
hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha224_t *hmacsha224ctx;
- HMACSHA224_Key *hkey = key->opaque;
+ dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
if (hmacsha224ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
- dctx->opaque = hmacsha224ctx;
+ dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha224_destroyctx(dst_context_t *dctx) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
if (hmacsha224ctx != NULL) {
isc_hmacsha224_invalidate(hmacsha224ctx);
isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha224ctx = NULL;
}
}
static isc_result_t
hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -629,7 +644,7 @@ hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
@@ -643,7 +658,7 @@ hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -656,10 +671,10 @@ hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA224_Key *hkey1, *hkey2;
+ dst_hmacsha224_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA224_Key *)key1->opaque;
- hkey2 = (HMACSHA224_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha224;
+ hkey2 = key2->keydata.hmacsha224;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -707,20 +722,20 @@ hmacsha224_isprivate(const dst_key_t *key) {
static void
hmacsha224_destroy(dst_key_t *key) {
- HMACSHA224_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA224_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA224_Key));
- key->opaque = NULL;
+ dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+ memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
+ key->keydata.hmacsha224 = NULL;
}
static isc_result_t
hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha224 != NULL);
- hkey = (HMACSHA224_Key *) key->opaque;
+ hkey = key->keydata.hmacsha224;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -732,7 +747,7 @@ hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha224_t sha224ctx;
@@ -741,7 +756,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA224_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA224_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha224_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -759,7 +774,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha224 = hkey;
return (ISC_R_SUCCESS);
}
@@ -767,15 +782,15 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha224_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha224 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA224_Key *) key->opaque;
+ hkey = key->keydata.hmacsha224;
priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
priv.elements[cnt].length = bytes;
@@ -810,7 +825,7 @@ hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACSHA224_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacsha224_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -848,6 +863,7 @@ static dst_func_t hmacsha224_functions = {
hmacsha224_tofile,
hmacsha224_parse,
NULL, /* cleanup */
+ NULL, /* fromlabel */
};
isc_result_t
@@ -860,37 +876,37 @@ dst__hmacsha224_init(dst_func_t **funcp) {
static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha256_key {
unsigned char key[ISC_SHA256_DIGESTLENGTH];
-} HMACSHA256_Key;
+};
static isc_result_t
hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha256_t *hmacsha256ctx;
- HMACSHA256_Key *hkey = key->opaque;
+ dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
if (hmacsha256ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
- dctx->opaque = hmacsha256ctx;
+ dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha256_destroyctx(dst_context_t *dctx) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
if (hmacsha256ctx != NULL) {
isc_hmacsha256_invalidate(hmacsha256ctx);
isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha256ctx = NULL;
}
}
static isc_result_t
hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -898,7 +914,7 @@ hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
@@ -912,7 +928,7 @@ hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -925,10 +941,10 @@ hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA256_Key *hkey1, *hkey2;
+ dst_hmacsha256_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA256_Key *)key1->opaque;
- hkey2 = (HMACSHA256_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha256;
+ hkey2 = key2->keydata.hmacsha256;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -976,20 +992,20 @@ hmacsha256_isprivate(const dst_key_t *key) {
static void
hmacsha256_destroy(dst_key_t *key) {
- HMACSHA256_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA256_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA256_Key));
- key->opaque = NULL;
+ dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+ memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
+ key->keydata.hmacsha256 = NULL;
}
static isc_result_t
hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha256 != NULL);
- hkey = (HMACSHA256_Key *) key->opaque;
+ hkey = key->keydata.hmacsha256;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1001,7 +1017,7 @@ hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha256_t sha256ctx;
@@ -1010,7 +1026,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA256_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA256_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha256_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1028,7 +1044,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha256 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1036,15 +1052,15 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha256_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha256 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA256_Key *) key->opaque;
+ hkey = key->keydata.hmacsha256;
priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
priv.elements[cnt].length = bytes;
@@ -1079,7 +1095,7 @@ hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACSHA256_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacsha256_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -1117,6 +1133,7 @@ static dst_func_t hmacsha256_functions = {
hmacsha256_tofile,
hmacsha256_parse,
NULL, /* cleanup */
+ NULL, /* fromlabel */
};
isc_result_t
@@ -1129,37 +1146,37 @@ dst__hmacsha256_init(dst_func_t **funcp) {
static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha384_key {
unsigned char key[ISC_SHA384_DIGESTLENGTH];
-} HMACSHA384_Key;
+};
static isc_result_t
hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha384_t *hmacsha384ctx;
- HMACSHA384_Key *hkey = key->opaque;
+ dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
if (hmacsha384ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
- dctx->opaque = hmacsha384ctx;
+ dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha384_destroyctx(dst_context_t *dctx) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
if (hmacsha384ctx != NULL) {
isc_hmacsha384_invalidate(hmacsha384ctx);
isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha384ctx = NULL;
}
}
static isc_result_t
hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -1167,7 +1184,7 @@ hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
@@ -1181,7 +1198,7 @@ hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -1194,10 +1211,10 @@ hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA384_Key *hkey1, *hkey2;
+ dst_hmacsha384_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA384_Key *)key1->opaque;
- hkey2 = (HMACSHA384_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha384;
+ hkey2 = key2->keydata.hmacsha384;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -1245,20 +1262,20 @@ hmacsha384_isprivate(const dst_key_t *key) {
static void
hmacsha384_destroy(dst_key_t *key) {
- HMACSHA384_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA384_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA384_Key));
- key->opaque = NULL;
+ dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+ memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
+ key->keydata.hmacsha384 = NULL;
}
static isc_result_t
hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha384 != NULL);
- hkey = (HMACSHA384_Key *) key->opaque;
+ hkey = key->keydata.hmacsha384;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1270,7 +1287,7 @@ hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha384_t sha384ctx;
@@ -1279,7 +1296,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA384_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA384_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha384_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1297,7 +1314,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha384 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1305,15 +1322,15 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha384_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha384 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA384_Key *) key->opaque;
+ hkey = key->keydata.hmacsha384;
priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
priv.elements[cnt].length = bytes;
@@ -1348,7 +1365,7 @@ hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACSHA384_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacsha384_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -1386,6 +1403,7 @@ static dst_func_t hmacsha384_functions = {
hmacsha384_tofile,
hmacsha384_parse,
NULL, /* cleanup */
+ NULL, /* fromlabel */
};
isc_result_t
@@ -1398,37 +1416,37 @@ dst__hmacsha384_init(dst_func_t **funcp) {
static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha512_key {
unsigned char key[ISC_SHA512_DIGESTLENGTH];
-} HMACSHA512_Key;
+};
static isc_result_t
hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha512_t *hmacsha512ctx;
- HMACSHA512_Key *hkey = key->opaque;
+ dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
if (hmacsha512ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
- dctx->opaque = hmacsha512ctx;
+ dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha512_destroyctx(dst_context_t *dctx) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
if (hmacsha512ctx != NULL) {
isc_hmacsha512_invalidate(hmacsha512ctx);
isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha512ctx = NULL;
}
}
static isc_result_t
hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -1436,7 +1454,7 @@ hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
@@ -1450,7 +1468,7 @@ hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -1463,10 +1481,10 @@ hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA512_Key *hkey1, *hkey2;
+ dst_hmacsha512_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA512_Key *)key1->opaque;
- hkey2 = (HMACSHA512_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha512;
+ hkey2 = key2->keydata.hmacsha512;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -1514,20 +1532,20 @@ hmacsha512_isprivate(const dst_key_t *key) {
static void
hmacsha512_destroy(dst_key_t *key) {
- HMACSHA512_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA512_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA512_Key));
- key->opaque = NULL;
+ dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+ memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
+ key->keydata.hmacsha512 = NULL;
}
static isc_result_t
hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha512 != NULL);
- hkey = (HMACSHA512_Key *) key->opaque;
+ hkey = key->keydata.hmacsha512;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1539,7 +1557,7 @@ hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha512_t sha512ctx;
@@ -1548,7 +1566,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA512_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA512_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha512_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1566,7 +1584,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha512 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1574,15 +1592,15 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha512_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha512 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA512_Key *) key->opaque;
+ hkey = key->keydata.hmacsha512;
priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
priv.elements[cnt].length = bytes;
@@ -1617,7 +1635,7 @@ hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
switch (priv.elements[i].tag) {
case TAG_HMACSHA512_KEY:
isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
+ priv.elements[i].length);
isc_buffer_add(&b, priv.elements[i].length);
tresult = hmacsha512_fromdns(key, &b);
if (tresult != ISC_R_SUCCESS)
@@ -1655,6 +1673,7 @@ static dst_func_t hmacsha512_functions = {
hmacsha512_tofile,
hmacsha512_parse,
NULL, /* cleanup */
+ NULL, /* fromlabel */
};
isc_result_t
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
index 593ad5aa96f1..b52cb980d550 100644
--- a/lib/dns/include/Makefile.in
+++ b/lib/dns/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.12.18.1 2004/12/09 04:41:46 marka Exp $
+# $Id: Makefile.in,v 1.15 2007/06/19 23:47:16 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index 3f367bc79204..e9e049e29825 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.50 2004/03/05 05:09:40 marka Exp $
+# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -23,14 +23,14 @@ top_srcdir = @top_srcdir@
HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \
cert.h compress.h \
- db.h dbiterator.h dbtable.h diff.h dispatch.h \
- dnssec.h ds.h events.h fixedname.h journal.h keyflags.h \
+ db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
+ dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
message.h name.h ncache.h \
nsec.h peer.h portlist.h rbt.h rcode.h \
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
rdataslab.h rdatatype.h request.h resolver.h result.h \
- rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \
+ rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
tcpmsg.h time.h tkey.h \
tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
zone.h zonekey.h zt.h
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
index 50d7fc1a7b78..28990c2aab0c 100644
--- a/lib/dns/include/dns/acache.h
+++ b/lib/dns/include/dns/acache.h
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acache.h,v 1.3.2.4 2006/05/03 00:07:49 marka Exp $ */
+/* $Id: acache.h,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_ACACHE_H
#define DNS_ACACHE_H 1
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 34e394f36b0d..721fe51dfb4e 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acl.h,v 1.22.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.h,v 1.31.206.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_ACL_H
#define DNS_ACL_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/acl.h
* \brief
* Address match list handling.
*/
@@ -40,6 +40,7 @@
#include <dns/name.h>
#include <dns/types.h>
+#include <dns/iptable.h>
/***
*** Types
@@ -62,20 +63,21 @@ struct dns_aclipprefix {
};
struct dns_aclelement {
- dns_aclelemettype_t type;
- isc_boolean_t negative;
- union {
- dns_aclipprefix_t ip_prefix;
- dns_name_t keyname;
- dns_acl_t *nestedacl;
- } u;
+ dns_aclelemettype_t type;
+ isc_boolean_t negative;
+ dns_name_t keyname;
+ dns_acl_t *nestedacl;
+ int node_num;
};
struct dns_acl {
unsigned int magic;
isc_mem_t *mctx;
isc_refcount_t refcount;
+ dns_iptable_t *iptable;
+#define node_count iptable->radix->num_added_node
dns_aclelement_t *elements;
+ isc_boolean_t has_negatives;
unsigned int alloc; /*%< Elements allocated */
unsigned int length; /*%< Elements initialized */
char *name; /*%< Temporary use only */
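Review bot: `#define node_count iptable->radix->num_added_node` placed inside struct dns_acl is a preprocessor macro, not a member, and it is exported from a public header under an unprefixed lowercase name: every file that includes dns/acl.h will have any identifier spelled `node_count` — a local, a parameter, a field of an unrelated struct — rewritten to `iptable->radix->num_added_node`, usually yielding a confusing compile error and potentially binding to a different `iptable` in scope. The macro also hides two pointer dereferences, so `acl->node_count` is only safe where `iptable` and `radix` are known non-NULL, which nothing in this header promises. A prefixed macro that takes the ACL explicitly, e.g. `#define DNS_ACL_NODECOUNT(acl) ((acl)->iptable->radix->num_added_node)`, or a `static inline` accessor, keeps the convenience without leaking a generic identifier into every includer's namespace.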
@@ -100,14 +102,9 @@ ISC_LANG_BEGINDECLS
isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
/*%<
- * Create a new ACL with room for 'n' elements.
- * The elements are uninitialized and the length is 0.
- */
-
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
-/*%<
- * Append an element to an existing ACL.
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements. The elements are uninitialized and the
+ * length is 0.
*/
isc_result_t
@@ -122,6 +119,30 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
* Create a new ACL that matches nothing.
*/
+isc_boolean_t
+dns_acl_isany(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ any; }"
+ */
+
+isc_boolean_t
+dns_acl_isnone(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ none; }"
+ */
+
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
+/*%<
+ * Merge the contents of one ACL into another. Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated. This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
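Review bot: dns_acl_isany() and dns_acl_isnone() are pure predicates yet take a non-const `dns_acl_t *`, while dns_acl_isinsecure() further down this header takes `const dns_acl_t *`; `isc_boolean_t dns_acl_isany(const dns_acl_t *acl);` and the same for dns_acl_isnone() would keep the header consistent and let callers holding a const ACL use them. The dns_acl_merge() comment has no Requires:/Returns: section, unlike the other declarations here, so a caller cannot tell which result codes to expect or whether 'dest' is left partially merged when dns_iptable_merge() or the element-array concatenation fails; a `Returns:` block naming the codes the implementation can produce, plus one sentence on the state of 'dest' on failure, would close that. The dns_acl_merge() implementation is not in this hunk, so those details need confirming against it.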
@@ -129,17 +150,11 @@ void
dns_acl_detach(dns_acl_t **aclp);
isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
-
-isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
-
-isc_boolean_t
dns_acl_isinsecure(const dns_acl_t *a);
/*%<
* Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
* if it contains IP addresses other than those of the local host.
- * This is intended for applications such as printing warning
+ * This is intended for applications such as printing warning
* messages for suspect ACLs; it is not intended for making access
* control decisions. We make no guarantee that an ACL for which
* this function returns #ISC_FALSE is safe.
@@ -147,6 +162,9 @@ dns_acl_isinsecure(const dns_acl_t *a);
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+/*%<
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
void
dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
@@ -168,19 +186,17 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
* Match the address 'reqaddr', and optionally the key name 'reqsigner',
* against 'acl'. 'reqsigner' may be NULL.
*
- * If there is a positive match, '*match' will be set to a positive value
- * indicating the distance from the beginning of the list.
- *
- * If there is a negative match, '*match' will be set to a negative value
- * whose absolute value indicates the distance from the beginning of
- * the list.
- *
- * If there is a match (either positive or negative) and 'matchelt' is
- * non-NULL, *matchelt will be attached to the primitive
- * (non-indirect) address match list element that matched.
+ * If there is a match, '*match' will be set to an integer whose absolute
+ * value corresponds to the order in which the matching value was inserted
+ * into the ACL. For a positive match, this value will be positive; for a
+ * negative match, it will be negative.
*
* If there is no match, *match will be set to zero.
*
+ * If there is a match in the element list (either positive or negative)
+ * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
+ * element.
+ *
* Returns:
*\li #ISC_R_SUCCESS Always succeeds.
*/
@@ -189,34 +205,18 @@ isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
const dns_aclelement_t *e,
- const dns_aclenv_t *env,
+ const dns_aclenv_t *env,
const dns_aclelement_t **matchelt);
/*%<
* Like dns_acl_match, but matches against the single ACL element 'e'
- * rather than a complete list and returns ISC_TRUE iff it matched.
- * To determine whether the match was prositive or negative, the
+ * rather than a complete ACL, and returns ISC_TRUE iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
* caller should examine e->negative. Since the element 'e' may be
- * a reference to a named ACL or a nested ACL, the matching element
+ * a reference to a named ACL or a nested ACL, a matching element
* returned through 'matchelt' is not necessarily 'e' itself.
*/
-isc_result_t
-dns_acl_elementmatch(const dns_acl_t *acl,
- const dns_aclelement_t *elt,
- const dns_aclelement_t **matchelt);
-/*%<
- * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
- * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
- * to the entry.
- *
- * This function is intended to be used for avoiding duplicated ACL entries
- * before adding an entry.
- *
- * Returns:
- *\li #ISC_R_SUCCESS Match succeeds.
- *\li #ISC_R_NOTFOUND Match fails.
- */
-
ISC_LANG_ENDDECLS
#endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index 1e3cd6170dc1..d4ac40c8c98d 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.h,v 1.76.18.3 2005/06/23 04:23:16 marka Exp $ */
+/* $Id: adb.h,v 1.85 2008/04/03 06:09:04 tbox Exp $ */
#ifndef DNS_ADB_H
#define DNS_ADB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/adb.h
*\brief
* DNS Address Database
*
@@ -99,7 +99,7 @@ ISC_LANG_BEGINDECLS
typedef struct dns_adbname dns_adbname_t;
-/*!
+/*!
*\brief
* Represents a lookup for a single name.
*
@@ -220,7 +220,7 @@ struct dns_adbaddrinfo {
ISC_LINK(dns_adbaddrinfo_t) publink;
};
-/*!<
+/*!<
* The event sent to the caller task is just a plain old isc_event_t. It
* contains no data other than a simple status, passed in the "type" field
* to indicate that another address resolved, or all partially resolved
@@ -345,7 +345,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
*
* If no events will be generated, the *find->result_v4 and/or result_v6
* members may be examined for address lookup status. The usual #ISC_R_SUCCESS,
- * #ISC_R_FAILURE, and #DNS_R_NX{DOMAIN,RRSET} are returned, along with
+ * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
* #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values. In this
* latter case, retrying may produce more addresses.
*
@@ -520,7 +520,7 @@ void
dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
unsigned int rtt, unsigned int factor);
/*%<
- * Mix the round trip time into the existing smoothed rtt.
+ * Mix the round trip time into the existing smoothed rtt.
* The formula used
* (where srtt is the existing rtt value, and rtt and factor are arguments to
@@ -623,13 +623,12 @@ void
dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
/*%<
* Flush 'name' from the adb cache.
- *
+ *
* Requires:
*\li 'adb' is valid.
*\li 'name' is valid.
*/
-
ISC_LANG_ENDDECLS
#endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
index 770f294b0a2a..28c733d486d9 100644
--- a/lib/dns/include/dns/bit.h
+++ b/lib/dns/include/dns/bit.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bit.h,v 1.8.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: bit.h,v 1.14 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_BIT_H
#define DNS_BIT_H 1
-/*! \file */
+/*! \file dns/bit.h */
#include <isc/int.h>
#include <isc/boolean.h>
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
index 1f1e88c355ab..edf843083af5 100644
--- a/lib/dns/include/dns/byaddr.h
+++ b/lib/dns/include/dns/byaddr.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byaddr.h,v 1.16.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: byaddr.h,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_BYADDR_H
#define DNS_BYADDR_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/byaddr.h
* \brief
* The byaddr module provides reverse lookup services for IPv4 and IPv6
* addresses.
@@ -121,8 +121,8 @@ dns_byaddr_cancel(dns_byaddr_t *byaddr);
*
* Notes:
*
- *\li If 'byaddr' has not completed, post its #BYADDRDONE event with a
- * result code of #ISC_R_CANCELED.
+ *\li If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
+ * event with a result code of #ISC_R_CANCELED.
*
* Requires:
*
@@ -138,8 +138,8 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp);
*
*\li '*byaddrp' is a valid byaddr.
*
- *\li The caller has received the BYADDRDONE event (either because the
- * byaddr completed or because dns_byaddr_cancel() was called).
+ *\li The caller has received the #DNS_EVENT_BYADDRDONE event (either because
+ * the byaddr completed or because dns_byaddr_cancel() was called).
*
* Ensures:
*
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index fc4f78e7c582..7b372357d76b 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cache.h,v 1.19.18.3 2005/08/23 02:31:38 marka Exp $ */
+/* $Id: cache.h,v 1.26 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_CACHE_H
#define DNS_CACHE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/cache.h
* \brief
* Defines dns_cache_t, the cache object.
*
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
index 6aee70bf4794..8a8385a99534 100644
--- a/lib/dns/include/dns/callbacks.h
+++ b/lib/dns/include/dns/callbacks.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: callbacks.h,v 1.18.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: callbacks.h,v 1.24 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_CALLBACKS_H
#define DNS_CALLBACKS_H 1
-/*! \file */
+/*! \file dns/callbacks.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
index 4de1aec7fc11..1cda84875c38 100644
--- a/lib/dns/include/dns/cert.h
+++ b/lib/dns/include/dns/cert.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cert.h,v 1.13.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: cert.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_CERT_H
#define DNS_CERT_H 1
-/*! \file */
+/*! \file dns/cert.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 4d9c0119cc2c..4632aff42bfb 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: compress.h,v 1.32.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.h,v 1.40.332.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_COMPRESS_H
#define DNS_COMPRESS_H 1
@@ -32,7 +32,7 @@ ISC_LANG_BEGINDECLS
#define DNS_COMPRESS_ALL 0x01 /*%< all compression. */
#define DNS_COMPRESS_CASESENSITIVE 0x02 /*%< case sensitive compression. */
-/*! \file
+/*! \file dns/compress.h
* Direct manipulation of the structures is strongly discouraged.
*/
@@ -77,7 +77,7 @@ struct dns_decompress {
isc_result_t
dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
/*%<
- * Inialise the compression context structure pointed to by 'cctx'.
+ * Initialise the compression context structure pointed to by 'cctx'.
*
* Requires:
* \li 'cctx' is a valid dns_compress_t structure.
@@ -136,7 +136,7 @@ dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive);
isc_boolean_t
dns_compress_getsensitive(dns_compress_t *cctx);
/*
- * Return whether case is to be preservered when compressing
+ * Return whether case is to be preserved when compressing
* domain names.
*
* Requires:
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index b03ae5748a2e..3b78208943b4 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db.h,v 1.76.18.10 2007/08/28 07:20:05 tbox Exp $ */
+/* $Id: db.h,v 1.93.50.3 2009/01/18 23:25:17 marka Exp $ */
#ifndef DNS_DB_H
#define DNS_DB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/db.h
* \brief
* The DNS DB interface allows named rdatasets to be stored and retrieved.
*
@@ -111,8 +111,7 @@ typedef struct dns_dbmethods {
isc_stdtime_t now);
void (*printnode)(dns_db_t *db, dns_dbnode_t *node,
FILE *out);
- isc_result_t (*createiterator)(dns_db_t *db,
- isc_boolean_t relative_names,
+ isc_result_t (*createiterator)(dns_db_t *db, unsigned int options,
dns_dbiterator_t **iteratorp);
isc_result_t (*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
dns_dbversion_t *version,
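Review bot: Changing the second parameter from `isc_boolean_t relative_names` to `unsigned int options` lets every stale call site keep compiling, because an isc_boolean_t argument converts to unsigned int implicitly; a caller still passing ISC_TRUE gets whatever integer that enumerator has (the value-1 enumerator in libisc, so it coincides with #DNS_DB_RELATIVENAMES only by accident), and one passing ISC_FALSE gets no options, with no diagnostic either way. Implementations whose method table still names the old function type should at least draw an incompatible-pointer-type warning, but callers will not, so the createiterator callers in this import are worth a grep. The same applies to the public dns_db_createiterator() declaration later in this file; its comment lists the three option bits but does not say whether #DNS_DB_NSEC3ONLY and #DNS_DB_NONSEC3 may be combined or what happens with unknown bits, so a line like `Bits other than the three above are reserved and must be zero; #DNS_DB_NSEC3ONLY and #DNS_DB_NONSEC3 are mutually exclusive.` (confirmed against the implementation) would make the new interface self-describing.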
@@ -146,6 +145,28 @@ typedef struct dns_dbmethods {
void (*overmem)(dns_db_t *db, isc_boolean_t overmem);
void (*settask)(dns_db_t *db, isc_task_t *);
isc_result_t (*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
+ void (*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp);
+ isc_result_t (*getnsec3parameters)(dns_db_t *db,
+ dns_dbversion_t *version,
+ dns_hash_t *hash,
+ isc_uint8_t *flags,
+ isc_uint16_t *iterations,
+ unsigned char *salt,
+ size_t *salt_len);
+ isc_result_t (*findnsec3node)(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create,
+ dns_dbnode_t **nodep);
+ isc_result_t (*setsigningtime)(dns_db_t *db,
+ dns_rdataset_t *rdataset,
+ isc_stdtime_t resign);
+ isc_result_t (*getsigningtime)(dns_db_t *db,
+ dns_rdataset_t *rdataset,
+ dns_name_t *name);
+ void (*resigned)(dns_db_t *db, dns_rdataset_t *rdataset,
+ dns_dbversion_t *version);
+ isc_boolean_t (*isdnssec)(dns_db_t *db);
+ dns_stats_t *(*getrrsetstats)(dns_db_t *db);
} dns_dbmethods_t;
typedef isc_result_t
@@ -153,7 +174,7 @@ typedef isc_result_t
dns_dbtype_t type, dns_rdataclass_t rdclass,
unsigned int argc, char *argv[], void *driverarg,
dns_db_t **dbp);
-
+
#define DNS_DB_MAGIC ISC_MAGIC('D','N','S','D')
#define DNS_DB_VALID(db) ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
@@ -191,6 +212,7 @@ struct dns_db {
#define DNS_DBFIND_NOEXACT 0x10
#define DNS_DBFIND_FORCENSEC 0x20
#define DNS_DBFIND_COVERINGNSEC 0x40
+#define DNS_DBFIND_FORCENSEC3 0x80
/*@}*/
/*@{*/
@@ -208,6 +230,15 @@ struct dns_db {
*/
#define DNS_DBSUB_EXACT 0x01
+/*@{*/
+/*%
+ * Iterator options
+ */
+#define DNS_DB_RELATIVENAMES 0x1
+#define DNS_DB_NSEC3ONLY 0x2
+#define DNS_DB_NONSEC3 0x4
+/*@}*/
+
/*****
***** Methods
*****/
@@ -355,6 +386,20 @@ dns_db_issecure(dns_db_t *db);
* \li #ISC_FALSE 'db' is not secure.
*/
+isc_boolean_t
+dns_db_isdnssec(dns_db_t *db);
+/*%<
+ * Is 'db' secure or partially secure?
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li #ISC_TRUE 'db' is secure or is partially.
+ * \li #ISC_FALSE 'db' is not secure.
+ */
+
dns_name_t *
dns_db_origin(dns_db_t *db);
/*%<
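Review bot: The Returns: line `'db' is secure or is partially.` is truncated; `\li #ISC_TRUE 'db' is secure or partially secure.` reads correctly. It would also help to say in one sentence how dns_db_isdnssec() differs from dns_db_issecure() directly above it, since the two descriptions are otherwise near-identical and a reader cannot tell which to call for a zone that is mid-signing.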
@@ -626,7 +671,7 @@ dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
*
* \li #ISC_R_SUCCESS
* \li #ISC_R_NOTFOUND If !create and name not found.
- * \li #ISC_R_NOMEMORY Can only happen if create is ISC_TRUE.
+ * \li #ISC_R_NOMEMORY Can only happen if create is ISC_TRUE.
*
* \li Other results are possible, depending upon the database
* implementation used.
@@ -785,8 +830,8 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
* name, and 'rdataset' contains
* the negative caching proof.
*
- * \li #DNS_R_EMPTYNAME The name exists but there is
- * no data at the name.
+ * \li #DNS_R_EMPTYNAME The name exists but there is
+ * no data at the name.
*
* \li #DNS_R_COVERINGNSEC The returned data is a NSEC
* that potentially covers 'name'.
@@ -883,6 +928,27 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
* \li *nodep is NULL.
*/
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp);
+/*%<
+ * Transfer a node between pointer.
+ *
+ * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database.
+ *
+ * \li '*sourcep' is a valid node.
+ *
+ * \li 'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li '*sourcep' is NULL.
+ */
+
isc_result_t
dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
/*%<
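Review bot: `Transfer a node between pointer.` is ungrammatical and says less than the Requires/Ensures lines below it; `Transfer the node reference held in '*sourcep' to '*targetp', leaving '*sourcep' NULL.` states the contract in one line. The comment says the call is equivalent to dns_db_attachnode() followed by dns_db_detachnode(), but not whether a method table whose new 'transfernode' slot is NULL falls back to that pair or violates a precondition; one sentence either way would tell implementors whether the slot added to dns_dbmethods_t earlier in this file is optional.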
@@ -917,16 +983,17 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
***/
isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+dns_db_createiterator(dns_db_t *db, unsigned int options,
dns_dbiterator_t **iteratorp);
/*%<
* Create an iterator for version 'version' of 'db'.
*
* Notes:
*
- * \li If 'relative_names' is ISC_TRUE, then node names returned by the
- * iterator will be relative to the iterator's current origin. If
- * #ISC_FALSE, then the node names will be absolute.
+ * \li One or more of the following options can be set.
+ * #DNS_DB_RELATIVENAMES
+ * #DNS_DB_NSEC3ONLY
+ * #DNS_DB_NONSEC3
*
* Requires:
*
@@ -1005,7 +1072,7 @@ isc_result_t
dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
/*%<
- * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
+ * Make '*iteratorp' an rdataset iterator for all rdatasets at 'node' in
* version 'version' of 'db'.
*
* Notes:
@@ -1192,7 +1259,7 @@ dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
void
dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
/*%<
- * Enable / disable agressive cache cleaning.
+ * Enable / disable aggressive cache cleaning.
*/
unsigned int
@@ -1262,7 +1329,7 @@ dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
void
dns_db_unregister(dns_dbimplementation_t **dbimp);
/*%<
- * Remove a database implementation from the the list of supported
+ * Remove a database implementation from the list of supported
* implementations. No databases of this type can be active when this
* is called.
*
@@ -1294,6 +1361,117 @@ dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
* \li #ISC_R_NOTFOUND - the DB implementation does not support this feature.
*/
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+ dns_hash_t *hash, isc_uint8_t *flags,
+ isc_uint16_t *interations,
+ unsigned char *salt, size_t *salt_length);
+/*%<
+ * Get the NSEC3 parameters that are associated with this zone.
+ *
+ * Requires:
+ * \li 'db' is a valid zone database.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOTFOUND - the DB implementation does not support this feature
+ * or this zone does not have NSEC3 records.
+ */
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create, dns_dbnode_t **nodep);
+/*%<
+ * Find the NSEC3 node with name 'name'.
+ *
+ * Notes:
+ * \li If 'create' is ISC_TRUE and no node with name 'name' exists, then
+ * such a node will be created.
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database.
+ *
+ * \li 'name' is a valid, non-empty, absolute name.
+ *
+ * \li nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOTFOUND If !create and name not found.
+ * \li #ISC_R_NOMEMORY Can only happen if create is ISC_TRUE.
+ *
+ * \li Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+ isc_stdtime_t resign);
+/*%<
+ * Sets the re-signing time associated with 'rdataset' to 'resign'.
+ *
+ * Requires:
+ * \li 'db' is a valid zone database.
+ * \li 'rdataset' to be associated with 'db'.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOMEMORY
+ * \li #ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Return the rdataset with the earliest signing time in the zone.
+ * Note: the rdataset is version agnostic.
+ *
+ * Requires:
+ * \li 'db' is a valid zone database.
+ * \li 'rdataset' to be initialized but not associated.
+ * \li 'name' to be NULL or have a buffer associated with it.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOTFOUND - No dataset exists.
+ */
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+ dns_dbversion_t *version);
+/*%<
+ * Mark 'rdataset' as not being available to be returned by
+ * dns_db_getsigningtime(). If the changes associated with 'version'
+ * are committed this will be permanent. If the version is not committed
+ * this change will be rolled back when the version is closed.
+ *
+ * Requires:
+ * \li 'db' is a valid zone database.
+ * \li 'rdataset' to be associated with 'db'.
+ * \li 'version' to be open for writing.
+ */
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db);
+/*%<
+ * Get statistics information counting RRsets stored in the DB, when available.
+ * The statistics may not be available depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database (zone or cache).
+ *
+ * Returns:
+ * \li when available, a pointer to a statistics object created by
+ * dns_rdatasetstats_create(); otherwise NULL.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_DB_H */
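Review bot: The dns_db_getnsec3parameters() comment never states the contract for 'salt' and '*salt_length': whether '*salt_length' is the buffer capacity on entry and the bytes written on return, or output-only with a required minimum buffer. An NSEC3 salt is variable-length (its length travels in one octet on the wire, so up to 255 bytes), so a caller who guesses a smaller buffer has no documented guarantee against overrun; a Requires: line such as `\li 'salt' points to a buffer of at least [required size] bytes; on return '*salt_length' is the number of bytes written.`, filled in from what the implementation actually does, would close that. The prototype also spells the parameter `interations` while the method-table member earlier in this file uses `iterations`; it is only a prototype parameter name, so correcting it is harmless. Similarly, dns_db_getsigningtime() says 'rdataset' must be initialized but not associated, yet not whether it is associated (and must be disassociated by the caller) on #ISC_R_SUCCESS.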
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
index 47ce0824ec13..366d6767a79f 100644
--- a/lib/dns/include/dns/dbiterator.h
+++ b/lib/dns/include/dns/dbiterator.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbiterator.h,v 1.19.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbiterator.h,v 1.25 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_DBITERATOR_H
#define DNS_DBITERATOR_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dbiterator.h
* \brief
* The DNS DB Iterator interface allows iteration of all of the nodes in a
* database.
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
index 18d3e509476e..503de95107a9 100644
--- a/lib/dns/include/dns/dbtable.h
+++ b/lib/dns/include/dns/dbtable.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbtable.h,v 1.17.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbtable.h,v 1.23 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_DBTABLE_H
#define DNS_DBTABLE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dbtable.h
* \brief
* DNS DB Tables
*
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index cd96a0b088b5..a13b67806875 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: diff.h,v 1.6.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: diff.h,v 1.15.120.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_DIFF_H
#define DNS_DIFF_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/diff.h
* \brief
* A diff is a convenience type representing a list of changes to be
* made to a database.
@@ -59,12 +59,18 @@
* individual RRs of a "RRset exists (value dependent)"
* prerequisite set. In this case, op==DNS_DIFFOP_EXISTS,
* and the TTL is ignored.
+ *
+ * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
+ * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
+ * timeexpire.
*/
typedef enum {
- DNS_DIFFOP_ADD, /*%< Add an RR. */
- DNS_DIFFOP_DEL, /*%< Delete an RR. */
- DNS_DIFFOP_EXISTS /*%< Assert RR existence. */
+ DNS_DIFFOP_ADD = 0, /*%< Add an RR. */
+ DNS_DIFFOP_DEL = 1, /*%< Delete an RR. */
+ DNS_DIFFOP_EXISTS = 2, /*%< Assert RR existence. */
+ DNS_DIFFOP_ADDRESIGN = 4, /*%< ADD + RESIGN. */
+ DNS_DIFFOP_DELRESIGN = 5, /*%< DEL + RESIGN. */
} dns_diffop_t;
typedef struct dns_difftuple dns_difftuple_t;
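Review bot: The enumerator list now ends with a trailing comma, `DNS_DIFFOP_DELRESIGN = 5,`, which is C99 syntax while the rest of this header still reads as C89-compatible; drop it: `DNS_DIFFOP_DELRESIGN = 5 /*%< DEL + RESIGN. */`. The explicit values 4 and 5 look like ADD/DEL with an extra bit set, but the header never says whether 0x04 is a flag that code masks off or whether the enum is meant to be treated as dense (value 3 is unused). If the bit reading is the intent, a comment above the typedef such as `/* Bit 0x04 marks the resign variant of ADD/DEL; mask it off to recover the base op. */` stops callers from switching on the enum as if it were contiguous.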
@@ -73,7 +79,7 @@ typedef struct dns_difftuple dns_difftuple_t;
#define DNS_DIFFTUPLE_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
struct dns_difftuple {
- unsigned int magic;
+ unsigned int magic;
isc_mem_t *mctx;
dns_diffop_t op;
dns_name_t name;
@@ -96,10 +102,15 @@ typedef struct dns_diff dns_diff_t;
struct dns_diff {
unsigned int magic;
isc_mem_t * mctx;
+ /*
+ * Set the 'resign' attribute to this many second before the
+ * earliest RRSIG timeexpire.
+ */
+ isc_uint32_t resign;
ISC_LIST(dns_difftuple_t) tuples;
};
-/* Type of comparision function for sorting diffs. */
+/* Type of comparison function for sorting diffs. */
typedef int dns_diff_compare_func(const void *, const void *);
/***
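Review bot: The new field comment on `resign` reads `this many second before`; it should be `this many seconds before`. It would also help to say who is expected to set the field and whether zero disables the recomputation, since the RESIGN ops in the enum above depend on it and a reader cannot tell from the struct alone.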
@@ -110,7 +121,7 @@ ISC_LANG_BEGINDECLS
/**************************************************************************/
/*
- * Maniuplation of diffs and tuples.
+ * Manipulation of diffs and tuples.
*/
isc_result_t
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 8c143207b9ea..96a44fee3ff5 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dispatch.h,v 1.48.18.9 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: dispatch.h,v 1.60.82.2 2009/01/29 23:47:44 tbox Exp $ */
#ifndef DNS_DISPATCH_H
#define DNS_DISPATCH_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dispatch.h
* \brief
* DNS Dispatch Management
* Shared UDP and single-use TCP dispatches for queries and responses.
@@ -55,7 +55,7 @@
#include <isc/buffer.h>
#include <isc/lang.h>
#include <isc/socket.h>
-#include <dns/types.h>
+#include <isc/types.h>
#include <dns/types.h>
@@ -222,6 +222,21 @@ dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
*\li v6portset is NULL or a valid port set
*/
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats);
+/*%<
+ * Sets statistics counter for the dispatchmgr. This function is expected to
+ * be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced. Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ *\li mgr is a valid dispatchmgr with no managed dispatch.
+ *\li stats is a valid statistics supporting resolver statistics counters
+ * (see dns/stats.h).
+ */
+
isc_result_t
dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
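Review bot: The documentation block for dns_dispatchmgr_setstats describes a zone — `called only on zone creation` and `get the installed stats from the zone` — but the function takes a dispatch manager, so the text appears to have been copied from a zone API without adjustment. Reword it to the dispatchmgr: `Sets the statistics counters for 'mgr'. Expected to be called once, before any dispatch is created; once installed the stats cannot be removed or replaced, and there is no getter, so the caller must keep its own reference.` That reading matches the Requires line `mgr is a valid dispatchmgr with no managed dispatch`. The dns_dispatch_getudp prototype that follows continues past the end of the hunk.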
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
index 4c61c91cf296..75ba99fbce2a 100644
--- a/lib/dns/include/dns/dlz.h
+++ b/lib/dns/include/dns/dlz.h
@@ -1,8 +1,8 @@
/*
- * Portions Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -50,9 +50,9 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz.h,v 1.2.2.2 2005/09/06 03:47:18 marka Exp $ */
+/* $Id: dlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
-/*! \file */
+/*! \file dns/dlz.h */
#ifndef DLZ_H
#define DLZ_H 1
@@ -133,7 +133,7 @@ typedef void
/*%<
* Method prototype. Drivers implementing the DLZ interface MUST
* supply a destroy method. This method is called when the DNS server
- * is shuting down and no longer needs the driver.
+ * is shutting down and no longer needs the driver.
*/
typedef isc_result_t
@@ -157,7 +157,7 @@ typedef isc_result_t
* \li 3) we run out of domain name labels. I.E. we have tried the
* shortest domain name
* \li 4) the number of labels in the domain name is less than
- * min_lables for dns_dlzfindzone
+ * min_labels for dns_dlzfindzone
*
* The driver's find zone method should return ISC_R_SUCCESS and a
* database pointer to the name server if the zone is supported by the
@@ -202,7 +202,7 @@ dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
/*%<
* This method is called when the DNS server is performing a zone
- * transfer query. It will call the DLZ driver's allow zone tranfer
+ * transfer query. It will call the DLZ driver's allow zone transfer
* method.
*/
@@ -223,7 +223,7 @@ void
dns_dlzdestroy(dns_dlzdb_t **dbp);
/*%<
- * This method is called when the DNS server is shuting down and no
+ * This method is called when the DNS server is shutting down and no
* longer needs the driver. If the DLZ driver supplies a destroy
* methods, this function will call it.
*/
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 2804e03fdd96..f8a59d05f87f 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.26.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: dnssec.h,v 1.32 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
-/*! \file */
+/*! \file dns/dnssec.h */
#include <isc/lang.h>
#include <isc/stdtime.h>
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 5e4cc40473a4..b59fb8390258 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds.h,v 1.3.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.h,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_DS_H
#define DNS_DS_H 1
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index d1ebef3cc9e3..bb61b9d40a01 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,14 +15,14 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.42.18.3 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: events.h,v 1.49.332.2 2009/05/07 23:47:12 tbox Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
#include <isc/eventclass.h>
-/*! \file
+/*! \file dns/events.h
* \brief
* Registry of DNS event numbers.
*/
@@ -68,6 +68,7 @@
#define DNS_EVENT_ACACHECONTROL (ISC_EVENTCLASS_DNS + 38)
#define DNS_EVENT_ACACHECLEAN (ISC_EVENTCLASS_DNS + 39)
#define DNS_EVENT_ACACHEOVERMEM (ISC_EVENTCLASS_DNS + 40)
+#define DNS_EVENT_RBTPRUNE (ISC_EVENTCLASS_DNS + 41)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
index 8380de604125..5a2aaf333e48 100644
--- a/lib/dns/include/dns/fixedname.h
+++ b/lib/dns/include/dns/fixedname.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fixedname.h,v 1.13.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: fixedname.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_FIXEDNAME_H
#define DNS_FIXEDNAME_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/fixedname.h
* \brief
* Fixed-size Names
*
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index ddf6d7fc7e7c..512c5e3c6ed2 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: forward.h,v 1.3.18.3 2005/04/27 05:01:33 sra Exp $ */
+/* $Id: forward.h,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_FORWARD_H
#define DNS_FORWARD_H 1
-/*! \file */
+/*! \file dns/forward.h */
#include <isc/lang.h>
#include <isc/result.h>
diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h
new file mode 100644
index 000000000000..d7eb140dc057
--- /dev/null
+++ b/lib/dns/include/dns/iptable.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iptable.h,v 1.4 2007/09/14 01:46:05 marka Exp $ */
+
+#ifndef DNS_IPTABLE_H
+#define DNS_IPTABLE_H 1
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/radix.h>
+
+struct dns_iptable {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_refcount_t refcount;
+ isc_radix_tree_t *radix;
+ ISC_LINK(dns_iptable_t) nextincache;
+};
+
+#define DNS_IPTABLE_MAGIC ISC_MAGIC('T','a','b','l')
+#define DNS_IPTABLE_VALID(a) ISC_MAGIC_VALID(a, DNS_IPTABLE_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target);
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
+ isc_uint16_t bitlen, isc_boolean_t pos);
+/*
+ * Add an IP prefix to an existing IP table
+ */
+
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos);
+/*
+ * Merge one IP table into another one.
+ */
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target);
+
+void
+dns_iptable_detach(dns_iptable_t **tabp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_IPTABLE_H */
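Review bot: The new header is not self-contained: it uses `isc_mem_t`, `isc_refcount_t`, `isc_netaddr_t`, `isc_uint16_t`, `isc_boolean_t` and `dns_iptable_t` but includes only isc/lang.h, isc/magic.h and isc/radix.h, so it compiles only if isc/radix.h (not visible here) pulls the rest in transitively. Every other dns header in this import includes `<dns/types.h>` for its own typedefs; add `#include <dns/types.h>`, `#include <isc/refcount.h>` and `#include <isc/netaddr.h>` (and `<isc/types.h>` for the integer and boolean types) so the header stands on its own. The function comments also lack the Requires/Returns/ownership detail the rest of lib/dns puts in `/*%<` blocks: `pos` on dns_iptable_addprefix and dns_iptable_merge is undocumented (presumably positive versus negative match — confirm), nothing says whether addprefix validates `bitlen` against the address family, and dns_iptable_attach/dns_iptable_detach have no comment at all. Since this table is presumably what address-based ACL matching consults, the match semantics belong in the header rather than only in the implementation.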
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index b776a30a58f9..3917d8db9a0a 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.h,v 1.25.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: journal.h,v 1.33.120.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_JOURNAL_H
#define DNS_JOURNAL_H 1
@@ -24,9 +24,9 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/journal.h
* \brief
- * Database journalling.
+ * Database journaling.
*/
/***
@@ -42,6 +42,11 @@
#include <dns/types.h>
/***
+ *** Defines.
+ ***/
+#define DNS_JOURNALOPT_RESIGN 0x00000001
+
+/***
*** Types
***/
@@ -188,7 +193,7 @@ dns_journal_iter_init(dns_journal_t *j,
* Returns:
*\li ISC_R_SUCCESS
*\li ISC_R_RANGE begin_serial is outside the addressable range.
- *\li ISC_R_NOTFOUND begin_serial is within the range of adressable
+ *\li ISC_R_NOTFOUND begin_serial is within the range of addressable
* serial numbers covered by the journal, but
* this particular serial number does not exist.
*/
@@ -225,17 +230,18 @@ dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
*/
isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
+ const char *filename);
/*%<
* Roll forward (play back) the journal file "filename" into the
* database "db". This should be called when the server starts
* after a shutdown or crash.
*
* Requires:
- *\li 'mctx' is a valid memory context.
+ *\li 'mctx' is a valid memory context.
*\li 'db' is a valid database which does not have a version
* open for writing.
- * \li 'filename' is the name of the journal file belonging to 'db'.
+ *\li 'filename' is the name of the journal file belonging to 'db'.
*
* Returns:
*\li DNS_R_NOJOURNAL when journal does not exist.
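Review bot: dns_journal_rollforward gains an `options` parameter, but the Requires list in the same block still documents only 'mctx', 'db' and 'filename'; add a line such as `*\li 'options' is zero or a bitwise OR of DNS_JOURNALOPT_* flags (currently only DNS_JOURNALOPT_RESIGN).` The change also alters the existing signature instead of adding a suffixed variant as master.h does with dns_master_loadfile3, so any external caller of the old three-argument form fails to compile; if that is acceptable for this API a sentence saying so would help. The Returns list continues past the end of the hunk.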
@@ -264,7 +270,7 @@ dns_db_diff(isc_mem_t *mctx,
isc_result_t
dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
- isc_uint32_t target_size);
+ isc_uint32_t target_size);
/*%<
* Attempt to compact the journal if it is greater that 'target_size'.
* Changes from 'serial' onwards will be preserved. If the journal
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
index 665b517c736d..74a1740bd1d7 100644
--- a/lib/dns/include/dns/keyflags.h
+++ b/lib/dns/include/dns/keyflags.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyflags.h,v 1.10.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: keyflags.h,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_KEYFLAGS_H
#define DNS_KEYFLAGS_H 1
-/*! \file */
+/*! \file dns/keyflags.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index b8bfcc148eaa..553aa990b6d7 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
+/* $Id: keytable.h,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index df17aceb28da..704038940366 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyvalues.h,v 1.15.18.2 2005/04/29 00:16:14 marka Exp $ */
+/* $Id: keyvalues.h,v 1.23 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
-/*! \file */
+/*! \file dns/keyvalues.h */
/*
* Flags field of the KEY RR rdata
@@ -64,9 +64,11 @@
#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5
#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
-#define DNS_KEYALG_DSS NS_ALG_DSA
+#define DNS_KEYALG_NSEC3DSA 6
+#define DNS_KEYALG_DSS DNS_ALG_DSA
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
+#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
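Review bot: `DNS_KEYALG_DSS` is now defined as `DNS_ALG_DSA`, a name that is not defined in this header; the sibling alias `DNS_KEYALG_RSA` expands to `DNS_KEYALG_RSAMD5`, so the intended value is very likely `DNS_KEYALG_DSA`: `#define DNS_KEYALG_DSS DNS_KEYALG_DSA`. Because a macro is only expanded on use, this only fails when a translation unit actually references DNS_KEYALG_DSS, which is presumably why the old `NS_ALG_DSA` spelling survived; if DNS_ALG_DSA is defined elsewhere in the tree, disregard this. Separately, the new NSEC3DSA (6) entry sits between DSA (3) and ECC (4); keeping the algorithm numbers in ascending order makes the table easier to check against the IANA registry.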
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index d59dde3a447d..fd3325b94042 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.h,v 1.8.18.4 2005/09/20 04:33:48 marka Exp $ */
+/* $Id: lib.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_LIB_H
#define DNS_LIB_H 1
-/*! \file */
+/*! \file dns/lib.h */
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 7bee1745a642..b7aed42ca8af 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.33.18.4 2005/09/05 00:18:27 marka Exp $ */
+/* $Id: log.h,v 1.42.332.2 2009/01/18 23:47:41 tbox Exp $ */
-/*! \file
+/*! \file dns/log.h
* \author Principal Authors: DCL */
#ifndef DNS_LOG_H
@@ -41,6 +41,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
+#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
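Review bot: `DNS_LOGCATEGORY_EDNS_DISABLED` indexes `dns_categories[11]`, an array defined outside this view; the define is only valid if a matching entry was appended there at the same position, and nothing here ties the two together. A comment on this group of defines, `/* Indices must match the order of the dns_categories[] definition. */`, makes the hand-maintained coupling visible to the next person adding a category.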
@@ -87,7 +88,7 @@ dns_log_init(isc_log_t *lctx);
*\li dns_log_init() is called only once.
*
* Ensures:
- * \li The catgories and modules defined above are available for
+ * \li The categories and modules defined above are available for
* use by isc_log_usechannnel() and isc_log_write().
*/
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
index aea6f844e1be..0e9a327c182a 100644
--- a/lib/dns/include/dns/lookup.h
+++ b/lib/dns/include/dns/lookup.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lookup.h,v 1.6.18.2 2005/04/29 00:16:15 marka Exp $ */
+/* $Id: lookup.h,v 1.12.332.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_LOOKUP_H
#define DNS_LOOKUP_H 1
@@ -24,11 +24,11 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/lookup.h
* \brief
* The lookup module performs simple DNS lookups. It implements
- * the full resolver algorithm, both looking for local data and
- * resoving external names as necessary.
+ * the full resolver algorithm, both looking for local data and
+ * resolving external names as necessary.
*
* MP:
*\li The module ensures appropriate synchronization of data structures it
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
index 1f94c8c48739..93a782d82c1a 100644
--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: master.h,v 1.38.18.6 2005/06/20 01:19:43 marka Exp $ */
+/* $Id: master.h,v 1.51 2008/04/02 02:37:42 marka Exp $ */
#ifndef DNS_MASTER_H
#define DNS_MASTER_H 1
-/*! \file */
+/*! \file dns/master.h */
/***
*** Imports
@@ -42,7 +42,7 @@
#define DNS_MASTER_HINT 0x00000010 /*%< Loading a hint master file. */
#define DNS_MASTER_SLAVE 0x00000020 /*%< Loading a slave master file. */
#define DNS_MASTER_CHECKNS 0x00000040 /*%<
- * Check NS records to see
+ * Check NS records to see
* if they are an address
*/
#define DNS_MASTER_FATALNS 0x00000080 /*%<
@@ -55,6 +55,8 @@
#define DNS_MASTER_CHECKMX 0x00000800
#define DNS_MASTER_CHECKMXFAIL 0x00001000
+#define DNS_MASTER_RESIGN 0x00002000
+
ISC_LANG_BEGINDECLS
/*
@@ -113,6 +115,17 @@ dns_master_loadfile2(const char *master_file,
dns_masterformat_t format);
isc_result_t
+dns_master_loadfile3(const char *master_file,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ isc_uint32_t resign,
+ dns_rdatacallbacks_t *callbacks,
+ isc_mem_t *mctx,
+ dns_masterformat_t format);
+
+isc_result_t
dns_master_loadstream(FILE *stream,
dns_name_t *top,
dns_name_t *origin,
@@ -163,6 +176,19 @@ dns_master_loadfileinc2(const char *master_file,
dns_masterformat_t format);
isc_result_t
+dns_master_loadfileinc3(const char *master_file,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ isc_uint32_t resign,
+ dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **ctxp, isc_mem_t *mctx,
+ dns_masterformat_t format);
+
+isc_result_t
dns_master_loadstreaminc(FILE *stream,
dns_name_t *top,
dns_name_t *origin,
@@ -212,6 +238,9 @@ dns_master_loadlexerinc(isc_lex_t *lex,
* is completed or has failed. If the initial setup fails 'done' is
* not called.
*
+ * 'resign' the number of seconds before a RRSIG expires that it should
+ * be re-signed. 0 is used if not provided.
+ *
* Requires:
*\li 'master_file' points to a valid string.
*\li 'lexer' points to a valid lexer.
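Review bot: The new paragraph `'resign' the number of seconds before a RRSIG expires that it should be re-signed. 0 is used if not provided.` is a sentence fragment, and "if not provided" is ambiguous in a shared comment block that covers several entry points. Suggest `'resign' is the number of seconds before a RRSIG expires at which it should be re-signed; the entry points without a 'resign' argument behave as if 0 were passed.` — assuming that is what the non-3 variants do, which this hunk does not show.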
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 8cf5c132c6e3..42521b33596e 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.h,v 1.31.14.4 2005/09/01 03:04:28 marka Exp $ */
+/* $Id: masterdump.h,v 1.42 2008/09/24 02:46:23 marka Exp $ */
#ifndef DNS_MASTERDUMP_H
#define DNS_MASTERDUMP_H 1
-/*! \file */
+/*! \file dns/masterdump.h */
/***
*** Imports
@@ -91,11 +91,14 @@ typedef struct dns_master_style dns_master_style_t;
/*% Print negative caching entries. */
#define DNS_STYLEFLAG_NCACHE 0x00800000U
-/*% Never print the TTL */
+/*% Never print the TTL. */
#define DNS_STYLEFLAG_NO_TTL 0x01000000U
-
-/*% Never print the CLASS */
-#define DNS_STYLEFLAG_NO_CLASS 0x02000000U
+
+/*% Never print the CLASS. */
+#define DNS_STYLEFLAG_NO_CLASS 0x02000000U
+
+/*% Report re-signing time. */
+#define DNS_STYLEFLAG_RESIGN 0x04000000U
ISC_LANG_BEGINDECLS
@@ -119,8 +122,8 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
/*%
- * A master file style that prints explicit TTL values on each
- * record line, never using $TTL statements. The TTL has a tab
+ * A master file style that prints explicit TTL values on each
+ * record line, never using $TTL statements. The TTL has a tab
* stop of its own, but the class and type share one.
*/
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
@@ -133,9 +136,9 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
/*%
- * A master style that prints name, ttl, class, type, and value on
- * every line. Similar to explicitttl above, but more verbose.
- * Intended for generating master files which can be easily parsed
+ * A master style that prints name, ttl, class, type, and value on
+ * every line. Similar to explicitttl above, but more verbose.
+ * Intended for generating master files which can be easily parsed
* by perl scripts and similar applications.
*/
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
@@ -231,7 +234,7 @@ dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
*\li 'task' to be valid.
*\li 'done' to be non NULL.
*\li 'dctxp' to be non NULL && '*dctxp' to be NULL.
- *
+ *
* Returns:
*\li ISC_R_SUCCESS
*\li ISC_R_CONTINUE dns_master_dumptostreaminc() only.
@@ -329,6 +332,9 @@ dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
void
dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
+const char *
+dns_trust_totext(dns_trust_t trust);
+
ISC_LANG_ENDDECLS
#endif /* DNS_MASTERDUMP_H */
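Review bot: `dns_trust_totext` is added without a doc comment, while every other prototype in this header carries a `/*%<` block; the declaration alone does not say what the returned pointer is (a static string the caller must not free?) or what happens for a `trust` value outside the known range. Once the implementation confirms the behaviour, a block like `/*%< Return a textual name for 'trust'. The string is statically allocated and must not be freed by the caller. */` after the prototype would bring it in line with the rest of the file.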
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 9002b83f710b..f880095c9dc1 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.h,v 1.114.18.6 2006/03/02 23:19:20 marka Exp $ */
+/* $Id: message.h,v 1.125.118.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_MESSAGE_H
#define DNS_MESSAGE_H 1
@@ -33,7 +33,7 @@
#include <dst/dst.h>
-/*! \file
+/*! \file dns/message.h
* \brief Message Handling Module
*
* How this beast works:
@@ -101,8 +101,12 @@
#define DNS_MESSAGEFLAG_AD 0x0020U
#define DNS_MESSAGEFLAG_CD 0x0010U
+/*%< EDNS0 extended message flags */
#define DNS_MESSAGEEXTFLAG_DO 0x8000U
+/*%< EDNS0 extended OPT codes */
+#define DNS_OPT_NSID 0x0003 /*%< NSID opt code */
+
#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
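Review bot: The two new comments `/*%< EDNS0 extended message flags */` and `/*%< EDNS0 extended OPT codes */` are placed before the defines they describe, but the Doxygen `%<` marker attaches a comment to the preceding item, so the first would document DNS_MESSAGEFLAG_CD and the second DNS_MESSAGEEXTFLAG_DO. Use the forward form `/*% EDNS0 extended message flags */` and `/*% EDNS0 extended OPT codes */`, as masterdump.h does in this same import with `/*% Never print the TTL. */`. The trailing `/*%< NSID opt code */` on DNS_OPT_NSID is correct as written.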
@@ -157,7 +161,7 @@ typedef int dns_messagetextflag_t;
occurs */
#define DNS_MESSAGEPARSE_CLONEBUFFER 0x0004 /*%< save a copy of the
source buffer */
-#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< trucation errors are
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< truncation errors are
* not fatal. */
/*
@@ -771,7 +775,7 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
void
dns_message_removename(dns_message_t *msg, dns_name_t *name,
- dns_section_t section);
+ dns_section_t section);
/*%<
* Remove a existing name from a given section.
*
@@ -1031,7 +1035,7 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
*\li The OPT record has either been freed or ownership of it has
* been transferred to the message.
*
- *\li If ISC_R_SUCCESS was returned, the OPT record will be rendered
+ *\li If ISC_R_SUCCESS was returned, the OPT record will be rendered
* when dns_message_renderend() is called.
*
* Returns:
@@ -1195,7 +1199,7 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
*\li msg be a valid message.
*
*\li buffer != NULL && *buffer is a valid isc_buffer_t, which was
- * dynamincally allocated via isc_buffer_allocate().
+ * dynamically allocated via isc_buffer_allocate().
*/
isc_result_t
@@ -1315,7 +1319,7 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
*\li order_arg is NULL if and only if order is NULL.
*/
-void
+void
dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
/*%<
* Adjust the time used to sign/verify a message by timeadjust.
@@ -1325,7 +1329,7 @@ dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
*\li msg be a valid message.
*/
-int
+int
dns_message_gettimeadjust(dns_message_t *msg);
/*%<
* Return the current time adjustment.
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 038ae05e6ab5..0149301dcfbd 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.h,v 1.107.18.15 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: name.h,v 1.126.332.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/name.h
* \brief
* Provides facilities for manipulating DNS names and labels, including
* conversions to and from wire format and text format.
@@ -131,6 +131,7 @@ struct dns_name {
#define DNS_NAMEATTR_READONLY 0x0002
#define DNS_NAMEATTR_DYNAMIC 0x0004
#define DNS_NAMEATTR_DYNOFFSETS 0x0008
+#define DNS_NAMEATTR_NOCOMPRESS 0x0010
/*
* Attributes below 0x0100 reserved for name.c usage.
*/
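Review bot: The new `DNS_NAMEATTR_NOCOMPRESS` attribute is added without any comment saying what it means or who may set it, and the line immediately below states that attributes below 0x0100 are reserved for name.c usage, which a value of 0x0010 falls under. If the intent is that callers outside name.c set this flag to make `dns_name_towire()` emit the name without compression pointers, that is worth stating explicitly, e.g. `#define DNS_NAMEATTR_NOCOMPRESS 0x0010 /*%< never compress this name on the wire */`, and the reservation comment should be adjusted to exclude it. I am inferring the semantics from the name; please confirm against the implementation before adopting the wording.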
@@ -242,7 +243,7 @@ dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
*
* Notes:
* \li Specification of a target buffer in dns_name_fromwire(),
- * dns_name_fromtext(), and dns_name_concatentate() is optional if
+ * dns_name_fromtext(), and dns_name_concatenate() is optional if
* 'name' has a dedicated buffer.
*
* \li The caller must not write to buffer until the name has been
@@ -721,7 +722,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
isc_result_t
dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
- isc_buffer_t *target);
+ isc_buffer_t *target);
/*%<
* Convert 'name' into wire format, compressing it as specified by the
* compression context 'cctx', and storing the result in 'target'.
@@ -840,7 +841,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
* name as generated by dns_name_totext(). This does not
* include space for a terminating NULL.
*
- * This definition is conservative - the actual maximum
+ * This definition is conservative - the actual maximum
* is 1004, derived as follows:
*
* A backslash-decimal escaped character takes 4 bytes.
@@ -952,7 +953,7 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
*
* Notes:
* \li 'name' is split such that 'suffix' holds the most significant
- * 'suffixlabels' labels. All other labels are stored in 'prefix'.
+ * 'suffixlabels' labels. All other labels are stored in 'prefix'.
*
*\li Copying name data is avoided as much as possible, so 'prefix'
* and 'suffix' will end up pointing at the data for 'name'.
@@ -1082,7 +1083,7 @@ dns_name_dynamic(dns_name_t *name);
*
* Returns:
*
- *\li 'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
+ *\li 'ISC_TRUE' if the name is dynamic otherwise 'ISC_FALSE'.
*/
isc_result_t
@@ -1185,7 +1186,7 @@ dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
* Requires:
* 'name' to be valid.
*/
-
+
isc_boolean_t
dns_name_ismailbox(const dns_name_t *name);
@@ -1220,7 +1221,7 @@ dns_name_destroy(void);
ISC_LANG_ENDDECLS
/*
- *** High Peformance Macros
+ *** High Performance Macros
***/
/*
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 459effb909d7..a818fe63cce5 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.h,v 1.17.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/ncache.h
*\brief
* DNS Ncache
*
@@ -63,6 +63,11 @@ isc_result_t
dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
dns_rdataset_t *addedrdataset);
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+ dns_dbnode_t *node, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_boolean_t optout, dns_rdataset_t *addedrdataset);
/*%<
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node' with a TTL limited to
@@ -71,6 +76,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
* The 'covers' argument is the RR type whose nonexistence we are caching,
* or dns_rdatatype_any when caching a NXDOMAIN response.
*
+ * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ *
* Note:
*\li If 'addedrdataset' is not NULL, then it will be attached to the added
* rdataset. See dns_db_addrdataset() for more details.
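Review bot: The added comment refers to `DNS_RATASETATTR_OPTOUT`, which looks like a typo for the `DNS_RDATASETATTR_` attribute family; as written the identifier will not resolve for anyone grepping the headers. I would change the line to `* 'optout' indicates DNS_RDATASETATTR_OPTOUT should be set on the added rdataset.` The shared description block now documents two functions (`dns_ncache_add()` and `dns_ncache_addoptout()`), so it would help to say in one sentence that `dns_ncache_add()` is equivalent to the new function with 'optout' false, if that is indeed the relationship; the implementation is outside this hunk so I cannot confirm it.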
@@ -154,6 +161,19 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
*
*/
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+ dns_rdataset_t *rdataset);
+
+/*%<
+ * Extract the current rdataset and name from a ncache entry.
+ *
+ * Requires:
+ * \li 'ncacherdataset' to be valid and to be a negative cache entry
+ * \li 'found' to be valid.
+ * \li 'rdataset' to be unassociated.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
index 46b75fa51155..335a46346787 100644
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec.h,v 1.4.20.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: nsec.h,v 1.12 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_NSEC_H
#define DNS_NSEC_H 1
-/*! \file */
+/*! \file dns/nsec.h */
#include <isc/lang.h>
@@ -64,6 +64,17 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
*\li 'nsec' points to a valid rdataset of type NSEC
*/
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
+ isc_boolean_t *answer);
+/*
+ * Report whether the DNSKEY RRset has a NSEC only algorithm. Unknown
+ * algorithms are assumed to support NSEC3.
+ *
+ * Requires:
+ * 'answer' to be non NULL.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_NSEC_H */
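Review bot: The documentation block for `dns_nsec_nseconly()` is opened with a plain `/*` whereas the rest of this header's function comments use the Doxygen `/*%<` trailing-doc marker, so this one will not be picked up as the description of the declaration above it. The "Requires" list also omits 'db' and 'version', and the return contract (what `*answer` holds when the DNSKEY RRset cannot be read) is not stated. I would open the comment with `/*%<` and extend Requires to `'db' to be valid.`, `'version' to be valid or NULL.` alongside the existing 'answer' line, matching the form used by the nsec3.h declarations in this same import.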
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
new file mode 100644
index 000000000000..2d6a8dde8a72
--- /dev/null
+++ b/lib/dns/include/dns/nsec3.h
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3.h,v 1.5.48.2 2009/01/18 23:47:41 tbox Exp $ */
+
+#ifndef DNS_NSEC3_H
+#define DNS_NSEC3_H 1
+
+#include <isc/lang.h>
+#include <isc/iterated_hash.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+/*
+ * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
+ * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
+ */
+#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
+/*
+ * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
+ */
+#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
+
+/*
+ * Test "unknown" algorithm. Is mapped to dns_hash_sha1.
+ */
+#define DNS_NSEC3_UNKNOWNALG 245U
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+ dns_dbnode_t *node, unsigned int hashalg,
+ unsigned int optin, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length,
+ const unsigned char *nexthash, size_t hash_length,
+ unsigned char *buffer, dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC3 record for the data at 'node'.
+ * Note: 'node' is not the node where the NSEC3 record will be stored.
+ *
+ * Requires:
+ * buffer Points to a temporary buffer of at least
+ * DNS_NSEC_BUFFERSIZE bytes.
+ * rdata Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ * *rdata Contains a valid NSEC3 rdata. The 'data' member refers
+ * to 'buffer'.
+ */
+
+isc_boolean_t
+dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC3 record.
+ *
+ * Requires:
+ * 'nsec' points to a valid rdataset of type NSEC3
+ */
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+ unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+ size_t *hash_length, dns_name_t *name, dns_name_t *origin,
+ dns_hash_t hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t saltlength);
+/*%<
+ * Make a hashed domain name from an unhashed one. If rethash is not NULL
+ * the raw hash is stored there.
+ */
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash);
+/*%<
+ * Return the length of the hash produced by the specified algorithm
+ * or zero when unknown.
+ */
+
+isc_boolean_t
+dns_nsec3_supportedhash(dns_hash_t hash);
+/*%<
+ * Return whether we support this hash algorithm or not.
+ */
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+ dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
+ dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+ dns_name_t *name, dns_ttl_t nsecttl,
+ isc_boolean_t unsecure, dns_diff_t *diff);
+/*%<
+ * Add NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the addition.
+ * The existing NSEC3 records are removed.
+ *
+ * dns_nsec3_addnsec3() will only add records to the chain identified by
+ * 'nsec3param'.
+ *
+ * 'unsecure' should be set to reflect if this is a potentially
+ * unsecure delegation (no DS record).
+ *
+ * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
+ * chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
+ * will be preferentially chosen over NSEC3PARAM records without
+ * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
+ * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE
+ * is set then the new NSEC3 will have OPTOUT set to match the that in the
+ * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
+ * record in the chain.
+ *
+ * Requires:
+ * 'db' to be valid.
+ * 'version' to be valid or NULL.
+ * 'name' to be valid.
+ * 'nsec3param' to be valid.
+ * 'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+ const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+ dns_diff_t *diff);
+/*%<
+ * Remove NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the removal.
+ *
+ * dns_nsec3_delnsec3() performs the above for the chain identified by
+ * 'nsec3param'.
+ *
+ * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
+ * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
+ * records have the OPTOUT flag preserved.
+ *
+ * Requires:
+ * 'db' to be valid.
+ * 'version' to be valid or NULL.
+ * 'name' to be valid.
+ * 'nsec3param' to be valid.
+ * 'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
+ isc_boolean_t complete, isc_boolean_t *answer);
+/*%<
+ * Check if there are any complete/to be built NSEC3 chains.
+ * If 'complete' is ISC_TRUE only complete chains will be recognized.
+ *
+ * Requires:
+ * 'db' to be valid.
+ * 'version' to be valid or NULL.
+ * 'answer' to be non NULL.
+ */
+
+isc_result_t
+dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+ isc_mem_t *mctx, unsigned int *iterationsp);
+/*%<
+ * Find the maximum permissible number of iterations allowed based on
+ * the key strength.
+ *
+ * Requires:
+ * 'db' to be valid.
+ * 'version' to be valid or NULL.
+ * 'mctx' to be valid.
+ * 'iterationsp' to be non NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC3_H */
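Review bot: The "Requires" text for `dns_nsec3_buildrdata()` says the buffer must hold at least `DNS_NSEC_BUFFERSIZE` bytes, but the constant this file defines and that the function's NSEC3 bitmap arithmetic is sized for is `DNS_NSEC3_BUFFERSIZE`; a caller who follows the comment literally may size the buffer for NSEC rather than NSEC3 data, so the line should read `* buffer Points to a temporary buffer of at least DNS_NSEC3_BUFFERSIZE bytes.` The shared Requires lists for the addnsec3/addnsec3s and delnsec3/delnsec3s pairs both demand `'nsec3param' to be valid`, yet only the non-plural variants take that parameter, so the lists should say it applies to those two only. `dns_nsec3_buildrdata()` names its flag parameter `optin` while every other comment in this header (and the NSEC3PARAM semantics it describes) speaks of OPTOUT, which invites callers to pass the inverted sense; renaming the parameter to `optout` or documenting the polarity would remove the ambiguity. Finally, `DNS_NSEC3_UNKNOWNALG` is described as a test algorithm mapped to SHA-1; it would be worth stating whether `dns_nsec3_supportedhash()` accepts it in non-test builds, since that decides whether zone data using algorithm 245 is treated as valid.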
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
index 4796dba4da43..368b2b2c24dc 100644
--- a/lib/dns/include/dns/opcode.h
+++ b/lib/dns/include/dns/opcode.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: opcode.h,v 1.2.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: opcode.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_OPCODE_H
#define DNS_OPCODE_H 1
-/*! \file */
+/*! \file dns/opcode.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
index 6458db0984b2..85663c37cbb1 100644
--- a/lib/dns/include/dns/order.h
+++ b/lib/dns/include/dns/order.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: order.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: order.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_ORDER_H
#define DNS_ORDER_H 1
-/*! \file */
+/*! \file dns/order.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index be5a8c3a2230..9e7a188613d3 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: peer.h,v 1.20.18.8 2006/02/28 03:10:48 marka Exp $ */
+/* $Id: peer.h,v 1.33.118.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_PEER_H
#define DNS_PEER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/peer.h
* \brief
* Data structures for peers (e.g. a 'server' config file statement)
*/
@@ -73,11 +73,12 @@ struct dns_peer {
isc_boolean_t provide_ixfr;
isc_boolean_t request_ixfr;
isc_boolean_t support_edns;
+ isc_boolean_t request_nsid;
dns_name_t *key;
isc_sockaddr_t *transfer_source;
- isc_sockaddr_t *notify_source;
- isc_sockaddr_t *query_source;
- isc_uint16_t udpsize; /* recieve size */
+ isc_sockaddr_t *notify_source;
+ isc_sockaddr_t *query_source;
+ isc_uint16_t udpsize; /* receive size */
isc_uint16_t maxudp; /* transmit size */
isc_uint32_t bitflags;
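Review bot: `request_nsid` is inserted in the middle of `struct dns_peer`, which is laid out in a public header, so every field after it shifts and any consumer compiled against the previous layout will read `key`, `transfer_source` and the rest at the wrong offsets; the library's version/API file for this release should reflect the incompatible change. The new member also gets no comment, unlike `udpsize` and `maxudp` on the lines below; `isc_boolean_t request_nsid; /* send EDNS NSID option in queries */` would match the surrounding style. If `bitflags` is used by the setters to record which fields have been explicitly configured, the matching bit for the new field needs to be allocated as well; that code is outside this hunk so I am inferring the pattern.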
@@ -150,6 +151,12 @@ isc_result_t
dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval);
isc_result_t
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
index 2d400d467951..f76731aa7672 100644
--- a/lib/dns/include/dns/portlist.h
+++ b/lib/dns/include/dns/portlist.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: portlist.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: portlist.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
-/*! \file */
+/*! \file dns/portlist.h */
#include <isc/lang.h>
#include <isc/net.h>
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index a1edf0c7912d..6eea787af888 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbt.h,v 1.59.18.5 2005/10/13 01:26:07 marka Exp $ */
+/* $Id: rbt.h,v 1.71.48.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_RBT_H
#define DNS_RBT_H 1
-/*! \file */
+/*! \file dns/rbt.h */
#include <isc/lang.h>
#include <isc/magic.h>
@@ -37,10 +37,10 @@ ISC_LANG_BEGINDECLS
* Option values for dns_rbt_findnode() and dns_rbt_findname().
* These are used to form a bitmask.
*/
-#define DNS_RBTFIND_NOOPTIONS 0x00
-#define DNS_RBTFIND_EMPTYDATA 0x01
-#define DNS_RBTFIND_NOEXACT 0x02
-#define DNS_RBTFIND_NOPREDECESSOR 0x04
+#define DNS_RBTFIND_NOOPTIONS 0x00
+#define DNS_RBTFIND_EMPTYDATA 0x01
+#define DNS_RBTFIND_NOEXACT 0x02
+#define DNS_RBTFIND_NOPREDECESSOR 0x04
/*@}*/
#ifndef DNS_RBT_USEISCREFCOUNT
@@ -52,14 +52,14 @@ ISC_LANG_BEGINDECLS
/*
* These should add up to 30.
*/
-#define DNS_RBT_LOCKLENGTH 10
-#define DNS_RBT_REFLENGTH 20
+#define DNS_RBT_LOCKLENGTH 10
+#define DNS_RBT_REFLENGTH 20
-#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
+#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
#if DNS_RBT_USEMAGIC
-#define DNS_RBTNODE_VALID(n) ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#define DNS_RBTNODE_VALID(n) ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
#else
-#define DNS_RBTNODE_VALID(n) ISC_TRUE
+#define DNS_RBTNODE_VALID(n) ISC_TRUE
#endif
/*%
@@ -69,22 +69,31 @@ ISC_LANG_BEGINDECLS
* appended to this structure. Allocating a contiguous block of memory for
* multiple dns_rbtnode structures will not work.
*/
-typedef struct dns_rbtnode {
+typedef struct dns_rbtnode dns_rbtnode_t;
+struct dns_rbtnode {
#if DNS_RBT_USEMAGIC
unsigned int magic;
#endif
- struct dns_rbtnode *parent;
- struct dns_rbtnode *left;
- struct dns_rbtnode *right;
- struct dns_rbtnode *down;
+ dns_rbtnode_t *parent;
+ dns_rbtnode_t *left;
+ dns_rbtnode_t *right;
+ dns_rbtnode_t *down;
#ifdef DNS_RBT_USEHASH
- struct dns_rbtnode *hashnext;
+ dns_rbtnode_t *hashnext;
#endif
+
+ /*%
+ * Used for LRU cache. This linked list is used to mark nodes which
+ * have no data any longer, but we cannot unlink at that exact moment
+ * because we did not or could not obtain a write lock on the tree.
+ */
+ ISC_LINK(dns_rbtnode_t) deadlink;
+
/*@{*/
/*!
* The following bitfields add up to a total bitwidth of 32.
* The range of values necessary for each item is indicated,
- * but in the case of "attributes" the field is wider to accomodate
+ * but in the case of "attributes" the field is wider to accommodate
* possible future expansion. "offsetlen" could be one bit
* narrower by always adjusting its value by 1 to find the real
* offsetlen, but doing so does not gain anything (except perhaps
@@ -93,13 +102,14 @@ typedef struct dns_rbtnode {
* In each case below the "range" indicated is what's _necessary_ for
* the bitfield to hold, not what it actually _can_ hold.
*/
- unsigned int is_root : 1; /*%< range is 0..1 */
- unsigned int color : 1; /*%< range is 0..1 */
- unsigned int find_callback : 1; /*%< range is 0..1 */
- unsigned int attributes : 4; /*%< range is 0..2 */
- unsigned int namelen : 8; /*%< range is 1..255 */
- unsigned int offsetlen : 8; /*%< range is 1..128 */
- unsigned int padbytes : 9; /*%< range is 0..380 */
+ unsigned int is_root : 1; /*%< range is 0..1 */
+ unsigned int color : 1; /*%< range is 0..1 */
+ unsigned int find_callback : 1; /*%< range is 0..1 */
+ unsigned int attributes : 3; /*%< range is 0..2 */
+ unsigned int nsec3 : 1; /*%< range is 0..1 */
+ unsigned int namelen : 8; /*%< range is 1..255 */
+ unsigned int offsetlen : 8; /*%< range is 1..128 */
+ unsigned int padbytes : 9; /*%< range is 0..380 */
/*@}*/
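Review bot: The `attributes` bitfield is narrowed from 4 bits to 3 to make room for the new `nsec3` bit, keeping the 32-bit total the comment above this group promises. The range note still says `0..2`, which fits, but nothing records that values of 8 and above are now silently truncated on store, so any future attribute bit 0x08 would disappear without a compiler diagnostic; I would extend the comment to `unsigned int attributes : 3; /*%< range is 0..2; max value 7, see nsec3 bit below */`. The new `nsec3` field likewise deserves a word on what it marks (presumably that the node lives in the NSEC3 tree rather than the main tree, but that is an inference from the name and should be confirmed against rbt.c).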
#ifdef DNS_RBT_USEHASH
@@ -121,14 +131,14 @@ typedef struct dns_rbtnode {
isc_refcount_t references; /* note that this is not in the bitfield */
#endif
/*@}*/
-} dns_rbtnode_t;
+};
typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
dns_name_t *name,
void *callback_arg);
/*****
- ***** Chain Info
+ ***** Chain Info
*****/
/*!
@@ -145,7 +155,7 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
* tree when a node is added). The obvious implication of this is that for a
* chain to remain valid, the tree has to be locked down against writes for the
* duration of the useful life of the chain, because additions or removals can
- * change the path from the root to the node the chain has targetted.
+ * change the path from the root to the node the chain has targeted.
*
* The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
* dns_name_t parameters for the name and the origin, which can be NULL. If
@@ -182,15 +192,15 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
#define DNS_RBT_LEVELBLOCK 254
typedef struct dns_rbtnodechain {
- unsigned int magic;
- isc_mem_t * mctx;
+ unsigned int magic;
+ isc_mem_t * mctx;
/*%
* The terminal node of the chain. It is not in levels[].
* This is ostensibly private ... but in a pinch it could be
* used tell that the chain points nowhere without needing to
* call dns_rbtnodechain_current().
*/
- dns_rbtnode_t * end;
+ dns_rbtnode_t * end;
/*%
* The maximum number of labels in a name is 128; bitstrings mean
* a conceptually very large number (which I have not bothered to
@@ -199,7 +209,7 @@ typedef struct dns_rbtnodechain {
* labels in a name to 255, meaning only 254 pointers are needed
* in the worst case.
*/
- dns_rbtnode_t * levels[DNS_RBT_LEVELBLOCK];
+ dns_rbtnode_t * levels[DNS_RBT_LEVELBLOCK];
/*%
* level_count indicates how deep the chain points into the
* tree of trees, and is the index into the levels[] array.
@@ -208,7 +218,7 @@ typedef struct dns_rbtnodechain {
* a level_count of 0, the first level has a level_count of 1, and
* so on.
*/
- unsigned int level_count;
+ unsigned int level_count;
/*%
* level_matches tells how many levels matched above the node
* returned by dns_rbt_findnode(). A match (partial or exact) found
@@ -216,7 +226,7 @@ typedef struct dns_rbtnodechain {
* This is used by the rbtdb to set the start point for a recursive
* search of superdomains until the RR it is looking for is found.
*/
- unsigned int level_matches;
+ unsigned int level_matches;
} dns_rbtnodechain_t;
/*****
@@ -229,27 +239,27 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
* Initialize a red-black tree of trees.
*
* Notes:
- *\li The deleter argument, if non-null, points to a function that is
- * responsible for cleaning up any memory associated with the data
- * pointer of a node when the node is deleted. It is passed the
- * deleted node's data pointer as its first argument and deleter_arg
- * as its second argument.
+ *\li The deleter argument, if non-null, points to a function that is
+ * responsible for cleaning up any memory associated with the data
+ * pointer of a node when the node is deleted. It is passed the
+ * deleted node's data pointer as its first argument and deleter_arg
+ * as its second argument.
*
* Requires:
- * \li mctx is a pointer to a valid memory context.
- *\li rbtp != NULL && *rbtp == NULL
- *\li arg == NULL iff deleter == NULL
+ * \li mctx is a pointer to a valid memory context.
+ *\li rbtp != NULL && *rbtp == NULL
+ *\li arg == NULL iff deleter == NULL
*
* Ensures:
- *\li If result is ISC_R_SUCCESS:
- * *rbtp points to a valid red-black tree manager
+ *\li If result is ISC_R_SUCCESS:
+ * *rbtp points to a valid red-black tree manager
*
- *\li If result is failure:
- * *rbtp does not point to a valid red-black tree manager.
+ *\li If result is failure:
+ * *rbtp does not point to a valid red-black tree manager.
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #ISC_R_NOMEMORY Resource limit: Out of Memory
+ *\li #ISC_R_SUCCESS Success
+ *\li #ISC_R_NOMEMORY Resource limit: Out of Memory
*/
isc_result_t
@@ -258,38 +268,38 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
* Add 'name' to the tree of trees, associated with 'data'.
*
* Notes:
- *\li 'data' is never required to be non-NULL, but specifying it
- * when the name is added is faster than searching for 'name'
- * again and then setting the data pointer. The lack of a data pointer
- * for a node also has other ramifications regarding whether
- * dns_rbt_findname considers a node to exist, or dns_rbt_deletename
- * joins nodes.
+ *\li 'data' is never required to be non-NULL, but specifying it
+ * when the name is added is faster than searching for 'name'
+ * again and then setting the data pointer. The lack of a data pointer
+ * for a node also has other ramifications regarding whether
+ * dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ * joins nodes.
*
* Requires:
- *\li rbt is a valid rbt manager.
- *\li dns_name_isabsolute(name) == TRUE
+ *\li rbt is a valid rbt manager.
+ *\li dns_name_isabsolute(name) == TRUE
*
* Ensures:
- *\li 'name' is not altered in any way.
+ *\li 'name' is not altered in any way.
*
- *\li Any external references to nodes in the tree are unaffected by
- * node splits that are necessary to insert the new name.
+ *\li Any external references to nodes in the tree are unaffected by
+ * node splits that are necessary to insert the new name.
*
- *\li If result is #ISC_R_SUCCESS:
- * 'name' is findable in the red/black tree of trees in O(log N).
- * The data pointer of the node for 'name' is set to 'data'.
+ *\li If result is #ISC_R_SUCCESS:
+ * 'name' is findable in the red/black tree of trees in O(log N).
+ * The data pointer of the node for 'name' is set to 'data'.
*
- *\li If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
- * The tree of trees is unaltered.
+ *\li If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
+ * The tree of trees is unaltered.
*
- *\li If result is #ISC_R_NOMEMORY:
- * No guarantees.
+ *\li If result is #ISC_R_NOMEMORY:
+ * No guarantees.
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #ISC_R_EXISTS The name already exists with associated data.
- *\li #ISC_R_NOSPACE The name had more logical labels than are allowed.
- *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ *\li #ISC_R_SUCCESS Success
+ *\li #ISC_R_EXISTS The name already exists with associated data.
+ *\li #ISC_R_NOSPACE The name had more logical labels than are allowed.
+ *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory
*/
isc_result_t
@@ -299,31 +309,31 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
* Just like dns_rbt_addname, but returns the address of the node.
*
* Requires:
- *\li rbt is a valid rbt structure.
- *\li dns_name_isabsolute(name) == TRUE
- *\li nodep != NULL && *nodep == NULL
+ *\li rbt is a valid rbt structure.
+ *\li dns_name_isabsolute(name) == TRUE
+ *\li nodep != NULL && *nodep == NULL
*
* Ensures:
- *\li 'name' is not altered in any way.
+ *\li 'name' is not altered in any way.
*
- *\li Any external references to nodes in the tree are unaffected by
- * node splits that are necessary to insert the new name.
+ *\li Any external references to nodes in the tree are unaffected by
+ * node splits that are necessary to insert the new name.
*
- *\li If result is ISC_R_SUCCESS:
- * 'name' is findable in the red/black tree of trees in O(log N).
- * *nodep is the node that was added for 'name'.
+ *\li If result is ISC_R_SUCCESS:
+ * 'name' is findable in the red/black tree of trees in O(log N).
+ * *nodep is the node that was added for 'name'.
*
- *\li If result is ISC_R_EXISTS:
- * The tree of trees is unaltered.
- * *nodep is the existing node for 'name'.
+ *\li If result is ISC_R_EXISTS:
+ * The tree of trees is unaltered.
+ * *nodep is the existing node for 'name'.
*
- *\li If result is ISC_R_NOMEMORY:
- * No guarantees.
+ *\li If result is ISC_R_NOMEMORY:
+ * No guarantees.
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #ISC_R_EXISTS The name already exists, possibly without data.
- *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ *\li #ISC_R_SUCCESS Success
+ *\li #ISC_R_EXISTS The name already exists, possibly without data.
+ *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory
*/
isc_result_t
@@ -333,36 +343,36 @@ dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
* Get the data pointer associated with 'name'.
*
* Notes:
- *\li When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *\li When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
* returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
- * an exact match in the tree.
+ * an exact match in the tree.
*
*\li A node that has no data is considered not to exist for this function,
* unless the #DNS_RBTFIND_EMPTYDATA option is set.
*
* Requires:
- *\li rbt is a valid rbt manager.
- *\li dns_name_isabsolute(name) == TRUE
- *\li data != NULL && *data == NULL
+ *\li rbt is a valid rbt manager.
+ *\li dns_name_isabsolute(name) == TRUE
+ *\li data != NULL && *data == NULL
*
* Ensures:
- *\li 'name' and the tree are not altered in any way.
+ *\li 'name' and the tree are not altered in any way.
*
- *\li If result is ISC_R_SUCCESS:
- * *data is the data associated with 'name'.
+ *\li If result is ISC_R_SUCCESS:
+ * *data is the data associated with 'name'.
*
- *\li If result is DNS_R_PARTIALMATCH:
- * *data is the data associated with the deepest superdomain
- * of 'name' which has data.
+ *\li If result is DNS_R_PARTIALMATCH:
+ * *data is the data associated with the deepest superdomain
+ * of 'name' which has data.
*
- *\li If result is ISC_R_NOTFOUND:
- * Neither the name nor a superdomain was found with data.
+ *\li If result is ISC_R_NOTFOUND:
+ * Neither the name nor a superdomain was found with data.
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #DNS_R_PARTIALMATCH Superdomain found with data
- *\li #ISC_R_NOTFOUND No match
- *\li #ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ *\li #ISC_R_SUCCESS Success
+ *\li #DNS_R_PARTIALMATCH Superdomain found with data
+ *\li #ISC_R_NOTFOUND No match
+ *\li #ISC_R_NOSPACE Concatenating nodes to form foundname failed
*/
isc_result_t
@@ -374,100 +384,100 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
* Find the node for 'name'.
*
* Notes:
- *\li A node that has no data is considered not to exist for this function,
- * unless the DNS_RBTFIND_EMPTYDATA option is set. This applies to both
- * exact matches and partial matches.
- *
- *\li If the chain parameter is non-NULL, then the path through the tree
- * to the DNSSEC predecessor of the searched for name is maintained,
- * unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
- * is used. (For more details on those options, see below.)
- *
- *\li If there is no predecessor, then the chain will point to nowhere, as
- * indicated by chain->end being NULL or dns_rbtnodechain_current
- * returning ISC_R_NOTFOUND. Note that in a normal Internet DNS RBT
- * there will always be a predecessor for all names except the root
- * name, because '.' will exist and '.' is the predecessor of
- * everything. But you can certainly construct a trivial tree and a
- * search for it that has no predecessor.
- *
- *\li Within the chain structure, the 'levels' member of the structure holds
- * the root node of each level except the first.
- *
- *\li The 'level_count' of the chain indicates how deep the chain to the
- * predecessor name is, as an index into the 'levels[]' array. It does
- * not count name elements, per se, but only levels of the tree of trees,
- * the distinction arrising because multiple labels from a name can be
- * stored on only one level. It is also does not include the level
- * that has the node, since that level is not stored in levels[].
- *
- *\li The chain's 'level_matches' is not directly related to the predecessor.
- * It is the number of levels above the level of the found 'node',
- * regardless of whether it was a partial match or exact match. When
- * the node is found in the top level tree, or no node is found at all,
- * level_matches is 0.
- *
- *\li When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *\li A node that has no data is considered not to exist for this function,
+ * unless the DNS_RBTFIND_EMPTYDATA option is set. This applies to both
+ * exact matches and partial matches.
+ *
+ *\li If the chain parameter is non-NULL, then the path through the tree
+ * to the DNSSEC predecessor of the searched for name is maintained,
+ * unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
+ * is used. (For more details on those options, see below.)
+ *
+ *\li If there is no predecessor, then the chain will point to nowhere, as
+ * indicated by chain->end being NULL or dns_rbtnodechain_current
+ * returning ISC_R_NOTFOUND. Note that in a normal Internet DNS RBT
+ * there will always be a predecessor for all names except the root
+ * name, because '.' will exist and '.' is the predecessor of
+ * everything. But you can certainly construct a trivial tree and a
+ * search for it that has no predecessor.
+ *
+ *\li Within the chain structure, the 'levels' member of the structure holds
+ * the root node of each level except the first.
+ *
+ *\li The 'level_count' of the chain indicates how deep the chain to the
+ * predecessor name is, as an index into the 'levels[]' array. It does
+ * not count name elements, per se, but only levels of the tree of trees,
+ * the distinction arising because multiple labels from a name can be
+ * stored on only one level. It is also does not include the level
+ * that has the node, since that level is not stored in levels[].
+ *
+ *\li The chain's 'level_matches' is not directly related to the predecessor.
+ * It is the number of levels above the level of the found 'node',
+ * regardless of whether it was a partial match or exact match. When
+ * the node is found in the top level tree, or no node is found at all,
+ * level_matches is 0.
+ *
+ *\li When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
* returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
* there is an exact match in the tree. In this case, the chain
- * will not point to the DNSSEC predecessor, but will instead point
- * to the exact match, if there was any. Thus the preceding paragraphs
- * should have "exact match" substituted for "predecessor" to describe
- * how the various elements of the chain are set. This was done to
- * ensure that the chain's state was sane, and to prevent problems that
- * occurred when running the predecessor location code under conditions
- * it was not designed for. It is not clear *where* the chain should
- * point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
- * with this option because you want a particular node, let us know
- * where you want the chain pointed, so this can be made more firm.
+ * will not point to the DNSSEC predecessor, but will instead point
+ * to the exact match, if there was any. Thus the preceding paragraphs
+ * should have "exact match" substituted for "predecessor" to describe
+ * how the various elements of the chain are set. This was done to
+ * ensure that the chain's state was sane, and to prevent problems that
+ * occurred when running the predecessor location code under conditions
+ * it was not designed for. It is not clear *where* the chain should
+ * point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ * with this option because you want a particular node, let us know
+ * where you want the chain pointed, so this can be made more firm.
*
* Requires:
- *\li rbt is a valid rbt manager.
- *\li dns_name_isabsolute(name) == TRUE.
- *\li node != NULL && *node == NULL.
- *\li #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
- * exclusive.
+ *\li rbt is a valid rbt manager.
+ *\li dns_name_isabsolute(name) == TRUE.
+ *\li node != NULL && *node == NULL.
+ *\li #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutually
+ * exclusive.
*
* Ensures:
- *\li 'name' and the tree are not altered in any way.
+ *\li 'name' and the tree are not altered in any way.
*
- *\li If result is ISC_R_SUCCESS:
+ *\li If result is ISC_R_SUCCESS:
*\verbatim
- * *node is the terminal node for 'name'.
+ * *node is the terminal node for 'name'.
- * 'foundname' and 'name' represent the same name (though not
- * the same memory).
+ * 'foundname' and 'name' represent the same name (though not
+ * the same memory).
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
*
- * chain->level_matches and chain->level_count are equal.
+ * chain->level_matches and chain->level_count are equal.
*\endverbatim
*
- * If result is DNS_R_PARTIALMATCH:
+ * If result is DNS_R_PARTIALMATCH:
*\verbatim
- * *node is the data associated with the deepest superdomain
- * of 'name' which has data.
+ * *node is the data associated with the deepest superdomain
+ * of 'name' which has data.
*
- * 'foundname' is the name of deepest superdomain (which has
- * data, unless the DNS_RBTFIND_EMPTYDATA option is set).
+ * 'foundname' is the name of deepest superdomain (which has
+ * data, unless the DNS_RBTFIND_EMPTYDATA option is set).
*
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
*\endverbatim
*
- *\li If result is ISC_R_NOTFOUND:
+ *\li If result is ISC_R_NOTFOUND:
*\verbatim
- * Neither the name nor a superdomain was found. *node is NULL.
+ * Neither the name nor a superdomain was found. *node is NULL.
*
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
*
- * chain->level_matches is 0.
+ * chain->level_matches is 0.
*\endverbatim
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #DNS_R_PARTIALMATCH Superdomain found with data
- *\li #ISC_R_NOTFOUND No match, or superdomain with no data
- *\li #ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ *\li #ISC_R_SUCCESS Success
+ *\li #DNS_R_PARTIALMATCH Superdomain found with data
+ *\li #ISC_R_NOTFOUND No match, or superdomain with no data
+ *\li #ISC_R_NOSPACE Concatenating nodes to form foundname failed
*/
isc_result_t
@@ -476,41 +486,41 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
* Delete 'name' from the tree of trees.
*
* Notes:
- *\li When 'name' is removed, if recurse is ISC_TRUE then all of its
+ *\li When 'name' is removed, if recurse is ISC_TRUE then all of its
* subnames are removed too.
*
* Requires:
- *\li rbt is a valid rbt manager.
- *\li dns_name_isabsolute(name) == TRUE
+ *\li rbt is a valid rbt manager.
+ *\li dns_name_isabsolute(name) == TRUE
*
* Ensures:
- *\li 'name' is not altered in any way.
+ *\li 'name' is not altered in any way.
*
- *\li Does NOT ensure that any external references to nodes in the tree
- * are unaffected by node joins.
+ *\li Does NOT ensure that any external references to nodes in the tree
+ * are unaffected by node joins.
*
- *\li If result is ISC_R_SUCCESS:
- * 'name' does not appear in the tree with data; however,
- * the node for the name might still exist which can be
- * found with dns_rbt_findnode (but not dns_rbt_findname).
+ *\li If result is ISC_R_SUCCESS:
+ * 'name' does not appear in the tree with data; however,
+ * the node for the name might still exist which can be
+ * found with dns_rbt_findnode (but not dns_rbt_findname).
*
- *\li If result is ISC_R_NOTFOUND:
- * 'name' does not appear in the tree with data, because
- * it did not appear in the tree before the function was called.
+ *\li If result is ISC_R_NOTFOUND:
+ * 'name' does not appear in the tree with data, because
+ * it did not appear in the tree before the function was called.
*
- *\li If result is something else:
- * See result codes for dns_rbt_findnode (if it fails, the
- * node is not deleted) or dns_rbt_deletenode (if it fails,
- * the node is deleted, but the tree is not optimized when
- * it could have been).
+ *\li If result is something else:
+ * See result codes for dns_rbt_findnode (if it fails, the
+ * node is not deleted) or dns_rbt_deletenode (if it fails,
+ * the node is deleted, but the tree is not optimized when
+ * it could have been).
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #ISC_R_NOTFOUND No match
- *\li something_else Any return code from dns_rbt_findnode except
- * DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
- * to be returned instead), and any code from
- * dns_rbt_deletenode.
+ *\li #ISC_R_SUCCESS Success
+ *\li #ISC_R_NOTFOUND No match
+ *\li something_else Any return code from dns_rbt_findnode except
+ * DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ * to be returned instead), and any code from
+ * dns_rbt_deletenode.
*/
isc_result_t
@@ -519,32 +529,32 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
* Delete 'node' from the tree of trees.
*
* Notes:
- *\li When 'node' is removed, if recurse is ISC_TRUE then all nodes
- * in levels down from it are removed too.
+ *\li When 'node' is removed, if recurse is ISC_TRUE then all nodes
+ * in levels down from it are removed too.
*
* Requires:
- *\li rbt is a valid rbt manager.
- *\li node != NULL.
+ *\li rbt is a valid rbt manager.
+ *\li node != NULL.
*
* Ensures:
- *\li Does NOT ensure that any external references to nodes in the tree
- * are unaffected by node joins.
+ *\li Does NOT ensure that any external references to nodes in the tree
+ * are unaffected by node joins.
*
- *\li If result is ISC_R_SUCCESS:
- * 'node' does not appear in the tree with data; however,
- * the node might still exist if it serves as a pointer to
- * a lower tree level as long as 'recurse' was false, hence
- * the node could can be found with dns_rbt_findnode whem
- * that function's empty_data_ok parameter is true.
+ *\li If result is ISC_R_SUCCESS:
+ * 'node' does not appear in the tree with data; however,
+ * the node might still exist if it serves as a pointer to
+ * a lower tree level as long as 'recurse' was false, hence
+ * the node could can be found with dns_rbt_findnode when
+ * that function's empty_data_ok parameter is true.
*
- *\li If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
- * The node was deleted, but the tree structure was not
- * optimized.
+ *\li If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ * The node was deleted, but the tree structure was not
+ * optimized.
*
* Returns:
- *\li #ISC_R_SUCCESS Success
- *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
- *\li #ISC_R_NOSPACE dns_name_concatenate failed when joining nodes.
+ *\li #ISC_R_SUCCESS Success
+ *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
+ *\li #ISC_R_NOSPACE dns_name_concatenate failed when joining nodes.
*/
void
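Review bot: The ISC_R_SUCCESS paragraph on the new side still carries two documentation errors that this whitespace/typo pass did not fix: "the node could can be found" is a leftover double verb, and "that function's empty_data_ok parameter" names a parameter dns_rbt_findnode does not have — elsewhere in this header the behaviour is controlled by the DNS_RBTFIND_EMPTYDATA bit of its 'options' argument. I would change the two lines to `the node can still be found with dns_rbt_findnode when` / `that function is called with the DNS_RBTFIND_EMPTYDATA option.`. The dns_rbt_deletenode prototype itself is above the hunk, so the parameter list is not visible here.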
@@ -553,24 +563,24 @@ dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
* Convert the sequence of labels stored at 'node' into a 'name'.
*
* Notes:
- *\li This function does not return the full name, from the root, but
- * just the labels at the indicated node.
+ *\li This function does not return the full name, from the root, but
+ * just the labels at the indicated node.
*
- *\li The name data pointed to by 'name' is the information stored
- * in the node, not a copy. Altering the data at this pointer
- * will likely cause grief.
+ *\li The name data pointed to by 'name' is the information stored
+ * in the node, not a copy. Altering the data at this pointer
+ * will likely cause grief.
*
* Requires:
- * \li name->offsets == NULL
+ * \li name->offsets == NULL
*
* Ensures:
- * \li 'name' is DNS_NAMEATTR_READONLY.
+ * \li 'name' is DNS_NAMEATTR_READONLY.
*
- * \li 'name' will point directly to the labels stored after the
- * dns_rbtnode_t struct.
+ * \li 'name' will point directly to the labels stored after the
+ * dns_rbtnode_t struct.
*
- * \li 'name' will have offsets that also point to the information stored
- * as part of the node.
+ * \li 'name' will have offsets that also point to the information stored
+ * as part of the node.
*/
isc_result_t
@@ -579,18 +589,18 @@ dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
* Like dns_rbt_namefromnode, but returns the full name from the root.
*
* Notes:
- * \li Unlike dns_rbt_namefromnode, the name will not point directly
- * to node data. Rather, dns_name_concatenate will be used to copy
- * the name data from each node into the 'name' argument.
+ * \li Unlike dns_rbt_namefromnode, the name will not point directly
+ * to node data. Rather, dns_name_concatenate will be used to copy
+ * the name data from each node into the 'name' argument.
*
* Requires:
- * \li name != NULL
- * \li name has a dedicated buffer.
+ * \li name != NULL
+ * \li name has a dedicated buffer.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOSPACE (possible via dns_name_concatenate)
- * \li DNS_R_NAMETOOLONG (possible via dns_name_concatenate)
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOSPACE (possible via dns_name_concatenate)
+ * \li DNS_R_NAMETOOLONG (possible via dns_name_concatenate)
*/
char *
@@ -600,14 +610,14 @@ dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
* Format the full name of a node for printing, using dns_name_format().
*
* Notes:
- * \li 'size' is the length of the printname buffer. This should be
- * DNS_NAME_FORMATSIZE or larger.
+ * \li 'size' is the length of the printname buffer. This should be
+ * DNS_NAME_FORMATSIZE or larger.
*
* Requires:
- * \li node and printname are not NULL.
+ * \li node and printname are not NULL.
*
* Returns:
- * \li The 'printname' pointer.
+ * \li The 'printname' pointer.
*/
unsigned int
@@ -616,7 +626,7 @@ dns_rbt_nodecount(dns_rbt_t *rbt);
* Obtain the number of nodes in the tree of trees.
*
* Requires:
- * \li rbt is a valid rbt manager.
+ * \li rbt is a valid rbt manager.
*/
void
@@ -624,25 +634,25 @@ dns_rbt_destroy(dns_rbt_t **rbtp);
isc_result_t
dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
/*%<
- * Stop working with a red-black tree of trees.
+ * Stop working with a red-black tree of trees.
* If 'quantum' is zero then the entire tree will be destroyed.
* If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
* allowing the rbt to be incrementally destroyed by repeated calls to
* dns_rbt_destroy2(). Once dns_rbt_destroy2() has been called no other
* operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
* performed on the tree of trees.
- *
+ *
* Requires:
- * \li *rbt is a valid rbt manager.
+ * \li *rbt is a valid rbt manager.
*
* Ensures on ISC_R_SUCCESS:
- * \li All space allocated by the RBT library has been returned.
+ * \li All space allocated by the RBT library has been returned.
*
- * \li *rbt is invalidated as an rbt manager.
+ * \li *rbt is invalidated as an rbt manager.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_QUOTA if 'quantum' nodes have been destroyed.
*/
void
@@ -652,10 +662,10 @@ dns_rbt_printall(dns_rbt_t *rbt);
* tree of trees.
*
* Notes:
- * \li The name stored at each node, along with the node's color, is printed.
- * Then the down pointer, left and right pointers are displayed
- * recursively in turn. NULL down pointers are silently omitted;
- * NULL left and right pointers are printed.
+ * \li The name stored at each node, along with the node's color, is printed.
+ * Then the down pointer, left and right pointers are displayed
+ * recursively in turn. NULL down pointers are silently omitted;
+ * NULL left and right pointers are printed.
*/
/*****
@@ -668,12 +678,12 @@ dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
* Initialize 'chain'.
*
* Requires:
- *\li 'chain' is a valid pointer.
+ *\li 'chain' is a valid pointer.
*
- *\li 'mctx' is a valid memory context.
+ *\li 'mctx' is a valid memory context.
*
* Ensures:
- *\li 'chain' is suitable for use.
+ *\li 'chain' is suitable for use.
*/
void
@@ -683,10 +693,10 @@ dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
* 'chain'.
*
* Requires:
- *\li 'chain' is a valid pointer.
+ *\li 'chain' is a valid pointer.
*
* Ensures:
- *\li 'chain' is suitable for use, and uses no dynamic storage.
+ *\li 'chain' is suitable for use, and uses no dynamic storage.
*/
void
@@ -695,15 +705,15 @@ dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
* Free any dynamic storage associated with 'chain', and then invalidates it.
*
* Notes:
- *\li Future calls to any dns_rbtnodechain_ function will need to call
- * dns_rbtnodechain_init on the chain first (except, of course,
- * dns_rbtnodechain_init itself).
+ *\li Future calls to any dns_rbtnodechain_ function will need to call
+ * dns_rbtnodechain_init on the chain first (except, of course,
+ * dns_rbtnodechain_init itself).
*
* Requires:
- *\li 'chain' is a valid chain.
+ *\li 'chain' is a valid chain.
*
* Ensures:
- *\li 'chain' is no longer suitable for use, and uses no dynamic storage.
+ *\li 'chain' is no longer suitable for use, and uses no dynamic storage.
*/
isc_result_t
@@ -713,37 +723,37 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
* Provide the name, origin and node to which the chain is currently pointed.
*
* Notes:
- *\li The tree need not have be locked against additions for the chain
- * to remain valid, however there are no guarantees if any deletion
- * has been made since the chain was established.
+ *\li The tree need not have be locked against additions for the chain
+ * to remain valid, however there are no guarantees if any deletion
+ * has been made since the chain was established.
*
* Requires:
- *\li 'chain' is a valid chain.
+ *\li 'chain' is a valid chain.
*
* Ensures:
- *\li 'node', if non-NULL, is the node to which the chain was pointed
- * by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
- * If none were called for the chain since it was initialized or reset,
- * or if the was no predecessor to the name searched for with
- * dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
+ *\li 'node', if non-NULL, is the node to which the chain was pointed
+ * by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ * If none were called for the chain since it was initialized or reset,
+ * or if the was no predecessor to the name searched for with
+ * dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
*
- *\li 'name', if non-NULL, is the name stored at the terminal level of
- * the chain. This is typically a single label, like the "www" of
- * "www.isc.org", but need not be so. At the root of the tree of trees,
- * if the node is "." then 'name' is ".", otherwise it is relative to ".".
- * (Minimalist and atypical case: if the tree has just the name
- * "isc.org." then the root node's stored name is "isc.org." but 'name'
- * will be "isc.org".)
+ *\li 'name', if non-NULL, is the name stored at the terminal level of
+ * the chain. This is typically a single label, like the "www" of
+ * "www.isc.org", but need not be so. At the root of the tree of trees,
+ * if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ * (Minimalist and atypical case: if the tree has just the name
+ * "isc.org." then the root node's stored name is "isc.org." but 'name'
+ * will be "isc.org".)
*
- *\li 'origin', if non-NULL, is the sequence of labels in the levels
- * above the terminal level, such as "isc.org." in the above example.
- * 'origin' is always "." for the root node.
+ *\li 'origin', if non-NULL, is the sequence of labels in the levels
+ * above the terminal level, such as "isc.org." in the above example.
+ * 'origin' is always "." for the root node.
*
*
* Returns:
- *\li #ISC_R_SUCCESS name, origin & node were successfully set.
- *\li #ISC_R_NOTFOUND The chain does not point to any node.
- *\li &lt;something_else> Any error return from dns_name_concatenate.
+ *\li #ISC_R_SUCCESS name, origin & node were successfully set.
+ *\li #ISC_R_NOTFOUND The chain does not point to any node.
+ *\li &lt;something_else> Any error return from dns_name_concatenate.
*/
isc_result_t
@@ -753,23 +763,23 @@ dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
* Set the chain to the lexically first node in the tree of trees.
*
* Notes:
- *\li By the definition of ordering for DNS names, the root of the tree of
- * trees is the very first node, since everything else in the megatree
- * uses it as a common suffix.
+ *\li By the definition of ordering for DNS names, the root of the tree of
+ * trees is the very first node, since everything else in the megatree
+ * uses it as a common suffix.
*
* Requires:
- *\li 'chain' is a valid chain.
- *\li 'rbt' is a valid rbt manager.
+ *\li 'chain' is a valid chain.
+ *\li 'rbt' is a valid rbt manager.
*
* Ensures:
- *\li The chain points to the very first node of the tree.
+ *\li The chain points to the very first node of the tree.
*
- *\li 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current. Thus 'origin' will always be ".".
+ *\li 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current. Thus 'origin' will always be ".".
*
* Returns:
- *\li #DNS_R_NEWORIGIN The name & origin were successfully set.
- *\li &lt;something_else> Any error result from dns_rbtnodechain_current.
+ *\li #DNS_R_NEWORIGIN The name & origin were successfully set.
+ *\li &lt;something_else> Any error result from dns_rbtnodechain_current.
*/
isc_result_t
@@ -779,19 +789,19 @@ dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
* Set the chain to the lexically last node in the tree of trees.
*
* Requires:
- *\li 'chain' is a valid chain.
- *\li 'rbt' is a valid rbt manager.
+ *\li 'chain' is a valid chain.
+ *\li 'rbt' is a valid rbt manager.
*
* Ensures:
- *\li The chain points to the very last node of the tree.
+ *\li The chain points to the very last node of the tree.
*
- *\li 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
+ *\li 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
*
* Returns:
- *\li #DNS_R_NEWORIGIN The name & origin were successfully set.
- *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory building chain.
- *\li &lt;something_else> Any error result from dns_name_concatenate.
+ *\li #DNS_R_NEWORIGIN The name & origin were successfully set.
+ *\li #ISC_R_NOMEMORY Resource Limit: Out of Memory building chain.
+ *\li &lt;something_else> Any error result from dns_name_concatenate.
*/
isc_result_t
@@ -802,26 +812,26 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
* is currently pointed.
*
* Requires:
- *\li 'chain' is a valid chain.
- *\li 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- * dns_rbt_findnode is not guaranteed to point the chain somewhere,
- * since there may have been no predecessor to the searched for name.
+ *\li 'chain' is a valid chain.
+ *\li 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ * dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ * since there may have been no predecessor to the searched for name.
*
* Ensures:
- *\li The chain is pointed to the predecessor of its current target.
+ *\li The chain is pointed to the predecessor of its current target.
*
- *\li 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
+ *\li 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
*
- *\li 'origin' is only if a new origin was found.
+ *\li 'origin' is only if a new origin was found.
*
* Returns:
- *\li #ISC_R_SUCCESS The predecessor was found and 'name' was set.
- *\li #DNS_R_NEWORIGIN The predecessor was found with a different
- * origin and 'name' and 'origin' were set.
- *\li #ISC_R_NOMORE There was no predecessor.
- *\li &lt;something_else> Any error result from dns_rbtnodechain_current.
+ *\li #ISC_R_SUCCESS The predecessor was found and 'name' was set.
+ *\li #DNS_R_NEWORIGIN The predecessor was found with a different
+ * origin and 'name' and 'origin' were set.
+ *\li #ISC_R_NOMORE There was no predecessor.
+ *\li &lt;something_else> Any error result from dns_rbtnodechain_current.
*/
isc_result_t
@@ -832,26 +842,39 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
* is currently pointed.
*
* Requires:
- *\li 'chain' is a valid chain.
- *\li 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- * dns_rbt_findnode is not guaranteed to point the chain somewhere,
- * since there may have been no predecessor to the searched for name.
+ *\li 'chain' is a valid chain.
+ *\li 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ * dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ * since there may have been no predecessor to the searched for name.
*
* Ensures:
- *\li The chain is pointed to the successor of its current target.
+ *\li The chain is pointed to the successor of its current target.
*
- *\li 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
+ *\li 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
*
- *\li 'origin' is only if a new origin was found.
+ *\li 'origin' is only if a new origin was found.
*
* Returns:
- *\li #ISC_R_SUCCESS The successor was found and 'name' was set.
- *\li #DNS_R_NEWORIGIN The successor was found with a different
- * origin and 'name' and 'origin' were set.
- *\li #ISC_R_NOMORE There was no successor.
- *\li &lt;something_else> Any error result from dns_name_concatenate.
+ *\li #ISC_R_SUCCESS The successor was found and 'name' was set.
+ *\li #DNS_R_NEWORIGIN The successor was found with a different
+ * origin and 'name' and 'origin' were set.
+ *\li #ISC_R_NOMORE There was no successor.
+ *\li &lt;something_else> Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin);
+/*%<
+ * Descend down if possible.
+ */
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
+/*%<
+ * Find the next node at the current depth in DNSSEC order.
*/
/*
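Review bot: The two new declarations, dns_rbtnodechain_down and dns_rbtnodechain_nextflat, are added with one-line comments and none of the Requires/Ensures/Returns contract that every neighbouring dns_rbtnodechain_* prototype in this header provides, so a caller cannot tell what state the chain must be in, what happens to 'name' and 'origin', or which result codes (ISC_R_NOMORE, DNS_R_NEWORIGIN, errors from dns_name_concatenate) to expect. I would extend each comment block in the same doxygen style as dns_rbtnodechain_next: a Requires section stating the chain is valid and already pointed at a node, an Ensures section describing where the chain ends up and how 'name'/'origin' are filled, and a Returns list. For dns_rbtnodechain_down, "Descend down if possible" presumably means moving to the subtree hanging off the current node's down pointer — the comment should say so explicitly and name the result returned when there is no lower level. For dns_rbtnodechain_nextflat, which takes no 'origin' argument, the comment should state that the origin is unchanged and whether 'name' is relative to it, and what is returned when the current level is exhausted. The implementation is in rbt.c and not part of this hunk, so the exact result codes must be taken from there.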
@@ -862,53 +885,53 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
* hiding the back-end. The usage is the same as that of isc_refcount_xxx().
*/
#ifdef DNS_RBT_USEISCREFCOUNT
-#define dns_rbtnode_refinit(node, n) \
- do { \
- isc_refcount_init(&(node)->references, (n)); \
- } while (0)
-#define dns_rbtnode_refdestroy(node) \
- do { \
- isc_refcount_destroy(&(node)->references); \
- } while (0)
-#define dns_rbtnode_refcurrent(node) \
+#define dns_rbtnode_refinit(node, n) \
+ do { \
+ isc_refcount_init(&(node)->references, (n)); \
+ } while (0)
+#define dns_rbtnode_refdestroy(node) \
+ do { \
+ isc_refcount_destroy(&(node)->references); \
+ } while (0)
+#define dns_rbtnode_refcurrent(node) \
isc_refcount_current(&(node)->references)
-#define dns_rbtnode_refincrement0(node, refs) \
- do { \
+#define dns_rbtnode_refincrement0(node, refs) \
+ do { \
isc_refcount_increment0(&(node)->references, (refs)); \
- } while (0)
-#define dns_rbtnode_refincrement(node, refs) \
- do { \
+ } while (0)
+#define dns_rbtnode_refincrement(node, refs) \
+ do { \
isc_refcount_increment(&(node)->references, (refs)); \
- } while (0)
-#define dns_rbtnode_refdecrement(node, refs) \
- do { \
+ } while (0)
+#define dns_rbtnode_refdecrement(node, refs) \
+ do { \
isc_refcount_decrement(&(node)->references, (refs)); \
- } while (0)
+ } while (0)
#else /* DNS_RBT_USEISCREFCOUNT */
-#define dns_rbtnode_refinit(node, n) ((node)->references = (n))
-#define dns_rbtnode_refdestroy(node) (REQUIRE((node)->references == 0))
-#define dns_rbtnode_refcurrent(node) ((node)->references)
-#define dns_rbtnode_refincrement0(node, refs) \
- do { \
- unsigned int *_tmp = (unsigned int *)(refs); \
- (node)->references++; \
- if ((_tmp) != NULL) \
- (*_tmp) = (node)->references; \
- } while (0)
-#define dns_rbtnode_refincrement(node, refs) \
- do { \
- REQUIRE((node)->references > 0); \
- (node)->references++; \
- if ((refs) != NULL) \
- (*refs) = (node)->references; \
- } while (0)
-#define dns_rbtnode_refdecrement(node, refs) \
- do { \
- REQUIRE((node)->references > 0); \
- (node)->references--; \
- if ((refs) != NULL) \
- (*refs) = (node)->references; \
- } while (0)
+#define dns_rbtnode_refinit(node, n) ((node)->references = (n))
+#define dns_rbtnode_refdestroy(node) (REQUIRE((node)->references == 0))
+#define dns_rbtnode_refcurrent(node) ((node)->references)
+#define dns_rbtnode_refincrement0(node, refs) \
+ do { \
+ unsigned int *_tmp = (unsigned int *)(refs); \
+ (node)->references++; \
+ if ((_tmp) != NULL) \
+ (*_tmp) = (node)->references; \
+ } while (0)
+#define dns_rbtnode_refincrement(node, refs) \
+ do { \
+ REQUIRE((node)->references > 0); \
+ (node)->references++; \
+ if ((refs) != NULL) \
+ (*refs) = (node)->references; \
+ } while (0)
+#define dns_rbtnode_refdecrement(node, refs) \
+ do { \
+ REQUIRE((node)->references > 0); \
+ (node)->references--; \
+ if ((refs) != NULL) \
+ (*refs) = (node)->references; \
+ } while (0)
#endif /* DNS_RBT_USEISCREFCOUNT */
ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
index 03c145b67bd9..94e831bfd54e 100644
--- a/lib/dns/include/dns/rcode.h
+++ b/lib/dns/include/dns/rcode.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rcode.h,v 1.13.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rcode.h,v 1.21 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_RCODE_H
#define DNS_RCODE_H 1
-/*! \file */
+/*! \file dns/rcode.h */
#include <isc/lang.h>
@@ -93,6 +93,21 @@ isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
*\li #ISC_R_NOSPACE target buffer is too small
*/
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a has algorithm value.
+ *
+ * Requires:
+ *\li 'hashalg' is a valid pointer.
+ *
+ *\li 'source' is a valid text region.
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS on success
+ *\li #DNS_R_UNKNOWN type is unknown
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RCODE_H */
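Review bot: The description of dns_hashalg_fromtext reads "into a has algorithm value", which should be "hash algorithm", and the DNS_R_UNKNOWN line says "type is unknown" although the function converts an algorithm name, so it should read `*\li #DNS_R_UNKNOWN hash algorithm is unknown`. It would also help to state which mnemonics the function accepts (presumably the NSEC3 hash algorithm names, but nothing in the header ties 'hashalg' to a registry) and that `*hashalg` is left untouched on failure, if that is what the implementation does. The hunk only shows the declaration, so those two behaviours need confirming against rcode.c before documenting them.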
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index a14bde788815..126bc96c3afe 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata.h,v 1.60.18.3 2005/05/19 04:59:56 marka Exp $ */
+/* $Id: rdata.h,v 1.70.120.3 2009/02/16 00:29:27 marka Exp $ */
#ifndef DNS_RDATA_H
#define DNS_RDATA_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdata.h
* \brief
* Provides facilities for manipulating DNS rdata, including conversions to
* and from wire format and text format.
@@ -49,7 +49,7 @@
* build process from a set of source files, one per rdata type. For
* portability, it's probably best that the building be done by a C
* program. Adding a new rdata type will be a simple matter of adding
- * a file to a directory and rebuilding the server. *All* knowlege of
+ * a file to a directory and rebuilding the server. *All* knowledge of
* the format of a particular rdata type is in this file.
*
* MP:
@@ -124,7 +124,8 @@ struct dns_rdata {
#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
-#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record */
+#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record. */
+#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
@@ -327,11 +328,11 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
*\li 'target' is a valid region.
*
*\li 'origin' if non NULL it must be absolute.
- *
+ *
*\li 'callbacks' to be NULL or callbacks->warn and callbacks->error be
* initialized.
*
- * Ensures,
+ * Ensures,
* if result is success:
*\li If 'rdata' is not NULL, it is attached to the target.
@@ -384,7 +385,8 @@ dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
isc_result_t
dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
- unsigned int width, char *linebreak, isc_buffer_t *target);
+ unsigned int width, const char *linebreak,
+ isc_buffer_t *target);
/*%<
* Like dns_rdata_totext, but do formatted output suitable for
* database dumps. This is intended for use by dns_db_dump();
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
index fc622bfefadc..786eb6af73fa 100644
--- a/lib/dns/include/dns/rdataclass.h
+++ b/lib/dns/include/dns/rdataclass.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataclass.h,v 1.18.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rdataclass.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_RDATACLASS_H
#define DNS_RDATACLASS_H 1
-/*! \file */
+/*! \file dns/rdataclass.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
index 697386f3beaa..57debc3951c0 100644
--- a/lib/dns/include/dns/rdatalist.h
+++ b/lib/dns/include/dns/rdatalist.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatalist.h,v 1.14.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatalist.h,v 1.22 2008/04/03 06:09:05 tbox Exp $ */
#ifndef DNS_RDATALIST_H
#define DNS_RDATALIST_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdatalist.h
* \brief
* A DNS rdatalist is a list of rdata of a common type and class.
*
@@ -98,6 +98,27 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
*\li #ISC_R_SUCCESS
*/
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+ dns_rdatalist_t **rdatalist);
+/*%<
+ * Point 'rdatalist' to the rdatalist in 'rdataset'.
+ *
+ * Requires:
+ *
+ *\li 'rdatalist' is a pointer to a NULL dns_rdatalist_t pointer.
+ *
+ *\li 'rdataset' is a valid rdataset associated with an rdatalist.
+ *
+ * Ensures,
+ * on success,
+ *
+ *\li 'rdatalist' is pointed to the rdatalist in rdataset.
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RDATALIST_H */
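Review bot: dns_rdatalist_fromrdataset documents only #ISC_R_SUCCESS under Returns while Requires states that 'rdataset' must be "associated with an rdatalist", so the header leaves open what happens when a caller hands in an rdataset backed by a different implementation: the function would hand back a pointer to something that is not a dns_rdatalist_t unless the implementation asserts. Stating the behaviour, e.g. `*\li The caller must ensure the rdataset was produced by dns_rdatalist_tordataset(); this is not checked at runtime.` or, alternatively, the REQUIRE that is actually performed, would make the contract usable. I cannot see the implementation in this hunk, so which of the two applies is for the author to confirm.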
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 559759120f79..baff146fcade 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.h,v 1.51.18.7 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: rdataset.h,v 1.65.50.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdataset.h
* \brief
* A DNS rdataset is a handle that can be associated with a collection of
* rdata all having a common owner name, class, and type.
@@ -78,8 +78,14 @@ typedef struct dns_rdatasetmethods {
dns_name_t *name);
isc_result_t (*getnoqname)(dns_rdataset_t *rdataset,
dns_name_t *name,
- dns_rdataset_t *nsec,
- dns_rdataset_t *nsecsig);
+ dns_rdataset_t *neg,
+ dns_rdataset_t *negsig);
+ isc_result_t (*addclosest)(dns_rdataset_t *rdataset,
+ dns_name_t *name);
+ isc_result_t (*getclosest)(dns_rdataset_t *rdataset,
+ dns_name_t *name,
+ dns_rdataset_t *neg,
+ dns_rdataset_t *negsig);
isc_result_t (*getadditional)(dns_rdataset_t *rdataset,
dns_rdatasetadditional_t type,
dns_rdatatype_t qtype,
@@ -140,6 +146,11 @@ struct dns_rdataset {
* increment the counter.
*/
isc_uint32_t count;
+ /*
+ * This RRSIG RRset should be re-generated around this time.
+ * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes.
+ */
+ isc_stdtime_t resign;
/*@{*/
/*%
* These are for use by the rdataset implementation, and MUST NOT
@@ -151,7 +162,9 @@ struct dns_rdataset {
unsigned int privateuint4;
void * private5;
void * private6;
+ void * private7;
/*@}*/
+
};
/*!
@@ -184,6 +197,9 @@ struct dns_rdataset {
#define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /*%< Used by resolver. */
#define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000
#define DNS_RDATASETATTR_LOADORDER 0x00020000
+#define DNS_RDATASETATTR_RESIGN 0x00040000
+#define DNS_RDATASETATTR_CLOSEST 0x00080000
+#define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */
/*%
* _OMITDNSSEC:
@@ -348,8 +364,8 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
* Notes:
*\li The rdata cursor position will be changed.
*
- *\li The 'question' flag should normally be #ISC_FALSE. If it is
- * #ISC_TRUE, the TTL and rdata fields are not printed. This is
+ *\li The 'question' flag should normally be #ISC_FALSE. If it is
+ * #ISC_TRUE, the TTL and rdata fields are not printed. This is
* for use when printing an rdata representing a question section.
*
*\li This interface is deprecated; use dns_master_rdatasettottext()
@@ -411,7 +427,7 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
unsigned int *countp);
/*%<
* Like dns_rdataset_towire(), but sorting the rdatasets according to
- * the integer value returned by 'order' when called witih the rdataset
+ * the integer value returned by 'order' when called with the rdataset
* and 'order_arg' as arguments.
*
* Requires:
@@ -477,14 +493,14 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+ dns_rdataset_t *neg, dns_rdataset_t *negsig);
/*%<
* Return the noqname proof for this record.
*
* Requires:
*\li 'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
*\li 'name' to be valid.
- *\li 'nsec' and 'nsecsig' to be valid and not associated.
+ *\li 'neg' and 'negsig' to be valid and not associated.
*/
isc_result_t
@@ -493,11 +509,37 @@ dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
* Associate a noqname proof with this record.
* Sets #DNS_RDATASETATTR_NOQNAME if successful.
* Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
- * the 'nsec' and 'rrsig(nsec)' ttl.
+ * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl.
*
* Requires:
*\li 'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
- *\li 'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ *\li 'name' to be valid and have NSEC or NSEC3 and associated RRSIG
+ * rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*%<
+ * Return the closest encloser for this record.
+ *
+ * Requires:
+ *\li 'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li 'name' to be valid.
+ *\li 'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Associate a closest encloset proof with this record.
+ * Sets #DNS_RDATASETATTR_CLOSEST if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ *\li 'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li 'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets.
*/
isc_result_t
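Review bot: The Requires block for dns_rdataset_addclosest, at the end of the hunk, says #DNS_RDATASETATTR_CLOSEST must already be set, yet the function is documented as the one that sets it on success, so the precondition contradicts the postcondition (the existing addnoqname text above it carries the same copy-paste). The TTL sentence also says 'nsec' and 'rrsig(nsec)' while the Requires line says NSEC3 and RRSIG(NSEC3), and "encloset" should read "encloser"; I would change the Requires line to `*\li 'rdataset' to be valid.` and the TTL line to `* the 'nsec3' and 'rrsig(nsec3)' ttl.`. Separately, dns_rdataset_getclosest keeps the parameter names 'nsec'/'nsecsig' that this same commit renames to 'neg'/'negsig' in dns_rdataset_getnoqname and in the getclosest entry of the method table, so aligning them would keep the header consistent with itself.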
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
index b2e13f8a6747..dcde367f1c85 100644
--- a/lib/dns/include/dns/rdatasetiter.h
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatasetiter.h,v 1.15.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatasetiter.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_RDATASETITER_H
#define DNS_RDATASETITER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdatasetiter.h
* \brief
* The DNS Rdataset Iterator interface allows iteration of all of the
* rdatasets at a node.
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
index b693a71355ab..3ac44b879e03 100644
--- a/lib/dns/include/dns/rdataslab.h
+++ b/lib/dns/include/dns/rdataslab.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataslab.h,v 1.25.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdataslab.h,v 1.33 2008/04/01 23:47:10 tbox Exp $ */
#ifndef DNS_RDATASLAB_H
#define DNS_RDATASLAB_H 1
-/*! \file
+/*! \file dns/rdataslab.h
* \brief
* Implements storage of rdatasets into slabs of memory.
*
@@ -57,6 +57,13 @@ ISC_LANG_BEGINDECLS
#define DNS_RDATASLAB_FORCE 0x1
#define DNS_RDATASLAB_EXACT 0x2
+#define DNS_RDATASLAB_OFFLINE 0x01 /* RRSIG is for offline DNSKEY */
+#define DNS_RDATASLAB_WARNMASK 0x0E /*%< RRSIG(DNSKEY) expired
+ * warnings number mask. */
+#define DNS_RDATASLAB_WARNSHIFT 1 /*%< How many bits to shift to find
+ * remaining expired warning number. */
+
+
/***
*** Functions
***/
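Review bot: The new DNS_RDATASLAB_OFFLINE (0x01) and DNS_RDATASLAB_WARNMASK (0x0E) values numerically overlap the existing DNS_RDATASLAB_FORCE (0x1) and DNS_RDATASLAB_EXACT (0x2) defined two lines above, and nothing in the header says they belong to a different namespace. If, as the comments suggest, these are per-RRSIG flag bits stored in the slab rather than options passed to the slab functions, a separating comment such as `/* Per-RRSIG flag bits kept in the slab header; not dns_rdataslab_*() option bits. */` would stop a caller from OR-ing them into the wrong argument. The DNS_RDATASLAB_OFFLINE comment also uses a plain `/*` where its neighbours use the `/*%<` doxygen form, and the two trailing blank lines before the Functions banner look unintended.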
@@ -146,10 +153,10 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
*/
isc_boolean_t
dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
- unsigned int reservelen, dns_rdataclass_t rdclass,
+ unsigned int reservelen, dns_rdataclass_t rdclass,
dns_rdatatype_t type);
/*%<
- * Compare two rdataslabs for DNSSEC equality.
+ * Compare two rdataslabs for DNSSEC equality.
*
* Requires:
*\li 'slab1' and 'slab2' point to slabs.
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
index 40a884d01d69..ba9a92c13f02 100644
--- a/lib/dns/include/dns/rdatatype.h
+++ b/lib/dns/include/dns/rdatatype.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatatype.h,v 1.18.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: rdatatype.h,v 1.26 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_RDATATYPE_H
#define DNS_RDATATYPE_H 1
-/*! \file */
+/*! \file dns/rdatatype.h */
#include <isc/lang.h>
@@ -71,7 +71,8 @@ dns_rdatatype_format(dns_rdatatype_t rdtype,
* The resulting string is guaranteed to be null-terminated.
*/
-#define DNS_RDATATYPE_FORMATSIZE sizeof("TYPE65535")
+#define DNS_RDATATYPE_FORMATSIZE sizeof("NSEC3PARAM")
+
/*%<
* Minimum size of array to pass to dns_rdatatype_format().
* May need to be adjusted if a new RR type with a very long
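Review bot: DNS_RDATATYPE_FORMATSIZE is now sized from the literal "NSEC3PARAM" rather than the generic "TYPE65535" form, so the constant silently encodes "longest mnemonic currently known" and the fallback TYPE%u form must remain no longer than it. Because callers size fixed buffers with this macro, a mnemonic longer than ten characters added later would either truncate or overflow those buffers depending on how dns_rdatatype_format() bounds its writes, which the hunk does not show. Making the invariant explicit, e.g. `/* Must cover the longest mnemonic (currently "NSEC3PARAM") and the generic "TYPE65535" form. */`, and ideally a compile-time check in the type generator, would make the next addition harder to get wrong. The comment that follows starts in this hunk but continues outside it.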
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index b858a9e52d06..62a83cafe969 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: request.h,v 1.21.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: request.h,v 1.27.332.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_REQUEST_H
#define DNS_REQUEST_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/request.h
*
* \brief
* The request module provides simple request/response services useful for
@@ -49,7 +49,7 @@
#define DNS_REQUESTOPT_TCP 0x00000001U
typedef struct dns_requestevent {
- ISC_EVENT_COMMON(struct dns_requestevent);
+ ISC_EVENT_COMMON(struct dns_requestevent);
isc_result_t result;
dns_request_t *request;
} dns_requestevent_t;
@@ -217,7 +217,7 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
unsigned int udpretries, isc_task_t *task,
isc_taskaction_t action, void *arg,
dns_request_t **requestp);
-/*%<
+/*%<
* Create and send a request.
*
* Notes:
@@ -271,7 +271,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
unsigned int udptimeout, unsigned int udpretries,
isc_task_t *task, isc_taskaction_t action, void *arg,
dns_request_t **requestp);
-/*!<
+/*!<
* \brief Create and send a request.
*
* Notes:
@@ -280,7 +280,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
* #DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
* will timeout after 'timeout' seconds. UDP requests will be resent
* at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
- *
+ *
*\li When the request completes, successfully, due to a timeout, or
* because it was canceled, a completion event will be sent to 'task'.
*
@@ -344,7 +344,7 @@ dns_request_usedtcp(dns_request_t *request);
/*%<
* Return whether this query used TCP or not. Setting #DNS_REQUESTOPT_TCP
* in the call to dns_request_create() will cause the function to return
- * #ISC_TRUE, othewise the result is based on the query message size.
+ * #ISC_TRUE, otherwise the result is based on the query message size.
*
* Requires:
*\li 'request' is a valid request.
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 4e0e6a01b774..fa837c1de4d7 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.h,v 1.40.18.11 2006/02/01 22:39:17 marka Exp $ */
+/* $Id: resolver.h,v 1.60.56.3 2009/01/29 22:40:35 jinmei Exp $ */
#ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/resolver.h
*
* \brief
* This is the BIND 9 resolver, the module responsible for resolving DNS
@@ -93,13 +93,29 @@ typedef struct dns_fetchevent {
#define DNS_FETCHOPT_FORWARDONLY 0x10 /*%< Only use forwarders. */
#define DNS_FETCHOPT_NOVALIDATE 0x20 /*%< Disable validation. */
#define DNS_FETCHOPT_EDNS512 0x40 /*%< Advertise a 512 byte
- UDP buffer. */
+ UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID 0x80 /*%< Request NSID */
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
#define DNS_FETCHOPT_EDNSVERSIONMASK 0xff000000
#define DNS_FETCHOPT_EDNSVERSIONSHIFT 24
/*
+ * Upper bounds of class of query RTT (ms). Corresponds to
+ * dns_resstatscounter_queryrttX statistics counters.
+ */
+#define DNS_RESOLVER_QRYRTTCLASS0 10
+#define DNS_RESOLVER_QRYRTTCLASS0STR "10"
+#define DNS_RESOLVER_QRYRTTCLASS1 100
+#define DNS_RESOLVER_QRYRTTCLASS1STR "100"
+#define DNS_RESOLVER_QRYRTTCLASS2 500
+#define DNS_RESOLVER_QRYRTTCLASS2STR "500"
+#define DNS_RESOLVER_QRYRTTCLASS3 800
+#define DNS_RESOLVER_QRYRTTCLASS3STR "800"
+#define DNS_RESOLVER_QRYRTTCLASS4 1600
+#define DNS_RESOLVER_QRYRTTCLASS4STR "1600"
+
+/*
* XXXRTH Should this API be made semi-private? (I.e.
* _dns_resolver_create()).
*/
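Review bot: Each DNS_RESOLVER_QRYRTTCLASSnSTR literal duplicates by hand the number in the DNS_RESOLVER_QRYRTTCLASSn definition directly above it, so the two can silently drift apart when a bound is tuned. Deriving the string from the number with a stringizing pair (names here chosen for illustration), `#define DNS_RESOLVER_STR_(x) #x`, `#define DNS_RESOLVER_STR(x) DNS_RESOLVER_STR_(x)`, and then `#define DNS_RESOLVER_QRYRTTCLASS0STR DNS_RESOLVER_STR(DNS_RESOLVER_QRYRTTCLASS0)`, keeps a single source of truth. The comment could also say whether an RTT above DNS_RESOLVER_QRYRTTCLASS4 falls into a further catch-all counter, since the header lists five upper bounds but says nothing about values beyond the last one.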
@@ -126,8 +142,6 @@ dns_resolver_create(dns_view_t *view,
*\li Generally, applications should not create a resolver directly, but
* should instead call dns_view_createresolver().
*
- *\li No options are currently defined.
- *
* Requires:
*
*\li 'view' is a valid view.
@@ -348,6 +362,23 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp);
*\li *fetchp == NULL.
*/
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+ isc_logcategory_t *category, isc_logmodule_t *module,
+ int level, isc_boolean_t duplicateok);
+/*%<
+ * Dump a log message on internal state at the completion of given 'fetch'.
+ * 'lctx', 'category', 'module', and 'level' are used to write the log message.
+ * By default, only one log message is written even if the corresponding fetch
+ * context serves multiple clients; if 'duplicateok' is true the suppression
+ * is disabled and the message can be written every time this function is
+ * called.
+ *
+ * Requires:
+ *
+ *\li 'fetch' is a valid fetch, and has completed.
+ */
+
dns_dispatchmgr_t *
dns_resolver_dispatchmgr(dns_resolver_t *resolver);
@@ -470,10 +501,13 @@ dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
isc_boolean_t
dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
-
+
void
dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state);
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver);
+
ISC_LANG_ENDDECLS
#endif /* DNS_RESOLVER_H */
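Review bot: dns_resolver_getoptions is added at the end of the hunk without the `/*%<` documentation block that every other declaration in this header carries, so a reader cannot tell whether it returns the 'options' passed to dns_resolver_create() or something else. A block along the lines of `/*%< Return the options the resolver was created with. Requires: 'resolver' is a valid resolver. */`, laid out like the neighbouring comments, would close the gap; the meaning is hedged because the hunk does not show the implementation. Note also that the earlier hunk in this file deletes "No options are currently defined" from dns_resolver_create's notes without saying which option bits are now accepted, so that note should be replaced rather than just removed.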
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index db5481b34c36..ed29bcd5d3f6 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.104.10.6 2005/06/17 02:04:32 marka Exp $ */
+/* $Id: result.h,v 1.116 2008/09/25 04:02:39 tbox Exp $ */
#ifndef DNS_RESULT_H
#define DNS_RESULT_H 1
-/*! \file */
+/*! \file dns/result.h */
#include <isc/lang.h>
#include <isc/resultclass.h>
@@ -147,8 +147,9 @@
#define DNS_R_COVERINGNSEC (ISC_RESULTCLASS_DNS + 101)
#define DNS_R_MXISADDRESS (ISC_RESULTCLASS_DNS + 102)
#define DNS_R_DUPLICATE (ISC_RESULTCLASS_DNS + 103)
+#define DNS_R_INVALIDNSEC3 (ISC_RESULTCLASS_DNS + 104)
-#define DNS_R_NRESULTS 104 /*%< Number of results */
+#define DNS_R_NRESULTS 105 /*%< Number of results */
/*
* DNS wire format rcodes.
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
index a3ddc48b0838..6da3f79d8b8b 100644
--- a/lib/dns/include/dns/rootns.h
+++ b/lib/dns/include/dns/rootns.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rootns.h,v 1.9.18.3 2005/04/27 05:01:38 sra Exp $ */
+/* $Id: rootns.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_ROOTNS_H
#define DNS_ROOTNS_H 1
-/*! \file */
+/*! \file dns/rootns.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
index de849f928dd3..c850028703a0 100644
--- a/lib/dns/include/dns/sdb.h
+++ b/lib/dns/include/dns/sdb.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdb.h,v 1.15.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: sdb.h,v 1.21.332.2 2009/01/18 23:47:41 tbox Exp $ */
#ifndef DNS_SDB_H
#define DNS_SDB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/sdb.h
* \brief
* Simple database API.
*/
@@ -127,12 +127,12 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
* The allnodes function, if non-NULL, fills in an opaque structure to be
* used by a database iterator. This allows the zone to be transferred.
* This may use a considerable amount of memory for large zones, and the
- * zone transfer may not be fully RFC1035 compliant if the zone is
+ * zone transfer may not be fully RFC1035 compliant if the zone is
* frequently changed.
*
* The create function will be called for each zone configured
* into the name server using this database type. It can be used
- * to create a "database object" containg zone specific data,
+ * to create a "database object" containing zone specific data,
* which can make use of the database arguments specified in the
* name server configuration.
*
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
index 13ba14a1297b..acb0437b4e5c 100644
--- a/lib/dns/include/dns/sdlz.h
+++ b/lib/dns/include/dns/sdlz.h
@@ -1,8 +1,8 @@
/*
- * Portions Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -50,9 +50,9 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdlz.h,v 1.2.2.2 2005/09/06 03:47:19 marka Exp $ */
+/* $Id: sdlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
-/*! \file */
+/*! \file dns/sdlz.h */
#ifndef SDLZ_H
#define SDLZ_H 1
@@ -148,7 +148,7 @@ typedef void
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
* supply a destroy method. This method is called when the DNS server
- * is shuting down and no longer needs the driver. A SDLZ driver does
+ * is shutting down and no longer needs the driver. A SDLZ driver does
* not have to implement a destroy method.
*/
@@ -173,7 +173,7 @@ typedef isc_result_t
* \li 3) we run out of domain name labels. I.E. we have tried the
* shortest domain name
*
- * \li 4) the number of labels in the domain name is less than min_lables
+ * \li 4) the number of labels in the domain name is less than min_labels
* for dns_dlzfindzone
*
* The driver's find zone method should return ISC_R_SUCCESS if the
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 0466d91821d3..2e4fe3ee0c5b 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: secalg.h,v 1.13.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secalg.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_SECALG_H
#define DNS_SECALG_H 1
-/*! \file */
+/*! \file dns/secalg.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
index a6cfd5c08f7f..b9179c0509ad 100644
--- a/lib/dns/include/dns/secproto.h
+++ b/lib/dns/include/dns/secproto.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: secproto.h,v 1.10.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secproto.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_SECPROTO_H
#define DNS_SECPROTO_H 1
-/*! \file */
+/*! \file dns/secproto.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
index 70c67253ccd7..bb563655cea7 100644
--- a/lib/dns/include/dns/soa.h
+++ b/lib/dns/include/dns/soa.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: soa.h,v 1.3.18.2 2005/04/29 00:16:22 marka Exp $ */
+/* $Id: soa.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
#ifndef DNS_SOA_H
#define DNS_SOA_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/soa.h
* \brief
* SOA utilities.
*/
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
index b7090305351e..f013bd03edef 100644
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ssu.h,v 1.13.18.4 2006/02/16 23:51:32 marka Exp $ */
+/* $Id: ssu.h,v 1.24 2008/01/18 23:46:58 tbox Exp $ */
#ifndef DNS_SSU_H
#define DNS_SSU_H 1
-/*! \file */
+/*! \file dns/ssu.h */
#include <isc/lang.h>
@@ -28,14 +28,19 @@
ISC_LANG_BEGINDECLS
-#define DNS_SSUMATCHTYPE_NAME 0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
-#define DNS_SSUMATCHTYPE_WILDCARD 2
-#define DNS_SSUMATCHTYPE_SELF 3
-#define DNS_SSUMATCHTYPE_SELFSUB 4
-#define DNS_SSUMATCHTYPE_SELFWILD 5
-#define DNS_SSUMATCHTYPE_MAX 5 /* maximum defined value */
-
+#define DNS_SSUMATCHTYPE_NAME 0
+#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
+#define DNS_SSUMATCHTYPE_WILDCARD 2
+#define DNS_SSUMATCHTYPE_SELF 3
+#define DNS_SSUMATCHTYPE_SELFSUB 4
+#define DNS_SSUMATCHTYPE_SELFWILD 5
+#define DNS_SSUMATCHTYPE_SELFKRB5 6
+#define DNS_SSUMATCHTYPE_SELFMS 7
+#define DNS_SSUMATCHTYPE_SUBDOMAINMS 8
+#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9
+#define DNS_SSUMATCHTYPE_TCPSELF 10
+#define DNS_SSUMATCHTYPE_6TO4SELF 11
+#define DNS_SSUMATCHTYPE_MAX 11 /* max value */
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
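Review bot: The six new DNS_SSUMATCHTYPE_* constants (SELFKRB5 through 6TO4SELF) are added with no comment on what each one matches, and the only description of any of them in this header is the TCPSELF/6TO4SELF text in the dns_ssutable_checkrules notes further down. A one-line comment per constant would save readers that search, e.g. `#define DNS_SSUMATCHTYPE_TCPSELF 10 /* TCP source address matches the name's in-addr.arpa/ip6.arpa reverse mapping */` and `#define DNS_SSUMATCHTYPE_6TO4SELF 11 /* TCP source IPv4 address, as a 6to4 /48 prefix, matches the name's ip6.arpa reverse mapping */`. The KRB5 and MS variants are not described anywhere in this header, so their comments should be taken from the implementation rather than guessed from the names. The comment on DNS_SSUMATCHTYPE_MAX also lost the word "defined"; `/* maximum defined value */` was the clearer wording.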
@@ -91,8 +96,8 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
* at that name.
*
* Notes:
- *\li If 'matchtype' is SELF, this rule only matches if the name
- * to be updated matches the signing identity.
+ *\li If 'matchtype' is of SELF type, this rule only matches if the
+ * name to be updated matches the signing identity.
*
*\li If 'ntypes' is 0, this rule applies to all types except
* NS, SOA, RRSIG, and NSEC.
@@ -114,16 +119,35 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
- dns_name_t *name, dns_rdatatype_t type);
+ dns_name_t *name, isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type);
/*%<
* Checks that the attempted update of (name, type) is allowed according
* to the rules specified in the simple-secure-update rule table. If
- * no rules are matched, access is denied. If signer is NULL, access
- * is denied.
+ * no rules are matched, access is denied.
+ *
+ * Notes:
+ * 'tcpaddr' should only be set if the request received
+ * via TCP. This provides a weak assurance that the
+ * request was not spoofed. 'tcpaddr' is to to validate
+ * DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
+ * rules.
+ *
+ * For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
+ * the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
+ * RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
+ * Section 2.5, "IP6.ARPA Domain".
+ *
+ * For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
+ * to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only
+ * the top 48 bits of the IPv6 address are mapped to the reverse
+ * name. This is independent of whether the most significant 16
+ * bits match 2002::/16, assigned for 6to4 prefixes, or not.
*
* Requires:
*\li 'table' is a valid SSU table
*\li 'signer' is NULL or a valid absolute name
+ *\li 'tcpaddr' is NULL or a valid network address.
*\li 'name' is a valid absolute name
*/
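Review bot: The rewritten contract drops "If signer is NULL, access is denied" without saying what an unsigned request can now match, which matters because the new DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF rules appear to authorize an update from the TCP source address alone. The function cannot tell from 'tcpaddr' whether the request really arrived over TCP, so the "weak assurance" against spoofing rests entirely on every caller passing NULL for UDP; that is a caller obligation and belongs under Requires rather than Notes, e.g. `*\li 'tcpaddr' is NULL unless the request was received over TCP.` I would also add to Notes: `* If 'signer' is NULL, only rules whose match type does not depend on the signing identity (presumably TCPSELF and 6TO4SELF) can grant access -- confirm against the implementation.` Two wording fixes in the same comment: "if the request received via TCP" should read "was received", "is to to validate" should read "is used to validate", and "IPv4 address are converted" should read "addresses".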
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
index 6cd95acaed04..0b35aa8205a0 100644
--- a/lib/dns/include/dns/stats.h
+++ b/lib/dns/include/dns/stats.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,19 +15,77 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stats.h,v 1.5.18.4 2005/06/27 00:20:03 marka Exp $ */
+/* $Id: stats.h,v 1.18.56.2 2009/01/29 23:47:44 tbox Exp $ */
#ifndef DNS_STATS_H
#define DNS_STATS_H 1
-/*! \file */
+/*! \file dns/stats.h */
#include <dns/types.h>
/*%
- * Query statistics counter types.
+ * Statistics counters. Used as isc_statscounter_t values.
*/
-typedef enum {
+enum {
+ /*%
+ * Resolver statistics counters.
+ */
+ dns_resstatscounter_queryv4 = 0,
+ dns_resstatscounter_queryv6 = 1,
+ dns_resstatscounter_responsev4 = 2,
+ dns_resstatscounter_responsev6 = 3,
+ dns_resstatscounter_nxdomain = 4,
+ dns_resstatscounter_servfail = 5,
+ dns_resstatscounter_formerr = 6,
+ dns_resstatscounter_othererror = 7,
+ dns_resstatscounter_edns0fail = 8,
+ dns_resstatscounter_mismatch = 9,
+ dns_resstatscounter_truncated = 10,
+ dns_resstatscounter_lame = 11,
+ dns_resstatscounter_retry = 12,
+ dns_resstatscounter_gluefetchv4 = 13,
+ dns_resstatscounter_gluefetchv6 = 14,
+ dns_resstatscounter_gluefetchv4fail = 15,
+ dns_resstatscounter_gluefetchv6fail = 16,
+ dns_resstatscounter_val = 17,
+ dns_resstatscounter_valsuccess = 18,
+ dns_resstatscounter_valnegsuccess = 19,
+ dns_resstatscounter_valfail = 20,
+ dns_resstatscounter_dispabort = 21,
+ dns_resstatscounter_dispsockfail = 22,
+ dns_resstatscounter_querytimeout = 23,
+ dns_resstatscounter_queryrtt0 = 24,
+ dns_resstatscounter_queryrtt1 = 25,
+ dns_resstatscounter_queryrtt2 = 26,
+ dns_resstatscounter_queryrtt3 = 27,
+ dns_resstatscounter_queryrtt4 = 28,
+ dns_resstatscounter_queryrtt5 = 29,
+
+ dns_resstatscounter_max = 30,
+
+ /*%
+ * Zone statistics counters.
+ */
+ dns_zonestatscounter_notifyoutv4 = 0,
+ dns_zonestatscounter_notifyoutv6 = 1,
+ dns_zonestatscounter_notifyinv4 = 2,
+ dns_zonestatscounter_notifyinv6 = 3,
+ dns_zonestatscounter_notifyrej = 4,
+ dns_zonestatscounter_soaoutv4 = 5,
+ dns_zonestatscounter_soaoutv6 = 6,
+ dns_zonestatscounter_axfrreqv4 = 7,
+ dns_zonestatscounter_axfrreqv6 = 8,
+ dns_zonestatscounter_ixfrreqv4 = 9,
+ dns_zonestatscounter_ixfrreqv6 = 10,
+ dns_zonestatscounter_xfrsuccess = 11,
+ dns_zonestatscounter_xfrfail = 12,
+
+ dns_zonestatscounter_max = 13,
+
+ /*%
+ * Query statistics counters (obsolete).
+ */
dns_statscounter_success = 0, /*%< Successful lookup */
dns_statscounter_referral = 1, /*%< Referral result */
dns_statscounter_nxrrset = 2, /*%< NXRRSET result */
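Review bot: The three counter families now live in one anonymous enum with overlapping values (dns_resstatscounter_* 0–29 plus _max, dns_zonestatscounter_* 0–12 plus _max, dns_statscounter_* 0–7), and with `typedef enum` replaced by a bare `enum` the identifiers are plain ints, so nothing stops a caller from passing dns_zonestatscounter_notifyrej to a resolver stats set and silently bumping dns_resstatscounter_servfail. A comment at the top of the enum should state this, e.g. `* Each family starts at 0; a counter is only meaningful for the stats set it was declared for, and the compiler will not catch mixing them.` Dropping the typedef also removes the dns_statscounter_t name, a source-compatibility break for any out-of-tree code that used it; if that is intended the "(obsolete)" note under the query counters should say so, otherwise `typedef isc_statscounter_t dns_statscounter_t;` restores it. The enum continues into the next hunk.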
@@ -35,18 +93,261 @@ typedef enum {
dns_statscounter_recursion = 4, /*%< Recursion was used */
dns_statscounter_failure = 5, /*%< Some other failure */
dns_statscounter_duplicate = 6, /*%< Duplicate query */
- dns_statscounter_dropped = 7 /*%< Duplicate query */
-} dns_statscounter_t;
+ dns_statscounter_dropped = 7 /*%< Duplicate query (dropped) */
+};
#define DNS_STATS_NCOUNTERS 8
+#if 0
+/*%<
+ * Flag(s) for dns_xxxstats_dump(). DNS_STATSDUMP_VERBOSE is obsolete.
+ * ISC_STATSDUMP_VERBOSE should be used instead. These two values are
+ * intentionally defined to be the same value to ensure binary compatibility.
+ */
+#define DNS_STATSDUMP_VERBOSE 0x00000001 /*%< dump 0-value counters */
+#endif
+
+/*%<
+ * (Obsoleted)
+ */
LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
+/*%
+ * Attributes for statistics counters of RRset and Rdatatype types.
+ *
+ * _OTHERTYPE
+ * The rdata type is not explicitly supported and the corresponding counter
+ * is counted for other such types, too. When this attribute is set,
+ * the base type is of no use.
+ *
+ * _NXRRSET
+ * RRset type counters only. Indicates the RRset is non existent.
+ *
+ * _NXDOMAIN
+ * RRset type counters only. Indicates a non existent name. When this
+ * attribute is set, the base type is of no use.
+ */
+#define DNS_RDATASTATSTYPE_ATTR_OTHERTYPE 0x0001
+#define DNS_RDATASTATSTYPE_ATTR_NXRRSET 0x0002
+#define DNS_RDATASTATSTYPE_ATTR_NXDOMAIN 0x0004
+
+/*%<
+ * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t.
+ */
+#define DNS_RDATASTATSTYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF))
+#define DNS_RDATASTATSTYPE_ATTR(type) ((type) >> 16)
+#define DNS_RDATASTATSTYPE_VALUE(b, a) (((a) << 16) | (b))
+
+/*%<
+ * Types of dump callbacks.
+ */
+typedef void (*dns_generalstats_dumper_t)(isc_statscounter_t, isc_uint64_t,
+ void *);
+typedef void (*dns_rdatatypestats_dumper_t)(dns_rdatastatstype_t, isc_uint64_t,
+ void *);
+typedef void (*dns_opcodestats_dumper_t)(dns_opcode_t, isc_uint64_t, void *);
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type. It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ * This function is obsolete. A more general function, isc_stats_create(),
+ * should be used.
+ *
+ * Requires:
+ *\li 'mctx' must be a valid memory context.
+ *
+ *\li 'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS -- all ok
+ *
+ *\li anything else -- failure
+ */
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per rdatatype.
+ *
+ * Requires:
+ *\li 'mctx' must be a valid memory context.
+ *
+ *\li 'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS -- all ok
+ *
+ *\li anything else -- failure
+ */
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per RRset.
+ *
+ * Requires:
+ *\li 'mctx' must be a valid memory context.
+ *
+ *\li 'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS -- all ok
+ *
+ *\li anything else -- failure
+ */
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per opcode.
+ *
+ * Requires:
+ *\li 'mctx' must be a valid memory context.
+ *
+ *\li 'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS -- all ok
+ *
+ *\li anything else -- failure
+ */
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t.
+ *
+ *\li 'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+dns_stats_detach(dns_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li 'statsp' != NULL and '*statsp' is a valid dns_stats_t.
+ */
+
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats. This function is obsolete.
+ * A more general function, isc_stats_increment(), should be used.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ *
+ *\li counter is less than the maximum available ID for the stats specified
+ * on creation.
+ */
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type);
+/*%<
+ * Increment the statistics counter for 'type'.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_rdatatypestats_create().
+ */
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Increment the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Decrement the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_opcodestats_create().
+ */
+
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+ void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way. For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg. By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * This function is obsolete. A more general function, isc_stats_dump(),
+ * should be used.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+ void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way. For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg. By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+ void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way. For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg. By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+ void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way. For each counter
+ * in stats, dump_fn is called with the corresponding opcode, the current
+ * counter value and the given argument arg. By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li 'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
isc_result_t
dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
/*%<
* Allocate an array of query statistics counters from the memory
* context 'mctx'.
+ *
+ * This function is obsoleted. Use dns_xxxstats_create() instead.
*/
void
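Review bot: The Requires clauses of dns_rdatatypestats_dump, dns_rdatasetstats_dump and dns_opcodestats_dump all say the stats set must be "created by dns_generalstats_create()", which contradicts the matching increment functions above that require dns_rdatatypestats_create(), dns_rdatasetstats_create() and dns_opcodestats_create(); a caller following the dump documentation to the letter would hand a general-purpose set to a per-type dumper. Each should name its own constructor, e.g. `*\li 'stats' is a valid dns_stats_t created by dns_opcodestats_create().` The phrase "counters that have a value of 0 is skipped" (repeated four times) should read "are skipped", and the `#if 0` block defining DNS_STATSDUMP_VERBOSE is dead text that its own comment calls obsolete — either delete it or reduce it to a one-line comment pointing at ISC_STATSDUMP_VERBOSE.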
@@ -54,6 +355,8 @@ dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
/*%<
* Free an array of query statistics counters allocated from the memory
* context 'mctx'.
+ *
+ * This function is obsoleted. Use dns_stats_destroy() instead.
*/
ISC_LANG_ENDDECLS
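Review bot: The new note on dns_stats_freecounters points callers at dns_stats_destroy(), but no such function is declared in this header; the replacement API added above declares dns_stats_attach() and dns_stats_detach(), with dns_stats_detach() documented as the way to drop a reference to a set. Unless dns_stats_destroy() exists elsewhere, this should read `* This function is obsoleted. Use dns_stats_detach() instead.`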
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
index 075f463243a5..fe83c532c8b1 100644
--- a/lib/dns/include/dns/tcpmsg.h
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereb