upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '4-convert-to-modern-autotools-autoconf-automake-libtool' into 'master'

Browse source 
Convert to modern autotools (autoconf + automake + libtool)

Closes #4

See merge request isc-projects/bind9!985
This commit is contained in:
Ondřej Surý 2020-04-21 13:06:22 +00:00
commit 01b3495000
831 changed files with 4139 additions and 87102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -4,11 +4,13 @@
*.gcno
*.la
*.lo
*.log
*.o
*.orig
*.plist/ # ccc-analyzer store its results in .plist directories
*.rej
*.so
*.trs
*_test
*.ipch # vscode/intellisense precompiled header
*~
@ -51,6 +53,7 @@
/stamp-h1
/test-driver
Makefile
Makefile.in
ans.run
gen.dSYM/
kyua.log
@ -62,3 +65,4 @@ timestamp
/cppcheck.results
/tsan
/util/check-make-install
/INSTALL

96
.gitlab-ci.yml
View file

@ -32,6 +32,7 @@ variables:
TARBALL_EXTENSION: xz
stages:
- autoconf
- precheck
- build
- unit
@ -168,7 +169,7 @@ stages:
.autoconf: &autoconf_job
<<: *release_branch_triggering_rules
<<: *base_image
stage: precheck
stage: autoconf
script:
- autoreconf -fi
artifacts:
@ -186,6 +187,7 @@ stages:
--with-json-c \
--prefix=$HOME/.local \
--without-make-clean \
--with-python=python3 \
$EXTRA_CONFIGURE \
|| cat config.log
@ -253,8 +255,8 @@ stages:
- *setup_interfaces
- *setup_softhsm
script:
- ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
- test -s bin/tests/system/systests.output
- ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 ) || cat bin/tests/system/test-suite.log
- test -s bin/tests/system/test-suite.log
.system_test: &system_test_job
<<: *system_test_common
@ -313,9 +315,7 @@ stages:
before_script:
- *setup_softhsm
script:
- make unit
after_script:
- *kyua_report_html
- cd lib && make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
.unit_test: &unit_test_job
<<: *unit_test_common
@ -328,16 +328,12 @@ stages:
<<: *unit_test_common
allow_failure: true
after_script:
- *kyua_report_html
- find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
artifacts:
expire_in: "1 day"
paths:
- lib/*/tests/tsan.*
- tsan/
- kyua.log
- kyua.results
- kyua_html/
when: on_failure
.cppcheck_args: &run_cppcheck |
@ -377,7 +373,6 @@ autoreconf:
misc:
<<: *precheck_job
script:
- sh util/check-ans-prereq.sh
- sh util/checklibs.sh > checklibs.out
- sh util/tabify-changes < CHANGES > CHANGES.tmp
- diff -urNap CHANGES CHANGES.tmp
@ -451,16 +446,14 @@ tarball-create:
stage: precheck
<<: *base_image
script:
- source version
- export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
- git archive --prefix="${BIND_DIRECTORY}/" --output="${BIND_DIRECTORY}.tar" HEAD
- mkdir "${BIND_DIRECTORY}"
- echo "SRCID=$(git rev-list --max-count=1 HEAD | cut -b1-7)" > "${BIND_DIRECTORY}/srcid"
- tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/srcid"
- ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar"
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} dist V=1
artifacts:
paths:
- bind-*.tar.${TARBALL_EXTENSION}
- bind-*.tar.*
needs:
- job: autoreconf
artifacts: true
only:
- tags
@ -477,6 +470,7 @@ docs:
needs:
- job: autoreconf
artifacts: true
allow_failure: true
artifacts:
paths:
- doc/arm/
@ -524,7 +518,7 @@ gcc:centos6:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error"
EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error --without-python"
<<: *centos_centos6_amd64_image
<<: *build_job
@ -805,7 +799,7 @@ gcc:tumbleweed:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--with-libidn2"
EXTRA_CONFIGURE: "--with-libidn2 --with-python"
<<: *tumbleweed_latest_amd64_image
<<: *build_job
@ -1152,77 +1146,17 @@ system:clang:openbsd6.6:amd64:
- schedules
- web
# Jobs for Visual Studio 2017 builds on Windows (amd64)
msvc:windows:amd64:
<<: *windows_build_job
<<: *default_triggering_rules
variables:
VSCONF: Release
system:msvc:windows:amd64:
<<: *windows_system_test_job
variables:
VSCONF: Release
needs:
- job: msvc:windows:amd64
artifacts: true
msvc-debug:windows:amd64:
<<: *windows_build_job
variables:
VSCONF: Debug
only:
- schedules
- tags
- web
system:msvc-debug:windows:amd64:
<<: *windows_system_test_job
variables:
VSCONF: Debug
needs:
- job: msvc-debug:windows:amd64
artifacts: true
# Job producing a release tarball
release:
<<: *base_image
stage: release
script:
# Determine BIND version
- source version
- export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
# Remove redundant files and system test utilities from Windows build artifacts
- find Build/Release/ -name "*.pdb" -print -delete
- find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete
- find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete
# Create Windows zips
- openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256
- ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * )
- ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * )
# Prepare release tarball contents (tarballs + zips + documentation)
- mkdir -p release/doc/arm
- pushd release
- mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip .
- tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}"
- mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README,srcid} .
- mv "${BIND_DIRECTORY}"/doc/arm/{Bv9ARM{*.html,.pdf},man.*,notes.{html,pdf,txt}} doc/arm/
- rm -rf "${BIND_DIRECTORY}"
- cp doc/arm/notes.html "RELEASE-NOTES-${BIND_DIRECTORY}.html"
- cp doc/arm/notes.pdf "RELEASE-NOTES-${BIND_DIRECTORY}.pdf"
- cp doc/arm/notes.txt "RELEASE-NOTES-${BIND_DIRECTORY}.txt"
- popd
# Create release tarball
- tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/
needs:
- job: tarball-create
artifacts: true
- job: msvc:windows:amd64
artifacts: true
- job: msvc-debug:windows:amd64
artifacts: true
only:
- tags
artifacts:

53
AUTHORS Normal file
View file

@ -0,0 +1,53 @@
Mark Andrews
Andreas Gustafsson
Evan Hunt
Brian Wellington
Bob Halley
David Lawrence
Michael Graff
Michael Sawyer
Ondřej Surý
James Brister
Tatuya JINMEI 神明達哉
Francis Dupont
Michał Kępień
Danny Mayer
Mukund Sivaraman
Jeremy C. Reed
William King
Stephen Morris
Witold Kręcicki
Curtis Blackburn
Scott Mann
Rob Austein
Jim Reid
Eric Luce
Olafur Gudmundsson
Stephen Jacob
Damien Neil
Tony Finch
Jakob Schlyter
Petr Menšík
Vernon Schryver
Matt Nelson
Shane Kerr
Paul Ebersman
Ray Bellis
Shawn Routhier
Ben Cottrell
Tomas Hozza
johnd
Bill Parker
李昶
Kevin Chen
Jonathan Casey
Mary Stahl
Mathieu Arnold
David Hankins
Paul Hoffman
Paul Vixie
Brian Conry
Anay Panvalkar
colleen
Robert Edmonds
João Damas

79
CODE_OF_CONDUCT
View file

@ -1,79 +0,0 @@
CODE OF CONDUCT
BIND 9 Code of Conduct
Like the technical community as a whole, the BIND 9 team and community is
made up of a mixture of professionals and volunteers from all over the
world, working on every aspect of the mission - including mentorship,
teaching, and connecting people.
Diversity is one of our huge strengths, but it can also lead to
communication issues and unhappiness. To that end, we have a few ground
rules that we ask people to adhere to. This code applies equally to the
core development team, open source contributors and those seeking help and
guidance.
This isn't an exhaustive list of things that you can't do. Rather, take it
in the spirit in which it's intended - a guide to make it easier to enrich
all of us and the technical communities in which we participate.
This code of conduct applies to all spaces managed by the BIND 9 project
or Internet Systems Consortium. This includes chat, the mailing lists, the
issue tracker, and any other fora created by the project team which the
community uses for communication. In addition, violations of this code
outside these spaces may affect a person's ability to participate within
them.
If you believe someone is violating the code of conduct, we ask that you
report it by emailing conduct@isc.org. For more details please see our
Reporting Guidelines.
* Be friendly and patient.
* Be welcoming. We strive to be a community that welcomes and supports
people of all backgrounds and identities. This includes, but is not
limited to members of any race, ethnicity, culture, national origin,
colour, immigration status, social and economic class, educational
level, sex, sexual orientation, gender identity and expression, age,
size, family status, political belief, religion, and mental and
physical ability.
* Be considerate. Your work will be used by other people, and you in
turn will depend on the work of others. Any decision you take will
affect users and colleagues, and you should take those consequences
into account when making decisions. Remember that we're a world-wide
community, so you might not be communicating in someone else's primary
language.
* Be respectful. Not all of us will agree all the time, but disagreement
is no excuse for poor behavior and poor manners. We might all
experience some frustration now and then, but we cannot allow that
frustration to turn into a personal attack. It's important to remember
that a community where people feel uncomfortable or threatened is not
a productive one. Members of the BIND 9 community should be respectful
when dealing with other members as well as with people outside the
BIND 9 community.
* Be careful in the words that you choose. We are a community of
professionals, and we conduct ourselves professionally. Be kind to
others. Do not insult or put down other participants. Harassment and
other exclusionary behavior aren't acceptable. This includes, but is
not limited to:
+ Violent threats or language directed against another person.
+ Discriminatory jokes and language.
+ Posting sexually explicit or violent material.
+ Posting (or threatening to post) other people's personally
identifying information ("doxing").
+ Personal insults, especially those using racist or sexist terms.
+ Unwelcome sexual attention.
+ Advocating for, or encouraging, any of the above behavior.
+ Repeated harassment of others. In general, if someone asks you to
stop, then stop.
* When we disagree, try to understand why. Disagreements, both social
and technical, happen all the time and BIND 9 is no exception. It is
important that we resolve disagreements and differing views
constructively. Remember that we're different. The strength of BIND 9
comes from its varied community, people from a wide range of
backgrounds. Different people have different perspectives on issues.
Being unable to understand why someone holds a viewpoint doesn't mean
that they're wrong. Don't forget that it is human to err and blaming
each other doesn't get us anywhere. Instead, focus on helping to
resolve issues and learning from mistakes.
Original text courtesy of the Django Code of Conduct project.

196
CONTRIBUTING
View file

@ -1,196 +0,0 @@
CONTRIBUTING
BIND Source Access and Contributor Guidelines
Feb 22, 2018
Contents
1. Access to source code
2. Reporting bugs
3. Contributing code
Introduction
Thank you for using BIND!
BIND is open source software that implements the Domain Name System (DNS)
protocols for the Internet. It is a reference implementation of those
protocols, but it is also production-grade software, suitable for use in
high-volume and high-reliability applications. It is by far the most
widely used DNS software, providing a robust and stable platform on top of
which organizations can build distributed computing systems with the
knowledge that those systems are fully compliant with published DNS
standards.
BIND is and will always remain free and openly available. It can be used
and modified in any way by anyone.
BIND is maintained by the Internet Systems Consortium, a public-benefit
501(c)(3) nonprofit, using a "managed open source" approach: anyone can
see the source, but only ISC employees have commit access. Until recently,
the source could only be seen once ISC had published a release: read
access to the source repository was restricted just as commit access was.
That's now changing, with the opening of a public git mirror to the BIND
source tree (see below).
At Internet Systems Consortium, we're committed to building communities
that are welcoming and inclusive; environments where people are encouraged
to share ideas, treat each other with respect, and collaborate towards the
best solutions. To reinforce our commitment, the Internet Systems
Consortium has adopted the Contributor Covenant version 1.4 as our Code of
Conduct for BIND 9 project, as well as for the conduct of our developers
throughout the industry.
Access to source code
Public BIND releases are always available from the ISC FTP site.
A public-access GIT repository is also available at https://gitlab.isc.org
. This repository is a mirror, updated several times per day, of the
source repository maintained by ISC. It contains all the public release
branches; upcoming releases can be viewed in their current state at any
time. It does not contain development branches or unreviewed work in
progress. Commits which address security vulnerablilities are withheld
until after public disclosure.
You can browse the source online via https://gitlab.isc.org/isc-projects/
bind9
To clone the repository, use:
$ git clone https://gitlab.isc.org/isc-projects/bind9.git
Release branch names are of the form v9_X, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.12
branch, use:
$ git checkout v9_12
Whenever a branch is ready for publication, a tag will be placed of the
form v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
The branch in which the next major release is being developed is called
master.
Reporting bugs
Reports of flaws in the BIND package, including software bugs, errors in
the documentation, missing files in the tarball, suggested changes or
requests for new features, etc, can be filed using https://gitlab.isc.org/
isc-projects/bind9/issues.
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or low in
priority, but we will try at least to acknowledge legitimate bug reports
within a week.
ISC's ticketing system is publicly readable; however, you must have an
account to file a new issue. You can either register locally or use
credentials from an existing account at GitHub, GitLab, Google, Twitter,
or Facebook.
Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the ISC Security Officer public key.
Do not discuss undisclosed security vulnerabilities on any public mailing
list. ISC has a long history of handling reported vulnerabilities promptly
and effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at https://
kb.isc.org/article/AA-00861/0.
If you have a crash, you may want to consult ?What to do if your BIND or
DHCP server has crashed.?
Contributing code
BIND is licensed under the Mozilla Public License 2.0. Earier versions
(BIND 9.10 and earlier) were licensed under the ISC License
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to reliquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
BIND code
Patches for BIND may be submitted directly via merge requests in ISC's
Gitlab source repository for BIND.
Patches can also be submitted as diffs against a specific version of BIND
-- preferably the current top of the master branch. Diffs may be generated
using either git format-patch or git diff.
Those wanting to write code for BIND may be interested in the developer
information page, which includes information about BIND design and coding
practices, including discussion of internal APIs and overall system
architecture. (This is a work in progress, and still quite preliminary.)
Every patch submitted will be reviewed by ISC engineers following our code
review process before it is merged.
It may take considerable time to review patch submissions, especially if
they don't meet ISC style and quality guidelines. If a patch is a good
idea, we can and will do additional work to bring it up to par, but if
we're busy with other work, it may take us a long time to get to it.
To ensure your patch is acted on as promptly as possible, please:
* Try to adhere to the BIND 9 coding style.
* Run make check to ensure your change hasn't caused any functional
regressions.
* Document your work, both in the patch itself and in the accompanying
email.
* In patches that make non-trivial functional changes, include system
tests if possible; when introducing or substantially altering a
library API, include unit tests. See Testing for more information.
Changes to configure
If you need to make changes to configure, you should not edit it directly;
instead, edit configure.in, then run autoconf. Similarly, instead of
editing config.h.in directly, edit configure.in and run autoheader.
When submitting a patch as a diff, it's fine to omit the configure diffs
to save space. Just send the configure.in diffs and we'll generate the new
configure during the review process.
Documentation
All functional changes should be documented. There are three types of
documentation in the BIND source tree:
* Man pages are kept alongside the source code for the commands they
document, in files ending in .docbook; for example, the named man page
is bin/named/named.docbook.
* The BIND 9 Administrator Reference Manual is mostly in doc/arm/
Bv9ARM-book.xml, plus a few other XML files that are included in it.
* API documentation is in the header file describing the API, in
Doxygen-formatted comments.
It is not necessary to edit any documentation files other than these; all
PDF, HTML, and nroff-format man page files will be updated automatically
from the docbook and XML files after merging.
Patches to improve existing documentation are also very welcome!
Tests
BIND is a large and complex project. We rely heavily on continuous
automated testing and cannot merge new code without adequate test
coverage. Please see the 'Testing' section of doc/dev/dev.md for more
information.
Thanks
Thank you for your interest in contributing to the ongoing development of
BIND.

1
COPYING Symbolic link
View file

@ -0,0 +1 @@
LICENSE

1
ChangeLog Symbolic link
View file

@ -0,0 +1 @@
CHANGES

615
HISTORY
View file

@ -1,615 +0,0 @@
HISTORY
Functional enhancements from prior major releases of BIND 9
BIND 9.16
BIND 9.16 (a stable branch based on the 9.15 development branch) includes
a number of changes from BIND 9.14 and earlier releases. New features
include:
* New dnssec-policy statement to configure a key and signing policy for
zones, enabling automatic key regeneration and rollover.
* New network manager based on libuv.
* Added support for the new GeoIP2 geolocation API, libmaxminddb.
* Improved DNSSEC trust anchor configuration using the trust-anchors
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for dig, mdig, and delv.
BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch) includes
a number of changes from BIND 9.12 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below
which DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with libidn2.
* "named -V" now outputs the default paths for files used by named and
other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See https://dnsflagday.net for more details.
Cryptographic support has been modernized. BIND now uses the best
available pseudo-random number generator for the platform on which it's
built. Very old versions of OpenSSL are no longer supported. Cryptography
is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier
releases. New features include:
* named and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting 'max-journal-size default' now limits the size of journal
files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in rndc-confgen is now hmac-sha256.
* filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
* Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone, along
with their configuration parameters. Changes to the catalog zone are
propagated to slaves via normal AXFR/IXFR, whereupon the zones that
are listed in it are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing
and logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
use of recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically adjusted
downward if the server is partially or completely non-responsive.
The algorithm used to adjust the quota can be configured via the
"fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries that
can be sent for names within a single domain. (Note: Unlike
"fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count queries spilled due to
these quotas.
* Added a new "dnssec-keymgr" key mainenance utility, which can generate
or update keys as needed to ensure that a zone's keys match a defined
DNSSEC policy.
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
and is no longer optional. EDNS COOKIE is a mechanism enabling clients
to detect off-path spoofed responses, and servers to detect
spoofed-source queries. Clients that identify themselves using COOKIE
options are not subject to response rate limiting (RRL) and can
receive larger UDP responses.
* SERVFAIL responses can now be cached for a limited time (defaulting to
1 second, with an upper limit of 30). This can reduce the frequency of
retries when a query is persistently failing.
* Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
be skipped if a name server IP address isn't in the cache yet; the
address will be looked up and the rule will be applied on future
queries.
* Added a Python RNDC module. This allows multiple commands to sent over
a persistent RNDC channel, which saves time.
* The "controls" block in named.conf can now grant read-only "rndc"
access to specified clients or keys. Read-only clients could, for
example, check "rndc status" but could not reconfigure or shut down
the server.
* "rndc" commands can now return arbitrarily large amounts of text to
the caller.
* The zone serial number of a dynamically updatable zone can now be set
via "rndc signing -serial ". This allows inline-signing zones to be
set to a specific serial number.
* The new "rndc nta" command can be used to set a Negative Trust Anchor
(NTA), disabling DNSSEC validation for a specific domain; this can be
used when responses from a domain are known to be failing validation
due to administrative error rather than because of a spoofing attack.
Negative trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
* "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
* "rndc modzone" reconfigures a single zone, without requiring the
entire server to be reconfigured.
* "rndc showzone" displays the current configuration of a zone.
* "rndc managed-keys" can be used to check the status of RFC 5011
managed trust anchors, or to force trust anchors to be refreshed.
* "max-cache-size" can now be set to a percentage of available memory.
The default is 90%.
* Update forwarding performance has been improved by allowing a single
TCP connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
servers; if a query contains an ECS option then ACLs containing
"geoip" or "ecs" elements can match against the the address encoded in
the option. This can be used to select a view for a query, so that
different answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side,
allowing a slave server to set the expiration timer correctly when
transferring zone data from another slave server.
* The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
"-Psync" and "-Dsync" options to set the publication and deletion
times of CDS and CDNSKEY parent-synchronization records. Both named
and dnssec-signzone can now publish and remove these records at the
scheduled times.
* A new "minimal-any" option reduces the size of UDP responses for query
type ANY by returning a single arbitrarily selected RRset instead of
all RRsets.
* A new "masterfile-style" zone option controls the formatting of text
zone files: When set to "full", a zone file is dumped in
single-line-per-record format.
* "serial-update-method" can now be set to "date". On update, the serial
number will be set to the current date in YYYYMMDDNN format.
* "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
* "named -L " causes named to send log messages to the specified file by
default instead of to the system log.
* "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
s for weeks, days, hours, minutes, and seconds.
* "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
presentation format.
* "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
* "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
requests.
* "mdig" is an alternate version of dig which sends multiple pipelined
TCP queries to a server. Instead of waiting for a response after
sending a query, it sends all queries immediately and displays
responses in the order received.
* "serial-query-rate" no longer controls NOTIFY messages. These are
separately controlled by "notify-rate" and "startup-notify-rate".
* "nsupdate" now performs "check-names" processing by default on records
to be added. This can be disabled with "check-names no".
* The statistics channel now supports DEFLATE compression, reducing the
size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the
sizes of incoming queries and outgoing responses in histogram buckets,
as specified in RSSAC002.
* A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
added, allowing redirection to a specified DNS namespace instead of a
single redirect zone.
* When starting up, named now ensures that no other named process is
already running.
* Files created by named to store information, including "mkeys" and
"nzf" files, are now named after their corresponding views unless the
view name contains characters incompatible with use as a filename. Old
style filenames (based on the hash of the view name) will still work.
BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
* DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no
longer requires a compile-time option to enable it.
* An experimental "Source Identity Token" (SIT) EDNS option is now
available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
these are designed to enable clients to detect off-path spoofed
responses, and to enable servers to detect spoofed-source queries.
Servers can be configured to send smaller responses to clients that
have not identified themselves using a SIT option, reducing the
effectiveness of amplification attacks. RRL processing has also been
updated; clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this feature in
BIND.
* A new zone file format, "map", stores zone data in a format that can
be mapped directly into memory, allowing significantly faster zone
loading.
* "delv" (domain entity lookup and validation) is a new tool with
dig-like semantics for looking up DNS data and performing internal
DNSSEC validation. This allows easy validation in environments where
the resolver may not be trustworthy, and assists with troubleshooting
of DNSSEC problems. (NOTE: In previous development releases of BIND
9.10, this utility was called "delve". The spelling has been changed
to avoid confusion with the "delve" utility included with the Xapian
search engine.)
* Improved EDNS(0) processing for better resolver performance and
reliability over slow or lossy connections.
* A new "configure --with-tuning=large" option tunes certain compiled-in
constants and default settings to values better suited to large
servers with abundant memory. This can improve performance on such
servers, but will consume more memory and may degrade performance on
smaller systems.
* Substantial improvement in response-policy zone (RPZ) performance. Up
to 32 response-policy zones can be configured with minimal performance
loss.
* To improve recursive resolver performance, cache records which are
still being requested by clients can now be automatically refreshed
from the authoritative server before they expire, reducing or
eliminating the time window in which no answer is available in the
cache.
* New "rpz-client-ip" triggers and drop policies allowing response
policies based on the IP address of the client.
* ACLs can now be specified based on geographic location using the
MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
* Zone data can now be shared between views, allowing multiple views to
serve the same zones authoritatively without storing multiple copies
in memory.
* New XML schema (version 3) for the statistics channel includes many
new statistics and uses a flattened XML tree for faster parsing. The
older schema is now deprecated.
* A new stylesheet, based on the Google Charts API, displays XML
statistics in charts and graphs on javascript-enabled browsers.
* The statistics channel can now provide data in JSON format as well as
XML.
* New stats counters track TCP and UDP queries received per zone, and
EDNS options received in total.
* The internal and export versions of the BIND libraries (libisc,
libdns, etc) have been unified so that external library clients can
use the same libraries as BIND itself.
* A new compile-time option, "configure --enable-native-pkcs11", allows
BIND 9 cryptography functions to use the PKCS#11 API natively, so that
BIND can drive a cryptographic hardware service module (HSM) directly
instead of using a modified OpenSSL as an intermediary. (Note: This
feature requires an HSM to have a full implementation of the PKCS#11
API; many current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness. Native
PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
version 2 from the Open DNSSEC project.)
* The new "max-zone-ttl" option enforces maximum TTLs for zones. This
can simplify the process of rolling DNSSEC keys by guaranteeing that
cached signatures will have expired within the specified amount of
time.
* "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
* "dig +expire" sends an EDNS EXPIRE option when querying. When this
option is sent with an SOA query to a server that supports it, it will
report the expiry time of a slave zone.
* New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently
scheduled.
* Signing algorithm flexibility and other improvements for the "rndc"
control channel.
* "named-checkzone" and "named-compilezone" can now read journal files,
allowing them to process dynamic zones.
* Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases
now serve zones of type "master" and "redirect".
* "rndc zonestatus" reports information about a specified zone.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* "named" now preserves the capitalization of names when responding to
queries: for instance, a query for "example.com" may be answered with
"example.COM" if the name was configured that way in the zone file.
Some clients have a bug causing them to depend on the older behavior,
in which the case of the answer always matched the case of the query,
rather than the case of the name configured in the DNS. Such clients
can now be specified in the new "no-case-compress" ACL; this will
restore the older behavior of "named" for those clients only.
* new "dnssec-importkey" command allows the use of offline DNSSEC keys
with automatic DNSKEY management.
* New "named-rrchecker" tool to verify the syntactic correctness of
individual resource records.
* When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer
active.
* "named-checkconf -px" will print the contents of configuration files
with the shared secrets obscured, making it easier to share
configuration (e.g. when submitting a bug report) without revealing
private information.
* "rndc scan" causes named to re-scan network interfaces for changes in
local addresses.
* On operating systems with support for routing sockets, network
interfaces are re-scanned automatically whenever they change.
* "tsig-keygen" is now available as an alternate command name to use for
"ddns-confgen".
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
* Inline signing, allowing automatic DNSSEC signing of master zones
without modification of the zonefile, or "bump in the wire" signing in
slaves.
* NXDOMAIN redirection.
* New 'rndc flushtree' command clears all data under a given name from
the DNS cache.
* New 'rndc sync' command dumps pending changes in a dynamic zone to
disk without a freeze/thaw cycle.
* New 'rndc signing' command displays or clears signing status records
in 'auto-dnssec' zones.
* NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
signing, eliminating the need to initially sign with NSEC.
* Startup time improvements on large authoritative servers.
* Slave zones are now saved in raw format by default.
* Several improvements to response policy zones (RPZ).
* Improved hardware scalability by using multiple threads to listen for
queries and using finer-grained client locking
* The 'also-notify' option now takes the same syntax as 'masters', so it
can used named masterlists and TSIG keys.
* 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
* 'dnssec-signzone -R' forces removal of signatures that are not expired
but were created by a key which no longer exists.
* 'dnssec-signzone -X' allows a separate expiration date to be specified
for DNSKEY signatures from other signatures.
* New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
* dnssec-dsfromkey now supports reading from standard input, to make it
easier to convert DNSKEY to DS.
* RFC 1918 reverse zones have been added to the empty-zones table per
RFC 6303.
* Dynamic updates can now optionally set the zone's SOA serial number to
the current UNIX time.
* DLZ modules can now retrieve the source IP address of the querying
client.
* 'request-ixfr' option can now be set at the per-zone level.
* 'dig +rrcomments' turns on comments about DNSKEY records, indicating
their key ID, algorithm and function
* Simplified nsupdate syntax and added readline support
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
* Built-in trust anchor for the root zone, which can be switched on via
"dnssec-validation auto;"
* Support for DNS64.
* Support for response policy zones (RPZ).
* Support for writable DLZ zones.
* Improved ease of configuration of GSS/TSIG for interoperability with
Active Directory
* Support for GOST signing algorithm for DNSSEC.
* Removed RTT Banding from server selection algorithm.
* New "static-stub" zone type.
* Allow configuration of resolver timeouts via "resolver-query-timeout"
option.
* The DLZ "dlopen" driver is now built by default.
* Added a new include file with function typedefs for the DLZ "dlopen"
driver.
* Made "--with-gssapi" default.
* More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration. New features
include:
* Fully automatic signing of zones by "named".
* Simplified configuration of DNSSEC Lookaside Validation (DLV).
* Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
* New named option "attach-cache" that allows multiple views to share a
single cache.
* DNS rebinding attack prevention.
* New default values for dnssec-keygen parameters.
* Support for RFC 5011 automated trust anchor maintenance
* Smart signing: simplified tools for zone signing and key maintenance.
* The "statistics-channels" option is now available on Windows.
* A new DNSSEC-aware libdns API for use by non-BIND9 applications
* On some platforms, named and other binaries can now print out a stack
backtrace on assertion failure, to aid in debugging.
* A "tools only" installation mode on Windows, which only installs dig,
host, nslookup and nsupdate.
* Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
* Full NSEC3 support
* Automatic zone re-signing
* New update-policy methods tcp-self and 6to4-self
* The BIND 8 resolver library, libbind, has been removed from the BIND 9
distribution and is now available as a separate download.
* Change the default pid file location from /var/run to /var/run/
{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
* GSS-TSIG support (RFC 3645).
* DHCID support.
* Experimental http server and statistics support for named via xml.
* More detailed statistics counters including those supported in BIND 8.
* Faster ACL processing.
* Use Doxygen to generate internal documentation.
* Efficient LRU cache-cleaning mechanism.
* NSID support.
BIND 9.4.0
* Implemented "additional section caching (or acache)", an internal
cache framework for additional section content to improve response
performance. Several configuration options were provided to control
the behavior.
* New notify type 'master-only'. Enable notify for master zones only.
* Accept 'notify-source' style syntax for query-source.
* rndc now allows addresses to be set in the server clauses.
* New option "allow-query-cache". This lets "allow-query" be used to
specify the default zone access level rather than having to have every
zone override the global value. "allow-query-cache" can be set at both
the options and view levels. If "allow-query-cache" is not set then
"allow-recursion" is used if set, otherwise "allow-query" is used if
set unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
* rndc: the source address can now be specified.
* ixfr-from-differences now takes master and slave in addition to yes
and no at the options and view levels.
* Allow the journal's name to be changed via named.conf.
* 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
specified zone.
* 'dig +trace' now randomly selects the next servers to try. Report if
there is a bad delegation.
* Improve check-names error messages.
* Make public the function to read a key file, dst_key_read_public().
* dig now returns the byte count for axfr/ixfr.
* allow-update is now settable at the options / view level.
* named-checkconf now checks the logging configuration.
* host now can turn on memory debugging flags with '-m'.
* Don't send notify messages to self.
* Perform sanity checks on NS records which refer to 'in zone' names.
* New zone option "notify-delay". Specify a minimum delay between sets
of NOTIFY messages.
* Extend adjusting TTL warning messages.
* Named and named-checkzone can now both check for non-terminal wildcard
records.
* "rndc freeze/thaw" now freezes/thaws all zones.
* named-checkconf now check acls to verify that they only refer to
existing acls.
* The server syntax has been extended to support a range of servers.
* Report differences between hints and real NS rrset and associated
address records.
* Preserve the case of domain names in rdata during zone transfers.
* Restructured the data locking framework using architecture dependent
atomic operations (when available), improving response performance on
multi-processor machines significantly. x86, x86_64, alpha, powerpc,
and mips are currently supported.
* UNIX domain controls are now supported.
* Add support for additional zone file formats for improving loading
performance. The masterfile-format option in named.conf can be used to
specify a non-default format. A separate command named-compilezone was
provided to generate zone files in the new format. Additionally, the
-I and -O options for dnssec-signzone specify the input and output
formats.
* dnssec-signzone can now randomize signature end times (dnssec-signzone
-j jitter).
* Add support for CH A record.
* Add additional zone data constancy checks. named-checkzone has
extended checking of NS, MX and SRV record and the hosts they
reference. named has extended post zone load checks. New zone options:
check-mx and integrity-check.
* edns-udp-size can now be overridden on a per server basis.
* dig can now specify the EDNS version when making a query.
* Added framework for handling multiple EDNS versions.
* Additional memory debugging support to track size and mctx arguments.
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
* Raise the UDP receive buffer size to 32k if it is less than 32k.
* x86 and x86_64 now have separate atomic locking implementations.
* named-checkconf now validates update-policy entries.
* Attempt to make the amount of work performed in a iteration self
tuning. The covers nodes clean from the cache per iteration, nodes
written to disk when rewriting a master file and nodes destroyed per
iteration when destroying a zone or a cache.
* ISC string copy API.
* Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
1918 zones are not yet covered by this but are likely to be in a
future release.
* New options: empty-server, empty-contact, empty-zones-enable and
disable-empty-zone.
* dig now has a '-q queryname' and '+showsearch' options.
* host/nslookup now continue (default)/fail on SERVFAIL.
* dig now warns if 'RA' is not set in the answer when 'RD' was set in
the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
is set unless a server is explicitly set.
* Integrate contributed DLZ code into named.
* Integrate contributed IDN code from JPNIC.
* libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
* DNSSEC is now DS based (RFC 3658).
* DNSSEC lookaside validation.
* check-names is now implemented.
* rrset-order is more complete.
* IPv4/IPv6 transition support, dual-stack-servers.
* IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
* It is now possible to specify the size of a journal, max-journal-size.
* It is now possible to define a named set of master servers to be used
in masters clause, masters.
* The advertised EDNS UDP size can now be set, edns-udp-size.
* allow-v6-synthesis has been obsoleted.
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
NOTIMPL. This will have impact on scripts that are looking for
NOTIMPL.
* libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
* The size of the cache can now be limited using the "max-cache-size"
option.
* The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the new
option "allow-v6-synthesis". This allows stub resolvers that support
AAAA records but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS features.
* Performance has been improved.
* The man pages now use the more portable "man" macros rather than the
"mandoc" macros, and are installed by "make install".
* The named.conf parser has been completely rewritten. It now supports
"include" directives in more places such as inside "view" statements,
and it no longer has any reserved words.
* The "rndc status" command is now implemented.
* rndc can now be configured automatically.
* A BIND 8 compatible stub resolver library is now included in lib/bind.
* OpenSSL has been removed from the distribution. This means that to use
DNSSEC, OpenSSL must be installed and the --with-openssl option must
be supplied to configure. This does not apply to the use of TSIG,
which does not require OpenSSL.
* The source distribution now builds on Windows. See win32utils/
readme1.txt and win32utils/win32-build.txt for details.
* This distribution also includes a new lightweight stub resolver
library and associated resolver daemon that fully support forward and
reverse lookups of both IPv4 and IPv6 addresses. This library is
considered experimental and is not a complete replacement for the BIND
8 resolver library. Applications that use the BIND 8 res_* functions
to perform DNS lookups or dynamic updates still need to be linked
against the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
* BIND 9.2 is capable of acting as an authoritative server for DNSSEC
secured zones. This functionality is believed to be stable and
complete except for lacking support for verifications involving
wildcard records in secure zones.
* When acting as a caching server, BIND 9.2 can be configured to perform
DNSSEC secure resolution on behalf of its clients. This part of the
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.

4
Kyuafile
View file

@ -1,4 +0,0 @@
syntax(2)
test_suite('bind9')
include('lib/Kyuafile')

11
Makefile.am Normal file
View file

@ -0,0 +1,11 @@
include $(top_srcdir)/Makefile.top
SUBDIRS = . libltdl lib bin # doc
BUILT_SOURCES = bind.keys.h
CLEANFILES = bind.keys.h
bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
dist_sysconf_DATA = bind.keys

114
Makefile.in
View file

@ -1,114 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
top_builddir = @top_builddir@
VERSION=@BIND9_VERSION@
SUBDIRS = make lib fuzz bin doc
TARGETS =
PREREQS = bind.keys.h
MANOBJS = README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT \
${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
newrr:
cd lib/dns; ${MAKE} newrr
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
distclean::
rm -f config.cache config.h config.log config.status TAGS
rm -f libtool configure.lineno
rm -f util/conf.sh docutil/docbook2man-wrapper.sh
# XXX we should clean libtool stuff too. Only do this after we add rules
# to make it.
maintainer-clean::
rm -f configure
rm -f bind.keys.h
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
doc man:: ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: installdirs
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
uninstall::
rm -f ${DESTDIR}${sysconfdir}/bind.keys
test check:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
force-test: test-force
test-force:
status=0; \
(cd fuzz && ${MAKE} check) || status=1; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f ${top_builddir}/unit/unittest.sh && \
$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
exit $$status
README: README.md
${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
HISTORY: HISTORY.md
${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
OPTIONS: OPTIONS.md
${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
CONTRIBUTING: CONTRIBUTING.md
${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
PLATFORMS: PLATFORMS.md
${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
unit::
sh ${top_builddir}/unit/unittest.sh
clean::

10
Makefile.tests Normal file
View file

@ -0,0 +1,10 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
AM_CPPFLAGS += \
$(CMOCKA_CFLAGS) \
-DTESTS=\"$(abs_srcdir)\" \
-DNAMED_PLUGINDIR=\"$(libdir)/named\"
LDADD = \
$(CMOCKA_LIBS)

79
Makefile.top Normal file
View file

@ -0,0 +1,79 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = \
$(STD_CPPFLAGS) \
-include $(top_builddir)/config.h \
-I$(srcdir)/include
if HAVE_GSSAPI
AM_CPPFLAGS += \
$(GSSAPI_CFLAGS)
endif
LIBISC_CFLAGS = \
-I$(top_srcdir)/include \
-I$(top_srcdir)/lib/isc/unix/include \
-I$(top_srcdir)/lib/isc/pthreads/include \
-I$(top_srcdir)/lib/isc/include \
-I$(top_builddir)/lib/isc/include
if HAVE_JSON_C
LIBISC_CFLAGS += \
$(JSON_C_CFLAGS)
endif HAVE_JSON_C
if HAVE_LIBXML2
LIBISC_CFLAGS += \
$(LIBXML2_CFLAGS)
endif HAVE_LIBXML2
LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
LIBIRS_CFLAGS = \
-I$(top_srcdir)/lib/irs/include
LIBIRS_LIBS = \
$(top_builddir)/lib/irs/libirs.la
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
LIBBIND9_CFLAGS = \
-I$(top_srcdir)/lib/bind9/include
LIBBIND9_LIBS = \
$(top_builddir)/lib/bind9/libbind9.la
LIBLTDL_CFLAGS = \
-I$(top_srcdir)/libltdl
LIBLTDL_LIBS = \
$(top_builddir)/libltdl/libltdlc.la

1
NEWS Symbolic link
View file

@ -0,0 +1 @@
CHANGES

28
OPTIONS
View file

@ -1,28 +0,0 @@
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.
Don't track memory allocations by file and line
-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
debugging more difficult.
-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
well-known ports:
-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
named-checkzone
-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
rather than ${localstatedir}/run/named/
Disable the use of inline functions to implement
-DISC_BUFFER_USEINLINE=0 the isc_buffer API: this reduces performance but
may be useful when debugging
-DISC_HEAP_CHECK Test heap consistency after every heap
operation; used when debugging

99
PLATFORMS
View file

@ -1,99 +0,0 @@
PLATFORMS
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with
RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
asynchronous I/O library, and the OpenSSL cryptography library.
The following C11 features are used in BIND 9:
* Atomic operations support from the compiler is needed, either in the
form of builtin operations, C11 atomics, or the Interlocked family of
functions on Windows.
* Thread Local Storage support from the compiler is needed, either in
the form of C11 _Thread_local/thread_local, the __thread GCC
extension, or the __declspec(thread) MSVC extension on Windows.
BIND 9.17 requires a fairly recent version of libuv (at least 1.x). For
some of the older systems listed below, you will have to install an
updated libuv package from sources such as EPEL, PPA, or other native
sources for updated packages. The other option is to build and install
libuv from source.
Certain optional BIND features have additional library dependencies. These
include libxml2 and libjson-c for statistics, libmaxminddb for
geolocation, libfstrm and libprotobuf-c for DNSTAP, and libidn2 for
internationalized domain name conversion.
ISC regularly tests BIND on many operating systems and architectures, but
lacks the resources to test all of them. Consequently, ISC is only able to
offer support on a "best effort" basis for some.
Regularly tested platforms
As of Mar 2020, BIND 9.17 is fully supported and regularly tested on the
following systems:
* Debian 9, 10
* Ubuntu LTS 16.04, 18.04
* Fedora 31
* Red Hat Enterprise Linux / CentOS 7, 8
* FreeBSD 11.3, 12.1
* OpenBSD 6.6
* Alpine Linux
The amd64, i386, armhf and arm64 CPU architectures are all fully
supported.
Best effort
The following are platforms on which BIND is known to build and run. ISC
makes every effort to fix bugs on these platforms, but may be unable to do
so quickly due to lack of hardware, less familiarity on the part of
engineering staff, and other constraints. With the exception of Windows
Server 2012 R2, none of these are tested regularly by ISC.
* Windows Server 2012 R2, 2016 / x64
* Windows 10 / x64
* macOS 10.12+
* Solaris 11
* NetBSD
* Other Linux distributions still supported by their vendors, such as:
+ Ubuntu 19.04+
+ Gentoo
+ Arch Linux
* OpenWRT/LEDE 17.01+
* Other CPU architectures (mips, mipsel, sparc, ...)
Community maintained
These systems may not all have the required dependencies for building BIND
easily available, although it will be possible in many cases to compile
those directly from source. The community and interested parties may wish
to help with maintenance, and we welcome patch contributions, although we
cannot guarantee that we will accept them. All contributions will be
assessed against the risk of adverse effect on officially supported
platforms.
* Platforms past or close to their respective EOL dates, such as:
+ Ubuntu 14.04, 18.10
+ CentOS 6
+ Debian Jessie
+ FreeBSD 10.x
Unsupported platforms
These are platforms on which BIND 9.17 is known not to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86
* Windows Server 2012 and older
* Solaris 10 and older
* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
* Platforms that don't support atomic operations (via compiler or
library)
* Linux without NPTL (Native POSIX Thread Library)
* Platforms on which libuv cannot be compiled

378
README
View file

@ -1,378 +0,0 @@
README
BIND 9
Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.17 features
5. Building BIND
6. macOS
7. Dependencies
8. Compile-time options
9. Automated testing
10. Documentation
11. Change log
12. Acknowledgments
Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.
The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.
BIND 9 began as a complete re-write of the BIND architecture that was used
in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
501(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licensed under the terms of the Mozilla Public License,
version 2.0.
For a summary of features introduced in past major releases of BIND, see
the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS.
Reporting bugs and getting help
To report non-security-sensitive bugs or request new features, you may
open an Issue in the BIND 9 project on the ISC GitLab server at https://
gitlab.isc.org/isc-projects/bind9.
Please note that, unless you explicitly mark the newly created Issue as
"confidential", it will be publicly readable. Please do not include any
information in bug reports that you consider to be confidential unless the
issue has been marked as such. In particular, if submitting the contents
of your configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
named-checkconf -px.
If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in named, please do NOT use GitLab to
report it. Instead, send mail to security-officer@isc.org using our
OpenPGP key to secure your message. (Information about OpenPGP and links
to our key can be found at https://www.isc.org/pgpkey.) Please do not
discuss the bug on any public mailing list.
For a general overview of ISC security policies, read the Knowledge Base
article at https://kb.isc.org/docs/aa-00861.
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
To join the BIND Users mailing list, or view the archives, visit https://
lists.isc.org/mailman/listinfo/bind-users.
If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/
mailman/listinfo/bind-workers.
Contributing to BIND
ISC maintains a public git repository for BIND; details can be found at
http://www.isc.org/git/.
Information for BIND contributors can be found in the following files: -
General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
guide: doc/dev/dev.md
Patches for BIND may be submitted as merge requests in the ISC GitLab
server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
By default, external contributors don't have ability to fork BIND in the
GitLab server, but if you wish to contribute code to BIND, you may request
permission to do so. Thereafter, you can create git branches and directly
submit requests that they be reviewed and merged.
If you prefer, you may also submit code by opening a GitLab Issue and
including your patch as an attachment, preferably generated by git
format-patch.
BIND 9.17 features
BIND 9.17 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.16 and earlier releases. New features include:
* New option "max-ixfr-ratio" to limit the size of outgoing IXFR
responses before falling back to full zone transfers.
* "rndc nta -d" and "rndc secroots" now include "validate-except"
entries when listing negative trust anchors.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. BIND also requires the
libuv asynchronous I/O library, and a cryptography provider library such
as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
requires the libcap library to set process privileges, though this
requirement can be overridden by disabling capability support at compile
time. See Compile-time options below for details on other libraries that
may be required to support optional features.
Successful builds have been observed on many versions of Linux and UNIX,
including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
HP-UX, and OpenWRT.
BIND is also available for Windows Server 2012 R2 and higher. See
win32utils/build.txt for details on building for Windows systems.
To build on a UNIX or Linux system, use:
$ ./configure
$ make
If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation. Significant ones are:
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
CFLAGS supported by the compiler. Please include '-g' if you need
to set CFLAGS.
System header file directories. Can be used to specify
STD_CINCLUDES where add-on thread or IPv6 support is, for example.
Defaults to empty string.
Any additional preprocessor symbols you want defined.
STD_CDEFINES Defaults to empty string. For a list of possible settings,
see the file OPTIONS.
LDFLAGS Linker flags. Defaults to empty string.
BUILD_CC Needed when cross-compiling: the native C compiler to use
when building for the target system.
BUILD_CFLAGS CFLAGS for the target system during cross-compiling.
BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
BUILD_LDFLAGS LDFLAGS for the target system during cross-compiling.
BUILD_LIBS LIBS for the target system during cross-compiling.
Additional environment variables affecting the build are listed at the end
of the configure help text, which can be obtained by running the command:
$ ./configure --help
macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/ or,
if you have Xcode already installed, you can run xcode-select --install.
(Note that an Apple ID may be required to access the download page.)
Dependencies
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
argparse, ply and distutils.core modules to be available. argparse is a
standard module as of Python 2.7 and Python 3.2. ply is available from
https://pypi.python.org/pypi/ply. distutils.core is required for
installation.
Compile-time options
To see a full list of configuration options, run configure --help.
To build shared libraries, specify --with-libtool on the configure command
line.
For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using --with-openssl=<PREFIX> on the configure command
line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
--with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
To support the HTTP statistics channel, the server must be linked with at
least one of the following libraries: libxml2 http://xmlsoft.org or json-c
https://github.com/json-c/json-c. If these are installed at a nonstandard
location, then:
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using --with-zlib=/prefix.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using with-lmdb=/prefix.
To support MaxMind GeoIP2 location-based ACLs, the server must be linked
with libmaxminddb. This is turned on by default if the library is found;
if the library is installed in a nonstandard location, specify the prefix
using --with-maxminddb=/prefix. GeoIP2 support can be switched off with
--disable-geoip.
For DNSTAP packet logging, you must have installed libfstrm https://
github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with
--enable-dnstap.
Certain compiled-in constants and default settings can be decreased to
values better suited to small machines, e.g. OpenWRT boxes, by specifying
--with-tuning=small on the configure command line. This will decrease
memory usage by using smaller structures, but will degrade performance.
On Linux, process capabilities are managed in user space using the libcap
library, which can be installed on most Linux systems via the libcap-dev
or libcap-devel package. Process capability support can also be disabled
by configuring with --disable-linux-caps.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
--enable-largefile on the configure command line.
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
command line. By default, fixed rrset-order is disabled to reduce memory
footprint.
The --enable-querytrace option causes named to log every step of
processing every query. This should only be enabled when debugging,
because it has a significant negative impact on query performance.
make install will install named and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
--prefix option when running configure.
You may specify the option --sysconfdir to set the directory where
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. --sysconfdir defaults
to $prefix/etc and --localstatedir defaults to $prefix/var.
Automated testing
A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the dnspython module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework. To
build them, use configure --with-cmocka. Execution of tests is done by the
Kyua test execution engine; if the kyua command is available, then unit
tests can be run via make test or make unit.
Documentation
The BIND 9 Administrator Reference Manual is included with the source
distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
directory.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of named are
documented in bin/named/named.8.
Frequently (and not-so-frequently) asked questions and their answers can
be found in the ISC Knowledge Base at https://kb.isc.org.
Additional information on various subjects can be found in other README
files throughout the source tree.
Change log
A detailed list of all changes that have been made throughout the
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax or other aspects of
the design are still in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root server addresses and
keys
[tuning] Changes to built-in configuration defaults and constants to
improve performance
[performance] Other changes to improve server performance
[protocol] Updates to the DNS protocol such as new RR types
[test] Changes to the automatic tests, not affecting server
functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
[contrib] Changes to the contributed tools and libraries in the
'contrib' subdirectory
Used in the master development branch to reserve change
[placeholder] numbers for use in other branches, e.g. when fixing a bug
that only exists in older releases
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security sensitive.
To look up a GitLab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
In rare cases, an issue or merge request number may be followed with the
letter "P". This indicates that the information is in the private ISC
GitLab instance, which is not visible to the public.
Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)

27
README.md
View file

@ -171,14 +171,7 @@ affect compilation. Significant ones are:
|--------------------|-----------------------------------------------|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
Additional environment variables affecting the build are listed at the
end of the `configure` help text, which can be obtained by running the
@ -195,16 +188,6 @@ or, if you have Xcode already installed, you can run `xcode-select
--install`. (Note that an Apple ID may be required to access the download
page.)
### <a name="dependencies"/> Dependencies
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the `argparse`, `ply` and `distutils.core` modules
to be available.
`argparse` is a standard module as of Python 2.7 and Python 3.2.
`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
`distutils.core` is required for installation.
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
@ -283,7 +266,7 @@ defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
### <a name="testing"/> Automated testing
A system test suite can be run with `make test`. The system tests require
A system test suite can be run with `make check`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command
@ -294,11 +277,9 @@ and will be skipped if these are not available. Some tests require Python
and the `dnspython` module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
To build them, use `configure --with-cmocka`. Execution of tests is done
by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
`kyua` command is available, then unit tests can be run via `make test`
or `make unit`.
Unit tests are implemented using the CMocka unit testing framework. To build
them, use `configure --with-cmocka`. Execution of tests is done by the automake
parallel test driver; unit tests are also run by `make check`.
### <a name="doc"/> Documentation

388
aclocal.m4 vendored
View file

@ -1,388 +0,0 @@
# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
# serial 12 (pkg-config-0.29.2)
dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
dnl
dnl This program is free software; you can redistribute it and/or modify
dnl it under the terms of the GNU General Public License as published by
dnl the Free Software Foundation; either version 2 of the License, or
dnl (at your option) any later version.
dnl
dnl This program is distributed in the hope that it will be useful, but
dnl WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
dnl General Public License for more details.
dnl
dnl You should have received a copy of the GNU General Public License
dnl along with this program; if not, write to the Free Software
dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
dnl 02111-1307, USA.
dnl
dnl As a special exception to the GNU General Public License, if you
dnl distribute this file as part of a program that contains a
dnl configuration script generated by Autoconf, you may include it under
dnl the same distribution terms that you use for the rest of that
dnl program.
dnl PKG_PREREQ(MIN-VERSION)
dnl -----------------------
dnl Since: 0.29
dnl
dnl Verify that the version of the pkg-config macros are at least
dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
dnl installed version of pkg-config, this checks the developer's version
dnl of pkg.m4 when generating configure.
dnl
dnl To ensure that this macro is defined, also add:
dnl m4_ifndef([PKG_PREREQ],
dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
dnl
dnl See the "Since" comment for each macro you use to see what version
dnl of the macros you require.
m4_defun([PKG_PREREQ],
[m4_define([PKG_MACROS_VERSION], [0.29.2])
m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
[m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
])dnl PKG_PREREQ
dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
dnl ----------------------------------
dnl Since: 0.16
dnl
dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
dnl first found in the path. Checks that the version of pkg-config found
dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
dnl used since that's the first version where most current features of
dnl pkg-config existed.
AC_DEFUN([PKG_PROG_PKG_CONFIG],
[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
fi
if test -n "$PKG_CONFIG"; then
_pkg_min_version=m4_default([$1], [0.9.0])
AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
PKG_CONFIG=""
fi
fi[]dnl
])dnl PKG_PROG_PKG_CONFIG
dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
dnl -------------------------------------------------------------------
dnl Since: 0.18
dnl
dnl Check to see whether a particular set of modules exists. Similar to
dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
dnl
dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
dnl only at the first occurence in configure.ac, so if the first place
dnl it's called might be skipped (such as if it is within an "if", you
dnl have to call PKG_CHECK_EXISTS manually
AC_DEFUN([PKG_CHECK_EXISTS],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
if test -n "$PKG_CONFIG" && \
AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
m4_default([$2], [:])
m4_ifvaln([$3], [else
$3])dnl
fi])
dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
dnl ---------------------------------------------
dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
dnl pkg_failed based on the result.
m4_define([_PKG_CONFIG],
[if test -n "$$1"; then
pkg_cv_[]$1="$$1"
elif test -n "$PKG_CONFIG"; then
PKG_CHECK_EXISTS([$3],
[pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes ],
[pkg_failed=yes])
else
pkg_failed=untried
fi[]dnl
])dnl _PKG_CONFIG
dnl _PKG_SHORT_ERRORS_SUPPORTED
dnl ---------------------------
dnl Internal check to see if pkg-config supports short errors.
AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
_pkg_short_errors_supported=yes
else
_pkg_short_errors_supported=no
fi[]dnl
])dnl _PKG_SHORT_ERRORS_SUPPORTED
dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
dnl [ACTION-IF-NOT-FOUND])
dnl --------------------------------------------------------------
dnl Since: 0.4.0
dnl
dnl Note that if there is a possibility the first call to
dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
AC_DEFUN([PKG_CHECK_MODULES],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
pkg_failed=no
AC_MSG_CHECKING([for $2])
_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
_PKG_CONFIG([$1][_LIBS], [libs], [$2])
m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
and $1[]_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.])
if test $pkg_failed = yes; then
AC_MSG_RESULT([no])
_PKG_SHORT_ERRORS_SUPPORTED
if test $_pkg_short_errors_supported = yes; then
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
else
$1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
m4_default([$4], [AC_MSG_ERROR(
[Package requirements ($2) were not met:
$$1_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
_PKG_TEXT])[]dnl
])
elif test $pkg_failed = untried; then
AC_MSG_RESULT([no])
m4_default([$4], [AC_MSG_FAILURE(
[The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
_PKG_TEXT
To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
])
else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
AC_MSG_RESULT([yes])
$3
fi[]dnl
])dnl PKG_CHECK_MODULES
dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
dnl [ACTION-IF-NOT-FOUND])
dnl ---------------------------------------------------------------------
dnl Since: 0.29
dnl
dnl Checks for existence of MODULES and gathers its build flags with
dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
dnl and VARIABLE-PREFIX_LIBS from --libs.
dnl
dnl Note that if there is a possibility the first call to
dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
dnl configure.ac.
AC_DEFUN([PKG_CHECK_MODULES_STATIC],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
_save_PKG_CONFIG=$PKG_CONFIG
PKG_CONFIG="$PKG_CONFIG --static"
PKG_CHECK_MODULES($@)
PKG_CONFIG=$_save_PKG_CONFIG[]dnl
])dnl PKG_CHECK_MODULES_STATIC
dnl PKG_INSTALLDIR([DIRECTORY])
dnl -------------------------
dnl Since: 0.27
dnl
dnl Substitutes the variable pkgconfigdir as the location where a module
dnl should install pkg-config .pc files. By default the directory is
dnl $libdir/pkgconfig, but the default can be changed by passing
dnl DIRECTORY. The user can override through the --with-pkgconfigdir
dnl parameter.
AC_DEFUN([PKG_INSTALLDIR],
[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
m4_pushdef([pkg_description],
[pkg-config installation directory @<:@]pkg_default[@:>@])
AC_ARG_WITH([pkgconfigdir],
[AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
[with_pkgconfigdir=]pkg_default)
AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
m4_popdef([pkg_default])
m4_popdef([pkg_description])
])dnl PKG_INSTALLDIR
dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
dnl --------------------------------
dnl Since: 0.27
dnl
dnl Substitutes the variable noarch_pkgconfigdir as the location where a
dnl module should install arch-independent pkg-config .pc files. By
dnl default the directory is $datadir/pkgconfig, but the default can be
dnl changed by passing DIRECTORY. The user can override through the
dnl --with-noarch-pkgconfigdir parameter.
AC_DEFUN([PKG_NOARCH_INSTALLDIR],
[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
m4_pushdef([pkg_description],
[pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
AC_ARG_WITH([noarch-pkgconfigdir],
[AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
[with_noarch_pkgconfigdir=]pkg_default)
AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
m4_popdef([pkg_default])
m4_popdef([pkg_description])
])dnl PKG_NOARCH_INSTALLDIR
dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
dnl -------------------------------------------
dnl Since: 0.28
dnl
dnl Retrieves the value of the pkg-config variable for the given module.
AC_DEFUN([PKG_CHECK_VAR],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
_PKG_CONFIG([$1], [variable="][$3]["], [$2])
AS_VAR_COPY([$1], [pkg_cv_][$1])
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])dnl PKG_CHECK_VAR
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_CONDITIONAL(NAME, SHELL-CONDITION)
# -------------------------------------
# Define a conditional.
AC_DEFUN([AM_CONDITIONAL],
[AC_PREREQ([2.52])dnl
m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
AC_SUBST([$1_TRUE])dnl
AC_SUBST([$1_FALSE])dnl
_AM_SUBST_NOTMAKE([$1_TRUE])dnl
_AM_SUBST_NOTMAKE([$1_FALSE])dnl
m4_define([_AM_COND_VALUE_$1], [$2])dnl
if $2; then
$1_TRUE=
$1_FALSE='#'
else
$1_TRUE='#'
$1_FALSE=
fi
AC_CONFIG_COMMANDS_PRE(
[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
AC_MSG_ERROR([[conditional "$1" was never defined.
Usually this means the macro was only invoked conditionally.]])
fi])])
# Add --enable-maintainer-mode option to configure. -*- Autoconf -*-
# From Jim Meyering
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_MAINTAINER_MODE([DEFAULT-MODE])
# ----------------------------------
# Control maintainer-specific portions of Makefiles.
# Default is to disable them, unless 'enable' is passed literally.
# For symmetry, 'disable' may be passed as well. Anyway, the user
# can override the default with the --enable/--disable switch.
AC_DEFUN([AM_MAINTAINER_MODE],
[m4_case(m4_default([$1], [disable]),
[enable], [m4_define([am_maintainer_other], [disable])],
[disable], [m4_define([am_maintainer_other], [enable])],
[m4_define([am_maintainer_other], [enable])
m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
dnl maintainer-mode's default is 'disable' unless 'enable' is passed
AC_ARG_ENABLE([maintainer-mode],
[AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
am_maintainer_other[ make rules and dependencies not useful
(and sometimes confusing) to the casual installer])],
[USE_MAINTAINER_MODE=$enableval],
[USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
AC_MSG_RESULT([$USE_MAINTAINER_MODE])
AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
MAINT=$MAINTAINER_MODE_TRUE
AC_SUBST([MAINT])dnl
]
)
# Copyright (C) 2006-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
AC_DEFUN([_AM_SUBST_NOTMAKE])
# AM_SUBST_NOTMAKE(VARIABLE)
# --------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_openssl.m4])
m4_include([m4/ax_lib_lmdb.m4])
m4_include([m4/ax_posix_shell.m4])
m4_include([m4/ax_pthread.m4])
m4_include([m4/ax_restore_flags.m4])
m4_include([m4/ax_save_flags.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])

5
bin/Makefile.am Normal file
View file

@ -0,0 +1,5 @@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
if HAVE_PKCS11
SUBDIRS += pkcs11
endif

18
bin/Makefile.in
View file

@ -1,18 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
@BIND9_MAKE_RULES@

34
bin/check/Makefile.am Normal file
View file

@ -0,0 +1,34 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBBIND9_CFLAGS)
AM_CPPFLAGS += \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
noinst_LTLIBRARIES = libcheck-tool.la
libcheck_tool_la_SOURCES = \
check-tool.h \
check-tool.c
LDADD = \
libcheck-tool.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBBIND9_LIBS)
sbin_PROGRAMS = named-checkconf named-checkzone
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/named-checkzone \
$(DESTDIR)$(sbindir)/named-compilezone
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/named-compilezone

101
bin/check/Makefile.in
View file

@ -1,101 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
NSDEPENDLIBS = ../../lib/ns/libns.@A@
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS =
# Alphabetically
TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
# Alphabetically
SRCS = named-checkconf.c named-checkzone.c check-tool.c
MANPAGES = named-checkconf.8 named-checkzone.8
HTMLPAGES = named-checkconf.html named-checkzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
named-checkconf.@O@: named-checkconf.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkconf.c
named-checkzone.@O@: named-checkzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${NSDEPENDLIBS} ${DNSDEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
clean distclean::
rm -f ${TARGETS} r1.htm

7
bin/check/named-checkconf.c
View file

@ -16,6 +16,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/hash.h>
@ -56,8 +57,8 @@ isc_log_t *logc = NULL;
} while (0)
/*% usage */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -655,7 +656,7 @@ main(int argc, char **argv) {
break;
case 'v':
printf(VERSION "\n");
printf("%s\n", PACKAGE_VERSION);
exit(0);
case 'x':

7
bin/check/named-checkzone.c
View file

@ -16,6 +16,7 @@
#include <stdlib.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
@ -63,8 +64,8 @@ static enum { progmode_check, progmode_compile } progmode;
} \
} while (0)
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -354,7 +355,7 @@ main(int argc, char **argv) {
break;
case 'v':
printf(VERSION "\n");
printf("%s\n", PACKAGE_VERSION);
exit(0);
case 'w':

30
bin/confgen/Makefile.am Normal file
View file

@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
LDADD = \
libconfgen.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS)
noinst_LTLIBRARIES = libconfgen.la
libconfgen_la_SOURCES = \
include/confgen/os.h \
keygen.h \
keygen.c \
util.h \
util.c \
unix/os.c
sbin_PROGRAMS = rndc-confgen ddns-confgen
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/ddns-confgen \
$(DESTDIR)$(sbindir)/tsig-confgen
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/tsig-confgen

110
bin/confgen/Makefile.in
View file

@ -1,110 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
MANPAGES = rndc-confgen.8 ddns-confgen.8
HTMLPAGES = rndc-confgen.html ddns-confgen.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
# make a link in the build directory to assist with testing
tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
rm -f tsig-keygen@EXEEXT@
${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
rm -f ${DESTDIR}${mandir}/man8/ddns-confgen.8
rm -f ${DESTDIR}${mandir}/man8/rndc-confgen.8
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
clean distclean maintainer-clean::
rm -f ${TARGETS}

5
bin/confgen/ddns-confgen.c
View file

@ -22,6 +22,7 @@
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@ -57,8 +58,8 @@ const char *progname;
static enum { progmode_keygen, progmode_confgen } progmode;
bool verbose = false; /* needed by util.c but not used here */
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(int status);
static void
usage(int status) {

5
bin/confgen/rndc-confgen.c
View file

@ -25,6 +25,7 @@
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@ -60,8 +61,8 @@ bool verbose = false;
const char *keyfile, *keydef;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(int status);
static void
usage(int status) {

28
bin/confgen/unix/Makefile.in
View file

@ -1,28 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
OBJS = os.@O@
SRCS = os.c
TARGETS = ${OBJS}
@BIND9_MAKE_RULES@

6
bin/confgen/util.h
View file

@ -14,6 +14,7 @@
/*! \file */
#include <isc/attributes.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/platform.h>
@ -35,9 +36,8 @@ ISC_LANG_BEGINDECLS
void
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_LANG_ENDDECLS

21
bin/delv/Makefile.am Normal file
View file

@ -0,0 +1,21 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
-I$(top_builddir)/include \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIRS_CFLAGS)
AM_CPPFLAGS += \
-DSYSCONFDIR=\"${sysconfdir}\"
bin_PROGRAMS = delv
delv_SOURCES = \
delv.c
delv_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIRS_LIBS)

80
bin/delv/Makefile.in
View file

@ -1,80 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
TARGETS = delv@EXEEXT@
OBJS = delv.@O@
SRCS = delv.c
MANPAGES = delv.1
HTMLPAGES = delv.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
delv@EXEEXT@: delv.@O@ ${DEPLIBS}
export BASEOBJS="delv.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: delv@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delv@EXEEXT@ ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS}

8
bin/delv/delv.c
View file

@ -28,6 +28,7 @@
#include <unistd.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/hex.h>
@ -205,9 +206,8 @@ usage(void) {
exit(1);
}
ISC_PLATFORM_NORETURN_PRE static void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
fatal(const char *format, ...) {
@ -1327,7 +1327,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
/* handled in preparse_args() */
break;
case 'v':
fputs("delv " VERSION "\n", stderr);
fprintf(stderr, "delv %s\n", PACKAGE_VERSION);
exit(0);
/* NOTREACHED */
default:

30
bin/dig/Makefile.am Normal file
View file

@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIRS_CFLAGS) \
$(LIBBIND9_CFLAGS) \
$(LIBIDN2_CFLAGS)
LDADD = \
libdighost.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIRS_LIBS) \
$(LIBBIND9_LIBS) \
$(LIBIDN2_LIBS)
noinst_LTLIBRARIES = libdighost.la
libdighost_la_SOURCES = \
dighost.h \
dighost.c
bin_PROGRAMS = dig host nslookup
nslookup_LDADD = \
$(LDADD) \
$(READLINE_LIB)

110
bin/dig/Makefile.in
View file

@ -1,110 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
${ISCDEPLIBS} ${ISCCFGDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @LIBIDN2_LIBS@ @LIBS@
SUBDIRS =
TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
UOBJS =
SRCS = dig.c dighost.c host.c nslookup.c
MANPAGES = dig.1 host.1 nslookup.1
HTMLPAGES = dig.html host.html nslookup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
LDFLAGS = @LDFLAGS@ @LIBIDN2_LDFLAGS@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
for m in ${MANPAGES}; do \
${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
done
uninstall::
for m in ${MANPAGES}; do \
rm -f ${DESTDIR}${mandir}/man1/$$m || exit 1; \
done
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

18
bin/dig/dig.c
View file

@ -18,6 +18,7 @@
#include <time.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
@ -41,7 +42,7 @@
#include <dns/result.h>
#include <dns/tsig.h>
#include <dig/dig.h>
#include "dighost.h"
#define ADD_STRING(b, s) \
{ \
@ -109,8 +110,8 @@ usage(void) {
fprintf(stderr, "Press <Help> for complete list of options\n");
}
#else /* if TARGET_OS_IPHONE */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -125,7 +126,7 @@ usage(void) {
/*% version */
static void
version(void) {
fputs("DiG " VERSION "\n", stderr);
fprintf(stderr, "DiG %s\n", PACKAGE_VERSION);
}
/*% help */
@ -912,7 +913,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
if (printcmd) {
snprintf(lookup->cmdline, sizeof(lookup->cmdline),
"%s; <<>> DiG " VERSION " <<>>", first ? "\n" : "");
"%s; <<>> DiG %s <<>>", first ? "\n" : "",
PACKAGE_VERSION);
i = 1;
while (i < argc) {
snprintf(append, sizeof(append), " %s", argv[i++]);
@ -2658,7 +2660,7 @@ dig_query_setup(bool is_batchfile, bool config_only, int argc, char **argv) {
}
void
dig_startup() {
dig_startup(void) {
isc_result_t result;
debug("dig_startup()");
@ -2669,12 +2671,12 @@ dig_startup() {
}
void
dig_query_start() {
dig_query_start(void) {
start_lookup();
}
void
dig_shutdown() {
dig_shutdown(void) {
destroy_lookup(default_lookup);
if (atomic_load(&batchname) != 0) {
if (batchfp != stdin) {

2
bin/dig/dighost.c
View file

@ -84,7 +84,7 @@
#include <bind9/getaddresses.h>
#include <dig/dig.h>
#include "dighost.h"
#if USE_PKCS11
#include <pk11/result.h>

170
bin/dig/include/dig/dig.h → bin/dig/dighost.h
View file

@ -17,6 +17,7 @@
#include <inttypes.h>
#include <stdbool.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/bufferlist.h>
#include <isc/formatcheck.h>
@ -77,7 +78,7 @@
ISC_LANG_BEGINDECLS
typedef struct dig_lookup dig_lookup_t;
typedef struct dig_query dig_query_t;
typedef struct dig_query dig_query_t;
typedef struct dig_server dig_server_t;
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
@ -112,76 +113,76 @@ struct dig_lookup {
* sources. */
char textname[MXNAME]; /*% Name we're going to be
* looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
dns_rdataclass_t rdclass;
bool rdtypeset;
bool rdclassset;
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char * sendspace;
dns_name_t * name;
isc_interval_t interval;
dns_message_t * sendmsg;
dns_name_t * oname;
bool rdtypeset;
bool rdclassset;
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char *sendspace;
dns_name_t *name;
isc_interval_t interval;
dns_message_t *sendmsg;
dns_name_t *oname;
ISC_LINK(dig_lookup_t) link;
ISC_LIST(dig_query_t) q;
ISC_LIST(dig_query_t) connecting;
dig_query_t * current_query;
dig_serverlist_t my_server_list;
dig_query_t *current_query;
dig_serverlist_t my_server_list;
dig_searchlist_t *origin;
dig_query_t * xfr_q;
uint32_t retries;
int nsfound;
uint16_t udpsize;
int16_t edns;
int16_t padding;
uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t * tsigctx;
isc_buffer_t * querysig;
uint32_t msgcounter;
dns_fixedname_t fdomain;
isc_sockaddr_t * ecs_addr;
char * cookie;
dns_ednsopt_t * ednsopts;
unsigned int ednsoptscnt;
isc_dscp_t dscp;
unsigned int ednsflags;
dns_opcode_t opcode;
int rrcomments;
unsigned int eoferr;
dig_query_t *xfr_q;
uint32_t retries;
int nsfound;
uint16_t udpsize;
int16_t edns;
int16_t padding;
uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t *tsigctx;
isc_buffer_t *querysig;
uint32_t msgcounter;
dns_fixedname_t fdomain;
isc_sockaddr_t *ecs_addr;
char *cookie;
dns_ednsopt_t *ednsopts;
unsigned int ednsoptscnt;
isc_dscp_t dscp;
unsigned int ednsflags;
dns_opcode_t opcode;
int rrcomments;
unsigned int eoferr;
};
/*% The dig_query structure */
struct dig_query {
unsigned int magic;
unsigned int magic;
dig_lookup_t *lookup;
bool waiting_connect, pending_free, waiting_senddone, first_pass,
first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
warn_id, timedout;
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
uint32_t rr_count;
bool ixfr_axfr;
char * servname;
char * userarg;
isc_buffer_t recvbuf, lengthbuf, tmpsendbuf, sendbuf;
char * recvspace, *tmpsendspace, lengthspace[4];
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
uint32_t rr_count;
bool ixfr_axfr;
char *servname;
char *userarg;
isc_buffer_t recvbuf, lengthbuf, tmpsendbuf, sendbuf;
char *recvspace, *tmpsendspace, lengthspace[4];
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t * timer;
isc_time_t time_sent;
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t *timer;
};
struct dig_server {
@ -202,38 +203,38 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
* Externals from dighost.c
*/
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern unsigned int extrabytes;
extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
showsearch, yaml;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t * mctx;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern const dns_name_t *hmacname;
extern unsigned int digestbits;
extern dns_tsigkey_t * tsigkey;
extern bool validated;
extern isc_taskmgr_t * taskmgr;
extern isc_task_t * global_task;
extern bool free_now;
extern bool debugging, debugtiming, memdebugging;
extern bool keep_open;
extern unsigned int digestbits;
extern dns_tsigkey_t *tsigkey;
extern bool validated;
extern isc_taskmgr_t *taskmgr;
extern isc_task_t *global_task;
extern bool free_now;
extern bool debugging, debugtiming, memdebugging;
extern bool keep_open;
extern char *progname;
extern int tries;
extern int fatalexit;
extern bool verbose;
extern int tries;
extern int fatalexit;
extern bool verbose;
/*
* Routines in dighost.c.
@ -247,15 +248,14 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
isc_result_t
get_reverse(char *reverse, size_t len, char *value, bool strict);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
digexit(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
digexit(void);
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@ -333,7 +333,7 @@ set_search_domain(char *domain);
* Routines to be defined in dig.c, host.c, and nslookup.c. and
* then assigned to the appropriate function pointer
*/
extern isc_result_t (*dighost_printmessage)(dig_query_t * query,
extern isc_result_t (*dighost_printmessage)(dig_query_t *query,
const isc_buffer_t *msgbuf,
dns_message_t *msg, bool headers);

9
bin/dig/host.c
View file

@ -21,6 +21,7 @@
#endif /* ifdef HAVE_LOCALE_H */
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/netaddr.h>
#include <isc/print.h>
@ -38,7 +39,7 @@
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dig/dig.h>
#include "dighost.h"
static bool short_form = true, listed_server = false;
static bool default_lookups = true;
@ -101,8 +102,8 @@ rcode_totext(dns_rcode_t rcode) {
return (totext.deconsttext);
}
ISC_PLATFORM_NORETURN_PRE static void
show_usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
show_usage(void);
static void
show_usage(void) {
@ -581,7 +582,7 @@ static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
/*% version */
static void
version(void) {
fputs("host " VERSION "\n", stderr);
fprintf(stderr, "host %s\n", PACKAGE_VERSION);
}
static void

9
bin/dig/nslookup.c
View file

@ -15,6 +15,7 @@
#include <unistd.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/event.h>
@ -35,7 +36,7 @@
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dig/dig.h>
#include "dighost.h"
#if defined(HAVE_READLINE)
#if defined(HAVE_EDIT_READLINE_READLINE_H)
@ -629,7 +630,7 @@ set_ndots(const char *value) {
static void
version(void) {
fputs("nslookup " VERSION "\n", stderr);
fprintf(stderr, "nslookup %s\n", PACKAGE_VERSION);
}
static void
@ -879,8 +880,8 @@ get_next_command(void) {
isc_mem_free(mctx, buf);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {

38
bin/dnssec/Makefile.am Normal file
View file

@ -0,0 +1,38 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS)
AM_CPPFLAGS += \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
noinst_LTLIBRARIES = libdnssectool.la
LDADD = \
libdnssectool.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS)
sbin_PROGRAMS = \
dnssec-cds \
dnssec-dsfromkey \
dnssec-importkey \
dnssec-keyfromlabel \
dnssec-keygen \
dnssec-revoke \
dnssec-settime \
dnssec-signzone \
dnssec-verify
libdnssectool_la_SOURCES = \
dnssectool.h \
dnssectool.c
dnssec_keygen_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(LIBISCCFG_CFLAGS)
dnssec_keygen_LDADD = \
$(LDADD) \
$(LIBISCCFG_LIBS)

126
bin/dnssec/Makefile.in
View file

@ -1,126 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
HTMLPAGES = dnssec-cds.html dnssec-dsfromkey.html \
dnssec-importkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html \
dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
rm -f ${TARGETS}

7
bin/dnssec/dnssec-cds.c
View file

@ -21,6 +21,7 @@
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
@ -1020,8 +1021,8 @@ nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
}
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -1029,7 +1030,7 @@ usage(void) {
fprintf(stderr,
" %s options [options] -f <file> -d <path> <domain>\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options:\n"
" -a <algorithm> digest algorithm (SHA-1 / "
"SHA-256 / SHA-384)\n"

5
bin/dnssec/dnssec-dsfromkey.c
View file

@ -15,6 +15,7 @@
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/hash.h>
@ -320,8 +321,8 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) {
}
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {

7
bin/dnssec/dnssec-importkey.c
View file

@ -14,6 +14,7 @@
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/hash.h>
@ -264,15 +265,15 @@ emit(const char *dir, dns_rdata_t *rdata) {
dst_key_free(&key);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
fprintf(stderr, " %s options -f file [keyname]\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -f file: read key from zone file\n");
fprintf(stderr, " -K <directory>: directory in which to store "

7
bin/dnssec/dnssec-keyfromlabel.c
View file

@ -16,6 +16,7 @@
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/mem.h>
@ -47,14 +48,14 @@
const char *program = "dnssec-keyfromlabel";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s -l label [options] name\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");

7
bin/dnssec/dnssec-keygen.c
View file

@ -31,6 +31,7 @@
#include <stdlib.h>
#include <unistd.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/mem.h>
@ -70,8 +71,8 @@ const char *program = "dnssec-keygen";
isc_log_t *lctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
progress(int p);
@ -136,7 +137,7 @@ static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] name\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");

7
bin/dnssec/dnssec-keygen.docbook
View file

@ -108,13 +108,6 @@
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</para>
<para>
The <command>dnssec-keymgr</command> command acts as a wrapper
around <command>dnssec-keygen</command>, generating and updating keys
as needed to enforce defined security policies such as key rollover
scheduling. Using <command>dnssec-keymgr</command> may be preferable
to direct use of <command>dnssec-keygen</command>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>

7
bin/dnssec/dnssec-revoke.c
View file

@ -16,6 +16,7 @@
#include <stdlib.h>
#include <unistd.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
@ -40,14 +41,14 @@ const char *program = "dnssec-revoke";
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
#if USE_PKCS11
fprintf(stderr,
" -E engine: specify PKCS#11 provider "

7
bin/dnssec/dnssec-settime.c
View file

@ -18,6 +18,7 @@
#include <time.h>
#include <unistd.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
@ -44,14 +45,14 @@ const char *program = "dnssec-settime";
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
#if USE_PKCS11
fprintf(stderr,

9
bin/dnssec/dnssec-signzone.c
View file

@ -33,6 +33,7 @@
#include <isc/app.h>
#include <isc/atomic.h>
#include <isc/attributes.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/event.h>
@ -3125,11 +3126,11 @@ print_version(FILE *fp) {
return;
}
fprintf(fp, "; dnssec_signzone version " VERSION "\n");
fprintf(fp, "; dnssec_signzone version %s\n", PACKAGE_VERSION);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -3138,7 +3139,7 @@ usage(void) {
fprintf(stderr, "\n");
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options: (default value in parenthesis) \n");
fprintf(stderr, "\t-S:\tsmart signing: automatically finds key files\n"

7
bin/dnssec/dnssec-verify.c
View file

@ -16,6 +16,7 @@
#include <time.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/event.h>
@ -137,8 +138,8 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
}
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@ -147,7 +148,7 @@ usage(void) {
fprintf(stderr, "\n");
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options: (default value in parenthesis) \n");
fprintf(stderr, "\t-v debuglevel (0)\n");

2
bin/dnssec/dnssectool.c
View file

@ -112,7 +112,7 @@ vbprintf(int level, const char *fmt, ...) {
void
version(const char *name) {
fprintf(stderr, "%s %s\n", name, VERSION);
fprintf(stderr, "%s %s\n", name, PACKAGE_VERSION);
exit(0);
}

10
bin/dnssec/dnssectool.h
View file

@ -15,6 +15,7 @@
#include <inttypes.h>
#include <stdbool.h>
#include <isc/attributes.h>
#include <isc/log.h>
#include <isc/platform.h>
#include <isc/stdtime.h>
@ -42,9 +43,8 @@ extern uint8_t dtype[8];
typedef void(fatalcallback_t)(void);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
setfatalcallback(fatalcallback_t *callback);
@ -55,8 +55,8 @@ check_result(isc_result_t result, const char *message);
void
vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
ISC_PLATFORM_NORETURN_PRE void
version(const char *program) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
version(const char *program);
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);

2
bin/named/.gitignore vendored
View file

@ -1,3 +1,3 @@
.libs
/named
named-symtbl.c
/xsl.c

109
bin/named/Makefile.am Normal file
View file

@ -0,0 +1,109 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
-I$(srcdir)/unix/include \
-I$(top_builddir)/include \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCC_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBBIND9_CFLAGS) \
$(LIBLTDL_CFLAGS) \
$(OPENSSL_CFLAGS) \
$(LIBCAP_CFLAGS) \
$(LMDB_CFLAGS) \
$(MAXMINDDB_CFLAGS) \
$(DNSTAP_CFLAGS) \
$(ZLIB_CFLAGS)
if HAVE_JSON_C
AM_CPPFLAGS += \
$(JSON_C_CFLAGS)
endif HAVE_JSON_C
if HAVE_LIBXML2
AM_CPPFLAGS += \
$(LIBXML2_CFLAGS)
endif HAVE_LIBXML2
AM_CPPFLAGS += \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
sbin_PROGRAMS = named
nodist_named_SOURCES = xsl.c
BUILT_SOURCES = xsl.c
CLEANFILES = xsl.c
xsl.c: bind9.xsl Makefile
(echo 'const char xslmsg[] =' && \
$(SED) -e 's,\",\\\",g' \
-e 's,^,\",' \
-e 's,$$,\",' && \
echo ";") \
< "${srcdir}/bind9.xsl" > $@
named_SOURCES = \
builtin.c \
config.c \
control.c \
controlconf.c \
fuzz.c \
log.c \
logconf.c \
main.c \
server.c \
statschannel.c \
tkeyconf.c \
tsigconf.c \
zoneconf.c \
unix/dlz_dlopen_driver.c \
unix/os.c \
include/named/builtin.h \
include/named/config.h \
include/named/control.h \
include/named/fuzz.h \
include/named/geoip.h \
include/named/globals.h \
include/named/log.h \
include/named/logconf.h \
include/named/main.h \
include/named/server.h \
include/named/smf_globals.h \
include/named/statschannel.h \
include/named/tkeyconf.h \
include/named/tsigconf.h \
include/named/types.h \
include/named/zoneconf.h \
unix/include/named/os.h \
xsl_p.h
if HAVE_GEOIP2
AM_CPPFLAGS += \
-DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\"
named_SOURCES += \
geoip.c
endif
named_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCC_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBBIND9_LIBS) \
$(LIBLTDL_LIBS) \
$(OPENSSL_LIBS) \
$(LIBCAP_LIBS) \
$(LMDB_LIBS) \
$(MAXMINDDB_LIBS) \
$(DNSTAP_LIBS) \
$(LIBXML2_LIBS) \
$(ZLIB_LIBS)
if HAVE_JSON_C
named_LDADD += \
$(JSON_C_LIBS)
endif HAVE_JSON_C

179
bin/named/Makefile.in
View file

@ -1,179 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
VERSION=@BIND9_VERSION@
@BIND9_PRODUCT@
@BIND9_DESCRIPTION@
@BIND9_SRCID@
@BIND9_CONFIGARGS@
@BIND9_MAKE_INCLUDES@
#
# Add database drivers here.
#
DBDRIVER_OBJS =
DBDRIVER_SRCS =
DBDRIVER_INCLUDES =
DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${NS_INCLUDES} ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} \
${OPENSSL_CFLAGS} \
${JSON_C_CFLAGS} \
${LIBXML2_CFLAGS} \
${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS} \
${ZLIB_CFLAGS}
CDEFINES = @CONTRIB_DLZ@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
NSDEPLIBS = ../../lib/ns/libns.@A@
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
LIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBCAP_LIBS@ \
${LMDB_LIBS} \
@LIBS@
SUBDIRS = unix
TARGETS = named@EXEEXT@
GEOIP2LINKOBJS = geoip.@O@
OBJS = builtin.@O@ config.@O@ control.@O@ \
controlconf.@O@ fuzz.@O@ \
@GEOIP2LINKOBJS@ \
log.@O@ logconf.@O@ main.@O@ \
server.@O@ statschannel.@O@ \
tkeyconf.@O@ tsigconf.@O@ zoneconf.@O@ \
${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
GEOIP2LINKSRCS = geoip.c
SRCS = builtin.c config.c control.c \
controlconf.c fuzz.c \
@GEOIP2LINKSRCS@ \
log.c logconf.c main.c \
server.c statschannel.c \
tkeyconf.c tsigconf.c zoneconf.c \
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
MANPAGES = named.8 named.conf.5
HTMLPAGES = named.html named.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DPRODUCT=\"${PRODUCT}\" \
-DDESCRIPTION=\"${DESCRIPTION}\" \
-DSRCID=\"${SRCID}\" \
-DCONFIGARGS="\"${CONFIGARGS}\"" \
-DBUILDER="\"make\"" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
config.@O@: config.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DSRCID=\"${SRCID}\" \
-DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
-DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\" \
-c ${srcdir}/config.c
server.@O@: server.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
named@EXEEXT@: ${OBJS} ${DEPLIBS}
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
maintainer-clean::
bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
depend: bind9.xsl.h
statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: named@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
rm -f ${DESTDIR}${mandir}/man8/named.8
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@DLZ_DRIVER_RULES@

1272
bin/named/bind9.xsl.h
View file

File diff suppressed because it is too large Load diff

2
bin/named/builtin.c
View file

@ -347,7 +347,7 @@ do_version_lookup(dns_sdblookup_t *lookup) {
return (put_txt(lookup, named_g_server->version));
}
} else {
return (put_txt(lookup, named_g_version));
return (put_txt(lookup, PACKAGE_VERSION));
}
}

4
bin/named/controlconf.c
View file

@ -1191,9 +1191,9 @@ add_listener(named_controls_t *cp, controllistener_t **listenerp,
if (result == ISC_R_SUCCESS) {
int pf = isc_sockaddr_pf(&listener->address);
if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
#ifdef ISC_PLATFORM_HAVESYSUNH
#ifndef _WIN32
(pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
#endif
(pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
{
result = ISC_R_FAMILYNOSUPPORT;

51
bin/named/convertxsl.pl
View file

@ -1,51 +0,0 @@
#!/usr/bin/env perl
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
use strict;
use warnings;
my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
$rev =~ s/\$//g;
$rev =~ s/,v//g;
$rev =~ s/Id: //;
my $xsl = "unknown";
my $lines = '';
while (<>) {
chomp;
# pickout the id for comment.
$xsl = $_ if (/<!-- .Id:.* -->/);
# convert Id string to a form not recognisable by cvs.
$_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
s/[\ \t]+/ /g;
s/\>\ \</\>\</g;
s/\"/\\\"/g;
s/^/\t\"/;
s/[\ \t]+$//g;
s/$/\\n\"/;
if ($lines eq "") {
$lines .= $_;
} else {
$lines .= "\n" . $_;
}
}
$xsl =~ s/\$//g;
$xsl =~ s/<!-- Id: //;
$xsl =~ s/ -->.*//;
$xsl =~ s/,v//;
print "/*\n * Generated by $rev \n * From $xsl\n */\n";
print 'static char xslmsg[] =',"\n";
print $lines;
print ';', "\n";

12
bin/named/include/named/globals.h
View file

@ -65,12 +65,12 @@ EXTERN isc_socketmgr_t *named_g_socketmgr INIT(NULL);
EXTERN isc_nm_t *named_g_nm INIT(NULL);
EXTERN cfg_parser_t *named_g_parser INIT(NULL);
EXTERN cfg_parser_t *named_g_addparser INIT(NULL);
EXTERN const char *named_g_version INIT(VERSION);
EXTERN const char *named_g_product INIT(PRODUCT);
EXTERN const char *named_g_description INIT(DESCRIPTION);
EXTERN const char *named_g_srcid INIT(SRCID);
EXTERN const char *named_g_configargs INIT(CONFIGARGS);
EXTERN const char *named_g_builder INIT(BUILDER);
EXTERN const char *named_g_version INIT(PACKAGE_VERSION);
EXTERN const char *named_g_product INIT(PACKAGE_NAME);
EXTERN const char *named_g_description INIT(PACKAGE_DESCRIPTION);
EXTERN const char *named_g_srcid INIT(PACKAGE_SRCID);
EXTERN const char *named_g_configargs INIT(PACKAGE_CONFIGARGS);
EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER);
EXTERN in_port_t named_g_port INIT(0);
EXTERN isc_dscp_t named_g_dscp INIT(-1);

12
bin/named/include/named/main.h
View file

@ -9,8 +9,9 @@
* information regarding copyright ownership.
*/
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
#pragma once
#include <isc/attributes.h>
/*! \file */
@ -23,14 +24,11 @@
*/
#define NAMED_MAIN_ARGS "46A:c:d:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:"
ISC_PLATFORM_NORETURN_PRE void
named_main_earlyfatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
named_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
named_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
named_main_setmemstats(const char *);
#endif /* NAMED_MAIN_H */

37
bin/named/main.c
View file

@ -18,6 +18,7 @@
#include <string.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/backtrace.h>
#include <isc/commandline.h>
#include <isc/dir.h>
@ -189,9 +190,9 @@ named_main_earlyfatal(const char *format, ...) {
exit(1);
}
ISC_PLATFORM_NORETURN_PRE static void
ISC_NORETURN static void
assertion_failed(const char *file, int line, isc_assertiontype_t type,
const char *cond) ISC_PLATFORM_NORETURN_POST;
const char *cond);
static void
assertion_failed(const char *file, int line, isc_assertiontype_t type,
@ -254,10 +255,9 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
exit(1);
}
ISC_PLATFORM_NORETURN_PRE static void
ISC_NORETURN static void
library_fatal_error(const char *file, int line, const char *format,
va_list args)
ISC_FORMAT_PRINTF(3, 0) ISC_PLATFORM_NORETURN_POST;
va_list args) ISC_FORMAT_PRINTF(3, 0);
static void
library_fatal_error(const char *file, int line, const char *format,
@ -487,16 +487,15 @@ printversion(bool verbose) {
const cfg_obj_t *defaults = NULL, *obj = NULL;
#endif /* if defined(HAVE_GEOIP2) */
printf("%s %s%s%s <id:%s>\n", named_g_product, named_g_version,
(*named_g_description != '\0') ? " " : "", named_g_description,
named_g_srcid);
printf("%s%s <id:%s>\n", PACKAGE_STRING, PACKAGE_DESCRIPTION,
PACKAGE_SRCID);
if (!verbose) {
return;
}
printf("running on %s\n", named_os_uname());
printf("built by %s with %s\n", named_g_builder, named_g_configargs);
printf("built by %s with %s\n", PACKAGE_BUILDER, PACKAGE_CONFIGARGS);
#ifdef __clang__
printf("compiled by CLANG %s\n", __VERSION__);
#else /* ifdef __clang__ */
@ -1049,9 +1048,8 @@ setup(void) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
"starting %s %s%s%s <id:%s>", named_g_product,
named_g_version, *named_g_description ? " " : "",
named_g_description, named_g_srcid);
"starting %s%s <id:%s>", PACKAGE_STRING,
PACKAGE_DESCRIPTION, PACKAGE_SRCID);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "running on %s",
@ -1059,7 +1057,7 @@ setup(void) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "built with %s",
named_g_configargs);
PACKAGE_CONFIGARGS);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
@ -1228,7 +1226,6 @@ setup(void) {
*/
/* xxdb_init(); */
#ifdef ISC_DLZ_DLOPEN
/*
* Register the DLZ "dlopen" driver.
*/
@ -1237,7 +1234,6 @@ setup(void) {
named_main_earlyfatal("dlz_dlopen_init() failed: %s",
isc_result_totext(result));
}
#endif /* ifdef ISC_DLZ_DLOPEN */
#if CONTRIB_DLZ
/*
@ -1321,12 +1317,10 @@ cleanup(void) {
*/
dlz_drivers_clear();
#endif /* ifdef CONTRIB_DLZ */
#ifdef ISC_DLZ_DLOPEN
/*
* Unregister "dlopen" DLZ driver.
*/
dlz_dlopen_clear();
#endif /* ifdef ISC_DLZ_DLOPEN */
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "exiting");
@ -1454,10 +1448,11 @@ main(int argc, char *argv[]) {
*/
strlcat(version,
#if defined(NO_VERSION_DATE) || !defined(__DATE__)
"named version: BIND " VERSION " <" SRCID ">",
#else /* if defined(NO_VERSION_DATE) || !defined(__DATE__) */
"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
#endif /* if defined(NO_VERSION_DATE) || !defined(__DATE__) */
"named version: BIND " PACKAGE_VERSION " <" PACKAGE_SRCID ">",
#else
"named version: BIND " PACKAGE_VERSION " <" PACKAGE_SRCID
"> (" __DATE__ ")",
#endif
sizeof(version));
result = isc_file_progname(*argv, program_name, sizeof(program_name));
if (result != ISC_R_SUCCESS) {

27
bin/named/server.c
View file

@ -22,6 +22,7 @@
#include <isc/aes.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/commandline.h>
#include <isc/dir.h>
@ -381,9 +382,8 @@ const char *empty_zones[] = {
NULL
};
ISC_PLATFORM_NORETURN_PRE static void
fatal(named_server_t *server, const char *msg,
isc_result_t result) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
fatal(named_server_t *server, const char *msg, isc_result_t result);
static void
named_server_reload(isc_task_t *task, isc_event_t *event);
@ -1633,7 +1633,6 @@ cleanup:
return (result);
}
#ifdef HAVE_DLOPEN
static isc_result_t
configure_dyndb(const cfg_obj_t *dyndb, isc_mem_t *mctx,
const dns_dyndbctx_t *dctx) {
@ -1660,7 +1659,6 @@ configure_dyndb(const cfg_obj_t *dyndb, isc_mem_t *mctx,
}
return (result);
}
#endif /* ifdef HAVE_DLOPEN */
static isc_result_t
disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
@ -3760,7 +3758,7 @@ configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) {
result = named_config_get(maps, "dnstap-version", &obj);
if (result != ISC_R_SUCCESS) {
/* not specified; use the product and version */
dns_dt_setversion(named_g_server->dtenv, PRODUCT " " VERSION);
dns_dt_setversion(named_g_server->dtenv, PACKAGE_STRING);
} else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
/* Quoted string */
dns_dt_setversion(named_g_server->dtenv, cfg_obj_asstring(obj));
@ -3817,7 +3815,6 @@ create_mapped_acl(void) {
return (result);
}
#ifdef HAVE_DLOPEN
/*%
* A callback for the cfg_pluginlist_foreach() call in configure_view() below.
* If registering any plugin fails, registering subsequent ones is not
@ -3855,11 +3852,10 @@ register_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj,
return (result);
}
#endif /* ifdef HAVE_DLOPEN */
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
* where values are missing in 'vconfig'.
* Configure 'view' according to 'vconfig', taking defaults from
* 'config' where values are missing in 'vconfig'.
*
* When configuring the default view, 'vconfig' will be NULL and the
* global defaults in 'config' used exclusively.
@ -5412,7 +5408,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
(void)cfg_map_get(config, "dyndb", &dyndb_list);
}
#ifdef HAVE_DLOPEN
for (element = cfg_list_first(dyndb_list); element != NULL;
element = cfg_list_next(element))
{
@ -5428,7 +5423,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
CHECK(configure_dyndb(dyndb, mctx, dctx));
}
#endif /* ifdef HAVE_DLOPEN */
/*
* Load plugins.
@ -5440,7 +5434,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
(void)cfg_map_get(config, "plugin", &plugin_list);
}
#ifdef HAVE_DLOPEN
if (plugin_list != NULL) {
INSIST(view->hooktable == NULL);
CHECK(ns_hooktable_create(view->mctx,
@ -5453,7 +5446,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
CHECK(cfg_pluginlist_foreach(config, plugin_list, named_g_lctx,
register_one_plugin, view));
}
#endif /* ifdef HAVE_DLOPEN */
/*
* Setup automatic empty zones. If recursion is off then
@ -11744,10 +11736,9 @@ named_server_status(named_server_t *server, isc_buffer_t **text) {
isc_time_formathttptimestamp(&named_g_configtime, configtime,
sizeof(configtime));
snprintf(line, sizeof(line), "version: %s %s%s%s <id:%s>%s%s%s\n",
named_g_product, named_g_version,
(*named_g_description != '\0') ? " " : "", named_g_description,
named_g_srcid, ob, alt, cb);
snprintf(line, sizeof(line), "version: %s%s <id:%s>%s%s%s\n",
PACKAGE_STRING, PACKAGE_DESCRIPTION, PACKAGE_SRCID, ob, alt,
cb);
CHECK(putstr(text, line));
result = named_os_gethostname(hostname, sizeof(hostname));

10
bin/named/statschannel.c
View file

@ -52,7 +52,7 @@
#define ISC_XMLCHAR (const xmlChar *)
#endif /* HAVE_LIBXML2 */
#include "bind9.xsl.h"
#include "xsl_p.h"
struct named_statschannel {
/* Unlocked */
@ -1988,7 +1988,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
TRY0(xmlTextWriterEndElement(writer)); /* current-time */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "version"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR named_g_version));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR PACKAGE_VERSION));
TRY0(xmlTextWriterEndElement(writer)); /* version */
if ((flags & STATS_XML_SERVER) != 0) {
@ -2825,7 +2825,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
obj = json_object_new_string(nowstr);
CHECKMEM(obj);
json_object_object_add(bindstats, "current-time", obj);
obj = json_object_new_string(named_g_version);
obj = json_object_new_string(PACKAGE_VERSION);
CHECKMEM(obj);
json_object_object_add(bindstats, "version", obj);
@ -3472,6 +3472,7 @@ render_xsl(const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
isc_httpdfree_t **freecb, void **freecb_args) {
isc_result_t result;
char *_headers = NULL;
char *p;
UNUSED(url);
UNUSED(querystring);
@ -3530,7 +3531,8 @@ render_xsl(const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
send:
*retcode = 200;
*retmsg = "OK";
isc_buffer_reinit(b, xslmsg, strlen(xslmsg));
DE_CONST(xslmsg, p);
isc_buffer_reinit(b, p, strlen(xslmsg));
isc_buffer_add(b, strlen(xslmsg));
end:
free(_headers);

30
bin/named/unix/Makefile.in
View file

@ -1,30 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${DNS_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES =
CWARNINGS =
OBJS = os.@O@ dlz_dlopen_driver.@O@
SRCS = os.c dlz_dlopen_driver.c
TARGETS = ${OBJS}
@BIND9_MAKE_RULES@

86
bin/named/unix/dlz_dlopen_driver.c
View file

@ -10,13 +10,11 @@
*/
#include <inttypes.h>
#include <ltdl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if HAVE_DLFCN_H
#include <dlfcn.h>
#endif /* if HAVE_DLFCN_H */
#include <isc/mem.h>
#include <isc/print.h>
@ -30,7 +28,6 @@
#include <dlz/dlz_dlopen_driver.h>
#include <named/globals.h>
#ifdef ISC_DLZ_DLOPEN
static dns_sdlzimplementation_t *dlz_dlopen = NULL;
typedef struct dlopen_data {
@ -183,13 +180,21 @@ dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
*/
static void *
dl_load_symbol(dlopen_data_t *cd, const char *symbol, bool mandatory) {
void *ptr = dlsym(cd->dl_handle, symbol);
if (ptr == NULL && mandatory) {
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen: library '%s' is missing "
"required symbol '%s'",
cd->dl_path, symbol);
void *ptr = lt_dlsym((lt_dlhandle)cd->dl_handle, symbol);
if (ptr == NULL) {
const char *errmsg = lt_dlerror();
if (errmsg == NULL) {
errmsg = "returned function pointer is NULL";
}
if (mandatory) {
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen: library '%s' is missing "
"required symbol '%s': %s",
cd->dl_path, symbol, errmsg);
}
}
/* Cleanup any errors */
(void)lt_dlerror();
return (ptr);
}
@ -202,7 +207,6 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
dlopen_data_t *cd;
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_FAILURE;
int dlopen_flags = 0;
UNUSED(driverarg);
@ -214,45 +218,33 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
return (ISC_R_FAILURE);
}
isc_mem_create(&mctx);
if (lt_dlinit() != 0) {
return (ISC_R_FAILURE);
}
isc_mem_create(&mctx);
cd = isc_mem_get(mctx, sizeof(*cd));
memset(cd, 0, sizeof(*cd));
cd->mctx = mctx;
cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]);
cd->dlzname = isc_mem_strdup(cd->mctx, dlzname);
/* Initialize the lock */
isc_mutex_init(&cd->lock);
/* Open the library */
dlopen_flags = RTLD_NOW | RTLD_GLOBAL;
#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
/*
* If RTLD_DEEPBIND is available then use it. This can avoid
* issues with a module using a different version of a system
* library than one that bind9 uses. For example, bind9 may link
* to MIT kerberos, but the module may use Heimdal. If we don't
* use RTLD_DEEPBIND then we could end up with Heimdal functions
* calling MIT functions, which leads to bizarre results (usually
* a segfault).
*/
dlopen_flags |= RTLD_DEEPBIND;
#endif /* if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ */
cd->dl_handle = dlopen(cd->dl_path, dlopen_flags);
cd->dl_handle = lt_dlopenext(cd->dl_path);
if (cd->dl_handle == NULL) {
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen failed to open library '%s' - %s",
cd->dl_path, dlerror());
"dlz_dlopen failed to open library '%s': %s",
cd->dl_path, lt_dlerror());
result = ISC_R_FAILURE;
goto failed;
}
(void)lt_dlerror();
/* Find the symbols */
cd->dlz_version =
(dlz_dlopen_version_t *)dl_load_symbol(cd, "dlz_version", true);
@ -330,20 +322,14 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
failed:
dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
if (cd->dl_path != NULL) {
isc_mem_free(mctx, cd->dl_path);
}
if (cd->dlzname != NULL) {
isc_mem_free(mctx, cd->dlzname);
}
if (dlopen_flags != 0) {
isc_mutex_destroy(&cd->lock);
}
#ifdef HAVE_DLCLOSE
isc_mem_free(mctx, cd->dl_path);
isc_mem_free(mctx, cd->dlzname);
isc_mutex_destroy(&cd->lock);
if (cd->dl_handle) {
dlclose(cd->dl_handle);
(void)lt_dlclose(cd->dl_handle);
}
#endif /* ifdef HAVE_DLCLOSE */
isc_mem_put(mctx, cd, sizeof(*cd));
isc_mem_destroy(&mctx);
return (result);
@ -372,11 +358,9 @@ dlopen_dlz_destroy(void *driverarg, void *dbdata) {
isc_mem_free(cd->mctx, cd->dlzname);
}
#ifdef HAVE_DLCLOSE
if (cd->dl_handle) {
dlclose(cd->dl_handle);
lt_dlclose(cd->dl_handle);
}
#endif /* ifdef HAVE_DLCLOSE */
isc_mutex_destroy(&cd->lock);
@ -547,17 +531,12 @@ static dns_sdlzmethods_t dlz_dlopen_methods = {
dlopen_dlz_configure, dlopen_dlz_ssumatch, dlopen_dlz_addrdataset,
dlopen_dlz_subrdataset, dlopen_dlz_delrdataset
};
#endif /* ifdef ISC_DLZ_DLOPEN */
/*
* Register driver with BIND
*/
isc_result_t
dlz_dlopen_init(isc_mem_t *mctx) {
#ifndef ISC_DLZ_DLOPEN
UNUSED(mctx);
return (ISC_R_NOTIMPLEMENTED);
#else /* ifndef ISC_DLZ_DLOPEN */
isc_result_t result;
dlopen_log(2, "Registering DLZ_dlopen driver");
@ -576,7 +555,6 @@ dlz_dlopen_init(isc_mem_t *mctx) {
}
return (result);
#endif /* ifndef ISC_DLZ_DLOPEN */
}
/*
@ -584,10 +562,8 @@ dlz_dlopen_init(isc_mem_t *mctx) {
*/
void
dlz_dlopen_clear(void) {
#ifdef ISC_DLZ_DLOPEN
dlopen_log(2, "Unregistering DLZ_dlopen driver");
if (dlz_dlopen != NULL) {
dns_sdlzunregister(&dlz_dlopen);
}
#endif /* ifdef ISC_DLZ_DLOPEN */
}

9
bin/named/win32/dlz_dlopen_driver.c
View file

@ -28,7 +28,6 @@
#include <dlz/dlz_dlopen_driver.h>
#include <named/globals.h>
#ifdef ISC_DLZ_DLOPEN
static dns_sdlzimplementation_t *dlz_dlopen = NULL;
typedef struct dlopen_data {
@ -530,17 +529,12 @@ static dns_sdlzmethods_t dlz_dlopen_methods = {
dlopen_dlz_configure, dlopen_dlz_ssumatch, dlopen_dlz_addrdataset,
dlopen_dlz_subrdataset, dlopen_dlz_delrdataset
};
#endif /* ifdef ISC_DLZ_DLOPEN */
/*
* Register driver with BIND
*/
isc_result_t
dlz_dlopen_init(isc_mem_t *mctx) {
#ifndef ISC_DLZ_DLOPEN
UNUSED(mctx);
return (ISC_R_NOTIMPLEMENTED);
#else /* ifndef ISC_DLZ_DLOPEN */
isc_result_t result;
dlopen_log(2, "Registering DLZ_dlopen driver");
@ -559,7 +553,6 @@ dlz_dlopen_init(isc_mem_t *mctx) {
}
return (result);
#endif /* ifndef ISC_DLZ_DLOPEN */
}
/*
@ -567,10 +560,8 @@ dlz_dlopen_init(isc_mem_t *mctx) {
*/
void
dlz_dlopen_clear(void) {
#ifdef ISC_DLZ_DLOPEN
dlopen_log(2, "Unregistering DLZ_dlopen driver");
if (dlz_dlopen != NULL) {
dns_sdlzunregister(&dlz_dlopen);
}
#endif /* ifdef ISC_DLZ_DLOPEN */
}

6
bin/named/win32/include/named/ntservice.h
View file

@ -18,12 +18,12 @@
#define BIND_SERVICE_NAME "named"
void
ntservice_init();
ntservice_init(void);
void UpdateSCM(DWORD);
void
ServiceControl(DWORD dwCtrlCode);
void
ntservice_shutdown();
ntservice_shutdown(void);
BOOL
ntservice_isservice();
ntservice_isservice(void);
#endif /* ifndef NTSERVICE_H */

4
bin/named/win32/ntservice.c
View file

@ -50,8 +50,8 @@ ntservice_init(void) {
}
UpdateSCM(SERVICE_RUNNING);
} else {
strlcpy(ConsoleTitle, "BIND Version ", sizeof(ConsoleTitle));
strlcat(ConsoleTitle, VERSION, sizeof(ConsoleTitle));
snprintf(ConsoleTitle, sizeof(ConsoleTitle), "%s Version %s",
PACKAGE_NAME, PACKAGE_VERSION);
SetConsoleTitle(ConsoleTitle);
}
}

7
bin/python/isc/tests/test-policies/05-numeric-zone.pol → bin/named/xsl_p.h
View file

@ -9,7 +9,6 @@
* information regarding copyright ownership.
*/
// Zone policy that uses a numeric name
zone "99example.test" {
coverage 6mo;
};
#pragma once
extern const char xslmsg[];

25
bin/nsupdate/Makefile.am Normal file
View file

@ -0,0 +1,25 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIRS_CFLAGS) \
$(LIBBIND9_CFLAGS) \
$(GSSAPI_CFLAGS) \
$(KRB5_CFLAGS)
AM_CPPFLAGS += \
-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\"
LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIRS_LIBS) \
$(LIBBIND9_LIBS) \
$(READLINE_LIB) \
$(GSSAPI_LIBS) \
$(KRB5_LIBS)
bin_PROGRAMS = nsupdate

93
bin/nsupdate/Makefile.in
View file

@ -1,93 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
READLINE_LIB = @READLINE_LIB@
DST_GSSAPI_INC = @DST_GSSAPI_INC@
CINCLUDES = ${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISC_INCLUDES} \
${ISCCFG_INCLUDES} ${IRS_INCLUDES} ${DST_GSSAPI_INC} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_GSSAPI@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
IRSLIBS = ../../lib/irs/libirs.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
${ISCDEPLIBS} ${ISCCFGDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
TARGETS = nsupdate@EXEEXT@
OBJS = nsupdate.@O@
UOBJS =
SRCS = nsupdate.c
MANPAGES = nsupdate.1
HTMLPAGES = nsupdate.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
nsupdate.@O@: nsupdate.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
-c ${srcdir}/nsupdate.c
nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nsupdate.@O@ ${READLINE_LIB} ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean::
rm -f ${TARGETS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: nsupdate@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/nsupdate.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/nsupdate.1
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nsupdate@EXEEXT@

79
bin/nsupdate/nsupdate.c
View file

@ -20,6 +20,7 @@
#include <unistd.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@ -74,14 +75,23 @@
#include <irs/resconf.h>
#ifdef GSSAPI
#if HAVE_GSSAPI
#include <dst/gssapi.h>
#ifdef WIN32
#if HAVE_KRB5_KRB5_H
#include <krb5/krb5.h>
#else /* ifdef WIN32 */
#include ISC_PLATFORM_KRB5HEADER
#endif /* ifdef WIN32 */
#endif /* ifdef GSSAPI */
#elif HAVE_KRB5_H
#include <krb5.h>
#endif
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
#endif /* HAVE_GSSAPI */
#include <bind9/getaddresses.h>
#if defined(HAVE_READLINE)
@ -189,9 +199,8 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
static void
send_update(dns_name_t *zonename, isc_sockaddr_t *master);
ISC_PLATFORM_NORETURN_PRE static void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@ -199,7 +208,7 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
#ifdef GSSAPI
#if HAVE_GSSAPI
static dns_fixedname_t fkname;
static isc_sockaddr_t *kserver = NULL;
static char *realm = NULL;
@ -212,7 +221,7 @@ typedef struct nsu_gssinfo {
} nsu_gssinfo_t;
static void
failed_gssrequest();
failed_gssrequest(void);
static void
start_gssrequest(dns_name_t *master);
static void
@ -220,7 +229,7 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
dns_request_t **request, gss_ctx_id_t context);
static void
recvgss(isc_task_t *task, isc_event_t *event);
#endif /* GSSAPI */
#endif /* HAVE_GSSAPI */
static void
error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@ -1005,7 +1014,7 @@ get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr,
static void
version(void) {
fputs("nsupdate " VERSION "\n", stderr);
fprintf(stderr, "nsupdate %s\n", PACKAGE_VERSION);
}
#define PARSE_ARGS_FMT "46dDML:y:ghilovk:p:Pr:R::t:Tu:V"
@ -1228,13 +1237,13 @@ parse_args(int argc, char **argv) {
exit(1);
}
#ifdef GSSAPI
#if HAVE_GSSAPI
if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
argv[0]);
exit(1);
}
#else /* ifdef GSSAPI */
#else /* HAVE_GSSAPI */
if (usegsstsig) {
fprintf(stderr,
"%s: cannot specify -g or -o, "
@ -1242,7 +1251,7 @@ parse_args(int argc, char **argv) {
argv[0]);
exit(1);
}
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
if (argv[isc_commandline_index] != NULL) {
if (strcmp(argv[isc_commandline_index], "-") == 0) {
@ -1698,7 +1707,7 @@ evaluate_zone(char *cmdline) {
static uint16_t
evaluate_realm(char *cmdline) {
#ifdef GSSAPI
#if HAVE_GSSAPI
char *word;
char buf[1024];
int n;
@ -1720,10 +1729,10 @@ evaluate_realm(char *cmdline) {
}
realm = isc_mem_strdup(gmctx, buf);
return (STATUS_MORE);
#else /* ifdef GSSAPI */
#else /* HAVE_GSSAPI */
UNUSED(cmdline);
return (STATUS_SYNTAX);
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
}
static uint16_t
@ -2201,25 +2210,25 @@ do_next_command(char *cmdline) {
return (evaluate_checknames(cmdline));
}
if (strcasecmp(word, "gsstsig") == 0) {
#ifdef GSSAPI
#if HAVE_GSSAPI
usegsstsig = true;
use_win2k_gsstsig = false;
#else /* ifdef GSSAPI */
#else /* HAVE_GSSAPI */
fprintf(stderr, "gsstsig not supported\n");
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
return (STATUS_MORE);
}
if (strcasecmp(word, "oldgsstsig") == 0) {
#ifdef GSSAPI
#if HAVE_GSSAPI
usegsstsig = true;
use_win2k_gsstsig = true;
#else /* ifdef GSSAPI */
#else /* HAVE_GSSAPI */
fprintf(stderr, "gsstsig not supported\n");
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
return (STATUS_MORE);
}
if (strcasecmp(word, "help") == 0) {
fprintf(stdout, "nsupdate " VERSION ":\n"
fprintf(stdout, "nsupdate " PACKAGE_VERSION ":\n"
"local address [port] (set local "
"resolver)\n"
"server address [port] (set master server "
@ -2261,7 +2270,7 @@ do_next_command(char *cmdline) {
return (STATUS_MORE);
}
if (strcasecmp(word, "version") == 0) {
fprintf(stdout, "nsupdate " VERSION "\n");
fprintf(stdout, "nsupdate " PACKAGE_VERSION "\n");
return (STATUS_MORE);
}
fprintf(stderr, "incorrect section name: %s\n", word);
@ -2770,7 +2779,7 @@ lookforsoa:
}
dns_rdata_freestruct(&soa);
#ifdef GSSAPI
#if HAVE_GSSAPI
if (usegsstsig) {
dns_name_init(&tmpzonename, NULL);
dns_name_dup(zname, gmctx, &tmpzonename);
@ -2781,10 +2790,10 @@ lookforsoa:
send_update(zname, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
}
#else /* ifdef GSSAPI */
#else /* HAVE_GSSAPI */
send_update(zname, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
dns_message_destroy(&soaquery);
dns_request_destroy(&request);
@ -2838,7 +2847,7 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
requests++;
}
#ifdef GSSAPI
#if HAVE_GSSAPI
/*
* Get the realm from the users kerberos ticket if possible
@ -2893,7 +2902,7 @@ get_ticket_realm(isc_mem_t *mctx) {
}
static void
failed_gssrequest() {
failed_gssrequest(void) {
seenerror = true;
dns_name_free(&tmpzonename, gmctx);
@ -3199,7 +3208,7 @@ done:
dns_message_destroy(&rcvmsg);
ddebug("Out of recvgss");
}
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
static void
start_update(void) {
@ -3298,7 +3307,7 @@ cleanup(void) {
dns_message_destroy(&answer);
}
#ifdef GSSAPI
#if HAVE_GSSAPI
if (tsigkey != NULL) {
ddebug("detach tsigkey x%p", tsigkey);
dns_tsigkey_detach(&tsigkey);
@ -3321,7 +3330,7 @@ cleanup(void) {
if (dns_name_dynamic(&restart_master)) {
dns_name_free(&restart_master, gmctx);
}
#endif /* ifdef GSSAPI */
#endif /* HAVE_GSSAPI */
if (sig0key != NULL) {
dst_key_free(&sig0key);

13
bin/pkcs11/Makefile.am Normal file
View file

@ -0,0 +1,13 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS)
LDADD = \
$(LIBISC_LIBS)
bin_PROGRAMS = \
pkcs11-list \
pkcs11-destroy \
pkcs11-keygen \
pkcs11-tokens

101
bin/pkcs11/Makefile.in
View file

@ -1,101 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DEPLIBS = ${ISCDEPLIBS}
# if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER}
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS = benchmarks
TARGETS = pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \
pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@
SRCS = pkcs11-list.c pkcs11-destroy.c \
pkcs11-keygen.c pkcs11-tokens.c
OBJS = pkcs11-list.@O@ pkcs11-destroy.@O@ \
pkcs11-keygen.@O@ pkcs11-tokens.@O@
MANPAGES = pkcs11-list.8 pkcs11-destroy.8 \
pkcs11-keygen.8 pkcs11-tokens.8
HTMLPAGES = pkcs11-list.html pkcs11-destroy.html \
pkcs11-keygen.html pkcs11-tokens.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
pkcs11-list@EXEEXT@: pkcs11-list.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ pkcs11-list.@O@ ${LIBS}
pkcs11-destroy@EXEEXT@: pkcs11-destroy.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ pkcs11-destroy.@O@ ${LIBS}
pkcs11-keygen@EXEEXT@: pkcs11-keygen.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ pkcs11-keygen.@O@ ${LIBS}
pkcs11-tokens@EXEEXT@: pkcs11-tokens.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ pkcs11-tokens.@O@ ${LIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
rm -f ${DESTDIR}${mandir}/man8/pkcs11-keygen.8
rm -f ${DESTDIR}${mandir}/man8/pkcs11-destroy.8
rm -f ${DESTDIR}${mandir}/man8/pkcs11-list.8
${LIBTOOL_MODE_UNINSTALL} rm -f /
${DESTDIR}${sbindir}/pkcs11-tokens@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f /
${DESTDIR}${sbindir}/pkcs11-keygen@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f /
${DESTDIR}${sbindir}/pkcs11-destroy@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f /
${DESTDIR}${sbindir}/pkcs11-list@EXEEXT@
clean distclean::
rm -f ${OBJS} ${TARGETS}

12
bin/plugins/Makefile.am Normal file
View file

@ -0,0 +1,12 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCFG_CFLAGS)
pkglib_LTLIBRARIES = filter-aaaa.la
filter_aaaa_la_SOURCES = filter-aaaa.c
filter_aaaa_la_LDFLAGS = -avoid-version -module -shared -export-dynamic

79
bin/plugins/Makefile.in
View file

@ -1,79 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${NS_INCLUDES} ${DNS_INCLUDES} \
${ISCCFG_INCLUDES} ${ISC_INCLUDES}
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
NSLIBS = ../../lib/ns/libns.@A@
LIBS =
SO_TARGETS = lib/filter-aaaa.@SO@
SO_INSTALL = filter-aaaa.@SO@
TARGETS = @SO_TARGETS@
SO_OBJS = filter-aaaa.@O@
SO_SRCS = filter-aaaa.c
CFLAGS = @CFLAGS@ @SO_CFLAGS@
SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
MANPAGES = filter-aaaa.8
HTMLPAGES = filter-aaaa.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
lib/filter-aaaa.@SO@: filter-aaaa.@SO@
$(SHELL) ${top_srcdir}/mkinstalldirs `pwd`/lib
${LIBTOOL_MODE_INSTALL} ${INSTALL} filter-aaaa.@SO@ `pwd`/lib
filter-aaaa.@SO@: filter-aaaa.@O@
${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ \
filter-aaaa.@O@ ${LIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean::
rm -f filter-aaaa.so
rm -f ${TARGETS} ${OBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${plugindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: @SO_TARGETS@ installdirs
for i in ${SO_INSTALL} ; \
do \
if test -f $$i ; \
then \
${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} $$i \
${DESTDIR}${plugindir}; \
fi \
done
${INSTALL_DATA} ${srcdir}/filter-aaaa.8 ${DESTDIR}${mandir}/man8
uninstall::
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${plugindir}/filter-aaaa.@SO@
rm -f ${DESTDIR}${mandir}/man8/filter-aaaa.8

7
bin/plugins/filter-aaaa.c
View file

@ -11,6 +11,13 @@
/*! \file */
/* aliases for the exported symbols */
#define plugin_destroy filter_aaaa_LTX_plugin_destroy
#define plugin_register filter_aaaa_LTX_plugin_register
#define plugin_version filter_aaaa_LTX_plugin_version
#define plugin_check filter_aaaa_LTX_plugin_check
#include <inttypes.h>
#include <stdbool.h>
#include <string.h>

8
bin/python/.gitignore vendored
View file

@ -1,8 +0,0 @@
build
dnssec-checkds
dnssec-checkds.py
dnssec-coverage
dnssec-coverage.py
dnssec-keymgr
dnssec-keymgr.py
*.pyc

80
bin/python/Makefile.in
View file

@ -1,80 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
PYTHON = @PYTHON@
SUBDIRS = isc
TARGETS = dnssec-checkds dnssec-coverage dnssec-keymgr
PYSRCS = dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
MANPAGES = dnssec-checkds.8 dnssec-coverage.8 dnssec-keymgr.8
HTMLPAGES = dnssec-checkds.html dnssec-coverage.html dnssec-keymgr.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-checkds: dnssec-checkds.py
cp -f dnssec-checkds.py dnssec-checkds
chmod +x dnssec-checkds
dnssec-coverage: dnssec-coverage.py
cp -f dnssec-coverage.py dnssec-coverage
chmod +x dnssec-coverage
dnssec-keymgr: dnssec-keymgr.py
cp -f dnssec-keymgr.py dnssec-keymgr
chmod +x dnssec-keymgr
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
if test -n "${PYTHON}" ; then \
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
else \
${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
fi ; \
rm -rf build ; \
fi
uninstall::
rm -f ${DESTDIR}${mandir}/man8/dnssec-keymgr.8
rm -f ${DESTDIR}${mandir}/man8/dnssec-coverage.8
rm -f ${DESTDIR}${mandir}/man8/dnssec-checkds.8
rm -f ${DESTDIR}${sbindir}/dnssec-keymgr
rm -f ${DESTDIR}${sbindir}/dnssec-coverage
rm -f ${DESTDIR}${sbindir}/dnssec-checkds
# only manually uninstall for the python package itself
clean distclean::
rm -f ${TARGETS}
rm -rf build
distclean::
rm -f dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py

95
bin/python/dnssec-checkds.8
View file

@ -1,95 +0,0 @@
.\" Copyright (C) 2012-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-checkds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2013-01-01
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-CHECKDS" "8" "2013\-01\-01" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-checkds \- DNSSEC delegation consistency checking tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-checkds\fR\ 'u
\fBdnssec\-checkds\fR [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\ \fR\fB\fIfile\fR\fR] {zone}
.SH "DESCRIPTION"
.PP
\fBdnssec\-checkds\fR
verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
If a
\fBfile\fR
is specified, then the zone is read from that file to find the DNSKEY records\&. If not, then the DNSKEY records for the zone are looked up in the DNS\&.
.RE
.PP
\-s \fIfile\fR
.RS 4
Specifies a prepared dsset file, such as would be generated by
\fBdnssec\-signzone\fR, to use as a source for the DS RRset instead of querying the parent\&.
.RE
.PP
\-d \fIdig path\fR
.RS 4
Specifies a path to a
\fBdig\fR
binary\&. Used for testing\&.
.RE
.PP
\-D \fIdsfromkey path\fR
.RS 4
Specifies a path to a
\fBdnssec\-dsfromkey\fR
binary\&. Used for testing\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-dsfromkey\fR(8),
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2012-2020 Internet Systems Consortium, Inc. ("ISC")
.br

148
bin/python/dnssec-checkds.docbook
View file

@ -1,148 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
<info>
<date>2013-01-01</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-checkds</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-checkds</application></refname>
<refpurpose>DNSSEC delegation consistency checking tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2012</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-checkds</command>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="req" rep="norepeat">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-checkds</command>
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
If a <option>file</option> is specified, then the zone is
read from that file to find the DNSKEY records. If not,
then the DNSKEY records for the zone are looked up in the DNS.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Specifies a prepared dsset file, such as would be generated
by <command>dnssec-signzone</command>, to use as a source for
the DS RRset instead of querying the parent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">dig path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>dig</command> binary. Used
for testing.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">dsfromkey path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>dnssec-dsfromkey</command> binary.
Used for testing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</para>
</refsection>
</refentry>

122
bin/python/dnssec-checkds.html
View file

@ -1,122 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2012-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-checkds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-checkds"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-checkds</span>
&#8212; DNSSEC delegation consistency checking tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-checkds</code>
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>file</code></em></code>]
{zone}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
If a <code class="option">file</code> is specified, then the zone is
read from that file to find the DNSKEY records. If not,
then the DNSKEY records for the zone are looked up in the DNS.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Specifies a prepared dsset file, such as would be generated
by <span class="command"><strong>dnssec-signzone</strong></span>, to use as a source for
the DS RRset instead of querying the parent.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dig</strong></span> binary. Used
for testing.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
Used for testing.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
</p>
</div>
</div></body>
</html>

27
bin/python/dnssec-checkds.py.in
View file

@ -1,27 +0,0 @@
#!@PYTHON@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
import os
import sys
sys.path.insert(0, os.path.dirname(sys.argv[0]))
if os.name != 'nt':
if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir
sys.path.insert(1, '@PYTHON_INSTALL_DIR@')
else:
sys.path.insert(1, os.path.join('@prefix@', 'lib',
'python' + sys.version[:3], 'site-packages'))
import isc.checkds
if __name__ == "__main__":
isc.checkds.main()

156
bin/python/dnssec-coverage.8
View file

@ -1,156 +0,0 @@
.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-coverage
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-11
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-COVERAGE" "8" "2014\-01\-11" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-coverage \- checks future DNSKEY coverage for a zone
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-coverage\fR\ 'u
\fBdnssec\-coverage\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIlength\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIDNSKEY\ TTL\fR\fR] [\fB\-m\ \fR\fB\fImax\ TTL\fR\fR] [\fB\-r\ \fR\fB\fIinterval\fR\fR] [\fB\-c\ \fR\fB\fIcompilezone\ path\fR\fR] [\fB\-k\fR] [\fB\-z\fR] [zone...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-coverage\fR
verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage\&.
.PP
If
\fBzone\fR
is specified, then keys found in the key repository matching that zone are scanned, and an ordered list is generated of the events scheduled for that key (i\&.e\&., publication, activation, inactivation, deletion)\&. The list of events is walked in order of occurrence\&. Warnings are generated if any event is scheduled which could cause the zone to enter a state in which validation failures might occur: for example, if the number of published or active keys for a given algorithm drops to zero, or if a key is deleted from the zone too soon after a new key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches\&.
.PP
If
\fBzone\fR
is not specified, then all keys in the key repository will be scanned, and all zones for which there are keys will be analyzed\&. (Note: This method of reporting is only accurate if all the zones that have keys in a given repository share the same TTL parameters\&.)
.SH "OPTIONS"
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which keys can be found\&. Defaults to the current working directory\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
If a
\fBfile\fR
is specified, then the zone is read from that file; the largest TTL and the DNSKEY TTL are determined directly from the zone data, and the
\fB\-m\fR
and
\fB\-d\fR
options do not need to be specified on the command line\&.
.RE
.PP
\-l \fIduration\fR
.RS 4
The length of time to check for DNSSEC coverage\&. Key events scheduled further into the future than
\fBduration\fR
will be ignored, and assumed to be correct\&.
.sp
The value of
\fBduration\fR
can be set in seconds, or in larger units of time by adding a suffix: \*(Aqmi\*(Aq for minutes, \*(Aqh\*(Aq for hours, \*(Aqd\*(Aq for days, \*(Aqw\*(Aq for weeks, \*(Aqmo\*(Aq for months, \*(Aqy\*(Aq for years\&.
.RE
.PP
\-m \fImaximum TTL\fR
.RS 4
Sets the value to be used as the maximum TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure\&. When a zone\-signing key is deactivated, there must be enough time for the record in the zone with the longest TTL to have expired from resolver caches before that key can be purged from the DNSKEY RRset\&. If that condition does not apply, a warning will be generated\&.
.sp
The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: \*(Aqmi\*(Aq for minutes, \*(Aqh\*(Aq for hours, \*(Aqd\*(Aq for days, \*(Aqw\*(Aq for weeks, \*(Aqmo\*(Aq for months, \*(Aqy\*(Aq for years\&.
.sp
This option is not necessary if the
\fB\-f\fR
has been used to specify a zone file\&. If
\fB\-f\fR
has been specified, this option may still be used; it will override the value found in the file\&.
.sp
If this option is not used and the maximum TTL cannot be retrieved from a zone file, a warning is generated and a default value of 1 week is used\&.
.RE
.PP
\-d \fIDNSKEY TTL\fR
.RS 4
Sets the value to be used as the DNSKEY TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure\&. When a key is rolled (that is, replaced with a new key), there must be enough time for the old DNSKEY RRset to have expired from resolver caches before the new key is activated and begins generating signatures\&. If that condition does not apply, a warning will be generated\&.
.sp
The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: \*(Aqmi\*(Aq for minutes, \*(Aqh\*(Aq for hours, \*(Aqd\*(Aq for days, \*(Aqw\*(Aq for weeks, \*(Aqmo\*(Aq for months, \*(Aqy\*(Aq for years\&.
.sp
This option is not necessary if
\fB\-f\fR
has been used to specify a zone file from which the TTL of the DNSKEY RRset can be read, or if a default key TTL was set using ith the
\fB\-L\fR
to
\fBdnssec\-keygen\fR\&. If either of those is true, this option may still be used; it will override the values found in the zone file or the key file\&.
.sp
If this option is not used and the key TTL cannot be retrieved from the zone file or the key file, then a warning is generated and a default value of 1 day is used\&.
.RE
.PP
\-r \fIresign interval\fR
.RS 4
Sets the value to be used as the resign interval for the zone or zones being analyzed when determining whether there is a possibility of validation failure\&. This value defaults to 22\&.5 days, which is also the default in
\fBnamed\fR\&. However, if it has been changed by the
\fBsig\-validity\-interval\fR
option in
named\&.conf, then it should also be changed here\&.
.sp
The length of the interval can be set in seconds, or in larger units of time by adding a suffix: \*(Aqmi\*(Aq for minutes, \*(Aqh\*(Aq for hours, \*(Aqd\*(Aq for days, \*(Aqw\*(Aq for weeks, \*(Aqmo\*(Aq for months, \*(Aqy\*(Aq for years\&.
.RE
.PP
\-k
.RS 4
Only check KSK coverage; ignore ZSK events\&. Cannot be used with
\fB\-z\fR\&.
.RE
.PP
\-z
.RS 4
Only check ZSK coverage; ignore KSK events\&. Cannot be used with
\fB\-k\fR\&.
.RE
.PP
\-c \fIcompilezone path\fR
.RS 4
Specifies a path to a
\fBnamed\-compilezone\fR
binary\&. Used for testing\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-checkds\fR(8),
\fBdnssec-dsfromkey\fR(8),
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

272
bin/python/dnssec-coverage.docbook
View file

@ -1,272 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
<info>
<date>2014-01-11</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-coverage</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-coverage</application></refname>
<refpurpose>checks future DNSKEY coverage for a zone</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-coverage</command>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">length</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">DNSKEY TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">max TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">compilezone path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="repeat">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-coverage</command>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
coverage.
</para>
<para>
If <option>zone</option> is specified, then keys found in
the key repository matching that zone are scanned, and an ordered
list is generated of the events scheduled for that key (i.e.,
publication, activation, inactivation, deletion). The list of
events is walked in order of occurrence. Warnings are generated
if any event is scheduled which could cause the zone to enter a
state in which validation failures might occur: for example, if
the number of published or active keys for a given algorithm drops
to zero, or if a key is deleted from the zone too soon after a new
key is rolled, and cached data signed by the prior key has not had
time to expire from resolver caches.
</para>
<para>
If <option>zone</option> is not specified, then all keys in the
key repository will be scanned, and all zones for which there are
keys will be analyzed. (Note: This method of reporting is only
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
If a <option>file</option> is specified, then the zone is
read from that file; the largest TTL and the DNSKEY TTL are
determined directly from the zone data, and the
<option>-m</option> and <option>-d</option> options do
not need to be specified on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">duration</replaceable></term>
<listitem>
<para>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <option>duration</option>
will be ignored, and assumed to be correct.
</para>
<para>
The value of <option>duration</option> can be set in seconds,
or in larger units of time by adding a suffix: 'mi' for minutes,
'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
'y' for years.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">maximum TTL</replaceable></term>
<listitem>
<para>
Sets the value to be used as the maximum TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a zone-signing key is
deactivated, there must be enough time for the record in the
zone with the longest TTL to have expired from resolver caches
before that key can be purged from the DNSKEY RRset. If that
condition does not apply, a warning will be generated.
</para>
<para>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
<para>
This option is not necessary if the <option>-f</option> has
been used to specify a zone file. If <option>-f</option> has
been specified, this option may still be used; it will override
the value found in the file.
</para>
<para>
If this option is not used and the maximum TTL cannot be retrieved
from a zone file, a warning is generated and a default value of
1 week is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">DNSKEY TTL</replaceable></term>
<listitem>
<para>
Sets the value to be used as the DNSKEY TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a key is rolled (that
is, replaced with a new key), there must be enough time for the
old DNSKEY RRset to have expired from resolver caches before
the new key is activated and begins generating signatures. If
that condition does not apply, a warning will be generated.
</para>
<para>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
<para>
This option is not necessary if <option>-f</option> has
been used to specify a zone file from which the TTL
of the DNSKEY RRset can be read, or if a default key TTL was
set using ith the <option>-L</option> to
<command>dnssec-keygen</command>. If either of those is true,
this option may still be used; it will override the values
found in the zone file or the key file.
</para>
<para>
If this option is not used and the key TTL cannot be retrieved
from the zone file or the key file, then a warning is generated
and a default value of 1 day is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">resign interval</replaceable></term>
<listitem>
<para>
Sets the value to be used as the resign interval for the zone
or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<command>named</command>. However, if it has been changed
by the <option>sig-validity-interval</option> option in
<filename>named.conf</filename>, then it should also be
changed here.
</para>
<para>
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Only check KSK coverage; ignore ZSK events. Cannot be
used with <option>-z</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Only check ZSK coverage; ignore KSK events. Cannot be
used with <option>-k</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">compilezone path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>named-compilezone</command> binary.
Used for testing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

236
bin/python/dnssec-coverage.html
View file

@ -1,236 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-coverage</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-coverage</span>
&#8212; checks future DNSKEY coverage for a zone
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-coverage</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-z</code>]
[zone...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-coverage</strong></span>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
coverage.
</p>
<p>
If <code class="option">zone</code> is specified, then keys found in
the key repository matching that zone are scanned, and an ordered
list is generated of the events scheduled for that key (i.e.,
publication, activation, inactivation, deletion). The list of
events is walked in order of occurrence. Warnings are generated
if any event is scheduled which could cause the zone to enter a
state in which validation failures might occur: for example, if
the number of published or active keys for a given algorithm drops
to zero, or if a key is deleted from the zone too soon after a new
key is rolled, and cached data signed by the prior key has not had
time to expire from resolver caches.
</p>
<p>
If <code class="option">zone</code> is not specified, then all keys in the
key repository will be scanned, and all zones for which there are
keys will be analyzed. (Note: This method of reporting is only
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
If a <code class="option">file</code> is specified, then the zone is
read from that file; the largest TTL and the DNSKEY TTL are
determined directly from the zone data, and the
<code class="option">-m</code> and <code class="option">-d</code> options do
not need to be specified on the command line.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
<p>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <code class="option">duration</code>
will be ignored, and assumed to be correct.
</p>
<p>
The value of <code class="option">duration</code> can be set in seconds,
or in larger units of time by adding a suffix: 'mi' for minutes,
'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
'y' for years.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
<p>
Sets the value to be used as the maximum TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a zone-signing key is
deactivated, there must be enough time for the record in the
zone with the longest TTL to have expired from resolver caches
before that key can be purged from the DNSKEY RRset. If that
condition does not apply, a warning will be generated.
</p>
<p>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
This option is not necessary if the <code class="option">-f</code> has
been used to specify a zone file. If <code class="option">-f</code> has
been specified, this option may still be used; it will override
the value found in the file.
</p>
<p>
If this option is not used and the maximum TTL cannot be retrieved
from a zone file, a warning is generated and a default value of
1 week is used.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
<p>
Sets the value to be used as the DNSKEY TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a key is rolled (that
is, replaced with a new key), there must be enough time for the
old DNSKEY RRset to have expired from resolver caches before
the new key is activated and begins generating signatures. If
that condition does not apply, a warning will be generated.
</p>
<p>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
This option is not necessary if <code class="option">-f</code> has
been used to specify a zone file from which the TTL
of the DNSKEY RRset can be read, or if a default key TTL was
set using ith the <code class="option">-L</code> to
<span class="command"><strong>dnssec-keygen</strong></span>. If either of those is true,
this option may still be used; it will override the values
found in the zone file or the key file.
</p>
<p>
If this option is not used and the key TTL cannot be retrieved
from the zone file or the key file, then a warning is generated
and a default value of 1 day is used.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
<p>
Sets the value to be used as the resign interval for the zone
or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<span class="command"><strong>named</strong></span>. However, if it has been changed
by the <code class="option">sig-validity-interval</code> option in
<code class="filename">named.conf</code>, then it should also be
changed here.
</p>
<p>
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Only check KSK coverage; ignore ZSK events. Cannot be
used with <code class="option">-z</code>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Only check ZSK coverage; ignore KSK events. Cannot be
used with <code class="option">-k</code>.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
Used for testing.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dnssec-checkds</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>
</p>
</div>
</div></body>
</html>

27
bin/python/dnssec-coverage.py.in
View file

@ -1,27 +0,0 @@
#!@PYTHON@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
import os
import sys
sys.path.insert(0, os.path.dirname(sys.argv[0]))
if os.name != 'nt':
if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir
sys.path.insert(1, '@PYTHON_INSTALL_DIR@')
else:
sys.path.insert(1, os.path.join('@prefix@', 'lib',
'python' + sys.version[:3], 'site-packages'))
import isc.coverage
if __name__ == "__main__":
isc.coverage.main()

298
bin/python/dnssec-keymgr.8
View file

@ -1,298 +0,0 @@
.\" Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-keymgr
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2016-06-03
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYMGR" "8" "2016\-06\-03" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-keymgr \- Ensures correct DNSKEY coverage for a zone based on a defined policy
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keymgr\fR\ 'u
\fBdnssec\-keymgr\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-c\ \fR\fB\fIfile\fR\fR] [\fB\-f\fR] [\fB\-k\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-z\fR] [\fB\-g\ \fR\fB\fIpath\fR\fR] [\fB\-s\ \fR\fB\fIpath\fR\fR] [zone...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-keymgr\fR
is a high level Python wrapper to facilitate the key rollover process for zones handled by BIND\&. It uses the BIND commands for manipulating DNSSEC key metadata:
\fBdnssec\-keygen\fR
and
\fBdnssec\-settime\fR\&.
.PP
DNSSEC policy can be read from a configuration file (default
/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&.
.PP
When
\fBdnssec\-keymgr\fR
runs, it examines the DNSSEC keys for one or more zones, comparing their timing metadata against the policies for those zones\&. If key settings do not conform to the DNSSEC policy (for example, because the policy has been changed), they are automatically corrected\&.
.PP
A zone policy can specify a duration for which we want to ensure the key correctness (\fBcoverage\fR)\&. It can also specify a rollover period (\fBroll\-period\fR)\&. If policy indicates that a key should roll over before the coverage period ends, then a successor key will automatically be created and added to the end of the key series\&.
.PP
If zones are specified on the command line,
\fBdnssec\-keymgr\fR
will examine only those zones\&. If a specified zone does not already have keys in place, then keys will be generated for it according to policy\&.
.PP
If zones are
\fInot\fR
specified on the command line, then
\fBdnssec\-keymgr\fR
will search the key directory (either the current working directory or the directory set by the
\fB\-K\fR
option), and check the keys for all the zones represented in the directory\&.
.PP
Key times that are in the past will not be updated unless the
\fB\-f\fR
is used (see below)\&. Key inactivation and deletion times that are less than five minutes in the future will be delayed by five minutes\&.
.PP
It is expected that this tool will be run automatically and unattended (for example, by
\fBcron\fR)\&.
.SH "OPTIONS"
.PP
\-c \fIfile\fR
.RS 4
If
\fB\-c\fR
is specified, then the DNSSEC policy is read from
\fBfile\fR\&. (If not specified, then the policy is read from
/etc/dnssec\-policy\&.conf; if that file doesn\*(Aqt exist, a built\-in global default policy is used\&.)
.RE
.PP
\-f
.RS 4
Force: allow updating of key events even if they are already in the past\&. This is not recommended for use with zones in which keys have already been published\&. However, if a set of keys has been generated all of which have publication and activation dates in the past, but the keys have not been published in a zone as yet, then this option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals\&.
.RE
.PP
\-g \fIkeygen\-path\fR
.RS 4
Specifies a path to a
\fBdnssec\-keygen\fR
binary\&. Used for testing\&. See also the
\fB\-s\fR
option\&.
.RE
.PP
\-h
.RS 4
Print the
\fBdnssec\-keymgr\fR
help summary and exit\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which keys can be found\&. Defaults to the current working directory\&.
.RE
.PP
\-k
.RS 4
Only apply policies to KSK keys\&. See also the
\fB\-z\fR
option\&.
.RE
.PP
\-q
.RS 4
Quiet: suppress printing of
\fBdnssec\-keygen\fR
and
\fBdnssec\-settime\fR\&.
.RE
.PP
\-s \fIsettime\-path\fR
.RS 4
Specifies a path to a
\fBdnssec\-settime\fR
binary\&. Used for testing\&. See also the
\fB\-g\fR
option\&.
.RE
.PP
\-v
.RS 4
Print the
\fBdnssec\-keymgr\fR
version and exit\&.
.RE
.PP
\-z
.RS 4
Only apply policies to ZSK keys\&. See also the
\fB\-k\fR
option\&.
.RE
.SH "POLICY CONFIGURATION"
.PP
The
dnssec\-policy\&.conf
file can specify three kinds of policies:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIPolicy classes\fR
(\fBpolicy \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR) can be inherited by zone policies or other policy classes; these can be used to create sets of different security profiles\&. For example, a policy class
\fBnormal\fR
might specify 1024\-bit key sizes, but a class
\fBextra\fR
might specify 2048 bits instead;
\fBextra\fR
would be used for zones that had unusually high security needs\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIAlgorithm policies:\fR
(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIZone policies:\fR
(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&.
.RE
.PP
Options that can be specified in policies:
.PP
\fBalgorithm\fR \fIname\fR;
.RS 4
The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
.RE
.PP
\fBcoverage\fR \fIduration\fR;
.RS 4
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
.RE
.PP
\fBdirectory\fR \fIpath\fR;
.RS 4
Specifies the directory in which keys should be stored\&.
.RE
.PP
\fBkey\-size\fR \fIkeytype\fR \fIsize\fR;
.RS 4
Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
\fBkeyttl\fR \fIduration\fR;
.RS 4
The key TTL\&. If no policy is defined, the default is one hour\&.
.RE
.PP
\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long after inactivation a key should be deleted from the zone\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long before activation a key should be published\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBroll\-period\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How frequently keys should be rolled over\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&.
.RE
.PP
\fBstandby\fR \fIkeytype\fR \fInumber\fR;
.RS 4
Not yet implemented\&.
.RE
.SH "REMAINING WORK"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Enable scheduling of KSK rollovers using the
\fB\-P sync\fR
and
\fB\-D sync\fR
options to
\fBdnssec\-keygen\fR
and
\fBdnssec\-settime\fR\&. Check the parent zone (as in
\fBdnssec\-checkds\fR) to determine when it\*(Aqs safe for the key to roll\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Allow configuration of standby keys and use of the REVOKE bit, for keys that use RFC 5011 semantics\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-coverage\fR(8),
\fBdnssec-keygen\fR(8),
\fBdnssec-settime\fR(8),
\fBdnssec-checkds\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2016-2020 Internet Systems Consortium, Inc. ("ISC")
.br

422
bin/python/dnssec-keymgr.docbook
View file

@ -1,422 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
<info>
<date>2016-06-03</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keymgr</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keymgr</application></refname>
<refpurpose>Ensures correct DNSKEY coverage for a zone based on a defined policy</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-keymgr</command>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="repeat">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>dnssec-keymgr</command> is a high level Python wrapper
to facilitate the key rollover process for zones handled by
BIND. It uses the BIND commands for manipulating DNSSEC key
metadata: <command>dnssec-keygen</command> and
<command>dnssec-settime</command>.
</para>
<para>
DNSSEC policy can be read from a configuration file (default
<filename>/etc/dnssec-policy.conf</filename>), from which the
key parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a "<literal>default</literal>" policy
used for all zones.
</para>
<para>
When <command>dnssec-keymgr</command> runs, it examines the DNSSEC
keys for one or more zones, comparing their timing metadata against
the policies for those zones. If key settings do not conform to the
DNSSEC policy (for example, because the policy has been changed),
they are automatically corrected.
</para>
<para>
A zone policy can specify a duration for which we want to
ensure the key correctness (<option>coverage</option>). It can
also specify a rollover period (<option>roll-period</option>).
If policy indicates that a key should roll over before the
coverage period ends, then a successor key will automatically be
created and added to the end of the key series.
</para>
<para>
If zones are specified on the command line,
<command>dnssec-keymgr</command> will examine only those zones.
If a specified zone does not already have keys in place, then
keys will be generated for it according to policy.
</para>
<para>
If zones are <emphasis>not</emphasis> specified on the command
line, then <command>dnssec-keymgr</command> will search the
key directory (either the current working directory or the directory
set by the <option>-K</option> option), and check the keys for
all the zones represented in the directory.
</para>
<para>
Key times that are in the past will not be updated unless
the <option>-f</option> is used (see below). Key inactivation
and deletion times that are less than five minutes in the future
will be delayed by five minutes.
</para>
<para>
It is expected that this tool will be run automatically and
unattended (for example, by <command>cron</command>).
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-c <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
If <option>-c</option> is specified, then the DNSSEC
policy is read from <option>file</option>. (If not
specified, then the policy is read from
<filename>/etc/dnssec-policy.conf</filename>; if that file
doesn't exist, a built-in global default policy is used.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">keygen-path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>dnssec-keygen</command> binary.
Used for testing.
See also the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the <command>dnssec-keymgr</command> help summary
and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Only apply policies to KSK keys.
See also the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet: suppress printing of <command>dnssec-keygen</command>
and <command>dnssec-settime</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">settime-path</replaceable></term>
<listitem>
<para>
Specifies a path to a <command>dnssec-settime</command> binary.
Used for testing.
See also the <option>-g</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the <command>dnssec-keymgr</command> version and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Only apply policies to ZSK keys.
See also the <option>-k</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>POLICY CONFIGURATION</title></info>
<para>
The <filename>dnssec-policy.conf</filename> file can specify three kinds
of policies:
</para>
<itemizedlist>
<listitem>
<para>
<emphasis>Policy classes</emphasis>
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
</para>
</listitem>
<listitem>
<para>
<emphasis>Algorithm policies:</emphasis>
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
</para>
</listitem>
<listitem>
<para>
<emphasis>Zone policies:</emphasis>
(<option>zone <replaceable>name</replaceable> { ... };</option> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
If a zone does not have its own policy then the
"<literal>default</literal>" policy applies.
</para>
</listitem>
</itemizedlist>
<para>
Options that can be specified in policies:
</para>
<variablelist>
<varlistentry>
<term><command>algorithm</command>
<replaceable>name</replaceable><literal>;</literal></term>
<listitem>
<para>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>coverage</command>
<replaceable>duration</replaceable><literal>;</literal></term>
<listitem>
<para>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration
using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>directory</command>
<replaceable>path</replaceable><literal>;</literal></term>
<listitem>
<para>
Specifies the directory in which keys should be stored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>key-size</command> <replaceable>keytype</replaceable>
<replaceable>size</replaceable><literal>;</literal></term>
<listitem>
<para>
Specifies the number of bits to use in creating keys.
The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>keyttl</command>
<replaceable>duration</replaceable><literal>;</literal></term>
<listitem>
<para>
The key TTL. If no policy is defined, the default is one hour.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>post-publish</command> <replaceable>keytype</replaceable>
<replaceable>duration</replaceable><literal>;</literal></term>
<listitem>
<para>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>pre-publish</command> <replaceable>keytype</replaceable>
<replaceable>duration</replaceable><literal>;</literal></term>
<listitem>
<para>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>roll-period</command> <replaceable>keytype</replaceable>
<replaceable>duration</replaceable><literal>;</literal></term>
<listitem>
<para>
How frequently keys should be rolled over.
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>standby</command> <replaceable>keytype</replaceable>
<replaceable>number</replaceable><literal>;</literal></term>
<listitem>
<para>
Not yet implemented.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>REMAINING WORK</title></info>
<itemizedlist>
<listitem>
<para>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
and <option>-D sync</option> options to
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
</para>
</listitem>
<listitem>
<para>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</para>
</listitem>
</itemizedlist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dnssec-coverage</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

371
bin/python/dnssec-keymgr.html
View file

@ -1,371 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keymgr</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-keymgr</span>
&#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keymgr</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-k</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-z</code>]
[<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
[zone...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
to facilitate the key rollover process for zones handled by
BIND. It uses the BIND commands for manipulating DNSSEC key
metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-settime</strong></span>.
</p>
<p>
DNSSEC policy can be read from a configuration file (default
<code class="filename">/etc/dnssec-policy.conf</code>), from which the
key parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a "<code class="literal">default</code>" policy
used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
keys for one or more zones, comparing their timing metadata against
the policies for those zones. If key settings do not conform to the
DNSSEC policy (for example, because the policy has been changed),
they are automatically corrected.
</p>
<p>
A zone policy can specify a duration for which we want to
ensure the key correctness (<code class="option">coverage</code>). It can
also specify a rollover period (<code class="option">roll-period</code>).
If policy indicates that a key should roll over before the
coverage period ends, then a successor key will automatically be
created and added to the end of the key series.
</p>
<p>
If zones are specified on the command line,
<span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
If a specified zone does not already have keys in place, then
keys will be generated for it according to policy.
</p>
<p>
If zones are <span class="emphasis"><em>not</em></span> specified on the command
line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
key directory (either the current working directory or the directory
set by the <code class="option">-K</code> option), and check the keys for
all the zones represented in the directory.
</p>
<p>
Key times that are in the past will not be updated unless
the <code class="option">-f</code> is used (see below). Key inactivation
and deletion times that are less than five minutes in the future
will be delayed by five minutes.
</p>
<p>
It is expected that this tool will be run automatically and
unattended (for example, by <span class="command"><strong>cron</strong></span>).
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
If <code class="option">-c</code> is specified, then the DNSSEC
policy is read from <code class="option">file</code>. (If not
specified, then the policy is read from
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
doesn't exist, a built-in global default policy is used.)
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd>
<p>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
Used for testing.
See also the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
and exit.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Only apply policies to KSK keys.
See also the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
and <span class="command"><strong>dnssec-settime</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
Used for testing.
See also the <code class="option">-g</code> option.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Only apply policies to ZSK keys.
See also the <code class="option">-k</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>POLICY CONFIGURATION</h2>
<p>
The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
of policies:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="emphasis"><em>Policy classes</em></span>
(<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <strong class="userinput"><code>normal</code></strong> might specify
1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
used for zones that had unusually high security needs.
</p>
</li>
<li class="listitem">
<p>
<span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
new key sizes would then be used for any key of type RSASHA256.
</p>
</li>
<li class="listitem">
<p>
<span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
If a zone does not have its own policy then the
"<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
<p>
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
<em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>coverage</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration
using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>directory</strong></span>
<em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
ignored. The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
The keytype is either "zsk" or "ksk".
A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
<em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>REMAINING WORK</h2>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
and <code class="option">-D sync</code> options to
<span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
safe for the key to roll.
</p>
</li>
<li class="listitem">
<p>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</p>
</li>
</ul></div>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dnssec-coverage</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-settime</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-checkds</span>(8)
</span>
</p>
</div>
</div></body>
</html>

27
bin/python/dnssec-keymgr.py.in
View file

@ -1,27 +0,0 @@
#!@PYTHON@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
import os
import sys
sys.path.insert(0, os.path.dirname(sys.argv[0]))
if os.name != 'nt':
if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir
sys.path.insert(1, '@PYTHON_INSTALL_DIR@')
else:
sys.path.insert(1, os.path.join('@prefix@', 'lib',
'python' + sys.version[:3], 'site-packages'))
import isc.keymgr
if __name__ == "__main__":
isc.keymgr.main()

17
bin/python/isc/.gitignore vendored
View file

@ -1,17 +0,0 @@
__init__.py
checkds.py
coverage.py
dnskey.py
eventlist.py
keydict.py
keyevent.py
keymgr.py
keyseries.py
keyzone.py
parser.out
parsetab.py
policy.py
policy_test.py
rndc.py
tests/dnskey_test.py
utils.py

43
bin/python/isc/Makefile.in
View file

@ -1,43 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
SUBDIRS = tests
PYTHON = @PYTHON@
PYSRCS = __init__.py checkds.py coverage.py dnskey.py eventlist.py \
keydict.py keyevent.py keymgr.py keyseries.py keyzone.py \
policy.py rndc.py utils.py
TARGETS = parsetab.py
@BIND9_MAKE_RULES@
.SUFFIXES: .py .pyc
.py.pyc:
$(PYTHON) -m compileall .
parsetab.py: policy.py
$(PYTHON) policy.py parse /dev/null > /dev/null
PYTHONPATH=${srcdir} $(PYTHON) -m parsetab
check test: subdirs
clean distclean::
rm -f *.pyc parser.out parsetab.py
rm -rf __pycache__ build
distclean::
rm -rf ${PYSRCS}

24
bin/python/isc/__init__.py.in
View file

@ -1,24 +0,0 @@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
__all__ = ['checkds', 'coverage', 'keymgr', 'dnskey', 'eventlist',
'keydict', 'keyevent', 'keyseries', 'keyzone', 'policy',
'parsetab', 'rndc', 'utils']
from isc.dnskey import *
from isc.eventlist import *
from isc.keydict import *
from isc.keyevent import *
from isc.keyseries import *
from isc.keyzone import *
from isc.policy import *
from isc.rndc import *
from isc.utils import *

182
bin/python/isc/checkds.py.in
View file

@ -1,182 +0,0 @@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
import argparse
import os
import sys
from subprocess import Popen, PIPE
from isc.utils import prefix,version
prog = 'dnssec-checkds'
############################################################################
# SECRR class:
# Class for DS resource record
############################################################################
class SECRR:
hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'}
rrname = ''
rrclass = 'IN'
keyid = None
keyalg = None
hashalg = None
digest = ''
ttl = 0
def __init__(self, rrtext):
if not rrtext:
raise Exception
# 'str' does not have decode method in python3
if type(rrtext) is not str:
fields = rrtext.decode('ascii').split()
else:
fields = rrtext.split()
if len(fields) < 7:
raise Exception
self.rrtype = "DS"
self.rrname = fields[0].lower()
fields = fields[1:]
if fields[0].upper() in ['IN', 'CH', 'HS']:
self.rrclass = fields[0].upper()
fields = fields[1:]
else:
self.ttl = int(fields[0])
self.rrclass = fields[1].upper()
fields = fields[2:]
if fields[0].upper() != self.rrtype:
raise Exception('%s does not match %s' %
(fields[0].upper(), self.rrtype))
self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4])
self.digest = ''.join(fields[4:]).upper()
def __repr__(self):
return '%s %s %s %d %d %d %s' % \
(self.rrname, self.rrclass, self.rrtype,
self.keyid, self.keyalg, self.hashalg, self.digest)
def __eq__(self, other):
return self.__repr__() == other.__repr__()
############################################################################
# check:
# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY
# RRset from the masterfile if specified, or from DNS if not.
# Generate a set of expected DS records from the DNSKEY RRset,
# and report on congruency.
############################################################################
def check(zone, args):
rrlist = []
if args.dssetfile:
fp = open(args.dssetfile).read()
else:
cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
rrlist.append(SECRR(line))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
cmd = [args.dsfromkey]
for algo in args.algo:
cmd += ['-a', algo]
if args.masterfile:
cmd += ["-f", args.masterfile, zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
else:
intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey",
"-q", zone], stdout=PIPE).communicate()
cmd += ["-f", "-", zone]
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
klist.append(SECRR(line))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
return False
match = True
for rr in rrlist:
if rr not in klist:
print("KSK for %s %s/%03d/%05d (%s) missing from child" %
(rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
rr.keyid, SECRR.hashalgs[rr.hashalg]))
match = False
for rr in klist:
if rr not in rrlist:
print("%s for KSK %s/%03d/%05d (%s) missing from parent" %
(rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
rr.keyid, SECRR.hashalgs[rr.hashalg]))
match = False
for rr in klist:
if rr in rrlist:
print("%s for KSK %s/%03d/%05d (%s) found in parent" %
(rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
rr.keyid, SECRR.hashalgs[rr.hashalg]))
return match
############################################################################
# parse_args:
# Read command line arguments, set global 'args' structure
############################################################################
def parse_args():
parser = argparse.ArgumentParser(description=prog + ': checks DS coverage')
bindir = 'bin'
sbindir = 'bin' if os.name == 'nt' else 'sbin'
parser.add_argument('zone', type=str, help='zone to check')
parser.add_argument('-a', '--algo', dest='algo', action='append',
default=[], type=str, help='DS digest algorithm')
parser.add_argument('-d', '--dig', dest='dig',
default=os.path.join(prefix(bindir), 'dig'),
type=str, help='path to \'dig\'')
parser.add_argument('-D', '--dsfromkey', dest='dsfromkey',
default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'),
type=str, help='path to \'dnssec-dsfromkey\'')
parser.add_argument('-f', '--file', dest='masterfile', type=str,
help='zone master file')
parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
version=version)
args = parser.parse_args()
args.zone = args.zone.strip('.')
return args
############################################################################
# Main
############################################################################
def main():
args = parse_args()
match = check(args.zone, args)
exit(0 if match else 1)

290
bin/python/isc/coverage.py.in
View file

@ -1,290 +0,0 @@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
from __future__ import print_function
import os
import sys
import argparse
import glob
import re
import time
import calendar
import pprint
from collections import defaultdict
prog = 'dnssec-coverage'
from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
############################################################################
# print a fatal error and exit
############################################################################
def fatal(*args, **kwargs):
print(*args, **kwargs)
sys.exit(1)
############################################################################
# output:
############################################################################
_firstline = True
def output(*args, **kwargs):
"""output text, adding a vertical space this is *not* the first
first section being printed since a call to vreset()"""
global _firstline
if 'skip' in kwargs:
skip = kwargs['skip']
kwargs.pop('skip', None)
else:
skip = True
if _firstline:
_firstline = False
elif skip:
print('')
if args:
print(*args, **kwargs)
def vreset():
"""reset vertical spacing"""
global _firstline
_firstline = True
############################################################################
# parse_time
############################################################################
def parse_time(s):
""" convert a formatted time (e.g., 1y, 6mo, 15mi, etc) into seconds
:param s: String with some text representing a time interval
:return: Integer with the number of seconds in the time interval
"""
s = s.strip()
# if s is an integer, we're done already
try:
return int(s)
except ValueError:
pass
# try to parse as a number with a suffix indicating unit of time
r = re.compile(r'([0-9][0-9]*)\s*([A-Za-z]*)')
m = r.match(s)
if not m:
raise ValueError("Cannot parse %s" % s)
n, unit = m.groups()
n = int(n)
unit = unit.lower()
if unit.startswith('y'):
return n * 31536000
elif unit.startswith('mo'):
return n * 2592000
elif unit.startswith('w'):
return n * 604800
elif unit.startswith('d'):
return n * 86400
elif unit.startswith('h'):
return n * 3600
elif unit.startswith('mi'):
return n * 60
elif unit.startswith('s'):
return n
else:
raise ValueError("Invalid suffix %s" % unit)
############################################################################
# set_path:
############################################################################
def set_path(command, default=None):
""" find the location of a specified command. if a default is supplied
and it works, we use it; otherwise we search PATH for a match.
:param command: string with a command to look for in the path
:param default: default location to use
:return: detected location for the desired command
"""
fpath = default
if not fpath or not os.path.isfile(fpath) or not os.access(fpath, os.X_OK):
path = os.environ["PATH"]
if not path:
path = os.path.defpath
for directory in path.split(os.pathsep):
fpath = os.path.join(directory, command)
if os.path.isfile(fpath) and os.access(fpath, os.X_OK):
break
fpath = None
return fpath
############################################################################
# parse_args:
############################################################################
def parse_args():
"""Read command line arguments, set global 'args' structure"""
compilezone = set_path('named-compilezone',
os.path.join(utils.prefix('sbin'),
'named-compilezone'))
parser = argparse.ArgumentParser(description=prog + ': checks future ' +
'DNSKEY coverage for a zone')
parser.add_argument('zone', type=str, nargs='*', default=None,
help='zone(s) to check' +
'(default: all zones in the directory)')
parser.add_argument('-K', dest='path', default='.', type=str,
help='a directory containing keys to process',
metavar='dir')
parser.add_argument('-f', dest='filename', type=str,
help='zone master file', metavar='file')
parser.add_argument('-m', dest='maxttl', type=str,
help='the longest TTL in the zone(s)',
metavar='time')
parser.add_argument('-d', dest='keyttl', type=str,
help='the DNSKEY TTL', metavar='time')
parser.add_argument('-r', dest='resign', default='1944000',
type=str, help='the RRSIG refresh interval '
'in seconds [default: 22.5 days]',
metavar='time')
parser.add_argument('-c', dest='compilezone',
default=compilezone, type=str,
help='path to \'named-compilezone\'',
metavar='path')
parser.add_argument('-l', dest='checklimit',
type=str, default='0',
help='Length of time to check for '
'DNSSEC coverage [default: 0 (unlimited)]',
metavar='time')
parser.add_argument('-z', dest='no_ksk',
action='store_true', default=False,
help='Only check zone-signing keys (ZSKs)')
parser.add_argument('-k', dest='no_zsk',
action='store_true', default=False,
help='Only check key-signing keys (KSKs)')
parser.add_argument('-D', '--debug', dest='debug_mode',
action='store_true', default=False,
help='Turn on debugging output')
parser.add_argument('-v', '--version', action='version',
version=utils.version)
args = parser.parse_args()
if args.no_zsk and args.no_ksk:
fatal("ERROR: -z and -k cannot be used together.")
elif args.no_zsk or args.no_ksk:
args.keytype = "KSK" if args.no_zsk else "ZSK"
else:
args.keytype = None
if args.filename and len(args.zone) > 1:
fatal("ERROR: -f can only be used with one zone.")
# strip trailing dots if any
args.zone = [x[:-1] if (len(x) > 1 and x[-1] == '.') else x
for x in args.zone]
# convert from time arguments to seconds
try:
if args.maxttl:
m = parse_time(args.maxttl)
args.maxttl = m
except ValueError:
pass
try:
if args.keyttl:
k = parse_time(args.keyttl)
args.keyttl = k
except ValueError:
pass
try:
if args.resign:
r = parse_time(args.resign)
args.resign = r
except ValueError:
pass
try:
if args.checklimit:
lim = args.checklimit
r = parse_time(args.checklimit)
if r == 0:
args.checklimit = None
else:
args.checklimit = time.time() + r
except ValueError:
pass
# if we've got the values we need from the command line, stop now
if args.maxttl and args.keyttl:
return args
# load keyttl and maxttl data from zonefile
if args.zone and args.filename:
try:
zone = keyzone(args.zone[0], args.filename, args.compilezone)
args.maxttl = args.maxttl or zone.maxttl
args.keyttl = args.maxttl or zone.keyttl
except Exception as e:
print("Unable to load zone data from %s: " % args.filename, e)
if not args.maxttl:
output("WARNING: Maximum TTL value was not specified. Using 1 week\n"
"\t (604800 seconds); re-run with the -m option to get more\n"
"\t accurate results.")
args.maxttl = 604800
return args
############################################################################
# Main
############################################################################
def main():
args = parse_args()
print("PHASE 1--Loading keys to check for internal timing problems")
try:
kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl)
except Exception as e:
fatal('ERROR: Unable to build key dictionary: ' + str(e))
for key in kd:
key.check_prepub(output)
if key.sep:
key.check_postpub(output)
else:
key.check_postpub(output, args.maxttl + args.resign)
output("PHASE 2--Scanning future key events for coverage failures")
vreset()
try:
elist = eventlist(kd)
except Exception as e:
fatal('ERROR: Unable to build event list: ' + str(e))
errors = False
if not args.zone:
if not elist.coverage(None, args.keytype, args.checklimit, output):
errors = True
else:
for zone in args.zone:
try:
if not elist.coverage(zone, args.keytype,
args.checklimit, output):
errors = True
except:
output('ERROR: Coverage check failed for zone ' + zone)
sys.exit(1 if errors else 0)

Some files were not shown because too many files have changed in this diff Show more