Merge branch '105-nta-all' into 'master'

Resolve "[RT#44623] RNDC NTA option to add NTA to all views"

Closes #105

See merge request isc-projects/bind9!658
Evan Hunt 2018-09-10 15:15:34 -04:00
commit 29f699d669
7 changed files with 137 additions and 31 deletions


@ -1,3 +1,11 @@
5033. [bug] When adding NTAs to multiple views using "rndc nta",
the text returned via rndc was incorrectly terminated
after the first line, making it look as if only one
NTA had been added. Also, it was not possible to
differentiate between views with the same name but
different classes; this has been corrected with the
addition of a "-class" option. [GL #105]
5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
[GL #511]


@ -938,7 +938,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/* We don't need trust anchors for the _bind view */
if (strcmp(view->name, "_bind") == 0 &&
view->rdclass == dns_rdataclass_chaos) {
view->rdclass == dns_rdataclass_chaos)
{
return (ISC_R_SUCCESS);
}
@ -14231,6 +14232,7 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
dns_name_t *fname;
dns_ttl_t ntattl;
bool ttlset = false, excl = false;
dns_rdataclass_t rdclass = dns_rdataclass_in;
UNUSED(force);
@ -14238,18 +14240,20 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
/* Skip the command name. */
ptr = next_token(lex, text);
if (ptr == NULL)
if (ptr == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
for (;;) {
/* Check for options */
ptr = next_token(lex, text);
if (ptr == NULL)
if (ptr == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
if (argcheck(ptr, "dump"))
if (argcheck(ptr, "dump")) {
dump = true;
else if (argcheck(ptr, "remove")) {
} else if (argcheck(ptr, "remove")) {
ntattl = 0;
ttlset = true;
} else if (argcheck(ptr, "force")) {
@ -14279,8 +14283,22 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
ttlset = true;
continue;
} else
} else if (argcheck(ptr, "class")) {
isc_textregion_t tr;
ptr = next_token(lex, text);
if (ptr == NULL) {
msg = "No class specified";
CHECK(ISC_R_UNEXPECTEDEND);
}
tr.base = ptr;
tr.length = strlen(ptr);
CHECK(dns_rdataclass_fromtext(&rdclass, &tr));
continue;
} else {
nametext = ptr;
}
break;
}
@ -14293,11 +14311,13 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (ntatable != NULL)
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
result = dns_view_getntatable(view, &ntatable);
if (result == ISC_R_NOTFOUND)
if (result == ISC_R_NOTFOUND) {
continue;
}
CHECK(dns_ntatable_totext(ntatable, text));
}
CHECK(putnull(text));
@ -14314,17 +14334,19 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
}
/* Get the NTA name. */
if (nametext == NULL)
if (nametext == NULL) {
nametext = next_token(lex, text);
if (nametext == NULL)
}
if (nametext == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
/* Copy nametext as it'll be overwritten by next_token() */
strlcpy(namebuf, nametext, DNS_NAME_FORMATSIZE);
if (strcmp(namebuf, ".") == 0)
if (strcmp(namebuf, ".") == 0) {
ntaname = dns_rootname;
else {
} else {
isc_buffer_t b;
isc_buffer_init(&b, namebuf, strlen(namebuf));
isc_buffer_add(&b, strlen(namebuf));
@ -14344,18 +14366,27 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (viewname != NULL &&
strcmp(view->name, viewname) != 0)
continue;
static bool first = true;
if (view->nta_lifetime == 0)
if (viewname != NULL && strcmp(view->name, viewname) != 0) {
continue;
}
if (!ttlset)
if (view->rdclass != rdclass && rdclass != dns_rdataclass_any) {
continue;
}
if (view->nta_lifetime == 0) {
continue;
}
if (!ttlset) {
ntattl = view->nta_lifetime;
}
if (ntatable != NULL)
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
result = dns_view_getntatable(view, &ntatable);
if (result == ISC_R_NOTFOUND) {
@ -14378,6 +14409,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
isc_time_set(&t, when, 0);
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
if (!first) {
CHECK(putstr(text, "\n"));
}
first = false;
CHECK(putstr(text, "Negative trust anchor added: "));
CHECK(putstr(text, namebuf));
CHECK(putstr(text, "/"));
@ -14392,6 +14428,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
} else {
CHECK(dns_ntatable_delete(ntatable, ntaname));
if (!first) {
CHECK(putstr(text, "\n"));
}
first = false;
CHECK(putstr(text, "Negative trust anchor removed: "));
CHECK(putstr(text, namebuf));
CHECK(putstr(text, "/"));
@ -14411,20 +14452,21 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
"for view '%s': %s",
view->name, isc_result_totext(result));
}
CHECK(putnull(text));
}
CHECK(putnull(text));
cleanup:
if (msg != NULL) {
(void) putstr(text, msg);
(void) putnull(text);
}
if (excl)
if (excl) {
isc_task_endexclusive(server->task);
if (ntatable != NULL)
}
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
return (result);
}
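Review bot: `static bool first = true;` declared inside the per-view loop of the `@ -14344` hunk has static storage, so it is initialised once per process and never reset: after the first successful add or remove on a server, every later `rndc nta` reply begins with a stray "\n" before its first "Negative trust anchor added/removed" line. The separator logic only needs a per-call flag; declare `bool first = true;` alongside `ttlset`/`excl` at the top of named_server_nta (the `@ -14231` hunk) and drop the `static` declaration from the loop body. The new multi-view test in tests.sh counts lines on a fresh server and would not notice the leading blank line unless another nta command had already run there. named_server_nta begins before the first hunk of this section.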


@ -575,7 +575,7 @@
<varlistentry>
<term><userinput>nta
<optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
<optional>( -class <replaceable>class</replaceable> | -dump | -force | -remove | -lifetime <replaceable>duration</replaceable>)</optional>
<replaceable>domain</replaceable>
<optional><replaceable>view</replaceable></optional>
</userinput></term>
@ -623,7 +623,7 @@
is equivalent to <option>-remove</option>.
</para>
<para>
If <option>-dump</option> is used, any other arguments
If the <option>-dump</option> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
@ -640,10 +640,15 @@
lifetime, regardless of whether data could be
validated if the NTA were not present.
</para>
<para>
The view class can be specified with <option>-class</option>.
The default is class <userinput>IN</userinput>, which is
the only class for which DNSSEC is currently supported.
</para>
<para>
All of these options can be shortened, i.e., to
<option>-l</option>, <option>-r</option>, <option>-d</option>,
and <option>-f</option>.
<option>-f</option>, and <option>-c</option>.
</para>
</listitem>
</varlistentry>


@ -12,7 +12,7 @@
rm -f dig.out.*.test*
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run
rm -f ns*/named.run ns*/named.run.prev
rm -f ns2/named.stats
rm -f ns2/nil.db ns2/other.db ns2/static.db ns2/*.jnl
rm -f ns2/session.key
@ -25,3 +25,4 @@ rm -f nsupdate.out.*.test*
rm -f python.out.*.test*
rm -f rndc.out.*.test*
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ns*/*.nta


@ -14,7 +14,6 @@ options {
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
};
key rndc_key {
@ -31,8 +30,17 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view all {
match-clients { any; };
zone "." {
type hint;
file "../../common/root.hint";
recursion no;
zone "." {
type hint;
file "../../common/root.hint";
};
};
view none {
match-clients { none; };
};


@ -486,6 +486,22 @@ grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "testing rndc nta -class option ($n)"
ret=0
nextpart ns4/named.run > /dev/null
$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288
do
n=`expr $n + 1`
@ -656,5 +672,14 @@ grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check rndc nta reports adding to multiple views ($n)"
ret=0
$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1
lines=`cat rndc.out.test$n | wc -l`
[ ${lines:-0} -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
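Review bot: The multi-view check added at the end of this section (`lines=... | wc -l` then `[ ${lines:-0} -eq 2 ]`) only counts lines, so any two-line reply — an error followed by a blank line, or one result plus a leading blank line — passes it. Pinning the content is cheap: `[ "$(grep -c 'Negative trust anchor added: test.com/' rndc.out.test$n)" -eq 2 ] || ret=1` (the text after the slash is outside the server.c hunk, so extend the pattern to the full line named emits). Running the same `rndc nta` a second time and checking the count again would also catch any state carried between invocations rather than relying on ns3 having seen no earlier nta commands.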


@ -465,6 +465,14 @@
instead of using the <command>resolver</command> category.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
</itemizedlist>
</section>
@ -497,6 +505,15 @@
to be non-resolvable. [GL #390]
</para>
</listitem>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large