From 83dc5a704a13f4b73cde99caa7b01f9702e84f5b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 15 Aug 2018 12:29:17 -0700 Subject: [PATCH 1/3] report when NTAs added to multiple views - the text returned by "rndc nta" when adding NTAs to multiple views was incorrectly terminated after the first line, so users only saw on NTA added unless they checked the logs. --- bin/named/server.c | 35 ++++++++++++++++++------- bin/tests/system/rndc/clean.sh | 1 + bin/tests/system/rndc/ns3/named.conf.in | 16 ++++++++--- bin/tests/system/rndc/tests.sh | 9 +++++++ 4 files changed, 47 insertions(+), 14 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 602023c914..926dcf03d0 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -938,7 +938,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, /* We don't need trust anchors for the _bind view */ if (strcmp(view->name, "_bind") == 0 && - view->rdclass == dns_rdataclass_chaos) { + view->rdclass == dns_rdataclass_chaos) + { return (ISC_R_SUCCESS); } @@ -14344,18 +14345,23 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (viewname != NULL && - strcmp(view->name, viewname) != 0) - continue; + static bool first = true; - if (view->nta_lifetime == 0) + if (viewname != NULL && strcmp(view->name, viewname) != 0) { continue; + } - if (!ttlset) + if (view->nta_lifetime == 0) { + continue; + } + + if (!ttlset) { ntattl = view->nta_lifetime; + } - if (ntatable != NULL) + if (ntatable != NULL) { dns_ntatable_detach(&ntatable); + } result = dns_view_getntatable(view, &ntatable); if (result == ISC_R_NOTFOUND) { 
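Review bot: `static bool first = true;` inside the view loop gives the flag static storage, so it is initialised once per process rather than once per `rndc nta` command: after the first command that adds or removes an NTA, `first` stays false and every later reply begins with a stray "\n" (and if control-channel commands can ever run concurrently the flag is shared between them as well). Make it an ordinary automatic variable, `bool first = true;`, declared with the other locals of named_server_nta before the `for` loop, so the separator logic resets on each call. The new check in tests.sh runs the command only once per server, so it would not catch this; a second invocation against the same server would show the extra line. named_server_nta begins before this hunk.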
@@ -14378,6 +14384,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, isc_time_set(&t, when, 0); isc_time_formattimestamp(&t, tbuf, sizeof(tbuf)); + if (!first) { + CHECK(putstr(text, "\n")); + } + first = false; + CHECK(putstr(text, "Negative trust anchor added: ")); CHECK(putstr(text, namebuf)); CHECK(putstr(text, "/")); @@ -14392,6 +14403,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, } else { CHECK(dns_ntatable_delete(ntatable, ntaname)); + if (!first) { + CHECK(putstr(text, "\n")); + } + first = false; + CHECK(putstr(text, "Negative trust anchor removed: ")); CHECK(putstr(text, namebuf)); CHECK(putstr(text, "/")); @@ -14411,11 +14427,10 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, "for view '%s': %s", view->name, isc_result_totext(result)); } - - CHECK(putnull(text)); - } + CHECK(putnull(text)); + cleanup: if (msg != NULL) { (void) putstr(text, msg); diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh index 65393720bd..8609ce4211 100644 --- a/bin/tests/system/rndc/clean.sh +++ b/bin/tests/system/rndc/clean.sh @@ -25,3 +25,4 @@ rm -f nsupdate.out.*.test* rm -f python.out.*.test* rm -f rndc.out.*.test* rm -f ns*/managed-keys.bind* ns*/*.mkeys* +rm -f ns*/*.nta diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in index e8dbfc4aeb..dd3529559e 100644 --- a/bin/tests/system/rndc/ns3/named.conf.in +++ b/bin/tests/system/rndc/ns3/named.conf.in @@ -14,7 +14,6 @@ options { pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; - recursion no; }; key rndc_key { @@ -31,8 +30,17 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +view all { + match-clients { any; }; -zone "." { - type hint; - file "../../common/root.hint"; + recursion no; + + zone "." { + type hint; + file "../../common/root.hint"; + }; +}; + +view none { + match-clients { none; }; }; 
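Review bot: The separator block `if (!first) { CHECK(putstr(text, "\n")); } first = false;` is now duplicated verbatim in the add branch (previous hunk) and in this remove branch. Unless something between the branch split and these lines can fail — the add call itself is not visible in the hunk — the block can be written once, immediately before the `if`/`else` that chooses between adding and deleting, which also keeps the two branches from drifting apart later. The enclosing function named_server_nta starts and ends outside this hunk.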
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 488ee841a6..ae27ef1abf 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -656,5 +656,14 @@ grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "check rndc nta reports adding to multiple views ($n)" +ret=0 +$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1 +lines=`cat rndc.out.test$n | wc -l` +[ ${lines:-0} -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From cc0abf62a1bb9c17dad4ace517ed654fd0b6d51e Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 3 Sep 2018 23:55:29 -0700 Subject: [PATCH 2/3] add -class option to rndc nta --- bin/named/server.c | 53 +++++++++++++++++++++++++--------- bin/rndc/rndc.docbook | 11 +++++-- bin/tests/system/rndc/clean.sh | 2 +- bin/tests/system/rndc/tests.sh | 16 ++++++++++ 4 files changed, 65 insertions(+), 17 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 926dcf03d0..374a365ecb 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -14232,6 +14232,7 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, dns_name_t *fname; dns_ttl_t ntattl; bool ttlset = false, excl = false; + dns_rdataclass_t rdclass = dns_rdataclass_in; UNUSED(force); 
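Review bot: The new check asserts only that `rndc nta test.com` printed two lines, not that each line reports the NTA for a different view, so a reply that names one view twice, or that gains a leading blank line, would still pass. Count the actual add lines instead, e.g. `[ $(grep -c "Negative trust anchor added: test.com/" rndc.out.test$n) -eq 2 ] || ret=1` (server.c appends the name and a "/" and, presumably, the view name after it), and drop the useless `cat`: `lines=$(wc -l < rndc.out.test$n)` (the file otherwise uses backtick substitution; either form is POSIX). Checking for the two distinct view names `all` and `none` from ns3/named.conf.in would pin the behaviour fully.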
@@ -14239,18 +14240,20 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, /* Skip the command name. */ ptr = next_token(lex, text); - if (ptr == NULL) + if (ptr == NULL) { return (ISC_R_UNEXPECTEDEND); + } for (;;) { /* Check for options */ ptr = next_token(lex, text); - if (ptr == NULL) + if (ptr == NULL) { return (ISC_R_UNEXPECTEDEND); + } - if (argcheck(ptr, "dump")) + if (argcheck(ptr, "dump")) { dump = true; - else if (argcheck(ptr, "remove")) { + } else if (argcheck(ptr, "remove")) { ntattl = 0; ttlset = true; } else if (argcheck(ptr, "force")) { @@ -14280,8 +14283,22 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, ttlset = true; continue; - } else + } else if (argcheck(ptr, "class")) { + isc_textregion_t tr; + + ptr = next_token(lex, text); + if (ptr == NULL) { + msg = "No class specified"; + CHECK(ISC_R_UNEXPECTEDEND); + } + + tr.base = ptr; + tr.length = strlen(ptr); + CHECK(dns_rdataclass_fromtext(&rdclass, &tr)); + continue; + } else { nametext = ptr; + } break; } @@ -14294,11 +14311,13 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (ntatable != NULL) + if (ntatable != NULL) { dns_ntatable_detach(&ntatable); + } result = dns_view_getntatable(view, &ntatable); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND) { continue; + } CHECK(dns_ntatable_totext(ntatable, text)); } CHECK(putnull(text)); 
@@ -14315,17 +14334,19 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, } /* Get the NTA name. */ - if (nametext == NULL) + if (nametext == NULL) { nametext = next_token(lex, text); - if (nametext == NULL) + } + if (nametext == NULL) { return (ISC_R_UNEXPECTEDEND); + } /* Copy nametext as it'll be overwritten by next_token() */ strlcpy(namebuf, nametext, DNS_NAME_FORMATSIZE); - if (strcmp(namebuf, ".") == 0) + if (strcmp(namebuf, ".") == 0) { ntaname = dns_rootname; - else { + } else { isc_buffer_t b; isc_buffer_init(&b, namebuf, strlen(namebuf)); isc_buffer_add(&b, strlen(namebuf)); @@ -14351,6 +14372,10 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, continue; } + if (view->rdclass != rdclass && rdclass != dns_rdataclass_any) { + continue; + } + if (view->nta_lifetime == 0) { continue; } @@ -14436,10 +14461,12 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, (void) putstr(text, msg); (void) putnull(text); } - if (excl) + if (excl) { isc_task_endexclusive(server->task); - if (ntatable != NULL) + } + if (ntatable != NULL) { dns_ntatable_detach(&ntatable); + } return (result); } diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index ccf5f8f477..2ab4d6d2db 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -575,7 +575,7 @@ nta - ( -d | -f | -r | -l duration) + ( -class class | -dump | -force | -remove | -lifetime duration) domain view @@ -623,7 +623,7 @@ is equivalent to . - If is used, any other arguments + If the is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up). @@ -640,10 +640,15 @@ lifetime, regardless of whether data could be validated if the NTA were not present. + + The view class can be specified with . + The default is class IN, which is + the only class for which DNSSEC is currently supported. + All of these options can be shortened, i.e., to , , , - and . + , and . 
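Review bot: The new class filter `if (view->rdclass != rdclass && rdclass != dns_rdataclass_any) continue;` makes a command whose class matches no view with an NTA lifetime fall straight through the loop, and as far as is visible here the function then returns ISC_R_SUCCESS with an empty reply, so `rndc nta -class ch name` (the exact case the new test relies on) looks like success to the operator. Track whether any view was processed, e.g. `bool matched = false;` set to true once a view passes the filters, and before the `CHECK(putnull(text));` that follows the loop add `if (!matched) { msg = "no matching view"; CHECK(ISC_R_NOTFOUND); }` (or whichever result the control channel maps to a failure) so the no-op is reported through the existing cleanup path. The same gap already existed for a `viewname` that matches nothing, so one check covers both. named_server_nta begins and ends outside this hunk.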
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh index 8609ce4211..3472273c27 100644 --- a/bin/tests/system/rndc/clean.sh +++ b/bin/tests/system/rndc/clean.sh @@ -12,7 +12,7 @@ rm -f dig.out.*.test* rm -f ns*/named.lock rm -f ns*/named.memstats -rm -f ns*/named.run +rm -f ns*/named.run ns*/named.run.prev rm -f ns2/named.stats rm -f ns2/nil.db ns2/other.db ns2/static.db ns2/*.jnl rm -f ns2/session.key diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index ae27ef1abf..b9dda3827e 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -486,6 +486,22 @@ grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret= if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "testing rndc nta -class option ($n)" +ret=0 +nextpart ns4/named.run > /dev/null +$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 +$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 +$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 +$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 +grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288 do n=`expr $n + 1` From 2f6ba87ab9acf13b0b61fefc3579b400dff96e51 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 15 Aug 2018 12:36:37 -0700 Subject: [PATCH 3/3] CHANGES, release notes --- CHANGES | 8 ++++++++ doc/arm/notes.xml | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) 
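Review bot: The two success cases, `nta -c in` and `nta -c any`, check only the named log for "added NTA" and never check rndc's own exit status or reply, unlike the earlier multi-view check which uses `|| ret=1`; a control-channel failure that happened to leave an old matching log line, or a reply-formatting regression, would pass. Append `|| ret=1` to both invocations and grep the replies, e.g. `grep "Negative trust anchor added: nta1.example/" rndc.out.1.test$n > /dev/null || ret=1`. The `-c ch` case can assert nothing about the reply because, as far as the server.c hunks show, an unmatched class is answered with an empty success; if that is changed to report an error, this test should grep for that message too.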
diff --git a/CHANGES b/CHANGES index d34243d064..02a932688b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,11 @@ +5033. [bug] When adding NTAs to multiple views using "rndc nta", + the text returned via rndc was incorrectly terminated + after the first line, making it look as if only one + NTA had been added. Also, it was not possible to + differentiate between views with the same name but + different classes; this has been corrected with the + addition of a "-class" option. [GL #105] + 5032. [func] Add krb5-selfsub and ms-selfsub update policy rules. [GL #511] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 96d6c2a900..a9f702a9ed 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -465,6 +465,14 @@ instead of using the resolver category. + + + The rndc nta command could not differentiate + between views of the same name but different class; this + has been corrected with the addition of a -class + option. [GL #105] + + @@ -497,6 +505,15 @@ to be non-resolvable. [GL #390] + + + When a negative trust anchor was added to multiple views + using rndc nta, the text returned via + rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been + added. This has been fixed. [GL #105] + + named now rejects excessively large