diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c index 0bf37db577..60dad979d7 100644 --- a/bin/check/check-tool.c +++ b/bin/check/check-tool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.18 2005/06/20 01:03:48 marka Exp $ */ +/* $Id: check-tool.c,v 1.19 2005/08/24 23:53:54 marka Exp $ */ /*! \file */ @@ -70,7 +70,7 @@ unsigned int zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX | DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES | - DNS_ZONEOPT_INTEGRITYCHECK | + DNS_ZONEOPT_CHECKINTEGRITY | DNS_ZONEOPT_CHECKWILDCARD; /* diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index c77974845b..f0a4dd269f 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.37 2005/08/23 02:36:05 marka Exp $ */ +/* $Id: named-checkconf.c,v 1.38 2005/08/24 23:53:54 marka Exp $ */ /*! \file */ @@ -166,9 +166,7 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig, cfg_obj_t *fmtobj = NULL; dns_masterformat_t masterformat; - zone_options = DNS_ZONEOPT_CHECKNS | - DNS_ZONEOPT_MANYERRORS | - DNS_ZONEOPT_INTEGRITYCHECK; + zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS; zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); classobj = cfg_tuple_get(zconfig, "class"); 
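Review bot: named-checkconf can end up checking less than named does, because configure_zone() in bin/check/named-checkconf.c now starts from `zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;`. The later hunk at line 219 sets DNS_ZONEOPT_CHECKINTEGRITY and DNS_ZONEOPT_CHECKSIBLING only when get_maps() finds the option. bin/named/config.c in this same commit defaults both options to yes, so if `maps` holds only the user's configuration (its construction is outside the hunks), a zone with neither option written out passes the tool and may still be rejected by named at load. Keeping the defaults in the initial value would align the two: `zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKINTEGRITY | DNS_ZONEOPT_CHECKSIBLING;`. The body of configure_zone() continues outside both hunks.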
@@ -219,6 +217,22 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig, zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; } + obj = NULL; + if (get_maps(maps, "check-integrity", &obj)) { + if (cfg_obj_asboolean(obj)) + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + else + zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY; + } + + obj = NULL; + if (get_maps(maps, "check-sibling", &obj)) { + if (cfg_obj_asboolean(obj)) + zone_options |= DNS_ZONEOPT_CHECKSIBLING; + else + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; + } + obj = NULL; if (get_checknames(maps, &obj)) { if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 9ca813a235..fcc8037c76 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.38 2005/08/22 00:58:18 marka Exp $ */ +/* $Id: named-checkzone.c,v 1.39 2005/08/24 23:53:55 marka Exp $ */ /*! \file */ 
@@ -145,19 +145,36 @@ main(int argc, char **argv) { case 'i': if (!strcmp(isc_commandline_argument, "full")) { - zone_options |= DNS_ZONEOPT_INTEGRITYCHECK; + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY | + DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_TRUE; + docheckns = ISC_TRUE; + dochecksrv = ISC_TRUE; + } else if (!strcmp(isc_commandline_argument, + "full-sibling")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; docheckmx = ISC_TRUE; docheckns = ISC_TRUE; dochecksrv = ISC_TRUE; } else if (!strcmp(isc_commandline_argument, "local")) { - zone_options |= DNS_ZONEOPT_INTEGRITYCHECK; + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options |= DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_FALSE; + docheckns = ISC_FALSE; + dochecksrv = ISC_FALSE; + } else if (!strcmp(isc_commandline_argument, + "local-sibling")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; docheckmx = ISC_FALSE; docheckns = ISC_FALSE; dochecksrv = ISC_FALSE; } else if (!strcmp(isc_commandline_argument, "none")) { - zone_options &= ~DNS_ZONEOPT_INTEGRITYCHECK; + zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; docheckmx = ISC_FALSE; docheckns = ISC_FALSE; dochecksrv = ISC_FALSE; diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook index c5c976975d..f902a19362 100644 --- a/bin/check/named-checkzone.docbook +++ b/bin/check/named-checkzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 13, 2000 @@ -174,7 +174,9 @@ Perform post load zone integrity checks. Possible modes are "full" (default), - "local" and + "full-sibling", + "local", + "local-sibling" and "none". 
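Review bot: In the `-i` handling in main() of bin/check/named-checkzone.c, the modes whose names end in "-sibling" are the ones that clear DNS_ZONEOPT_CHECKSIBLING, which reads as the opposite of what they do. A one-line comment on those two branches, for example `/* "-sibling" modes skip the sibling glue check */`, would prevent a misreading. The branches also mix styles: "full" ORs both flags in one statement while "local" uses two separate `|=` statements, and one form throughout would be easier to scan. No hunk in this diff touches the usage text, so if it lists the -i modes it needs the two new ones. The switch statement starts and ends outside the hunk.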
@@ -198,6 +200,12 @@ refer to in-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone. + + Mode "full-sibling" and + "local-sibling" disable sibling glue + checks but are otherwise the same as "full" + and "local" respectively. + Mode "none" disables the checks. diff --git a/bin/named/config.c b/bin/named/config.c index 36a6c3f101..e3e1f8f939 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.59 2005/08/23 02:36:06 marka Exp $ */ +/* $Id: config.c,v 1.60 2005/08/24 23:53:56 marka Exp $ */ /*! \file */ @@ -133,7 +133,6 @@ options {\n\ acache-cleaning-interval 60;\n\ max-acache-size 0;\n\ dnssec-enable no; /* Make yes for 9.4. */ \n\ - integrity-check yes;\n\ clients-per-query 10;\n\ max-clients-per-query 100;\n\ " @@ -167,6 +166,8 @@ options {\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ check-wildcard yes;\n\ + check-sibling yes;\n\ + check-integrity yes;\n\ };\n\ " diff --git a/bin/named/update.c b/bin/named/update.c index 04661de01e..6fa17bfbcf 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.123 2005/07/18 05:58:56 marka Exp $ */ +/* $Id: update.c,v 1.124 2005/08/24 23:53:57 marka Exp $ */ #include @@ -2199,7 +2199,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone, /* * Check zone integrity checks. */ - if ((options & DNS_ZONEOPT_INTEGRITYCHECK) == 0) + if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) continue; result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, 0, 0, NULL, foundname, NULL, NULL); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 2fb4e873f4..3f7b68b5d4 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.123 2005/08/23 02:36:08 marka Exp $ */ +/* $Id: zoneconf.c,v 1.124 2005/08/24 23:53:57 marka Exp $ */ /*% */ 
@@ -600,6 +600,11 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig, INSIST(result == ISC_R_SUCCESS); dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj)); + obj = NULL; + result = ns_config_get(maps, "check-sibling", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, + cfg_obj_asboolean(obj)); } /* @@ -666,9 +671,9 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig, dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail); obj = NULL; - result = ns_config_get(maps, "integrity-check", &obj); + result = ns_config_get(maps, "check-integrity", &obj); INSIST(obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_INTEGRITYCHECK, + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, cfg_obj_asboolean(obj)); } diff --git a/bin/tests/system/cacheclean/ns1/named.conf b/bin/tests/system/cacheclean/ns1/named.conf index 3d46e2493e..2f13e14e0e 100644 --- a/bin/tests/system/cacheclean/ns1/named.conf +++ b/bin/tests/system/cacheclean/ns1/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.6 2005/05/30 02:00:38 marka Exp $ */ +/* $Id: named.conf,v 1.7 2005/08/24 23:53:58 marka Exp $ */ controls { /* empty */ }; @@ -29,7 +29,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; - integrity-check no; + check-integrity no; }; zone "." { diff --git a/bin/tests/system/checknames/ns1/named.conf b/bin/tests/system/checknames/ns1/named.conf index 284c7b6d3f..5ae14cd515 100644 --- a/bin/tests/system/checknames/ns1/named.conf +++ b/bin/tests/system/checknames/ns1/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.6 2005/05/30 02:00:39 marka Exp $ */ +/* $Id: named.conf,v 1.7 2005/08/24 23:53:58 marka Exp $ */ controls { /* empty */ }; @@ -28,7 +28,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; - integrity-check no; + check-integrity no; }; zone "." { 
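Review bot: The two option lookups in ns_zone_configure() in bin/named/zoneconf.c assert different things. The added check-sibling code uses `INSIST(result == ISC_R_SUCCESS);`, while the check-integrity lookup in the hunk at line 666 assigns `result` but only has `INSIST(obj != NULL);`. Using `INSIST(result == ISC_R_SUCCESS);` in both places would keep the file consistent. Both assertions presumably hold only because bin/named/config.c supplies a default for each option, so a short comment such as `/* a default is always present in the built-in options */` above each lookup would explain why a missing value is treated as a programming error. The blocks enclosing both hunks start outside the visible lines.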
diff --git a/bin/tests/system/glue/ns1/named.conf b/bin/tests/system/glue/ns1/named.conf index 0f49dc3eb4..693e81d4bb 100644 --- a/bin/tests/system/glue/ns1/named.conf +++ b/bin/tests/system/glue/ns1/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.12 2005/05/30 02:00:39 marka Exp $ */ +/* $Id: named.conf,v 1.13 2005/08/24 23:53:59 marka Exp $ */ controls { /* empty */ }; @@ -30,7 +30,7 @@ options { recursion no; notify no; cache-file "cache"; - integrity-check no; + check-integrity no; }; zone "." { diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf index 8e0a5692eb..415e618a0f 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf +++ b/bin/tests/system/nsupdate/ns1/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.14 2005/05/20 01:09:35 marka Exp $ */ +/* $Id: named.conf,v 1.15 2005/08/24 23:53:59 marka Exp $ */ controls { /* empty */ }; @@ -43,7 +43,7 @@ controls { zone "example.nil" { type master; file "example.db"; - integrity-check no; + check-integrity no; allow-update { any; }; allow-transfer { any; }; }; @@ -51,7 +51,7 @@ zone "example.nil" { zone "update.nil" { type master; file "update.db"; - integrity-check no; + check-integrity no; allow-update { any; }; allow-transfer { any; }; also-notify { 10.53.0.2; }; diff --git a/bin/tests/system/xfer/ns2/named.conf b/bin/tests/system/xfer/ns2/named.conf index 7e523791f0..8fe3ed539b 100644 --- a/bin/tests/system/xfer/ns2/named.conf +++ b/bin/tests/system/xfer/ns2/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.20 2005/05/30 02:00:39 marka Exp $ */ +/* $Id: named.conf,v 1.21 2005/08/24 23:54:00 marka Exp $ */ controls { /* empty */ }; @@ -30,7 +30,7 @@ options { recursion no; notify yes; ixfr-from-differences yes; - integrity-check no; + check-integrity no; }; include "../../common/controls.conf"; 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index e7e263c817..152a987f0b 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4359,7 +4359,8 @@ category notify { null; }; ( warn | fail | ignore ); check-mx ( warn | fail | ignore ); check-wildcard yes_or_no; - integrity-checks yes_or_no; + check-integrity yes_or_no; + check-sibling yes_or_no; allow-notify { address_match_list }; allow-query { address_match_list }; allow-query-cache { address_match_list }; @@ -5507,7 +5508,7 @@ options { - integrity-check + check-integrity Perform post load zone integrity checks on master @@ -5524,6 +5525,15 @@ options { + + check-sibling + + + When performing integrity checks also check that + sibling glue exists. The default is yes. + + + @@ -7749,7 +7759,7 @@ view "external" { check-names (warn|fail|ignore) ; check-mx (warn|fail|ignore) ; check-wildcard yes_or_no; - integrity-checks yes_or_no ; + check-integrity yes_or_no ; dialup dialup_option ; delegation-only yes_or_no ; file string ; @@ -8160,11 +8170,21 @@ view "external" { - integrity-check + check-integrity See the description of - integrity-check in . + check-integrity in . + + + + + + check-sibling + + + See the description of + check-sibling in . diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index a70a913371..70e6fd7e70 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.136 2005/08/18 00:57:30 marka Exp $ */ +/* $Id: zone.h,v 1.137 2005/08/24 23:54:03 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 
@@ -58,8 +58,9 @@ typedef enum { #define DNS_ZONEOPT_CHECKWILDCARD 0x00002000U /*%< check for internal wildcards */ #define DNS_ZONEOPT_CHECKMX 0x00004000U /*%< check-mx */ #define DNS_ZONEOPT_CHECKMXFAIL 0x00008000U /*%< fatal check-mx failures */ -#define DNS_ZONEOPT_INTEGRITYCHECK 0x00010000U /*%< perform integrity checks */ -#define DNS_ZONEOPT_NOCHECKNS 0x00020000U /*%< disable IN NS address checks */ +#define DNS_ZONEOPT_CHECKINTEGRITY 0x00010000U /*%< perform integrity checks */ +#define DNS_ZONEOPT_CHECKSIBLING 0x00020000U /*%< perform sibling glue checks */ +#define DNS_ZONEOPT_NOCHECKNS 0x00040000U /*%< disable IN NS address checks */ #ifndef NOMINUM_PUBLIC /* diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ee70825737..a045728762 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.444 2005/08/18 00:57:29 marka Exp $ */ +/* $Id: zone.c,v 1.445 2005/08/24 23:54:02 marka Exp $ */ /*! \file */ @@ -1585,15 +1585,20 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, what = "SIBLING GLUE "; else what = ""; - dns_zone_log(zone, level, - "%s/NS '%s' has no %saddress records (A or AAAA)", - ownerbuf, namebuf, what); - /* - * Log missing address record. - */ - if (result == DNS_R_DELEGATION && zone->checkns != NULL) - answer = (zone->checkns)(zone, name, owner, &a, &aaaa); - answer = ISC_FALSE; + + if (result != DNS_R_DELEGATION || + DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) { + dns_zone_log(zone, level, "%s/NS '%s' has no %s" + "address records (A or AAAA)", + ownerbuf, namebuf, what); + /* + * Log missing address record. + */ + if (result == DNS_R_DELEGATION && zone->checkns != NULL) + (void)(zone->checkns)(zone, name, owner, + &a, &aaaa); + answer = ISC_FALSE; + } } else if (result == DNS_R_CNAME) { dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)", ownerbuf, namebuf); 
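Review bot: In lib/dns/include/dns/zone.h, DNS_ZONEOPT_NOCHECKNS changes value from 0x00020000U to 0x00040000U so that the new DNS_ZONEOPT_CHECKSIBLING can take its old bit. Any code built against the previous header would then toggle sibling glue checks when it means to disable NS address checks. Giving the new flag the next bit instead avoids the renumbering: `#define DNS_ZONEOPT_CHECKSIBLING 0x00040000U /*%< perform sibling glue checks */`. The definitions after `#ifndef NOMINUM_PUBLIC` are outside the hunk, so whichever value is used should be checked against them for collisions.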
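Review bot: In zone_check_glue() in lib/dns/zone.c, the retained comment `Log missing address record.` now sits between the dns_zone_log() call and the checkns callback, and the new `(void)` cast drops the callback's return value without saying why. If the intent is that missing glue fails the check whatever the callback returns, a comment such as `/* checkns only reports; the result is always a failure here */` would record it. With check-sibling off, missing sibling glue is now skipped without any log line, so an operator loses sight of it. If that visibility is wanted, an `else` branch logging at a debug level would keep it. The condition that selects "SIBLING GLUE " starts outside the hunk, so the new `result != DNS_R_DELEGATION` test should be confirmed to match it.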
@@ -1849,7 +1854,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, goto cleanup; } if (zone->type == dns_zone_master && - DNS_ZONE_OPTION(zone, DNS_ZONEOPT_INTEGRITYCHECK) && + DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) && !integrity_checks(zone, db)) { result = DNS_R_BADZONE; goto cleanup; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index ec04f808dc..3613b33c9a 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.55 2005/08/18 00:57:31 marka Exp $ */ +/* $Id: namedconf.c,v 1.56 2005/08/24 23:54:04 marka Exp $ */ /*! \file */ @@ -806,8 +806,9 @@ zone_clauses[] = { { "zone-statistics", &cfg_type_boolean, 0 }, { "key-directory", &cfg_type_qstring, 0 }, { "check-wildcard", &cfg_type_boolean, 0 }, - { "integrity-check", &cfg_type_boolean, 0 }, + { "check-integrity", &cfg_type_boolean, 0 }, { "check-mx", &cfg_type_checkmode, 0 }, + { "check-sibling", &cfg_type_boolean, 0 }, { NULL, NULL, 0 } };