2609. [func] Simplify the configuration of dynamic zones:

- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]
This commit is contained in:
Evan Hunt 2009-06-10 00:27:22 +00:00
parent afbe695de3
commit 351b62535d
59 changed files with 2348 additions and 1062 deletions

12
CHANGES

@ -1,3 +1,15 @@
2609. [func] Simplify the configuration of dynamic zones:
- add ddns-confgen command to generate
configuration text for named.conf
- add zone option "ddns-autoconf yes;", which
causes named to generate a TSIG session key
and allow updates to the zone using that key
- add '-l' (localhost) option to nsupdate, which
causes nsupdate to connect to a locally-running
named process using the session key generated
by named
[RT #19284]
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.


@ -13,13 +13,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.27 2009/03/02 23:47:43 tbox Exp $
# $Id: Makefile.in,v 1.28 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests tools nsupdate check
SUBDIRS = named rndc dig dnssec tests tools nsupdate check confgen
TARGETS =
@BIND9_MAKE_RULES@

100
bin/confgen/Makefile.in Normal file

@ -0,0 +1,100 @@
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.2 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
MANPAGES = rndc-confgen.8 ddns-confgen.8
HTMLPAGES = rndc-confgen.html ddns-confgen.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
-c ${srcdir}/ddns-confgen.c
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ keygen.@O@ \
${UOBJS} ${CONFLIBS}
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ddns-confgen.@O@ util.@O@ keygen.@O@ \
${UOBJS} ${CONFLIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
clean distclean maintainer-clean::
rm -f ${TARGETS}
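Review bot: `SRCS= rndc-confgen.c ddns-confgen.c` omits `util.c` and `keygen.c`, even though `util.@O@` and `keygen.@O@` are prerequisites of both link rules; if the tree's `depend` rule derives header dependencies from `SRCS` (presumably so, as in the sibling bin/ Makefiles), edits to `keygen.h` or `util.h` will not trigger a rebuild of those two objects. I'd change it to `SRCS= rndc-confgen.c ddns-confgen.c keygen.c util.c`. Separately, the `-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\"` define on the `ddns-confgen.@O@` rule is not referenced anywhere in the ddns-confgen.c added by this commit, so it is either dead or reserved for a key-file-writing path still to come; a one-line comment on that rule saying which would save the next reader a search.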


@ -0,0 +1,76 @@
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: ddns-confgen.8,v 1.2 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "DDNS-CONFGEN" 8 "Jan 29, 2009" "" ""
.SH NAME
ddns-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP 13
\fBddns\-confgen\fR [\fB\-a\ \fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fIkeyname\fR\fR] [\fB\-r\ \fIrandomfile\fR\fR] [\fB\-s\fR] [\fB\-q\fR] [name]
.SH "DESCRIPTION"
.PP
\fBddns\-confgen\fR generates a key for use by \fBnsupdate\fR and \fBnamed\fR\&. It simplifies configuration of dynamic zones by generating a key and providing the \fBnsupdate\fR and \fBnamed\&.conf\fR syntax that will be needed to use it, including an example \fBupdate\-policy\fR statement\&.
.PP
If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample \fBnamed\&.conf\fR syntax\&. For example, \fBddns\-confgen example\&.com\fR would generate a key called "ddns\-key\&.example\&.com", and sample \fBnamed\&.conf\fR command that could be used in the zone definition for "example\&.com"\&.
.PP
Note that \fBnamed\fR itself can configure a local DDNS key for use with \fBnsupdate \-l\fR\&. \fBddns\-confgen\fR is only needed when a more elaborate configuration is required: for instance, if \fBnsupdate\fR is to be used from a remote system\&.
.SH "OPTIONS"
.TP
\-a \fIalgorithm\fR
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.TP
\-h
Prints a short summary of the options and arguments to \fBddns\-confgen\fR\&.
.TP
\-k \fIkeyname\fR
Specifies the key name of the DDNS authentication key\&. The default is \fBddns\-key\fR\&. The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
.TP
\-q
Quiet mode: Print only the key, with no explanatory text or usage examples\&.
.TP
\-r \fIrandomfile\fR
Specifies a source of random data for generating the authorization\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
.TP
\-s
Self mode: The example \fBnamed\&.conf\fR text shows how to set an update policy using the "self" nametype, using a single key per each domain name for updates, instead of the "subdomain" nametype which allows matching on any name within a specified domain\&.
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1), \fBnamed\&.conf\fR(5), \fBnamed\fR(8), BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
Internet Systems Consortium

247
bin/confgen/ddns-confgen.c Normal file

@ -0,0 +1,247 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ddns-confgen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
/**
* ddns-confgen generates configuration files for dynamic DNS. It can
* be used as a convenient alternative to writing the ddns.key file
* and the corresponding key and update-policy statements in named.conf.
*/
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/assertions.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYNAME "ddns-key"
static char program[256];
const char *progname;
isc_boolean_t verbose = ISC_FALSE;
static void
usage(int status) {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-k keyname] [-r randomfile] [-q] [-z zone]\n\
-a alg: algorithm (default hmac-sha256)\n\
-k keyname: name of the key as it will be used in named.conf\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-z zone: name of the zone as it will be used named.conf\n\
-q: quiet mode: print the key, with no explanatory text\n",
progname);
exit (status);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_boolean_t quiet = ISC_FALSE;
isc_boolean_t self = ISC_FALSE;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *randomfile = NULL;
const char *keyname = NULL;
const char *zone = NULL;
char *keybuf = NULL;
dns_secalg_t alg = DST_ALG_HMACSHA256;
const char *algname = alg_totext(alg);
int keysize = 256;
int len = 0;
int ch;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS)
memcpy(program, "ddns-confgen", 13);
progname = program;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:hk:Mmr:qsVy:")) != -1) {
switch (ch) {
case 'a':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
fatal("Unsupported algorithm '%s'", algname);
keysize = alg_bits(alg);
break;
case 'h':
usage(0);
case 'k':
case 'y':
keyname = isc_commandline_argument;
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = ISC_TRUE;
break;
case 'q':
quiet = ISC_TRUE;
break;
case 'r':
randomfile = isc_commandline_argument;
break;
case 's':
self = ISC_TRUE;
case 'V':
verbose = ISC_TRUE;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(1);
} else
usage(0);
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc == 1)
zone = argv[0];
if (argc > 1)
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
if (self) {
if (zone == NULL)
usage(1);
keyname = zone;
} else {
if (keyname == NULL)
keyname = DEFAULT_KEYNAME;
if (zone != NULL) {
len = strlen(keyname) + strlen(zone) + 2;
keybuf = isc_mem_get(mctx, len);
snprintf(keybuf, len, "%s.%s", keyname, zone);
keyname = (const char *) keybuf;
}
}
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (!quiet)
printf("\
# To activate this key, place the following in named.conf, and\n\
# in a separate keyfile on the system or systems from which nsupdate\n\
# will be run:\n");
printf("\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n",
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer));
if (!quiet) {
if (zone == NULL) {
printf("\n\
# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
# update, place an \"update-policy\" statement granting update permission\n\
# to this key. For example, the following statement grants this key\n\
# permission to update any name within the zone:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
keyname);
} else if (self) {
printf("\n\
# Finally, in the \"zone\" statement for the zone containing the\n\
# name \"%s\", place an \"update-policy\" statement\n\
# like this one, adjusted as needed for your preferred permissions:\n\
update-policy {\n\
grant %s self . ANY;\n\
};\n",
zone, keyname);
} else {
printf("\n\
# Finally, in the \"zone\" definition statement for \"%s\",\n\
# place an \"update-policy\" statement like this one, adjusted as \n\
# needed for your preferred permissions:\n\
update-policy {\n\
grant %s subdomain %s%s ANY;\n\
};\n",
zone, keyname, zone,
zone[strlen(zone) - 1] == '.' ? "" : ".");
}
printf("\n\
# After the keyfile has been created, the following command will\n\
# execute nsupdate using this key:\n\
nsupdate -k <keyfile>\n");
}
if (zone != NULL && keybuf != NULL)
isc_mem_put(mctx, keybuf, len);
if (show_final_mem)
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}
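Review bot: `case 's':` sets `self = ISC_TRUE;` and then falls through into `case 'V':`, so `-s` silently also turns on verbose mode; a `break;` is missing after the assignment. The usage() text is also out of step with the parser: it advertises `-z zone`, which is not in the getopt string `"a:hk:Mmr:qsVy:"` (the zone is taken from the positional argument), and it omits `-s` and `-h`, which are accepted. In the subdomain branch, `zone[strlen(zone) - 1]` indexes before the buffer when an empty zone argument is given (`ddns-confgen ""`); reject it before that point, e.g. `if (zone != NULL && *zone == '\0') usage(1);`. The key name is also interpolated unquoted into the `key "%s" {` output, so a name containing a double quote yields a syntactically broken named.conf snippet — validating it as a DNS name, as the man page in this commit promises, would close that.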


@ -0,0 +1,199 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: ddns-confgen.docbook,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<refentry id="man.ddns-confgen">
<refentryinfo>
<date>Jan 29, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2001</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>ddns-confgen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-q</option></arg>
<arg choice="opt">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>ddns-confgen</command>
generates a key for use by <command>nsupdate</command>
and <command>named</command>. It simplifies configuration
of dynamic zones by generating a key and providing the
<command>nsupdate</command> and <command>named.conf</command>
syntax that will be needed to use it, including an example
<command>update-policy</command> statement.
</para>
<para>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<command>named.conf</command> syntax. For example,
<command>ddns-confgen example.com</command> would
generate a key called "ddns-key.example.com", and sample
<command>named.conf</command> command that could be used
in the zone definition for "example.com".
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance, if
<command>nsupdate</command> is to be used from a remote system.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>ddns-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant>.
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomfile</replaceable></term>
<listitem>
<para>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<filename>/dev/random</filename> or equivalent device, the
default source of randomness is keyboard input.
<filename>randomdev</filename> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard input
should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Self mode: The example <command>named.conf</command> text
shows how to set an update policy using the "self" nametype,
using a single key per each domain name for updates, instead of
the "subdomain" nametype which allows matching on any name
within a specified domain.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->


@ -0,0 +1,123 @@
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: ddns-confgen.html,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s</code>] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id215081"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
of dynamic zones by generating a key and providing the
<span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
syntax that will be needed to use it, including an example
<span><strong class="command">update-policy</strong></span> statement.
</p>
<p>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<span><strong class="command">named.conf</strong></span> syntax. For example,
<span><strong class="command">ddns-confgen example.com</strong></span> would
generate a key called "ddns-key.example.com", and sample
<span><strong class="command">named.conf</strong></span> command that could be used
in the zone definition for "example.com".
</p>
<p>
Note that <span><strong class="command">named</strong></span> itself can configure a
local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
<span><strong class="command">ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance, if
<span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215144"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">ddns-confgen</strong></span>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code>.
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<code class="filename">/dev/random</code> or equivalent device, the
default source of randomness is keyboard input.
<code class="filename">randomdev</code> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Self mode: The example <span><strong class="command">named.conf</strong></span> text
shows how to set an update policy using the "self" nametype,
using a single key per each domain name for updates, instead of
the "subdomain" nametype which allows matching on any name
within a specified domain.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id215274"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215312"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

219
bin/confgen/keygen.c Normal file

@ -0,0 +1,219 @@
/*
* Copyright (C) 2004-2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keygen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
/*%
* Convert algorithm type to string.
*/
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return "hmac-md5";
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
return "hmac-sha224";
case DST_ALG_HMACSHA256:
return "hmac-sha256";
case DST_ALG_HMACSHA384:
return "hmac-sha384";
case DST_ALG_HMACSHA512:
return "hmac-sha512";
default:
return "(unknown)";
}
}
/*%
* Convert string to algorithm type.
*/
dns_secalg_t
alg_fromtext(const char *name) {
if (strcmp(name, "hmac-md5") == 0)
return DST_ALG_HMACMD5;
if (strcmp(name, "hmac-sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcmp(name, "hmac-sha224") == 0)
return DST_ALG_HMACSHA224;
if (strcmp(name, "hmac-sha256") == 0)
return DST_ALG_HMACSHA256;
if (strcmp(name, "hmac-sha384") == 0)
return DST_ALG_HMACSHA384;
if (strcmp(name, "hmac-sha512") == 0)
return DST_ALG_HMACSHA512;
return DST_ALG_UNKNOWN;
}
/*%
* Return default keysize for a given algorithm type.
*/
int
alg_bits(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return 128;
case DST_ALG_HMACSHA1:
return 160;
case DST_ALG_HMACSHA224:
return 224;
case DST_ALG_HMACSHA256:
return 256;
case DST_ALG_HMACSHA384:
return 384;
case DST_ALG_HMACSHA512:
return 512;
default:
return 0;
}
}
/*%
* Generate a key of size 'keysize' using entropy source 'randomfile',
* and place it in 'key_txtbuffer'
*/
void
generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
int keysize, isc_buffer_t *key_txtbuffer) {
isc_result_t result = ISC_R_SUCCESS;
isc_entropysource_t *entropy_source = NULL;
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
int entropy_flags = 0;
isc_entropy_t *ectx = NULL;
isc_buffer_t key_rawbuffer;
isc_region_t key_rawregion;
char key_rawsecret[64];
dst_key_t *key = NULL;
switch (alg) {
case DST_ALG_HMACMD5:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 256)
fatal("keysize %d out of range (must be 1-256)\n",
keysize);
break;
default:
fatal("unsupported algorithm %d\n", alg);
}
DO("create entropy context", isc_entropy_create(mctx, &ectx));
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
open_keyboard));
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
DO("generate key", dst_key_generate(dns_rootname, alg,
keysize, 0, 0,
DNS_KEYPROTO_ANY,
dns_rdataclass_in, mctx, &key));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
key_txtbuffer));
/*
* Shut down the entropy source now so the "stop typing" message
* does not muck with the output.
*/
if (entropy_source != NULL)
isc_entropy_destroysource(&entropy_source);
if (key != NULL)
dst_key_free(&key);
isc_entropy_detach(&ectx);
dst_lib_destroy();
}
/*%
* Write a key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
void
write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret,
dns_secalg_t alg) {
isc_result_t result;
const char *algname = alg_totext(alg);
FILE *fd;
DO("create keyfile", isc_file_safecreate(keyfile, &fd));
if (user != NULL) {
if (set_user(fd, user) == -1)
fatal("unable to set file owner\n");
}
fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n",
keyname, algname,
(int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd))
fatal("write to %s failed\n", keyfile);
if (fclose(fd))
fatal("fclose(%s) failed\n", keyfile);
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}

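--- a/bin/confgen/keygen.h
+++ b/bin/confgen/keygen.h
@@ -0,0 +1,41 @@
+/*
+* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+*
+* Permission to use, copy, modify, and/or distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+* PERFORMANCE OF THIS SOFTWARE.
+*/
+/* $Id: keygen.h,v 1.2 2009/06/10 00:27:21 each Exp $ */
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+/*! \file */
+#include <isc/lang.h>
+ISC_LANG_BEGINDECLS
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+int keysize, isc_buffer_t *key_txtbuffer);
+void write_key_file(const char *keyfile, const char *user,
+const char *keyname, isc_buffer_t *secret,
+dns_secalg_t alg);
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+ISC_LANG_ENDDECLS
+#endif /* RNDC_KEYGEN_H */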
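Review bot: The header is not self-contained: the prototypes use `isc_mem_t`, `isc_buffer_t` and `dns_secalg_t`, but the only include is `<isc/lang.h>`, so keygen.h compiles only if every includer has already pulled in the right ISC/DNS headers in the right order; add `#include <isc/buffer.h>`, `#include <isc/mem.h>` and `#include <dns/types.h>` above `ISC_LANG_BEGINDECLS`. The guard `RNDC_KEYGEN_H` was carried over from rndc although the file lives under bin/confgen; `CONFGEN_KEYGEN_H` would match the directory and avoid a clash with any future rndc header of the same name. The prototypes also state no contract: the visible body of `generate_key` in keygen.c initialises only `key_rawbuffer` before base64-encoding into the caller's `key_txtbuffer`, so a comment above the prototype should say that the caller passes an already-initialised buffer large enough for the encoded secret, and that the function reports every failure through `fatal()` rather than a return value.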


@ -0,0 +1,95 @@
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc-confgen.8,v 1.2 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "RNDC-CONFGEN" 8 "Aug 27, 2001" "" ""
.SH NAME
rndc-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP 13
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fIkeysize\fR\fR] [\fB\-c\ \fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fIkeyname\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-r\ \fIrandomfile\fR\fR] [\fB\-s\ \fIaddress\fR\fR] [\fB\-t\ \fIchrootdir\fR\fR] [\fB\-u\ \fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR generates configuration files for \fBrndc\fR\&. It can be used as a convenient alternative to writing the \fIrndc\&.conf\fR file and the corresponding \fBcontrols\fR and \fBkey\fR statements in \fInamed\&.conf\fR by hand\&. Alternatively, it can be run with the \fB\-a\fR option to set up a \fIrndc\&.key\fR file and avoid the need for a \fIrndc\&.conf\fR file and a \fBcontrols\fR statement altogether\&.
.SH "OPTIONS"
.TP
\-a
Do automatic \fBrndc\fR configuration\&. This creates a file \fIrndc\&.key\fR in \fI/etc\fR (or whatever \fIsysconfdir\fR was specified as when BIND was built) that is read by both \fBrndc\fR and \fBnamed\fR on startup\&. The \fIrndc\&.key\fR file defines a default command channel and authentication key allowing \fBrndc\fR to communicate with \fBnamed\fR on the local host with no further configuration\&.
Running \fBrndc\-confgen \-a\fR allows BIND 9 and \fBrndc\fR to be used as drop\-in replacements for BIND 8 and \fBndc\fR, with no changes to the existing BIND 8 \fInamed\&.conf\fR file\&.
If a more elaborate configuration than that generated by \fBrndc\-confgen \-a\fR is required, for example if rndc is to be used remotely, you should run \fBrndc\-confgen\fR without the \fB\-a\fR option and set up a \fIrndc\&.conf\fR and \fInamed\&.conf\fR as directed\&.
.TP
\-b \fIkeysize\fR
Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is 128\&.
.TP
\-c \fIkeyfile\fR
Used with the \fB\-a\fR option to specify an alternate location for \fIrndc\&.key\fR\&.
.TP
\-h
Prints a short summary of the options and arguments to \fBrndc\-confgen\fR\&.
.TP
\-k \fIkeyname\fR
Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is \fBrndc\-key\fR\&.
.TP
\-p \fIport\fR
Specifies the command channel port where \fBnamed\fR listens for connections from \fBrndc\fR\&. The default is 953\&.
.TP
\-r \fIrandomfile\fR
Specifies a source of random data for generating the authorization\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
.TP
\-s \fIaddress\fR
Specifies the IP address where \fBnamed\fR listens for command channel connections from \fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
.TP
\-t \fIchrootdir\fR
Used with the \fB\-a\fR option to specify a directory where \fBnamed\fR will run chrooted\&. An additional copy of the \fIrndc\&.key\fR will be written relative to this directory so that it will be found by the chrooted \fBnamed\fR\&.
.TP
\-u \fIuser\fR
Used with the \fB\-a\fR option to set the owner of the \fIrndc\&.key\fR file generated\&. If \fB\-t\fR is also specified only the file in the chroot area has its owner changed\&.
.SH "EXAMPLES"
.PP
To allow \fBrndc\fR to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample \fIrndc\&.conf\fR file and corresponding \fBcontrols\fR and \fBkey\fR statements to be manually inserted into \fInamed\&.conf\fR, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8), \fBrndc\&.conf\fR(5), \fBnamed\fR(8), BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
Internet Systems Consortium


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc-confgen.c,v 1.26 2008/10/15 23:47:31 tbox Exp $ */
/* $Id: rndc-confgen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -52,9 +52,10 @@
#include <dns/name.h>
#include <dst/dst.h>
#include <rndc/os.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
@ -75,72 +76,36 @@ usage(int status) {
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: a file containing random data\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
/*%
* Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
static void
write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret )
{
FILE *fd;
fd = safe_create(keyfile);
if (fd == NULL)
fatal( "unable to create \"%s\"\n", keyfile);
if (user != NULL) {
if (set_user(fd, user) == -1)
fatal("unable to set file owner\n");
}
fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
"\tsecret \"%.*s\";\n};\n", keyname,
(int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd))
fatal("write to %s failed\n", keyfile);
if (fclose(fd))
fatal("fclose(%s) failed\n", keyfile);
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_buffer_t key_rawbuffer;
isc_buffer_t key_txtbuffer;
isc_region_t key_rawregion;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_entropy_t *ectx = NULL;
isc_entropysource_t *entropy_source = NULL;
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *key = NULL;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
char key_rawsecret[64];
char key_txtsecret[256];
dns_secalg_t alg = DST_ALG_HMACMD5;
const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
int entropy_flags = 0;
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
@ -237,53 +202,13 @@ main(int argc, char **argv) {
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
DO("create entropy context", isc_entropy_create(mctx, &ectx));
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
open_keyboard));
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
keysize, 0, 0,
DNS_KEYPROTO_ANY,
dns_rdataclass_in, mctx, &key));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
&key_txtbuffer));
/*
* Shut down the entropy source now so the "stop typing" message
* does not muck with the output.
*/
if (entropy_source != NULL)
isc_entropy_destroysource(&entropy_source);
if (key != NULL)
dst_key_free(&key);
isc_entropy_detach(&ectx);
dst_lib_destroy();
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
keyname, &key_txtbuffer);
keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
@ -294,14 +219,14 @@ main(int argc, char **argv) {
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
write_key_file(buf, user, keyname, &key_txtbuffer);
write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
algorithm hmac-md5;\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
@ -314,7 +239,7 @@ options {\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
# algorithm hmac-md5;\n\
# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
@ -323,11 +248,11 @@ options {\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
keyname,
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
keyname,
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
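Review bot: In the `@ -237,53 +202,13` hunk `key_txtbuffer` is no longer initialised before use: the old `isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret))` is deleted together with the inlined key generation, the new side adds only the `generate_key(...)` call, and the visible body of `generate_key` in keygen.c initialises `key_rawbuffer` but writes the base64 text straight into the caller's `key_txtbuffer`. Unless an init line was dropped by the page rendering, `isc_base64_totext` is handed an uninitialised `isc_buffer_t`, which will most likely fail a buffer-validity REQUIRE at runtime. Restore `isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));` immediately before the `generate_key` call in main(); main() begins before and continues after this hunk.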


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.docbook,v 1.13 2007/06/18 23:47:25 tbox Exp $ -->
<!-- $Id: rndc-confgen.docbook,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>


@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<!-- $Id: rndc-confgen.html,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543429"></a><h2>DESCRIPTION</h2>
<a name="id215112"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543474"></a><h2>OPTIONS</h2>
<a name="id215153"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@ -57,7 +57,7 @@
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
was specified as when <span class="acronym">BIND</span> was
built)
that is read by both <span><strong class="command">rndc</strong></span>
and <span><strong class="command">named</strong></span> on startup. The
@ -155,7 +155,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543787"></a><h2>EXAMPLES</h2>
<a name="id215471"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543829"></a><h2>SEE ALSO</h2>
<a name="id215511"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -180,7 +180,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543867"></a><h2>AUTHOR</h2>
<a name="id215549"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.5 2007/06/19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.2 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@


@ -15,13 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.c,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: os.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <config.h>
#include <rndc/os.h>
#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
@ -42,29 +42,3 @@ set_user(FILE *fd, const char *user) {
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}
FILE *
safe_create(const char *filename) {
int fd;
FILE *f;
struct stat sb;
int flags = O_WRONLY;
if (stat(filename, &sb) == -1) {
if (errno != ENOENT)
return (NULL);
flags = O_WRONLY | O_CREAT | O_EXCL;
} else if ((sb.st_mode & S_IFREG) == 0) {
errno = EOPNOTSUPP;
return (NULL);
} else
flags = O_WRONLY | O_TRUNC;
fd = open(filename, flags, S_IRUSR | S_IWUSR);
if (fd == -1)
return (NULL);
f = fdopen(fd, "w");
if (f == NULL)
close(fd);
return (f);
}

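--- a/bin/confgen/util.c
+++ b/bin/confgen/util.c
@@ -0,0 +1,57 @@
+/*
+* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+* Copyright (C) 2000, 2001 Internet Software Consortium.
+*
+* Permission to use, copy, modify, and/or distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+* PERFORMANCE OF THIS SOFTWARE.
+*/
+/* $Id: util.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
+/*! \file */
+#include <config.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <isc/boolean.h>
+#include "util.h"
+extern isc_boolean_t verbose;
+extern const char *progname;
+void
+notify(const char *fmt, ...) {
+va_list ap;
+if (verbose) {
+va_start(ap, fmt);
+vfprintf(stderr, fmt, ap);
+va_end(ap);
+fputs("\n", stderr);
+}
+}
+void
+fatal(const char *format, ...) {
+va_list args;
+fprintf(stderr, "%s: ", progname);
+va_start(args, format);
+vfprintf(stderr, format, args);
+va_end(args);
+fprintf(stderr, "\n");
+exit(1);
+}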
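Review bot: `notify()` and `fatal()` depend on `verbose` and `progname` being defined by whichever program links util.c, but that contract is visible only as the two `extern` lines in this file and not in util.h, so a new confgen tool that forgets either learns it at link time; move the two externs into util.h next to the prototypes. `fatal()` passes `progname` to `%s` unconditionally, so a call made before the program assigns it hands a null pointer to fprintf; either document that `progname` must be set before any `fatal()` call or guard the argument with `progname != NULL ? progname : ""`. Each function also deserves a one-line comment, e.g. `/* Print fmt to stderr, newline-terminated, only when 'verbose' is set. */` and `/* Print "progname: msg" to stderr and exit(1); never returns. */`.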

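--- a/bin/confgen/util.h
+++ b/bin/confgen/util.h
@@ -0,0 +1,51 @@
+/*
+* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+* Copyright (C) 2000, 2001 Internet Software Consortium.
+*
+* Permission to use, copy, modify, and/or distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+* PERFORMANCE OF THIS SOFTWARE.
+*/
+/* $Id: util.h,v 1.2 2009/06/10 00:27:21 each Exp $ */
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+/*! \file */
+#include <isc/lang.h>
+#include <isc/formatcheck.h>
+#define NS_CONTROL_PORT 953
+#undef DO
+#define DO(name, function) \
+do { \
+result = function; \
+if (result != ISC_R_SUCCESS) \
+fatal("%s: %s", name, isc_result_totext(result)); \
+else \
+notify("%s", name); \
+} while (0)
+ISC_LANG_BEGINDECLS
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+ISC_LANG_ENDDECLS
+#endif /* RNDC_UTIL_H */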
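Review bot: The `DO()` macro expands to `isc_result_totext(result)` and assigns a variable named `result`, yet util.h neither includes `<isc/result.h>` nor documents the hidden dependency on an `isc_result_t result` in the calling scope; add `#include <isc/result.h>` and a comment above the macro such as `/* Run 'function'; fatal() on any non-success result, notify() otherwise. Requires an isc_result_t named 'result' in the enclosing scope. */`. The guard `RNDC_UTIL_H` and the `NS_CONTROL_PORT` define are inherited from rndc although the header now serves all of bin/confgen; `CONFGEN_UTIL_H` would match the directory. The `#undef DO` silently overrides any earlier definition and should carry a one-line comment naming the header it is expected to collide with, or be dropped if none does.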


@ -15,11 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.c,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: os.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
#include <config.h>
#include <rndc/os.h>
#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
@ -33,33 +33,3 @@ int
set_user(FILE *fd, const char *user) {
return (0);
}
/*
* Note that the error code EOPNOTSUPP does not exist
* on win32 so we are forced to fall back to using
* ENOENT for now. WSAEOPNOTSUPP does exist but it
* should only be used for sockets.
*/
FILE *
safe_create(const char *filename) {
int fd;
FILE *f;
struct stat sb;
if (stat(filename, &sb) == -1) {
if (errno != ENOENT)
return (NULL);
} else if ((sb.st_mode & S_IFREG) == 0) {
errno = ENOENT;
return (NULL);
}
fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
if (fd == -1)
return (NULL);
f = fdopen(fd, "w");
if (f == NULL)
close(fd);
return (f);
}


@ -1,25 +1,7 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: bind.keys.h,v 1.5 2009/05/29 23:47:48 tbox Exp $ */
#define TRUSTED_KEYS "\
trusted-keys {\n\
# NOTE: This key expires September 2009 \n\
# Go to https://www.isc.org/solutions/dlv to download a replacement\n\
# NOTE: This key expires September 2009 \n\
# Go to https://www.isc.org/solutions/dlv to download a replacement\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
};\n\
"


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.96 2009/03/16 23:41:21 each Exp $ */
/* $Id: config.c,v 1.97 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -42,6 +42,8 @@
#include <dns/tsig.h>
#include <dns/zone.h>
#include <dst/dst.h>
#include <named/config.h>
#include <named/globals.h>
@ -57,7 +59,10 @@ options {\n\
files unlimited;\n\
stacksize default;\n"
#endif
" deallocate-on-exit true;\n\
"# ddns-keyfile \"" NS_LOCALSTATEDIR "/run/named/ddns.key\";\n\
ddns-keyname local-ddns;\n\
ddns-keyalg hmac-sha256;\n\
deallocate-on-exit true;\n\
# directory <none>\n\
dump-file \"named_dump.db\";\n\
fake-iquery no;\n\
@ -163,6 +168,7 @@ options {\n\
notify-delay 5;\n\
notify-to-soa no;\n\
dialup no;\n\
ddns-autoconf no;\n\
# forward <none>\n\
# forwarders <none>\n\
maintain-ixfr-base no;\n\
@ -766,22 +772,30 @@ struct keyalgorithms {
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
{ "hmac-md5", hmacmd5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
{ "hmac-sha1", hmacsha1, 160 },
{ "hmac-sha224", hmacsha224, 224 },
{ "hmac-sha256", hmacsha256, 256 },
{ "hmac-sha384", hmacsha384, 384 },
{ "hmac-sha512", hmacsha512, 512 },
{ NULL, hmacnone, 0 }
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
{ NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
{
return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
}
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, isc_uint16_t *digestbits)
{
int i;
size_t len = 0;
@ -820,6 +834,8 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
INSIST(0);
}
}
if (typep != NULL)
*typep = algorithms[i].type;
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);
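Review bot: In the defaults hunk at `@ -57,7 +59,10 @@` the commented `# ddns-keyfile` line spells out `NS_LOCALSTATEDIR "/run/named/ddns.key"` a second time, while the value actually applied when the option is absent is `ns_g_defaultddnskeyfile` from the globals.h hunk, which repeats the same literal; the two will drift silently if either is edited. Define the path once as a macro (a constructed name like `NS_DEFAULTDDNSKEYFILE`) and use it in both places, or at minimum add a C comment beside the string: `/* keep in sync with ns_g_defaultddnskeyfile in globals.h */`. In the `ns_config_getkeyalgorithm2` hunk `*typep` is assigned only on the success path, so callers must not read it after a failure; the function's header comment in config.h should say so, and `ns_config_getkeyalgorithm` is now a wrapper passing `NULL` for `typep`, which is fine.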


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: config.h,v 1.15 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
@ -75,5 +75,8 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits);
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, isc_uint16_t *digestbits);
#endif /* NAMED_CONFIG_H */
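Review bot: `ns_config_getkeyalgorithm2` is added to the public header without a description; the reader has to open config.c to learn that `typep` receives the DST_ALG_* value from the algorithm table and that both `typep` and `digestbits` may be NULL. Add a comment above the prototype: `/* Look up TSIG algorithm 'str'. On success, store the DST_ALG_* type in *typep and the digest bits in *digestbits; either pointer may be NULL. On failure neither output is written. */`. `ns_config_getkeyalgorithm` is now a wrapper that passes NULL for `typep`, so its comment (if any) should refer to the same contract.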


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: globals.h,v 1.82 2009/03/05 23:47:35 tbox Exp $ */
/* $Id: globals.h,v 1.83 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@ -30,6 +30,8 @@
#include <dns/zone.h>
#include <dst/dst.h>
#include <named/types.h>
#undef EXTERN
@ -89,6 +91,10 @@ EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key");
EXTERN dns_tsigkey_t * ns_g_ddnskey INIT(NULL);
EXTERN dns_name_t ns_g_ddnskeyname;
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
"/lwresd.conf");
EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
@ -113,6 +119,10 @@ EXTERN const char * ns_g_chrootdir INIT(NULL);
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
EXTERN const char * ns_g_defaultddnskeyfile INIT(NS_LOCALSTATEDIR
"/run/named/"
"ddns.key");
#if NS_RUN_PID_DIR
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named/"


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.97 2009/03/04 02:42:30 each Exp $ */
/* $Id: server.h,v 1.98 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@ -107,6 +107,12 @@ struct ns_server {
dns_acache_t *acache;
ns_statschannellist_t statschannels;
dns_tsigkey_t *ddnskey;
char *ddns_keyfile;
dns_name_t *ddns_keyname;
unsigned int ddns_keyalg;
isc_uint16_t ddns_keybits;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsigconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: tsigconf.h,v 1.17 2009/06/10 00:27:21 each Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
@ -36,8 +36,9 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*
* Requires:
* \li 'config' is not NULL.
* \li 'vconfig' is not NULL.
* \li 'mctx' is not NULL
* \li 'ring' is not NULL, and '*ring' is NULL
* \li 'ringp' is not NULL, and '*ringp' is NULL
*
* Returns:
* \li ISC_R_SUCCESS


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.532 2009/05/29 23:47:48 tbox Exp $ */
/* $Id: server.c,v 1.533 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -60,6 +60,7 @@
#include <dns/forward.h>
#include <dns/journal.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/lib.h>
#include <dns/master.h>
#include <dns/masterdump.h>
@ -149,7 +150,7 @@
* a cache. Only effective when a finite max-cache-size is specified.
* This is currently defined to be 8MB.
*/
#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
struct ns_dispatch {
isc_sockaddr_t addr;
@ -1215,7 +1216,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_uint32_t max_cache_size;
isc_uint32_t max_acache_size;
isc_uint32_t lame_ttl;
dns_tsig_keyring_t *ring;
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx;
dns_dispatch_t *dispatch4 = NULL;
@ -1745,9 +1746,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
/*
* Configure the view's TSIG keys.
*/
ring = NULL;
CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
if (ns_g_server->ddnskey != NULL) {
CHECK(dns_tsigkeyring_add(ring, ns_g_server->ddns_keyname,
ns_g_server->ddnskey));
}
dns_view_setkeyring(view, ring);
ring = NULL; /* ownership transferred */
/*
* Configure the view's peer list.
@ -2313,6 +2318,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
result = ISC_R_SUCCESS;
cleanup:
if (ring != NULL)
dns_tsigkeyring_destroy(&ring);
if (zone != NULL)
dns_zone_detach(&zone);
if (dispatch4 != NULL)
@ -3212,6 +3219,212 @@ removed(dns_zone_t *zone, void *uap) {
return (ISC_R_SUCCESS);
}
static void
cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
if (server->ddns_keyfile != NULL) {
isc_file_remove(server->ddns_keyfile);
isc_mem_free(mctx, server->ddns_keyfile);
server->ddns_keyfile = NULL;
}
if (server->ddns_keyname != NULL) {
if (dns_name_dynamic(server->ddns_keyname))
dns_name_free(server->ddns_keyname, mctx);
isc_mem_put(mctx, server->ddns_keyname, sizeof(dns_name_t));
server->ddns_keyname = NULL;
}
if (server->ddnskey != NULL)
dns_tsigkey_detach(&server->ddnskey);
server->ddns_keyalg = DST_ALG_UNKNOWN;
server->ddns_keybits = 0;
}
static isc_result_t
generate_session_key(const char *filename, const char *keynamestr,
dns_name_t *keyname, const char *algstr,
dns_name_t *algname, unsigned int algtype,
isc_uint16_t bits, isc_mem_t *mctx,
dns_tsigkey_t **tsigkeyp)
{
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *key = NULL;
isc_buffer_t key_txtbuffer;
isc_buffer_t key_rawbuffer;
char key_txtsecret[256];
char key_rawsecret[64];
isc_region_t key_rawregion;
isc_stdtime_t now;
dns_tsigkey_t *tsigkey = NULL;
FILE *fp = NULL;
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"generating session key for dynamic DNS");
/* generate key */
result = dst_key_generate(keyname, algtype, bits, 1, 0,
DNS_KEYPROTO_ANY, dns_rdataclass_in,
mctx, &key);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Dump the key to the buffer for later use. Should be done before
* we transfer the ownership of key to tsigkey.
*/
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
CHECK(dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
/* Store the key in tsigkey. */
isc_stdtime_get(&now);
CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
ISC_FALSE, NULL, now, now, mctx, NULL,
&tsigkey));
key = NULL; /* ownership of key has been transferred */
/* Dump the key to the key file. */
CHECK(isc_file_safecreate(filename, &fp));
fprintf(fp, "key \"%s\" {\n"
"\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
(int) isc_buffer_usedlength(&key_txtbuffer),
(char*) isc_buffer_base(&key_txtbuffer));
RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
*tsigkeyp = tsigkey;
return (ISC_R_SUCCESS);
cleanup:
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"failed to generate session key "
"for dynamic DNS: %s", isc_result_totext(result));
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
if (key != NULL)
dst_key_free(&key);
return (result);
}
static isc_result_t
configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
isc_mem_t *mctx)
{
const char *keyfile, *keynamestr, *algstr;
unsigned int algtype;
dns_fixedname_t fname;
dns_name_t *keyname, *algname;
isc_buffer_t buffer;
isc_uint16_t bits;
const cfg_obj_t *obj;
isc_boolean_t need_deleteold = ISC_FALSE;
isc_boolean_t need_createnew = ISC_FALSE;
isc_result_t result;
obj = NULL;
result = ns_config_get(maps, "ddns-keyfile", &obj);
if (result == ISC_R_SUCCESS) {
if (cfg_obj_isvoid(obj))
keyfile = NULL; /* disable it */
else
keyfile = cfg_obj_asstring(obj);
} else
keyfile = ns_g_defaultddnskeyfile;
obj = NULL;
result = ns_config_get(maps, "ddns-keyname", &obj);
INSIST(result == ISC_R_SUCCESS);
keynamestr = cfg_obj_asstring(obj);
dns_fixedname_init(&fname);
isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
isc_buffer_add(&buffer, strlen(keynamestr));
keyname = dns_fixedname_name(&fname);
result = dns_name_fromtext(keyname, &buffer, dns_rootname, ISC_FALSE,
NULL);
if (result != ISC_R_SUCCESS)
return (result);
obj = NULL;
result = ns_config_get(maps, "ddns-keyalg", &obj);
INSIST(result == ISC_R_SUCCESS);
algstr = cfg_obj_asstring(obj);
algname = NULL;
result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
if (result != ISC_R_SUCCESS) {
const char *s = " (keeping current key)";
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "ddns-keyalg: "
"unsupported or unknown algorithm '%s'%s",
algstr,
server->ddns_keyfile != NULL ? s : "");
return (result);
}
/* See if we need to (re)generate a new key. */
if (keyfile == NULL) {
if (server->ddns_keyfile != NULL)
need_deleteold = ISC_TRUE;
} else if (server->ddns_keyfile == NULL)
need_createnew = ISC_TRUE;
else if (strcmp(keyfile, server->ddns_keyfile) != 0 ||
!dns_name_equal(server->ddns_keyname, keyname) ||
server->ddns_keyalg != algtype ||
server->ddns_keybits != bits) {
need_deleteold = ISC_TRUE;
need_createnew = ISC_TRUE;
}
if (need_deleteold) {
INSIST(server->ddns_keyfile != NULL);
INSIST(server->ddns_keyname != NULL);
INSIST(server->ddnskey != NULL);
cleanup_session_key(server, mctx);
}
if (need_createnew) {
INSIST(server->ddnskey == NULL);
INSIST(server->ddns_keyfile == NULL);
INSIST(server->ddns_keyname == NULL);
INSIST(server->ddns_keyalg == DST_ALG_UNKNOWN);
INSIST(server->ddns_keybits == 0);
server->ddns_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
if (server->ddns_keyname == NULL)
goto cleanup;
dns_name_init(server->ddns_keyname, NULL);
CHECK(dns_name_dup(keyname, mctx, server->ddns_keyname));
server->ddns_keyfile = isc_mem_strdup(mctx, keyfile);
if (server->ddns_keyfile == NULL)
goto cleanup;
server->ddns_keyalg = algtype;
server->ddns_keybits = bits;
CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
algname, algtype, bits, mctx,
&server->ddnskey));
}
return (result);
cleanup:
cleanup_session_key(server, mctx);
return (result);
}
static isc_result_t
load_configuration(const char *filename, ns_server_t *server,
isc_boolean_t first_time)
@ -3642,6 +3855,15 @@ load_configuration(const char *filename, ns_server_t *server,
CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
&interval, ISC_FALSE));
/*
* Configure the server-wide session key. This must be done before
* configure views because zone configuration may require ddns-keyname.
* Failure of session key generation isn't fatal at this time; if it
* turns out that a session key is really needed but doesn't exist,
* we'll treat it as a fatal error then.
*/
(void)configure_session_key(maps, server, ns_g_mctx);
/*
* Configure and freeze all explicit views. Explicit
* views that have zones were already created at parsing
@ -4184,6 +4406,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
ns_statschannels_shutdown(server);
ns_controls_shutdown(server->controls);
end_reserved_dispatches(server, ISC_TRUE);
cleanup_session_key(server, server->mctx);
cfg_obj_destroy(ns_g_parser, &ns_g_config);
cfg_parser_destroy(&ns_g_parser);
@ -4216,6 +4439,11 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
dns_zonemgr_shutdown(server->zonemgr);
if (ns_g_ddnskey != NULL) {
dns_tsigkey_detach(&ns_g_ddnskey);
dns_name_free(&ns_g_ddnskeyname, server->mctx);
}
if (server->blackholeacl != NULL)
dns_acl_detach(&server->blackholeacl);
@ -4371,6 +4599,12 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
ISC_LIST_INIT(server->cachelist);
server->ddnskey = NULL;
server->ddns_keyfile = NULL;
server->ddns_keyname = NULL;
server->ddns_keyalg = DST_ALG_UNKNOWN;
server->ddns_keybits = 0;
server->magic = NS_SERVER_MAGIC;
*serverp = server;
}


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsigconf.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: tsigconf.c,v 1.31 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -149,6 +149,8 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_result_t result;
int i;
REQUIRE(ringp != NULL && *ringp == NULL);
i = 0;
if (config != NULL)
maps[i++] = config;


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.c,v 1.31 2008/11/17 05:41:10 marka Exp $ */
/* $Id: os.c,v 1.32 2009/06/10 00:27:21 each Exp $ */
#include <config.h>
#include <stdarg.h>
@ -66,6 +66,7 @@ ns_paths_init() {
ns_g_defaultpidfile = isc_ntpaths_get(NAMED_PID_PATH);
lwresd_g_defaultpidfile = isc_ntpaths_get(LWRESD_PID_PATH);
ns_g_keyfile = isc_ntpaths_get(RNDC_KEY_PATH);
ns_g_defaultddnskeyfile = isc_ntpaths_get(NAMED_DDNSKEY_PATH);
Initialized = TRUE;
}


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.149 2009/01/27 23:47:54 tbox Exp $ */
/* $Id: zoneconf.c,v 1.150 2009/06/10 00:27:21 each Exp $ */
/*% */
@ -55,16 +55,18 @@ typedef enum {
allow_update_forwarding
} acl_type_t;
/*%
* These are BIND9 server defaults, not necessarily identical to the
* library defaults defined in zone.c.
*/
#define RETERR(x) do { \
isc_result_t _r = (x); \
if (_r != ISC_R_SUCCESS) \
return (_r); \
} while (0)
#define CHECK(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
/*%
* Convenience function for configuring a single zone ACL.
*/
@ -169,7 +171,9 @@ parse_acl:
* Parse the zone update-policy statement.
*/
static isc_result_t
configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
const char *zname, isc_boolean_t autoddns)
{
const cfg_obj_t *updatepolicy = NULL;
const cfg_listelt_t *element, *element2;
dns_ssutable_t *table = NULL;
@ -177,7 +181,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
isc_result_t result;
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
if (updatepolicy == NULL) {
if (updatepolicy == NULL && !autoddns) {
dns_zone_setssutable(zone, NULL);
return (ISC_R_SUCCESS);
}
@ -198,6 +203,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
const char *str;
isc_boolean_t grant = ISC_FALSE;
isc_boolean_t usezone = ISC_FALSE;
unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
dns_fixedname_t fname, fident;
isc_buffer_t b;
@ -237,7 +243,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
mtype = DNS_SSUMATCHTYPE_TCPSELF;
else if (strcasecmp(str, "6to4-self") == 0)
mtype = DNS_SSUMATCHTYPE_6TO4SELF;
else
else if (strcasecmp(str, "zonesub") == 0) {
mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
usezone = ISC_TRUE;
} else
INSIST(0);
dns_fixedname_init(&fident);
@ -253,15 +262,28 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
}
dns_fixedname_init(&fname);
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
dns_rootname, ISC_FALSE, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
goto cleanup;
if (usezone) {
result = dns_name_copy(dns_zone_getorigin(zone),
dns_fixedname_name(&fname),
NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"error copying origin: %s",
isc_result_totext(result));
goto cleanup;
}
} else {
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fname),
&b, dns_rootname,
ISC_FALSE, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
goto cleanup;
}
}
n = ns_config_listcount(typelist);
@ -311,7 +333,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
}
/*
* If this is a "ddns-autoconf" zone and a DDNS session key exists,
* then use the default policy, equivalent to:
* update-policy { grant <ddns-keyname> zonesub any; };
*/
if (autoddns) {
dns_rdatatype_t any = dns_rdatatype_any;
if (ns_g_server->ddns_keyname == NULL) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"failed to enable auto DDNS policy "
"for zone %s: session key not found",
zname);
result = ISC_R_NOTFOUND;
goto cleanup;
}
result = dns_ssutable_addrule(table, ISC_TRUE,
ns_g_server->ddns_keyname,
DNS_SSUMATCHTYPE_SUBDOMAIN,
dns_zone_getorigin(zone),
1, &any);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
result = ISC_R_SUCCESS;
@ -431,6 +480,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff;
isc_boolean_t autoddns;
dns_masterformat_t masterformat;
isc_stats_t *zoneqrystats;
isc_boolean_t zonestats_on;
@ -731,6 +781,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update, ac, zone,
dns_zone_setupdateacl,
@ -744,7 +795,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"address, which is insecure",
zname);
RETERR(configure_zone_ssutable(zoptions, zone));
obj = NULL;
result = ns_config_get(maps, "ddns-autoconf", &obj);
INSIST(result == ISC_R_SUCCESS);
autoddns = cfg_obj_asboolean(obj);
RETERR(configure_zone_ssutable(zoptions, zone, zname,
autoddns));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
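Review bot: The generated grant in the `if (autoddns)` block of configure_zone_ssutable is appended after whatever explicit `update-policy` rules were parsed and takes its identity from the global `ns_g_server->ddns_keyname`, and neither the ordering dependency nor the global coupling is stated. Assuming `dns_ssutable_checkrules` (outside this diff) stops at the first matching rule, appending last means an explicit rule naming the session key still wins, which is a sensible default but should be written down so a later change to rule order does not silently widen the policy; I would extend the comment to: `/* Appended after the explicit rules so those take precedence; the identity is the server-wide session key (ns_g_server->ddns_keyname), there is no per-zone key. */`. The `ISC_R_NOTFOUND` / `goto cleanup` path also makes zone configuration fail outright when no session key exists (for example `ddns-keyfile` disabled in the server.c part of this commit), which is the "fatal only when actually needed" behaviour the server.c comment promises, so a one-line note such as `/* No session key: fail the zone rather than leave it silently non-updatable. */` would tie the two together. The enclosing function begins and ends outside this hunk.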


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.29 2008/08/29 23:47:22 tbox Exp $
# $Id: Makefile.in,v 1.30 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISC_INCLUDES} @DST_GSSAPI_INC@
${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
CWARNINGS =
@ -43,7 +43,7 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
@ -63,6 +63,11 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
nsupdate.@O@: nsupdate.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
-c ${srcdir}/nsupdate.c
nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
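Review bot: The new `nsupdate.@O@` rule bakes the client's default key path in as `-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\"`, while named's default for the same file comes from a separate definition in this commit (`ns_g_defaultddnskeyfile`, set from `NAMED_DDNSKEY_PATH` on Windows), so the two defaults live in different places and can drift without any build error, leaving `nsupdate -l` looking for a key named never wrote. Deriving both from one configure-substituted variable would remove the duplication; failing that, a comment here naming the other definition makes the coupling visible: `# Must match named's default session-key path (ns_g_defaultddnskeyfile / NAMED_DDNSKEY_PATH).` The same literal path is also quoted in the nsupdate man page in this commit, which is a third copy to keep in sync.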


@ -13,373 +13,165 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: nsupdate.1,v 1.5 2009/03/10 01:12:31 tbox Exp $
.\" $Id: nsupdate.1,v 1.6 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
.\" Title: nsupdate
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "NSUPDATE" "1" "Jun 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "NSUPDATE" 1 "Jun 30, 2000" "" ""
.SH NAME
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP 9
\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\fB\-g\fR\fR | \fB\fB\-o\fR\fR | \fB\fB\-y\ \fI[hmac:]keyname:secret\fR\fR\fR | \fB\fB\-k\ \fIkeyfile\fR\fR\fR] [\fB\-t\ \fItimeout\fR\fR] [\fB\-u\ \fIudptimeout\fR\fR] [\fB\-r\ \fIudpretries\fR\fR] [\fB\-R\ \fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
.SH "DESCRIPTION"
.PP
\fBnsupdate\fR
is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
\fBnsupdate\fR is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server\&. This allows resource records to be added or removed from a zone without manually editing the zone file\&. A single update request can contain requests to add or remove more than one resource record\&.
.PP
Zones that are under dynamic control via
\fBnsupdate\fR
or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.
Zones that are under dynamic control via \fBnsupdate\fR or a DHCP server should not be edited by hand\&. Manual edits could conflict with dynamic updates and cause data to be lost\&.
.PP
The resource records that are dynamically added or removed with
\fBnsupdate\fR
have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
The resource records that are dynamically added or removed with \fBnsupdate\fR have to be in the same zone\&. Requests are sent to the zone's master server\&. This is identified by the MNAME field of the zone's SOA record\&.
.PP
The
\fB\-d\fR
option makes
\fBnsupdate\fR
operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
The \fB\-d\fR option makes \fBnsupdate\fR operate in debug mode\&. This provides tracing information about the update requests that are made and the replies received from the name server\&.
.PP
The
\fB\-D\fR
option makes
\fBnsupdate\fR
report additional debugging information to
\fB\-d\fR.
The \fB\-D\fR option makes \fBnsupdate\fR report additional debugging information to \fB\-d\fR\&.
.PP
Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
\fBkey\fR
and
\fBserver\fR
statements would be added to
\fI/etc/named.conf\fR
so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
\fBnsupdate\fR
does not read
\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
The \fB\-L\fR option with an integer argument of zero or higher sets the logging debug level\&. If zero, logging is disabled\&.
.PP
\fBnsupdate\fR
uses the
\fB\-y\fR
or
\fB\-k\fR
option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the
\fB\-k\fR
option,
\fBnsupdate\fR
reads the shared secret from the file
\fIkeyfile\fR, whose name is of the form
\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
\fIK{name}.+157.+{random}.key\fR
must also be present. When the
\fB\-y\fR
option is used, a signature is generated from
[\fIhmac:\fR]\fIkeyname:secret.\fR
\fIkeyname\fR
is the name of the key, and
\fIsecret\fR
is the base64 encoded shared secret. Use of the
\fB\-y\fR
option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
\fBps\fR(1)
or in a history file maintained by the user's shell.
Transaction signatures can be used to authenticate the Dynamic DNS updates\&. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645\&. TSIG relies on a shared secret that should only be known to \fBnsupdate\fR and the name server\&. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104\&. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other\&. For instance, suitable \fBkey\fR and \fBserver\fR statements would be added to \fI/etc/named\&.conf\fR so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication\&. SIG(0) uses public key cryptography\&. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server\&. \fBnsupdate\fR does not read \fI/etc/named\&.conf\fR\&. GSS\-TSIG uses Kerberos credentials\&.
.PP
The
\fB\-k\fR
may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
\fBnsupdate\fR uses the \fB\-y\fR or \fB\-k\fR option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5\&. These options are mutually exclusive\&.
.PP
The
\fB\-g\fR
and
\fB\-o\fR
specify that GSS\-TSIG is to be used. The
\fB\-o\fR
should only be used with old Microsoft Windows 2000 servers.
When the \fB\-y\fR option is used, a signature is generated from [\fIhmac:\fR]\fIkeyname:secret\&.\fR \fIkeyname\fR is the name of the key, and \fIsecret\fR is the base64 encoded shared secret\&. Use of the \fB\-y\fR option is discouraged because the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from \fBps\fR(1) or in a history file maintained by the user's shell\&.
.PP
By default,
\fBnsupdate\fR
uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
\fB\-v\fR
option makes
\fBnsupdate\fR
use a TCP connection. This may be preferable when a batch of update requests is made.
With the \fB\-k\fR option, \fBnsupdate\fR reads the shared secret from the file \fIkeyfile\fR\&. Keyfiles may be in two formats: a single file containing a \fInamed\&.conf\fR\-format \fBkey\fR statement, which may be generated automatically by \fBddns\-confgen\fR, or a pair of files whose names are of the format \fIK{name}\&.+157\&.+{random}\&.key\fR and \fIK{name}\&.+157\&.+{random}\&.private\fR, which can be generated by \fBdnssec\-keygen\fR\&. The \fB\-k\fR may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests\&. In this case, the key specified is not an HMAC\-MD5 key\&.
.PP
The
\fB\-t\fR
option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
\fBnsupdate\fR can be run in a local\-host only mode using the \fB\-l\fR flag\&. This sets the server address to localhost (disabling the \fBserver\fR so that the server address cannot be overridden)\&. Connections to the local server will use a TSIG key found in \fI/var/run/named/ddns\&.key\fR, which is automatically generated by \fBnamed\fR if any local master zone has the \fBdynamic\fR zone option set to yes\&. The location of this key file can be overridden with the \fB\-k\fR option\&.
.PP
The
\fB\-u\fR
option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
By default, \fBnsupdate\fR uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used\&. The \fB\-v\fR option makes \fBnsupdate\fR use a TCP connection\&. This may be preferable when a batch of update requests is made\&.
.PP
The
\fB\-r\fR
option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
The \fB\-p\fR sets the default port number to use for connections to a name server\&. The default is 53\&.
.PP
The
\fB\-R \fR\fB\fIrandomdev\fR\fR
option specifies a source of randomness. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used. This option may be specified multiple times.
The \fB\-t\fR option sets the maximum time an update request can take before it is aborted\&. The default is 300 seconds\&. Zero can be used to disable the timeout\&.
.PP
The \fB\-u\fR option sets the UDP retry interval\&. The default is 3 seconds\&. If zero, the interval will be computed from the timeout interval and number of UDP retries\&.
.PP
The \fB\-r\fR option sets the number of UDP retries\&. The default is 3\&. If zero, only one update request will be made\&.
.PP
The \fB\-R \fIrandomdev\fR\fR option specifies a source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&. This option may be specified multiple times\&.
.SH "INPUT FORMAT"
.PP
\fBnsupdate\fR
reads input from
\fIfilename\fR
or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.
\fBnsupdate\fR reads input from \fIfilename\fR or standard input\&. Each command is supplied on exactly one line of input\&. Some commands are for administrative purposes\&. The others are either update instructions or prerequisite checks on the contents of the zone\&. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone\&. These conditions must be met if the entire update request is to succeed\&. Updates will be rejected if the tests for the prerequisite conditions fail\&.
.PP
Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the
\fBsend\fR
command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
.PP
The command formats and their meaning are as follows:
Every update request consists of zero or more prerequisites and zero or more updates\&. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone\&. A blank input line (or the \fBsend\fR command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server\&.
.PP
The command formats and their meaning are as follows:
.TP
\fBserver\fR {servername} [port]
.RS 4
Sends all dynamic update requests to the name server
\fIservername\fR. When no server statement is provided,
\fBnsupdate\fR
will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone.
\fIport\fR
is the port number on
\fIservername\fR
where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
.RE
.PP
Sends all dynamic update requests to the name server \fIservername\fR\&. When no server statement is provided, \fBnsupdate\fR will send updates to the master server of the correct zone\&. The MNAME field of that zone's SOA record will identify the master server for that zone\&. \fIport\fR is the port number on \fIservername\fR where the dynamic update requests get sent\&. If no port number is specified, the default DNS port number of 53 is used\&.
.TP
\fBlocal\fR {address} [port]
.RS 4
Sends all dynamic update requests using the local
\fIaddress\fR. When no local statement is provided,
\fBnsupdate\fR
will send updates using an address and port chosen by the system.
\fIport\fR
can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
.RE
.PP
Sends all dynamic update requests using the local \fIaddress\fR\&. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system\&. \fIport\fR can additionally be used to make requests come from a specific port\&. If no port number is specified, the system will assign one\&.
.TP
\fBzone\fR {zonename}
.RS 4
Specifies that all updates are to be made to the zone
\fIzonename\fR. If no
\fIzone\fR
statement is provided,
\fBnsupdate\fR
will attempt determine the correct zone to update based on the rest of the input.
.RE
.PP
Specifies that all updates are to be made to the zone \fIzonename\fR\&. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input\&.
.TP
\fBclass\fR {classname}
.RS 4
Specify the default class. If no
\fIclass\fR
is specified, the default class is
\fIIN\fR.
.RE
.PP
Specify the default class\&. If no \fIclass\fR is specified, the default class is \fIIN\fR\&.
.TP
\fBttl\fR {seconds}
.RS 4
Specify the default time to live for records to be added. The value
\fInone\fR
will clear the default ttl.
.RE
.PP
Specify the default time to live for records to be added\&. The value \fInone\fR will clear the default ttl\&.
.TP
\fBkey\fR {name} {secret}
.RS 4
Specifies that all updates are to be TSIG\-signed using the
\fIkeyname\fR
\fIkeysecret\fR
pair. The
\fBkey\fR
command overrides any key specified on the command line via
\fB\-y\fR
or
\fB\-k\fR.
.RE
.PP
Specifies that all updates are to be TSIG\-signed using the \fIkeyname\fR \fIkeysecret\fR pair\&. The \fBkey\fR command overrides any key specified on the command line via \fB\-y\fR or \fB\-k\fR\&.
.TP
\fBprereq nxdomain\fR {domain\-name}
.RS 4
Requires that no resource record of any type exists with name
\fIdomain\-name\fR.
.RE
.PP
Requires that no resource record of any type exists with name \fIdomain\-name\fR\&.
.TP
\fBprereq yxdomain\fR {domain\-name}
.RS 4
Requires that
\fIdomain\-name\fR
exists (has as at least one resource record, of any type).
.RE
.PP
Requires that \fIdomain\-name\fR exists (has as at least one resource record, of any type)\&.
.TP
\fBprereq nxrrset\fR {domain\-name} [class] {type}
.RS 4
Requires that no resource record exists of the specified
\fItype\fR,
\fIclass\fR
and
\fIdomain\-name\fR. If
\fIclass\fR
is omitted, IN (internet) is assumed.
.RE
.PP
Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR and \fIdomain\-name\fR\&. If \fIclass\fR is omitted, IN (internet) is assumed\&.
.TP
\fBprereq yxrrset\fR {domain\-name} [class] {type}
.RS 4
This requires that a resource record of the specified
\fItype\fR,
\fIclass\fR
and
\fIdomain\-name\fR
must exist. If
\fIclass\fR
is omitted, IN (internet) is assumed.
.RE
.PP
This requires that a resource record of the specified \fItype\fR, \fIclass\fR and \fIdomain\-name\fR must exist\&. If \fIclass\fR is omitted, IN (internet) is assumed\&.
.TP
\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
.RS 4
The
\fIdata\fR
from each set of prerequisites of this form sharing a common
\fItype\fR,
\fIclass\fR, and
\fIdomain\-name\fR
are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given
\fItype\fR,
\fIclass\fR, and
\fIdomain\-name\fR. The
\fIdata\fR
are written in the standard text representation of the resource record's RDATA.
.RE
.PP
The \fIdata\fR from each set of prerequisites of this form sharing a common \fItype\fR, \fIclass\fR, and \fIdomain\-name\fR are combined to form a set of RRs\&. This set of RRs must exactly match the set of RRs existing in the zone at the given \fItype\fR, \fIclass\fR, and \fIdomain\-name\fR\&. The \fIdata\fR are written in the standard text representation of the resource record's RDATA\&.
.TP
\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
.RS 4
Deletes any resource records named
\fIdomain\-name\fR. If
\fItype\fR
and
\fIdata\fR
is provided, only matching resource records will be removed. The internet class is assumed if
\fIclass\fR
is not supplied. The
\fIttl\fR
is ignored, and is only allowed for compatibility.
.RE
.PP
Deletes any resource records named \fIdomain\-name\fR\&. If \fItype\fR and \fIdata\fR is provided, only matching resource records will be removed\&. The internet class is assumed if \fIclass\fR is not supplied\&. The \fIttl\fR is ignored, and is only allowed for compatibility\&.
.TP
\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
.RS 4
Adds a new resource record with the specified
\fIttl\fR,
\fIclass\fR
and
\fIdata\fR.
.RE
.PP
Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR\&.
.TP
\fBshow\fR
.RS 4
Displays the current message, containing all of the prerequisites and updates specified since the last send.
.RE
.PP
Displays the current message, containing all of the prerequisites and updates specified since the last send\&.
.TP
\fBsend\fR
.RS 4
Sends the current message. This is equivalent to entering a blank line.
.RE
.PP
Sends the current message\&. This is equivalent to entering a blank line\&.
.TP
\fBanswer\fR
.RS 4
Displays the answer.
.RE
.PP
Displays the answer\&.
.TP
\fBdebug\fR
.RS 4
Turn on debugging.
.RE
Turn on debugging\&.
.PP
Lines beginning with a semicolon are comments and are ignored.
Lines beginning with a semicolon are comments and are ignored\&.
.SH "EXAMPLES"
.PP
The examples below show how
\fBnsupdate\fR
could be used to insert and delete resource records from the
\fBexample.com\fR
zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
\fBexample.com\fR.
.sp
.RS 4
The examples below show how \fBnsupdate\fR could be used to insert and delete resource records from the \fBexample\&.com\fR zone\&. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample\&.com\fR\&.
.nf
# nsupdate
> update delete oldhost.example.com A
> update add newhost.example.com 86400 A 172.16.1.1
> update delete oldhost\&.example\&.com A
> update add newhost\&.example\&.com 86400 A 172\&.16\&.1\&.1
> send
.fi
.RE
.sp
.PP
Any A records for
\fBoldhost.example.com\fR
are deleted. And an A record for
\fBnewhost.example.com\fR
with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds).
.sp
.RS 4
Any A records for \fBoldhost\&.example\&.com\fR are deleted\&. And an A record for \fBnewhost\&.example\&.com\fR with IP address 172\&.16\&.1\&.1 is added\&. The newly\-added record has a 1 day TTL (86400 seconds)\&.
.nf
# nsupdate
> prereq nxdomain nickname.example.com
> update add nickname.example.com 86400 CNAME somehost.example.com
> prereq nxdomain nickname\&.example\&.com
> update add nickname\&.example\&.com 86400 CNAME somehost\&.example\&.com
> send
.fi
.RE
.sp
.PP
The prerequisite condition gets the name server to check that there are no resource records of any type for
\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
The prerequisite condition gets the name server to check that there are no resource records of any type for \fBnickname\&.example\&.com\fR\&. If there are, the update request fails\&. If this name does not exist, a CNAME for it is added\&. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME\&. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records\&.)
.SH "FILES"
.PP
\fB/etc/resolv.conf\fR
.RS 4
.TP
\fB/etc/resolv\&.conf\fR
used to identify default name server
.RE
.PP
\fBK{name}.+157.+{random}.key\fR
.RS 4
base\-64 encoding of HMAC\-MD5 key created by
\fBdnssec\-keygen\fR(8).
.RE
.PP
\fBK{name}.+157.+{random}.private\fR
.RS 4
base\-64 encoding of HMAC\-MD5 key created by
\fBdnssec\-keygen\fR(8).
.RE
.TP
\fB/var/run/named/ddns\&.key\fR
sets the default TSIG key for use in local\-only mode
.TP
\fBK{name}\&.+157\&.+{random}\&.key\fR
base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8)\&.
.TP
\fBK{name}\&.+157\&.+{random}\&.private\fR
base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8)\&.
.SH "SEE ALSO"
.PP
\fBRFC2136\fR(),
\fBRFC3007\fR(),
\fBRFC2104\fR(),
\fBRFC2845\fR(),
\fBRFC1034\fR(),
\fBRFC2535\fR(),
\fBRFC2931\fR(),
\fBnamed\fR(8),
\fBdnssec\-keygen\fR(8).
\fBRFC2136\fR(), \fBRFC3007\fR(), \fBRFC2104\fR(), \fBRFC2845\fR(), \fBRFC1034\fR(), \fBRFC2535\fR(), \fBRFC2931\fR(), \fBnamed\fR(8), \fBddns\-confgen\fR(8), \fBdnssec\-keygen\fR(8)\&.
.SH "BUGS"
.PP
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
.SH "COPYRIGHT"
Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
The TSIG key is redundantly stored in two separate files\&. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases\&.

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.166 2009/04/30 07:10:09 marka Exp $ */
/* $Id: nsupdate.c,v 1.167 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -33,6 +33,7 @@
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/lex.h>
#include <isc/log.h>
@ -49,6 +50,8 @@
#include <isc/types.h>
#include <isc/util.h>
#include <isccfg/namedconf.h>
#include <dns/callbacks.h>
#include <dns/dispatch.h>
#include <dns/dnssec.h>
@ -105,6 +108,8 @@ extern int h_errno;
#define DNSDEFAULTPORT 53
static isc_uint16_t dnsport = DNSDEFAULTPORT;
#ifndef RESOLV_CONF
#define RESOLV_CONF "/etc/resolv.conf"
#endif
@ -118,6 +123,7 @@ static isc_boolean_t usevc = ISC_FALSE;
static isc_boolean_t usegsstsig = ISC_FALSE;
static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
static isc_boolean_t local_only = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
@ -147,7 +153,8 @@ static isc_sockaddr_t *userserver = NULL;
static isc_sockaddr_t *localaddr = NULL;
static isc_sockaddr_t *serveraddr = NULL;
static isc_sockaddr_t tempaddr;
static char *keystr = NULL, *keyfile = NULL;
static const char *keyfile = NULL;
static char *keystr = NULL;
static isc_entropy_t *entropy = NULL;
static isc_boolean_t shuttingdown = ISC_FALSE;
static FILE *input;
@ -550,22 +557,90 @@ setup_keystr(void) {
isc_mem_free(mctx, secret);
}
/*
* Get a key from a named.conf format keyfile
*/
static isc_result_t
read_ddnskey(isc_mem_t *mctx, isc_log_t *lctx) {
cfg_parser_t *pctx = NULL;
cfg_obj_t *ddnskey = NULL;
const cfg_obj_t *key = NULL;
const cfg_obj_t *secretobj = NULL;
const cfg_obj_t *algorithmobj = NULL;
const char *keyname;
const char *secretstr;
const char *algorithm;
isc_result_t result;
int len;
if (! isc_file_exists(keyfile))
return (ISC_R_FILENOTFOUND);
result = cfg_parser_create(mctx, lctx, &pctx);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = cfg_parse_file(pctx, keyfile, &cfg_type_ddnskey, &ddnskey);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = cfg_map_get(ddnskey, "key", &key);
if (result != ISC_R_SUCCESS)
goto cleanup;
(void) cfg_map_get(key, "secret", &secretobj);
(void) cfg_map_get(key, "algorithm", &algorithmobj);
if (secretobj == NULL || algorithmobj == NULL)
fatal("key must have algorithm and secret");
keyname = cfg_obj_asstring(cfg_map_getname(key));
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
keystr = isc_mem_allocate(mctx, len);
snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
setup_keystr();
cleanup:
if (pctx != NULL) {
if (ddnskey != NULL)
cfg_obj_destroy(pctx, &ddnskey);
cfg_parser_destroy(&pctx);
}
if (keystr != NULL)
isc_mem_free(mctx, keystr);
return (result);
}
static void
setup_keyfile(void) {
setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
dst_key_t *dstkey = NULL;
isc_result_t result;
dns_name_t *hmacname = NULL;
debug("Creating key...");
/* Try reading the key from a K* pair */
result = dst_key_fromnamedfile(keyfile,
DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
&dstkey);
/* If that didn't work, try reading it as a ddns.key keyfile */
if (result != ISC_R_SUCCESS) {
result = read_ddnskey(mctx, lctx);
if (result == ISC_R_SUCCESS)
return;
}
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not read key from %s: %s\n",
keyfile, isc_result_totext(result));
return;
}
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
@ -726,7 +801,7 @@ setup_system(void) {
if (servers == NULL)
fatal("out of memory");
localhost.s_addr = htonl(INADDR_LOOPBACK);
isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
isc_sockaddr_fromin(&servers[0], &localhost, dnsport);
} else {
servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
@ -735,12 +810,12 @@ setup_system(void) {
if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
struct in_addr in4;
memcpy(&in4, lwconf->nameservers[i].address, 4);
isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
isc_sockaddr_fromin(&servers[i], &in4, dnsport);
} else {
struct in6_addr in6;
memcpy(&in6, lwconf->nameservers[i].address, 16);
isc_sockaddr_fromin6(&servers[i], &in6,
DNSDEFAULTPORT);
dnsport);
}
}
}
@ -807,8 +882,10 @@ setup_system(void) {
if (keystr != NULL)
setup_keystr();
else if (local_only)
read_ddnskey(mctx, lctx);
else if (keyfile != NULL)
setup_keyfile();
setup_keyfile(mctx, lctx);
}
static void
@ -825,7 +902,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
INSIST(count == 1);
}
#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
static void
pre_parse_args(int argc, char **argv) {
@ -842,10 +919,11 @@ pre_parse_args(int argc, char **argv) {
break;
case '?':
case 'h':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
argv[0], isc_commandline_option);
fprintf(stderr, "usage: nsupdate [-d] "
fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
"[-g | -o | -y keyname:secret | -k keyfile] "
"[-v] [filename]\n");
exit(1);
@ -877,6 +955,9 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
case 'M':
break;
case 'l':
local_only = ISC_TRUE;
break;
case 'L':
result = isc_parse_uint32(&i, isc_commandline_argument,
10);
if (result != ISC_R_SUCCESS) {
@ -903,6 +984,15 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
usegsstsig = ISC_TRUE;
use_win2k_gsstsig = ISC_TRUE;
break;
case 'p':
result = isc_parse_uint16(&dnsport,
isc_commandline_argument, 10);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "bad port number "
"'%s'\n", isc_commandline_argument);
exit(1);
}
break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
@ -948,6 +1038,22 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
exit(1);
}
if (local_only) {
struct in_addr localhost;
if (keyfile == NULL)
keyfile = DDNS_KEYFILE;
if (userserver == NULL) {
userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
if (userserver == NULL)
fatal("out of memory");
}
localhost.s_addr = htonl(INADDR_LOOPBACK);
isc_sockaddr_fromin(userserver, &localhost, dnsport);
}
#ifdef GSSAPI
if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
@ -956,7 +1062,7 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
}
#else
if (usegsstsig) {
fprintf(stderr, "%s: cannot specify -g or -o, " \
fprintf(stderr, "%s: cannot specify -g or -o, " \
"program not linked with GSS API Library\n",
argv[0]);
exit(1);
@ -1205,6 +1311,11 @@ evaluate_server(char *cmdline) {
char *word, *server;
long port;
if (local_only) {
fprintf(stderr, "cannot reset server in localhost-only mode\n");
return (STATUS_SYNTAX);
}
word = nsu_strsep(&cmdline, " \t\r\n");
if (*word == 0) {
fprintf(stderr, "could not read server name\n");
@ -1214,7 +1325,7 @@ evaluate_server(char *cmdline) {
word = nsu_strsep(&cmdline, " \t\r\n");
if (*word == 0)
port = DNSDEFAULTPORT;
port = dnsport;
else {
char *endp;
port = strtol(word, &endp, 10);
@ -1803,9 +1914,9 @@ get_next_command(void) {
"server address [port] (set master server for zone)\n"
"send (send the update request)\n"
"show (show the update request)\n"
"answer (show the answer to the last request)\n"
"answer (show the answer to the last request)\n"
"quit (quit, any pending update is not sent\n"
"help (display this message_\n"
"help (display this message_\n"
"key [hmac:]keyname secret (use TSIG to sign the request)\n"
"gsstsig (use GSS_TSIG to sign the request)\n"
"oldgsstsig (use Microsoft's GSS_TSIG to sign the request)\n"
@ -2195,7 +2306,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
result = dns_name_totext(&master, ISC_TRUE, &buf);
check_result(result, "dns_name_totext");
serverstr[isc_buffer_usedlength(&buf)] = 0;
get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
get_address(serverstr, dnsport, &tempaddr);
serveraddr = &tempaddr;
}
dns_rdata_freestruct(&soa);
@ -2299,7 +2410,7 @@ start_gssrequest(dns_name_t *master)
fatal("out of memory");
}
if (userserver == NULL)
get_address(namestr, DNSDEFAULTPORT, kserver);
get_address(namestr, dnsport, kserver);
else
(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
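Review bot: In setup_system the new `else if (local_only) read_ddnskey(mctx, lctx);` discards the result, so with `-l` a missing, unreadable or malformed key file produces no diagnostic at all and, as far as the hunk shows, the run continues without a TSIG key and the user only sees whatever the server answers; setup_keyfile in the same commit at least prints `could not read key from %s: %s`. Store the result in a local and fail the same way, e.g. `result = read_ddnskey(mctx, lctx);` followed by `if (result != ISC_R_SUCCESS) fatal(...)` with `keyfile` and `isc_result_totext(result)` in the message (setup_system's body begins and ends outside the hunk, so check whether a `result` local already exists). In read_ddnskey's cleanup, `isc_mem_free(mctx, keystr);` leaves `keystr` pointing at freed memory that held the secret in cleartext; add `keystr = NULL;` after the free, and consider clearing the buffer before releasing it, so no later test of `keystr` can act on a dangling pointer. Related: the `-l` block in parse_args assigns `keyfile = DDNS_KEYFILE` before the `usegsstsig && (keyfile != NULL || keystr != NULL)` check, so `-l -g` is rejected with the misleading message "cannot specify -g with -k or -y"; either test `local_only` separately or word the message to include `-l`.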

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.37 2009/03/09 04:18:51 marka Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.38 2009/06/10 00:27:21 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
@ -110,6 +110,10 @@
The <option>-D</option> option makes <command>nsupdate</command>
report additional debugging information to <option>-d</option>.
</para>
<para>
The <option>-L</option> option with an integer argument of zero or
higher sets the logging debug level. If zero, logging is disabled.
</para>
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
@ -137,40 +141,50 @@
uses the <option>-y</option> or <option>-k</option> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
HMAC-MD5. These options are mutually exclusive. With the
<option>-k</option> option, <command>nsupdate</command> reads
the shared secret from the file <parameter>keyfile</parameter>,
whose name is of the form
<filename>K{name}.+157.+{random}.private</filename>. For
historical reasons, the file
<filename>K{name}.+157.+{random}.key</filename> must also be
present. When the <option>-y</option> option is used, a
signature is generated from
<optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
<parameter>keyname</parameter> is the name of the key, and
<parameter>secret</parameter> is the base64 encoded shared
secret. Use of the <option>-y</option> option is discouraged
because the shared secret is supplied as a command line
argument in clear text. This may be visible in the output
from
<citerefentry>
<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
</citerefentry> or in a history file maintained by the user's
shell.
HMAC-MD5. These options are mutually exclusive.
</para>
<para>
When the <option>-y</option> option is used, a signature is
generated from
<optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
<parameter>keyname</parameter> is the name of the key, and
<parameter>secret</parameter> is the base64 encoded shared secret.
Use of the <option>-y</option> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<citerefentry>
<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>
or in a history file maintained by the user's shell.
</para>
<para>
With the
<option>-k</option> option, <command>nsupdate</command> reads
the shared secret from the file <parameter>keyfile</parameter>.
Keyfiles may be in two formats: a single file containing
a <filename>named.conf</filename>-format <command>key</command>
statement, which may be generated automatically by
<command>ddns-confgen</command>, or a pair of files whose names are
of the format <filename>K{name}.+157.+{random}.key</filename> and
<filename>K{name}.+157.+{random}.private</filename>, which can be
generated by <command>dnssec-keygen</command>.
The <option>-k</option> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
<para>
The <option>-g</option> and <option>-o</option> specify that
GSS-TSIG is to be used. The <option>-o</option> should only
be used with old Microsoft Windows 2000 servers.
<command>nsupdate</command> can be run in a local-host only mode
using the <option>-l</option> flag. This sets the server address to
localhost (disabling the <command>server</command> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <filename>/var/run/named/ddns.key</filename>,
which is automatically generated by <command>named</command> if any
local master zone has the <command>dynamic</command> zone option set
to yes. The location of this key file can be overridden with
the <option>-k</option> option.
</para>
<para>
By default,
<command>nsupdate</command>
By default, <command>nsupdate</command>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
@ -180,6 +194,10 @@
use a TCP connection.
This may be preferable when a batch of update requests is made.
</para>
<para>
The <option>-p</option> sets the default port number to use for
connections to a name server. The default is 53.
</para>
<para>
The <option>-t</option> option sets the maximum time an update request
can
@ -630,6 +648,15 @@
</listitem>
</varlistentry>
<varlistentry>
<term><constant>/var/run/named/ddns.key</constant></term>
<listitem>
<para>
sets the default TSIG key for use in local-only mode
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>K{name}.+157.+{random}.key</constant></term>
<listitem>
@ -683,6 +710,9 @@
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.

@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.html,v 1.42 2009/03/10 01:12:31 tbox Exp $ -->
<!-- $Id: nsupdate.html,v 1.43 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nsupdate</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.nsupdate"></a><div class="titlepage"></div>
@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543449"></a><h2>DESCRIPTION</h2>
<a name="id215133"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
@ -69,6 +69,10 @@
The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
report additional debugging information to <code class="option">-d</code>.
</p>
<p>
The <code class="option">-L</code> option with an integer argument of zero or
higher sets the logging debug level. If zero, logging is disabled.
</p>
<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
@ -96,38 +100,48 @@
uses the <code class="option">-y</code> or <code class="option">-k</code> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
HMAC-MD5. These options are mutually exclusive. With the
<code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
whose name is of the form
<code class="filename">K{name}.+157.+{random}.private</code>. For
historical reasons, the file
<code class="filename">K{name}.+157.+{random}.key</code> must also be
present. When the <code class="option">-y</code> option is used, a
signature is generated from
[<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
<em class="parameter"><code>keyname</code></em> is the name of the key, and
<em class="parameter"><code>secret</code></em> is the base64 encoded shared
secret. Use of the <code class="option">-y</code> option is discouraged
because the shared secret is supplied as a command line
argument in clear text. This may be visible in the output
from
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
shell.
HMAC-MD5. These options are mutually exclusive.
</p>
<p>
When the <code class="option">-y</code> option is used, a signature is
generated from
[<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
<em class="parameter"><code>keyname</code></em> is the name of the key, and
<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
Use of the <code class="option">-y</code> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
or in a history file maintained by the user's shell.
</p>
<p>
With the
<code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
Keyfiles may be in two formats: a single file containing
a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
statement, which may be generated automatically by
<span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
of the format <code class="filename">K{name}.+157.+{random}.key</code> and
<code class="filename">K{name}.+157.+{random}.private</code>, which can be
generated by <span><strong class="command">dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p>
<p>
The <code class="option">-g</code> and <code class="option">-o</code> specify that
GSS-TSIG is to be used. The <code class="option">-o</code> should only
be used with old Microsoft Windows 2000 servers.
<span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
using the <code class="option">-l</code> flag. This sets the server address to
localhost (disabling the <span><strong class="command">server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
which is automatically generated by <span><strong class="command">named</strong></span> if any
local master zone has the <span><strong class="command">dynamic</strong></span> zone option set
to yes. The location of this key file can be overridden with
the <code class="option">-k</code> option.
</p>
<p>
By default,
<span><strong class="command">nsupdate</strong></span>
By default, <span><strong class="command">nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
@ -137,6 +151,10 @@
use a TCP connection.
This may be preferable when a batch of update requests is made.
</p>
<p>
The <code class="option">-p</code> sets the default port number to use for
connections to a name server. The default is 53.
</p>
<p>
The <code class="option">-t</code> option sets the maximum time an update request
can
@ -169,7 +187,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543726"></a><h2>INPUT FORMAT</h2>
<a name="id215413"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@ -367,7 +385,7 @@
{domain-name}
[ttl]
[class]
[type [data...]]
[type [data...]]
</span></dt>
<dd><p>
Deletes any resource records named
@ -433,7 +451,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544567"></a><h2>EXAMPLES</h2>
<a name="id216068"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@ -487,12 +505,16 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544611"></a><h2>FILES</h2>
<a name="id216122"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
used to identify default name server
</p></dd>
<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
<dd><p>
sets the default TSIG key for use in local-only mode
</p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
base-64 encoding of HMAC-MD5 key created by
@ -506,7 +528,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544680"></a><h2>SEE ALSO</h2>
<a name="id216386"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@ -515,11 +537,12 @@
<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2542156"></a><h2>BUGS</h2>
<a name="id216465"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library

@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.44 2007/06/18 23:47:22 tbox Exp $
# $Id: Makefile.in,v 1.45 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -47,20 +47,16 @@ RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${I
CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc.c rndc-confgen.c
SRCS= rndc.c
SUBDIRS = unix
TARGETS = rndc@EXEEXT@
TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
MANPAGES = rndc.8 rndc.conf.5
MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
HTMLPAGES = rndc.html rndc.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc.@O@: rndc.c
@ -70,19 +66,10 @@ rndc.@O@: rndc.c
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc.c
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
${RNDCLIBS}
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
${UOBJS} ${CONFLIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
@ -93,11 +80,9 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
install:: rndc@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
clean distclean maintainer-clean::
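Review bot: `CONFLIBS` and `CONFDEPLIBS` survive as context lines after the only rule in this file that used them, the rndc-confgen link, is removed, and the same appears to hold for `UOBJS = unix/os.@O@` and `SUBDIRS = unix` if the rndc link rule still only pulls in `util.@O@`. If nothing else in the Makefile references them they are dead definitions and should go out with the rule, otherwise the next reader will hunt for a consumer that no longer exists; a one-line comment above `SRCS=` stating that rndc-confgen is now built elsewhere would also record why this file shrank.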

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.h,v 1.11 2009/01/17 23:47:42 tbox Exp $ */
/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@ -27,12 +27,6 @@
ISC_LANG_BEGINDECLS
FILE *safe_create(const char *filename);
/*%<
* Open 'filename' for writing, truncate if necessary. If the file was
* created ensure that only the owner can read/write it.
*/
int set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.


@ -1,211 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
.\" Title: rndc\-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Aug 27, 2001
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
rndc\-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP 13
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
generates configuration files for
\fBrndc\fR. It can be used as a convenient alternative to writing the
\fIrndc.conf\fR
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
\fInamed.conf\fR
by hand. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
\fIrndc.key\fR
file and avoid the need for a
\fIrndc.conf\fR
file and a
\fBcontrols\fR
statement altogether.
.SH "OPTIONS"
.PP
\-a
.RS 4
Do automatic
\fBrndc\fR
configuration. This creates a file
\fIrndc.key\fR
in
\fI/etc\fR
(or whatever
\fIsysconfdir\fR
was specified as when
BIND
was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup. The
\fIrndc.key\fR
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration.
.sp
Running
\fBrndc\-confgen \-a\fR
allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
\fInamed.conf\fR
file.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
is required, for example if rndc is to be used remotely, you should run
\fBrndc\-confgen\fR
without the
\fB\-a\fR
option and set up a
\fIrndc.conf\fR
and
\fInamed.conf\fR
as directed.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
.RE
.PP
\-c \fIkeyfile\fR
.RS 4
Used with the
\fB\-a\fR
option to specify an alternate location for
\fIrndc.key\fR.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
\fBrndc\-key\fR.
.RE
.PP
\-p \fIport\fR
.RS 4
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR. The default is 953.
.RE
.PP
\-r \fIrandomfile\fR
.RS 4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-s \fIaddress\fR
.RS 4
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR. The default is the loopback address 127.0.0.1.
.RE
.PP
\-t \fIchrootdir\fR
.RS 4
Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted. An additional copy of the
\fIrndc.key\fR
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR.
.RE
.PP
\-u \fIuser\fR
.RS 4
Used with the
\fB\-a\fR
option to set the owner of the
\fIrndc.key\fR
file generated. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed.
.RE
.SH "EXAMPLES"
.PP
To allow
\fBrndc\fR
to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample
\fIrndc.conf\fR
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
\fInamed.conf\fR, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br


@ -13,33 +13,38 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
.\" $Id: rndc.conf.5,v 1.39 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
.\" Title: \fIrndc.conf\fR
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "RNDC.CONF" 5 "June 30, 2000" "" ""
.SH NAME
rndc.conf \- rndc configuration file
.SH "SYNOPSIS"
.HP 10
\fBrndc.conf\fR
\fBrndc\&.conf\fR
.SH "DESCRIPTION"
.PP
\fIrndc.conf\fR
is the configuration file for
\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
\fIrndc\&.conf\fR is the configuration file for \fBrndc\fR, the BIND 9 name server control utility\&. This file has a similar structure and syntax to \fInamed\&.conf\fR\&. Statements are enclosed in braces and terminated with a semi\-colon\&. Clauses in the statements are also semi\-colon terminated\&. The usual comment styles are supported:
.PP
C style: /* */
.PP
@ -47,168 +52,70 @@ C++ style: // to end of line
.PP
Unix style: # to end of line
.PP
\fIrndc.conf\fR
is much simpler than
\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
\fIrndc\&.conf\fR is much simpler than \fInamed\&.conf\fR\&. The file uses three statements: an options statement, a server statement and a key statement\&.
.PP
The
\fBoptions\fR
statement contains five clauses. The
\fBdefault\-server\fR
clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
\fBrndc\fR. The
\fBdefault\-key\fR
clause is followed by the name of a key which is identified by a
\fBkey\fR
statement. If no
\fBkeyid\fR
is provided on the rndc command line, and no
\fBkey\fR
clause is found in a matching
\fBserver\fR
statement, this default key will be used to authenticate the server's commands and responses. The
\fBdefault\-port\fR
clause is followed by the port to connect to on the remote name server. If no
\fBport\fR
option is provided on the rndc command line, and no
\fBport\fR
clause is found in a matching
\fBserver\fR
statement, this default port will be used to connect. The
\fBdefault\-source\-address\fR
and
\fBdefault\-source\-address\-v6\fR
clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
The \fBoptions\fR statement contains five clauses\&. The \fBdefault\-server\fR clause is followed by the name or address of a name server\&. This host will be used when no name server is given as an argument to \fBrndc\fR\&. The \fBdefault\-key\fR clause is followed by the name of a key which is identified by a \fBkey\fR statement\&. If no \fBkeyid\fR is provided on the rndc command line, and no \fBkey\fR clause is found in a matching \fBserver\fR statement, this default key will be used to authenticate the server's commands and responses\&. The \fBdefault\-port\fR clause is followed by the port to connect to on the remote name server\&. If no \fBport\fR option is provided on the rndc command line, and no \fBport\fR clause is found in a matching \fBserver\fR statement, this default port will be used to connect\&. The \fBdefault\-source\-address\fR and \fBdefault\-source\-address\-v6\fR clauses which can be used to set the IPv4 and IPv6 source addresses respectively\&.
.PP
After the
\fBserver\fR
keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
\fBkey\fR,
\fBport\fR
and
\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
\fBaddresses\fR
clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
\fBsource\-address\fR
or
\fBsource\-address\-v6\fR
of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
After the \fBserver\fR keyword, the server statement includes a string which is the hostname or address for a name server\&. The statement has three possible clauses: \fBkey\fR, \fBport\fR and \fBaddresses\fR\&. The key name must match the name of a key statement in the file\&. The port number specifies the port to connect to\&. If an \fBaddresses\fR clause is supplied these addresses will be used instead of the server name\&. Each address can take an optional port\&. If an \fBsource\-address\fR or \fBsource\-address\-v6\fR of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively\&.
.PP
The
\fBkey\fR
statement begins with an identifying string, the name of the key. The statement has two clauses.
\fBalgorithm\fR
identifies the encryption algorithm for
\fBrndc\fR
to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
The \fBkey\fR statement begins with an identifying string, the name of the key\&. The statement has two clauses\&. \fBalgorithm\fR identifies the encryption algorithm for \fBrndc\fR to use; currently only HMAC\-MD5 is supported\&. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key\&. The base\-64 string is enclosed in double quotes\&.
.PP
There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
\fBrndc\-confgen\fR
can be used to generate a random key, or the
\fBmmencode\fR
program, also known as
\fBmimencode\fR, can be used to generate a base\-64 string from known input.
\fBmmencode\fR
does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
There are two common ways to generate the base\-64 string for the secret\&. The BIND 9 program \fBrndc\-confgen\fR can be used to generate a random key, or the \fBmmencode\fR program, also known as \fBmimencode\fR, can be used to generate a base\-64 string from known input\&. \fBmmencode\fR does not ship with BIND 9 but is available on many systems\&. See the EXAMPLE section for sample command lines for each\&.
.SH "EXAMPLE"
.PP
.RS 4
.nf
options {
default\-server localhost;
default\-key samplekey;
};
.fi
.RE
.sp
.PP
.RS 4
.nf
server localhost {
key samplekey;
};
.fi
.RE
.sp
.PP
.RS 4
.nf
server testserver {
key testkey;
addresses { localhost port 5353; };
};
.fi
.RE
.sp
.PP
.RS 4
.nf
key samplekey {
algorithm hmac\-md5;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
.fi
.RE
.sp
.PP
.RS 4
.nf
key testkey {
algorithm hmac\-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
.fi
.RE
.sp
.PP
In the above example,
\fBrndc\fR
will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
In the above example, \fBrndc\fR will by default use the server at localhost (127\&.0\&.0\&.1) and the key called samplekey\&. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret\&. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes\&.
.PP
If
\fBrndc \-s testserver\fR
is used then
\fBrndc\fR
will connect to server on localhost port 5353 using the key testkey.
If \fBrndc \-s testserver\fR is used then \fBrndc\fR will connect to server on localhost port 5353 using the key testkey\&.
.PP
To generate a random secret with
\fBrndc\-confgen\fR:
To generate a random secret with \fBrndc\-confgen\fR:
.PP
\fBrndc\-confgen\fR
\fBrndc\-confgen\fR
.PP
A complete
\fIrndc.conf\fR
file, including the randomly generated key, will be written to the standard output. Commented\-out
\fBkey\fR
and
\fBcontrols\fR
statements for
\fInamed.conf\fR
are also printed.
A complete \fIrndc\&.conf\fR file, including the randomly generated key, will be written to the standard output\&. Commented\-out \fBkey\fR and \fBcontrols\fR statements for \fInamed\&.conf\fR are also printed\&.
.PP
To generate a base\-64 secret with
\fBmmencode\fR:
To generate a base\-64 secret with \fBmmencode\fR:
.PP
\fBecho "known plaintext for a secret" | mmencode\fR
\fBecho "known plaintext for a secret" | mmencode\fR
.SH "NAME SERVER CONFIGURATION"
.PP
The name server must be configured to accept rndc connections and to recognize the key specified in the
\fIrndc.conf\fR
file, using the controls statement in
\fInamed.conf\fR. See the sections on the
\fBcontrols\fR
statement in the BIND 9 Administrator Reference Manual for details.
The name server must be configured to accept rndc connections and to recognize the key specified in the \fIrndc\&.conf\fR file, using the controls statement in \fInamed\&.conf\fR\&. See the sections on the \fBcontrols\fR statement in the BIND 9 Administrator Reference Manual for details\&.
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc\-confgen\fR(8),
\fBmmencode\fR(1),
BIND 9 Administrator Reference Manual.
\fBrndc\fR(8), \fBrndc\-confgen\fR(8), \fBmmencode\fR(1), BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
Internet Systems Consortium


@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
<!-- $Id: rndc.conf.html,v 1.30 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc.conf"></a><div class="titlepage"></div>
@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543352"></a><h2>DESCRIPTION</h2>
<a name="id215037"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@ -117,7 +117,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543500"></a><h2>EXAMPLE</h2>
<a name="id215198"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@ -191,7 +191,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543592"></a><h2>NAME SERVER CONFIGURATION</h2>
<a name="id215299"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@ -201,7 +201,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543613"></a><h2>SEE ALSO</h2>
<a name="id215321"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543652"></a><h2>AUTHOR</h2>
<a name="id215358"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>


@ -1,4 +0,0 @@
Makefile
.libs
*.la
*.lo


@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.469 $)
AC_REVISION($Revision: 1.470 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@ -2945,10 +2945,11 @@ AC_CONFIG_FILES([
lib/tests/include/tests/Makefile
bin/Makefile
bin/check/Makefile
bin/confgen/Makefile
bin/confgen/unix/Makefile
bin/named/Makefile
bin/named/unix/Makefile
bin/rndc/Makefile
bin/rndc/unix/Makefile
bin/dig/Makefile
bin/nsupdate/Makefile
bin/tests/Makefile


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.411 2009/06/02 05:51:44 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.412 2009/06/10 00:27:21 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -1651,11 +1651,25 @@ controls {
<para>
Dynamic update is enabled by including an
<command>allow-update</command> or <command>update-policy</command>
clause in the <command>zone</command> statement. The
<command>tkey-gssapi-credential</command> and
<command>allow-update</command>, <command>update-policy</command>
clause in the <command>zone</command> statement, or by setting the
<command>dynamic</command> option to <userinput>yes</userinput>
and creating a <filename>ddns.key</filename> file (see
<command>ddns-confgen</command>.)
</para>
<para>
If the zone's <command>dynamic</command> option is set to
<userinput>yes</userinput>, and if a <filename>ddns.key</filename>
file exists and contains a valid TSIG key, and if no other dynamic
update policy has been set for the zone, then updates to the zone
will be permitted for the key <filename>ddns.key</filename>.
</para>
<para>
The <command>tkey-gssapi-credential</command> and
<command>tkey-domain</command> clauses in the
<command>options</command> statement enable the
<command>options</command> statement enable the
server to negotiate keys that can be matched against those
in <command>update-policy</command> or
<command>allow-update</command>.
@ -1670,7 +1684,7 @@ controls {
</para>
<sect2 id="journal">
<title>The journal file</title>
<title>The journal file</title>
<para>
All changes made to a zone using dynamic update are stored
@ -9721,6 +9735,20 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>dynamic</command></term>
<listitem>
<para>
If this flag is set to <userinput>yes</userinput> in
a master zone, <command>named</command> will
automatically generate a TSIG session key for use
by <command>nsupdate -l</command> on the local system,
and the zone will be marked to allow dynamic updates
using this key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>forward</command></term>
<listitem>
@ -10103,7 +10131,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</para>
<programlisting>
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
</programlisting>
<para>
@ -10149,7 +10177,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<varname>krb5-self</varname>, <varname>ms-self</varname>,
<varname>krb5-subdomain</varname>,
<varname>ms-subdomain</varname>,
<varname>tcp-self</varname> and <varname>6to4-self</varname>.
<varname>tcp-self</varname>, <varname>6to4-self</varname>,
and <varname>zonesub</varname>.
</para>
<informaltable>
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@ -10184,6 +10213,28 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para>
<varname>zonesub</varname>
</para>
</entry> <entry colname="2">
<para>
This rule is similar to subdomain, except that
it matches when the name being updated is a
subdomain of the zone in which the
<command>update-policy</command> statement
appears. This obviates the need to type the zone
name twice, and enables the use of a standard
<command>update-policy</command> statement in
multiple zones without modification.
</para>
<para>
When this rule is used, the
<replaceable>name</replaceable> field is omitted.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.101 2009/06/03 00:04:38 marka Exp $ */
/* $Id: check.c,v 1.102 2009/06/10 00:27:22 each Exp $ */
/*! \file */
@ -991,17 +991,22 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
result = tresult;
}
dns_fixedname_init(&fixed);
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
dns_rootname, ISC_FALSE, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
result = tresult;
if (tresult == ISC_R_SUCCESS &&
strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
dns_fixedname_init(&fixed);
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
&b, dns_rootname,
ISC_FALSE, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
result = tresult;
}
}
if (tresult == ISC_R_SUCCESS &&
strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
!dns_name_iswildcard(dns_fixedname_name(&fixed))) {
@ -1072,6 +1077,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "notify", MASTERZONE | SLAVEZONE },
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
{ "ddns-autoconf", MASTERZONE },
{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
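Review bot: The new table entry `{ "ddns-autoconf", MASTERZONE },` in check_zoneconf registers the zone option under a different name from the one the ARM hunk in this same commit documents (`dynamic`), while the CHANGES entry uses `ddns-autoconf`; whichever spelling the documentation leads an operator to use, named-checkconf will reject it unless the two are reconciled. Pick one name and use it in check.c, the ARM, and the parser grammar (the isccfg side is not in view here). In the first hunk the zonesub branch correctly skips the name validation, but nothing visible rejects a `name` field that is supplied anyway, which the ARM says must be omitted; a `cfg_obj_log(..., "zonesub does not take a name")` when dname is present would match the documented syntax.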


@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.19 2009/03/02 23:47:43 tbox Exp $
* $Id: dst_api.c,v 1.20 2009/06/10 00:27:22 each Exp $
*/
/*! \file */
@ -110,7 +110,7 @@ static isc_result_t algorithm_status(unsigned int alg);
static isc_result_t addsuffix(char *filename, unsigned int len,
const char *ofilename, const char *suffix);
#define RETERR(x) \
#define RETERR(x) \
do { \
result = (x); \
if (result != ISC_R_SUCCESS) \


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.11 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: dst_internal.h,v 1.12 2009/06/10 00:27:22 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@ -58,8 +58,8 @@
ISC_LANG_BEGINDECLS
#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
@ -72,7 +72,7 @@ extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
@ -112,7 +112,7 @@ struct dst_key {
dst_hmacsha512_key_t *hmacsha512;
} keydata; /*%< pointer to key in crypto pkg fmt */
dst_func_t * func; /*%< crypto package specific functions */
dst_func_t * func; /*%< crypto package specific functions */
};
struct dst_context {


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsig.h,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
/* $Id: tsig.h,v 1.52 2009/06/10 00:27:22 each Exp $ */
#ifndef DNS_TSIG_H
#define DNS_TSIG_H 1
@ -242,6 +242,20 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
*\li #ISC_R_NOMEMORY
*/
isc_result_t
dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
dns_tsigkey_t *tkey);
/*%<
* Place a TSIG key onto a key ring.
*
* Requires:
*\li 'ring', 'name' and 'tkey' are not NULL
*
* Returns:
*\li #ISC_R_SUCCESS
*\li Any other value indicates failure.
*/
void
dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
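Review bot: The comment on dns_tsigkeyring_add does not say who owns the reference the ring keeps, which is the one thing a caller needs to know: the implementation in tsig.c increments `tkey->refs` on success, so the caller's own reference is untouched and must still be released. Add to the description `* The ring takes its own reference to 'tkey' on success; the caller's reference is not consumed and must still be dropped with dns_tsigkey_detach().` and note that on failure no reference is taken. It is also worth stating that 'name' is the name the key is inserted under and later looked up by, since it is passed to the ring as given rather than taken from the key.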


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.12 2008/09/24 02:46:23 marka Exp $ */
/* $Id: dst.h,v 1.13 2009/06/10 00:27:22 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@ -509,10 +509,12 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
void
dst_key_free(dst_key_t **keyp);
/*%<
* Release all memory associated with the key.
* Decrement the key's reference counter and, when it reaches zero,
* release all memory associated with the key.
*
* Requires:
*\li "keyp" is not NULL and "*keyp" is a valid key.
*\li reference counter greater than zero.
*
* Ensures:
*\li All memory associated with "*keyp" will be freed.
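Review bot: The Ensures clause `*\li All memory associated with "*keyp" will be freed.` is left unchanged while the description above it now says memory is released only when the counter reaches zero, so the contract contradicts itself for a key that still has other references. Change it to `*\li Memory associated with "*keyp" is released once the last reference is dropped.` and, since the comment now talks about a reference counter, the Requires line `reference counter greater than zero.` should say whose counter (`"*keyp"'s reference counter is greater than zero`).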


@ -16,7 +16,7 @@
*/
/*
* $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $
* $Id: tsig.c,v 1.137 2009/06/10 00:27:22 each Exp $
*/
/*! \file */
#include <config.h>
@ -215,6 +215,37 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
level, "tsig key '%s': %s", namestr, message);
}
/*
* A supplemental routine just to add a key to ring. Note that reference
* counter should be counted separately because we may be adding the key
* as part of creation of the key, in which case the reference counter was
* already initialized. Also note we don't need RWLOCK for the reference
* counter: it's protected by a separate lock.
*/
static isc_result_t
keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
dns_tsigkey_t *tkey)
{
isc_result_t result;
RWLOCK(&ring->lock, isc_rwlocktype_write);
ring->writecount++;
/*
* Do on the fly cleaning. Find some nodes we might not
* want around any more.
*/
if (ring->writecount > 10) {
cleanup_ring(ring);
ring->writecount = 0;
}
result = dns_rbt_addname(ring->keys, name, tkey);
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
return (result);
}
isc_result_t
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dst_key_t *dstkey, isc_boolean_t generated,
@ -331,7 +362,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
tkey->ring = ring;
if (key != NULL)
refs++;
refs = 1;
if (ring != NULL)
refs++;
ret = isc_refcount_init(&tkey->refs, refs);
@ -347,23 +378,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
tkey->magic = TSIG_MAGIC;
if (ring != NULL) {
RWLOCK(&ring->lock, isc_rwlocktype_write);
ring->writecount++;
/*
* Do on the fly cleaning. Find some nodes we might not
* want around any more.
*/
if (ring->writecount > 10) {
cleanup_ring(ring);
ring->writecount = 0;
}
ret = dns_rbt_addname(ring->keys, name, tkey);
if (ret != ISC_R_SUCCESS) {
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
ret = keyring_add(ring, name, tkey);
if (ret != ISC_R_SUCCESS)
goto cleanup_refs;
}
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
}
/*
@ -379,6 +396,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
"the key '%s' is too short to be secure",
namestr);
}
if (key != NULL)
*key = tkey;
@ -1533,6 +1551,19 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
return (ISC_R_SUCCESS);
}
isc_result_t
dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
dns_tsigkey_t *tkey)
{
isc_result_t result;
result = keyring_add(ring, name, tkey);
if (result == ISC_R_SUCCESS)
isc_refcount_increment(&tkey->refs, NULL);
return (result);
}
void
dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
dns_tsig_keyring_t *ring;
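Review bot: The `refs = 1;` that replaces `if (key != NULL) refs++;` in dns_tsigkey_createfromkey counts a caller reference unconditionally, but `*key` is only assigned when `key != NULL` (`if (key != NULL) *key = tkey;`); unless the tail of the function, which lies outside this hunk, detaches in the `key == NULL` case, a key created with a NULL `key` and a non-NULL ring now carries a reference nobody owns and is never freed after it leaves the ring. Either restore the conditional or add `else dns_tsigkey_detach(&tkey);` after the assignment. Separately, dns_tsigkeyring_add increments `tkey->refs` only after keyring_add has released the ring's write lock with the key already visible in the tree, so for a moment the ring holds a key it has not counted; taking the reference before the insert and dropping it on failure (`isc_refcount_increment(&tkey->refs, NULL); result = keyring_add(...); if (result != ISC_R_SUCCESS) isc_refcount_decrement(&tkey->refs, NULL);`) closes that window.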

View file

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: file.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
/* $Id: file.h,v 1.36 2009/06/10 00:27:22 each Exp $ */
#ifndef ISC_FILE_H
#define ISC_FILE_H 1
@ -251,6 +251,14 @@ isc_file_truncate(const char *filename, isc_offset_t size);
* Truncate/extend the file specified to 'size' bytes.
*/
isc_result_t
isc_file_safecreate(const char *filename, FILE **fp);
/*%<
* Open 'filename' for writing, truncating if necessary. Ensure that
* if it existed it was a normal file. If creating the file, ensure
* that only the owner can read/write it.
*/
ISC_LANG_ENDDECLS
#endif /* ISC_FILE_H */
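Review bot: The comment for isc_file_safecreate omits the preconditions the implementation enforces with REQUIRE (`filename != NULL`, `fp != NULL && *fp == NULL`) and does not say what happens to an existing file's permissions. Add a Requires section stating those, and a sentence `An existing regular file is truncated in place and its mode is left unchanged; only a newly created file is restricted to owner read/write.` It should also say that the regular-file check is made by a separate stat of the path before the open, so it is not atomic with the open, which callers writing key material next to untrusted directories will want to know.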


@ -48,7 +48,7 @@
* SUCH DAMAGE.
*/
/* $Id: file.c,v 1.53 2009/02/16 23:48:04 tbox Exp $ */
/* $Id: file.c,v 1.54 2009/06/10 00:27:22 each Exp $ */
/*! \file */
@ -442,3 +442,39 @@ isc_file_truncate(const char *filename, isc_offset_t size) {
result = isc__errno2result(errno);
return (result);
}
isc_result_t
isc_file_safecreate(const char *filename, FILE **fp) {
isc_result_t result;
int flags;
struct stat sb;
FILE *f;
int fd;
REQUIRE(filename != NULL);
REQUIRE(fp != NULL && *fp == NULL);
result = file_stats(filename, &sb);
if (result == ISC_R_SUCCESS) {
if ((sb.st_mode & S_IFREG) == 0)
return (ISC_R_INVALIDFILE);
flags = O_WRONLY | O_TRUNC;
} else if (result == ISC_R_FILENOTFOUND) {
flags = O_WRONLY | O_CREAT | O_EXCL;
} else
return (result);
fd = open(filename, flags, S_IRUSR | S_IWUSR);
if (fd == -1)
return (isc__errno2result(errno));
f = fdopen(fd, "w");
if (f == NULL) {
result = isc__errno2result(errno);
close(fd);
return (result);
}
*fp = f;
return (ISC_R_SUCCESS);
}
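Review bot: The regular-file test `if ((sb.st_mode & S_IFREG) == 0)` is wrong: S_IFREG is a bit pattern within S_IFMT, not a single flag, and S_IFSOCK (0140000) and S_IFLNK (0120000) both have the S_IFREG bit set, so those node types pass the check; it should be `if (!S_ISREG(sb.st_mode)) return (ISC_R_INVALIDFILE);`. The check is also made on a path lookup separate from the open(), so it is a time-of-check/time-of-use race for a key file: a symlink or other node dropped in place between file_stats() and open() is followed and truncated (assuming file_stats() is stat()-based); adding `O_NOFOLLOW` to flags where the platform defines it, or re-checking with fstat() on the returned descriptor before fdopen(), narrows that window. When the file already exists its mode is left as-is, which matches the header comment, but since this is meant for secrets an fstat()/fchmod() to owner-only here would make the guarantee unconditional rather than creation-only.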


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: file.c,v 1.31 2007/06/19 23:47:19 tbox Exp $ */
/* $Id: file.c,v 1.32 2009/06/10 00:27:22 each Exp $ */
#include <config.h>
@ -505,3 +505,39 @@ isc_file_truncate(const char *filename, isc_offset_t size) {
return (ISC_R_SUCCESS);
}
isc_result_t
isc_file_safecreate(const char *filename, FILE **fp) {
isc_result_t result;
int flags;
struct stat sb;
FILE *f;
int fd;
REQUIRE(filename != NULL);
REQUIRE(fp != NULL && *fp == NULL);
result = file_stats(filename, &sb);
if (result == ISC_R_SUCCESS) {
if ((sb.st_mode & S_IFREG) == 0)
return (ISC_R_INVALIDFILE);
flags = O_WRONLY | O_TRUNC;
} else if (result == ISC_R_FILENOTFOUND) {
flags = O_WRONLY | O_CREAT | O_EXCL;
} else
return (result);
fd = open(filename, flags, S_IRUSR | S_IWUSR);
if (fd == -1)
return (isc__errno2result(errno));
f = fdopen(fd, "w");
if (f == NULL) {
result = isc__errno2result(errno);
close(fd);
return (result);
}
*fp = f;
return (ISC_R_SUCCESS);
}
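Review bot: Same defect as the unix copy: `(sb.st_mode & S_IFREG) == 0` is a single-bit test, and S_IFSOCK and S_IFLNK both contain the S_IFREG bit, so the "normal file" guarantee in the header comment does not hold; use `if (!S_ISREG(sb.st_mode))` (a compatibility macro if the win32 headers lack it). The body is otherwise a verbatim duplicate of lib/isc/unix/file.c, so the two will drift; whether the owner-only mode argument to open() means anything on this platform is not visible here and should be confirmed, since a session key file is the first user of this function.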


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ntpaths.h,v 1.16 2007/06/19 23:47:20 tbox Exp $ */
/* $Id: ntpaths.h,v 1.17 2009/06/10 00:27:22 each Exp $ */
/*
* Windows-specific path definitions
@ -51,7 +51,6 @@ enum NtPaths {
#define RNDC_KEYFILE isc_ntpaths_get(RNDC_KEY_PATH)
#define RESOLV_CONF isc_ntpaths_get(RESOLV_CONF_PATH)
/*
* Information about where the files are on disk
*/


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ntpaths.c,v 1.11 2007/06/18 23:47:49 tbox Exp $ */
/* $Id: ntpaths.c,v 1.12 2009/06/10 00:27:22 each Exp $ */
/*
* This module fetches the required path information that is specific
@ -84,6 +84,9 @@ isc_ntpaths_init() {
strcpy(rndc_keyFile, namedBase);
strcat(rndc_keyFile, "\\etc\\rndc.key");
strcpy(ddns_keyFile, namedBase);
strcat(ddns_keyFile, "\\etc\\ddns.key");
strcpy(rndc_confFile, namedBase);
strcat(rndc_confFile, "\\etc\\rndc.conf");
strcpy(ns_defaultpidfile, namedBase);
@ -134,6 +137,9 @@ isc_ntpaths_get(int ind) {
case RNDC_KEY_PATH:
return (rndc_keyFile);
break;
case RNDC_KEY_PATH:
return (ddns_keyFile);
break;
default:
return (NULL);
}
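Review bot: The second `case RNDC_KEY_PATH:` in isc_ntpaths_get duplicates the label two lines above it, which is a compile error in C (duplicate case value), and even if it compiled the `return (ddns_keyFile);` would be unreachable, so the Windows build can never hand out the ddns key path. It presumably should be `case DDNS_KEY_PATH:`, matching the new ddns_keyFile initialisation in isc_ntpaths_init, but the enumerator is not visible in the ntpaths.h hunk above and should be confirmed. The strcpy/strcat into ddns_keyFile follows the existing pattern for rndc_keyFile; the buffer's declaration and size are outside this hunk. isc_ntpaths_get begins outside the hunk.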


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: grammar.h,v 1.17 2008/09/25 04:02:39 tbox Exp $ */
/* $Id: grammar.h,v 1.18 2009/06/10 00:27:22 each Exp $ */
#ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1
@ -210,10 +210,18 @@ struct cfg_parser {
*/
unsigned int line;
/*%
* Parser context flags, used for maintaining state
* from one token to the next.
*/
unsigned int flags;
cfg_parsecallback_t callback;
void *callbackarg;
};
/* Parser context flags */
#define CFG_PCTX_SKIP 0x1
/*@{*/
/*%


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.h,v 1.11 2009/03/05 23:47:36 tbox Exp $ */
/* $Id: namedconf.h,v 1.12 2009/06/10 00:27:22 each Exp $ */
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
@ -42,6 +42,9 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
/*%< A complete rndc.key file. */
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ddnskey;
/*%< A complete ddns.key file. */
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
/*%< A key reference, used as an ACL element */


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.96 2009/05/29 22:22:37 jinmei Exp $ */
/* $Id: namedconf.c,v 1.97 2009/06/10 00:27:22 each Exp $ */
/*! \file */
@ -248,8 +248,8 @@ static cfg_type_t cfg_type_pubkey = {
* Note that the old parser allows quotes around the RR type names.
*/
static cfg_type_t cfg_type_rrtypelist = {
"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
&cfg_rep_list, &cfg_type_astring
"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
};
static const char *mode_enums[] = { "grant", "deny", NULL };
@ -258,13 +258,51 @@ static cfg_type_t cfg_type_mode = {
&mode_enums
};
static isc_result_t
parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
isc_result_t result;
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_string &&
strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
pctx->flags |= CFG_PCTX_SKIP;
}
return (cfg_parse_enum(pctx, type, ret));
cleanup:
return (result);
}
static isc_result_t
parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
isc_result_t result;
cfg_obj_t *obj = NULL;
if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
pctx->flags &= ~CFG_PCTX_SKIP;
CHECK(cfg_parse_void(pctx, NULL, &obj));
} else
result = cfg_parse_astring(pctx, type, &obj);
*ret = obj;
cleanup:
return (result);
}
static const char *matchtype_enums[] = {
"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
"tcp-self", "6to4-self", NULL };
"tcp-self", "6to4-self", "zonesub", NULL };
static cfg_type_t cfg_type_matchtype = {
"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
&matchtype_enums
"matchtype", parse_matchtype, cfg_print_ustring,
cfg_doc_enum, &cfg_rep_string, &matchtype_enums
};
static cfg_type_t cfg_type_matchname = {
"optional_matchname", parse_matchname, cfg_print_ustring,
cfg_doc_tuple, &cfg_rep_tuple, &cfg_type_ustring
};
/*%
@ -274,7 +312,7 @@ static cfg_tuplefielddef_t grant_fields[] = {
{ "mode", &cfg_type_mode, 0 },
{ "identity", &cfg_type_astring, 0 }, /* domain name */
{ "matchtype", &cfg_type_matchtype, 0 },
{ "name", &cfg_type_astring, 0 }, /* domain name */
{ "name", &cfg_type_matchname, 0 }, /* domain name */
{ "types", &cfg_type_rrtypelist, 0 },
{ NULL, NULL, 0 }
};
@ -678,6 +716,9 @@ options_clauses[] = {
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "coresize", &cfg_type_size, 0 },
{ "datasize", &cfg_type_size, 0 },
{ "ddns-keyfile", &cfg_type_qstringornone, 0 },
{ "ddns-keyname", &cfg_type_astring, 0 },
{ "ddns-keyalg", &cfg_type_astring, 0 },
{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
{ "dump-file", &cfg_type_qstring, 0 },
@ -967,6 +1008,7 @@ zone_clauses[] = {
{ "check-sibling", &cfg_type_boolean, 0 },
{ "check-srv-cname", &cfg_type_checkmode, 0 },
{ "check-wildcard", &cfg_type_boolean, 0 },
{ "ddns-autoconf", &cfg_type_boolean, 0 },
{ "dialup", &cfg_type_dialuptype, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },
@ -2133,6 +2175,15 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
&cfg_rep_map, rndckey_clausesets
};
/*
* ddns.key has exactly the same syntax as rndc.key, but it's defined
* separately for clarity (and so we can extend it someday, if needed).
*/
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ddnskey = {
"ddnskey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
&cfg_rep_map, rndckey_clausesets
};
static cfg_tuplefielddef_t nameport_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "port", &cfg_type_optional_port, 0 },


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: parser.c,v 1.129 2008/09/25 04:02:39 tbox Exp $ */
/* $Id: parser.c,v 1.130 2009/06/10 00:27:22 each Exp $ */
/*! \file */
@ -400,6 +400,7 @@ cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
pctx->callback = NULL;
pctx->callbackarg = NULL;
pctx->token.type = isc_tokentype_unknown;
pctx->flags = 0;
memset(specials, 0, sizeof(specials));
specials['{'] = 1;