diff --git a/CHANGES b/CHANGES
index 6d36018b4e..b13501cd71 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3935. [bug] "geoip asnum" ACL elements would not match unless
+ the full organization name was specified. They
+ can now match against the AS number alone (e.g.,
+ AS1234). [RT #36945]
+
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980]
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
index 1ceece41cf..29d9d43459 100644
--- a/bin/tests/system/geoip/ns2/named10.conf
+++ b/bin/tests/system/geoip/ns2/named10.conf
@@ -40,7 +40,7 @@ controls {
};
view one {
- match-clients { geoip domain one.de; };
+ match-clients { geoip asnum "AS100001"; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
- match-clients { geoip domain two.com; };
+ match-clients { geoip asnum "AS100002"; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
- match-clients { geoip domain three.com; };
+ match-clients { geoip asnum "AS100003"; };
zone "example" {
type master;
file "example3.db";
@@ -64,7 +64,7 @@ view three {
};
view four {
- match-clients { geoip domain four.com; };
+ match-clients { geoip asnum "AS100004"; };
zone "example" {
type master;
file "example4.db";
@@ -72,7 +72,7 @@ view four {
};
view five {
- match-clients { geoip domain five.es; };
+ match-clients { geoip asnum "AS100005"; };
zone "example" {
type master;
file "example5.db";
@@ -80,7 +80,7 @@ view five {
};
view six {
- match-clients { geoip domain six.it; };
+ match-clients { geoip asnum "AS100006"; };
zone "example" {
type master;
file "example6.db";
@@ -88,7 +88,7 @@ view six {
};
view seven {
- match-clients { geoip domain seven.org; };
+ match-clients { geoip asnum "AS100007"; };
zone "example" {
type master;
file "example7.db";
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
index 85c0d32c34..1ceece41cf 100644
--- a/bin/tests/system/geoip/ns2/named11.conf
+++ b/bin/tests/system/geoip/ns2/named11.conf
@@ -40,7 +40,7 @@ controls {
};
view one {
- match-clients { geoip netspeed 0; };
+ match-clients { geoip domain one.de; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
- match-clients { geoip netspeed 1; };
+ match-clients { geoip domain two.com; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
- match-clients { geoip netspeed 2; };
+ match-clients { geoip domain three.com; };
zone "example" {
type master;
file "example3.db";
@@ -64,13 +64,37 @@ view three {
};
view four {
- match-clients { geoip netspeed 3; };
+ match-clients { geoip domain four.com; };
zone "example" {
type master;
file "example4.db";
};
};
+view five {
+ match-clients { geoip domain five.es; };
+ zone "example" {
+ type master;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { geoip domain six.it; };
+ zone "example" {
+ type master;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { geoip domain seven.org; };
+ zone "example" {
+ type master;
+ file "example7.db";
+ };
+};
+
view none {
match-clients { any; };
zone "example" {
diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf
index a650a635d2..85c0d32c34 100644
--- a/bin/tests/system/geoip/ns2/named12.conf
+++ b/bin/tests/system/geoip/ns2/named12.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,10 +18,6 @@
controls { /* empty */ };
-acl blocking {
- geoip db country country AU;
-};
-
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -32,7 +28,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
- blackhole { blocking; };
};
key rndc_key {
@@ -43,3 +38,43 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
+
+view one {
+ match-clients { geoip netspeed 0; };
+ zone "example" {
+ type master;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { geoip netspeed 1; };
+ zone "example" {
+ type master;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { geoip netspeed 2; };
+ zone "example" {
+ type master;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { geoip netspeed 3; };
+ zone "example" {
+ type master;
+ file "example4.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type master;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip/ns2/named13.conf b/bin/tests/system/geoip/ns2/named13.conf
index f92d25216c..a650a635d2 100644
--- a/bin/tests/system/geoip/ns2/named13.conf
+++ b/bin/tests/system/geoip/ns2/named13.conf
@@ -18,6 +18,10 @@
controls { /* empty */ };
+acl blocking {
+ geoip db country country AU;
+};
+
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -28,6 +32,7 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
+ blackhole { blocking; };
};
key rndc_key {
@@ -38,75 +43,3 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
-
-acl gAU { geoip db country country AU; };
-acl gUS { geoip db country country US; };
-acl gGB { geoip db country country GB; };
-acl gCA { geoip db country country CA; };
-acl gCL { geoip db country country CL; };
-acl gDE { geoip db country country DE; };
-acl gEH { geoip db country country EH; };
-
-view one {
- match-clients { gAU; };
- zone "example" {
- type master;
- file "example1.db";
- };
-};
-
-view two {
- match-clients { gUS; };
- zone "example" {
- type master;
- file "example2.db";
- };
-};
-
-view three {
- match-clients { gGB; };
- zone "example" {
- type master;
- file "example3.db";
- };
-};
-
-view four {
- match-clients { gCA; };
- zone "example" {
- type master;
- file "example4.db";
- };
-};
-
-view five {
- match-clients { gCL; };
- zone "example" {
- type master;
- file "example5.db";
- };
-};
-
-view six {
- match-clients { gDE; };
- zone "example" {
- type master;
- file "example6.db";
- };
-};
-
-view seven {
- match-clients { gEH; };
- zone "example" {
- type master;
- file "example7.db";
- };
-};
-
-view none {
- match-clients { any; };
- zone "example" {
- type master;
- file "example.db.in";
- };
-};
diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf
new file mode 100644
index 0000000000..f92d25216c
--- /dev/null
+++ b/bin/tests/system/geoip/ns2/named14.conf
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
+acl gAU { geoip db country country AU; };
+acl gUS { geoip db country country US; };
+acl gGB { geoip db country country GB; };
+acl gCA { geoip db country country CA; };
+acl gCL { geoip db country country CL; };
+acl gDE { geoip db country country DE; };
+acl gEH { geoip db country country EH; };
+
+view one {
+ match-clients { gAU; };
+ zone "example" {
+ type master;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { gUS; };
+ zone "example" {
+ type master;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { gGB; };
+ zone "example" {
+ type master;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { gCA; };
+ zone "example" {
+ type master;
+ file "example4.db";
+ };
+};
+
+view five {
+ match-clients { gCL; };
+ zone "example" {
+ type master;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { gDE; };
+ zone "example" {
+ type master;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { gEH; };
+ zone "example" {
+ type master;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type master;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh
index e7ab56a57b..3e916aed31 100644
--- a/bin/tests/system/geoip/tests.sh
+++ b/bin/tests/system/geoip/tests.sh
@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
-echo "I:checking GeoIP domain database ($n)"
+echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
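Review bot: The renamed "ASNNNN only" check exercises only exact AS numbers (AS100001..AS100007 in named10.conf) and never the boundary the new prefix match in dns_geoip_match enforces, namely that a shorter number must not match a longer one with the same leading digits. If the test database entries are of the form `AS10000N <name>`, a view placed before `view one` with `match-clients { geoip asnum "AS10000"; };` should still leave client 10.53.0.1 in view one; without such a negative case a regression to plain prefix matching (dropping the `s[l] == ' '` guard) would pass this suite. The loop body and the result check continue below the hunk.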
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
-echo "I:checking GeoIP netspeed database ($n)"
+echo "I:checking GeoIP domain database ($n)"
ret=0
lret=0
-for i in 1 2 3 4; do
+for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
+n=`expr $n + 1`
+echo "I:checking GeoIP netspeed database ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4; do
+ $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+ j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:reloading server"
+cp -f ns2/named13.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 3
+
n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL ($n)"
ret=0
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret`
echo "I:reloading server"
-cp -f ns2/named13.conf ns2/named.conf
+cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 8551db6030..b5f54c0e8e 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2563,7 +2563,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
be configured to act as a lightweight resolver daemon using the
lwres statement in named.conf.
-
@@ -3454,17 +3453,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
"isp", "org", "asnum", "domain" and "netspeed".
- value is the value to searched for
- within the database. A string may be quoted if it contains
- spaces or other special characters. If this is a "country"
- search and the string is two characters long, then it must be a
- standard ISO-3166-1 two-letter country code, and if it is three
- characters long then it must be an ISO-3166-1 three-letter
- country code; otherwise it is the full name of the country.
- Similarly, if this is a "region" search and the string is
- two characters long, then it must be a standard two-letter state
- or province abbreviation; otherwise it is the full name of the
- state or province.
+ value is the value to search
+ for within the database. A string may be quoted if it
+ contains spaces or other special characters. If this is
+ an "asnum" search, then the leading "ASNNNN" string can be
+ used, otherwise the full description must be used (e.g.
+ "ASNNNN Example Company Name"). If this is a "country"
+ search and the string is two characters long, then it must
+ be a standard ISO-3166-1 two-letter country code, and if it
+ is three characters long then it must be an ISO-3166-1
+ three-letter country code; otherwise it is the full name
+ of the country. Similarly, if this is a "region" search
+ and the string is two characters long, then it must be a
+ standard two-letter state or province abbreviation;
+ otherwise it is the full name of the state or province.
The database field indicates which
@@ -8911,7 +8913,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(<qname,qtype,qclass>) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients.
+ named will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c
index 291b0d05e9..ec6beb7acb 100644
--- a/lib/dns/geoip.c
+++ b/lib/dns/geoip.c
@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
return (ISC_FALSE);
s = name_lookup(db, subtype, ipnum);
- if (s != NULL && strcasecmp(elt->as_string, s) == 0)
- return (ISC_TRUE);
+ if (s != NULL) {
+ size_t l;
+ if (strcasecmp(elt->as_string, s) == 0)
+ return (ISC_TRUE);
+ if (subtype != dns_geoip_as_asnum)
+ break;
+ /*
+ * Just check if the ASNNNN value matches.
+ */
+ l = strlen(elt->as_string);
+ if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+ strncasecmp(elt->as_string, s, l) == 0 &&
+ s[l] == ' ')
+ return (ISC_TRUE);
+ }
break;
case dns_geoip_netspeed_id:
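Review bot: The fallback starting at `l = strlen(elt->as_string);` relies on the ASNum database returning entries as "ASNNNN" followed by a space and the organization name, but the comment "Just check if the ASNNNN value matches" does not record that assumption or why reading `s[l]` is in bounds. I would expand it to `/* ASNum entries are presumably "ASNNNN Org Name": a space-free search matches its first token. s[l] is safe to read because strncasecmp() matched l non-NUL bytes of s. */`. The `l > 0U` test appears defensive, since parse_geoip_element in aclconf.c now rejects an empty search field; a short note saying so would stop a later reader from "simplifying" it away. The enclosing dns_geoip_match switch starts above the hunk.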
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 76f6ad4a9a..83d5ae6509 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
const char *stype, *search;
dns_geoip_subtype_t subtype;
dns_aclelement_t de;
+ size_t len;
REQUIRE(dep != NULL);
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+ len = strlen(search);
- if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
+ if (len == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "zero-length geoip search field");
+ return (ISC_R_FAILURE);
+ }
+
+ if (strcasecmp(stype, "country") == 0 && len == 2) {
/* Two-letter country code */
subtype = dns_geoip_countrycode;
- strncpy(de.geoip_elem.as_string, search, 2);
- } else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "country") == 0 && len == 3) {
/* Three-letter country code */
subtype = dns_geoip_countrycode3;
- strncpy(de.geoip_elem.as_string, search, 3);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0) {
/* Country name */
subtype = dns_geoip_countryname;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "region") == 0 && len == 2) {
/* Two-letter region code */
subtype = dns_geoip_region;
- strncpy(de.geoip_elem.as_string, search, 2);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0) {
/* Region name */
subtype = dns_geoip_regionname;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "city") == 0) {
/* City name */
subtype = dns_geoip_city_name;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "postal") == 0 && len < 7) {
subtype = dns_geoip_city_postalcode;
- strncpy(de.geoip_elem.as_string, search, 6);
- de.geoip_elem.as_string[6] = '\0';
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "postal") == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "geoiop postal code (%s) too long", search);
+ return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "metro") == 0) {
subtype = dns_geoip_city_metrocode;
de.geoip_elem.as_int = atoi(search);
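Review bot: The new error message `"geoiop postal code (%s) too long"` misspells "geoip"; it should read `"geoip postal code (%s) too long", search`. More importantly, the strlcpy() conversions for the free-form subtypes (country/region name, city, tz, isp, asnum, org, domain) silently truncate a search longer than `as_string`, and a truncated element compares against the full database string in dns_geoip_match and so can never match — an ACL used in `blackhole` or an allow/deny list would then silently do nothing, which is the fail-open direction. Since `len` is now computed up front, rejecting an over-long search once there, before the subtype dispatch, covers every branch; the dispatch itself continues past the end of the hunk.

```c
	len = strlen(search);
	/* … unchanged: zero-length check … */
	if (len >= sizeof(de.geoip_elem.as_string)) {
		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
			    "geoip search field (%s) too long", search);
		return (ISC_R_FAILURE);
	}
	/* … unchanged: per-subtype dispatch … */
```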
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "tz") == 0) {
subtype = dns_geoip_city_timezonecode;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "continent") == 0 && len == 2) {
/* Two-letter continent code */
subtype = dns_geoip_city_continentcode;
- strncpy(de.geoip_elem.as_string, search, 2);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "continent") == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "geoiop continent code (%s) too long", search);
+ return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "isp") == 0) {
subtype = dns_geoip_isp_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "asnum") == 0) {
subtype = dns_geoip_as_asnum;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "org") == 0) {
subtype = dns_geoip_org_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "domain") == 0) {
subtype = dns_geoip_domain_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "netspeed") == 0) {
subtype = dns_geoip_netspeed_id;
de.geoip_elem.as_int = atoi(search);
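Review bot: The continent error message `"geoiop continent code (%s) too long"` both misspells "geoip" and misdescribes the failure: after the earlier `len == 0` rejection, any length other than 2 reaches this branch, so a one-character search is reported as "too long". A message stating the actual requirement, `"geoip continent code (%s) must be two characters", search`, is accurate for both cases. The remainder of parse_geoip_element continues below the hunk.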
diff --git a/util/copyrights b/util/copyrights
index 350efbf9e7..87ff5ed109 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1321,10 +1321,11 @@
./bin/tests/system/geoip/geoip.c C 2013
./bin/tests/system/geoip/ns2/example.db.in ZONE 2013
./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013
+./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013