From 4a83ccf0710a3dc9d9a48ac6a75e9d1654af2b3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 1/9] Handle "type mirror;" when parsing zone configuration Add a new zone type, CFG_ZONE_MIRROR, to libisccfg, in order to limit the list of options which are considered valid for mirror zones. Update the relevant configuration checks. --- lib/bind9/check.c | 19 ++++-- lib/isccfg/include/isccfg/grammar.h | 1 + lib/isccfg/namedconf.c | 102 +++++++++++++++------------- 3 files changed, 69 insertions(+), 53 deletions(-) diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 4060851888..bfb8917001 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1989,6 +1989,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, strcasecmp(typestr, "secondary") == 0) { ztype = CFG_ZONE_SLAVE; + } else if (strcasecmp(typestr, "mirror") == 0) { + ztype = CFG_ZONE_MIRROR; } else if (strcasecmp(typestr, "stub") == 0) { ztype = CFG_ZONE_STUB; } else if (strcasecmp(typestr, "static-stub") == 0) { @@ -2100,6 +2102,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, case CFG_ZONE_MASTER: case CFG_ZONE_SLAVE: + case CFG_ZONE_MIRROR: case CFG_ZONE_HINT: case CFG_ZONE_STUB: case CFG_ZONE_STATICSTUB: @@ -2184,10 +2187,12 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } /* - * Master & slave zones may have an "also-notify" field, but + * Master, slave, and mirror zones may have an "also-notify" field, but * shouldn't if notify is disabled. */ - if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) { + if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE || + ztype == CFG_ZONE_MIRROR) + { bool donotify = true; obj = NULL; @@ -2228,9 +2233,11 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } /* - * Slave & stub zones must have a "masters" field. + * Slave, mirror, and stub zones must have a "masters" field. */ - if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_STUB) { + if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_MIRROR || + ztype == CFG_ZONE_STUB) + { obj = NULL; if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) { cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR, @@ -2621,7 +2628,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, znamestr); result = tresult; } else if (tresult == ISC_R_SUCCESS && - (ztype == CFG_ZONE_SLAVE || ddns)) { + (ztype == CFG_ZONE_SLAVE || + ztype == CFG_ZONE_MIRROR || ddns)) + { tresult = fileexist(fileobj, files, true, logctx); if (tresult != ISC_R_SUCCESS) result = tresult; diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h index a066cd13e9..93ff3df156 100644 --- a/lib/isccfg/include/isccfg/grammar.h +++ b/lib/isccfg/include/isccfg/grammar.h @@ -72,6 +72,7 @@ #define CFG_ZONE_REDIRECT 0x02000000 #define CFG_ZONE_DELEGATION 0x01000000 #define CFG_ZONE_INVIEW 0x00800000 +#define CFG_ZONE_MIRROR 0x00400000 typedef struct cfg_clausedef cfg_clausedef_t; typedef struct cfg_tuplefielddef cfg_tuplefielddef_t; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 3b51a080ba..960e03d308 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -668,7 +668,7 @@ static cfg_type_t cfg_type_forwardtype = { }; static const char *zonetype_enums[] = { - "primary", "master", "secondary", "slave", + "primary", "master", "secondary", "slave", "mirror", "delegation-only", "forward", "hint", "redirect", "static-stub", "stub", NULL }; @@ -2020,33 +2020,33 @@ static cfg_type_t cfg_type_validityinterval = { static cfg_clausedef_t zone_clauses[] = { { "allow-notify", &cfg_type_bracketed_aml, - CFG_ZONE_SLAVE + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "allow-query", &cfg_type_bracketed_aml, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB }, { "allow-query-on", &cfg_type_bracketed_aml, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB }, { "allow-transfer", &cfg_type_bracketed_aml, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "allow-update", &cfg_type_bracketed_aml, CFG_ZONE_MASTER }, { "allow-update-forwarding", &cfg_type_bracketed_aml, - CFG_ZONE_SLAVE + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "also-notify", &cfg_type_namesockaddrkeylist, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "alt-transfer-source", &cfg_type_sockaddr4wild, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "alt-transfer-source-v6", &cfg_type_sockaddr6wild, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "auto-dnssec", &cfg_type_autodnssec, CFG_ZONE_MASTER | CFG_ZONE_SLAVE @@ -2108,67 +2108,67 @@ zone_clauses[] = { CFG_CLAUSEFLAG_OBSOLETE }, { "masterfile-format", &cfg_type_masterformat, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_REDIRECT }, { "masterfile-style", &cfg_type_masterstyle, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_REDIRECT }, { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE }, { "max-journal-size", &cfg_type_size, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "max-records", &cfg_type_uint32, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, { "max-refresh-time", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-retry-time", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-transfer-idle-in", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-transfer-idle-out", &cfg_type_uint32, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_MIRROR | CFG_ZONE_SLAVE }, { "max-transfer-time-in", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-transfer-time-out", &cfg_type_uint32, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_MIRROR | CFG_ZONE_SLAVE }, { "max-zone-ttl", &cfg_type_maxttl, CFG_ZONE_MASTER | CFG_ZONE_REDIRECT }, { "min-refresh-time", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "min-retry-time", &cfg_type_uint32, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "mirror", &cfg_type_boolean, CFG_ZONE_SLAVE }, { "multi-master", &cfg_type_boolean, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "notify", &cfg_type_notifytype, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "notify-delay", &cfg_type_uint32, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "notify-source", &cfg_type_sockaddr4wild, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "notify-source-v6", &cfg_type_sockaddr6wild, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "notify-to-soa", &cfg_type_boolean, CFG_ZONE_MASTER | CFG_ZONE_SLAVE @@ -2178,10 +2178,10 @@ zone_clauses[] = { CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "request-expire", &cfg_type_boolean, - CFG_ZONE_SLAVE + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "request-ixfr", &cfg_type_boolean, - CFG_ZONE_SLAVE + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "serial-update-method", &cfg_type_updatemethod, CFG_ZONE_MASTER @@ -2202,26 +2202,26 @@ zone_clauses[] = { CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "transfer-source", &cfg_type_sockaddr4wild, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "transfer-source-v6", &cfg_type_sockaddr6wild, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "try-tcp-refresh", &cfg_type_boolean, - CFG_ZONE_SLAVE + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "update-check-ksk", &cfg_type_boolean, CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "use-alt-transfer-source", &cfg_type_boolean, - CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "zero-no-soa-ttl", &cfg_type_boolean, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "zone-statistics", &cfg_type_zonestat, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, { NULL, NULL, 0 } }; @@ -2239,16 +2239,17 @@ zone_only_clauses[] = { * the zone options and the global/view options. Ugh. */ { "type", &cfg_type_zonetype, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_STATICSTUB | CFG_ZONE_DELEGATION | CFG_ZONE_HINT | - CFG_ZONE_REDIRECT | CFG_ZONE_FORWARD + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_DELEGATION | + CFG_ZONE_HINT | CFG_ZONE_REDIRECT | CFG_ZONE_FORWARD }, { "check-names", &cfg_type_checkmode, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_HINT | CFG_ZONE_STUB }, { "database", &cfg_type_astring, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB }, { "delegation-only", &cfg_type_boolean, CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD @@ -2257,8 +2258,8 @@ zone_only_clauses[] = { CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT }, { "file", &cfg_type_qstring, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | - CFG_ZONE_HINT | CFG_ZONE_REDIRECT + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT }, { "in-view", &cfg_type_astring, CFG_ZONE_INVIEW @@ -2267,16 +2268,17 @@ zone_only_clauses[] = { CFG_CLAUSEFLAG_OBSOLETE }, { "ixfr-from-differences", &cfg_type_boolean, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE }, { "journal", &cfg_type_qstring, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE + CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "masters", &cfg_type_namesockaddrkeylist, - CFG_ZONE_SLAVE | CFG_ZONE_STUB | CFG_ZONE_REDIRECT + CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | + CFG_ZONE_REDIRECT }, { "pubkey", &cfg_type_pubkey, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE @@ -4121,6 +4123,10 @@ cfg_print_zonegrammar(const unsigned int zonetype, cfg_print_indent(&pctx); cfg_print_cstr(&pctx, "type ( slave | secondary );\n"); break; + case CFG_ZONE_MIRROR: + cfg_print_indent(&pctx); + cfg_print_cstr(&pctx, "type mirror;\n"); + break; case CFG_ZONE_STUB: cfg_print_indent(&pctx); cfg_print_cstr(&pctx, "type stub;\n"); From e1bb8de6f09325eaa54cae60f0f5a23b54fab2f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 2/9] Define a separate dns_zonetype_t for mirror zones Rather than overloading dns_zone_slave and discerning between a slave zone and a mirror zone using a zone option, define a separate enum value, dns_zone_mirror, to be used exclusively by mirror zones. Update code handling slave zones to ensure it also handles mirror zones where applicable. --- bin/named/config.c | 2 + bin/named/server.c | 15 +++++-- bin/named/statschannel.c | 1 + bin/named/zoneconf.c | 16 +++++--- doc/design/zone | 1 + lib/dns/include/dns/zone.h | 1 + lib/dns/zone.c | 84 +++++++++++++++++++++++++++----------- lib/ns/notify.c | 1 + lib/ns/query.c | 8 ++-- lib/ns/update.c | 4 +- lib/ns/xfrout.c | 9 +++- 11 files changed, 103 insertions(+), 39 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index 405197363e..f3c7b39a16 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -432,6 +432,8 @@ named_config_getzonetype(const cfg_obj_t *zonetypeobj) { strcasecmp(str, "slave") == 0) { ztype = dns_zone_slave; + } else if (strcasecmp(str, "mirror") == 0) { + ztype = dns_zone_mirror; } else if (strcasecmp(str, "stub") == 0) { ztype = dns_zone_stub; } else if (strcasecmp(str, "static-stub") == 0) { diff --git a/bin/named/server.c b/bin/named/server.c index 1fc81d8991..26019992aa 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -10162,7 +10162,8 @@ named_server_retransfercommand(named_server_t *server, isc_lex_t *lex, dns_zone_detach(&raw); } type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_stub || + if (type == dns_zone_slave || type == dns_zone_mirror || + type == dns_zone_stub || (type == dns_zone_redirect && dns_zone_getredirecttype(zone) == dns_zone_slave)) dns_zone_forcereload(zone); @@ -10194,7 +10195,9 @@ named_server_reloadcommand(named_server_t *server, isc_lex_t *lex, msg = "server reload successful"; } else { type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_stub) { + if (type == dns_zone_slave || type == dns_zone_mirror || + type == dns_zone_stub) + { dns_zone_refresh(zone); dns_zone_detach(&zone); msg = "zone refresh queued"; @@ -10285,7 +10288,7 @@ named_server_refreshcommand(named_server_t *server, isc_lex_t *lex, isc_result_t result; dns_zone_t *zone = NULL, *raw = NULL; const char msg1[] = "zone refresh queued"; - const char msg2[] = "not a slave or stub zone"; + const char msg2[] = "not a slave, mirror, or stub zone"; dns_zonetype_t type; result = zone_from_args(server, lex, NULL, &zone, NULL, @@ -10303,7 +10306,9 @@ named_server_refreshcommand(named_server_t *server, isc_lex_t *lex, } type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_stub) { + if (type == dns_zone_slave || type == dns_zone_mirror || + type == dns_zone_stub) + { dns_zone_refresh(zone); dns_zone_detach(&zone); (void) putstr(text, msg1); @@ -13495,6 +13500,7 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, TCHECK(putstr(text, zonename)); TCHECK(putstr(text, "' and associated files will be deleted.")); } else if (dns_zone_gettype(mayberaw) == dns_zone_slave || + dns_zone_gettype(mayberaw) == dns_zone_mirror || dns_zone_gettype(mayberaw) == dns_zone_stub) { bool first; @@ -14093,6 +14099,7 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, /* Refresh/expire times */ if (zonetype == dns_zone_slave || + zonetype == dns_zone_mirror || zonetype == dns_zone_stub || zonetype == dns_zone_redirect) { diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 79d66d8e01..bd8d1c58ce 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -94,6 +94,7 @@ user_zonetype( dns_zone_t *zone ) { { dns_zone_none, "none" }, { dns_zone_master, "master" }, { dns_zone_slave, "slave" }, + { dns_zone_mirror, "mirror" }, { dns_zone_stub, "stub" }, { dns_zone_staticstub, "static-stub" }, { dns_zone_key, "key" }, diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 85e5421fd2..57ace8a0da 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -755,8 +755,13 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps, isc_result_t result; switch (ztype) { - case dns_zone_slave: zone = "slave"; break; - case dns_zone_master: zone = "master"; break; + case dns_zone_slave: + case dns_zone_mirror: + zone = "slave"; + break; + case dns_zone_master: + zone = "master"; + break; default: INSIST(0); } @@ -982,7 +987,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, return (ISC_R_FAILURE); } - if (ztype == dns_zone_slave) + if (ztype == dns_zone_slave || ztype == dns_zone_mirror) masterformat = dns_masterformat_raw; else masterformat = dns_masterformat_text; @@ -1076,7 +1081,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, /* * Notify messages are processed by the raw zone if it exists. */ - if (ztype == dns_zone_slave) + if (ztype == dns_zone_slave || ztype == dns_zone_mirror) RETERR(configure_zone_acl(zconfig, vconfig, config, allow_notify, ac, mayberaw, dns_zone_setnotifyacl, @@ -1537,7 +1542,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } } - if (ztype == dns_zone_slave) { + if (ztype == dns_zone_slave || ztype == dns_zone_mirror) { RETERR(configure_zone_acl(zconfig, vconfig, config, allow_update_forwarding, ac, mayberaw, dns_zone_setforwardacl, @@ -1696,6 +1701,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, */ switch (ztype) { case dns_zone_slave: + case dns_zone_mirror: case dns_zone_stub: case dns_zone_redirect: count = 0; diff --git a/doc/design/zone b/doc/design/zone index 227576d856..55c3484bba 100644 --- a/doc/design/zone +++ b/doc/design/zone @@ -111,6 +111,7 @@ Types: dns_zone_none = 0, dns_zone_master, dns_zone_slave, + dns_zone_mirror, dns_zone_stub, dns_zone_hint, dns_zone_cache, diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 484e82806f..aaa4a1e435 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -38,6 +38,7 @@ typedef enum { dns_zone_none, dns_zone_master, dns_zone_slave, + dns_zone_mirror, dns_zone_stub, dns_zone_staticstub, dns_zone_key, diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 60545141c7..27dda5ab9f 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -1709,16 +1709,17 @@ dns_zone_getjournal(dns_zone_t *zone) { * master file (if any) is written by the server, rather than being * updated manually and read by the server. * - * This is true for slave zones, stub zones, key zones, and zones that - * allow dynamic updates either by having an update policy ("ssutable") - * or an "allow-update" ACL with a value other than exactly "{ none; }". + * This is true for slave zones, mirror zones, stub zones, key zones, + * and zones that allow dynamic updates either by having an update + * policy ("ssutable") or an "allow-update" ACL with a value other than + * exactly "{ none; }". */ bool dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) { REQUIRE(DNS_ZONE_VALID(zone)); - if (zone->type == dns_zone_slave || zone->type == dns_zone_stub || - zone->type == dns_zone_key || + if (zone->type == dns_zone_slave || zone->type == dns_zone_mirror || + zone->type == dns_zone_stub || zone->type == dns_zone_key || (zone->type == dns_zone_redirect && zone->masters != NULL)) return (true); @@ -2072,7 +2073,8 @@ zone_load(dns_zone_t *zone, unsigned int flags, bool locked) { goto cleanup; } - if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub || + if ((zone->type == dns_zone_slave || zone->type == dns_zone_mirror || + zone->type == dns_zone_stub || (zone->type == dns_zone_redirect && zone->masters != NULL)) && rbt) { if (zone->masterfile == NULL || @@ -2108,7 +2110,9 @@ zone_load(dns_zone_t *zone, unsigned int flags, bool locked) { } dns_db_settask(db, zone->task); - if (zone->type == dns_zone_master || zone->type == dns_zone_slave) { + if (zone->type == dns_zone_master || zone->type == dns_zone_slave || + zone->type == dns_zone_mirror) + { result = dns_db_setgluecachestats(db, zone->gluecachestats); if (result == ISC_R_NOTIMPLEMENTED) { result = ISC_R_SUCCESS; @@ -2280,27 +2284,39 @@ get_master_options(dns_zone_t *zone) { unsigned int options; options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN; - if (zone->type == dns_zone_slave || + if (zone->type == dns_zone_slave || zone->type == dns_zone_mirror || (zone->type == dns_zone_redirect && zone->masters == NULL)) + { options |= DNS_MASTER_SLAVE; - if (zone->type == dns_zone_key) + } + if (zone->type == dns_zone_key) { options |= DNS_MASTER_KEY; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) { options |= DNS_MASTER_CHECKNS; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) { options |= DNS_MASTER_FATALNS; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) { options |= DNS_MASTER_CHECKNAMES; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) { options |= DNS_MASTER_CHECKNAMESFAIL; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) { options |= DNS_MASTER_CHECKMX; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) { options |= DNS_MASTER_CHECKMXFAIL; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) { options |= DNS_MASTER_CHECKWILDCARD; - if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) + } + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) { options |= DNS_MASTER_CHECKTTL; + } + return (options); } @@ -4433,6 +4449,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, */ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) { if (zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_stub || (zone->type == dns_zone_redirect && zone->masters == NULL)) { @@ -4592,14 +4609,15 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, "loaded; checking validity"); /* - * Master / Slave / Stub zones require both NS and SOA records at - * the top of the zone. + * Master / Slave / Mirror / Stub zones require both NS and SOA records + * at the top of the zone. */ switch (zone->type) { case dns_zone_dlz: case dns_zone_master: case dns_zone_slave: + case dns_zone_mirror: case dns_zone_stub: case dns_zone_redirect: if (soacount != 1) { @@ -4723,6 +4741,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS); if (zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_stub || (zone->type == dns_zone_redirect && zone->masters != NULL)) { @@ -4909,6 +4928,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, isc_mem_put(zone->mctx, inc, sizeof(*inc)); } if (zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_stub || zone->type == dns_zone_key || (zone->type == dns_zone_redirect && zone->masters != NULL)) { @@ -5063,7 +5083,9 @@ zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, while (result == ISC_R_SUCCESS) { if (errors != NULL && zone->rdclass == dns_rdataclass_in && (zone->type == dns_zone_master || - zone->type == dns_zone_slave)) { + zone->type == dns_zone_slave || + zone->type == dns_zone_mirror)) + { dns_rdata_init(&rdata); dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &ns, NULL); @@ -10043,6 +10065,7 @@ zone_maintenance(dns_zone_t *zone) { break; /* FALLTHROUGH */ case dns_zone_slave: + case dns_zone_mirror: case dns_zone_stub: LOCK_ZONE(zone); if (isc_time_compare(&now, &zone->expiretime) >= 0 && @@ -10065,6 +10088,7 @@ zone_maintenance(dns_zone_t *zone) { break; /* FALLTHROUGH */ case dns_zone_slave: + case dns_zone_mirror: case dns_zone_stub: if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) && isc_time_compare(&now, &zone->refreshtime) >= 0) @@ -10077,7 +10101,7 @@ zone_maintenance(dns_zone_t *zone) { /* * Slaves send notifies before backing up to disk, masters after. */ - if (zone->type == dns_zone_slave && + if ((zone->type == dns_zone_slave || zone->type == dns_zone_mirror) && (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) && isc_time_compare(&now, &zone->notifytime) >= 0) @@ -10089,6 +10113,7 @@ zone_maintenance(dns_zone_t *zone) { switch (zone->type) { case dns_zone_master: case dns_zone_slave: + case dns_zone_mirror: case dns_zone_key: case dns_zone_redirect: case dns_zone_stub: @@ -11950,8 +11975,10 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { master, source); /* Try with slave with TCP. */ if ((zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_redirect) && - DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) { + DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) + { if (!dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr, &zone->sourceaddr, @@ -12026,8 +12053,11 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { */ if (msg->rcode == dns_rcode_refused && (zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_redirect)) + { goto tcp_transfer; + } goto next_master; } @@ -12036,7 +12066,9 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { */ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) { if (zone->type == dns_zone_slave || - zone->type == dns_zone_redirect) { + zone->type == dns_zone_mirror || + zone->type == dns_zone_redirect) + { dns_zone_log(zone, ISC_LOG_INFO, "refresh: truncated UDP answer, " "initiating TCP zone xfer " @@ -12164,6 +12196,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { "refresh: skipping %s as master %s " "(source %s) is unreachable (cached)", (zone->type == dns_zone_slave || + zone->type == dns_zone_mirror || zone->type == dns_zone_redirect) ? "zone transfer" : "NS query", master, source); @@ -12173,7 +12206,9 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); dns_request_destroy(&zone->request); if (zone->type == dns_zone_slave || - zone->type == dns_zone_redirect) { + zone->type == dns_zone_mirror || + zone->type == dns_zone_redirect) + { do_queue_xfrin = true; } else { INSIST(zone->type == dns_zone_stub); @@ -13028,6 +13063,7 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) { break; case dns_zone_slave: + case dns_zone_mirror: treat_as_slave: if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) diff --git a/lib/ns/notify.c b/lib/ns/notify.c index 1b3b420144..a01c4ce552 100644 --- a/lib/ns/notify.c +++ b/lib/ns/notify.c @@ -141,6 +141,7 @@ ns_notify_start(ns_client_t *client) { if ((zonetype == dns_zone_master) || (zonetype == dns_zone_slave) || + (zonetype == dns_zone_mirror) || (zonetype == dns_zone_stub)) { isc_sockaddr_t *from = ns_client_getsockaddr(client); diff --git a/lib/ns/query.c b/lib/ns/query.c index 60b3310ab6..ba45b6667e 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -7099,8 +7099,8 @@ query_respond_any(query_ctx_t *qctx) { } /* - * Set the expire time, if requested, when answering from a - * slave or master zone. + * Set the expire time, if requested, when answering from a slave, mirror, or + * master zone. */ static void query_getexpire(query_ctx_t *qctx) { @@ -7117,7 +7117,9 @@ query_getexpire(query_ctx_t *qctx) { dns_zone_getraw(qctx->zone, &raw); mayberaw = (raw != NULL) ? raw : qctx->zone; - if (dns_zone_gettype(mayberaw) == dns_zone_slave) { + if (dns_zone_gettype(mayberaw) == dns_zone_slave || + dns_zone_gettype(mayberaw) == dns_zone_mirror) + { isc_time_t expiretime; uint32_t secs; dns_zone_getexpiretime(qctx->zone, &expiretime); diff --git a/lib/ns/update.c b/lib/ns/update.c index d39eec7522..c1d3e70b7b 100644 --- a/lib/ns/update.c +++ b/lib/ns/update.c @@ -1637,6 +1637,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { CHECK(send_update_event(client, zone)); break; case dns_zone_slave: + case dns_zone_mirror: CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), "update forwarding", zonename, true, false)); @@ -1649,7 +1650,8 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { failure: if (result == DNS_R_REFUSED) { - INSIST(dns_zone_gettype(zone) == dns_zone_slave); + INSIST(dns_zone_gettype(zone) == dns_zone_slave || + dns_zone_gettype(zone) == dns_zone_mirror); inc_stats(client, zone, ns_statscounter_updaterej); } /* diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c index d2851063f6..4573d52248 100644 --- a/lib/ns/xfrout.c +++ b/lib/ns/xfrout.c @@ -848,9 +848,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { } else { /* zone table has a match */ switch(dns_zone_gettype(zone)) { - /* Master and slave zones are OK for transfer. */ + /* + * Master, slave, and mirror zones are OK for transfer. + */ case dns_zone_master: case dns_zone_slave: + case dns_zone_mirror: case dns_zone_dlz: break; default: @@ -1087,7 +1090,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { dns_zone_getraw(zone, &raw); mayberaw = (raw != NULL) ? raw : zone; if ((client->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0 && - dns_zone_gettype(mayberaw) == dns_zone_slave) { + (dns_zone_gettype(mayberaw) == dns_zone_slave || + dns_zone_gettype(mayberaw) == dns_zone_mirror)) + { isc_time_t expiretime; uint32_t secs; dns_zone_getexpiretime(zone, &expiretime); From 2cb9e8a0209d6fe30afd2c303ffb284e5e7e185c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 3/9] Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration. --- bin/named/server.c | 8 ++- bin/named/zoneconf.c | 66 +++++++---------------- bin/tests/system/mirror/README | 17 ++++++ bin/tests/system/mirror/ns3/named.conf.in | 24 +++------ bin/tests/system/mirror/setup.sh | 2 - bin/tests/system/mirror/tests.sh | 12 ++--- lib/dns/include/dns/zone.h | 7 --- lib/dns/win32/libdns.def.in | 1 - lib/dns/zone.c | 9 +--- lib/dns/zt.c | 3 +- lib/isccfg/namedconf.c | 3 -- lib/ns/query.c | 7 +-- util/copyrights | 1 + 13 files changed, 66 insertions(+), 94 deletions(-) create mode 100644 bin/tests/system/mirror/README diff --git a/bin/named/server.c b/bin/named/server.c index 26019992aa..0c6224fd84 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6978,6 +6978,9 @@ removed(dns_zone_t *zone, void *uap) { case dns_zone_slave: type = "slave"; break; + case dns_zone_mirror: + type = "mirror"; + break; case dns_zone_stub: type = "stub"; break; @@ -14043,7 +14046,10 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, type = "master"; break; case dns_zone_slave: - type = dns_zone_ismirror(zone) ? "mirror" : "slave"; + type = "slave"; + break; + case dns_zone_mirror: + type = "mirror"; break; case dns_zone_stub: type = "stub"; diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 57ace8a0da..36a29ece17 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1700,8 +1700,26 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * Configure slave functionality. */ switch (ztype) { - case dns_zone_slave: case dns_zone_mirror: + /* + * Disable outgoing zone transfers for mirror zones unless they + * are explicitly enabled by zone configuration. + */ + obj = NULL; + (void)cfg_map_get(zoptions, "allow-transfer", &obj); + if (obj == NULL) { + dns_acl_t *none; + RETERR(dns_acl_none(mctx, &none)); + dns_zone_setxfracl(zone, none); + dns_acl_detach(&none); + } + /* + * Only allow "also-notify". + */ + notifytype = dns_notifytype_explicit; + dns_zone_setnotifytype(zone, notifytype); + /* FALLTHROUGH */ + case dns_zone_slave: case dns_zone_stub: case dns_zone_redirect: count = 0; @@ -1733,35 +1751,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi); - obj = NULL; - (void)cfg_map_get(zoptions, "mirror", &obj); - if (obj != NULL) { - bool mirror = cfg_obj_asboolean(obj); - dns_zone_setoption(mayberaw, DNS_ZONEOPT_MIRROR, - mirror); - if (mirror) { - /* - * Disable outgoing zone transfers unless they - * are explicitly enabled by zone - * configuration. - */ - obj = NULL; - (void)cfg_map_get(zoptions, "allow-transfer", - &obj); - if (obj == NULL) { - dns_acl_t *none; - RETERR(dns_acl_none(mctx, &none)); - dns_zone_setxfracl(zone, none); - dns_acl_detach(&none); - } - /* - * Only allow "also-notify". - */ - notifytype = dns_notifytype_explicit; - dns_zone_setnotifytype(zone, notifytype); - } - } - obj = NULL; result = named_config_get(maps, "max-transfer-time-in", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); @@ -1901,7 +1890,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { const char *cfilename; const char *zfilename; dns_zone_t *raw = NULL; - bool has_raw, mirror; + bool has_raw; dns_zonetype_t ztype; zoptions = cfg_tuple_get(zconfig, "options"); @@ -1941,21 +1930,6 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { return (false); } - /* - * Do not reuse a zone whose "mirror" setting was changed. - */ - obj = NULL; - mirror = false; - (void)cfg_map_get(zoptions, "mirror", &obj); - if (obj != NULL) { - mirror = cfg_obj_asboolean(obj); - } - if (dns_zone_ismirror(zone) != mirror) { - dns_zone_log(zone, ISC_LOG_DEBUG(1), - "not reusable: mirror setting changed"); - return (false); - } - if (zonetype_fromconfig(zoptions) != ztype) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: type mismatch"); diff --git a/bin/tests/system/mirror/README b/bin/tests/system/mirror/README new file mode 100644 index 0000000000..1cb7bdd422 --- /dev/null +++ b/bin/tests/system/mirror/README @@ -0,0 +1,17 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +This test checks whether zones configured with "type mirror;" behave as +expected. + +ns1 is an authoritative-only server. It only serves the root zone, which is +mirrored by ns3. + +ns2 is an authoritative-only server. It serves a number of zones, some of which +are delegated to it by ns1 and used in recursive resolution tests aimed at ns3 +while others are only served so that ns3 has a primary server to mirror zones +from during various tests of the mirror zone implementation. + +ns3 is a recursive resolver. It has a number of mirror zones configured. This +is the only server whose behavior is being examined by this system test. diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index 9eec0acf89..4b14e8d9a7 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in @@ -37,62 +37,54 @@ zone "." { }; zone "." { - type slave; + type mirror; masters { 10.53.0.1; }; - mirror yes; file "root.db.mirror"; }; zone "initially-unavailable" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "initially-unavailable.db.mirror"; use-alt-transfer-source no; }; zone "verify-axfr" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-axfr.db.mirror"; }; zone "verify-ixfr" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-ixfr.db.mirror"; masterfile-format text; }; zone "verify-load" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-load.db.mirror"; masterfile-format text; }; zone "verify-reconfig" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-reconfig.db.mirror"; masterfile-format text; }; zone "verify-unsigned" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-unsigned.db.mirror"; }; zone "verify-untrusted" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-untrusted.db.mirror"; }; diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh index 4a1413dfa1..da81617675 100644 --- a/bin/tests/system/mirror/setup.sh +++ b/bin/tests/system/mirror/setup.sh @@ -21,6 +21,4 @@ copy_setports ns3/named.conf.in ns3/named.conf ( cd ns1 && $SHELL -e sign.sh ) cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed -cat ns2/verify-ixfr.db.original.signed > ns2/verify-ixfr.db.signed cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror -cat ns2/verify-untrusted.db.original.signed > ns2/verify-untrusted.db.signed diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index 73b01f7ae4..1768847d6a 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh @@ -380,7 +380,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "checking that \"rndc reconfig\" properly handles a yes -> no \"mirror\" setting change ($n)" +echo_i "checking that \"rndc reconfig\" properly handles a mirror -> slave zone type change ($n)" ret=0 # Sanity check before we start. $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 @@ -390,13 +390,13 @@ grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 # Reconfigure the zone so that it is no longer a mirror zone. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { - s/mirror yes;/mirror no;/ + s/type mirror;/type slave;/ }' ns3/named.conf > ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf nextpart ns3/named.run > /dev/null $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 -# Zones whose "mirror" setting was changed should not be reusable, which means -# the tested zone should have been reloaded from disk. +# Zones whose type was changed should not be reusable, which means the tested +# zone should have been reloaded from disk. wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 @@ -407,7 +407,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "checking that \"rndc reconfig\" properly handles a no -> yes \"mirror\" setting change ($n)" +echo_i "checking that \"rndc reconfig\" properly handles a slave -> mirror zone type change ($n)" ret=0 # Put an incorrectly signed version of the zone in the zone file used by ns3. nextpart ns3/named.run > /dev/null @@ -415,7 +415,7 @@ cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror # Reconfigure the zone so that it is a mirror zone again. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { - s/mirror no;/mirror yes;/ + s/type slave;/type mirror;/ }' ns3/named.conf > ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index aaa4a1e435..e2ad6314a5 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -83,7 +83,6 @@ typedef enum { DNS_ZONEOPT_CHECKSPF = 1<<27, /*%< check SPF records */ DNS_ZONEOPT_CHECKTTL = 1<<28, /*%< check max-zone-ttl */ DNS_ZONEOPT_AUTOEMPTY = 1<<29, /*%< automatic empty zone */ - DNS_ZONEOPT_MIRROR = 1<<30, /*%< mirror zone */ } dns_zoneopt_t; /* @@ -2486,12 +2485,6 @@ dns_zone_isloaded(const dns_zone_t *zone); * false otherwise. */ -bool -dns_zone_ismirror(const dns_zone_t *zone); -/*%< - * Return true if 'zone' is a mirror zone, return false otherwise. - */ - isc_result_t dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver); /*%< diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index e8ac6af323..83a77856bc 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1201,7 +1201,6 @@ dns_zone_idetach dns_zone_isdynamic dns_zone_isforced dns_zone_isloaded -dns_zone_ismirror dns_zone_keydone dns_zone_link dns_zone_load diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 27dda5ab9f..e4f1d3f4e3 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -19446,13 +19446,6 @@ dns_zone_isloaded(const dns_zone_t *zone) { return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)); } -bool -dns_zone_ismirror(const dns_zone_t *zone) { - REQUIRE(DNS_ZONE_VALID(zone)); - - return (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MIRROR)); -} - isc_result_t dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { dns_dbversion_t *version = NULL; @@ -19466,7 +19459,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(db != NULL); - if (!dns_zone_ismirror(zone)) { + if (dns_zone_gettype(zone) != dns_zone_mirror) { return (ISC_R_SUCCESS); } diff --git a/lib/dns/zt.c b/lib/dns/zt.c index 6b9e7d3277..62b0e4a053 100644 --- a/lib/dns/zt.c +++ b/lib/dns/zt.c @@ -181,7 +181,8 @@ dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options, * instead of returning a SERVFAIL. */ if ((options & DNS_ZTFIND_MIRROR) != 0 && - dns_zone_ismirror(dummy) && !dns_zone_isloaded(dummy)) + dns_zone_gettype(dummy) == dns_zone_mirror && + !dns_zone_isloaded(dummy)) { result = ISC_R_NOTFOUND; } else { diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 960e03d308..3e537a3a60 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2152,9 +2152,6 @@ zone_clauses[] = { { "min-retry-time", &cfg_type_uint32, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, - { "mirror", &cfg_type_boolean, - CFG_ZONE_SLAVE - }, { "multi-master", &cfg_type_boolean, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, diff --git a/lib/ns/query.c b/lib/ns/query.c index ba45b6667e..20ed367495 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -1095,7 +1095,7 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name, /* * Mirror zone data is treated as cache data. */ - if (dns_zone_ismirror(zone)) { + if (dns_zone_gettype(zone) == dns_zone_mirror) { return (query_checkcacheaccess(client, name, qtype, options)); } @@ -5382,7 +5382,7 @@ ns__query_start(query_ctx_t *qctx) { if (qctx->is_zone) { qctx->authoritative = true; if (qctx->zone != NULL) { - if (dns_zone_ismirror(qctx->zone)) { + if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) { qctx->authoritative = false; } if (dns_zone_gettype(qctx->zone) == @@ -7920,7 +7920,8 @@ query_zone_delegation(query_ctx_t *qctx) { if (USECACHE(qctx->client) && (RECURSIONOK(qctx->client) || - (qctx->zone != NULL && dns_zone_ismirror(qctx->zone)))) + (qctx->zone != NULL && + dns_zone_gettype(qctx->zone) == dns_zone_mirror))) { /* * We might have a better answer or delegation in the diff --git a/util/copyrights b/util/copyrights index 0a2cc0e0f7..b7fb76b013 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1537,6 +1537,7 @@ ./bin/tests/system/metadata/parent.db ZONE 2009,2016,2018 ./bin/tests/system/metadata/setup.sh SH 2009,2011,2012,2014,2016,2017,2018 ./bin/tests/system/metadata/tests.sh SH 2009,2011,2012,2013,2014,2016,2017,2018 +./bin/tests/system/mirror/README TXT.BRIEF 2018 ./bin/tests/system/mirror/clean.sh SH 2018 ./bin/tests/system/mirror/ns1/named.conf.in CONF-C 2018 ./bin/tests/system/mirror/ns1/root.db.in ZONE 2018 From 1d49b01cc6ddd51647227730531fa5668c135201 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 4/9] Clean up handling of NOTIFY settings for mirror zones Previous way of handling NOTIFY settings for mirror zones was a bit tricky: any value of the "notify" option was accepted, but it was subsequently overridden with dns_notifytype_explicit. Given the way zone configuration is performed, this resulted in the following behavior: - if "notify yes;" was set explicitly at any configuration level or inherited from default configuration, it was silently changed and so only hosts specified in "also-notify", if any, were notified, - if "notify no;" was set at any configuration level, it was effectively honored since even though zone->notifytype was silently set to dns_notifytype_explicit, the "also-notify" option was never processed due to "notify no;" being set. Effectively, this only allowed the hosts specified in "also-notify" to be notified, when either "notify yes;" or "notify explicit;" was explicitly set or inherited from default configuration. Clean up handling of NOTIFY settings for mirror zones by: - reporting a configuration error when anything else than "notify no;" or "notify explicit;" is set for a mirror zone at the zone level, - overriding inherited "notify yes;" setting with "notify explicit;" for mirror zones, - informing the user when the "notify" setting is overridden, unless the setting in question was inherited from default configuration. --- bin/named/zoneconf.c | 38 +++++++++++-- .../bad-mirror-explicit-notify-yes.conf | 16 ++++++ .../good-mirror-inherited-notify-yes.conf | 19 +++++++ lib/bind9/check.c | 56 +++++++++++++++++++ util/copyrights | 2 + 5 files changed, 126 insertions(+), 5 deletions(-) create mode 100644 bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf create mode 100644 bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 36a29ece17..a1f2c5340e 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -833,6 +833,37 @@ isself(dns_view_t *myview, dns_tsigkey_t *mykey, return (view == myview); } +/*% + * For mirror zones, change "notify yes;" to "notify explicit;", informing the + * user only if "notify" was explicitly configured rather than inherited from + * default configuration. + */ +static dns_notifytype_t +process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype, + const char *zname, const cfg_obj_t **maps) +{ + const cfg_obj_t *obj = NULL; + + /* + * Return the original setting if this is not a mirror zone or if the + * zone is configured with something else than "notify yes;". + */ + if (ztype != dns_zone_mirror || ntype != dns_notifytype_yes) { + return (ntype); + } + + /* + * Only log a message if "notify" was set in the configuration + * hierarchy supplied in 'maps'. + */ + if (named_config_get(maps, "notify", &obj) == ISC_R_SUCCESS) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO, + "'notify explicit;' will be used for mirror zone " + "'%s'", zname); + } + + return (dns_notifytype_explicit); +} isc_result_t named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, @@ -1187,6 +1218,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, else INSIST(0); } + notifytype = process_notifytype(notifytype, ztype, zname, + nodefault); if (raw != NULL) dns_zone_setnotifytype(raw, dns_notifytype_no); dns_zone_setnotifytype(zone, notifytype); @@ -1713,11 +1746,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setxfracl(zone, none); dns_acl_detach(&none); } - /* - * Only allow "also-notify". - */ - notifytype = dns_notifytype_explicit; - dns_zone_setnotifytype(zone, notifytype); /* FALLTHROUGH */ case dns_zone_slave: case dns_zone_stub: diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf new file mode 100644 index 0000000000..e0fabdff38 --- /dev/null +++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf @@ -0,0 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "." { + type mirror; + masters { 127.0.0.1; }; + notify yes; +}; diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf new file mode 100644 index 0000000000..14a29bf7b5 --- /dev/null +++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + notify yes; +}; + +zone "." { + type mirror; + masters { 127.0.0.1; }; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index bfb8917001..2a54fdf0d0 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1915,6 +1915,52 @@ check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) { return (result); } +/*% + * Check whether NOTIFY configuration at the zone level is acceptable for a + * mirror zone. Return true if it is; return false otherwise. + */ +static bool +check_mirror_zone_notify(const cfg_obj_t *zoptions, const char *znamestr, + isc_log_t *logctx) +{ + bool notify_configuration_ok = true; + const cfg_obj_t *obj = NULL; + + (void)cfg_map_get(zoptions, "notify", &obj); + if (obj == NULL) { + /* + * "notify" not set at zone level. This is fine. + */ + return (true); + } + + if (cfg_obj_isboolean(obj)) { + if (cfg_obj_asboolean(obj)) { + /* + * "notify yes;" set at zone level. This is an error. + */ + notify_configuration_ok = false; + } + } else { + const char *notifystr = cfg_obj_asstring(obj); + if (strcasecmp(notifystr, "explicit") != 0) { + /* + * Something else than "notify explicit;" set at zone + * level. This is an error. + */ + notify_configuration_ok = false; + } + } + + if (!notify_configuration_ok) { + cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR, + "zone '%s': mirror zones can only be used with " + "'notify no;' or 'notify explicit;'", znamestr); + } + + return (notify_configuration_ok); +} + static isc_result_t check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const cfg_obj_t *config, isc_symtab_t *symtab, @@ -2186,6 +2232,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } } + /* + * Only a limited subset of all possible "notify" settings can be used + * at the zone level for mirror zones. + */ + if (ztype == CFG_ZONE_MIRROR && + !check_mirror_zone_notify(zoptions, znamestr, logctx)) + { + result = ISC_R_FAILURE; + } + /* * Master, slave, and mirror zones may have an "also-notify" field, but * shouldn't if notify is disabled. diff --git a/util/copyrights b/util/copyrights index b7fb76b013..4bc3900435 100644 --- a/util/copyrights +++ b/util/copyrights @@ -597,6 +597,7 @@ ./bin/tests/system/checkconf/bad-maxcachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-maxncachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-maxttlmap.conf CONF-C 2014,2016,2018 +./bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-noddns.conf CONF-C 2014,2016,2018 ./bin/tests/system/checkconf/bad-options-also-notify.conf CONF-C 2016,2018 ./bin/tests/system/checkconf/bad-printtime.conf CONF-C 2016,2018 @@ -668,6 +669,7 @@ ./bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf CONF-C 2017,2018 ./bin/tests/system/checkconf/good-maxcachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/good-maxncachettl.conf CONF-C 2018 +./bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf CONF-C 2018 ./bin/tests/system/checkconf/good-nested.conf CONF-C 2015,2016,2018 ./bin/tests/system/checkconf/good-options-also-notify.conf CONF-C 2016,2018 ./bin/tests/system/checkconf/good-printtime.conf CONF-C 2016,2018 From 34dc674fed76ec87217fab5bf4d7f575e8b572d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 5/9] Prevent mirror zones from being used when recursion is disabled Since mirror zone data is treated as cache data for access control purposes, configuring a mirror zone and disabling recursion at the same time would effectively prevent mirror zone data from being used since disabling recursion also disables cache access to all clients by default. Even though this behavior can be inhibited by configuration, mirror zones are a recursive resolver feature and thus recursion is now required to use them. Ignore the fact that certain configurations might still trick named into assuming recursion is enabled when it effectively is not since this change is not meant to put a hard policy in place but rather just to prevent accidental mirror zone misuse. --- .../bad-mirror-allow-recursion-none.conf | 20 +++++ .../checkconf/bad-mirror-recursion-no.conf | 19 +++++ lib/bind9/check.c | 75 +++++++++++++++++++ util/copyrights | 2 + 4 files changed, 116 insertions(+) create mode 100644 bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf create mode 100644 bin/tests/system/checkconf/bad-mirror-recursion-no.conf diff --git a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf new file mode 100644 index 0000000000..9dabf8897e --- /dev/null +++ b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf @@ -0,0 +1,20 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + recursion yes; + allow-recursion { none; }; +}; + +zone "." { + type mirror; + masters { 127.0.0.1; }; +}; diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf new file mode 100644 index 0000000000..4dff2cadfd --- /dev/null +++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + recursion no; +}; + +zone "." { + type mirror; + masters { 127.0.0.1; }; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 2a54fdf0d0..6f4cf798ec 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1961,6 +1961,68 @@ check_mirror_zone_notify(const cfg_obj_t *zoptions, const char *znamestr, return (notify_configuration_ok); } +/*% + * Try to determine whether recursion is available in a view without resorting + * to extraordinary measures: just check the "recursion" and "allow-recursion" + * settings. The point is to prevent accidental mirror zone misuse rather than + * to enforce some sort of policy. Recursion is assumed to be allowed by + * default if it is not explicitly disabled. + */ +static bool +check_recursion(const cfg_obj_t *config, const cfg_obj_t *voptions, + const cfg_obj_t *goptions, isc_log_t *logctx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx) +{ + dns_acl_t *acl = NULL; + const cfg_obj_t *obj; + isc_result_t result; + bool retval = true; + + /* + * Check the "recursion" option first. + */ + obj = NULL; + result = ISC_R_NOTFOUND; + if (voptions != NULL) { + result = cfg_map_get(voptions, "recursion", &obj); + } + if (result != ISC_R_SUCCESS && goptions != NULL) { + result = cfg_map_get(goptions, "recursion", &obj); + } + if (result == ISC_R_SUCCESS && !cfg_obj_asboolean(obj)) { + retval = false; + goto cleanup; + } + + /* + * If recursion is not disabled by the "recursion" option, check + * whether it is disabled by the "allow-recursion" ACL. + */ + obj = NULL; + result = ISC_R_NOTFOUND; + if (voptions != NULL) { + result = cfg_map_get(voptions, "allow-recursion", &obj); + } + if (result != ISC_R_SUCCESS && goptions != NULL) { + result = cfg_map_get(goptions, "allow-recursion", &obj); + } + if (result == ISC_R_SUCCESS) { + result = cfg_acl_fromconfig(obj, config, logctx, actx, mctx, 0, + &acl); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + retval = !dns_acl_isnone(acl); + } + + cleanup: + if (acl != NULL) { + dns_acl_detach(&acl); + } + + return (retval); +} + static isc_result_t check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const cfg_obj_t *config, isc_symtab_t *symtab, @@ -2315,6 +2377,19 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } } + /* + * Configuring a mirror zone and disabling recursion at the same time + * contradicts the purpose of the former. + */ + if (ztype == CFG_ZONE_MIRROR && + !check_recursion(config, voptions, goptions, logctx, actx, mctx)) + { + cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR, + "zone '%s': mirror zones cannot be used if " + "recursion is disabled", znamestr); + result = ISC_R_FAILURE; + } + /* * Master zones can't have both "allow-update" and "update-policy". */ diff --git a/util/copyrights b/util/copyrights index 4bc3900435..c362e624bd 100644 --- a/util/copyrights +++ b/util/copyrights @@ -597,7 +597,9 @@ ./bin/tests/system/checkconf/bad-maxcachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-maxncachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-maxttlmap.conf CONF-C 2014,2016,2018 +./bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf CONF-C 2018 +./bin/tests/system/checkconf/bad-mirror-recursion-no.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-noddns.conf CONF-C 2014,2016,2018 ./bin/tests/system/checkconf/bad-options-also-notify.conf CONF-C 2016,2018 ./bin/tests/system/checkconf/bad-printtime.conf CONF-C 2016,2018 From 2c69734bcf00feef18eb61fbf48324a4688296c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 6/9] Define a default master server list for the root zone To minimize the effort required to set up IANA root zone mirroring, define a default master server list for the root zone and use it when that zone is to be mirrored and no master server list was explicitly specified. Contents of that list are taken from RFC 7706 and are subject to change in future releases. Since the static get_masters_def() function in bin/named/config.c does exactly what named_zone_configure() in bin/named/zoneconf.c needs to do, make the former non-static and use it in the latter to prevent code duplication. --- bin/named/config.c | 24 +++++++++++++++---- bin/named/include/named/config.h | 6 +++++ bin/named/zoneconf.c | 12 ++++++++++ .../bad-mirror-explicit-notify-yes.conf | 1 - ...-mirror-non-root-zone-without-masters.conf | 14 +++++++++++ .../checkconf/bad-mirror-recursion-no.conf | 1 - .../good-mirror-inherited-notify-yes.conf | 1 - ...good-mirror-root-zone-without-masters.conf | 14 +++++++++++ lib/bind9/check.c | 8 ++++--- util/copyrights | 2 ++ 10 files changed, 73 insertions(+), 10 deletions(-) create mode 100644 bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf create mode 100644 bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf diff --git a/bin/named/config.c b/bin/named/config.c index f3c7b39a16..9ce79bfd57 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -301,6 +301,21 @@ view \"_bind\" chaos {\n\ MANAGED_KEYS "# END MANAGED KEYS\n\ +\n\ +masters " DEFAULT_IANA_ROOT_ZONE_MASTERS " {\n\ + 2001:500:84::b; # b.root-servers.net\n\ + 2001:500:2f::f; # f.root-servers.net\n\ + 2001:7fd::1; # k.root-servers.net\n\ + 2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\ + 2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\ + 192.228.79.201; # b.root-servers.net\n\ + 192.33.4.12; # c.root-servers.net\n\ + 192.5.5.241; # f.root-servers.net\n\ + 192.112.36.4; # g.root-servers.net\n\ + 193.0.14.129; # k.root-servers.net\n\ + 192.0.47.132; # xfr.cjr.dns.icann.org\n\ + 192.0.32.132; # xfr.lax.dns.icann.org\n\ +};\n\ "; isc_result_t @@ -555,9 +570,9 @@ named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, } } -static isc_result_t -get_masters_def(const cfg_obj_t *cctx, const char *name, - const cfg_obj_t **ret) +isc_result_t +named_config_getmastersdef(const cfg_obj_t *cctx, const char *name, + const cfg_obj_t **ret) { isc_result_t result; const cfg_obj_t *masters = NULL; @@ -699,7 +714,8 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, break; if (j < l) continue; - tresult = get_masters_def(config, listname, &list); + tresult = named_config_getmastersdef(config, listname, + &list); if (tresult == ISC_R_NOTFOUND) { cfg_obj_log(addr, named_g_lctx, ISC_LOG_ERROR, "masters \"%s\" not found", listname); diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h index ad69a16248..a3e3ae241d 100644 --- a/bin/named/include/named/config.h +++ b/bin/named/include/named/config.h @@ -22,6 +22,8 @@ #include #include +#define DEFAULT_IANA_ROOT_ZONE_MASTERS "_default_iana_root_zone_masters" + isc_result_t named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf); @@ -57,6 +59,10 @@ void named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp, uint32_t count); +isc_result_t +named_config_getmastersdef(const cfg_obj_t *cctx, const char *name, + const cfg_obj_t **ret); + isc_result_t named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, isc_mem_t *mctx, dns_ipkeylist_t *ipkl); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index a1f2c5340e..52264239e0 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1753,6 +1753,18 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, count = 0; obj = NULL; (void)cfg_map_get(zoptions, "masters", &obj); + /* + * Use the built-in master server list if one was not + * explicitly specified and this is a root zone mirror. + */ + if (obj == NULL && ztype == dns_zone_mirror && + dns_name_equal(dns_zone_getorigin(zone), dns_rootname)) + { + result = named_config_getmastersdef(named_g_config, + DEFAULT_IANA_ROOT_ZONE_MASTERS, + &obj); + RETERR(result); + } if (obj != NULL) { dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf index e0fabdff38..8d5b28a792 100644 --- a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf +++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf @@ -11,6 +11,5 @@ zone "." { type mirror; - masters { 127.0.0.1; }; notify yes; }; diff --git a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf new file mode 100644 index 0000000000..e212bed6ac --- /dev/null +++ b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "foo." { + type mirror; +}; diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf index 4dff2cadfd..9b02f0dcb7 100644 --- a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf +++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf @@ -15,5 +15,4 @@ options { zone "." { type mirror; - masters { 127.0.0.1; }; }; diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf index 14a29bf7b5..241a77ca0c 100644 --- a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf +++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf @@ -15,5 +15,4 @@ options { zone "." { type mirror; - masters { 127.0.0.1; }; }; diff --git a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf new file mode 100644 index 0000000000..1b7a1cdd6f --- /dev/null +++ b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "." { + type mirror; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 6f4cf798ec..ab944ebd78 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2351,10 +2351,12 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } /* - * Slave, mirror, and stub zones must have a "masters" field. + * Slave, mirror, and stub zones must have a "masters" field, with one + * exception: when mirroring the root zone, a default, built-in master + * server list is used in the absence of one explicitly specified. */ - if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_MIRROR || - ztype == CFG_ZONE_STUB) + if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_STUB || + (ztype == CFG_ZONE_MIRROR && !dns_name_equal(zname, dns_rootname))) { obj = NULL; if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) { diff --git a/util/copyrights b/util/copyrights index c362e624bd..9a19e34162 100644 --- a/util/copyrights +++ b/util/copyrights @@ -599,6 +599,7 @@ ./bin/tests/system/checkconf/bad-maxttlmap.conf CONF-C 2014,2016,2018 ./bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf CONF-C 2018 +./bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-mirror-recursion-no.conf CONF-C 2018 ./bin/tests/system/checkconf/bad-noddns.conf CONF-C 2014,2016,2018 ./bin/tests/system/checkconf/bad-options-also-notify.conf CONF-C 2016,2018 @@ -672,6 +673,7 @@ ./bin/tests/system/checkconf/good-maxcachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/good-maxncachettl.conf CONF-C 2018 ./bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf CONF-C 2018 +./bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf CONF-C 2018 ./bin/tests/system/checkconf/good-nested.conf CONF-C 2015,2016,2018 ./bin/tests/system/checkconf/good-options-also-notify.conf CONF-C 2016,2018 ./bin/tests/system/checkconf/good-printtime.conf CONF-C 2016,2018 From adbe2caf28728a1e24e7741aebc013fe6de13789 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 7/9] Test whether mirror zones can be added and removed dynamically Extend the "mirror" zone system test to make sure mirror zones can be added and removed dynamically using rndc. --- bin/tests/system/mirror/clean.sh | 1 + bin/tests/system/mirror/ns2/named.conf.in | 5 ++++ bin/tests/system/mirror/ns2/sign.sh | 2 +- bin/tests/system/mirror/ns3/named.conf.in | 1 + bin/tests/system/mirror/tests.sh | 33 +++++++++++++++++++++++ 5 files changed, 41 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/mirror/clean.sh b/bin/tests/system/mirror/clean.sh index fc189a8604..99ee2ae020 100644 --- a/bin/tests/system/mirror/clean.sh +++ b/bin/tests/system/mirror/clean.sh @@ -11,6 +11,7 @@ rm -f */*.conf rm -f */*.db rm -f */*.jnl rm -f */*.mirror +rm -f */*.nzd* rm -f */*.prev rm -f */*.signed rm -f */K* diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in index ebcce5729a..2979ea9980 100644 --- a/bin/tests/system/mirror/ns2/named.conf.in +++ b/bin/tests/system/mirror/ns2/named.conf.in @@ -45,6 +45,11 @@ zone "initially-unavailable" { allow-transfer { 10.53.0.254; }; }; +zone "verify-addzone" { + type master; + file "verify-addzone.db.original.signed"; +}; + zone "verify-axfr" { type master; file "verify-axfr.db.signed"; diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh index e8239b14e0..57df68db1b 100644 --- a/bin/tests/system/mirror/ns2/sign.sh +++ b/bin/tests/system/mirror/ns2/sign.sh @@ -36,7 +36,7 @@ ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in` UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1` UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2` -for variant in axfr ixfr load reconfig untrusted; do +for variant in addzone axfr ixfr load reconfig untrusted; do zone=verify-$variant infile=verify.db.in zonefile=verify-$variant.db diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index 4b14e8d9a7..edf6a21702 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in @@ -29,6 +29,7 @@ options { recursion yes; allow-query-cache { 10.53.0.1; }; trust-anchor-telemetry yes; + allow-new-zones yes; }; zone "." { diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index 1768847d6a..8411857d0d 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh @@ -427,6 +427,39 @@ nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-reconfi if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "checking that a mirror zone can be added using rndc ($n)" +ret=0 +# Sanity check: the zone should not exist in the root zone. +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +# Mirror a zone which does not exist in the root zone. +nextpart ns3/named.run > /dev/null +$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; masters { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1 +wait_for_transfer verify-addzone +# Check whether the mirror zone was added and whether it behaves as expected. +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that a mirror zone can be deleted using rndc ($n)" +ret=0 +# Remove the mirror zone added in the previous test. +$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1 +# Check whether the mirror zone was removed. +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + n=`expr $n + 1` echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)" ret=0 From 7bb3d000a5fa0d20a5564b3f465caa85c026e133 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 8/9] Update documentation --- bin/named/named.conf.5 | 9 +- bin/named/named.conf.docbook | 11 +- bin/named/named.conf.html | 9 +- bin/tests/cfg_test.c | 2 + doc/arm/Bv9ARM-book.xml | 174 ++++++++++++++++------------ doc/arm/Bv9ARM.ch05.html | 216 ++++++++++++++++++++++++----------- doc/arm/man.named.conf.html | 9 +- doc/arm/mirror.zoneopt.xml | 56 +++++++++ doc/arm/options.grammar.xml | 1 - doc/arm/slave.zoneopt.xml | 1 - doc/misc/Makefile.in | 2 + doc/misc/mirror.zoneopt | 42 +++++++ doc/misc/options | 11 +- doc/misc/slave.zoneopt | 1 - util/copyrights | 2 + 15 files changed, 375 insertions(+), 171 deletions(-) create mode 100644 doc/arm/mirror.zoneopt.xml create mode 100644 doc/misc/mirror.zoneopt diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 6104832681..8d109a00b9 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -884,7 +884,6 @@ view \fIstring\fR [ \fIclass\fR ] { max\-zone\-ttl ( unlimited | \fIttlval\fR ); min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; - mirror \fIboolean\fR; multi\-master \fIboolean\fR; notify ( explicit | master\-only | \fIboolean\fR ); notify\-delay \fIinteger\fR; @@ -910,7 +909,7 @@ view \fIstring\fR [ \fIclass\fR ] { transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; try\-tcp\-refresh \fIboolean\fR; - type ( primary | master | secondary | slave | + type ( primary | master | secondary | slave | mirror | delegation\-only | forward | hint | redirect | static\-stub | stub ); update\-check\-ksk \fIboolean\fR; @@ -993,7 +992,6 @@ zone \fIstring\fR [ \fIclass\fR ] { max\-zone\-ttl ( unlimited | \fIttlval\fR ); min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; - mirror \fIboolean\fR; multi\-master \fIboolean\fR; notify ( explicit | master\-only | \fIboolean\fR ); notify\-delay \fIinteger\fR; @@ -1017,8 +1015,9 @@ zone \fIstring\fR [ \fIclass\fR ] { transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; try\-tcp\-refresh \fIboolean\fR; - type ( primary | master | secondary | slave | delegation\-only | - forward | hint | redirect | static\-stub | stub ); + type ( primary | master | secondary | slave | mirror | + delegation\-only | forward | hint | redirect | static\-stub | + stub ); update\-check\-ksk \fIboolean\fR; update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self | external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 49aa2104f9..01dc81be6c 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -341,7 +341,6 @@ options { min-retry-time integer; minimal-any boolean; minimal-responses ( no-auth | no-auth-recursive | boolean ); - mirror boolean; multi-master boolean; new-zones-directory quoted_string; no-case-compress { address_match_element; ... }; @@ -673,7 +672,6 @@ view string [ class ] { min-retry-time integer; minimal-any boolean; minimal-responses ( no-auth | no-auth-recursive | boolean ); - mirror boolean; multi-master boolean; new-zones-directory quoted_string; no-case-compress { address_match_element; ... }; @@ -864,7 +862,6 @@ view string [ class ] { max-zone-ttl ( unlimited | ttlval ); min-refresh-time integer; min-retry-time integer; - mirror boolean; multi-master boolean; notify ( explicit | master-only | boolean ); notify-delay integer; @@ -890,7 +887,7 @@ view string [ class ] { transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; try-tcp-refresh boolean; - type ( primary | master | secondary | slave | + type ( primary | master | secondary | slave | mirror | delegation-only | forward | hint | redirect | static-stub | stub ); update-check-ksk boolean; @@ -969,7 +966,6 @@ zone string [ class ] { max-zone-ttl ( unlimited | ttlval ); min-refresh-time integer; min-retry-time integer; - mirror boolean; multi-master boolean; notify ( explicit | master-only | boolean ); notify-delay integer; @@ -993,8 +989,9 @@ zone string [ class ] { transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; try-tcp-refresh boolean; - type ( primary | master | secondary | slave | delegation-only | - forward | hint | redirect | static-stub | stub ); + type ( primary | master | secondary | slave | mirror | + delegation-only | forward | hint | redirect | static-stub | + stub ); update-check-ksk boolean; update-policy ( local | { ( deny | grant ) string ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index 7169f14ceb..a5b2ccd702 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -853,7 +853,6 @@ view max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
min-retry-time integer;
- mirror boolean;
multi-master boolean;
notify ( explicit | master-only | boolean );
notify-delay integer;
@@ -879,7 +878,7 @@ view transfer-source-v6 ( ipv6_address | * ) [ port (
    integer | * ) ] [ dscp integer ];
try-tcp-refresh boolean;
- type ( primary | master | secondary | slave |
+ type ( primary | master | secondary | slave | mirror |
    delegation-only | forward | hint | redirect |
    static-stub | stub );
update-check-ksk boolean;
@@ -959,7 +958,6 @@ zone max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
min-retry-time integer;
- mirror boolean;
multi-master boolean;
notify ( explicit | master-only | boolean );
notify-delay integer;
@@ -983,8 +981,9 @@ zone transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
    ] [ dscp integer ];
try-tcp-refresh boolean;
- type ( primary | master | secondary | slave | delegation-only |
-     forward | hint | redirect | static-stub | stub );
+ type ( primary | master | secondary | slave | mirror |
+     delegation-only | forward | hint | redirect | static-stub |
+     stub );
update-check-ksk boolean;
update-policy ( local | { ( deny | grant ) string ( 6to4-self |
    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c index 4d01e41056..0c8e1a7940 100644 --- a/bin/tests/cfg_test.c +++ b/bin/tests/cfg_test.c @@ -115,6 +115,8 @@ main(int argc, char **argv) { strcmp(argv[1], "seconary") == 0) { zonetype = CFG_ZONE_SLAVE; + } else if (strcmp(argv[1], "mirror") == 0) { + zonetype = CFG_ZONE_MIRROR; } else if (strcmp(argv[1], "stub") == 0) { zonetype = CFG_ZONE_STUB; } else if (strcmp(argv[1], "static-stub") == 0) { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 02d933c7f6..c2c5e4f43f 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -7317,8 +7317,8 @@ options { - - allow-transfer + + allow-transfer Specifies which hosts are allowed to @@ -11410,6 +11410,7 @@ view "external" { + @@ -11429,6 +11430,7 @@ view "external" { acceptable values include: master (or primary), slave (or secondary), + mirror, delegation-only, forward, hint, @@ -11565,6 +11567,97 @@ view "external" { + + + + mirror + + + + + + + A mirror zone acts like a zone of type + secondary whose data is + subject to DNSSEC validation before being used + in answers. Validation is performed during the + zone transfer process, and again when the zone + file is loaded from disk when + named is restarted. If + validation fails, a retransfer of the zone is + scheduled; if the mirror zone had not previously + been loaded or if the previous version has + expired, traditional DNS recursion will be used + to look up the answers instead. + + + For validation to succeed, a key-signing key + (KSK) for the zone must be configured as a trust + anchor in named.conf: that + is, a key for the zone must either be specified + in managed-keys or + trusted-keys, or in the case + of the root zone, + dnssec-validation must be set + to auto. Answers coming + from a mirror zone look almost exactly like + answers from a zone of type + secondary, with the + notable exceptions that the AA bit + ("authoritative answer") is not set, and the AD + bit ("authenticated data") is. + + + Since mirror zones are intended to be used by + recursive resolvers, adding one to a view with + recursion disabled is considered to be a + configuration error. + + + When configuring NOTIFY for a mirror zone, only + notify no; and + notify explicit; can be + used. Using any other + notify setting at the + zone level is a configuration error. Using any + other notify setting at + the options or + view level will cause + that setting to be overridden with + notify explicit; for the + mirror zone in question. + + + Outgoing transfers of mirror zones are disabled + by default but may be enabled using + . + + + While any zone may be configured with this type, + it is intended to be used to set up a fast local + copy of the root zone, similar to the one + described in RFC 7706. Note, however, that + mirror zones are not supposed to augment the + example configuration provided by RFC 7706 but + rather to replace it altogether. + + + A default list of primary servers for the root + zone is built into named and + thus IANA root zone mirroring can be enabled + using the following configuration: + +zone "." { + type mirror; +}; + + To make mirror zone contents persist between + named restarts, use the + + option. + + + @@ -12067,19 +12160,20 @@ view "external" { - - file + + file Set the zone's filename. In master, hint, and redirect zones which do not have masters defined, zone data is loaded from this file. In - slave, stub, and - redirect zones which do have - masters defined, zone data is - retrieved from another server and saved in this file. - This option is not applicable to other zone types. + slave, mirror, + stub, and redirect + zones which do have masters + defined, zone data is retrieved from another server + and saved in this file. This option is not + applicable to other zone types. @@ -12524,68 +12618,6 @@ example.com. NS ns2.example.net. - - mirror - - - If set to yes, this causes the - zone to become a mirror zone. A mirror zone is a - secondary zone whose data - is subject to DNSSEC validation before being - used in answers. The default is - no. - - - A mirror zone's contents are validated during the transfer - process, and again when the zone file is loaded from disk - when named is restarted. If validation - fails, a retransfer of the zone is scheduled; if the mirror - zone had not previously been loaded or if the previous - version has expired, traditional DNS recursion will be used - to look up the answers instead. - - - For validation to succeed, a key-signing key (KSK) for - the zone must be configured as a trust anchor in - named.conf: - that is, a key for the zone must either be specified in - managed-keys or - trusted-keys, or in the case of - the root zone, dnssec-validation - must be set to auto. - Answers coming from a mirror zone look almost exactly like - answers from a normal slave zone, with the notable - exceptions that the AA bit ("authoritative answer") is - not set, and the AD bit ("authenticated data") is. - - - Though this option can be used for other zones, it - is intended to be used to set up a fast local copy of - the root zone, as described in RFC 7706. - This can be done by using the following configuration: - -zone "." { - type slave; - mirror yes; - file "root.mirror"; - masters { - 192.228.79.201; # b.root-servers.net - 192.33.4.12; # c.root-servers.net - 192.5.5.241; # f.root-servers.net - 192.112.36.4; # g.root-servers.net - 193.0.14.129; # k.root-servers.net - 192.0.47.132; # xfr.cjr.dns.icann.org - 192.0.32.132; # xfr.lax.dns.icann.org - 2001:500:84::b; # b.root-servers.net - 2001:500:2f::f; # f.root-servers.net - 2001:7fd::1; # k.root-servers.net - 2620:0:2830:202::132; # xfr.cjr.dns.icann.org - 2620:0:2d0:202::132; # xfr.lax.dns.icann.org - }; -}; - - - multi-master diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 36939a6ea3..401f9f204c 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -2531,7 +2531,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] min-retry-time integer; minimal-any boolean; minimal-responses ( no-auth | no-auth-recursive | boolean ); - mirror boolean; multi-master boolean; new-zones-directory quoted_string; no-case-compress { address_match_element; ... }; @@ -5369,7 +5368,9 @@ options { It is now ignored with some warning messages.

-
allow-transfer
+
+allow-transfer +

Specifies which hosts are allowed to @@ -9398,7 +9399,6 @@ view "external" { max-transfer-time-out integer; min-refresh-time integer; min-retry-time integer; - mirror boolean; multi-master boolean; notify ( explicit | master-only | boolean ); notify-delay integer; @@ -9421,6 +9421,50 @@ view "external" { }; 

+zone string [ class ] {
+	type mirror;
+	allow-notify { address_match_element; ... };
+	allow-query { address_match_element; ... };
+	allow-query-on { address_match_element; ... };
+	allow-transfer { address_match_element; ... };
+	allow-update-forwarding { address_match_element; ... };
+	also-notify [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... };
+	alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	check-names ( fail | warn | ignore );
+	database string;
+	file quoted_string;
+	ixfr-from-differences boolean;
+	journal quoted_string;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... };
+	max-journal-size ( default | unlimited | sizeval );
+	max-records integer;
+	max-refresh-time integer;
+	max-retry-time integer;
+	max-transfer-idle-in integer;
+	max-transfer-idle-out integer;
+	max-transfer-time-in integer;
+	max-transfer-time-out integer;
+	min-refresh-time integer;
+	min-retry-time integer;
+	multi-master boolean;
+	notify ( explicit | master-only | boolean );
+	notify-delay integer;
+	notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	request-expire boolean;
+	request-ixfr boolean;
+	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ];
+	try-tcp-refresh boolean;
+	use-alt-transfer-source boolean;
+	zero-no-soa-ttl boolean;
+	zone-statistics ( full | terse | none | boolean );
+};
+
+
 zone string [ class ] {
 	type hint;
 	check-names ( fail | warn | ignore );
@@ -9519,6 +9563,7 @@ view "external" {
               acceptable values include:
               master (or primary),
               slave (or secondary),
+              mirror,
               delegation-only,
               forward,
               hint,
@@ -9656,6 +9701,97 @@ view "external" {
                     
 
 
+
+                      

+                        mirror
+                      

+                    
+
+                      

+                      

+                      

+                        A mirror zone acts like a zone of type
+                        secondary whose data is
+                        subject to DNSSEC validation before being used
+                        in answers.  Validation is performed during the
+                        zone transfer process, and again when the zone
+                        file is loaded from disk when
+                        named is restarted.  If
+                        validation fails, a retransfer of the zone is
+                        scheduled; if the mirror zone had not previously
+                        been loaded or if the previous version has
+                        expired, traditional DNS recursion will be used
+                        to look up the answers instead.
+                      

+                      

+                        For validation to succeed, a key-signing key
+                        (KSK) for the zone must be configured as a trust
+                        anchor in named.conf: that
+                        is, a key for the zone must either be specified
+                        in managed-keys or
+                        trusted-keys, or in the case
+                        of the root zone,
+                        dnssec-validation must be set
+                        to auto.  Answers coming
+                        from a mirror zone look almost exactly like
+                        answers from a zone of type
+                        secondary, with the
+                        notable exceptions that the AA bit
+                        ("authoritative answer") is not set, and the AD
+                        bit ("authenticated data") is.
+                      

+                      

+                        Since mirror zones are intended to be used by
+                        recursive resolvers, adding one to a view with
+                        recursion disabled is considered to be a
+                        configuration error.
+                      

+                      

+                        When configuring NOTIFY for a mirror zone, only
+                        notify no; and
+                        notify explicit; can be
+                        used.  Using any other
+                        notify setting at the
+                        zone level is a configuration error.  Using any
+                        other notify setting at
+                        the options or
+                        view level will cause
+                        that setting to be overridden with
+                        notify explicit; for the
+                        mirror zone in question.
+                      

+                      

+                        Outgoing transfers of mirror zones are disabled
+                        by default but may be enabled using
+                        allow-transfer.
+                      

+                      

+                        While any zone may be configured with this type,
+                        it is intended to be used to set up a fast local
+                        copy of the root zone, similar to the one
+                        described in RFC 7706.  Note, however, that
+                        mirror zones are not supposed to augment the
+                        example configuration provided by RFC 7706 but
+                        rather to replace it altogether.
+                      

+                      

+                        A default list of primary servers for the root
+                        zone is built into named and
+                        thus IANA root zone mirroring can be enabled
+                        using the following configuration:
+                      

+
zone "." {
+        type mirror;
+};

+                      

+                        To make mirror zone contents persist between
+                        named restarts, use the
+                        file
+                        option.
+                      

+                    
+
+
 
                       

                         static-stub
@@ -10093,18 +10229,21 @@ view "external" {
                     See caveats in root-delegation-only.
-
file
+
+file +

Set the zone's filename. In master, hint, and redirect zones which do not have masters defined, zone data is loaded from this file. In - slave, stub, and - redirect zones which do have - masters defined, zone data is - retrieved from another server and saved in this file. - This option is not applicable to other zone types. + slave, mirror, + stub, and redirect + zones which do have masters + defined, zone data is retrieved from another server + and saved in this file. This option is not + applicable to other zone types.

forward
@@ -10444,65 +10583,6 @@ example.com. NS ns2.example.net. behavior is disabled by default.

-
mirror
-
-

- If set to yes, this causes the - zone to become a mirror zone. A mirror zone is a - secondary zone whose data - is subject to DNSSEC validation before being - used in answers. The default is - no. -

-

- A mirror zone's contents are validated during the transfer - process, and again when the zone file is loaded from disk - when named is restarted. If validation - fails, a retransfer of the zone is scheduled; if the mirror - zone had not previously been loaded or if the previous - version has expired, traditional DNS recursion will be used - to look up the answers instead. -

-

- For validation to succeed, a key-signing key (KSK) for - the zone must be configured as a trust anchor in - named.conf: - that is, a key for the zone must either be specified in - managed-keys or - trusted-keys, or in the case of - the root zone, dnssec-validation - must be set to auto. - Answers coming from a mirror zone look almost exactly like - answers from a normal slave zone, with the notable - exceptions that the AA bit ("authoritative answer") is - not set, and the AD bit ("authenticated data") is. -

-

- Though this option can be used for other zones, it - is intended to be used to set up a fast local copy of - the root zone, as described in RFC 7706. - This can be done by using the following configuration: -

-
zone "." {
-        type slave;
-        mirror yes;
-        file "root.mirror";
-        masters {
-                192.228.79.201;       # b.root-servers.net
-                192.33.4.12;          # c.root-servers.net
-                192.5.5.241;          # f.root-servers.net
-                192.112.36.4;         # g.root-servers.net
-                193.0.14.129;         # k.root-servers.net
-                192.0.47.132;         # xfr.cjr.dns.icann.org
-                192.0.32.132;         # xfr.lax.dns.icann.org
-                2001:500:84::b;       # b.root-servers.net
-                2001:500:2f::f;       # f.root-servers.net
-                2001:7fd::1;          # k.root-servers.net
-                2620:0:2830:202::132; # xfr.cjr.dns.icann.org
-                2620:0:2d0:202::132;  # xfr.lax.dns.icann.org
-        };
-};
-
multi-master

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 3c91638ea3..4a9411be55 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -871,7 +871,6 @@ view max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
min-retry-time integer;
- mirror boolean;
multi-master boolean;
notify ( explicit | master-only | boolean );
notify-delay integer;
@@ -897,7 +896,7 @@ view transfer-source-v6 ( ipv6_address | * ) [ port (
    integer | * ) ] [ dscp integer ];
try-tcp-refresh boolean;
- type ( primary | master | secondary | slave |
+ type ( primary | master | secondary | slave | mirror |
    delegation-only | forward | hint | redirect |
    static-stub | stub );
update-check-ksk boolean;
@@ -977,7 +976,6 @@ zone max-zone-ttl ( unlimited | ttlval );
min-refresh-time integer;
min-retry-time integer;
- mirror boolean;
multi-master boolean;
notify ( explicit | master-only | boolean );
notify-delay integer;
@@ -1001,8 +999,9 @@ zone transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
    ] [ dscp integer ];
try-tcp-refresh boolean;
- type ( primary | master | secondary | slave | delegation-only |
-     forward | hint | redirect | static-stub | stub );
+ type ( primary | master | secondary | slave | mirror |
+     delegation-only | forward | hint | redirect | static-stub |
+     stub );
update-check-ksk boolean;
update-policy ( local | { ( deny | grant ) string ( 6to4-self |
    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
diff --git a/doc/arm/mirror.zoneopt.xml b/doc/arm/mirror.zoneopt.xml new file mode 100644 index 0000000000..694fd80d78 --- /dev/null +++ b/doc/arm/mirror.zoneopt.xml @@ -0,0 +1,56 @@ + + + + +zone string [ class ] { + type mirror; + allow-notify { address_match_element; ... }; + allow-query { address_match_element; ... }; + allow-query-on { address_match_element; ... }; + allow-transfer { address_match_element; ... }; + allow-update-forwarding { address_match_element; ... }; + also-notify [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... }; + alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + check-names ( fail | warn | ignore ); + database string; + file quoted_string; + ixfr-from-differences boolean; + journal quoted_string; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... }; + max-journal-size ( default | unlimited | sizeval ); + max-records integer; + max-refresh-time integer; + max-retry-time integer; + max-transfer-idle-in integer; + max-transfer-idle-out integer; + max-transfer-time-in integer; + max-transfer-time-out integer; + min-refresh-time integer; + min-retry-time integer; + multi-master boolean; + notify ( explicit | master-only | boolean ); + notify-delay integer; + notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + request-expire boolean; + request-ixfr boolean; + transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + try-tcp-refresh boolean; + use-alt-transfer-source boolean; + zero-no-soa-ttl boolean; + zone-statistics ( full | terse | none | boolean ); +}; + diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml index 3eae56c229..d8c9243ae5 100644 --- a/doc/arm/options.grammar.xml +++ b/doc/arm/options.grammar.xml @@ -180,7 +180,6 @@ min-retry-time integer; minimal-any boolean; minimal-responses ( no-auth | no-auth-recursive | boolean ); - mirror boolean; multi-master boolean; new-zones-directory quoted_string; no-case-compress { address_match_element; ... }; diff --git a/doc/arm/slave.zoneopt.xml b/doc/arm/slave.zoneopt.xml index 0c4ee36a70..63c0a4acf1 100644 --- a/doc/arm/slave.zoneopt.xml +++ b/doc/arm/slave.zoneopt.xml @@ -50,7 +50,6 @@ max-transfer-time-out integer; min-refresh-time integer; min-retry-time integer; - mirror boolean; multi-master boolean; notify ( explicit | master-only | boolean ); notify-delay integer; diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in index c4967ff519..21084d5591 100644 --- a/doc/misc/Makefile.in +++ b/doc/misc/Makefile.in @@ -35,6 +35,7 @@ options: FORCE ${CFG_TEST} --named --grammar > $@.raw ; \ ${CFG_TEST} --zonegrammar master > master.zoneopt ; \ ${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \ + ${CFG_TEST} --zonegrammar mirror > mirror.zoneopt ; \ ${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \ ${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \ ${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \ @@ -54,6 +55,7 @@ docbook: options ${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook ${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml ${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml + ${PERL} docbook-zoneopt.pl mirror.zoneopt > ${top_srcdir}/doc/arm/mirror.zoneopt.xml ${PERL} docbook-zoneopt.pl forward.zoneopt > ${top_srcdir}/doc/arm/forward.zoneopt.xml ${PERL} docbook-zoneopt.pl hint.zoneopt > ${top_srcdir}/doc/arm/hint.zoneopt.xml ${PERL} docbook-zoneopt.pl stub.zoneopt > ${top_srcdir}/doc/arm/stub.zoneopt.xml diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt new file mode 100644 index 0000000000..6184d371d5 --- /dev/null +++ b/doc/misc/mirror.zoneopt @@ -0,0 +1,42 @@ +zone [ ] { + type mirror; + allow-notify { ; ... }; + allow-query { ; ... }; + allow-query-on { ; ... }; + allow-transfer { ; ... }; + allow-update-forwarding { ; ... }; + also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ]; + alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + check-names ( fail | warn | ignore ); + database ; + file ; + ixfr-from-differences ; + journal ; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + max-journal-size ( default | unlimited | ); + max-records ; + max-refresh-time ; + max-retry-time ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; + min-refresh-time ; + min-retry-time ; + multi-master ; + notify ( explicit | master-only | ); + notify-delay ; + notify-source ( | * ) [ port ( | * ) ] [ dscp ]; + notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + request-expire ; + request-ixfr ; + transfer-source ( | * ) [ port ( | * ) ] [ dscp ]; + transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + try-tcp-refresh ; + use-alt-transfer-source ; + zero-no-soa-ttl ; + zone-statistics ( full | terse | none | ); +}; diff --git a/doc/misc/options b/doc/misc/options index e845e3e52f..441cda28df 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -239,7 +239,6 @@ options { min-roots ; // not implemented minimal-any ; minimal-responses ( no-auth | no-auth-recursive | ); - mirror ; multi-master ; multiple-cnames ; // obsolete named-xfer ; // obsolete @@ -580,7 +579,6 @@ view [ ] { min-roots ; // not implemented minimal-any ; minimal-responses ( no-auth | no-auth-recursive | ); - mirror ; multi-master ; new-zones-directory ; no-case-compress { ; ... }; @@ -786,7 +784,6 @@ view [ ] { max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; - mirror ; multi-master ; notify ( explicit | master-only | ); notify-delay ; @@ -814,7 +811,7 @@ view [ ] { transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; try-tcp-refresh ; - type ( primary | master | secondary | slave | + type ( primary | master | secondary | slave | mirror | delegation-only | forward | hint | redirect | static-stub | stub ); update-check-ksk ; @@ -892,7 +889,6 @@ zone [ ] { max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; - mirror ; multi-master ; notify ( explicit | master-only | ); notify-delay ; @@ -918,8 +914,9 @@ zone [ ] { transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; try-tcp-refresh ; - type ( primary | master | secondary | slave | delegation-only | - forward | hint | redirect | static-stub | stub ); + type ( primary | master | secondary | slave | mirror | + delegation-only | forward | hint | redirect | static-stub | + stub ); update-check-ksk ; update-policy ( local | { ( deny | grant ) ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt index 42c87f4678..248823a88b 100644 --- a/doc/misc/slave.zoneopt +++ b/doc/misc/slave.zoneopt @@ -37,7 +37,6 @@ zone [ ] { max-transfer-time-out ; min-refresh-time ; min-retry-time ; - mirror ; multi-master ; notify ( explicit | master-only | ); notify-delay ; diff --git a/util/copyrights b/util/copyrights index 9a19e34162..0b1c923821 100644 --- a/util/copyrights +++ b/util/copyrights @@ -2682,6 +2682,7 @@ ./doc/arm/managed-keys.xml SGML 2010,2014,2015,2016,2017,2018 ./doc/arm/master.zoneopt.xml SGML 2018 ./doc/arm/masters.grammar.xml SGML 2018 +./doc/arm/mirror.zoneopt.xml SGML 2018 ./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018 ./doc/arm/notes.conf X 2015,2018 ./doc/arm/notes.html X 2014,2015,2016,2017,2018 @@ -2748,6 +2749,7 @@ ./doc/misc/master.zoneopt X 2018 ./doc/misc/migration TXT.BRIEF 2000,2001,2003,2004,2007,2008,2016,2018 ./doc/misc/migration-4to9 TXT.BRIEF 2001,2004,2016,2018 +./doc/misc/mirror.zoneopt X 2018 ./doc/misc/options X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018 ./doc/misc/redirect.zoneopt X 2018 ./doc/misc/rfc-compliance TXT.BRIEF 2001,2004,2015,2016,2018 From 5b699aaa424be45a30263783da3ff5a7ed8a320a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH 9/9] Add CHANGES entry XXXX. [func] A default list of primary servers for the root zone is now built into named, allowing the "masters" statement to be omitted when configuring an IANA root zone mirror. [GL #564] XXXX. [func] Attempts to use mirror zones with recursion disabled are now considered a configuration error. [GL #564] XXXX. [func] The only valid zone-level NOTIFY settings for mirror zones are now "notify no;" and "notify explicit;". [GL #564] XXXX. [func] Mirror zones are now configured using "type mirror;" rather than "mirror yes;". [GL #564] --- CHANGES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGES b/CHANGES index d82373c4bc..34c100c670 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,18 @@ +5055. [func] A default list of primary servers for the root zone is + now built into named, allowing the "masters" statement + to be omitted when configuring an IANA root zone + mirror. [GL #564] + +5054. [func] Attempts to use mirror zones with recursion disabled + are now considered a configuration error. [GL #564] + +5053. [func] The only valid zone-level NOTIFY settings for mirror + zones are now "notify no;" and "notify explicit;". + [GL #564] + +5052. [func] Mirror zones are now configured using "type mirror;" + rather than "mirror yes;". [GL #564] + 5051. [doc] Documentation incorrectly stated that the "server-addresses" static-stub zone option accepts custom port numbers. [GL #582]