remove {root-}delegation-only
complete the removal of the delegation-only and root-delegation-only options, and the delegation-only zone type.
This commit is contained in:
parent
9e7b7a5716
commit
833ca463d4
29 changed files with 44 additions and 825 deletions
@ -733,8 +733,7 @@ main(int argc, char **argv) {
|
|||
exit(1);
|
||||
}
|
||||
|
||||
result = isccfg_check_namedconf(config, loadplugins, nodeprecate, logc,
|
||||
mctx);
|
||||
result = isccfg_check_namedconf(config, loadplugins, logc, mctx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
exit_status = 1;
|
||||
}
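Review bot: The `nodeprecate` argument is dropped from the `isccfg_check_namedconf` call on the new side, but nothing in this hunk removes the local or the command-line option that sets it (main() starts outside the hunk). Unless the rest of the file drops them in the same commit, that option becomes a silent no-op and `nodeprecate` is a set-but-unused local that a `-Werror` build rejects; if the option is kept for compatibility, its help text and man page should say it no longer has an effect. The same signature change appears in the `load_configuration` hunk of the server source further down, where the second `false` is removed.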
|
||||
@ -52,7 +52,6 @@ Any of these zone statements can also be set inside the view statement.
|
|||
.. literalinclude:: ../../doc/misc/redirect.zoneopt
|
||||
.. literalinclude:: ../../doc/misc/static-stub.zoneopt
|
||||
.. literalinclude:: ../../doc/misc/stub.zoneopt
|
||||
.. literalinclude:: ../../doc/misc/delegation-only.zoneopt
|
||||
.. literalinclude:: ../../doc/misc/in-view.zoneopt
|
||||
|
||||
Files
|
||||
@ -5593,29 +5593,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
|
|||
view->preferred_glue = 0;
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "root-delegation-only", &obj);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
dns_view_setrootdelonly(view, true);
|
||||
}
|
||||
if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
|
||||
const cfg_obj_t *exclude;
|
||||
dns_fixedname_t fixed;
|
||||
dns_name_t *name;
|
||||
|
||||
name = dns_fixedname_initname(&fixed);
|
||||
for (element = cfg_list_first(obj); element != NULL;
|
||||
element = cfg_list_next(element))
|
||||
{
|
||||
exclude = cfg_listelt_value(element);
|
||||
CHECK(dns_name_fromstring(
|
||||
name, cfg_obj_asstring(exclude), 0, NULL));
|
||||
dns_view_excludedelegationonly(view, name);
|
||||
}
|
||||
} else {
|
||||
dns_view_setrootdelonly(view, false);
|
||||
}
|
||||
|
||||
/*
|
||||
* Load DynDB modules.
|
||||
*/
|
||||
|
|
@ -6500,7 +6477,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
|
|||
const cfg_obj_t *forwarders = NULL;
|
||||
const cfg_obj_t *forwardtype = NULL;
|
||||
const cfg_obj_t *ixfrfromdiffs = NULL;
|
||||
const cfg_obj_t *only = NULL;
|
||||
const cfg_obj_t *viewobj = NULL;
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
isc_result_t tresult;
|
||||
|
|
@ -6629,17 +6605,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
|
|||
const char *hintsfile = cfg_obj_asstring(fileobj);
|
||||
|
||||
CHECK(configure_hints(view, hintsfile));
|
||||
|
||||
/*
|
||||
* Hint zones may also refer to delegation only points.
|
||||
*/
|
||||
only = NULL;
|
||||
tresult = cfg_map_get(zoptions, "delegation-only",
|
||||
&only);
|
||||
if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
|
||||
{
|
||||
dns_view_adddelegationonly(view, origin);
|
||||
}
|
||||
} else {
|
||||
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
|
||||
|
|
@ -6663,23 +6628,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
|
|||
(void)cfg_map_get(zoptions, "forwarders", &forwarders);
|
||||
CHECK(configure_forward(config, view, origin, forwarders,
|
||||
forwardtype));
|
||||
|
||||
/*
|
||||
* Forward zones may also set delegation only.
|
||||
*/
|
||||
only = NULL;
|
||||
tresult = cfg_map_get(zoptions, "delegation-only", &only);
|
||||
if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) {
|
||||
dns_view_adddelegationonly(view, origin);
|
||||
}
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* "delegation-only zones" aren't zones either.
|
||||
*/
|
||||
if (strcasecmp(ztypestr, "delegation-only") == 0) {
|
||||
dns_view_adddelegationonly(view, origin);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
|
@ -6841,16 +6789,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
|
|||
forwardtype));
|
||||
}
|
||||
|
||||
/*
|
||||
* Stub and forward zones may also refer to delegation only points.
|
||||
*/
|
||||
only = NULL;
|
||||
if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) {
|
||||
if (cfg_obj_asboolean(only)) {
|
||||
dns_view_adddelegationonly(view, origin);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Mark whether the zone was originally added at runtime or not
|
||||
*/
|
||||
|
|
@ -8428,7 +8366,7 @@ load_configuration(const char *filename, named_server_t *server,
|
|||
* checked later when the modules are actually loaded and
|
||||
* registered.)
|
||||
*/
|
||||
result = isccfg_check_namedconf(config, false, false, named_g_lctx,
|
||||
result = isccfg_check_namedconf(config, false, named_g_lctx,
|
||||
named_g_mctx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_config;
|
||||
|
|
@ -13337,8 +13275,7 @@ newzone_parse(named_server_t *server, char *command, dns_view_t **viewp,
|
|||
}
|
||||
|
||||
if (strcasecmp(cfg_obj_asstring(obj), "hint") == 0 ||
|
||||
strcasecmp(cfg_obj_asstring(obj), "forward") == 0 ||
|
||||
strcasecmp(cfg_obj_asstring(obj), "delegation-only") == 0)
|
||||
strcasecmp(cfg_obj_asstring(obj), "forward") == 0)
|
||||
{
|
||||
(void)putstr(text, "'");
|
||||
(void)putstr(text, cfg_obj_asstring(obj));
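Review bot: In the `configure_zone` hunks the `only` local is removed but `tresult`, declared on the next line of the first hunk, is kept, although both of its visible uses were in the removed `cfg_map_get(zoptions, "delegation-only", ...)` blocks; if no other use survives in the function, which extends well beyond these hunks, it will warn as set-but-unused. Separately, since the grammar entries for `delegation-only` and `root-delegation-only` are removed elsewhere in this commit, a named.conf that still carries either statement will now fail to parse at startup instead of logging the previous deprecation warning; that behaviour change deserves a sentence in the release notes, e.g. `named now rejects configurations that still contain the removed delegation-only statements`. The `newzone_parse` hunk looks right: the comparison against `"delegation-only"` is unreachable once the parser no longer knows the type.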
|
||||
@ -469,14 +469,6 @@ n=`expr $n + 1`
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "check that zone type 'delegation-only' is properly rejected ($n)"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1
|
||||
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "check that 'in-view' zones are properly rejected ($n)"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
|
||||
@ -23,8 +23,6 @@ options {
|
|||
use-v6-udp-ports { range 1024 65535; };
|
||||
avoid-v4-udp-ports { range 1 1023; };
|
||||
avoid-v6-udp-ports { range 1 1023; };
|
||||
|
||||
root-delegation-only exclude { "them"; };
|
||||
};
|
||||
|
||||
trusted-keys {
|
||||
|
|
@ -54,13 +52,3 @@ zone example.com {
|
|||
file "maxttl-bad.db";
|
||||
max-zone-ttl 120;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "shared.example.db";
|
||||
delegation-only yes;
|
||||
};
|
||||
|
||||
zone com {
|
||||
type delegation-only;
|
||||
};
|
||||
@ -169,9 +169,6 @@ grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null |
|
|||
grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@ -23,8 +23,6 @@ options {
|
|||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
dnssec-validation no;
|
||||
/* test that named loads with root-delegation-only */
|
||||
root-delegation-only;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
@ -20,8 +20,6 @@ $TTL 300
|
|||
. NS a.root-servers.nil.
|
||||
a.root-servers.nil. A 10.53.0.4
|
||||
all-cnames NS cname.tld
|
||||
delegation-only. NS ns.delegation-only.
|
||||
ns.delegation-only. A 10.53.0.6
|
||||
example.net. NS ns.example.net.
|
||||
ns.example.net. A 10.53.0.6
|
||||
no-questions. NS ns.no-questions.
|
||||
@ -46,10 +46,6 @@ zone "child.server" {
|
|||
file "child.server.db";
|
||||
};
|
||||
|
||||
zone "delegation-only" {
|
||||
type delegation-only;
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm @DEFAULT_HMAC@;
|
||||
@ -25,11 +25,6 @@ options {
|
|||
dnssec-validation no;
|
||||
querylog yes;
|
||||
statistics-file "named.stats";
|
||||
/*
|
||||
* test that named loads with root-delegation-only that
|
||||
* has a exclude list.
|
||||
*/
|
||||
root-delegation-only exclude { "a"; };
|
||||
max-udp-size 4096;
|
||||
};
|
||||
|
||||
|
|
@ -77,11 +72,6 @@ zone "no-edns-version.tld" {
|
|||
file "no-edns-version.tld.db";
|
||||
};
|
||||
|
||||
zone "delegation-only" {
|
||||
type primary;
|
||||
file "delegation-only.db";
|
||||
};
|
||||
|
||||
zone "fetch.tld" {
|
||||
type primary;
|
||||
file "fetch.tld.db";
|
||||
@ -546,102 +546,6 @@ grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that SOA query returns data for delegation-only apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
n=$((n+1))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that NS query returns data for delegation-only apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that A query returns data for delegation-only A apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that CDS query returns data for delegation-only apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
n=$((n+1))
|
||||
|
||||
echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
|
||||
ret=0
|
||||
dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
|
||||
ret=0
|
||||
dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
|
||||
ret=0
|
||||
dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
|
||||
ret=0
|
||||
dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
n=$((n+1))
|
||||
|
||||
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
|
||||
ret=0
|
||||
dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
|
||||
ret=0
|
||||
@ -68,7 +68,6 @@ EXTRA_DIST = \
|
|||
../dnssec-guide \
|
||||
../misc/options \
|
||||
../misc/rndc.grammar \
|
||||
../misc/delegation-only.zoneopt \
|
||||
../misc/forward.zoneopt \
|
||||
../misc/hint.zoneopt \
|
||||
../misc/in-view.zoneopt \
|
||||
@ -24,9 +24,6 @@
|
|||
``default``
|
||||
Logging options for those categories where no specific configuration has been defined.
|
||||
|
||||
``delegation-only``
|
||||
Queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a :any:`delegation-only` in a forward, hint, or stub zone declaration.
|
||||
|
||||
``dispatch``
|
||||
Dispatching of incoming packets to the server modules where they are to be processed.
|
||||
|
||||
@ -1598,46 +1598,6 @@ default is used.
|
|||
is to prefer A records when responding to queries that arrived via
|
||||
IPv4 and AAAA when responding to queries that arrived via IPv6.
|
||||
|
||||
.. namedconf:statement:: root-delegation-only
|
||||
:tags: deprecated
|
||||
:short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list.
|
||||
|
||||
This turns on enforcement of delegation-only in top-level domains (TLDs)
|
||||
and root zones with an
|
||||
optional exclude list.
|
||||
|
||||
DS queries are expected to be made to and be answered by delegation-only
|
||||
zones. Such queries and responses are treated as an exception to
|
||||
delegation-only processing and are not converted to NXDOMAIN
|
||||
responses, provided a CNAME is not discovered at the query name.
|
||||
|
||||
If a delegation-only zone server also serves a child zone, it is not
|
||||
always possible to determine whether an answer comes from the
|
||||
delegation-only zone or the child zone. SOA NS and DNSKEY records are
|
||||
apex-only records and a matching response that contains these records
|
||||
or DS is treated as coming from a child zone. RRSIG records are also
|
||||
examined to see whether they are signed by a child zone, and the
|
||||
authority section is examined to see if there is evidence that
|
||||
the answer is from the child zone. Answers that are determined to be
|
||||
from a child zone are not converted to NXDOMAIN responses. Despite
|
||||
all these checks, there is still a possibility of false negatives when
|
||||
a child zone is being served.
|
||||
|
||||
Similarly, false positives can arise from empty nodes (no records at
|
||||
the name) in the delegation-only zone when the query type is not ``ANY``.
|
||||
|
||||
Note that some TLDs are not delegation-only; e.g., "DE", "LV", "US", and
|
||||
"MUSEUM". This list is not exhaustive.
|
||||
|
||||
::
|
||||
|
||||
options {
|
||||
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
|
||||
};
|
||||
|
||||
This option is deprecated, and will be rendered non-operational in a
|
||||
future release.
|
||||
|
||||
.. namedconf:statement:: disable-algorithms
|
||||
:tags: dnssec
|
||||
:short: Disables DNSSEC algorithms from a specified zone.
|
||||
|
|
@ -6646,8 +6606,7 @@ Zone Types
|
|||
:any:`primary <type primary>` (or ``master``), :any:`secondary <type
|
||||
secondary>` (or ``slave``), :any:`mirror <type mirror>`, :any:`hint <type
|
||||
hint>`, :any:`stub <type stub>`, :any:`static-stub <type static-stub>`,
|
||||
:any:`forward <type forward>`, :any:`redirect <type redirect>`, or
|
||||
:any:`delegation-only <type delegation-only>`.
|
||||
:any:`forward <type forward>`, or :any:`redirect <type redirect>`.
|
||||
|
||||
.. namedconf:statement:: type primary
|
||||
:tags: zone
|
||||
|
|
@ -6872,23 +6831,6 @@ Zone Types
|
|||
When using :option:`rndc reload` without specifying a zone name, redirect
|
||||
zones are reloaded along with other zones.
|
||||
|
||||
.. namedconf:statement:: type delegation-only
|
||||
:tags: deprecated
|
||||
:short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.).
|
||||
|
||||
This zone type is used to enforce the delegation-only status of
|
||||
infrastructure zones (e.g., COM, NET, ORG). Any answer that is received
|
||||
without an explicit or implicit delegation in the authority section is
|
||||
treated as NXDOMAIN. This does not apply to the zone apex, and should
|
||||
not be applied to leaf zones.
|
||||
|
||||
:any:`delegation-only` has no effect on answers received from forwarders.
|
||||
|
||||
See caveats in :any:`root-delegation-only`.
|
||||
|
||||
This zone type is deprecated, and will be rendered non-operational in a
|
||||
future release.
|
||||
|
||||
.. namedconf:statement:: in-view
|
||||
:tags: view, zone
|
||||
:short: Specifies the view in which a given zone is defined.
|
||||
|
|
@ -7016,19 +6958,6 @@ Zone Options
|
|||
:any:`dialup`
|
||||
See the description of :any:`dialup` in :ref:`boolean_options`.
|
||||
|
||||
.. namedconf:statement:: delegation-only
|
||||
:tags: deprecated
|
||||
:short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone.
|
||||
|
||||
This flag only applies to forward, hint, and stub zones. If set to
|
||||
``yes``, then the zone is treated as if it is also a
|
||||
delegation-only type zone.
|
||||
|
||||
See caveats in :any:`root-delegation-only`.
|
||||
|
||||
This option is deprecated, and will be rendered non-operational in a
|
||||
future release.
|
||||
|
||||
.. namedconf:statement:: file
|
||||
:tags: zone
|
||||
:short: Specifies the zone's filename.
|
||||
@ -12,7 +12,6 @@ OPTIONS_FILES = \
|
|||
stub.zoneopt \
|
||||
static-stub.zoneopt \
|
||||
redirect.zoneopt \
|
||||
delegation-only.zoneopt \
|
||||
in-view.zoneopt
|
||||
|
||||
EXTRA_DIST = \
|
||||
|
|
@ -71,9 +70,6 @@ static-stub.zoneopt: cfg_test
|
|||
redirect.zoneopt: cfg_test
|
||||
$(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar redirect > $@
|
||||
|
||||
delegation-only.zoneopt: cfg_test
|
||||
$(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar delegation-only > $@
|
||||
|
||||
in-view.zoneopt: cfg_test
|
||||
$(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar in-view > $@
|
||||
|
||||
@ -128,8 +128,6 @@ main(int argc, char **argv) {
|
|||
zonetype = CFG_ZONE_FORWARD;
|
||||
} else if (strcmp(argv[1], "redirect") == 0) {
|
||||
zonetype = CFG_ZONE_REDIRECT;
|
||||
} else if (strcmp(argv[1], "delegation-only") == 0) {
|
||||
zonetype = CFG_ZONE_DELEGATION;
|
||||
} else if (strcmp(argv[1], "in-view") == 0) {
|
||||
zonetype = CFG_ZONE_INVIEW;
|
||||
} else {
|
||||
@ -1,3 +0,0 @@
|
|||
zone <string> [ <class> ] {
|
||||
type delegation-only;
|
||||
};
|
||||
@ -1,6 +1,5 @@
|
|||
zone <string> [ <class> ] {
|
||||
type forward;
|
||||
delegation-only <boolean>; // deprecated
|
||||
forward ( first | only );
|
||||
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
|
||||
};
|
||||
@ -1,6 +1,5 @@
|
|||
zone <string> [ <class> ] {
|
||||
type hint;
|
||||
check-names ( fail | warn | ignore );
|
||||
delegation-only <boolean>; // deprecated
|
||||
file <quoted_string>;
|
||||
};
|
||||
@ -250,7 +250,6 @@ options {
|
|||
response-padding { <address_match_element>; ... } block-size <integer>;
|
||||
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
|
||||
reuseport <boolean>;
|
||||
root-delegation-only [ exclude { <string>; ... } ]; // deprecated
|
||||
root-key-sentinel <boolean>;
|
||||
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
|
||||
secroots-file <quoted_string>;
|
||||
|
|
@ -524,7 +523,6 @@ view <string> [ <class> ] {
|
|||
resolver-retry-interval <integer>;
|
||||
response-padding { <address_match_element>; ... } block-size <integer>;
|
||||
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
|
||||
root-delegation-only [ exclude { <string>; ... } ]; // deprecated
|
||||
root-key-sentinel <boolean>;
|
||||
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
|
||||
send-cookie <boolean>;
|
||||
@ -4,7 +4,6 @@ zone <string> [ <class> ] {
|
|||
allow-query-on { <address_match_element>; ... };
|
||||
check-names ( fail | warn | ignore );
|
||||
database <string>;
|
||||
delegation-only <boolean>; // deprecated
|
||||
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||
file <quoted_string>;
|
||||
forward ( first | only );
|
||||
@ -27,22 +27,22 @@ extern isc_logmodule_t dns_modules[];
|
|||
#define DNS_LOGCATEGORY_DATABASE (&dns_categories[1])
|
||||
#define DNS_LOGCATEGORY_SECURITY (&dns_categories[2])
|
||||
/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
|
||||
#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
|
||||
#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
|
||||
#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
|
||||
#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
|
||||
#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
|
||||
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
|
||||
#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
|
||||
#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
|
||||
#define DNS_LOGCATEGORY_RPZ (&dns_categories[12])
|
||||
#define DNS_LOGCATEGORY_RRL (&dns_categories[13])
|
||||
#define DNS_LOGCATEGORY_CNAME (&dns_categories[14])
|
||||
#define DNS_LOGCATEGORY_SPILL (&dns_categories[15])
|
||||
#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[16])
|
||||
#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[17])
|
||||
#define DNS_LOGCATEGORY_NSID (&dns_categories[18])
|
||||
#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[19])
|
||||
#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
|
||||
#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
|
||||
#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
|
||||
#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
|
||||
#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
|
||||
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
|
||||
/* #define DNS_LOGCATEGORY_DELEGATION_ONLY removed */
|
||||
#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[10])
|
||||
#define DNS_LOGCATEGORY_RPZ (&dns_categories[11])
|
||||
#define DNS_LOGCATEGORY_RRL (&dns_categories[12])
|
||||
#define DNS_LOGCATEGORY_CNAME (&dns_categories[13])
|
||||
#define DNS_LOGCATEGORY_SPILL (&dns_categories[14])
|
||||
#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[15])
|
||||
#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[16])
|
||||
#define DNS_LOGCATEGORY_NSID (&dns_categories[17])
|
||||
#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[18])
|
||||
|
||||
/* Backwards compatibility. */
|
||||
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
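Review bot: Removing `DNS_LOGCATEGORY_DELEGATION_ONLY` renumbers every category macro from `EDNS_DISABLED` onward, which is the opposite of how the superseded CONFIG category was handled a few lines above: that one kept a `_placeholder` slot at index 3 so the later indices stayed put. Following the same convention here (a `{ "_placeholder", 0 }` entry at index 10 in `dns_categories[]` and the existing indices in this header) would confine the change to one line per file and avoid silently shifting the index of every later category for any out-of-tree code that indexes `dns_categories` directly; if the indices are not considered public, the placeholder at index 3 could be retired too so the header follows one rule. The matching table change is in the `dns_categories[]` hunk below.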
|
||||
@ -162,9 +162,6 @@ struct dns_view {
|
|||
dns_aclenv_t *aclenv;
|
||||
dns_rdatatype_t preferred_glue;
|
||||
bool flush;
|
||||
dns_namelist_t *delonly;
|
||||
bool rootdelonly;
|
||||
dns_namelist_t *rootexclude;
|
||||
bool checknames;
|
||||
uint16_t maxudp;
|
||||
dns_ttl_t staleanswerttl;
|
||||
|
|
@ -922,68 +919,6 @@ dns_view_flushname(dns_view_t *view, const dns_name_t *name);
|
|||
* other returns are failures.
|
||||
*/
|
||||
|
||||
void
|
||||
dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name);
|
||||
/*%<
|
||||
* Add the given name to the delegation only table.
|
||||
*
|
||||
* Requires:
|
||||
*\li 'view' is valid.
|
||||
*\li 'name' is valid.
|
||||
*
|
||||
* Returns:
|
||||
*\li #ISC_R_SUCCESS
|
||||
*\li #ISC_R_NOMEMORY
|
||||
*/
|
||||
|
||||
void
|
||||
dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name);
|
||||
/*%<
|
||||
* Add the given name to be excluded from the root-delegation-only.
|
||||
*
|
||||
*
|
||||
* Requires:
|
||||
*\li 'view' is valid.
|
||||
*\li 'name' is valid.
|
||||
*
|
||||
* Returns:
|
||||
*\li #ISC_R_SUCCESS
|
||||
*\li #ISC_R_NOMEMORY
|
||||
*/
|
||||
|
||||
bool
|
||||
dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name);
|
||||
/*%<
|
||||
* Check if 'name' is in the delegation only table or if
|
||||
* rootdelonly is set that name is not being excluded.
|
||||
*
|
||||
* Requires:
|
||||
*\li 'view' is valid.
|
||||
*\li 'name' is valid.
|
||||
*
|
||||
* Returns:
|
||||
*\li #true if the name is the table.
|
||||
*\li #false otherwise.
|
||||
*/
|
||||
|
||||
void
|
||||
dns_view_setrootdelonly(dns_view_t *view, bool value);
|
||||
/*%<
|
||||
* Set the root delegation only flag.
|
||||
*
|
||||
* Requires:
|
||||
*\li 'view' is valid.
|
||||
*/
|
||||
|
||||
bool
|
||||
dns_view_getrootdelonly(dns_view_t *view);
|
||||
/*%<
|
||||
* Get the root delegation only flag.
|
||||
*
|
||||
* Requires:
|
||||
*\li 'view' is valid.
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
dns_view_freezezones(dns_view_t *view, bool freeze);
|
||||
/*%<
|
||||
@ -22,13 +22,16 @@
|
|||
* \#define to <dns/log.h>.
|
||||
*/
|
||||
isc_logcategory_t dns_categories[] = {
|
||||
{ "notify", 0 }, { "database", 0 }, { "security", 0 },
|
||||
{ "_placeholder", 0 }, { "dnssec", 0 }, { "resolver", 0 },
|
||||
{ "xfer-in", 0 }, { "xfer-out", 0 }, { "dispatch", 0 },
|
||||
{ "lame-servers", 0 }, { "delegation-only", 0 }, { "edns-disabled", 0 },
|
||||
{ "rpz", 0 }, { "rate-limit", 0 }, { "cname", 0 },
|
||||
{ "spill", 0 }, { "dnstap", 0 }, { "zoneload", 0 },
|
||||
{ "nsid", 0 }, { "rpz-passthru", 0 }, { NULL, 0 }
|
||||
{ "notify", 0 }, { "database", 0 },
|
||||
{ "security", 0 }, { "_placeholder", 0 },
|
||||
{ "dnssec", 0 }, { "resolver", 0 },
|
||||
{ "xfer-in", 0 }, { "xfer-out", 0 },
|
||||
{ "dispatch", 0 }, { "lame-servers", 0 },
|
||||
{ "edns-disabled", 0 }, { "rpz", 0 },
|
||||
{ "rate-limit", 0 }, { "cname", 0 },
|
||||
{ "spill", 0 }, { "dnstap", 0 },
|
||||
{ "zoneload", 0 }, { "nsid", 0 },
|
||||
{ "rpz-passthru", 0 }, { NULL, 0 }
|
||||
};
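Review bot: The whole `dns_categories[]` initializer is reflowed from three entries per line to two, so every line of the table changes for what is a single-entry removal and `git blame` loses the history of the other entries. Unless clang-format forces this layout, keeping the previous packing and deleting only `{ "delegation-only", 0 }` limits the hunk to the line that actually changed. The entry order must keep matching the index macros in `<dns/log.h>`, as the comment above the table says; the new side does, with `edns-disabled` now at element 10.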
|
||||
|
||||
/*%
|
||||
@ -728,7 +728,6 @@ release_fctx(fetchctx_t *fctx);
|
|||
* - Check the parsed response for an OPT record and handle
|
||||
* EDNS (rctx_opt(), rctx_edns()).
|
||||
* - Check for a bad or lame server (rctx_badserver(), rctx_lameserver()).
|
||||
* - Handle delegation-only zones (rctx_delonly_zone()).
|
||||
* - If RCODE and ANCOUNT suggest this is a positive answer, and
|
||||
* if so, call rctx_answer(): go to step 2.
|
||||
* - If RCODE and NSCOUNT suggest this is a negative answer or a
|
||||
|
|
@ -928,9 +927,6 @@ rctx_dispfail(respctx_t *rctx);
|
|||
static isc_result_t
|
||||
rctx_timedout(respctx_t *rctx);
|
||||
|
||||
static void
|
||||
rctx_delonly_zone(respctx_t *rctx);
|
||||
|
||||
static void
|
||||
rctx_ncache(respctx_t *rctx);
|
||||
|
||||
|
|
@ -992,208 +988,6 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
|
|||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static bool
|
||||
rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
|
||||
dns_namereln_t namereln;
|
||||
dns_rdata_rrsig_t rrsig;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
int order;
|
||||
isc_result_t result;
|
||||
unsigned int labels;
|
||||
|
||||
for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
|
||||
result = dns_rdataset_next(rdataset))
|
||||
{
|
||||
dns_rdataset_current(rdataset, &rdata);
|
||||
result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
namereln = dns_name_fullcompare(&rrsig.signer, fctx->domain,
|
||||
&order, &labels);
|
||||
if (namereln == dns_namereln_subdomain) {
|
||||
return (true);
|
||||
}
|
||||
dns_rdata_reset(&rdata);
|
||||
}
|
||||
return (false);
|
||||
}
|
||||
|
||||
static bool
|
||||
fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
|
||||
dns_name_t *name;
|
||||
dns_name_t *domain = fctx->domain;
|
||||
dns_rdataset_t *rdataset;
|
||||
dns_rdatatype_t type;
|
||||
isc_result_t result;
|
||||
bool keep_auth = false;
|
||||
|
||||
if (message->rcode == dns_rcode_nxdomain) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
/*
|
||||
* A DS RRset can appear anywhere in a zone, even for a delegation-only
|
||||
* zone. So a response to an explicit query for this type should be
|
||||
* excluded from delegation-only fixup.
|
||||
*
|
||||
* SOA, NS, and DNSKEY can only exist at a zone apex, so a positive
|
||||
* response to a query for these types can never violate the
|
||||
* delegation-only assumption: if the query name is below a
|
||||
* zone cut, the response should normally be a referral, which should
|
||||
* be accepted; if the query name is below a zone cut but the server
|
||||
* happens to have authority for the zone of the query name, the
|
||||
* response is a (non-referral) answer. But this does not violate
|
||||
* delegation-only because the query name must be in a different zone
|
||||
* due to the "apex-only" nature of these types. Note that if the
|
||||
* remote server happens to have authority for a child zone of a
|
||||
* delegation-only zone, we may still incorrectly "fix" the response
|
||||
* with NXDOMAIN for queries for other types. Unfortunately it's
|
||||
* generally impossible to differentiate this case from violation of
|
||||
* the delegation-only assumption. Once the resolver learns the
|
||||
* correct zone cut, possibly via a separate query for an "apex-only"
|
||||
* type, queries for other types will be resolved correctly.
|
||||
*
|
||||
* A query for type ANY will be accepted if it hits an exceptional
|
||||
* type above in the answer section as it should be from a child
|
||||
* zone.
|
||||
*
|
||||
* Also accept answers with RRSIG records from the child zone.
|
||||
* Direct queries for RRSIG records should not be answered from
|
||||
* the parent zone.
|
||||
*/
|
||||
|
||||
if (message->counts[DNS_SECTION_ANSWER] != 0 &&
|
||||
(fctx->type == dns_rdatatype_ns || fctx->type == dns_rdatatype_ds ||
|
||||
fctx->type == dns_rdatatype_soa ||
|
||||
fctx->type == dns_rdatatype_any ||
|
||||
fctx->type == dns_rdatatype_rrsig ||
|
||||
fctx->type == dns_rdatatype_dnskey))
|
||||
{
|
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
|
||||
while (result == ISC_R_SUCCESS) {
|
||||
name = NULL;
|
||||
dns_message_currentname(message, DNS_SECTION_ANSWER,
|
||||
&name);
|
||||
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||
rdataset != NULL;
|
||||
rdataset = ISC_LIST_NEXT(rdataset, link))
|
||||
{
|
||||
if (!dns_name_equal(name, fctx->name)) {
|
||||
continue;
|
||||
}
|
||||
type = rdataset->type;
|
||||
/*
|
||||
* RRsig from child?
|
||||
*/
|
||||
if (type == dns_rdatatype_rrsig &&
|
||||
rrsig_fromchildzone(fctx, rdataset))
|
||||
{
|
||||
return (false);
|
||||
}
|
||||
/*
|
||||
* Direct query for apex records or DS.
|
||||
*/
|
||||
if (fctx->type == type &&
|
||||
(type == dns_rdatatype_ds ||
|
||||
type == dns_rdatatype_ns ||
|
||||
type == dns_rdatatype_soa ||
|
||||
type == dns_rdatatype_dnskey))
|
||||
{
|
||||
return (false);
|
||||
}
|
||||
/*
|
||||
* Indirect query for apex records or DS.
|
||||
*/
|
||||
if (fctx->type == dns_rdatatype_any &&
|
||||
(type == dns_rdatatype_ns ||
|
||||
type == dns_rdatatype_ds ||
|
||||
type == dns_rdatatype_soa ||
|
||||
type == dns_rdatatype_dnskey))
|
||||
{
|
||||
return (false);
|
||||
}
|
||||
}
|
||||
result = dns_message_nextname(message,
|
||||
DNS_SECTION_ANSWER);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* A NODATA response to a DS query?
|
||||
*/
|
||||
if (fctx->type == dns_rdatatype_ds &&
|
||||
message->counts[DNS_SECTION_ANSWER] == 0)
|
||||
{
|
||||
return (false);
|
||||
}
|
||||
|
||||
/* Look for referral or indication of answer from child zone? */
|
||||
if (message->counts[DNS_SECTION_AUTHORITY] == 0) {
|
||||
goto munge;
|
||||
}
|
||||
|
||||
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
||||
while (result == ISC_R_SUCCESS) {
|
||||
name = NULL;
|
||||
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
||||
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
|
||||
rdataset = ISC_LIST_NEXT(rdataset, link))
|
||||
{
|
||||
type = rdataset->type;
|
||||
if (type == dns_rdatatype_soa &&
|
||||
dns_name_equal(name, domain))
|
||||
{
|
||||
keep_auth = true;
|
||||
}
|
||||
|
||||
if (type != dns_rdatatype_ns &&
|
||||
type != dns_rdatatype_soa &&
|
||||
type != dns_rdatatype_rrsig)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if (type == dns_rdatatype_rrsig) {
|
||||
if (rrsig_fromchildzone(fctx, rdataset)) {
|
||||
return (false);
|
||||
} else {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* NS or SOA records. */
|
||||
if (dns_name_equal(name, domain)) {
|
||||
/*
|
||||
* If a query for ANY causes a negative
|
||||
* response, we can be sure that this is
|
||||
* an empty node. For other type of queries
|
||||
* we cannot differentiate an empty node
|
||||
* from a node that just doesn't have that
|
||||
* type of record. We only accept the former
|
||||
* case.
|
||||
*/
|
||||
if (message->counts[DNS_SECTION_ANSWER] == 0 &&
|
||||
fctx->type == dns_rdatatype_any)
|
||||
{
|
||||
return (false);
|
||||
}
|
||||
} else if (dns_name_issubdomain(name, domain)) {
|
||||
/* Referral or answer from child zone. */
|
||||
return (false);
|
||||
}
|
||||
}
|
||||
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
|
||||
}
|
||||
|
||||
munge:
|
||||
message->rcode = dns_rcode_nxdomain;
|
||||
message->counts[DNS_SECTION_ANSWER] = 0;
|
||||
if (!keep_auth) {
|
||||
message->counts[DNS_SECTION_AUTHORITY] = 0;
|
||||
}
|
||||
message->counts[DNS_SECTION_ADDITIONAL] = 0;
|
||||
return (true);
|
||||
}
|
||||
|
||||
static void
|
||||
resquery_destroy(resquery_t *query) {
|
||||
fetchctx_t *fctx = query->fctx;
|
||||
|
|
@ -7799,11 +7593,6 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
|
|||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Handle delegation-only zones like NET or COM.
|
||||
*/
|
||||
rctx_delonly_zone(&rctx);
|
||||
|
||||
/*
|
||||
* Optionally call dns_rdata_checkowner() and
|
||||
* dns_rdata_checknames() to validate the names in the response
|
||||
|
|
@ -9996,40 +9785,6 @@ rctx_lameserver(respctx_t *rctx) {
|
|||
return (ISC_R_COMPLETE);
|
||||
}
|
||||
|
||||
/*
|
||||
* rctx_delonly_zone():
|
||||
* Handle delegation-only zones like NET and COM.
|
||||
*/
|
||||
static void
|
||||
rctx_delonly_zone(respctx_t *rctx) {
|
||||
fetchctx_t *fctx = rctx->fctx;
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
char domainbuf[DNS_NAME_FORMATSIZE];
|
||||
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
|
||||
char classbuf[64];
|
||||
char typebuf[64];
|
||||
|
||||
if (ISFORWARDER(rctx->query->addrinfo) ||
|
||||
!dns_view_isdelegationonly(fctx->res->view, fctx->domain) ||
|
||||
dns_name_equal(fctx->domain, fctx->name) ||
|
||||
!fix_mustbedelegationornxdomain(rctx->query->rmessage, fctx))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
dns_name_format(fctx->name, namebuf, sizeof(namebuf));
|
||||
dns_name_format(fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
|
||||
dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
|
||||
isc_sockaddr_format(&rctx->query->addrinfo->sockaddr, addrbuf,
|
||||
sizeof(addrbuf));
|
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
|
||||
DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
|
||||
"enforced delegation-only for '%s' (%s/%s/%s) from %s",
|
||||
domainbuf, namebuf, typebuf, classbuf, addrbuf);
|
||||
}
|
||||
|
||||
/***
|
||||
*** Resolver Methods
|
||||
***/
|
||||
|
|
|
|||
144
lib/dns/view.c
144
lib/dns/view.c
|
|
@ -384,41 +384,6 @@ destroy(dns_view_t *view) {
|
|||
if (view->sfd != NULL) {
|
||||
dns_rbt_destroy(&view->sfd);
|
||||
}
|
||||
if (view->delonly != NULL) {
|
||||
dns_name_t *name;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
|
||||
name = ISC_LIST_HEAD(view->delonly[i]);
|
||||
while (name != NULL) {
|
||||
ISC_LIST_UNLINK(view->delonly[i], name, link);
|
||||
dns_name_free(name, view->mctx);
|
||||
isc_mem_put(view->mctx, name, sizeof(*name));
|
||||
name = ISC_LIST_HEAD(view->delonly[i]);
|
||||
}
|
||||
}
|
||||
isc_mem_put(view->mctx, view->delonly,
|
||||
sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
|
||||
view->delonly = NULL;
|
||||
}
|
||||
if (view->rootexclude != NULL) {
|
||||
dns_name_t *name;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
|
||||
name = ISC_LIST_HEAD(view->rootexclude[i]);
|
||||
while (name != NULL) {
|
||||
ISC_LIST_UNLINK(view->rootexclude[i], name,
|
||||
link);
|
||||
dns_name_free(name, view->mctx);
|
||||
isc_mem_put(view->mctx, name, sizeof(*name));
|
||||
name = ISC_LIST_HEAD(view->rootexclude[i]);
|
||||
}
|
||||
}
|
||||
isc_mem_put(view->mctx, view->rootexclude,
|
||||
sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
|
||||
view->rootexclude = NULL;
|
||||
}
|
||||
if (view->secroots_priv != NULL) {
|
||||
dns_keytable_detach(&view->secroots_priv);
|
||||
}
|
||||
|
|
@ -1572,115 +1537,6 @@ dns_view_flushnode(dns_view_t *view, const dns_name_t *name, bool tree) {
|
|||
return (result);
|
||||
}
|
||||
|
||||
void
|
||||
dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name) {
|
||||
dns_name_t *item;
|
||||
unsigned int hash;
|
||||
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
|
||||
if (view->delonly == NULL) {
|
||||
view->delonly = isc_mem_get(view->mctx,
|
||||
sizeof(dns_namelist_t) *
|
||||
DNS_VIEW_DELONLYHASH);
|
||||
for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
|
||||
ISC_LIST_INIT(view->delonly[hash]);
|
||||
}
|
||||
}
|
||||
hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
|
||||
item = ISC_LIST_HEAD(view->delonly[hash]);
|
||||
while (item != NULL && !dns_name_equal(item, name)) {
|
||||
item = ISC_LIST_NEXT(item, link);
|
||||
}
|
||||
if (item != NULL) {
|
||||
return;
|
||||
}
|
||||
item = isc_mem_get(view->mctx, sizeof(*item));
|
||||
dns_name_init(item, NULL);
|
||||
dns_name_dup(name, view->mctx, item);
|
||||
ISC_LIST_APPEND(view->delonly[hash], item, link);
|
||||
}
|
||||
|
||||
void
|
||||
dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name) {
|
||||
dns_name_t *item;
|
||||
unsigned int hash;
|
||||
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
|
||||
if (view->rootexclude == NULL) {
|
||||
view->rootexclude = isc_mem_get(view->mctx,
|
||||
sizeof(dns_namelist_t) *
|
||||
DNS_VIEW_DELONLYHASH);
|
||||
for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
|
||||
ISC_LIST_INIT(view->rootexclude[hash]);
|
||||
}
|
||||
}
|
||||
hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
|
||||
item = ISC_LIST_HEAD(view->rootexclude[hash]);
|
||||
while (item != NULL && !dns_name_equal(item, name)) {
|
||||
item = ISC_LIST_NEXT(item, link);
|
||||
}
|
||||
if (item != NULL) {
|
||||
return;
|
||||
}
|
||||
item = isc_mem_get(view->mctx, sizeof(*item));
|
||||
dns_name_init(item, NULL);
|
||||
dns_name_dup(name, view->mctx, item);
|
||||
ISC_LIST_APPEND(view->rootexclude[hash], item, link);
|
||||
}
|
||||
|
||||
bool
|
||||
dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name) {
|
||||
dns_name_t *item;
|
||||
unsigned int hash;
|
||||
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
|
||||
if (!view->rootdelonly && view->delonly == NULL) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
|
||||
if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
|
||||
if (view->rootexclude == NULL) {
|
||||
return (true);
|
||||
}
|
||||
item = ISC_LIST_HEAD(view->rootexclude[hash]);
|
||||
while (item != NULL && !dns_name_equal(item, name)) {
|
||||
item = ISC_LIST_NEXT(item, link);
|
||||
}
|
||||
if (item == NULL) {
|
||||
return (true);
|
||||
}
|
||||
}
|
||||
|
||||
if (view->delonly == NULL) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
item = ISC_LIST_HEAD(view->delonly[hash]);
|
||||
while (item != NULL && !dns_name_equal(item, name)) {
|
||||
item = ISC_LIST_NEXT(item, link);
|
||||
}
|
||||
if (item == NULL) {
|
||||
return (false);
|
||||
}
|
||||
return (true);
|
||||
}
|
||||
|
||||
void
|
||||
dns_view_setrootdelonly(dns_view_t *view, bool value) {
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
view->rootdelonly = value;
|
||||
}
|
||||
|
||||
bool
|
||||
dns_view_getrootdelonly(dns_view_t *view) {
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
return (view->rootdelonly);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_view_freezezones(dns_view_t *view, bool value) {
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
|
|
|
|||
|
|
@ -1468,28 +1468,6 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
|
|||
}
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
(void)cfg_map_get(options, "root-delegation-only", &obj);
|
||||
if (obj != NULL) {
|
||||
if (!cfg_obj_isvoid(obj)) {
|
||||
for (element = cfg_list_first(obj); element != NULL;
|
||||
element = cfg_list_next(element))
|
||||
{
|
||||
const cfg_obj_t *exclude;
|
||||
|
||||
exclude = cfg_listelt_value(element);
|
||||
str = cfg_obj_asstring(exclude);
|
||||
tresult = check_name(str);
|
||||
if (tresult != ISC_R_SUCCESS) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"bad domain name '%s'",
|
||||
str);
|
||||
result = tresult;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Set supported DNSSEC algorithms.
|
||||
*/
|
||||
|
|
@ -2886,8 +2864,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
|||
const cfg_obj_t *config, isc_symtab_t *symtab,
|
||||
isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview,
|
||||
const char *viewname, dns_rdataclass_t defclass,
|
||||
bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx,
|
||||
isc_mem_t *mctx) {
|
||||
cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) {
|
||||
const char *znamestr;
|
||||
const char *typestr = NULL;
|
||||
const char *target = NULL;
|
||||
|
|
@ -2971,13 +2948,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
|||
ztype = CFG_ZONE_FORWARD;
|
||||
} else if (strcasecmp(typestr, "hint") == 0) {
|
||||
ztype = CFG_ZONE_HINT;
|
||||
} else if (strcasecmp(typestr, "delegation-only") == 0) {
|
||||
ztype = CFG_ZONE_DELEGATION;
|
||||
if (!nodeprecate) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
|
||||
"'type delegation-only' is "
|
||||
"deprecated");
|
||||
}
|
||||
} else if (strcasecmp(typestr, "redirect") == 0) {
|
||||
ztype = CFG_ZONE_REDIRECT;
|
||||
} else {
|
||||
|
|
@ -5236,8 +5206,7 @@ static isc_result_t
|
|||
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
||||
const char *viewname, dns_rdataclass_t vclass,
|
||||
isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins,
|
||||
bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx,
|
||||
isc_mem_t *mctx) {
|
||||
isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) {
|
||||
const cfg_obj_t *zones = NULL;
|
||||
const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
|
||||
const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
|
||||
|
|
@ -5295,7 +5264,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
|
||||
tresult = check_zoneconf(zone, voptions, config, symtab, files,
|
||||
keydirs, inview, viewname, vclass,
|
||||
nodeprecate, actx, logctx, mctx);
|
||||
actx, logctx, mctx);
|
||||
if (tresult != ISC_R_SUCCESS) {
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
|
|
@ -5908,7 +5877,7 @@ check_controls(const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
|
|||
|
||||
isc_result_t
|
||||
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
|
||||
bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) {
|
||||
isc_log_t *logctx, isc_mem_t *mctx) {
|
||||
const cfg_obj_t *options = NULL;
|
||||
const cfg_obj_t *views = NULL;
|
||||
const cfg_obj_t *acls = NULL;
|
||||
|
|
@ -5997,8 +5966,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
|
|||
|
||||
if (views == NULL) {
|
||||
tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
|
||||
files, keydirs, check_plugins,
|
||||
nodeprecate, inview, logctx, mctx);
|
||||
files, keydirs, check_plugins, inview,
|
||||
logctx, mctx);
|
||||
if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
|
|
@ -6090,8 +6059,7 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
|
|||
if (tresult == ISC_R_SUCCESS) {
|
||||
tresult = check_viewconf(config, voptions, key, vclass,
|
||||
files, keydirs, check_plugins,
|
||||
nodeprecate, inview, logctx,
|
||||
mctx);
|
||||
inview, logctx, mctx);
|
||||
}
|
||||
if (tresult != ISC_R_SUCCESS) {
|
||||
result = ISC_R_FAILURE;
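Review bot: Removing the `nodeprecate` parameter from `check_zoneconf`, `check_viewconf` and `isccfg_check_namedconf` (the hunks at `@ -2886`, `@ -5236` and `@ -5908` here, plus the public prototype in the check.h section) leaves callers no way to suppress deprecation warnings, even though the only consumer deleted in this file is the `type delegation-only` warning. If named-checkconf still parses a command-line option into a variable that used to feed this parameter, that option is now a silent no-op and should be dropped or its documentation adjusted in the same change. In the `@ -2971` hunk, `ztype = CFG_ZONE_DELEGATION` is no longer assigned, so any later `ztype == CFG_ZONE_DELEGATION` comparison in `check_zoneconf` (the function continues outside the hunk) is presumably unreachable now and should be removed with it.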
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS
|
|||
|
||||
isc_result_t
|
||||
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
|
||||
bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx);
|
||||
isc_log_t *logctx, isc_mem_t *mctx);
|
||||
/*%<
|
||||
* Check the syntactic validity of a configuration parse tree generated from
|
||||
* a named.conf file.
|
||||
|
|
@ -44,8 +44,6 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
|
|||
* If 'check_plugins' is true, load plugins and check the validity of their
|
||||
* parameters as well.
|
||||
*
|
||||
* If 'nodeprecate' is true, do not warn about deprecated configuration.
|
||||
*
|
||||
* Requires:
|
||||
*\li config is a valid parse tree
|
||||
*
|
||||
|
|
|
|||
|
|
@ -826,11 +826,10 @@ static cfg_type_t cfg_type_forwardtype = {
|
|||
cfg_doc_enum, &cfg_rep_string, &forwardtype_enums
|
||||
};
|
||||
|
||||
static const char *zonetype_enums[] = {
|
||||
"primary", "master", "secondary", "slave",
|
||||
"mirror", "delegation-only", "forward", "hint",
|
||||
"redirect", "static-stub", "stub", NULL
|
||||
};
|
||||
static const char *zonetype_enums[] = { "primary", "master", "secondary",
|
||||
"slave", "mirror", "forward",
|
||||
"hint", "redirect", "static-stub",
|
||||
"stub", NULL };
|
||||
static cfg_type_t cfg_type_zonetype = { "zonetype", cfg_parse_enum,
|
||||
cfg_print_ustring, cfg_doc_enum,
|
||||
&cfg_rep_string, &zonetype_enums };
|
||||
|
|
@ -2127,7 +2126,7 @@ static cfg_clausedef_t view_clauses[] = {
|
|||
{ "response-policy", &cfg_type_rpz, 0 },
|
||||
{ "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "root-delegation-only", &cfg_type_optional_exclude,
|
||||
CFG_CLAUSEFLAG_DEPRECATED },
|
||||
CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "root-key-sentinel", &cfg_type_boolean, 0 },
|
||||
{ "rrset-order", &cfg_type_rrsetorder, 0 },
|
||||
{ "send-cookie", &cfg_type_boolean, 0 },
|
||||
|
|
@ -2376,7 +2375,7 @@ static cfg_clausedef_t zone_only_clauses[] = {
|
|||
CFG_ZONE_STUB },
|
||||
{ "delegation-only", &cfg_type_boolean,
|
||||
CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD |
|
||||
CFG_CLAUSEFLAG_DEPRECATED },
|
||||
CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "dlz", &cfg_type_astring,
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT },
|
||||
{ "file", &cfg_type_qstring,
|
||||
|
|
@ -3878,10 +3877,6 @@ cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
|
|||
cfg_print_indent(&pctx);
|
||||
cfg_print_cstr(&pctx, "type redirect;\n");
|
||||
break;
|
||||
case CFG_ZONE_DELEGATION:
|
||||
cfg_print_indent(&pctx);
|
||||
cfg_print_cstr(&pctx, "type delegation-only;\n");
|
||||
break;
|
||||
case CFG_ZONE_INVIEW:
|
||||
/* no zone type is specified for these */
|
||||
break;
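Review bot: Dropping `delegation-only` from `zonetype_enums` means a configuration that still contains `type delegation-only;` is presumably rejected by `cfg_parse_enum` with a generic unexpected-value error, whereas the `root-delegation-only` and `delegation-only` clauses in the same section move to `CFG_CLAUSEFLAG_ANCIENT` and get its more specific diagnostic. Operators who used these options to turn TLD wildcard answers into NXDOMAIN will now see the server refuse to load the configuration, so a targeted message for the removed zone type, or at least a release note stating that this enforcement no longer exists, would ease migration. The removal of `case CFG_ZONE_DELEGATION:` from `cfg_print_zonegrammar` also suggests `CFG_ZONE_DELEGATION` is now unused; if the constant is still defined in the public header it should be retired in this change rather than left as a dead value.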
|
||||
|
|
|
|||