3008. [func] Response policy zones (RPZ) support. [RT #21726]

This commit is contained in:
Mark Andrews 2011-01-13 01:59:28 +00:00
parent 100b78748b
commit 87708bde16
45 changed files with 4191 additions and 220 deletions


@ -1,3 +1,5 @@
3008. [func] Response policy zones (RPZ) support. [RT #21726]
3007. [bug] Named failed to preserve the case of domain names in
rdata which is no compressable when writing master
files. [RT #22863]


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.h,v 1.43 2010/12/08 02:46:15 marka Exp $ */
/* $Id: query.h,v 1.44 2011/01/13 01:59:25 marka Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
@ -26,8 +26,9 @@
#include <isc/buffer.h>
#include <isc/netaddr.h>
#include <dns/types.h>
#include <dns/rdataset.h>
#include <dns/rpz.h>
#include <dns/types.h>
#include <named/types.h>
@ -35,6 +36,7 @@
typedef struct ns_dbversion {
dns_db_t *db;
dns_dbversion_t *version;
isc_boolean_t acl_checked;
isc_boolean_t queryok;
ISC_LINK(struct ns_dbversion) link;
} ns_dbversion_t;
@ -55,6 +57,7 @@ struct ns_query {
isc_boolean_t isreferral;
isc_mutex_t fetchlock;
dns_fetch_t * fetch;
dns_rpz_st_t * rpz_st;
isc_bufferlist_t namebufs;
ISC_LIST(ns_dbversion_t) activeversions;
ISC_LIST(ns_dbversion_t) freeversions;



@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.597 2011/01/11 23:47:12 tbox Exp $ */
/* $Id: server.c,v 1.598 2011/01/13 01:59:25 marka Exp $ */
/*! \file */
@ -1438,6 +1438,114 @@ cleanup:
return (result);
}
static isc_result_t
configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
const cfg_obj_t *rpz_obj, *policy_obj;
const char *str;
dns_fixedname_t fixed;
dns_name_t *origin;
dns_rpz_zone_t *old, *new;
dns_zone_t *zone;
isc_result_t result;
unsigned int l1, l2;
new = isc_mem_get(view->mctx, sizeof(*new));
if (new == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup;
}
memset(new, 0, sizeof(*new));
dns_name_init(&new->nsdname, NULL);
dns_name_init(&new->origin, NULL);
dns_name_init(&new->cname, NULL);
ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
rpz_obj = cfg_listelt_value(element);
policy_obj = cfg_tuple_get(rpz_obj, "policy");
if (cfg_obj_isvoid(policy_obj)) {
new->policy = DNS_RPZ_POLICY_GIVEN;
} else {
str = cfg_obj_asstring(policy_obj);
new->policy = dns_rpz_str2policy(str);
INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
}
dns_fixedname_init(&fixed);
origin = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "name"));
result = dns_name_fromstring(origin, str, DNS_NAME_DOWNCASE, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
origin, DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
/*
* The origin is part of 'nsdname' so we don't need to keep it
* seperately.
*/
l1 = dns_name_countlabels(&new->nsdname);
l2 = dns_name_countlabels(origin);
dns_name_getlabelsequence(&new->nsdname, l1 - l2, l2, &new->origin);
/*
* Are we configured to with the reponse policy zone?
*/
result = dns_view_findzone(view, &new->origin, &zone);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"unknown zone '%s'", str);
goto cleanup;
}
if (dns_zone_gettype(zone) != dns_zone_master &&
dns_zone_gettype(zone) != dns_zone_slave) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"zone '%s' is neither master nor slave", str);
dns_zone_detach(&zone);
result = DNS_R_NOTMASTER;
goto cleanup;
}
dns_zone_detach(&zone);
for (old = ISC_LIST_HEAD(view->rpz_zones);
old != new;
old = ISC_LIST_NEXT(old, link)) {
++new->num;
if (dns_name_equal(&old->origin, &new->origin)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"duplicate '%s'", str);
result = DNS_R_DUPLICATE;
goto cleanup;
}
}
if (new->policy == DNS_RPZ_POLICY_CNAME) {
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "cname"));
result = dns_name_fromstring(&new->cname, str, 0, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid cname '%s'", str);
goto cleanup;
}
}
return (ISC_R_SUCCESS);
cleanup:
dns_rpz_view_destroy(view);
return (result);
}
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
* where values are missing in 'vconfig'.
@ -2781,6 +2889,29 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
}
}
/*
* Make the list of response policy zone names for views that
* are used for real lookups and so care about hints.
*/
zonelist = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints) {
obj = NULL;
result = ns_config_get(maps, "response-policy", &obj);
if (result == ISC_R_SUCCESS)
cfg_map_get(obj, "zone", &zonelist);
}
if (zonelist != NULL) {
for (element = cfg_list_first(zonelist);
element != NULL;
element = cfg_list_next(element)) {
result = configure_rpz(view, element);
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_rpz_set_need(ISC_TRUE);
}
}
result = ISC_R_SUCCESS;
cleanup:
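Review bot: configure_rpz, new in the first hunk, has no header comment and its failure contract is easy to miss: the zone is appended to view->rpz_zones by `ISC_LIST_INITANDAPPEND` before anything is validated, and every error path ends in `dns_rpz_view_destroy(view)`, which discards all policy zones configured for the view so far, not only this one. I would add a block comment above `static isc_result_t` stating that the function allocates one dns_rpz_zone_t from a 'response-policy' zone element, requires the named zone to already exist in the view as a master or slave zone, links it into view->rpz_zones, and on any error destroys the view's entire rpz_zones list. The `INSIST(new->policy != DNS_RPZ_POLICY_ERROR)` presumably relies on the config grammar admitting only known policy keywords; if a free-form string can reach it, an unknown keyword aborts named during reconfiguration instead of being reported, and `cfg_obj_log(...); result = ISC_R_FAILURE; goto cleanup;` would be the safer handling. Two comment typos in the same function: `seperately` → `separately`, and `Are we configured to with the reponse policy zone?` → `Is the response policy zone configured in this view?`. configure_view, which the second hunk patches, starts and ends outside the hunk.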


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.33 2010/06/23 23:46:58 tbox Exp $
# $Id: Makefile.in,v 1.34 2011/01/13 01:59:25 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
SUBDIRS = filter-aaaa lwresd tkey
SUBDIRS = filter-aaaa lwresd rpz tkey
TARGETS =
@BIND9_MAKE_RULES@


@ -17,6 +17,7 @@ involving a different DNS setup. They are:
nsupdate/ Dynamic update and IXFR tests
resolver/ Regression tests for resolver bugs that have been fixed
(not a complete resolver test suite)
rpz/ Tests of response policy zone (RPZ) rewriting
stub/ Tests of stub zone functionality
unknown/ Unknown type and class tests
upforwd/ Update forwarding tests
@ -57,4 +58,4 @@ The tests can be run individually like this:
To run all the tests, just type "make test".
$Id: README,v 1.14 2010/08/25 23:46:37 tbox Exp $
$Id: README,v 1.15 2011/01/13 01:59:25 marka Exp $


@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.57 2010/12/23 04:07:59 marka Exp $
# $Id: conf.sh.in,v 1.58 2011/01/13 01:59:26 marka Exp $
#
# Common configuration data for system tests, to be sourced into
@ -55,7 +55,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
dlv @DLZ_SYSTEM_TEST@ dlzexternal dns64 dnssec forward glue gost ixfr limits
lwresd masterfile masterformat metadata notify nsupdate pending pkcs11
resolver rrsetorder sortlist smartsign staticstub stub tkey
resolver rpz rrsetorder sortlist smartsign staticstub stub tkey
tsig tsiggss unknown upforwd views xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.


@ -0,0 +1,55 @@
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.2 2011/01/13 01:59:26 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES =
CDEFINES =
CWARNINGS =
DNSLIBS =
ISCLIBS = .
DNSDEPLIBS =
ISCDEPLIBS =
DEPLIBS =
LIBS = @LIBS@
TARGETS = rpz@EXEEXT@
RPZOBJS = rpz.@O@
SRCS = rpz.c
@BIND9_MAKE_RULES@
all: rpz@EXEEXT@
rpz@EXEEXT@: ${RPZOBJS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${RPZOBJS} ${LIBS}
clean distclean::
rm -f ${TARGETS}


@ -0,0 +1,22 @@
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2011/01/13 01:59:26 marka Exp $
# Clean up after rpz tests.
rm -f dig.out* nsupdate.tmp
rm -f */named.memstats */named.run */session.key
rm -f ns3/bl*.db */*.jnl


@ -0,0 +1,33 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/01/13 01:59:26 marka Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
session-keyfile "session.key";
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
notify no;
};
zone "." {type master; file "root.db";};


@ -0,0 +1,28 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db,v 1.2 2011/01/13 01:59:26 marka Exp $
$TTL 120
@ SOA s1. hostmaster.ns.s1. ( 1 3600 1200 604800 60 )
@ NS s1
s1. A 10.53.0.1
; rewrite responses from this zone
tld2. NS ns.tld2.
ns.tld2. A 10.53.0.2
; requests come from here
tld3. NS ns.tld3.
ns.tld3. A 10.53.0.3


@ -0,0 +1,18 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: hints,v 1.2 2011/01/13 01:59:26 marka Exp $
. 0 NS s1.
s1. 0 A 10.53.0.1


@ -0,0 +1,37 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/01/13 01:59:26 marka Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
notify no;
};
zone "." { type hint; file "hints"; };
zone "tld2." {type master; file "tld2.db";};
zone "sub1.tld2." {type master; file "tld2.db";};
zone "sub2.sub1.tld2." {type master; file "tld2.db";};


@ -0,0 +1,57 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: tld2.db,v 1.2 2011/01/13 01:59:26 marka Exp $
; RPZ rewrite responses from this zone
$TTL 120
@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
NS @
A 10.53.0.2
nodata TXT "nodata"
a12 A 12.12.12.12
a0-1 A 192.168.0.1
AAAA 2001:2::1
TXT "a0-1 text"
a3-1 A 192.168.3.1
AAAA 2001:2:3::1
TXT "a3-1 text"
a3-2 A 192.168.3.2
AAAA 2001:2:3::2
TXT "a3-2 text"
a4-1 A 192.168.4.1
AAAA 2001:2:4::1
TXT "a4-1 text"
a4-1-aaaa AAAA 2001:2:4::1
a4-2 A 192.168.4.2
AAAA 2001:2:4::2
TXT "a4-2 text"
a4-3 A 192.168.4.3
AAAA 2001:2:4::3
TXT "a4-3 text"
a4-4 A 192.168.4.4
AAAA 2001:2:4::4
TXT "a4-4 text"
a4-5 CNAME a12


@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: base.db,v 1.2 2011/01/13 01:59:26 marka Exp $
; RPZ test
$TTL 120
@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
; Poke the radix tree a little.
128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip CNAME .
128.1111.2222.3333.4444.5555.6666.zz.rpz-ip CNAME .
128.1111.2222.3333.4444.5555.zz.8888.rpz-ip CNAME .
128.1111.2222.3333.4444.zz.8888.rpz-ip CNAME .
128.zz.3333.4444.0.0.8888.rpz-ip CNAME .
128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .


@ -0,0 +1,18 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: hints,v 1.2 2011/01/13 01:59:27 marka Exp $
. 0 NS s1.
s1. 0 A 10.53.0.1


@ -0,0 +1,77 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/01/13 01:59:27 marka Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
notify no;
response-policy {
zone "bl";
zone "bl-given" policy given;
zone "bl-no-op" policy no-op;
zone "bl-nodata" policy nodata;
zone "bl-nxdomain" policy nxdomain;
zone "bl-cname" policy cname nodata.tld2.;
};
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
logging {
category queries { default_stderr; };
category query-errors { default_stderr; };
};
zone "." { type hint; file "hints"; };
zone "bl." {type master; file "bl.db";
allow-update {any;};
};
zone "bl-given." {type master; file "bl-given.db";
allow-update {any;};
};
zone "bl-no-op." {type master; file "bl-no-op.db";
allow-update {any;};
};
zone "bl-nodata." {type master; file "bl-nodata.db";
allow-update {any;};
};
zone "bl-nxdomain." {type master; file "bl-nxdomain.db";
allow-update {any;};
};
zone "bl-cname." {type master; file "bl-cname.db";
allow-update {any;};
};
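Review bot: Every policy zone in this fixture is declared with `allow-update {any;};` and the control channel is `allow { any; }` with a fixed key, which is what the test driver needs (tests.sh loads rules with nsupdate) but reads like a template if someone copies it, and nothing in the file says so. I would add above the first `zone "bl."` block: `// test harness only: policy zones accept dynamic updates from any host so tests.sh can load rules; a production policy zone must be protected like any authoritative zone, since whoever can write it controls response rewriting.` The same caveat applies to the rndc key and control channel declared just above the logging block.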


@ -0,0 +1,54 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rpz.c,v 1.2 2011/01/13 01:59:26 marka Exp $ */
#include <config.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define USAGE "usage: nsip | nsdname\n"
int
main(int argc, char **argv)
{
if (argc != 2) {
fputs(USAGE, stderr);
return (1);
}
if (!strcasecmp(argv[1], "nsip")) {
#ifdef ENABLE_RPZ_NSIP
return (0);
#else
return (1);
#endif
}
if (!strcasecmp(argv[1], "nsdname")) {
#ifdef ENABLE_RPZ_NSDNAME
return (0);
#else
return (1);
#endif
}
fputs(USAGE, stderr);
return (1);
}
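Review bot: `strcasecmp` is called in both argv comparisons but only `<string.h>` is included; POSIX declares strcasecmp in `<strings.h>`, so on a strict libc this becomes an implicit declaration, which is an error under C99 and later. Add `#include <strings.h>` next to the existing string include; `<stdlib.h>` is not used by anything in the file and could go. A one-line comment above USAGE saying what the program is for would also help, e.g. `/* Exit 0 if this build defines ENABLE_RPZ_NSIP / ENABLE_RPZ_NSDNAME (from config.h), else 1; queried by tests.sh. */`.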


@ -0,0 +1,23 @@
#!/bin/sh
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2011/01/13 01:59:26 marka Exp $
sh clean.sh
for NM in '' -given -no-op -nodata -nxdomain -cname; do
cp -f ns3/base.db ns3/bl$NM.db
done


@ -0,0 +1,24 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test1,v 1.2 2011/01/13 01:59:26 marka Exp $
server 10.53.0.3 5300
update add a0-1.tld2.bl. 300 CNAME .
update add a3-1.tld2.bl. 300 CNAME *.
update add *.sub1.tld2.bl. 300 A 12.12.12.12
send


@ -0,0 +1,35 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test2,v 1.2 2011/01/13 01:59:26 marka Exp $
server 10.53.0.3 5300
; NODATA a3-1.tld2
update add 32.1.3.168.192.rpz-ip.bl 300 CNAME *.
; NXDOMAIN for network of a4-1.tld2
update add 24.0.4.168.192.rpz-ip.bl 300 CNAME .
; poke hole in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged
update add 32.1.4.168.192.rpz-ip.bl 300 CNAME 32.1.4.168.192
; NODATA a4-3.tld2
update add 32.3.4.168.192.rpz-ip.bl 300 CNAME *.
; NXDOMAIN for IPv6 a3-1.tld2
update add 128.1.zz.3.2.2001.rpz-ip.bl 300 CNAME .
send


@ -0,0 +1,22 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test3,v 1.2 2011/01/13 01:59:26 marka Exp $
server 10.53.0.3 5300
update add *.tld2.rpz-nsdname.bl. 300 CNAME .
send


@ -0,0 +1,22 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test4,v 1.2 2011/01/13 01:59:26 marka Exp $
server 10.53.0.3 5300
update add 32.2.0.53.10.rpz-nsip.bl. 300 CNAME .
send


@ -0,0 +1,36 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test5,v 1.2 2011/01/13 01:59:26 marka Exp $
server 10.53.0.3 5300
update add a3-1.tld2.bl-given. 300 CNAME .
send
server 10.53.0.3 5300
update add a3-2.tld2.bl-no-op. 300 CNAME .
send
server 10.53.0.3 5300
update add a3-3.tld2.bl-nodata. 300 CNAME .
send
server 10.53.0.3 5300
update add a3-4.tld2.bl-nxdomain. 300 CNAME *.
send
server 10.53.0.3 5300
update add a3-5.tld2.bl-cname. 300 CNAME .
send


@ -0,0 +1,223 @@
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2011/01/13 01:59:26 marka Exp $
# test response policy zones (RPZ)
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
root=10.53.0.1
s2=10.53.0.2
s3=10.53.0.3
DIGCMD="$DIG +noadd +nosea +nocmd -p 5300"
USAGE="$0: [-x]"
while getopts "x" c; do
case $c in
x) set -x;;
*) echo "$USAGE" 1>&2; exit 1;;
esac
done
shift `expr $OPTIND - 1 || true`
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
# really quit on control-C
trap 'exit 1' 1 2 15
# set DIGNM=file name for dig output
# $1=target domain $2=optional query type $3=optional string
dignm () {
DIGNM=dig.out-$DIGNM_SUB-$1
if test -n "$3"; then
DIGNM=$DIGNM-$3
fi
if test -n "$2"; then
DIGNM=$DIGNM-`expr "x$2" : 'x-t *\(.*\)'`
fi
}
setret () {
ret=1
echo "$*"
}
# check rewrite to NXDOMAIN
# $1=target domain $2=optional query type
nxdomain () {
dignm $1 "$2"
$DIGCMD +noauth $1 $2 @$s3 >$DIGNM
$PERL ../digcomp.pl dig.out-nxdomain $DIGNM || setret " in $DIGNM"
}
# check rewrite to NODATA
# $1=target domain $2=optional query type
nodata () {
dignm $1 "$2"
$DIGCMD +noauth $1 $2 @$s3 >$DIGNM
$PERL ../digcomp.pl dig.out-nodata $DIGNM || setret " in $DIGNM"
}
# check rewrite to "A 12.12.12.12"
# modify the output so that it is easily matched, but save the original line
# $1=target domain $2=optional query type
a12 () {
dignm $1 "$2"
$DIGCMD +noauth $1 $2 @$s3 \
| sed -e "/^$1\. /{" \
-e "s/.*/;xxx &/p" -e "s/^;xxx $1/a12.tld2/" -e '}' \
>$DIGNM
$PERL ../digcomp.pl dig.out-a12 $DIGNM || ret=1
}
# check that a response is not rewritten
# $1=target domain $2=optional query type
nochange () {
dignm $1 "$2" ok
DIGNM_OK=$DIGNM
dignm $1 "$2"
$DIGCMD $1 $2 @$s3 >$DIGNM
$DIGCMD $1 $2 @$s2 >$DIGNM_OK
$PERL ../digcomp.pl $DIGNM_OK $DIGNM || ret=1
}
flush_db () {
if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 freeze; then : ; else
echo "I:failed to freeze policy zone $1"
exit 1
fi
if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 thaw; then : ; else
echo "I:failed to thaw policy zone $1"
exit 1
fi
}
# $1=message $2=test file
start_test () {
ret=0
if test -n "$1"; then
echo "I:checking $1"
fi
PREV_FILE=$2
if test -n "$2"; then
DIGNM_SUB=`expr "$2" : 'test\(.\)'`
if $NSUPDATE -v $PREV_FILE; then : ; else
echo "I:failed to update policy zone $1 with $2"
exit 1
fi
#flush_db
else
DIGNM_SUB="${DIGNM_SUB}x"
fi
}
end_test () {
if test $ret != 0; then
echo "I:failed"
else
rm -f dig.out-${DIGNM_SUB}*
fi
if test -n "$PREV_FILE"; then
sed -e 's/ add / delete /' $PREV_FILE | $NSUPDATE
status=`expr $status + $ret`
#flush_db
fi
}
# make NXDOMAIN and NODATA prototypes
echo "I:making prototype RPZ NXDOMAIN, NODATA, and CNAME results"
$DIGCMD +noauth nonexistent @$s2 >dig.out-nxdomain
$DIGCMD +noauth nodata.tld2 @$s2 >dig.out-nodata
$DIGCMD +noauth a12.tld2 @$s2 >dig.out-a12
status=0
start_test "RPZ QNAME rewrites" test1
nxdomain a0-1.tld2
nodata a3-1.tld2
a12 a4-1.sub1.tld2
end_test
start_test "RPZ IP rewrites" test2
nodata a3-1.tld2
nochange a3-2.tld2
nxdomain a3-99.tld2
nochange a4-1.tld2
nxdomain a4-2.tld2
nochange a4-2.tld2 -taaaa
nochange a4-2.tld2 -ttxt
nxdomain a4-2.tld2 -tany
nodata a4-3.tld2
nxdomain a3-1.tld2 -tAAAA
nochange a4-1-aaaa.tld2 -tAAAA
end_test
start_test "RPZ radix tree deletions"
nochange a3-1.tld2
nochange a3-2.tld2
nochange a4-1.tld2
nochange a4-2.tld2
nochange a4-2.tld2 -taaaa
nochange a4-2.tld2 -ttxt
nochange a4-2.tld2 -tany
nochange a4-3.tld2
nochange a3-1.tld2 -tAAAA
nochange a4-1-aaaa.tld2 -tAAAA
end_test
if ./rpz nsdname; then
start_test "RPZ NSDNAME rewrites" test3
nochange a3-1.tld2
nxdomain a3-1.sub1.tld2
nxdomain a3-1.sub2.sub1.tld2
end_test
else
echo "I:RPZ NSDNAME not checked; named was not built with --enable-rpz-nsdname"
fi
if ./rpz nsip; then
start_test "RPZ NSIP rewrites" test4
nxdomain a3-1.tld2
nochange .
end_test
else
echo "I:RPZ NSIP not checked; named was not built with --enable-rpz-nsip"
fi
start_test "RPZ policy overrides" test5
nxdomain a3-1.tld2
nochange a3-2.tld2
nodata a3-3.tld2
nxdomain a3-4.tld2
dignm a3-5.tld2 -tany
$DIGCMD +noauth a3-5.tld2 -tany @$s3 >$DIGNM
if grep CNAME $DIGNM >/dev/null; then : ; else
echo "'policy cname' failed"
ret=1
fi
end_test
if test "$status" -eq 0; then
rm -f dig.out*
fi
echo "I:exit status: $status"
exit $status
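Review bot: `a12` and `nochange` record a mismatch with a bare `ret=1`, while `nxdomain` and `nodata` go through `setret " in $DIGNM"`, so a failure in the first two leaves no indication of which dig output differed; use `setret " in $DIGNM"` in both. The 'policy cname' failure message near the end also lacks the `I:` prefix every other message in the script carries, which the system-test driver presumably keys on, so `echo "I:'policy cname' failed"` would match the rest. `flush_db` prints `$1` in its error messages but is only referenced without arguments (and only in commented-out calls), so those messages would print an empty zone name if the calls were ever re-enabled.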


@ -16,7 +16,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h.in,v 1.141 2010/12/23 04:09:28 marka Exp $ */
/* $Id: config.h.in,v 1.142 2011/01/13 01:59:25 marka Exp $ */
/*! \file */
@ -144,9 +144,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if threads need PTHREAD_SCOPE_SYSTEM */
#undef NEED_PTHREAD_SCOPE_SYSTEM
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
/* Define to enable the "filter-aaaa-on-v4" option. */
#undef ALLOW_FILTER_AAAA_ON_V4
@ -160,6 +157,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to enable "rrset-order fixed" syntax. */
#undef DNS_RDATASET_FIXED
/* Define to enable rpz-nsdname rules. */
#undef ENABLE_RPZ_NSDNAME
/* Define to enable rpz-nsip rules. */
#undef ENABLE_RPZ_NSIP
/* Solaris hack to get select_large_fdset. */
#undef FD_SETSIZE
@ -374,9 +377,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
@ -397,26 +397,15 @@ int sigwait(const unsigned int *set, int *sig);
/* define if idnkit support is to be included. */
#undef WITH_IDN
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
#if defined AC_APPLE_UNIVERSAL_BUILD
# if defined __BIG_ENDIAN__
# define WORDS_BIGENDIAN 1
# endif
#else
# ifndef WORDS_BIGENDIAN
# undef WORDS_BIGENDIAN
# endif
#endif
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to `__inline__' or `__inline' if that's what the C compiler
calls it, or to nothing if 'inline' is not supported under any name. */
#ifndef __cplusplus
/* Define to empty if your compiler does not support "static inline". */
#undef inline
#endif
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t


@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.511 $)
AC_REVISION($Revision: 1.512 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@ -308,7 +308,7 @@ AC_TRY_COMPILE(, [
],
[AC_MSG_RESULT(no)],
[AC_MSG_RESULT(yes)
AC_DEFINE(inline, )])
AC_DEFINE(inline, ,[Define to empty if your compiler does not support "static inline".])])
AC_TYPE_SIZE_T
AC_CHECK_TYPE(ssize_t, int)
@ -2729,6 +2729,42 @@ case "$enable_fixed" in
;;
esac
#
# Enable response policy rewriting using NS IP addresses
#
AC_ARG_ENABLE(rpz-nsip,
[ --enable-rpz-nsip enable rpz-nsip rules [[default=no]]],
enable_nsip="$enableval",
enable_nsip="no")
case "$enable_nsip" in
yes)
AC_DEFINE(ENABLE_RPZ_NSIP, 1,
[Define to enable rpz-nsip rules.])
;;
no)
;;
*)
;;
esac
#
# Enable response policy rewriting using NS name
#
AC_ARG_ENABLE(rpz-nsdname,
[ --enable-rpz-nsdname enable rpz-nsdname rules [[default=no]]],
enable_nsdname="$enableval",
enable_nsdname="no")
case "$enable_nsdname" in
yes)
AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
[Define to enable rpz-nsdname rules.])
;;
no)
;;
*)
;;
esac
#
# Activate "filter-aaaa-on-v4" or not?
#
@ -3269,6 +3305,7 @@ AC_CONFIG_FILES([
bin/tests/system/filter-aaaa/Makefile
bin/tests/system/gost/prereq.sh
bin/tests/system/lwresd/Makefile
bin/tests/system/rpz/Makefile
bin/tests/system/tkey/Makefile
bin/tests/tasks/Makefile
bin/tests/timers/Makefile
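Review bot: The `*)` arms of the two new case statements for `$enable_nsip` and `$enable_nsdname` do nothing, so a mistyped value such as `--enable-rpz-nsip=ys` silently builds without the feature while the admin believes it is on. Since the only legal values are yes/no, the catch-all arm should fail loudly, e.g. `*) AC_MSG_ERROR([unknown value for --enable-rpz-nsip: $enable_nsip]) ;;` and the same for rpz-nsdname; the empty `no)` arms can then stay as they are.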


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.475 2011/01/07 04:31:38 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.476 2011/01/13 01:59:27 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -5165,6 +5165,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
<optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
<optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
<optional> response-policy { <replaceable>zone_name</replaceable> <optional> policy <replaceable>given</replaceable> | <replaceable>no-op</replaceable> | <replaceable>nxdomain</replaceable> | <replaceable>nodata</replaceable> | <replaceable>cname domain</replaceable> </optional> ; } ; </optional>
};
</programlisting>
@ -9183,6 +9184,143 @@ deny-answer-aliases { "example.net"; };
spuriously can break such applications.
</para>
</sect3>
<sect3>
<title>Response Policy Zone (RPZ) Rewriting</title>
<para>
<acronym>BIND</acronym> 9 includes an intentionally limited
mechanism to modify DNS responses for recursive requests
similar to email anti-spam DNS blacklists.
All response policy zones are named in the
<command>response-policy</command> option for the view or among the
global options if there is no response-policy option for the view.
</para>
<para>
The rules encoded in a response policy zone (RPZ) are applied
only to responses to queries that ask for recursion (RD=1).
RPZs are normal DNS zones containing largely valid RRsets
that can be queried normal if allowed.
It is usually best to restrict those queries with something like
<command>allow-query {none; };</command> or
<command>allow-query { 127.0.0.1; };</command>.
</para>
<para>
There are four kinds of RPZ rewrite rules. QNAME rules are
applied to query names in requests and to targets of CNAME
records resolved in the process of generating the response.
The owner name of a QNAME rule is the query name relativized
to the RPZ.
</para>
<para>
IP rules are triggered by addresses in A and AAAA records.
All IP addresses in A or AAAA RRsets are tested and the rule
longest prefix is applied. Ties between rules with equal prefixes
are broken in favor of the first RPZ mentioned in the
response-policy option.
The rule matching the smallest IP address is chosen among equal
prefix rules from a single RPZ.
IP rules are expressed in RRsets with owner names that are
subdomains of rpz-ip and encoding an IP address block, reversed
as in IN-ARPA.
prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255
encodes an IPv4 address.
IPv6 addresses are encoded by with prefix.W.W.W.W.W.W.W.W or
prefix.WORDS.zz.WORDS. The words in the standard IPv6 text
representation are reversed, "::" is replaced with ".zz.",
and ":" becomes ".".
</para>
<para>
NSDNAME rules match names in NS RRsets for the response or a
parent. They are encoded as subdomains of rpz-nsdomain relativized
to the RPZ origin name.
</para>
<para>
NSIP rules match IP addresses in A and AAAA RRsets for names of
responsible servers or the names that can be matched by NSDNAME
rules. The are encoded like IP rules except as subdomains of
rpz-nsip.
</para>
<para>
Authority verification issues and variations in authority data in
the current version of <acronym>BIND</acronym> 9 can cause
inconsistent results from NSIP and NSDNAME. So they are available
only when <acronym>BIND</acronym> is built with the
<userinput>--enable-rpz-nsip</userinput> or
<userinput>--enable-rpz-nsdname</userinput> options
on the "configure" command line.
</para>
<para>
Four policies can be expressed.
The <command>NXDOMAIN</command> policy causes a NXDOMAIN response
and is expressed with an RRset consisting of a single CNAME
whose target is the root domain (.).
<command>NODATA</command> generates NODATA or ANCOUNT=1 regardless
of query type.
It is expressed with a CNAME whose target is the wildcard
top-level domain (*.).
The <command>NO-OP</command> policy does not change the response
and is used to "poke holes" in policies for larger CIDR blocks or in
zones named later in the <command>response-policy</command> option.
The NO-OP policy is expressed by a CNAME with a target consisting
of the variable part of the owner name, such as "example.com." for
a QNAME rule or "128.1.0.0.127." for an IP rule.
The <command>CNAME</command> policy is used to replace the RRsets
of response.
A and AAAA RRsets are most common and useful to capture
an evil domain in a walled garden, but any valid set of RRsets
is possible.
</para>
<para>
All of the policies in an RPZ can be overridden with a
<command>policy</command> clause.
<command>given</command> says "do not override."
<command>no-op</command> says "do nothing" regardless of the policy
in RPZ records.
<command>nxdomain</command> causes all RPZ rules to generate
NXDOMAIN results.
<command>nodata</command> gives nodata.
<command>cname domain</command> causes all RPZ rules to act as if
the consisted of a "cname domain" record.
</para>
<para>
For example, you might use this option statement
</para>
<programlisting>response-policy { zone "bl"; };</programlisting>
<para>
and this zone statement
</para>
<programlisting>zone "bl" {type master; file "example/bl"; allow-query {none;}; };</programlisting>
<para>
with this zone file
</para>
<programlisting>$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
; QNAME rules
nxdomain.domain.com CNAME .
nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
AAAA 2001:2::1
ok.domain.com CNAME ok.domain.com.
; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
32.1.0.0.127.ip CNAME 32.1.0.0.127.
; NSDNAME and NSIP rules
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</programlisting>
</sect3>
</sect2>
<sect2 id="server_statement_grammar">


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.175 2011/01/06 23:47:00 tbox Exp $
# $Id: Makefile.in,v 1.176 2011/01/13 01:59:27 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -64,9 +64,9 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
portlist.@O@ private.@O@ \
rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
rdatalist.@O@ \
rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
resolver.@O@ result.@O@ rootns.@O@ rriterator.@O@ sdb.@O@ \
rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \
rriterator.@O@ sdb.@O@ \
sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
tsec.@O@ tsig.@O@ ttl.@O@ validator.@O@ \
@ -90,11 +90,10 @@ DNSSRCS = acache.c acl.c adb.c byaddr.c \
keydata.c keytable.c lib.c log.c lookup.c \
master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
rdatalist.c \
rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
rdataset.c rdatasetiter.c rdataslab.c request.c \
resolver.c result.c rootns.c rriterator.c sdb.c sdlz.c \
soa.c ssu.c ssu_external.c \
resolver.c result.c rootns.c rpz.c rriterator.c \
sdb.c sdlz.c soa.c ssu.c ssu_external.c \
stats.c tcpmsg.c time.c timer.c tkey.c \
tsec.c tsig.c ttl.c validator.c \
version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: db.c,v 1.95 2009/10/08 23:13:06 marka Exp $ */
/* $Id: db.c,v 1.96 2011/01/13 01:59:27 marka Exp $ */
/*! \file */
@ -944,3 +944,21 @@ dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
if (db->methods->resigned != NULL)
(db->methods->resigned)(db, rdataset, version);
}
void
dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
{
if (db->methods->rpz_enabled != NULL)
(db->methods->rpz_enabled)(db, st);
}
isc_result_t
dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
dns_rdataset_t *ardataset, dns_rpz_st_t *st)
{
if (db->methods->rpz_findips == NULL)
return (ISC_R_NOTIMPLEMENTED);
return ((db->methods->rpz_findips)(rpz, rpz_type, zone, db, version,
ardataset, st));
}
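Review bot: Neither new wrapper validates 'db' before dereferencing `db->methods`, whereas the dns_db_* wrappers in this file conventionally open with `REQUIRE(DNS_DB_VALID(db));` (the convention is outside this hunk, so confirm against the neighbouring functions). Separately, dns_db_rpz_findips returns ISC_R_NOTIMPLEMENTED without touching 'db' or 'zone', while the rbtdb implementation added in this same commit (rpz_findips in lib/dns/rbtdb.c) detaches both references on its own failure path, so a caller cannot tell from the result code alone whether it still owns them; the two failure paths should agree and the contract should be stated in db.h.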


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: db.h,v 1.102 2009/11/25 23:49:22 tbox Exp $ */
/* $Id: db.h,v 1.103 2011/01/13 01:59:28 marka Exp $ */
#ifndef DNS_DB_H
#define DNS_DB_H 1
@ -63,6 +63,7 @@
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rpz.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
@ -170,6 +171,13 @@ typedef struct dns_dbmethods {
dns_dbversion_t *version);
isc_boolean_t (*isdnssec)(dns_db_t *db);
dns_stats_t *(*getrrsetstats)(dns_db_t *db);
void (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st);
isc_result_t (*rpz_findips)(dns_rpz_zone_t *rpz,
dns_rpz_type_t rpz_type,
dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *version,
dns_rdataset_t *ardataset,
dns_rpz_st_t *st);
} dns_dbmethods_t;
typedef isc_result_t
@ -1487,6 +1495,31 @@ dns_db_getrrsetstats(dns_db_t *db);
* dns_rdatasetstats_create(); otherwise NULL.
*/
void
dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st);
/*%<
* See if a policy database has DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSIP, or
* DNS_RPZ_TYPE_NSDNAME records.
*/
isc_result_t
dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
dns_rdataset_t *ardataset, dns_rpz_st_t *st);
/*%<
* Search the CDIR block tree of a response policy tree of trees for the best
* match to any of the IP addresses in an A or AAAA rdataset.
*
* Requires:
* \li search in policy zone 'rpz' for a match of 'rpz_type' either
* DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP
* \li 'zone' and 'db' are the database corresponding to 'rpz'
* \li 'version' is the required version of the database
* \li 'ardataset' is an A or AAAA rdataset of addresses to check
* \li 'found' specifies the previous best match if any or
* or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0
*/
ISC_LANG_ENDDECLS
#endif /* DNS_DB_H */
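Review bot: The Requires list for dns_db_rpz_findips documents a 'found' argument that the prototype does not have; its last parameter is 'st'. Suggest replacing the last two `\li` lines with `\li 'st->m' holds the best match so far, with st->m.policy == DNS_RPZ_POLICY_MISS if there is none yet`, which is how rbtdb's rpz_findips tests it. "CDIR block tree" should read "CIDR block tree", and dns_db_rpz_enabled's comment says what is looked for but not how the answer is reported to the caller, so name the field of 'st' that it sets.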


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: name.h,v 1.135 2010/07/09 23:46:51 tbox Exp $ */
/* $Id: name.h,v 1.136 2011/01/13 01:59:28 marka Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@ -756,7 +756,7 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
isc_result_t
dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
dns_name_t *origin, unsigned int options,
const dns_name_t *origin, unsigned int options,
isc_buffer_t *target);
/*%<
* Convert the textual representation of a DNS name at source
@ -1168,11 +1168,18 @@ dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
isc_result_t
dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
isc_mem_t *mctx);
isc_result_t
dns_name_fromstring2(dns_name_t *target, const char *src,
const dns_name_t *origin, unsigned int options,
isc_mem_t *mctx);
/*%<
* Convert a string to a name and place it in target, allocating memory
* as necessary. 'options' has the same semantics as that of
* dns_name_fromtext().
*
* If 'target' has a buffer then the name will be copied into it rather than
* memory being allocated.
*
* Requires:
*
* \li 'target' is a valid name that is not read-only.
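Review bot: The contract comment now sits under both dns_name_fromstring and dns_name_fromstring2 but never mentions the new 'origin' parameter. Add `\li 'origin' is the name used to complete a relative 'src'; dns_name_fromstring() passes dns_rootname.`, which is what the new one-line dns_name_fromstring in name.c does. It would also help to note that when 'target' already has a buffer the name is parsed into it and no allocation happens, since callers that previously relied on always receiving a dynamically allocated name now get a different result depending on how 'target' was initialised.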

189
lib/dns/include/dns/rpz.h Normal file

@ -0,0 +1,189 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rpz.h,v 1.2 2011/01/13 01:59:28 marka Exp $ */
#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1
#include <isc/lang.h>
#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
#define DNS_RPZ_IP_ZONE "rpz-ip"
#define DNS_RPZ_NSIP_ZONE "rpz-nsip"
#define DNS_RPZ_NSDNAME_ZONE "rpz-nsdname"
typedef isc_uint8_t dns_rpz_cidr_bits_t;
typedef enum {
DNS_RPZ_TYPE_BAD,
DNS_RPZ_TYPE_QNAME,
DNS_RPZ_TYPE_IP,
DNS_RPZ_TYPE_NSIP,
DNS_RPZ_TYPE_NSDNAME
} dns_rpz_type_t;
/*
* Require DNS_RPZ_POLICY_NO_OP < DNS_RPZ_POLICY_NXDOMAIN <
* DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME.
*/
typedef enum {
DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what something else says */
DNS_RPZ_POLICY_NO_OP = 1, /* 'no-op': do not rewrite */
DNS_RPZ_POLICY_NXDOMAIN = 2, /* 'nxdomain': answer with NXDOMAIN */
DNS_RPZ_POLICY_NODATA = 3, /* 'nodata': answer with ANCOUNT=0 */
DNS_RPZ_POLICY_CNAME = 4, /* 'cname x': answer with x's rrsets */
DNS_RPZ_POLICY_RECORD = 5,
DNS_RPZ_POLICY_MISS,
DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;
/*
* Specify a response policy zone.
*/
typedef struct dns_rpz_zone dns_rpz_zone_t;
struct dns_rpz_zone {
ISC_LINK(dns_rpz_zone_t) link;
int num;
dns_name_t origin; /* Policy zone name */
dns_name_t nsdname; /* RPZ_NSDNAME_ZONE.origin */
dns_rpz_policy_t policy; /* RPZ_POLICY_GIVEN or override */
dns_name_t cname; /* override name for
RPZ_POLICY_CNAME */
};
/*
* Radix trees for response policy IP addresses.
*/
typedef struct dns_rpz_cidr dns_rpz_cidr_t;
/*
* context for finding the best policy
*/
typedef struct {
unsigned int state;
# define DNS_RPZ_REWRITTEN 0x0001
# define DNS_RPZ_DONE_QNAME 0x0002
# define DNS_RPZ_DONE_A 0x0004
# define DNS_RPZ_RECURSING 0x0008
# define DNS_RPZ_HAVE_IP 0x0010
# define DNS_RPZ_HAVE_NSIPv4 0x0020
# define DNS_RPZ_HAVE_NSIPv6 0x0040
# define DNS_RPZ_HAD_NSDNAME 0x0080
/*
* Best match so far.
*/
struct {
dns_rpz_type_t type;
dns_rpz_zone_t *rpz;
dns_rpz_cidr_bits_t prefix;
dns_rpz_policy_t policy;
dns_ttl_t ttl;
isc_result_t result;
dns_zone_t *zone;
dns_db_t *db;
dns_dbnode_t *node;
dns_rdataset_t *rdataset;
} m;
/*
* State for chasing NS names and addresses including recursion.
*/
struct {
unsigned int label;
dns_db_t *db;
dns_rdataset_t *ns_rdataset;
dns_rdatatype_t r_type;
isc_result_t r_result;
dns_rdataset_t *r_rdataset;
} ns;
/*
* State of real query while recursing for NSIP or NSDNAME.
*/
struct {
isc_result_t result;
isc_boolean_t is_zone;
isc_boolean_t authoritative;
dns_zone_t *zone;
dns_db_t *db;
dns_dbnode_t *node;
dns_rdataset_t *rdataset;
dns_rdataset_t *sigrdataset;
dns_rdatatype_t qtype;
} q;
dns_name_t *qname;
dns_name_t *r_name;
dns_name_t *fname;
dns_fixedname_t _qnamef;
dns_fixedname_t _r_namef;
dns_fixedname_t _fnamef;
} dns_rpz_st_t;
#define DNS_RPZ_TTL_DEFAULT 5
/*
* So various response policy zone messages can be turned up or down.
*/
#define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
const char *
dns_rpz_type2str(dns_rpz_type_t type);
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);
void
dns_rpz_set_need(isc_boolean_t need);
isc_boolean_t
dns_rpz_needed(void);
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
void
dns_rpz_view_destroy(dns_view_t *view);
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
dns_rpz_cidr_t **rbtdb_cidr);
void
dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
dns_rpz_type_t type, dns_name_t *canon_name,
dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rdataset_t *, dns_name_t *selfname);
#endif /* DNS_RPZ_H */
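Review bot: The header opens a declaration block with ISC_LANG_BEGINDECLS but no `ISC_LANG_ENDDECLS` appears before `#endif /* DNS_RPZ_H */`, unlike db.h and view.h in this same commit, so a C++ translation unit that includes it gets an unterminated `extern "C" {`; add `ISC_LANG_ENDDECLS` on the line before the `#endif`. None of the thirteen prototypes carries the `/*%<` contract comment used by the other lib/dns headers, and the gaps matter here: who owns `*rbtdb_cidr` after dns_rpz_new_cidr, whether dns_rpz_cidr_addip and dns_rpz_cidr_deleteip accept a NULL 'cidr' (rbtdb.c calls them both guarded and unguarded), and what dns_rpz_cidr_find writes into 'canon_name', 'search_name' and 'prefix'. `dns_rpz_decode_cname(dns_rdataset_t *, dns_name_t *selfname)` also leaves its first parameter unnamed; `dns_rdataset_t *rdataset` keeps the prototype consistent with the rest of the file.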


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.h,v 1.131 2011/01/11 23:47:13 tbox Exp $ */
/* $Id: view.h,v 1.132 2011/01/13 01:59:28 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
@ -74,6 +74,7 @@
#include <dns/acl.h>
#include <dns/fixedname.h>
#include <dns/rdatastruct.h>
#include <dns/rpz.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
@ -160,6 +161,7 @@ struct dns_view {
dns_acl_t * v4_aaaa_acl;
dns_dns64list_t dns64;
unsigned int dns64cnt;
ISC_LIST(dns_rpz_zone_t) rpz_zones;
/*
* Configurable data for server use only,


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: name.c,v 1.172 2010/07/09 05:13:15 each Exp $ */
/* $Id: name.c,v 1.173 2011/01/13 01:59:27 marka Exp $ */
/*! \file */
@ -1021,7 +1021,7 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r) {
isc_result_t
dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
dns_name_t *origin, unsigned int options,
const dns_name_t *origin, unsigned int options,
isc_buffer_t *target)
{
unsigned char *ndata, *label;
@ -2395,6 +2395,14 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
isc_result_t
dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
isc_mem_t *mctx)
{
return (dns_name_fromstring2(target, src, dns_rootname, options, mctx));
}
isc_result_t
dns_name_fromstring2(dns_name_t *target, const char *src,
const dns_name_t *origin, unsigned int options,
isc_mem_t *mctx)
{
isc_result_t result;
isc_buffer_t buf;
@ -2405,14 +2413,19 @@ dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
isc_buffer_init(&buf, src, strlen(src));
isc_buffer_add(&buf, strlen(src));
dns_fixedname_init(&fn);
name = dns_fixedname_name(&fn);
if (BINDABLE(target) && target->buffer != NULL)
name = target;
else {
dns_fixedname_init(&fn);
name = dns_fixedname_name(&fn);
}
result = dns_name_fromtext(name, &buf, dns_rootname, options, NULL);
result = dns_name_fromtext(name, &buf, origin, options, NULL);
if (result != ISC_R_SUCCESS)
return (result);
result = dns_name_dup(name, mctx, target);
if (name != target)
result = dns_name_dupwithoffsets(name, mctx, target);
return (result);
}


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rbtdb.c,v 1.307 2010/12/02 04:58:13 marka Exp $ */
/* $Id: rbtdb.c,v 1.308 2011/01/13 01:59:27 marka Exp $ */
/*! \file */
@ -53,6 +53,7 @@
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rbt.h>
#include <dns/rpz.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
@ -437,6 +438,7 @@ typedef struct {
dns_rbt_t * tree;
dns_rbt_t * nsec;
dns_rbt_t * nsec3;
dns_rpz_cidr_t * rpz_cidr;
/* Unlocked */
unsigned int quantum;
@ -953,6 +955,9 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
if (rbtdb->rrsetstats != NULL)
dns_stats_detach(&rbtdb->rrsetstats);
if (rbtdb->rpz_cidr != NULL)
dns_rpz_cidr_free(&rbtdb->rpz_cidr);
isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
isc_rwlock_destroy(&rbtdb->tree_lock);
@ -1488,6 +1493,12 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
switch (node->nsec) {
case DNS_RBT_NSEC_NORMAL:
if (rbtdb->rpz_cidr != NULL) {
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_rbt_fullnamefromnode(node, name);
dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
}
result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
break;
case DNS_RBT_NSEC_HAS_NSEC:
@ -1522,6 +1533,7 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
}
}
result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
break;
case DNS_RBT_NSEC_NSEC:
result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
@ -2495,6 +2507,15 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
node = NULL;
result = dns_rbt_addnode(rbtdb->tree, name, &node);
if (result == ISC_R_SUCCESS) {
if (rbtdb->rpz_cidr != NULL) {
dns_fixedname_t fnamef;
dns_name_t *fname;
dns_fixedname_init(&fnamef);
fname = dns_fixedname_name(&fnamef);
dns_rbt_fullnamefromnode(node, fname);
dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname);
}
dns_rbt_namefromnode(node, &nodename);
#ifdef DNS_RBT_USEHASH
node->locknum = node->hashval % rbtdb->node_lock_count;
@ -4510,6 +4531,198 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
return (result);
}
/*
* Mark a database for response policy rewriting.
*/
static void
get_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
{
dns_rbtdb_t *rbtdb;
rbtdb = (dns_rbtdb_t *)db;
REQUIRE(VALID_RBTDB(rbtdb));
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
dns_rpz_enabled(rbtdb->rpz_cidr, st);
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
}
/*
* Search the CDIR block tree of a response policy tree of trees for all of
* the IP addresses in an A or AAAA rdataset.
* Among the policies for all IPv4 and IPv6 addresses for a name, choose
* the longest prefix. Among those with the longest prefix, the first
* configured policy. Among answers for with the longest prefixes for
* two or more IP addresses in the A and AAAA rdatasets the lexically
* smallest address.
*/
static isc_result_t
rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
dns_rdataset_t *ardataset, dns_rpz_st_t *st)
{
dns_rbtdb_t *rbtdb;
struct in_addr ina;
struct in6_addr in6a;
isc_netaddr_t netaddr;
dns_fixedname_t selfnamef, qnamef;
dns_name_t *selfname, *qname;
dns_rbtnode_t *node;
dns_rdataset_t zrdataset;
dns_rpz_cidr_bits_t prefix;
isc_result_t result;
dns_rpz_policy_t rpz_policy;
dns_ttl_t ttl;
rbtdb = (dns_rbtdb_t *)db;
REQUIRE(VALID_RBTDB(rbtdb));
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
if (rbtdb->rpz_cidr == NULL) {
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
dns_db_detach(&db);
dns_zone_detach(&zone);
return (ISC_R_UNEXPECTED);
}
dns_fixedname_init(&selfnamef);
dns_fixedname_init(&qnamef);
selfname = dns_fixedname_name(&selfnamef);
qname = dns_fixedname_name(&qnamef);
for (result = dns_rdataset_first(ardataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(ardataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(ardataset, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
INSIST(rdata.length == 4);
memcpy(&ina.s_addr, rdata.data, 4);
isc_netaddr_fromin(&netaddr, &ina);
break;
case dns_rdatatype_aaaa:
INSIST(rdata.length == 16);
memcpy(in6a.s6_addr, rdata.data, 16);
isc_netaddr_fromin6(&netaddr, &in6a);
break;
default:
continue;
}
result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type,
selfname, qname, &prefix);
if (result != ISC_R_SUCCESS)
continue;
/*
* Choose the policy with the longest matching prefix.
* Between policies with the same prefix, choose the first
* configured.
*/
if (st->m.policy != DNS_RPZ_POLICY_MISS) {
if (prefix < st->m.prefix)
continue;
if (prefix == st->m.prefix &&
rpz->num > st->m.rpz->num)
continue;
}
/*
* We have rpz_st an entry with a prefix at least as long as
* the prefix of the entry we had before. Find the node
* corresponding to CDIR tree entry.
*/
node = NULL;
result = dns_rbt_findnode(rbtdb->tree, qname, NULL,
&node, NULL, 0, NULL, NULL);
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(qname, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_CACHE, DNS_RPZ_ERROR_LEVEL,
"rpz_findips findnode(%s): %s",
namebuf, isc_result_totext(result));
continue;
}
/*
* First look for a simple rewrite of the IP address.
* If that fails, look for a CNAME. If we cannot find
* a CNAME or the CNAME is neither of the special forms
* "*" or ".", treat it like a real CNAME.
*/
dns_rdataset_init(&zrdataset);
result = dns_db_findrdataset(db, node, version, ardataset->type,
0, 0, &zrdataset, NULL);
if (result != ISC_R_SUCCESS)
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_cname,
0, 0, &zrdataset, NULL);
if (result == ISC_R_SUCCESS) {
if (zrdataset.type != dns_rdatatype_cname) {
rpz_policy = DNS_RPZ_POLICY_RECORD;
} else {
rpz_policy = dns_rpz_decode_cname(&zrdataset,
selfname);
if (rpz_policy == DNS_RPZ_POLICY_RECORD)
result = DNS_R_CNAME;
}
ttl = zrdataset.ttl;
} else {
rpz_policy = DNS_RPZ_POLICY_RECORD;
result = DNS_R_NXRRSET;
ttl = DNS_RPZ_TTL_DEFAULT;
}
/*
* Use an overriding action specified in the configuration file
*/
if (rpz->policy != DNS_RPZ_POLICY_GIVEN &&
rpz_policy != DNS_RPZ_POLICY_NO_OP)
rpz_policy = rpz->policy;
/*
* We know the new prefix is at least as long as the current.
* Prefer the new answer if the new prefix is longer.
* Prefer the zone configured first if the prefixes are equal.
* With two actions from the same zone, prefer the action
* on the "smallest" name.
*/
if (st->m.policy == DNS_RPZ_POLICY_MISS ||
prefix > st->m.prefix ||
rpz->num <= st->m.rpz->num ||
0 > dns_name_compare(qname, st->qname)) {
if (dns_rdataset_isassociated(st->m.rdataset))
dns_rdataset_disassociate(st->m.rdataset);
if (st->m.node != NULL)
dns_db_detachnode(st->m.db, &st->m.node);
if (st->m.db != NULL)
dns_db_detach(&st->m.db);
if (st->m.zone != NULL)
dns_zone_detach(&st->m.zone);
st->m.rpz = rpz;
st->m.type = rpz_type;
st->m.prefix = prefix;
st->m.policy = rpz_policy;
st->m.ttl = ttl;
st->m.result = result;
dns_name_copy(qname, st->qname, NULL);
if (rpz_policy == DNS_RPZ_POLICY_RECORD &&
result != DNS_R_NXRRSET) {
dns_rdataset_clone(&zrdataset,st->m.rdataset);
dns_db_attachnode(db, node, &st->m.node);
}
dns_db_attach(db, &st->m.db);
dns_zone_attach(zone, &st->m.zone);
}
if (dns_rdataset_isassociated(&zrdataset))
dns_rdataset_disassociate(&zrdataset);
}
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
return (ISC_R_SUCCESS);
}
static isc_result_t
cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
@ -6583,6 +6796,10 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
dns_rbtnode_t *nsecnode;
noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
if (noderesult == ISC_R_SUCCESS)
dns_rpz_cidr_addip(rbtdb->rpz_cidr, name);
if (!hasnsec)
return (noderesult);
if (noderesult == ISC_R_EXISTS) {
@ -6694,7 +6911,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
}
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
if (result != ISC_R_EXISTS) {
if (result == ISC_R_SUCCESS) {
dns_name_t foundname;
dns_name_init(&foundname, NULL);
dns_rbt_namefromnode(node, &foundname);
@ -7156,7 +7373,9 @@ static dns_dbmethods_t zone_methods = {
getsigningtime,
resigned,
isdnssec,
NULL
NULL,
get_rpz_enabled,
rpz_findips
};
static dns_dbmethods_t cache_methods = {
@ -7195,7 +7414,9 @@ static dns_dbmethods_t cache_methods = {
NULL,
NULL,
isdnssec,
getrrsetstats
getrrsetstats,
NULL,
NULL
};
isc_result_t
@ -7377,6 +7598,22 @@ dns_rbtdb_create
return (result);
}
/*
* Get ready for response policy IP address searching if at least one
* zone has been configured as a response policy zone and this
* is not a cache zone.
* It would be better to know that this database is for a policy
* zone named for a view, but that would require knowledge from
* above such as an argv[] set from data in the zone.
*/
if (type == dns_dbtype_zone && !dns_name_equal(origin, dns_rootname)) {
result = dns_rpz_new_cidr(mctx, origin, &rbtdb->rpz_cidr);
if (result != ISC_R_SUCCESS) {
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
}
/*
* In order to set the node callback bit correctly in zone databases,
* we need to know if the node has the origin name of the zone.
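Review bot: In rpz_findips the "smallest name" tie-break is dead code: the `continue` checks just above already guarantee that either `prefix > st->m.prefix` or `rpz->num <= st->m.rpz->num` whenever `st->m.policy != DNS_RPZ_POLICY_MISS`, so the `if (st->m.policy == DNS_RPZ_POLICY_MISS || prefix > st->m.prefix || rpz->num <= st->m.rpz->num || ...)` test is always true and a later address from the same zone with an equal prefix always displaces the earlier one, contrary to the comment above it. The intended rule is `rpz->num < st->m.rpz->num || (rpz->num == st->m.rpz->num && 0 > dns_name_compare(qname, st->qname))` in place of the third and fourth operands. Separately, loadnode now calls `dns_rpz_cidr_addip(rbtdb->rpz_cidr, name)` with no NULL check while the equivalent call in findnode is guarded by `if (rbtdb->rpz_cidr != NULL)`; the new block in dns_rbtdb_create leaves rpz_cidr NULL for cache databases and for a zone whose origin is the root, so unless dns_rpz_cidr_addip tolerates NULL (rpz.c is not in this view) loading such a zone from a master file dereferences NULL, and the unguarded dns_rpz_cidr_deleteip call in delete_node's DNS_RBT_NSEC_HAS_NSEC case has the same exposure. Finally, rpz_findips' early return when rpz_cidr is NULL detaches the caller's 'db' and 'zone', a side effect the normal return path does not have and that neither db.h nor the comment above the function mentions.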

1166
lib/dns/rpz.c Normal file



@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: sdb.c,v 1.74 2010/08/16 04:46:16 marka Exp $ */
/* $Id: sdb.c,v 1.75 2011/01/13 01:59:27 marka Exp $ */
/*! \file */
@ -1254,6 +1254,8 @@ static dns_dbmethods_t sdb_methods = {
NULL,
NULL,
NULL,
NULL,
NULL
};
static isc_result_t


@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: sdlz.c,v 1.28 2010/12/19 02:37:08 each Exp $ */
/* $Id: sdlz.c,v 1.29 2011/01/13 01:59:28 marka Exp $ */
/*! \file */
@ -1237,6 +1237,8 @@ static dns_dbmethods_t sdlzdb_methods = {
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
};


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.c,v 1.176 2011/01/11 23:47:13 tbox Exp $ */
/* $Id: view.c,v 1.177 2011/01/13 01:59:28 marka Exp $ */
/*! \file */
@ -53,6 +53,7 @@
#include <dns/request.h>
#include <dns/resolver.h>
#include <dns/result.h>
#include <dns/rpz.h>
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/zone.h>
@ -191,6 +192,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->maxudp = 0;
view->v4_aaaa = dns_v4_aaaa_ok;
view->v4_aaaa_acl = NULL;
ISC_LIST_INIT(view->rpz_zones);
dns_fixedname_init(&view->dlv_fixed);
view->managed_keys = NULL;
#ifdef BIND9
@ -326,6 +328,7 @@ destroy(dns_view_t *view) {
dns_acache_detach(&view->acache);
}
#endif
dns_rpz_view_destroy(view);
if (view->requestmgr != NULL)
dns_requestmgr_detach(&view->requestmgr);
if (view->task != NULL)


@ -603,6 +603,18 @@ dns_result_register
dns_result_torcode
dns_result_totext
dns_rootns_create
dns_rpz_cidr_addip
dns_rpz_cidr_deleteip
dns_rpz_cidr_find
dns_rpz_cidr_free
dns_rpz_decode_cname
dns_rpz_enabled
dns_rpz_needed
dns_rpz_new_cidr
dns_rpz_set_need
dns_rpz_str2policy
dns_rpz_type2str
dns_rpz_view_destroy
dns_rriterator_current
dns_rriterator_destroy
dns_rriterator_first


@ -338,6 +338,10 @@ SOURCE=..\include\dns\rootns.h
# End Source File
# Begin Source File
SOURCE=..\include\dns\rpz.h
# End Source File
# Begin Source File
SOURCE=..\include\dns\rriterator.h
# End Source File
# Begin Source File
@ -630,6 +634,10 @@ SOURCE=..\rootns.c
# End Source File
# Begin Source File
SOURCE=..\rpz.c
# End Source File
# Begin Source File
SOURCE=..\rriterator.c
# End Source File
# Begin Source File


@ -181,6 +181,7 @@ CLEAN :
-@erase "$(INTDIR)\resolver.obj"
-@erase "$(INTDIR)\result.obj"
-@erase "$(INTDIR)\rootns.obj"
-@erase "$(INTDIR)\rpz.obj"
-@erase "$(INTDIR)\sdb.obj"
-@erase "$(INTDIR)\sdlz.obj"
-@erase "$(INTDIR)\soa.obj"
@ -303,6 +304,7 @@ LINK32_OBJS= \
"$(INTDIR)\resolver.obj" \
"$(INTDIR)\result.obj" \
"$(INTDIR)\rootns.obj" \
"$(INTDIR)\rpz.obj" \
"$(INTDIR)\rriterator.obj" \
"$(INTDIR)\sdb.obj" \
"$(INTDIR)\sdlz.obj" \
@ -491,6 +493,8 @@ CLEAN :
-@erase "$(INTDIR)\result.sbr"
-@erase "$(INTDIR)\rootns.obj"
-@erase "$(INTDIR)\rootns.sbr"
-@erase "$(INTDIR)\rpz.obj"
-@erase "$(INTDIR)\rpz.sbr"
-@erase "$(INTDIR)\rriterator.obj"
-@erase "$(INTDIR)\rriterator.sbr"
-@erase "$(INTDIR)\sdb.obj"
@ -633,6 +637,7 @@ BSC32_SBRS= \
"$(INTDIR)\resolver.sbr" \
"$(INTDIR)\result.sbr" \
"$(INTDIR)\rootns.sbr" \
"$(INTDIR)\rpz.sbr" \
"$(INTDIR)\rriterator.sbr" \
"$(INTDIR)\sdb.sbr" \
"$(INTDIR)\sdlz.sbr" \
@ -726,6 +731,7 @@ LINK32_OBJS= \
"$(INTDIR)\resolver.obj" \
"$(INTDIR)\result.obj" \
"$(INTDIR)\rootns.obj" \
"$(INTDIR)\rpz.obj" \
"$(INTDIR)\rriterator.obj" \
"$(INTDIR)\sdb.obj" \
"$(INTDIR)\sdlz.obj" \
@ -1664,6 +1670,24 @@ SOURCE=..\rootns.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\rpz.c
!IF "$(CFG)" == "libdns - Win32 Release"
"$(INTDIR)\rpz.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ELSEIF "$(CFG)" == "libdns - Win32 Debug"
"$(INTDIR)\rpz.obj" "$(INTDIR)\rpz.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\rriterator.c


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.580 2010/12/18 01:56:22 each Exp $ */
/* $Id: zone.c,v 1.581 2011/01/13 01:59:28 marka Exp $ */
/*! \file */
@ -322,6 +322,11 @@ struct dns_zone {
* True if added by "rndc addzone"
*/
isc_boolean_t added;
/*%
* whether a rpz radix was needed when last loaded
*/
isc_boolean_t rpz_zone;
};
#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@ -833,6 +838,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->nodes = 100;
zone->privatetype = (dns_rdatatype_t)0xffffU;
zone->added = ISC_FALSE;
zone->rpz_zone = ISC_FALSE;
zone->magic = ZONE_MAGIC;
@ -1434,7 +1440,8 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
* "rndc reconfig", we are done.
*/
if (!isc_time_isepoch(&zone->loadtime) &&
(flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
(flags & DNS_ZONELOADFLAG_NOSTAT) != 0 &&
zone->rpz_zone == dns_rpz_needed()) {
result = ISC_R_SUCCESS;
goto cleanup;
}
@ -1443,7 +1450,8 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
if (result == ISC_R_SUCCESS) {
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
isc_time_compare(&filetime, &zone->loadtime) <= 0) {
isc_time_compare(&filetime, &zone->loadtime) <= 0 &&
zone->rpz_zone == dns_rpz_needed()) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"skipping load: master file "
"older than last load");
@ -1451,6 +1459,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
goto cleanup;
}
loadtime = filetime;
zone->rpz_zone = dns_rpz_needed();
}
}
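Review bot: `zone->rpz_zone = dns_rpz_needed();` at the end of the last hunk records the new state before the load has actually happened, so if the load that follows fails, a later reload under DNS_ZONELOADFLAG_NOSTAT is skipped by the first hunk's check even though no RPZ radix was ever built for this zone. Updating rpz_zone only on the success path of zone_load (which lies outside these hunks) would keep the flag consistent with the database that is really loaded. dns_rpz_needed() takes no arguments and so appears to be process-wide rather than per-view state; if that is so, enabling response-policy in any one view forces every zone in every view to reload on the next reconfig, which deserves a comment on the new field, e.g. `/* whether an RPZ radix was needed when last loaded; dns_rpz_needed() is global, so a change forces a reload of every zone */`. zone_load's body continues outside the hunks shown.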


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.130 2011/01/07 04:31:39 marka Exp $ */
/* $Id: namedconf.c,v 1.131 2011/01/13 01:59:28 marka Exp $ */
/*! \file */
@ -1013,6 +1013,120 @@ static cfg_type_t cfg_type_masterformat = {
&cfg_rep_string, &masterformat_enums
};
/*
* response-policy {
* zone <string> [ policy (given|no-op|nxdomain|nodata|cname <domain> ) ];
* };
*
* this is a chimera of doc_optional_keyvalue() and cfg_doc_enum()
*/
static void
doc_rpz_policies(cfg_printer_t *pctx, const cfg_type_t *type) {
const keyword_type_t *kw;
const char * const *p;
kw = type->of;
cfg_print_chars(pctx, "[ ", 2);
cfg_print_cstr(pctx, kw->name);
cfg_print_chars(pctx, " ", 1);
cfg_print_chars(pctx, "( ", 2);
for (p = kw->type->of; *p != NULL; p++) {
cfg_print_cstr(pctx, *p);
if (p[1] != NULL)
cfg_print_chars(pctx, " | ", 3);
}
}
/*
* print_qstring() from parser.c
*/
static void
print_rpz_cname(cfg_printer_t *pctx, const cfg_obj_t *obj)
{
cfg_print_chars(pctx, "\"", 1);
cfg_print_ustring(pctx, obj);
cfg_print_chars(pctx, "\"", 1);
}
static void
doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) {
cfg_doc_terminal(pctx, type);
cfg_print_chars(pctx, " ) ]", 4);
}
static isc_result_t
parse_rpz(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
isc_result_t result;
cfg_obj_t *obj = NULL;
const cfg_tuplefielddef_t *fields = type->of;
CHECK(cfg_create_tuple(pctx, type, &obj));
CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
CHECK(cfg_parse_obj(pctx, fields[1].type, &obj->value.tuple[1]));
/*
* parse cname domain only after "policy cname"
*/
if (cfg_obj_isvoid(obj->value.tuple[1]) ||
strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[1]))) {
CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
} else {
CHECK(cfg_parse_obj(pctx, fields[2].type, &obj->value.tuple[2]));
}
*ret = obj;
return (ISC_R_SUCCESS);
cleanup:
CLEANUP_OBJ(obj);
return (result);
}
static const char *rpz_policies[] = {
"given", "no-op", "nxdomain", "nodata", "cname", NULL
};
static cfg_type_t cfg_type_rpz_policylist = {
"policies", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &rpz_policies
};
static keyword_type_t rpz_policies_kw = {
"policy", &cfg_type_rpz_policylist
};
static cfg_type_t cfg_type_rpz_policy = {
"optional_policy", parse_optional_keyvalue, print_keyvalue,
doc_rpz_policies, &cfg_rep_string, &rpz_policies_kw
};
static cfg_type_t cfg_type_cname = {
"domain", cfg_parse_astring, print_rpz_cname, doc_rpz_cname,
&cfg_rep_string, NULL
};
static cfg_tuplefielddef_t rpzone_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "policy", &cfg_type_rpz_policy, 0 },
{ "cname", &cfg_type_cname, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpzone = {
"rpzone", parse_rpz, cfg_print_tuple, cfg_doc_tuple,
&cfg_rep_tuple, rpzone_fields
};
static cfg_clausedef_t rpz_clauses[] = {
{ "zone", &cfg_type_rpzone, CFG_CLAUSEFLAG_MULTI },
{ NULL, NULL, 0 }
};
static cfg_clausedef_t *rpz_clausesets[] = {
rpz_clauses,
NULL
};
static cfg_type_t cfg_type_rpz = {
"rpz", cfg_parse_map, cfg_print_map, cfg_doc_map,
&cfg_rep_map, rpz_clausesets
};
/*%
* dnssec-lookaside
*/
@ -1146,6 +1260,7 @@ view_clauses[] = {
{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa,
CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "response-policy", &cfg_type_rpz, 0 },
{ NULL, NULL, 0 }
};
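Review bot: doc_rpz_policies() prints the opening `[ policy ( ...` but never closes it; the matching ` ) ]` is emitted by doc_rpz_cname(), which only produces correct output because "cname" immediately follows "policy" in rpzone_fields[]. That coupling deserves a comment on both functions, e.g. on doc_rpz_policies `/* the closing " ) ]" is printed by doc_rpz_cname(), which must be the next field in rpzone_fields[] */`. print_rpz_cname() is, by its own comment, a copy of print_qstring() from parser.c; exporting the original instead of duplicating it would keep the two from drifting apart. The brace placement in print_rpz_cname() (opening brace on its own line) also differs from the neighbouring functions in this hunk. The cname value is accepted as an arbitrary string by cfg_parse_astring; whether it is validated as a domain name is not visible here and presumably happens when the view is configured, which is worth stating in the comment above parse_rpz().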