diff --git a/bin/named/server.c b/bin/named/server.c
index 04361ec690..df02039f3e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -324,6 +324,12 @@ typedef struct catz_chgzone_event {
 bool mod;
 } catz_chgzone_event_t;
+typedef struct catz_reconfig_data {
+ dns_catz_zone_t *catz;
+ const cfg_obj_t *config;
+ catz_cb_data_t *cbd;
+} catz_reconfig_data_t;
+
 typedef struct {
 unsigned int magic;
 #define DZARG_MAGIC ISC_MAGIC('D', 'z', 'a', 'r')
@@ -441,7 +447,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
- bool modify);
+ bool is_catz_member, bool modify);
 static void
 configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
@@ -2676,13 +2682,13 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 ns_cfgctx_t *cfg;
 dns_zone_t *zone = NULL;
+ /*
+ * A non-empty 'catalog-zones' statement implies that 'allow-new-zones'
+ * is true, so this is expected to be non-NULL.
+ */
 cfg = (ns_cfgctx_t *)ev->view->new_zone_config;
 if (cfg == NULL) {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "catz: allow-new-zones statement missing from "
- "config; cannot add zone from the catalog");
- goto cleanup;
+ CHECK(ISC_R_FAILURE);
 }
 name = dns_catz_entry_getname(ev->entry);
@@ -2803,7 +2809,7 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 isc_buffer_free(&confbuf);
 }
 /*
- * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer3()
+ * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer()
 * failed.
 */
 if (result != ISC_R_SUCCESS) {
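Review bot: In catz_addmodzone_taskaction the `cfg == NULL` branch now leaves through `CHECK(ISC_R_FAILURE)` with the error message deleted, so if the invariant in the new comment is ever broken the member zone is simply not added and nothing in this hunk says why (whatever `cleanup` logs is outside the hunk). If the condition cannot happen, an assertion documents that better than a quiet failure path, for example `INSIST(cfg != NULL);` or `RUNTIME_CHECK(cfg != NULL);`, which this file already uses; if it can happen, keep an error log that names the zone. The same branch is copied into the new catz_reconfigure in the `@@ -3028` hunk.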
@@ -2827,10 +2833,11 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 result = isc_task_beginexclusive(task);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 dns_view_thaw(ev->view);
- result = configure_zone(
- cfg->config, zoneobj, cfg->vconfig, ev->cbd->server->mctx,
- ev->view, &ev->cbd->server->viewlist,
- &ev->cbd->server->kasplist, cfg->actx, true, false, ev->mod);
+ result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
+ ev->cbd->server->mctx, ev->view,
+ &ev->cbd->server->viewlist,
+ &ev->cbd->server->kasplist, cfg->actx, true,
+ false, true, ev->mod);
 dns_view_freeze(ev->view);
 isc_task_endexclusive(task);
@@ -3028,6 +3035,86 @@ catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
 DNS_EVENT_CATZMODZONE));
 }
+static void
+catz_reconfigure(dns_catz_entry_t *entry, dns_view_t *view,
+ catz_reconfig_data_t *data) {
+ isc_buffer_t namebuf;
+ isc_buffer_t *confbuf = NULL;
+ const cfg_obj_t *zlist = NULL;
+ char nameb[DNS_NAME_FORMATSIZE];
+ cfg_obj_t *zoneconf = NULL;
+ cfg_obj_t *zoneobj = NULL;
+ ns_cfgctx_t *cfg = NULL;
+ dns_zone_t *zone = NULL;
+ isc_result_t result;
+
+ isc_buffer_init(&namebuf, nameb, DNS_NAME_FORMATSIZE);
+ dns_name_totext(dns_catz_entry_getname(entry), DNS_NAME_OMITFINALDOT,
+ &namebuf);
+ isc_buffer_putuint8(&namebuf, 0);
+
+ result = dns_view_findzone(view, dns_catz_entry_getname(entry), &zone);
+ if (result != ISC_R_SUCCESS) {
+ return;
+ }
+
+ /*
+ * A non-empty 'catalog-zones' statement implies that 'allow-new-zones'
+ * is true, so this is expected to be non-NULL.
+ */
+ cfg = (ns_cfgctx_t *)view->new_zone_config;
+ if (cfg == NULL) {
+ CHECK(ISC_R_FAILURE);
+ }
+
+ result = dns_catz_generate_zonecfg(data->catz, entry, &confbuf);
+ if (result == ISC_R_SUCCESS) {
+ cfg_parser_reset(cfg->add_parser);
+ result = cfg_parse_buffer(cfg->add_parser, confbuf, "catz", 0,
+ &cfg_type_addzoneconf, 0, &zoneconf);
+ isc_buffer_free(&confbuf);
+ }
+ /*
+ * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer()
+ * failed.
+ */
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "catz_reconfigure: error \"%s\" while trying to "
+ "generate config for member zone '%s'",
+ isc_result_totext(result), nameb);
+ goto cleanup;
+ }
+
+ CHECK(cfg_map_get(zoneconf, "zone", &zlist));
+ if (!cfg_obj_islist(zlist)) {
+ CHECK(ISC_R_FAILURE);
+ }
+ zoneobj = cfg_listelt_value(cfg_list_first(zlist));
+
+ result = configure_zone(data->config, zoneobj, cfg->vconfig,
+ data->cbd->server->mctx, view,
+ &data->cbd->server->viewlist,
+ &data->cbd->server->kasplist, cfg->actx, true,
+ false, true, true);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "catz_reconfigure : error \"%s\" while trying to "
+ "reconfigure member zone '%s'",
+ isc_result_totext(result), nameb);
+ goto cleanup;
+ }
+
+cleanup:
+ if (zoneconf != NULL) {
+ cfg_obj_destroy(cfg->add_parser, &zoneconf);
+ }
+
+ dns_zone_detach(&zone);
+}
+
 static isc_result_t
 configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 const cfg_obj_t *config, const cfg_listelt_t *element) {
@@ -3066,18 +3153,18 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 if (result == ISC_R_EXISTS) {
 isc_ht_iter_t *it = NULL;
+ catz_reconfig_data_t data = {
+ .catz = zone,
+ .config = config,
+ .cbd = (catz_cb_data_t *)dns_catz_zones_get_udata(
+ view->catzs),
+ };
 RUNTIME_CHECK(pview != NULL);
 /*
- * xxxwpk todo: reconfigure the zone!!!!
- */
- cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
- "catz: catalog zone '%s' will not be reconfigured",
- str);
- /*
- * We have to walk through all the member zones and attach
- * them to current view
+ * We have to walk through all the member zones, attach
+ * them to the current view and reconfigure
 */
 dns_catz_get_iterator(zone, &it);
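Review bot: catz_reconfigure() is declared `static void`, so the `result` it computes never reaches configure_catz_zone and a member zone that failed to reconfigure looks the same to the caller as one that succeeded. The accompanying test drives this path with an `allow-query` change, so a failure here can leave a zone answering under its previous access policy while the reconfiguration reports success (inferred; configure_zone's failure behaviour is outside the hunk). Returning the status would let the caller log or abort: `static isc_result_t`, `return (result);` after `dns_zone_detach(&zone);`, and the early `return;` becoming `return (result);`. The `CHECK(cfg_map_get(zoneconf, "zone", &zlist))` and `!cfg_obj_islist(zlist)` exits also reach `cleanup` without any log line, and the second message has a stray space in `"catz_reconfigure : error`.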
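Review bot: `data.cbd` is taken from `dns_catz_zones_get_udata(view->catzs)` through an unchecked cast from `void *`, and catz_reconfigure later dereferences it as `data->cbd->server->mctx` with no NULL test. Nothing visible in this hunk guarantees the udata was set, so I would state the assumption next to the existing assertion: `RUNTIME_CHECK(data.cbd != NULL);`. configure_catz_zone starts and ends outside the hunk, so an earlier guarantee may exist there.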
@@ -3100,6 +3187,8 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 dns_zone_setview(dnszone, view);
 dns_view_addzone(view, dnszone);
+ catz_reconfigure(entry, view, &data);
+
 /*
 * The dns_view_findzone() call above increments the
 * zone's reference count, which we need to decrement
@@ -4228,7 +4317,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 const cfg_obj_t *zconfig = cfg_listelt_value(element);
 CHECK(configure_zone(config, zconfig, vconfig, mctx, view, viewlist, kasplist, actx, false,
- old_rpz_ok, false));
+ old_rpz_ok, false, false));
 zone_element_latest = element;
 }
@@ -6502,7 +6591,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
- bool modify) {
+ bool is_catz_member, bool modify) {
 dns_view_t *pview = NULL; /* Production view */
 dns_zone_t *zone = NULL; /* New or reused zone */
 dns_zone_t *raw = NULL; /* New or reused raw zone */
@@ -6765,7 +6854,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 }
 }
- if (view->catzs != NULL &&
+ if (!is_catz_member && view->catzs != NULL &&
 dns_catz_get_zone(view->catzs, origin) != NULL) {
 zone_is_catz = true;
@@ -8073,7 +8162,7 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 CHECK(configure_zone(config, zconfig, vconfig, mctx, view, &named_g_server->viewlist, &named_g_server->kasplist, actx, true,
- false, false));
+ false, false, false));
 }
 result = ISC_R_SUCCESS;
@@ -8257,7 +8346,7 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config,
 cfg_aclconfctx_t *actx) {
 return (configure_zone(
 config, zconfig, vconfig, mctx, view, &named_g_server->viewlist,
- &named_g_server->kasplist, actx, true, false, false));
+ &named_g_server->kasplist, actx, true, false, false, false));
 }
 /*%
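Review bot: `is_catz_member` is inserted in front of `modify` in the `@@ -6502` hunk, which makes four adjacent positional `bool` parameters (`added`, `old_rpz_ok`, `is_catz_member`, `modify`); call sites such as `true, false, true, true` in catz_reconfigure cannot be checked by eye and a transposition compiles cleanly. Since `is_catz_member` switches off the catalog-zone test further down in configure_zone, a swapped argument changes behaviour without any diagnostic. Annotating the literals at the call sites would help, e.g. `cfg->actx, true /* added */, false /* old_rpz_ok */, true /* is_catz_member */, true /* modify */);`, and the same applies to the other configure_zone callers touched by this commit. The function body continues outside the hunk.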
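Review bot: The new `!is_catz_member &&` term in the `@@ -6765` hunk has no comment, and it is not obvious why a zone generated from a catalog must skip the `dns_catz_get_zone(view->catzs, origin)` lookup. As written, a member zone whose name matches a catalog zone configured in the view no longer sets `zone_is_catz` here; what that flag gates is outside the hunk. I would add above the condition `/* Member zones generated from a catalog zone are never treated as catalog zones themselves, even when the name matches one in view->catzs. */`, adjusted to the actual reason.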
@@ -13964,7 +14053,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 result = configure_zone(cfg->config, zoneobj, cfg->vconfig, server->mctx, view, &server->viewlist, &server->kasplist, cfg->actx, true, false,
- false);
+ false, false);
 dns_view_freeze(view);
 isc_task_endexclusive(server->task);
@@ -14152,7 +14241,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 result = configure_zone(cfg->config, zoneobj, cfg->vconfig, server->mctx, view, &server->viewlist, &server->kasplist, cfg->actx, true, false,
- true);
+ false, true);
 dns_view_freeze(view);
 exclusive = false;
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 882a4bab4f..b13d912ad7 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -27,6 +27,7 @@ options {
 listen-on-v6 { fd92:7065:b8e:ffff::2; };
 notify no;
 recursion no;
+#T5 allow-query { 10.53.0.99; };
 serial-query-rate 100;
 dnssec-validation no;
 };
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index 8e54e0c549..713db3b890 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -703,6 +703,23 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+# GL #4733
+n=$((n + 1))
+echo_i "reconfiguring secondary - checking if catz member zones are reconfigured ($n)"
+ret=0
+sed -e "s/^#T5//" ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that dom3.example. is refused by secondary because of an activated allow-query ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
 ret=0
diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst
index 6b8d6623e1..2a55861310 100644
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
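Review bot: The second new check only asserts that no SOA comes back (`wait_for_no_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1`), which would also pass if the member zone had been dropped or the server answered SERVFAIL after the reconfig, so it does not prove that `allow-query` was applied to the member zone. `wait_for_no_soa` is defined outside this hunk, so this reading is inferred from its name. Asserting the response code as well would pin the behaviour the echo line describes, assuming the helper leaves the dig output in that file: `grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1`.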
@@ -18,6 +18,183 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +BIND 9.18.29 +------------ + +New Features +~~~~~~~~~~~~ + +- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. + ``fe3ae71e90`` + + There were cases in resolver.c when the `max-recursion-queries` quota + was ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of `max-recursion-queries`, and by + reducing the default value from 100 to 32. + + In addition, a new `max-query-restarts` option has been added which + limits the number of times a recursive server will follow CNAME or + DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + :gl:`!9283` + +- Generate changelog from git log. ``21a0b6aef7`` + + Use a single source of truth, the git log, to generate the list of + CHANGES. Use the .rst format and include it in the ARM for a quick + reference with proper gitlab links to issues and merge requests. + :gl:`#75` :gl:`!9181` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use _exit() in the fatal() function. ``e4c483f45f`` + + Since the fatal() isn't a correct but rather abrupt termination of the + program, we want to skip the various atexit() calls because not all + memory might be freed during fatal() call, etc. Using _exit() instead + of exit() has this effect - the program will end, but no destructors + or atexit routines will be called. :gl:`!9263` + +- Fix data race in clean_finds_at_name. ``541726871d`` + + Stop updating `find.result_v4` and `find.result_v4` in + `clean_finds_at_name`. The values are supposed to be + static. :gl:`#4118` :gl:`!9198` + +Bug Fixes +~~~~~~~~~ + +- Reconfigure catz member zones during named reconfiguration. 
+ ``944d0dc942`` + + During a reconfiguration named wasn't reconfiguring catalog zones' + member zones. This has been fixed. :gl:`#4733` + +- Disassociate the SSL object from the cached SSL_SESSION. + ``64fde41253`` + + When the SSL object was destroyed, it would invalidate all SSL_SESSION + objects including the cached, but not yet used, TLS session objects. + + Properly disassociate the SSL object from the SSL_SESSION before we + store it in the TLS session cache, so we can later destroy it without + invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9279` + +- Attach/detach to the listening child socket when accepting TLS. + ``3ead47daff`` + + When TLS connection (TLSstream) connection was accepted, the children + listening socket was not attached to sock->server and thus it could + have been freed before all the accepted connections were actually + closed. + + In turn, this would cause us to call isc_tls_free() too soon - causing + cascade errors in pending SSL_read_ex() in the accepted connections. + + Properly attach and detach the children listening socket when + accepting and closing the server connections. :gl:`#4833` :gl:`!9278` + +- Make hypothesis optional for system tests. ``0d1953d7a8`` + + Ensure that system tests can be executed without Python hypothesis + package. :gl:`#4831` :gl:`!9268` + +- Don't loop indefinitely when isc_task quantum is 'unlimited' + ``674420df64`` + + Don't run more events than already scheduled. If the quantum is set + to a high value, the task_run() would execute already scheduled, and + all new events that result from running event->ev_action(). + + Setting quantum to a number of scheduled events will postpone events + scheduled after we enter the loop here to the next task_run() + invocation. :gl:`!9257` + +- Raise the log level of priming failures. ``c948babeeb`` + + When a priming query is complete, it's currently logged at level + ISC_LOG_DEBUG(1), regardless of success or failure. 
We are now raising + it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + :gl:`!9251` + +- Add a compatibility shim for older libuv versions (< 1.19.0) + ``61ff983f00`` + + The uv_stream_get_write_queue_size() is supported only in relatively + newer versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function , so BIND 9 can be built in environments with + older libuv version. + +- Remove extra newline from yaml output. ``1222dbe9f9`` + + I split this into two commits, one for the actual newline removal, and + one for issues I found, ruining the yaml output when some errors were + outputted. + +- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW. + ``bbdd888b8e`` + + Add INSIST to fail if the multiplication would cause the variables to + overflow. :gl:`#4798` :gl:`!9230` + +- Remove unnecessary operations. ``2374a1a2bd`` + + Decrementing optlen immediately before calling continue is unneccesary + and inconsistent with the rest of dns_message_pseudosectiontoyaml and + dns_message_pseudosectiontotext. Coverity was also reporting an + impossible false positive overflow of optlen (CID 499061). :gl:`!9224` + +- Fix generation of 6to4-self name expansion from IPv4 address. + ``df55c15ebb`` + + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the + wrong name being checked. Add system test for 6to4-self + implementation. :gl:`#4766` :gl:`!9218` + +- Fix false QNAME minimisation error being reported. ``4984afc80c`` + + Remove the false positive "success resolving" log message when QNAME + minimisation is in effect and the final result is NXDOMAIN. + :gl:`#4784` :gl:`!9216` + +- Dig +yaml was producing unexpected and/or invalid YAML output. + ``2db62a4dba`` + + :gl:`#4796` :gl:`!9214` + +- SVBC alpn text parsing failed to reject zero length alpn. 
+ ``8f7be89052`` + + :gl:`#4775` :gl:`!9210` + +- Return SERVFAIL for a too long CNAME chain. ``f7de909b98`` + + When cutting a long CNAME chain, named was returning NOERROR instead + of SERVFAIL (alongside with a partial answer). This has been fixed. + :gl:`#4449` :gl:`!9204` + +- Properly calculate the amount of system memory. ``9faf355a5c`` + + On 32 bit machines isc_meminfo_totalphys could return an incorrect + value. :gl:`#4799` :gl:`!9200` + +- Update key lifetime and metadata after dnssec-policy reconfig. + ``2107a64ee6`` + + Adjust key state and timing metadata if dnssec-policy key lifetime + configuration is updated, so that it also affects existing keys. + :gl:`#4677` :gl:`!9192` + +- Fix dig +timeout argument when using +https. ``381d6246d6`` + + The +timeout argument was not used on DoH connections. This has been + fixed. :gl:`#4806` :gl:`!9161` + + Changes prior to 9.18.28 ------------------------ diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index fe47c8f903..71454d0724 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,6 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.18.29.rst .. include:: ../notes/notes-9.18.28.rst .. include:: ../notes/notes-9.18.27.rst .. include:: ../notes/notes-9.18.26.rst diff --git a/doc/notes/notes-9.18.29.rst b/doc/notes/notes-9.18.29.rst new file mode 100644 index 0000000000..1acc1445b6 --- /dev/null +++ b/doc/notes/notes-9.18.29.rst 
@@ -0,0 +1,98 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.29 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts` + configuration statement. + + There were cases when the :any:`max-recursion-queries` + quota was ineffective. It was possible to craft zones that would cause + a resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of :any:`max-recursion-queries` and by + reducing the default value from 100 to 32. + + In addition, a new :any:`max-query-restarts` configuration statement has been + added, which limits the number of times a recursive server will follow CNAME + or DNAME records before terminating resolution. This was previously a + hard-coded limit of 16 but is now configurable with a default value of 11. + + ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin + Tanir from NetSec group, ETH Zurich for discovering and notifying us about + the issue. :gl:`#4741` :gl:`!9283` + +- Raise the log level of priming failures. + + When a priming query is complete, it was previously logged at level + ``DEBUG(1)``, regardless of success or failure. It is now + logged to ``NOTICE`` in the case of failure. :gl:`#3516` + :gl:`!9251` + +- Add a compatibility shim for older libuv versions (< 1.19.0) + + The function uv_stream_get_write_queue_size() is supported only in relatively + new versions of libuv (1.19.0 or higher). 
Provide a compatibility + shim for this function so BIND 9 can be built in environments with + older libuv versions. + +Bug Fixes +~~~~~~~~~ + +- Return SERVFAIL for a too long CNAME chain. + + When following long CNAME chains, :iscman:`named` was returning NOERROR + (along with a partial answer) instead of SERVFAIL, if the chain exceeded the + maximum length. This has been fixed. :gl:`#4449` :gl:`!9204` + +- Reconfigure catz member zones during :iscman:`named` reconfiguration. + + During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog + zones' member zones. This has been fixed. :gl:`#4733` + +- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration. + + Adjust key state and timing metadata if :any:`dnssec-policy` key + lifetime configuration is updated, so that it also affects existing + keys. :gl:`#4677` :gl:`!9192` + +- Fix generation of 6to4-self name expansion from IPv4 address. + + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the + wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9218` + +- :option:`dig +yaml` was producing unexpected and/or invalid YAML. + output. :gl:`#4796` :gl:`!9214` + +- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9210` + +- Fix false QNAME minimisation error being reported. + + Remove the false positive ``success resolving`` log message when QNAME + minimisation is in effect and the final result is an NXDOMAIN. + :gl:`#4784` :gl:`!9216` + +- Fix dig +timeout argument when using +https. + + The +timeout argument was not used on DoH connections. This has been + fixed. :gl:`#4806` :gl:`!9161` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 613805221f..f5505b1590 100644 --- a/lib/dns/catz.c 
+++ b/lib/dns/catz.c
@@ -806,6 +806,13 @@ cleanup_task:
 return (result);
 }
+void *
+dns_catz_zones_get_udata(dns_catz_zones_t *catzs) {
+ REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+
+ return (catzs->zmm->udata);
+}
+
 void
 dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) {
 REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h
index ab5c614e96..d0acefba57 100644
--- a/lib/dns/include/dns/catz.h
+++ b/lib/dns/include/dns/catz.h
@@ -307,6 +307,15 @@ dns_catz_new_zones(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 *
 */
+void *
+dns_catz_zones_get_udata(dns_catz_zones_t *catzs);
+/*%<
+ * Get the 'udata' member of the zone methods which was set when creating catzs.
+ *
+ * Requires:
+ * \li 'catzs' is a valid dns_catz_zones_t.
+ */
+
 isc_result_t
 dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
 dns_catz_zone_t **catzp);