remove "bindkeys-file" option
The bindkeys-file option was only used for testing purposes, and has now been replaced with a "-T bindkeys=<filename>" option for named.
This commit is contained in:
parent
15b0ff5036
commit
a373671f5e
20 changed files with 62 additions and 91 deletions
|
|
@ -89,9 +89,9 @@ EXTERN unsigned int named_g_debuglevel INIT(0);
|
|||
*/
|
||||
EXTERN cfg_obj_t *named_g_defaultconfig INIT(NULL);
|
||||
EXTERN const cfg_obj_t *named_g_defaultoptions INIT(NULL);
|
||||
EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
|
||||
EXTERN const char *named_g_defaultbindkeys INIT(NULL);
|
||||
EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
|
||||
EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
|
||||
EXTERN const char *named_g_bindkeysfile INIT(NULL);
|
||||
EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
|
||||
|
||||
EXTERN bool named_g_conffileset INIT(false);
|
||||
|
||||
|
|
|
|||
|
|
@ -55,7 +55,6 @@ struct named_server {
|
|||
char *statsfile; /*%< Statistics file name */
|
||||
char *dumpfile; /*%< Dump file name */
|
||||
char *secrootsfile; /*%< Secroots file name */
|
||||
char *bindkeysfile; /*%< bind.keys file name */
|
||||
char *recfile; /*%< Recursive file name */
|
||||
bool version_set; /*%< User has set version */
|
||||
char *version; /*%< User-specified version */
|
||||
|
|
|
|||
|
|
@ -649,7 +649,7 @@ parse_fuzz_arg(void) {
|
|||
|
||||
static void
|
||||
parse_T_opt(char *option) {
|
||||
const char *p;
|
||||
const char *p = NULL;
|
||||
char *last = NULL;
|
||||
/*
|
||||
* force the server to behave (or misbehave) in
|
||||
|
|
@ -692,6 +692,8 @@ parse_T_opt(char *option) {
|
|||
if (maxudp <= 0) {
|
||||
named_main_earlyfatal("bad maxudp");
|
||||
}
|
||||
} else if (!strncmp(option, "bindkeys=", 9)) {
|
||||
named_g_bindkeysfile = option + 9;
|
||||
} else if (!strncmp(option, "mkeytimers=", 11)) {
|
||||
p = strtok_r(option + 11, "/", &last);
|
||||
if (p == NULL) {
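Review bot: The new `bindkeys=` branch accepts an empty value (`-T bindkeys=`) and leaves named_g_bindkeysfile pointing at an empty string, whereas the maxudp branch just above rejects a bad value with named_main_earlyfatal; adding `if (option[9] == '\0') { named_main_earlyfatal("bad bindkeys"); }` before the assignment keeps the branches consistent and gives a clear error instead of a later "unable to open ''" log line. Since the global keeps a pointer into argv rather than a copy, a one-line comment such as `/* points into argv; valid for the process lifetime */` would save the next reader a check. parse_T_opt begins and ends outside this hunk.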
|
||||
|
|
|
|||
|
|
@ -1138,8 +1138,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
const cfg_obj_t *builtin_keys = NULL;
|
||||
|
||||
/*
|
||||
* If bind.keys exists and is populated, it overrides
|
||||
* the trust-anchors clause hard-coded in
|
||||
* If "-T bindkeys=<filename>" was used and
|
||||
* the file has a root key in it, that will
|
||||
* replace the trust-anchors clause hard-coded in
|
||||
* named_g_defaultconfig.
|
||||
*/
|
||||
if (bindkeys != NULL) {
|
||||
|
|
@ -1147,7 +1148,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
|
||||
"obtaining root key for view %s "
|
||||
"from '%s'",
|
||||
view->name, named_g_server->bindkeysfile);
|
||||
view->name, named_g_bindkeysfile);
|
||||
|
||||
(void)cfg_map_get(bindkeys, "trust-anchors",
|
||||
&builtin_keys);
|
||||
|
|
@ -8114,9 +8115,8 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist,
|
|||
|
||||
static isc_result_t
|
||||
apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
||||
named_server_t *server, bool first_time) {
|
||||
cfg_obj_t *bindkeys = NULL;
|
||||
cfg_parser_t *bindkeys_parser = NULL;
|
||||
cfg_obj_t *bindkeys, named_server_t *server,
|
||||
bool first_time) {
|
||||
const cfg_obj_t *maps[3];
|
||||
const cfg_obj_t *obj = NULL;
|
||||
const cfg_obj_t *options = NULL;
|
||||
|
|
@ -8251,48 +8251,6 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
named_g_http_streams_per_conn = cfg_obj_asuint32(obj);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* If "dnssec-validation auto" is turned on, the root key
|
||||
* will be used as a default trust anchor. The root key
|
||||
* is built in, but if bindkeys-file is set, then it will
|
||||
* be overridden with the key in that file.
|
||||
*/
|
||||
obj = NULL;
|
||||
(void)named_config_get(maps, "bindkeys-file", &obj);
|
||||
if (obj != NULL) {
|
||||
setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
|
||||
INSIST(server->bindkeysfile != NULL);
|
||||
if (access(server->bindkeysfile, R_OK) != 0) {
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
|
||||
"unable to open '%s'; using built-in "
|
||||
"keys instead",
|
||||
server->bindkeysfile);
|
||||
} else {
|
||||
result = cfg_parser_create(isc_g_mctx,
|
||||
&bindkeys_parser);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_bindkeys_parser;
|
||||
}
|
||||
|
||||
result = cfg_parse_file(bindkeys_parser,
|
||||
server->bindkeysfile,
|
||||
&cfg_type_bindkeys, &bindkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER,
|
||||
ISC_LOG_INFO,
|
||||
"unable to parse '%s' "
|
||||
"error '%s'; using "
|
||||
"built-in keys instead",
|
||||
server->bindkeysfile,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
setstring(server, &server->bindkeysfile, NULL);
|
||||
}
|
||||
|
||||
#if defined(HAVE_GEOIP2)
|
||||
/*
|
||||
* Release any previously opened GeoIP2 databases.
|
||||
|
|
@ -8338,7 +8296,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
max, named_g_cpus);
|
||||
result = ISC_R_RANGE;
|
||||
|
||||
goto cleanup_bindkeys_parser;
|
||||
goto cleanup_tls;
|
||||
}
|
||||
softquota = max - margin;
|
||||
} else {
|
||||
|
|
@ -8363,7 +8321,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
aclctx, isc_g_mctx,
|
||||
&server->sctx->blackholeacl);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_bindkeys_parser;
|
||||
goto cleanup_tls;
|
||||
}
|
||||
|
||||
if (server->sctx->blackholeacl != NULL) {
|
||||
|
|
@ -9287,14 +9245,7 @@ cleanup_portsets:
|
|||
isc_portset_destroy(isc_g_mctx, &v6portset);
|
||||
isc_portset_destroy(isc_g_mctx, &v4portset);
|
||||
|
||||
cleanup_bindkeys_parser:
|
||||
if (bindkeys_parser != NULL) {
|
||||
if (bindkeys != NULL) {
|
||||
cfg_obj_destroy(bindkeys_parser, &bindkeys);
|
||||
}
|
||||
cfg_parser_destroy(&bindkeys_parser);
|
||||
}
|
||||
|
||||
cleanup_tls:
|
||||
/*
|
||||
* Detach the TLS client context (whether the one created at the
|
||||
* begining of this function, or the previous running one)
|
||||
|
|
@ -9347,7 +9298,7 @@ static isc_result_t
|
|||
load_configuration(named_server_t *server, bool first_time) {
|
||||
isc_result_t result;
|
||||
cfg_parser_t *parser = NULL;
|
||||
cfg_obj_t *config = NULL;
|
||||
cfg_obj_t *config = NULL, *bindkeys = NULL;
|
||||
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
|
||||
ISC_LOG_DEBUG(1), "load_configuration");
|
||||
|
|
@ -9362,10 +9313,44 @@ load_configuration(named_server_t *server, bool first_time) {
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
result = apply_configuration(parser, config, server, first_time);
|
||||
if (named_g_bindkeysfile != NULL) {
|
||||
/*
|
||||
* If "dnssec-validation auto" is turned on, the root key
|
||||
* will be used as a default trust anchor. The root key
|
||||
* is built in, but if -Tbindkeys=<filename> is used,
|
||||
* the key is overridden with the key in that file.
|
||||
*/
|
||||
if (access(named_g_bindkeysfile, R_OK) != 0) {
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
|
||||
"unable to open '%s'; using built-in "
|
||||
"keys instead",
|
||||
named_g_bindkeysfile);
|
||||
} else {
|
||||
cfg_parser_reset(parser);
|
||||
result = cfg_parse_file(parser, named_g_bindkeysfile,
|
||||
&cfg_type_bindkeys, &bindkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER,
|
||||
ISC_LOG_INFO,
|
||||
"unable to parse '%s' "
|
||||
"error '%s'; using "
|
||||
"built-in keys instead",
|
||||
named_g_bindkeysfile,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
result = apply_configuration(parser, config, bindkeys, server,
|
||||
first_time);
|
||||
|
||||
cleanup:
|
||||
if (config) {
|
||||
if (bindkeys != NULL) {
|
||||
cfg_obj_destroy(parser, &bindkeys);
|
||||
}
|
||||
if (config != NULL) {
|
||||
cfg_obj_destroy(parser, &config);
|
||||
}
|
||||
cfg_parser_destroy(&parser);
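Review bot: The error returned by cfg_parse_file for the bindkeys file is logged and then silently discarded, because `result` is overwritten by the apply_configuration call that follows; that is the intended fallback to built-in keys, but nothing says so, and a comment above that call such as `/* A bindkeys parse failure was logged above; fall back to the built-in keys. */` would make it explicit. The block also reuses the main configuration parser through cfg_parser_reset where the removed code in apply_configuration created a dedicated bindkeys parser; presumably reset clears the per-file state, and since both `config` and `bindkeys` are now destroyed through the same parser at cleanup, that pairing is worth a sentence in the block comment. The comment at the top of the block writes the option as `-Tbindkeys=<filename>` while the configure_view_dnsseckeys comment and the commit message write `-T bindkeys=<filename>`; one spelling would be easier to grep for. load_configuration continues outside this hunk.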
|
||||
|
|
@ -9986,10 +9971,6 @@ named_server_destroy(named_server_t **serverp) {
|
|||
isc_mem_free(server->mctx, server->secrootsfile);
|
||||
isc_mem_free(server->mctx, server->recfile);
|
||||
|
||||
if (server->bindkeysfile != NULL) {
|
||||
isc_mem_free(server->mctx, server->bindkeysfile);
|
||||
}
|
||||
|
||||
if (server->version != NULL) {
|
||||
isc_mem_free(server->mctx, server->version);
|
||||
}
|
||||
|
|
|
|||
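--- a/bin/tests/system/dnssec/ns4/named.args
+++ b/bin/tests/system/dnssec/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D dnssec-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf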
|
|
@ -35,7 +35,6 @@ options {
|
|||
|
||||
{% if managed_key %}
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
{% else %}
|
||||
dnssec-validation yes;
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
-m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1
|
||||
-m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1 -T bindkeys=managed.conf
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@ options {
|
|||
recursion yes;
|
||||
notify no;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
servfail-ttl 0;
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
-m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
|
||||
-m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T bindkeys=managed.conf
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@ options {
|
|||
recursion yes;
|
||||
notify no;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
trust-anchor-telemetry no;
|
||||
};
|
||||
|
||||
|
|
|
|||
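--- a/bin/tests/system/mkeys/ns4/named.args
+++ b/bin/tests/system/mkeys/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf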
|
|
@ -24,7 +24,6 @@ options {
|
|||
recursion yes;
|
||||
notify no;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
managed-keys-directory "nope";
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@ options {
|
|||
recursion yes;
|
||||
notify no;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
servfail-ttl 0;
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
-m record -c named.conf -d 99 -g -T maxcachesize=2097152
|
||||
-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeys=managed.conf
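Review bot: This named.args line passes `-T mkeys=managed.conf`, but the option parse_T_opt matches in this commit is `bindkeys=` (the strncmp in main.c), and every other named.args touched here uses `-T bindkeys=managed.conf`. Unless parse_T_opt has an `mkeys=` branch outside the visible hunk, this value never sets named_g_bindkeysfile, so the server keeps the built-in trust anchors and the test stops exercising managed.conf without any failure to show it. The file section carries no path on this page, so I cannot name the server, but the intended line is `-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf`.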
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeytimers=2/20/40
|
||||
-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf -T mkeytimers=2/20/40
|
||||
|
|
|
|||
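--- a/bin/tests/system/mkeys/ns7/named.args
+++ b/bin/tests/system/mkeys/ns7/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns7 -g -T maxcachesize=2097152 -T bindkeys=managed.conf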
|
|
@ -24,7 +24,6 @@ options {
|
|||
recursion yes;
|
||||
notify no;
|
||||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
|
|
|
|||
|
|
@ -1501,14 +1501,6 @@ default is used.
|
|||
default is ``named.stats`` in the server's current directory. The
|
||||
format of the file is described in :ref:`statsfile`.
|
||||
|
||||
.. namedconf:statement:: bindkeys-file
|
||||
:tags: dnssec
|
||||
:short: Specifies the pathname of a file to override the built-in trusted keys provided by :iscman:`named`.
|
||||
|
||||
This is the pathname of a file to override the built-in trusted keys provided
|
||||
by :iscman:`named`. See the discussion of :any:`dnssec-validation` for
|
||||
details. This is intended for server testing.
|
||||
|
||||
.. namedconf:statement:: secroots-file
|
||||
:tags: dnssec
|
||||
:short: Specifies the pathname of the file where the server dumps security roots, when using :option:`rndc secroots`.
|
||||
|
|
|
|||
|
|
@ -84,7 +84,6 @@ options {
|
|||
attach-cache <string>;
|
||||
auth-nxdomain <boolean>;
|
||||
automatic-interface-scan <boolean>;
|
||||
bindkeys-file <quoted_string>; // test only
|
||||
blackhole { <address_match_element>; ... };
|
||||
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
|
||||
check-dup-records ( fail | warn | ignore );
|
||||
|
|
|
|||
|
|
@ -1194,7 +1194,8 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
|
|||
};
|
||||
|
||||
/*%
|
||||
* Clauses that can occur in the bind.keys file.
|
||||
* Clauses that can occur in a trust anchor file (previously
|
||||
* called bind.keys).
|
||||
*/
|
||||
static cfg_clausedef_t bindkeys_clauses[] = {
|
||||
{ "managed-keys", &cfg_type_dnsseckeys,
|
||||
|
|
@ -1218,7 +1219,7 @@ static cfg_clausedef_t options_clauses[] = {
|
|||
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
|
||||
{ "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
|
||||
{ "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "blackhole", &cfg_type_bracketed_aml, 0 },
|
||||
{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
|
||||
{ "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
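Review bot: Moving `bindkeys-file` from CFG_CLAUSEFLAG_TESTONLY to CFG_CLAUSEFLAG_ANCIENT turns any named.conf that still carries the clause into a load failure rather than a warning, if ANCIENT keeps its usual "option no longer exists" meaning; that is a reasonable end state for a test-only option, but the commit message only says it was replaced, so a CHANGES or release-note line naming the `-T bindkeys=<filename>` replacement would help anyone whose test rigs still set it. The reworded comment above bindkeys_clauses, `Clauses that can occur in a trust anchor file (previously called bind.keys)`, reads well; it could also mention that the file is now supplied only through the `-T bindkeys=` option rather than named.conf, since that is the reason the clause became ancient.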
|
||||
|
|
|
|||