Remove "port" from source address options

Remove the use of "port" when configuring query-source(-v6),
transfer-source(-v6), notify-source(-v6), parental-source(-v6),
etc. Remove the use of source ports for parental-agents.

Also remove the deprecated options use-{v4,v6}-udp-ports and
avoid-{v4,v6}-udp-ports.
This commit is contained in:
alessio 2024-09-04 17:48:04 +02:00
parent 0d4accd07f
commit da0e48b611
24 changed files with 258 additions and 518 deletions


@ -7485,43 +7485,6 @@ setoptstring(named_server_t *server, char **field, const cfg_obj_t *obj) {
}
}
static void
portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
bool positive) {
const cfg_listelt_t *element;
for (element = cfg_list_first(ports); element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *obj = cfg_listelt_value(element);
if (cfg_obj_isuint32(obj)) {
in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
if (positive) {
isc_portset_add(portset, port);
} else {
isc_portset_remove(portset, port);
}
} else {
const cfg_obj_t *obj_loport, *obj_hiport;
in_port_t loport, hiport;
obj_loport = cfg_tuple_get(obj, "loport");
loport = (in_port_t)cfg_obj_asuint32(obj_loport);
obj_hiport = cfg_tuple_get(obj, "hiport");
hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
if (positive) {
isc_portset_addrange(portset, loport, hiport);
} else {
isc_portset_removerange(portset, loport,
hiport);
}
}
}
}
static isc_result_t
removed(dns_zone_t *zone, void *uap) {
if (dns_zone_getview(zone) != uap) {
@ -8270,7 +8233,6 @@ load_configuration(const char *filename, named_server_t *server,
const cfg_obj_t *maps[3];
const cfg_obj_t *obj;
const cfg_obj_t *options;
const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
const cfg_obj_t *kasps;
const cfg_obj_t *keystores;
dns_kasp_t *kasp = NULL;
@ -8703,74 +8665,39 @@ load_configuration(const char *filename, named_server_t *server,
goto cleanup_v4portset;
}
usev4ports = NULL;
usev6ports = NULL;
avoidv4ports = NULL;
avoidv6ports = NULL;
(void)named_config_get(maps, "use-v4-udp-ports", &usev4ports);
if (usev4ports != NULL) {
portset_fromconf(v4portset, usev4ports, true);
} else {
result = isc_net_getudpportrange(AF_INET, &udpport_low,
&udpport_high);
if (result != ISC_R_SUCCESS) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"get the default UDP/IPv4 port range: %s",
isc_result_totext(result));
goto cleanup_v6portset;
}
if (udpport_low == udpport_high) {
isc_portset_add(v4portset, udpport_low);
} else {
isc_portset_addrange(v4portset, udpport_low,
udpport_high);
}
if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"using default UDP/IPv4 port range: "
"[%d, %d]",
udpport_low, udpport_high);
}
}
(void)named_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
if (avoidv4ports != NULL) {
portset_fromconf(v4portset, avoidv4ports, false);
result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
if (result != ISC_R_SUCCESS) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
ISC_LOG_ERROR,
"get the default UDP/IPv4 port range: %s",
isc_result_totext(result));
goto cleanup_v6portset;
}
(void)named_config_get(maps, "use-v6-udp-ports", &usev6ports);
if (usev6ports != NULL) {
portset_fromconf(v6portset, usev6ports, true);
} else {
result = isc_net_getudpportrange(AF_INET6, &udpport_low,
&udpport_high);
if (result != ISC_R_SUCCESS) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"get the default UDP/IPv6 port range: %s",
isc_result_totext(result));
goto cleanup_v6portset;
}
if (udpport_low == udpport_high) {
isc_portset_add(v6portset, udpport_low);
} else {
isc_portset_addrange(v6portset, udpport_low,
udpport_high);
}
if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"using default UDP/IPv6 port range: "
"[%d, %d]",
udpport_low, udpport_high);
}
isc_portset_addrange(v4portset, udpport_low, udpport_high);
if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
ISC_LOG_INFO,
"using default UDP/IPv4 port range: "
"[%d, %d]",
udpport_low, udpport_high);
}
(void)named_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
if (avoidv6ports != NULL) {
portset_fromconf(v6portset, avoidv6ports, false);
result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
if (result != ISC_R_SUCCESS) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
ISC_LOG_ERROR,
"get the default UDP/IPv6 port range: %s",
isc_result_totext(result));
goto cleanup_v6portset;
}
isc_portset_addrange(v6portset, udpport_low, udpport_high);
if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
ISC_LOG_INFO,
"using default UDP/IPv6 port range: "
"[%d, %d]",
udpport_low, udpport_high);
}
dns_dispatchmgr_setavailports(named_g_dispatchmgr, v4portset,
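Review bot: Both the IPv4 and IPv6 branches now call `isc_portset_addrange(v4portset, udpport_low, udpport_high)` (and the v6 equivalent) unconditionally, where the removed code special-cased `udpport_low == udpport_high` with `isc_portset_add`; this is only equivalent if `isc_portset_addrange` treats its bounds inclusively, which should be confirmed rather than assumed. More importantly, with use-v{4,6}-udp-ports gone the operating system's ephemeral range is the sole source of outgoing UDP source-port randomisation, and nothing here checks how wide that range is, even though the documentation this commit removes warned the system default "may be too small" and recommended at least 16384 ports. Consider logging a warning after each `isc_net_getudpportrange` call when the range is narrow, e.g. `if ((unsigned)udpport_high - udpport_low + 1 < 16384) { isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "default UDP/IPv4 port range [%d, %d] is small; source port randomization is reduced", udpport_low, udpport_high); }` (and the same for IPv6), so operators who can no longer widen it from named.conf at least learn that they need to adjust the OS setting. load_configuration begins and ends outside this hunk.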


@ -11,12 +11,9 @@
* information regarding copyright ownership.
*/
/*
* Ancient options are fatal.
*/
options {
avoid-v4-udp-ports {
1935;
2605;
4321;
6514;
range 8610 8614;
};
avoid-v4-udp-ports { range 1 1023; };
};


@ -0,0 +1,19 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Ancient options are fatal.
*/
options {
avoid-v6-udp-ports { range 1 1023; };
};


@ -11,12 +11,8 @@
* information regarding copyright ownership.
*/
options {
port 5300;
};
zone example {
type secondary;
primaries { 1.2.3.4; };
notify-source 10.53.0.1 port 100;
notify-source 10.53.0.1 port 5300;
};


@ -0,0 +1,16 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
server 1.2.3.4 {
query-source 10.10.10.10 port 5353;
};


@ -0,0 +1,19 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Ancient options are fatal.
*/
options {
use-v4-udp-ports { range 1024 65535; };
};


@ -0,0 +1,19 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Ancient options are fatal.
*/
options {
use-v6-udp-ports { range 1024 65535; };
};


@ -16,4 +16,9 @@
*/
options {
fake-iquery yes;
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
avoid-v4-udp-ports { range 1 1023; };
avoid-v6-udp-ports { range 1 1023; };
};


@ -11,19 +11,10 @@
* information regarding copyright ownership.
*/
server 1.2.3.4 {
query-source 10.10.10.10 port 5353;
};
options {
dnssec-validation yes;
max-zone-ttl 600;
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
avoid-v4-udp-ports { range 1 1023; };
avoid-v6-udp-ports { range 1 1023; };
dnssec-must-be-secure mustbesecure.example yes;
sortlist { };


@ -45,12 +45,6 @@ key-store "hsm" {
pkcs11-uri "pkcs11:token=bind9;pin-value=1234";
};
options {
avoid-v4-udp-ports {
100;
};
avoid-v6-udp-ports {
100;
};
blackhole {
10.0.0.0/8;
};
@ -91,7 +85,7 @@ options {
transfer-source 0.0.0.0;
zone-statistics none;
};
parental-agents "parents" port 5353 source 10.10.10.10 port 5354 source-v6 2001:db8::10 port 5355 {
parental-agents "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
10.10.10.11;
2001:db8::11;
};
@ -104,7 +98,7 @@ view "first" {
file "xxx";
update-policy local;
max-ixfr-ratio 20%;
notify-source 10.10.10.10 port 53;
notify-source 10.10.10.10;
};
zone "clone" {
type primary;
@ -193,7 +187,7 @@ view "fourth" {
1.2.3.5;
};
dnssec-policy "test";
parental-source 10.10.10.10 port 53;
parental-source 10.10.10.10;
};
zone "dnssec-default" {
type primary;


@ -141,6 +141,20 @@ grep "no longer exists" ancient.out >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for ancient_conf in ancient-*.conf; do
ancient_opt="${ancient_conf#ancient-}"
ancient_opt="${ancient_opt%.conf}"
n=$((n + 1))
echo_i "checking that ancient \"${ancient_opt}\" option report a fatal error ($n)"
ret=0
$CHECKCONF ${ancient_conf} >"${ancient_conf}.out" 2>&1 && ret=1
grep "no longer exists" "${ancient_conf}.out" >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
@ -178,13 +192,8 @@ $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if $test_fixed; then
grep "rrset-order: order 'fixed' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
else
@ -492,17 +501,6 @@ if [ $ret -ne 0 ]; then
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
@ -752,21 +750,6 @@ if [ $ret -ne 0 ]; then
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
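Review bot: The removed "*-source options with specified port generate warnings" test is not replaced, so the checkconf change that turns a non-zero port on transfer-source/notify-source/parental-source into a hard error has no coverage in this script; the new ancient-*.conf loop only greps for "no longer exists", which is a different message. If the warn-*-source.conf fixtures are kept, consider retaining the three runs with the expectation inverted, e.g. `$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>&1 && ret=1` followed by `grep "specifying a port is deprecated" <checkconf.out$n >/dev/null || ret=1`. In the new loop, `$CHECKCONF ${ancient_conf}` should quote the variable as the surrounding lines do (`"${ancient_conf}"`), and the echo_i text reads better as "reports a fatal error".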


@ -57,7 +57,7 @@ zone x1 {
type primary;
file "generic.db";
also-notify { 10.53.0.3; };
notify-source 10.53.0.2 port @EXTRAPORT2@;
notify-source 10.53.0.2;
notify primary-only;
};
zone x2 {


@ -40,5 +40,5 @@ zone "example" {
zone "notify-source-port-test" {
type primary;
file "notify-source-port-test.db";
notify-source 10.53.0.3 port @EXTRAPORT2@;
notify-source 10.53.0.3;
};


@ -207,10 +207,6 @@ grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run >/dev/null ||
grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run >/dev/null || ret=1
test_end
test_start "checking notify-source uses port option correctly"
grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run >/dev/null || ret=1
test_end
# notify messages were sent to unresponsive 10.53.10.53 during the tests
# above, which should time out at some point; we need to wait for them to
# appear in the logs in case the tests run faster than the notify timeouts


@ -41,13 +41,13 @@ server 10.53.0.3 {
server 10.42.23.3/32 {
notify-source 10.42.22.1;
query-source address 10.42.22.1 port 0;
query-source address 10.42.22.1;
transfer-source 10.42.22.1;
};
server fd92:7065:b8e:ffff::1000 {
notify-source-v6 fd92:7065:b8e:ffff::1001;
query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
query-source-v6 address fd92:7065:b8e:ffff::1001;
transfer-source-v6 fd92:7065:b8e:ffff::1001;
};


@ -52,7 +52,7 @@ zone "example" {
zone "primary" {
type secondary;
transfer-source 10.53.0.3 port @EXTRAPORT1@;
transfer-source 10.53.0.3;
primaries { 10.53.0.6; };
file "primary.bk";
};


@ -655,13 +655,6 @@ retry_quiet 10 check_xfer_stats || tmp=1
if test $tmp != 0; then echo_i "failed"; fi
status=$((status + tmp))
n=$((n + 1))
echo_i "test that transfer-source uses port option correctly ($n)"
tmp=0
grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run >/dev/null || tmp=1
if test $tmp != 0; then echo_i "failed"; fi
status=$((status + tmp))
wait_for_message() (
nextpartpeek ns6/named.run >wait_for_message.$n
grep -F "$1" wait_for_message.$n >/dev/null


@ -174,19 +174,19 @@ the following examples:
.. code-block:: none
// dense single-line style
zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
// single-statement-per-line style
zone "example.com" in{
type secondary;
file "secondary.example.com";
primaries {10.0.0.1;};
};
// spot the difference
zone "example.com" in{
type secondary;
file "sec.secondary.com";
primaries {10.0.0.1;}; };
// dense single-line style
zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
// single-statement-per-line style
zone "example.com" in{
type secondary;
file "secondary.example.com";
primaries {10.0.0.1;};
};
// spot the difference
zone "example.com" in{
type secondary;
file "sec.secondary.com";
primaries {10.0.0.1;}; };
.. _include_grammar:
@ -324,7 +324,7 @@ file documentation:
(3 days, 12 hours).
ISO 8601 duration format consists of the letter "P", followed by an
optional series of numbers with unit suffixes "Y" (year), "M" (month),
optional series of numbers with unit suffixes "Y" (year), "M" (month),
"W" (week), and "D" (day); this may optionally be followed by the
letter "T", and another series of numbers with unit suffixes
"H" (hour), "M" (minute), and "S" (second). Examples: "P3M10D"
@ -3268,7 +3268,7 @@ Query Address
:short: Controls the IPv6 address from which queries are issued.
If the server does not know the answer to a question, it queries other
name servers. :any:`query-source` specifies the address and port used for
name servers. :any:`query-source` specifies the address used for
such queries. For queries sent over IPv6, there is a separate
:any:`query-source-v6` option. If ``address`` is ``*`` (asterisk) or is
omitted, a wildcard IP address (``INADDR_ANY``) is used.
@ -3278,111 +3278,13 @@ Query Address
::
query-source address * port *;
query-source-v6 address * port *;
.. note:: ``port`` configuration is deprecated. A warning will be logged
when this parameter is used.
query-source address *;
query-source-v6 address *;
.. note:: The address specified in the :any:`query-source` option is
used for both UDP and TCP queries, but the port applies only to UDP
queries. TCP queries always use a random unprivileged port.
.. namedconf:statement:: use-v4-udp-ports
:tags: deprecated
:short: Specifies a list of ports that are valid sources for UDP/IPv4 messages.
.. namedconf:statement:: use-v6-udp-ports
:tags: deprecated
:short: Specifies a list of ports that are valid sources for UDP/IPv6 messages.
These statements, which are deprecated and will be removed in a future
release, specify a list of IPv4 and IPv6 UDP ports that are used as
source ports for UDP messages.
If :term:`port` is ``*`` or is omitted, a random port number from a
pre-configured range is selected and used for each query. The
port range(s) are specified in the :any:`use-v4-udp-ports` (for IPv4)
and :any:`use-v6-udp-ports` (for IPv6) options.
If :any:`use-v4-udp-ports` or :any:`use-v6-udp-ports` is unspecified,
:iscman:`named` checks whether the operating system provides a programming
interface to retrieve the system's default range for ephemeral ports. If
such an interface is available, :iscman:`named` uses the corresponding
system default range; otherwise, it uses its own defaults:
::
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
.. namedconf:statement:: avoid-v4-udp-ports
:tags: deprecated
:short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages.
.. namedconf:statement:: avoid-v6-udp-ports
:tags: deprecated
:short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages.
These statements, which are deprecated and will be removed in a future
release, indicate ranges of port numbers to exclude from those specified
in the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports`
options, respectively.
The defaults of the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports`
options are:
::
avoid-v4-udp-ports {};
avoid-v6-udp-ports {};
For example, with the following configuration:
::
use-v6-udp-ports { range 32768 65535; };
avoid-v6-udp-ports { 40000; range 50000 60000; };
UDP ports of IPv6 messages sent from :iscman:`named` are in one of the
following ranges: 32768 to 39999, 40001 to 49999, or 60001 to 65535.
:any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports` can be used to prevent
:iscman:`named` from choosing as its random source port a port that is blocked
by a firewall or that is used by other applications; if a
query went out with a source port blocked by a firewall, the answer
would not pass through the firewall and the name server would have to query
again. Note: the desired range can also be represented only with
:any:`use-v4-udp-ports` and :any:`use-v6-udp-ports`, and the ``avoid-``
options are redundant in that sense; they are provided for backward
compatibility and to possibly simplify the port specification.
.. note:: Make sure the ranges are sufficiently large for security. A
desirable size depends on several parameters, but we generally recommend
it contain at least 16384 ports (14 bits of entropy). Note also that the
system's default range when used may be too small for this purpose, and
that the range may even be changed while :iscman:`named` is running; the new
range is automatically applied when :iscman:`named` is reloaded. Explicit
configuration of :any:`use-v4-udp-ports` and :any:`use-v6-udp-ports` is encouraged,
so that the ranges are sufficiently large and are reasonably
independent from the ranges used by other applications.
.. note:: The operational configuration where :iscman:`named` runs may prohibit
the use of some ports. For example, Unix systems do not allow
:iscman:`named`, if run without root privilege, to use ports less than 1024.
If such ports are included in the specified (or detected) set of query
ports, the corresponding query attempts will fail, resulting in
resolution failures or delay. It is therefore important to configure the
set of ports that can be safely used in the expected operational
environment.
.. warning:: Specifying a single port is discouraged, as it removes a layer of
protection against spoofing errors.
.. warning:: The configured :term:`port` must not be the same as the listening port.
.. note:: See also :any:`transfer-source`, :any:`notify-source` and :any:`parental-source`.
.. _zone_transfers:
Zone Transfers
@ -3553,25 +3455,17 @@ options apply to zone transfers.
:any:`transfer-source` determines which local address is bound to
IPv4 TCP connections used to fetch zones transferred inbound by the
server. It also determines the source IPv4 address, and optionally
the UDP port, used for the refresh queries and forwarded dynamic
updates. If not set, it defaults to a system-controlled value which
is usually the address of the interface "closest to" the remote
end. This address must appear in the remote end's :any:`allow-transfer`
option for the zone being transferred, if one is specified. This
statement sets the :any:`transfer-source` for all zones, but can be
server. It also determines the source IPv4 address, used for the refresh
queries and forwarded dynamic updates. If not set, it defaults to a
system-controlled value which is usually the address of the interface
"closest to" the remote end. This address must appear in the remote
end's :any:`allow-transfer` option for the zone being transferred,
if one is specified.
This statement sets the :any:`transfer-source` for all zones, but can be
overridden on a per-view or per-zone basis by including a
:any:`transfer-source` statement within the :any:`view` or :any:`zone` block
in the configuration file.
.. note:: ``port`` configuration is deprecated. A warning will be logged
when this parameter is used.
.. warning:: Specifying a single port is discouraged, as it removes a layer of
protection against spoofing errors.
.. warning:: The configured :term:`port` must not be the same as the listening port.
.. namedconf:statement:: transfer-source-v6
:tags: transfer
:short: Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
@ -3581,23 +3475,15 @@ options apply to zone transfers.
.. namedconf:statement:: notify-source
:tags: transfer
:short: Defines the IPv4 address (and optional port) to be used for outgoing ``NOTIFY`` messages.
:short: Defines the IPv4 address to be used for outgoing ``NOTIFY`` messages.
:any:`notify-source` determines which local source address, and
optionally UDP port, is used to send NOTIFY messages. This
address must appear in the secondary server's :any:`primaries` zone clause or
in an :any:`allow-notify` clause. This statement sets the
:any:`notify-source` for all zones, but can be overridden on a per-zone
or per-view basis by including a :any:`notify-source` statement within
the :any:`zone` or :any:`view` block in the configuration file.
.. note:: ``port`` configuration is deprecated. A warning will be logged
when this parameter is used.
.. warning:: Specifying a single port is discouraged, as it removes a layer of
protection against spoofing errors.
.. warning:: The configured :term:`port` must not be the same as the listening port.
:any:`notify-source` determines which local source address is used to send
NOTIFY messages. This address must appear in the secondary server's
:any:`primaries` zone clause or in an :any:`allow-notify` clause.
This statement sets the :any:`notify-source` for all zones, but can be
overridden on a per-zone or per-view basis by including a
:any:`notify-source` statement within the :any:`zone` or :any:`view`
block in the configuration file.
.. namedconf:statement:: notify-source-v6
:tags: transfer
@ -6678,20 +6564,12 @@ The following options apply to DS queries sent to :any:`parental-agents`:
:tags: dnssec
:short: Specifies which local IPv4 source address is used to send parental DS queries.
:any:`parental-source` determines which local source address, and optionally
UDP port, is used to send parental DS queries. This statement sets the
:any:`parental-source` determines which local source address
is used to send parental DS queries. This statement sets the
:any:`parental-source` for all zones, but can be overridden on a per-zone or
per-view basis by including a :any:`parental-source` statement within the
:any:`zone` or :any:`view` block in the configuration file.
.. note:: ``port`` configuration is deprecated. A warning will be logged
when this parameter is used.
.. warning:: Specifying a single port is discouraged, as it removes a layer of
protection against spoofing errors.
.. warning:: The configured :term:`port` must not be the same as the listening port.
.. namedconf:statement:: parental-source-v6
:tags: dnssec
:short: Specifies which local IPv6 source address is used to send parental DS queries.
@ -7844,52 +7722,52 @@ Incoming Zone Transfers
this zone. Possible values and their meanings are:
``Needs Refresh``
The zone needs a refresh, but the process hasn't started yet,
which can be due to different factors, like the retry interval of
the zone.
The zone needs a refresh, but the process hasn't started yet,
which can be due to different factors, like the retry interval of
the zone.
``Pending``
The zone is flagged for a refresh, but the process is currently
in the queue and will start shortly, or is in a waiting state
because of rate-limiting, see :any:`serial-query-rate`. The
``Duration (s)`` timer starts before entering this state.
The zone is flagged for a refresh, but the process is currently
in the queue and will start shortly, or is in a waiting state
because of rate-limiting, see :any:`serial-query-rate`. The
``Duration (s)`` timer starts before entering this state.
``Refresh SOA``
Sending a refresh SOA query to get the zone serial number, then
initiate a zone transfer, if necessary. If this step is successful,
the ``SOA Query`` and ``Got SOA`` states will be skipped.
Otherwise, the zone transfer procedure can still be initiated,
and the SOA request will be attempted using the same transport as
the zone transfer. The ``Duration (s)`` timer restarts before
entering this state, and for each attempted connection (note that
in UDP mode there can be several retries during one "connection"
attempt).
Sending a refresh SOA query to get the zone serial number, then
initiate a zone transfer, if necessary. If this step is successful,
the ``SOA Query`` and ``Got SOA`` states will be skipped.
Otherwise, the zone transfer procedure can still be initiated,
and the SOA request will be attempted using the same transport as
the zone transfer. The ``Duration (s)`` timer restarts before
entering this state, and for each attempted connection (note that
in UDP mode there can be several retries during one "connection"
attempt).
``Deferred``
The zone is going to be refreshed, but the process was
deferred due to quota, see :any:`transfers-in` and
:any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before
entering this state.
The zone is going to be refreshed, but the process was
deferred due to quota, see :any:`transfers-in` and
:any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before
entering this state.
``SOA Query``
Sending SOA query to get the zone serial number, then
follow with a zone transfer, if necessary. The ``Duration (s)``
timer restarts before entering this state.
Sending SOA query to get the zone serial number, then
follow with a zone transfer, if necessary. The ``Duration (s)``
timer restarts before entering this state.
``Got SOA``
An answer for the SOA query from the previous step is
received, initiating a transfer.
An answer for the SOA query from the previous step is
received, initiating a transfer.
``Zone Transfer Request``
Waiting for the zone transfer to start. The ``Duration (s)`` timer
restarts before entering this state.
Waiting for the zone transfer to start. The ``Duration (s)`` timer
restarts before entering this state.
``First Data``
Waiting for the first data record of the transfer.
Waiting for the first data record of the transfer.
``Receiving IXFR Data``
Receiving data for an IXFR type incremental zone
transfer.
Receiving data for an IXFR type incremental zone
transfer.
``Finalizing IXFR``
Finalizing an IXFR type incremental zone transfer.


@ -85,8 +85,6 @@ options {
attach-cache <string>;
auth-nxdomain <boolean>;
automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... }; // deprecated
avoid-v6-udp-ports { <portrange>; ... }; // deprecated
bindkeys-file <quoted_string>; // test only
blackhole { <address_match_element>; ... };
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
@ -314,8 +312,6 @@ options {
udp-send-buffer <integer>;
update-check-ksk <boolean>; // obsolete
update-quota <integer>;
use-v4-udp-ports { <portrange>; ... }; // deprecated
use-v6-udp-ports { <portrange>; ... }; // deprecated
v6-bias <integer>;
validate-except { <string>; ... };
version ( <quoted_string> | none );


@ -3576,16 +3576,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (obj != NULL) {
in_port_t port =
isc_sockaddr_getport(cfg_obj_assockaddr(obj));
if (port == dnsport) {
if (port != 0) {
cfg_obj_log(obj, ISC_LOG_ERROR,
"'%s' cannot specify the "
"DNS listener port (%d)",
sources[i], port);
result = ISC_R_FAILURE;
} else if (port != 0) {
cfg_obj_log(obj, ISC_LOG_WARNING,
"'%s': specifying a port is "
"not recommended",
"deprecated",
sources[i]);
}
}
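Review bot: The new `if (port != 0)` branch logs "'%s': specifying a port is deprecated" at ISC_LOG_ERROR and sets `result = ISC_R_FAILURE`, so the configuration is rejected rather than deprecated; the message should say what actually happens, e.g. `"'%s': specifying a port is no longer supported"`, otherwise operators will read it as a warning they can ignore. The removed `port == dnsport` comparison was the only visible use of `dnsport` in this block; if it has no other use in check_zoneconf it is now dead and may produce an unused-variable or unused-parameter warning. check_zoneconf begins and ends outside this hunk.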


@ -1109,92 +1109,6 @@ doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
static cfg_type_t cfg_type_serverid = { "serverid", parse_serverid, NULL,
doc_serverid, NULL, NULL };
/*%
* Port list.
*/
static void
print_porttuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
cfg_print_cstr(pctx, "range ");
cfg_print_tuple(pctx, obj);
}
static cfg_tuplefielddef_t porttuple_fields[] = {
{ "loport", &cfg_type_uint32, 0 },
{ "hiport", &cfg_type_uint32, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_porttuple = { "porttuple", cfg_parse_tuple,
print_porttuple, cfg_doc_tuple,
&cfg_rep_tuple, porttuple_fields };
static isc_result_t
parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) {
isc_result_t result;
CHECK(cfg_parse_uint32(pctx, NULL, ret));
if ((*ret)->value.uint32 > 0xffff) {
cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
cfg_obj_destroy(pctx, ret);
result = ISC_R_RANGE;
}
cleanup:
return (result);
}
static isc_result_t
parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
isc_result_t result;
cfg_obj_t *obj = NULL;
UNUSED(type);
CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
if (pctx->token.type == isc_tokentype_number) {
CHECK(parse_port(pctx, ret));
} else {
CHECK(cfg_gettoken(pctx, 0));
if (pctx->token.type != isc_tokentype_string ||
strcasecmp(TOKEN_STRING(pctx), "range") != 0)
{
cfg_parser_error(pctx, CFG_LOG_NEAR,
"expected integer or 'range'");
return (ISC_R_UNEXPECTEDTOKEN);
}
CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj));
CHECK(parse_port(pctx, &obj->value.tuple[0]));
CHECK(parse_port(pctx, &obj->value.tuple[1]));
if (obj->value.tuple[0]->value.uint32 >
obj->value.tuple[1]->value.uint32)
{
cfg_parser_error(pctx, CFG_LOG_NOPREP,
"low port '%u' must not be larger "
"than high port",
obj->value.tuple[0]->value.uint32);
result = ISC_R_RANGE;
goto cleanup;
}
*ret = obj;
obj = NULL;
}
cleanup:
if (obj != NULL) {
cfg_obj_destroy(pctx, &obj);
}
return (result);
}
static cfg_type_t cfg_type_portrange = { "portrange", parse_portrange,
NULL, cfg_doc_terminal,
NULL, NULL };
static cfg_type_t cfg_type_bracketed_portlist = { "bracketed_portlist",
cfg_parse_bracketed_list,
cfg_print_bracketed_list,
cfg_doc_bracketed_list,
&cfg_rep_list,
&cfg_type_portrange };
static const char *cookiealg_enums[] = { "siphash24", NULL };
static cfg_type_t cfg_type_cookiealg = { "cookiealg", cfg_parse_enum,
cfg_print_ustring, cfg_doc_enum,
@ -1314,10 +1228,8 @@ static cfg_type_t cfg_type_fstrm_model = {
static cfg_clausedef_t options_clauses[] = {
{ "answer-cookie", &cfg_type_boolean, 0 },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist,
CFG_CLAUSEFLAG_DEPRECATED },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist,
CFG_CLAUSEFLAG_DEPRECATED },
{ "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
@ -1456,10 +1368,8 @@ static cfg_clausedef_t options_clauses[] = {
{ "update-quota", &cfg_type_uint32, 0 },
{ "use-id-pool", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "use-ixfr", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist,
CFG_CLAUSEFLAG_DEPRECATED },
{ "use-v6-udp-ports", &cfg_type_bracketed_portlist,
CFG_CLAUSEFLAG_DEPRECATED },
{ "use-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "use-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "version", &cfg_type_qstringornone, 0 },
{ NULL, NULL, 0 }
};
@ -2389,10 +2299,10 @@ static cfg_clausedef_t zone_clauses[] = {
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "also-notify", &cfg_type_namesockaddrkeylist,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "alt-transfer-source", &cfg_type_sockaddr4wild,
{ "alt-transfer-source", NULL,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_CLAUSEFLAG_ANCIENT },
{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
{ "alt-transfer-source-v6", NULL,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_CLAUSEFLAG_ANCIENT },
{ "auto-dnssec", &cfg_type_autodnssec,
@ -2509,7 +2419,7 @@ static cfg_clausedef_t zone_clauses[] = {
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "update-check-ksk", &cfg_type_boolean,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "use-alt-transfer-source", &cfg_type_boolean,
{ "use-alt-transfer-source", NULL,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
CFG_CLAUSEFLAG_ANCIENT },
{ "zero-no-soa-ttl", &cfg_type_boolean,
@ -3070,6 +2980,7 @@ parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
goto cleanup;
}
}
*ret = obj;
cleanup:
return (result);
@ -3365,17 +3276,8 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
have_address++;
} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
{
/* read "port" */
if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0)
{
cfg_parser_warning(
pctx, 0,
"token 'port' is deprecated");
}
CHECK(cfg_gettoken(pctx, 0));
CHECK(cfg_parse_rawport(pctx, CFG_ADDR_WILDOK,
&port));
have_port++;
/* Port has been removed */
++have_port;
} else if (strcasecmp(TOKEN_STRING(pctx), "tls") == 0) {
/* We do not expect TLS here, not parsing. */
++have_tls;
@ -3394,9 +3296,8 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
}
}
if (have_address > 1 || have_port > 1 || have_address + have_port == 0)
{
cfg_parser_error(pctx, 0, "expected one address and/or port");
if (have_address != 1) {
cfg_parser_error(pctx, 0, "expected exactly one address");
return (ISC_R_UNEXPECTEDTOKEN);
}
@ -3405,6 +3306,11 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (ISC_R_UNEXPECTEDTOKEN);
}
if (have_port > 0) {
cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists");
return (ISC_R_UNEXPECTEDTOKEN);
}
CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
*ret = obj;
@ -3422,8 +3328,6 @@ print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
cfg_print_cstr(pctx, "address ");
cfg_print_rawaddr(pctx, &na);
cfg_print_cstr(pctx, " port ");
cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
}
static void
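Review bot: The `port` branch of parse_querysource now does only `++have_port;` — the removed lines consumed the keyword with `CHECK(cfg_gettoken(pctx, 0));` before parsing the number, and nothing in the new branch consumes the token or exits the loop. The loop header and the start of parse_querysource are outside the hunk; if the loop peeks the token on every iteration, as the old `/* read "port" */` step implies, a configuration still containing `port` would re-peek the same keyword indefinitely and never reach the `subconfig 'port' no longer exists` check, so the branch needs either `CHECK(cfg_gettoken(pctx, 0));` or a `break;` after `++have_port;`. Separately, the `have_address != 1` test now precedes the `have_port > 0` test, so a legacy `query-source port N;` with no address is rejected as "expected exactly one address" rather than with the port-removed message; checking `have_port` first gives operators the actionable error.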


@ -3272,6 +3272,8 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags,
cfg_obj_t *obj = NULL;
int have_port = 0;
int have_tls = 0;
int is_port_ok = (flags & CFG_ADDR_PORTOK) != 0;
int is_tls_ok = (flags & CFG_ADDR_TLSOK) != 0;
CHECK(cfg_create_obj(pctx, type, &obj));
CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
@ -3280,18 +3282,10 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags,
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_string) {
if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
if ((pctx->flags & CFG_PCTX_NODEPRECATED) ==
0 &&
(flags & CFG_ADDR_PORTOK) == 0)
{
cfg_parser_warning(
pctx, 0,
"token 'port' is deprecated");
}
CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
CHECK(cfg_parse_rawport(pctx, flags, &port));
++have_port;
} else if ((flags & CFG_ADDR_TLSOK) != 0 &&
} else if (is_tls_ok &&
strcasecmp(TOKEN_STRING(pctx), "tls") == 0)
{
cfg_obj_t *tls = NULL;
@ -3310,6 +3304,11 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags,
}
}
if (!is_port_ok && have_port > 0) {
cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists");
result = ISC_R_UNEXPECTEDTOKEN;
goto cleanup;
}
if (have_port > 1) {
cfg_parser_error(pctx, 0, "expected at most one port");
result = ISC_R_UNEXPECTEDTOKEN;
@ -3330,6 +3329,21 @@ cleanup:
return (result);
}
static isc_result_t
cfg_parse_sockaddr_generic(cfg_parser_t *pctx, cfg_type_t *klass,
const cfg_type_t *type, cfg_obj_t **ret) {
const unsigned int *flagp;
REQUIRE(pctx != NULL);
REQUIRE(klass != NULL);
REQUIRE(type != NULL);
REQUIRE(ret != NULL && *ret == NULL);
flagp = type->of;
return (parse_sockaddrsub(pctx, klass, *flagp, ret));
}
static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
CFG_ADDR_PORTOK;
cfg_type_t cfg_type_sockaddr = { "sockaddr", cfg_parse_sockaddr,
@ -3342,32 +3356,31 @@ cfg_type_t cfg_type_sockaddrtls = { "sockaddrtls", cfg_parse_sockaddrtls,
cfg_print_sockaddr, cfg_doc_sockaddr,
&cfg_rep_sockaddrtls, &sockaddrtls_flags };
static unsigned int sockaddr_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
cfg_type_t cfg_type_sockaddr_noport = {
"sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr_flags_noport
};
static unsigned int sockaddrtls_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
CFG_ADDR_TLSOK;
cfg_type_t cfg_type_sockaddrtls_noport = {
"sockaddrtls", cfg_parse_sockaddrtls, cfg_print_sockaddr,
cfg_doc_sockaddr, &cfg_rep_sockaddrtls, &sockaddrtls_flags_noport
};
isc_result_t
cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
const unsigned int *flagp;
REQUIRE(pctx != NULL);
REQUIRE(type != NULL);
REQUIRE(ret != NULL && *ret == NULL);
flagp = type->of;
return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddr, type,
ret));
}
isc_result_t
cfg_parse_sockaddrtls(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
const unsigned int *flagp;
REQUIRE(pctx != NULL);
REQUIRE(type != NULL);
REQUIRE(ret != NULL && *ret == NULL);
flagp = type->of;
return (parse_sockaddrsub(pctx, &cfg_type_sockaddrtls, *flagp, ret));
return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddrtls, type,
ret));
}
void