upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-09 07:02:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '7-remove-dlv-validation' into 'master'

Browse source 
Remove DLV validation code

Closes #7

See merge request isc-projects/bind9!2233
This commit is contained in:
Evan Hunt 2019-08-09 12:40:52 -04:00
commit ed10608663
101 changed files with 1130 additions and 3278 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,3 +1,7 @@
5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete;
all code enabling its use has been removed from the
validator, "delv", and the DNSSEC tools. [GL #7]
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
validated and cached immediately, with no need to

76
bin/delv/delv.c
View file

@ -125,18 +125,16 @@ static bool
static bool
cdflag = false,
no_sigs = false,
root_validation = true,
dlv_validation = true;
root_validation = true;
static bool use_tcp = false;
static char *anchorfile = NULL;
static char *trust_anchor = NULL;
static char *dlv_anchor = NULL;
static int num_keys = 0;
static dns_fixedname_t afn, dfn;
static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
static dns_fixedname_t afn;
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
@ -161,7 +159,7 @@ usage(void) {
" q-opt is one of:\n"
" -x dot-notation (shortcut for reverse lookups)\n"
" -d level (set debugging level)\n"
" -a anchor-file (specify root and dlv trust anchors)\n"
" -a anchor-file (specify root trust anchor)\n"
" -b address[#port] (bind to source address/port)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
@ -181,7 +179,8 @@ usage(void) {
" +[no]comments (Control display of comment lines)\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" format)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields into chunks)\n"
" +[no]tcp (TCP mode)\n"
@ -190,7 +189,7 @@ usage(void) {
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]vtrace (Trace validation process)\n"
" +[no]dlv (DNSSEC lookaside validation anchor)\n"
" +[no]dlv (Obsolete)\n"
" +[no]root (DNSSEC validation trust anchor)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" -h (print help and exit)\n"
@ -381,10 +380,9 @@ print_status(dns_rdataset_t *rdataset) {
tstr = "glue data";
break;
case dns_trust_answer:
if (root_validation || dlv_validation)
if (root_validation) {
tstr = "unsigned answer";
else
tstr = "answer not validated";
}
break;
case dns_trust_authauthority:
tstr = "authority data";
@ -575,30 +573,30 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
bool match_root = false, match_dlv = false;
bool match_root = false;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
if (!root_validation && !dlv_validation)
if (!root_validation) {
return (ISC_R_SUCCESS);
}
if (anchor_name)
if (anchor_name) {
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
}
if (!match_root && !match_dlv)
if (!match_root) {
return (ISC_R_SUCCESS);
if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
}
if (!root_validation && match_root) {
return (ISC_R_SUCCESS);
}
if (match_root)
if (match_root) {
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
trust_anchor);
if (match_dlv)
delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
dlv_anchor);
}
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
@ -697,7 +695,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
if (!root_validation && !dlv_validation) {
if (!root_validation) {
return (ISC_R_SUCCESS);
}
@ -719,9 +717,6 @@ setup_dnsseckeys(dns_client_t *client) {
if (trust_anchor != NULL) {
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
}
if (dlv_anchor != NULL) {
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
}
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
@ -772,11 +767,6 @@ setup_dnsseckeys(dns_client_t *client) {
fatal("No trusted keys were loaded");
}
if (dlv_validation) {
dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
}
cleanup:
if (bindkeys != NULL) {
cfg_obj_destroy(parser, &bindkeys);
@ -1024,11 +1014,10 @@ plus_option(char *option) {
switch (cmd[1]) {
case 'l': /* dlv */
FULLCHECK("dlv");
if (state && no_sigs)
break;
dlv_validation = state;
if (value != NULL) {
dlv_anchor = isc_mem_strdup(mctx, value);
if (state) {
fprintf(stderr, "Invalid option: "
"+dlv is obsolete\n");
exit(1);
}
break;
case 'n': /* dnssec */
@ -1213,7 +1202,6 @@ dash_option(char *option, char *next, bool *open_type_class) {
/* NOTREACHED */
case 'i':
no_sigs = true;
dlv_validation = false;
root_validation = false;
break;
case 'm':
@ -1648,14 +1636,18 @@ main(int argc, char *argv[]) {
/* Set up resolution options */
resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
if (no_sigs)
if (no_sigs) {
resopt |= DNS_CLIENTRESOPT_NODNSSEC;
if (!root_validation && !dlv_validation)
}
if (!root_validation) {
resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
if (cdflag)
}
if (cdflag) {
resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
if (use_tcp)
}
if (use_tcp) {
resopt |= DNS_CLIENTRESOPT_TCP;
}
/* Perform resolution */
ISC_LIST_INIT(namelist);
@ -1680,8 +1672,6 @@ main(int argc, char *argv[]) {
dns_client_freeresanswer(client, &namelist);
cleanup:
if (dlv_anchor != NULL)
isc_mem_free(mctx, dlv_anchor);
if (trust_anchor != NULL)
isc_mem_free(mctx, trust_anchor);
if (anchorfile != NULL)

24
bin/delv/delv.docbook
View file

@ -96,7 +96,7 @@
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
@ -211,10 +211,7 @@
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options. DNSSEC Lookaside
Validation can also be turned on by using the
<option>+dlv=NAME</option> to specify the name of a
zone containing DLV records.
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
@ -620,8 +617,7 @@
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option> and
<option>+nodlv</option>.
<option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
@ -630,7 +626,7 @@
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional (non-lookaside)
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
@ -641,18 +637,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dlv[=DLV]</option></term>
<listitem>
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The <option>-a</option> option must also be used to specify
a file containing the DLV key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>

53
bin/dnssec/dnssec-dsfromkey.c
View file

@ -208,8 +208,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
}
static void
logkey(dns_rdata_t *rdata)
{
logkey(dns_rdata_t *rdata) {
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
@ -228,9 +227,7 @@ logkey(dns_rdata_t *rdata)
}
static void
emit(dns_dsdigest_t dt, bool showall, char *lookaside,
bool cds, dns_rdata_t *rdata)
{
emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
@ -262,18 +259,6 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
if (result != ISC_R_SUCCESS)
fatal("can't print name");
/* Add lookaside origin, if set */
if (lookaside != NULL) {
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, lookaside);
if (lookaside[strlen(lookaside) - 1] != '.') {
if (isc_buffer_availablelength(&nameb) < 1)
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, ".");
}
}
result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
&textb);
@ -293,26 +278,24 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL) {
if (cds)
printf(" CDS ");
else
printf(" DS ");
} else
printf(" DLV ");
if (cds) {
printf(" CDS ");
} else {
printf(" DS ");
}
isc_buffer_usedregion(&textb, &r);
printf("%.*s\n", (int)r.length, r.base);
}
static void
emits(bool showall, char *lookaside, bool cds, dns_rdata_t *rdata) {
emits(bool showall, bool cds, dns_rdata_t *rdata) {
unsigned i, n;
n = sizeof(dtype)/sizeof(dtype[0]);
for (i = 0; i < n; i++) {
if (dtype[i] != 0) {
emit(dtype[i], showall, lookaside, cds, rdata);
emit(dtype[i], showall, cds, rdata);
}
}
}
@ -338,12 +321,11 @@ usage(void) {
" -f zonefile: read keys from a zone file\n"
" -h: print help information\n"
" -K directory: where to find key or keyset files\n"
" -l zone: print DLV records in the given lookaside zone\n"
" -s: read keys from keyset-<dnsname> file\n"
" -T: TTL of output records (omitted by default)\n"
" -v level: verbosity\n"
" -V: print version information\n");
fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
fprintf(stderr, "Output: DS or CDS RRs\n");
exit (-1);
}
@ -352,7 +334,6 @@ int
main(int argc, char **argv) {
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
int ch;
bool cds = false;
@ -397,9 +378,6 @@ main(int argc, char **argv) {
add_dtype(strtodsdigest(isc_commandline_argument));
break;
case 'C':
if (lookaside != NULL)
fatal("lookaside and CDS are mutually"
" exclusive");
cds = true;
break;
case 'c':
@ -418,12 +396,7 @@ main(int argc, char **argv) {
filename = isc_commandline_argument;
break;
case 'l':
if (cds)
fatal("lookaside and CDS are mutually"
" exclusive");
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
fatal("-l option (DLV lookaside) is obsolete");
break;
case 's':
usekeyset = true;
@ -528,7 +501,7 @@ main(int argc, char **argv) {
logkey(&rdata);
}
emits(showall, lookaside, cds, &rdata);
emits(showall, cds, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
@ -536,7 +509,7 @@ main(int argc, char **argv) {
loadkey(argv[isc_commandline_index], key_buf,
DST_KEY_MAXSIZE, &rdata);
emits(showall, lookaside, cds, &rdata);
emits(showall, cds, &rdata);
}
if (dns_rdataset_isassociated(&rdataset)) {

24
bin/dnssec/dnssec-dsfromkey.docbook
View file

@ -112,10 +112,8 @@
<para>
The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly-constructed RRs:
with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
DS) RRs.
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<option>-C</option> option.
</para>
<para>
@ -212,9 +210,7 @@
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with the <option>-l</option> option for generating DLV
records.
Generate CDS records rather than DS records.
</para>
</listitem>
</varlistentry>
@ -260,19 +256,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<replaceable>domain</replaceable> is appended to the name for each
record in the set.
This is mutually exclusive with the <option>-C</option> option
for generating CDS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
@ -362,7 +345,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle> (DS RRs),
<citetitle>RFC 4431</citetitle> (DLV RRs),
<citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
<citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
<citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).

34
bin/dnssec/dnssec-signzone.c
View file

@ -163,8 +163,6 @@ static bool removefile = false;
static bool generateds = false;
static bool ignore_kskflag = false;
static bool keyset_kskonly = false;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
static unsigned int hash_length = 0;
@ -2906,7 +2904,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_dbversion_t *dbversion = NULL;
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
dns_rdata_t rdata, ds;
bool have_ksk = false;
@ -2939,18 +2936,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_diff_init(mctx, &diff);
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
unsigned int labels;
dns_name_init(&tname, NULL);
name = dns_fixedname_initname(&fixed);
labels = dns_name_countlabels(gorigin);
dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
result = dns_name_concatenate(&tname, dlv, name, NULL);
check_result(result, "dns_name_concatenate");
} else
name = gorigin;
name = gorigin;
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
@ -2991,8 +2977,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
DNS_DSDIGEST_SHA256,
dsbuf, &ds);
check_result(result, "dns_ds_buildrdata");
if (type == dns_rdatatype_dlv)
ds.type = dns_rdatatype_dlv;
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADDRESIGN,
name, 0, &ds, &tuple);
@ -3130,7 +3114,6 @@ usage(void) {
"\t\twith older versions of dnssec-signzone -g\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
fprintf(stderr, "\t-3 NSEC3 salt\n");
fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
fprintf(stderr, "\t-A NSEC3 optout\n");
@ -3206,8 +3189,6 @@ main(int argc, char *argv[]) {
int tempfilelen = 0;
dns_rdataclass_t rdclass;
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
hashlist_t hashlist;
bool make_keyset = false;
bool set_salt = false;
@ -3385,14 +3366,7 @@ main(int argc, char *argv[]) {
break;
case 'l':
len = strlen(isc_commandline_argument);
isc_buffer_init(&b, isc_commandline_argument, len);
isc_buffer_add(&b, len);
dlv = dns_fixedname_initname(&dlv_fixed);
result = dns_name_fromtext(dlv, &b, dns_rootname, 0,
NULL);
check_result(result, "dns_name_fromtext(dlv)");
fatal("-l option (DLV lookaside) is obsolete");
break;
case 'M':
@ -3798,10 +3772,8 @@ main(int argc, char *argv[]) {
if (!nokeys) {
writeset("dsset-", dns_rdatatype_ds);
if (make_keyset)
if (make_keyset) {
writeset("keyset-", dns_rdatatype_dnskey);
if (dlv != NULL) {
writeset("dlvset-", dns_rdatatype_dlv);
}
}

10
bin/dnssec/dnssec-signzone.docbook
View file

@ -224,16 +224,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">maxttl</replaceable></term>
<listitem>

11
bin/named/named.conf.docbook
View file

@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2019-06-28</date>
<date>2019-08-07</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
@ -154,7 +154,6 @@ logging {
</literallayout>
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
@ -253,9 +252,6 @@ options {
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable>
trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
@ -614,9 +610,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable>
trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
@ -866,7 +859,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
masters [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable>
| <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [
port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
max-ixfr-log-size ( default | unlimited |
max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
max-records <replaceable>integer</replaceable>;
max-refresh-time <replaceable>integer</replaceable>;
@ -886,7 +878,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable>
| * ) ] [ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
request-expire <replaceable>boolean</replaceable>;
request-ixfr <replaceable>boolean</replaceable>;
serial-update-method ( date | increment | unixtime );

54
bin/named/server.c
View file

@ -3783,7 +3783,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *zonelist;
const cfg_obj_t *dlzlist;
const cfg_obj_t *dlz;
const cfg_obj_t *dlvobj = NULL;
unsigned int dlzargc;
char **dlzargv;
const cfg_obj_t *dyndb_list, *plugin_list;
@ -4614,7 +4613,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
}
/*
* Set supported DS/DLV digest types.
* Set supported DS digest types.
*/
dns_resolver_reset_ds_digests(view->resolver);
disabled = NULL;
@ -5204,57 +5203,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
view->prefetch_eligible = view->prefetch_trigger + 6;
}
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
/* "auto" is deprecated, log a warning if seen */
const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
/* If "no", skip; if "auto", log warning */
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
} else if (!strcasecmp(dom, "auto")) {
/*
* Warning logged by libbind9.
*/
result = ISC_R_NOTFOUND;
}
}
}
if (result == ISC_R_SUCCESS) {
dns_name_t *dlv, *iscdlv;
dns_fixedname_t f;
/* Also log a warning if manually configured to dlv.isc.org */
iscdlv = dns_fixedname_initname(&f);
CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
obj = cfg_listelt_value(element);
obj = cfg_tuple_get(obj, "trust-anchor");
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
if (dns_name_equal(dlv, iscdlv)) {
/*
* Warning logged by libbind9.
*/
view->dlv = NULL;
} else {
view->dlv = dlv;
}
}
} else {
view->dlv = NULL;
}
/*
* For now, there is only one kind of trusted keys, the
* "security roots".

17
bin/python/dnssec-checkds.docbook
View file

@ -59,9 +59,8 @@
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-checkds</command>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</para>
</refsection>
@ -74,7 +73,7 @@
<listitem>
<para>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</para>
@ -98,16 +97,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">file</replaceable></term>
<listitem>

42
bin/python/isc/checkds.py.in
View file

@ -21,7 +21,7 @@ prog = 'dnssec-checkds'
############################################################################
# SECRR class:
# Class for DS/DLV resource record
# Class for DS resource record
############################################################################
class SECRR:
hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'}
@ -33,7 +33,7 @@ class SECRR:
digest = ''
ttl = 0
def __init__(self, rrtext, dlvname = None):
def __init__(self, rrtext):
if not rrtext:
raise Exception
@ -45,24 +45,8 @@ class SECRR:
if len(fields) < 7:
raise Exception
if dlvname:
self.rrtype = "DLV"
self.dlvname = dlvname.lower()
parent = fields[0].lower().strip('.').split('.')
parent.reverse()
dlv = dlvname.split('.')
dlv.reverse()
while len(dlv) != 0 and len(parent) != 0 and parent[0] == dlv[0]:
parent = parent[1:]
dlv = dlv[1:]
if dlv:
raise Exception
parent.reverse()
self.parent = '.'.join(parent)
self.rrname = self.parent + '.' + self.dlvname + '.'
else:
self.rrtype = "DS"
self.rrname = fields[0].lower()
self.rrtype = "DS"
self.rrname = fields[0].lower()
fields = fields[1:]
if fields[0].upper() in ['IN', 'CH', 'HS']:
@ -91,9 +75,9 @@ class SECRR:
############################################################################
# check:
# Fetch DS/DLV RRset for the given zone from the DNS; fetch DNSKEY
# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY
# RRset from the masterfile if specified, or from DNS if not.
# Generate a set of expected DS/DLV records from the DNSKEY RRset,
# Generate a set of expected DS records from the DNSKEY RRset,
# and report on congruency.
############################################################################
def check(zone, args):
@ -101,15 +85,13 @@ def check(zone, args):
if args.dssetfile:
fp = open(args.dssetfile).read()
else:
cmd = [args.dig, "+noall", "+answer", "-t",
"dlv" if args.lookaside else "ds", "-q",
zone + "." + args.lookaside if args.lookaside else zone]
cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
rrlist.append(SECRR(line, args.lookaside))
rrlist.append(SECRR(line))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
@ -117,8 +99,6 @@ def check(zone, args):
cmd = [args.dsfromkey]
for algo in args.algo:
cmd += ['-a', algo]
if args.lookaside:
cmd += ["-l", args.lookaside]
if args.masterfile:
cmd += ["-f", args.masterfile, zone]
@ -132,7 +112,7 @@ def check(zone, args):
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
klist.append(SECRR(line, args.lookaside))
klist.append(SECRR(line))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
@ -182,8 +162,6 @@ def parse_args():
type=str, help='path to \'dnssec-dsfromkey\'')
parser.add_argument('-f', '--file', dest='masterfile', type=str,
help='zone master file')
parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
help='DLV lookaside zone')
parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
@ -191,8 +169,6 @@ def parse_args():
args = parser.parse_args()
args.zone = args.zone.strip('.')
if args.lookaside:
args.lookaside = args.lookaside.strip('.')
return args

15
bin/tests/cfg_test.c
View file

@ -49,7 +49,8 @@ output(void *closure, const char *text, int textlen) {
static void
usage(void) {
fprintf(stderr, "usage: cfg_test --rndc|--named "
"[--grammar] [--memstats] conffile\n");
"[--grammar] [--zonegrammar] [--active] "
"[--memstats] conffile\n");
exit(1);
}
@ -67,6 +68,7 @@ main(int argc, char **argv) {
bool memstats = false;
char *filename = NULL;
unsigned int zonetype = 0;
unsigned int pflags = 0;
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
@ -98,7 +100,9 @@ main(int argc, char **argv) {
usage();
while (argc > 1) {
if (strcmp(argv[1], "--grammar") == 0) {
if (strcmp(argv[1], "--active") == 0) {
pflags |= CFG_PRINTER_ACTIVEONLY;
} else if (strcmp(argv[1], "--grammar") == 0) {
grammar = true;
} else if (strcmp(argv[1], "--zonegrammar") == 0) {
argv++, argc--;
@ -149,13 +153,14 @@ main(int argc, char **argv) {
if (grammar) {
if (type == NULL)
usage();
cfg_print_grammar(type, output, NULL);
cfg_print_grammar(type, pflags, output, NULL);
} else if (zonetype != 0) {
cfg_print_zonegrammar(zonetype, output, NULL);
cfg_print_zonegrammar(zonetype, pflags, output, NULL);
} else {
if (type == NULL || filename == NULL)
usage();
RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &pctx) == ISC_R_SUCCESS);
RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &pctx) ==
ISC_R_SUCCESS);
result = cfg_parse_file(pctx, filename, type, &cfg);

20
bin/tests/system/checkconf/check-dlv-ksk-key.conf
View file

@ -1,20 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-keys {
dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG
xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR
x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL
KjHzpT59k/VStTDN0YUuWrBNh";
};

1
bin/tests/system/checkconf/deprecated.conf
View file

@ -11,7 +11,6 @@
options {
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.example.com;
};
trusted-keys {

21
bin/tests/system/checkconf/tests.sh
View file

@ -130,7 +130,6 @@ n=`expr $n + 1`
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -389,7 +388,7 @@ n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
@ -397,17 +396,15 @@ n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)"
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
lines=$(wc -l < checkconf.out$n)
if [ $lines != 1 ]; then ret=1; fi
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
@ -456,14 +453,6 @@ grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trust anchor for dlv.isc.org is present" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1

0
bin/tests/system/checkconf/good-dlv-dlv.example.com.conf → bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf
View file

6
bin/tests/system/checkds/dig.bat
View file

@ -9,8 +9,6 @@ if "%arg:~0,1%" == "+" goto next
if "%arg%" == "-t" goto next
if "%arg%" == "ds" goto ds
if "%arg%" == "DS" goto ds
if "%arg%" == "dlv" goto dlv
if "%arg%" == "DLV" goto dlv
if "%arg%" == "dnskey" goto dnskey
if "%arg%" == "DNSKEY" goto dnskey
set file=%arg%
@ -20,10 +18,6 @@ goto next
set ext=ds
goto next
:dlv
set ext=dlv
goto next
:dnskey
set ext=dnskey
goto next

4
bin/tests/system/checkds/dig.pl
View file

@ -24,10 +24,6 @@ foreach $arg (@ARGV) {
$ext = "ds";
next;
}
if ($arg =~ /^dlv$/i) {
$ext = "dlv";
next;
}
if ($arg =~ /^dnskey$/i) {
$ext = "dnskey";
next;

1
bin/tests/system/checkds/dig.sh
View file

@ -14,7 +14,6 @@ while [ "$#" != 0 ]; do
+*) shift ;;
-t) shift ;;
DS|ds) ext=ds ; shift ;;
DLV|dlv) ext=dlv ; shift ;;
DNSKEY|dnskey) ext=dnskey ; shift ;;
*) file=$1 ; shift ;;
esac

2
bin/tests/system/checkds/missing.example.dlv.example.dlv.db
View file

@ -1,2 +0,0 @@
missing.example.dlv.example. 3600 IN DLV 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7
missing.example.dlv.example. 3600 IN DLV 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200

0
bin/tests/system/checkds/none.example.dlv.example.dlv.db
View file

2
bin/tests/system/checkds/ok.example.dlv.example.dlv.db
View file

@ -1,2 +0,0 @@
ok.example.dlv.example. 3600 IN DLV 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
ok.example.dlv.example. 3600 IN DLV 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13

76
bin/tests/system/checkds/tests.sh
View file

@ -43,24 +43,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for correct DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for correct DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
@ -79,24 +61,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
@ -119,28 +83,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
@ -159,24 +101,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking with prepared dsset file ($n)"
ret=0
$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1

2
bin/tests/system/checkds/wrong.example.dlv.example.dlv.db
View file

@ -1,2 +0,0 @@
wrong.example.dlv.example. 3600 IN DLV 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC
wrong.example.dlv.example. 3600 IN DLV 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C

2
bin/tests/system/conf.sh.common
View file

@ -59,7 +59,7 @@ PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
acl additional addzone allow-query auth autosign \
builtin cacheclean case catz cds chain \
checkconf checknames checkzone \
cookie database digdelv dlv dlz dlzexternal \
cookie database digdelv dlz dlzexternal \
dns64 dscp dsdigest dyndb \
ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward \

2
bin/tests/system/digdelv/tests.sh
View file

@ -55,7 +55,7 @@ check_ttl_range() {
# using delv insecure mode as not testing dnssec here
delv_with_opts() {
"$DELV" +noroot +nodlv -p "$PORT" "$@"
"$DELV" +noroot -p "$PORT" "$@"
}
KEYID="$(cat ns2/keyid)"

45
bin/tests/system/dlv/clean.sh
View file

@ -1,45 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f ns*/named.run
rm -f ns*/named.conf
rm -f ns1/K*
rm -f ns1/dsset-*
rm -f ns1/*.signed
rm -f ns1/signer.err
rm -f ns1/root.db
rm -f ns1/trusted.conf
rm -f ns2/K*
rm -f ns2/dlvset-*
rm -f ns2/dsset-*
rm -f ns2/*.signed
rm -f ns2/*.pre
rm -f ns2/signer.err
rm -f ns2/druz.db
rm -f ns3/K*
rm -f ns3/*.db
rm -f ns3/*.signed ns3/*.signed.tmp
rm -f ns3/dlvset-*
rm -f ns3/dsset-*
rm -f ns3/keyset-*
rm -f ns3/trusted*.conf
rm -f ns3/signer.err
rm -f ns5/trusted*.conf
rm -f ns6/K*
rm -f ns6/*.db
rm -f ns6/*.signed
rm -f ns6/dsset-*
rm -f ns6/signer.err
rm -f ns7/trusted*.conf ns8/trusted*.conf
rm -f */named.memstats
rm -f dig.out.ns*.test*
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*

25
bin/tests/system/dlv/ns1/named.conf.in
View file

@ -1,25 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." { type master; file "root.signed"; };
zone "rootservers.utld" { type master; file "rootservers.utld.db"; };

26
bin/tests/system/dlv/ns1/root.db.in
View file

@ -1,26 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
1 3600 1200 604800 60 )
@ NS ns.rootservers.utld
ns A 10.53.0.1
;
; A zone that is unsigned (utld=unsigned tld) that will include a second level
; zone that acts as a DLV.
;
utld NS ns.utld
ns.utld A 10.53.0.2
;
; A zone that has a bad DNSKEY RRset but has good DLV records for its child
; zones.
;
druz NS ns.druz
ns.druz A 10.53.0.2

13
bin/tests/system/dlv/ns1/rootservers.utld.db
View file

@ -1,13 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.1

38
bin/tests/system/dlv/ns1/sign.sh
View file

@ -1,38 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
SYSTESTDIR=dlv
(cd ../ns2 && $SHELL -e ./sign.sh || exit 1)
echo_i "dlv/ns1/sign.sh"
zone=.
infile=root.db.in
zonefile=root.db
outfile=root.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
keyfile_to_static_keys $keyname2 > trusted.conf
cp trusted.conf ../ns5
cp trusted.conf ../ns7
cp trusted.conf ../ns8

47
bin/tests/system/dlv/ns2/druz.db.in
View file

@ -1,47 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.2
;
rootservers NS ns.rootservers
ns.rootservers A 10.53.0.1
;
;
child1 NS ns.child1
ns.child1 A 10.53.0.3
;
child2 NS ns.child2
ns.child2 A 10.53.0.4
;
child3 NS ns.child3
ns.child3 A 10.53.0.3
;
child4 NS ns.child4
ns.child4 A 10.53.0.3
;
child5 NS ns.child5
ns.child5 A 10.53.0.3
;
child6 NS ns.child6
ns.child6 A 10.53.0.4
;
child7 NS ns.child7
ns.child7 A 10.53.0.3
;
child8 NS ns.child8
ns.child8 A 10.53.0.3
;
child9 NS ns.child9
ns.child9 A 10.53.0.3
;
child10 NS ns.child10
ns.child10 A 10.53.0.3

11
bin/tests/system/dlv/ns2/hints
View file

@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

37
bin/tests/system/dlv/ns2/named.conf.in
View file

@ -1,37 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
/* Root hints. */
zone "." { type hint; file "hints"; };
/*
* A zone that is unsigned (utld=unsigned tld) that will include a second level
* zone that acts as a DLV.
*/
zone "utld" { type master; file "utld.db"; };
/*
* A zone that has a bad DNSKEY RRset but has good DLV records for its child
* zones.
*/
zone "druz" { type master; file "druz.signed"; };

37
bin/tests/system/dlv/ns2/sign.sh
View file

@ -1,37 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
SYSTESTDIR=dlv
(cd ../ns3 && $SHELL -e ./sign.sh || exit 1)
echo_i "dlv/ns2/sign.sh"
zone=druz.
infile=druz.db.in
zonefile=druz.db
outfile=druz.pre
dlvzone=utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
$CHECKZONE -q -D -i none druz druz.pre |
sed '/IN DNSKEY/s/\([a-z0-9A-Z+/]\{10\}\)[a-z0-9A-Z+/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
echo_i "signed $zone"

61
bin/tests/system/dlv/ns2/utld.db
View file

@ -1,61 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.2
;
rootservers NS ns.rootservers
ns.rootservers A 10.53.0.1
;
dlv NS ns.dlv
ns.dlv A 10.53.0.3
;
disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
ns.disabled-algorithm-dlv A 10.53.0.3
;
unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
ns.unsupported-algorithm-dlv A 10.53.0.3
;
child1 NS ns.child1
ns.child1 A 10.53.0.3
;
child2 NS ns.child2
ns.child2 A 10.53.0.4
;
child3 NS ns.child3
ns.child3 A 10.53.0.3
;
child4 NS ns.child4
ns.child4 A 10.53.0.3
;
child5 NS ns.child5
ns.child5 A 10.53.0.3
;
child6 NS ns.child6
ns.child6 A 10.53.0.4
;
child7 NS ns.child7
ns.child7 A 10.53.0.3
;
child8 NS ns.child8
ns.child8 A 10.53.0.3
;
child9 NS ns.child9
ns.child9 A 10.53.0.3
;
child10 NS ns.child10
ns.child10 A 10.53.0.3
;
disabled-algorithm NS ns.disabled-algorithm
ns.disabled-algorithm A 10.53.0.3
;
unsupported-algorithm NS ns.unsupported-algorithm
ns.unsupported-algorithm A 10.53.0.3

17
bin/tests/system/dlv/ns3/child.db.in
View file

@ -1,17 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.3
foo TXT foo
bar TXT bar
grand NS ns.grand
ns.grand A 10.53.0.6

13
bin/tests/system/dlv/ns3/dlv.db.in
View file

@ -1,13 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.3

11
bin/tests/system/dlv/ns3/hints
View file

@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

141
bin/tests/system/dlv/ns3/named.conf.in
View file

@ -1,141 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
/* Root hints. */
zone "." { type hint; file "hints"; };
/* DLV zone below unsigned TLD. */
zone "dlv.utld" { type master; file "dlv.utld.signed"; };
/* DLV zone signed with a disabled algorithm below unsigned TLD. */
zone "disabled-algorithm-dlv.utld." {
type master;
file "disabled-algorithm-dlv.utld.signed";
};
/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
zone "unsupported-algorithm-dlv.utld." {
type master;
file "unsupported-algorithm-dlv.utld.signed";
};
/* Signed zone below unsigned TLD with DLV entry. */
zone "child1.utld" { type master; file "child1.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with a disabled algorithm.
*/
zone "child3.utld" { type master; file "child3.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry. This one is slightly
* different because its children (the grandchildren) don't have a DS record in
* this zone. The grandchild zones are served by ns6.
*
*/
zone "child4.utld" { type master; file "child4.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with an unsupported algorithm.
*/
zone "child5.utld" { type master; file "child5.signed"; };
/* Signed zone below unsigned TLD without DLV entry. */
zone "child7.utld" { type master; file "child7.signed"; };
/*
* Signed zone below unsigned TLD without DLV entry and no DS records for the
* grandchildren.
*/
zone "child8.utld" { type master; file "child8.signed"; };
/* Signed zone below unsigned TLD with DLV entry. */
zone "child9.utld" { type master; file "child9.signed"; };
/* Unsigned zone below an unsigned TLD with DLV entry. */
zone "child10.utld" { type master; file "child.db.in"; };
/*
* Zone signed with a disabled algorithm (an algorithm that is disabled in
* one of the test resolvers) with DLV entry.
*/
zone "disabled-algorithm.utld" {
type master;
file "disabled-algorithm.utld.signed";
};
/* Zone signed with an unsupported algorithm with DLV entry. */
zone "unsupported-algorithm.utld" {
type master;
file "unsupported-algorithm.utld.signed";
};
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust.
*/
zone "child1.druz" { type master; file "child1.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. The DLV zone is signed with a disabled algorithm.
*/
zone "child3.druz" { type master; file "child3.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. Also there are no DS records for the grandchildren.
*/
zone "child4.druz" { type master; file "child4.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. The DLV zone is signed with an unsupported algorithm.
*/
zone "child5.druz" { type master; file "child5.druz.signed"; };
/*
* Signed zone below signed TLD without DLV entry, and no chain of
* trust.
*/
zone "child7.druz" { type master; file "child7.druz.signed"; };
/*
* Signed zone below signed TLD without DLV entry and no DS set. Also DS
* records for the grandchildren are not included in the zone.
*/
zone "child8.druz" { type master; file "child8.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no DS set. Also DS
* records for the grandchildren are not included in the zone.
*/
zone "child9.druz" { type master; file "child9.druz.signed"; };
/*
* Unsigned zone below signed TLD with good DLV entry but no chain of
* trust.
*/
zone "child10.druz" { type master; file "child.db.in"; };

397
bin/tests/system/dlv/ns3/sign.sh
View file

@ -1,397 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
(cd ../ns6 && $SHELL -e ./sign.sh)
echo_i "dlv/ns3/sign.sh"
dlvzone="dlv.utld"
dlvsets=
dssets=
disableddlvzone="disabled-algorithm-dlv.utld"
disableddlvsets=
disableddssets=
unsupporteddlvzone="unsupported-algorithm-dlv.utld"
unsupporteddlvsets=
unsupporteddssets=
# Signed zone below unsigned TLD with DLV entry.
zone=child1.utld
infile=child.db.in
zonefile=child1.utld.db
outfile=child1.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with a disabled algorithm.
zone=child3.utld
infile=child.db.in
zonefile=child3.utld.db
outfile=child3.signed
disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry. This one is slightly
# different because its children (the grandchildren) don't have a DS record in
# this zone. The grandchild zones are served by ns6.
zone=child4.utld
infile=child.db.in
zonefile=child4.utld.db
outfile=child4.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with an unsupported algorithm.
zone=child5.utld
infile=child.db.in
zonefile=child5.utld.db
outfile=child5.signed
unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD without DLV entry.
zone=child7.utld
infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD without DLV entry and no DS records for the
# grandchildren.
zone=child8.utld
infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry.
zone=child9.utld
infile=child.db.in
zonefile=child9.utld.db
outfile=child9.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
# the zone to generate the DLV set.
zone=child10.utld
infile=child.db.in
zonefile=child10.utld.db
outfile=child10.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Zone signed with a disabled algorithm (an algorithm that is disabled in
# one of the test resolvers) with DLV entry.
zone=disabled-algorithm.utld
infile=child.db.in
zonefile=disabled-algorithm.utld.db
outfile=disabled-algorithm.utld.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Zone signed with an unsupported algorithm with DLV entry.
zone=unsupported-algorithm.utld
infile=child.db.in
zonefile=unsupported-algorithm.utld.db
outfile=unsupported-algorithm.utld.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
cp ${keyname2}.key ${keyname2}.tmp
awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
cp dlvset-${zone}${TP} dlvset-${zone}tmp
awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}${TP}
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set.
zone=child1.druz
infile=child.db.in
zonefile=child1.druz.db
outfile=child1.druz.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
dssets="$dssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
# signed with a disabled algorithm.
zone=child3.druz
infile=child.db.in
zonefile=child3.druz.db
outfile=child3.druz.signed
disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
disableddssets="$disableddssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set, but missing
# DS records for the grandchildren.
zone=child4.druz
infile=child.db.in
zonefile=child4.druz.db
outfile=child4.druz.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
dssets="$dssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
# signed with an unsupported algorithm algorithm.
zone=child5.druz
infile=child.db.in
zonefile=child5.druz.db
outfile=child5.druz.signed
unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
unsupporteddssets="$unsupportedssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD without DLV entry, but with normal DS set.
zone=child7.druz
infile=child.db.in
zonefile=child7.druz.db
outfile=child7.druz.signed
dssets="$dssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.${zone}${TP}
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD without DLV entry and no DS set. Also DS
# records for the grandchildren are not included in the zone.
zone=child8.druz
infile=child.db.in
zonefile=child8.druz.db
outfile=child8.druz.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry but no DS set. Also DS
# records for the grandchildren are not included in the zone.
zone=child9.druz
infile=child.db.in
zonefile=child9.druz.db
outfile=child9.druz.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Unsigned zone below signed TLD with DLV entry and DS set. We still need to
# sign the zone to generate the DS sets.
zone=child10.druz
infile=child.db.in
zonefile=child10.druz.db
outfile=child10.druz.signed
dlvsets="$dlvsets dlvset-${zone}${TP}"
dssets="$dssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
cp $dssets ../ns2
cp $disableddssets ../ns2
cp $unsupporteddssets ../ns2
# DLV zones
infile=dlv.db.in
for zone in dlv.utld disabled-algorithm-dlv.utld unsupported-algorithm-dlv.utld
do
zonefile="${zone}.db"
outfile="${zone}.signed"
case $zone in
"dlv.utld")
algorithm=$DEFAULT_ALGORITHM
bits=$DEFAULT_BITS
dlvfiles=$dlvsets
;;
"disabled-algorithm-dlv.utld")
algorithm=$DISABLED_ALGORITHM
bits=$DISABLED_BITS
dlvfiles=$disableddlvsets
;;
"unsupported-algorithm-dlv.utld")
algorithm=$DEFAULT_ALGORITHM
bits=$DEFAULT_BITS
dlvfiles=$unsupporteddlvsets
;;
esac
keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
case $zone in
"dlv.utld")
$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
keyfile_to_static_keys $keyname2 > ../ns5/trusted-dlv.conf
;;
"disabled-algorithm-dlv.utld")
$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
keyfile_to_static_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf
;;
"unsupported-algorithm-dlv.utld")
cp ${keyname2}.key ${keyname2}.tmp
$SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
keyfile_to_static_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
;;
esac
echo_i "signed $zone"
done

34
bin/tests/system/dlv/ns4/child.db
View file

@ -1,34 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.3
;
rootservers NS ns.rootservers
ns.rootservers A 10.53.0.1
;
child1 NS ns.child1
ns.child1 A 10.53.0.3
;
child2 NS ns.child2
ns.child2 A 10.53.0.4
;
child3 NS ns.child3
ns.child3 A 10.53.0.3
;
child4 NS ns.child4
ns.child4 A 10.53.0.3
;
child5 NS ns.child5
ns.child5 A 10.53.0.3
;
child6 NS ns.child5
ns.child6 A 10.53.0.4

11
bin/tests/system/dlv/ns4/hints
View file

@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

26
bin/tests/system/dlv/ns4/named.conf.in
View file

@ -1,26 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." { type hint; file "hints"; };
zone "child2.utld" { type master; file "child.db"; };
zone "child6.utld" { type master; file "child.db"; };

11
bin/tests/system/dlv/ns5/hints
View file

@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

30
bin/tests/system/dlv/ns5/named.conf.in
View file

@ -1,30 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "trusted.conf";
include "trusted-dlv.conf";
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "dlv.utld";
disable-algorithms "utld." { @DISABLED_ALGORITHM@; };
};
zone "." { type hint; file "hints"; };

20
bin/tests/system/dlv/ns5/rndc.conf
View file

@ -1,20 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
algorithm hmac-sha256;
secret "34f88008d07deabbe65bd01f1d233d47";
};
options {
default-server 10.53.0.5;
default-port 5353;
};

15
bin/tests/system/dlv/ns6/child.db.in
View file

@ -1,15 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 120
@ SOA ns hostmaster.ns6 1 3600 1200 604800 60
@ NS ns
ns A 10.53.0.6
foo TXT foo
bar TXT bar

11
bin/tests/system/dlv/ns6/hints
View file

@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

40
bin/tests/system/dlv/ns6/named.conf.in
View file

@ -1,40 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." { type hint; file "hints"; };
zone "grand.child1.utld" { type master; file "grand.child1.signed"; };
zone "grand.child3.utld" { type master; file "grand.child3.signed"; };
zone "grand.child4.utld" { type master; file "grand.child4.signed"; };
zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };

251
bin/tests/system/dlv/ns6/sign.sh
View file

@ -1,251 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
SYSTESTDIR=dlv
echo_i "dlv/ns6/sign.sh"
zone=grand.child1.utld.
infile=child.db.in
zonefile=grand.child1.utld.db
outfile=grand.child1.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child3.utld.
infile=child.db.in
zonefile=grand.child3.utld.db
outfile=grand.child3.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child4.utld.
infile=child.db.in
zonefile=grand.child4.utld.db
outfile=grand.child4.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child5.utld.
infile=child.db.in
zonefile=grand.child5.utld.db
outfile=grand.child5.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child7.utld.
infile=child.db.in
zonefile=grand.child7.utld.db
outfile=grand.child7.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child8.utld.
infile=child.db.in
zonefile=grand.child8.utld.db
outfile=grand.child8.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child9.utld.
infile=child.db.in
zonefile=grand.child9.utld.db
outfile=grand.child9.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child10.utld.
infile=child.db.in
zonefile=grand.child10.utld.db
outfile=grand.child10.signed
dlvzone=dlv.utld.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child1.druz.
infile=child.db.in
zonefile=grand.child1.druz.db
outfile=grand.child1.druz.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child3.druz.
infile=child.db.in
zonefile=grand.child3.druz.db
outfile=grand.child3.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child4.druz.
infile=child.db.in
zonefile=grand.child4.druz.db
outfile=grand.child4.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child5.druz.
infile=child.db.in
zonefile=grand.child5.druz.db
outfile=grand.child5.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child7.druz.
infile=child.db.in
zonefile=grand.child7.druz.db
outfile=grand.child7.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child8.druz.
infile=child.db.in
zonefile=grand.child8.druz.db
outfile=grand.child8.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child9.druz.
infile=child.db.in
zonefile=grand.child9.druz.db
outfile=grand.child9.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=grand.child10.druz.
infile=child.db.in
zonefile=grand.child10.druz.db
outfile=grand.child10.druz.signed
dlvzone=dlv.druz.
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

12
bin/tests/system/dlv/ns7/hints
View file

@ -1,12 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

31
bin/tests/system/dlv/ns7/named.conf.in
View file

@ -1,31 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "trusted.conf";
include "trusted-dlv-unsupported.conf";
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
};
zone "." { type hint; file "hints"; };

12
bin/tests/system/dlv/ns8/hints
View file

@ -1,12 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1

32
bin/tests/system/dlv/ns8/named.conf.in
View file

@ -1,32 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "trusted.conf";
include "trusted-dlv-disabled.conf";
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.8; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
};
zone "." { type hint; file "hints"; };

26
bin/tests/system/dlv/setup.sh
View file

@ -1,26 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
(cd ns1 && $SHELL -e sign.sh)

111
bin/tests/system/dlv/tests.sh
View file

@ -1,111 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
ret=0
$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Test that a child zone that is signed with an unsupported algorithm,
# referenced by a good DLV zone, yields an insecure response.
echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
ret=0
$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Test that a child zone that is signed with a disabled algorithm,
# referenced by a good DLV zone, yields an insecure response.
echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
ret=0
$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Test that a child zone that is signed with a known algorithm, referenced by
# a DLV zone that is signed with a disabled algorithm, yields a bogus
# response.
echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
ret=0
$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Test that a child zone that is signed with a known algorithm, referenced by
# a DLV zone that is signed with an unsupported algorithm, yields a bogus
# response.
echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
ret=0
$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

5
bin/tests/system/dnssec/README
View file

@ -14,9 +14,12 @@ for the root.
ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV.
ns6 is an caching and authoritative server used for testing unusual
server behaviors such as disabled DNSSEC algorithms.
ns7 is used for checking non-cacheable answers.
ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.
ns9 is a forwarding-only server.

4
bin/tests/system/dnssec/clean.sh
View file

@ -11,7 +11,7 @@
set -e
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed
rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
rm -f ./*/example.bk
rm -f ./*/named.conf
rm -f ./*/named.memstats
@ -44,10 +44,8 @@ rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
rm -f ./ns2/cds-kskonly.secure.db
rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
rm -f ./ns2/dlv.db
rm -f ./ns2/in-addr.arpa.db
rm -f ./ns2/nsec3chain-test.db
rm -f ./ns2/private.secure.example.db
rm -f ./ns2/single-nsec3.db
rm -f ./ns2/updatecheck-kskonly.secure.*
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db

2
bin/tests/system/dnssec/ns1/root.db.in
View file

@ -20,8 +20,6 @@ a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2
dlv. NS ns2.dlv.
ns2.dlv. A 10.53.0.2
algroll. NS ns2.algroll.
ns2.algroll. A 10.53.0.2
managed. NS ns2.managed.

1
bin/tests/system/dnssec/ns1/sign.sh
View file

@ -25,7 +25,6 @@ zonefile=root.db
echo_i "ns1/sign.sh"
cp "../ns2/dsset-example$TP" .
cp "../ns2/dsset-dlv$TP" .
cp "../ns2/dsset-in-addr.arpa$TP" .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"

19
bin/tests/system/dnssec/ns2/dlv.db.in
View file

@ -1,19 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2

11
bin/tests/system/dnssec/ns2/named.conf.in
View file

@ -40,11 +40,6 @@ zone "." {
file "../../common/root.hint";
};
zone "dlv" {
type master;
file "dlv.db.signed";
};
zone "trusted" {
type master;
file "trusted.db.signed";
@ -61,12 +56,6 @@ zone "example" {
allow-update { any; };
};
zone "private.secure.example" {
type master;
file "private.secure.example.db.signed";
allow-update { any; };
};
zone "insecure.secure.example" {
type master;
file "insecure.secure.example.db";

25
bin/tests/system/dnssec/ns2/sign.sh
View file

@ -136,31 +136,6 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
# Sign the privately secure file
privzone=private.secure.example
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db
privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone")
cat "$privinfile" "$privkeyname.key" > "$privzonefile"
"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1
# Sign the DLV secure zone.
dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
dlvsetfile="dlvset-${privzone}${TP}"
dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone")
cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"
"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1
# Sign the badparam secure file
zone=badparam.

1
bin/tests/system/dnssec/ns6/named.conf.in
View file

@ -23,7 +23,6 @@ options {
notify yes;
disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv;
};
zone "." {

67
bin/tests/system/dnssec/tests.sh
View file

@ -1212,34 +1212,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that positive validation in a privately secure zone works ($n)"
ret=0
dig_with_opts +noauth a.private.secure.example. a @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
dig_with_opts +noauth a.private.secure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that negative validation in a privately secure zone works ($n)"
ret=0
dig_with_opts +noauth q.private.secure.example. a @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
dig_with_opts +noauth q.private.secure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that lookups succeed after disabling an algorithm ($n)"
ret=0
dig_with_opts +noauth example. SOA @10.53.0.2 \
@ -1253,28 +1225,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking privately secure to nxdomain works ($n)"
ret=0
dig_with_opts +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking privately secure wildcard to nxdomain works ($n)"
ret=0
dig_with_opts +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking a non-cachable NODATA works ($n)"
ret=0
dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
@ -1299,21 +1249,6 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
#
# private.secure.example is served by the same server as its
# grand parent and there is not a secure delegation from secure.example
# to private.secure.example. In addition secure.example is using a
# algorithm which the validation does not support.
#
echo_i "checking dnssec-lookaside-validation works ($n)"
ret=0
dig_with_opts private.secure.example. SOA @10.53.0.6 \
> dig.out.ns6.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that we can load a rfc2535 signed zone ($n)"
ret=0
dig_with_opts rfc2535.example. SOA @10.53.0.2 \
@ -2433,7 +2368,7 @@ status=$((status+ret))
echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
ret=0
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
n=$((n+1))

2
bin/tests/system/filter-aaaa/ns1/sign.sh
View file

@ -14,8 +14,6 @@ SYSTEMTESTTOP=../..
SYSTESTDIR=filter-aaaa
dlvsets=
zone=signed.
infile=signed.db.in
zonefile=signed.db.signed

2
bin/tests/system/filter-aaaa/ns4/sign.sh
View file

@ -14,8 +14,6 @@ SYSTEMTESTTOP=../..
SYSTESTDIR=filter-aaaa
dlvsets=
zone=signed.
infile=signed.db.in
zonefile=signed.db.signed

2
bin/tests/system/wildcard/ns1/named.conf.in
View file

@ -24,8 +24,6 @@ options {
zone "." { type master; file "root.db.signed"; };
zone "dlv" { type master; file "dlv.db.signed"; };
zone "nsec" { type master; file "nsec.db.signed"; };
zone "private.nsec" { type master; file "private.nsec.db.signed"; };

1
bin/tests/system/wildcard/ns1/root.db.in
View file

@ -11,6 +11,5 @@ $TTL 120
@ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
@ NS a.root-servers.nil
a.root-servers.nil A 10.53.0.1
dlv NS a.root-servers.nil
nsec NS a.root-servers.nil
nsec3 NS a.root-servers.nil

14
bin/tests/system/wildcard/ns1/sign.sh
View file

@ -16,20 +16,6 @@ SYSTESTDIR=wildcard
dssets=
zone=dlv
infile=dlv.db.in
zonefile=dlv.db
outfile=dlv.db.signed
dssets="$dssets dsset-${zone}${TP}"
keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
zone=nsec
infile=nsec.db.in
zonefile=nsec.db

1
bin/tests/system/wildcard/ns5/named.conf.in
View file

@ -20,7 +20,6 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
dnssec-lookaside . trust-anchor dlv;
};
include "../ns1/trusted.conf";

48
doc/arm/Bv9ARM-book.xml
View file

@ -2184,11 +2184,11 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para><command>dnssec-signzone</command>
will also produce a keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administrators with the <literal>DNSKEYs</literal> (or their
corresponding <literal>DS</literal> records) that are the
secure entry point to the zone.
will also produce a keyset and dsset files. These are used
to provide the parent zone administrators with the
<literal>DNSKEYs</literal> (or their corresponding
<literal>DS</literal> records) that are the secure entry
point to the zone.
</para>
</section>
@ -5069,7 +5069,7 @@ options {
<term><command>disable-ds-digests</command></term>
<listitem>
<para>
Disable the specified DS/DLV digest types at and below the
Disable the specified DS digest types at and below the
specified name.
Multiple <command>disable-ds-digests</command>
statements are allowed.
@ -5084,40 +5084,6 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-lookaside</command></term>
<listitem>
<para>
When set, <command>dnssec-lookaside</command> provides the
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<command>dnssec-lookaside</command>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>no</userinput>, then dnssec-lookaside
is not used.
</para>
<para>
This option is deprecated and its use is discouraged.
</para>
<para>
NOTE: The ISC-provided DLV service at
<literal>dlv.isc.org</literal>, has been shut down.
The <command>dnssec-lookaside auto;</command>
configuration option, which set <command>named</command>
up to use ISC DLV with minimal configuration, has
accordingly been removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-must-be-secure</command></term>
<listitem>
@ -13338,7 +13304,7 @@ view external {
</entry>
<entry colname="2">
<para>
A DNS Look-aside Validation record which contains
A DNS Lookaside Validation record which contains
the records that are used as trust anchors for
zones in a DLV namespace. Described in RFC 4431.
</para>

13
doc/arm/notes.xml
View file

@ -204,8 +204,13 @@
</listitem>
<listitem>
<para>
The <command>dnssec-lookaside</command> option has been deprecated.
The feature still works, but it is discouraged to use it. [GL #7]
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <command>dnssec-lookaside</command> option has been
marked as deprecated; when used in <filename>named.conf</filename>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <command>delv</command>, and the DNSSEC tools.
[GL #7]
</para>
</listitem>
</itemizedlist>
@ -216,9 +221,7 @@
<listitem>
<para>
<command>named</command> will now log a warning if
a static key is configured for the root zone, or if
any key is configured for "dlv.isc.org", which has been shut
down. [GL #6]
a static key is configured for the root zone. [GL #6]
</para>
</listitem>
<listitem>

5
doc/arm/options.grammar.xml
View file

@ -58,7 +58,7 @@
<command>check-srv-cname</command> ( fail | warn | ignore );
<command>check-wildcard</command> <replaceable>boolean</replaceable>;
<command>clients-per-query</command> <replaceable>integer</replaceable>;
<command>cookie-algorithm</command> ( aes | sha1 | sha256 );
<command>cookie-algorithm</command> ( aes | siphash24 );
<command>cookie-secret</command> <replaceable>string</replaceable>;
<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
@ -89,9 +89,6 @@
<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable>
<command>trust-anchor</command> <replaceable>string</replaceable> |
<command>auto</command> | no ); deprecated
<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );

48
doc/misc/Makefile.in
View file

@ -33,26 +33,30 @@ options: FORCE
if test -x ${CFG_TEST} ; \
then \
${CFG_TEST} --named --grammar > $@.raw ; \
${CFG_TEST} --zonegrammar master > master.zoneopt ; \
${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \
${CFG_TEST} --zonegrammar mirror > mirror.zoneopt ; \
${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \
${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \
${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \
${CFG_TEST} --zonegrammar static-stub > static-stub.zoneopt ; \
${CFG_TEST} --zonegrammar redirect > redirect.zoneopt ; \
${CFG_TEST} --zonegrammar delegation-only > delegation-only.zoneopt ; \
${CFG_TEST} --zonegrammar in-view > in-view.zoneopt ; \
${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
mv -f $@.new $@ ; \
${CFG_TEST} --named --grammar --active > $@.raw ; \
${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
mv -f $@.new $@.active ; \
rm -f $@.raw $@.sorted ; \
${CFG_TEST} --zonegrammar master --active > master.zoneopt ; \
${CFG_TEST} --zonegrammar slave --active > slave.zoneopt ; \
${CFG_TEST} --zonegrammar mirror --active > mirror.zoneopt ; \
${CFG_TEST} --zonegrammar forward --active > forward.zoneopt ; \
${CFG_TEST} --zonegrammar hint --active > hint.zoneopt ; \
${CFG_TEST} --zonegrammar stub --active > stub.zoneopt ; \
${CFG_TEST} --zonegrammar static-stub --active > static-stub.zoneopt ; \
${CFG_TEST} --zonegrammar redirect --active > redirect.zoneopt ; \
${CFG_TEST} --zonegrammar delegation-only --active > delegation-only.zoneopt ; \
${CFG_TEST} --zonegrammar in-view --active > in-view.zoneopt ; \
else \
rm -f $@.new $@.raw $@.sorted ; \
fi
docbook: options
${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook
${PERL} docbook-options.pl options.active > ${top_srcdir}/bin/named/named.conf.docbook
${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml
${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml
${PERL} docbook-zoneopt.pl mirror.zoneopt > ${top_srcdir}/doc/arm/mirror.zoneopt.xml
@ -63,14 +67,14 @@ docbook: options
${PERL} docbook-zoneopt.pl redirect.zoneopt > ${top_srcdir}/doc/arm/redirect.zoneopt.xml
${PERL} docbook-zoneopt.pl delegation-only.zoneopt > ${top_srcdir}/doc/arm/delegation-only.zoneopt.xml
${PERL} docbook-zoneopt.pl in-view.zoneopt > ${top_srcdir}/doc/arm/in-view.zoneopt.xml
${PERL} docbook-grammars.pl options acl > ${top_srcdir}/doc/arm/acl.grammar.xml
${PERL} docbook-grammars.pl options controls > ${top_srcdir}/doc/arm/controls.grammar.xml
${PERL} docbook-grammars.pl options key > ${top_srcdir}/doc/arm/key.grammar.xml
${PERL} docbook-grammars.pl options logging > ${top_srcdir}/doc/arm/logging.grammar.xml
${PERL} docbook-grammars.pl options masters > ${top_srcdir}/doc/arm/masters.grammar.xml
${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml
${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml
${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
${PERL} docbook-grammars.pl options dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
${PERL} docbook-grammars.pl options.active acl > ${top_srcdir}/doc/arm/acl.grammar.xml
${PERL} docbook-grammars.pl options.active controls > ${top_srcdir}/doc/arm/controls.grammar.xml
${PERL} docbook-grammars.pl options.active key > ${top_srcdir}/doc/arm/key.grammar.xml
${PERL} docbook-grammars.pl options.active logging > ${top_srcdir}/doc/arm/logging.grammar.xml
${PERL} docbook-grammars.pl options.active masters > ${top_srcdir}/doc/arm/masters.grammar.xml
${PERL} docbook-grammars.pl options.active options > ${top_srcdir}/doc/arm/options.grammar.xml
${PERL} docbook-grammars.pl options.active server > ${top_srcdir}/doc/arm/server.grammar.xml
${PERL} docbook-grammars.pl options.active statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
${PERL} docbook-grammars.pl options.active dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
${PERL} docbook-grammars.pl options.active managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
${PERL} docbook-grammars.pl options.active trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml

6
doc/misc/docbook-grammars.pl
View file

@ -59,12 +59,6 @@ while (<FH>) {
$display = 1
}
if (m{// not.*implemented} || m{// obsolete} ||
m{// ancient} || m{// test.*only})
{
next;
}
s{ // not configured}{};
s{ // non-operational}{};
s{ // may occur multiple times,*}{};

20
doc/misc/docbook-options.pl
View file

@ -120,12 +120,6 @@ while (<FH>) {
my $blank = 0;
while (<FH>) {
if (m{// not.*implemented} || m{// obsolete} ||
m{// ancient} || m{// test.*only})
{
next;
}
s{ // not configured}{};
s{ // non-operational}{};
s{ (// )*may occur multiple times,*}{};
@ -140,22 +134,22 @@ while (<FH>) {
<refsection><info><title>$HEADING</title></info>
END
if ($1 eq "trusted-keys") {
print <<END;
if ($1 eq "trusted-keys") {
print <<END;
<para>Deprecated - see DNSSEC-KEYS.</para>
END
}
}
if ($1 eq "managed-keys") {
print <<END;
if ($1 eq "managed-keys") {
print <<END;
<para>Deprecated - see DNSSEC-KEYS.</para>
END
}
}
print <<END;
<literallayout class="normal">
END
}
}
if (m{^\s*$} && !$blank) {
$blank = 1;

6
doc/misc/docbook-zoneopt.pl
View file

@ -44,12 +44,6 @@ print <<END;
END
while (<FH>) {
if (m{// not.*implemented} || m{// obsolete} ||
m{// ancient} || m{// test.*only})
{
next;
}
s{ // not configured}{};
s{ // may occur multiple times,*}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;

2
doc/misc/format-options.pl
View file

@ -11,7 +11,7 @@
print <<END;
This is a summary of the named.conf options supported by
This is a summary of the named.conf options supported by
this version of BIND 9.
END

1
doc/misc/master.zoneopt
View file

@ -44,7 +44,6 @@ zone <string> [ <class> ] {
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
serial-update-method ( date | increment | unixtime );
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;

12
doc/misc/options
View file

@ -1,5 +1,5 @@
This is a summary of the named.conf options supported by
This is a summary of the named.conf options supported by
this version of BIND 9.
acl <string> { <address_match_element>; ... }; // may occur multiple times
@ -148,7 +148,7 @@ options {
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string>
trust-anchor <string> |
auto | no ); // may occur multiple times, deprecated
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
@ -193,7 +193,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
@ -214,7 +214,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
@ -527,7 +527,7 @@ view <string> [ <class> ] {
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string>
trust-anchor <string> |
auto | no ); // may occur multiple times, deprecated
auto | no ); // obsolete, may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
@ -565,7 +565,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key

867
doc/misc/options.active Normal file
View file

@ -0,0 +1,867 @@
This is a summary of the named.conf options supported by
this version of BIND 9.
acl <string> { <address_match_element>; ... }; // may occur multiple times
controls {
inet ( <ipv4_address> | <ipv6_address> |
* ) [ port ( <integer> | * ) ] allow
{ <address_match_element>; ... } [
keys { <string>; ... } ] [ read-only
<boolean> ]; // may occur multiple times
unix <quoted_string> perm <integer>
owner <integer> group <integer> [
keys { <string>; ... } ] [ read-only
<boolean> ]; // may occur multiple times
}; // may occur multiple times
dlz <string> {
database <string>;
search <boolean>;
}; // may occur multiple times
dnssec-keys { <string> ( static-key |
initial-key ) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dyndb <string> <quoted_string> {
<unspecified-text> }; // may occur multiple times
key <string> {
algorithm <string>;
secret <string>;
}; // may occur multiple times
logging {
category <string> { <string>; ... }; // may occur multiple times
channel <string> {
buffered <boolean>;
file <quoted_string> [ versions ( unlimited | <integer> ) ]
[ size <size> ] [ suffix ( increment | timestamp ) ];
null;
print-category <boolean>;
print-severity <boolean>;
print-time ( iso8601 | iso8601-utc | local | <boolean> );
severity <log_severity>;
stderr;
syslog [ <syslog_facility> ];
}; // may occur multiple times
};
managed-keys { <string> ( static-key
| initial-key ) <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
masters <string> [ port <integer> ] [ dscp
<integer> ] { ( <masters> | <ipv4_address> [
port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... }; // may occur multiple times
options {
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-cache { <address_match_element>; ... };
allow-query-cache-on { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
answer-cookie <boolean>;
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... };
avoid-v6-udp-ports { <portrange>; ... };
bindkeys-file <quoted_string>;
blackhole { <address_match_element>; ... };
cache-file <quoted_string>;
catalog-zones { zone <string> [ default-masters [ port <integer> ]
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
check-names ( primary | master |
secondary | slave | response ) (
fail | warn | ignore ); // may occur multiple times
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
clients-per-query <integer>;
cookie-algorithm ( aes | siphash24 );
cookie-secret <string>; // may occur multiple times
coresize ( default | unlimited | <sizeval> );
datasize ( default | unlimited | <sizeval> );
deny-answer-addresses { <address_match_element>; ... } [
except-from { <string>; ... } ];
deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
directory <quoted_string>;
disable-algorithms <string> { <string>;
... }; // may occur multiple times
disable-ds-digests <string> { <string>;
... }; // may occur multiple times
disable-empty-zone <string>; // may occur multiple times
dns64 <netprefix> {
break-dnssec <boolean>;
clients { <address_match_element>; ... };
exclude { <address_match_element>; ... };
mapped { <address_match_element>; ... };
recursive-only <boolean>;
suffix <ipv6_address>;
}; // may occur multiple times
dns64-contact <string>;
dns64-server <string>;
dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver | update ) [ ( query | response ) ];
... }; // not configured
dnstap-identity ( <quoted_string> | none |
hostname ); // not configured
dnstap-output ( file | unix ) <quoted_string> [
size ( unlimited | <size> ) ] [ versions (
unlimited | <integer> ) ] [ suffix ( increment
| timestamp ) ]; // not configured
dnstap-version ( <quoted_string> | none ); // not configured
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
<integer> ] [ dscp <integer> ] ); ... };
dump-file <quoted_string>;
edns-udp-size <integer>;
empty-contact <string>;
empty-server <string>;
empty-zones-enable <boolean>;
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( default | unlimited | <sizeval> );
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
fstrm-set-buffer-hint <integer>; // not configured
fstrm-set-flush-timeout <integer>; // not configured
fstrm-set-input-queue-size <integer>; // not configured
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none );
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
inline-signing <boolean>;
interface-interval <ttlval>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
keep-response-order { <address_match_element>; ... };
key-directory <quoted_string>;
lame-ttl <ttlval>;
listen-on [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-mapped-addresses <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-rsa-exponent-size <integer>;
max-stale-ttl <ttlval>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
memstatistics <boolean>;
memstatistics-file <quoted_string>;
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
multi-master <boolean>;
new-zones-directory <quoted_string>;
no-case-compress { <address_match_element>; ... };
nocookie-udp-size <integer>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-rate <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nxdomain-redirect <string>;
pid-file ( <quoted_string> | none );
port <integer>;
preferred-glue <string>;
prefetch <integer> [ <integer> ];
provide-ixfr <boolean>;
qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
querylog <boolean>;
random-device ( <quoted_string> | none );
rate-limit {
all-per-second <integer>;
errors-per-second <integer>;
exempt-clients { <address_match_element>; ... };
ipv4-prefix-length <integer>;
ipv6-prefix-length <integer>;
log-only <boolean>;
max-table-size <integer>;
min-table-size <integer>;
nodata-per-second <integer>;
nxdomains-per-second <integer>;
qps-scale <integer>;
referrals-per-second <integer>;
responses-per-second <integer>;
slip <integer>;
window <integer>;
};
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
require-server-cookie <boolean>;
reserved-sockets <integer>;
resolver-nonbackoff-tries <integer>;
resolver-query-timeout <integer>;
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
dnsrps-options { <unspecified-text> } ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
secroots-file <quoted_string>;
send-cookie <boolean>;
serial-query-rate <integer>;
serial-update-method ( date | increment | unixtime );
server-id ( <quoted_string> | none | hostname );
servfail-ttl <ttlval>;
session-keyalg <string>;
session-keyfile ( <quoted_string> | none );
session-keyname <string>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stacksize ( default | unlimited | <sizeval> );
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
startup-notify-rate <integer>;
statistics-file <quoted_string>;
synth-from-dnssec <boolean>;
tcp-advertised-timeout <integer>;
tcp-clients <integer>;
tcp-idle-timeout <integer>;
tcp-initial-timeout <integer>;
tcp-keepalive-timeout <integer>;
tcp-listen-queue <integer>;
tkey-dhkey <quoted_string> <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
tkey-gssapi-keytab <quoted_string>;
transfer-format ( many-answers | one-answer );
transfer-message-size <integer>;
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
transfers-in <integer>;
transfers-out <integer>;
transfers-per-ns <integer>;
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
use-alt-transfer-source <boolean>;
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };
v6-bias <integer>;
validate-except { <string>; ... };
version ( <quoted_string> | none );
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
zone-statistics ( full | terse | none | <boolean> );
};
plugin ( query ) <string> [ { <unspecified-text>
} ]; // may occur multiple times
server <netprefix> {
bogus <boolean>;
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
keys <server_key>;
max-udp-size <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
padding <integer>;
provide-ixfr <boolean>;
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
send-cookie <boolean>;
tcp-keepalive <boolean>;
tcp-only <boolean>;
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
statistics-channels {
inet ( <ipv4_address> | <ipv6_address> |
* ) [ port ( <integer> | * ) ] [
allow { <address_match_element>; ...
} ]; // may occur multiple times
}; // may occur multiple times
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
view <string> [ <class> ] {
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-cache { <address_match_element>; ... };
allow-query-cache-on { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
cache-file <quoted_string>;
catalog-zones { zone <string> [ default-masters [ port <integer> ]
[ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
check-names ( primary | master |
secondary | slave | response ) (
fail | warn | ignore ); // may occur multiple times
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [
except-from { <string>; ... } ];
deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
disable-algorithms <string> { <string>;
... }; // may occur multiple times
disable-ds-digests <string> { <string>;
... }; // may occur multiple times
disable-empty-zone <string>; // may occur multiple times
dlz <string> {
database <string>;
search <boolean>;
}; // may occur multiple times
dns64 <netprefix> {
break-dnssec <boolean>;
clients { <address_match_element>; ... };
exclude { <address_match_element>; ... };
mapped { <address_match_element>; ... };
recursive-only <boolean>;
suffix <ipv6_address>;
}; // may occur multiple times
dns64-contact <string>;
dns64-server <string>;
dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-keys { <string> ( static-key |
initial-key ) <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver | update ) [ ( query | response ) ];
... }; // not configured
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
<integer> ] [ dscp <integer> ] ); ... };
dyndb <string> <quoted_string> {
<unspecified-text> }; // may occur multiple times
edns-udp-size <integer>;
empty-contact <string>;
empty-server <string>;
empty-zones-enable <boolean>;
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
glue-cache <boolean>;
inline-signing <boolean>;
ixfr-from-differences ( primary | master | secondary | slave |
<boolean> );
key <string> {
algorithm <string>;
secret <string>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>;
managed-keys { <string> (
static-key | initial-key
) <integer> <integer>
<integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <address_match_element>; ... };
match-destinations { <address_match_element>; ... };
match-recursive-only <boolean>;
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <ttlval>;
max-clients-per-query <integer>;
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <ttlval>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-stale-ttl <ttlval>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-udp-size <integer>;
max-zone-ttl ( unlimited | <ttlval> );
message-compression <boolean>;
min-cache-ttl <ttlval>;
min-ncache-ttl <ttlval>;
min-refresh-time <integer>;
min-retry-time <integer>;
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
multi-master <boolean>;
new-zones-directory <quoted_string>;
no-case-compress { <address_match_element>; ... };
nocookie-udp-size <integer>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
nta-lifetime <ttlval>;
nta-recheck <ttlval>;
nxdomain-redirect <string>;
plugin ( query ) <string> [ {
<unspecified-text> } ]; // may occur multiple times
preferred-glue <string>;
prefetch <integer> [ <integer> ];
provide-ixfr <boolean>;
qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
rate-limit {
all-per-second <integer>;
errors-per-second <integer>;
exempt-clients { <address_match_element>; ... };
ipv4-prefix-length <integer>;
ipv6-prefix-length <integer>;
log-only <boolean>;
max-table-size <integer>;
min-table-size <integer>;
nodata-per-second <integer>;
nxdomains-per-second <integer>;
qps-scale <integer>;
referrals-per-second <integer>;
responses-per-second <integer>;
slip <integer>;
window <integer>;
};
recursion <boolean>;
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
require-server-cookie <boolean>;
resolver-nonbackoff-tries <integer>;
resolver-query-timeout <integer>;
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log
<boolean> ] [ max-policy-ttl <ttlval> ] [ min-update-interval
<ttlval> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
dnsrps-options { <unspecified-text> } ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
send-cookie <boolean>;
serial-update-method ( date | increment | unixtime );
server <netprefix> {
bogus <boolean>;
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
keys <server_key>;
max-udp-size <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
) ] [ dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
| * ) ] [ dscp <integer> ];
padding <integer>;
provide-ixfr <boolean>;
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
( <integer> | * ) ] ) | ( [ [ address ] (
<ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
dscp <integer> ];
query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
port ( <integer> | * ) ] ) | ( [ [ address ] (
<ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
dscp <integer> ];
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
send-cookie <boolean>;
tcp-keepalive <boolean>;
tcp-only <boolean>;
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ] [ dscp <integer> ];
transfers <integer>;
}; // may occur multiple times
servfail-ttl <ttlval>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
sortlist { <address_match_element>; ... };
stale-answer-enable <boolean>;
stale-answer-ttl <ttlval>;
synth-from-dnssec <boolean>;
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
trusted-keys { <string>
<integer> <integer>
<integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
use-alt-transfer-source <boolean>;
v6-bias <integer>;
validate-except { <string>; ... };
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
zone <string> [ <class> ] {
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
<masters> | <ipv4_address> [ port <integer> ] |
<ipv6_address> [ port <integer> ] ) [ key <string> ];
... };
alt-transfer-source ( <ipv4_address> | * ) [ port (
<integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off );
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
check-names ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
database <string>;
delegation-only <boolean>;
dialup ( notify | notify-passive | passive | refresh |
<boolean> );
dlz <string>;
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { (
<ipv4_address> | <ipv6_address> ) [ port <integer> ] [
dscp <integer> ]; ... };
in-view <string>;
inline-signing <boolean>;
ixfr-from-differences <boolean>;
journal <quoted_string>;
key-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
| <ipv4_address> [ port <integer> ] | <ipv6_address> [
port <integer> ] ) [ key <string> ]; ... };
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
) ] [ dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
| * ) ] [ dscp <integer> ];
notify-to-soa <boolean>;
request-expire <boolean>;
request-ixfr <boolean>;
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ] [ dscp <integer> ];
try-tcp-refresh <boolean>;
type ( primary | master | secondary | slave | mirror |
delegation-only | forward | hint | redirect |
static-stub | stub );
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> (
6to4-self | external | krb5-self | krb5-selfsub |
krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
name | self | selfsub | selfwild | subdomain | tcp-self
| wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times
zone-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times
zone <string> [ <class> ] {
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off );
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
check-names ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
database <string>;
delegation-only <boolean>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
dlz <string>;
dnskey-sig-validity <integer>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
in-view <string>;
inline-signing <boolean>;
ixfr-from-differences <boolean>;
journal <quoted_string>;
key-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
max-retry-time <integer>;
max-transfer-idle-in <integer>;
max-transfer-idle-out <integer>;
max-transfer-time-in <integer>;
max-transfer-time-out <integer>;
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
[ dscp <integer> ];
notify-to-soa <boolean>;
request-expire <boolean>;
request-ixfr <boolean>;
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
dscp <integer> ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
try-tcp-refresh <boolean>;
type ( primary | master | secondary | slave | mirror |
delegation-only | forward | hint | redirect | static-stub |
stub );
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
| ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
| subdomain | tcp-self | wildcard | zonesub ) [ <string> ]
<rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times

1
doc/misc/slave.zoneopt
View file

@ -43,7 +43,6 @@ zone <string> [ <class> ] {
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
request-expire <boolean>;
request-ixfr <boolean>;
sig-signing-nodes <integer>;

134
lib/bind9/check.c
View file

@ -58,11 +58,6 @@
#include <bind9/check.h>
static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
static dns_name_t const dlviscorg =
DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
static isc_result_t
fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
isc_log_t *logctxlogc);
@ -858,9 +853,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
dns_fixedname_t fixed;
const char *str;
dns_name_t *name;
isc_buffer_t b;
uint32_t lifetime = 3600;
const char *ccalg = "siphash24";
@ -1069,7 +1062,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
}
/*
* Set supported DS/DLV digest types.
* Set supported DS digest types.
*/
obj = NULL;
(void)cfg_map_get(options, "disable-ds-digests", &obj);
@ -1085,107 +1078,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
}
}
name = dns_fixedname_initname(&fixed);
/*
* Check the DLV zone name.
*/
obj = NULL;
(void)cfg_map_get(options, "dnssec-lookaside", &obj);
if (obj != NULL) {
tresult = isc_symtab_create(mctx, 100, freekey, mctx,
false, &symtab);
if (tresult != ISC_R_SUCCESS)
result = tresult;
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
const char *dlv;
const cfg_obj_t *dlvobj, *anchor;
obj = cfg_listelt_value(element);
anchor = cfg_tuple_get(obj, "trust-anchor");
dlvobj = cfg_tuple_get(obj, "domain");
dlv = cfg_obj_asstring(dlvobj);
/*
* If domain is "auto" or "no" and trust anchor
* is missing, skip remaining tests
*/
if (cfg_obj_isvoid(anchor)) {
if (!strcasecmp(dlv, "no")) {
continue;
}
if (!strcasecmp(dlv, "auto")) {
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"dnssec-lookaside 'auto' "
"is no longer supported");
continue;
}
}
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
result = tresult;
continue;
}
if (symtab != NULL) {
tresult = nameexist(obj, dlv, 1, symtab,
"dnssec-lookaside '%s': "
"already exists; previous "
"definition: %s:%u",
logctx, mctx);
if (tresult != ISC_R_SUCCESS &&
result == ISC_R_SUCCESS)
result = tresult;
}
/*
* XXXMPA to be removed when multiple lookaside
* namespaces are supported.
*/
if (!dns_name_equal(dns_rootname, name)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside '%s': "
"non-root not yet supported", dlv);
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
if (cfg_obj_isvoid(anchor)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside requires "
"either or 'no' or a "
"domain and trust anchor");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
dlv = cfg_obj_asstring(anchor);
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
if (result == ISC_R_SUCCESS)
result = tresult;
continue;
}
if (dns_name_equal(&dlviscorg, name)) {
cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
"dlv.isc.org has been shut down");
continue;
}
}
if (symtab != NULL)
isc_symtab_destroy(&symtab);
}
/*
* Check auto-dnssec at the view/options level
*/
@ -3058,7 +2950,6 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
#define ROOT_KSK_ANY 0x03
#define ROOT_KSK_2010 0x04
#define ROOT_KSK_2017 0x08
#define DLV_KSK_KEY 0x10
static isc_result_t
check_trusted_key(const cfg_obj_t *key, bool managed,
@ -3235,13 +3126,6 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
}
}
/*
* Flag any use of dlv.isc.org, regardless of content.
*/
if (dns_name_equal(keyname, &dlviscorg)) {
*keyflags |= DLV_KSK_KEY;
}
return (result);
}
@ -3830,14 +3714,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
"with initial-key instead.");
}
if ((flags & DLV_KSK_KEY) != 0) {
cfg_obj_log(check_keys[i], logctx,
ISC_LOG_WARNING,
"trust anchor for dlv.isc.org "
"is present; dlv.isc.org has "
"been shut down");
}
tflags |= flags;
}
}
@ -3908,14 +3784,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
"the updated 2017 key");
}
if ((flags & DLV_KSK_KEY) != 0) {
cfg_obj_log(check_keys[i], logctx,
ISC_LOG_WARNING,
"trust anchor for dlv.isc.org "
"is present; dlv.isc.org has "
"been shut down");
}
dflags |= flags;
}
}

40
lib/dns/client.c
View file

@ -706,46 +706,6 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
return (result);
}
isc_result_t
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname)
{
isc_result_t result;
isc_buffer_t b;
dns_view_t *view = NULL;
REQUIRE(DNS_CLIENT_VALID(client));
LOCK(&client->lock);
result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
rdclass, &view);
UNLOCK(&client->lock);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (dlvname == NULL)
view->dlv = NULL;
else {
dns_name_t *newdlv;
isc_buffer_constinit(&b, dlvname, strlen(dlvname));
isc_buffer_add(&b, strlen(dlvname));
newdlv = dns_fixedname_name(&view->dlv_fixed);
result = dns_name_fromtext(newdlv, &b, dns_rootname,
DNS_NAME_DOWNCASE, NULL);
if (result != ISC_R_SUCCESS)
goto cleanup;
view->dlv = dns_fixedname_name(&view->dlv_fixed);
}
cleanup:
if (view != NULL)
dns_view_detach(&view);
return (result);
}
static isc_result_t
getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
dns_rdataset_t *rdataset;

20
lib/dns/include/dns/client.h
View file

@ -271,26 +271,6 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
*\li Anything else Failure.
*/
isc_result_t
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname);
/*%<
* Specify a name to use for DNSSEC lookaside validation.
* If a trusted key has been added for that name, then DLV will be
* used during validation. If 'dlvname' is NULL, then DLV will no
* longer be used for this client.
*
* Requires:
*
*\li 'client' is a valid client.
*
* Returns:
*
*\li #ISC_R_SUCCESS On success.
*
*\li Anything else Failure.
*/
isc_result_t
dns_client_resolve(dns_client_t *client, const dns_name_t *name,
dns_rdataclass_t rdclass, dns_rdatatype_t type,

4
lib/dns/include/dns/dsdigest.h
View file

@ -24,7 +24,7 @@ ISC_LANG_BEGINDECLS
isc_result_t
dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source);
/*%<
* Convert the text 'source' refers to into a DS/DLV digest type value.
* Convert the text 'source' refers to into a DS digest type value.
* The text may contain either a mnemonic digest name or a decimal
* digest number.
*
@ -42,7 +42,7 @@ dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source);
isc_result_t
dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target);
/*%<
* Put a textual representation of the DS/DLV digest type 'dsdigest'
* Put a textual representation of the DS digest type 'dsdigest'
* into 'target'.
*
* Requires:

4
lib/dns/include/dns/resolver.h
View file

@ -483,7 +483,7 @@ dns_resolver_reset_algorithms(dns_resolver_t *resolver);
void
dns_resolver_reset_ds_digests(dns_resolver_t *resolver);
/*%<
* Clear the disabled DS/DLV digest types.
* Clear the disabled DS digest types.
*/
isc_result_t
@ -503,7 +503,7 @@ isc_result_t
dns_resolver_disable_ds_digest(dns_resolver_t *resolver,
const dns_name_t *name, unsigned int digest_type);
/*%<
* Mark the given DS/DLV digest type as disabled and below 'name'.
* Mark the given DS digest type as disabled and below 'name'.
* Valid types are less than 256.
*
* Returns:

15
lib/dns/include/dns/validator.h
View file

@ -26,8 +26,6 @@
* the view and may fetch RRset to complete trust chains. It implements
* DNSSEC as specified in RFC 4033, 4034 and 4035.
*
* It can also optionally implement ISC's DNSSEC look-aside validation.
*
* Correct operation is critical to preventing spoofed answers from secure
* zones being accepted.
*
@ -152,11 +150,7 @@ struct dns_validator {
dns_fixedname_t nearest;
dns_fixedname_t closest;
ISC_LINK(dns_validator_t) link;
dns_rdataset_t dlv;
dns_fixedname_t dlvsep;
bool havedlvsep;
bool mustbesecure;
unsigned int dlvlabels;
bool mustbesecure;
unsigned int depth;
unsigned int authcount;
unsigned int authfail;
@ -166,7 +160,7 @@ struct dns_validator {
/*%
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DLV 0x0001U
/* obsolete: #define DNS_VALIDATOR_DLV 0x0001U */
#define DNS_VALIDATOR_DEFER 0x0002U
#define DNS_VALIDATOR_NOCDFLAG 0x0004U
#define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */
@ -210,11 +204,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
* Its 'result' field will be ISC_R_SUCCESS iff the
* response was successfully proven to be either secure or
* part of a known insecure domain.
*
* options:
* If DNS_VALIDATOR_DLV is set the caller knows there is not a
* trusted key and the validator should immediately attempt to validate
* the answer by looking for an appropriate DLV RRset.
*/
void

2
lib/dns/include/dns/view.h
View file

@ -168,8 +168,6 @@ struct dns_view {
bool rootdelonly;
dns_namelist_t * rootexclude;
bool checknames;
dns_name_t * dlv;
dns_fixedname_t dlv_fixed;
uint16_t maxudp;
dns_ttl_t staleanswerttl;
dns_stale_answer_t staleanswersok; /* rndc setting */

16
lib/dns/resolver.c
View file

@ -2446,10 +2446,6 @@ resquery_send(resquery_t *query) {
if (result != ISC_R_SUCCESS) {
secure_domain = false;
}
if (res->view->dlv != NULL) {
secure_domain = true;
}
if (secure_domain ||
(ISFORWARDER(query->addrinfo) && ntacovered))
{
@ -3714,7 +3710,6 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
result = isc_time_nowplusinterval(&expire, &i);
if (badcache &&
(fctx->type == dns_rdatatype_dnskey ||
fctx->type == dns_rdatatype_dlv ||
fctx->type == dns_rdatatype_ds) &&
result == ISC_R_SUCCESS)
dns_resolver_addbadcache(res, &fctx->name,
@ -5488,7 +5483,6 @@ validated(isc_task_t *task, isc_event_t *event) {
tresult = isc_time_nowplusinterval(&expire, &i);
if (negative &&
(fctx->type == dns_rdatatype_dnskey ||
fctx->type == dns_rdatatype_dlv ||
fctx->type == dns_rdatatype_ds) &&
tresult == ISC_R_SUCCESS)
dns_resolver_addbadcache(res, &fctx->name,
@ -5929,11 +5923,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS) {
return (result);
}
if (!secure_domain && res->view->dlv != NULL) {
valoptions |= DNS_VALIDATOR_DLV;
secure_domain = true;
}
}
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
@ -6523,11 +6512,6 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
now, checknta, NULL, &secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
if (!secure_domain && res->view->dlv != NULL) {
valoptions |= DNS_VALIDATOR_DLV;
secure_domain = true;
}
}
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)

821
lib/dns/validator.c
View file

File diff suppressed because it is too large Load diff

2
lib/dns/view.c
View file

@ -205,7 +205,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->dstport = 53;
view->preferred_glue = 0;
view->flush = false;
view->dlv = NULL;
view->maxudp = 0;
view->staleanswerttl = 1;
view->staleanswersok = dns_stale_answer_conf;
@ -216,7 +215,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->maxbits = 0;
view->rpzs = NULL;
view->catzs = NULL;
dns_fixedname_init(&view->dlv_fixed);
view->managed_keys = NULL;
view->redirect = NULL;
view->redirectzone = NULL;

1
lib/dns/win32/libdns.def.in
View file

@ -147,7 +147,6 @@ dns_client_freeupdate
dns_client_mctx
dns_client_request
dns_client_resolve
dns_client_setdlv
dns_client_setservers
dns_client_startrequest
dns_client_startresolve

6
lib/isccfg/include/isccfg/cfg.h
View file

@ -485,6 +485,10 @@ cfg_printx(const cfg_obj_t *obj, unsigned int flags,
#define CFG_PRINTER_XKEY 0x1 /* '?' out shared keys. */
#define CFG_PRINTER_ONELINE 0x2 /* print config as a single line */
#define CFG_PRINTER_ACTIVEONLY 0x4 /* print only active configuration
options, omitting ancient,
obsolete, nonimplemented,
and test-only options. */
/*%<
* Print the configuration object 'obj' by repeatedly calling the
@ -496,7 +500,7 @@ cfg_printx(const cfg_obj_t *obj, unsigned int flags,
*/
void
cfg_print_grammar(const cfg_type_t *type,
cfg_print_grammar(const cfg_type_t *type, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure);
/*%<

2
lib/isccfg/include/isccfg/grammar.h
View file

@ -550,7 +550,7 @@ cfg_clause_validforzone(const char *name, unsigned int ztype);
*/
void
cfg_print_zonegrammar(const unsigned int zonetype,
cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure);
/*%<

17
lib/isccfg/namedconf.c
View file

@ -1876,7 +1876,7 @@ view_clauses[] = {
{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-lookaside", &cfg_type_lookaside,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
@ -3851,7 +3851,7 @@ cfg_clause_validforzone(const char *name, unsigned int ztype) {
}
void
cfg_print_zonegrammar(const unsigned int zonetype,
cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure)
{
@ -3866,7 +3866,7 @@ cfg_print_zonegrammar(const unsigned int zonetype,
pctx.f = f;
pctx.closure = closure;
pctx.indent = 0;
pctx.flags = 0;
pctx.flags = flags;
memmove(clauses, zone_clauses, sizeof(zone_clauses));
memmove(clauses + sizeof(zone_clauses)/sizeof(zone_clauses[0]) - 1,
@ -3922,8 +3922,17 @@ cfg_print_zonegrammar(const unsigned int zonetype,
}
for (clause = clauses; clause->name != NULL; clause++) {
if (((pctx.flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
(((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
{
continue;
}
if ((clause->flags & zonetype) == 0 ||
strcasecmp(clause->name, "type") == 0) {
strcasecmp(clause->name, "type") == 0)
{
continue;
}
cfg_print_indent(&pctx);

20
lib/isccfg/parser.c
View file

@ -2312,6 +2312,14 @@ cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
for (clauseset = type->of; *clauseset != NULL; clauseset++) {
for (clause = *clauseset; clause->name != NULL; clause++) {
if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
(((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
{
continue;
}
cfg_print_cstr(pctx, clause->name);
cfg_print_cstr(pctx, " ");
cfg_doc_obj(pctx, clause->type);
@ -2359,6 +2367,14 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
for (clauseset = type->of; *clauseset != NULL; clauseset++) {
for (clause = *clauseset; clause->name != NULL; clause++) {
if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
(((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
{
continue;
}
cfg_print_indent(pctx);
cfg_print_cstr(pctx, clause->name);
if (clause->type->print != cfg_print_void)
@ -3460,7 +3476,7 @@ cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
}
void
cfg_print_grammar(const cfg_type_t *type,
cfg_print_grammar(const cfg_type_t *type, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure)
{
@ -3469,7 +3485,7 @@ cfg_print_grammar(const cfg_type_t *type,
pctx.f = f;
pctx.closure = closure;
pctx.indent = 0;
pctx.flags = 0;
pctx.flags = flags;
cfg_doc_obj(&pctx, type);
}

11
lib/samples/Makefile-postinstall.in
View file

@ -24,14 +24,13 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
TARGETS = sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
dlvchecks@EXEEXT@
sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
OBJS = sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
sample-request.@O@ nsprobe.@O@
SRCS = sample.c sample-async.c sample-gai.c sample-update.c \
sample-request.c nsprobe.c dlvchecks..c
sample-request.c nsprobe.c
@BIND9_MAKE_RULES@
@ -63,9 +62,5 @@ nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
nsprobe.@O@ ${LIBS}
dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dlvchecks.@O@ ${LIBS}
clean distclean maintainer-clean::
rm -f ${TARGETS}

Some files were not shown because too many files have changed in this diff Show more