"# END TRUST ANCHORS\n\
\n\
-primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
+remote-servers " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
2801:1b8:10::b; # b.root-servers.net\n\
2001:500:2::c; # c.root-servers.net\n\
2001:500:2f::f; # f.root-servers.net\n\
return ztype;
}
-static isc_result_t
-getremotesdef(const cfg_obj_t *cctx, const char *list, const char *name,
- const cfg_obj_t **ret) {
+isc_result_t
+named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
+ const char *name, const cfg_obj_t **ret) {
isc_result_t result;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *elt;
return ISC_R_NOTFOUND;
}
-isc_result_t
-named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
- const char *name, const cfg_obj_t **ret) {
- isc_result_t result;
-
- if (strcmp(list, "parental-agents") == 0) {
- return getremotesdef(cctx, list, name, ret);
- } else if (strcmp(list, "primaries") == 0) {
- result = getremotesdef(cctx, list, name, ret);
- if (result != ISC_R_SUCCESS) {
- result = getremotesdef(cctx, "masters", name, ret);
- }
- return result;
- }
- return ISC_R_NOTFOUND;
-}
-
static isc_result_t
named_config_getname(isc_mem_t *mctx, const cfg_obj_t *obj,
dns_name_t **namep) {
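Review bot: Removing the `named_config_getremotesdef` wrapper also removes the only `strcmp(list, "masters")` fallback, while the `masters` clause is still accepted by the parser table at the end of this page (`{ "masters", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC }` is unchanged context), so a list declared with the legacy keyword would presumably still parse but fail at reference time in named_config_getipandkeylist (`"remote-servers \"%s\" not found"`) and would no longer be duplicate-checked by check_remoteserverlists, which now scans only `"remote-servers"` — unless a hunk outside this page drops or rejects the clause. If dropping `masters` is intended, reject or warn on the clause itself at parse time so operators get a clear message instead of a dangling-reference error. Separately, the surviving `list` parameter now receives the literal `"remote-servers"` from every visible caller (here and via check.c's `get_remoteservers_def`), and the two lookups take it in different positions (`(cctx, list, name, ret)` versus `(list, name, cctx, ret)`); either drop the parameter or align the order and describe it in the header declaration with `/* Find the list named 'name' among the 'list' clauses of 'cctx'. */`. The renamed function's body continues outside the hunk.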
}
isc_result_t
-named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
- const cfg_obj_t *list, isc_mem_t *mctx,
- dns_ipkeylist_t *ipkl) {
+named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+ isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
uint32_t addrcount = 0, srccount = 0;
uint32_t keycount = 0, tlscount = 0;
uint32_t listcount = 0, l = 0, i = 0;
isc_sockaddr_any6(&src6);
}
- result = ISC_R_NOMEMORY;
-
element = cfg_list_first(addrlist);
resume:
for (; element != NULL; element = cfg_list_next(element)) {
continue;
}
list = NULL;
- tresult = named_config_getremotesdef(config, listtype,
- listname, &list);
+ tresult = named_config_getremotesdef(
+ config, "remote-servers", listname, &list);
if (tresult == ISC_R_NOTFOUND) {
cfg_obj_log(addr, ISC_LOG_ERROR,
- "%s \"%s\" not found", listtype,
+ "remote-servers \"%s\" not found",
listname);
result = tresult;
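Review bot: The removed `result = ISC_R_NOMEMORY;` was the only assignment to `result` visible before the `resume:` loop; if `result` is declared without an initializer at the top of named_config_getipandkeylist (outside this hunk), any exit to the cleanup path that does not pass through `result = tresult` now returns an indeterminate value. Either initialize at the declaration, `isc_result_t result = ISC_R_SUCCESS;`, or keep an explicit assignment before the loop, and state in a comment which paths are expected to set it. The changed log call is consistent — the format string drops its leading `%s` together with the `listtype` argument. The function starts and ends outside the hunk.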
const char *name, const cfg_obj_t **ret);
isc_result_t
-named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
- const cfg_obj_t *list, isc_mem_t *mctx,
- dns_ipkeylist_t *ipkl);
+named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+ isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
isc_result_t
named_config_getport(const cfg_obj_t *config, const char *type,
obj = cfg_tuple_get(catz_obj, "default-primaries");
}
if (obj != NULL && cfg_obj_istuple(obj)) {
- result = named_config_getipandkeylist(
- config, "primaries", obj, view->mctx, &opts->masters);
+ result = named_config_getipandkeylist(config, obj, view->mctx,
+ &opts->masters);
}
obj = cfg_tuple_get(catz_obj, "in-memory");
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, obj, mctx,
+ &ipkl));
dns_zone_setalsonotify(zone, ipkl.addrs, ipkl.sources,
ipkl.keys, ipkl.tlss,
ipkl.count);
if (parentals != NULL) {
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(
- config, "parental-agents", parentals, mctx,
- &ipkl));
+ CHECK(named_config_getipandkeylist(config, parentals,
+ mctx, &ipkl));
dns_zone_setparentals(zone, ipkl.addrs, ipkl.sources,
ipkl.keys, ipkl.tlss, ipkl.count);
dns_ipkeylist_clear(mctx, &ipkl);
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, obj, mctx,
+ &ipkl));
dns_zone_setprimaries(mayberaw, ipkl.addrs,
ipkl.sources, ipkl.keys,
ipkl.tlss, ipkl.count);
file "redirect.db";
};
-primaries "test" {
+remote-servers "test" {
10.53.0.99;
};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-masters duplicate { 1.2.3.4; };
-primaries duplicate { 4.3.2.1; };
* information regarding copyright ownership.
*/
-primaries duplicate { 1.2.3.4; };
-primaries duplicate { 4.3.2.1; };
+remote-servers duplicate { 1.2.3.4; };
+remote-servers duplicate { 4.3.2.1; };
*/
view "test" {
- parental-agents "net" {
+ remote-servers "net" {
192.168.1.2;
};
zone "example.net" {
* information regarding copyright ownership.
*/
-parental-agents "net" {
+remote-servers "net" {
192.168.1.1;
};
-parental-agents "net" {
+remote-servers "net" {
192.168.1.2;
};
* information regarding copyright ownership.
*/
-parental-agents "net" { };
+remote-servers "net" { };
zone "example.net" {
type primary;
* information regarding copyright ownership.
*/
-parental-agents "com" {
+remote-servers "com" {
192.168.1.2;
};
* information regarding copyright ownership.
*/
-primaries "net" {
+remote-servers "net" {
192.168.1.2;
};
* information regarding copyright ownership.
*/
-masters a { 1.2.3.4; };
-primaries b { 1.2.3.4; };
+remote-servers a { 1.2.3.4; };
+remote-servers b { 1.2.3.4; };
transfer-source 0.0.0.0;
zone-statistics none;
};
-parental-agents "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
+remote-servers "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
10.10.10.11;
2001:db8::11;
};
*/
acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
*/
acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
zone "example.net" {
type secondary;
file "/var/cache/bind/example.net.db";
*/
acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-parental-agents "ns8" port @PORT@ {
+remote-servers "ns8" port @PORT@ {
10.53.0.8;
};
also-notify { /* empty */ };
};
-# use both 'primaries' and 'masters' to test that they
-# can work correctly together.
-primaries noport { 10.53.0.4; };
-masters x21 port @EXTRAPORT1@ { noport; };
+remote-servers noport { 10.53.0.4; };
+remote-servers x21 port @EXTRAPORT1@ { noport; };
zone x1 {
type primary;
allow-transfer { any; };
};
-primaries others {
+remote-servers others {
10.53.0.2 port @PORT@;
10.53.0.2 port @PORT@ key altkey;
};
allow-transfer { tzkey; };
};
-primaries "ns1" port @PORT@ source 10.53.0.2 {
+remote-servers "ns1" port @PORT@ source 10.53.0.2 {
10.53.0.1;
};
A list of a :term:`port` or a port range. A port range is specified in the form of ``range`` followed by two :term:`port` s, ``port_low`` and ``port_high``, which represents port numbers from ``port_low`` through ``port_high``, inclusive. ``port_low`` must not be larger than ``port_high``. For example, ``range 1024 65535`` represents ports from 1024 through 65535. The asterisk (``*``) character is not allowed as a valid :term:`port` or as a port range boundary.
``remote-servers``
- A named list of one or more :term:`ip_address` es with optional :term:`tls_id`, :term:`server_key`, and/or :term:`port`. A ``remote-servers`` list may include other ``remote-servers`` lists. See :any:`primaries` block.
+ A named list of one or more :term:`ip_address` es with optional :term:`tls_id`, :term:`server_key`, and/or :term:`port`. A ``remote-servers`` list may include other ``remote-servers`` lists.
``server_key``
A :term:`domain_name` representing the name of a shared key, to be used for
:any:`logging`
Specifies what information the server logs and where the log messages are sent.
- ``masters``
- Synonym for :any:`primaries`.
-
:namedconf:ref:`options`
Controls global server configuration options and sets defaults for other statements.
- :any:`parental-agents`
- Defines a named list of servers for inclusion in primary and secondary zones' :any:`parental-agents` lists.
-
- :any:`primaries`
- Defines a named list of servers for inclusion in stub and secondary zones' :any:`primaries` or :any:`also-notify` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.)
+ :namedconf:ref:`remote-servers`
+ Defines a named list of servers for inclusion in various zone statements such as :any:`parental-agents`, :any:`primaries` or :any:`also-notify` lists.
:namedconf:ref:`server`
Sets certain configuration options on a per-server basis.
``debug`` level 2 is logged for errors other than SERVFAIL and for negative
responses such as NXDOMAIN.
-:any:`parental-agents` Block Grammar
+``remote-servers`` Block Grammar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: parental-agents
- :tags: zone
- :short: Defines a list of delegation agents to be used by primary and secondary zones.
-
-:any:`parental-agents` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-:any:`parental-agents` lists allow for a common set of parental agents to be
-easily used by multiple primary and secondary zones. A "parental agent" is a
-trusted DNS server that is queried to check whether DS records for a given zones
-are up-to-date.
+.. namedconf:statement:: remote-servers
+ :tags: server
+ :short: Defines a list of servers to be used by primary and secondary zones.
-:any:`primaries` Block Grammar
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: primaries
- :tags: zone
- :short: Defines one or more primary servers for a zone.
+This specifies a list that allows for a common set of servers to be easily used
+by multiple zones. The following options may reference to a list of
+remote servers: :any:`parental-agents`, :any:`primaries`, and :any:`also-notify`.
-:any:`primaries` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A "parental agent" is a trusted DNS server that is queried to check whether DS
+records for a given zones are up-to-date.
-:any:`primaries` lists allow for a common set of primary servers to be easily
-used by multiple stub and secondary zones in their :any:`primaries` or
-:any:`also-notify` lists. (Note: :any:`primaries` is a synonym for the original
-keyword ``masters``, which can still be used, but is no longer the
-preferred terminology.)
+A "primary server" is where a secondary server can request zone transfers from.
To force the zone transfer requests to be sent over TLS, use :any:`tls` keyword,
e.g. ``primaries { 192.0.2.1 tls tls-configuration-name; };``,
per second. The lowest possible rate is one per second; when set to
zero, it is silently raised to one.
+.. namedconf:statement:: primaries
+ :tags: transfer, zone
+ :short: Defines one or more servers that zone transfer can be requested from.
+
+ This specifies a list of one or more IP addresses of primary servers that
+ the secondary contacts to update its copy of the zone. Primaries list
+ elements can also be names of :any:`remote-servers` blocks.
+
+ By default, transfers are made from port 53 on the servers; this can be
+ changed for all servers by specifying a port number before the list of IP
+ addresses, or on a per-server basis after the IP address. Authentication to
+ the primary can also be done with per-server TSIG keys.
+
.. namedconf:statement:: startup-notify-rate
:tags: transfer, zone
:short: Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
trust relationship with the parental agent. For example, use TSIG to
authenticate the parental agent, or point to a validating resolver.
+.. namedconf:statement:: parental-agents
+ :tags: dnssec
+
+ This specifies a list of one or more IP addresses of parental agents that
+ are used to query the zone's DS records during a KSK rollover. The list of
+ parental agents can also contain the names of :any:`remote-servers` blocks.
+
+ By default, DS queries are sent from port 53 on the servers; this can be
+ changed for all servers by specifying a port number before the list of IP
+ addresses, or on a per-server basis after the IP address. Authentication to
+ the primary can also be done with per-server TSIG keys.
+
The following options apply to DS queries sent to :any:`parental-agents`:
.. namedconf:statement:: checkds
:tags: zone
:short: Contains a duplicate of the data for a zone that has been transferred from a primary server.
- A secondary zone is a replica of a primary zone. Type ``slave`` is a
- synonym for :any:`secondary <type secondary>`. The :any:`primaries` list specifies one or more IP
- addresses of primary servers that the secondary contacts to update
- its copy of the zone. Primaries list elements can
- also be names of other primaries lists. By default,
- transfers are made from port 53 on the servers;
- this can be changed for all servers by specifying
- a port number before the list of IP addresses,
- or on a per-server basis after the IP address.
- Authentication to the primary can also be done with
- per-server TSIG keys. If a file is specified, then the
- replica is written to this file
- whenever the zone
- is changed, and reloaded from this file on a server
- restart. Use of a file is recommended, since it
- often speeds server startup and eliminates a
- needless waste of bandwidth. Note that for large
- numbers (in the tens or hundreds of thousands) of
- zones per server, it is best to use a two-level
- naming scheme for zone filenames. For example,
- a secondary server for the zone
- ``example.com`` might place
- the zone contents into a file called
- ``ex/example.com``, where
- ``ex/`` is just the first two
- letters of the zone name. (Most operating systems
- behave very slowly if there are 100,000 files in a single directory.)
+ A secondary zone is a replica of a primary zone. Type ``slave`` is a
+ synonym for :any:`secondary <type secondary>`. The :any:`primaries` list
+ specifies one or more IP addresses of primary servers that the secondary
+ contacts to update its copy of the zone.
+
+ If a file is
+ specified, then the replica is written to this file whenever the zone
+ is changed, and reloaded from this file on a server restart. Use of a file
+ is recommended, since it often speeds server startup and eliminates a
+ needless waste of bandwidth. Note that for large numbers (in the tens or
+ hundreds of thousands) of zones per server, it is best to use a two-level
+ naming scheme for zone filenames. For example, a secondary server for the
+ zone ``example.com`` might place the zone contents into a file called
+ ``ex/example.com``, where ``ex/`` is just the first two letters of the zone
+ name. (Most operating systems behave very slowly if there are 100,000 files
+ in a single directory.)
.. namedconf:statement:: type mirror
:tags: zone
:any:`notify-to-soa`
See the description of :any:`notify-to-soa` in :ref:`boolean_options`.
+:any:`parental-agents`
+ This option is only meaningful if the zone is DNSSEC signed. When performing
+ a key rollover, BIND will query the parental agents to see if the new DS is
+ actually published before withdrawing the old DNSSEC key.
+
+:any:`primaries`
+ For secondary zones, these are the name servers to request zone transfers
+ from.
+
:any:`zone-statistics`
See the description of :any:`zone-statistics` in :namedconf:ref:`options`.
::
- parental-agents "net" {
+ remote-servers "net" {
10.53.0.11; 10.53.0.12;
};
zone-statistics ( full | terse | none | <boolean> );
};
-parental-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
-
plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
-primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
+remote-servers <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
server <netprefix> {
bogus <boolean>;
}
/*
- * Check primaries lists for duplicates.
+ * Check remote-server lists for duplicates.
*/
static isc_result_t
-check_primarylists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
+check_remoteserverlists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
isc_result_t result, tresult;
isc_symtab_t *symtab = NULL;
if (result != ISC_R_SUCCESS) {
return result;
}
- tresult = check_remoteserverlist(cctx, "primaries", symtab, mctx);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
- tresult = check_remoteserverlist(cctx, "masters", symtab, mctx);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
- isc_symtab_destroy(&symtab);
- return result;
-}
-
-/*
- * Check parental-agents lists for duplicates.
- */
-static isc_result_t
-check_parentalagentlists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
- isc_result_t result, tresult;
- isc_symtab_t *symtab = NULL;
-
- result = isc_symtab_create(mctx, 100, freekey, mctx, false, &symtab);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
- tresult = check_remoteserverlist(cctx, "parental-agents", symtab, mctx);
+ tresult = check_remoteserverlist(cctx, "remote-servers", symtab, mctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
static isc_result_t
-get_remotes(const cfg_obj_t *cctx, const char *list, const char *name,
- const cfg_obj_t **ret) {
+get_remoteservers_def(const char *list, const char *name, const cfg_obj_t *cctx,
+ const cfg_obj_t **ret) {
isc_result_t result;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *elt = NULL;
}
static isc_result_t
-get_remoteservers_def(const char *list, const char *name, const cfg_obj_t *cctx,
- const cfg_obj_t **ret) {
- isc_result_t result = ISC_R_NOTFOUND;
-
- if (strcmp(list, "primaries") == 0) {
- result = get_remotes(cctx, "primaries", name, ret);
- if (result != ISC_R_SUCCESS) {
- result = get_remotes(cctx, "masters", name, ret);
- }
- } else if (strcmp(list, "parental-agents") == 0) {
- result = get_remotes(cctx, "parental-agents", name, ret);
- }
- return result;
-}
-
-static isc_result_t
-validate_remotes(const char *list, const cfg_obj_t *obj,
- const cfg_obj_t *config, uint32_t *countp, isc_mem_t *mctx) {
+validate_remotes(const cfg_obj_t *obj, const cfg_obj_t *config,
+ uint32_t *countp, isc_mem_t *mctx) {
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
uint32_t count = 0;
if (tresult == ISC_R_EXISTS) {
continue;
}
- tresult = get_remoteservers_def(list, listname, config, &obj);
+ tresult = get_remoteservers_def("remote-servers", listname,
+ config, &obj);
if (tresult != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = tresult;
}
cfg_obj_log(addr, ISC_LOG_ERROR,
- "unable to find %s list '%s'", list,
+ "unable to find remote-servers list '%s'",
listname);
continue;
}
}
if (tresult == ISC_R_SUCCESS && donotify) {
uint32_t count;
- tresult = validate_remotes("primaries", obj, config,
- &count, mctx);
+ tresult = validate_remotes(obj, config, &count, mctx);
if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
{
result = tresult;
result = ISC_R_FAILURE;
} else {
uint32_t count;
- tresult = validate_remotes("primaries", obj, config,
- &count, mctx);
+ tresult = validate_remotes(obj, config, &count, mctx);
if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
{
result = tresult;
(void)cfg_map_get(zoptions, "parental-agents", &obj);
if (obj != NULL) {
uint32_t count;
- tresult = validate_remotes("parental-agents", obj,
- config, &count, mctx);
+ tresult = validate_remotes(obj, config, &count, mctx);
if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
{
result = tresult;
result = ISC_R_FAILURE;
}
- if (check_primarylists(config, mctx) != ISC_R_SUCCESS) {
- result = ISC_R_FAILURE;
- }
-
- if (check_parentalagentlists(config, mctx) != ISC_R_SUCCESS) {
+ if (check_remoteserverlists(config, mctx) != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
{ "masters", &cfg_type_remoteservers,
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC },
{ "options", &cfg_type_options, 0 },
- { "parental-agents", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
- { "primaries", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
+ { "remote-servers", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
#if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C)
{ "statistics-channels", &cfg_type_statschannels,
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OPTIONAL },