}
}
-static void
-portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
- bool positive) {
- const cfg_listelt_t *element;
-
- for (element = cfg_list_first(ports); element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *obj = cfg_listelt_value(element);
-
- if (cfg_obj_isuint32(obj)) {
- in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
- if (positive) {
- isc_portset_add(portset, port);
- } else {
- isc_portset_remove(portset, port);
- }
- } else {
- const cfg_obj_t *obj_loport, *obj_hiport;
- in_port_t loport, hiport;
-
- obj_loport = cfg_tuple_get(obj, "loport");
- loport = (in_port_t)cfg_obj_asuint32(obj_loport);
- obj_hiport = cfg_tuple_get(obj, "hiport");
- hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
-
- if (positive) {
- isc_portset_addrange(portset, loport, hiport);
- } else {
- isc_portset_removerange(portset, loport,
- hiport);
- }
- }
- }
-}
-
static isc_result_t
removed(dns_zone_t *zone, void *uap) {
if (dns_zone_getview(zone) != uap) {
const cfg_obj_t *maps[3];
const cfg_obj_t *obj;
const cfg_obj_t *options;
- const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
const cfg_obj_t *kasps;
const cfg_obj_t *keystores;
dns_kasp_t *kasp = NULL;
goto cleanup_v4portset;
}
- usev4ports = NULL;
- usev6ports = NULL;
- avoidv4ports = NULL;
- avoidv6ports = NULL;
-
- (void)named_config_get(maps, "use-v4-udp-ports", &usev4ports);
- if (usev4ports != NULL) {
- portset_fromconf(v4portset, usev4ports, true);
- } else {
- result = isc_net_getudpportrange(AF_INET, &udpport_low,
- &udpport_high);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "get the default UDP/IPv4 port range: %s",
- isc_result_totext(result));
- goto cleanup_v6portset;
- }
-
- if (udpport_low == udpport_high) {
- isc_portset_add(v4portset, udpport_low);
- } else {
- isc_portset_addrange(v4portset, udpport_low,
- udpport_high);
- }
- if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv4 port range: "
- "[%d, %d]",
- udpport_low, udpport_high);
- }
+ result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "get the default UDP/IPv4 port range: %s",
+ isc_result_totext(result));
+ goto cleanup_v6portset;
}
- (void)named_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
- if (avoidv4ports != NULL) {
- portset_fromconf(v4portset, avoidv4ports, false);
+
+ isc_portset_addrange(v4portset, udpport_low, udpport_high);
+ if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "using default UDP/IPv4 port range: "
+ "[%d, %d]",
+ udpport_low, udpport_high);
}
- (void)named_config_get(maps, "use-v6-udp-ports", &usev6ports);
- if (usev6ports != NULL) {
- portset_fromconf(v6portset, usev6ports, true);
- } else {
- result = isc_net_getudpportrange(AF_INET6, &udpport_low,
- &udpport_high);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "get the default UDP/IPv6 port range: %s",
- isc_result_totext(result));
- goto cleanup_v6portset;
- }
- if (udpport_low == udpport_high) {
- isc_portset_add(v6portset, udpport_low);
- } else {
- isc_portset_addrange(v6portset, udpport_low,
- udpport_high);
- }
- if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv6 port range: "
- "[%d, %d]",
- udpport_low, udpport_high);
- }
+ result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "get the default UDP/IPv6 port range: %s",
+ isc_result_totext(result));
+ goto cleanup_v6portset;
}
- (void)named_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
- if (avoidv6ports != NULL) {
- portset_fromconf(v6portset, avoidv6ports, false);
+ isc_portset_addrange(v6portset, udpport_low, udpport_high);
+ if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "using default UDP/IPv6 port range: "
+ "[%d, %d]",
+ udpport_low, udpport_high);
}
dns_dispatchmgr_setavailports(named_g_dispatchmgr, v4portset,
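Review bot: The system ephemeral range returned by `isc_net_getudpportrange()` is now the only source of UDP query ports, but nothing checks that it is wide enough for source-port randomization; the documentation this commit deletes recommended at least 16384 ports and warned that the system default may be too small, and an operator can no longer override or trim it from named.conf. I would warn when the range is narrow, e.g. after the IPv4 `isc_portset_addrange()` call: `if (udpport_high - udpport_low + 1 < 16384) { isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "UDP/IPv4 port range [%d, %d] is smaller than recommended (16384 ports)", udpport_low, udpport_high); }` and the same after the IPv6 call. The removed code also special-cased `udpport_low == udpport_high` with `isc_portset_add()`; the new code hands that pair to `isc_portset_addrange()`, which is fine only if that function accepts a one-port range — not visible here. The enclosing function starts and ends outside the hunk.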
* information regarding copyright ownership.
*/
+/*
+ * Ancient options are fatal.
+ */
options {
- avoid-v4-udp-ports {
- 1935;
- 2605;
- 4321;
- 6514;
- range 8610 8614;
- };
+ avoid-v4-udp-ports { range 1 1023; };
};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ avoid-v6-udp-ports { range 1 1023; };
+};
* information regarding copyright ownership.
*/
-options {
- port 5300;
-};
-
zone example {
type secondary;
primaries { 1.2.3.4; };
- notify-source 10.53.0.1 port 100;
+ notify-source 10.53.0.1 port 5300;
};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 1.2.3.4 {
+ query-source 10.10.10.10 port 5353;
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ use-v4-udp-ports { range 1024 65535; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ use-v6-udp-ports { range 1024 65535; };
+};
*/
options {
fake-iquery yes;
+
+ use-v4-udp-ports { range 1024 65535; };
+ use-v6-udp-ports { range 1024 65535; };
+ avoid-v4-udp-ports { range 1 1023; };
+ avoid-v6-udp-ports { range 1 1023; };
};
* information regarding copyright ownership.
*/
-server 1.2.3.4 {
- query-source 10.10.10.10 port 5353;
-};
-
options {
dnssec-validation yes;
max-zone-ttl 600;
- use-v4-udp-ports { range 1024 65535; };
- use-v6-udp-ports { range 1024 65535; };
- avoid-v4-udp-ports { range 1 1023; };
- avoid-v6-udp-ports { range 1 1023; };
-
dnssec-must-be-secure mustbesecure.example yes;
sortlist { };
pkcs11-uri "pkcs11:token=bind9;pin-value=1234";
};
options {
- avoid-v4-udp-ports {
- 100;
- };
- avoid-v6-udp-ports {
- 100;
- };
blackhole {
10.0.0.0/8;
};
transfer-source 0.0.0.0;
zone-statistics none;
};
-parental-agents "parents" port 5353 source 10.10.10.10 port 5354 source-v6 2001:db8::10 port 5355 {
+parental-agents "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
10.10.10.11;
2001:db8::11;
};
file "xxx";
update-policy local;
max-ixfr-ratio 20%;
- notify-source 10.10.10.10 port 53;
+ notify-source 10.10.10.10;
};
zone "clone" {
type primary;
1.2.3.5;
};
dnssec-policy "test";
- parental-source 10.10.10.10 port 53;
+ parental-source 10.10.10.10;
};
zone "dnssec-default" {
type primary;
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
+for ancient_conf in ancient-*.conf; do
+ ancient_opt="${ancient_conf#ancient-}"
+ ancient_opt="${ancient_opt%.conf}"
+
+ n=$((n + 1))
+ echo_i "checking that ancient \"${ancient_opt}\" option report a fatal error ($n)"
+ ret=0
+
+ $CHECKCONF ${ancient_conf} >"${ancient_conf}.out" 2>&1 && ret=1
+ grep "no longer exists" "${ancient_conf}.out" >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+done
+
n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
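Review bot: The loop at `for ancient_conf in ancient-*.conf` only verifies that named-checkconf exits non-zero and that the phrase "no longer exists" appears somewhere in its output, so a fixture that fails because of a different ancient option, or for an unrelated reason that happens to emit the same phrase, would still pass; if the error message names the option, grep for it as well, e.g. `grep "'${ancient_opt}'.*no longer exists" "${ancient_conf}.out" >/dev/null || ret=1` — the exact message format is not visible here. Quoting `"${ancient_conf}"` on the $CHECKCONF line would match the quoted use on the redirect. The progress message would also read better as "option reports a fatal error".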
grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if $test_fixed; then
grep "rrset-order: order 'fixed' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
else
fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "check that named-checkconf -p properly print a port range ($n)"
-ret=0
-$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1
-grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "check that *-source options with specified port generate warnings ($n)"
-ret=0
-$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" <checkconf.out$n >/dev/null || ret=1
-$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" <checkconf.out$n >/dev/null || ret=1
-$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" <checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
type primary;
file "generic.db";
also-notify { 10.53.0.3; };
- notify-source 10.53.0.2 port @EXTRAPORT2@;
+ notify-source 10.53.0.2;
notify primary-only;
};
zone x2 {
zone "notify-source-port-test" {
type primary;
file "notify-source-port-test.db";
- notify-source 10.53.0.3 port @EXTRAPORT2@;
+ notify-source 10.53.0.3;
};
grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run >/dev/null || ret=1
test_end
-test_start "checking notify-source uses port option correctly"
-grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run >/dev/null || ret=1
-test_end
-
# notify messages were sent to unresponsive 10.53.10.53 during the tests
# above, which should time out at some point; we need to wait for them to
# appear in the logs in case the tests run faster than the notify timeouts
server 10.42.23.3/32 {
notify-source 10.42.22.1;
- query-source address 10.42.22.1 port 0;
+ query-source address 10.42.22.1;
transfer-source 10.42.22.1;
};
server fd92:7065:b8e:ffff::1000 {
notify-source-v6 fd92:7065:b8e:ffff::1001;
- query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
+ query-source-v6 address fd92:7065:b8e:ffff::1001;
transfer-source-v6 fd92:7065:b8e:ffff::1001;
};
zone "primary" {
type secondary;
- transfer-source 10.53.0.3 port @EXTRAPORT1@;
+ transfer-source 10.53.0.3;
primaries { 10.53.0.6; };
file "primary.bk";
};
if test $tmp != 0; then echo_i "failed"; fi
status=$((status + tmp))
-n=$((n + 1))
-echo_i "test that transfer-source uses port option correctly ($n)"
-tmp=0
-grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run >/dev/null || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
wait_for_message() (
nextpartpeek ns6/named.run >wait_for_message.$n
grep -F "$1" wait_for_message.$n >/dev/null
.. code-block:: none
- // dense single-line style
- zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
- // single-statement-per-line style
- zone "example.com" in{
- type secondary;
- file "secondary.example.com";
- primaries {10.0.0.1;};
- };
- // spot the difference
- zone "example.com" in{
- type secondary;
- file "sec.secondary.com";
- primaries {10.0.0.1;}; };
+ // dense single-line style
+ zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
+ // single-statement-per-line style
+ zone "example.com" in{
+ type secondary;
+ file "secondary.example.com";
+ primaries {10.0.0.1;};
+ };
+ // spot the difference
+ zone "example.com" in{
+ type secondary;
+ file "sec.secondary.com";
+ primaries {10.0.0.1;}; };
.. _include_grammar:
(3 days, 12 hours).
ISO 8601 duration format consists of the letter "P", followed by an
- optional series of numbers with unit suffixes "Y" (year), "M" (month),
+ optional series of numbers with unit suffixes "Y" (year), "M" (month),
"W" (week), and "D" (day); this may optionally be followed by the
letter "T", and another series of numbers with unit suffixes
"H" (hour), "M" (minute), and "S" (second). Examples: "P3M10D"
:short: Controls the IPv6 address from which queries are issued.
If the server does not know the answer to a question, it queries other
- name servers. :any:`query-source` specifies the address and port used for
+ name servers. :any:`query-source` specifies the address used for
such queries. For queries sent over IPv6, there is a separate
:any:`query-source-v6` option. If ``address`` is ``*`` (asterisk) or is
omitted, a wildcard IP address (``INADDR_ANY``) is used.
::
- query-source address * port *;
- query-source-v6 address * port *;
-
- .. note:: ``port`` configuration is deprecated. A warning will be logged
- when this parameter is used.
+ query-source address *;
+ query-source-v6 address *;
.. note:: The address specified in the :any:`query-source` option is
used for both UDP and TCP queries, but the port applies only to UDP
queries. TCP queries always use a random unprivileged port.
-.. namedconf:statement:: use-v4-udp-ports
- :tags: deprecated
- :short: Specifies a list of ports that are valid sources for UDP/IPv4 messages.
-
-.. namedconf:statement:: use-v6-udp-ports
- :tags: deprecated
- :short: Specifies a list of ports that are valid sources for UDP/IPv6 messages.
-
- These statements, which are deprecated and will be removed in a future
- release, specify a list of IPv4 and IPv6 UDP ports that are used as
- source ports for UDP messages.
-
- If :term:`port` is ``*`` or is omitted, a random port number from a
- pre-configured range is selected and used for each query. The
- port range(s) are specified in the :any:`use-v4-udp-ports` (for IPv4)
- and :any:`use-v6-udp-ports` (for IPv6) options.
-
- If :any:`use-v4-udp-ports` or :any:`use-v6-udp-ports` is unspecified,
- :iscman:`named` checks whether the operating system provides a programming
- interface to retrieve the system's default range for ephemeral ports. If
- such an interface is available, :iscman:`named` uses the corresponding
- system default range; otherwise, it uses its own defaults:
-
- ::
-
- use-v4-udp-ports { range 1024 65535; };
- use-v6-udp-ports { range 1024 65535; };
-
-.. namedconf:statement:: avoid-v4-udp-ports
- :tags: deprecated
- :short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages.
-
-.. namedconf:statement:: avoid-v6-udp-ports
- :tags: deprecated
- :short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages.
-
- These statements, which are deprecated and will be removed in a future
- release, indicate ranges of port numbers to exclude from those specified
- in the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports`
- options, respectively.
-
- The defaults of the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports`
- options are:
-
- ::
-
- avoid-v4-udp-ports {};
- avoid-v6-udp-ports {};
-
- For example, with the following configuration:
-
- ::
-
- use-v6-udp-ports { range 32768 65535; };
- avoid-v6-udp-ports { 40000; range 50000 60000; };
-
- UDP ports of IPv6 messages sent from :iscman:`named` are in one of the
- following ranges: 32768 to 39999, 40001 to 49999, or 60001 to 65535.
-
- :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports` can be used to prevent
- :iscman:`named` from choosing as its random source port a port that is blocked
- by a firewall or that is used by other applications; if a
- query went out with a source port blocked by a firewall, the answer
- would not pass through the firewall and the name server would have to query
- again. Note: the desired range can also be represented only with
- :any:`use-v4-udp-ports` and :any:`use-v6-udp-ports`, and the ``avoid-``
- options are redundant in that sense; they are provided for backward
- compatibility and to possibly simplify the port specification.
-
- .. note:: Make sure the ranges are sufficiently large for security. A
- desirable size depends on several parameters, but we generally recommend
- it contain at least 16384 ports (14 bits of entropy). Note also that the
- system's default range when used may be too small for this purpose, and
- that the range may even be changed while :iscman:`named` is running; the new
- range is automatically applied when :iscman:`named` is reloaded. Explicit
- configuration of :any:`use-v4-udp-ports` and :any:`use-v6-udp-ports` is encouraged,
- so that the ranges are sufficiently large and are reasonably
- independent from the ranges used by other applications.
-
- .. note:: The operational configuration where :iscman:`named` runs may prohibit
- the use of some ports. For example, Unix systems do not allow
- :iscman:`named`, if run without root privilege, to use ports less than 1024.
- If such ports are included in the specified (or detected) set of query
- ports, the corresponding query attempts will fail, resulting in
- resolution failures or delay. It is therefore important to configure the
- set of ports that can be safely used in the expected operational
- environment.
-
- .. warning:: Specifying a single port is discouraged, as it removes a layer of
- protection against spoofing errors.
-
- .. warning:: The configured :term:`port` must not be the same as the listening port.
-
- .. note:: See also :any:`transfer-source`, :any:`notify-source` and :any:`parental-source`.
-
.. _zone_transfers:
Zone Transfers
:any:`transfer-source` determines which local address is bound to
IPv4 TCP connections used to fetch zones transferred inbound by the
- server. It also determines the source IPv4 address, and optionally
- the UDP port, used for the refresh queries and forwarded dynamic
- updates. If not set, it defaults to a system-controlled value which
- is usually the address of the interface "closest to" the remote
- end. This address must appear in the remote end's :any:`allow-transfer`
- option for the zone being transferred, if one is specified. This
- statement sets the :any:`transfer-source` for all zones, but can be
+ server. It also determines the source IPv4 address, used for the refresh
+ queries and forwarded dynamic updates. If not set, it defaults to a
+ system-controlled value which is usually the address of the interface
+ "closest to" the remote end. This address must appear in the remote
+ end's :any:`allow-transfer` option for the zone being transferred,
+ if one is specified.
+ This statement sets the :any:`transfer-source` for all zones, but can be
overridden on a per-view or per-zone basis by including a
:any:`transfer-source` statement within the :any:`view` or :any:`zone` block
in the configuration file.
- .. note:: ``port`` configuration is deprecated. A warning will be logged
- when this parameter is used.
-
- .. warning:: Specifying a single port is discouraged, as it removes a layer of
- protection against spoofing errors.
-
- .. warning:: The configured :term:`port` must not be the same as the listening port.
-
.. namedconf:statement:: transfer-source-v6
:tags: transfer
:short: Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
.. namedconf:statement:: notify-source
:tags: transfer
- :short: Defines the IPv4 address (and optional port) to be used for outgoing ``NOTIFY`` messages.
-
- :any:`notify-source` determines which local source address, and
- optionally UDP port, is used to send NOTIFY messages. This
- address must appear in the secondary server's :any:`primaries` zone clause or
- in an :any:`allow-notify` clause. This statement sets the
- :any:`notify-source` for all zones, but can be overridden on a per-zone
- or per-view basis by including a :any:`notify-source` statement within
- the :any:`zone` or :any:`view` block in the configuration file.
-
- .. note:: ``port`` configuration is deprecated. A warning will be logged
- when this parameter is used.
+ :short: Defines the IPv4 address to be used for outgoing ``NOTIFY`` messages.
- .. warning:: Specifying a single port is discouraged, as it removes a layer of
- protection against spoofing errors.
-
- .. warning:: The configured :term:`port` must not be the same as the listening port.
+ :any:`notify-source` determines which local source address is used to send
+ NOTIFY messages. This address must appear in the secondary server's
+ :any:`primaries` zone clause or in an :any:`allow-notify` clause.
+ This statement sets the :any:`notify-source` for all zones, but can be
+ overridden on a per-zone or per-view basis by including a
+ :any:`notify-source` statement within the :any:`zone` or :any:`view`
+ block in the configuration file.
.. namedconf:statement:: notify-source-v6
:tags: transfer
:tags: dnssec
:short: Specifies which local IPv4 source address is used to send parental DS queries.
- :any:`parental-source` determines which local source address, and optionally
- UDP port, is used to send parental DS queries. This statement sets the
+ :any:`parental-source` determines which local source address
+ is used to send parental DS queries. This statement sets the
:any:`parental-source` for all zones, but can be overridden on a per-zone or
per-view basis by including a :any:`parental-source` statement within the
:any:`zone` or :any:`view` block in the configuration file.
- .. note:: ``port`` configuration is deprecated. A warning will be logged
- when this parameter is used.
-
- .. warning:: Specifying a single port is discouraged, as it removes a layer of
- protection against spoofing errors.
-
- .. warning:: The configured :term:`port` must not be the same as the listening port.
-
.. namedconf:statement:: parental-source-v6
:tags: dnssec
:short: Specifies which local IPv6 source address is used to send parental DS queries.
this zone. Possible values and their meanings are:
``Needs Refresh``
- The zone needs a refresh, but the process hasn't started yet,
- which can be due to different factors, like the retry interval of
- the zone.
+ The zone needs a refresh, but the process hasn't started yet,
+ which can be due to different factors, like the retry interval of
+ the zone.
``Pending``
- The zone is flagged for a refresh, but the process is currently
- in the queue and will start shortly, or is in a waiting state
- because of rate-limiting, see :any:`serial-query-rate`. The
- ``Duration (s)`` timer starts before entering this state.
+ The zone is flagged for a refresh, but the process is currently
+ in the queue and will start shortly, or is in a waiting state
+ because of rate-limiting, see :any:`serial-query-rate`. The
+ ``Duration (s)`` timer starts before entering this state.
``Refresh SOA``
- Sending a refresh SOA query to get the zone serial number, then
- initiate a zone transfer, if necessary. If this step is successful,
- the ``SOA Query`` and ``Got SOA`` states will be skipped.
- Otherwise, the zone transfer procedure can still be initiated,
- and the SOA request will be attempted using the same transport as
- the zone transfer. The ``Duration (s)`` timer restarts before
- entering this state, and for each attempted connection (note that
- in UDP mode there can be several retries during one "connection"
- attempt).
+ Sending a refresh SOA query to get the zone serial number, then
+ initiate a zone transfer, if necessary. If this step is successful,
+ the ``SOA Query`` and ``Got SOA`` states will be skipped.
+ Otherwise, the zone transfer procedure can still be initiated,
+ and the SOA request will be attempted using the same transport as
+ the zone transfer. The ``Duration (s)`` timer restarts before
+ entering this state, and for each attempted connection (note that
+ in UDP mode there can be several retries during one "connection"
+ attempt).
``Deferred``
- The zone is going to be refreshed, but the process was
- deferred due to quota, see :any:`transfers-in` and
- :any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before
- entering this state.
+ The zone is going to be refreshed, but the process was
+ deferred due to quota, see :any:`transfers-in` and
+ :any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before
+ entering this state.
``SOA Query``
- Sending SOA query to get the zone serial number, then
- follow with a zone transfer, if necessary. The ``Duration (s)``
- timer restarts before entering this state.
+ Sending SOA query to get the zone serial number, then
+ follow with a zone transfer, if necessary. The ``Duration (s)``
+ timer restarts before entering this state.
``Got SOA``
- An answer for the SOA query from the previous step is
- received, initiating a transfer.
+ An answer for the SOA query from the previous step is
+ received, initiating a transfer.
``Zone Transfer Request``
- Waiting for the zone transfer to start. The ``Duration (s)`` timer
- restarts before entering this state.
+ Waiting for the zone transfer to start. The ``Duration (s)`` timer
+ restarts before entering this state.
``First Data``
- Waiting for the first data record of the transfer.
+ Waiting for the first data record of the transfer.
``Receiving IXFR Data``
- Receiving data for an IXFR type incremental zone
- transfer.
+ Receiving data for an IXFR type incremental zone
+ transfer.
``Finalizing IXFR``
Finalizing an IXFR type incremental zone transfer.
attach-cache <string>;
auth-nxdomain <boolean>;
automatic-interface-scan <boolean>;
- avoid-v4-udp-ports { <portrange>; ... }; // deprecated
- avoid-v6-udp-ports { <portrange>; ... }; // deprecated
bindkeys-file <quoted_string>; // test only
blackhole { <address_match_element>; ... };
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
udp-send-buffer <integer>;
update-check-ksk <boolean>; // obsolete
update-quota <integer>;
- use-v4-udp-ports { <portrange>; ... }; // deprecated
- use-v6-udp-ports { <portrange>; ... }; // deprecated
v6-bias <integer>;
validate-except { <string>; ... };
version ( <quoted_string> | none );
if (obj != NULL) {
in_port_t port =
isc_sockaddr_getport(cfg_obj_assockaddr(obj));
- if (port == dnsport) {
+ if (port != 0) {
cfg_obj_log(obj, ISC_LOG_ERROR,
- "'%s' cannot specify the "
- "DNS listener port (%d)",
- sources[i], port);
- result = ISC_R_FAILURE;
- } else if (port != 0) {
- cfg_obj_log(obj, ISC_LOG_WARNING,
"'%s': specifying a port is "
- "not recommended",
+ "deprecated",
sources[i]);
}
}
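Review bot: The rewritten check at `if (port != 0)` logs at ISC_LOG_ERROR but drops the `result = ISC_R_FAILURE;` that the removed branch set, so as far as this hunk shows named-checkconf still exits successfully for a configuration whose message it labels an error; the old "source port equals the DNS listener port" case, which was a hard failure, is now only logged. If a specified port is meant to be rejected (the commit also removes the "not recommended" warning tests), add `result = ISC_R_FAILURE;` after the `cfg_obj_log()` call; if it is only meant to warn, the level should be ISC_LOG_WARNING. Either way the word "deprecated" fits neither outcome — `"'%s': specifying a port is no longer supported"` says what an ERROR-level message means. The `dnsport` value the old comparison used may now be unused in the enclosing function, which starts and ends outside the hunk.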
static cfg_type_t cfg_type_serverid = { "serverid", parse_serverid, NULL,
doc_serverid, NULL, NULL };
-/*%
- * Port list.
- */
-static void
-print_porttuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
- cfg_print_cstr(pctx, "range ");
- cfg_print_tuple(pctx, obj);
-}
-static cfg_tuplefielddef_t porttuple_fields[] = {
- { "loport", &cfg_type_uint32, 0 },
- { "hiport", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_porttuple = { "porttuple", cfg_parse_tuple,
- print_porttuple, cfg_doc_tuple,
- &cfg_rep_tuple, porttuple_fields };
-
-static isc_result_t
-parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) {
- isc_result_t result;
-
- CHECK(cfg_parse_uint32(pctx, NULL, ret));
- if ((*ret)->value.uint32 > 0xffff) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
- cfg_obj_destroy(pctx, ret);
- result = ISC_R_RANGE;
- }
-
-cleanup:
- return (result);
-}
-
-static isc_result_t
-parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
-
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
- if (pctx->token.type == isc_tokentype_number) {
- CHECK(parse_port(pctx, ret));
- } else {
- CHECK(cfg_gettoken(pctx, 0));
- if (pctx->token.type != isc_tokentype_string ||
- strcasecmp(TOKEN_STRING(pctx), "range") != 0)
- {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected integer or 'range'");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj));
- CHECK(parse_port(pctx, &obj->value.tuple[0]));
- CHECK(parse_port(pctx, &obj->value.tuple[1]));
- if (obj->value.tuple[0]->value.uint32 >
- obj->value.tuple[1]->value.uint32)
- {
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "low port '%u' must not be larger "
- "than high port",
- obj->value.tuple[0]->value.uint32);
- result = ISC_R_RANGE;
- goto cleanup;
- }
- *ret = obj;
- obj = NULL;
- }
-
-cleanup:
- if (obj != NULL) {
- cfg_obj_destroy(pctx, &obj);
- }
- return (result);
-}
-
-static cfg_type_t cfg_type_portrange = { "portrange", parse_portrange,
- NULL, cfg_doc_terminal,
- NULL, NULL };
-
-static cfg_type_t cfg_type_bracketed_portlist = { "bracketed_portlist",
- cfg_parse_bracketed_list,
- cfg_print_bracketed_list,
- cfg_doc_bracketed_list,
- &cfg_rep_list,
- &cfg_type_portrange };
-
static const char *cookiealg_enums[] = { "siphash24", NULL };
static cfg_type_t cfg_type_cookiealg = { "cookiealg", cfg_parse_enum,
cfg_print_ustring, cfg_doc_enum,
static cfg_clausedef_t options_clauses[] = {
{ "answer-cookie", &cfg_type_boolean, 0 },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
- { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist,
- CFG_CLAUSEFLAG_DEPRECATED },
- { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist,
- CFG_CLAUSEFLAG_DEPRECATED },
+ { "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
+ { "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
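Review bot: Moving `avoid-v4-udp-ports`/`avoid-v6-udp-ports` from CFG_CLAUSEFLAG_DEPRECATED to CFG_CLAUSEFLAG_ANCIENT with a NULL type (L869-870) turns an option that previously only warned into one the parser rejects outright, presumably as it does for the existing `use-id-pool`/`use-ixfr` entries, and nothing in the patch documents that for operators; the same applies to `use-v4-udp-ports`/`use-v6-udp-ports` (L881-882) and to the `alt-transfer-source` family in the zone table (L890, L894, L902). Since the grammar reference is generated from these tables, confirm the generated options documentation and the release notes say the directives must now be removed from existing configurations rather than merely being ignored. The entries themselves are consistent with the other ANCIENT rows in the table.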
{ "update-quota", &cfg_type_uint32, 0 },
{ "use-id-pool", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "use-ixfr", NULL, CFG_CLAUSEFLAG_ANCIENT },
- { "use-v4-udp-ports", &cfg_type_bracketed_portlist,
- CFG_CLAUSEFLAG_DEPRECATED },
- { "use-v6-udp-ports", &cfg_type_bracketed_portlist,
- CFG_CLAUSEFLAG_DEPRECATED },
+ { "use-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
+ { "use-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "version", &cfg_type_qstringornone, 0 },
{ NULL, NULL, 0 }
};
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "also-notify", &cfg_type_namesockaddrkeylist,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
- { "alt-transfer-source", &cfg_type_sockaddr4wild,
+ { "alt-transfer-source", NULL,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_CLAUSEFLAG_ANCIENT },
- { "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
+ { "alt-transfer-source-v6", NULL,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_CLAUSEFLAG_ANCIENT },
{ "auto-dnssec", &cfg_type_autodnssec,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "update-check-ksk", &cfg_type_boolean,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
- { "use-alt-transfer-source", &cfg_type_boolean,
+ { "use-alt-transfer-source", NULL,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
CFG_CLAUSEFLAG_ANCIENT },
{ "zero-no-soa-ttl", &cfg_type_boolean,
goto cleanup;
}
}
+
*ret = obj;
cleanup:
return (result);
have_address++;
} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
{
- /* read "port" */
- if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0)
- {
- cfg_parser_warning(
- pctx, 0,
- "token 'port' is deprecated");
- }
- CHECK(cfg_gettoken(pctx, 0));
- CHECK(cfg_parse_rawport(pctx, CFG_ADDR_WILDOK,
- &port));
- have_port++;
+ /* Port has been removed */
+ ++have_port;
} else if (strcasecmp(TOKEN_STRING(pctx), "tls") == 0) {
/* We do not expect TLS here, not parsing. */
++have_tls;
}
}
- if (have_address > 1 || have_port > 1 || have_address + have_port == 0)
- {
- cfg_parser_error(pctx, 0, "expected one address and/or port");
+ if (have_address != 1) {
+ cfg_parser_error(pctx, 0, "expected exactly one address");
return (ISC_R_UNEXPECTEDTOKEN);
}
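Review bot: The `have_address != 1` check at L937 runs before the new `have_port > 0` rejection added in the following hunk (L943-946), so a statement that gives only a port and no address now fails with "expected exactly one address" instead of the more specific "subconfig 'port' no longer exists" that the later check was written to produce; reordering the two checks so the port rejection comes first, or erroring directly in the `port` branch at L927-928 with `cfg_parser_error(pctx, CFG_LOG_NEAR, "subconfig 'port' no longer exists");`, keeps the intended message reachable and attaches a token position to it. The `++have_port` at L928 also differs in style from `have_address++` at L913 a few lines above; pick one form for the function. parse_querysource begins outside this hunk.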
return (ISC_R_UNEXPECTEDTOKEN);
}
+ if (have_port > 0) {
+ cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+
CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
*ret = obj;
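Review bot: `isc_sockaddr_fromnetaddr()` at L949 still passes `port`, but after this change nothing in parse_querysource assigns it (the only assignment was the removed `cfg_parse_rawport` call at L924-925), so its value now rests entirely on the initializer at its declaration, which is outside the hunk; confirm it is declared as `in_port_t port = 0;` or pass an explicit `0` at the call site so the intent is visible where the address is built. The printer change at L954-955 drops the port from the output, which is only consistent if that stored value is always the same constant.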
isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
cfg_print_cstr(pctx, "address ");
cfg_print_rawaddr(pctx, &na);
- cfg_print_cstr(pctx, " port ");
- cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
}
static void
cfg_obj_t *obj = NULL;
int have_port = 0;
int have_tls = 0;
+ int is_port_ok = (flags & CFG_ADDR_PORTOK) != 0;
+ int is_tls_ok = (flags & CFG_ADDR_TLSOK) != 0;
CHECK(cfg_create_obj(pctx, type, &obj));
CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_string) {
if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
- if ((pctx->flags & CFG_PCTX_NODEPRECATED) ==
- 0 &&
- (flags & CFG_ADDR_PORTOK) == 0)
- {
- cfg_parser_warning(
- pctx, 0,
- "token 'port' is deprecated");
- }
CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
CHECK(cfg_parse_rawport(pctx, flags, &port));
++have_port;
- } else if ((flags & CFG_ADDR_TLSOK) != 0 &&
+ } else if (is_tls_ok &&
strcasecmp(TOKEN_STRING(pctx), "tls") == 0)
{
cfg_obj_t *tls = NULL;
}
}
+ if (!is_port_ok && have_port > 0) {
+ cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists");
+ result = ISC_R_UNEXPECTEDTOKEN;
+ goto cleanup;
+ }
if (have_port > 1) {
cfg_parser_error(pctx, 0, "expected at most one port");
result = ISC_R_UNEXPECTEDTOKEN;
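Review bot: When `is_port_ok` is false the `port` keyword is still consumed and its value parsed by `cfg_parse_rawport` at L976-977 before the new post-loop check at L986 rejects it, so a no-port address followed by a malformed port value reports a port-syntax error rather than "subconfig 'port' no longer exists", and the rejection that does fire carries no token position because it passes flags `0`. Checking `is_port_ok` inside the `port` branch at L967 and erroring there with `CFG_LOG_NEAR` would give both the intended message and its location; the L986 block could then be dropped. parse_sockaddrsub begins outside this hunk.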
return (result);
}
+static isc_result_t
+cfg_parse_sockaddr_generic(cfg_parser_t *pctx, cfg_type_t *klass,
+ const cfg_type_t *type, cfg_obj_t **ret) {
+ const unsigned int *flagp;
+
+ REQUIRE(pctx != NULL);
+ REQUIRE(klass != NULL);
+ REQUIRE(type != NULL);
+ REQUIRE(ret != NULL && *ret == NULL);
+
+ flagp = type->of;
+
+ return (parse_sockaddrsub(pctx, klass, *flagp, ret));
+}
+
static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
CFG_ADDR_PORTOK;
cfg_type_t cfg_type_sockaddr = { "sockaddr", cfg_parse_sockaddr,
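Review bot: `cfg_parse_sockaddr_generic` has no comment explaining why it takes both `klass` and `type`, which is the non-obvious part of this refactor: the object is created from `klass` while `type` only contributes the flag word through its `of` member, which is what lets the new *_noport types share one parse function. A header comment such as `/* 'klass' is the object type handed to parse_sockaddrsub(); 'type' only supplies the CFG_ADDR_* flags via its 'of' member, so several cfg_type_t variants can share this parser. */` would record that. `type->of` is dereferenced at L1008 without a `REQUIRE(type->of != NULL);` next to the other REQUIREs; the replaced code lacked it too, but it is cheap to add now that more types route through here.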
cfg_print_sockaddr, cfg_doc_sockaddr,
&cfg_rep_sockaddrtls, &sockaddrtls_flags };
+static unsigned int sockaddr_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+cfg_type_t cfg_type_sockaddr_noport = {
+ "sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
+ cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr_flags_noport
+};
+
+static unsigned int sockaddrtls_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
+ CFG_ADDR_TLSOK;
+cfg_type_t cfg_type_sockaddrtls_noport = {
+ "sockaddrtls", cfg_parse_sockaddrtls, cfg_print_sockaddr,
+ cfg_doc_sockaddr, &cfg_rep_sockaddrtls, &sockaddrtls_flags_noport
+};
+
isc_result_t
cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
- const unsigned int *flagp;
-
- REQUIRE(pctx != NULL);
- REQUIRE(type != NULL);
- REQUIRE(ret != NULL && *ret == NULL);
-
- flagp = type->of;
-
- return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
+ return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddr, type,
+ ret));
}
isc_result_t
cfg_parse_sockaddrtls(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
- const unsigned int *flagp;
-
- REQUIRE(pctx != NULL);
- REQUIRE(type != NULL);
- REQUIRE(ret != NULL && *ret == NULL);
-
- flagp = type->of;
-
- return (parse_sockaddrsub(pctx, &cfg_type_sockaddrtls, *flagp, ret));
+ return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddrtls, type,
+ ret));
}
void
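Review bot: The two new types at L1017-1020 and L1024-1027 reuse the name strings "sockaddr" and "sockaddrtls" of the port-accepting types, so anything that reports or documents a type by its name cannot tell the variants apart; unless that name is relied on elsewhere, distinct names such as "sockaddr_noport" and "sockaddrtls_noport" would keep diagnostics and generated grammar unambiguous. Both objects are non-static globals, so they presumably need matching extern declarations in the public header, which this hunk does not show.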