<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
- <date>2018-05-29</date>
+ <date>2018-06-21</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
- except-from { <replaceable>quoted_string</replaceable>; ... } ];
- deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
- <replaceable>quoted_string</replaceable>; ... } ];
+ except-from { <replaceable>string</replaceable>; ... } ];
+ deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+ } ];
dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
directory <replaceable>quoted_string</replaceable>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... };
- dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
- hostname );
- dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
- size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
- unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
- | timestamp ) ];
+ dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+ response ) ]; ... };
+ dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
+ dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
+ <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
+ increment | timestamp ) ];
dnstap-version ( <replaceable>quoted_string</replaceable> | none );
dscp <replaceable>integer</replaceable>;
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
preferred-glue <replaceable>string</replaceable>;
prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
provide-ixfr <replaceable>boolean</replaceable>;
- qname-minimization ( strict | relaxed | disabled );
+ qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
- root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+ root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
v6-bias <replaceable>integer</replaceable>;
+ validate-except { <replaceable>string</replaceable>; ... };
version ( <replaceable>quoted_string</replaceable> | none );
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
clients-per-query <replaceable>integer</replaceable>;
deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
- except-from { <replaceable>quoted_string</replaceable>; ... } ];
- deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
- <replaceable>quoted_string</replaceable>; ... } ];
+ except-from { <replaceable>string</replaceable>; ... } ];
+ deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+ } ];
dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
... };
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... };
+ dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+ response ) ]; ... };
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
preferred-glue <replaceable>string</replaceable>;
prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
provide-ixfr <replaceable>boolean</replaceable>;
- qname-minimization ( strict | relaxed | disabled );
+ qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
- root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+ root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>;
v6-bias <replaceable>integer</replaceable>;
+ validate-except { <replaceable>string</replaceable>; ... };
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [
port <replaceable>integer</replaceable> ]; ... };
- server-names { <replaceable>quoted_string</replaceable>; ... };
+ server-names { <replaceable>string</replaceable>; ... };
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
serial-update-method ( date | increment | unixtime );
server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port
<replaceable>integer</replaceable> ]; ... };
- server-names { <replaceable>quoted_string</replaceable>; ... };
+ server-names { <replaceable>string</replaceable>; ... };
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
unsigned int resolver_param;
+ dns_ntatable_t *ntatable = NULL;
const char *qminmode = NULL;
REQUIRE(DNS_VIEW_VALID(view));
CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0,
NULL));
view->redirectzone = name;
- } else
+ } else {
view->redirectzone = NULL;
+ }
+
+ /*
+ * Exceptions to DNSSEC validation.
+ */
+ obj = NULL;
+ result = named_config_get(maps, "validate-except", &obj);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_view_getntatable(view, &ntatable);
+ }
+ if (result == ISC_R_SUCCESS) {
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ dns_fixedname_t fntaname;
+ dns_name_t *ntaname;
+
+ ntaname = dns_fixedname_initname(&fntaname);
+ obj = cfg_listelt_value(element);
+ CHECK(dns_name_fromstring(ntaname,
+ cfg_obj_asstring(obj),
+ 0, NULL));
+ CHECK(dns_ntatable_add(ntatable, ntaname,
+ true, 0, 0xffffffffU));
+ }
+ }
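Review bot: The literal `0xffffffffU` passed to dns_ntatable_add on the last CHECK line is the only thing that marks these entries as permanent, and the same literal is compared against at L538 and L585; one named constant in ntatable.h, e.g. `#define DNS_NTA_PERMANENT 0xffffffffU` (constructed name), would keep the three sites from drifting and make the convention visible. The loop also installs whatever names the operator configured without recording them anywhere, so a very broad entry (the root name, for instance) would suppress validation view-wide with nothing in the log to show it — an `isc_log_write()` of each accepted name at startup, or rejecting the root name at configure time, would make the effective exception set auditable. When the option is absent, `result` is left at whatever named_config_get returned; presumably harmless if the code after the hunk reassigns it before reading, but worth confirming, since the enclosing function continues outside this hunk.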
#ifdef HAVE_DNSTAP
/*
result = ISC_R_SUCCESS;
cleanup:
- if (clients != NULL)
+ if (ntatable != NULL) {
+ dns_ntatable_detach(&ntatable);
+ }
+ if (clients != NULL) {
dns_acl_detach(&clients);
- if (mapped != NULL)
+ }
+ if (mapped != NULL) {
dns_acl_detach(&mapped);
- if (excluded != NULL)
+ }
+ if (excluded != NULL) {
dns_acl_detach(&excluded);
- if (ring != NULL)
+ }
+ if (ring != NULL) {
dns_tsigkeyring_detach(&ring);
- if (zone != NULL)
+ }
+ if (zone != NULL) {
dns_zone_detach(&zone);
- if (dispatch4 != NULL)
+ }
+ if (dispatch4 != NULL) {
dns_dispatch_detach(&dispatch4);
- if (dispatch6 != NULL)
+ }
+ if (dispatch6 != NULL) {
dns_dispatch_detach(&dispatch6);
- if (resstats != NULL)
+ }
+ if (resstats != NULL) {
isc_stats_detach(&resstats);
- if (resquerystats != NULL)
+ }
+ if (resquerystats != NULL) {
dns_stats_detach(&resquerystats);
- if (order != NULL)
+ }
+ if (order != NULL) {
dns_order_detach(&order);
- if (cmctx != NULL)
+ }
+ if (cmctx != NULL) {
isc_mem_detach(&cmctx);
- if (hmctx != NULL)
+ }
+ if (hmctx != NULL) {
isc_mem_detach(&hmctx);
-
- if (cache != NULL)
+ }
+ if (cache != NULL) {
dns_cache_detach(&cache);
- if (dctx != NULL)
+ }
+ if (dctx != NULL) {
dns_dyndb_destroyctx(&dctx);
+ }
return (result);
}
max-cache-size 20000000000000;
nta-lifetime 604800;
nta-recheck 604800;
+ validate-except {
+ "corp";
+ };
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>validate-except</command></term>
+ <listitem>
+ <para>
+ Specifies a list of domain names at and beneath which DNSSEC
+ validation should <emphasis>not</emphasis> be performed,
+ regardless of the presence of a trust anchor at or above
+ those names. This may be used, for example, when configuring
+ a top-level domain intended only for local use, so that the
+ lack of a secure delegation for that domain in the root zone
+ will not cause validation failures. (This is similar
+ to setting a negative trust anchor, except that it is a
+ permanent configuration, whereas negative trust anchors
+ expire and are removed after a set period of time.)
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>dnssec-accept-expired</command></term>
<listitem>
<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
<command>deny-answer-addresses</command> { <replaceable>address_match_element</replaceable>; ... } [
- <command>except-from</command> { <replaceable>quoted_string</replaceable>; ... } ];
- <command>deny-answer-aliases</command> { <replaceable>quoted_string</replaceable>; ... } [ except-from {
- <replaceable>quoted_string</replaceable>; ... } ];
+ <command>except-from</command> { <replaceable>string</replaceable>; ... } ];
+ <command>deny-answer-aliases</command> { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+ } ];
<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
<command>directory</command> <replaceable>quoted_string</replaceable>;
<command>disable-algorithms</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
<command>dnssec-validation</command> ( yes | no | auto );
- <command>dnstap</command> { ( all | auth | client | forwarder |
- <command>resolver</command> ) [ ( query | response ) ]; ... };
- <command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none |
- <command>hostname</command> );
- <command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [
- <command>size</command> ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
- <command>unlimited</command> | <replaceable>integer</replaceable> ) ] [ suffix ( increment
- | timestamp ) ];
+ <command>dnstap</command> { ( all | auth | client | forwarder | resolver ) [ ( query |
+ <command>response</command> ) ]; ... };
+ <command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
+ <command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
+ <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
+ <command>increment</command> | timestamp ) ];
<command>dnstap-version</command> ( <replaceable>quoted_string</replaceable> | none );
<command>dscp</command> <replaceable>integer</replaceable>;
<command>dual-stack-servers</command> [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
<command>preferred-glue</command> <replaceable>string</replaceable>;
<command>prefetch</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
- <command>qname-minimization</command> ( strict | relaxed | disabled );
+ <command>qname-minimization</command> ( strict | relaxed | disabled | off );
<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
<command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
<command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
<command>dnsrps-enable</command> <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
- <command>root-delegation-only</command> [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+ <command>root-delegation-only</command> [ exclude { <replaceable>string</replaceable>; ... } ];
<command>root-key-sentinel</command> <replaceable>boolean</replaceable>;
<command>rrset-order</command> { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
<command>v6-bias</command> <replaceable>integer</replaceable>;
+ <command>validate-except</command> { <replaceable>string</replaceable>; ... };
<command>version</command> ( <replaceable>quoted_string</replaceable> | none );
<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
<command>zero-no-soa-ttl-cache</command> <replaceable>boolean</replaceable>;
<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
<command>max-records</command> <replaceable>integer</replaceable>;
<command>server-addresses</command> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ]; ... };
- <command>server-names</command> { <replaceable>quoted_string</replaceable>; ... };
+ <command>server-names</command> { <replaceable>string</replaceable>; ... };
<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
};
</programlisting>
datasize ( default | unlimited | <sizeval> );
deallocate-on-exit <boolean>; // obsolete
deny-answer-addresses { <address_match_element>; ... } [
- except-from { <quoted_string>; ... } ];
- deny-answer-aliases { <quoted_string>; ... } [ except-from {
- <quoted_string>; ... } ];
+ except-from { <string>; ... } ];
+ deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+ } ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
directory <quoted_string>;
disable-algorithms <string> { <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... }; // not configured
- dnstap-identity ( <quoted_string> | none |
- hostname ); // not configured
- dnstap-output ( file | unix ) <quoted_string> [
- size ( unlimited | <size> ) ] [ versions (
- unlimited | <integer> ) ] [ suffix ( increment
- | timestamp ) ]; // not configured
- dnstap-version ( <quoted_string> | none ); // not configured
+ dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+ response ) ]; ... };
+ dnstap-identity ( <quoted_string> | none | hostname );
+ dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+ <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+ increment | timestamp ) ];
+ dnstap-version ( <quoted_string> | none );
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- fstrm-set-buffer-hint <integer>; // not configured
- fstrm-set-flush-timeout <integer>; // not configured
- fstrm-set-input-queue-size <integer>; // not configured
- fstrm-set-output-notify-threshold <integer>; // not configured
- fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
- fstrm-set-output-queue-size <integer>; // not configured
- fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none ); // not configured
+ fstrm-set-buffer-hint <integer>;
+ fstrm-set-flush-timeout <integer>;
+ fstrm-set-input-queue-size <integer>;
+ fstrm-set-output-notify-threshold <integer>;
+ fstrm-set-output-queue-model ( mpsc | spsc );
+ fstrm-set-output-queue-size <integer>;
+ fstrm-set-reopen-interval <ttlval>;
+ geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // not yet implemented
- root-delegation-only [ exclude { <quoted_string>; ... } ];
+ root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };
v6-bias <integer>;
+ validate-except { <string>; ... };
version ( <quoted_string> | none );
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
cleaning-interval <integer>;
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [
- except-from { <quoted_string>; ... } ];
- deny-answer-aliases { <quoted_string>; ... } [ except-from {
- <quoted_string>; ... } ];
+ except-from { <string>; ... } ];
+ deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+ } ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
disable-algorithms <string> { <string>;
... }; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... }; // not configured
+ dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+ response ) ]; ... };
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // not yet implemented
- root-delegation-only [ exclude { <quoted_string>; ... } ];
+ root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
use-alt-transfer-source <boolean>;
use-queryport-pool <boolean>; // obsolete
v6-bias <integer>;
+ validate-except { <string>; ... };
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
zone <string> [ <class> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ) [
port <integer> ]; ... };
- server-names { <quoted_string>; ... };
+ server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
<integer> ]; ... };
- server-names { <quoted_string>; ... };
+ server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
max-records <integer>;
server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
- server-names { <quoted_string>; ... };
+ server-names { <string>; ... };
zone-statistics ( full | terse | none | <boolean> );
};
uint32_t lifetime);
/*%<
* Add a negative trust anchor to 'ntatable' for name 'name',
- * which will expire at time 'now' + 'lifetime'. If 'force' is false,
- * then the name will be checked periodically to see if it's bogus;
- * if not, then the NTA will be allowed to expire early.
+ * which will expire at time 'now' + 'lifetime'. If 'force' is true,
+ * then the NTA will persist for the entire specified lifetime.
+ * If it is false, then the name will be queried periodically and
+ * validation will be attempted to see whether it's still bogus;
+ * if validation is successful, the NTA will be allowed to expire
+ * early and validation below the NTA will resume.
*
* Notes:
*
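Review bot: The rewritten contract for dns_ntatable_add describes the `force` flag but says nothing about the special expiry value the server now passes for validate-except entries, which the totext and dump paths treat as "permanent" and skip. Add a sentence after the lifetime description such as ` * An expiry ('now' + 'lifetime') of 0xffffffff denotes a permanent entry, as created for validate-except; such entries are omitted by dns_ntatable_totext() and dns_ntatable_dump().` so the sentinel is part of the documented interface rather than an implicit agreement between server.c and ntatable.c. The prototype this comment belongs to starts above the hunk.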
dns_name_t *name;
isc_time_t t;
- name = dns_fixedname_initname(&fn);
- dns_rbt_fullnamefromnode(node, name);
- dns_name_format(name, nbuf, sizeof(nbuf));
- isc_time_set(&t, n->expiry, 0);
- isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
-
- snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
- first ? "" : "\n", nbuf,
- n->expiry <= now ? "expired" : "expiry",
- tbuf);
- first = false;
- result = putstr(buf, obuf);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- result = dns_rbtnodechain_next(&chain, NULL, NULL);
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- break;
- }
- }
-
- cleanup:
- dns_rbtnodechain_invalidate(&chain);
- RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
- return (result);
-}
-
-#if 0
-isc_result_t
-dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
- isc_result_t result;
- dns_rbtnode_t *node;
- dns_rbtnodechain_t chain;
- isc_stdtime_t now;
-
- REQUIRE(VALID_NTATABLE(ntatable));
-
- isc_stdtime_get(&now);
-
- RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
- dns_rbtnodechain_init(&chain, ntatable->view->mctx);
- result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
- goto cleanup;
- for (;;) {
- dns_rbtnodechain_current(&chain, NULL, NULL, &node);
- if (node->data != NULL) {
- dns_nta_t *n = (dns_nta_t *) node->data;
- char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
- dns_fixedname_t fn;
- dns_name_t *name;
- isc_time_t t;
-
- name = dns_fixedname_initname(&fn);
- dns_rbt_fullnamefromnode(node, name);
- dns_name_format(name, nbuf, sizeof(nbuf));
- isc_time_set(&t, n->expiry, 0);
- isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
- fprintf(fp, "%s: %s %s\n", nbuf,
- n->expiry <= now ? "expired" : "expiry",
- tbuf);
+ /*
+ * Skip "validate-except" entries.
+ */
+ if (n->expiry != 0xffffffffU) {
+ name = dns_fixedname_initname(&fn);
+ dns_rbt_fullnamefromnode(node, name);
+ dns_name_format(name, nbuf, sizeof(nbuf));
+ isc_time_set(&t, n->expiry, 0);
+ isc_time_formattimestamp(&t, tbuf,
+ sizeof(tbuf));
+
+ snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
+ first ? "" : "\n", nbuf,
+ n->expiry <= now
+ ? "expired"
+ : "expiry",
+ tbuf);
+ first = false;
+ result = putstr(buf, obuf);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
return (result);
}
-#endif
isc_result_t
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
for (;;) {
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
if (node->data != NULL) {
+ isc_buffer_t b;
+ char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
+ dns_fixedname_t fn;
+ dns_name_t *name;
dns_nta_t *n = (dns_nta_t *) node->data;
- if (n->expiry > now) {
- isc_buffer_t b;
- char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
- dns_fixedname_t fn;
- dns_name_t *name;
- name = dns_fixedname_initname(&fn);
- dns_rbt_fullnamefromnode(node, name);
+ /*
+ * Skip this node if the expiry is already in the
+ * past, or if this is a "validate-except" entry.
+ */
+ if (n->expiry <= now || n->expiry == 0xffffffffU) {
+ goto skip;
+ }
- isc_buffer_init(&b, nbuf, sizeof(nbuf));
- result = dns_name_totext(name, false, &b);
- if (result != ISC_R_SUCCESS)
- goto skip;
+ name = dns_fixedname_initname(&fn);
+ dns_rbt_fullnamefromnode(node, name);
- /* Zero terminate. */
- isc_buffer_putuint8(&b, 0);
+ isc_buffer_init(&b, nbuf, sizeof(nbuf));
+ result = dns_name_totext(name, false, &b);
+ if (result != ISC_R_SUCCESS)
+ goto skip;
- isc_buffer_init(&b, tbuf, sizeof(tbuf));
- dns_time32_totext(n->expiry, &b);
+ /* Zero terminate. */
+ isc_buffer_putuint8(&b, 0);
- /* Zero terminate. */
- isc_buffer_putuint8(&b, 0);
+ isc_buffer_init(&b, tbuf, sizeof(tbuf));
+ dns_time32_totext(n->expiry, &b);
- fprintf(fp, "%s %s %s\n", nbuf,
- n->forced ? "forced" : "regular",
- tbuf);
- written = true;
- }
+ /* Zero terminate. */
+ isc_buffer_putuint8(&b, 0);
+
+ fprintf(fp, "%s %s %s\n", nbuf,
+ n->forced ? "forced" : "regular",
+ tbuf);
+ written = true;
}
skip:
result = dns_rbtnodechain_next(&chain, NULL, NULL);
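Review bot: The new early `goto skip` on the `n->expiry == 0xffffffffU` branch means dns_ntatable_dump never writes validate-except entries, but neither the visible code nor the header documents that omission. If this dump feeds the file of NTAs that is reloaded on restart, skipping them is correct (they are re-created from named.conf), and the function's header comment should state it, e.g. ` * Permanent entries created from validate-except are not written; they are re-created from the configuration at startup.` The inline comment could likewise say why they are skipped ("configured, not learned; never expire") rather than only naming the option. The function body continues past the end of the hunk.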
static cfg_type_t cfg_type_namelist = {
"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
- cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
};
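Review bot: Changing cfg_type_namelist's element type from cfg_type_qstring to cfg_type_astring widens the accepted grammar for every existing user of the type — the `exclude` keyword on the next line plus the server-names and except-from lists that the documentation hunks rewrite — not just for the new validate-except clause. That is presumably backward compatible if astring also accepts quoted input, but the intent should be stated on the definition, e.g. `/* Domain-name list; accepts quoted or bare strings. Shared by validate-except, exclude, server-names, except-from. */`, so the next person does not "fix" it back to qstring for one clause and break the others.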
static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
{ "trust-anchor-telemetry", &cfg_type_boolean,
CFG_CLAUSEFLAG_EXPERIMENTAL },
{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "validate-except", &cfg_type_namelist, 0 },
{ "v6-bias", &cfg_type_uint32, 0 },
{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }