From: Kees Monshouwer
Date: Thu, 31 Jul 2014 10:51:02 +0000 (+0200)
Subject: replace RFC2136 with dnsupdate/DNS update in options, counters and docs
X-Git-Tag: auth-3.4.0-rc1~6^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71f758e0602e979f601cb4e284865eeb8571a1b9;p=thirdparty%2Fpdns.git
replace RFC2136 with dnsupdate/DNS update in options, counters and docs
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index a218c696ad..e5969f3481 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -43,9 +43,9 @@ ArgvMap &arg()
 void declareArguments()
 {
   ::arg().set("local-port","The port on which we listen")="53";
-  ::arg().setSwitch("experimental-rfc2136","Enable/Disable RFC2136 (Dynamic DNS) support. Default is no.")="no";
-  ::arg().set("allow-2136-from","A global setting to allow RFC2136 from these IP ranges.")="0.0.0.0/0";
-  ::arg().setSwitch("forward-2136","A global setting to allow RFC2136 packages that are for a Slave domain, to be forwarded to the master.")="yes";
+  ::arg().setSwitch("experimental-dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
+  ::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
+  ::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
   ::arg().setSwitch("log-dns-details","If PDNS should log DNS non-erroneous details")="no";
   ::arg().setSwitch("log-dns-queries","If PDNS should log all incoming DNS queries")="no";
   ::arg().set("local-address","Local IP addresses to which we bind")="0.0.0.0";
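Review bot: The default for `allow-dnsupdate-from` moves from `0.0.0.0/0` to `127.0.0.0/8,::1` on the second `+` line, which is a behavioural tightening rather than the rename the commit title describes, and the documentation hunk for the same option (the `@@ -14214` hunk of pdns/docs/pdns.xml) keeps the unchanged context sentence "The default is 0.0.0.0/0, which means that all ranges are accepted", so the docs now contradict the code. That sentence should read `The default is 127.0.0.0/8,::1, which means that only updates from the local host are accepted.`, and the default change deserves a line in the commit message. The old keys `experimental-rfc2136`, `allow-2136-from` and `forward-2136` are dropped without an alias; if ArgvMap rejects unknown keys, as I believe it does, an existing pdns.conf stops the server at startup, and if it does not, a previously configured `allow-2136-from` value is silently replaced by the new default. Either way a short upgrade note would help operators.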
@@ -189,10 +189,10 @@ void declareStats(void) S.declare("query-cache-hit","Number of hits on the query cache"); S.declare("query-cache-miss","Number of misses on the query cache"); - S.declare("rfc2136-queries", "RFC2136 packets received."); - S.declare("rfc2136-answers", "RFC2136 packets successfully answered."); - S.declare("rfc2136-refused", "RFC2136 packets that are refused."); - S.declare("rfc2136-changes", "RFC2136 changes to records in total."); + S.declare("dnsupdate-queries", "DNS update packets received."); + S.declare("dnsupdate-answers", "DNS update packets successfully answered."); + S.declare("dnsupdate-refused", "DNS update packets that are refused."); + S.declare("dnsupdate-changes", "DNS update changes to records in total."); S.declare("servfail-packets","Number of times a server-failed packet was sent out"); S.declare("latency","Average number of microseconds needed to answer a question"); diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index b301fdad4b..072b0ee4ea 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml @@ -12751,10 +12751,10 @@ UPDATE records SET auth=1 WHERE auth IS NULL; New options - allow-2136-from + allow-dnsupdate-from - A global setting to allow RFC2136 from these IP ranges. + A global setting to allow DNS update from these IP ranges. @@ -12815,18 +12815,18 @@ UPDATE records SET auth=1 WHERE auth IS NULL; - experimental-rfc2136 + experimental-dnsupdate - Enable/Disable RFC2136 (Dynamic DNS) support. Default is no. + Enable/Disable DNS update (RFC2136) support. Default is no. - forward-2136 + forward-dnsupdate - A global setting to allow RFC2136 packages that are for a Slave domain, to be forwarded to the master. + A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 
@@ -14041,34 +14041,34 @@ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR - ALLOW-2136-FROM + ALLOW-DNSUPDATE-FROM - See + See - TSIG-ALLOW-2136 + TSIG-ALLOW-DNSUPDATE - See + See - FORWARD-2136 + FORWARD-DNSUPDATE - See + See - SOA-EDIT-2136 + SOA-EDIT-DNSUPDATE - See + See 
@@ -14214,51 +14214,51 @@ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR - RFC2136 Support (Dynamic DNS Update) - Starting with the PowerDNS Authoritative Server 3.4.0, RFC2136 support is available. There are a number of items NOT supported: + Dynamic DNS Update (RFC2136) + Starting with the PowerDNS Authoritative Server 3.4.0, DNS update support is available. There are a number of items NOT supported: There is no support for GSS-TSIG and SIG (TSIG is supported); WKS records are specifically mentioned in the RFC, we don't specifically care about WKS records; Anything we forgot.... - The implementation requires the backend to support a number of new oparations. Currently, the following backends have been modified to support RFC2136: + The implementation requires the backend to support a number of new oparations. Currently, the following backends have been modified to support DNS update: gmysql gpgsql gsqlite3 - Configuration options + Configuration options There are two configuration parameters that can be used within the powerdns configuration file. - experimental-rfc2136 [=no] + experimental-dnsupdate [=no] - A setting to enable/disable RFC2136 support completely. The default is no, which means that RFC2136 updates are ignored by PowerDNS (no message is logged about this!). - Change the setting to experimental-rfc2136=yes to enable RFC2136 support. + A setting to enable/disable DNS update support completely. The default is no, which means that DNS updates are ignored by PowerDNS (no message is logged about this!). + Change the setting to experimental-dnsupdate=yes to enable DNS update support. - allow-2136-from + allow-dnsupdate-from A list of IP ranges that are allowed to perform updates on any domain. The default is 0.0.0.0/0, which means that all ranges are accepted. - Multiple entries can be used on this line (allow-2136-from=10.0.0.0/8 192.168.1.2/32). 
- The option can be left empty to disallow everything, this then should be used in combination with the allow-2136-from domainmetadata + Multiple entries can be used on this line (allow-dnsupdate-from=10.0.0.0/8 192.168.1.2/32). + The option can be left empty to disallow everything, this then should be used in combination with the allow-dnsupdate-from domainmetadata setting per zone. - forward-2136 [=yes] + forward-dnsupdate [=yes] Tell PowerDNS to forward to the master server if the zone is configured as slave. Masters are determined by the masters field in the domains table. - The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the allow-2136-from and - TSIG-2136-ALLOW are processed first, so those permissions apply before the forward-2136 is used. + The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the allow-dnsupdate-from and + TSIG-2136-ALLOW are processed first, so those permissions apply before the forward-dnsupdate is used. It will try all masters that you have configured until one is successful. 
@@ -14267,39 +14267,39 @@ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR - Per zone settings + Per zone settings For permissions, a number of per zone settings are available via the domain metadata (See ). - ALLOW-2136-FROM + ALLOW-DNSUPDATE-FROM - This setting has the same function as described in the configuration options (See ). + This setting has the same function as described in the configuration options (See ). Only one item is allowed per row, but multiple rows can be added. An example: sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-2136-FROM’,’10.0.0.0/8’); -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-2136-FROM’,’192.168.1.2/32’); +sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’10.0.0.0/8’); +sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’192.168.1.2/32’); - This will allow 10.0.0.0/8 and 192.168.1.2/32 to send RFC2136 update messages for the powerdnssec.org domain. + This will allow 10.0.0.0/8 and 192.168.1.2/32 to send DNS update messages for the powerdnssec.org domain. - TSIG-ALLOW-2136 + TSIG-ALLOW-DNSUPDATE - This setting allows you to set the TSIG key required to do an RFC2136 update. + This setting allows you to set the TSIG key required to do an DNS update. An example: sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-2136', 'test'); +sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test'); An example of how to use a TSIG key with the nsupdate command: 
@@ -14314,40 +14314,40 @@ send If a TSIG key is set for the domain, it is required to be used for the update. - The TSIG is extra security on top of the ALLOW-2136-FROM setting. - If a TSIG key is set, the IP(-range) still needs to be allowed via ALLOW-2136-FROM. + The TSIG is extra security on top of the ALLOW-DNSUPDATE-FROM setting. + If a TSIG key is set, the IP(-range) still needs to be allowed via ALLOW-DNSUPDATE-FROM. - FORWARD-2136 + FORWARD-DNSUPDATE - See for what it does, but per domain. + See for what it does, but per domain. sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-2136’,’’); +sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-DNSUPDATE’,’’); There is no content, the existence of the entry enables the forwarding. - This domain-specific setting is only useful when the configuration option forward-2136 is set to 'no', as that will disable it globally. + This domain-specific setting is only useful when the configuration option forward-dnsupdate is set to 'no', as that will disable it globally. Using the domainmetadata setting than allows you to enable it per domain. - SOA-EDIT-2136 + SOA-EDIT-DNSUPDATE - This configures how the soa serial should be updated. See . + This configures how the soa serial should be updated. See . - SOA Serial Updates + SOA Serial Updates After every update, the soa serial is updated as this is required by section 3.7 of RFC2136. - The behaviour is configurable via domainmetadata with the SOA-EDIT-2136 option. It has a number of + The behaviour is configurable via domainmetadata with the SOA-EDIT-DNSUPDATE option. It has a number of options listed below. If no behaviour is specified, DEFAULT is used. 
@@ -14363,12 +14363,12 @@ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-2 sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-2136’,’INCREASE’); +sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-DNSUPDATE’,’INCREASE’); This will make the SOA Serial increase by one, for every successful update. - SOA-EDIT-2136 settings - These are the settings available for SOA-EDIT-2136. + SOA-EDIT-DNSUPDATE settings + These are the settings available for SOA-EDIT-DNSUPDATE. DEFAULT @@ -14410,12 +14410,12 @@ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT- - RFC2136 How-to: Setup dyndns/rfc2136 with dhcpd + DNS update How-to: Setup dyndns/rfc2136 with dhcpd - RFC2136 is often used with DHCP to automatically provide a hostname whenever a new IP-address is assigned by the DHCP server. - This section describes how you can setup PowerDNS to receive RFC2136 updates from ISC's dhcpd (version 4.1.1-P1). + DNS update is often used with DHCP to automatically provide a hostname whenever a new IP-address is assigned by the DHCP server. + This section describes how you can setup PowerDNS to receive DNS updates from ISC's dhcpd (version 4.1.1-P1). - Setting up dhcpd + Setting up dhcpd We're going to use a TSIG key for security. We're going to generate a key using the following command: 
@@ -14483,29 +14483,29 @@ zone 1.168.192.in-addr.arpa. { This concludes the changes that are needed to the dhcpd configuration file. - Setting up PowerDNS + Setting up PowerDNS A number of small changes are needed to powerdns to make it accept dynamic updates from dhcpd. - Enabled RFC2136 (dynamic update) support functionality in PowerDNS by adding the following to the + Enabled DNS update (RFC2136) support functionality in PowerDNS by adding the following to the PowerDNS configuration file (pdns.conf). -experimental-rfc2136=yes -allow-2136-from= +experimental-dnsupdate=yes +allow-dnsupdate-from= This tells PowerDNS to: - Enable RFC2136 support(experimental-rfc2136) - Allow updates from NO ip-address (allow-2136-from=) + Enable DNS update support(experimental-dnsupdate) + Allow updates from NO ip-address (allow-dnsupdate-from=) We just told powerdns (via the configuration file) that we accept updates from nobody via the - allow-2136-from parameter. That's not very useful, so we're going to give permissions + allow-dnsupdate-from parameter. That's not very useful, so we're going to give permissions per zone, via the domainmetadata table. sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-2136-FROM’,’127.0.0.1’); +sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’127.0.0.1’); This gives the ip '127.0.0.1' access to send update messages. Make sure you use the ip address of the machine that runs dhcpd. 
@@ -14516,10 +14516,10 @@ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-213 sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg=='); sql> select id from domains where name='powerdnssec.org'; 5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-2136', 'dhcpdupdate'); +sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate'); sql> select id from domains where name='1.168.192.in-addr.arpa'; 6 -sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-2136', 'dhcpdupdate'); +sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate'); This will: 
@@ -14531,27 +14531,27 @@ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLO - How it works - This is a short description of how RFC2136 (update) messages are processed by PowerDNS. + How it works + This is a short description of how DNS update messages are processed by PowerDNS. - The RFC2136 message is received. If it is TSIG signed, the TSIG is validated against the tsigkeys table. + The DNS update message is received. If it is TSIG signed, the TSIG is validated against the tsigkeys table. If it is not valid, Refused is returned to the requestor. A check is performed on the zone to see if it is a valid zone. ServFail is returned when not valid. - The experimental-rfc2136 setting is checked. Refused is returned when the setting is 'no'. + The experimental-dnsupdate setting is checked. Refused is returned when the setting is 'no'. - If the ALLOW-2136-FROM has a value (from both domainmetadata and the configuration file), a check on the value is performed. - If the requestor (sender of the update message) does not match the values in ALLOW-2136-FROM, Refused is returned. + If the ALLOW-DNSUPDATE-FROM has a value (from both domainmetadata and the configuration file), a check on the value is performed. + If the requestor (sender of the update message) does not match the values in ALLOW-DNSUPDATE-FROM, Refused is returned. If the message is TSIG signed, the TSIG keyname is compared with the TSIG keyname in domainmetadata. If they do not match, a Refused is send. - The TSIG-ALLOW-2136 domainmetadata setting is used to find which key belongs to the domain. + The TSIG-ALLOW-DNSUPDATE domainmetadata setting is used to find which key belongs to the domain. The backends are queried to find the backend for the given domain. - If the domain is a slave domain, the forward-2136 option and domainmetadata settings are checked. + If the domain is a slave domain, the forward-dnsupdate option and domainmetadata settings are checked. 
If forwarding to a master is enabled, the message is forward to the master. If that fails, the next master is tried until all masters are tried. If all masters fail, ServFail is returned. If a master succeeds, the result from that master is returned. @@ -14571,7 +14571,7 @@ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLO The cache for that record is purged. - If there are records updated and the SOA record was not modified, the SOA serial is updated. See . + If there are records updated and the SOA record was not modified, the SOA serial is updated. See . The cache for this record is purged. The transaction with the backend is committed. If this fails, ServFail is returned. @@ -23879,10 +23879,10 @@ static RandomLoader randomloader; - RFC2136 support + DNS update support - To make your backend RFC2136 compatible, it needs to implement a number of new functions and functions already used for slave-operation. - The new functions are not RFC2136 specific and might be used for other update/remove functionality at a later stage. + To make your backend DNS update compatible, it needs to implement a number of new functions and functions already used for slave-operation. + The new functions are not DNS update specific and might be used for other update/remove functionality at a later stage. class DNSBackend { public: diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index a864404db2..1e7bcdb9ae 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc 
@@ -1016,12 +1016,12 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
   }
   if(p->d.opcode) { // non-zero opcode (again thanks RA!)
     if(p->d.opcode==Opcode::Update) {
-      S.inc("rfc2136-queries");
+      S.inc("dnsupdate-queries");
       int res=processUpdate(p);
       if (res == RCode::Refused)
-        S.inc("rfc2136-refused");
+        S.inc("dnsupdate-refused");
       else if (res != RCode::ServFail)
-        S.inc("rfc2136-answers");
+        S.inc("dnsupdate-answers");
       r->setRcode(res);
       r->setOpcode(Opcode::Update);
       return r;
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index a1573fb1ca..510341ee8b 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -1,13 +1,13 @@
 # Autogenerated configuration file template
 #################################
-# allow-2136-from A global setting to allow RFC2136 from these IP ranges.
+# allow-axfr-ips Allow zonetransfers only to these subnets
 #
-# allow-2136-from=0.0.0.0/0
+# allow-axfr-ips=127.0.0.0/8,::1
 
 #################################
-# allow-axfr-ips Allow zonetransfers only to these subnets
+# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
 #
-# allow-axfr-ips=127.0.0.0/8,::1
+# allow-dnsupdate-from=127.0.0.0/8,::1
 
 #################################
 # allow-recursion List of subnets that are allowed to recurse
@@ -154,6 +154,11 @@
 #
 # experimental-dname-processing=no
 
+#################################
+# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
+#
+# experimental-dnsupdate=no
+
 #################################
 # experimental-json-interface If the webserver should serve JSON data
 #
@@ -165,14 +170,9 @@ # experimental-logfile=/var/log/pdns.log ################################# -# experimental-rfc2136 Enable/Disable RFC2136 (Dynamic DNS) support. Default is no. -# -# experimental-rfc2136=no - -################################# -# forward-2136 A global setting to allow RFC2136 packages that are for a Slave domain, to be forwarded to the master. +# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. # -# forward-2136=yes +# forward-dnsupdate=yes ################################# # guardian Run within a guardian process diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index d4dadf778b..1baf9dda34 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -570,9 +570,9 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) { vector forward; - B.getDomainMetadata(p->qdomain, "FORWARD-2136", forward); + B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward); - if (forward.size() == 0 && ! ::arg().mustDo("forward-2136")) { + if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) { L<d.id) + ") from " + p->getRemote() + " for " + p->qdomain + ": "; 
@@ -671,23 +671,23 @@ int PacketHandler::processUpdate(DNSPacket *p) { // Check permissions - IP based vector allowedRanges; - B.getDomainMetadata(p->qdomain, "ALLOW-2136-FROM", allowedRanges); - if (! ::arg()["allow-2136-from"].empty()) - stringtok(allowedRanges, ::arg()["allow-2136-from"], ", \t" ); + B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges); + if (! ::arg()["allow-dnsupdate-from"].empty()) + stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" ); NetmaskGroup ng; for(vector::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++) ng.addMask(*i); if ( ! ng.match(&p->d_remote)) { - L< tsigKeys; - B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-2136", tsigKeys); + B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys); if (tsigKeys.size() > 0) { bool validKey = false; @@ -734,7 +734,7 @@ int PacketHandler::processUpdate(DNSPacket *p) { DomainInfo di; di.backend=0; if(!B.getDomainInfo(p->qdomain, di) || !di.backend) { - L<qdomain<<"' (or backend does not support RFC2136 operation)"<qdomain<<"' (or backend does not support DNS update operation)"< soaEdit2136Setting; - B.getDomainMetadata(di->zone, "SOA-EDIT-2136", soaEdit2136Setting); + B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting); string soaEdit2136 = "DEFAULT"; string soaEdit; if (!soaEdit2136Setting.empty()) { @@ -958,7 +958,7 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di vector soaEditSetting; B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting); if (soaEditSetting.empty()) { - L<
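Review bot: The `B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys)` line means a zone provisioned under the old kind `TSIG-ALLOW-2136` returns an empty `tsigKeys` after upgrade, so the `if (tsigKeys.size() > 0)` branch that enforces the key is skipped and an unsigned update from any source that passes the `ALLOW-DNSUPDATE-FROM` / `allow-dnsupdate-from` check is accepted; the same silent drop of existing rows affects `ALLOW-DNSUPDATE-FROM` in this hunk, `FORWARD-DNSUPDATE` in the `@@ -570` hunk and `SOA-EDIT-DNSUPDATE` in the later hunk of this file. Nothing in the patch migrates existing `domainmetadata` rows or logs when an old kind is still present. For a transition release I would read the legacy kind as well and log its use, e.g. `B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-2136", tsigKeys); // legacy kind, remove after 3.4`, or at least document the required `UPDATE domainmetadata SET kind='TSIG-ALLOW-DNSUPDATE' WHERE kind='TSIG-ALLOW-2136';` step (and its siblings) in the upgrade notes. `processUpdate` starts and ends outside this hunk, and some of its lines are garbled in this rendering (`vector allowedRanges;`, `L< tsigKeys;`), so the surrounding control flow is inferred from the visible guard.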