BIND 9 Administrator Reference Manual

The view statement is a powerful feature @@ -5432,10 +5440,10 @@ zone zone_name [

@@ -5646,7 +5654,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -5668,7 +5676,7 @@ zone zone_name [

-Zone Options

+Zone Options

allow-notify: @@ -6247,7 +6255,7 @@ zone zone_name [

-Zone File
+Zone File

Types of Resource Records and When to Use Them

@@ -6260,7 +6268,7 @@ zone zone_name [

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -6997,7 +7005,7 @@ zone zone_name [

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7200,7 +7208,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7456,7 +7464,7 @@ zone zone_name [

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7517,7 +7525,7 @@ zone zone_name [

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7532,7 +7540,7 @@ zone zone_name [

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7543,7 +7551,7 @@ zone zone_name [

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -7572,7 +7580,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -7608,7 +7616,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -7627,7 +7635,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -8018,7 +8026,7 @@ $GENERATE 1-127 $ CNAME $.0

-Name Server Statistics Counters

+Name Server Statistics Counters

@@ -8575,7 +8583,7 @@ $GENERATE 1-127 $ CNAME $.0

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

@@ -8729,7 +8737,7 @@ $GENERATE 1-127 $ CNAME $.0

-Resolver Statistics Counters

+Resolver Statistics Counters

@@ -9105,7 +9113,7 @@ $GENERATE 1-127 $ CNAME $.0

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9260,7 +9268,7 @@ $GENERATE 1-127 $ CNAME $.0

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index dd6991c5040..e56035adc85 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists

Chroot and Setuid

The chroot Environment
Using the setuid Function
The chroot Environment
Using the setuid Function

Dynamic Update Security

@@ -119,7 +119,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -145,7 +145,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -173,7 +173,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 8b5ebbed550..04b05a3eaf3 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

Table of Contents

Common Problems

It's not working; how can I figure out what's wrong?

Incrementing and Changing the Serial Number

Where Can I Get Help?

Common Problems

It's not working; how can I figure out what's wrong?

Incrementing and Changing the Serial Number

Where Can I Get Help?

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 72ab6fe248f..8007dd2dade 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

Table of Contents

Acknowledgments

A Brief History of the DNS and BIND

General DNS Reference Information

IPv6 addresses (AAAA)

Bibliography (and Suggested Reading)

Request for Comments (RFCs)
Internet Drafts
Other Documents About BIND
Other Documents About BIND

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@
Proposed Standards

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS +
[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-
[RFC2308] M. Andrews. Negative Caching of DNS +
[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.
+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.
+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.
+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.
+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.
+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.
+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.
+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@
DNS Security Proposed Standards

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.
+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.
+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.
+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.
+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@
Other Important RFCs About DNS Implementation

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.
+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.
+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.
+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-
[RFC2163] A. Allocchio. Using the Internet DNS to +
[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.
+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.
+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.
+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.
+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.
+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and +
[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.
+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.
+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.
+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.
+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.
+
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-
[RFC1537] P. Beertema. Common DNS Data File +
[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-
[RFC1912] D. Barr. Common DNS Operational and +
[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.
+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.
+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.
+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.
+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-
[RFC1794] T. Brisco. DNS Support for Load +
[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.
+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.
+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.
+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.
+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.
+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.
+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.
+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.
+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.
+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.
+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.
+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography
+Bibliography

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index b31b67ac0fe..44abd7729d4 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -157,25 +157,25 @@
server Statement Definition and Usage

statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage

view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage

zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File

Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records

Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive

Additional File Formats

BIND9 Statistics
@@ -184,31 +184,31 @@
7. BIND 9 Security Considerations

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid

-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function

Dynamic Update Security

8. Troubleshooting

-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?

A. Appendices

-
Acknowledgments
+
Acknowledgments

A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information

IPv6 addresses (AAAA)

Bibliography (and Suggested Reading)

Request for Comments (RFCs)

Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND

I. Manual pages
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 9339878fcde..87701d1b081 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]

-
DESCRIPTION
+
DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-
SIMPLE USAGE
+
SIMPLE USAGE

A typical invocation of dig looks like:
@@ -144,7 +144,7 @@

-
OPTIONS
+
OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-
QUERY OPTIONS
+
QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-
MULTIPLE QUERIES
+
MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-
IDN SUPPORT
+
IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-
FILES
+
FILES

/etc/resolv.conf

${HOME}/.digrc

-
SEE ALSO
+
SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-
BUGS
+
BUGS

There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 7c84aff80cf..cdbc3adb37f 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@
dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-
DESCRIPTION
+
DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-
OPTIONS
+
OPTIONS

-1

@@ -99,7 +99,7 @@

-
EXAMPLE
+
EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -114,7 +114,7 @@

-
FILES
+
FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -128,13 +128,13 @@

-
CAVEAT
+
CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-
SEE ALSO
+
SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +143,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 8996855de52..1c250e9a0b7 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-
DESCRIPTION
+
DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@

-
OPTIONS
+
OPTIONS

-a algorithm

@@ -139,7 +139,7 @@

-
GENERATED KEY FILES
+
GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -180,7 +180,7 @@

-
SEE ALSO
+
SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -188,7 +188,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 5f6ca8003c9..0e19917e531 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-
DESCRIPTION
+
DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -63,7 +63,7 @@

-
OPTIONS
+
OPTIONS

-a algorithm

@@ -173,7 +173,7 @@

-
GENERATED KEYS
+
GENERATED KEYS

When dnssec-keygen completes successfully, @@ -219,7 +219,7 @@

-
EXAMPLE
+
EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -240,7 +240,7 @@

-
SEE ALSO
+
SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -249,7 +249,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 735cce1dbee..a811df32221 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-
DESCRIPTION
+
DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-
OPTIONS
+
OPTIONS

-a

@@ -291,7 +291,7 @@

-
EXAMPLE
+
EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -320,7 +320,7 @@ db.example.com.signed %

-
KNOWN BUGS
+
KNOWN BUGS

dnssec-signzone was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys @@ -345,14 +345,14 @@ db.example.com.signed

-
SEE ALSO
+
SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 85ed78eaf6f..26c019bdef6 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-
DESCRIPTION
+
DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-
IDN SUPPORT
+
IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-
FILES
+
FILES

/etc/resolv.conf

-
SEE ALSO
+
SEE ALSO

dig(1), named(8).
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 424c9481d19..1eef86e49ae 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-z]

-
DESCRIPTION
+
DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-
OPTIONS
+
OPTIONS

-h

@@ -92,21 +92,21 @@

-
RETURN VALUES
+
RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-
SEE ALSO
+
SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index cabab442cfa..756d865daa1 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-
DESCRIPTION
+
DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-
OPTIONS
+
OPTIONS

-d

@@ -257,14 +257,14 @@

-
RETURN VALUES
+
RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-
SEE ALSO
+
SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index d4783be0acd..2e23b83bdc6 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-
DESCRIPTION
+
DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-
OPTIONS
+
OPTIONS

-4

@@ -238,7 +238,7 @@

-
SIGNALS
+
SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

-
CONFIGURATION
+
CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -276,7 +276,7 @@

-
FILES
+
FILES

/etc/named.conf

@@ -289,7 +289,7 @@

-
SEE ALSO
+
SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -302,7 +302,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index d3d7547b81f..6b05a4a5ac4 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-
DESCRIPTION
+
DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -187,7 +187,7 @@

-
INPUT FORMAT
+
INPUT FORMAT

nsupdate reads input from filename @@ -451,7 +451,7 @@

-
EXAMPLES
+
EXAMPLES

The examples below show how nsupdate @@ -505,7 +505,7 @@

-
FILES
+
FILES

/etc/resolv.conf

@@ -524,7 +524,7 @@

-
SEE ALSO
+
SEE ALSO

RFC2136, RFC3007, RFC2104, @@ -537,7 +537,7 @@

-
BUGS
+
BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index d6240a718e3..13ec6d1f5b5 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@
rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-
DESCRIPTION
+
DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

-
OPTIONS
+
OPTIONS

-a

@@ -171,7 +171,7 @@

-
EXAMPLES
+
EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

-
SEE ALSO
+
SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 029eff39666..cefa45ecd54 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
rndc.conf

-
DESCRIPTION
+
DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-
EXAMPLE
+
EXAMPLE

options { default-server localhost; @@ -209,7 +209,7 @@

-
NAME SERVER CONFIGURATION
+
NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-
SEE ALSO
+
SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8500fd33748..59e645b7578 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-
DESCRIPTION
+
DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-
OPTIONS
+
OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-
LIMITATIONS
+
LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-
SEE ALSO
+
SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-
AUTHOR
+
AUTHOR

Internet Systems Consortium

diff --git a/lib/dns/api b/lib/dns/api index 1505071b41b..4fc7eca838c 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 55 -LIBREVISION = 1 -LIBAGE = 0 +LIBINTERFACE = 56 +LIBREVISION = 0 +LIBAGE = 1 diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h index baff146fcad..8104b50c5f7 100644 --- a/lib/dns/include/dns/rdataset.h +++ b/lib/dns/include/dns/rdataset.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.h,v 1.65.50.2 2009/01/18 23:47:41 tbox Exp $ */ +/* $Id: rdataset.h,v 1.65.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */ #ifndef DNS_RDATASET_H #define DNS_RDATASET_H 1 @@ -110,6 +110,9 @@ typedef struct dns_rdatasetmethods { dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype); + void (*settrust)(dns_rdataset_t *rdataset, + dns_trust_t trust); + void (*expire)(dns_rdataset_t *rdataset); } dns_rdatasetmethods_t; #define DNS_RDATASET_MAGIC ISC_MAGIC('D','N','S','R') @@ -634,6 +637,19 @@ dns_rdataset_putadditional(dns_acache_t *acache, * information for 'rdataset.' */ +void +dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust); +/*%< + * Set the trust of the 'rdataset' to trust in any in the backing database. + * The local trust level of 'rdataset' is also set. + */ + +void +dns_rdataset_expire(dns_rdataset_t *rdataset); +/*%< + * Mark the rdataset to be expired in the backing database. + */ + ISC_LANG_ENDDECLS #endif /* DNS_RDATASET_H */ diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h index fa837c1de4d..537bf0fc0f3 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.h,v 1.60.56.3 2009/01/29 22:40:35 jinmei Exp $ */ +/* $Id: resolver.h,v 1.60.56.3.24.1 2010/03/03 22:06:39 marka Exp $ */ #ifndef DNS_RESOLVER_H #define DNS_RESOLVER_H 1 @@ -508,6 +508,48 @@ dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state); unsigned int dns_resolver_getoptions(dns_resolver_t *resolver); +void +dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *expire); +/*%< + * Add a entry to the bad cache for that will expire at 'expire'. + * + * Requires: + * \li resolver to be valid. + * \li name to be valid. + */ + +isc_boolean_t +dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *now); +/*%< + * Check to see if there is a unexpired entry in the bad cache for + * . + * + * Requires: + * \li resolver to be valid. + * \li name to be valid. + */ + +void +dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name); +/*%< + * Flush the bad cache of all entries at 'name' if 'name' is non NULL. + * Flush the entire bad cache if 'name' is NULL. + * + * Requires: + * \li resolver to be valid. + */ + +void +dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); +/*% + * Print out the contents of the bad cache to 'fp'. + * + * Requires: + * \li resolver to be valid. + */ + ISC_LANG_ENDDECLS #endif /* DNS_RESOLVER_H */ diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h index ed29bcd5d3f..fae43e348ec 100644 --- a/lib/dns/include/dns/result.h +++ b/lib/dns/include/dns/result.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.116 2008/09/25 04:02:39 tbox Exp $ */ +/* $Id: result.h,v 1.116.228.1 2010/03/03 22:06:39 marka Exp $ */ #ifndef DNS_RESULT_H #define DNS_RESULT_H 1 @@ -148,8 +148,10 @@ #define DNS_R_MXISADDRESS (ISC_RESULTCLASS_DNS + 102) #define DNS_R_DUPLICATE (ISC_RESULTCLASS_DNS + 103) #define DNS_R_INVALIDNSEC3 (ISC_RESULTCLASS_DNS + 104) +#define DNS_R_NOTMASTER (ISC_RESULTCLASS_DNS + 105) +#define DNS_R_BROKENCHAIN (ISC_RESULTCLASS_DNS + 106) -#define DNS_R_NRESULTS 105 /*%< Number of results */ +#define DNS_R_NRESULTS 107 /*%< Number of results */ /* * DNS wire format rcodes. diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index 2555214b14c..1f9ec74bf55 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.41.48.3 2009/01/18 23:25:17 marka Exp $ */ +/* $Id: validator.h,v 1.41.48.3.24.1 2010/03/03 22:06:39 marka Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 @@ -159,6 +159,8 @@ struct dns_validator { isc_boolean_t mustbesecure; unsigned int dlvlabels; unsigned int depth; + unsigned int authcount; + unsigned int authfail; }; /*% diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c index af0450b525d..c1d9dc85895 100644 --- a/lib/dns/ncache.c +++ b/lib/dns/ncache.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.c,v 1.43 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: ncache.c,v 1.43.336.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -519,6 +519,8 @@ static dns_rdatasetmethods_t rdataset_methods = { NULL, NULL, NULL, + NULL, + NULL, NULL }; diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index f841ebea5e9..20bfc4a8e8d 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.16 2009/12/30 08:34:30 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.16.10.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -521,6 +521,8 @@ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader); static void prune_tree(isc_task_t *task, isc_event_t *event); +static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust); +static void rdataset_expire(dns_rdataset_t *rdataset); static dns_rdatasetmethods_t rdataset_methods = { rdataset_disassociate, @@ -535,7 +537,9 @@ static dns_rdatasetmethods_t rdataset_methods = { rdataset_getclosest, rdataset_getadditional, rdataset_setadditional, - rdataset_putadditional + rdataset_putadditional, + rdataset_settrust, + rdataset_expire }; static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp); @@ -7407,6 +7411,34 @@ rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, return (ISC_R_SUCCESS); } +static void +rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) { + dns_rbtdb_t *rbtdb = rdataset->private1; + dns_rbtnode_t *rbtnode = rdataset->private2; + rdatasetheader_t *header = rdataset->private3; + + header--; + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); + header->trust = rdataset->trust = trust; + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +} + +static void +rdataset_expire(dns_rdataset_t *rdataset) { + dns_rbtdb_t *rbtdb = rdataset->private1; + dns_rbtnode_t *rbtnode = rdataset->private2; + rdatasetheader_t *header = rdataset->private3; + + header--; + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); + expire_header(rbtdb, header, ISC_FALSE); + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +} + /* * Rdataset Iterator Methods */ diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c index d6f11ae64d3..97cef94b06a 100644 --- a/lib/dns/rdatalist.c +++ b/lib/dns/rdatalist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdatalist.c,v 1.36 2008/09/24 02:46:22 marka Exp $ */ +/* $Id: rdatalist.c,v 1.36.338.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -46,6 +46,8 @@ static dns_rdatasetmethods_t methods = { isc__rdatalist_getclosest, NULL, NULL, + NULL, + NULL, NULL }; diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index 6088a068ad2..4361913377f 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.c,v 1.82.50.2 2009/01/18 23:47:40 tbox Exp $ */ +/* $Id: rdataset.c,v 1.82.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -182,6 +182,8 @@ static dns_rdatasetmethods_t question_methods = { NULL, NULL, NULL, + NULL, + NULL, NULL }; @@ -732,3 +734,22 @@ dns_rdataset_putadditional(dns_acache_t *acache, return (ISC_R_FAILURE); } +void +dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) { + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE(rdataset->methods != NULL); + + if (rdataset->methods->settrust != NULL) + (rdataset->methods->settrust)(rdataset, trust); + else + rdataset->trust = trust; +} + +void +dns_rdataset_expire(dns_rdataset_t *rdataset) { + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE(rdataset->methods != NULL); + + if (rdataset->methods->expire != NULL) + (rdataset->methods->expire)(rdataset); +} diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c index b22868d6f21..8d12eb8c8f4 100644 --- a/lib/dns/rdataslab.c +++ b/lib/dns/rdataslab.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataslab.c,v 1.48.50.2 2009/01/18 23:47:40 tbox Exp $ */ +/* $Id: rdataslab.c,v 1.48.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -436,6 +436,8 @@ static dns_rdatasetmethods_t rdataset_methods = { NULL, NULL, NULL, + NULL, + NULL, NULL }; diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 02e96cda709..9dbb764f0be 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.20 2010/01/07 23:47:36 tbox Exp $ */ +/* $Id: resolver.c,v 1.384.14.20.10.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -334,6 +334,18 @@ typedef struct alternate { ISC_LINK(struct alternate) link; } alternate_t; +typedef struct dns_badcache dns_badcache_t; +struct dns_badcache { + dns_badcache_t * next; + dns_rdatatype_t type; + isc_time_t expire; + unsigned int hashval; + dns_name_t name; +}; +#define DNS_BADCACHE_SIZE 1021 +#define DNS_BADCACHE_TTL(fctx) \ + (((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30) + struct dns_resolver { /* Unlocked. */ unsigned int magic; @@ -380,6 +392,13 @@ struct dns_resolver { isc_boolean_t priming; unsigned int spillat; /* clients-per-query */ unsigned int nextdisp; + + /* Bad cache. */ + dns_badcache_t ** badcache; + unsigned int badcount; + unsigned int badhash; + unsigned int badsweep; + /* Locked by primelock. */ dns_fetch_t * primefetch; /* Locked by nlock. */ @@ -410,7 +429,8 @@ static void empty_bucket(dns_resolver_t *res); static isc_result_t resquery_send(resquery_t *query); static void resquery_response(isc_task_t *task, isc_event_t *event); static void resquery_connected(isc_task_t *task, isc_event_t *event); -static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying); +static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, + isc_boolean_t badcache); static isc_boolean_t fctx_destroy(fetchctx_t *fctx); static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, @@ -1169,7 +1189,7 @@ process_sendevent(resquery_t *query, isc_event_t *event) { if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } } @@ -2071,7 +2091,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } } @@ -2133,7 +2153,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { dns_adb_destroyfind(&find); if (want_try) - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); else if (want_done) fctx_done(fctx, ISC_R_FAILURE, __LINE__); else if (bucket_empty) @@ -2545,7 +2565,7 @@ isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) { } static isc_result_t -fctx_getaddresses(fetchctx_t *fctx) { +fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; dns_resolver_t *res; @@ -2764,12 +2784,24 @@ fctx_getaddresses(fetchctx_t *fctx) { */ result = DNS_R_WAIT; } else { + isc_time_t expire; + isc_interval_t i; /* * We've lost completely. We don't know any * addresses, and the ADB has told us it can't get * them. */ FCTXTRACE("no addresses"); + isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0); + result = isc_time_nowplusinterval(&expire, &i); + if (badcache && + (fctx->type == dns_rdatatype_dnskey || + fctx->type == dns_rdatatype_dlv || + fctx->type == dns_rdatatype_ds) && + result == ISC_R_SUCCESS) + dns_resolver_addbadcache(fctx->res, + &fctx->name, + fctx->type, &expire); result = ISC_R_FAILURE; } } else { @@ -2992,7 +3024,7 @@ fctx_nextaddress(fetchctx_t *fctx) { } static void -fctx_try(fetchctx_t *fctx, isc_boolean_t retrying) { +fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { isc_result_t result; dns_adbaddrinfo_t *addrinfo; @@ -3010,7 +3042,7 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying) { fctx_cleanupaltfinds(fctx); fctx_cleanupforwaddrs(fctx); fctx_cleanupaltaddrs(fctx); - result = fctx_getaddresses(fctx); + result = fctx_getaddresses(fctx, badcache); if (result == DNS_R_WAIT) { /* * Sleep waiting for addresses. @@ -3175,7 +3207,7 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) { /* * Keep trying. */ - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } isc_event_free(&event); @@ -3345,7 +3377,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_FALSE); + fctx_try(fctx, ISC_FALSE, ISC_FALSE); } else if (bucket_empty) empty_bucket(res); } @@ -3923,6 +3955,8 @@ validated(isc_task_t *task, isc_event_t *event) { LOCK(&fctx->res->buckets[fctx->bucketnum].lock); + isc_stdtime_get(&now); + /* * If chaining, we need to make sure that the right result code is * returned, and that the rdatasets are bound. @@ -3969,35 +4003,80 @@ validated(isc_task_t *task, isc_event_t *event) { inc_stats(fctx->res, dns_resstatscounter_valfail); fctx->valfail++; fctx->vresult = vevent->result; - result = ISC_R_NOTFOUND; - if (vevent->rdataset != NULL) - result = dns_db_findnode(fctx->cache, vevent->name, - ISC_TRUE, &node); - if (result == ISC_R_SUCCESS) - (void)dns_db_deleterdataset(fctx->cache, node, NULL, - vevent->type, 0); - if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL) - (void)dns_db_deleterdataset(fctx->cache, node, NULL, - dns_rdatatype_rrsig, - vevent->type); - if (result == ISC_R_SUCCESS) - dns_db_detachnode(fctx->cache, &node); - result = vevent->result; + if (fctx->vresult != DNS_R_BROKENCHAIN) { + result = ISC_R_NOTFOUND; + if (vevent->rdataset != NULL) + result = dns_db_findnode(fctx->cache, + vevent->name, + ISC_TRUE, &node); + if (result == ISC_R_SUCCESS) + (void)dns_db_deleterdataset(fctx->cache, node, + NULL, + vevent->type, 0); + if (result == ISC_R_SUCCESS && + vevent->sigrdataset != NULL) + (void)dns_db_deleterdataset(fctx->cache, node, + NULL, + dns_rdatatype_rrsig, + vevent->type); + if (result == ISC_R_SUCCESS) + dns_db_detachnode(fctx->cache, &node); + } + if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) { + /* + * Cache the data as pending for later validation. + */ + result = ISC_R_NOTFOUND; + if (vevent->rdataset != NULL) + result = dns_db_findnode(fctx->cache, + vevent->name, + ISC_TRUE, &node); + if (result == ISC_R_SUCCESS) { + (void)dns_db_addrdataset(fctx->cache, node, + NULL, now, + vevent->rdataset, 0, + NULL); + } + if (result == ISC_R_SUCCESS && + vevent->sigrdataset != NULL) + (void)dns_db_addrdataset(fctx->cache, node, + NULL, now, + vevent->sigrdataset, + 0, NULL); + if (result == ISC_R_SUCCESS) + dns_db_detachnode(fctx->cache, &node); + } + result = fctx->vresult; add_bad(fctx, addrinfo, result, badns_validation); isc_event_free(&event); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); INSIST(fctx->validator == NULL); fctx->validator = ISC_LIST_HEAD(fctx->validators); - if (fctx->validator != NULL) { + if (fctx->validator != NULL) dns_validator_send(fctx->validator); - } else if (sentresponse) + else if (sentresponse) fctx_done(fctx, result, __LINE__); /* Locks bucket. */ - else - fctx_try(fctx, ISC_TRUE); /* Locks bucket. */ + else if (result == DNS_R_BROKENCHAIN) { + isc_result_t tresult; + isc_time_t expire; + isc_interval_t i; + + isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0); + tresult = isc_time_nowplusinterval(&expire, &i); + if (negative && + (fctx->type == dns_rdatatype_dnskey || + fctx->type == dns_rdatatype_dlv || + fctx->type == dns_rdatatype_ds) && + tresult == ISC_R_SUCCESS) + dns_resolver_addbadcache(fctx->res, + &fctx->name, + fctx->type, &expire); + fctx_done(fctx, result, __LINE__); /* Locks bucket. */ + } else + fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */ return; } - isc_stdtime_get(&now); if (negative) { dns_rdatatype_t covers; @@ -5790,7 +5869,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { /* * Try again. */ - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } else { unsigned int n; dns_rdataset_t *nsrdataset = NULL; @@ -6629,7 +6708,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* * Try again. */ - fctx_try(fctx, !get_nameservers); + fctx_try(fctx, !get_nameservers, ISC_FALSE); } else if (resend) { /* * Resend (probably with changed options). @@ -6691,6 +6770,27 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /*** *** Resolver Methods ***/ +static void +destroy_badcache(dns_resolver_t *res) { + dns_badcache_t *bad, *next; + unsigned int i; + + if (res->badcache != NULL) { + for (i = 0; i < res->badhash; i++) + for (bad = res->badcache[i]; bad != NULL; + bad = next) { + next = bad->next; + isc_mem_put(res->mctx, bad, sizeof(*bad) + + bad->name.length); + res->badcount--; + } + isc_mem_put(res->mctx, res->badcache, + sizeof(*res->badcache) * res->badhash); + res->badcache = NULL; + res->badhash = 0; + INSIST(res->badcount == 0); + } +} static void destroy(dns_resolver_t *res) { @@ -6728,6 +6828,7 @@ destroy(dns_resolver_t *res) { isc_mem_put(res->mctx, a, sizeof(*a)); } dns_resolver_reset_algorithms(res); + destroy_badcache(res); dns_resolver_resetmustbesecure(res); #if USE_ALGLOCK isc_rwlock_destroy(&res->alglock); @@ -6851,6 +6952,10 @@ dns_resolver_create(dns_view_t *view, ISC_LIST_INIT(res->alternates); res->udpsize = RECV_BUFFER_SIZE; res->algorithms = NULL; + res->badcache = NULL; + res->badcount = 0; + res->badhash = 0; + res->badsweep = 0; res->mustbesecure = NULL; res->spillatmin = res->spillat = 10; res->spillatmax = 100; @@ -7692,6 +7797,256 @@ dns_resolver_getudpsize(dns_resolver_t *resolver) { return (resolver->udpsize); } +void +dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) { + unsigned int i; + dns_badcache_t *bad, *prev, *next; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) + goto unlock; + + if (name != NULL) { + isc_time_t now; + isc_result_t result; + result = isc_time_now(&now); + if (result != ISC_R_SUCCESS) + isc_time_settoepoch(&now); + i = dns_name_hash(name, ISC_FALSE) % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + int n; + next = bad->next; + n = isc_time_compare(&bad->expire, &now); + if (n < 0 || dns_name_equal(name, &bad->name)) { + if (prev == NULL) + resolver->badcache[i] = bad->next; + else + prev->next = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else + prev = bad; + } + } else + destroy_badcache(resolver); + + unlock: + UNLOCK(&resolver->lock); + +} + +static void +resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) { + unsigned int newsize; + dns_badcache_t **new, *bad, *next; + unsigned int i; + + if (grow) + newsize = resolver->badhash * 2 + 1; + else + newsize = (resolver->badhash - 1) / 2; + + new = isc_mem_get(resolver->mctx, + sizeof(*resolver->badcache) * newsize); + if (new == NULL) + return; + memset(new, 0, sizeof(*resolver->badcache) * newsize); + for (i = 0; i < resolver->badhash; i++) { + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (isc_time_compare(&bad->expire, now) < 0) { + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else { + bad->next = new[bad->hashval % newsize]; + new[bad->hashval % newsize] = bad; + } + } + } + isc_mem_put(resolver->mctx, resolver->badcache, + sizeof(*resolver->badcache) * resolver->badhash); + resolver->badhash = newsize; + resolver->badcache = new; +} + +void +dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *expire) +{ + isc_time_t now; + isc_result_t result = ISC_R_SUCCESS; + unsigned int i, hashval; + dns_badcache_t *bad, *prev, *next; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) { + resolver->badcache = isc_mem_get(resolver->mctx, + sizeof(*resolver->badcache) * + DNS_BADCACHE_SIZE); + if (resolver->badcache == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + resolver->badhash = DNS_BADCACHE_SIZE; + memset(resolver->badcache, 0, sizeof(*resolver->badcache) * + resolver->badhash); + } + + result = isc_time_now(&now); + if (result != ISC_R_SUCCESS) + isc_time_settoepoch(&now); + hashval = dns_name_hash(name, ISC_FALSE); + i = hashval % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (bad->type == type && dns_name_equal(name, &bad->name)) + break; + if (isc_time_compare(&bad->expire, &now) < 0) { + if (prev == NULL) + resolver->badcache[i] = bad->next; + else + prev->next = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else + prev = bad; + } + if (bad == NULL) { + isc_buffer_t buffer; + bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length); + if (bad == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + bad->type = type; + bad->hashval = hashval; + isc_buffer_init(&buffer, bad + 1, name->length); + dns_name_init(&bad->name, NULL); + dns_name_copy(name, &bad->name, &buffer); + bad->next = resolver->badcache[i]; + resolver->badcache[i] = bad; + resolver->badcount++; + if (resolver->badcount > resolver->badhash * 8) + resizehash(resolver, &now, ISC_TRUE); + if (resolver->badcount < resolver->badhash * 2 && + resolver->badhash > DNS_BADCACHE_SIZE) + resizehash(resolver, &now, ISC_FALSE); + } + bad->expire = *expire; + cleanup: + UNLOCK(&resolver->lock); +} + +isc_boolean_t +dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *now) +{ + dns_badcache_t *bad, *prev, *next; + isc_boolean_t answer = ISC_FALSE; + unsigned int i; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) + goto unlock; + + i = dns_name_hash(name, ISC_FALSE) % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + /* + * Search the hash list. Clean out expired records as we go. + */ + if (isc_time_compare(&bad->expire, now) < 0) { + if (prev != NULL) + prev->next = bad->next; + else + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + continue; + } + if (bad->type == type && dns_name_equal(name, &bad->name)) { + answer = ISC_TRUE; + break; + } + prev = bad; + } + + /* + * Slow sweep to clean out stale records. + */ + i = resolver->badsweep++ % resolver->badhash; + bad = resolver->badcache[i]; + if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) { + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } + + unlock: + UNLOCK(&resolver->lock); + return (answer); +} + +void +dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + dns_badcache_t *bad, *next, *prev; + isc_time_t now; + unsigned int i; + isc_uint64_t t; + + LOCK(&resolver->lock); + fprintf(fp, ";\n; Bad cache\n;\n"); + + if (resolver->badcache == NULL) + goto unlock; + + TIME_NOW(&now); + for (i = 0; i < resolver->badhash; i++) { + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (isc_time_compare(&bad->expire, &now) < 0) { + if (prev != NULL) + prev->next = bad->next; + else + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + continue; + } + prev = bad; + dns_name_format(&bad->name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(bad->type, typebuf, + sizeof(typebuf)); + t = isc_time_microdiff(&bad->expire, &now); + t /= 1000; + fprintf(fp, "; %s/%s [ttl " + "%" ISC_PLATFORM_QUADFORMAT "u]\n", + namebuf, typebuf, t); + } + } + + unlock: + UNLOCK(&resolver->lock); +} + static void free_algorithm(void *node, void *arg) { unsigned char *algorithms = node; diff --git a/lib/dns/result.c b/lib/dns/result.c index 54c70e0e908..f241ded6ea7 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: result.c,v 1.125.124.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -157,6 +157,9 @@ static const char *text[DNS_R_NRESULTS] = { "MX is an address", /*%< 102 DNS_R_MXISADDRESS */ "duplicate query", /*%< 103 DNS_R_DUPLICATE */ "invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */ + + "not master", /*%< 105 DNS_R_NOTMASTER */ + "broken trust chain", /*%< 106 DNS_R_BROKENCHAIN */ }; static const char *rcode_text[DNS_R_NRCODERESULTS] = { diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c index ab9ff1967f6..6ec620972e5 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.66.48.3 2009/06/26 06:25:44 marka Exp $ */ +/* $Id: sdb.c,v 1.66.48.3.10.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -1387,6 +1387,8 @@ static dns_rdatasetmethods_t methods = { NULL, NULL, NULL, + NULL, + NULL, NULL }; diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c index 5e5f7e3d7a2..f2f778613ae 100644 --- a/lib/dns/sdlz.c +++ b/lib/dns/sdlz.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2005-2009 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2005-2010 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.c,v 1.18.50.3 2009/06/26 06:25:44 marka Exp $ */ +/* $Id: sdlz.c,v 1.18.50.3.10.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -1211,6 +1211,8 @@ static dns_rdatasetmethods_t rdataset_methods = { NULL, NULL, NULL, + NULL, + NULL, NULL }; diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 1e55a34055b..faaa3f366a9 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.11 2009/12/30 06:44:44 each Exp $ */ +/* $Id: validator.c,v 1.164.12.11.10.1 2010/03/03 22:06:39 marka Exp $ */ #include @@ -177,9 +177,16 @@ static inline void markanswer(dns_validator_t *val) { validator_log(val, ISC_LOG_DEBUG(3), "marking as answer"); if (val->event->rdataset != NULL) - val->event->rdataset->trust = dns_trust_answer; + dns_rdataset_settrust(val->event->rdataset, dns_trust_answer); if (val->event->sigrdataset != NULL) - val->event->sigrdataset->trust = dns_trust_answer; + dns_rdataset_settrust(val->event->sigrdataset, + dns_trust_answer); +} + +static inline void +marksecure(dns_validatorevent_t *event) { + dns_rdataset_settrust(event->rdataset, dns_trust_secure); + dns_rdataset_settrust(event->sigrdataset, dns_trust_secure); } static void @@ -425,7 +432,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { if (eresult == ISC_R_CANCELED) validator_done(val, eresult); else - validator_done(val, DNS_R_NOVALIDKEY); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); @@ -495,7 +502,7 @@ dsfetched(isc_task_t *task, isc_event_t *event) { if (eresult == ISC_R_CANCELED) validator_done(val, eresult); else - validator_done(val, DNS_R_NOVALIDDS); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); @@ -635,10 +642,16 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { if (result != DNS_R_WAIT) validator_done(val, result); } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } validator_log(val, ISC_LOG_DEBUG(3), "keyvalidated: got %s", isc_result_totext(eresult)); - validator_done(val, eresult); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); @@ -685,10 +698,16 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { if (result != DNS_R_WAIT) validator_done(val, result); } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } validator_log(val, ISC_LOG_DEBUG(3), "dsvalidated: got %s", isc_result_totext(eresult)); - validator_done(val, eresult); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); @@ -1199,6 +1218,8 @@ authvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "authvalidated: got %s", isc_result_totext(result)); + if (result == DNS_R_BROKENCHAIN) + val->authfail++; if (result == ISC_R_CANCELED) validator_done(val, result); else { @@ -1271,6 +1292,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) { * \li DNS_R_NCACHENXRRSET * \li DNS_R_NXRRSET * \li DNS_R_NXDOMAIN + * \li DNS_R_BROKENCHAIN */ static inline isc_result_t view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { @@ -1280,9 +1302,12 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; unsigned int options; + isc_time_t now; char buf1[DNS_NAME_FORMATSIZE]; char buf2[DNS_NAME_FORMATSIZE]; char buf3[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); @@ -1292,6 +1317,16 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { if (val->view->zonetable == NULL) return (ISC_R_CANCELED); + if (isc_time_now(&now) == ISC_R_SUCCESS && + dns_resolver_getbadcache(val->view->resolver, name, type, &now)) { + + dns_name_format(name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)", + namebuf, typebuf); + return (DNS_R_BROKENCHAIN); + } + options = DNS_DBFIND_PENDINGOK; if (type == dns_rdatatype_dlv) options |= DNS_DBFIND_COVERINGNSEC; @@ -1300,6 +1335,7 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { result = dns_view_find(val->view, name, type, 0, options, ISC_FALSE, NULL, NULL, foundname, &val->frdataset, &val->fsigrdataset); + if (result == DNS_R_NXDOMAIN) { if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); @@ -1656,7 +1692,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { /* * We don't know anything about this key. */ - result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey, + result = create_fetch(val, &siginfo->signer, + dns_rdatatype_dnskey, fetch_callback_validator, "get_key"); if (result != ISC_R_SUCCESS) return (result); @@ -1671,7 +1708,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { * This key doesn't exist. */ result = DNS_R_CONTINUE; - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); if (dns_rdataset_isassociated(&val->frdataset) && val->keyset != &val->frdataset) @@ -1919,8 +1957,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) { "looking for noqname proof"); return (nsecvalidate(val, ISC_FALSE)); } else if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); @@ -2096,8 +2133,7 @@ dlv_validatezonekey(dns_validator_t *val) { "no RRSIG matching DLV key"); } if (result == ISC_R_SUCCESS) { - val->event->rdataset->trust = dns_trust_secure; - val->event->sigrdataset->trust = dns_trust_secure; + marksecure(val->event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else if (result == ISC_R_NOMORE && !supported_algorithm) { @@ -2198,8 +2234,7 @@ validatezonekey(dns_validator_t *val) { keynode = nextnode; } if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "signed by trusted key; " "marking as secure"); @@ -2226,11 +2261,14 @@ validatezonekey(dns_validator_t *val) { */ dns_name_format(val->event->name, namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(2), + validator_log(val, ISC_LOG_NOTICE, "unable to find a DNSKEY which verifies " "the DNSKEY RRset and also matches one " "of specified trusted-keys for '%s'", namebuf); + validator_log(val, ISC_LOG_NOTICE, + "please check the 'trusted-keys' for " + "'%s' in named.conf.", namebuf); return (DNS_R_NOVALIDKEY); } @@ -2291,7 +2329,8 @@ validatezonekey(dns_validator_t *val) { dns_rdataset_disassociate(&val->fsigrdataset); validator_log(val, ISC_LOG_DEBUG(2), "no DS record"); return (DNS_R_NOVALIDSIG); - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); } /* @@ -2440,8 +2479,7 @@ validatezonekey(dns_validator_t *val) { "no RRSIG matching DS key"); } if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else if (result == ISC_R_NOMORE && !supported_algorithm) { @@ -2844,6 +2882,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { "nsecvalidate"); if (result != ISC_R_SUCCESS) return (result); + val->authcount++; return (DNS_R_WAIT); } @@ -2868,8 +2907,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { "noqname proof found"); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); - val->event->rdataset->trust = dns_trust_secure; - val->event->sigrdataset->trust = dns_trust_secure; + marksecure(val->event); return (ISC_R_SUCCESS); } else if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0 && dns_name_countlabels(dns_fixedname_name(&val->wild)) @@ -2923,6 +2961,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { } findnsec3proofs(val); + if (val->authcount == val->authfail) + return (DNS_R_BROKENCHAIN); validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found"); val->attributes |= VALATTR_INSECURITY; @@ -2954,6 +2994,58 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { return (ISC_FALSE); } +static void +dlvvalidated(isc_task_t *task, isc_event_t *event) { + dns_validatorevent_t *devent; + dns_validator_t *val; + isc_result_t eresult; + isc_boolean_t want_destroy; + + UNUSED(task); + INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); + + devent = (dns_validatorevent_t *)event; + val = devent->ev_arg; + eresult = devent->result; + + isc_event_free(&event); + dns_validator_destroy(&val->subvalidator); + + INSIST(val->event != NULL); + + validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated"); + LOCK(&val->lock); + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), + "dlvset with trust %d", val->frdataset.trust); + dns_rdataset_clone(&val->frdataset, &val->dlv); + val->havedlvsep = ISC_TRUE; + if (dlv_algorithm_supported(val)) + dlv_validator_start(val); + else { + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } + } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } + validator_log(val, ISC_LOG_DEBUG(3), + "dlvvalidated: got %s", + isc_result_totext(eresult)); + validator_done(val, DNS_R_BROKENCHAIN); + } + want_destroy = exit_check(val); + UNLOCK(&val->lock); + if (want_destroy) + destroy(val); +} + /*% * Callback from fetching a DLV record. * @@ -3173,6 +3265,24 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { namebuf); result = view_find(val, dlvname, dns_rdatatype_dlv); if (result == ISC_R_SUCCESS) { + if (DNS_TRUST_PENDING(val->frdataset.trust) && + dns_rdataset_isassociated(&val->fsigrdataset)) + { + dns_fixedname_init(&val->fname); + dns_name_copy(dlvname, + dns_fixedname_name(&val->fname), + NULL); + result = create_validator(val, + dns_fixedname_name(&val->fname), + dns_rdatatype_dlv, + &val->frdataset, + &val->fsigrdataset, + dlvvalidated, + "finddlvsep"); + if (result != ISC_R_SUCCESS) + return (result); + return (DNS_R_WAIT); + } if (val->frdataset.trust < dns_trust_secure) return (DNS_R_NOVALIDSIG); val->havedlvsep = ISC_TRUE; @@ -3223,6 +3333,7 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { * \li DNS_R_NOVALIDSIG * \li DNS_R_NOVALIDNSEC * \li DNS_R_NOTINSECURE + * \li DNS_R_BROKENCHAIN */ static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) @@ -3465,7 +3576,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) if (result != ISC_R_SUCCESS) goto out; return (DNS_R_WAIT); - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); } /* @@ -3682,6 +3794,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->seensig = ISC_FALSE; val->havedlvsep = ISC_FALSE; val->depth = 0; + val->authcount = 0; + val->authfail = 0; val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->frdataset); dns_rdataset_init(&val->fsigrdataset); diff --git a/lib/dns/view.c b/lib/dns/view.c index 961268e22c1..3726eefa5fb 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.150.84.3 2009/11/12 23:39:23 marka Exp $ */ +/* $Id: view.c,v 1.150.84.3.10.1 2010/03/03 22:06:39 marka Exp $ */ /*! \file */ @@ -1271,10 +1271,11 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) { (void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name); result = dns_master_dumptostream(view->mctx, view->cachedb, NULL, - &dns_master_style_cache, fp); + &dns_master_style_cache, fp); if (result != ISC_R_SUCCESS) return (result); dns_adb_dump(view->adb, fp); + dns_resolver_printbadcache(view->resolver, fp); return (ISC_R_SUCCESS); } @@ -1295,6 +1296,8 @@ dns_view_flushcache(dns_view_t *view) { dns_cache_attachdb(view->cache, &view->cachedb); if (view->acache != NULL) dns_acache_setdb(view->acache, view->cachedb); + if (view->resolver != NULL) + dns_resolver_flushbadcache(view->resolver, NULL); dns_adb_flush(view->adb); return (ISC_R_SUCCESS); @@ -1309,6 +1312,8 @@ dns_view_flushname(dns_view_t *view, dns_name_t *name) { dns_adb_flushname(view->adb, name); if (view->cache == NULL) return (ISC_R_SUCCESS); + if (view->resolver != NULL) + dns_resolver_flushbadcache(view->resolver, name); return (dns_cache_flushname(view->cache, name)); } diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def index 0331c278e14..fd3792b18e3 100644 --- a/lib/dns/win32/libdns.def +++ b/lib/dns/win32/libdns.def @@ -467,6 +467,7 @@ dns_rdataset_clone dns_rdataset_count dns_rdataset_current dns_rdataset_disassociate +dns_rdataset_expire dns_rdataset_first dns_rdataset_getadditional dns_rdataset_getclosest @@ -478,6 +479,7 @@ dns_rdataset_makequestion dns_rdataset_next dns_rdataset_putadditional dns_rdataset_setadditional +dns_rdataset_settrust dns_rdataset_totext dns_rdataset_towire dns_rdataset_towiresorted @@ -520,6 +522,7 @@ dns_requestmgr_detach dns_requestmgr_shutdown dns_requestmgr_whenshutdown dns_resolver_addalternate +dns_resolver_addbadcache dns_resolver_algorithm_supported dns_resolver_attach dns_resolver_cancelfetch @@ -532,7 +535,9 @@ dns_resolver_disable_algorithm dns_resolver_dispatchmgr dns_resolver_dispatchv4 dns_resolver_dispatchv6 +dns_resolver_flushbadcache dns_resolver_freeze +dns_resolver_getbadcache dns_resolver_getlamettl dns_resolver_getoptions dns_resolver_getudpsize @@ -540,6 +545,7 @@ dns_resolver_getzeronosoattl dns_resolver_logfetch dns_resolver_nrunning dns_resolver_prime +dns_resolver_printbadcache dns_resolver_reset_algorithms dns_resolver_resetmustbesecure dns_resolver_setclientsperquery diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html index c90bcbd575f..f7f3a9fc725 100644 --- a/lib/lwres/man/lwres.html +++ b/lib/lwres/man/lwres.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres — introduction to the lightweight resolver library
@@ -32,7 +32,7 @@
#include <lwres/lwres.h>

-
DESCRIPTION
+
DESCRIPTION

The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname-to-address @@ -47,7 +47,7 @@

-
OVERVIEW
+
OVERVIEW

The lwresd library implements multiple name service APIs. The standard @@ -101,7 +101,7 @@

-
CLIENT-SIDE LOW-LEVEL API CALL FLOW
+
CLIENT-SIDE LOW-LEVEL API CALL FLOW

When a client program wishes to make an lwres request using the native low-level API, it typically performs the following @@ -149,7 +149,7 @@

-
SERVER-SIDE LOW-LEVEL API CALL FLOW
+
SERVER-SIDE LOW-LEVEL API CALL FLOW

When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the @@ -191,7 +191,7 @@

-
SEE ALSO
+
SEE ALSO

lwres_gethostent(3), lwres_getipnode(3), diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html index b546bcf155d..042e1586700 100644 --- a/lib/lwres/man/lwres_buffer.html +++ b/lib/lwres/man/lwres_buffer.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management
@@ -262,7 +262,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These functions provide bounds checked access to a region of memory where data is being read or written. diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html index fb29b7fbaec..aad6768e911 100644 --- a/lib/lwres/man/lwres_config.html +++ b/lib/lwres/man/lwres_config.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration
@@ -90,7 +90,7 @@ lwres_conf_t *

-
DESCRIPTION
+
DESCRIPTION

lwres_conf_init() creates an empty lwres_conf_t @@ -123,7 +123,7 @@ lwres_conf_t *

-
RETURN VALUES
+
RETURN VALUES

lwres_conf_parse() returns LWRES_R_SUCCESS if it successfully read and parsed @@ -142,13 +142,13 @@ lwres_conf_t *

-
SEE ALSO
+
SEE ALSO

stdio(3), resolver(5).

-
FILES
+
FILES

/etc/resolv.conf

diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html index 22bdcd3c1e4..3635b9c913a 100644 --- a/lib/lwres/man/lwres_context.html +++ b/lib/lwres/man/lwres_context.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management
@@ -172,7 +172,7 @@ void *

-
DESCRIPTION
+
DESCRIPTION

lwres_context_create() creates a lwres_context_t structure for use in lightweight resolver operations. It holds a socket and other @@ -258,7 +258,7 @@ void *

-
RETURN VALUES
+
RETURN VALUES

lwres_context_create() returns LWRES_R_NOMEMORY if memory for the struct lwres_context could not be allocated, @@ -283,7 +283,7 @@ void *

-
SEE ALSO
+
SEE ALSO

lwres_conf_init(3), malloc(3), diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html index e5cb4d31c02..2b6ba853a79 100644 --- a/lib/lwres/man/lwres_gabn.html +++ b/lib/lwres/man/lwres_gabn.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling
@@ -178,7 +178,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver name-to-address lookup request and @@ -278,7 +278,7 @@ typedef struct {

-
RETURN VALUES
+
RETURN VALUES

The getaddrbyname opcode functions lwres_gabnrequest_render(), @@ -316,7 +316,7 @@ typedef struct {

-
SEE ALSO
+
SEE ALSO

lwres_packet(3)

diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html index 994782dbb27..393efeb79b4 100644 --- a/lib/lwres/man/lwres_gai_strerror.html +++ b/lib/lwres/man/lwres_gai_strerror.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_gai_strerror — print suitable error string
@@ -42,7 +42,7 @@ char *

-
DESCRIPTION
+
DESCRIPTION

lwres_gai_strerror() returns an error message corresponding to an error code returned by getaddrinfo(). @@ -110,7 +110,7 @@ char *

-
SEE ALSO
+
SEE ALSO

strerror(3), lwres_getaddrinfo(3), diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html index d3f6e0ba358..ef5cd405826 100644 --- a/lib/lwres/man/lwres_getaddrinfo.html +++ b/lib/lwres/man/lwres_getaddrinfo.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name
@@ -89,7 +89,7 @@ struct addrinfo {

-
DESCRIPTION
+
DESCRIPTION

lwres_getaddrinfo() is used to get a list of IP addresses and port numbers for host hostname and service @@ -283,7 +283,7 @@ struct addrinfo {

-
RETURN VALUES
+
RETURN VALUES

lwres_getaddrinfo() returns zero on success or one of the error codes listed in gai_strerror(3) @@ -294,7 +294,7 @@ struct addrinfo {

-
SEE ALSO
+
SEE ALSO

lwres(3), lwres_getaddrinfo(3), diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html index 3bccc48ceb8..7f6a6adad25 100644 --- a/lib/lwres/man/lwres_gethostent.html +++ b/lib/lwres/man/lwres_gethostent.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry
@@ -228,7 +228,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These functions provide hostname-to-address and address-to-hostname lookups by means of the lightweight resolver. @@ -366,7 +366,7 @@ struct hostent {

-
RETURN VALUES
+
RETURN VALUES

The functions lwres_gethostbyname(), @@ -430,7 +430,7 @@ struct hostent {

-
SEE ALSO
+
SEE ALSO

gethostent(3), lwres_getipnode(3), @@ -439,7 +439,7 @@ struct hostent {

-
BUGS
+
BUGS

lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr() diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html index 5d9eb9d8318..f20240ef910 100644 --- a/lib/lwres/man/lwres_getipnode.html +++ b/lib/lwres/man/lwres_getipnode.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API
@@ -98,7 +98,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These functions perform thread safe, protocol independent nodename-to-address and address-to-nodename @@ -217,7 +217,7 @@ struct hostent {

-
RETURN VALUES
+
RETURN VALUES

If an error occurs, lwres_getipnodebyname() @@ -261,7 +261,7 @@ struct hostent {

-
SEE ALSO
+
SEE ALSO

RFC2553, lwres(3), diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html index 200f93feac4..88215ddc2d8 100644 --- a/lib/lwres/man/lwres_getnameinfo.html +++ b/lib/lwres/man/lwres_getnameinfo.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_getnameinfo — lightweight resolver socket address structure to hostname and @@ -82,7 +82,7 @@ int

-
DESCRIPTION
+
DESCRIPTION

This function is equivalent to the getnameinfo(3) function defined in RFC2133. @@ -149,13 +149,13 @@ int

-
RETURN VALUES
+
RETURN VALUES

lwres_getnameinfo() returns 0 on success or a non-zero error code if an error occurs.

-
SEE ALSO
+
SEE ALSO

RFC2133, getservbyport(3), lwres(3), @@ -165,7 +165,7 @@ int

-
BUGS
+
BUGS

RFC2133 fails to define what the nonzero return values of getnameinfo(3) diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html index be8c05aa0e9..8715e5fffbd 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.html +++ b/lib/lwres/man/lwres_getrrsetbyname.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records
@@ -102,7 +102,7 @@ struct rrsetinfo {

-
DESCRIPTION
+
DESCRIPTION

lwres_getrrsetbyname() gets a set of resource records associated with a hostname, class, @@ -150,7 +150,7 @@ struct rrsetinfo {

-
RETURN VALUES
+
RETURN VALUES

lwres_getrrsetbyname() returns zero on success, and one of the following error codes if an error occurred: @@ -184,7 +184,7 @@ struct rrsetinfo {

-
SEE ALSO
+
SEE ALSO

lwres(3).

diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html index bd1ce6036f1..476fd1f3749 100644 --- a/lib/lwres/man/lwres_gnba.html +++ b/lib/lwres/man/lwres_gnba.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling
@@ -183,7 +183,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver address-to-name lookup request and @@ -270,7 +270,7 @@ typedef struct {

-
RETURN VALUES
+
RETURN VALUES

The getnamebyaddr opcode functions lwres_gnbarequest_render(), @@ -308,7 +308,7 @@ typedef struct {

-
SEE ALSO
+
SEE ALSO

lwres_packet(3).

diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html index fce6c318eb8..2e77451590b 100644 --- a/lib/lwres/man/lwres_hstrerror.html +++ b/lib/lwres/man/lwres_hstrerror.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_herror, lwres_hstrerror — lightweight resolver error message generation
@@ -50,7 +50,7 @@ const char *

-
DESCRIPTION
+
DESCRIPTION

lwres_herror() prints the string s on stderr followed by the string generated by @@ -84,7 +84,7 @@ const char *

-
RETURN VALUES
+
RETURN VALUES

The string Unknown resolver error is returned by lwres_hstrerror() @@ -94,7 +94,7 @@ const char *

-
SEE ALSO
+
SEE ALSO

herror(3), lwres_hstrerror(3). diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html index 37bd95fdbc4..4358c1b31cc 100644 --- a/lib/lwres/man/lwres_inetntop.html +++ b/lib/lwres/man/lwres_inetntop.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_net_ntop — lightweight resolver IP address presentation
@@ -62,7 +62,7 @@ const char *

-
DESCRIPTION
+
DESCRIPTION

lwres_net_ntop() converts an IP address of protocol family af — IPv4 or IPv6 — at @@ -80,7 +80,7 @@ const char *

-
RETURN VALUES
+
RETURN VALUES

If successful, the function returns dst: a pointer to a string containing the presentation format of the @@ -93,7 +93,7 @@ const char *

-
SEE ALSO
+
SEE ALSO

RFC1884, inet_ntop(3), errno(3). diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html index c8fad5d3703..62aa19a463e 100644 --- a/lib/lwres/man/lwres_noop.html +++ b/lib/lwres/man/lwres_noop.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling
@@ -179,7 +179,7 @@ void

-
DESCRIPTION
+
DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver no-op request and response messages. @@ -270,7 +270,7 @@ typedef struct {

-
RETURN VALUES
+
RETURN VALUES

The no-op opcode functions lwres_nooprequest_render(), @@ -309,7 +309,7 @@ typedef struct {

-
SEE ALSO
+
SEE ALSO

lwres_packet(3)

diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html index 17aed04dcd2..7f2f67b7800 100644 --- a/lib/lwres/man/lwres_packet.html +++ b/lib/lwres/man/lwres_packet.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions
@@ -66,7 +66,7 @@ lwres_result_t

-
DESCRIPTION
+
DESCRIPTION

These functions rely on a struct lwres_lwpacket @@ -219,7 +219,7 @@ struct lwres_lwpacket {

-
RETURN VALUES
+
RETURN VALUES

Successful calls to lwres_lwpacket_renderheader() and diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html index 3cde25b7917..e6499654198 100644 --- a/lib/lwres/man/lwres_resutil.html +++ b/lib/lwres/man/lwres_resutil.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@
-
+

Name

lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions
@@ -134,7 +134,7 @@ lwres_result_t

-
DESCRIPTION
+
DESCRIPTION

lwres_string_parse() retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer b: i.e. @@ -210,7 +210,7 @@ typedef struct {

-
RETURN VALUES
+
RETURN VALUES

Successful calls to lwres_string_parse() @@ -248,7 +248,7 @@ typedef struct {

-
SEE ALSO
+
SEE ALSO

lwres_buffer(3), lwres_gabn(3). diff --git a/util/copyrights b/util/copyrights index 1e62a655e19..076455a6f55 100644 --- a/util/copyrights +++ b/util/copyrights @@ -158,7 +158,7 @@ ./bin/named/named.html HTML DOCBOOK ./bin/named/notify.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007 ./bin/named/query.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./bin/named/server.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./bin/named/server.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./bin/named/sortlist.c C 2000,2001,2004,2005,2006,2007 ./bin/named/statschannel.c C 2008,2009,2010 ./bin/named/tkeyconf.c C 1999,2000,2001,2004,2005,2006,2007 @@ -1678,13 +1678,13 @@ ./lib/dns/include/dns/rdata.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/rdataclass.h C 1998,1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/rdatalist.h C 1999,2000,2001,2004,2005,2006,2007,2008 -./lib/dns/include/dns/rdataset.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/include/dns/rdataset.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/include/dns/rdatasetiter.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/rdataslab.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008 ./lib/dns/include/dns/rdatatype.h C 1998,1999,2000,2001,2004,2005,2006,2007,2008 ./lib/dns/include/dns/request.h C 2000,2001,2002,2004,2005,2006,2007,2009 -./lib/dns/include/dns/resolver.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008,2009 -./lib/dns/include/dns/result.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 +./lib/dns/include/dns/resolver.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010 +./lib/dns/include/dns/result.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2010 ./lib/dns/include/dns/rootns.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/sdb.h C 2000,2001,2004,2005,2006,2007,2009 ./lib/dns/include/dns/sdlz.h C.PORTION 1999,2000,2001,2005,2006,2007,2009 @@ -1700,7 +1700,7 @@ ./lib/dns/include/dns/tsig.h C 1999,2000,2001,2002,2004,2005,2006,2007 ./lib/dns/include/dns/ttl.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/types.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./lib/dns/include/dns/validator.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/include/dns/validator.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/include/dns/version.h C 2001,2004,2005,2006,2007 ./lib/dns/include/dns/view.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/xfrin.h C 1999,2000,2001,2003,2004,2005,2006,2007,2009 @@ -1724,7 +1724,7 @@ ./lib/dns/masterdump.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/message.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/name.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 -./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008 +./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2010 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009 ./lib/dns/nsec3.c C 2006,2008,2009 ./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 @@ -1735,7 +1735,7 @@ ./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008 ./lib/dns/portlist.c C 2003,2004,2005,2006,2007 ./lib/dns/rbt.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009 -./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/rbtdb.h C 1999,2000,2001,2004,2005,2007 ./lib/dns/rbtdb64.c C 1999,2000,2001,2004,2005,2007 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004,2005,2007 @@ -1853,17 +1853,17 @@ ./lib/dns/rdata/in_1/wks_11.h C 1999,2000,2001,2004,2007 ./lib/dns/rdata/rdatastructpre.h C 1999,2000,2001,2004,2007 ./lib/dns/rdata/rdatastructsuf.h C 1999,2000,2001,2004,2007 -./lib/dns/rdatalist.c C 1999,2000,2001,2003,2004,2005,2007,2008 +./lib/dns/rdatalist.c C 1999,2000,2001,2003,2004,2005,2007,2008,2010 ./lib/dns/rdatalist_p.h C 2000,2001,2004,2005,2007,2008 -./lib/dns/rdataset.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/rdataset.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/rdatasetiter.c C 1999,2000,2001,2004,2005,2007 -./lib/dns/rdataslab.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/rdataslab.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/request.c C 2000,2001,2002,2004,2005,2006,2007,2008,2009 ./lib/dns/resolver.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 -./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008 +./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2010 ./lib/dns/rootns.c C 1999,2000,2001,2002,2004,2005,2007,2008 -./lib/dns/sdb.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009 -./lib/dns/sdlz.c C.PORTION 1999,2000,2001,2005,2006,2007,2008,2009 +./lib/dns/sdb.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2010 +./lib/dns/sdlz.c C.PORTION 1999,2000,2001,2005,2006,2007,2008,2009,2010 ./lib/dns/soa.c C 2000,2001,2004,2005,2007 ./lib/dns/spnego.asn1 X 2006 ./lib/dns/spnego.c C 2006,2007,2008,2009 @@ -1878,9 +1878,9 @@ ./lib/dns/tkey.c C 1999,2000,2001,2003,2004,2005,2006,2007,2008 ./lib/dns/tsig.c C 1999,2000,2001,2002,2004,2005,2006,2007,2008 ./lib/dns/ttl.c C 1999,2000,2001,2004,2005,2007 -./lib/dns/validator.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/validator.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/version.c C 1998,1999,2000,2001,2004,2005,2007 -./lib/dns/view.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/view.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/win32/DLLMain.c C 2001,2004,2007 ./lib/dns/win32/gen.dsp X 2001 ./lib/dns/win32/gen.dsw X 2001 diff --git a/version b/version index 5559b5cc6cc..dd70948fd73 100644 --- a/version +++ b/version @@ -1,10 +1,10 @@ -# $Id: version,v 1.43.12.8 2010/02/18 03:34:50 marka Exp $ +# $Id: version,v 1.43.12.8.4.1 2010/03/03 22:06:36 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # MAJORVER=9 MINORVER=6 -PATCHVER=2 -RELEASETYPE= +PATCHVER= +RELEASETYPE=-ESV RELEASEVER=

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

-trusted-keys Statement Grammar

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

-view Statement Definition and Usage

-zone Statement Definition and Usage

-Zone Types

-Class

-Zone Options

-Zone File

Types of Resource Records and When to Use Them

-Resource Records

-Textual expression of RRs

-Discussion of MX Records

-Inverse Mapping in IPv4

-Other Zone File Directives

-The @ (at-sign)

-The $ORIGIN Directive

-The $INCLUDE Directive

-The $TTL Directive

-BIND Master File Extension: the $GENERATE Directive

-Name Server Statistics Counters

-Zone Maintenance Statistics Counters

-Resolver Statistics Counters

-Socket I/O Statistics Counters

-Compatibility with BIND 8 Counters

-Chroot and Setuid +Chroot and Setuid

-The chroot Environment

-Using the setuid Function

-Common Problems

-It's not working; how can I figure out what's wrong?

-Incrementing and Changing the Serial Number

-Where Can I Get Help?

-Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

IPv6 addresses (AAAA)

-Bibliography

Standards

Proposed Standards

DNS Security Proposed Standards

Other Important RFCs About DNS Implementation

Resource Record Types

DNS and the Internet

DNS Operations

Internationalized Domain Names

Obsolete and Unimplemented Experimental RFC

-Other Documents About BIND +Other Documents About BIND

-Bibliography

DESCRIPTION

DESCRIPTION

SIMPLE USAGE

SIMPLE USAGE

OPTIONS

OPTIONS

QUERY OPTIONS

QUERY OPTIONS

MULTIPLE QUERIES

MULTIPLE QUERIES

IDN SUPPORT

IDN SUPPORT

FILES

FILES

SEE ALSO

SEE ALSO

BUGS

BUGS

DESCRIPTION

DESCRIPTION

OPTIONS

OPTIONS

EXAMPLE

EXAMPLE

FILES

FILES

CAVEAT

CAVEAT

SEE ALSO

SEE ALSO

AUTHOR

AUTHOR