classobj = cfg_tuple_get(vconfig, "class");
CHECK(named_config_getclass(classobj, dns_rdataclass_in,
&viewclass));
- if (dns_rdataclass_ismeta(viewclass)) {
+ switch (viewclass) {
+ case dns_rdataclass_in:
+ break;
+ case dns_rdataclass_chaos:
+ /* allow the builtin _bind view */
+ if (strcmp(viewname, "_bind") != 0) {
+ isc_log_write(
+ NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "view '%s': only builtin _bind view is "
+ "allowed in Chaos (CH) class",
+ viewname);
+ CLEANUP(ISC_R_FAILURE);
+ }
+ break;
+ default:
isc_log_write(NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "view '%s': class must not be meta",
+ "view '%s': only Internet (IN) class is "
+ "allowed",
viewname);
CLEANUP(ISC_R_FAILURE);
}
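Review bot: The `case dns_rdataclass_chaos` arm accepts any view whose name is literally `_bind`, so a user-written `view "_bind" chaos { ... }` passes this check and continues toward `dns_view_create()` as if it were the builtin view; named-checkconf's new check rejects every non-IN view, but that is a separate tool, so confirm that a user-defined `_bind` view is rejected somewhere on named's own path (not visible in this hunk). A short comment on the case arm would make the intent explicit, e.g. `/* CH is reserved for the builtin "_bind" view; every user-defined view must be IN */`. The enclosing function starts and ends outside the hunk.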
+++ /dev/null
-$TTL 300 ; 5 minutes
-@ CH SOA ns root (
- 2018010100 ; serial
- 1800 ; refresh (30 minutes)
- 1800 ; retry (30 minutes)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A ch-addr.example. 1001
-test A ch-addr.example. 1002
- A ch-addr.example. 1003
log-report-channel yes;
};
};
-
-view alt chaos {
- zone example.chaos chaos {
- type primary;
- file "chaos.db";
- };
-};
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
-n=$((n + 1))
-echo_i "check that CHAOS addresses are compared correctly ($n)"
-ret=0
-$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n || ret=1
-lines=$(wc -l <dig.out.test$n)
-[ ${lines:-0} -eq 2 ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=$((status + ret))
-
n=$((n + 1))
echo_i "check that a Report-Channel EDNS option is added to responses ($n)"
ret=0
+++ /dev/null
-@ 3600 SOA . . 1 86400 3600 86400 3600
-@ 3600 CH NS invalid.
-version CH TXT "2"
};
};
-view "ch" ch {
-
- # Non-IN class catalog zone
- zone "catalog-bad5.example" ch {
- type primary;
- file "catalog-bad5.example.db";
- allow-transfer { any; };
- allow-update { any; };
- also-notify { 10.53.0.2; };
- notify explicit;
- };
-
-};
-
key tsig_key. {
secret "LSAnCU+Z";
algorithm @DEFAULT_HMAC@;
+++ /dev/null
-view override_bind chaos {
- zone "version.bind" chaos {
- type primary;
- database "_builtin version";
- };
-};
--- /dev/null
+view chaos ch {
+ match-clients { any; };
+};
};
key-directory ".";
};
-view "chaos" chaos {
- zone "hostname.bind" chaos {
- type primary;
- database "_builtin hostname";
- };
-};
dyndb "name" "library.so" {
this;
\};
dnssec-view2 IN fifth primary
dnssec-view3 IN fifth primary
dnssec-view4 IN fifth primary
-hostname.bind chaos chaos primary
fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
-ret=0
-$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "check 'recursion yes;' is warned and disabled in a non-IN view ($n)"
-ret=0
-$CHECKCONF warn-chaos-recursion.conf >checkconf.out$n 2>&1 || ret=1
-grep -F "recursion will be disabled" checkconf.out$n >/dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
+++ /dev/null
-options {
- directory ".";
-};
-
-view chaos ch {
- match-clients { any; };
- recursion yes;
- zone "." {
- type hint;
- file "chaos.hints";
- };
-};
+++ /dev/null
-. CH NS ns.root.
-ns.root. CH A ns.root. 1
-ns.root. CH AAAA \# 1 00
-
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-
-view chaos ch {
- match-clients { any; };
- recursion yes;
- zone "." {
- type hint;
- file "chaos.db";
- };
- zone "version.bind" {
- type primary;
- database "_builtin version";
- };
-};
+++ /dev/null
-$TTL 300
-@ CH SOA ns.example. hostmaster.example. 1 3600 1200 604800 300
-@ CH NS ns.example.
-ns CH TXT "ns"
-a CH A target.example. 1
-target CH TXT "target"
};
};
};
-
-view chaos ch {
- match-clients { any; };
- recursion no;
- zone example {
- type primary;
- file "example.db";
- allow-update { any; };
- };
-};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-
-view chaos ch {
- match-clients { any; };
- recursion yes;
- dnssec-validation no;
- forward only;
- forwarders port @PORT@ { 10.53.0.2; };
- deny-answer-addresses { 0.0.0.0/0; ::/0; };
-};
# shellcheck source=conf.sh
. ../conf.sh
-cp ns1/chaos.db.in ns1/chaos.db
-cp ns2/example.db.in ns2/example.db
cp ns2/localhost.db.in ns2/localhost.db
pytestmark = pytest.mark.extra_artifacts(
[
"*/*.db",
+ "*/*.jnl",
]
)
def test_chaos_auth():
msg = isctest.query.create("a.example.", "A", qclass="CH")
res = isctest.query.udp(msg, "10.53.0.2")
- isctest.check.noerror(res)
+ isctest.check.refused(res)
def test_chaos_forward():
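Review bot: `test_chaos_auth` now asserts REFUSED for a CH-class query while its name still suggests an authoritative answer is expected, and nothing in the function says why refusal is the correct outcome. Add a docstring stating the contract, e.g. `"""CH-class queries are refused: views can no longer be configured in a class other than IN."""` — the reason is inferred from the CH view removals elsewhere in this change, so adjust if the server setup differs. Renaming the test to something like `test_chaos_refused` would also read better, provided nothing outside the file refers to the current name.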
pytestmark = pytest.mark.extra_artifacts(
[
"*/*.db",
+ "*/*.jnl",
]
)
RUNCHECK(dns_requestmgr_create(isc_g_mctx, dispatchmgr, dispatchv4,
NULL, &requestmgr));
- dns_view_create(isc_g_mctx, NULL, 0, "_test", &view);
+ dns_view_create(isc_g_mctx, NULL, dns_rdataclass_in, "_test", &view);
isc_loopmgr_setup(sendqueries, NULL);
isc_loopmgr_teardown(teardown_view, view);
+++ /dev/null
-$TTL 3600
-@ CHAOS SOA @ @ 1970010100 86400 600 86400 300
-@ CHAOS NS @
-version CHAOS TXT "CH 1.0"
-hostname CHAOS TXT "unknown"
transfer-source-v6 fd92:7065:b8e:ffff::1001;
};
-/*
- * Must be first view so that there is a CH cache with name
- * "globalcache" before the recursive "default"/IN view is configured.
- */
-view "class" chaos {
- zone "chaostest" CHAOS {
- type primary;
- file "chaostest.db";
- };
-};
-
-/*
- * Must be second view so that so that we can check we don't attach to the
- * "globalcache"/CH cache.
- */
view "default" {
zone "." {
type hint;
status=$((status + ret))
n=$((n + 1))
-echo_i "checking REFUSED is returned when querying non existing domain in CH class ($n)"
+echo_i "checking REFUSED is returned when querying name in CH class ($n)"
ret=0
-dig_with_opts @10.53.0.1 hostname.chaostest txt ch >dig.ns1.out.1.${n} || ret=1
-grep "status: NOERROR" dig.ns1.out.1.${n} >/dev/null || ret=1
-dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.2.${n} || ret=1
-grep "status: REFUSED" dig.ns1.out.2.${n} >/dev/null || ret=1
+dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.${n} || ret=1
+grep "status: REFUSED" dig.ns1.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
file "broken5.db";
};
};
-
-view "class10" class10 {
- zone "." class10 {
- type hint;
- file "class10.hints";
- };
-
- zone "example." class10 {
- type primary;
- file "example-class10.db";
- };
-};
isc_g_mctx, dispatchmgr, have_ipv4 ? dispatchvx : NULL,
have_ipv6 ? dispatchvx : NULL, &requestmgr));
- dns_view_create(isc_g_mctx, NULL, 0, "_mdig", &view);
+ dns_view_create(isc_g_mctx, NULL, dns_rdataclass_in, "_mdig", &view);
}
/*% Main processing routine for mdig */
default values specified in the :any:`view` statement; these view-specific
defaults take precedence over those in the :namedconf:ref:`options` statement.
-Views are class-specific. If no class is given, class IN is assumed.
-Note that all non-IN views must contain a hint zone, since only the IN
-class has compiled-in default hints.
+Only class IN can be used for the views. If no class is given, class IN is
+assumed.
If there are no :any:`view` statements in the config file, a default view
that matches any client is automatically created in class IN. Any
REQUIRE(name != NULL);
REQUIRE(viewp != NULL && *viewp == NULL);
+ switch (rdclass) {
+ case dns_rdataclass_in:
+ break;
+ case dns_rdataclass_chaos:
+ if (strcmp(name, "_bind") == 0) {
+ /* allowed */
+ break;
+ }
+ FALLTHROUGH;
+ default:
+ UNREACHABLE();
+ }
+
result = isc_file_sanitize(NULL, name, "nta", buffer, sizeof(buffer));
RUNTIME_CHECK(result == ISC_R_SUCCESS);
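Review bot: The new `switch` turns an out-of-contract `rdclass` into `UNREACHABLE()`, but the condition is a precondition on the caller's arguments, which this function already expresses with `REQUIRE()` two lines above (`REQUIRE(name != NULL)`); stating it the same way reports the failure as a violated precondition rather than as an impossible code path. The whole switch could become `REQUIRE(rdclass == dns_rdataclass_in || (rdclass == dns_rdataclass_chaos && strcmp(name, "_bind") == 0));`. Either way the contract (IN only, CH only for the builtin `_bind` view) should also be stated in the function's header comment on its declaration, which is outside this diff. The function body continues outside the hunk; the mdig and test-driver callers elsewhere in this change already move from class 0 to `dns_rdataclass_in`, which is what makes the assertion safe for them.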
}
}
symtype = vclass + 1;
+ /*
+ * Only the Internet (IN) class is allowed for user-defined
+ * views. The builtin "_bind" view (Chaos) is generated
+ * internally and never appears in the configuration here.
+ */
+ if (tresult == ISC_R_SUCCESS && vclass != dns_rdataclass_in) {
+ cfg_obj_log(view, ISC_LOG_ERROR,
+ "view '%s': only Internet (IN) class is "
+ "allowed",
+ key);
+ tresult = ISC_R_FAILURE;
+ }
if (tresult == ISC_R_SUCCESS && symtab != NULL) {
symvalue.as_cpointer = view;
tresult = isc_symtab_define(symtab, key, symtype,