clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-validation " VALIDATION_DEFAULT "; \n"
+#ifdef USE_DNSRPS
+ " dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
+#endif /* ifdef USE_DNSRPS */
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif /* ifdef HAVE_DNSTAP */
char *statsfile; /*%< Statistics file name */
char *dumpfile; /*%< Dump file name */
char *secrootsfile; /*%< Secroots file name */
- char *bindkeysfile; /*%< bind.keys file name
- * */
+ char *bindkeysfile; /*%< bind.keys file name */
char *recfile; /*%< Recursive file name */
- bool version_set; /*%< User has set version
- * */
+ bool version_set; /*%< User has set version */
char *version; /*%< User-specified version */
- bool hostname_set; /*%< User has set hostname
- * */
- char *hostname; /*%< User-specified hostname
- * */
+ bool hostname_set; /*%< User has set hostname */
+ char *hostname; /*%< User-specified hostname */
+#ifdef USE_DNSRPS
+ char *dnsrpslib;
+#endif /* ifdef USE_DNSRPS */
/* Server data structures. */
dns_loadmgr_t *loadmgr;
}
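Review bot: The new `char *dnsrpslib;` member is the only field in this struct without a `/*%< ... */` description, while every neighbour (`hostname`, `recfile`, `loadmgr`) documents itself. Suggest `char *dnsrpslib; /*%< DNSRPS provider library path; owned by the server */` — the ownership is worth stating because server.c both assigns it through setstring() and releases it with isc_mem_free() on reload and at shutdown, which a reader of the header cannot see. The enclosing struct starts outside this hunk.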
/*
- * Get an DNSRPS configuration value using the global and view options
+ * Get a DNSRPS configuration value using the global and view options
* for the default. Return false upon failure.
*/
static bool
server->kasplist = kasplist;
kasplist = tmpkasplist;
+#ifdef USE_DNSRPS
+ /*
+ * Find the path to the DNSRPS implementation library.
+ */
+ obj = NULL;
+ if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
+ if (server->dnsrpslib != NULL) {
+ dns_dnsrps_server_destroy();
+ isc_mem_free(server->mctx, server->dnsrpslib);
+ server->dnsrpslib = NULL;
+ }
+ setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj));
+ result = dns_dnsrps_server_create(server->dnsrpslib);
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "initializing DNSRPS RPZ provider '%s': %s",
+ server->dnsrpslib, isc_result_totext(result));
+ /*
+ * It's okay if librpz isn't available. We'll complain
+ * later if it turns out to be needed for a view with
+ * "dnsrps-enable yes".
+ */
+ if (result == ISC_R_FILENOTFOUND) {
+ result = ISC_R_SUCCESS;
+ }
+ CHECKFATAL(result, "initializing RPZ service interface");
+ }
+#endif /* ifdef USE_DNSRPS */
+
/*
* Configure the views.
*/
.recfile = isc_mem_strdup(mctx, "named.recursing"),
};
-#ifdef USE_DNSRPS
- CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
- "interface");
-#endif /* ifdef USE_DNSRPS */
-
/* Initialize server data structures. */
ISC_LIST_INIT(server->kasplist);
ISC_LIST_INIT(server->viewlist);
/* Must be first. */
- CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
- "DST");
+ CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
+ "initializing DST");
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints),
#ifdef USE_DNSRPS
dns_dnsrps_server_destroy();
+ isc_mem_free(server->mctx, server->dnsrpslib);
#endif /* ifdef USE_DNSRPS */
named_controls_destroy(&server->controls);
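Review bot: The added `isc_mem_free(server->mctx, server->dnsrpslib);` in the shutdown path is unconditional, but `server->dnsrpslib` is only assigned once load_configuration() reaches the `dnsrps-library` lookup; if shutdown runs before a first successful configuration load it may still be NULL, and if isc_mem_free() asserts on a NULL pointer (I believe its REQUIRE does — confirm against isc/mem) that becomes a crash on the shutdown path. Guarding it as `if (server->dnsrpslib != NULL) { isc_mem_free(server->mctx, server->dnsrpslib); server->dnsrpslib = NULL; }` mirrors the check load_configuration() itself makes before replacing the library. The enclosing shutdown function starts and ends outside this hunk.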
AC_ARG_ENABLE([dnsrps-dl],
[AS_HELP_STRING([--enable-dnsrps-dl],
[DNS Response Policy Service delayed link
- [default=$librpz_dl]])],
- [enable_librpz_dl="$enableval"], [enable_librpz_dl="$with_dlopen"])
+ [default=yes]])],
+ [enable_dnsprs_dl="$enableval"], [enable_dnsrps_dl="yes"])
-AS_IF([test "$enable_librpz_dl" = "yes" -a "$with_dlopen" = "no"],
+AS_IF([test "$enable_dnsprs_dl" = "yes" -a "$with_dlopen" = "no"],
[AC_MSG_ERROR([DNS Response Policy Service delayed link requires dlopen to be enabled])])
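Review bot: The shell variable names in the new `AC_ARG_ENABLE([dnsrps-dl], ...)` do not agree: the action-if-given branch sets `enable_dnsprs_dl` (letters transposed) while the default sets `enable_dnsrps_dl`, and the later `AS_IF([test "$enable_dnsrps_dl" = "yes"]` that selects `dnsrps_lib_open=2` reads the correctly spelled one. As written, passing `--enable-dnsrps-dl` explicitly leaves `enable_dnsrps_dl` empty so delayed linking is never selected, while the default path skips the dlopen sanity check because `AS_IF([test "$enable_dnsprs_dl" = "yes" -a "$with_dlopen" = "no"]` tests the misspelled name and so lets `dnsrps_lib_open=2` through with `--without-dlopen`. Both occurrences of `enable_dnsprs_dl` in this hunk should read `enable_dnsrps_dl`.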
# [pairwise: skip]
[librpz_path="$withval/$librpz_name"], [librpz_path="$librpz_name"])
AC_DEFINE_UNQUOTED([DNSRPS_LIBRPZ_PATH], ["$librpz_path"],
[dnsrps $librpz_name])
-AS_IF([test "$enable_librpz_dl" = "yes"],
+AS_IF([test "$enable_dnsrps_dl" = "yes"],
[
dnsrps_lib_open=2
],[
[enable_dnsrps=$enableval], [enable_dnsrps=no])
AS_IF([test "$enable_dnsrps" != "no"],[
- AS_IF([test "$dnsrps_avail" != "yes"],
- [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
AS_IF([test "$dnsrps_lib_open" = "0"],
[AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
(DNSRPS) interface, if it has been compiled in :iscman:`named` using
``configure --enable-dnsrps``.
+.. namedconf:statement:: dnsrps-library
+ :tags: server, security
+ :short: Turns on the DNS Response Policy Service (DNSRPS) interface.
+
+ This option specifies the path to the DNSRPS provider library. Typically
+ this library is detected when building with ``configure --enable-dnsrps``
+ and does not need to be specified in ``named.conf``; the option exists
+ to override the default library for testing purposes.
+
.. namedconf:statement:: dnsrps-options
:tags: server, security
:short: Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
The block provides additional RPZ configuration
settings, which are passed through to the DNSRPS provider library.
Multiple DNSRPS settings in an :any:`dnsrps-options` string should be
- separated with semi-colons (;). The DNSRPS provider, librpz, is passed a
+ separated with semi-colons (;). The DNSRPS provider library is passed a
configuration string consisting of the :any:`dnsrps-options` text,
concatenated with settings derived from the :any:`response-policy`
statement.
dns64-server <string>;
dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured
+ dnsrps-library <quoted_string>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
#include <dns/rdatasetiter.h>
#include <dns/rpz.h>
-librpz_t *librpz;
+librpz_t *librpz = NULL;
librpz_emsg_t librpz_lib_open_emsg;
-static void *librpz_handle;
+static void *librpz_handle = NULL;
#define RPSDB_MAGIC ISC_MAGIC('R', 'P', 'Z', 'F')
#define VALID_RPSDB(rpsdb) ((rpsdb)->common.impmagic == RPSDB_MAGIC)
* This is not thread safe, but it is called by a single thread.
*/
isc_result_t
-dns_dnsrps_server_create(void) {
+dns_dnsrps_server_create(const char *librpz_path) {
librpz_emsg_t emsg;
INSIST(clist == NULL);
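Review bot: `dns_dnsrps_server_create(const char *librpz_path)` now takes the path straight from configuration and, further down, passes it to `librpz_lib_open` without checking it; a `REQUIRE(librpz_path != NULL);` beside the existing `INSIST(clist == NULL);` would turn a missing path into a clear assertion rather than whatever the loader does with a null filename (if that call reaches dlopen(), a NULL name yields the main program's handle, which is not what this function intends). The comment above the function should also mention the new argument and that the function can now return ISC_R_FILENOTFOUND when the library cannot be opened. The function body continues outside this hunk.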
* Notice if librpz is available.
*/
librpz = librpz_lib_open(&librpz_lib_open_emsg, &librpz_handle,
- DNSRPS_LIBRPZ_PATH);
- /*
- * Stop now without complaining if librpz is not available.
- * Complain later if and when librpz is needed for a view with
- * "dnsrps-enable yes" (including the default view).
- */
+ librpz_path);
if (librpz == NULL) {
- return (ISC_R_SUCCESS);
+ return (ISC_R_FILENOTFOUND);
}
isc_mutex_init(&dnsrps_mutex);
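Review bot: The new `return (ISC_R_FILENOTFOUND);` on the `librpz == NULL` branch discards the reason for the failure: the loader's message is stored in `librpz_lib_open_emsg` but nothing here logs it, and the caller in server.c logs only `isc_result_totext(result)`, so an operator who set `dnsrps-library` to a wrong path or an incompatible build sees just "file not found". Consider writing `librpz_lib_open_emsg.c` at debug level before returning, using the same log category and module as the `dnsrps: dlclose(): %s` message in dns_dnsrps_server_destroy(); presumably the stored message is surfaced later when a view enables DNSRPS, so confirm this would not duplicate it. The function starts and ends outside this hunk.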
librpz->clist_detach(&clist);
}
-#ifdef LIBRPZ_USE_DLOPEN
+#if DNSRPS_LIB_OPEN == 2
if (librpz != NULL) {
INSIST(librpz_handle != NULL);
if (dlclose(librpz_handle) != 0) {
"dnsrps: dlclose(): %s", dlerror());
}
librpz_handle = NULL;
+ librpz = NULL;
}
-#endif /* ifdef LIBRPZ_USE_DLOPEN */
+#endif
}
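Review bot: `#if DNSRPS_LIB_OPEN == 2` silently evaluates to false when the macro is not defined in this translation unit (an undefined identifier in `#if` is 0), so a missing config.h include or a later configure change would compile out the dlclose() block and leak the handle with no diagnostic — the old `#ifdef LIBRPZ_USE_DLOPEN` had the same property, but a macro rename is exactly when this bites. A `#ifndef DNSRPS_LIB_OPEN` / `#error "DNSRPS_LIB_OPEN not defined"` near the top of the file, or building with `-Wundef`, would catch it. Presumably configure defines it from the `dnsrps_lib_open=2` assignment shown in configure.ac; that AC_DEFINE is not visible here. The function starts outside this hunk.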
/*
* Start dnsrps for the entire server.
*/
isc_result_t
-dns_dnsrps_server_create(void);
+dns_dnsrps_server_create(const char *librpz_path);
/*
* Stop dnsrps for the entire server.
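Review bot: The comment `Start dnsrps for the entire server.` above `dns_dnsrps_server_create(const char *librpz_path)` does not describe the new parameter or the new failure mode; the caller in server.c now special-cases ISC_R_FILENOTFOUND, which a reader of this header has no way to learn. Suggest extending it to say that `librpz_path` is the path of the DNSRPS provider library to open, that ISC_R_FILENOTFOUND is returned when that library cannot be opened, and that any other failure is an error the caller should treat as fatal.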
typedef librpz_0_t librpz_t;
extern librpz_t *librpz;
-#if LIBRPZ_LIB_OPEN == 2
+#if DNSRPS_LIB_OPEN == 2
#include <dlfcn.h>
/**
*dl_handle = NULL;
}
-#if LIBRPZ_LIB_OPEN == 1
+#if DNSRPS_LIB_OPEN == 1
emsg->c[0] = '\0';
return (&LIBRPZ_DEF);
-#else /* if LIBRPZ_LIB_OPEN == 1 */
+#else /* if DNSRPS_LIB_OPEN == 1 */
snprintf(emsg->c, sizeof(librpz_emsg_t),
"librpz not available via ./configure");
return (NULL);
-#endif /* LIBRPZ_LIB_OPEN */
+#endif /* DNSRPS_LIB_OPEN */
}
#endif /* LIBRPZ_LIB_OPEN */
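Review bot: The trailing `#endif /* LIBRPZ_LIB_OPEN */` on the last line of this hunk still names the old macro while every other occurrence in the file was renamed to DNSRPS_LIB_OPEN; it is only a comment, but it leaves a grep for the old name hitting a file that no longer uses it. Suggest `#endif /* DNSRPS_LIB_OPEN */` — unless that closing guard belongs to a separate conditional that starts outside this hunk, which cannot be confirmed from here.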
{ "datasize", &cfg_type_size, CFG_CLAUSEFLAG_ANCIENT },
{ "deallocate-on-exit", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+#ifdef USE_DNSRPS
+ { "dnsrps-library", &cfg_type_qstring, 0 },
+#else /* ifdef USE_DNSRPS */
+ { "dnsrps-library", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* ifdef USE_DNSRPS */
#ifdef HAVE_DNSTAP
{ "dnstap-output", &cfg_type_dnstapoutput, 0 },
{ "dnstap-identity", &cfg_type_serverid, 0 },