+2609. [func] Simplify the configuration of dynamic zones:
+ - add ddns-confgen command to generate
+ configuration text for named.conf
+ - add zone option "ddns-autoconf yes;", which
+ causes named to generate a TSIG session key
+ and allow updates to the zone using that key
+ - add '-l' (localhost) option to nsupdate, which
+ causes nsupdate to connect to a locally-running
+ named process using the session key generated
+ by named
+ [RT #19284]
+
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.27 2009/03/02 23:47:43 tbox Exp $
+# $Id: Makefile.in,v 1.28 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig dnssec tests tools nsupdate check
+SUBDIRS = named rndc dig dnssec tests tools nsupdate check confgen
TARGETS =
@BIND9_MAKE_RULES@
--- /dev/null
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/06/10 00:27:21 each Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS= rndc-confgen.c ddns-confgen.c
+
+SUBDIRS = unix
+
+TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
+
+MANPAGES = rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES = rndc-confgen.html ddns-confgen.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+UOBJS = unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
+ -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ keygen.@O@ \
+ ${UOBJS} ${CONFLIBS}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ddns-confgen.@O@ util.@O@ keygen.@O@ \
+ ${UOBJS} ${CONFLIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
--- /dev/null
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: ddns-confgen.8,v 1.2 2009/06/10 00:27:21 each Exp $
+.\"
+.hy 0
+.ad l
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "DDNS-CONFGEN" 8 "Jan 29, 2009" "" ""
+.SH NAME
+ddns-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBddns\-confgen\fR [\fB\-a\ \fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fIkeyname\fR\fR] [\fB\-r\ \fIrandomfile\fR\fR] [\fB\-s\fR] [\fB\-q\fR] [name]
+.SH "DESCRIPTION"
+.PP
+\fBddns\-confgen\fR generates a key for use by \fBnsupdate\fR and \fBnamed\fR\&. It simplifies configuration of dynamic zones by generating a key and providing the \fBnsupdate\fR and \fBnamed\&.conf\fR syntax that will be needed to use it, including an example \fBupdate\-policy\fR statement\&.
+.PP
+If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample \fBnamed\&.conf\fR syntax\&. For example, \fBddns\-confgen example\&.com\fR would generate a key called "ddns\-key\&.example\&.com", and sample \fBnamed\&.conf\fR command that could be used in the zone definition for "example\&.com"\&.
+.PP
+Note that \fBnamed\fR itself can configure a local DDNS key for use with \fBnsupdate \-l\fR\&. \fBddns\-confgen\fR is only needed when a more elaborate configuration is required: for instance, if \fBnsupdate\fR is to be used from a remote system\&.
+.SH "OPTIONS"
+.TP
+\-a \fIalgorithm\fR
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
+.TP
+\-h
+Prints a short summary of the options and arguments to \fBddns\-confgen\fR\&.
+.TP
+\-k \fIkeyname\fR
+Specifies the key name of the DDNS authentication key\&. The default is \fBddns\-key\fR\&. The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
+.TP
+\-q
+Quiet mode: Print only the key, with no explanatory text or usage examples\&.
+.TP
+\-r \fIrandomfile\fR
+Specifies a source of random data for generating the authorization\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
+.TP
+\-s
+Self mode: The example \fBnamed\&.conf\fR text shows how to set an update policy using the "self" nametype, using a single key per each domain name for updates, instead of the "subdomain" nametype which allows matching on any name within a specified domain\&.
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1), \fBnamed\&.conf\fR(5), \fBnamed\fR(8), BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ddns-confgen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYNAME "ddns-key"
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-z zone]\n\
+ -a alg: algorithm (default hmac-sha256)\n\
+ -k keyname: name of the key as it will be used in named.conf\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -z zone: name of the zone as it will be used named.conf\n\
+ -q: quiet mode: print the key, with no explanatory text\n",
+ progname);
+
+ exit (status);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_boolean_t self = ISC_FALSE;
+ isc_buffer_t key_txtbuffer;
+ char key_txtsecret[256];
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *randomfile = NULL;
+ const char *keyname = NULL;
+ const char *zone = NULL;
+ char *keybuf = NULL;
+ dns_secalg_t alg = DST_ALG_HMACSHA256;
+ const char *algname = alg_totext(alg);
+ int keysize = 256;
+ int len = 0;
+ int ch;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "ddns-confgen", 13);
+ progname = program;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:hk:Mmr:qsVy:")) != -1) {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ alg = alg_fromtext(algname);
+ if (alg == DST_ALG_UNKNOWN)
+ fatal("Unsupported algorithm '%s'", algname);
+ keysize = alg_bits(alg);
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ self = ISC_TRUE;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc == 1)
+ zone = argv[0];
+
+ if (argc > 1)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+ if (self) {
+ if (zone == NULL)
+ usage(1);
+ keyname = zone;
+ } else {
+ if (keyname == NULL)
+ keyname = DEFAULT_KEYNAME;
+
+ if (zone != NULL) {
+ len = strlen(keyname) + strlen(zone) + 2;
+ keybuf = isc_mem_get(mctx, len);
+ snprintf(keybuf, len, "%s.%s", keyname, zone);
+ keyname = (const char *) keybuf;
+ }
+ }
+
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+ if (!quiet)
+ printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+ printf("\
+key \"%s\" {\n\
+ algorithm %s;\n\
+ secret \"%.*s\";\n\
+};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer));
+
+ if (!quiet) {
+ if (zone == NULL) {
+ printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key. For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ keyname);
+ } else if (self) {
+ printf("\n\
+# Finally, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s self . ANY;\n\
+};\n",
+ zone, keyname);
+ } else {
+ printf("\n\
+# Finally, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s subdomain %s%s ANY;\n\
+};\n",
+ zone, keyname, zone,
+ zone[strlen(zone) - 1] == '.' ? "" : ".");
+ }
+
+ printf("\n\
+# After the keyfile has been created, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+ }
+
+ if (zone != NULL && keybuf != NULL)
+ isc_mem_put(mctx, keybuf, len);
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: ddns-confgen.docbook,v 1.2 2009/06/10 00:27:21 each Exp $ -->
+<refentry id="man.ddns-confgen">
+ <refentryinfo>
+ <date>Jan 29, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>ddns-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>ddns-confgen</application></refname>
+ <refpurpose>ddns key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2004</year>
+ <year>2005</year>
+ <year>2007</year>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ <copyright>
+ <year>2001</year>
+ <year>2003</year>
+ <holder>Internet Software Consortium.</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>ddns-confgen</command>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <arg><option>-s</option></arg>
+ <arg><option>-q</option></arg>
+ <arg choice="opt">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>ddns-confgen</command>
+ generates a key for use by <command>nsupdate</command>
+ and <command>named</command>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <command>nsupdate</command> and <command>named.conf</command>
+ syntax that will be needed to use it, including an example
+ <command>update-policy</command> statement.
+ </para>
+
+ <para>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <command>named.conf</command> syntax. For example,
+ <command>ddns-confgen example.com</command> would
+ generate a key called "ddns-key.example.com", and sample
+ <command>named.conf</command> command that could be used
+ in the zone definition for "example.com".
+ </para>
+
+ <para>
+ Note that <command>named</command> itself can configure a
+ local DDNS key for use with <command>nsupdate -l</command>.
+ <command>ddns-confgen</command> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <command>nsupdate</command> is to be used from a remote system.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>ddns-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the DDNS authentication key.
+ The default is <constant>ddns-key</constant>.
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <filename>/dev/random</filename> or equivalent device, the
+ default source of randomness is keyboard input.
+ <filename>randomdev</filename> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem>
+ <para>
+ Self mode: The example <command>named.conf</command> text
+ shows how to set an update policy using the "self" nametype,
+ using a single key per each domain name for updates, instead of
+ the "subdomain" nametype which allows matching on any name
+ within a specified domain.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: ddns-confgen.html,v 1.2 2009/06/10 00:27:21 each Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> — ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s</code>] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id215081"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+ generates a key for use by <span><strong class="command">nsupdate</strong></span>
+ and <span><strong class="command">named</strong></span>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+ syntax that will be needed to use it, including an example
+ <span><strong class="command">update-policy</strong></span> statement.
+ </p>
+<p>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <span><strong class="command">named.conf</strong></span> syntax. For example,
+ <span><strong class="command">ddns-confgen example.com</strong></span> would
+ generate a key called "ddns-key.example.com", and sample
+ <span><strong class="command">named.conf</strong></span> command that could be used
+ in the zone definition for "example.com".
+ </p>
+<p>
+ Note that <span><strong class="command">named</strong></span> itself can configure a
+ local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+ <span><strong class="command">ddns-confgen</strong></span> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id215144"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">ddns-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the DDNS authentication key.
+ The default is <code class="constant">ddns-key</code>.
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <code class="filename">/dev/random</code> or equivalent device, the
+ default source of randomness is keyboard input.
+ <code class="filename">randomdev</code> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used.
+ </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd><p>
+ Self mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy using the "self" nametype,
+ using a single key per each domain name for updates, instead of
+ the "subdomain" nametype which allows matching on any name
+ within a specified domain.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id215274"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id215312"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+/*
+ * Copyright (C) 2004-2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return "hmac-md5";
+ case DST_ALG_HMACSHA1:
+ return "hmac-sha1";
+ case DST_ALG_HMACSHA224:
+ return "hmac-sha224";
+ case DST_ALG_HMACSHA256:
+ return "hmac-sha256";
+ case DST_ALG_HMACSHA384:
+ return "hmac-sha384";
+ case DST_ALG_HMACSHA512:
+ return "hmac-sha512";
+ default:
+ return "(unknown)";
+ }
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+ if (strcmp(name, "hmac-md5") == 0)
+ return DST_ALG_HMACMD5;
+ if (strcmp(name, "hmac-sha1") == 0)
+ return DST_ALG_HMACSHA1;
+ if (strcmp(name, "hmac-sha224") == 0)
+ return DST_ALG_HMACSHA224;
+ if (strcmp(name, "hmac-sha256") == 0)
+ return DST_ALG_HMACSHA256;
+ if (strcmp(name, "hmac-sha384") == 0)
+ return DST_ALG_HMACSHA384;
+ if (strcmp(name, "hmac-sha512") == 0)
+ return DST_ALG_HMACSHA512;
+ return DST_ALG_UNKNOWN;
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return 128;
+ case DST_ALG_HMACSHA1:
+ return 160;
+ case DST_ALG_HMACSHA224:
+ return 224;
+ case DST_ALG_HMACSHA256:
+ return 256;
+ case DST_ALG_HMACSHA384:
+ return 384;
+ case DST_ALG_HMACSHA512:
+ return 512;
+ default:
+ return 0;
+ }
+}
+
+/*%
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_entropysource_t *entropy_source = NULL;
+ int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+ int entropy_flags = 0;
+ isc_entropy_t *ectx = NULL;
+ isc_buffer_t key_rawbuffer;
+ isc_region_t key_rawregion;
+ char key_rawsecret[64];
+ dst_key_t *key = NULL;
+
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ if (keysize < 1 || keysize > 512)
+ fatal("keysize %d out of range (must be 1-512)\n",
+ keysize);
+ break;
+ case DST_ALG_HMACSHA256:
+ if (keysize < 1 || keysize > 256)
+ fatal("keysize %d out of range (must be 1-256)\n",
+ keysize);
+ break;
+ default:
+ fatal("unsupported algorithm %d\n", alg);
+ }
+
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+ open_keyboard));
+
+ entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+ DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+ DO("generate key", dst_key_generate(dns_rootname, alg,
+ keysize, 0, 0,
+ DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key));
+
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+ DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+ DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+ key_txtbuffer));
+
+ /*
+ * Shut down the entropy source now so the "stop typing" message
+ * does not muck with the output.
+ */
+ if (entropy_source != NULL)
+ isc_entropy_destroysource(&entropy_source);
+
+ if (key != NULL)
+ dst_key_free(&key);
+
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'. If 'user' is non-NULL,
+ * make that user the owner of the file. The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg) {
+ isc_result_t result;
+ const char *algname = alg_totext(alg);
+ FILE *fd;
+
+ DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+ if (user != NULL) {
+ if (set_user(fd, user) == -1)
+ fatal("unable to set file owner\n");
+ }
+
+ fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(secret),
+ (char *)isc_buffer_base(secret));
+ fflush(fd);
+ if (ferror(fd))
+ fatal("write to %s failed\n", keyfile);
+ if (fclose(fd))
+ fatal("fclose(%s) failed\n", keyfile);
+ fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.2 2009/06/10 00:27:21 each Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
--- /dev/null
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: rndc-confgen.8,v 1.2 2009/06/10 00:27:21 each Exp $
+.\"
+.hy 0
+.ad l
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "RNDC-CONFGEN" 8 "Aug 27, 2001" "" ""
+.SH NAME
+rndc-confgen \- rndc key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fIkeysize\fR\fR] [\fB\-c\ \fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fIkeyname\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-r\ \fIrandomfile\fR\fR] [\fB\-s\ \fIaddress\fR\fR] [\fB\-t\ \fIchrootdir\fR\fR] [\fB\-u\ \fIuser\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBrndc\-confgen\fR generates configuration files for \fBrndc\fR\&. It can be used as a convenient alternative to writing the \fIrndc\&.conf\fR file and the corresponding \fBcontrols\fR and \fBkey\fR statements in \fInamed\&.conf\fR by hand\&. Alternatively, it can be run with the \fB\-a\fR option to set up a \fIrndc\&.key\fR file and avoid the need for a \fIrndc\&.conf\fR file and a \fBcontrols\fR statement altogether\&.
+.SH "OPTIONS"
+.TP
+\-a
+Do automatic \fBrndc\fR configuration\&. This creates a file \fIrndc\&.key\fR in \fI/etc\fR (or whatever \fIsysconfdir\fR was specified as when BIND was built) that is read by both \fBrndc\fR and \fBnamed\fR on startup\&. The \fIrndc\&.key\fR file defines a default command channel and authentication key allowing \fBrndc\fR to communicate with \fBnamed\fR on the local host with no further configuration\&.
+Running \fBrndc\-confgen \-a\fR allows BIND 9 and \fBrndc\fR to be used as drop\-in replacements for BIND 8 and \fBndc\fR, with no changes to the existing BIND 8 \fInamed\&.conf\fR file\&.
+If a more elaborate configuration than that generated by \fBrndc\-confgen \-a\fR is required, for example if rndc is to be used remotely, you should run \fBrndc\-confgen\fR without the \fB\-a\fR option and set up a \fIrndc\&.conf\fR and \fInamed\&.conf\fR as directed\&.
+.TP
+\-b \fIkeysize\fR
+Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is 128\&.
+.TP
+\-c \fIkeyfile\fR
+Used with the \fB\-a\fR option to specify an alternate location for \fIrndc\&.key\fR\&.
+.TP
+\-h
+Prints a short summary of the options and arguments to \fBrndc\-confgen\fR\&.
+.TP
+\-k \fIkeyname\fR
+Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is \fBrndc\-key\fR\&.
+.TP
+\-p \fIport\fR
+Specifies the command channel port where \fBnamed\fR listens for connections from \fBrndc\fR\&. The default is 953\&.
+.TP
+\-r \fIrandomfile\fR
+Specifies a source of random data for generating the authorization\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
+.TP
+\-s \fIaddress\fR
+Specifies the IP address where \fBnamed\fR listens for command channel connections from \fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
+.TP
+\-t \fIchrootdir\fR
+Used with the \fB\-a\fR option to specify a directory where \fBnamed\fR will run chrooted\&. An additional copy of the \fIrndc\&.key\fR will be written relative to this directory so that it will be found by the chrooted \fBnamed\fR\&.
+.TP
+\-u \fIuser\fR
+Used with the \fB\-a\fR option to set the owner of the \fIrndc\&.key\fR file generated\&. If \fB\-t\fR is also specified only the file in the chroot area has its owner changed\&.
+.SH "EXAMPLES"
+.PP
+To allow \fBrndc\fR to be used with no manual configuration, run
+.PP
+\fBrndc\-confgen \-a\fR
+.PP
+To print a sample \fIrndc\&.conf\fR file and corresponding \fBcontrols\fR and \fBkey\fR statements to be manually inserted into \fInamed\&.conf\fR, run
+.PP
+\fBrndc\-confgen\fR
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8), \fBrndc\&.conf\fR(5), \fBnamed\fR(8), BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc-confgen.c,v 1.26 2008/10/15 23:47:31 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <dns/name.h>
#include <dst/dst.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include "util.h"
+#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -b bits: from 1 through 512, default %d; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: a file containing random data\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef, DEFAULT_KEYLENGTH);
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
-/*%
- * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
- * make that user the owner of the file. The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-static void
-write_key_file(const char *keyfile, const char *user,
- const char *keyname, isc_buffer_t *secret )
-{
- FILE *fd;
-
- fd = safe_create(keyfile);
- if (fd == NULL)
- fatal( "unable to create \"%s\"\n", keyfile);
- if (user != NULL) {
- if (set_user(fd, user) == -1)
- fatal("unable to set file owner\n");
- }
- fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
- "\tsecret \"%.*s\";\n};\n", keyname,
- (int)isc_buffer_usedlength(secret),
- (char *)isc_buffer_base(secret));
- fflush(fd);
- if (ferror(fd))
- fatal("write to %s failed\n", keyfile);
- if (fclose(fd))
- fatal("fclose(%s) failed\n", keyfile);
- fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
- isc_buffer_t key_rawbuffer;
isc_buffer_t key_txtbuffer;
- isc_region_t key_rawregion;
+ char key_txtsecret[256];
isc_mem_t *mctx = NULL;
- isc_entropy_t *ectx = NULL;
- isc_entropysource_t *entropy_source = NULL;
isc_result_t result = ISC_R_SUCCESS;
- dst_key_t *key = NULL;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
- char key_rawsecret[64];
- char key_txtsecret[256];
+ dns_secalg_t alg = DST_ALG_HMACMD5;
+ const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
- int entropy_flags = 0;
- int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
-
- DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
- DO("start entropy source", isc_entropy_usebestsource(ectx,
- &entropy_source,
- randomfile,
- open_keyboard));
-
- entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
- DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
- DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
- keysize, 0, 0,
- DNS_KEYPROTO_ANY,
- dns_rdataclass_in, mctx, &key));
-
- isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
- DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
- isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
- DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
- &key_txtbuffer));
-
- /*
- * Shut down the entropy source now so the "stop typing" message
- * does not muck with the output.
- */
- if (entropy_source != NULL)
- isc_entropy_destroysource(&entropy_source);
-
- if (key != NULL)
- dst_key_free(&key);
- isc_entropy_detach(&ectx);
- dst_lib_destroy();
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
- keyname, &key_txtbuffer);
+ keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
- write_key_file(buf, user, keyname, &key_txtbuffer);
+ write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
- algorithm hmac-md5;\n\
+ algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
-# algorithm hmac-md5;\n\
+# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.13 2007/06/18 23:47:25 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.2 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543429"></a><h2>DESCRIPTION</h2>
+<a name="id215112"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543474"></a><h2>OPTIONS</h2>
+<a name="id215153"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was
+ was specified as when <span class="acronym">BIND</span> was
built)
that is read by both <span><strong class="command">rndc</strong></span>
and <span><strong class="command">named</strong></span> on startup. The
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543787"></a><h2>EXAMPLES</h2>
+<a name="id215471"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543829"></a><h2>SEE ALSO</h2>
+<a name="id215511"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543867"></a><h2>AUTHOR</h2>
+<a name="id215549"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.5 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.2 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: os.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <config.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}
-
-FILE *
-safe_create(const char *filename) {
- int fd;
- FILE *f;
- struct stat sb;
- int flags = O_WRONLY;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (NULL);
- flags = O_WRONLY | O_CREAT | O_EXCL;
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = EOPNOTSUPP;
- return (NULL);
- } else
- flags = O_WRONLY | O_TRUNC;
-
- fd = open(filename, flags, S_IRUSR | S_IWUSR);
- if (fd == -1)
- return (NULL);
- f = fdopen(fd, "w");
- if (f == NULL)
- close(fd);
- return (f);
-}
--- /dev/null
+/*
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
--- /dev/null
+/*
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.2 2009/06/10 00:27:21 each Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: os.c,v 1.2 2009/06/10 00:27:21 each Exp $ */
#include <config.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
set_user(FILE *fd, const char *user) {
return (0);
}
-
-/*
- * Note that the error code EOPNOTSUPP does not exist
- * on win32 so we are forced to fall back to using
- * ENOENT for now. WSAEOPNOTSUPP does exist but it
- * should only be used for sockets.
- */
-
-FILE *
-safe_create(const char *filename) {
- int fd;
- FILE *f;
- struct stat sb;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (NULL);
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = ENOENT;
- return (NULL);
- }
-
- fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
- if (fd == -1)
- return (NULL);
- f = fdopen(fd, "w");
- if (f == NULL)
- close(fd);
- return (f);
-}
-/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bind.keys.h,v 1.5 2009/05/29 23:47:48 tbox Exp $ */
-
#define TRUSTED_KEYS "\
trusted-keys {\n\
- # NOTE: This key expires September 2009 \n\
- # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+ # NOTE: This key expires September 2009 \n\
+ # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
};\n\
"
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.96 2009/03/16 23:41:21 each Exp $ */
+/* $Id: config.c,v 1.97 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <dns/tsig.h>
#include <dns/zone.h>
+#include <dst/dst.h>
+
#include <named/config.h>
#include <named/globals.h>
files unlimited;\n\
stacksize default;\n"
#endif
-" deallocate-on-exit true;\n\
+"# ddns-keyfile \"" NS_LOCALSTATEDIR "/run/named/ddns.key\";\n\
+ ddns-keyname local-ddns;\n\
+ ddns-keyalg hmac-sha256;\n\
+ deallocate-on-exit true;\n\
# directory <none>\n\
dump-file \"named_dump.db\";\n\
fake-iquery no;\n\
notify-delay 5;\n\
notify-to-soa no;\n\
dialup no;\n\
+ ddns-autoconf no;\n\
# forward <none>\n\
# forwarders <none>\n\
maintain-ixfr-base no;\n\
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
+ unsigned int type;
isc_uint16_t size;
} algorithms[] = {
- { "hmac-md5", hmacmd5, 128 },
- { "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
- { "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
- { "hmac-sha1", hmacsha1, 160 },
- { "hmac-sha224", hmacsha224, 224 },
- { "hmac-sha256", hmacsha256, 256 },
- { "hmac-sha384", hmacsha384, 384 },
- { "hmac-sha512", hmacsha512, 512 },
- { NULL, hmacnone, 0 }
+ { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
+ { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
+ { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+ { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
+ { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
+ { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
+ { "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
+ { "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
+ { NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
+{
+ return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
+}
+
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ unsigned int *typep, isc_uint16_t *digestbits)
{
int i;
size_t len = 0;
INSIST(0);
}
}
+ if (typep != NULL)
+ *typep = algorithms[i].type;
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: config.h,v 1.15 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits);
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ unsigned int *typep, isc_uint16_t *digestbits);
#endif /* NAMED_CONFIG_H */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.82 2009/03/05 23:47:35 tbox Exp $ */
+/* $Id: globals.h,v 1.83 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
#include <dns/zone.h>
+#include <dst/dst.h>
+
#include <named/types.h>
#undef EXTERN
EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key");
+
+EXTERN dns_tsigkey_t * ns_g_ddnskey INIT(NULL);
+EXTERN dns_name_t ns_g_ddnskeyname;
+
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
"/lwresd.conf");
EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
+EXTERN const char * ns_g_defaultddnskeyfile INIT(NS_LOCALSTATEDIR
+ "/run/named/"
+ "ddns.key");
+
#if NS_RUN_PID_DIR
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named/"
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.97 2009/03/04 02:42:30 each Exp $ */
+/* $Id: server.h,v 1.98 2009/06/10 00:27:21 each Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
dns_acache_t *acache;
ns_statschannellist_t statschannels;
+
+ dns_tsigkey_t *ddnskey;
+ char *ddns_keyfile;
+ dns_name_t *ddns_keyname;
+ unsigned int ddns_keyalg;
+ isc_uint16_t ddns_keybits;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: tsigconf.h,v 1.17 2009/06/10 00:27:21 each Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
*
* Requires:
* \li 'config' is not NULL.
+ * \li 'vconfig' is not NULL.
* \li 'mctx' is not NULL
- * \li 'ring' is not NULL, and '*ring' is NULL
+ * \li 'ringp' is not NULL, and '*ringp' is NULL
*
* Returns:
* \li ISC_R_SUCCESS
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.532 2009/05/29 23:47:48 tbox Exp $ */
+/* $Id: server.c,v 1.533 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <dns/forward.h>
#include <dns/journal.h>
#include <dns/keytable.h>
+#include <dns/keyvalues.h>
#include <dns/lib.h>
#include <dns/master.h>
#include <dns/masterdump.h>
* a cache. Only effective when a finite max-cache-size is specified.
* This is currently defined to be 8MB.
*/
-#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
+#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
struct ns_dispatch {
isc_sockaddr_t addr;
isc_uint32_t max_cache_size;
isc_uint32_t max_acache_size;
isc_uint32_t lame_ttl;
- dns_tsig_keyring_t *ring;
+ dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx;
dns_dispatch_t *dispatch4 = NULL;
/*
* Configure the view's TSIG keys.
*/
- ring = NULL;
CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
+ if (ns_g_server->ddnskey != NULL) {
+ CHECK(dns_tsigkeyring_add(ring, ns_g_server->ddns_keyname,
+ ns_g_server->ddnskey));
+ }
dns_view_setkeyring(view, ring);
+ ring = NULL; /* ownership transferred */
/*
* Configure the view's peer list.
result = ISC_R_SUCCESS;
cleanup:
+ if (ring != NULL)
+ dns_tsigkeyring_destroy(&ring);
if (zone != NULL)
dns_zone_detach(&zone);
if (dispatch4 != NULL)
return (ISC_R_SUCCESS);
}
+static void
+cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
+ if (server->ddns_keyfile != NULL) {
+ isc_file_remove(server->ddns_keyfile);
+ isc_mem_free(mctx, server->ddns_keyfile);
+ server->ddns_keyfile = NULL;
+ }
+
+ if (server->ddns_keyname != NULL) {
+ if (dns_name_dynamic(server->ddns_keyname))
+ dns_name_free(server->ddns_keyname, mctx);
+ isc_mem_put(mctx, server->ddns_keyname, sizeof(dns_name_t));
+ server->ddns_keyname = NULL;
+ }
+
+ if (server->ddnskey != NULL)
+ dns_tsigkey_detach(&server->ddnskey);
+
+ server->ddns_keyalg = DST_ALG_UNKNOWN;
+ server->ddns_keybits = 0;
+}
+
+static isc_result_t
+generate_session_key(const char *filename, const char *keynamestr,
+ dns_name_t *keyname, const char *algstr,
+ dns_name_t *algname, unsigned int algtype,
+ isc_uint16_t bits, isc_mem_t *mctx,
+ dns_tsigkey_t **tsigkeyp)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dst_key_t *key = NULL;
+ isc_buffer_t key_txtbuffer;
+ isc_buffer_t key_rawbuffer;
+ char key_txtsecret[256];
+ char key_rawsecret[64];
+ isc_region_t key_rawregion;
+ isc_stdtime_t now;
+ dns_tsigkey_t *tsigkey = NULL;
+ FILE *fp = NULL;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "generating session key for dynamic DNS");
+
+ /* generate key */
+ result = dst_key_generate(keyname, algtype, bits, 1, 0,
+ DNS_KEYPROTO_ANY, dns_rdataclass_in,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Dump the key to the buffer for later use. Should be done before
+ * we transfer the ownership of key to tsigkey.
+ */
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+ CHECK(dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+ CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
+
+ /* Store the key in tsigkey. */
+ isc_stdtime_get(&now);
+ CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
+ ISC_FALSE, NULL, now, now, mctx, NULL,
+ &tsigkey));
+ key = NULL; /* ownership of key has been transferred */
+
+ /* Dump the key to the key file. */
+ CHECK(isc_file_safecreate(filename, &fp));
+
+ fprintf(fp, "key \"%s\" {\n"
+ "\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
+ (int) isc_buffer_usedlength(&key_txtbuffer),
+ (char*) isc_buffer_base(&key_txtbuffer));
+
+ RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
+
+ *tsigkeyp = tsigkey;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "failed to generate session key "
+ "for dynamic DNS: %s", isc_result_totext(result));
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+ if (key != NULL)
+ dst_key_free(&key);
+
+ return (result);
+}
+
+static isc_result_t
+configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
+ isc_mem_t *mctx)
+{
+ const char *keyfile, *keynamestr, *algstr;
+ unsigned int algtype;
+ dns_fixedname_t fname;
+ dns_name_t *keyname, *algname;
+ isc_buffer_t buffer;
+ isc_uint16_t bits;
+ const cfg_obj_t *obj;
+ isc_boolean_t need_deleteold = ISC_FALSE;
+ isc_boolean_t need_createnew = ISC_FALSE;
+ isc_result_t result;
+
+ obj = NULL;
+ result = ns_config_get(maps, "ddns-keyfile", &obj);
+ if (result == ISC_R_SUCCESS) {
+ if (cfg_obj_isvoid(obj))
+ keyfile = NULL; /* disable it */
+ else
+ keyfile = cfg_obj_asstring(obj);
+ } else
+ keyfile = ns_g_defaultddnskeyfile;
+
+ obj = NULL;
+ result = ns_config_get(maps, "ddns-keyname", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ keynamestr = cfg_obj_asstring(obj);
+ dns_fixedname_init(&fname);
+ isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+ isc_buffer_add(&buffer, strlen(keynamestr));
+ keyname = dns_fixedname_name(&fname);
+ result = dns_name_fromtext(keyname, &buffer, dns_rootname, ISC_FALSE,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = NULL;
+ result = ns_config_get(maps, "ddns-keyalg", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ algstr = cfg_obj_asstring(obj);
+ algname = NULL;
+ result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
+ if (result != ISC_R_SUCCESS) {
+ const char *s = " (keeping current key)";
+
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "ddns-keyalg: "
+ "unsupported or unknown algorithm '%s'%s",
+ algstr,
+ server->ddns_keyfile != NULL ? s : "");
+ return (result);
+ }
+
+ /* See if we need to (re)generate a new key. */
+ if (keyfile == NULL) {
+ if (server->ddns_keyfile != NULL)
+ need_deleteold = ISC_TRUE;
+ } else if (server->ddns_keyfile == NULL)
+ need_createnew = ISC_TRUE;
+ else if (strcmp(keyfile, server->ddns_keyfile) != 0 ||
+ !dns_name_equal(server->ddns_keyname, keyname) ||
+ server->ddns_keyalg != algtype ||
+ server->ddns_keybits != bits) {
+ need_deleteold = ISC_TRUE;
+ need_createnew = ISC_TRUE;
+ }
+
+ if (need_deleteold) {
+ INSIST(server->ddns_keyfile != NULL);
+ INSIST(server->ddns_keyname != NULL);
+ INSIST(server->ddnskey != NULL);
+
+ cleanup_session_key(server, mctx);
+ }
+
+ if (need_createnew) {
+ INSIST(server->ddnskey == NULL);
+ INSIST(server->ddns_keyfile == NULL);
+ INSIST(server->ddns_keyname == NULL);
+ INSIST(server->ddns_keyalg == DST_ALG_UNKNOWN);
+ INSIST(server->ddns_keybits == 0);
+
+ server->ddns_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (server->ddns_keyname == NULL)
+ goto cleanup;
+ dns_name_init(server->ddns_keyname, NULL);
+ CHECK(dns_name_dup(keyname, mctx, server->ddns_keyname));
+
+ server->ddns_keyfile = isc_mem_strdup(mctx, keyfile);
+ if (server->ddns_keyfile == NULL)
+ goto cleanup;
+
+ server->ddns_keyalg = algtype;
+ server->ddns_keybits = bits;
+
+ CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+ algname, algtype, bits, mctx,
+ &server->ddnskey));
+ }
+
+ return (result);
+
+ cleanup:
+ cleanup_session_key(server, mctx);
+ return (result);
+}
+
static isc_result_t
load_configuration(const char *filename, ns_server_t *server,
isc_boolean_t first_time)
CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
&interval, ISC_FALSE));
+ /*
+ * Configure the server-wide session key. This must be done before
+ * configure views because zone configuration may require ddns-keyname.
+ * Failure of session key generation isn't fatal at this time; if it
+ * turns out that a session key is really needed but doesn't exist,
+ * we'll treat it as a fatal error then.
+ */
+ (void)configure_session_key(maps, server, ns_g_mctx);
+
/*
* Configure and freeze all explicit views. Explicit
* views that have zones were already created at parsing
ns_statschannels_shutdown(server);
ns_controls_shutdown(server->controls);
end_reserved_dispatches(server, ISC_TRUE);
+ cleanup_session_key(server, server->mctx);
cfg_obj_destroy(ns_g_parser, &ns_g_config);
cfg_parser_destroy(&ns_g_parser);
dns_zonemgr_shutdown(server->zonemgr);
+ if (ns_g_ddnskey != NULL) {
+ dns_tsigkey_detach(&ns_g_ddnskey);
+ dns_name_free(&ns_g_ddnskeyname, server->mctx);
+ }
+
if (server->blackholeacl != NULL)
dns_acl_detach(&server->blackholeacl);
ISC_LIST_INIT(server->cachelist);
+ server->ddnskey = NULL;
+ server->ddns_keyfile = NULL;
+ server->ddns_keyname = NULL;
+ server->ddns_keyalg = DST_ALG_UNKNOWN;
+ server->ddns_keybits = 0;
+
server->magic = NS_SERVER_MAGIC;
*serverp = server;
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: tsigconf.c,v 1.31 2009/06/10 00:27:21 each Exp $ */
/*! \file */
isc_result_t result;
int i;
+ REQUIRE(ringp != NULL && *ringp == NULL);
+
i = 0;
if (config != NULL)
maps[i++] = config;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.31 2008/11/17 05:41:10 marka Exp $ */
+/* $Id: os.c,v 1.32 2009/06/10 00:27:21 each Exp $ */
#include <config.h>
#include <stdarg.h>
ns_g_defaultpidfile = isc_ntpaths_get(NAMED_PID_PATH);
lwresd_g_defaultpidfile = isc_ntpaths_get(LWRESD_PID_PATH);
ns_g_keyfile = isc_ntpaths_get(RNDC_KEY_PATH);
+ ns_g_defaultddnskeyfile = isc_ntpaths_get(NAMED_DDNSKEY_PATH);
Initialized = TRUE;
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.149 2009/01/27 23:47:54 tbox Exp $ */
+/* $Id: zoneconf.c,v 1.150 2009/06/10 00:27:21 each Exp $ */
/*% */
allow_update_forwarding
} acl_type_t;
-/*%
- * These are BIND9 server defaults, not necessarily identical to the
- * library defaults defined in zone.c.
- */
#define RETERR(x) do { \
isc_result_t _r = (x); \
if (_r != ISC_R_SUCCESS) \
return (_r); \
} while (0)
+#define CHECK(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
/*%
* Convenience function for configuring a single zone ACL.
*/
* Parse the zone update-policy statement.
*/
static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ const char *zname, isc_boolean_t autoddns)
+{
const cfg_obj_t *updatepolicy = NULL;
const cfg_listelt_t *element, *element2;
dns_ssutable_t *table = NULL;
isc_result_t result;
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
- if (updatepolicy == NULL) {
+
+ if (updatepolicy == NULL && !autoddns) {
dns_zone_setssutable(zone, NULL);
return (ISC_R_SUCCESS);
}
const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
const char *str;
isc_boolean_t grant = ISC_FALSE;
+ isc_boolean_t usezone = ISC_FALSE;
unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
dns_fixedname_t fname, fident;
isc_buffer_t b;
mtype = DNS_SSUMATCHTYPE_TCPSELF;
else if (strcasecmp(str, "6to4-self") == 0)
mtype = DNS_SSUMATCHTYPE_6TO4SELF;
- else
+ else if (strcasecmp(str, "zonesub") == 0) {
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+ usezone = ISC_TRUE;
+ } else
INSIST(0);
dns_fixedname_init(&fident);
}
dns_fixedname_init(&fname);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
+ if (usezone) {
+ result = dns_name_copy(dns_zone_getorigin(zone),
+ dns_fixedname_name(&fname),
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "error copying origin: %s",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ } else {
+ str = cfg_obj_asstring(dname);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(dns_fixedname_name(&fname),
+ &b, dns_rootname,
+ ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ goto cleanup;
+ }
}
n = ns_config_listcount(typelist);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
+ }
+ /*
+ * If this is a "ddns-autoconf" zone and a DDNS session key exists,
+ * then use the default policy, equivalent to:
+ * update-policy { grant <ddns-keyname> zonesub any; };
+ */
+ if (autoddns) {
+ dns_rdatatype_t any = dns_rdatatype_any;
+
+ if (ns_g_server->ddns_keyname == NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "failed to enable auto DDNS policy "
+ "for zone %s: session key not found",
+ zname);
+ result = ISC_R_NOTFOUND;
+ goto cleanup;
+ }
+
+ result = dns_ssutable_addrule(table, ISC_TRUE,
+ ns_g_server->ddns_keyname,
+ DNS_SSUMATCHTYPE_SUBDOMAIN,
+ dns_zone_getorigin(zone),
+ 1, &any);
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
}
result = ISC_R_SUCCESS;
isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff;
+ isc_boolean_t autoddns;
dns_masterformat_t masterformat;
isc_stats_t *zoneqrystats;
isc_boolean_t zonestats_on;
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
+
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update, ac, zone,
dns_zone_setupdateacl,
"address, which is insecure",
zname);
- RETERR(configure_zone_ssutable(zoptions, zone));
+ obj = NULL;
+ result = ns_config_get(maps, "ddns-autoconf", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ autoddns = cfg_obj_asboolean(obj);
+
+ RETERR(configure_zone_ssutable(zoptions, zone, zname,
+ autoddns));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.29 2008/08/29 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.30 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} @DST_GSSAPI_INC@
+ ${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
CWARNINGS =
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
@BIND9_MAKE_RULES@
+nsupdate.@O@: nsupdate.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
+ -c ${srcdir}/nsupdate.c
+
nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsupdate.1,v 1.5 2009/03/10 01:12:31 tbox Exp $
+.\" $Id: nsupdate.1,v 1.6 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
-.\" Title: nsupdate
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: Jun 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "NSUPDATE" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "NSUPDATE" 1 "Jun 30, 2000" "" ""
+.SH NAME
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\fB\-g\fR\fR | \fB\fB\-o\fR\fR | \fB\fB\-y\ \fI[hmac:]keyname:secret\fR\fR\fR | \fB\fB\-k\ \fIkeyfile\fR\fR\fR] [\fB\-t\ \fItimeout\fR\fR] [\fB\-u\ \fIudptimeout\fR\fR] [\fB\-r\ \fIudpretries\fR\fR] [\fB\-R\ \fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
.SH "DESCRIPTION"
.PP
-\fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
+\fBnsupdate\fR is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server\&. This allows resource records to be added or removed from a zone without manually editing the zone file\&. A single update request can contain requests to add or remove more than one resource record\&.
.PP
-Zones that are under dynamic control via
-\fBnsupdate\fR
-or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.
+Zones that are under dynamic control via \fBnsupdate\fR or a DHCP server should not be edited by hand\&. Manual edits could conflict with dynamic updates and cause data to be lost\&.
.PP
-The resource records that are dynamically added or removed with
-\fBnsupdate\fR
-have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
+The resource records that are dynamically added or removed with \fBnsupdate\fR have to be in the same zone\&. Requests are sent to the zone's master server\&. This is identified by the MNAME field of the zone's SOA record\&.
.PP
-The
-\fB\-d\fR
-option makes
-\fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
+The \fB\-d\fR option makes \fBnsupdate\fR operate in debug mode\&. This provides tracing information about the update requests that are made and the replies received from the name server\&.
.PP
-The
-\fB\-D\fR
-option makes
-\fBnsupdate\fR
-report additional debugging information to
-\fB\-d\fR.
+The \fB\-D\fR option makes \fBnsupdate\fR report additional debugging information to \fB\-d\fR\&.
.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
-\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
-\fBkey\fR
-and
-\fBserver\fR
-statements would be added to
-\fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
-\fBnsupdate\fR
-does not read
-\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
+The \fB\-L\fR option with an integer argument of zero or higher sets the logging debug level\&. If zero, logging is disabled\&.
.PP
-\fBnsupdate\fR
-uses the
-\fB\-y\fR
-or
-\fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR, whose name is of the form
-\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
-\fIK{name}.+157.+{random}.key\fR
-must also be present. When the
-\fB\-y\fR
-option is used, a signature is generated from
-[\fIhmac:\fR]\fIkeyname:secret.\fR
-\fIkeyname\fR
-is the name of the key, and
-\fIsecret\fR
-is the base64 encoded shared secret. Use of the
-\fB\-y\fR
-option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1)
-or in a history file maintained by the user's shell.
+Transaction signatures can be used to authenticate the Dynamic DNS updates\&. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645\&. TSIG relies on a shared secret that should only be known to \fBnsupdate\fR and the name server\&. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104\&. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other\&. For instance, suitable \fBkey\fR and \fBserver\fR statements would be added to \fI/etc/named\&.conf\fR so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication\&. SIG(0) uses public key cryptography\&. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server\&. \fBnsupdate\fR does not read \fI/etc/named\&.conf\fR\&. GSS\-TSIG uses Kerberos credentials\&.
.PP
-The
-\fB\-k\fR
-may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
+\fBnsupdate\fR uses the \fB\-y\fR or \fB\-k\fR option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5\&. These options are mutually exclusive\&.
.PP
-The
-\fB\-g\fR
-and
-\fB\-o\fR
-specify that GSS\-TSIG is to be used. The
-\fB\-o\fR
-should only be used with old Microsoft Windows 2000 servers.
+When the \fB\-y\fR option is used, a signature is generated from [\fIhmac:\fR]\fIkeyname:secret\&.\fR \fIkeyname\fR is the name of the key, and \fIsecret\fR is the base64 encoded shared secret\&. Use of the \fB\-y\fR option is discouraged because the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from \fBps\fR(1) or in a history file maintained by the user's shell\&.
.PP
-By default,
-\fBnsupdate\fR
-uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
-\fB\-v\fR
-option makes
-\fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
+With the \fB\-k\fR option, \fBnsupdate\fR reads the shared secret from the file \fIkeyfile\fR\&. Keyfiles may be in two formats: a single file containing a \fInamed\&.conf\fR\-format \fBkey\fR statement, which may be generated automatically by \fBddns\-confgen\fR, or a pair of files whose names are of the format \fIK{name}\&.+157\&.+{random}\&.key\fR and \fIK{name}\&.+157\&.+{random}\&.private\fR, which can be generated by \fBdnssec\-keygen\fR\&. The \fB\-k\fR may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests\&. In this case, the key specified is not an HMAC\-MD5 key\&.
.PP
-The
-\fB\-t\fR
-option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
+ \fBnsupdate\fR can be run in a local\-host only mode using the \fB\-l\fR flag\&. This sets the server address to localhost (disabling the \fBserver\fR so that the server address cannot be overridden)\&. Connections to the local server will use a TSIG key found in \fI/var/run/named/ddns\&.key\fR, which is automatically generated by \fBnamed\fR if any local master zone has the \fBdynamic\fR zone option set to yes\&. The location of this key file can be overridden with the \fB\-k\fR option\&.
.PP
-The
-\fB\-u\fR
-option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
+By default, \fBnsupdate\fR uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used\&. The \fB\-v\fR option makes \fBnsupdate\fR use a TCP connection\&. This may be preferable when a batch of update requests is made\&.
.PP
-The
-\fB\-r\fR
-option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
+The \fB\-p\fR sets the default port number to use for connections to a name server\&. The default is 53\&.
.PP
-The
-\fB\-R \fR\fB\fIrandomdev\fR\fR
-option specifies a source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used. This option may be specified multiple times.
-.SH "INPUT FORMAT"
+The \fB\-t\fR option sets the maximum time an update request can take before it is aborted\&. The default is 300 seconds\&. Zero can be used to disable the timeout\&.
.PP
-\fBnsupdate\fR
-reads input from
-\fIfilename\fR
-or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.
+The \fB\-u\fR option sets the UDP retry interval\&. The default is 3 seconds\&. If zero, the interval will be computed from the timeout interval and number of UDP retries\&.
.PP
-Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the
-\fBsend\fR
-command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
+The \fB\-r\fR option sets the number of UDP retries\&. The default is 3\&. If zero, only one update request will be made\&.
.PP
-The command formats and their meaning are as follows:
+The \fB\-R \fIrandomdev\fR\fR option specifies a source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&. This option may be specified multiple times\&.
+.SH "INPUT FORMAT"
.PP
-\fBserver\fR {servername} [port]
-.RS 4
-Sends all dynamic update requests to the name server
-\fIservername\fR. When no server statement is provided,
-\fBnsupdate\fR
-will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone.
-\fIport\fR
-is the port number on
-\fIservername\fR
-where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.RE
+\fBnsupdate\fR reads input from \fIfilename\fR or standard input\&. Each command is supplied on exactly one line of input\&. Some commands are for administrative purposes\&. The others are either update instructions or prerequisite checks on the contents of the zone\&. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone\&. These conditions must be met if the entire update request is to succeed\&. Updates will be rejected if the tests for the prerequisite conditions fail\&.
.PP
-\fBlocal\fR {address} [port]
-.RS 4
-Sends all dynamic update requests using the local
-\fIaddress\fR. When no local statement is provided,
-\fBnsupdate\fR
-will send updates using an address and port chosen by the system.
-\fIport\fR
-can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.RE
+Every update request consists of zero or more prerequisites and zero or more updates\&. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone\&. A blank input line (or the \fBsend\fR command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server\&.
.PP
+The command formats and their meaning are as follows:
+.TP
+\fBserver\fR {servername} [port]
+Sends all dynamic update requests to the name server \fIservername\fR\&. When no server statement is provided, \fBnsupdate\fR will send updates to the master server of the correct zone\&. The MNAME field of that zone's SOA record will identify the master server for that zone\&. \fIport\fR is the port number on \fIservername\fR where the dynamic update requests get sent\&. If no port number is specified, the default DNS port number of 53 is used\&.
+.TP
+\fBlocal\fR {address} [port]
+Sends all dynamic update requests using the local \fIaddress\fR\&. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system\&. \fIport\fR can additionally be used to make requests come from a specific port\&. If no port number is specified, the system will assign one\&.
+.TP
\fBzone\fR {zonename}
-.RS 4
-Specifies that all updates are to be made to the zone
-\fIzonename\fR. If no
-\fIzone\fR
-statement is provided,
-\fBnsupdate\fR
-will attempt determine the correct zone to update based on the rest of the input.
-.RE
-.PP
+Specifies that all updates are to be made to the zone \fIzonename\fR\&. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input\&.
+.TP
\fBclass\fR {classname}
-.RS 4
-Specify the default class. If no
-\fIclass\fR
-is specified, the default class is
-\fIIN\fR.
-.RE
-.PP
+Specify the default class\&. If no \fIclass\fR is specified, the default class is \fIIN\fR\&.
+.TP
\fBttl\fR {seconds}
-.RS 4
-Specify the default time to live for records to be added. The value
-\fInone\fR
-will clear the default ttl.
-.RE
-.PP
+Specify the default time to live for records to be added\&. The value \fInone\fR will clear the default ttl\&.
+.TP
\fBkey\fR {name} {secret}
-.RS 4
-Specifies that all updates are to be TSIG\-signed using the
-\fIkeyname\fR
-\fIkeysecret\fR
-pair. The
-\fBkey\fR
-command overrides any key specified on the command line via
-\fB\-y\fR
-or
-\fB\-k\fR.
-.RE
-.PP
+Specifies that all updates are to be TSIG\-signed using the \fIkeyname\fR \fIkeysecret\fR pair\&. The \fBkey\fR command overrides any key specified on the command line via \fB\-y\fR or \fB\-k\fR\&.
+.TP
\fBprereq nxdomain\fR {domain\-name}
-.RS 4
-Requires that no resource record of any type exists with name
-\fIdomain\-name\fR.
-.RE
-.PP
+Requires that no resource record of any type exists with name \fIdomain\-name\fR\&.
+.TP
\fBprereq yxdomain\fR {domain\-name}
-.RS 4
-Requires that
-\fIdomain\-name\fR
-exists (has as at least one resource record, of any type).
-.RE
-.PP
+Requires that \fIdomain\-name\fR exists (has as at least one resource record, of any type)\&.
+.TP
\fBprereq nxrrset\fR {domain\-name} [class] {type}
-.RS 4
-Requires that no resource record exists of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.RE
-.PP
+Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR and \fIdomain\-name\fR\&. If \fIclass\fR is omitted, IN (internet) is assumed\&.
+.TP
\fBprereq yxrrset\fR {domain\-name} [class] {type}
-.RS 4
-This requires that a resource record of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR
-must exist. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.RE
-.PP
+This requires that a resource record of the specified \fItype\fR, \fIclass\fR and \fIdomain\-name\fR must exist\&. If \fIclass\fR is omitted, IN (internet) is assumed\&.
+.TP
\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
-.RS 4
-The
-\fIdata\fR
-from each set of prerequisites of this form sharing a common
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR
-are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR. The
-\fIdata\fR
-are written in the standard text representation of the resource record's RDATA.
-.RE
-.PP
+The \fIdata\fR from each set of prerequisites of this form sharing a common \fItype\fR, \fIclass\fR, and \fIdomain\-name\fR are combined to form a set of RRs\&. This set of RRs must exactly match the set of RRs existing in the zone at the given \fItype\fR, \fIclass\fR, and \fIdomain\-name\fR\&. The \fIdata\fR are written in the standard text representation of the resource record's RDATA\&.
+.TP
\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
-.RS 4
-Deletes any resource records named
-\fIdomain\-name\fR. If
-\fItype\fR
-and
-\fIdata\fR
-is provided, only matching resource records will be removed. The internet class is assumed if
-\fIclass\fR
-is not supplied. The
-\fIttl\fR
-is ignored, and is only allowed for compatibility.
-.RE
-.PP
+Deletes any resource records named \fIdomain\-name\fR\&. If \fItype\fR and \fIdata\fR is provided, only matching resource records will be removed\&. The internet class is assumed if \fIclass\fR is not supplied\&. The \fIttl\fR is ignored, and is only allowed for compatibility\&.
+.TP
\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
-.RS 4
-Adds a new resource record with the specified
-\fIttl\fR,
-\fIclass\fR
-and
-\fIdata\fR.
-.RE
-.PP
+Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR\&.
+.TP
\fBshow\fR
-.RS 4
-Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.RE
-.PP
+Displays the current message, containing all of the prerequisites and updates specified since the last send\&.
+.TP
\fBsend\fR
-.RS 4
-Sends the current message. This is equivalent to entering a blank line.
-.RE
-.PP
+Sends the current message\&. This is equivalent to entering a blank line\&.
+.TP
\fBanswer\fR
-.RS 4
-Displays the answer.
-.RE
-.PP
+Displays the answer\&.
+.TP
\fBdebug\fR
-.RS 4
-Turn on debugging.
-.RE
+Turn on debugging\&.
.PP
-Lines beginning with a semicolon are comments and are ignored.
+Lines beginning with a semicolon are comments and are ignored\&.
.SH "EXAMPLES"
.PP
-The examples below show how
-\fBnsupdate\fR
-could be used to insert and delete resource records from the
-\fBexample.com\fR
-zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
-\fBexample.com\fR.
-.sp
-.RS 4
+The examples below show how \fBnsupdate\fR could be used to insert and delete resource records from the \fBexample\&.com\fR zone\&. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample\&.com\fR\&.
.nf
# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
+> update delete oldhost\&.example\&.com A
+> update add newhost\&.example\&.com 86400 A 172\&.16\&.1\&.1
> send
.fi
-.RE
-.sp
.PP
-Any A records for
-\fBoldhost.example.com\fR
-are deleted. And an A record for
-\fBnewhost.example.com\fR
-with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds).
-.sp
-.RS 4
+Any A records for \fBoldhost\&.example\&.com\fR are deleted\&. And an A record for \fBnewhost\&.example\&.com\fR with IP address 172\&.16\&.1\&.1 is added\&. The newly\-added record has a 1 day TTL (86400 seconds)\&.
.nf
# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
+> prereq nxdomain nickname\&.example\&.com
+> update add nickname\&.example\&.com 86400 CNAME somehost\&.example\&.com
> send
.fi
-.RE
-.sp
.PP
-The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
+The prerequisite condition gets the name server to check that there are no resource records of any type for \fBnickname\&.example\&.com\fR\&. If there are, the update request fails\&. If this name does not exist, a CNAME for it is added\&. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME\&. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records\&.)
.SH "FILES"
-.PP
-\fB/etc/resolv.conf\fR
-.RS 4
+.TP
+\fB/etc/resolv\&.conf\fR
used to identify default name server
-.RE
-.PP
-\fBK{name}.+157.+{random}.key\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.PP
-\fBK{name}.+157.+{random}.private\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
+.TP
+\fB/var/run/named/ddns\&.key\fR
+sets the default TSIG key for use in local\-only mode
+.TP
+\fBK{name}\&.+157\&.+{random}\&.key\fR
+base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8)\&.
+.TP
+\fBK{name}\&.+157\&.+{random}\&.private\fR
+base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8)\&.
.SH "SEE ALSO"
.PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
-\fBRFC2931\fR(),
-\fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8).
+\fBRFC2136\fR(), \fBRFC3007\fR(), \fBRFC2104\fR(), \fBRFC2845\fR(), \fBRFC1034\fR(), \fBRFC2535\fR(), \fBRFC2931\fR(), \fBnamed\fR(8), \fBddns\-confgen\fR(8), \fBdnssec\-keygen\fR(8)\&.
.SH "BUGS"
.PP
-The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
+The TSIG key is redundantly stored in two separate files\&. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases\&.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.166 2009/04/30 07:10:09 marka Exp $ */
+/* $Id: nsupdate.c,v 1.167 2009/06/10 00:27:21 each Exp $ */
/*! \file */
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
+#include <isc/file.h>
#include <isc/hash.h>
#include <isc/lex.h>
#include <isc/log.h>
#include <isc/types.h>
#include <isc/util.h>
+#include <isccfg/namedconf.h>
+
#include <dns/callbacks.h>
#include <dns/dispatch.h>
#include <dns/dnssec.h>
#define DNSDEFAULTPORT 53
+static isc_uint16_t dnsport = DNSDEFAULTPORT;
+
#ifndef RESOLV_CONF
#define RESOLV_CONF "/etc/resolv.conf"
#endif
static isc_boolean_t usegsstsig = ISC_FALSE;
static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
+static isc_boolean_t local_only = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
static isc_sockaddr_t *localaddr = NULL;
static isc_sockaddr_t *serveraddr = NULL;
static isc_sockaddr_t tempaddr;
-static char *keystr = NULL, *keyfile = NULL;
+static const char *keyfile = NULL;
+static char *keystr = NULL;
static isc_entropy_t *entropy = NULL;
static isc_boolean_t shuttingdown = ISC_FALSE;
static FILE *input;
isc_mem_free(mctx, secret);
}
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_ddnskey(isc_mem_t *mctx, isc_log_t *lctx) {
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *ddnskey = NULL;
+ const cfg_obj_t *key = NULL;
+ const cfg_obj_t *secretobj = NULL;
+ const cfg_obj_t *algorithmobj = NULL;
+ const char *keyname;
+ const char *secretstr;
+ const char *algorithm;
+ isc_result_t result;
+ int len;
+
+ if (! isc_file_exists(keyfile))
+ return (ISC_R_FILENOTFOUND);
+
+ result = cfg_parser_create(mctx, lctx, &pctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_parse_file(pctx, keyfile, &cfg_type_ddnskey, &ddnskey);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_map_get(ddnskey, "key", &key);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ (void) cfg_map_get(key, "secret", &secretobj);
+ (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ keyname = cfg_obj_asstring(cfg_map_getname(key));
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithm = cfg_obj_asstring(algorithmobj);
+
+ len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
+ keystr = isc_mem_allocate(mctx, len);
+ snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
+ setup_keystr();
+
+ cleanup:
+ if (pctx != NULL) {
+ if (ddnskey != NULL)
+ cfg_obj_destroy(pctx, &ddnskey);
+ cfg_parser_destroy(&pctx);
+ }
+
+ if (keystr != NULL)
+ isc_mem_free(mctx, keystr);
+
+ return (result);
+}
+
static void
-setup_keyfile(void) {
+setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
dst_key_t *dstkey = NULL;
isc_result_t result;
dns_name_t *hmacname = NULL;
debug("Creating key...");
+ /* Try reading the key from a K* pair */
result = dst_key_fromnamedfile(keyfile,
DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
&dstkey);
+
+ /* If that didn't work, try reading it as a ddns.key keyfile */
+ if (result != ISC_R_SUCCESS) {
+ result = read_ddnskey(mctx, lctx);
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not read key from %s: %s\n",
keyfile, isc_result_totext(result));
return;
}
+
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
if (servers == NULL)
fatal("out of memory");
localhost.s_addr = htonl(INADDR_LOOPBACK);
- isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
+ isc_sockaddr_fromin(&servers[0], &localhost, dnsport);
} else {
servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
struct in_addr in4;
memcpy(&in4, lwconf->nameservers[i].address, 4);
- isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
+ isc_sockaddr_fromin(&servers[i], &in4, dnsport);
} else {
struct in6_addr in6;
memcpy(&in6, lwconf->nameservers[i].address, 16);
isc_sockaddr_fromin6(&servers[i], &in6,
- DNSDEFAULTPORT);
+ dnsport);
}
}
}
if (keystr != NULL)
setup_keystr();
+ else if (local_only)
+ read_ddnskey(mctx, lctx);
else if (keyfile != NULL)
- setup_keyfile();
+ setup_keyfile(mctx, lctx);
}
static void
INSIST(count == 1);
}
-#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
static void
pre_parse_args(int argc, char **argv) {
break;
case '?':
+ case 'h':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
argv[0], isc_commandline_option);
- fprintf(stderr, "usage: nsupdate [-d] "
+ fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
"[-g | -o | -y keyname:secret | -k keyfile] "
"[-v] [filename]\n");
exit(1);
case 'M':
break;
case 'l':
+ local_only = ISC_TRUE;
+ break;
+ case 'L':
result = isc_parse_uint32(&i, isc_commandline_argument,
10);
if (result != ISC_R_SUCCESS) {
usegsstsig = ISC_TRUE;
use_win2k_gsstsig = ISC_TRUE;
break;
+ case 'p':
+ result = isc_parse_uint16(&dnsport,
+ isc_commandline_argument, 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad port number "
+ "'%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
exit(1);
}
+ if (local_only) {
+ struct in_addr localhost;
+
+ if (keyfile == NULL)
+ keyfile = DDNS_KEYFILE;
+
+ if (userserver == NULL) {
+ userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (userserver == NULL)
+ fatal("out of memory");
+ }
+
+ localhost.s_addr = htonl(INADDR_LOOPBACK);
+ isc_sockaddr_fromin(userserver, &localhost, dnsport);
+ }
+
#ifdef GSSAPI
if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
}
#else
if (usegsstsig) {
- fprintf(stderr, "%s: cannot specify -g or -o, " \
+ fprintf(stderr, "%s: cannot specify -g or -o, " \
"program not linked with GSS API Library\n",
argv[0]);
exit(1);
char *word, *server;
long port;
+ if (local_only) {
+ fprintf(stderr, "cannot reset server in localhost-only mode\n");
+ return (STATUS_SYNTAX);
+ }
+
word = nsu_strsep(&cmdline, " \t\r\n");
if (*word == 0) {
fprintf(stderr, "could not read server name\n");
word = nsu_strsep(&cmdline, " \t\r\n");
if (*word == 0)
- port = DNSDEFAULTPORT;
+ port = dnsport;
else {
char *endp;
port = strtol(word, &endp, 10);
"server address [port] (set master server for zone)\n"
"send (send the update request)\n"
"show (show the update request)\n"
-"answer (show the answer to the last request)\n"
+"answer (show the answer to the last request)\n"
"quit (quit, any pending update is not sent\n"
-"help (display this message_\n"
+"help (display this message_\n"
"key [hmac:]keyname secret (use TSIG to sign the request)\n"
"gsstsig (use GSS_TSIG to sign the request)\n"
"oldgsstsig (use Microsoft's GSS_TSIG to sign the request)\n"
result = dns_name_totext(&master, ISC_TRUE, &buf);
check_result(result, "dns_name_totext");
serverstr[isc_buffer_usedlength(&buf)] = 0;
- get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
+ get_address(serverstr, dnsport, &tempaddr);
serveraddr = &tempaddr;
}
dns_rdata_freestruct(&soa);
fatal("out of memory");
}
if (userserver == NULL)
- get_address(namestr, DNSDEFAULTPORT, kserver);
+ get_address(namestr, dnsport, kserver);
else
(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.37 2009/03/09 04:18:51 marka Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.38 2009/06/10 00:27:21 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
The <option>-D</option> option makes <command>nsupdate</command>
report additional debugging information to <option>-d</option>.
</para>
+ <para>
+ The <option>-L</option> option with an integer argument of zero or
+ higher sets the logging debug level. If zero, logging is disabled.
+ </para>
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
uses the <option>-y</option> or <option>-k</option> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive. With the
- <option>-k</option> option, <command>nsupdate</command> reads
- the shared secret from the file <parameter>keyfile</parameter>,
- whose name is of the form
- <filename>K{name}.+157.+{random}.private</filename>. For
- historical reasons, the file
- <filename>K{name}.+157.+{random}.key</filename> must also be
- present. When the <option>-y</option> option is used, a
- signature is generated from
+ HMAC-MD5. These options are mutually exclusive.
+ </para>
+ <para>
+ When the <option>-y</option> option is used, a signature is
+ generated from
<optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
<parameter>keyname</parameter> is the name of the key, and
- <parameter>secret</parameter> is the base64 encoded shared
- secret. Use of the <option>-y</option> option is discouraged
- because the shared secret is supplied as a command line
- argument in clear text. This may be visible in the output
- from
+ <parameter>secret</parameter> is the base64 encoded shared secret.
+ Use of the <option>-y</option> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
<citerefentry>
- <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry> or in a history file maintained by the user's
- shell.
+ <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>
+ or in a history file maintained by the user's shell.
</para>
<para>
+ With the
+ <option>-k</option> option, <command>nsupdate</command> reads
+ the shared secret from the file <parameter>keyfile</parameter>.
+ Keyfiles may be in two formats: a single file containing
+ a <filename>named.conf</filename>-format <command>key</command>
+ statement, which may be generated automatically by
+ <command>ddns-confgen</command>, or a pair of files whose names are
+ of the format <filename>K{name}.+157.+{random}.key</filename> and
+ <filename>K{name}.+157.+{random}.private</filename>, which can be
+ generated by <command>dnssec-keygen</command>.
The <option>-k</option> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
<para>
- The <option>-g</option> and <option>-o</option> specify that
- GSS-TSIG is to be used. The <option>-o</option> should only
- be used with old Microsoft Windows 2000 servers.
+ <command>nsupdate</command> can be run in a local-host only mode
+ using the <option>-l</option> flag. This sets the server address to
+ localhost (disabling the <command>server</command> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <filename>/var/run/named/ddns.key</filename>,
+ which is automatically generated by <command>named</command> if any
+ local master zone has the <command>dynamic</command> zone option set
+ to yes. The location of this key file can be overridden with
+ the <option>-k</option> option.
</para>
<para>
- By default,
- <command>nsupdate</command>
+ By default, <command>nsupdate</command>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
use a TCP connection.
This may be preferable when a batch of update requests is made.
</para>
+ <para>
+ The <option>-p</option> sets the default port number to use for
+ connections to a name server. The default is 53.
+ </para>
<para>
The <option>-t</option> option sets the maximum time an update request
can
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><constant>/var/run/named/ddns.key</constant></term>
+ <listitem>
+ <para>
+ sets the default TSIG key for use in local-only mode
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><constant>K{name}.+157.+{random}.key</constant></term>
<listitem>
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
+ <citerefentry>
+ <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.html,v 1.42 2009/03/10 01:12:31 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.43 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.nsupdate"></a><div class="titlepage"></div>
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543449"></a><h2>DESCRIPTION</h2>
+<a name="id215133"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
report additional debugging information to <code class="option">-d</code>.
</p>
+<p>
+ The <code class="option">-L</code> option with an integer argument of zero or
+ higher sets the logging debug level. If zero, logging is disabled.
+ </p>
<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
uses the <code class="option">-y</code> or <code class="option">-k</code> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive. With the
- <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
- the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
- whose name is of the form
- <code class="filename">K{name}.+157.+{random}.private</code>. For
- historical reasons, the file
- <code class="filename">K{name}.+157.+{random}.key</code> must also be
- present. When the <code class="option">-y</code> option is used, a
- signature is generated from
+ HMAC-MD5. These options are mutually exclusive.
+ </p>
+<p>
+ When the <code class="option">-y</code> option is used, a signature is
+ generated from
[<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
<em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared
- secret. Use of the <code class="option">-y</code> option is discouraged
- because the shared secret is supplied as a command line
- argument in clear text. This may be visible in the output
- from
- <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
- shell.
+ <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+ Use of the <code class="option">-y</code> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in a history file maintained by the user's shell.
</p>
<p>
+ With the
+ <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+ the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
+ Keyfiles may be in two formats: a single file containing
+ a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+ statement, which may be generated automatically by
+ <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+ of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+ <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+ generated by <span><strong class="command">dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p>
<p>
- The <code class="option">-g</code> and <code class="option">-o</code> specify that
- GSS-TSIG is to be used. The <code class="option">-o</code> should only
- be used with old Microsoft Windows 2000 servers.
+ <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
+ using the <code class="option">-l</code> flag. This sets the server address to
+ localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
+ which is automatically generated by <span><strong class="command">named</strong></span> if any
+ local master zone has the <span><strong class="command">dynamic</strong></span> zone option set
+ to yes. The location of this key file can be overridden with
+ the <code class="option">-k</code> option.
</p>
<p>
- By default,
- <span><strong class="command">nsupdate</strong></span>
+ By default, <span><strong class="command">nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
use a TCP connection.
This may be preferable when a batch of update requests is made.
</p>
+<p>
+ The <code class="option">-p</code> sets the default port number to use for
+ connections to a name server. The default is 53.
+ </p>
<p>
The <code class="option">-t</code> option sets the maximum time an update request
can
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543726"></a><h2>INPUT FORMAT</h2>
+<a name="id215413"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
{domain-name}
[ttl]
[class]
- [type [data...]]
+ [type [data...]]
</span></dt>
<dd><p>
Deletes any resource records named
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544567"></a><h2>EXAMPLES</h2>
+<a name="id216068"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544611"></a><h2>FILES</h2>
+<a name="id216122"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
used to identify default name server
</p></dd>
+<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
+<dd><p>
+ sets the default TSIG key for use in local-only mode
+ </p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
base-64 encoding of HMAC-MD5 key created by
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544680"></a><h2>SEE ALSO</h2>
+<a name="id216386"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542156"></a><h2>BUGS</h2>
+<a name="id216465"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.44 2007/06/18 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.45 2009/06/10 00:27:21 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-SRCS= rndc.c rndc-confgen.c
+SRCS= rndc.c
-SUBDIRS = unix
+TARGETS = rndc@EXEEXT@
-TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
+MANPAGES = rndc.8 rndc.conf.5
-MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
-
-HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
+HTMLPAGES = rndc.html rndc.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
-UOBJS = unix/os.@O@
-
@BIND9_MAKE_RULES@
rndc.@O@: rndc.c
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc.c
-rndc-confgen.@O@: rndc-confgen.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc-confgen.c
-
rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
${RNDCLIBS}
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
- ${UOBJS} ${CONFLIBS}
-
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
+install:: rndc@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
clean distclean maintainer-clean::
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.11 2009/01/17 23:47:42 tbox Exp $ */
+/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
/*! \file */
ISC_LANG_BEGINDECLS
-FILE *safe_create(const char *filename);
-/*%<
- * Open 'filename' for writing, truncate if necessary. If the file was
- * created ensure that only the owner can read/write it.
- */
-
int set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.
+++ /dev/null
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: rndc\-confgen
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: Aug 27, 2001
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc\-confgen \- rndc key generation tool
-.SH "SYNOPSIS"
-.HP 13
-\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBrndc\-confgen\fR
-generates configuration files for
-\fBrndc\fR. It can be used as a convenient alternative to writing the
-\fIrndc.conf\fR
-file and the corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements in
-\fInamed.conf\fR
-by hand. Alternatively, it can be run with the
-\fB\-a\fR
-option to set up a
-\fIrndc.key\fR
-file and avoid the need for a
-\fIrndc.conf\fR
-file and a
-\fBcontrols\fR
-statement altogether.
-.SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Do automatic
-\fBrndc\fR
-configuration. This creates a file
-\fIrndc.key\fR
-in
-\fI/etc\fR
-(or whatever
-\fIsysconfdir\fR
-was specified as when
-BIND
-was built) that is read by both
-\fBrndc\fR
-and
-\fBnamed\fR
-on startup. The
-\fIrndc.key\fR
-file defines a default command channel and authentication key allowing
-\fBrndc\fR
-to communicate with
-\fBnamed\fR
-on the local host with no further configuration.
-.sp
-Running
-\fBrndc\-confgen \-a\fR
-allows BIND 9 and
-\fBrndc\fR
-to be used as drop\-in replacements for BIND 8 and
-\fBndc\fR, with no changes to the existing BIND 8
-\fInamed.conf\fR
-file.
-.sp
-If a more elaborate configuration than that generated by
-\fBrndc\-confgen \-a\fR
-is required, for example if rndc is to be used remotely, you should run
-\fBrndc\-confgen\fR
-without the
-\fB\-a\fR
-option and set up a
-\fIrndc.conf\fR
-and
-\fInamed.conf\fR
-as directed.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.RE
-.PP
-\-c \fIkeyfile\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify an alternate location for
-\fIrndc.key\fR.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
-\fBrndc\-key\fR.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Specifies the command channel port where
-\fBnamed\fR
-listens for connections from
-\fBrndc\fR. The default is 953.
-.RE
-.PP
-\-r \fIrandomfile\fR
-.RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-s \fIaddress\fR
-.RS 4
-Specifies the IP address where
-\fBnamed\fR
-listens for command channel connections from
-\fBrndc\fR. The default is the loopback address 127.0.0.1.
-.RE
-.PP
-\-t \fIchrootdir\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify a directory where
-\fBnamed\fR
-will run chrooted. An additional copy of the
-\fIrndc.key\fR
-will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR.
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to set the owner of the
-\fIrndc.key\fR
-file generated. If
-\fB\-t\fR
-is also specified only the file in the chroot area has its owner changed.
-.RE
-.SH "EXAMPLES"
-.PP
-To allow
-\fBrndc\fR
-to be used with no manual configuration, run
-.PP
-\fBrndc\-confgen \-a\fR
-.PP
-To print a sample
-\fIrndc.conf\fR
-file and corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements to be manually inserted into
-\fInamed.conf\fR, run
-.PP
-\fBrndc\-confgen\fR
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001, 2003 Internet Software Consortium.
-.br
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
+.\" $Id: rndc.conf.5,v 1.39 2009/06/10 00:27:21 each Exp $
.\"
.hy 0
.ad l
-.\" Title: \fIrndc.conf\fR
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: June 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "RNDC.CONF" 5 "June 30, 2000" "" ""
+.SH NAME
rndc.conf \- rndc configuration file
.SH "SYNOPSIS"
.HP 10
-\fBrndc.conf\fR
+\fBrndc\&.conf\fR
.SH "DESCRIPTION"
.PP
-\fIrndc.conf\fR
-is the configuration file for
-\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
-\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
+\fIrndc\&.conf\fR is the configuration file for \fBrndc\fR, the BIND 9 name server control utility\&. This file has a similar structure and syntax to \fInamed\&.conf\fR\&. Statements are enclosed in braces and terminated with a semi\-colon\&. Clauses in the statements are also semi\-colon terminated\&. The usual comment styles are supported:
.PP
C style: /* */
.PP
.PP
Unix style: # to end of line
.PP
-\fIrndc.conf\fR
-is much simpler than
-\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
-.PP
-The
-\fBoptions\fR
-statement contains five clauses. The
-\fBdefault\-server\fR
-clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
-\fBrndc\fR. The
-\fBdefault\-key\fR
-clause is followed by the name of a key which is identified by a
-\fBkey\fR
-statement. If no
-\fBkeyid\fR
-is provided on the rndc command line, and no
-\fBkey\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default key will be used to authenticate the server's commands and responses. The
-\fBdefault\-port\fR
-clause is followed by the port to connect to on the remote name server. If no
-\fBport\fR
-option is provided on the rndc command line, and no
-\fBport\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default port will be used to connect. The
-\fBdefault\-source\-address\fR
-and
-\fBdefault\-source\-address\-v6\fR
-clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
-.PP
-After the
-\fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
-\fBkey\fR,
-\fBport\fR
-and
-\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
-\fBaddresses\fR
-clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
-\fBsource\-address\fR
-or
-\fBsource\-address\-v6\fR
-of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
-.PP
-The
-\fBkey\fR
-statement begins with an identifying string, the name of the key. The statement has two clauses.
-\fBalgorithm\fR
-identifies the encryption algorithm for
-\fBrndc\fR
-to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
-.PP
-There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
-\fBrndc\-confgen\fR
-can be used to generate a random key, or the
-\fBmmencode\fR
-program, also known as
-\fBmimencode\fR, can be used to generate a base\-64 string from known input.
-\fBmmencode\fR
-does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
+\fIrndc\&.conf\fR is much simpler than \fInamed\&.conf\fR\&. The file uses three statements: an options statement, a server statement and a key statement\&.
+.PP
+The \fBoptions\fR statement contains five clauses\&. The \fBdefault\-server\fR clause is followed by the name or address of a name server\&. This host will be used when no name server is given as an argument to \fBrndc\fR\&. The \fBdefault\-key\fR clause is followed by the name of a key which is identified by a \fBkey\fR statement\&. If no \fBkeyid\fR is provided on the rndc command line, and no \fBkey\fR clause is found in a matching \fBserver\fR statement, this default key will be used to authenticate the server's commands and responses\&. The \fBdefault\-port\fR clause is followed by the port to connect to on the remote name server\&. If no \fBport\fR option is provided on the rndc command line, and no \fBport\fR clause is found in a matching \fBserver\fR statement, this default port will be used to connect\&. The \fBdefault\-source\-address\fR and \fBdefault\-source\-address\-v6\fR clauses which can be used to set the IPv4 and IPv6 source addresses respectively\&.
+.PP
+After the \fBserver\fR keyword, the server statement includes a string which is the hostname or address for a name server\&. The statement has three possible clauses: \fBkey\fR, \fBport\fR and \fBaddresses\fR\&. The key name must match the name of a key statement in the file\&. The port number specifies the port to connect to\&. If an \fBaddresses\fR clause is supplied these addresses will be used instead of the server name\&. Each address can take an optional port\&. If an \fBsource\-address\fR or \fBsource\-address\-v6\fR of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively\&.
+.PP
+The \fBkey\fR statement begins with an identifying string, the name of the key\&. The statement has two clauses\&. \fBalgorithm\fR identifies the encryption algorithm for \fBrndc\fR to use; currently only HMAC\-MD5 is supported\&. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key\&. The base\-64 string is enclosed in double quotes\&.
+.PP
+There are two common ways to generate the base\-64 string for the secret\&. The BIND 9 program \fBrndc\-confgen\fR can be used to generate a random key, or the \fBmmencode\fR program, also known as \fBmimencode\fR, can be used to generate a base\-64 string from known input\&. \fBmmencode\fR does not ship with BIND 9 but is available on many systems\&. See the EXAMPLE section for sample command lines for each\&.
.SH "EXAMPLE"
.PP
-.RS 4
.nf
options {
default\-server localhost;
default\-key samplekey;
};
.fi
-.RE
-.sp
.PP
-.RS 4
.nf
server localhost {
key samplekey;
};
.fi
-.RE
-.sp
.PP
-.RS 4
.nf
server testserver {
key testkey;
addresses { localhost port 5353; };
};
.fi
-.RE
-.sp
.PP
-.RS 4
.nf
key samplekey {
algorithm hmac\-md5;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
.fi
-.RE
-.sp
.PP
-.RS 4
.nf
key testkey {
algorithm hmac\-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
.fi
-.RE
-.sp
-.PP
-In the above example,
-\fBrndc\fR
-will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
-.PP
-If
-\fBrndc \-s testserver\fR
-is used then
-\fBrndc\fR
-will connect to server on localhost port 5353 using the key testkey.
-.PP
-To generate a random secret with
-\fBrndc\-confgen\fR:
-.PP
-\fBrndc\-confgen\fR
-.PP
-A complete
-\fIrndc.conf\fR
-file, including the randomly generated key, will be written to the standard output. Commented\-out
-\fBkey\fR
-and
-\fBcontrols\fR
-statements for
-\fInamed.conf\fR
-are also printed.
-.PP
-To generate a base\-64 secret with
-\fBmmencode\fR:
-.PP
-\fBecho "known plaintext for a secret" | mmencode\fR
+.PP
+In the above example, \fBrndc\fR will by default use the server at localhost (127\&.0\&.0\&.1) and the key called samplekey\&. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret\&. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes\&.
+.PP
+If \fBrndc \-s testserver\fR is used then \fBrndc\fR will connect to server on localhost port 5353 using the key testkey\&.
+.PP
+To generate a random secret with \fBrndc\-confgen\fR:
+.PP
+\fBrndc\-confgen\fR
+.PP
+A complete \fIrndc\&.conf\fR file, including the randomly generated key, will be written to the standard output\&. Commented\-out \fBkey\fR and \fBcontrols\fR statements for \fInamed\&.conf\fR are also printed\&.
+.PP
+To generate a base\-64 secret with \fBmmencode\fR:
+.PP
+\fBecho "known plaintext for a secret" | mmencode\fR
.SH "NAME SERVER CONFIGURATION"
.PP
-The name server must be configured to accept rndc connections and to recognize the key specified in the
-\fIrndc.conf\fR
-file, using the controls statement in
-\fInamed.conf\fR. See the sections on the
-\fBcontrols\fR
-statement in the BIND 9 Administrator Reference Manual for details.
+The name server must be configured to accept rndc connections and to recognize the key specified in the \fIrndc\&.conf\fR file, using the controls statement in \fInamed\&.conf\fR\&. See the sections on the \fBcontrols\fR statement in the BIND 9 Administrator Reference Manual for details\&.
.SH "SEE ALSO"
.PP
-\fBrndc\fR(8),
-\fBrndc\-confgen\fR(8),
-\fBmmencode\fR(1),
-BIND 9 Administrator Reference Manual.
+\fBrndc\fR(8), \fBrndc\-confgen\fR(8), \fBmmencode\fR(1), BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Systems Consortium
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.30 2009/06/10 00:27:21 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc.conf"></a><div class="titlepage"></div>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<a name="id215037"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>EXAMPLE</h2>
+<a name="id215198"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543592"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id215299"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543613"></a><h2>SEE ALSO</h2>
+<a name="id215321"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543652"></a><h2>AUTHOR</h2>
+<a name="id215358"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
+++ /dev/null
-Makefile
-.libs
-*.la
-*.lo
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.469 $)
+AC_REVISION($Revision: 1.470 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
lib/tests/include/tests/Makefile
bin/Makefile
bin/check/Makefile
+ bin/confgen/Makefile
+ bin/confgen/unix/Makefile
bin/named/Makefile
bin/named/unix/Makefile
bin/rndc/Makefile
- bin/rndc/unix/Makefile
bin/dig/Makefile
bin/nsupdate/Makefile
bin/tests/Makefile
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.411 2009/06/02 05:51:44 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.412 2009/06/10 00:27:21 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
<para>
Dynamic update is enabled by including an
- <command>allow-update</command> or <command>update-policy</command>
- clause in the <command>zone</command> statement. The
- <command>tkey-gssapi-credential</command> and
+ <command>allow-update</command>, <command>update-policy</command>
+ clause in the <command>zone</command> statement, or by setting the
+ <command>dynamic</command> option to <userinput>yes</userinput>
+ and creating a <filename>ddns.key</filename> file (see
+ <command>ddns-confgen</command>.)
+ </para>
+
+ <para>
+ If the zone's <command>dynamic</command> option is set to
+ <userinput>yes</userinput>, and if a <filename>ddns.key</filename>
+ file exists and contains a valid TSIG key, and if no other dynamic
+ update policy has been set for the zone, then updates to the zone
+ will be permitted for the key <filename>ddns.key</filename>.
+ </para>
+
+ <para>
+ The <command>tkey-gssapi-credential</command> and
<command>tkey-domain</command> clauses in the
- <command>options</command> statement enable the
+ <command>options</command> statement enable the
server to negotiate keys that can be matched against those
in <command>update-policy</command> or
<command>allow-update</command>.
</para>
<sect2 id="journal">
- <title>The journal file</title>
+ <title>The journal file</title>
<para>
All changes made to a zone using dynamic update are stored
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>dynamic</command></term>
+ <listitem>
+ <para>
+ If this flag is set to <userinput>yes</userinput> in
+ a master zone, <command>named</command> will
+ automatically generate a TSIG session key for use
+ by <command>nsupdate -l</command> on the local system,
+ and the zone will be marked to allow dynamic updates
+ using this key.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>forward</command></term>
<listitem>
</para>
<programlisting>
-( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
+( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
</programlisting>
<para>
<varname>krb5-self</varname>, <varname>ms-self</varname>,
<varname>krb5-subdomain</varname>,
<varname>ms-subdomain</varname>,
- <varname>tcp-self</varname> and <varname>6to4-self</varname>.
+ <varname>tcp-self</varname>, <varname>6to4-self</varname>,
+ and <varname>zonesub</varname>.
</para>
<informaltable>
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>zonesub</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule is similar to subdomain, except that
+ it matches when the name being updated is a
+ subdomain of the zone in which the
+ <command>update-policy</command> statement
+ appears. This obviates the need to type the zone
+ name twice, and enables the use of a standard
+ <command>update-policy</command> statement in
+ multiple zones without modification.
+ </para>
+ <para>
+ When this rule is used, the
+ <replaceable>name</replaceable> field is omitted.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.101 2009/06/03 00:04:38 marka Exp $ */
+/* $Id: check.c,v 1.102 2009/06/10 00:27:22 each Exp $ */
/*! \file */
result = tresult;
}
- dns_fixedname_init(&fixed);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- result = tresult;
+ if (tresult == ISC_R_SUCCESS &&
+ strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
+ dns_fixedname_init(&fixed);
+ str = cfg_obj_asstring(dname);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
+ &b, dns_rootname,
+ ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ result = tresult;
+ }
}
+
if (tresult == ISC_R_SUCCESS &&
strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
!dns_name_iswildcard(dns_fixedname_name(&fixed))) {
{ "notify", MASTERZONE | SLAVEZONE },
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "ddns-autoconf", MASTERZONE },
{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.19 2009/03/02 23:47:43 tbox Exp $
+ * $Id: dst_api.c,v 1.20 2009/06/10 00:27:22 each Exp $
*/
/*! \file */
static isc_result_t addsuffix(char *filename, unsigned int len,
const char *ofilename, const char *suffix);
-#define RETERR(x) \
+#define RETERR(x) \
do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.11 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: dst_internal.h,v 1.12 2009/06/10 00:27:22 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
ISC_LANG_BEGINDECLS
-#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
-#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
+#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
+#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
typedef struct dst_func dst_func_t;
-typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
+typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
dst_hmacsha512_key_t *hmacsha512;
} keydata; /*%< pointer to key in crypto pkg fmt */
- dst_func_t * func; /*%< crypto package specific functions */
+ dst_func_t * func; /*%< crypto package specific functions */
};
struct dst_context {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsig.h,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: tsig.h,v 1.52 2009/06/10 00:27:22 each Exp $ */
#ifndef DNS_TSIG_H
#define DNS_TSIG_H 1
*\li #ISC_R_NOMEMORY
*/
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey);
+/*%<
+ * Place a TSIG key onto a key ring.
+ *
+ * Requires:
+ *\li 'ring', 'name' and 'tkey' are not NULL
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li Any other value indicates failure.
+ */
+
void
dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.12 2008/09/24 02:46:23 marka Exp $ */
+/* $Id: dst.h,v 1.13 2009/06/10 00:27:22 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
void
dst_key_free(dst_key_t **keyp);
/*%<
- * Release all memory associated with the key.
+ * Decrement the key's reference counter and, when it reaches zero,
+ * release all memory associated with the key.
*
* Requires:
*\li "keyp" is not NULL and "*keyp" is a valid key.
+ *\li reference counter greater than zero.
*
* Ensures:
*\li All memory associated with "*keyp" will be freed.
*/
/*
- * $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $
+ * $Id: tsig.c,v 1.137 2009/06/10 00:27:22 each Exp $
*/
/*! \file */
#include <config.h>
level, "tsig key '%s': %s", namestr, message);
}
+/*
+ * A supplemental routine just to add a key to ring. Note that reference
+ * counter should be counted separately because we may be adding the key
+ * as part of creation of the key, in which case the reference counter was
+ * already initialized. Also note we don't need RWLOCK for the reference
+ * counter: it's protected by a separate lock.
+ */
+static isc_result_t
+keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey)
+{
+ isc_result_t result;
+
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ ring->writecount++;
+
+ /*
+ * Do on the fly cleaning. Find some nodes we might not
+ * want around any more.
+ */
+ if (ring->writecount > 10) {
+ cleanup_ring(ring);
+ ring->writecount = 0;
+ }
+
+ result = dns_rbt_addname(ring->keys, name, tkey);
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+ return (result);
+}
+
isc_result_t
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dst_key_t *dstkey, isc_boolean_t generated,
tkey->ring = ring;
if (key != NULL)
- refs++;
+ refs = 1;
if (ring != NULL)
refs++;
ret = isc_refcount_init(&tkey->refs, refs);
tkey->magic = TSIG_MAGIC;
if (ring != NULL) {
- RWLOCK(&ring->lock, isc_rwlocktype_write);
- ring->writecount++;
-
- /*
- * Do on the fly cleaning. Find some nodes we might not
- * want around any more.
- */
- if (ring->writecount > 10) {
- cleanup_ring(ring);
- ring->writecount = 0;
- }
- ret = dns_rbt_addname(ring->keys, name, tkey);
- if (ret != ISC_R_SUCCESS) {
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+ ret = keyring_add(ring, name, tkey);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_refs;
- }
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
}
/*
"the key '%s' is too short to be secure",
namestr);
}
+
if (key != NULL)
*key = tkey;
return (ISC_R_SUCCESS);
}
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey)
+{
+ isc_result_t result;
+
+ result = keyring_add(ring, name, tkey);
+ if (result == ISC_R_SUCCESS)
+ isc_refcount_increment(&tkey->refs, NULL);
+
+ return (result);
+}
+
void
dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
dns_tsig_keyring_t *ring;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: file.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: file.h,v 1.36 2009/06/10 00:27:22 each Exp $ */
#ifndef ISC_FILE_H
#define ISC_FILE_H 1
* Truncate/extend the file specified to 'size' bytes.
*/
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp);
+/*%<
+ * Open 'filename' for writing, truncating if necessary. Ensure that
+ * if it existed it was a normal file. If creating the file, ensure
+ * that only the owner can read/write it.
+ */
+
ISC_LANG_ENDDECLS
#endif /* ISC_FILE_H */
* SUCH DAMAGE.
*/
-/* $Id: file.c,v 1.53 2009/02/16 23:48:04 tbox Exp $ */
+/* $Id: file.c,v 1.54 2009/06/10 00:27:22 each Exp $ */
/*! \file */
result = isc__errno2result(errno);
return (result);
}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+ isc_result_t result;
+ int flags;
+ struct stat sb;
+ FILE *f;
+ int fd;
+
+ REQUIRE(filename != NULL);
+ REQUIRE(fp != NULL && *fp == NULL);
+
+ result = file_stats(filename, &sb);
+ if (result == ISC_R_SUCCESS) {
+ if ((sb.st_mode & S_IFREG) == 0)
+ return (ISC_R_INVALIDFILE);
+ flags = O_WRONLY | O_TRUNC;
+ } else if (result == ISC_R_FILENOTFOUND) {
+ flags = O_WRONLY | O_CREAT | O_EXCL;
+ } else
+ return (result);
+
+ fd = open(filename, flags, S_IRUSR | S_IWUSR);
+ if (fd == -1)
+ return (isc__errno2result(errno));
+
+ f = fdopen(fd, "w");
+ if (f == NULL) {
+ result = isc__errno2result(errno);
+ close(fd);
+ return (result);
+ }
+
+ *fp = f;
+ return (ISC_R_SUCCESS);
+}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: file.c,v 1.31 2007/06/19 23:47:19 tbox Exp $ */
+/* $Id: file.c,v 1.32 2009/06/10 00:27:22 each Exp $ */
#include <config.h>
return (ISC_R_SUCCESS);
}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+ isc_result_t result;
+ int flags;
+ struct stat sb;
+ FILE *f;
+ int fd;
+
+ REQUIRE(filename != NULL);
+ REQUIRE(fp != NULL && *fp == NULL);
+
+ result = file_stats(filename, &sb);
+ if (result == ISC_R_SUCCESS) {
+ if ((sb.st_mode & S_IFREG) == 0)
+ return (ISC_R_INVALIDFILE);
+ flags = O_WRONLY | O_TRUNC;
+ } else if (result == ISC_R_FILENOTFOUND) {
+ flags = O_WRONLY | O_CREAT | O_EXCL;
+ } else
+ return (result);
+
+ fd = open(filename, flags, S_IRUSR | S_IWUSR);
+ if (fd == -1)
+ return (isc__errno2result(errno));
+
+ f = fdopen(fd, "w");
+ if (f == NULL) {
+ result = isc__errno2result(errno);
+ close(fd);
+ return (result);
+ }
+
+ *fp = f;
+ return (ISC_R_SUCCESS);
+}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ntpaths.h,v 1.16 2007/06/19 23:47:20 tbox Exp $ */
+/* $Id: ntpaths.h,v 1.17 2009/06/10 00:27:22 each Exp $ */
/*
* Windows-specific path definitions
#define RNDC_KEYFILE isc_ntpaths_get(RNDC_KEY_PATH)
#define RESOLV_CONF isc_ntpaths_get(RESOLV_CONF_PATH)
-
/*
* Information about where the files are on disk
*/
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ntpaths.c,v 1.11 2007/06/18 23:47:49 tbox Exp $ */
+/* $Id: ntpaths.c,v 1.12 2009/06/10 00:27:22 each Exp $ */
/*
* This module fetches the required path information that is specific
strcpy(rndc_keyFile, namedBase);
strcat(rndc_keyFile, "\\etc\\rndc.key");
+ strcpy(ddns_keyFile, namedBase);
+ strcat(ddns_keyFile, "\\etc\\ddns.key");
+
strcpy(rndc_confFile, namedBase);
strcat(rndc_confFile, "\\etc\\rndc.conf");
strcpy(ns_defaultpidfile, namedBase);
case RNDC_KEY_PATH:
return (rndc_keyFile);
break;
+ case RNDC_KEY_PATH:
+ return (ddns_keyFile);
+ break;
default:
return (NULL);
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: grammar.h,v 1.17 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: grammar.h,v 1.18 2009/06/10 00:27:22 each Exp $ */
#ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1
*/
unsigned int line;
+ /*%
+ * Parser context flags, used for maintaining state
+ * from one token to the next.
+ */
+ unsigned int flags;
+
cfg_parsecallback_t callback;
void *callbackarg;
};
+/* Parser context flags */
+#define CFG_PCTX_SKIP 0x1
/*@{*/
/*%
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.h,v 1.11 2009/03/05 23:47:36 tbox Exp $ */
+/* $Id: namedconf.h,v 1.12 2009/06/10 00:27:22 each Exp $ */
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
/*%< A complete rndc.key file. */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ddnskey;
+/*%< A complete ddns.key file. */
+
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
/*%< A key reference, used as an ACL element */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.96 2009/05/29 22:22:37 jinmei Exp $ */
+/* $Id: namedconf.c,v 1.97 2009/06/10 00:27:22 each Exp $ */
/*! \file */
* Note that the old parser allows quotes around the RR type names.
*/
static cfg_type_t cfg_type_rrtypelist = {
- "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
- &cfg_rep_list, &cfg_type_astring
+ "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
+ cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
};
static const char *mode_enums[] = { "grant", "deny", NULL };
&mode_enums
};
+static isc_result_t
+parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret) {
+ isc_result_t result;
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
+ pctx->flags |= CFG_PCTX_SKIP;
+ }
+ return (cfg_parse_enum(pctx, type, ret));
+
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+
+ if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
+ pctx->flags &= ~CFG_PCTX_SKIP;
+ CHECK(cfg_parse_void(pctx, NULL, &obj));
+ } else
+ result = cfg_parse_astring(pctx, type, &obj);
+
+ *ret = obj;
+ cleanup:
+ return (result);
+}
+
static const char *matchtype_enums[] = {
"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
- "tcp-self", "6to4-self", NULL };
+ "tcp-self", "6to4-self", "zonesub", NULL };
static cfg_type_t cfg_type_matchtype = {
- "matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &matchtype_enums
+ "matchtype", parse_matchtype, cfg_print_ustring,
+ cfg_doc_enum, &cfg_rep_string, &matchtype_enums
+};
+
+static cfg_type_t cfg_type_matchname = {
+ "optional_matchname", parse_matchname, cfg_print_ustring,
+ cfg_doc_tuple, &cfg_rep_tuple, &cfg_type_ustring
};
/*%
{ "mode", &cfg_type_mode, 0 },
{ "identity", &cfg_type_astring, 0 }, /* domain name */
{ "matchtype", &cfg_type_matchtype, 0 },
- { "name", &cfg_type_astring, 0 }, /* domain name */
+ { "name", &cfg_type_matchname, 0 }, /* domain name */
{ "types", &cfg_type_rrtypelist, 0 },
{ NULL, NULL, 0 }
};
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "coresize", &cfg_type_size, 0 },
{ "datasize", &cfg_type_size, 0 },
+ { "ddns-keyfile", &cfg_type_qstringornone, 0 },
+ { "ddns-keyname", &cfg_type_astring, 0 },
+ { "ddns-keyalg", &cfg_type_astring, 0 },
{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
{ "dump-file", &cfg_type_qstring, 0 },
{ "check-sibling", &cfg_type_boolean, 0 },
{ "check-srv-cname", &cfg_type_checkmode, 0 },
{ "check-wildcard", &cfg_type_boolean, 0 },
+ { "ddns-autoconf", &cfg_type_boolean, 0 },
{ "dialup", &cfg_type_dialuptype, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },
&cfg_rep_map, rndckey_clausesets
};
+/*
+ * ddns.key has exactly the same syntax as rndc.key, but it's defined
+ * separately for clarity (and so we can extend it someday, if needed).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ddnskey = {
+ "ddnskey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, rndckey_clausesets
+};
+
static cfg_tuplefielddef_t nameport_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "port", &cfg_type_optional_port, 0 },
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: parser.c,v 1.129 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: parser.c,v 1.130 2009/06/10 00:27:22 each Exp $ */
/*! \file */
pctx->callback = NULL;
pctx->callbackarg = NULL;
pctx->token.type = isc_tokentype_unknown;
+ pctx->flags = 0;
memset(specials, 0, sizeof(specials));
specials['{'] = 1;
projects / thirdparty / bind9.git / commitdiff
