nta-recheck 300;\n\
# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n\
+ dot-port 853;\n\
prefetch 2 9;\n\
recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\
} else if (defport != 0) {
port = defport;
} else {
- result = named_config_getport(config, &port);
+ result = named_config_getport(config, "port", &port);
if (result != ISC_R_SUCCESS) {
return (result);
}
/*
* Get system defaults.
*/
- result = named_config_getport(config, &port);
+ result = named_config_getport(config, "port", &port);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
}
isc_result_t
-named_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+named_config_getport(const cfg_obj_t *config, const char *type,
+ in_port_t *portp) {
const cfg_obj_t *maps[3];
const cfg_obj_t *options = NULL;
const cfg_obj_t *portobj = NULL;
maps[i++] = named_g_defaults;
maps[i] = NULL;
- result = named_config_get(maps, "port", &portobj);
+ result = named_config_get(maps, type, &portobj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
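Review bot: With `type` now caller-supplied, the `INSIST(result == ISC_R_SUCCESS)` after `named_config_get(maps, type, &portobj)` turns a misspelled or undefaulted option name into an assertion abort of the whole server instead of a returned error; it only holds because every name passed in has an entry in `named_g_defaults`, and the hunk adding `dot-port 853;` to the defaults is what keeps the new `"dot-port"` lookup safe. I would state that contract at the definition, `/* 'type' must name a port option present in named_g_defaults; a missing entry is a programming error (INSIST), not a configuration error. */`, and add `REQUIRE(type != NULL);` alongside the function's existing checks. named_config_getport's body starts before and ends after this hunk.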
struct keyalgorithms {
const char *str;
- enum { hmacnone,
- hmacmd5,
- hmacsha1,
- hmacsha224,
- hmacsha256,
- hmacsha384,
- hmacsha512 } hmac;
+ enum {
+ hmacnone,
+ hmacmd5,
+ hmacsha1,
+ hmacsha224,
+ hmacsha256,
+ hmacsha384,
+ hmacsha512
+ } hmac;
unsigned int type;
uint16_t size;
} algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
isc_result_t
-named_config_getport(const cfg_obj_t *config, in_port_t *portp);
+named_config_getport(const cfg_obj_t *config, const char *type,
+ in_port_t *portp);
isc_result_t
named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
EXTERN const char *named_g_configargs INIT(PACKAGE_CONFIGARGS);
EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER);
EXTERN in_port_t named_g_port INIT(0);
+EXTERN in_port_t named_g_dot_port INIT(0);
EXTERN isc_dscp_t named_g_dscp INIT(-1);
EXTERN named_server_t *named_g_server INIT(NULL);
#if NAMED_RUN_PID_DIR
EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/"
"named.pid");
-#else /* if NAMED_RUN_PID_DIR */
+#else /* if NAMED_RUN_PID_DIR */
EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/"
"named.pid");
#endif /* if NAMED_RUN_PID_DIR */
NAMED_LOGMODULE_MAIN,
ISC_LOG_CRITICAL, "%s", strs[i]);
}
-#else /* HAVE_BACKTRACE_SYMBOLS */
+#else /* HAVE_BACKTRACE_SYMBOLS */
for (int i = 0; i < nframes; i++) {
isc_log_write(
named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
printf("linked to OpenSSL version: %s\n",
OpenSSL_version(OPENSSL_VERSION));
-#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
- * 0x10100000L */
+#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+ * 0x10100000L */
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
break;
case 'p':
port = parse_int(isc_commandline_argument, "port");
- if (port < 1 || port > 65535) {
+ if (port < 1 || port > 64735) {
named_main_earlyfatal("port '%s' out of range",
isc_commandline_argument);
}
named_g_port = port;
+ /* XXXWPK have a separate option for that. */
+ named_g_dot_port = port + 800;
break;
case 's':
/* XXXRTH temporary syntax */
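Review bot: Lowering the `-p` bound to 64735 rejects ports 64736-65535 that were valid for the plain DNS listener before, purely so that `named_g_dot_port = port + 800` cannot exceed 65535, and the unchanged message `port '%s' out of range` gives the operator no hint why a legal port is refused. The derived DoT port also silently claims whatever else expects port+800 and, because the listener code prefers `named_g_dot_port != 0` over the `dot-port` option, overrides the configured value whenever `-p` is given. Until the separate option the XXXWPK comment promises exists, I would keep the original `port > 65535` check and only derive the DoT port when it fits, `named_g_dot_port = (port + 800 <= 65535) ? port + 800 : 0;`, so the configured or default `dot-port` applies otherwise, and log the derived value so the override is visible. The enclosing option switch starts and ends outside this hunk.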
named_g_cpus, named_g_cpus == 1 ? "" : "s");
#ifdef WIN32
named_g_udpdisp = 1;
-#else /* ifdef WIN32 */
+#else /* ifdef WIN32 */
if (named_g_udpdisp == 0) {
named_g_udpdisp = named_g_cpus_detected;
}
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
"linked to OpenSSL version: %s",
OpenSSL_version(OPENSSL_VERSION));
-#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
- * 0x10100000L */
+#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+ * 0x10100000L */
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
"linked to OpenSSL version: %s",
size ) ] [ versions ( unlimited | integer ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( quoted_string | none );
+ dot-port integer;
dscp integer;
dual-stack-servers [ port integer ] { ( quoted_string [ port
integer ] [ dscp integer ] | ipv4_address [ port
static isc_result_t
nzd_count(dns_view_t *view, int *countp);
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
static isc_result_t
nzf_append(dns_view_t *view, const cfg_obj_t *zconfig);
#endif /* ifdef HAVE_LMDB */
dns_name_t *name = NULL;
isc_buffer_t namebuf;
const char *atstr = NULL;
- enum { INIT_DNSKEY,
- STATIC_DNSKEY,
- INIT_DS,
- STATIC_DS,
- TRUSTED } anchortype;
+ enum {
+ INIT_DNSKEY,
+ STATIC_DNSKEY,
+ INIT_DS,
+ STATIC_DS,
+ TRUSTED
+ } anchortype;
REQUIRE(namestrp != NULL && *namestrp == NULL);
REQUIRE(ds != NULL);
if (!strcasecmp(str, "fixed")) {
#if DNS_RDATASET_FIXED
mode = DNS_RDATASETATTR_FIXEDORDER;
-#else /* if DNS_RDATASET_FIXED */
+#else /* if DNS_RDATASET_FIXED */
mode = DNS_RDATASETATTR_CYCLIC;
#endif /* DNS_RDATASET_FIXED */
} else if (!strcasecmp(str, "random")) {
" without `./configure --enable-dnsrps`");
return (ISC_R_FAILURE);
}
-#else /* ifndef USE_DNSRPS */
+#else /* ifndef USE_DNSRPS */
if (dnsrps_enabled) {
if (librpz == NULL) {
cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
/*
* Set the view's port number for outgoing queries.
*/
- CHECKM(named_config_getport(config, &port), "port");
+ CHECKM(named_config_getport(config, "port", &port), "port");
dns_view_setdstport(view, port);
/*
/*
* Determine which port to send requests to.
*/
- CHECKM(named_config_getport(config, &port), "port");
+ CHECKM(named_config_getport(config, "port", &port), "port");
if (alternates != NULL) {
portobj = cfg_tuple_get(alternates, "port");
/*
* Determine which port to send forwarded requests to.
*/
- CHECKM(named_config_getport(config, &port), "port");
+ CHECKM(named_config_getport(config, "port", &port), "port");
if (forwarders != NULL) {
portobj = cfg_tuple_get(forwarders, "port");
}
result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
- dscp, src_acl, &lelt);
+ dscp, src_acl, false, NULL, NULL,
+ &lelt);
if (result != ISC_R_SUCCESS) {
goto clean;
}
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL && view != zoneview;
view = ISC_LIST_NEXT(view, link))
- {
- }
+ {}
if (view == NULL) {
continue;
}
return (ISC_R_FAILURE);
}
}
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
UNUSED(obj);
#endif /* HAVE_LMDB */
if (named_g_port != 0) {
listen_port = named_g_port;
} else {
- CHECKM(named_config_getport(config, &listen_port), "port");
+ CHECKM(named_config_getport(config, "port", &listen_port),
+ "port");
}
/*
#if defined(HAVE_GEOIP2)
geoip = named_g_geoip;
-#else /* if defined(HAVE_GEOIP2) */
+#else /* if defined(HAVE_GEOIP2) */
geoip = NULL;
#endif /* if defined(HAVE_GEOIP2) */
cfg_aclconfctx_t *actx, isc_mem_t *mctx,
uint16_t family, ns_listenelt_t **target) {
isc_result_t result;
- const cfg_obj_t *portobj, *dscpobj;
+ const cfg_obj_t *tlsobj, *portobj, *dscpobj;
in_port_t port;
isc_dscp_t dscp = -1;
+ const char *key = NULL, *cert = NULL;
+ bool tls = false;
ns_listenelt_t *delt = NULL;
REQUIRE(target != NULL && *target == NULL);
+ /* XXXWPK TODO be more verbose on failures. */
+ tlsobj = cfg_tuple_get(listener, "tls");
+ if (tlsobj != NULL && cfg_obj_isstring(tlsobj)) {
+ const cfg_obj_t *tlsconfigs = NULL;
+ const cfg_listelt_t *element;
+ (void)cfg_map_get(config, "tls", &tlsconfigs);
+ for (element = cfg_list_first(tlsconfigs); element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *tconfig = cfg_listelt_value(element);
+ const cfg_obj_t *name = cfg_map_getname(tconfig);
+ if (!strcmp(cfg_obj_asstring(name),
+ cfg_obj_asstring(tlsobj))) {
+ tls = true;
+ const cfg_obj_t *keyo = NULL, *certo = NULL;
+ (void)cfg_map_get(tconfig, "key-file", &keyo);
+ if (keyo == NULL) {
+ return (ISC_R_FAILURE);
+ }
+ (void)cfg_map_get(tconfig, "cert-file", &certo);
+ if (certo == NULL) {
+ return (ISC_R_FAILURE);
+ }
+ key = cfg_obj_asstring(keyo);
+ cert = cfg_obj_asstring(certo);
+ break;
+ }
+ }
+ if (!tls) {
+ return (ISC_R_FAILURE);
+ }
+ }
portobj = cfg_tuple_get(listener, "port");
if (!cfg_obj_isuint32(portobj)) {
- if (named_g_port != 0) {
- port = named_g_port;
+ if (tls) {
+ if (named_g_dot_port != 0) {
+ port = named_g_dot_port;
+ } else {
+ result = named_config_getport(
+ config, "dot-port", &port);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
} else {
- result = named_config_getport(config, &port);
- if (result != ISC_R_SUCCESS) {
- return (result);
+ if (named_g_port != 0) {
+ port = named_g_port;
+ } else {
+ result = named_config_getport(config, "port",
+ &port);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
}
}
} else {
dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
}
- result = ns_listenelt_create(mctx, port, dscp, NULL, &delt);
+ result = ns_listenelt_create(mctx, port, dscp, NULL, tls, key, cert,
+ &delt);
if (result != ISC_R_SUCCESS) {
return (result);
}
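Review bot: Every failure path in the new `tls` lookup — no `tls` block with the referenced name, or a block lacking `key-file`/`cert-file` — returns `ISC_R_FAILURE` without logging, so a misconfigured DoT listener fails with no indication of which `tls` name or which field is wrong; the `XXXWPK TODO` acknowledges this, but the fix is one line per return. Before the final `return (ISC_R_FAILURE);` I would add `cfg_obj_log(tlsobj, named_g_lctx, ISC_LOG_ERROR, "tls configuration '%s' not found", cfg_obj_asstring(tlsobj));`, and in the two inner returns log `"tls '%s': missing key-file"` / `"tls '%s': missing cert-file"` against `tconfig`. Note that `key` and `cert` are strings borrowed from the config object and handed to `ns_listenelt_create` at the end of the hunk; that is only safe because, elsewhere in this diff, that function builds the `SSL_CTX` synchronously rather than retaining the pointers, which is worth a comment at the `key = cfg_obj_asstring(keyo);` line. The enclosing function's signature begins before this hunk.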
#ifndef HAVE_LMDB
FILE *fp = NULL;
bool cleanup_config = false;
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
MDB_txn *txn = NULL;
MDB_dbi dbi;
(void)isc_stdio_close(fp);
fp = NULL;
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
/* Make sure we can open the NZD database */
result = nzd_writable(view);
if (result != ISC_R_SUCCESS) {
/* Save the new zone configuration into the NZD */
CHECK(nzd_open(view, 0, &txn, &dbi));
CHECK(nzd_save(&txn, dbi, zone, zoneobj));
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
/* Append the zone configuration to the NZF */
result = nzf_append(view, zoneobj);
#endif /* HAVE_LMDB */
cfg->nzf_config, name, NULL);
RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
}
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
if (txn != NULL) {
(void)nzd_close(&txn, false);
}
#ifndef HAVE_LMDB
FILE *fp = NULL;
cfg_obj_t *z;
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
MDB_txn *txn = NULL;
MDB_dbi dbi;
LOCK(&view->new_zone_lock);
}
(void)isc_stdio_close(fp);
fp = NULL;
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
/* Make sure we can open the NZD database */
result = nzd_writable(view);
if (result != ISC_R_SUCCESS) {
#ifdef HAVE_LMDB
CHECK(nzd_open(view, 0, &txn, &dbi));
CHECK(nzd_save(&txn, dbi, zone, zoneobj));
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
result = nzf_append(view, zoneobj);
if (result != ISC_R_SUCCESS) {
TCHECK(putstr(text, "\nNew zone config not saved: "));
if (fp != NULL) {
(void)isc_stdio_close(fp);
}
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
if (txn != NULL) {
(void)nzd_close(&txn, false);
}
/* Are we accepting new zones in this view? */
#ifdef HAVE_LMDB
if (view->new_zone_db == NULL)
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
if (view->new_zone_file == NULL)
#endif /* HAVE_LMDB */
{
(void)nzd_close(&txn, false);
}
UNLOCK(&view->new_zone_lock);
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
result = delete_zoneconf(view, cfg->add_parser, cfg->nzf_config,
dns_zone_getorigin(zone),
nzf_writeconf);
zconfig = find_name_in_list_from_map(cfg->nzf_config, "zone",
zonename, redirect);
}
-#else /* HAVE_LMDB */
+#else /* HAVE_LMDB */
if (zconfig == NULL) {
const cfg_obj_t *zlist = NULL;
CHECK(get_newzone_config(view, zonename, &nzconfig));
result = dns_dt_reopen(server->dtenv, backups);
return (result);
-#else /* ifdef HAVE_DNSTAP */
+#else /* ifdef HAVE_DNSTAP */
UNUSED(server);
UNUSED(lex);
UNUSED(text);
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <quoted_string> | none );
+ dot-port <integer>;
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <quoted_string> | none );
+ dot-port <integer>;
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <quoted_string> | none );
+ dot-port <integer>;
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
break;
default:
INSIST(0);
+ ISC_UNREACHABLE();
}
isc__nmsocket_detach(&sock->outer);
}
{ "notify-rate", &cfg_type_uint32, 0 },
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
+ { "dot-port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
{ "random-device", &cfg_type_qstringornone, 0 },
{ "recursing-file", &cfg_type_qstring, 0 },
$(LIBDNS_CFLAGS) \
$(LIBISC_CFLAGS) \
$(LIBNS_CFLAGS) \
- $(LIBUV_CFLAGS)
+ $(LIBUV_CFLAGS) \
+ $(OPENSSL_CFLAGS)
libns_la_LIBADD = \
$(LIBDNS_LIBS) \
$(LIBISC_LIBS) \
- $(LIBUV_LIBS)
+ $(LIBUV_LIBS) \
+ $(OPENSSL_LIBS)
libns_la_LDFLAGS = \
$(AM_LDFLAGS) \
#include <dns/types.h>
+#include <openssl/ssl.h>
+
/***
*** Types
***/
in_port_t port;
isc_dscp_t dscp; /* -1 = not set, 0..63 */
dns_acl_t *acl;
+ SSL_CTX * sslctx;
ISC_LINK(ns_listenelt_t) link;
};
isc_result_t
ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
- dns_acl_t *acl, ns_listenelt_t **target);
+ dns_acl_t *acl, bool tls, const char *key, const char *cert,
+ ns_listenelt_t **target);
/*%<
* Create a listen-on list element.
*/
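Review bot: The new `sslctx` member and the `tls`/`key`/`cert` parameters are undocumented, and ownership matters here because `ns_listenelt_destroy` (elsewhere in this diff) calls `SSL_CTX_free` on the field while the interface manager also receives the pointer through the element. I would annotate the field, `SSL_CTX *sslctx; /* owned by the element; NULL unless tls; freed by ns_listenelt_destroy */` (also dropping the stray space in `SSL_CTX * sslctx`), and extend the `ns_listenelt_create` comment to say that `key` and `cert` are file paths consulted only when `tls` is true and that creation fails if no server context can be built from them. Pulling `<openssl/ssl.h>` into this public header makes every includer of the listen-list API depend on OpenSSL headers and the new `OPENSSL_CFLAGS`; if the netmgr already wraps the context in an opaque type, exposing that instead would keep the dependency inside libns, but I cannot confirm that from this diff.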
return (result);
}
+/*
+ * XXXWPK we should probably pass a complete object with key, cert, and other
+ * TLS related options.
+ */
+static isc_result_t
+ns_interface_listentls(ns_interface_t *ifp, SSL_CTX *sslctx) {
+ isc_result_t result;
+ SSL_CTX *ctx = NULL;
+
+ result = isc_nm_listentlsdns(
+ ifp->mgr->nm, (isc_nmiface_t *)&ifp->addr, ns__client_request,
+ ifp, ns__client_tcpconn, ifp, sizeof(ns_client_t),
+ ifp->mgr->backlog, &ifp->mgr->sctx->tcpquota, sslctx,
+ &ifp->tcplistensocket);
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "creating TLS socket: %s",
+ isc_result_totext(result));
+ SSL_CTX_free(ctx);
+ return (result);
+ }
+
+ /*
+ * We call this now to update the tcp-highwater statistic:
+ * this is necessary because we are adding to the TCP quota just
+ * by listening.
+ */
+ result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "updating TCP stats: %s",
+ isc_result_totext(result));
+ }
+
+ return (result);
+}
+
static isc_result_t
ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
const char *name, ns_interface_t **ifpret, bool accept_tcp,
- isc_dscp_t dscp, bool *addr_in_use) {
+ ns_listenelt_t *elt, bool *addr_in_use) {
isc_result_t result;
ns_interface_t *ifp = NULL;
REQUIRE(ifpret != NULL && *ifpret == NULL);
return (result);
}
- ifp->dscp = dscp;
+ ifp->dscp = elt->dscp;
+
+ if (elt->sslctx != NULL) {
+ result = ns_interface_listentls(ifp, elt->sslctx);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup_interface;
+ }
+ *ifpret = ifp;
+ return (result);
+ }
result = ns_interface_listenudp(ifp);
if (result != ISC_R_SUCCESS) {
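Review bot: In `ns_interface_listentls` the local `SSL_CTX *ctx = NULL;` is never assigned, so `SSL_CTX_free(ctx);` on the error path is a no-op that reads as if the function owned a context; the context actually used is `sslctx`, which belongs to the listen element and is freed by `ns_listenelt_destroy`, so freeing it here would be a double free. I would delete the `ctx` declaration and the `SSL_CTX_free(ctx);` line and replace the XXXWPK note with `/* sslctx is owned by the ns_listenelt_t that configured this interface and must outlive the listener; it is not freed here. */`. Separately, the TLS branch in `ns_interface_setup` returns before `ns_interface_listenudp` and whatever follows it outside the hunk, so `accept_tcp` is ignored and a DoT element yields a TLS-only interface; that looks intended but deserves a one-line comment at `if (elt->sslctx != NULL)`, and `elt` is dereferenced without a `REQUIRE(elt != NULL);` next to the existing `REQUIRE(ifpret ...)`. ns_interface_setup continues past the end of this hunk.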
le->port);
result = ns_interface_setup(mgr, &listen_addr,
"<any>", &ifp, true,
- le->dscp, NULL);
+ le, NULL);
if (result == ISC_R_SUCCESS) {
ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
} else {
result = ns_interface_setup(
mgr, &listen_sockaddr, interface.name,
- &ifp, (adjusting) ? false : true,
- le->dscp, &addr_in_use);
+ &ifp, (adjusting) ? false : true, le,
+ &addr_in_use);
tried_listening = true;
if (!addr_in_use) {
#include <stdbool.h>
#include <isc/mem.h>
+#include <isc/netmgr.h>
#include <isc/util.h>
#include <dns/acl.h>
isc_result_t
ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
- dns_acl_t *acl, ns_listenelt_t **target) {
+ dns_acl_t *acl, bool tls, const char *key, const char *cert,
+ ns_listenelt_t **target) {
ns_listenelt_t *elt = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
REQUIRE(target != NULL && *target == NULL);
elt = isc_mem_get(mctx, sizeof(*elt));
elt->mctx = mctx;
elt->port = port;
elt->dscp = dscp;
elt->acl = acl;
+ elt->sslctx = NULL;
+ if (tls) {
+ result = isc_nm_tls_create_server_ctx(key, cert, &elt->sslctx);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
*target = elt;
return (ISC_R_SUCCESS);
}
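Review bot: `ns_listenelt_create` leaks `elt` when `isc_nm_tls_create_server_ctx` fails: the element was obtained with `isc_mem_get` a few lines earlier and the error path returns without releasing it (the caller's `goto cleanup_acl` still handles `acl`, since this function only stores that pointer). The error return should free the element first, `isc_mem_put(mctx, elt, sizeof(*elt));` before `return (result);`. When `tls` is true, `key` and `cert` are forwarded unchecked; a `REQUIRE(!tls || (key != NULL && cert != NULL));` beside the existing `REQUIRE` would turn a NULL path into a clear assertion rather than whatever the TLS layer does with it.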
if (elt->acl != NULL) {
dns_acl_detach(&elt->acl);
}
+ if (elt->sslctx != NULL) {
+ SSL_CTX_free(elt->sslctx);
+ elt->sslctx = NULL;
+ }
isc_mem_put(elt->mctx, elt, sizeof(*elt));
}
goto cleanup;
}
- result = ns_listenelt_create(mctx, port, dscp, acl, &elt);
+ result = ns_listenelt_create(mctx, port, dscp, acl, false, NULL, NULL,
+ &elt);
if (result != ISC_R_SUCCESS) {
goto cleanup_acl;
}