check port in *-source and *-source-v6 options in named.conf
authorEvan Hunt <each@isc.org>
Tue, 14 Sep 2021 00:55:34 +0000 (17:55 -0700)
committerOndřej Surý <ondrej@isc.org>
Tue, 14 Sep 2021 18:32:10 +0000 (20:32 +0200)
- when transfer-source(-v6), query-source(-v6), notify-source(-v6)
  or parental-source(-v6) are specified with a port number, issue a
  warning.
- when the port specified is the same as the DNS listener port (i.e.,
  53, or whatever was specified as "port" in "options"), issue a fatal
  error.
- check that "port" is in range. (previously this was only checked
  by named, not by named-checkconf.)
- added checkconf tests.
- incidental fix: removed dead code in check.c:bind9_check_namedconf().

(note: if the DNS port is specified on the command line with "named -p",
that is not conveyed to libbind9, so these checks will not take it into
account.)

(cherry picked from commit 14c8d7dfb7fa7143936254c02633a4723c8860b0)

18 files changed:
bin/tests/system/checkconf/bad-notify-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-notify-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-parental-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-parental-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-port.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-transfer-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-transfer-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-notify-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-notify-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-parental-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-parental-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-transfer-source-v6.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-transfer-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/tests.sh
bin/tests/system/checkconf/warn-notify-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/warn-parental-source.conf [new file with mode: 0644]
bin/tests/system/checkconf/warn-transfer-source.conf [new file with mode: 0644]
lib/bind9/check.c

diff --git a/bin/tests/system/checkconf/bad-notify-source-v6.conf b/bin/tests/system/checkconf/bad-notify-source-v6.conf
new file mode 100644 (file)
index 0000000..d25eaf4
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source.conf b/bin/tests/system/checkconf/bad-notify-source.conf
new file mode 100644 (file)
index 0000000..16d9eec
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       notify-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source-v6.conf b/bin/tests/system/checkconf/bad-parental-source-v6.conf
new file mode 100644 (file)
index 0000000..4112838
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source.conf b/bin/tests/system/checkconf/bad-parental-source.conf
new file mode 100644 (file)
index 0000000..4d1b27a
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       parental-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-port.conf b/bin/tests/system/checkconf/bad-port.conf
new file mode 100644 (file)
index 0000000..76677df
--- /dev/null
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 99999;
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source-v6.conf b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
new file mode 100644 (file)
index 0000000..7464758
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source.conf b/bin/tests/system/checkconf/bad-transfer-source.conf
new file mode 100644 (file)
index 0000000..54e348f
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       transfer-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source-v6.conf b/bin/tests/system/checkconf/good-notify-source-v6.conf
new file mode 100644 (file)
index 0000000..2f9558e
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       notify-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source.conf b/bin/tests/system/checkconf/good-notify-source.conf
new file mode 100644 (file)
index 0000000..36c67c0
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       notify-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source-v6.conf b/bin/tests/system/checkconf/good-parental-source-v6.conf
new file mode 100644 (file)
index 0000000..82a0521
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       parental-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source.conf b/bin/tests/system/checkconf/good-parental-source.conf
new file mode 100644 (file)
index 0000000..4873975
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       parental-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source-v6.conf b/bin/tests/system/checkconf/good-transfer-source-v6.conf
new file mode 100644 (file)
index 0000000..2cb1330
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       transfer-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source.conf b/bin/tests/system/checkconf/good-transfer-source.conf
new file mode 100644 (file)
index 0000000..5273457
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       transfer-source 10.53.0.1;
+};
index 6c5625b51f3b950f2f736071dc8968f2902cd3b2..0359795ae88295729f0fe6b4a75ba0b50d6814e7 100644 (file)
@@ -400,6 +400,7 @@ echo_i "check that named-checkconf -l prints out the zone list ($n)"
 ret=0
 $CHECKCONF -l good.conf |
 grep -v "is not implemented" |
+grep -v "is not recommended" |
 grep -v "no longer exists" |
 grep -v "is obsolete" > checkconf.out$n || ret=1
 diff good.zonelist checkconf.out$n > diff.out$n || ret=1
@@ -570,6 +571,18 @@ grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that *-source options with specified port generate warnings ($n)"
+ret=0
+$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
 rmdir keys
 
 echo_i "exit status: $status"
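Review bot: The three $CHECKCONF runs in the new warning test all redirect into `checkconf.out$n`, so when the test fails only the output of the last run is left for diagnosis; one output file per config (or one `n` increment per config) would keep them apart. The warn-* fixtures have no -v6 counterparts although the bad-* and good-* fixtures come in v4/v6 pairs, and none of the new fixtures exercises query-source. Each grep matches only "not recommended", so the test would still pass if the warning named the wrong option; matching the option name as well would pin that down.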
diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/warn-notify-source.conf
new file mode 100644 (file)
index 0000000..523844d
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       notify-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/warn-parental-source.conf
new file mode 100644 (file)
index 0000000..1cc73b7
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       parental-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/warn-transfer-source.conf
new file mode 100644 (file)
index 0000000..8def281
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port 5300;
+};
+
+zone example {
+       type secondary;
+       primaries { 1.2.3.4; };
+       transfer-source 10.53.0.1 port 100;
+};
index f8cdd1077c4254ade75f461838d9f9add09b21d3..8abdcdffa41a04b96807f7940f222cbe26cc6b38 100644 (file)
@@ -67,6 +67,8 @@
 
 #include <bind9/check.h>
 
+static in_port_t dnsport = 53;
+
 static isc_result_t
 fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
          isc_log_t *logctxlogc);
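Review bot: `dnsport` is file-scope state that is written only when an `options` block actually contains `port`, so a value recorded by one check carries over into the next. check_port(), added further down in this file, returns early without touching `*portp` when the option is absent; a process that checks a configuration with `port 5300` and later one without `port` would keep comparing sources against 5300. Whether the library is called more than once per process is not visible here, but resetting the value first, e.g. `dnsport = 53;` directly before `check_port(options, logctx, "port", &dnsport)`, or passing the port down as a parameter, removes the dependency. A comment on the declaration stating who writes it and that the zone and server checks rely on the options check having run first would also help.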
@@ -902,6 +904,30 @@ kasp_name_allowed(const cfg_listelt_t *element) {
        return (true);
 }
 
+static isc_result_t
+check_port(const cfg_obj_t *options, isc_log_t *logctx, const char *type,
+          in_port_t *portp) {
+       const cfg_obj_t *portobj = NULL;
+       isc_result_t result;
+
+       result = cfg_map_get(options, type, &portobj);
+       if (result != ISC_R_SUCCESS) {
+               return (ISC_R_SUCCESS);
+       }
+
+       if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
+               cfg_obj_log(portobj, logctx, ISC_LOG_ERROR,
+                           "port '%u' out of range",
+                           cfg_obj_asuint32(portobj));
+               return (ISC_R_RANGE);
+       }
+
+       if (portp != NULL) {
+               *portp = (in_port_t)cfg_obj_asuint32(portobj);
+       }
+       return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
              optlevel_t optlevel) {
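Review bot: The range test `cfg_obj_asuint32(portobj) >= UINT16_MAX` in check_port() rejects 65535 as well as the values above it, so the highest valid port number is reported as out of range. If that is deliberate, for example to match what named itself accepts, a comment should say so; otherwise the condition should be `if (cfg_obj_asuint32(portobj) > UINT16_MAX) {`. bad-port.conf uses 99999, so the boundary is not exercised by the new tests. Reading the value once into a local `uint32_t` would also replace the three repeated cfg_obj_asuint32() calls.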
@@ -917,6 +943,10 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
        uint32_t lifetime = 3600;
        bool has_dnssecpolicy = false;
        const char *ccalg = "siphash24";
+       static const char *sources[] = {
+               "query-source",
+               "query-source-v6",
+       };
 
        /*
         * { "name", scale, value }
@@ -961,6 +991,57 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
        };
 #endif /* ifdef HAVE_DNSTAP */
 
+       if (optlevel == optlevel_options) {
+               /*
+                * Check port values, and record "port" for later use.
+                */
+               tresult = check_port(options, logctx, "port", &dnsport);
+               if (tresult != ISC_R_SUCCESS) {
+                       result = tresult;
+               }
+               tresult = check_port(options, logctx, "tls-port", NULL);
+               if (tresult != ISC_R_SUCCESS) {
+                       result = tresult;
+               }
+               tresult = check_port(options, logctx, "http-port", NULL);
+               if (tresult != ISC_R_SUCCESS) {
+                       result = tresult;
+               }
+               tresult = check_port(options, logctx, "https-port", NULL);
+               if (tresult != ISC_R_SUCCESS) {
+                       result = tresult;
+               }
+       }
+
+       if (optlevel == optlevel_options || optlevel == optlevel_view) {
+               /*
+                * Warn if query-source or query-source-v6 options specify
+                * a port, and fail if they specify the DNS port.
+                */
+               for (i = 0; i < ARRAY_SIZE(sources); i++) {
+                       obj = NULL;
+                       (void)cfg_map_get(options, sources[i], &obj);
+                       if (obj != NULL) {
+                               const isc_sockaddr_t *sa =
+                                       cfg_obj_assockaddr(obj);
+                               in_port_t port = isc_sockaddr_getport(sa);
+                               if (port == dnsport) {
+                                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                                   "'%s' cannot specify the "
+                                                   "DNS listener port (%d)",
+                                                   sources[i], port);
+                                       result = ISC_R_FAILURE;
+                               } else if (port != 0) {
+                                       cfg_obj_log(obj, logctx,
+                                                   ISC_LOG_WARNING,
+                                                   "'%s': specifying a port "
+                                                   "is not recommended",
+                                                   sources[i]);
+                               }
+                       }
+               }
+       }
+
        /*
         * Check that fields specified in units of time other than seconds
         * have reasonable values.
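Review bot: In the query-source loop `port == dnsport` is tested before `port != 0`, so an address with no port (presumably reported as 0, given the warning branch) is only told apart from the listener port while dnsport is nonzero. check_port() accepts `port 0`, and with that setting every query-source without a port would take the error branch; `if (port != 0 && port == dnsport) {` closes that gap. The same ordering is repeated in the check_zoneconf() and check_servers() hunks below. As the three copies differ only in the option name, a small static helper taking `obj`, `logctx` and the name would keep the messages and the ordering in step, and the four check_port() calls above could likewise loop over a table of option names.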
@@ -2281,13 +2362,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                "allow-update",
                "allow-update-forwarding",
        };
-
        static optionstable dialups[] = {
                { "notify", CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
                { "notify-passive", CFG_ZONE_SECONDARY },
                { "passive", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
                { "refresh", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
        };
+       static const char *sources[] = {
+               "transfer-source",  "transfer-source-v6", "notify-source",
+               "notify-source-v6", "parental-source",    "parental-source-v6",
+       };
 
        znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 
@@ -2565,7 +2649,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        /*
         * Check that ACLs expand correctly.
         */
-       for (i = 0; i < (sizeof(acls) / sizeof(acls[0])); i++) {
+       for (i = 0; i < ARRAY_SIZE(acls); i++) {
                tresult = checkacl(acls[i], actx, zconfig, voptions, config,
                                   logctx, mctx);
                if (tresult != ISC_R_SUCCESS) {
@@ -2584,8 +2668,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        }
 
        /*
-        * Master, slave, and mirror zones may have an "also-notify" field, but
-        * shouldn't if notify is disabled.
+        * Primary, secondary, and mirror zones may have an "also-notify"
+        * field, but shouldn't if notify is disabled.
         */
        if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY ||
            ztype == CFG_ZONE_MIRROR)
@@ -2640,9 +2724,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        }
 
        /*
-        * Slave, mirror, and stub zones must have a "primaries" field, with one
-        * exception: when mirroring the root zone, a default, built-in master
-        * server list is used in the absence of one explicitly specified.
+        * Secondary, mirror, and stub zones must have a "primaries" field,
+        * with one exception: when mirroring the root zone, a default,
+        * built-in primary server list is used in the absence of one
+        * explicitly specified.
         */
        if (ztype == CFG_ZONE_SECONDARY || ztype == CFG_ZONE_STUB ||
            (ztype == CFG_ZONE_MIRROR && zname != NULL &&
@@ -2688,6 +2773,34 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                }
        }
 
+       /*
+        * Warn if *-source and *-source-v6 options specify a port,
+        * and fail if they specify the default listener port.
+        */
+       for (i = 0; i < ARRAY_SIZE(sources); i++) {
+               obj = NULL;
+               (void)cfg_map_get(zoptions, sources[i], &obj);
+               if (obj == NULL && goptions != NULL) {
+                       (void)cfg_map_get(goptions, sources[i], &obj);
+               }
+               if (obj != NULL) {
+                       in_port_t port =
+                               isc_sockaddr_getport(cfg_obj_assockaddr(obj));
+                       if (port == dnsport) {
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "'%s' cannot specify the "
+                                           "DNS listener port (%d)",
+                                           sources[i], port);
+                               result = ISC_R_FAILURE;
+                       } else if (port != 0) {
+                               cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+                                           "'%s': specifying a port is "
+                                           "not recommended",
+                                           sources[i]);
+                       }
+               }
+       }
+
        /*
         * Primary and secondary zones that have a "parental-agents" field,
         * must have a corresponding "parental-agents" clause.
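Review bot: The lookup in this loop goes from `zoptions` straight to `goptions` and never consults `voptions`, which check_zoneconf() receives as a parameter, so a transfer-source, notify-source or parental-source set in a view does not appear to be checked here; the check_options() hunk covers only the query-source names at view level. Assuming `voptions` is an options map like `goptions`, adding `if (obj == NULL && voptions != NULL) { (void)cfg_map_get(voptions, sources[i], &obj); }` between the two existing lookups would cover it. Because the fallback object comes from the global options, the same message is also logged once for every zone that inherits it. The comment says "default listener port" while the code compares against `dnsport`, the configured one, so `the configured DNS listener port` would be more accurate. The function body extends beyond this hunk.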
@@ -2729,7 +2842,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        }
 
        /*
-        * Master zones can't have both "allow-update" and "update-policy".
+        * Primary zones can't have both "allow-update" and "update-policy".
         */
        if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY) {
                bool signing = false;
@@ -3146,8 +3259,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        }
 
        /*
-        * If the zone type is rbt/rbt64 then master/hint zones require file
-        * clauses. If inline-signing is used, then slave zones require a
+        * If the zone type is rbt/rbt64 then primary/hint zones require file
+        * clauses. If inline-signing is used, then secondary zones require a
         * file clause as well.
         */
        obj = NULL;
@@ -3470,15 +3583,6 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_mem_t *mctx,
        return (result);
 }
 
-static struct {
-       const char *v4;
-       const char *v6;
-} sources[] = { { "transfer-source", "transfer-source-v6" },
-               { "notify-source", "notify-source-v6" },
-               { "parental-source", "parental-source-v6" },
-               { "query-source", "query-source-v6" },
-               { NULL, NULL } };
-
 /*
  * RNDC keys are not normalised unlike TSIG keys.
  *
@@ -3506,6 +3610,15 @@ rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
        return (false);
 }
 
+static struct {
+       const char *v4;
+       const char *v6;
+} sources[] = { { "transfer-source", "transfer-source-v6" },
+               { "notify-source", "notify-source-v6" },
+               { "parental-source", "parental-source-v6" },
+               { "query-source", "query-source-v6" },
+               { NULL, NULL } };
+
 static isc_result_t
 check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
              isc_symtab_t *symtab, isc_log_t *logctx) {
@@ -3555,6 +3668,10 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
                }
                source = 0;
                do {
+                       /*
+                        * For a v6 server we can't specify a v4 source,
+                        * and vice versa.
+                        */
                        obj = NULL;
                        if (n1.family == AF_INET) {
                                xfr = sources[source].v6;
@@ -3569,6 +3686,31 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
                                            p1, xfr);
                                result = ISC_R_FAILURE;
                        }
+
+                       /*
+                        * Check that we aren't using the DNS
+                        * listener port (i.e. 53, or whatever was set
+                        * as "port" in options) as a source port.
+                        */
+                       obj = NULL;
+                       if (n1.family == AF_INET) {
+                               xfr = sources[source].v4;
+                       } else {
+                               xfr = sources[source].v6;
+                       }
+                       (void)cfg_map_get(v1, xfr, &obj);
+                       if (obj != NULL) {
+                               const isc_sockaddr_t *sa =
+                                       cfg_obj_assockaddr(obj);
+                               in_port_t port = isc_sockaddr_getport(sa);
+                               if (port == dnsport) {
+                                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                                   "'%s' cannot specify the "
+                                                   "DNS listener port (%d)",
+                                                   xfr, port);
+                                       result = ISC_R_FAILURE;
+                               }
+                       }
                } while (sources[++source].v4 != NULL);
                e2 = e1;
                while ((e2 = cfg_list_next(e2)) != NULL) {
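Review bot: The new block in check_servers() reports only `port == dnsport`; any other nonzero source port in a server clause passes silently, while the check_options() and check_zoneconf() hunks log "specifying a port is not recommended" for the same option names. If the omission is intentional, the comment above the block should say so; otherwise add the same `else if (port != 0)` warning branch here. The enclosing do/while loop starts outside this hunk.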
@@ -5028,8 +5170,7 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
        const cfg_obj_t *options = NULL;
        const cfg_obj_t *views = NULL;
        const cfg_obj_t *acls = NULL;
-       const cfg_obj_t *kals = NULL;
-       const cfg_obj_t *obj;
+       const cfg_obj_t *obj = NULL;
        const cfg_listelt_t *velement;
        isc_result_t result = ISC_R_SUCCESS;
        isc_result_t tresult;
@@ -5271,43 +5412,6 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
                }
        }
 
-       tresult = cfg_map_get(config, "kal", &kals);
-       if (tresult == ISC_R_SUCCESS) {
-               const cfg_listelt_t *elt;
-               const cfg_listelt_t *elt2;
-               const char *aclname;
-
-               for (elt = cfg_list_first(kals); elt != NULL;
-                    elt = cfg_list_next(elt)) {
-                       const cfg_obj_t *acl = cfg_listelt_value(elt);
-
-                       aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-
-                       for (elt2 = cfg_list_next(elt); elt2 != NULL;
-                            elt2 = cfg_list_next(elt2)) {
-                               const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
-                               const char *name;
-                               name = cfg_obj_asstring(
-                                       cfg_tuple_get(acl2, "name"));
-                               if (strcasecmp(aclname, name) == 0) {
-                                       const char *file = cfg_obj_file(acl);
-                                       unsigned int line = cfg_obj_line(acl);
-
-                                       if (file == NULL) {
-                                               file = "<unknown file>";
-                                       }
-
-                                       cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
-                                                   "attempt to redefine "
-                                                   "kal '%s' previous "
-                                                   "definition: %s:%u",
-                                                   name, file, line);
-                                       result = ISC_R_FAILURE;
-                               }
-                       }
-               }
-       }
-
 cleanup:
        if (symtab != NULL) {
                isc_symtab_destroy(&symtab);