+3496. [func] Improvements to RPZ performance. The "response-policy"
+ syntax now includes a "min-ns-dots" clause, with
+ default 1, to exclude top-level domains from
+ NSIP and NSDNAME checking. --enable-rpz-nsip and
+ --enable-rpz-nsdname are now the default. [RT #32251]
+
3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
contributed by Mark Goldfinch. [RT #32549]
dns_nsstatscounter_updatefail = 34,
dns_nsstatscounter_updatebadprereq = 35,
- dns_nsstatscounter_max = 36
+ dns_nsstatscounter_rpz_rewrites = 36,
+
+ dns_nsstatscounter_max = 37
};
void
}
static void
-rpz_log_rewrite(ns_client_t *client, const char *disabled,
+rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
dns_rpz_policy_t policy, dns_rpz_type_t type,
- dns_name_t *rpz_qname) {
+ dns_zone_t *zone, dns_name_t *rpz_qname)
+{
+ isc_stats_t *zonestats;
char qname_buf[DNS_NAME_FORMATSIZE];
char rpz_qname_buf[DNS_NAME_FORMATSIZE];
+ /*
+ * Count enabled rewrites in the global counter.
+ * Count both enabled and disabled rewrites for each zone.
+ */
+ if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_rpz_rewrites);
+ }
+ if (zone != NULL) {
+ zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL)
+ isc_stats_increment(zonestats,
+ dns_nsstatscounter_rpz_rewrites);
+ }
+
if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
return;
ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
- disabled,
+ disabled ? "disabled " : "",
dns_rpz_type2str(type), dns_rpz_policy2str(policy),
qname_buf, rpz_qname_buf);
}
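Review bot: The comment at L28-31 understates what the guard at L32 does: the global counter skips disabled hits and also DNS_RPZ_POLICY_PASSTHRU hits, while the per-zone counter at L36-41 counts disabled and passthru hits alike, so the two counters are not "the same thing split by zone". Spell that out so the statistics are read correctly, e.g. `* Count enabled, non-passthru rewrites in the global counter;` / `* count every hit (including disabled and passthru) per zone.` Counting before the isc_log_wouldlog() early return at L43 is presumably intentional (stats must not depend on log level); a short note saying so would stop the next reader from "fixing" it.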
if (!isc_log_wouldlog(ns_g_lctx, level))
return;
+ /*
+ * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+ */
dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
dns_name_format(name, namebuf2, sizeof(namebuf2));
ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
rdatasetp, resuming);
switch (result) {
case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
break;
case DNS_R_EMPTYNAME:
result = DNS_R_CNAME;
}
break;
+ case DNS_R_NXRRSET:
+ policy = DNS_RPZ_POLICY_NODATA;
+ break;
case DNS_R_DNAME:
/*
* DNAME policy RRs have very few if any uses that are not
* better served with simple wildcards. Making the work would
* require complications to get the number of labels matched
* in the name or the found name to the main DNS_R_DNAME case
- * in query_find(). So fall through to treat them as NODATA.
+ * in query_find().
+ */
+ dns_rdataset_disassociate(*rdatasetp);
+ dns_db_detachnode(*dbp, nodep);
+ /*
+ * Fall through to treat it as a miss.
*/
- case DNS_R_NXRRSET:
- policy = DNS_RPZ_POLICY_NODATA;
- break;
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
/*
* If we don't get a qname hit,
* see if it is worth looking for other types.
*/
- dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+ (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
dns_db_detach(dbp);
dns_zone_detach(zonep);
+ result = DNS_R_NXDOMAIN;
policy = DNS_RPZ_POLICY_MISS;
break;
default:
dns_zone_detach(zonep);
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
"", result);
- policy = DNS_RPZ_POLICY_ERROR;
- result = DNS_R_SERVFAIL;
- break;
+ return (DNS_R_SERVFAIL);
}
*policyp = policy;
if (result == ISC_R_SUCCESS)
break;
INSIST(result == DNS_R_NAMETOOLONG);
+ /*
+ * Trim the name until it is not too long.
+ */
labels = dns_name_countlabels(prefix);
if (labels < 2) {
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
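Review bot: The default case at L104-111 now returns DNS_R_SERVFAIL before `*policyp = policy;` at L113 runs, so on that path *policyp keeps whatever the caller passed in; the removed lines set it to DNS_RPZ_POLICY_ERROR first. The visible caller at L128-129 only calls rpz_clean() on SERVFAIL, but any caller that inspects the policy after an error would see a stale value. Either set `*policyp = DNS_RPZ_POLICY_ERROR;` before `return (DNS_R_SERVFAIL);` or document at the top of the function that *policyp is only written on non-error returns. The enclosing function starts before this hunk, so I cannot see its contract comment.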
rdatasetp, &policy);
switch (result) {
case DNS_R_NXDOMAIN:
- case DNS_R_EMPTYNAME:
break;
case DNS_R_SERVFAIL:
rpz_clean(&zone, &db, &node, rdatasetp);
(st->m.type == rpz_type &&
0 >= dns_name_compare(rpz_qname, st->qname))))
continue;
-
+#if 0
+ /*
+ * This code would block a customer reported information
+ * leak of rpz rules by rewriting requests in the
+ * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
+ * Without this code, a bad guy could request
+ * 24.0.3.2.10.rpz-ip. to find the policy rule for
+ * 10.2.3.0/14. It is an insignificant leak and this
+ * code is not worth its cost, because the bad guy
+ * could publish "evil.com A 10.2.3.4" and request
+ * evil.com to get the same information.
+ * Keep code with "#if 0" in case customer demand
+ * is irresistible.
+ *
+ * We have the less frequent case of a triggered
+ * policy. Check that we have not trigger on one
+ * of the pretend RPZ TLDs.
+ * This test would make it impossible to rewrite
+ * names in TLDs that start with "rpz-" should
+ * ICANN ever allow such TLDs.
+ */
+ labels = dns_name_countlabels(qname);
+ if (labels >= 2) {
+ dns_label_t label;
+
+ dns_name_getlabel(qname, labels-2, &label);
+ if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
+ strncasecmp((const char *)label.base+1,
+ DNS_RPZ_PREFIX,
+ sizeof(DNS_RPZ_PREFIX)-1) == 0)
+ continue;
+ }
+#endif
/*
* Merely log DNS_RPZ_POLICY_DISABLED hits.
*/
if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
- rpz_log_rewrite(client, "disabled ",
- policy, rpz_type, rpz_qname);
+ rpz_log_rewrite(client, ISC_TRUE, policy,
+ rpz_type, zone, rpz_qname);
continue;
}
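Review bot: The `#if 0` block at L134-166 is code the compiler never type-checks, so it will rot silently: it depends on `labels`, `DNS_RPZ_PREFIX` and strncasecmp() being in scope and on `label.base+1` being the right offset past the length byte, none of which will be caught when those change. The decision recorded in the comment is the valuable part; a reviewer would keep that and leave the code to version history, e.g. `/* Lookups in the rpz-ip, rpz-nsip, rpz-nsdname and rpz-passthru pseudo-TLDs are deliberately not blocked: the same information is available by publishing and resolving a name. */`. If the code must stay, at least note which revision it was tested against, since "customer demand" may arrive years later.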
rdataset = NULL;
if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
/*
- * Check rules for the query name if this it the first time
+ * Check rules for the query name if this is the first time
* for the current qname, i.e. we've not been recursing.
* There is a first time for each name in a CNAME chain.
*/
dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
- while (st->r.label > 1) {
+ while (st->r.label > client->view->rpz_min_ns_labels) {
/*
* Get NS rrset for each domain in the current qname.
*/
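Review bot: The new loop bound at L188 reads `client->view->rpz_min_ns_labels`, which is derived elsewhere in this commit as `min-ns-dots + 1` with a default of 2 (L434-438); neither the "+1" nor the reason for stopping before the top-level domain is visible at this call site. A one-line comment keeps the two places in sync, e.g. `/* rpz_min_ns_labels is min-ns-dots + 1; stop before the TLD so NSIP/NSDNAME checks skip TLD name servers (see "min-ns-dots") */`. The enclosing function starts and ends outside this hunk.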
st->m.policy == DNS_RPZ_POLICY_ERROR) {
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
result != DNS_R_DELEGATION)
- rpz_log_rewrite(client, "", st->m.policy, st->m.type,
- st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+ st->m.type, st->m.zone, st->qname);
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
}
/*
- * See if response policy zone rewriting is allowed a lack of interest
+ * See if response policy zone rewriting is allowed by a lack of interest
* by the client in DNSSEC or a lack of signatures.
*/
static isc_boolean_t
fname, dns_trust_authanswer, st->m.ttl);
if (result != ISC_R_SUCCESS)
return (result);
- rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+ st->m.type, st->m.zone, st->qname);
ns_client_qnamereplace(client, fname);
/*
* Turn off DNSSEC because the results of a
query_putrdataset(client, &sigrdataset);
rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
- rpz_log_rewrite(client, "", rpz_st->m.policy,
- rpz_st->m.type, rpz_st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+ rpz_st->m.type, zone, rpz_st->qname);
}
}
return (result);
}
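Review bot: The call at L223-224 passes `zone` as the policy zone for the per-zone rewrite counter, whereas the other updated call sites (L173-174, L197-198, L213-214) pass `st->m.zone`. If at this point in query_find() `zone` has not yet been replaced by the policy zone (I cannot see that from the hunk), the DNS_R_NXDOMAIN rewrite would be counted against the zone being queried rather than the policy zone. Either pass `rpz_st->m.zone` here too, or add a comment such as `/* zone is already the policy zone here (rpz_st->m.zone was moved into it above) */` so the asymmetry reads as intended. The enclosing function starts before this hunk.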
+static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+ const char *str, const char *msg)
+{
+ isc_result_t result;
+
+ result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid %s '%s'", msg, str);
+ return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+ const char *str, const dns_name_t *origin)
+{
+ isc_result_t result;
+
+ result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+ view->mctx);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid zone '%s'", str);
+ return (result);
+}
+
static isc_result_t
configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
{
- const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+ const cfg_obj_t *rpz_obj, *obj;
const char *str;
dns_rpz_zone_t *old, *new;
- dns_zone_t *zone = NULL;
isc_result_t result;
+ rpz_obj = cfg_listelt_value(element);
+
new = isc_mem_get(view->mctx, sizeof(*new));
if (new == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "no memory for response policy zones");
+ return (ISC_R_NOMEMORY);
}
memset(new, 0, sizeof(*new));
dns_name_init(&new->origin, NULL);
dns_name_init(&new->nsdname, NULL);
- dns_name_init(&new->cname, NULL);
dns_name_init(&new->passthru, NULL);
+ dns_name_init(&new->cname, NULL);
ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
- rpz_obj = cfg_listelt_value(element);
- policy_obj = cfg_tuple_get(rpz_obj, "policy");
- if (cfg_obj_isvoid(policy_obj)) {
- new->policy = DNS_RPZ_POLICY_GIVEN;
- } else {
- str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
- "policy name"));
- new->policy = dns_rpz_str2policy(str);
- INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
- }
-
obj = cfg_tuple_get(rpz_obj, "recursive-only");
if (cfg_obj_isvoid(obj)) {
new->recursive_only = recursive_only_def;
}
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
- result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
- view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
- &new->origin, DNS_NAME_DOWNCASE,
- view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
- DNS_NAME_DOWNCASE, view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_view_findzone(view, &new->origin, &zone);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "unknown zone '%s'", str);
- goto cleanup;
- }
- if (dns_zone_gettype(zone) != dns_zone_master &&
- dns_zone_gettype(zone) != dns_zone_slave) {
+ result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (dns_name_equal(&new->origin, dns_rootname)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "zone '%s' is neither master nor slave", str);
- dns_zone_detach(&zone);
- result = DNS_R_NOTMASTER;
- goto cleanup;
+ "invalid zone name '%s'", str);
+ return (DNS_R_EMPTYLABEL);
}
- dns_zone_detach(&zone);
-
for (old = ISC_LIST_HEAD(view->rpz_zones);
old != new;
old = ISC_LIST_NEXT(old, link)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"duplicate '%s'", str);
result = DNS_R_DUPLICATE;
- goto cleanup;
+ return (result);
}
}
- if (new->policy == DNS_RPZ_POLICY_CNAME) {
- str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
- result = dns_name_fromstring(&new->cname, str,
- DNS_NAME_DOWNCASE, view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid cname '%s'", str);
- goto cleanup;
+ result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
+ DNS_RPZ_NSDNAME_ZONE, &new->origin);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = configure_rpz_name(view, rpz_obj, &new->passthru,
+ DNS_RPZ_PASSTHRU_ZONE, "zone");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = cfg_tuple_get(rpz_obj, "policy");
+ if (cfg_obj_isvoid(obj)) {
+ new->policy = DNS_RPZ_POLICY_GIVEN;
+ } else {
+ str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+ new->policy = dns_rpz_str2policy(str);
+ INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+ if (new->policy == DNS_RPZ_POLICY_CNAME) {
+ str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+ result = configure_rpz_name(view, rpz_obj, &new->cname,
+ str, "cname");
+ if (result != ISC_R_SUCCESS)
+ return (result);
}
}
return (ISC_R_SUCCESS);
-
- cleanup:
- dns_rpz_view_destroy(view);
- return (result);
}
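Review bot: Every early `return` in configure_rpz (L274, L334, L342, L353, L367, L372, L386) now leaves the partially-initialised `new` on `view->rpz_zones`, since it is appended at L282 before any validation and the old `cleanup:` label that called dns_rpz_view_destroy(view) is gone. That is fine only if the caller always destroys the view on error and dns_rpz_view_destroy() tolerates entries whose names were only dns_name_init()ed and whose `policy`, `nsdname` and `passthru` were never set; both hold as far as L445 shows, but the ownership is now implicit. Add a comment above the first early return, e.g. `/* new stays on view->rpz_zones; the caller destroys the view on failure */`. Also note configure_rpz_name2 at L250-252 logs only the relative string ("rpz-nsdname"), not the origin it failed against, which is what an operator would need to find the bad zone name.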
/*
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
unsigned int query_timeout, ndisp;
struct cfg_context *nzctx;
+ dns_rpz_zone_t *rpz;
REQUIRE(DNS_VIEW_VALID(view));
&view->queryacl));
}
+ /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+ */
+ obj = NULL;
+ if (view->rdclass == dns_rdataclass_in && need_hints &&
+ ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+ const cfg_obj_t *rpz_obj;
+ isc_boolean_t recursive_only_def;
+ dns_ttl_t ttl_def;
+
+ rpz_obj = cfg_tuple_get(obj, "recursive-only");
+ if (!cfg_obj_isvoid(rpz_obj) &&
+ !cfg_obj_asboolean(rpz_obj))
+ recursive_only_def = ISC_FALSE;
+ else
+ recursive_only_def = ISC_TRUE;
+
+ rpz_obj = cfg_tuple_get(obj, "break-dnssec");
+ if (!cfg_obj_isvoid(rpz_obj) &&
+ cfg_obj_asboolean(rpz_obj))
+ view->rpz_break_dnssec = ISC_TRUE;
+ else
+ view->rpz_break_dnssec = ISC_FALSE;
+
+ rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
+ if (cfg_obj_isuint32(rpz_obj))
+ ttl_def = cfg_obj_asuint32(rpz_obj);
+ else
+ ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+ rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
+ if (cfg_obj_isuint32(rpz_obj))
+ view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
+ else
+ view->rpz_min_ns_labels = 2;
+
+ element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+ while (element != NULL) {
+ result = configure_rpz(view, element,
+ recursive_only_def, ttl_def);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ element = cfg_list_next(element);
+ }
+ }
+
/*
* Configure the zones.
*/
actx, ISC_FALSE));
}
+ for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link))
+ {
+ if (!rpz->defined) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "'%s' is not a master or slave zone",
+ namebuf);
+ result = ISC_R_NOTFOUND;
+ goto cleanup;
+ }
+ }
+
/*
* If we're allowing added zones, then load zone configuration
* from the newzone file for zones that were added during previous
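Review bot: The message at L464, "is not a master or slave zone", is emitted whenever `rpz->defined` was never set, but `defined` is set in configure_zone (L538-540) for any zone whose origin matches, without looking at the zone type; the master/slave check that this commit removes from configure_rpz (L330-340) does not reappear anywhere visible. If configure_zone can be reached for other zone types (stub, for example — I cannot tell from the hunk), such a zone would pass this loop and the wording would be wrong for the zones it does catch. Either re-check the type where `defined` is set, or reword to what is actually tested: `"'%s' is configured as a response policy zone but not as a zone in this view"`.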
}
}
- /*
- * Make the list of response policy zone names for views that
- * are used for real lookups and so care about hints.
- */
- obj = NULL;
- if (view->rdclass == dns_rdataclass_in && need_hints &&
- ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
- const cfg_obj_t *recursive_only_obj;
- const cfg_obj_t *break_dnssec_obj, *ttl_obj;
- isc_boolean_t recursive_only_def;
- dns_ttl_t ttl_def;
-
- recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
- if (!cfg_obj_isvoid(recursive_only_obj) &&
- !cfg_obj_asboolean(recursive_only_obj))
- recursive_only_def = ISC_FALSE;
- else
- recursive_only_def = ISC_TRUE;
-
- break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
- if (!cfg_obj_isvoid(break_dnssec_obj) &&
- cfg_obj_asboolean(break_dnssec_obj))
- view->rpz_break_dnssec = ISC_TRUE;
- else
- view->rpz_break_dnssec = ISC_FALSE;
-
- ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
- if (cfg_obj_isuint32(ttl_obj))
- ttl_def = cfg_obj_asuint32(ttl_obj);
- else
- ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
- for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
- element != NULL;
- element = cfg_list_next(element)) {
- result = configure_rpz(view, element,
- recursive_only_def, ttl_def);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rpz_set_need(ISC_TRUE);
- }
- }
-
result = ISC_R_SUCCESS;
cleanup:
const char *zname;
dns_rdataclass_t zclass;
const char *ztypestr;
+ isc_boolean_t is_rpz;
+ dns_rpz_zone_t *rpz;
options = NULL;
(void)cfg_map_get(config, "options", &options);
}
INSIST(dupzone == NULL);
+ /*
+ * Note whether this is a response policy zone.
+ */
+ is_rpz = ISC_FALSE;
+ for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link))
+ {
+ if (dns_name_equal(&rpz->origin, origin)) {
+ is_rpz = ISC_TRUE;
+ rpz->defined = ISC_TRUE;
+ break;
+ }
+ }
+
/*
* See if we can reuse an existing zone. This is
* only possible if all of these are true:
* - The zone is compatible with the config
* options (e.g., an existing master zone cannot
* be reused if the options specify a slave zone)
+ * - The zone was and is or was not and is not a policy zone
*/
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
if (zone != NULL && !ns_zone_reusable(zone, zconfig))
dns_zone_detach(&zone);
+ if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
+ dns_zone_detach(&zone);
+
if (zone != NULL) {
/*
* We found a reusable zone. Make it use the
dns_zone_setstats(zone, ns_g_server->zonestats);
}
+ if (is_rpz) {
+ result = dns_zone_rpz_enable(zone);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "zone '%s': incompatible"
+ " masterfile-format or database"
+ " for a response policy zone",
+ zname);
+ goto cleanup;
+ }
+ }
+
/*
* If the zone contains a 'forwarders' statement, configure
* selective forwarding.
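Review bot: The error log at L568-573 discards the reason dns_zone_rpz_enable() failed; the two causes named in the text are guesses the operator then has to check by hand. Append the result code so the log is actionable, `"zone '%s': incompatible masterfile-format or database for a response policy zone: %s", zname, isc_result_totext(result)`. Also worth a comment at L565 that the call is made for reused zones as well (L557-558 only guarantees the old zone was already an RPZ), so dns_zone_rpz_enable() must be safe to call twice on the same zone; if it is not, guard it with `!dns_zone_get_rpz(zone)`. The enclosing function starts before this hunk.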
SET_NSSTATDESC(updatebadprereq,
"updates rejected due to prerequisite failure",
"UpdateBadPrereq");
+ SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+ "RPZRewrites");
INSIST(i == dns_nsstatscounter_max);
/* Initialize resolver statistics */
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.3 2011/01/13 04:59:24 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.6 2012/01/07 23:46:53 tbox Exp $
# Clean up after rpz tests.
-rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns*/*.key ns*/*.private ns2/tld2s.db
rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
-rm -f */named.memstats */named.run */named.rpz */session.key
+rm -f */named.memstats */named.run */named.stats */session.key
rm -f */*.jnl */*.core */*.pid
/*
- * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2011/01/13 04:59:24 tbox Exp $ */
controls { /* empty */ };
-; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.6 2012/01/07 23:46:53 tbox Exp $
$TTL 120
-@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
-@ NS ns.
+. SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+ NS ns.
ns. A 10.53.0.1
-. A 10.53.0.1
; rewrite responses from this zone
tld2. NS ns.tld2.
; rewrite responses from this zone
tld4. NS ns.tld4.
ns.tld4. A 10.53.0.4
+
+; performance test
+tld5. NS ns.tld5.
+ns.tld5. A 10.53.0.5
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: base-tld2s.db,v 1.1.2.1 2012/02/24 17:22:37 vjs Exp $
; RPZ rewrite responses from this signed zone
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.4 2011/10/13 01:32:33 vjs Exp $
-
-. 0 NS ns1.
-ns1. 0 A 10.53.0.1
+. 120 NS ns.
+ns. 120 A 10.53.0.1
/*
- * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.6 2012/01/07 23:46:53 tbox Exp $ */
controls { /* empty */ };
-; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: tld2.db,v 1.4.4.2 2012/02/24 17:22:37 vjs Exp $
; RPZ rewrite responses from this zone
-; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: base.db,v 1.6.4.1 2011/10/15 23:03:38 vjs Exp $
; RPZ test
redirect A 127.0.0.1
*.redirect A 127.0.0.1
*.credirect CNAME google.com.
+
+
+; names in the RPZ TLDs that some say should not be rewritten.
+; This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+; (or whatever) is available by publishing "foo A 10.2.3.4" and then
+; resolving foo.
+32.3.2.1.127.rpz-ip CNAME walled.invalid.
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: crash1,v 1.2 2011/10/13 04:53:06 marka Exp $
; a bad zone that caused a crash related to dns_rdataset_disassociate()
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: crash2,v 1.3 2011/11/18 19:32:13 each Exp $
; a valid zone containing records that caused crashes
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.4 2011/10/13 01:32:33 vjs Exp $
-
-. 0 NS ns1.
-ns1. 0 A 10.53.0.1
+. 120 NS ns.
+ns. 120 A 10.53.0.1
/*
- * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.5 2011/10/28 11:46:50 marka Exp $ */
/*
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
+ statistics-file "named.stats";
session-keyfile "session.key";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
zone "bl-cname" policy cname txt-only.tld2.;
zone "bl-wildcname" policy cname *.tld4.;
zone "bl-garden" policy cname a12.tld2.;
- };
+ } min-ns-dots 0;
};
key rndc_key {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
-logging {
- # change "-c named.conf -d 99 -g" to "-c named.conf -d 99 -f"
- # in ../start.pl to check the rpz log category
- channel rpz { severity debug 10;
- print-category yes; print-time yes; print-severity yes;
- file "named.rpz";};
- category rpz { default_stderr; rpz; };
- category queries { default_stderr; rpz; };
- category query-errors { default_stderr; };
-};
-
// include "../trusted.conf";
zone "." { type hint; file "hints"; };
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.2 2011/10/13 04:53:06 marka Exp $
-. 0 NS ns1.
-ns1. 0 A 10.53.0.1
+. 120 NS ns.
+ns. 120 A 10.53.0.1
/*
- * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.6.1 2012/02/24 17:22:37 vjs Exp $ */
controls { /* empty */ };
-; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: tld4.db,v 1.2.6.1 2012/02/24 17:22:37 vjs Exp $
; RPZ rewrite responses from this zone
-; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.1.2.1 2011/10/15 23:00:04 vjs Exp $
-
-. 0 NS ns1.
-ns1. 0 A 10.53.0.1
+. 120 NS ns.
+ns. 120 A 10.53.0.1
--- /dev/null
+# run the performace test close to real life
+
+-c named.conf -g
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.1.2.2 2012/02/24 17:22:38 vjs Exp $ */
/*
transfer-source 10.53.0.5;
port 5300;
pid-file "named.pid";
+ statistics-file "named.stats";
session-keyfile "session.key";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
notify no;
- # Eventually turn rpz on.
+ # turn rpz on or off
include "rpz-switch";
};
secret "1234abcd8765";
algorithm hmac-md5;
};
-controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
+controls {
+ inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
+};
include "../trusted.conf";
zone "." {type hint; file "hints"; };
-zone "example.com." {type master; file "example.db"; };
+zone "tld5." {type master; file "tld5.db"; };
+zone "example.tld5." {type master; file "example.db"; };
-zone "bl." {type master; file "bl.db"; };
+zone "bl0." {type master; file "bl.db"; };
+zone "bl1." {type master; file "bl.db"; };
+zone "bl2." {type master; file "bl.db"; };
--- /dev/null
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; RPZ preformance test
+
+$TTL 120
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS ns1
+ NS ns2
+ NS ns3
+ NS ns4
+ NS ns5
+ NS ns6
+ NS ns7
+ NS ns8
+ NS ns9
+ NS ns10
+ NS ns11
+ NS ns12
+ NS ns13
+ NS ns14
+ NS ns15
+ NS ns16
+ NS ns17
+ NS ns18
+ NS ns19
+ns A 10.53.0.5
+ns1 A 10.53.0.5
+ns2 A 10.53.0.5
+ns3 A 10.53.0.5
+ns4 A 10.53.0.5
+ns5 A 10.53.0.5
+ns6 A 10.53.0.5
+ns7 A 10.53.0.5
+ns8 A 10.53.0.5
+ns9 A 10.53.0.5
+ns10 A 10.53.0.5
+ns11 A 10.53.0.5
+ns12 A 10.53.0.5
+ns13 A 10.53.0.5
+ns14 A 10.53.0.5
+ns15 A 10.53.0.5
+ns16 A 10.53.0.5
+ns17 A 10.53.0.5
+ns18 A 10.53.0.5
+ns19 A 10.53.0.5
+
+
+$ORIGIN example.tld5.
+example.tld5. NS ns
+ NS ns1
+ns A 10.53.0.5
+ns1 A 10.53.0.5
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: qperf.sh,v 1.1.2.1 2011/10/15 23:03:37 vjs Exp $
for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do
QPERF=$QDIR/queryperf
/*
- * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rpz.c,v 1.3.226.1 2011/10/15 23:03:37 vjs Exp $ */
#include <config.h>
#! /bin/sh
#
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.6 2012/01/07 23:46:53 tbox Exp $
set -e
# Performance checks.
-# First with rpz off.
cat <<EOF >ns5/rpz-switch
-response-policy {zone "bl";}
- recursive-only no
- max-policy-ttl 90
- break-dnssec yes;
+response-policy {
+ zone "bl0"; zone "bl1"; zone "bl2";
+ } recursive-only no
+ max-policy-ttl 90
+ # min-ns-dots 0
+ break-dnssec yes;
EOF
cat <<EOF >ns5/example.db
\$TTL 120
-@ SOA . hostmaster.ns.example. ( 1 3600 1200 604800 60 )
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
NS ns
+ NS ns1
ns A 10.53.0.5
+ns1 A 10.53.0.5
EOF
cat <<EOF >ns5/bl.db
; used only in failure for "recursive-only no" in #8 test5
a3-5.tld2 CNAME *.
-; for "break-dnssec" in #9 test5
+; for "break-dnssec" in #9 & #10 test5
a3-5.tld2s CNAME *.
-; for "max-policy-ttl 90" in test5
+; for "max-policy-ttl 90" in #17 test5
a3-17.tld2 500 A 17.17.17.17
-; dummy NSDNAME policies to trigger lookups
-ns-1.example.com.rpz-nsdname CNAME .
-ns-2.example.com.rpz-nsdname CNAME .
-ns-3.example.com.rpz-nsdname CNAME .
-ns-4.example.com.rpz-nsdname CNAME .
-ns-5.example.com.rpz-nsdname CNAME .
+; dummy NSDNAME policy to trigger lookups
+ns1.x.rpz-nsdname CNAME .
EOF
if test -n "$QPERF"; then
# do not build the full zones if we will not use them to avoid the long
# time otherwise required to shut down the server
$PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
- printf("host-%d-%d\tA 192.168.%d.%d\n",
- $val/256, $val%256, $val/256, $val%256);
+ printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256);
}' >>ns5/example.db
echo >>ns5/bl.db
echo "; rewrite some names" >>ns5/bl.db
$PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
- printf("host-%d.sub%d.example.com\tCNAME\t.\n", $val/256, $val%256);
+ printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
}' >>ns5/bl.db
echo >>ns5/bl.db
$PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n",
$val%256, $val/256);
- printf("32.%d.%d.168.192.rpz-nsip\tCNAME\t.\n",
- ($val+1)%256, ($val+1)/256);
}' >>ns5/bl.db
fi
# some psuedo-random queryperf requests
-$PERL -e 'for ($cnt = $val = 1; $cnt <= 2000; ++$cnt) {
- printf("host-%d.sub%d.example.com A\n", $val%256, $val/256);
- $val = ($val * 9 + 32771) % 65536;
+$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
+ printf("host-%05d.example.tld5 A\n", $val);
+ $val = ($val * 9 + 32771) % 65536;
}' >ns5/requests
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test1,v 1.8 2012/01/07 00:19:59 each Exp $
; Use comment lines instead of blank lines to combine update requests into
; 3, 21
update add a3-1.tld2.bl. 300 CNAME *.
; and no assert-botch
-; 5, 22
+; 4, 5, 22, 23
update add a3-2.tld2.bl. 300 DNAME example.com.
;
; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2.
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test2,v 1.6 2011/11/18 19:32:13 each Exp $
; Use comment lines instead of blank lines to combine update requests into
; 9
update add 128.1.zz.3.2.2001.rpz-ip.bl 300 CNAME .
;
-; apply the policy with the lexically smallest address of 192.168.5.1
+; apply the policy with the lexically smaller trigger address of 192.168.5.1
; to an RRset of more than one A RR
; 11
update add 32.1.5.168.192.rpz-ip.bl 300 A 127.0.0.1
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test3,v 1.5 2011/10/13 01:32:32 vjs Exp $
; Use comment lines instead of blank lines to combine update requests into
server 10.53.0.3 5300
+; 3, 4, 5
; NXDOMAIN for *.sub1.tld2 by NSDNAME
update add *.sub1.tld2.rpz-nsdname.bl. 300 CNAME .
;
+; 6
; walled garden for *.sub2.tld2
update add *.sub2.tld2.rpz-nsdname.bl. 300 CNAME a12-cname.tld2.
;
+; 7, 8
; exempt a3-2.tld2 and anything in 192.168.0.0/24
; also checks that IP policies are preferred over NSDNAME policies
update add a3-2.tld2.bl 300 CNAME a3-2.tld2.
update add 24.0.0.168.192.rpz-ip.bl 300 CNAME 24.0.0.168.192.
;
+; 9
; prefer QNAME policy to NSDNAME policy
update add a4-1.tld2.bl. 300 A 12.12.12.12
-;
+; 10
; prefer policy for largest NS name
update add ns.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.1
update add ns.subsub.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.2
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test4,v 1.5 2011/10/13 01:32:33 vjs Exp $
; Use comment lines instead of blank lines to combine update requests into
--- /dev/null
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; walled-garden NSIP tests
+
+server 10.53.0.3 5300
+
+; rewrite all of tld2 based on its server IP address
+update add 32.2.0.53.10.rpz-nsip.bl. 300 A 41.41.41.41
+update add 32.2.0.53.10.rpz-nsip.bl. 300 AAAA 2041::41
+update add 32.2.0.53.10.rpz-nsip.bl. 300 TXT "NSIP walled garden"
+send
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test5,v 1.5.4.1 2012/02/24 17:22:37 vjs Exp $
; Use comment lines instead of blank lines to combine update requests into
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.12 2012/01/07 23:46:53 tbox Exp $
# test response policy zones (RPZ)
ns5=$ns.5 # check performance with this server
HAVE_CORE=
+SAVE_RESULTS=
+NS3_STATS=47
USAGE="$0: [-x]"
while getopts "x" c; do
# really quit on control-C
trap 'exit 1' 1 2 15
+TS='%H:%M:%S '
+TS=
+comment () {
+ if test -n "$TS"; then
+ date "+I:${TS}$*"
+ fi
+}
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
digcmd () {
- digcmd_args="+noadd +nosearch +time=1 +tries=1 -p 5300 $*"
+ digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*"
expr "$digcmd_args" : '.*@' >/dev/null || \
digcmd_args="$digcmd_args @$ns3"
expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \
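Review bot: The `TS='%H:%M:%S '` line in the new timestamp block is dead code, because the following `TS=` unconditionally clears it, so comment() never prints anything and timestamps can only be turned on by editing the script. If this is meant as a debugging toggle, comment the first line out or accept an environment override, e.g. `TS=${TS-}` with the format string noted in a comment beside it. Also note that comment() passes the message straight into `date "+I:${TS}$*"`, so any `%` in the text is interpreted as a date conversion rather than printed; building the line with `printf` and only the `$TS` part through date avoids that.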
setret () {
ret=1
+ status=`expr $status + 1`
echo "$*"
}
# (re)load the reponse policy zones with the rules in the file $TEST_FILE
load_db () {
if test -n "$TEST_FILE"; then
- if $NSUPDATE -v $TEST_FILE; then : ; else
+ if ! $NSUPDATE -v $TEST_FILE; then
echo "I:failed to update policy zone with $TEST_FILE"
exit 1
fi
return 1
}
+# check that statistics for $1 in $2 = $3
+ckstats () {
+ $RNDCCMD $1 stats
+ CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \
+ $2/named.stats`
+ CNT=`expr 0$CNT + 0`
+ if test "$CNT" -ne $3; then
+ setret "I:wrong $2 statistics of $CNT instead of $3"
+ fi
+}
+
# $1=message $2=optional test file name
start_group () {
ret=0
- test -n "$1" && echo "I:checking $1"
+ test -n "$1" && date "+I:${TS}checking $1"
TEST_FILE=$2
if test -n "$TEST_FILE"; then
GROUP_NM="-$TEST_FILE"
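Review bot: ckstats ignores the exit status of `$RNDCCMD $1 stats`, and `expr 0$CNT + 0` then turns a missing or unwritten `$2/named.stats` into CNT=0, so an rndc failure is reported as "wrong statistics of 0" instead of as the real cause. Check the rndc call, e.g. `$RNDCCMD $1 stats || setret "I:rndc stats failed for $2"`, and fail early when the stats file is absent. Since `rndc stats` appends to named.stats, the sed also emits one number per dump if the file survives from an earlier run or the helper is called twice for the same server, and expr then chokes on the multi-line value; taking only the last match (`| tail -1`, or `sed -n '$s/.../p'`) keeps the comparison meaningful.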
end_group () {
if test -n "$TEST_FILE"; then
+ # remove the previous set of test rules
sed -e 's/[ ]add[ ]/ delete /' $TEST_FILE | $NSUPDATE
TEST_FILE=
fi
ckalive $ns3 "I:failed; ns3 server crashed and restarted"
- if test "$status" -eq 0; then
- # look for complaints from rpz.c
- EMSGS=`grep -l 'invalid rpz' */*.run`
- if test -n "$EMSGS"; then
- setret "I:'invalid rpz' complaints in $EMSGS starting with:"
- grep 'invalid rpz' */*.run | sed -e '4,$d' -e 's/^/I: /'
- fi
- # look for complaints from rpz.c and query.c
- EMSGS=`grep -l 'rpz .*failed' */*.run`
- if test -n "$EMSGS"; then
- setret "I:'rpz failed' complaints in $EMSGS starting with:"
- grep 'rpz .*failed' */*.run | sed -e '4,$d' -e 's/^/I: /'
- fi
- fi
- status=`expr $status + $ret`
GROUP_NM=
}
+clean_result () {
+ if test -z "$SAVE_RESULTS"; then
+ rm -f $*
+ fi
+}
+
# $1=dig args $2=other dig output file
ckresult () {
#ckalive "$1" "I:server crashed by 'dig $1'" || return 1
if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
- rm -f ${DIGNM}*
+ clean_result ${DIGNM}*
return 0
fi
setret "I:'dig $1' wrong; diff $DIGNM $2"
digcmd $2 >$DIGNM
#ckalive "$2" "I:server crashed by 'dig $2'" || return 1
ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
- ADDR_TTL=`sed -n -e "s/^[-.a-z0-9]\{1,\} *\([0-9]*\) IN A\{1,4\} ${ADDR_ESC}\$/\1/p" $DIGNM`
+ ADDR_TTL=`sed -n -e "s/^[-.a-z0-9]\{1,\} *\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM`
if test -z "$ADDR_TTL"; then
setret "I:'dig $2' wrong; no address $ADDR record in $DIGNM"
return 1
setret "I:'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM"
return 1
fi
- rm -f ${DIGNM}*
+ clean_result ${DIGNM}*
}
# check that a response is not rewritten
make_dignm
digcmd $* >$DIGNM
digcmd $* @$ns2 >${DIGNM}_OK
- ckresult "$*" ${DIGNM}_OK && rm -f ${DIGNM}_OK
+ ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
}
# check against a 'here document'
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
-nodata a3-2.tld2 # 4 no crash on DNAME
-nodata sub.a3-2.tld2
+nodata a3-2.tld2 # 4 nodata at DNAME itself
+nochange sub.a3-2.tld2 # 5 miss where DNAME might work
nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 # 7
nodata a4-3-cname.tld2 # 8
end_group
if ./rpz nsdname; then
+ # these tests assume "min-ns-dots 0"
start_group "NSDNAME rewrites" test3
- nochange a3-1.tld2
+ nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
nxdomain a3-1.subsub.sub1.tld2
addr 127.0.0.2 a3-1.subsub.sub3.tld2
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
end_group
+ NS3_STATS=`expr $NS3_STATS + 7`
else
- echo "I:NSDNAME not checked; named not configured with --enable-rpz-nsdname"
+ echo "I:NSDNAME not checked; named configured with --disable-rpz-nsdname"
fi
if ./rpz nsip; then
+ # these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
- nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 by NSIP
+ nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address
end_group
+
+# start_group "walled garden NSIP rewrites" test4a
+# addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
+# addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
+# here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
+# ;; status: NOERROR, x
+# a3-1.tld2. x IN TXT "NSIP walled garden"
+#EOF
+# end_group
+ NS3_STATS=`expr $NS3_STATS + 1`
else
- echo "I:NSIP not checked; named not configured with --enable-rpz-nsip"
+ echo "I:NSIP not checked; named configured with --disable-rpz-nsip"
fi
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
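Review bot: The new "walled garden NSIP rewrites" group that exercises the test4a file added in this change is committed commented out, so the A/AAAA/TXT rewrite path for rpz-nsip triggers is never run and test4a is dead data. Either enable the group or put a comment above it saying why it is disabled and what has to change before it can be turned on. If it is enabled, the three rewrites it produces will also have to be added to `NS3_STATS` next to the existing `NS3_STATS=\`expr $NS3_STATS + 1\``.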
nocrash www.redirect -t$Q
nocrash www.credirect -t$Q
done
+
+# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+# (or whatever) is available by publishing "foo A 10.2.3.4" and then
+# resolving foo.
+# nxdomain 32.3.2.1.127.rpz-ip
end_group
QPERF=`sh qperf.sh`
if test -n "$QPERF"; then
perf () {
- echo "I:checking performance $1"
- # don't measure the costs of -d99
- $RNDCCMD $ns5 notrace >/dev/null
- $QPERF -1 -l2 -d ns5/requests -s $ns5 -p 5300 >ns5/$2.perf
+ date "+I:${TS}checking performance $1"
+ # Dry run to prime everything
+ comment "before dry run $1"
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >/dev/null
+ comment "before real test $1"
+ PFILE="ns5/$2.perf"
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >$PFILE
+ comment "after test $1"
+ X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
+ | tr '\n' ' '`
+ if test "$X" != "$3"; then
+ setret "I:wrong results '$X' in $PFILE"
+ fi
ckalive $ns5 "I:failed; server #5 crashed"
}
trim () {
sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
}
- # Dry run to prime disk cache
- # Otherwise a first test of either flavor is 25% low
- perf 'to prime disk cache' rpz
-
- # get queries/second with rpz
- perf 'with rpz' rpz
+ # get qps with rpz
+ perf 'with rpz' rpz 'NOERROR:2900 NXDOMAIN:100 '
+ RPZ=`trim rpz`
- # turn off rpz and measure queries/second again
- # Don't wait for a clean stop. Clean stops of this server need seconds
- # until the sockets are closed. 5 or 10 seconds after that, the
- # server really stops and deletes named.pid.
- echo "# rpz off" >ns5/rpz-switch
- PID=`cat ns5/named.pid`
- test -z "$PID" || kill -9 "$PID"
- $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
- perf 'without rpz' norpz
-
- # Don't wait for a clean stop. Clean stops of this server need seconds
- # until the sockets are closed. 5 or 10 seconds after that, the
- # server really stops and deletes named.pid.
+ # turn off rpz and measure qps again
echo "# rpz off" >ns5/rpz-switch
- PID=`cat ns5/named.pid`
- test -z "$PID" || kill -9 "$PID" && rm -f ns5/named.pid
-
+ RNDCCMD_OUT=`$RNDCCMD $ns5 reload`
+ perf 'without rpz' norpz 'NOERROR:3000 '
NORPZ=`trim norpz`
- RPZ=`trim rpz`
- echo "I:$RPZ qps with RPZ versus $NORPZ qps without"
- # fail if RPZ costs more than 100%
- NORPZ2=`expr "$NORPZ" / 2`
- if test "$RPZ" -le "$NORPZ2"; then
- echo "I:rpz $RPZ qps too far below non-RPZ $NORPZ qps"
- status=`expr $status + 1`
+ PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ`
+ echo "I:$RPZ qps with rpz is $PERCENT% of $NORPZ qps without rpz"
+
+ MIN_PERCENT=30
+ if test "$PERCENT" -lt $MIN_PERCENT; then
+ setret "I:$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
fi
+
+ if test "$PERCENT" -ge 100; then
+ setret "I:$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
+ fi
+
+ ckstats $ns5 ns5 203
+
else
echo "I:performance not checked; queryperf not available"
fi
+ckstats $ns3 ns3 55
+
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl . ns3
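Review bot: `ckstats $ns3 ns3 55` hard-codes the expected rewrite count even though NS3_STATS is built up for exactly this purpose (47, plus 7 in the NSDNAME group and 1 in the NSIP group); on a build configured with --disable-rpz-nsip or --disable-rpz-nsdname the correct value is 54, 48 or 47 and the check fails. Use `ckstats $ns3 ns3 $NS3_STATS`. In the same hunk, PERCENT is computed by dividing by `$NORPZ`; if trim finds no "Queries per second" line (empty) or the figure is 0, expr fails and the subsequent `-lt`/`-ge` tests error out instead of reporting, so guard the arithmetic with something like `test -n "$RPZ" -a -n "$NORPZ" -a "$NORPZ" -gt 0 || setret "I:no qps figures in ns5/*.perf"`.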
test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
fi
+# look for complaints from lib/dns/rpz.c and bin/name/query.c
+EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
+if test -n "$EMSGS"; then
+ setret "I:error messages in $EMSGS starting with:"
+ egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' -e 's/^/I: /'
+fi
echo "I:exit status: $status"
exit $status
[default=autodetect]
--enable-fixed-rrset enable fixed rrset ordering
[default=no]
- --enable-rpz-nsip enable rpz-nsip rules [default=no]
- --enable-rpz-nsdname enable rpz-nsdname rules [default=no]
- --enable-filter-aaaa enable filtering of AAAA records over IPv4
- [default=no]
+ --disable-rpz-nsip disable rpz-nsip rules [default=enabled]
+ --disable-rpz-nsdname disable rpz-nsdname rules [default=enabled]
+ --enable-filter-aaaa enable filtering of AAAA records [default=no]
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${with_atf+set}" = set || with_atf=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
- test "${enable_rpz_nsip+set}" = set || enable_rpz_nsip=yes
- test "${enable_rpz_nsdname+set}" = set || enable_rpz_nsdname=yes
test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
case "$host" in
*-darwin*)
if test "${enable_rpz_nsip+set}" = set; then :
enableval=$enable_rpz_nsip; enable_nsip="$enableval"
else
- enable_nsip="no"
+ enable_nsip="yes"
fi
case "$enable_nsip" in
if test "${enable_rpz_nsdname+set}" = set; then :
enableval=$enable_rpz_nsdname; enable_nsdname="$enableval"
else
- enable_nsdname="no"
+ enable_nsdname="yes"
fi
case "$enable_nsdname" in
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${with_atf+set}" = set || with_atf=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
- test "${enable_rpz_nsip+set}" = set || enable_rpz_nsip=yes
- test "${enable_rpz_nsdname+set}" = set || enable_rpz_nsdname=yes
test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
case "$host" in
*-darwin*)
# Enable response policy rewriting using NS IP addresses
#
AC_ARG_ENABLE(rpz-nsip,
- [ --enable-rpz-nsip enable rpz-nsip rules [[default=no]]],
+ [ --disable-rpz-nsip disable rpz-nsip rules [[default=enabled]]],
enable_nsip="$enableval",
- enable_nsip="no")
+ enable_nsip="yes")
case "$enable_nsip" in
yes)
AC_DEFINE(ENABLE_RPZ_NSIP, 1,
# Enable response policy rewriting using NS name
#
AC_ARG_ENABLE(rpz-nsdname,
- [ --enable-rpz-nsdname enable rpz-nsdname rules [[default=no]]],
+ [ --disable-rpz-nsdname disable rpz-nsdname rules [[default=enabled]]],
enable_nsdname="$enableval",
- enable_nsdname="no")
+ enable_nsdname="yes")
case "$enable_nsdname" in
yes)
AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
} <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
- <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> ; </optional>
+ <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional>
};
</programlisting>
They are encoded as subdomains of
<userinput>rpz-nsdomain</userinput> relativized
to the RPZ origin name.
- </para>
-
- <para>
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
<userinput>rpz-nsip</userinput>.
+ NSDNAME and NSIP triggers are checked only for names with at
+ least <command>min-ns-dots</command> dots.
+ The default value of <command>min-ns-dots</command> is 1 to
+ exclude top level domains.
</para>
<para>
and addresses.
</para>
- <para>
- Authority verification issues and variations in authority data
- can cause inconsistent results for NSIP and NSDNAME policy records.
- Glue NS records often differ from authoritative NS records.
- So they are available
- only when <acronym>BIND</acronym> is built with the
- <userinput>--enable-rpz-nsip</userinput> or
- <userinput>--enable-rpz-nsdname</userinput> options
- on the "configure" command line.
- </para>
-
<para>
RPZ record sets are sets of any types of DNS record except
DNAME or DNSSEC that encode actions or responses to queries.
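Review bot: The removed paragraph was the only place the manual warned that glue NS records often differ from authoritative NS records and that authority verification issues make NSIP and NSDNAME results inconsistent; now that those triggers are compiled in by default (per the configure changes in this same diff) that operational caveat reaches more users, not fewer, and should be kept rather than dropped with the build-flag text. Suggest retaining one sentence such as: "NSIP and NSDNAME policies depend on the NS RRsets and glue the resolver has seen; because glue NS records often differ from authoritative NS records and authority data varies, results from these triggers can be inconsistent." The paragraph describing what the triggers match continues above this hunk.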
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</programlisting>
- <para>
- Note: RPZ may impact server performance. Each configured
- response policy zone requires the server to perform one to four
- additional database lookups before a query can be answered.
+ <para>
+ RPZ can affect server performance.
+ Each configured response policy zone requires the server to
+ perform one to four additional database lookups before a
+ query can be answered.
For example, a DNS server with four policy zones, each with all
- four kinds of response triggers — QNAME, IP, NSIP, and
- NSDNAME — requires a total of 17 times as many database
+ four kinds of response triggers, QNAME, IP, NSIP, and
+ NSDNAME, requires a total of 17 times as many database
lookups as a similar DNS server with no response policy zones.
A <acronym>BIND9</acronym> server with adequate memory and one
response policy zone with QNAME and IP triggers might achieve a
- maximum queries-per-second rate about 20% lower. A server with
- four response policy zones with QNAME and IP triggers might
- have a maximum QPS rate about 50% lower.
- </para>
+ maximum queries-per-second rate about 20% lower.
+ A server with four response policy zones with QNAME and IP
+ triggers might have a maximum QPS rate about 50% lower.
+ </para>
+
+ <para>
+ Responses rewritten by RPZ are counted in the
+ <command>RPZRewrites</command> statistics.
+ </para>
</sect3>
</sect2>
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RPZRewrites</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Response policy zone rewrites.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
(db->methods->resigned)(db, rdataset, version);
}
-void
+isc_result_t
dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
{
if (db->methods->rpz_enabled != NULL)
- (db->methods->rpz_enabled)(db, st);
+ return ((db->methods->rpz_enabled)(db, st));
+ return (ISC_R_SUCCESS);
}
void
dns_dbversion_t *version);
isc_boolean_t (*isdnssec)(dns_db_t *db);
dns_stats_t *(*getrrsetstats)(dns_db_t *db);
- void (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st);
+ isc_result_t (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st);
void (*rpz_findips)(dns_rpz_zone_t *rpz,
dns_rpz_type_t rpz_type,
dns_zone_t *zone, dns_db_t *db,
* dns_rdatasetstats_create(); otherwise NULL.
*/
-void
+isc_result_t
dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st);
/*%<
- * See if a policy database has DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSIP, or
- * DNS_RPZ_TYPE_NSDNAME records.
+ * Mark a database for response policy rewriting
+ * or find which RPZ data is available.
*/
void
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rpz.h,v 1.5 2011/10/28 11:46:50 marka Exp $ */
#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1
ISC_LANG_BEGINDECLS
-#define DNS_RPZ_IP_ZONE "rpz-ip"
-#define DNS_RPZ_NSIP_ZONE "rpz-nsip"
-#define DNS_RPZ_NSDNAME_ZONE "rpz-nsdname"
-#define DNS_RPZ_PASSTHRU_ZONE "rpz-passthru"
+#define DNS_RPZ_PREFIX "rpz-"
+#define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX"ip"
+#define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX"nsip"
+#define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname"
+#define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru"
typedef isc_uint8_t dns_rpz_cidr_bits_t;
dns_ttl_t max_policy_ttl;
dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
isc_boolean_t recursive_only;
+ isc_boolean_t defined;
};
/*
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);
-void
-dns_rpz_set_need(isc_boolean_t need);
-
-isc_boolean_t
-dns_rpz_needed(void);
-
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
dns_rpz_cidr_t **rbtdb_cidr);
void
-dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
+dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
ISC_LIST(dns_rpz_zone_t) rpz_zones;
isc_boolean_t rpz_recursive_only;
isc_boolean_t rpz_break_dnssec;
+ unsigned int rpz_min_ns_labels;
/*
* Configurable data for server use only,
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
#include <dns/types.h>
#include <dns/zt.h>
* maintenance timer.
*/
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone);
+/*%
+ * Set the response policy associated with a zone.
+ */
+
+isc_boolean_t
+dns_zone_get_rpz(dns_zone_t *zone);
+
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
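Review bot: The `/*%` comment placed after the dns_zone_rpz_enable prototype documents the declaration that follows it, i.e. dns_zone_get_rpz, whereas a comment trailing a prototype in these headers uses `/*%<` (as on dns_db_rpz_enabled elsewhere in this change); the result is one mis-attached sentence and no documentation for dns_zone_get_rpz. Suggest `/*%< Mark 'zone' as a response policy zone; returns ISC_R_NOTIMPLEMENTED unless its database type is "rbt" or "rbt64". */` after the first prototype and `/*%< Return ISC_TRUE if 'zone' has been marked as a response policy zone. */` after the second, which is what the zone.c implementation in this diff does.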
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_CACHE,
ISC_LOG_WARNING,
- "delete_nsecnode(): "
+ "delete_node(): "
"dns_rbt_deletenode(nsecnode): %s",
isc_result_totext(result));
}
}
- result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
#ifdef BIND9
- dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
+ if (rbtdb->rpz_cidr != NULL)
+ dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
#endif
+ result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
break;
case DNS_RBT_NSEC_NSEC:
result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_CACHE,
ISC_LOG_WARNING,
- "delete_nsecnode(): "
+ "delete_cnode(): "
"dns_rbt_deletenode: %s",
isc_result_totext(result));
}
}
/*
- * Mark a database for response policy rewriting.
+ * Mark a database for response policy rewriting
+ * or find which RPZ data is available.
*/
#ifdef BIND9
-static void
-get_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
+static isc_result_t
+rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
{
dns_rbtdb_t *rbtdb;
+ isc_result_t result;
+ result = ISC_R_SUCCESS;
rbtdb = (dns_rbtdb_t *)db;
REQUIRE(VALID_RBTDB(rbtdb));
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- dns_rpz_enabled(rbtdb->rpz_cidr, st);
+ if (st != NULL) {
+ dns_rpz_enabled_get(rbtdb->rpz_cidr, st);
+ } else {
+ result = dns_rpz_new_cidr(rbtdb->common.mctx,
+ &rbtdb->common.origin,
+ &rbtdb->rpz_cidr);
+ }
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ return (result);
}
/*
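Review bot: rpz_enabled() assigns `rbtdb->rpz_cidr` in the `st == NULL` branch while holding only the tree read lock (`RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read)`), so the database is mutated under a shared lock that does not exclude the `rpz_cidr != NULL` checks in add_node/delete_node; take `isc_rwlocktype_write` for that branch. dns_rpz_new_cidr also REQUIREs its target slot to be NULL (visible further down in this diff), so if enabling can be reached twice for the same database the second call aborts named instead of returning an error; guard it with `if (rbtdb->rpz_cidr == NULL)` and treat an already-built tree as success.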
noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
#ifdef BIND9
- if (noderesult == ISC_R_SUCCESS)
+ if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL)
dns_rpz_cidr_addip(rbtdb->rpz_cidr, name);
#endif
isdnssec,
NULL,
#ifdef BIND9
- get_rpz_enabled,
+ rpz_enabled,
rpz_findips,
#else
NULL,
return (result);
}
-#ifdef BIND9
- /*
- * Get ready for response policy IP address searching if at least one
- * zone has been configured as a response policy zone and this
- * is not a cache zone.
- * It would be better to know that this database is for a policy
- * zone named for a view, but that would require knowledge from
- * above such as an argv[] set from data in the zone.
- */
- if (type == dns_dbtype_zone && !dns_name_equal(origin, dns_rootname)) {
- result = dns_rpz_new_cidr(mctx, origin, &rbtdb->rpz_cidr);
- if (result != ISC_R_SUCCESS) {
- free_rbtdb(rbtdb, ISC_FALSE, NULL);
- return (result);
- }
- }
-#endif
-
/*
* In order to set the node callback bit correctly in zone databases,
* we need to know if the node has the origin name of the zone.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
/*! \file */
dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */
};
-static isc_boolean_t have_rpz_zones = ISC_FALSE;
-
const char *
dns_rpz_type2str(dns_rpz_type_t type) {
switch (type) {
}
}
-/*
- * Note that we have at least one response policy zone.
- * It would be better for something to tell the rbtdb code that the
- * zone is in at least one view's list of policy zones.
- */
-void
-dns_rpz_set_need(isc_boolean_t need) {
- have_rpz_zones = need;
-}
-
-isc_boolean_t
-dns_rpz_needed(void) {
- return (have_rpz_zones);
-}
-
/*
* Start a new radix tree for a response policy zone.
*/
REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL);
- /*
- * Only if there is at least one response policy zone.
- */
- if (!have_rpz_zones)
- return (ISC_R_SUCCESS);
-
cidr = isc_mem_get(mctx, sizeof(*cidr));
if (cidr == NULL)
return (ISC_R_NOMEMORY);
* See if a policy zone has IP, NSIP, or NSDNAME rules or records.
*/
void
-dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) {
+dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) {
if (cidr == NULL)
return;
if (cidr->root != NULL &&
badname(int level, dns_name_t *name, const char *str1, const char *str2) {
char printname[DNS_NAME_FORMATSIZE];
+ /*
+ * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
+ */
if (level < DNS_RPZ_DEBUG_QUIET
&& isc_log_wouldlog(dns_lctx, level)) {
dns_name_format(name, printname, sizeof(printname));
dns_rpz_cidr_bits_t tgt_prefix;
dns_rpz_type_t type;
- if (cidr == NULL)
- return;
+ REQUIRE(cidr != NULL);
/*
* No worries if the new name is not an IP address.
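Review bot: Replacing the NULL-tolerant early return with `REQUIRE(cidr != NULL)` turns a previously ignored call into an assertion failure that aborts named, so every caller must now test the pointer first; the two callers visible in this diff (rbtdb add_node and delete_node) do, but any other caller of this function would need the same guard. A one-line comment above the REQUIRE would make the new contract explicit, e.g. `/* Callers must check rpz_cidr != NULL; the radix tree exists only for zones marked as policy zones. */`. The enclosing function begins outside this hunk.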
{
char printname[DNS_NAME_FORMATSIZE];
+ /*
+ * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+ */
dns_name_format(name, printname, sizeof(printname));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
dns_rpz_cidr_find
dns_rpz_cidr_free
dns_rpz_decode_cname
-dns_rpz_enabled
-dns_rpz_needed
+dns_rpz_enabled_get
dns_rpz_new_cidr
dns_rpz_policy2str
-dns_rpz_set_need
dns_rpz_str2policy
dns_rpz_type2str
dns_rpz_view_destroy
dns_zone_forcereload
dns_zone_forwardupdate
dns_zone_fulldumptostream
+dns_zone_get_rpz
dns_zone_getadded
dns_zone_getchecknames
dns_zone_getclass
dns_zone_refresh
dns_zone_rekey
dns_zone_replacedb
+dns_zone_rpz_enable
dns_zone_setacache
dns_zone_setadded
dns_zone_setalsonotify
isc_boolean_t added;
/*%
- * whether a rpz radix was needed when last loaded
+ * whether this is a response policy zone
*/
- isc_boolean_t rpz_zone;
+ isc_boolean_t is_rpz;
/*%
* Serial number update method.
zone->nodes = 100;
zone->privatetype = (dns_rdatatype_t)0xffffU;
zone->added = ISC_FALSE;
- zone->rpz_zone = ISC_FALSE;
+ zone->is_rpz = ISC_FALSE;
ISC_LIST_INIT(zone->forwards);
zone->raw = NULL;
zone->secure = NULL;
}
+/*
+ * Set the response policy index and information for a zone.
+ */
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone) {
+ /*
+ * Only RBTDB zones can be used for response policy zones,
+ * because only they have the code to load the create the summary data.
+ * Only zones that are loaded instead of mmap()ed create the
+ * summary data and so can be policy zones.
+ */
+ if (strcmp(zone->db_argv[0], "rbt") != 0 &&
+ strcmp(zone->db_argv[0], "rbt64") != 0)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ zone->is_rpz = ISC_TRUE;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+dns_zone_get_rpz(dns_zone_t *zone) {
+ return (zone->is_rpz);
+}
+
static isc_result_t
zone_load(dns_zone_t *zone, unsigned int flags) {
isc_result_t result;
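Review bot: dns_zone_rpz_enable() dereferences `zone->db_argv[0]` without checking that a database type has been set; if it can be called before the zone's db type is configured (db_argv NULL or empty) this is a NULL dereference rather than the ISC_R_NOTIMPLEMENTED the caller expects. Guard with `if (zone->db_argv == NULL) return (ISC_R_NOTIMPLEMENTED);` (using whatever field records the argv count, if there is one), and if the file's other public entry points open with a zone validity REQUIRE this one should too. The header comment also reads "load the create the summary data"; drop the stray "load the".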
* "rndc reconfig", we are done.
*/
if (!isc_time_isepoch(&zone->loadtime) &&
- (flags & DNS_ZONELOADFLAG_NOSTAT) != 0 &&
- zone->rpz_zone == dns_rpz_needed()) {
+ (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
result = ISC_R_SUCCESS;
goto cleanup;
}
if (result == ISC_R_SUCCESS) {
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
- isc_time_compare(&filetime, &zone->loadtime) <= 0 &&
- zone->rpz_zone == dns_rpz_needed()) {
+ isc_time_compare(&filetime, &zone->loadtime) <= 0) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"skipping load: master file "
"older than last load");
goto cleanup;
}
loadtime = filetime;
- zone->rpz_zone = dns_rpz_needed();
}
}
isc_result_t tresult;
unsigned int options;
- options = get_master_options(zone);
+#ifdef BIND9
+ if (zone->is_rpz) {
+ result = dns_db_rpz_enabled(db, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+#endif
+ options = get_master_options(zone);
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
options |= DNS_MASTER_MANYERRORS;
* response-policy {
* zone <string> [ policy (given|disabled|passthru|
* nxdomain|nodata|cname <domain> ) ]
- * [ recursive-only yes|no ]
- * [ max-policy-ttl number ] ;
- * } [ recursive-only yes|no ] [ break-dnssec yes|no ]
- * [ max-policy-ttl number ] ;
+ * [ recursive-only yes|no ] [ max-policy-ttl number ] ;
+ * } [ recursive-only yes|no ] [ max-policy-ttl number ] ;
+ * [ break-dnssec yes|no ] [ min-ns-dots number ] ;
*/
static void
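Review bot: The updated syntax comment terminates the statement twice: `} [ recursive-only yes|no ] [ max-policy-ttl number ] ;` ends with a semicolon and the next line `[ break-dnssec yes|no ] [ min-ns-dots number ] ;` ends with another, whereas the docbook grammar in this same change puts the single `;` after min-ns-dots. Suggest `} [ recursive-only yes|no ] [ max-policy-ttl number ]` followed by `[ break-dnssec yes|no ] [ min-ns-dots number ] ;` so the comment matches the parser and the manual.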
{ "recursive-only", &cfg_type_boolean, 0 },
{ "break-dnssec", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
+ { "min-ns-dots", &cfg_type_uint32, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpz = {