+4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
+ options are no longer conditionally compiled.
+ [RT #46340]
+
4785. [func] The hmac-md5 algorithm is no longer recommended for
use with RNDC keys. For compatibility reasons, it
it is still the default algorithm in rndc-confgen,
# fetch-glue <obsolete>;\n\
fetch-quota-params 100 0.1 0.3 0.7;\n\
fetches-per-server 0;\n\
- fetches-per-zone 0;\n"
-#ifdef ALLOW_FILTER_AAAA
-" filter-aaaa-on-v4 no;\n\
+ fetches-per-zone 0;\n\
+ filter-aaaa-on-v4 no;\n\
filter-aaaa-on-v6 no;\n\
filter-aaaa { any; };\n"
-#endif
#ifdef HAVE_GEOIP
" geoip-use-ecs yes;\n"
#endif
dns_quotatype_zone, r);
}
-#ifdef ALLOW_FILTER_AAAA
obj = NULL;
result = named_config_get(maps, "filter-aaaa-on-v4", &obj);
INSIST(result == ISC_R_SUCCESS);
CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
actx, named_g_mctx, &view->aaaa_acl));
-#endif
+
obj = NULL;
result = named_config_get(maps, "prefetch", &obj);
if (result == ISC_R_SUCCESS) {
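Review bot: The `INSIST(result == ISC_R_SUCCESS)` following `named_config_get(maps, "filter-aaaa-on-v4", &obj)` now runs in every build, and it is only safe because the built-in defaults in config.c (earlier in this diff) unconditionally emit `filter-aaaa-on-v4 no;` — previously both sides were gated by the same `ALLOW_FILTER_AAAA` macro, so they could not drift apart. A one-line comment would make that coupling visible to whoever edits either file next: `/* Always present: the built-in defaults in config.c define filter-aaaa-on-v4/v6. */`. If I read INSIST correctly it is an assertion, so a mismatch would abort named at configuration time rather than reject the view. The enclosing function starts and ends outside this hunk.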
fprintf(stderr, "args:\n");
fprintf(stderr, " --edns-version\n");
fprintf(stderr, " --enable-dnsrps\n");
- fprintf(stderr, " --enable-filter-aaaa\n");
fprintf(stderr, " --gethostname\n");
fprintf(stderr, " --gssapi\n");
fprintf(stderr, " --have-dlopen\n");
#endif
}
- if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
-#ifdef ALLOW_FILTER_AAAA
- return (0);
-#else
- return (1);
-#endif
- }
-
if (strcmp(argv[1], "--edns-version") == 0) {
#ifdef DNS_EDNS_VERSION
printf("%d\n", DNS_EDNS_VERSION);
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) 2010, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-$FEATURETEST --enable-filter-aaaa || {
- echo "I:This test requires --enable-filter-aaaa at compile time." >&2
- exit 255
-}
-exit 0
/* Use AES for Client Cookie generation */
#undef AES_CC
-/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
- */
-#undef ALLOW_FILTER_AAAA
-
/* define if ATF unit tests are to be built. */
#undef ATF_TEST
/* Define to the sockaddr length type used by getnameinfo(3). */
#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t
-/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
- */
-@ALLOW_FILTER_AAAA@
-
/* Define to enable "rrset-order fixed" syntax. */
@DNS_RDATASET_FIXED@
docdir
oldincludedir
includedir
+runstatedir
localstatedir
sharedstatedir
sysconfdir
with_dnsrps_libname
with_dnsrps_dir
enable_dnsrps
-enable_filter_aaaa
enable_dnstap
with_protobuf_c
with_libfstrm
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
+ -runstatedir | --runstatedir | --runstatedi | --runstated \
+ | --runstate | --runstat | --runsta | --runst | --runs \
+ | --run | --ru | --r)
+ ac_prev=runstatedir ;;
+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+ | --run=* | --ru=* | --r=*)
+ runstatedir=$ac_optarg ;;
+
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
+ libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--disable-rpz-nsdname disable rpz nsdname rules [default=enabled]
--enable-dnsrps-dl DNS Response Policy Service delayed link [default=$librpz_dl]
--enable-dnsrps enable DNS Response Policy Service API
- --enable-filter-aaaa enable filtering of AAAA records [default=no]
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no]
--enable-full-report report values of all configure options
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_atf+set}" = set || with_atf=yes
- test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
test "${enable_symtable+set}" = set || enable_symtable=all
test "${enable_warn_error+set}" = set || enable_warn_error=yes
fi
-#
-# Activate "filter-aaaa-on-v4/v6" or not?
-#
-# Check whether --enable-filter-aaaa was given.
-if test "${enable_filter_aaaa+set}" = set; then :
- enableval=$enable_filter_aaaa; enable_filter="$enableval"
-else
- enable_filter="no"
-fi
-
-case "$enable_filter" in
- yes)
-
-$as_echo "#define ALLOW_FILTER_AAAA 1" >>confdefs.h
-
- ;;
- no)
- ;;
- *)
- ;;
-esac
-
#
# Activate dnstap?
#
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
- test "yes" = "$enable_filter" && \
- echo " AAAA filtering (--enable-filter-aaaa)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_atf+set}" = set || with_atf=yes
- test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
test "${enable_symtable+set}" = set || enable_symtable=all
test "${enable_warn_error+set}" = set || enable_warn_error=yes
AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
fi
-#
-# Activate "filter-aaaa-on-v4/v6" or not?
-#
-AC_ARG_ENABLE(filter-aaaa,
- [ --enable-filter-aaaa enable filtering of AAAA records [[default=no]]],
- enable_filter="$enableval",
- enable_filter="no")
-case "$enable_filter" in
- yes)
- AC_DEFINE(ALLOW_FILTER_AAAA, 1,
- [Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.])
- ;;
- no)
- ;;
- *)
- ;;
-esac
-
#
# Activate dnstap?
#
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
- test "yes" = "$enable_filter" && \
- echo " AAAA filtering (--enable-filter-aaaa)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
<term><command>filter-aaaa-on-v4</command></term>
<listitem>
<para>
- This option is only available when
- <acronym>BIND</acronym> 9 is compiled with the
- <userinput>--enable-filter-aaaa</userinput> option on the
- "configure" command line. It is intended to help the
+ This option is intended to help the
transition from IPv4 to IPv6 by not giving IPv6 addresses
to DNS clients unless they have connections to the IPv6
Internet. This is not recommended unless absolutely
catagory.
</para>
</listitem>
+ <listitem>
+ <para>
+ The <command>filter-aaaa-on-v4</command> and
+ <command>filter-aaaa-on-v6</command> options are no longer
+ conditionally compiled in <command>named</command>. [RT #46340]
+ </para>
+ </listitem>
</itemizedlist>
</section>
additional section. */
#define DNS_MESSAGERENDER_PREFER_AAAA 0x0010 /*%< prefer AAAA records in
additional section. */
-#ifdef ALLOW_FILTER_AAAA
#define DNS_MESSAGERENDER_FILTER_AAAA 0x0020 /*%< filter AAAA records */
-#endif
typedef struct dns_msgblock dns_msgblock_t;
return (ISC_TRUE);
}
-#ifdef ALLOW_FILTER_AAAA
/*
* Decide whether to not answer with an AAAA record and its RRSIG
*/
return (ISC_TRUE);
}
-#endif
static isc_result_t
renderset(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
preferred_glue))
goto next;
-#ifdef ALLOW_FILTER_AAAA
/*
* Suppress AAAAs if asked and we are
* not doing DNSSEC or are breaking DNSSEC.
* Say so in the AD bit if we break DNSSEC.
*/
- if (norender_rdataset(rdataset, options, sectionid)) {
+ if (norender_rdataset(rdataset, options,
+ sectionid))
+ {
if (sectionid == DNS_SECTION_ANSWER ||
sectionid == DNS_SECTION_AUTHORITY)
msg->flags &= ~DNS_MESSAGEFLAG_AD;
goto next;
}
-#endif
st = *(msg->buffer);
count = 0;
{ "fetch-quota-params", &cfg_type_fetchquota, 0 },
{ "fetches-per-server", &cfg_type_fetchesper, 0 },
{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
-#ifdef ALLOW_FILTER_AAAA
{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
-#else
- { "filter-aaaa", &cfg_type_bracketed_aml,
- CFG_CLAUSEFLAG_NOTCONFIGURED },
- { "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
- CFG_CLAUSEFLAG_NOTCONFIGURED },
- { "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
- CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
{ "glue-cache", &cfg_type_boolean, 0 },
{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
{ "lame-ttl", &cfg_type_ttlval, 0 },
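Review bot: With the `#else` branch gone, `filter-aaaa-on-v4`/`-v6` are accepted by every build, including the `break-dnssec` mode that the query and message code elsewhere in this diff uses to withhold AAAA records and their RRSIGs even from DNSSEC-requesting clients and to clear the AD bit. Previously a packager could keep that mode out of the binary at build time; now the only guard is the configuration itself. If the configuration checker does not already warn when `break-dnssec` is set, this change seems like the moment to add one, since the release note only says the options are no longer conditionally compiled. The clause table starts and ends outside this hunk.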
preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
-#ifdef ALLOW_FILTER_AAAA
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
* AAAA records.
if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
preferred_glue = DNS_MESSAGERENDER_PREFER_A;
}
-#endif
/*
* Create an OPT for our reply.
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
dns_ecs_init(&client->ecs);
-#ifdef ALLOW_FILTER_AAAA
client->filter_aaaa = dns_aaaa_ok;
-#endif
client->needshutdown = ISC_TF((client->sctx->options &
NS_SERVER_CLIENTTEST) != 0);
struct in6_pktinfo pktinfo;
isc_dscp_t dscp;
isc_event_t ctlevent;
-#ifdef ALLOW_FILTER_AAAA
dns_aaaa_t filter_aaaa;
-#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
#define NS_CLIENTATTR_MULTICAST 0x00008 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x00010 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x00020 /*%< include nameserver ID */
-#ifdef ALLOW_FILTER_AAAA
#define NS_CLIENTATTR_FILTER_AAAA 0x00040 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x00080 /*%< recursing for A against AAAA */
-#endif
#define NS_CLIENTATTR_WANTAD 0x00100 /*%< want AD in response if possible */
#define NS_CLIENTATTR_WANTCOOKIE 0x00200 /*%< return a COOKIE */
#define NS_CLIENTATTR_HAVECOOKIE 0x00400 /*%< has a valid COOKIE */
}
if (qtype == dns_rdatatype_a) {
-#ifdef ALLOW_FILTER_AAAA
isc_boolean_t have_a = ISC_FALSE;
-#endif
/*
* We now go looking for A and AAAA records, along with
dns_rdataset_disassociate(sigrdataset);
} else if (result == ISC_R_SUCCESS) {
mname = NULL;
-#ifdef ALLOW_FILTER_AAAA
have_a = ISC_TRUE;
-#endif
if (additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
/*
* There's an A; check whether we're filtering AAAA
*/
-#ifdef ALLOW_FILTER_AAAA
if (have_a &&
(client->filter_aaaa == dns_aaaa_break_dnssec ||
(client->filter_aaaa == dns_aaaa_filter &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset)))))
goto addname;
-#endif
if (additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
if (dbversion == NULL)
goto regular;
-#ifdef ALLOW_FILTER_AAAA
if (client->filter_aaaa == dns_aaaa_filter ||
client->filter_aaaa == dns_aaaa_break_dnssec)
{
options |= DNS_RDATASETADDGLUE_FILTERAAAA;
}
-#endif
result = dns_rdataset_addglue(rdataset, dbversion->version,
options, client->message);
return;
}
-#ifdef ALLOW_FILTER_AAAA
static isc_boolean_t
is_v4_client(ns_client_t *client) {
if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
return (ISC_TRUE);
return (ISC_FALSE);
}
-#endif
static isc_uint32_t
dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
dns_rdatasetiter_t *rdsiter = NULL;
isc_result_t result;
dns_rdatatype_t onetype = 0; /* type to use for minimal-any */
-#ifdef ALLOW_FILTER_AAAA
isc_boolean_t have_aaaa, have_a, have_sig;
/*
have_aaaa = ISC_FALSE;
have_a = !qctx->authoritative;
have_sig = ISC_FALSE;
-#endif
result = dns_db_allrdatasets(qctx->db, qctx->node,
qctx->version, 0, &rdsiter);
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, qctx->rdataset);
-#ifdef ALLOW_FILTER_AAAA
/*
* Notice the presence of A and AAAAs so
* that AAAAs can be hidden from IPv4 clients.
else if (qctx->rdataset->type == dns_rdatatype_a)
have_a = ISC_TRUE;
}
-#endif
+
/*
* We found an NS RRset; no need to add one later.
*/
qctx->rdataset->type == qctx->qtype) &&
qctx->rdataset->type != 0)
{
-#ifdef ALLOW_FILTER_AAAA
if (dns_rdatatype_isdnssec(qctx->rdataset->type))
have_sig = ISC_TRUE;
-#endif
if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client))
{
result = dns_rdatasetiter_next(rdsiter);
}
-#ifdef ALLOW_FILTER_AAAA
/*
* Filter AAAAs if there is an A and there is no signature
* or we are supposed to break DNSSEC.
have_aaaa && have_a &&
(!have_sig || !WANTDNSSEC(qctx->client)))
qctx->client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
-#endif
+
if (qctx->fname != NULL)
dns_message_puttempname(qctx->client->message, &qctx->fname);
}
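Review bot: The filter decision `have_aaaa && have_a && (!have_sig || !WANTDNSSEC(qctx->client))` is now compiled unconditionally, but `have_a` is seeded with `!qctx->authoritative` in the earlier hunk of this function, so for non-authoritative ANY answers the AAAA RRsets are flagged for filtering whenever AAAAs are present, whether or not an A was actually found at the node. That is presumably deliberate (cached data may be incomplete), but nothing in the code says so, and the assumption is now live in every build. A comment at the seed would help, something like `/* Non-authoritative data may be incomplete: presume an A exists so AAAAs are filtered. */` — please confirm that is the intent. The enclosing function starts outside this hunk.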
}
-#ifdef ALLOW_FILTER_AAAA
/*
* Optionally hide AAAAs from IPv4 clients if there is an A.
*
return (ISC_R_COMPLETE);
}
-#endif
/*%
* Build a repsonse for a "normal" query, for a type other than ANY,
return (query_done(qctx));
}
-#ifdef ALLOW_FILTER_AAAA
result = query_filter_aaaa(qctx);
if (result != ISC_R_COMPLETE)
return (result);
-#endif
/*
* Check to see if the AAAA RRset has non-excluded addresses
* in it. If not look for a A RRset.
if (qctx->type == dns_rdatatype_any) { /* XXX not yet */
goto cleanup;
}
-#ifdef ALLOW_FILTER_AAAA
if (qctx->client->filter_aaaa != dns_aaaa_ok &&
(qctx->type == dns_rdatatype_a ||
qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
{
goto cleanup;
}
-#endif
if (!ISC_LIST_EMPTY(qctx->client->view->dns64) &&
(qctx->type == dns_rdatatype_a ||
qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
if (qctx->type == dns_rdatatype_any) { /* XXX not yet */
goto cleanup;
}
-#ifdef ALLOW_FILTER_AAAA
if (qctx->client->filter_aaaa != dns_aaaa_ok &&
(qctx->type == dns_rdatatype_a ||
qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
{
goto cleanup;
}
-#endif
if (!ISC_LIST_EMPTY(qctx->client->view->dns64) &&
(qctx->type == dns_rdatatype_a ||
qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
qctx->need_wildcardproof = ISC_TRUE;
}
-#ifdef ALLOW_FILTER_AAAA
/*
* The filter-aaaa-on-v4 option should suppress AAAAs for IPv4
* clients if there is an A; filter-aaaa-on-v6 option does the same
qctx->client->filter_aaaa = qctx->client->view->v6_aaaa;
}
-#endif
if (qctx->type == dns_rdatatype_any) {
return (query_respond_any(qctx));
my %configdefh;
my @substdefh = ("AES_CC",
- "ALLOW_FILTER_AAAA",
"CONFIGARGS",
"DNS_RDATASET_FIXED",
"ENABLE_RPZ_NSDNAME",
" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
-" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
" enable-fixed-rrset enable fixed rrset ordering [default=no]\n",
" enable-developer enable developer build settings [default=no]\n",
" enable-querytrace enable very verbose query trace [default=no]\n",
my $enable_native_pkcs11 = "no";
my $enable_crypto_rand = "yes";
my $enable_openssl_hash = "auto";
-my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
my $enable_fixed_rrset = "no";
my $enable_developer = "no";
if ($val =~ /^no$/i) {
$enable_isc_spnego = "no";
}
- } elsif ($key =~ /^filter-aaaa$/i) {
- if ($val =~ /^no$/i) {
- $enable_filter_aaaa = "no";
- }
} elsif ($key =~ /^fixed-rrset$/i) {
if ($val =~ /^yes$/i) {
$enable_fixed_rrset = "yes";
if ($enable_developer eq "yes") {
$configdefh{"ISC_LIST_CHECKINIT"} = 1;
- $enable_filter_aaaa = "yes";
$enable_querytrace = "yes";
# no atf on WIN32
$enable_fixed_rrset = "yes";
} else {
print "isc-spnego: disabled\n";
}
- if ($enable_filter_aaaa eq "yes") {
- print "filter-aaaa: enabled\n";
- } else {
- print "filter-aaaa: disabled\n";
- }
if ($enable_fixed_rrset eq "yes") {
print "fixed-rrset: enabled\n";
} else {
}
}
-# enable-filter-aaaa
-if ($enable_filter_aaaa eq "yes") {
- $configdefh{"ALLOW_FILTER_AAAA"} = 1;
-}
-
# enable-fixed-rrset
if ($enable_fixed_rrset eq "yes") {
$configdefh{"DNS_RDATASET_FIXED"} = 1;
# --enable-querytrace supported
# --disable-rpz-nsip supported
# --disable-rpz-nsdname supported
-# --enable-filter-aaaa supported
# --enable-full-report supported by verbose
# --enable-dnstap not supported (requires libfstrm support on WIN32)
# --enable-seccomp not supported (Linux specific)