exit(1);
}
- result = isccfg_check_namedconf(config, loadplugins, nodeprecate, logc,
- mctx);
+ result = isccfg_check_namedconf(config, loadplugins, logc, mctx);
if (result != ISC_R_SUCCESS) {
exit_status = 1;
}
.. literalinclude:: ../../doc/misc/redirect.zoneopt
.. literalinclude:: ../../doc/misc/static-stub.zoneopt
.. literalinclude:: ../../doc/misc/stub.zoneopt
-.. literalinclude:: ../../doc/misc/delegation-only.zoneopt
.. literalinclude:: ../../doc/misc/in-view.zoneopt
Files
view->preferred_glue = 0;
}
- obj = NULL;
- result = named_config_get(maps, "root-delegation-only", &obj);
- if (result == ISC_R_SUCCESS) {
- dns_view_setrootdelonly(view, true);
- }
- if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
- const cfg_obj_t *exclude;
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- name = dns_fixedname_initname(&fixed);
- for (element = cfg_list_first(obj); element != NULL;
- element = cfg_list_next(element))
- {
- exclude = cfg_listelt_value(element);
- CHECK(dns_name_fromstring(
- name, cfg_obj_asstring(exclude), 0, NULL));
- dns_view_excludedelegationonly(view, name);
- }
- } else {
- dns_view_setrootdelonly(view, false);
- }
-
/*
* Load DynDB modules.
*/
const cfg_obj_t *forwarders = NULL;
const cfg_obj_t *forwardtype = NULL;
const cfg_obj_t *ixfrfromdiffs = NULL;
- const cfg_obj_t *only = NULL;
const cfg_obj_t *viewobj = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
const char *hintsfile = cfg_obj_asstring(fileobj);
CHECK(configure_hints(view, hintsfile));
-
- /*
- * Hint zones may also refer to delegation only points.
- */
- only = NULL;
- tresult = cfg_map_get(zoptions, "delegation-only",
- &only);
- if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
- {
- dns_view_adddelegationonly(view, origin);
- }
} else {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
(void)cfg_map_get(zoptions, "forwarders", &forwarders);
CHECK(configure_forward(config, view, origin, forwarders,
forwardtype));
-
- /*
- * Forward zones may also set delegation only.
- */
- only = NULL;
- tresult = cfg_map_get(zoptions, "delegation-only", &only);
- if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) {
- dns_view_adddelegationonly(view, origin);
- }
- goto cleanup;
- }
-
- /*
- * "delegation-only zones" aren't zones either.
- */
- if (strcasecmp(ztypestr, "delegation-only") == 0) {
- dns_view_adddelegationonly(view, origin);
goto cleanup;
}
forwardtype));
}
- /*
- * Stub and forward zones may also refer to delegation only points.
- */
- only = NULL;
- if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) {
- if (cfg_obj_asboolean(only)) {
- dns_view_adddelegationonly(view, origin);
- }
- }
-
/*
* Mark whether the zone was originally added at runtime or not
*/
* checked later when the modules are actually loaded and
* registered.)
*/
- result = isccfg_check_namedconf(config, false, false, named_g_lctx,
+ result = isccfg_check_namedconf(config, false, named_g_lctx,
named_g_mctx);
if (result != ISC_R_SUCCESS) {
goto cleanup_config;
}
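Review bot: Dropping the `nodeprecate` parameter from `isccfg_check_namedconf()` is only safe if that flag gated nothing but the delegation-only deprecation warnings; its name suggests a general "suppress deprecation warnings" switch, and the checkconf test in this same diff still expects other deprecation warnings (`use-v6-udp-ports`, `avoid-v4-udp-ports`, `port`) to be printed, so if named-checkconf exposed that flag on its command line it now silently does nothing. The named-checkconf.c caller in the first hunk still carried a `nodeprecate` local; make sure the option parsing, usage text and man page that fed it are removed in the same commit, or keep the parameter and pass `false` here as before. load_configuration() starts and ends outside this hunk.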
if (strcasecmp(cfg_obj_asstring(obj), "hint") == 0 ||
- strcasecmp(cfg_obj_asstring(obj), "forward") == 0 ||
- strcasecmp(cfg_obj_asstring(obj), "delegation-only") == 0)
+ strcasecmp(cfg_obj_asstring(obj), "forward") == 0)
{
(void)putstr(text, "'");
(void)putstr(text, cfg_obj_asstring(obj));
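Review bot: The addzone test asserting that `type delegation-only` is refused with "zones not supported by addzone" is deleted elsewhere in this diff, but nothing visible replaces it with a test that a configuration still carrying `delegation-only`, `root-delegation-only` or `type delegation-only` is now rejected by the parser with a clear diagnostic rather than a generic syntax error, which is the path operators upgrading with such configs will hit first. A small style point on the surviving condition: `cfg_obj_asstring(obj)` is evaluated three times in the visible lines (twice in the test, once for the message); hoisting it once, `const char *ztype = cfg_obj_asstring(obj);` and `if (strcasecmp(ztype, "hint") == 0 || strcasecmp(ztype, "forward") == 0)`, reads better and avoids repeating the accessor. The enclosing function starts and ends outside the hunk.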
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "check that zone type 'delegation-only' is properly rejected ($n)"
-ret=0
-$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1
-grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
echo_i "check that 'in-view' zones are properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
use-v6-udp-ports { range 1024 65535; };
avoid-v4-udp-ports { range 1 1023; };
avoid-v6-udp-ports { range 1 1023; };
-
- root-delegation-only exclude { "them"; };
};
trusted-keys {
file "maxttl-bad.db";
max-zone-ttl 120;
};
-
-zone "." {
- type hint;
- file "shared.example.db";
- delegation-only yes;
-};
-
-zone com {
- type delegation-only;
-};
grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
-grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
-grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
-grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
- /* test that named loads with root-delegation-only */
- root-delegation-only;
};
zone "." {
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.4
all-cnames NS cname.tld
-delegation-only. NS ns.delegation-only.
-ns.delegation-only. A 10.53.0.6
example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
no-questions. NS ns.no-questions.
file "child.server.db";
};
-zone "delegation-only" {
- type delegation-only;
-};
-
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
dnssec-validation no;
querylog yes;
statistics-file "named.stats";
- /*
- * test that named loads with root-delegation-only that
- * has a exclude list.
- */
- root-delegation-only exclude { "a"; };
max-udp-size 4096;
};
file "no-edns-version.tld.db";
};
-zone "delegation-only" {
- type primary;
- file "delegation-only.db";
-};
-
zone "fetch.tld" {
type primary;
file "fetch.tld.db";
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n+1))
-echo_i "check that SOA query returns data for delegation-only apex (${n})"
-ret=0
-dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-n=$((n+1))
-
-n=$((n+1))
-echo_i "check that NS query returns data for delegation-only apex (${n})"
-ret=0
-dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that A query returns data for delegation-only A apex (${n})"
-ret=0
-dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that CDS query returns data for delegation-only apex (${n})"
-ret=0
-dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
-ret=0
-dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-n=$((n+1))
-
-echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
-ret=0
-dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
-ret=0
-dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
-ret=0
-dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
-ret=0
-dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n+1))
-echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
-ret=0
-dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-n=$((n+1))
-
-echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
-ret=0
-dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
n=$((n+1))
echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
ret=0
../dnssec-guide \
../misc/options \
../misc/rndc.grammar \
- ../misc/delegation-only.zoneopt \
../misc/forward.zoneopt \
../misc/hint.zoneopt \
../misc/in-view.zoneopt \
``default``
Logging options for those categories where no specific configuration has been defined.
-``delegation-only``
- Queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a :any:`delegation-only` in a forward, hint, or stub zone declaration.
-
``dispatch``
Dispatching of incoming packets to the server modules where they are to be processed.
is to prefer A records when responding to queries that arrived via
IPv4 and AAAA when responding to queries that arrived via IPv6.
-.. namedconf:statement:: root-delegation-only
- :tags: deprecated
- :short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list.
-
- This turns on enforcement of delegation-only in top-level domains (TLDs)
- and root zones with an
- optional exclude list.
-
- DS queries are expected to be made to and be answered by delegation-only
- zones. Such queries and responses are treated as an exception to
- delegation-only processing and are not converted to NXDOMAIN
- responses, provided a CNAME is not discovered at the query name.
-
- If a delegation-only zone server also serves a child zone, it is not
- always possible to determine whether an answer comes from the
- delegation-only zone or the child zone. SOA NS and DNSKEY records are
- apex-only records and a matching response that contains these records
- or DS is treated as coming from a child zone. RRSIG records are also
- examined to see whether they are signed by a child zone, and the
- authority section is examined to see if there is evidence that
- the answer is from the child zone. Answers that are determined to be
- from a child zone are not converted to NXDOMAIN responses. Despite
- all these checks, there is still a possibility of false negatives when
- a child zone is being served.
-
- Similarly, false positives can arise from empty nodes (no records at
- the name) in the delegation-only zone when the query type is not ``ANY``.
-
- Note that some TLDs are not delegation-only; e.g., "DE", "LV", "US", and
- "MUSEUM". This list is not exhaustive.
-
- ::
-
- options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
- };
-
- This option is deprecated, and will be rendered non-operational in a
- future release.
-
.. namedconf:statement:: disable-algorithms
:tags: dnssec
:short: Disables DNSSEC algorithms from a specified zone.
:any:`primary <type primary>` (or ``master``), :any:`secondary <type
secondary>` (or ``slave``), :any:`mirror <type mirror>`, :any:`hint <type
hint>`, :any:`stub <type stub>`, :any:`static-stub <type static-stub>`,
- :any:`forward <type forward>`, :any:`redirect <type redirect>`, or
- :any:`delegation-only <type delegation-only>`.
+ :any:`forward <type forward>`, or :any:`redirect <type redirect>`.
.. namedconf:statement:: type primary
:tags: zone
When using :option:`rndc reload` without specifying a zone name, redirect
zones are reloaded along with other zones.
-.. namedconf:statement:: type delegation-only
- :tags: deprecated
- :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.).
-
- This zone type is used to enforce the delegation-only status of
- infrastructure zones (e.g., COM, NET, ORG). Any answer that is received
- without an explicit or implicit delegation in the authority section is
- treated as NXDOMAIN. This does not apply to the zone apex, and should
- not be applied to leaf zones.
-
- :any:`delegation-only` has no effect on answers received from forwarders.
-
- See caveats in :any:`root-delegation-only`.
-
- This zone type is deprecated, and will be rendered non-operational in a
- future release.
-
.. namedconf:statement:: in-view
:tags: view, zone
:short: Specifies the view in which a given zone is defined.
:any:`dialup`
See the description of :any:`dialup` in :ref:`boolean_options`.
-.. namedconf:statement:: delegation-only
- :tags: deprecated
- :short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone.
-
- This flag only applies to forward, hint, and stub zones. If set to
- ``yes``, then the zone is treated as if it is also a
- delegation-only type zone.
-
- See caveats in :any:`root-delegation-only`.
-
- This option is deprecated, and will be rendered non-operational in a
- future release.
-
.. namedconf:statement:: file
:tags: zone
:short: Specifies the zone's filename.
stub.zoneopt \
static-stub.zoneopt \
redirect.zoneopt \
- delegation-only.zoneopt \
in-view.zoneopt
EXTRA_DIST = \
redirect.zoneopt: cfg_test
$(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar redirect > $@
-delegation-only.zoneopt: cfg_test
- $(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar delegation-only > $@
-
in-view.zoneopt: cfg_test
$(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar in-view > $@
zonetype = CFG_ZONE_FORWARD;
} else if (strcmp(argv[1], "redirect") == 0) {
zonetype = CFG_ZONE_REDIRECT;
- } else if (strcmp(argv[1], "delegation-only") == 0) {
- zonetype = CFG_ZONE_DELEGATION;
} else if (strcmp(argv[1], "in-view") == 0) {
zonetype = CFG_ZONE_INVIEW;
} else {
+++ /dev/null
-zone <string> [ <class> ] {
- type delegation-only;
-};
zone <string> [ <class> ] {
type forward;
- delegation-only <boolean>; // deprecated
forward ( first | only );
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
};
zone <string> [ <class> ] {
type hint;
check-names ( fail | warn | ignore );
- delegation-only <boolean>; // deprecated
file <quoted_string>;
};
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
reuseport <boolean>;
- root-delegation-only [ exclude { <string>; ... } ]; // deprecated
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
secroots-file <quoted_string>;
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
- root-delegation-only [ exclude { <string>; ... } ]; // deprecated
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
send-cookie <boolean>;
allow-query-on { <address_match_element>; ... };
check-names ( fail | warn | ignore );
database <string>;
- delegation-only <boolean>; // deprecated
dialup ( notify | notify-passive | passive | refresh | <boolean> );
file <quoted_string>;
forward ( first | only );
#define DNS_LOGCATEGORY_DATABASE (&dns_categories[1])
#define DNS_LOGCATEGORY_SECURITY (&dns_categories[2])
/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
-#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
-#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
-#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
-#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
-#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
-#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
-#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
-#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
-#define DNS_LOGCATEGORY_RPZ (&dns_categories[12])
-#define DNS_LOGCATEGORY_RRL (&dns_categories[13])
-#define DNS_LOGCATEGORY_CNAME (&dns_categories[14])
-#define DNS_LOGCATEGORY_SPILL (&dns_categories[15])
-#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[16])
-#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[17])
-#define DNS_LOGCATEGORY_NSID (&dns_categories[18])
-#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[19])
+#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
+#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
+#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
+#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
+#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
+#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
+/* #define DNS_LOGCATEGORY_DELEGATION_ONLY removed */
+#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[10])
+#define DNS_LOGCATEGORY_RPZ (&dns_categories[11])
+#define DNS_LOGCATEGORY_RRL (&dns_categories[12])
+#define DNS_LOGCATEGORY_CNAME (&dns_categories[13])
+#define DNS_LOGCATEGORY_SPILL (&dns_categories[14])
+#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[15])
+#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[16])
+#define DNS_LOGCATEGORY_NSID (&dns_categories[17])
+#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[18])
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
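Review bot: The renumbered indices do match the new `dns_categories[]` order in log.c (`edns-disabled` is now element 10 through `rpz-passthru` at 18), but nothing enforces that agreement, and the header already keeps a `_placeholder` entry at index 3 for the superseded CONFIG category precisely so later indices never shift; this hunk departs from that convention by moving nine macros instead. Either keep a `{ "_placeholder", 0 }` entry where `delegation-only` was and leave the indices alone, or add a compile-time check beside the array, e.g. `STATIC_ASSERT(sizeof(dns_categories) / sizeof(dns_categories[0]) == 20, "dns_categories out of sync with <dns/log.h>");` using whichever static-assert macro libisc provides. The stray `/* #define DNS_LOGCATEGORY_DELEGATION_ONLY removed */` line should either be dropped or reworded to match the existing CONFIG note two lines above it.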
dns_aclenv_t *aclenv;
dns_rdatatype_t preferred_glue;
bool flush;
- dns_namelist_t *delonly;
- bool rootdelonly;
- dns_namelist_t *rootexclude;
bool checknames;
uint16_t maxudp;
dns_ttl_t staleanswerttl;
* other returns are failures.
*/
-void
-dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name);
-/*%<
- * Add the given name to the delegation only table.
- *
- * Requires:
- *\li 'view' is valid.
- *\li 'name' is valid.
- *
- * Returns:
- *\li #ISC_R_SUCCESS
- *\li #ISC_R_NOMEMORY
- */
-
-void
-dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name);
-/*%<
- * Add the given name to be excluded from the root-delegation-only.
- *
- *
- * Requires:
- *\li 'view' is valid.
- *\li 'name' is valid.
- *
- * Returns:
- *\li #ISC_R_SUCCESS
- *\li #ISC_R_NOMEMORY
- */
-
-bool
-dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name);
-/*%<
- * Check if 'name' is in the delegation only table or if
- * rootdelonly is set that name is not being excluded.
- *
- * Requires:
- *\li 'view' is valid.
- *\li 'name' is valid.
- *
- * Returns:
- *\li #true if the name is the table.
- *\li #false otherwise.
- */
-
-void
-dns_view_setrootdelonly(dns_view_t *view, bool value);
-/*%<
- * Set the root delegation only flag.
- *
- * Requires:
- *\li 'view' is valid.
- */
-
-bool
-dns_view_getrootdelonly(dns_view_t *view);
-/*%<
- * Get the root delegation only flag.
- *
- * Requires:
- *\li 'view' is valid.
- */
-
isc_result_t
dns_view_freezezones(dns_view_t *view, bool freeze);
/*%<
* \#define to <dns/log.h>.
*/
isc_logcategory_t dns_categories[] = {
- { "notify", 0 }, { "database", 0 }, { "security", 0 },
- { "_placeholder", 0 }, { "dnssec", 0 }, { "resolver", 0 },
- { "xfer-in", 0 }, { "xfer-out", 0 }, { "dispatch", 0 },
- { "lame-servers", 0 }, { "delegation-only", 0 }, { "edns-disabled", 0 },
- { "rpz", 0 }, { "rate-limit", 0 }, { "cname", 0 },
- { "spill", 0 }, { "dnstap", 0 }, { "zoneload", 0 },
- { "nsid", 0 }, { "rpz-passthru", 0 }, { NULL, 0 }
+ { "notify", 0 }, { "database", 0 },
+ { "security", 0 }, { "_placeholder", 0 },
+ { "dnssec", 0 }, { "resolver", 0 },
+ { "xfer-in", 0 }, { "xfer-out", 0 },
+ { "dispatch", 0 }, { "lame-servers", 0 },
+ { "edns-disabled", 0 }, { "rpz", 0 },
+ { "rate-limit", 0 }, { "cname", 0 },
+ { "spill", 0 }, { "dnstap", 0 },
+ { "zoneload", 0 }, { "nsid", 0 },
+ { "rpz-passthru", 0 }, { NULL, 0 }
};
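Review bot: Removing the `delegation-only` name from this table means a named.conf that still contains `logging { category delegation-only { ... }; };` will presumably fail the logging-clause category lookup at startup, turning what was a deprecation warning into a fatal configuration error on upgrade. If that is intended it should be called out in the release notes and covered by a checkconf test; if not, keep the name registered for one release cycle as a `_placeholder`-style entry that nothing writes to, so old logging stanzas keep loading. The resolver code that wrote to this category is removed in the same diff, so keeping the entry costs nothing at runtime and also avoids shifting the numeric indices used by <dns/log.h>.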
/*%
* - Check the parsed response for an OPT record and handle
* EDNS (rctx_opt(), rctx_edns()).
* - Check for a bad or lame server (rctx_badserver(), rctx_lameserver()).
- * - Handle delegation-only zones (rctx_delonly_zone()).
* - If RCODE and ANCOUNT suggest this is a positive answer, and
* if so, call rctx_answer(): go to step 2.
* - If RCODE and NSCOUNT suggest this is a negative answer or a
static isc_result_t
rctx_timedout(respctx_t *rctx);
-static void
-rctx_delonly_zone(respctx_t *rctx);
-
static void
rctx_ncache(respctx_t *rctx);
return (ISC_R_SUCCESS);
}
-static bool
-rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
- dns_namereln_t namereln;
- dns_rdata_rrsig_t rrsig;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- int order;
- isc_result_t result;
- unsigned int labels;
-
- for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- namereln = dns_name_fullcompare(&rrsig.signer, fctx->domain,
- &order, &labels);
- if (namereln == dns_namereln_subdomain) {
- return (true);
- }
- dns_rdata_reset(&rdata);
- }
- return (false);
-}
-
-static bool
-fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
- dns_name_t *name;
- dns_name_t *domain = fctx->domain;
- dns_rdataset_t *rdataset;
- dns_rdatatype_t type;
- isc_result_t result;
- bool keep_auth = false;
-
- if (message->rcode == dns_rcode_nxdomain) {
- return (false);
- }
-
- /*
- * A DS RRset can appear anywhere in a zone, even for a delegation-only
- * zone. So a response to an explicit query for this type should be
- * excluded from delegation-only fixup.
- *
- * SOA, NS, and DNSKEY can only exist at a zone apex, so a positive
- * response to a query for these types can never violate the
- * delegation-only assumption: if the query name is below a
- * zone cut, the response should normally be a referral, which should
- * be accepted; if the query name is below a zone cut but the server
- * happens to have authority for the zone of the query name, the
- * response is a (non-referral) answer. But this does not violate
- * delegation-only because the query name must be in a different zone
- * due to the "apex-only" nature of these types. Note that if the
- * remote server happens to have authority for a child zone of a
- * delegation-only zone, we may still incorrectly "fix" the response
- * with NXDOMAIN for queries for other types. Unfortunately it's
- * generally impossible to differentiate this case from violation of
- * the delegation-only assumption. Once the resolver learns the
- * correct zone cut, possibly via a separate query for an "apex-only"
- * type, queries for other types will be resolved correctly.
- *
- * A query for type ANY will be accepted if it hits an exceptional
- * type above in the answer section as it should be from a child
- * zone.
- *
- * Also accept answers with RRSIG records from the child zone.
- * Direct queries for RRSIG records should not be answered from
- * the parent zone.
- */
-
- if (message->counts[DNS_SECTION_ANSWER] != 0 &&
- (fctx->type == dns_rdatatype_ns || fctx->type == dns_rdatatype_ds ||
- fctx->type == dns_rdatatype_soa ||
- fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig ||
- fctx->type == dns_rdatatype_dnskey))
- {
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_ANSWER,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (!dns_name_equal(name, fctx->name)) {
- continue;
- }
- type = rdataset->type;
- /*
- * RRsig from child?
- */
- if (type == dns_rdatatype_rrsig &&
- rrsig_fromchildzone(fctx, rdataset))
- {
- return (false);
- }
- /*
- * Direct query for apex records or DS.
- */
- if (fctx->type == type &&
- (type == dns_rdatatype_ds ||
- type == dns_rdatatype_ns ||
- type == dns_rdatatype_soa ||
- type == dns_rdatatype_dnskey))
- {
- return (false);
- }
- /*
- * Indirect query for apex records or DS.
- */
- if (fctx->type == dns_rdatatype_any &&
- (type == dns_rdatatype_ns ||
- type == dns_rdatatype_ds ||
- type == dns_rdatatype_soa ||
- type == dns_rdatatype_dnskey))
- {
- return (false);
- }
- }
- result = dns_message_nextname(message,
- DNS_SECTION_ANSWER);
- }
- }
-
- /*
- * A NODATA response to a DS query?
- */
- if (fctx->type == dns_rdatatype_ds &&
- message->counts[DNS_SECTION_ANSWER] == 0)
- {
- return (false);
- }
-
- /* Look for referral or indication of answer from child zone? */
- if (message->counts[DNS_SECTION_AUTHORITY] == 0) {
- goto munge;
- }
-
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- type = rdataset->type;
- if (type == dns_rdatatype_soa &&
- dns_name_equal(name, domain))
- {
- keep_auth = true;
- }
-
- if (type != dns_rdatatype_ns &&
- type != dns_rdatatype_soa &&
- type != dns_rdatatype_rrsig)
- {
- continue;
- }
-
- if (type == dns_rdatatype_rrsig) {
- if (rrsig_fromchildzone(fctx, rdataset)) {
- return (false);
- } else {
- continue;
- }
- }
-
- /* NS or SOA records. */
- if (dns_name_equal(name, domain)) {
- /*
- * If a query for ANY causes a negative
- * response, we can be sure that this is
- * an empty node. For other type of queries
- * we cannot differentiate an empty node
- * from a node that just doesn't have that
- * type of record. We only accept the former
- * case.
- */
- if (message->counts[DNS_SECTION_ANSWER] == 0 &&
- fctx->type == dns_rdatatype_any)
- {
- return (false);
- }
- } else if (dns_name_issubdomain(name, domain)) {
- /* Referral or answer from child zone. */
- return (false);
- }
- }
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
- }
-
-munge:
- message->rcode = dns_rcode_nxdomain;
- message->counts[DNS_SECTION_ANSWER] = 0;
- if (!keep_auth) {
- message->counts[DNS_SECTION_AUTHORITY] = 0;
- }
- message->counts[DNS_SECTION_ADDITIONAL] = 0;
- return (true);
-}
-
static void
resquery_destroy(resquery_t *query) {
fetchctx_t *fctx = query->fctx;
return;
}
- /*
- * Handle delegation-only zones like NET or COM.
- */
- rctx_delonly_zone(&rctx);
-
/*
* Optionally call dns_rdata_checkowner() and
* dns_rdata_checknames() to validate the names in the response
return (ISC_R_COMPLETE);
}
-/*
- * rctx_delonly_zone():
- * Handle delegation-only zones like NET and COM.
- */
-static void
-rctx_delonly_zone(respctx_t *rctx) {
- fetchctx_t *fctx = rctx->fctx;
- char namebuf[DNS_NAME_FORMATSIZE];
- char domainbuf[DNS_NAME_FORMATSIZE];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- char classbuf[64];
- char typebuf[64];
-
- if (ISFORWARDER(rctx->query->addrinfo) ||
- !dns_view_isdelegationonly(fctx->res->view, fctx->domain) ||
- dns_name_equal(fctx->domain, fctx->name) ||
- !fix_mustbedelegationornxdomain(rctx->query->rmessage, fctx))
- {
- return;
- }
-
- dns_name_format(fctx->name, namebuf, sizeof(namebuf));
- dns_name_format(fctx->domain, domainbuf, sizeof(domainbuf));
- dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
- isc_sockaddr_format(&rctx->query->addrinfo->sockaddr, addrbuf,
- sizeof(addrbuf));
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
- "enforced delegation-only for '%s' (%s/%s/%s) from %s",
- domainbuf, namebuf, typebuf, classbuf, addrbuf);
-}
-
/***
*** Resolver Methods
***/
if (view->sfd != NULL) {
dns_rbt_destroy(&view->sfd);
}
- if (view->delonly != NULL) {
- dns_name_t *name;
- int i;
-
- for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
- name = ISC_LIST_HEAD(view->delonly[i]);
- while (name != NULL) {
- ISC_LIST_UNLINK(view->delonly[i], name, link);
- dns_name_free(name, view->mctx);
- isc_mem_put(view->mctx, name, sizeof(*name));
- name = ISC_LIST_HEAD(view->delonly[i]);
- }
- }
- isc_mem_put(view->mctx, view->delonly,
- sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
- view->delonly = NULL;
- }
- if (view->rootexclude != NULL) {
- dns_name_t *name;
- int i;
-
- for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
- name = ISC_LIST_HEAD(view->rootexclude[i]);
- while (name != NULL) {
- ISC_LIST_UNLINK(view->rootexclude[i], name,
- link);
- dns_name_free(name, view->mctx);
- isc_mem_put(view->mctx, name, sizeof(*name));
- name = ISC_LIST_HEAD(view->rootexclude[i]);
- }
- }
- isc_mem_put(view->mctx, view->rootexclude,
- sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
- view->rootexclude = NULL;
- }
if (view->secroots_priv != NULL) {
dns_keytable_detach(&view->secroots_priv);
}
return (result);
}
-void
-dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name) {
- dns_name_t *item;
- unsigned int hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->delonly == NULL) {
- view->delonly = isc_mem_get(view->mctx,
- sizeof(dns_namelist_t) *
- DNS_VIEW_DELONLYHASH);
- for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
- ISC_LIST_INIT(view->delonly[hash]);
- }
- }
- hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
- item = ISC_LIST_HEAD(view->delonly[hash]);
- while (item != NULL && !dns_name_equal(item, name)) {
- item = ISC_LIST_NEXT(item, link);
- }
- if (item != NULL) {
- return;
- }
- item = isc_mem_get(view->mctx, sizeof(*item));
- dns_name_init(item, NULL);
- dns_name_dup(name, view->mctx, item);
- ISC_LIST_APPEND(view->delonly[hash], item, link);
-}
-
-void
-dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name) {
- dns_name_t *item;
- unsigned int hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->rootexclude == NULL) {
- view->rootexclude = isc_mem_get(view->mctx,
- sizeof(dns_namelist_t) *
- DNS_VIEW_DELONLYHASH);
- for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
- ISC_LIST_INIT(view->rootexclude[hash]);
- }
- }
- hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
- item = ISC_LIST_HEAD(view->rootexclude[hash]);
- while (item != NULL && !dns_name_equal(item, name)) {
- item = ISC_LIST_NEXT(item, link);
- }
- if (item != NULL) {
- return;
- }
- item = isc_mem_get(view->mctx, sizeof(*item));
- dns_name_init(item, NULL);
- dns_name_dup(name, view->mctx, item);
- ISC_LIST_APPEND(view->rootexclude[hash], item, link);
-}
-
-bool
-dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name) {
- dns_name_t *item;
- unsigned int hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (!view->rootdelonly && view->delonly == NULL) {
- return (false);
- }
-
- hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
- if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
- if (view->rootexclude == NULL) {
- return (true);
- }
- item = ISC_LIST_HEAD(view->rootexclude[hash]);
- while (item != NULL && !dns_name_equal(item, name)) {
- item = ISC_LIST_NEXT(item, link);
- }
- if (item == NULL) {
- return (true);
- }
- }
-
- if (view->delonly == NULL) {
- return (false);
- }
-
- item = ISC_LIST_HEAD(view->delonly[hash]);
- while (item != NULL && !dns_name_equal(item, name)) {
- item = ISC_LIST_NEXT(item, link);
- }
- if (item == NULL) {
- return (false);
- }
- return (true);
-}
-
-void
-dns_view_setrootdelonly(dns_view_t *view, bool value) {
- REQUIRE(DNS_VIEW_VALID(view));
- view->rootdelonly = value;
-}
-
-bool
-dns_view_getrootdelonly(dns_view_t *view) {
- REQUIRE(DNS_VIEW_VALID(view));
- return (view->rootdelonly);
-}
-
isc_result_t
dns_view_freezezones(dns_view_t *view, bool value) {
REQUIRE(DNS_VIEW_VALID(view));
}
}
- obj = NULL;
- (void)cfg_map_get(options, "root-delegation-only", &obj);
- if (obj != NULL) {
- if (!cfg_obj_isvoid(obj)) {
- for (element = cfg_list_first(obj); element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *exclude;
-
- exclude = cfg_listelt_value(element);
- str = cfg_obj_asstring(exclude);
- tresult = check_name(str);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'",
- str);
- result = tresult;
- }
- }
- }
- }
-
/*
* Set supported DNSSEC algorithms.
*/
const cfg_obj_t *config, isc_symtab_t *symtab,
isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview,
const char *viewname, dns_rdataclass_t defclass,
- bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx,
- isc_mem_t *mctx) {
+ cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) {
const char *znamestr;
const char *typestr = NULL;
const char *target = NULL;
ztype = CFG_ZONE_FORWARD;
} else if (strcasecmp(typestr, "hint") == 0) {
ztype = CFG_ZONE_HINT;
- } else if (strcasecmp(typestr, "delegation-only") == 0) {
- ztype = CFG_ZONE_DELEGATION;
- if (!nodeprecate) {
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "'type delegation-only' is "
- "deprecated");
- }
} else if (strcasecmp(typestr, "redirect") == 0) {
ztype = CFG_ZONE_REDIRECT;
} else {
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const char *viewname, dns_rdataclass_t vclass,
isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins,
- bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx,
- isc_mem_t *mctx) {
+ isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) {
const cfg_obj_t *zones = NULL;
const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
tresult = check_zoneconf(zone, voptions, config, symtab, files,
keydirs, inview, viewname, vclass,
- nodeprecate, actx, logctx, mctx);
+ actx, logctx, mctx);
if (tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
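Review bot: Dropping `nodeprecate` from check_zoneconf (L1061-1063) and check_viewconf (L1083-1085) also changes the exported isccfg_check_namedconf signature, so every caller outside libisccfg has to change in the same commit; only the checker itself is visible here, so confirm that named's own configuration loading (if it calls isccfg_check_namedconf as well as named-checkconf) was updated, and that no other deprecation warning in check.c still read the flag before it was removed. If a command-line switch that used to set this flag survives in named-checkconf, it is now a silent no-op and should be removed or its usage text adjusted. The bodies of check_zoneconf and check_viewconf continue outside the hunk.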
isc_result_t
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
- bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) {
+ isc_log_t *logctx, isc_mem_t *mctx) {
const cfg_obj_t *options = NULL;
const cfg_obj_t *views = NULL;
const cfg_obj_t *acls = NULL;
if (views == NULL) {
tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
- files, keydirs, check_plugins,
- nodeprecate, inview, logctx, mctx);
+ files, keydirs, check_plugins, inview,
+ logctx, mctx);
if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
if (tresult == ISC_R_SUCCESS) {
tresult = check_viewconf(config, voptions, key, vclass,
files, keydirs, check_plugins,
- nodeprecate, inview, logctx,
- mctx);
+ inview, logctx, mctx);
}
if (tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
isc_result_t
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
- bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx);
+ isc_log_t *logctx, isc_mem_t *mctx);
/*%<
* Check the syntactic validity of a configuration parse tree generated from
* a named.conf file.
* If 'check_plugins' is true, load plugins and check the validity of their
* parameters as well.
*
- * If 'nodeprecate' is true, do not warn about deprecated configuration.
- *
* Requires:
*\li config is a valid parse tree
*
cfg_doc_enum, &cfg_rep_string, &forwardtype_enums
};
-static const char *zonetype_enums[] = {
- "primary", "master", "secondary", "slave",
- "mirror", "delegation-only", "forward", "hint",
- "redirect", "static-stub", "stub", NULL
-};
+static const char *zonetype_enums[] = { "primary", "master", "secondary",
+ "slave", "mirror", "forward",
+ "hint", "redirect", "static-stub",
+ "stub", NULL };
static cfg_type_t cfg_type_zonetype = { "zonetype", cfg_parse_enum,
cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &zonetype_enums };
{ "response-policy", &cfg_type_rpz, 0 },
{ "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "root-delegation-only", &cfg_type_optional_exclude,
- CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_ANCIENT },
{ "root-key-sentinel", &cfg_type_boolean, 0 },
{ "rrset-order", &cfg_type_rrsetorder, 0 },
{ "send-cookie", &cfg_type_boolean, 0 },
CFG_ZONE_STUB },
{ "delegation-only", &cfg_type_boolean,
CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD |
- CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_ANCIENT },
{ "dlz", &cfg_type_astring,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT },
{ "file", &cfg_type_qstring,
cfg_print_indent(&pctx);
cfg_print_cstr(&pctx, "type redirect;\n");
break;
- case CFG_ZONE_DELEGATION:
- cfg_print_indent(&pctx);
- cfg_print_cstr(&pctx, "type delegation-only;\n");
- break;
case CFG_ZONE_INVIEW:
/* no zone type is specified for these */
break;
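Review bot: Promoting `root-delegation-only` (L1152-1154) and the zone-level `delegation-only` clause (L1159-1162) from CFG_CLAUSEFLAG_DEPRECATED to CFG_CLAUSEFLAG_ANCIENT turns a configuration that still carries either option from a warning into a load failure (assuming ANCIENT keeps its usual "option no longer exists" error semantics), and removing "delegation-only" from zonetype_enums (L1138-1146) makes `type delegation-only;` fail enum parsing outright. That is an upgrade-breaking change for operators who left the option in place after the deprecation warning, so it belongs in the release notes and migration documentation, and named-checkconf should be checked to emit a clear per-option error rather than a generic syntax failure. If CFG_ZONE_DELEGATION is still declared in the grammar header after its print case is removed (L1169-1172), the switch will start warning under -Wswitch; drop the enumerator in the same commit.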