current managed keys combined with trusted keys.
[RT #20904]
+2924. [func] 'rndc secroots' dump a combined summary of the
+ current managed keys combined with trusted keys.
+ [RT #20904]
+
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.106.4.4 2010/06/22 23:46:34 tbox Exp $ */
+/* $Id: config.c,v 1.106.4.5 2010/06/25 03:51:06 marka Exp $ */
/*! \file */
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
+ secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.36 2009/10/12 20:48:11 each Exp $ */
+/* $Id: control.c,v 1.36.50.1 2010/06/25 03:51:06 marka Exp $ */
/*! \file */
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_SECROOTS)) {
+ result = ns_server_dumpsecroots(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.27 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: control.h,v 1.27.50.1 2010/06/25 03:51:06 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
#define NS_COMMAND_DUMPSTATS "stats"
#define NS_COMMAND_QUERYLOG "querylog"
#define NS_COMMAND_DUMPDB "dumpdb"
+#define NS_COMMAND_SECROOTS "secroots"
#define NS_COMMAND_TRACE "trace"
#define NS_COMMAND_NOTRACE "notrace"
#define NS_COMMAND_FLUSH "flush"
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.104.8.2 2010/05/14 23:49:20 tbox Exp $ */
+/* $Id: server.h,v 1.104.8.3 2010/06/25 03:51:06 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
+ char * secrootsfile; /*%< Secroots file name */
char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */
isc_result_t
ns_server_dumpdb(ns_server_t *server, char *args);
+/*%
+ * Dump the current security roots to the secroots file.
+ */
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args);
+
/*%
* Change or increment the server debug level.
*/
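Review bot: The new comment on `ns_server_dumpsecroots` leaves `args` and the result undocumented, although the server.c implementation in this same commit gives both a contract: the command word is skipped, every remaining token is taken as a view name, and ISC_R_UNEXPECTEDEND is returned when the command word is missing. Suggest extending the block to `Dump the current security roots to the secroots file. 'args' is the rndc command line; any tokens after the command name select the views to dump (all views when none are given). Returns ISC_R_UNEXPECTEDEND if the command word is absent, otherwise the result of opening and writing the file.`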
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.556.8.13 2010/06/22 04:02:40 marka Exp $ */
+/* $Id: server.c,v 1.556.8.14 2010/06/25 03:51:06 marka Exp $ */
/*! \file */
CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
"strdup");
+ obj = NULL;
+ result = ns_config_get(maps, "secroots-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
+ "strdup");
+
obj = NULL;
result = ns_config_get(maps, "recursing-file", &obj);
INSIST(result == ISC_R_SUCCESS);
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
+ server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
+ CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
+ ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
isc_mem_free(server->mctx, server->statsfile);
isc_mem_free(server->mctx, server->bindkeysfile);
isc_mem_free(server->mctx, server->dumpfile);
+ isc_mem_free(server->mctx, server->secrootsfile);
isc_mem_free(server->mctx, server->recfile);
if (server->version != NULL)
return (result);
}
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args) {
+ dns_view_t *view;
+ dns_keytable_t *secroots = NULL;
+ isc_result_t result;
+ char *ptr;
+ FILE *fp = NULL;
+ isc_time_t now;
+ char tbuf[64];
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ ptr = next_token(&args, " \t");
+
+ CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
+ "could not open secroots dump file", server->secrootsfile);
+ TIME_NOW(&now);
+ isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
+ fprintf(fp, "%s\n", tbuf);
+
+ nextview:
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (ptr != NULL && strcmp(view->name, ptr) != 0)
+ continue;
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ result = dns_view_getsecroots(view, &secroots);
+ if (result == ISC_R_NOTFOUND) {
+ result = ISC_R_SUCCESS;
+ continue;
+ }
+ fprintf(fp, "\n Start view %s\n\n", view->name);
+ CHECK(dns_keytable_dump(secroots, fp));
+ }
+ if (ptr != NULL) {
+ ptr = next_token(&args, " \t");
+ if (ptr != NULL)
+ goto nextview;
+ }
+
+ cleanup:
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ if (fp != NULL)
+ (void)isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpsecroots complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumpsecroots failed: %s",
+ dns_result_totext(result));
+ return (result);
+}
+
isc_result_t
ns_server_dumprecursing(ns_server_t *server) {
FILE *fp = NULL;
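Review bot: In the view loop of ns_server_dumpsecroots only ISC_R_NOTFOUND from `dns_view_getsecroots` is handled; any other failure falls through to the `fprintf` and to `dns_keytable_dump(secroots, fp)` with `secroots` still NULL, which would trip that function's `REQUIRE(VALID_KEYTABLE(keytable))` instead of returning an error. Even if the call can only return success or not-found today, a guard after the not-found block, `if (result != ISC_R_SUCCESS) goto cleanup;`, records that assumption and keeps a future error code from becoming an assertion failure. Separately, the `fprintf` calls and `(void)isc_stdio_close(fp)` in cleanup discard write and close failures, so a dump cut short by a full disk is still logged as "dumpsecroots complete"; when `result` is ISC_R_SUCCESS at cleanup the close status should be stored into `result` rather than cast away. A view name that matches no view is also silently treated as success, which deserves either a log line or a sentence in the server.h comment.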
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.126.66.1 2009/12/18 07:59:09 each Exp $ */
+/* $Id: rndc.c,v 1.126.66.2 2010/06/25 03:51:06 marka Exp $ */
/*! \file */
querylog Toggle query logging.\n\
dumpdb [-all|-cache|-zones] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
+ secroots [view ...]\n\
+ Write security roots to the secroots file.\n\
stop Save pending updates to master files and stop the server.\n\
stop -p Save pending updates to master files and stop the server\n\
reporting process id.\n\
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.25.32.2 2010/06/03 23:49:23 tbox Exp $
+# $Id: clean.sh,v 1.25.32.3 2010/06/25 03:51:06 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
+rm -f */named.secroots
+rm -f ns1/managed.key.id
rm -f signer/example.db
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.30.32.1 2010/06/25 03:51:07 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
+#
+# Save keyid for managed key id test.
+#
+keyid=`expr $keyname : 'K.+001+\(.*\)'`
+echo "$keyid" > managed.key.id
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.28 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.28.558.1 2010/06/25 03:51:07 marka Exp $ */
// NS4
dnssec-must-be-secure mustbesecure.example yes;
};
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
zone "." {
type hint;
file "../../common/root.hint";
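Review bot: The new `controls` block accepts connections from `any` and carries a fixed hmac-md5 secret in the file, and nothing in the file marks it as a system-test fixture; tests.sh reaches it with `-c ../common/rndc.conf -s 10.53.0.4 -p 9953`, so the secret presumably has to match that shared rndc.conf. Add a comment above the `key` statement, e.g. `// test-only control key; must match ../common/rndc.conf`, so the block is not lifted into a real configuration unchanged and the coupling to the shared file is visible.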
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.55.32.6 2010/06/04 00:04:09 marka Exp $
+# $Id: tests.sh,v 1.55.32.7 2010/06/25 03:51:06 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+# Test that "rndc secroots" is able to dump trusted keys
+echo "I:checking rndc secroots ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
+keyid=`cat ns1/managed.key.id`
+linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l`
+[ "$linecount" -eq 2 ] || ret=1
+linecount=`cat ns4/named.secroots | wc -l`
+[ "$linecount" -eq 9 ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
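Review bot: The log prefix in `sed 's/^/I:ns1 /'` labels the rndc output as ns1, but the command is sent to 10.53.0.4 and the file inspected is `ns4/named.secroots`; change it to `sed 's/^/I:ns4 /'` so a failure is attributed to the right server. The check `[ "$linecount" -eq 9 ]` pins the exact line count of the dump file, which will break whenever a view or key is added to ns4's configuration; grepping for the expected `Start view` lines and the key lines would be more robust than a total count. In the pattern `./RSAMD5/$keyid ; trusted` the leading `.` is unescaped and therefore matches any character rather than the root name; writing `\./RSAMD5/$keyid ; trusted` or anchoring with `^` removes the ambiguity.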
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.8 2010/06/22 06:18:07 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.9 2010/06/25 03:51:07 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>secroots
+ <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>secroots-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server dumps
+ security roots to when instructed to do so with
+ <command>rndc secroots</command>.
+ If not specified, the default is <filename>named.secroots</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>session-keyfile</command></term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.h,v 1.20.4.1 2010/01/13 19:31:53 each Exp $ */
+/* $Id: keytable.h,v 1.20.4.2 2010/06/25 03:51:07 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
*\li Any other result is an error.
*/
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode);
/*%<
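Review bot: The comment on `dns_keytable_dump` says only "Dump the keytable on fp" and leaves the output format, locking and return values undocumented, although all three matter to callers and to the system test that greps the file for `; trusted`. Expand it to state that one line is written per key as `<dst_key_format output> ; managed|trusted`, that the table's read lock is held for the duration of the dump, and that it returns ISC_R_SUCCESS or the error from walking the table, in the `\li` result-list style the rest of this header uses; the keytable.c hunk in this commit is the source for each of those claims.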
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.c,v 1.39 2009/12/03 15:40:02 each Exp $ */
+/* $Id: keytable.c,v 1.39.4.1 2010/06/25 03:51:07 marka Exp $ */
/*! \file */
return (result);
}
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
+{
+ isc_result_t result;
+ dns_keynode_t *knode;
+ dns_rbtnode_t *node;
+ dns_rbtnodechain_t chain;
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ dns_rbtnodechain_init(&chain, keytable->mctx);
+ result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+ goto cleanup;
+ for (;;) {
+ char pbuf[DST_KEY_FORMATSIZE];
+
+ dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+ for (knode = node->data; knode != NULL; knode = knode->next) {
+ dst_key_format(knode->key, pbuf, sizeof(pbuf));
+ fprintf(fp, "%s ; %s\n", pbuf,
+ knode->managed ? "managed" : "trusted");
+ }
+ result = dns_rbtnodechain_next(&chain, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ break;
+ }
+ }
+
+ cleanup:
+ dns_rbtnodechain_invalidate(&chain);
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ return (result);
+}
+
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode) {
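Review bot: The `fprintf` in the inner loop of dns_keytable_dump is unchecked, so a short or failed write still leaves `result` at ISC_R_SUCCESS after the chain is exhausted and the caller reports a complete dump; replace it with `if (fprintf(fp, "%s ; %s\n", pbuf, knode->managed ? "managed" : "trusted") < 0) { result = ISC_R_IOERROR; goto cleanup; }`. The read lock is held across the stdio writes, so a write that blocks (fp on a slow or full filesystem) stalls every keytable lookup for that time; that is a reasonable trade for an operator-triggered command but should be stated at the `RWLOCK` line, e.g. `/* Hold the read lock while writing so the dump is a consistent snapshot. */`.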
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.113.4.5 2010/06/22 04:02:45 marka Exp $ */
+/* $Id: namedconf.c,v 1.113.4.6 2010/06/25 03:51:07 marka Exp $ */
/*! \file */
{ "random-device", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
+ { "secroots-file", &cfg_type_qstring, 0 },
{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
{ "serial-query-rate", &cfg_type_uint32, 0 },
{ "server-id", &cfg_type_serverid, 0 },