fold the upforwd system test README file and nsupdate input files into the tests.sh script;
other minor cleanup of the upforwd test
543. [doc] The 'port' option is now documented.
- 542. [func] Add allow-update-forwarding support.
+ 542. [func] Add support for update forwarding as required for
+ full compliance with RFC2136. It is turned off
+ by default and can be enabled using the
+ 'allow-update-forwarding' option.
541. [func] Add bogus server support.
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.74 2000/11/22 02:49:57 gson Exp $ */
+/* $Id: update.c,v 1.75 2000/12/01 21:37:08 gson Exp $ */
#include <config.h>
if (sigresult != ISC_R_SUCCESS)
FAIL(sigresult);
CHECK(send_update_event(client, zone));
- break; /* OK. */
+ break;
case dns_zone_slave:
- if (dns_message_gettsig(client->message, NULL) == NULL) {
- dns_acl_t *forwardacl;
-
- /*
- * We only REFUSE if policy is explicitly set and
- * we fail to match.
- */
- forwardacl = dns_zone_getforwardacl(zone);
- if (forwardacl == NULL) {
- FAILS(DNS_R_NOTIMP,
- "unsigned updates not forwarded (noacl)");
- } else {
- result = ns_client_checkacl(client,
- "update-forward",
- forwardacl,
- ISC_FALSE,
- ISC_LOG_INFO);
- if (result != ISC_R_SUCCESS)
- FAIL(DNS_R_REFUSED);
- }
- }
+ CHECK(ns_client_checkacl(client, "update forwarding",
+ dns_zone_getforwardacl(zone),
+ ISC_FALSE, ISC_LOG_ERROR));
CHECK(send_forward_event(client, zone));
- break; /* OK. */
+ break;
default:
FAILC(DNS_R_NOTAUTH,
"not authoritative for update zone");
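Review bot: The new ns_client_checkacl call in the `case dns_zone_slave:` branch passes dns_zone_getforwardacl(zone) through unconditionally, so when no allow-update-forwarding clause is configured the ACL argument is presumably NULL; the removed code handled that case explicitly with NOTIMP, and the hunk does not show how ns_client_checkacl treats a NULL acl, so it is worth confirming that NULL produces a refusal rather than an implicit allow, given the documented default of { none; }. A second point is the log level: failing this ACL is a client-side policy miss, and logging it at ISC_LOG_ERROR (the removed code used ISC_LOG_INFO) means any unprivileged client can fill the error log; consider `ISC_FALSE, ISC_LOG_INFO));` unless ERROR is deliberate. The check now also applies to signed updates, which the removed comment said were always forwarded, so a one-line comment above the call such as `/* The forwarding ACL applies to signed and unsigned updates alike. */` would record that this is intentional. The enclosing function begins and ends outside the hunk.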
+++ /dev/null
-Copyright (C) 2000 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: README,v 1.2 2000/11/06 08:33:06 marka Exp $
-
-ns1 stealth master
-ns2 slave
-ns3 slave
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2000/11/28 19:06:47 gson Exp $ */
+/* $Id: named.conf,v 1.4 2000/12/01 21:37:13 gson Exp $ */
options {
query-source address 10.53.0.3;
zone "example" {
type slave;
file "example.bk";
- allow-update-forwarding { 10.53.0.3; };
+ allow-update-forwarding { any; };
masters { 10.53.0.1; };
};
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.5 2000/11/28 03:21:17 marka Exp $
+# $Id: tests.sh,v 1.6 2000/12/01 21:37:10 gson Exp $
+
+# ns1 = stealth master
+# ns2 = slave with update forwarding disabled; not currently used
+# ns3 = slave with update forwarding enabled
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
-echo "I:fetching first copy of zone before update"
+echo "I:fetching master copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
-echo "I:fetching second copy of zone before update"
+echo "I:fetching slave 1 copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
-echo "I:fetching third copy of zone before update"
+echo "I:fetching slave 2 copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
$PERL ../digcomp.pl knowngood.before dig.out.ns3 || status=1
echo "I:updating zone (signed)"
-# nsupdate will print a ">" prompt to stdout as it gets each input line.
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K update.scp > /dev/null
+$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || status=1
+server 10.53.0.3 5300
+update add updated.example. 600 A 10.10.10.1
+update add updated.example. 600 TXT Foo
+send
+EOF
+
echo "I:sleeping 15 seconds for server to incorporate changes"
sleep 15
-echo "I:fetching first copy of zone after update"
+echo "I:fetching master copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
-echo "I:fetching second copy of zone after update"
+echo "I:fetching slave 1 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
-echo "I:fetching third copy of zone after update"
+echo "I:fetching slave 2 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
$PERL ../digcomp.pl knowngood.after1 dig.out.ns3 || status=1
echo "I:updating zone (unsigned)"
-# nsupdate will print a ">" prompt to stdout as it gets each input line.
-$NSUPDATE update.scp2 > /dev/null
+$NSUPDATE -- - <<EOF || status=1
+server 10.53.0.3 5300
+update add unsigned.example. 600 A 10.10.10.1
+update add unsigned.example. 600 TXT Foo
+send
+EOF
+
echo "I:sleeping 15 seconds for server to incorporate changes"
sleep 15
-echo "I:fetching first copy of zone after update"
+echo "I:fetching master copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
-echo "I:fetching second copy of zone after update"
+echo "I:fetching slave 1 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
-echo "I:fetching third copy of zone after update"
+echo "I:fetching slave 2 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
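Review bot: The section removes the only update that targeted the forwarding-disabled slave (the deleted update.scp sent to 10.53.0.2, while the new heredoc at line 101 sends to 10.53.0.3), so the test no longer exercises the negative case; the comment at line 79 records ns2 as "not currently used". If ns2's named.conf indeed omits allow-update-forwarding (not visible here), a third nsupdate step against 10.53.0.2 whose failure is expected, followed by a digcomp of the master copy against the existing knowngood file, would confirm the default-deny behaviour the documentation promises; the `&& status=1` form below assumes nsupdate exits non-zero on a refused update, which should be checked for this version. The ns2 axfr fetches at lines 91, 116 and 141 are still run and counted in status but their output is never compared, so either compare dig.out.ns2 or drop those fetches. Quoting the heredoc delimiter as `<<'EOF'` would also make it explicit that the update lines are not subject to shell expansion.
```shell
echo "I:updating zone via slave with forwarding disabled (expected to be refused)"
$NSUPDATE -- - <<'EOF' && status=1
server 10.53.0.2 5300
update add rejected.example. 600 A 10.10.10.1
send
EOF

# … unchanged: sleep and axfr fetches of the master copy …
# master zone must be unchanged by the refused update
$PERL ../digcomp.pl knowngood.after2 dig.out.ns1 || status=1
```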
+++ /dev/null
-server 10.53.0.2 5300
-update add updated.example. 600 A 10.10.10.1
-update add updated.example. 600 TXT Foo
-
+++ /dev/null
-server 10.53.0.3 5300
-local 10.53.0.3
-update add unsigned.example. 600 A 10.10.10.1
-update add unsigned.example. 600 TXT Foo
-
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
-<!-- File: $Id: Bv9ARM-book.xml,v 1.59 2000/11/30 21:33:22 gson Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.60 2000/12/01 21:37:15 gson Exp $ -->
<book>
</row>
<row rowsep = "0">
<entry colname = "1"><para><command>allow-update-forwarding</command></para></entry>
- <entry colname = "2"><para>Specifies which hosts are allowed to
+
+<entry colname = "2"><para>Specifies which hosts are allowed to
submit Dynamic DNS updates to slave zones to be forwarded to the
-master.
-This applies only to unsigned updates.
-Signed updates are always forwarded.
-If there is no acl defined then the server will return NOTIMPL, causing the
-client to skip to the next server. If an acl is defined and there is no
-match then the default is to deny update forwarding.</para>
+master. The default is <userinput>{ none; }</userinput>, which
+means that no update forwarding will be performed. To enable
+update forwarding, specify <userinput>allow-update-forwarding { any; };</userinput>.
+Specifying values other than <userinput>{ none; }</userinput> or
+<userinput>{ any; }</userinput> is usually counterproductive, since
+the responsibility for update access control should rest with the
+master server, not the slaves.</para>
+
+<para>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <xref linkend="dynamic_update_security">
+for more details.</para>
</entry>
</row>
<row rowsep = "0">
modification times) or the <command>chown</command> utility (to
set the user id and/or group id) on files to which you want <acronym>BIND</acronym>
to write.</para></sect2></sect1>
-<sect1><title>Dynamic Updates</title>
+<sect1 id="dynamic_update_security"><title>Dynamic Updates</title>
<para>Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym>BIND</acronym> the only way to do this was based on the IP
./bin/tests/system/unknown/ns1/example-in.db ZONE 2000
./bin/tests/system/unknown/ns1/named.conf CONF-C 2000
./bin/tests/system/unknown/tests.sh SH 2000
-./bin/tests/system/upforwd/README TXT.BRIEF 2000
./bin/tests/system/upforwd/clean.sh SH 2000
./bin/tests/system/upforwd/knowngood.after1 X 2000
./bin/tests/system/upforwd/knowngood.after2 X 2000
./bin/tests/system/upforwd/ns3/named.conf CONF-C 2000
./bin/tests/system/upforwd/setup.sh SH 2000
./bin/tests/system/upforwd/tests.sh SH 2000
-./bin/tests/system/upforwd/update.scp X 2000
-./bin/tests/system/upforwd/update.scp2 X 2000
./bin/tests/system/views/.cvsignore X 2000
./bin/tests/system/views/clean.sh SH 2000
./bin/tests/system/views/ns1/.cvsignore X 2000