1648. [func] Update dnssec-lookaside named.conf syntax to support

                        multiple dnssec-lookaside namespaces (not yet
                        implemented).

diff --git a/CHANGES b/CHANGES
index a8cb7392539e275fe629175a3d7f114e041e09d8..4e9bac6183ad47fbf4bb5f8ec25e095f57de5bea 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 1649.  [placeholder]   rt11206
 
-1648.  [placeholder]   rt11439
+1648.  [func]          Update dnssec-lookaside named.conf syntax to support
+                       multiple dnssec-lookaside namespaces (not yet
+                       implemented).  
 
 1647.  [placeholder]   rt11445
 

diff --git a/bin/named/server.c b/bin/named/server.c
index 0e6320c6e24e50758c1073a17f469c7db8c56f3d..a391ceff17ac488fd4a407408ba0f34f591e63c8 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.426 2004/05/14 00:51:52 marka Exp $ */
+/* $Id: server.c,v 1.427 2004/06/04 02:31:40 marka Exp $ */
 
 #include <config.h>
 
@@ -1171,14 +1171,42 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
        obj = NULL;
        result = ns_config_get(maps, "dnssec-lookaside", &obj);
        if (result == ISC_R_SUCCESS) {
-               const char *dlv;
-               isc_buffer_t b;
-               dlv = cfg_obj_asstring(obj);
-               isc_buffer_init(&b, dlv, strlen(dlv));
-               isc_buffer_add(&b, strlen(dlv));
-               CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed),
-                                       &b, dns_rootname, ISC_TRUE, NULL));
-               view->dlv = dns_fixedname_name(&view->dlv_fixed);
+               for (element = cfg_list_first(obj);
+                    element != NULL;
+                    element = cfg_list_next(element))
+               {
+                       const char *str;
+                       isc_buffer_t b;
+                       dns_name_t *dlv;
+
+                       obj = cfg_listelt_value(element);
+#if 0
+                       dns_fixedname_t fixed;
+                       dns_name_t *name;
+
+                       /*
+                        * When we support multiple dnssec-lookaside
+                        * entries this is how to find the domain to be
+                        * checked. XXXMPA
+                        */
+                       dns_fixedname_init(&fixed);
+                       name = dns_fixedname_name(&fixed);
+                       str = cfg_obj_asstring(cfg_tuple_get(obj,
+                                                            "domain"));
+                       isc_buffer_init(&b, str, strlen(str));
+                       isc_buffer_add(&b, strlen(str));
+                       CHECK(dns_name_fromtext(name, &b, dns_rootname,
+                                               ISC_TRUE, NULL));
+#endif
+                       str = cfg_obj_asstring(cfg_tuple_get(obj,
+                                                            "trust-anchor"));
+                       isc_buffer_init(&b, str, strlen(str));
+                       isc_buffer_add(&b, strlen(str));
+                       dlv = dns_fixedname_name(&view->dlv_fixed);
+                       CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
+                                               ISC_TRUE, NULL));
+                       view->dlv = dns_fixedname_name(&view->dlv_fixed);
+               }
        } else
                view->dlv = NULL;
 

diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index 70f7d422dd2798a95bbe9894a92c66458e4bfcbc..ebe0cb426a0c8d8d9eb2b89ca987819b0cb6574f 100644 (file)
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */
+/* $Id: named.conf,v 1.3 2004/06/04 02:31:41 marka Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
@@ -58,7 +58,7 @@ options {
        recursion yes;
        notify yes;
        dnssec-enable yes;
-       dnssec-lookaside "dlv.utld";
+       dnssec-lookaside "." trust-anchor "dlv.utld";
 };
 
 zone "." { type hint; file "hints"; };

diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index b5eca59ee70a905a799bcc809aba120ca9698097..4fcd5894b4e7399c648442195ec75856e65866fd 100644 (file)
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.7 2004/06/04 02:31:41 marka Exp $ */
 
 // NS6
 
@@ -32,7 +32,7 @@ options {
        notify yes;
        disable-algorithms . { DSA; };
        dnssec-enable yes;
-       dnssec-lookaside dlv;
+       dnssec-lookaside . trust-anchor dlv;
 };
 
 zone "." {

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 2bebda5b539e9cee50250a4a6bf34bfc456e2c47..6df8cd1565cb8d062f93e10540f21787fe38d401 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.246 2004/05/19 23:42:05 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.247 2004/06/04 02:31:42 marka Exp $ -->
 
 <book>
 <title>BIND 9 Administrator Reference Manual</title>
@@ -2758,7 +2758,7 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-lookaside <replaceable>domain</replaceable>; </optional>
+    <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
     <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
     <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
     <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -2985,10 +2985,12 @@ Only the most specific will be applied.
 <listitem><para>
 When set <command>dnssec-lookaside</command> provides the
 validator with an alternate method to validate DNSKEY records at the
-top of a zone.  When set the domain specified by
-<command>dnssec-lookaside</command> is appended to DNSKEY's
-name and a DLV record is looked up.  If the DLV record validates
-a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
+top of a zone.  When a DNSKEY is at or below a domain specified by the
+deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
+has left the key untrusted, the trust-anchor will be append to the key
+name and a DLV record will be looked up to see if it can validate the
+key.  If the DLV record validates a DNSKEY (similarly to the way a DS
+record does) the DNSKEY RRset is deemed to be trusted.
 </para></listitem></varlistentry>
 
 <varlistentry><term><command>dnssec-must-be-secure</command></term>

diff --git a/doc/misc/options b/doc/misc/options
index 8eec93f4cae892d73bc3786754dc0a638c41f1d6..f77e4940c58d8f23166183789fe56e8115cca2cf 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -82,7 +82,7 @@ options {
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         disable-algorithms <string> { <string>; ... };
         dnssec-enable <boolean>;
-        dnssec-lookaside <string>;
+        dnssec-lookaside <string> trust-anchor <string>;
         dnssec-must-be-secure <string> <boolean>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
@@ -262,7 +262,7 @@ view <string> <optional_class> {
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         disable-algorithms <string> { <string>; ... };
         dnssec-enable <boolean>;
-        dnssec-lookaside <string>;
+        dnssec-lookaside <string> trust-anchor <string>;
         dnssec-must-be-secure <string> <boolean>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b4b205c507c83f475920f622e84f545c00493470..2bca8ab5be192a85241a65a025c9e211289a5ae1 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.46 2004/05/17 05:37:41 marka Exp $ */
+/* $Id: check.c,v 1.47 2004/06/04 02:31:43 marka Exp $ */
 
 #include <config.h>
 
@@ -279,6 +279,39 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
        return (result);
 }
 
+static isc_result_t
+nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
+         const char *fmt, isc_log_t *logctx, isc_mem_t *mctx)
+{
+       char *key;
+       const char *file;
+       unsigned int line;
+       isc_result_t result;
+       isc_symvalue_t symvalue;
+
+       key = isc_mem_strdup(mctx, name);
+       if (key == NULL)
+               return (ISC_R_NOMEMORY);
+       symvalue.as_pointer = obj;
+       result = isc_symtab_define(symtab, key, value, symvalue,
+                                  isc_symexists_reject);
+       if (result == ISC_R_EXISTS) {
+               RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
+                                               &symvalue) == ISC_R_SUCCESS);
+               file = cfg_obj_file(symvalue.as_pointer);
+               line = cfg_obj_line(symvalue.as_pointer);
+
+               if (file == NULL)
+                       file = "<unknown file>";
+               cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
+               isc_mem_free(mctx, key);
+               result = ISC_R_EXISTS;
+       } else if (result != ISC_R_SUCCESS) {
+               isc_mem_free(mctx, key);
+       }
+       return (result);
+}
+
 static isc_result_t
 mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
             isc_mem_t *mctx)
@@ -290,9 +323,6 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
        dns_name_t *name;
        isc_buffer_t b;
        isc_result_t result = ISC_R_SUCCESS;
-       isc_result_t tresult;
-       isc_symvalue_t symvalue;
-       char *key;
 
        dns_fixedname_init(&fixed);
        name = dns_fixedname_name(&fixed);
@@ -300,42 +330,16 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
        str = cfg_obj_asstring(obj);
        isc_buffer_init(&b, str, strlen(str));
        isc_buffer_add(&b, strlen(str));
-       tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
-       if (tresult != ISC_R_SUCCESS) {
+       result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+       if (result != ISC_R_SUCCESS) {
                cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                            "bad domain name '%s'", str);
-               result = tresult;
        } else {
-
                dns_name_format(name, namebuf, sizeof(namebuf));
-               key = isc_mem_strdup(mctx, namebuf);
-               if (key == NULL)
-                       return (ISC_R_NOMEMORY);
-               symvalue.as_pointer = secure;
-               tresult = isc_symtab_define(symtab, key, 1, symvalue,
-                                           isc_symexists_reject);
-               if (tresult == ISC_R_EXISTS) {
-                       const char *file;
-                       unsigned int line;
-
-                       RUNTIME_CHECK(isc_symtab_lookup(symtab, key, 1,
-                                           &symvalue) == ISC_R_SUCCESS);
-                       isc_mem_free(mctx, key);
-                       file = cfg_obj_file(symvalue.as_pointer);
-                       line = cfg_obj_line(symvalue.as_pointer);
-
-                       if (file == NULL)
-                               file = "<unknown file>";
-
-                       cfg_obj_log(secure, logctx, ISC_LOG_ERROR,
-                                   "dnssec-must-be-secure '%s': already "
-                                   "exists previous definition: %s:%u",
-                                   namebuf, file, line);
-                       result = tresult;
-               } else if (tresult != ISC_R_SUCCESS) {
-                       isc_mem_free(mctx, key);
-                       result = tresult;
-               }
+               result = nameexist(secure, namebuf, 1, symtab,
+                                  "dnssec-must-be-secure '%s': already "
+                                  "exists previous definition: %s:%u",
+                                  logctx, mctx);
        }
        return (result);
 }
@@ -353,6 +357,7 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
        unsigned int i;
        cfg_obj_t *obj = NULL;
        cfg_listelt_t *element;
+       isc_symtab_t *symtab = NULL;
 
        static intervaltable intervals[] = {
        { "cleaning-interval", 60, 28 * 24 * 60 },      /* 28 days */
@@ -458,21 +463,70 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
        obj = NULL;
        (void)cfg_map_get(options, "dnssec-lookaside", &obj);
        if (obj != NULL) {
-               dns_fixedname_t fixedname;
-               const char *dlv;
-               isc_buffer_t b;
-
-               dlv = cfg_obj_asstring(obj);
-               dns_fixedname_init(&fixedname);
-               isc_buffer_init(&b, dlv, strlen(dlv));
-               isc_buffer_add(&b, strlen(dlv));
-               tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
-                                          dns_rootname, ISC_TRUE, NULL);
-               if (tresult != ISC_R_SUCCESS) {
-                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                   "bad domain name '%s'", dlv);
+               tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+                                           ISC_TRUE, &symtab);
+               if (tresult != ISC_R_SUCCESS)
                        result = tresult;
+               for (element = cfg_list_first(obj);
+                    element != NULL;
+                    element = cfg_list_next(element))
+               {
+                       dns_fixedname_t fixedname;
+                       dns_name_t *name;
+                       const char *dlv;
+                       isc_buffer_t b;
+
+                       obj = cfg_listelt_value(element);
+
+                       dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
+                       dns_fixedname_init(&fixedname);
+                       name = dns_fixedname_name(&fixedname);
+                       isc_buffer_init(&b, dlv, strlen(dlv));
+                       isc_buffer_add(&b, strlen(dlv));
+                       tresult = dns_name_fromtext(name, &b, dns_rootname,
+                                                   ISC_TRUE, NULL);
+                       if (tresult != ISC_R_SUCCESS) {
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "bad domain name '%s'", dlv);
+                               result = tresult;
+                       }
+                       if (symtab != NULL) {
+                               tresult = nameexist(obj, dlv, 1, symtab,
+                                                   "dnssec-lookaside '%s': "
+                                                   "already exists previous "
+                                                   "definition: %s:%u",
+                                                   logctx, mctx);
+                               if (tresult != ISC_R_SUCCESS &&
+                                   result == ISC_R_SUCCESS)
+                                       result = tresult;
+                       }
+                       /*
+                        * XXXMPA to be removed when multiple lookaside
+                        * namespaces are supported.
+                        */
+                       if (!dns_name_equal(dns_rootname, name)) {
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "dnssec-lookaside '%s': "
+                                           "non-root not yet supported", dlv);
+                               if (result == ISC_R_SUCCESS)
+                                       result = ISC_R_FAILURE;
+                       }
+                       dlv = cfg_obj_asstring(cfg_tuple_get(obj,
+                                              "trust-anchor"));
+                       dns_fixedname_init(&fixedname);
+                       isc_buffer_init(&b, dlv, strlen(dlv));
+                       isc_buffer_add(&b, strlen(dlv));
+                       tresult = dns_name_fromtext(name, &b, dns_rootname,
+                                                   ISC_TRUE, NULL);
+                       if (tresult != ISC_R_SUCCESS) {
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "bad domain name '%s'", dlv);
+                               if (result == ISC_R_SUCCESS)
+                                       result = tresult;
+                       }
                }
+               if (symtab != NULL)
+                       isc_symtab_destroy(&symtab);
        }
 
        /*
@@ -643,7 +697,6 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
        unsigned int ztype;
        cfg_obj_t *zoptions;
        cfg_obj_t *obj = NULL;
-       isc_symvalue_t symvalue;
        isc_result_t result = ISC_R_SUCCESS;
        isc_result_t tresult;
        unsigned int i;
@@ -758,48 +811,22 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
        dns_fixedname_init(&fixedname);
        isc_buffer_init(&b, zname, strlen(zname));
        isc_buffer_add(&b, strlen(zname));
-       result = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+       tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
                                   dns_rootname, ISC_TRUE, NULL);
        if (result != ISC_R_SUCCESS) {
                cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
                            "zone '%s': is not a valid name", zname);
-               result = ISC_R_FAILURE;
+               tresult = ISC_R_FAILURE;
        } else {
                char namebuf[DNS_NAME_FORMATSIZE];
-               char *key;
 
                dns_name_format(dns_fixedname_name(&fixedname),
                                namebuf, sizeof(namebuf));
-               key = isc_mem_strdup(mctx, namebuf);
-               if (key == NULL)
-                       return (ISC_R_NOMEMORY);
-               symvalue.as_pointer = zconfig;
-               tresult = isc_symtab_define(symtab, key,
-                                           ztype == HINTZONE ? 1 : 2,
-                                           symvalue, isc_symexists_reject);
-               if (tresult == ISC_R_EXISTS) {
-                       const char *file;
-                       unsigned int line;
-
-                       RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
-                                           ztype == HINTZONE ? 1 : 2,
-                                           &symvalue) == ISC_R_SUCCESS);
-                       isc_mem_free(mctx, key);
-                       file = cfg_obj_file(symvalue.as_pointer);
-                       line = cfg_obj_line(symvalue.as_pointer);
-
-                       if (file == NULL)
-                               file = "<unknown file>";
-                       cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-                                   "zone '%s': already exists "
-                                   "previous definition: %s:%u",
-                                   zname, file, line);
-                       result = ISC_R_FAILURE;
-               } else if (tresult != ISC_R_SUCCESS) {
-                       isc_mem_free(mctx, key);
-
-                       return (tresult);
-               }
+               tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2,
+                                  symtab, "zone '%s': already exists "
+                                  "previous definition: %s:%u", logctx, mctx);
+               if (tresult != ISC_R_SUCCESS)
+                       result = tresult;
        }
 
        /*

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 5460253c0f1c12299bfbf7baeb4aa6525c19b981..759e199b3e87c7ce28b3d8649cfdc56d25ab9139 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.33 2004/04/15 23:40:27 marka Exp $ */
+/* $Id: namedconf.c,v 1.34 2004/06/04 02:31:43 marka Exp $ */
 
 #include <config.h>
 
@@ -658,6 +658,28 @@ static cfg_type_t cfg_type_mustbesecure = {
        &cfg_rep_tuple, mustbesecure_fields
 };
 
+/*
+ * dnssec-lookaside
+ */
+
+static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
+
+static cfg_type_t cfg_type_trustanchor = {
+       "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
+       &cfg_rep_string, &trustanchor_kw
+};
+
+static cfg_tuplefielddef_t lookaside_fields[] = {
+       { "domain", &cfg_type_astring, 0 },
+       { "trust-anchor", &cfg_type_trustanchor, 0 },
+       { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_lookaside = {
+       "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+       &cfg_rep_tuple, lookaside_fields
+};
+
 /*
  * Clauses that can be found within the 'view' statement,
  * with defaults in the 'options' statement.
@@ -703,7 +725,7 @@ view_clauses[] = {
        { "disable-algorithms", &cfg_type_disablealgorithm,
          CFG_CLAUSEFLAG_MULTI },
        { "dnssec-enable", &cfg_type_boolean, 0 },
-       { "dnssec-lookaside", &cfg_type_astring, 0 },
+       { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
        { "dnssec-must-be-secure",  &cfg_type_mustbesecure,
           CFG_CLAUSEFLAG_MULTI },
        { NULL, NULL, 0 }
@@ -1201,6 +1223,7 @@ controls_clauses[] = {
          CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
        { NULL, NULL, 0 }
 };
+
 static cfg_clausedef_t *
 controls_clausesets[] = {
        controls_clauses,