* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.339.2.8.4.3 2003/02/18 03:27:58 marka Exp $ */
+/* $Id: server.c,v 1.339.2.8.4.3.2.1 2003/09/17 05:40:36 explorer Exp $ */
#include <config.h>
cfg_obj_t *typeobj = NULL;
cfg_obj_t *forwarders = NULL;
cfg_obj_t *forwardtype = NULL;
+ cfg_obj_t *only = NULL;
isc_result_t result;
isc_buffer_t buffer;
dns_fixedname_t fixorigin;
goto cleanup;
}
+ /*
+ * "delegation-only zones" aren't zones either.
+ */
+ if (strcasecmp(ztypestr, "delegation-only") == 0) {
+ result = dns_view_adddelegationonly(view, origin);
+ goto cleanup;
+ }
+
/*
* Check for duplicates in the new zone table.
*/
forwardtype));
}
+ /*
+ * Stub and forward zones may also refer to delegation only points.
+ */
+ only = NULL;
+ if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
+ {
+ if (cfg_obj_asboolean(only))
+ CHECK(dns_view_adddelegationonly(view, origin));
+ }
+
/*
* Configure the zone.
*/
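Review bot: The `only = NULL;` written just before the `cfg_map_get` call re-initializes a variable that the declaration hunk above already sets to NULL, and the opening brace of the `if` sits on its own line while the neighbouring `if (strcasecmp(ztypestr, "delegation-only") == 0) {` keeps the file's K&R layout; dropping the assignment and writing `if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) {` would match the surrounding code. The lookup itself runs for every zone type, so the "stub and forward" restriction stated in the comment is only enforced by the check.c option table in this commit, which is worth saying in the comment so nobody assumes this code checks the type. The enclosing function starts and ends outside the hunk.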
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.22.4.1 2003/02/17 01:29:29 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.22.4.1.2.1 2003/09/17 05:40:37 explorer Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
those servers during resolution.
</para></entry>
</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>delegation-only</command></para></entry>
+<entry colname = "2"><para>Delegation only. Logs queries that have have
+been forced to NXDOMAIN as the result of a delegation-only zone or
+a <command>delegation-only</command> in a stub or forward
+zone declartation.
+</para></entry>
+</row>
</tbody>
</tgroup></informaltable>
</sect3>
<sect2 id="zone_statement_grammar"><title><command>zone</command>
Statement Grammar</title>
<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
- type ( master | slave | hint | stub | forward ) ;
+ type ( master | slave | hint | stub | forward /| delegation-only ) ;
<optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
+ <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
IN, the server uses a compiled-in default set of root servers hints.
Classes other than IN have no built-in defaults hints.</para></entry>
</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
+<entry colname = "2"><para>This is used to enforce the delegation only
+status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
+is received without a explicit or implict delegation in the authority
+section will be treated as NXDOMAIN. This does not apply to the zone
+apex. This SHOULD NOT be applied to leaf zones.</para></entry>
+</row>
</tbody>
</tgroup></informaltable></sect3>
<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
</listitem></varlistentry>
+<varlistentry><term><command>delegation-only</command></term>
+<listitem><para>The flag only applies to forward and stub zones. If set
+to <userinput>yes</userinput> then the zone will also be treated as if it
+is also a delegation-only type zone.
+</para>
+</listitem></varlistentry>
+
<varlistentry><term><command>forward</command></term>
<listitem><para>Only meaningful if the zone has a forwarders
list. The <command>only</command> value causes the lookup to fail
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.30.2.1 2001/10/11 02:03:23 marka Exp $ */
+/* $Id: log.h,v 1.30.2.1.12.1 2003/09/17 05:40:40 explorer Exp $ */
/* Principal Authors: DCL */
#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
+#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.73.2.2 2002/08/05 06:57:13 marka Exp $ */
+/* $Id: view.h,v 1.73.2.2.6.1 2003/09/17 05:40:40 explorer Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
in_port_t dstport;
dns_aclenv_t aclenv;
isc_boolean_t flush;
+ dns_namelist_t * delonly;
/*
* Configurable data for server use only,
* ISC_R_NOMEMORY
*/
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
+/*
+ * Add the given name to the delegation only table.
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
+/*
+ * Check if 'name' is in the delegation only table.
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_TRUE if the name is is the table.
+ * ISC_FALSE othewise.
+ */
+
+
ISC_LANG_ENDDECLS
#endif /* DNS_VIEW_H */
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.33.2.2 2001/10/11 23:07:00 gson Exp $ */
+/* $Id: log.c,v 1.33.2.2.12.1 2003/09/17 05:40:39 explorer Exp $ */
/* Principal Authors: DCL */
{ "xfer-out", 0 },
{ "dispatch", 0 },
{ "lame-servers", 0 },
+ { "delegation-only", 0 },
{ NULL, 0 }
};
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.c,v 1.24.2.2 2002/02/08 03:57:29 marka Exp $ */
+/* $Id: ncache.c,v 1.24.2.2.6.1 2003/09/17 05:40:39 explorer Exp $ */
#include <config.h>
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ if (message->counts[DNS_SECTION_AUTHORITY])
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ else
+ result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
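Review bot: The new `counts[DNS_SECTION_AUTHORITY]` guard in front of `dns_message_firstname` carries no comment explaining why the count rather than the section list decides, so it reads as redundant and is likely to be folded away later. It appears to exist because the resolver's delegation-only enforcement in this commit discards a section by zeroing its count while leaving the names linked; a comment such as `/* A zero count means the section was discarded (e.g. by delegation-only enforcement); the name list may still be populated. */` would preserve that reasoning. The enclosing function starts and ends outside the hunk.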
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218.2.12.4.4 2003/02/18 03:32:01 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.12.4.4.2.1 2003/09/17 05:40:39 explorer Exp $ */
#include <config.h>
dns_rdataset_t *ardataset,
isc_result_t *eresultp);
+static isc_boolean_t
+fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
+
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdatatype_t type;
+ isc_result_t result;
+ isc_boolean_t keep_auth = ISC_FALSE;
+
+ if (message->rcode == dns_rcode_nxdomain)
+ return (ISC_FALSE);
+
+ /* Look for referral. */
+ if (message->counts[DNS_SECTION_AUTHORITY] == 0)
+ goto munge;
+
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ type = rdataset->type;
+ if (type == dns_rdatatype_soa &&
+ dns_name_equal(name, domain))
+ keep_auth = ISC_TRUE;
+ if (type != dns_rdatatype_ns)
+ continue;
+ if (dns_name_equal(name, domain))
+ goto munge;
+ if (dns_name_issubdomain(name, domain))
+ return (ISC_FALSE);
+ }
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ }
+
+ munge:
+ message->rcode = dns_rcode_nxdomain;
+ message->counts[DNS_SECTION_ANSWER] = 0;
+ if (!keep_auth)
+ message->counts[DNS_SECTION_AUTHORITY] = 0;
+ message->counts[DNS_SECTION_ADDITIONAL] = 0;
+ return (ISC_TRUE);
+}
+
static inline isc_result_t
fctx_starttimer(fetchctx_t *fctx) {
/*
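Review bot: The `munge:` label discards the answer and additional sections by zeroing `message->counts[...]` only, leaving the names linked in the section lists, so any consumer that walks a section with `dns_message_firstname`/`dns_message_nextname` without consulting the count will still process the records that were meant to vanish; the ncache.c hunk in this commit adds exactly such a count check, which suggests other walkers of the message may need the same audit. A comment at the label stating the contract, `/* Sections are discarded by zeroing counts[] only; the name lists stay intact, so every later walker must test the count first. */`, would make that dependency explicit. Separately, the early return exempts only rcode NXDOMAIN, so if a non-NOERROR response (SERVFAIL, REFUSED) can reach this function it would be rewritten into NXDOMAIN and potentially negatively cached; if the caller does not already filter those rcodes before this point, `if (message->rcode != dns_rcode_noerror) return (ISC_FALSE);` is the safer test.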
goto done;
}
+ /*
+ * Enforce delegations only zones like NET and COM.
+ */
+ if (dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
+ !dns_name_equal(&fctx->domain, &fctx->name) &&
+ fix_mustbedelegationornxdomain(message, &fctx->domain)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char domainbuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "enforced delegation-only for '%s' (%s)",
+ domainbuf, namebuf);
+ }
+
/*
* Follow A6 and other additional section data chains.
*/
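Review bot: Each enforced rewrite emits an ISC_LOG_NOTICE line with two formatted names and no rate limiting, so a burst of queries for non-existent names under a delegation-only zone yields one log line per response; since the message goes through the dedicated DNS_LOGCATEGORY_DELEGATION_ONLY category, a comment such as `/* One NOTICE per rewritten response; the separate category lets operators route or drop this traffic. */` would help whoever tunes logging. The `!dns_name_equal(&fctx->domain, &fctx->name)` term is the apex exemption the ARM text in this commit describes and deserves a word in the comment above it, e.g. `* The zone apex itself is exempt.`. The enclosing function starts and ends outside the hunk.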
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.103.2.2 2002/08/05 06:57:12 marka Exp $ */
+/* $Id: view.c,v 1.103.2.2.6.1 2003/09/17 05:40:40 explorer Exp $ */
#include <config.h>
#define ADBSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
#define REQSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
+#define DNS_VIEW_DELONLYHASH 111
+
static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
static void adb_shutdown(isc_task_t *task, isc_event_t *event);
static void req_shutdown(isc_task_t *task, isc_event_t *event);
if (result != ISC_R_SUCCESS)
goto cleanup_fwdtable;
view->peers = NULL;
+ view->delonly = NULL;
/*
* Initialize configuration data with default values.
dns_acl_detach(&view->v6synthesisacl);
if (view->sortlist != NULL)
dns_acl_detach(&view->sortlist);
+ if (view->delonly != NULL) {
+ dns_name_t *name;
+ int i;
+
+ for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+ name = ISC_LIST_HEAD(view->delonly[i]);
+ while (name != NULL) {
+ ISC_LIST_UNLINK(view->delonly[i], name, link);
+ dns_name_free(name, view->mctx);
+ isc_mem_put(view->mctx, name, sizeof(*name));
+ name = ISC_LIST_HEAD(view->delonly[i]);
+ }
+ }
+ isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) *
+ DNS_VIEW_DELONLYHASH);
+ view->delonly = NULL;
+ }
dns_keytable_detach(&view->trustedkeys);
dns_keytable_detach(&view->secroots);
dns_fwdtable_destroy(&view->fwdtable);
dns_adb_flush(view->adb);
return (ISC_R_SUCCESS);
}
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
+ isc_result_t result;
+ dns_name_t *new;
+ isc_uint32_t hash;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->delonly == NULL) {
+ view->delonly = isc_mem_get(view->mctx,
+ sizeof(dns_namelist_t) *
+ DNS_VIEW_DELONLYHASH);
+ if (view->delonly == NULL)
+ return (ISC_R_NOMEMORY);
+ for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
+ ISC_LIST_INIT(view->delonly[hash]);
+ }
+ hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
+ new = ISC_LIST_HEAD(view->delonly[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new != NULL)
+ return (ISC_R_SUCCESS);
+ new = isc_mem_get(view->mctx, sizeof(*new));
+ if (new == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_init(new, NULL);
+ result = dns_name_dup(name, view->mctx, new);
+ if (result == ISC_R_SUCCESS)
+ ISC_LIST_APPEND(view->delonly[hash], new, link);
+ else
+ isc_mem_put(view->mctx, new, sizeof(*new));
+ return (result);
+}
+
+isc_result_t
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
+ dns_name_t *new;
+ isc_uint32_t hash;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->delonly == NULL)
+ return (ISC_FALSE);
+
+ hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
+ new = ISC_LIST_HEAD(view->delonly[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new == NULL)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
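Review bot: `dns_view_isdelegationonly` is defined here with return type `isc_result_t` while the prototype added to view.h in this commit declares it `isc_boolean_t`, and the body returns ISC_TRUE/ISC_FALSE; the line before `dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {` should read `isc_boolean_t`, and if view.c includes view.h the mismatch is likely a conflicting-types compile error. The bucket lookup (hash, ISC_LIST_HEAD, walk until dns_name_equal) is duplicated verbatim between `dns_view_adddelegationonly` and this function; a small static helper returning the matching entry would keep the two in step. The header comment for `dns_view_adddelegationonly` promises "'name' is valid" but only the view is checked with REQUIRE, so either add `REQUIRE(name != NULL);` or soften the comment.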
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.14.2.16 2002/04/23 02:00:03 marka Exp $ */
+/* $Id: check.c,v 1.14.2.16.6.1 2003/09/17 05:40:40 explorer Exp $ */
#include <config.h>
#define STUBZONE 4
#define HINTZONE 8
#define FORWARDZONE 16
+#define DELEGATIONZONE 32
typedef struct {
const char *name;
{ "notify", MASTERZONE | SLAVEZONE },
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "delegation-only", STUBZONE | FORWARDZONE},
{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
ztype = FORWARDZONE;
else if (strcasecmp(typestr, "hint") == 0)
ztype = HINTZONE;
+ else if (strcasecmp(typestr, "delegation-only") == 0)
+ ztype = DELEGATIONZONE;
else {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"zone '%s': invalid type %s",
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: parser.c,v 1.70.2.14.4.2 2003/02/17 07:05:10 marka Exp $ */
+/* $Id: parser.c,v 1.70.2.14.4.2.2.1 2003/09/17 05:40:40 explorer Exp $ */
#include <config.h>
};
static const char *zonetype_enums[] = {
- "master", "slave", "stub", "hint", "forward", NULL };
+ "master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
static cfg_type_t cfg_type_zonetype = {
"zonetype", parse_enum, print_ustring, &cfg_rep_string,
&zonetype_enums
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
{ "update-policy", &cfg_type_updatepolicy, 0 },
{ "database", &cfg_type_astring, 0 },
+ { "delegation-only", &cfg_type_boolean, 0 },
/*
* Note that the format of the check-names option is different between
* the zone options and the global/view options. Ugh.