#if CHECK_SIBLING
DNS_ZONEOPT_CHECKSIBLING |
#endif /* if CHECK_SIBLING */
- DNS_ZONEOPT_CHECKWILDCARD |
+ DNS_ZONEOPT_CHECKSVCB | DNS_ZONEOPT_CHECKWILDCARD |
DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
/*
zone_options |= DNS_ZONEOPT_CHECKSPF;
}
+ obj = NULL;
+ if (get_maps(maps, "check-svcb", &obj)) {
+ if (cfg_obj_asboolean(obj)) {
+ zone_options |= DNS_ZONEOPT_CHECKSVCB;
+ } else {
+ zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
+ }
+ } else {
+ zone_options |= DNS_ZONEOPT_CHECKSVCB;
+ }
+
obj = NULL;
if (get_checknames(maps, &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
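Review bot: The `else` branch at L17-L19 re-sets DNS_ZONEOPT_CHECKSVCB, but the default initializer at L5 already includes that bit, so the fallback is a no-op and leaves two places that both claim to define the default; dropping `else { zone_options |= DNS_ZONEOPT_CHECKSVCB; }` (or dropping the bit from L5) keeps one source of truth. Because this config-derived setting is applied before the option loop, as far as the hunk shows, a later `-C check-svcb:ignore` overrides it; that ordering is load-bearing and deserves a one-line comment above L10 such as `/* built-in default; -C on the command line overrides this below */`. The enclosing main() starts and ends outside the hunk.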
isc_commandline_errprint = false;
while ((c = isc_commandline_parse(argc, argv,
- "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
- "M:S:T:W:")) != EOF)
+ "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:C:"
+ "DF:M:S:T:W:")) != EOF)
{
switch (c) {
case 'c':
workdir = isc_commandline_argument;
break;
+ case 'C':
+ if (ARGCMP("check-svcb:fail")) {
+ zone_options |= DNS_ZONEOPT_CHECKSVCB;
+ } else if (ARGCMP("check-svcb:ignore")) {
+ zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
+ } else {
+ fprintf(stderr, "invalid argument to -C: %s\n",
+ isc_commandline_argument);
+ exit(1);
+ }
+ break;
+
case 'D':
dumpzone++;
break;
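Review bot: The new `-C` case at L35-L45 has no counterpart in usage(), which is outside the hunk; if usage() enumerates the options as the synopsis does, `[-C mode]` should be added there so `-h` output does not lag the manual. The `ARGCMP` branches accept exactly `check-svcb:fail` and `check-svcb:ignore`, matching the documented modes, and the `exit(1)` with a message on anything else presumably mirrors how the other mode-taking options are handled. The option loop continues outside the hunk.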
Synopsis
~~~~~~~~
-:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} (unknown)
+:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} (unknown)
Description
~~~~~~~~~~~
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
+.. option:: -C mode
+
+ This option controls check mode on zone files when loading.
+ Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
+
+ ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
+ records and ``check-svcb:ignore`` disables these checks. The
+ default is ``check-svcb:fail``.
+
.. option:: -i mode
This option performs post-load zone integrity checks. Possible modes are
Synopsis
~~~~~~~~
-:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} (unknown)
+:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} (unknown)
Description
~~~~~~~~~~~
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
+.. option:: -C mode
+
+ This option controls check mode on zone files when loading.
+ Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
+
+ ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
+ records and ``check-svcb:ignore`` disables these checks. The
+ default is ``check-svcb:fail``.
+
.. option:: -i mode
This option performs post-load zone integrity checks. Possible modes are
check-names response ignore;\n\
check-names secondary warn;\n\
check-spf warn;\n\
+ check-svcb yes;\n\
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-validation " VALIDATION_DEFAULT "; \n"
}
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
+ obj = NULL;
+ result = named_config_get(maps, "check-svcb", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSVCB,
+ cfg_obj_asboolean(obj));
+
obj = NULL;
result = named_config_get(maps, "zero-no-soa-ttl", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
Policy Framework record present (starts with "v=spf1") if there is an
SPF record present. The default is ``warn``.
+.. namedconf:statement:: check-svcb
+ :tags: zone
+ :short: Specifies whether to perform additional checks on SVCB records.
+
+ If ``yes``, checks that SVCB records that start with a ``_dns``
+ label prefixed by an optional ``_<port>`` label (e.g.
+ ``_443._dns.ns1.example``), have an ``alpn`` parameter and that
+ the ``dohpath`` parameter exists when the ``alpn`` indicates
+ that it should be present. The default is ``yes``.
+
.. namedconf:statement:: zero-no-soa-ttl
:tags: zone, query, server
:short: Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
named-checkzone \- zone file validity checking or converting tool
.SH SYNOPSIS
.sp
-\fBnamed\-checkzone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-o\fP filename] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {zonename} (unknown)
+\fBnamed\-checkzone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-C\fP mode] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-o\fP filename] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {zonename} (unknown)
.SH DESCRIPTION
.sp
\fBnamed\-checkzone\fP checks the syntax and integrity of a zone file. It
.UNINDENT
.INDENT 0.0
.TP
+.B \-C mode
+This option controls check mode on zone files when loading.
+Possible modes are \fBcheck\-svcb:fail\fP and \fBcheck\-svcb:ignore\fP\&.
+.sp
+\fBcheck\-svcb:fail\fP turns on additional checks on \fB_dns\fP SVCB
+records and \fBcheck\-svcb:ignore\fP disables these checks. The
+default is \fBcheck\-svcb:fail\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-i mode
This option performs post\-load zone integrity checks. Possible modes are
\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP,
named-compilezone \- zone file validity checking or converting tool
.SH SYNOPSIS
.sp
-\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} (unknown)
+\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-C\fP mode] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} (unknown)
.SH DESCRIPTION
.sp
\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file,
.UNINDENT
.INDENT 0.0
.TP
+.B \-C mode
+This option controls check mode on zone files when loading.
+Possible modes are \fBcheck\-svcb:fail\fP and \fBcheck\-svcb:ignore\fP\&.
+.sp
+\fBcheck\-svcb:fail\fP turns on additional checks on \fB_dns\fP SVCB
+records and \fBcheck\-svcb:ignore\fP disables these checks. The
+default is \fBcheck\-svcb:fail\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-i mode
This option performs post\-load zone integrity checks. Possible modes are
\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP,
check\-sibling <boolean>;
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
+ check\-svcb <boolean>;
check\-wildcard <boolean>;
clients\-per\-query <integer>;
cookie\-algorithm ( aes | siphash24 );
check\-sibling <boolean>;
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
+ check\-svcb <boolean>;
check\-wildcard <boolean>;
clients\-per\-query <integer>;
deny\-answer\-addresses { <address_match_element>; ... } [ except\-from { <string>; ... } ];
check\-sibling <boolean>;
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
+ check\-svcb <boolean>;
check\-wildcard <boolean>;
database <string>;
dialup ( notify | notify\-passive | passive | refresh | <boolean> );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
+ check-svcb <boolean>;
check-wildcard <boolean>;
clients-per-query <integer>;
cookie-algorithm ( aes | siphash24 );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
+ check-svcb <boolean>;
check-wildcard <boolean>;
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
+ check-svcb <boolean>;
check-wildcard <boolean>;
database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
#define DNS_MASTER_CHECKMX 0x00000800
#define DNS_MASTER_CHECKMXFAIL 0x00001000
-#define DNS_MASTER_RESIGN 0x00002000
-#define DNS_MASTER_KEY 0x00004000 /*%< Loading a key zone master file. */
-#define DNS_MASTER_NOTTL 0x00008000 /*%< Don't require ttl. */
-#define DNS_MASTER_CHECKTTL 0x00010000 /*%< Check max-zone-ttl */
+#define DNS_MASTER_RESIGN 0x00002000
+#define DNS_MASTER_KEY 0x00004000 /*%< Loading a key zone master file. */
+#define DNS_MASTER_NOTTL 0x00008000 /*%< Don't require ttl. */
+#define DNS_MASTER_CHECKTTL 0x00010000 /*%< Check max-zone-ttl */
+#define DNS_MASTER_CHECKSVCB 0x00020000 /*%< Check SVBC records */
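Review bot: The comment on the new DNS_MASTER_CHECKSVCB flag at L219 transposes the record type: `/*%< Check SVBC records */` should read `/*%< Check SVCB records */`. It would also help to state in that comment that the flag only takes effect together with DNS_MASTER_ZONE, since the consumer in master.c tests both bits (L230-L231), e.g. `/*%< Check _dns SVCB records (zone loads only) */`. The remaining changes in this hunk (L211-L218) are alignment-only whitespace.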
ISC_LANG_BEGINDECLS
DNS_ZONEOPT_CHECKSPF = 1 << 27, /*%< check SPF records */
DNS_ZONEOPT_CHECKTTL = 1 << 28, /*%< check max-zone-ttl */
DNS_ZONEOPT_AUTOEMPTY = 1 << 29, /*%< automatic empty zone */
+ DNS_ZONEOPT_CHECKSVCB = 1 << 30, /*%< check SVBC records */
DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
} dns_zoneopt_t;
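Review bot: The comment on DNS_ZONEOPT_CHECKSVCB at L224 has the same transposed name as master.h: `/*%< check SVBC records */` should be `/*%< check SVCB records */`. Naming the statement that drives it, e.g. `/*%< check _dns SVCB records (check-svcb) */`, ties the bit to its named.conf option the way the neighbouring `check max-zone-ttl` entry does. The enclosing enum starts outside the hunk.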
}
}
+ if (type == dns_rdatatype_svcb &&
+ (lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_CHECKSVCB) != 0)
+ {
+ result = dns_rdata_checksvcb(ictx->current,
+ &rdata[rdcount]);
+ if (result != ISC_R_SUCCESS) {
+ (*callbacks->error)(callbacks,
+ "%s:%lu: SVCB "
+ "record not valid: %s",
+ source, line,
+ isc_result_totext(result));
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ target = target_ft;
+ continue;
+ } else if (result != ISC_R_SUCCESS) {
+ goto insist_and_cleanup;
+ }
+ }
+ }
+
if (dns_rdatatype_atparent(type) &&
dns_master_isprimary(lctx) &&
dns_name_equal(ictx->current, lctx->top))
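Review bot: The `else if (result != ISC_R_SUCCESS)` at L245 is always true because it sits inside the `if (result != ISC_R_SUCCESS)` opened at L235, so a plain `else` expresses the same control flow without suggesting a third outcome. More importantly, the only reporting path is `callbacks->error` (L236), and with the default `check-svcb yes` a zone that loaded before this change but carries a `_dns` SVCB record without `alpn` is now rejected at load time (the MANYERRS path only defers the failure), which is an availability regression on upgrade; a `callbacks->warn` path selected by a warn mode, or at least an explicit release note, would let operators audit existing zones before enforcement. The check is also gated on DNS_MASTER_ZONE at L230, so SVCB records passing through this loader outside a zone load are not validated; if that is intentional, a short comment saying so would prevent a future "fix". The enclosing load loop starts and ends outside the hunk.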
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) {
options |= DNS_MASTER_CHECKTTL;
}
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSVCB)) {
+ options |= DNS_MASTER_CHECKSVCB;
+ }
return (options);
}
{ "check-sibling", &cfg_type_boolean, CFG_ZONE_PRIMARY },
{ "check-spf", &cfg_type_warn, CFG_ZONE_PRIMARY },
{ "check-srv-cname", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
+ { "check-svcb", &cfg_type_boolean, CFG_ZONE_PRIMARY },
{ "check-wildcard", &cfg_type_boolean, CFG_ZONE_PRIMARY },
{ "dialup", &cfg_type_dialuptype,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
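Review bot: `check-svcb` is declared as `cfg_type_boolean` at L265, whereas the adjacent record checks use `cfg_type_warn` (check-spf) or `cfg_type_checkmode` (check-srv-cname), so there is no warn-only mode: an operator can only enforce or disable. Given the default is `yes` and a failing record rejects the whole zone load in master.c, a `( fail | warn | ignore )` form via `cfg_type_checkmode` would let existing zones be audited without an outage and would also line up with the `check-svcb:fail|ignore` spelling chosen for the `-C` command-line option. The option table continues outside the hunk.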
ISC_MEM_ZERO);
}
+ options = dns_zone_getoptions(zone);
+
for (rule = 0,
result = dns_message_firstname(request, DNS_SECTION_UPDATE);
result == ISC_R_SUCCESS;
if (result != ISC_R_SUCCESS) {
FAIL(DNS_R_REFUSED);
}
+ if ((options & DNS_ZONEOPT_CHECKSVCB) != 0 &&
+ rdata.type == dns_rdatatype_svcb) {
+ result = dns_rdata_checksvcb(name, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ const char *reason =
+ isc_result_totext(result);
+ FAILNT(DNS_R_REFUSED, name, rdata.type,
+ reason);
+ }
+ }
} else if (update_class == dns_rdataclass_any) {
if (ttl != 0 || rdata.length != 0 ||
(dns_rdatatype_ismeta(rdata.type) &&
* Process the Update Section.
*/
- options = dns_zone_getoptions(zone);
for (rule = 0,
result = dns_message_firstname(request, DNS_SECTION_UPDATE);
result == ISC_R_SUCCESS;