+ --- 9.7.3-P1 released ---
+
+3121. [security] An authoritative name server sending a negative
+ response containing a very large RRset could
+ trigger an off-by-one error in the ncache code
+ and crash named. [RT #24650]
+
+3120. [bug] Named could fail to validate zones listed in a DLV
+ that validated insecure without using DLV and had
+ DS records in the parent zone. [RT #24631]
+
--- 9.7.3 released ---
3018. [bug] Named failed to check for the "none;" acl when deciding
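Review bot: the 3121 [security] entry carries only an RT number, whereas the security entries in the release notes this patch removes cite the CVE and VU identifiers alongside the RT number (e.g. RT #22288 with CVE-2010-3613 and VU#706148); if identifiers have been assigned for the ncache off-by-one, add them here so the fix can be matched to advisories. The 3120 text ("validated insecure without using DLV and had DS records in the parent zone") is hard to parse as one clause; stating the two conditions separately, e.g. zones that have DS records in the parent yet validate as insecure when DLV is not consulted, would make the entry clearer.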
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2549151"></a>Introduction</h2></div></div></div>
-
- <p>
- BIND 9.7.3 is the current release of BIND 9.7.
- </p>
- <p>
- This document summarizes changes from BIND 9.7.1 to BIND 9.7.3.
- Please see the CHANGES file in the source code release for a
- complete list of all changes.
- </p>
- </div>
-
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415638"></a>Download</h2></div></div></div>
-
- <p>
- The latest development version of BIND 9 software can always be found
- on our web site at
- <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
- There you will find additional information about each release,
- source code, and some pre-compiled versions for certain operating
- systems.
- </p>
- </div>
-
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415690"></a>Support</h2></div></div></div>
-
- <p>Product support information is available on
- <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
- for paid support options. Free support is provided by our user
- community via a mailing list. Information on all public email
- lists is available at
- <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
- </p>
- </div>
-
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415627"></a>New Features</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415698"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Zones may be dynamically added and removed with the
- “rndc addzone” and “rndc delzone” commands. These
- dynamically added zones are written to a per-view
- configuration file. Do not rely on the configuration
- file name nor contents as this will change in a future
- release. This is an experimental feature at this time.
- </li><li class="listitem">
- Added new “filter-aaaa-on-v4” access control list to
- select which IPv4 clients have AAAA record filtering
- applied.
- </li><li class="listitem">
- A new command “rndc secroots” was added to dump a combined
- summary of the currently managed keys combined with statically
- configured trust anchors.
- </li><li class="listitem">
- Added support to load new keys into managed zones without
- signing immediately with "rndc loadkeys". Added support
- to link keys with "dnssec-keygen -S" and
- "dnssec-settime -S".
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415770"></a>Feature Changes</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415775"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Documentation improvements
- </li><li class="listitem">
- ORCHID prefixes were removed from the automatic empty
- zone list.
- </li><li class="listitem">
- Improved handling of GSSAPI security contexts. Specifically,
- better memory management of cached contexts, limited lifetime
- of a context to 1 hour, and added a “realm” command to
- nsupdate to allow selection of a non-default realm name.
- </li><li class="listitem">
- The contributed tool “zkt” was updated to version 1.0.
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415805"></a>Security Fixes</h2></div></div></div>
-
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415810"></a>9.7.2-P3</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Adding a NO DATA signed negative response to cache failed to clear
- any matching RRSIG records already in cache. A subsequent lookup
- of the cached NO DATA entry could crash named (INSIST) when the
- unexpected RRSIG was also returned with the NO DATA cache entry.
- [RT #22288] [CVE-2010-3613] [VU#706148]
- </li><li class="listitem">
- BIND, acting as a DNSSEC validator, was determining if the NS RRset
- is insecure based on a value that could mean either that the RRset
- is actually insecure or that there wasn't a matching key for the RRSIG
- in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
- This can happen when in the middle of a DNSKEY algorithm rollover,
- when two different algorithms were used to sign a zone but only the
- new set of keys are in the zone DNSKEY RRset.
- [RT #22309] [CVE-2010-3614] [VU#837744]
- </li><li class="listitem">
- <p>
- When BIND is running as an authoritative server for a zone and
- receives a query for that zone data, it first checks for allow-query
- acls in the zone statement, then in that view, then in global
- options. If none of these exist, it defaults to allowing any query
- (allow-query {"any"};).
- </p>
- <p>
- With this bug, if the allow-query is not set in the zone statement,
- it failed to check in view or global options and fell back to the
- default of allowing any query. This means that queries that the zone
- owner did not wish to allow were incorrectly allowed.
- [RT #22418] [CVE-2010-3615] [VU#510208]
- </p>
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415862"></a>9.7.2-P2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- A flaw where the wrong ACL was applied was fixed. This flaw
- allowed access to a cache via recursion even though the ACL
- disallowed it.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id3415878"></a>9.7.2-P1</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- If BIND, acting as a DNSSEC validating server, has two or more trust
- anchors configured in named.conf for the same zone (such as
- example.com) and the response for a record in that zone from the
- authoritative server includes a bad signature, the validating server
- will crash while trying to validate that query.
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415898"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" title="9.7.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415904"></a>9.7.3</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
- and higher. Also removes support for unproven-pthreads, mit-pthreads
- and ptl2. [RT #19203]
- </li><li class="listitem">
- Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- </li><li class="listitem">
- "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- </li><li class="listitem">
- HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- </li><li class="listitem">
- If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- </li><li class="listitem">
- After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
- not being refreshed until named is restarted. [RT #22296]
- </li><li class="listitem">
- An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via dynamic
- update. [RT #22363]
- </li><li class="listitem">
- "rndc -h" now includes "loadkeys" option. [RT #22493]
- </li><li class="listitem">
- When performing a GSS-TSIG signed dynamic zone update, memory could be
- leaked. This causes an unclean shutdown and may affect long-running
- servers. [RT #22573]
- </li><li class="listitem">
- A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
- for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
- SO_ACCEPTFILTER support in BIND. [RT #22589]
- </li><li class="listitem">
-When signing records, named didn't filter out any TTL changes
-to DNSKEY records. This resulted in an incomplete key set. TTL
-changes are now dealt with before signing.
-[RT #22590]
- </li><li class="listitem">
- Corrected a defect where a combination of dynamic updates and zone transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- </li><li class="listitem">
- Don't run MX checks (check-mx) when the MX record points to ".".
-[RT #22645]
- </li><li class="listitem">
- DST key reference counts can now be incremented via dst_key_attach.
-[RT #22672]
- </li><li class="listitem">
-The IN6_IS_ADDR_LINKLOCAL and
-IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
-per current Windows OS. [RT #22724]
- </li><li class="listitem">
- "dnssec-settime -S" no longer tests prepublication interval validity
- when the interval is set to 0. [RT #22761]
- </li><li class="listitem">
- isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
- </li><li class="listitem">
- The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- </li><li class="listitem">
- named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863]
- </li><li class="listitem">
-The man page for dnssec-keyfromlabel incorrectly had "-U" rather
-than the correct option "-I". [RT #22887]
- </li><li class="listitem">
-The "rndc" command usage statement was missing the "-b" option.
-[RT #22937]
- </li><li class="listitem">
-There was a bug in how the clients-per-query code worked with some
-query patterns. This could result, in rare circumstances, in having all
-the client query slots filled with queries for the same DNS label,
-essentially ignoring the max-clients-per-query setting.
-[RT #22972]
- </li><li class="listitem">
-The secure zone update feature in named is based on the zone
-being signed and configured for dynamic updates. A bug in the ACL
-processing for "allow-update { none; };" resulted in a zone that is
-supposed to be static being treated as a dynamic zone. Thus, name
-would try to sign/re-sign that zone erroneously. [RT #23120]
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415913"></a>9.7.2-P3</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Microsoft changed the behavior of sockets between NT/XP based
- stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
- behavior, 2008r2 has the new behavior. With the change, different
- error results are possible, so ISC adapted BIND to handle the new
- error results.
- This resolves an issue where sockets would shut down on
- Windows servers causing named to stop responding to queries.
- [RT #21906]
- </li><li class="listitem">
- Windows has non-POSIX compliant behavior in its rename() and unlink()
- calls. This caused journal compaction to fail on Windows BIND servers
- with the log error: "dns_journal_compact failed: failure".
- [RT #22434]
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id3416078"></a>9.7.2-P1</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- A bug, introduced in BIND 9.7.2, caused named to fail to start
- if a master zone file was unreadable or missing. This has
- been corrected in 9.7.2-P1.
- </li><li class="listitem">
- BIND previously accepted answers from authoritative servers that did
- not provide a "proper" response, such as not setting AA bit. BIND was
- changed to be more strict in what it accepted but this caused
- operational issues. This new strictness has been backed out in
- 9.7.2-P1.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3416105"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Removed a warning message when running BIND 9 under Windows
- for when a TCP connection was aborted. This is a common
- occurrence and the warning was extraneous.
- </li><li class="listitem">
- Worked around a race condition in the cache database memory
- handling. Without this fix a DNS cache DB or ADB could
- incorrectly stay in an over memory state, effectively refusing
- further caching, which subsequently made a BIND 9 caching
- server unworkable.
- </li><li class="listitem">
- Partially disabled change 2864 because it would cause
- infinite attempts of RRSIG queries.
- </li><li class="listitem">
- BIND did not properly handle non-cacheable negative responses
- from insecure zones. This caused several non-protocol-compliant
- zones to become unresolvable. BIND is now more accepting of
- responses it receives from less strict servers.
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3416145"></a>Known issues in this release</h2></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- <p>
- "make test" will fail on OSX and possibly other operating systems.
- The failure occurs in a new test to check for allow-query ACLs.
- The failure is caused because the source address is not specified on
- the dig commands issued in the test.
- </p>
- <p>
- If running "make test" is part of your usual acceptance process,
- please edit the file <code class="code">bin/tests/system/allow_query/test.sh</code>
- and add
- </p><p>
- <code class="code">-b 10.53.0.2</code>
- </p><p>
- to the <code class="code">DIGOPTS</code> line.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3416192"></a>Thank You</h2></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to make
- quality open source software, please visit our donations page at
- <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
- </p>
- </div>
-</div></body></html>
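Review bot: removing the release-notes HTML outright leaves no replacement in this patch, and it is the only place that records the 9.7.2-P3 CVE references (CVE-2010-3613, CVE-2010-3614, CVE-2010-3615) and the "make test" allow-query workaround (adding `-b 10.53.0.2` to the DIGOPTS line in bin/tests/system/allow_query/test.sh). If the file is a generated artifact being dropped from the branch, say so in the commit message; otherwise regenerate the notes for 9.7.3-P1 with the new 3121/3120 entries rather than deleting them.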
+++ /dev/null
- __________________________________________________________________
-
-Introduction
-
- BIND 9.7.3 is the current release of BIND 9.7.
-
- This document summarizes changes from BIND 9.7.1 to BIND 9.7.3. Please
- see the CHANGES file in the source code release for a complete list of
- all changes.
-
-Download
-
- The latest development version of BIND 9 software can always be found
- on our web site at http://www.isc.org/downloads/development. There you
- will find additional information about each release, source code, and
- some pre-compiled versions for certain operating systems.
-
-Support
-
- Product support information is available on
- http://www.isc.org/services/support for paid support options. Free
- support is provided by our user community via a mailing list.
- Information on all public email lists is available at
- https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.7.2
-
- * Zones may be dynamically added and removed with the "rndc addzone"
- and "rndc delzone" commands. These dynamically added zones are
- written to a per-view configuration file. Do not rely on the
- configuration file name nor contents as this will change in a
- future release. This is an experimental feature at this time.
- * Added new "filter-aaaa-on-v4" access control list to select which
- IPv4 clients have AAAA record filtering applied.
- * A new command "rndc secroots" was added to dump a combined summary
- of the currently managed keys combined with statically configured
- trust anchors.
- * Added support to load new keys into managed zones without signing
- immediately with "rndc loadkeys". Added support to link keys with
- "dnssec-keygen -S" and "dnssec-settime -S".
-
-Feature Changes
-
-9.7.2
-
- * Documentation improvements
- * ORCHID prefixes were removed from the automatic empty zone list.
- * Improved handling of GSSAPI security contexts. Specifically, better
- memory management of cached contexts, limited lifetime of a context
- to 1 hour, and added a "realm" command to nsupdate to allow
- selection of a non-default realm name.
- * The contributed tool "zkt" was updated to version 1.0.
-
-Security Fixes
-
-9.7.2-P3
-
- * Adding a NO DATA signed negative response to cache failed to clear
- any matching RRSIG records already in cache. A subsequent lookup of
- the cached NO DATA entry could crash named (INSIST) when the
- unexpected RRSIG was also returned with the NO DATA cache entry.
- [RT #22288] [CVE-2010-3613] [VU#706148]
- * BIND, acting as a DNSSEC validator, was determining if the NS RRset
- is insecure based on a value that could mean either that the RRset
- is actually insecure or that there wasn't a matching key for the
- RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
- RRset. This can happen when in the middle of a DNSKEY algorithm
- rollover, when two different algorithms were used to sign a zone
- but only the new set of keys are in the zone DNSKEY RRset. [RT
- #22309] [CVE-2010-3614] [VU#837744]
- * When BIND is running as an authoritative server for a zone and
- receives a query for that zone data, it first checks for
- allow-query acls in the zone statement, then in that view, then in
- global options. If none of these exist, it defaults to allowing any
- query (allow-query {"any"};).
- With this bug, if the allow-query is not set in the zone statement,
- it failed to check in view or global options and fell back to the
- default of allowing any query. This means that queries that the
- zone owner did not wish to allow were incorrectly allowed. [RT
- #22418] [CVE-2010-3615] [VU#510208]
-
-9.7.2-P2
-
- * A flaw where the wrong ACL was applied was fixed. This flaw allowed
- access to a cache via recursion even though the ACL disallowed it.
-
-9.7.2-P1
-
- * If BIND, acting as a DNSSEC validating server, has two or more
- trust anchors configured in named.conf for the same zone (such as
- example.com) and the response for a record in that zone from the
- authoritative server includes a bad signature, the validating
- server will crash while trying to validate that query.
-
-Bug Fixes
-
-9.7.3
-
- * BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions
- 5.0 and higher. Also removes support for unproven-pthreads,
- mit-pthreads and ptl2. [RT #19203]
- * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- * "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- * HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- * If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- * After an "rndc reconfig", the refresh timer for managed-keys is
- ignored, resulting in managed-keys not being refreshed until named
- is restarted. [RT #22296]
- * An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via
- dynamic update. [RT #22363]
- * "rndc -h" now includes "loadkeys" option. [RT #22493]
- * When performing a GSS-TSIG signed dynamic zone update, memory could
- be leaked. This causes an unclean shutdown and may affect
- long-running servers. [RT #22573]
- * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
- allows for a TCP DoS attack. Until there is a kernel fix, ISC is
- disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
- * When signing records, named didn't filter out any TTL changes to
- DNSKEY records. This resulted in an incomplete key set. TTL changes
- are now dealt with before signing. [RT #22590]
- * Corrected a defect where a combination of dynamic updates and zone
- transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- * Don't run MX checks (check-mx) when the MX record points to ".".
- [RT #22645]
- * DST key reference counts can now be incremented via dst_key_attach.
- [RT #22672]
- * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
- were updated/corrected per current Windows OS. [RT #22724]
- * "dnssec-settime -S" no longer tests prepublication interval
- validity when the interval is set to 0. [RT #22761]
- * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
- attr. [RT #22766]
- * The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- * named failed to preserve the case of domain names in RDATA which is
- not compressible when writing master files. [RT #22863]
- * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
- than the correct option "-I". [RT #22887]
- * The "rndc" command usage statement was missing the "-b" option. [RT
- #22937]
- * There was a bug in how the clients-per-query code worked with some
- query patterns. This could result, in rare circumstances, in having
- all the client query slots filled with queries for the same DNS
- label, essentially ignoring the max-clients-per-query setting. [RT
- #22972]
- * The secure zone update feature in named is based on the zone being
- signed and configured for dynamic updates. A bug in the ACL
- processing for "allow-update { none; };" resulted in a zone that is
- supposed to be static being treated as a dynamic zone. Thus, name
- would try to sign/re-sign that zone erroneously. [RT #23120]
-
-9.7.2-P3
-
- * Microsoft changed the behavior of sockets between NT/XP based
- stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
- behavior, 2008r2 has the new behavior. With the change, different
- error results are possible, so ISC adapted BIND to handle the new
- error results. This resolves an issue where sockets would shut down
- on Windows servers causing named to stop responding to queries. [RT
- #21906]
- * Windows has non-POSIX compliant behavior in its rename() and
- unlink() calls. This caused journal compaction to fail on Windows
- BIND servers with the log error: "dns_journal_compact failed:
- failure". [RT #22434]
-
-9.7.2-P1
-
- * A bug, introduced in BIND 9.7.2, caused named to fail to start if a
- master zone file was unreadable or missing. This has been corrected
- in 9.7.2-P1.
- * BIND previously accepted answers from authoritative servers that
- did not provide a "proper" response, such as not setting AA bit.
- BIND was changed to be more strict in what it accepted but this
- caused operational issues. This new strictness has been backed out
- in 9.7.2-P1.
-
-9.7.2
-
- * Removed a warning message when running BIND 9 under Windows for
- when a TCP connection was aborted. This is a common occurrence and
- the warning was extraneous.
- * Worked around a race condition in the cache database memory
- handling. Without this fix a DNS cache DB or ADB could incorrectly
- stay in an over memory state, effectively refusing further caching,
- which subsequently made a BIND 9 caching server unworkable.
- * Partially disabled change 2864 because it would cause infinite
- attempts of RRSIG queries.
- * BIND did not properly handle non-cacheable negative responses from
- insecure zones. This caused several non-protocol-compliant zones to
- become unresolvable. BIND is now more accepting of responses it
- receives from less strict servers.
-
-Known issues in this release
-
- * "make test" will fail on OSX and possibly other operating systems.
- The failure occurs in a new test to check for allow-query ACLs. The
- failure is caused because the source address is not specified on
- the dig commands issued in the test.
- If running "make test" is part of your usual acceptance process,
- please edit the file bin/tests/system/allow_query/test.sh and add
- -b 10.53.0.2
- to the DIGOPTS line.
-
-Thank You
-
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- http://www.isc.org/supportisc.
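Review bot: this plain-text file is a rendering of the same content as the HTML removed above, so the two should be treated as one generated pair; the DocBook source they are produced from (the HTML header names DocBook XSL Stylesheets V1.75.2 as the generator) is not touched by this patch, so a documentation rebuild will recreate both files unless the source is removed or updated in the same change.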
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.5.476.2 2010/05/27 23:49:55 tbox Exp $
+# $Id: clean.sh,v 1.5.476.2.44.1 2011/05/27 00:43:04 each Exp $
rm -f random.data
rm -f ns*/named.run
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/root.db
+rm -f ns2/K*
+rm -f ns2/dlvset-*
+rm -f ns2/dsset-*
+rm -f ns2/*.signed
+rm -f ns2/*.pre
+rm -f ns2/signer.err
+rm -f ns2/druz.db
rm -f ns3/K*
rm -f ns3/*.db
rm -f ns3/*.signed
rm -f ns3/dlvset-*
rm -f ns3/dsset-*
rm -f ns3/keyset-*
-rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns1/trusted.conf ns5/trusted.conf
+rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
rm -f ns3/signer.err
rm -f ns6/K*
rm -f ns6/*.db
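Review bot: replacing `rm -f ns3/trusted.conf ns5/trusted.conf` with `rm -f ns1/trusted.conf ns5/trusted.conf` stops cleaning ns3/trusted.conf; ns3/sign.sh is not part of this patch, so if it still writes trusted.conf (as the old line implies), a stale copy survives clean.sh between runs. Either keep ns3/trusted.conf in the list or confirm that ns3/sign.sh now produces only trusted-dlv.conf. The new `rm -f ns1/root.db` is correct, since ns1/sign.sh now builds root.db from root.db.in plus the generated keys.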
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.966.1 2011/05/27 00:43:04 each Exp $ */
controls { /* empty */ };
listen-on-v6 { none; };
recursion no;
notify yes;
- dnssec-enable no;
+ dnssec-enable yes;
};
-zone "." { type master; file "root.db"; };
+zone "." { type master; file "root.signed"; };
zone "rootservers.utld" { type master; file "rootservers.utld.db"; };
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.4 2007/06/19 23:47:02 tbox Exp $
+; $Id: root.db.in,v 1.3.4.2 2011/05/27 00:43:04 each Exp $
$TTL 120
@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
;
utld NS ns.utld
ns.utld A 10.53.0.2
+druz NS ns.druz
+ns.druz A 10.53.0.2
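Review bot: the new druz delegation (`druz NS ns.druz` / `ns.druz A 10.53.0.2`) has no matching DS record, so once ns1/sign.sh signs the root, the NSEC chain proves druz insecure from the root and it can only be validated through the DLV set that ns2/sign.sh emits with `-l utld.`; that is presumably the point of the 3120 test case, but a one-line comment in root.db.in stating that the missing DS is deliberate would save the next reader from "fixing" it.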
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.4.2 2011/05/27 00:43:04 each Exp $
+
+(cd ../ns2 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns1/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+echo "I: signed $zone"
+
+grep -v '^;' $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5
+
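Review bot: `(cd ../ns2 && sh -e ./sign.sh || exit 1)` does not stop this script on failure, because the `exit 1` runs inside the subshell and the parent continues on to sign the root regardless; write `(cd ../ns2 && sh -e ./sign.sh) || exit 1`. Likewise `$SIGNER ... || cat signer.err` only prints the error and carries on, so a failed signing still produces trusted.conf and copies it to ../ns5; consider `|| { cat signer.err; exit 1; }` so the test fails at setup rather than with a confusing validation result later.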
--- /dev/null
+; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: druz.db.in,v 1.4.4.2 2011/05/27 00:43:05 each Exp $
+
+$TTL 120
+@ SOA ns hostmaster.ns 1 3600 1200 604800 60
+@ NS ns
+ns A 10.53.0.2
+;
+rootservers NS ns.rootservers
+ns.rootservers A 10.53.0.1
+;
+;
+child1 NS ns.child1
+ns.child1 A 10.53.0.3
+;
+child2 NS ns.child2
+ns.child2 A 10.53.0.4
+;
+child3 NS ns.child3
+ns.child3 A 10.53.0.3
+;
+child4 NS ns.child4
+ns.child4 A 10.53.0.3
+;
+child5 NS ns.child5
+ns.child5 A 10.53.0.3
+;
+child6 NS ns.child6
+ns.child6 A 10.53.0.4
+;
+child7 NS ns.child7
+ns.child7 A 10.53.0.3
+;
+child8 NS ns.child8
+ns.child8 A 10.53.0.3
+;
+child9 NS ns.child9
+ns.child9 A 10.53.0.3
+;
+child10 NS ns.child10
+ns.child10 A 10.53.0.3
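Review bot: child5 and child7 through child10 are delegated to 10.53.0.3 and child2/child6 to 10.53.0.4, but the ns3/named.conf hunk in this patch serves only child1.druz, child3.druz and child4.druz and no ns4 change is included, so the remaining delegations are lame unless they are served elsewhere. If only three children are exercised, trim the file to those or mark the rest as intentionally unserved so the fixture documents itself.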
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.966.1 2011/05/27 00:43:05 each Exp $ */
controls { /* empty */ };
listen-on-v6 { none; };
recursion no;
notify yes;
- dnssec-enable no;
+ dnssec-enable yes;
};
zone "." { type hint; file "hints"; };
zone "utld" { type master; file "utld.db"; };
+zone "druz" { type master; file "druz.signed"; };
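Review bot: the new `zone "druz"` line carries no trailing comment, while every zone in ns3/named.conf is annotated (`// dlv`, `// dlv unsigned`); a short annotation noting that druz.signed is the sed-mangled output of ns2/sign.sh rather than the signer's direct output (which is druz.pre) would make the fixture self-explaining.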
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.4.2 2011/05/27 00:43:05 each Exp $
+
+(cd ../ns3 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns2/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=druz.
+infile=druz.db.in
+zonefile=druz.db
+outfile=druz.pre
+dlvzone=utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+$CHECKZONE -q -D -i none druz druz.pre |
+sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
+
+echo "I: signed $zone"
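Review bot: the `|| exit 1` in `(cd ../ns3 && sh -e ./sign.sh || exit 1)` only terminates the subshell, so a failing ns3/sign.sh does not stop this script and the `cat`/`$SIGNER -g` steps below run against whatever dsset files happen to exist; if the intent is to abort, move the exit outside the parentheses: `(cd ../ns3 && sh -e ./sign.sh) || exit 1`. Separately, the `sed` that overwrites 16 characters of the first long base64 run on every `IN DNSKEY` line before writing `druz.signed`, while `druz.pre` keeps the intact signed zone, is clearly deliberate but is documented nowhere; add a comment above that pipeline stating why the served copy must carry DNSKEY rdata that no longer matches its RRSIGs.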
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.966.1 2011/05/27 00:43:05 each Exp $ */
controls { /* empty */ };
zone "child8.utld" { type master; file "child8.signed"; }; // no dlv
zone "child9.utld" { type master; file "child9.signed"; }; // dlv
zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned
+zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
+zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv
+zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv
+zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv
+zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv
+zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv
+zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
+zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.6.32.3 2010/05/27 23:49:55 tbox Exp $
+# $Id: sign.sh,v 1.6.32.3.44.1 2011/05/27 00:43:05 each Exp $
(cd ../ns6 && sh -e ./sign.sh)
+echo "I:dlv/ns3/sign.sh"
+
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
+dlvzone=dlv.utld.
dlvsets=
+dssets=
zone=child1.utld.
infile=child.db.in
zonefile=child1.utld.db
outfile=child1.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child3.utld.db
outfile=child3.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child4.utld.db
outfile=child4.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child5.utld.db
outfile=child5.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
-dlvzone=dlv.utld.
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed
-dlvzone=dlv.utld.
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child9.utld.db
outfile=child9.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
infile=child.db.in
zonefile=child10.utld.db
outfile=child10.signed
-dlvzone=dlv.utld.
dlvsets="$dlvsets dlvset-$zone"
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
+zone=child1.druz.
+infile=child.db.in
+zonefile=child1.druz.db
+outfile=child1.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child3.druz.
+infile=child.db.in
+zonefile=child3.druz.db
+outfile=child3.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child4.druz.
+infile=child.db.in
+zonefile=child4.druz.db
+outfile=child4.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child5.druz.
+infile=child.db.in
+zonefile=child5.druz.db
+outfile=child5.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child7.druz.
+infile=child.db.in
+zonefile=child7.druz.db
+outfile=child7.druz.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child8.druz.
+infile=child.db.in
+zonefile=child8.druz.db
+outfile=child8.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child9.druz.
+infile=child.db.in
+zonefile=child9.druz.db
+outfile=child9.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=child10.druz.
+infile=child.db.in
+zonefile=child10.druz.db
+outfile=child10.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
zone=dlv.utld.
infile=dlv.db.in
zonefile=dlv.utld.db
outfile=dlv.signed
-dlvzone=dlv.utld.
keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
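Review bot: child8.druz is signed with `-l $dlvzone`, yet it is never appended to `dlvsets` and ns3/named.conf labels it `// no dlv`, whereas child7.druz, also `// no dlv`, is signed without `-l`. Either drop `-l` for child8.druz to match child7.druz, or add a comment if producing an unpublished dlvset file for that zone is part of the test. In the same block, child10.druz gets both a `dlvsets` and a `dssets` entry although ns3/named.conf serves it from the unsigned `child.db.in`, so the parent will publish a DS for a zone that answers with no DNSKEY; if that DS-present-but-unsigned case is intended, say so next to the `dssets="$dssets dsset-$zone"` line.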
"$dn" $flags $proto $alg "$key";
};
EOF
-' > trusted.conf
-cp trusted.conf ../ns5
+' > trusted-dlv.conf
+cp trusted-dlv.conf ../ns5
+
+cp $dssets ../ns2
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.8 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.8.966.1 2011/05/27 00:43:05 each Exp $ */
/*
* Choose a keyname that is unlikely to clash with any real key names.
};
include "trusted.conf";
+include "trusted-dlv.conf";
options {
query-source address 10.53.0.5;
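Review bot: this named.conf keeps `include "trusted.conf";` and adds `include "trusted-dlv.conf";`, but the only generator visible in this patch (ns3/sign.sh) was changed from writing `trusted.conf` to writing `trusted-dlv.conf` and copying that to ns5. Unless another sign script not shown here now produces `trusted.conf`, ns5 will fail to start on a missing include; confirm where the non-DLV trust anchors are written before merging.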
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.3 2010/07/11 01:18:17 each Exp $ */
+/* $Id: named.conf,v 1.2.2.3.34.1 2011/05/27 00:43:05 each Exp $ */
controls { /* empty */ };
zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
+zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
+zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
+zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
+zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
+zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
+zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
+zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
+zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2.2.2 2010/05/27 23:49:55 tbox Exp $
+# $Id: sign.sh,v 1.2.2.2.44.1 2011/05/27 00:43:05 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+echo "I:dlv/ns6/sign.sh"
+
RANDFILE=../random.data
zone=grand.child1.utld.
$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo "I: signed $zone"
+
+zone=grand.child1.druz.
+infile=child.db.in
+zonefile=grand.child1.druz.db
+outfile=grand.child1.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.druz.
+infile=child.db.in
+zonefile=grand.child3.druz.db
+outfile=grand.child3.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.druz.
+infile=child.db.in
+zonefile=grand.child4.druz.db
+outfile=grand.child4.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.druz.
+infile=child.db.in
+zonefile=grand.child5.druz.db
+outfile=grand.child5.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.druz.
+infile=child.db.in
+zonefile=grand.child7.druz.db
+outfile=grand.child7.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.druz.
+infile=child.db.in
+zonefile=grand.child8.druz.db
+outfile=grand.child8.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.druz.
+infile=child.db.in
+zonefile=grand.child9.druz.db
+outfile=grand.child9.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.druz.
+infile=child.db.in
+zonefile=grand.child10.druz.db
+outfile=grand.child10.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
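Review bot: `dlvzone=dlv.druz.` is assigned in the grand.child3 through grand.child10 blocks but never read, since none of the `$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile` lines pass `-l`, and `dlv.druz.` appears nowhere else in the patch (the DLV zone used elsewhere is `dlv.utld.`). Either delete the dead assignments or, if these grandchildren were meant to be registered in a DLV, pass `-l $dlvzone`. The eight blocks are otherwise identical apart from the zone name; a `for zone in ...` loop would make it obvious that no per-zone variation is intended.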
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.6 2009/03/02 23:47:43 tbox Exp $
+# $Id: setup.sh,v 1.6.542.1 2011/05/27 00:43:04 each Exp $
../../../tools/genrandom 400 random.data
-(cd ns3 && sh -e sign.sh)
+(cd ns1 && sh -e sign.sh)
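Review bot: the signing chain now starts at `(cd ns1 && sh -e sign.sh)` instead of ns3, but ns1/sign.sh is not part of the diff shown. The rest of the chain is visible (ns2/sign.sh calls ns3/sign.sh, which calls ns6/sign.sh), so confirm that ns1/sign.sh invokes ns2/sign.sh; otherwise druz and the new child zones are never signed and every new check in tests.sh fails for the wrong reason.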
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4.558.2 2010/05/27 23:49:55 tbox Exp $
+# $Id: tests.sh,v 1.4.558.2.44.1 2011/05/27 00:43:04 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
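Review bot: the two new progress strings read "SOA reference by DLV in a DRUZ with DS"; "referenced" is meant, and the second check queries grand.child1.druz, which is the grandchild of druz, so "grandchild SOA" would describe it more accurately than "child SOA". Small, but these strings are what shows up in the test log when the check fails.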
LIBINTERFACE = 70
-LIBREVISION = 2
+LIBREVISION = 3
LIBAGE = 1
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.h,v 1.42 2008/09/24 02:46:23 marka Exp $ */
+/* $Id: masterdump.h,v 1.42.604.1 2011/05/27 00:43:06 each Exp $ */
#ifndef DNS_MASTERDUMP_H
#define DNS_MASTERDUMP_H 1
const char *
dns_trust_totext(dns_trust_t trust);
+/*%<
+ * Display trust in textual form.
+ */
ISC_LANG_ENDDECLS
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.h,v 1.67.186.2 2010/02/25 05:25:53 tbox Exp $ */
+/* $Id: rdataset.h,v 1.67.186.2.48.1 2011/05/27 00:43:06 each Exp $ */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
* Mark the rdataset to be expired in the backing database.
*/
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*%<
+ * Display trust in textual form.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RDATASET_H */
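Review bot: `dns_trust_totext()` is now declared twice, in masterdump.h (where the hunk above only adds the doc comment) and here in rdataset.h. Identical prototypes compile, but the definition moved to rdataset.c, so this header is its natural home; drop the masterdump.h copy, or leave only a comment there pointing at rdataset.h if existing callers include masterdump.h for it, so a future signature change cannot drift between the two declarations.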
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.c,v 1.99 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: masterdump.c,v 1.99.334.1 2011/05/27 00:43:06 each Exp $ */
/*! \file */
#define MAXSORT 64
-static const char *trustnames[] = {
- "none",
- "pending-additional",
- "pending-answer",
- "additional",
- "glue",
- "answer",
- "authauthority",
- "authanswer",
- "secure",
- "local" /* aka ultimate */
-};
-
-const char *
-dns_trust_totext(dns_trust_t trust) {
- if (trust >= sizeof(trustnames)/sizeof(*trustnames))
- return ("bad");
- return (trustnames[trust]);
-}
-
static isc_result_t
dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
for (i = 0; i < n; i++) {
dns_rdataset_t *rds = sorted[i];
if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
- unsigned int trust = rds->trust;
- INSIST(trust < (sizeof(trustnames) /
- sizeof(trustnames[0])));
- fprintf(f, "; %s\n", trustnames[trust]);
+ fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
}
if (rds->type == 0 &&
(ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
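Review bot: removing the `INSIST(trust < (sizeof(trustnames) / sizeof(trustnames[0])))` changes the failure mode of the trust dump: an out-of-range `rds->trust` used to abort named, and now prints `; bad` via `dns_trust_totext()` and continues. That is a sensible choice for a dump path, but it is a behaviour change rather than a pure move of the table to rdataset.c, so state it explicitly in the change description.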
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.c,v 1.43.268.7 2010/05/19 09:51:31 marka Exp $ */
+/* $Id: ncache.c,v 1.43.268.7.46.1 2011/05/27 00:43:06 each Exp $ */
/*! \file */
*/
isc_buffer_availableregion(&buffer,
&r);
- if (r.length < 2)
+ if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
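Review bot: the space check `if (r.length < 3)` now reserves one byte more than the 2-byte `isc_buffer_putuint16(&buffer, rdataset->type)` that follows it in the hunk; whatever write consumes the third byte lies outside the visible context, so nothing next to the constant says what it accounts for. Add a comment at the check naming the fields being reserved (the type plus the byte written after it) so the bound can be verified against the writes instead of re-derived; a bare length constant like this is exactly what goes stale when a field is appended.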
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.c,v 1.84.186.2 2010/02/25 05:25:51 tbox Exp $ */
+/* $Id: rdataset.c,v 1.84.186.2.48.1 2011/05/27 00:43:06 each Exp $ */
/*! \file */
#include <dns/rdataset.h>
#include <dns/compress.h>
+static const char *trustnames[] = {
+ "none",
+ "pending-additional",
+ "pending-answer",
+ "additional",
+ "glue",
+ "answer",
+ "authauthority",
+ "authanswer",
+ "secure",
+ "local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+ if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+ return ("bad");
+ return (trustnames[trust]);
+}
+
void
dns_rdataset_init(dns_rdataset_t *rdataset) {
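Review bot: `trustnames[]` is indexed directly by the `dns_trust_t` value and depends on the enumeration order matching the table, with `"bad"` returned for anything past the end. Put a comment on the table saying it must be kept in step with `dns_trust_t`, and a matching one beside the enum definition, so a new trust level added in one place is not silently reported as `"bad"` or, worse, as the wrong name.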
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.182.16.14 2010/11/16 01:21:49 marka Exp $ */
+/* $Id: validator.c,v 1.182.16.14.10.1 2011/05/27 00:43:06 each Exp $ */
#include <config.h>
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", rdataset->trust);
+ "keyset with trust %s",
+ dns_trust_totext(rdataset->trust));
/*
* Only extract the dst key if the keyset is secure.
*/
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", rdataset->trust);
+ "dsset with trust %s",
+ dns_trust_totext(rdataset->trust));
val->dsset = &val->frdataset;
result = validatezonekey(val);
if (result != DNS_R_WAIT)
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
/*
* Only extract the dst key if the keyset is secure.
*/
isc_boolean_t have_dsset;
dns_name_t *name;
validator_log(val, ISC_LOG_DEBUG(3),
- "%s with trust %d",
+ "%s with trust %s",
val->frdataset.type == dns_rdatatype_ds ?
"dsset" : "ds non-existance",
- val->frdataset.trust);
+ dns_trust_totext(val->frdataset.trust));
have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
name = dns_fixedname_name(&val->fname);
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
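Review bot: the context line `"dsset" : "ds non-existance",` misspells "non-existence"; since this hunk already rewrites the surrounding format string from `%d` to `%s`, fixing the spelling here is free and keeps the debug log grep-able under the correct word.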
INSIST(type == dns_rdatatype_dlv);
if (val->frdataset.trust != dns_trust_secure) {
validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %u",
- val->frdataset.trust);
+ "covering nsec: trust %s",
+ dns_trust_totext(val->frdataset.trust));
goto notfound;
}
result = dns_rdataset_first(&val->frdataset);
* See if we've got the key used in the signature.
*/
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d",
- val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
result = get_dst_key(val, siginfo, val->keyset);
if (result != ISC_R_SUCCESS) {
/*
" insecure DS");
return (DNS_R_MUSTBESECURE);
}
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
+ if (val->view->dlv == NULL || DLVTRIED(val)) {
+ markanswer(val, "validatezonekey (2)");
+ return (ISC_R_SUCCESS);
+ }
+ return (startfinddlvsep(val, val->event->name));
}
/*
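Review bot: the new `if (val->view->dlv == NULL || DLVTRIED(val))` branch is the one behavioural change in this patch: an insecure DS result used to be accepted as insecure on the spot, and now falls through to `startfinddlvsep(val, val->event->name)` whenever a DLV is configured and has not yet been consulted. The `DLVTRIED(val)` half is what keeps the DLV lookup from re-entering this path and looping, but nothing in the hunk says so; add a one-line comment explaining why the same condition leads to `markanswer()` in one case and a lookup in the other. Also confirm that every caller handles the return value of `startfinddlvsep()` the same way as the wait result it already gets from the DS lookups, since this branch never returned anything but `ISC_R_SUCCESS` before.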
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dlvset with trust %d", val->frdataset.trust);
+ "dlvset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
dns_rdataset_clone(&val->frdataset, &val->dlv);
val->havedlvsep = ISC_TRUE;
if (dlv_algorithm_supported(val))
-# $Id: version,v 1.51.2.11 2011/01/30 08:01:01 marka Exp $
+# $Id: version,v 1.51.2.11.12.1 2011/05/27 00:43:04 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
MAJORVER=9
MINORVER=7
PATCHVER=3
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1