From: Mark Andrews Date: Mon, 17 Feb 2003 01:15:44 +0000 (+0000) Subject: 1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible X-Git-Tag: v9.2.2~29 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=43272e05ef6c622dd332efc9efb99863efcafb64;p=thirdparty%2Fbind9.git 1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible with the forth coming DS style DNSSEC. --- diff --git a/CHANGES b/CHANGES index 3837a90dad6..df4a6d8f0ec 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible + with the forth coming DS style DNSSEC. --- 9.2.2rc1 released --- diff --git a/README b/README index 0060adad22c..a6c6bf89a63 100644 --- a/README +++ b/README @@ -220,6 +220,13 @@ Building Any additional preprocessor symbols you want defined. Defaults to empty string. + Possible settings: + -DISC_RFC2535 + Enable support RFC 2535 style DNSSEC. This + is incompatable with the upcoming DS support + and SHOULD NOT be set unless you are currently + making use of it. + To build shared libraries, specify "--with-libtool" on the configure command line. diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 4f6b956cd2e..e2311742985 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.139.2.1 2001/10/05 00:21:48 bwelling Exp $ */ +/* $Id: dnssec-signzone.c,v 1.139.2.1.6.1 2003/02/17 01:15:42 marka Exp $ */ #include 
@@ -1487,6 +1487,16 @@ usage(void) { fprintf(stderr, "Signing Keys: "); fprintf(stderr, "(default: all zone keys that have private keys)\n"); fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); +#ifndef ISC_RFC2535 + fprintf(stderr, +"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n" +"WARNING WARNING\n" +"WARNING This version of dnssec-signzone produces zones that are WARNING\n" +"WARNING incompatible with the forth coming DS based DNSSEC WARNING\n" +"WARNING standard. WARNING\n" +"WARNING WARNING\n" +"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"); +#endif exit(0); } @@ -1597,6 +1607,17 @@ main(int argc, char *argv[]) { } } +#ifndef ISC_RFC2535 + fprintf(stderr, +"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n" +"WARNING WARNING\n" +"WARNING This version of dnssec-signzone produces zones that are WARNING\n" +"WARNING incompatible with the forth coming DS based DNSSEC WARNING\n" +"WARNING standard. WARNING\n" +"WARNING WARNING\n" +"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"); +#endif + setup_entropy(mctx, randomfile, &ectx); eflags = ISC_ENTROPY_BLOCKING; if (!pseudorandom) diff --git a/bin/named/client.c b/bin/named/client.c index 78c07bb61b5..31ad686465d 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.11 2002/04/23 01:53:53 marka Exp $ */ +/* $Id: client.c,v 1.176.2.11.4.1 2003/02/17 01:15:42 marka Exp $ */ #include @@ -1014,7 +1014,11 @@ client_addopt(ns_client_t *client) { /* * Set EXTENDED-RCODE, VERSION, and Z to 0. */ +#ifdef ISC_RFC2535 rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE); +#else + rdatalist->ttl = 0; +#endif /* * No ENDS options in the default case. diff --git a/bin/named/query.c b/bin/named/query.c index 59bd89f1925..293ffb65611 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
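Review bot: The seven-line WARNING banner is pasted verbatim into usage() here and again into main() in the following hunk, so the two copies can drift apart. Define it once, for example as a file-scope `static void warn_incompatible(void)` holding the single `fprintf(stderr, ...)` call, and call that from both places. The guard is `#ifndef ISC_RFC2535`, so the banner is printed in the default build; a one-line comment above the guard saying so would stop readers from taking the condition for inverted. The runtime text "forth coming" should read "forthcoming". Both function bodies continue outside their hunks.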
@@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.198.2.8 2002/08/02 04:17:21 marka Exp $ */ +/* $Id: query.c,v 1.198.2.8.4.1 2003/02/17 01:15:42 marka Exp $ */ #include @@ -3300,9 +3300,11 @@ ns_query_start(ns_client_t *client) { if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; +#ifdef ISC_RFC2535 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0 || (message->flags & DNS_MESSAGEFLAG_AD) != 0) client->query.attributes |= NS_QUERYATTR_WANTDNSSEC; +#endif if (client->view->minimalresponses) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | diff --git a/bin/named/server.c b/bin/named/server.c index 69579c426d9..dfdfded502e 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.339.2.8 2002/07/10 04:27:23 marka Exp $ */ +/* $Id: server.c,v 1.339.2.8.4.1 2003/02/17 01:15:43 marka Exp $ */ #include @@ -280,6 +280,7 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, CHECK(dns_keytable_create(mctx, &keytable)); +#ifdef ISC_RFC2535 if (vconfig != NULL) voptions = cfg_tuple_get(vconfig, "options"); @@ -303,7 +304,7 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, keytable, mctx)); } } - +#endif dns_keytable_detach(target); *target = keytable; /* Transfer ownership. */ keytable = NULL; diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index ec77908e9c4..31ae5247744 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.218.2.12 2002/07/15 02:28:07 marka Exp $ */ +/* $Id: resolver.c,v 1.218.2.12.4.1 2003/02/17 01:15:43 marka Exp $ */ #include 
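Review bot: With ISC_RFC2535 undefined, ns_query_start() never sets `NS_QUERYATTR_WANTDNSSEC`, so a client's DO bit or AD flag is dropped without comment at the point where it happens. That matches the commit's intent, but a reader of query.c alone cannot tell. A comment above the guard would document it, e.g. `/* DO and AD are honoured only in RFC 2535 builds; otherwise DNSSEC records are never requested for the reply. */`. The function body continues outside the hunk.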
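Review bot: In the default build configure_view_dnsseckeys() now installs the freshly created, empty key table and never reads the `trusted-keys` clauses, so configured trust anchors are dropped and nothing is logged from this function. The parser.c hunk later in this commit flags the clause with `CFG_CLAUSEFLAG_OBSOLETE`, which presumably produces some diagnostic. "Obsolete" does not tell an operator that validation against those keys has been switched off, so an `#else` branch that logs an explicit warning when a trusted-keys clause is present would make the fail-open state visible. The locals used only inside the guarded block are declared outside the hunk and are probably unused when ISC_RFC2535 is undefined, which may add compiler warnings. The function continues outside the hunk.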
@@ -646,7 +646,11 @@ fctx_addopt(dns_message_t *message) { /* * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1. */ +#ifdef ISC_RFC2535 rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO; +#else + rdatalist->ttl = 0; +#endif /* * No EDNS options. @@ -3501,16 +3505,25 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) { * * Only one set of NS RRs is allowed. */ - if (ns_name != NULL && name != ns_name) - return (DNS_R_FORMERR); - ns_name = name; + if (rdataset->type == + dns_rdatatype_ns) { + if (ns_name != NULL && + name != ns_name) + return (DNS_R_FORMERR); + ns_name = name; + } name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_glue; ns_rdataset = rdataset; - } else if (type == dns_rdatatype_soa || + } + } + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + if (type == dns_rdatatype_soa || type == dns_rdatatype_nxt) { /* * SOA, SIG SOA, NXT, or SIG NXT. @@ -3524,11 +3537,18 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) { return (DNS_R_FORMERR); soa_name = name; } - negative_response = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_NCACHE; - rdataset->attributes |= - DNS_RDATASETATTR_NCACHE; + if (ns_name == NULL) { + negative_response = ISC_TRUE; + name->attributes |= + DNS_NAMEATTR_NCACHE; + rdataset->attributes |= + DNS_RDATASETATTR_NCACHE; + } else { + name->attributes |= + DNS_NAMEATTR_CACHE; + rdataset->attributes |= + DNS_RDATASETATTR_CACHE; + } if (aa) rdataset->trust = dns_trust_authauthority; diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 2d0832dab56..362d97016fa 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parser.c,v 1.70.2.14 2002/02/08 03:57:47 marka Exp $ */ +/* $Id: parser.c,v 1.70.2.14.4.1 2003/02/17 01:15:44 marka Exp $ */ #include 
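Review bot: The comment directly above the new `#ifdef` in fctx_addopt() still says the DO bit is set to 1, but in the `#else` branch `rdatalist->ttl = 0;` clears it. Reword it to cover both builds, e.g. `Set EXTENDED-RCODE, VERSION, and Z to 0; set DO only when built with ISC_RFC2535.` With DO cleared the resolver no longer asks upstream servers for signatures, and that is the security-relevant effect worth stating at this site. The function body continues outside the hunk.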
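Review bot: The second `for` loop added to noanswer_response() tests `type == dns_rdatatype_soa || type == dns_rdatatype_nxt`, but nothing inside that loop assigns `type`. As shown, it keeps the value left by the last iteration of the first loop; that assignment lies outside the hunk, so this is inferred from the visible lines. Every rdataset of the name would then be classified by one stale type rather than its own. The new loop body should begin with `type = rdataset->type;` followed by the same SIG-to-covered-type adjustment the first loop applies. This and the following hunk also change how responses are classified and cached, which the commit title does not mention, so the change deserves its own CHANGES entry.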
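Review bot: Whether an SOA or NXT rdataset is marked `NCACHE` or `CACHE` now depends on `ns_name == NULL` at the moment the second loop reaches it, and the rule is not explained at the site. If the enclosing iteration over names (outside the hunk) can visit the SOA owner before the NS owner, the same response would be classified differently depending on record order, which should be confirmed. At minimum add a comment before the test, e.g. `/* An NS set was seen for this response: cache SOA/NXT as referral data instead of treating the answer as negative. */`. The function continues outside the hunk.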
@@ -799,7 +799,12 @@ namedconf_or_view_clauses[] = { { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, +#ifdef ISC_RFC2535 { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI }, +#else + { "trusted-keys", &cfg_type_trustedkeys, + CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_OBSOLETE }, +#endif { NULL, NULL, 0 } };
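Review bot: The `#else` entry keeps "trusted-keys" in the clause table with `CFG_CLAUSEFLAG_OBSOLETE` added, but no comment says why the clause is retained rather than removed. How an obsolete clause is reported is not visible in this hunk. A comment above the guard would record the intent, e.g. `/* Still accepted so existing configurations load; the keys are ignored unless built with ISC_RFC2535. */`.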