-rw-r--r--bin/check/check-tool.c3
-rw-r--r--bin/check/named-checkconf.c3
-rw-r--r--bin/check/named-checkzone.c3
-rw-r--r--bin/confgen/keygen.c3
-rw-r--r--bin/confgen/util.c3
-rw-r--r--bin/dig/dig.1201
-rw-r--r--bin/dig/dig.c114
-rw-r--r--bin/dig/dig.docbook339
-rw-r--r--bin/dig/dig.html261
-rw-r--r--bin/dig/dighost.c234
-rw-r--r--bin/dig/nslookup.c2
-rw-r--r--bin/dnssec/dnssec-dsfromkey.813
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c40
-rw-r--r--bin/dnssec/dnssec-dsfromkey.docbook17
-rw-r--r--bin/dnssec/dnssec-dsfromkey.html26
-rw-r--r--bin/dnssec/dnssec-keygen.c7
-rw-r--r--bin/dnssec/dnssec-revoke.c8
-rw-r--r--bin/dnssec/dnssec-settime.c7
-rw-r--r--bin/dnssec/dnssec-signzone.c44
-rw-r--r--bin/named/client.c40
-rw-r--r--bin/named/config.c11
-rw-r--r--bin/named/control.c4
-rw-r--r--bin/named/include/named/lwdclient.h3
-rw-r--r--bin/named/include/named/main.h9
-rw-r--r--bin/named/include/named/server.h38
-rw-r--r--bin/named/interfacemgr.c4
-rw-r--r--bin/named/logconf.c3
-rw-r--r--bin/named/lwdclient.c96
-rw-r--r--bin/named/lwresd.c7
-rw-r--r--bin/named/main.c58
-rw-r--r--bin/named/named.812
-rw-r--r--bin/named/named.docbook17
-rw-r--r--bin/named/named.html26
-rw-r--r--bin/named/query.c283
-rw-r--r--bin/named/server.c232
-rw-r--r--bin/named/statschannel.c67
-rw-r--r--bin/named/update.c15
-rw-r--r--bin/named/xfrout.c7
-rw-r--r--bin/nsupdate/nsupdate.1184
-rw-r--r--bin/nsupdate/nsupdate.c12
-rw-r--r--bin/nsupdate/nsupdate.docbook1128
-rw-r--r--bin/nsupdate/nsupdate.html722
-rw-r--r--bin/rndc/rndc.8349
-rw-r--r--bin/rndc/rndc.c3
-rw-r--r--bin/rndc/rndc.docbook1178
-rw-r--r--bin/rndc/rndc.html757
-rw-r--r--bin/rndc/util.c7
-rw-r--r--bin/tools/arpaname.c3
-rw-r--r--bin/tools/isc-hmac-fixup.c3
-rw-r--r--bin/tools/named-journalprint.c3
50 files changed, 3698 insertions, 2911 deletions
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 1e534071d0c80..bb51fd360ff97 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -33,6 +33,7 @@
#include <isc/mem.h>
#include <isc/netdb.h>
#include <isc/net.h>
+#include <isc/print.h>
#include <isc/region.h>
#include <isc/stdio.h>
#include <isc/string.h>
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 18cfdddc98bd5..a2a0856de475a 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 7e779c2d17f8a..b1b871d09bd85 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -30,6 +30,7 @@
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/socket.h>
#include <isc/string.h>
#include <isc/task.h>
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index d0cdafed364bc..3c0507f7ce0f5 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012, 2013, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -29,6 +29,7 @@
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
diff --git a/bin/confgen/util.c b/bin/confgen/util.c
index 5f5f817a5d3d9..a3e21b5155af8 100644
--- a/bin/confgen/util.c
+++ b/bin/confgen/util.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -25,6 +25,7 @@
#include <stdio.h>
#include <isc/boolean.h>
+#include <isc/print.h>
#include "util.h"
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index b492ee71fd58a..f78d556bfbd77 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -130,77 +130,97 @@ will perform a lookup for an A record.
.RE
.SH "OPTIONS"
.PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+\-4
+.RS 4
+Use IPv4 only.
+.RE
.PP
-The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
+\-6
+.RS 4
+Use IPv6 only.
+.RE
+.PP
+\-b \fIaddress\fR\fI[#port]\fR
+.RS 4
+Set the source IP address of the query. The
+\fIaddress\fR
+must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Set the query class. The default
\fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
+is IN; other classes are HS for Hesiod records or CH for Chaosnet records.
+.RE
.PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
+\-f \fIfile\fR
+.RS 4
+Batch mode:
+\fBdig\fR
+reads a list of lookup requests to process from the given
+\fIfile\fR. Each line in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface.
+.RE
.PP
-The
-\fB\-m\fR
-option enables memory usage debugging.
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted.
+.RE
.PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+\-k \fIkeyfile\fR
+.RS 4
+Sign queries using TSIG using a key read from the given file. Key files can be generated using
+\fBtsig\-keygen\fR(8). When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
+\fBkey\fR
+and
+\fBserver\fR
+statements in
+\fInamed.conf\fR.
+.RE
.PP
-The
-\fB\-4\fR
-option forces
-\fBdig\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBdig\fR
-to only use IPv6 query transport.
+\-m
+.RS 4
+Enable memory usage debugging.
+.RE
.PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
+\-p \fIport\fR
+.RS 4
+Send the query to a non\-standard port on the server, instead of the defaut port 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+.RE
+.PP
+\-q \fIname\fR
+.RS 4
+The domain name to query. This is useful to distinguish the
+\fIname\fR
+from other arguments.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
\fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
+option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
-is set to
+to
ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
\fIN\fR.
+.RE
.PP
-The
-\fB\-q\fR
-option sets the query name to
-\fIname\fR. This is useful to distinguish the
-\fIname\fR
-from other arguments.
-.PP
-The
-\fB\-v\fR
-causes
-\fBdig\fR
-to print the version number and exit.
+\-v
+.RS 4
+Print the version number and exit.
+.RE
.PP
-Reverse lookups \(em mapping addresses to names \(em are simplified by the
-\fB\-x\fR
-option.
+\-x \fIaddr\fR
+.RS 4
+Simplified reverse lookups, for mapping addresses to names. The
\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When the
+\fB\-x\fR
+is used, there is no need to provide the
\fIname\fR,
\fIclass\fR
and
@@ -208,35 +228,41 @@ and
arguments.
\fBdig\fR
automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
+94.2.0.192.in\-addr.arpa
+and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain (but see also the
\fB\-i\fR
-option. Bit string labels (RFC2874) are now experimental and are not attempted.
+option).
+.RE
.PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Sign queries using TSIG with the given authentication key.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5.
+.sp
+NOTE: You should use the
\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
+option and avoid the
\fB\-y\fR
-option;
-\fIhmac\fR
-is the type of the TSIG, default HMAC\-MD5,
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
+option, because with
\fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
+the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
\fBps\fR(1)
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-\fInamed.conf\fR.
+or in a history file maintained by the user's shell.
+.RE
.SH "QUERY OPTIONS"
.PP
\fBdig\fR
@@ -245,7 +271,10 @@ provides a number of query options which affect the way in which lookups are mad
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
+\fB+keyword=value\fR. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
++cd
+is equivalent to
++cdflag. The query options are:
.PP
\fB+[no]aaflag\fR
.RS 4
@@ -300,7 +329,7 @@ bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively
Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
.RE
.PP
-\fB+[no]cl\fR
+\fB+[no]class\fR
.RS 4
Display [do not display] the CLASS when printing the record.
.RE
@@ -421,6 +450,12 @@ Print [do not print] the query as it is sent. By default, the query is not print
Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
.RE
.PP
+\fB+[no]rdflag\fR
+.RS 4
+A synonym for
+\fI+[no]recurse\fR.
+.RE
+.PP
\fB+[no]recurse\fR
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
@@ -518,6 +553,8 @@ Toggle tracing of the delegation path from the root name servers for the name be
\fBdig\fR
makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
.sp
+If @server is also specified, it affects only the initial query for the root zone name servers.
+.sp
\fB+dnssec\fR
is also set when +trace is set to better emulate the default queries from a nameserver.
.RE
@@ -620,7 +657,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 07d8b0b7e14ad..145e6107ad33c 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -165,71 +165,75 @@ help(void) {
" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
" (Use ixfr=version for type ixfr)\n"
" q-opt is one of:\n"
-" -x dot-notation (shortcut for reverse lookups)\n"
-" -i (use IP6.INT for IPv6 reverse lookups)\n"
-" -f filename (batch mode)\n"
+" -4 (use IPv4 query transport only)\n"
+" -6 (use IPv6 query transport only)\n"
" -b address[#port] (bind to source address/port)\n"
+" -c class (specify query class)\n"
+" -f filename (batch mode)\n"
+" -i (use IP6.INT for IPv6 reverse lookups)\n"
+" -k keyfile (specify tsig key file)\n"
+" -m (enable memory usage debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -t type (specify query type)\n"
-" -c class (specify query class)\n"
-" -k keyfile (specify tsig key file)\n"
+" -x dot-notation (shortcut for reverse lookups)\n"
" -y [hmac:]name:key (specify named base64 tsig key)\n"
-" -4 (use IPv4 query transport only)\n"
-" -6 (use IPv6 query transport only)\n"
-" -m (enable memory usage debugging)\n"
" d-opt is of the form +keyword[=value], where keyword is:\n"
-" +[no]vc (TCP mode)\n"
-" +[no]tcp (TCP mode, alternate syntax)\n"
-" +time=### (Set query timeout) [5]\n"
-" +tries=### (Set number of UDP attempts) [3]\n"
-" +retry=### (Set number of UDP retries) [2]\n"
-" +domain=### (Set default domainname)\n"
-" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
-" +ndots=### (Set NDOTS value)\n"
-" +[no]edns[=###] (Set EDNS version) [0]\n"
-" +[no]search (Set whether to use searchlist)\n"
-" +[no]showsearch (Search with intermediate results)\n"
-" +[no]defname (Ditto)\n"
-" +[no]recurse (Recursive mode)\n"
-" +[no]ignore (Don't revert to TCP for TC responses.)"
-"\n"
-" +[no]fail (Don't try next server on SERVFAIL)\n"
-" +[no]besteffort (Try to parse even illegal messages)\n"
" +[no]aaonly (Set AA flag in query (+[no]aaflag))\n"
-" +[no]adflag (Set AD flag in query)\n"
-" +[no]cdflag (Set CD flag in query)\n"
+" +[no]additional (Control display of additional section)\n"
+" +[no]adflag (Set AD flag in query (default on))\n"
+" +[no]all (Set or clear all display flags)\n"
+" +[no]answer (Control display of answer section)\n"
+" +[no]authority (Control display of authority section)\n"
+" +[no]besteffort (Try to parse even illegal messages)\n"
+" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
+" +[no]cdflag (Set checking disabled flag in query)\n"
" +[no]cl (Control display of class in records)\n"
" +[no]cmd (Control display of command line)\n"
" +[no]comments (Control display of comment lines)\n"
+" +[no]defname (Use search list (+[no]search))\n"
+" +[no]dnssec (Request DNSSEC records)\n"
+" +domain=### (Set default domainname)\n"
+" +[no]edns[=###] (Set EDNS version) [0]\n"
+" +[no]fail (Don't try next server on SERVFAIL)\n"
+" +[no]identify (ID responders in short answers)\n"
+" +[no]ignore (Don't revert to TCP for TC responses.)"
+"\n"
+" +[no]keepopen (Keep the TCP socket open between queries)\n"
+" +[no]multiline (Print records in an expanded format)\n"
+" +ndots=### (Set search NDOTS value)\n"
+" +[no]nsid (Request Name Server ID)\n"
+" +[no]nssearch (Search all authoritative nameservers)\n"
+" +[no]onesoa (AXFR prints only one soa record)\n"
+" +[no]qr (Print question before sending)\n"
+" +[no]question (Control display of question section)\n"
+" +[no]recurse (Recursive mode)\n"
+" +retry=### (Set number of UDP retries) [2]\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
-" +[no]question (Control display of question)\n"
-" +[no]answer (Control display of answer)\n"
-" +[no]authority (Control display of authority)\n"
-" +[no]additional (Control display of additional)\n"
-" +[no]stats (Control display of statistics)\n"
-" +[no]short (Disable everything except short\n"
+" +[no]search (Set whether to use searchlist)\n"
+" +[no]short (Display nothing except short\n"
" form of answer)\n"
-" +[no]ttlid (Control display of ttls in records)\n"
-" +[no]all (Set or clear all display flags)\n"
-" +[no]qr (Print question before sending)\n"
-" +[no]nssearch (Search all authoritative nameservers)\n"
-" +[no]identify (ID responders in short answers)\n"
-" +[no]trace (Trace delegation down from root [+dnssec])\n"
-" +[no]dnssec (Request DNSSEC records)\n"
-" +[no]nsid (Request Name Server ID)\n"
+" +[no]showsearch (Search with intermediate results)\n"
#ifdef DIG_SIGCHASE
" +[no]sigchase (Chase DNSSEC signatures)\n"
-" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
+#endif
+" +[no]split=## (Split hex/base64 fields into chunks)\n"
+" +[no]stats (Control display of statistics)\n"
+" +[no]tcp (TCP mode (+[no]vc))\n"
+" +time=### (Set query timeout) [5]\n"
+#ifdef DIG_SIGCHASE
#if DIG_SIGCHASE_TD
" +[no]topdown (Do DNSSEC validation top down mode)\n"
#endif
#endif
-" +[no]split=## (Split hex/base64 fields into chunks)\n"
-" +[no]multiline (Print records in an expanded format)\n"
-" +[no]onesoa (AXFR prints only one soa record)\n"
-" +[no]keepopen (Keep the TCP socket open between queries)\n"
+" +[no]trace (Trace delegation down from root [+dnssec])\n"
+" +tries=### (Set number of UDP attempts) [3]\n"
+#ifdef DIG_SIGCHASE
+" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
+#endif
+" +[no]ttlid (Control display of ttls in records)\n"
+" +[no]vc (TCP mode (+[no]tcp))\n"
" global d-opts and servers (before host name) affect all queries.\n"
" local d-opts and servers (after host name) affect only that lookup.\n"
" -h (print help and exit)\n"
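Review bot: The reordered help text still advertises only `+[no]cl` (the `" +[no]cl (Control display of class in records)\n"` line) even though this same commit renames the man page entry to `+[no]class` and makes plus_option() accept both spellings, and the new `+[no]rdflag` synonym added to plus_option() is not listed at all. Suggest `" +[no]class (Control display of class in records)\n"` in place of the `cl` line and a `" +[no]rdflag (Recursive mode (+[no]recurse))\n"` entry alphabetically before `+[no]recurse`, so `dig -h` matches what the parser accepts. The `-y` entry could also carry the caveat the man page now gives, e.g. `" -y [hmac:]name:key (specify named base64 tsig key; visible in ps, prefer -k)\n"`. help() begins before and ends after this hunk.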
@@ -306,6 +310,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
isc_result_t result;
isc_uint64_t diff;
char store[sizeof("12345678901234567890")];
+ unsigned int styleflags = 0;
if (query->lookup->trace || query->lookup->ns_search_only) {
result = dns_rdatatype_totext(rdata->type, buf);
@@ -313,7 +318,11 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
return (result);
ADD_STRING(buf, " ");
}
- result = dns_rdata_totext(rdata, NULL, buf);
+
+ if (rrcomments)
+ styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+ result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0,
+ splitwidth, " ", buf);
if (result == ISC_R_NOSPACE)
return (result);
check_result(result, "dns_rdata_totext");
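Review bot: The diagnostic label passed to check_result() no longer matches the call it guards: the code now calls dns_rdata_tofmttext(), but a failure would still be reported as `dns_rdata_totext`, which points anyone chasing a fatal error from this path at the wrong function. Change it to `check_result(result, "dns_rdata_tofmttext");`. The `rrcomments` and `splitwidth` values are presumably file-scope settings filled in by the option parser (not visible in this hunk); a one-line comment above the call saying where they come from would help the next reader. say_message() starts and ends outside this hunk.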
@@ -831,8 +840,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
}
break;
- case 'l': /* cl */
- FULLCHECK("cl");
+ case 'l': /* class */
+ /* keep +cl for backwards compatibility */
+ FULLCHECK2("cl", "class");
noclass = ISC_TF(!state);
break;
case 'm': /* cmd */
@@ -984,6 +994,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
break;
case 'r':
switch (cmd[1]) {
+ case 'd': /* rdflag */
+ FULLCHECK("rdflag");
+ lookup->recurse = state;
+ break;
case 'e':
switch (cmd[2]) {
case 'c': /* recurse */
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 53ab0c6e9f3c4..8a3022dfc893d 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -47,6 +47,7 @@
<year>2011</year>
<year>2013</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -216,127 +217,204 @@
<refsect1>
<title>OPTIONS</title>
- <para>
- The <option>-b</option> option sets the source IP address of the query
- to <parameter>address</parameter>. This must be a valid
- address on
- one of the host's network interfaces or "0.0.0.0" or "::". An optional
- port
- may be specified by appending "#&lt;port&gt;"
- </para>
-
- <para>
- The default query class (IN for internet) is overridden by the
- <option>-c</option> option. <parameter>class</parameter> is
- any valid
- class, such as HS for Hesiod records or CH for Chaosnet records.
- </para>
-
- <para>
- The <option>-f</option> option makes <command>dig </command>
- operate
- in batch mode by reading a list of lookup requests to process from the
- file <parameter>filename</parameter>. The file contains a
- number of
- queries, one per line. Each entry in the file should be organized in
- the same way they would be presented as queries to
- <command>dig</command> using the command-line interface.
- </para>
-
- <para>
- The <option>-m</option> option enables memory usage debugging.
- <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
- documented in include/isc/mem.h -->
- </para>
-
- <para>
- If a non-standard port number is to be queried, the
- <option>-p</option> option is used. <parameter>port#</parameter> is
- the port number that <command>dig</command> will send its
- queries
- instead of the standard DNS port number 53. This option would be used
- to test a name server that has been configured to listen for queries
- on a non-standard port number.
- </para>
-
- <para>
- The <option>-4</option> option forces <command>dig</command>
- to only
- use IPv4 query transport. The <option>-6</option> option forces
- <command>dig</command> to only use IPv6 query transport.
- </para>
-
- <para>
- The <option>-t</option> option sets the query type to
- <parameter>type</parameter>. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- <option>-x</option> option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
- an incremental zone transfer (IXFR) is required,
- <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
- The incremental zone transfer will contain the changes made to the zone
- since the serial number in the zone's SOA record was
- <parameter>N</parameter>.
- </para>
-
- <para>
- The <option>-q</option> option sets the query name to
- <parameter>name</parameter>. This is useful to distinguish the
- <parameter>name</parameter> from other arguments.
- </para>
-
- <para>
- The <option>-v</option> causes <command>dig</command> to
- print the version number and exit.
- </para>
-
- <para>
- Reverse lookups &mdash; mapping addresses to names &mdash; are simplified by the
- <option>-x</option> option. <parameter>addr</parameter> is
- an IPv4
- address in dotted-decimal notation, or a colon-delimited IPv6 address.
- When this option is used, there is no need to provide the
- <parameter>name</parameter>, <parameter>class</parameter> and
- <parameter>type</parameter> arguments. <command>dig</command>
- automatically performs a lookup for a name like
- <literal>11.12.13.10.in-addr.arpa</literal> and sets the
- query type and
- class to PTR and IN respectively. By default, IPv6 addresses are
- looked up using nibble format under the IP6.ARPA domain.
- To use the older RFC1886 method using the IP6.INT domain
- specify the <option>-i</option> option. Bit string labels (RFC2874)
- are now experimental and are not attempted.
- </para>
-
- <para>
- To sign the DNS queries sent by <command>dig</command> and
- their
- responses using transaction signatures (TSIG), specify a TSIG key file
- using the <option>-k</option> option. You can also specify the TSIG
- key itself on the command line using the <option>-y</option> option;
- <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
- <parameter>name</parameter> is the name of the TSIG key and
- <parameter>key</parameter> is the actual key. The key is a
- base-64
- encoded string, typically generated by
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
-
- Caution should be taken when using the <option>-y</option> option on
- multi-user systems as the key can be visible in the output from
- <citerefentry>
- <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>
- or in the shell's history file. When
- using TSIG authentication with <command>dig</command>, the name
- server that is queried needs to know the key and algorithm that is
- being used. In BIND, this is done by providing appropriate
- <command>key</command> and <command>server</command> statements in
- <filename>named.conf</filename>.
- </para>
-
+ <variablelist>
+ <varlistentry>
+ <term>-4</term>
+ <listitem>
+ <para>
+ Use IPv4 only.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-6</term>
+ <listitem>
+ <para>
+ Use IPv6 only.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">address<optional>#port</optional></replaceable></term>
+ <listitem>
+ <para>
+ Set the source IP address of the query.
+ The <parameter>address</parameter> must be a valid address on
+ one of the host's network interfaces, or "0.0.0.0" or "::". An
+ optional port may be specified by appending "#&lt;port&gt;"
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Set the query class. The
+ default <parameter>class</parameter> is IN; other classes
+ are HS for Hesiod records or CH for Chaosnet records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">file</replaceable></term>
+ <listitem>
+ <para>
+ Batch mode: <command>dig</command> reads a list of lookup
+ requests to process from the
+ given <parameter>file</parameter>. Each line in the file
+ should be organized in the same way they would be
+ presented as queries to
+ <command>dig</command> using the command-line interface.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem>
+ <para>
+ Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+ domain, which is no longer in use. Obsolete bit string
+ label queries (RFC2874) are not attempted.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyfile</replaceable></term>
+ <listitem>
+ <para>
+ Sign queries using TSIG using a key read from the given file.
+ Key files can be generated using
+ <citerefentry>
+ <refentrytitle>tsig-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ When using TSIG authentication with <command>dig</command>,
+ the name server that is queried needs to know the key and
+ algorithm that is being used. In BIND, this is done by
+ providing appropriate <command>key</command>
+ and <command>server</command> statements in
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-m</term>
+ <listitem>
+ <para>
+ Enable memory usage debugging.
+ <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
+ documented in include/isc/mem.h -->
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Send the query to a non-standard port on the server,
+ instead of the defaut port 53. This option would be used
+ to test a name server that has been configured to listen
+ for queries on a non-standard port number.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q <replaceable class="parameter">name</replaceable></term>
+ <listitem>
+ <para>
+ The domain name to query. This is useful to distinguish
+ the <parameter>name</parameter> from other arguments.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">type</replaceable></term>
+ <listitem>
+ <para>
+ The resource record type to query. It can be any valid query type
+ which is
+ supported in BIND 9. The default query type is "A", unless the
+ <option>-x</option> option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required, set the
+ <parameter>type</parameter> to <literal>ixfr=N</literal>.
+ The incremental zone transfer will contain the changes
+ made to the zone since the serial number in the zone's SOA
+ record was
+ <parameter>N</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Print the version number and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-x <replaceable class="parameter">addr</replaceable></term>
+ <listitem>
+ <para>
+ Simplified reverse lookups, for mapping addresses to
+ names. The <parameter>addr</parameter> is an IPv4 address
+ in dotted-decimal notation, or a colon-delimited IPv6
+ address. When the <option>-x</option> is used, there is no
+ need to provide
+ the <parameter>name</parameter>, <parameter>class</parameter>
+ and <parameter>type</parameter>
+ arguments. <command>dig</command> automatically performs a
+ lookup for a name like
+ <literal>94.2.0.192.in-addr.arpa</literal> and sets the
+ query type and class to PTR and IN respectively. IPv6
+ addresses are looked up using nibble format under the
+ IP6.ARPA domain (but see also the <option>-i</option>
+ option).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></term>
+ <listitem>
+ <para>
+ Sign queries using TSIG with the given authentication key.
+ <parameter>keyname</parameter> is the name of the key, and
+ <parameter>secret</parameter> is the base64 encoded shared secret.
+ <parameter>hmac</parameter> is the name of the key algorithm;
+ valid choices are <literal>hmac-md5</literal>,
+ <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
+ <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
+ <literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
+ is not specified, the default is <literal>hmac-md5</literal>.
+ </para>
+ <para>
+ NOTE: You should use the <option>-k</option> option and
+ avoid the <option>-y</option> option, because
+ with <option>-y</option> the shared secret is supplied as
+ a command line argument in clear text. This may be visible
+ in the output from
+ <citerefentry>
+ <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>
+ or in a history file maintained by the user's shell.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
</refsect1>
<refsect1>
@@ -358,6 +436,9 @@
that keyword. Other
keywords assign values to options like the timeout interval. They
have the form <option>+keyword=value</option>.
+ Keywords may be abbreviated, provided the abbreviation is
+ unambiguous; for example, <literal>+cd</literal> is equivalent
+ to <literal>+cdflag</literal>.
The query options are:
<variablelist>
@@ -473,7 +554,7 @@
</varlistentry>
<varlistentry>
- <term><option>+[no]cl</option></term>
+ <term><option>+[no]class</option></term>
<listitem>
<para>
Display [do not display] the CLASS when printing the
@@ -686,6 +767,15 @@
</varlistentry>
<varlistentry>
+ <term><option>+[no]rdflag</option></term>
+ <listitem>
+ <para>
+ A synonym for <parameter>+[no]recurse</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>+[no]recurse</option></term>
<listitem>
<para>
@@ -850,6 +940,9 @@
referrals from the root servers, showing the answer
from each server that was used to resolve the lookup.
</para> <para>
+ If @server is also specified, it affects only the
+ initial query for the root zone name servers.
+ </para> <para>
<command>+dnssec</command> is also set when +trace
is set to better emulate the default queries from a
nameserver.
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index e624e151c4343..6cb32c1189467 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543544"></a><h2>DESCRIPTION</h2>
+<a name="id2543547"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -81,7 +81,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543623"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543626"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -134,115 +134,135 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543726"></a><h2>OPTIONS</h2>
-<p>
- The <code class="option">-b</code> option sets the source IP address of the query
- to <em class="parameter"><code>address</code></em>. This must be a valid
- address on
- one of the host's network interfaces or "0.0.0.0" or "::". An optional
- port
- may be specified by appending "#&lt;port&gt;"
- </p>
-<p>
- The default query class (IN for internet) is overridden by the
- <code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
- any valid
- class, such as HS for Hesiod records or CH for Chaosnet records.
- </p>
-<p>
- The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
- operate
- in batch mode by reading a list of lookup requests to process from the
- file <em class="parameter"><code>filename</code></em>. The file contains a
- number of
- queries, one per line. Each entry in the file should be organized in
- the same way they would be presented as queries to
- <span><strong class="command">dig</strong></span> using the command-line interface.
- </p>
-<p>
- The <code class="option">-m</code> option enables memory usage debugging.
-
- </p>
-<p>
- If a non-standard port number is to be queried, the
- <code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
- the port number that <span><strong class="command">dig</strong></span> will send its
- queries
- instead of the standard DNS port number 53. This option would be used
- to test a name server that has been configured to listen for queries
- on a non-standard port number.
- </p>
-<p>
- The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
- to only
- use IPv4 query transport. The <code class="option">-6</code> option forces
- <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
- </p>
-<p>
- The <code class="option">-t</code> option sets the query type to
- <em class="parameter"><code>type</code></em>. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- <code class="option">-x</code> option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
- an incremental zone transfer (IXFR) is required,
- <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
- The incremental zone transfer will contain the changes made to the zone
- since the serial number in the zone's SOA record was
- <em class="parameter"><code>N</code></em>.
- </p>
-<p>
- The <code class="option">-q</code> option sets the query name to
- <em class="parameter"><code>name</code></em>. This is useful to distinguish the
- <em class="parameter"><code>name</code></em> from other arguments.
- </p>
-<p>
- The <code class="option">-v</code> causes <span><strong class="command">dig</strong></span> to
- print the version number and exit.
- </p>
-<p>
- Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
- <code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
- an IPv4
- address in dotted-decimal notation, or a colon-delimited IPv6 address.
- When this option is used, there is no need to provide the
- <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
- <em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
- automatically performs a lookup for a name like
- <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
- query type and
- class to PTR and IN respectively. By default, IPv6 addresses are
- looked up using nibble format under the IP6.ARPA domain.
- To use the older RFC1886 method using the IP6.INT domain
- specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
- are now experimental and are not attempted.
- </p>
+<a name="id2543730"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-4</span></dt>
+<dd><p>
+ Use IPv4 only.
+ </p></dd>
+<dt><span class="term">-6</span></dt>
+<dd><p>
+ Use IPv6 only.
+ </p></dd>
+<dt><span class="term">-b <em class="replaceable"><code>address[<span class="optional">#port</span>]</code></em></span></dt>
+<dd><p>
+ Set the source IP address of the query.
+ The <em class="parameter"><code>address</code></em> must be a valid address on
+ one of the host's network interfaces, or "0.0.0.0" or "::". An
+ optional port may be specified by appending "#&lt;port&gt;"
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Set the query class. The
+ default <em class="parameter"><code>class</code></em> is IN; other classes
+ are HS for Hesiod records or CH for Chaosnet records.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd><p>
+ Batch mode: <span><strong class="command">dig</strong></span> reads a list of lookup
+ requests to process from the
+ given <em class="parameter"><code>file</code></em>. Each line in the file
+ should be organized in the same way they would be
+ presented as queries to
+ <span><strong class="command">dig</strong></span> using the command-line interface.
+ </p></dd>
+<dt><span class="term">-i</span></dt>
+<dd><p>
+ Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+ domain, which is no longer in use. Obsolete bit string
+ label queries (RFC2874) are not attempted.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd><p>
+ Sign queries using TSIG using a key read from the given file.
+ Key files can be generated using
+ <span class="citerefentry"><span class="refentrytitle">tsig-keygen</span>(8)</span>.
+ When using TSIG authentication with <span><strong class="command">dig</strong></span>,
+ the name server that is queried needs to know the key and
+ algorithm that is being used. In BIND, this is done by
+ providing appropriate <span><strong class="command">key</strong></span>
+ and <span><strong class="command">server</strong></span> statements in
+ <code class="filename">named.conf</code>.
+ </p></dd>
+<dt><span class="term">-m</span></dt>
+<dd><p>
+ Enable memory usage debugging.
+
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Send the query to a non-standard port on the server,
+ instead of the defaut port 53. This option would be used
+ to test a name server that has been configured to listen
+ for queries on a non-standard port number.
+ </p></dd>
+<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+ The domain name to query. This is useful to distinguish
+ the <em class="parameter"><code>name</code></em> from other arguments.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+ The resource record type to query. It can be any valid query type
+ which is
+ supported in BIND 9. The default query type is "A", unless the
+ <code class="option">-x</code> option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required, set the
+ <em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
+ The incremental zone transfer will contain the changes
+ made to the zone since the serial number in the zone's SOA
+ record was
+ <em class="parameter"><code>N</code></em>.
+ </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+ Print the version number and exit.
+ </p></dd>
+<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
+<dd><p>
+ Simplified reverse lookups, for mapping addresses to
+ names. The <em class="parameter"><code>addr</code></em> is an IPv4 address
+ in dotted-decimal notation, or a colon-delimited IPv6
+ address. When the <code class="option">-x</code> is used, there is no
+ need to provide
+ the <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em>
+ and <em class="parameter"><code>type</code></em>
+ arguments. <span><strong class="command">dig</strong></span> automatically performs a
+ lookup for a name like
+ <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
+ query type and class to PTR and IN respectively. IPv6
+ addresses are looked up using nibble format under the
+ IP6.ARPA domain (but see also the <code class="option">-i</code>
+ option).
+ </p></dd>
+<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
+<dd>
<p>
- To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
- their
- responses using transaction signatures (TSIG), specify a TSIG key file
- using the <code class="option">-k</code> option. You can also specify the TSIG
- key itself on the command line using the <code class="option">-y</code> option;
- <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
- <em class="parameter"><code>name</code></em> is the name of the TSIG key and
- <em class="parameter"><code>key</code></em> is the actual key. The key is a
- base-64
- encoded string, typically generated by
- <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-
- Caution should be taken when using the <code class="option">-y</code> option on
- multi-user systems as the key can be visible in the output from
- <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
- or in the shell's history file. When
- using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
- server that is queried needs to know the key and algorithm that is
- being used. In BIND, this is done by providing appropriate
- <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
- <code class="filename">named.conf</code>.
- </p>
+ Sign queries using TSIG with the given authentication key.
+ <em class="parameter"><code>keyname</code></em> is the name of the key, and
+ <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+ <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
+ valid choices are <code class="literal">hmac-md5</code>,
+ <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+ <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
+ <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
+ is not specified, the default is <code class="literal">hmac-md5</code>.
+ </p>
+<p>
+ NOTE: You should use the <code class="option">-k</code> option and
+ avoid the <code class="option">-y</code> option, because
+ with <code class="option">-y</code> the shared secret is supplied as
+ a command line argument in clear text. This may be visible
+ in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in a history file maintained by the user's shell.
+ </p>
+</dd>
+</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544018"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544181"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -258,6 +278,9 @@
that keyword. Other
keywords assign values to options like the timeout interval. They
have the form <code class="option">+keyword=value</code>.
+ Keywords may be abbreviated, provided the abbreviation is
+ unambiguous; for example, <code class="literal">+cd</code> is equivalent
+ to <code class="literal">+cdflag</code>.
The query options are:
</p>
@@ -322,7 +345,7 @@
the query. This requests the server to not perform
DNSSEC validation of responses.
</p></dd>
-<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
+<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
Display [do not display] the CLASS when printing the
record.
@@ -445,6 +468,10 @@
when an answer is returned. The default is to print
the question section as a comment.
</p></dd>
+<dt><span class="term"><code class="option">+[no]rdflag</code></span></dt>
+<dd><p>
+ A synonym for <em class="parameter"><code>+[no]recurse</code></em>.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
<dd><p>
Toggle the setting of the RD (recursion desired) bit
@@ -552,6 +579,10 @@
from each server that was used to resolve the lookup.
</p>
<p>
+ If @server is also specified, it affects only the
+ initial query for the root zone name servers.
+ </p>
+<p>
<span><strong class="command">+dnssec</strong></span> is also set when +trace
is set to better emulate the default queries from a
nameserver.
@@ -600,7 +631,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545576"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -646,7 +677,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545243"></a><h2>IDN SUPPORT</h2>
+<a name="id2545638"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -660,14 +691,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545266"></a><h2>FILES</h2>
+<a name="id2545660"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545283"></a><h2>SEE ALSO</h2>
+<a name="id2545677"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -675,7 +706,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545320"></a><h2>BUGS</h2>
+<a name="id2545715"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index d6fea27bef5cb..45dac2f5a1128 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -85,6 +85,7 @@
#include <isc/print.h>
#include <isc/random.h>
#include <isc/result.h>
+#include <isc/safe.h>
#include <isc/serial.h>
#include <isc/string.h>
#include <isc/task.h>
@@ -193,7 +194,7 @@ dig_lookup_t *current_lookup = NULL;
#ifdef DIG_SIGCHASE
-isc_result_t get_trusted_key(isc_mem_t *mctx);
+isc_result_t get_trusted_key(void);
dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
dns_rdatatype_t covers,
isc_boolean_t *lookedup,
@@ -211,32 +212,26 @@ isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset,
isc_result_t sigchase_verify_sig_key(dns_name_t *name,
dns_rdataset_t *rdataset,
dst_key_t* dnsseckey,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
+ dns_rdataset_t *sigrdataset);
isc_result_t sigchase_verify_sig(dns_name_t *name,
dns_rdataset_t *rdataset,
dns_rdataset_t *keyrdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
+ dns_rdataset_t *sigrdataset);
isc_result_t sigchase_verify_ds(dns_name_t *name,
dns_rdataset_t *keyrdataset,
- dns_rdataset_t *dsrdataset,
- isc_mem_t *mctx);
+ dns_rdataset_t *dsrdataset);
void sigchase(dns_message_t *msg);
void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
-void print_rdataset(dns_name_t *name,
- dns_rdataset_t *rdataset, isc_mem_t *mctx);
-void dup_name(dns_name_t *source, dns_name_t* target,
- isc_mem_t *mctx);
-void free_name(dns_name_t *name, isc_mem_t *mctx);
+void print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset);
+void dup_name(dns_name_t *source, dns_name_t* target);
+void free_name(dns_name_t *name);
void dump_database(void);
void dump_database_section(dns_message_t *msg, int section);
dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
dns_rdatatype_t covers);
isc_result_t contains_trusted_key(dns_name_t *name,
dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
+ dns_rdataset_t *sigrdataset);
void print_type(dns_rdatatype_t type);
isc_result_t prove_nx_domain(dns_message_t * msg,
dns_name_t * name,
@@ -258,7 +253,7 @@ isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name,
dns_rdataset_t ** sigrdataset);
static void nameFromString(const char *str, dns_name_t *p_ret);
int inf_name(dns_name_t * name1, dns_name_t * name2);
-isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
+isc_result_t removetmpkey(const char *file);
void clean_trustedkey(void);
isc_result_t insert_trustedkey(void *arg, dns_name_t *name,
dns_rdataset_t *rdataset);
@@ -1011,7 +1006,6 @@ parse_bits(char *arg, const char *desc, isc_uint32_t max) {
return (tmp);
}
-
/*
* Parse HMAC algorithm specification
*/
@@ -1627,7 +1621,7 @@ start_lookup(void) {
#if DIG_SIGCHASE_TD
if (current_lookup->do_topdown &&
!current_lookup->rdtype_sigchaseset) {
- dst_key_t *trustedkey = NULL;
+ dst_key_t *dstkey = NULL;
isc_buffer_t *b = NULL;
isc_region_t r;
isc_result_t result;
@@ -1635,7 +1629,7 @@ start_lookup(void) {
dns_name_t *key_name;
int i;
- result = get_trusted_key(mctx);
+ result = get_trusted_key();
if (result != ISC_R_SUCCESS) {
printf("\n;; No trusted key, "
"+sigchase option is disabled\n");
@@ -1650,22 +1644,22 @@ start_lookup(void) {
if (dns_name_issubdomain(&query_name,
key_name) == ISC_TRUE)
- trustedkey = tk_list.key[i];
+ dstkey = tk_list.key[i];
/*
* Verify temp is really the lowest
* WARNING
*/
}
- if (trustedkey == NULL) {
+ if (dstkey == NULL) {
printf("\n;; The queried zone: ");
dns_name_print(&query_name, stdout);
printf(" isn't a subdomain of any Trusted Keys"
": +sigchase option is disable\n");
current_lookup->sigchase = ISC_FALSE;
- free_name(&query_name, mctx);
+ free_name(&query_name);
goto novalidation;
}
- free_name(&query_name, mctx);
+ free_name(&query_name);
current_lookup->rdtype_sigchase
= current_lookup->rdtype;
@@ -1690,7 +1684,7 @@ start_lookup(void) {
result = isc_buffer_allocate(mctx, &b, BUFSIZE);
check_result(result, "isc_buffer_allocate");
- result = dns_name_totext(dst_key_name(trustedkey),
+ result = dns_name_totext(dst_key_name(dstkey),
ISC_FALSE, b);
check_result(result, "dns_name_totext");
isc_buffer_usedregion(b, &r);
@@ -2010,9 +2004,6 @@ insert_soa(dig_lookup_t *lookup) {
dns_rdatalist_init(rdatalist);
rdatalist->type = dns_rdatatype_soa;
rdatalist->rdclass = lookup->rdclass;
- rdatalist->covers = 0;
- rdatalist->ttl = 0;
- ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
dns_rdataset_init(rdataset);
@@ -3682,10 +3673,14 @@ isc_result_t
get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
int count;
isc_result_t result;
+ isc_boolean_t is_running;
- isc_app_block();
+ is_running = isc_app_isrunning();
+ if (is_running)
+ isc_app_block();
result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
- isc_app_unblock();
+ if (is_running)
+ isc_app_unblock();
if (result != ISC_R_SUCCESS)
return (result);
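Review bot: The new `is_running` guard around isc_app_block()/isc_app_unblock() carries no comment saying why blocking became conditional, so a reader cannot tell whether skipping the block is safe or an oversight. Presumably get_address() is also reached before the application has been started (argument parsing, for instance), where isc_app_block() may not be called; if that is the reason, state it above the check: `/* isc_app_block() is only valid once the app is running; get_address() is also called before isc_app_start(). */`. Capturing the state once in `is_running` is what keeps block and unblock paired even if the app state changes during bind9_getaddresses(), and that deserves a word too. get_address()'s body continues outside the hunk.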
@@ -3922,16 +3917,16 @@ destroy_libs(void) {
isc_mem_free(mctx, ptr);
}
if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
+ free_name(&chase_name);
#if DIG_SIGCHASE_TD
if (dns_name_dynamic(&chase_current_name))
- free_name(&chase_current_name, mctx);
+ free_name(&chase_current_name);
if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
+ free_name(&chase_authority_name);
#endif
#if DIG_SIGCHASE_BU
if (dns_name_dynamic(&chase_signame))
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
#endif
#endif
@@ -4081,7 +4076,7 @@ dump_database_section(dns_message_t *msg, int section)
rdataset = ISC_LIST_NEXT(rdataset, link)) {
dns_name_print(msg_name, stdout);
printf("\n");
- print_rdataset(msg_name, rdataset, mctx);
+ print_rdataset(msg_name, rdataset);
printf("end\n");
}
msg_name = NULL;
@@ -4261,7 +4256,7 @@ isc_result_t
insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
{
isc_result_t result;
- dst_key_t *key;
+ dst_key_t *dstkey;
UNUSED(arg);
@@ -4279,11 +4274,11 @@ insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
isc_buffer_add(&b, rdata.length);
if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
return (ISC_R_SUCCESS);
- key = NULL;
- result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &key);
+ dstkey = NULL;
+ result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &dstkey);
if (result != ISC_R_SUCCESS)
continue;
- tk_list.key[tk_list.nb_tk++] = key;
+ tk_list.key[tk_list.nb_tk++] = dstkey;
}
return (ISC_R_SUCCESS);
}
@@ -4308,7 +4303,7 @@ char alphnum[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
+removetmpkey(const char *file)
{
char *tempnamekey = NULL;
int tempnamekeylen;
@@ -4332,8 +4327,7 @@ removetmpkey(isc_mem_t *mctx, const char *file)
}
isc_result_t
-get_trusted_key(isc_mem_t *mctx)
-{
+get_trusted_key(void) {
isc_result_t result;
const char *filename = NULL;
dns_rdatacallbacks_t callbacks;
@@ -4384,7 +4378,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
check_result(result, "nameFromString");
if (dns_name_dynamic(p_ret))
- free_name(p_ret, mctx);
+ free_name(p_ret);
result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
check_result(result, "nameFromString");
@@ -4433,7 +4427,6 @@ prepare_lookup(dns_name_t *name)
#define __FOLLOW_GLUE__
#ifdef __FOLLOW_GLUE__
isc_buffer_t *b = NULL;
- isc_result_t result;
isc_region_t r;
dns_rdataset_t *rdataset = NULL;
isc_boolean_t true = ISC_TRUE;
@@ -4528,7 +4521,7 @@ prepare_lookup(dns_name_t *name)
printf(" for zone: %s", lookup->textname);
printf(" with nameservers:");
printf("\n");
- print_rdataset(name, chase_nsrdataset, mctx);
+ print_rdataset(name, chase_nsrdataset);
return (ISC_R_SUCCESS);
}
@@ -4611,14 +4604,14 @@ initialization(dns_name_t *name)
INSIST(chase_nsrdataset != NULL);
prepare_lookup(name);
- dup_name(name, &chase_current_name, mctx);
+ dup_name(name, &chase_current_name);
return (ISC_R_SUCCESS);
}
#endif
void
-print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
+print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset)
{
isc_buffer_t *b = NULL;
isc_result_t result;
@@ -4640,17 +4633,17 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
void
-dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
+dup_name(dns_name_t *source, dns_name_t *target) {
isc_result_t result;
if (dns_name_dynamic(target))
- free_name(target, mctx);
+ free_name(target);
result = dns_name_dup(source, mctx, target);
check_result(result, "dns_name_dup");
}
void
-free_name(dns_name_t *name, isc_mem_t *mctx) {
+free_name(dns_name_t *name) {
dns_name_free(name, mctx);
dns_name_init(name, NULL);
}
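Review bot: dup_name() and free_name() now allocate and free through the file-scope `mctx` without saying so, and dropping the parameter removes the only hint that a name handed to free_name() must come from that same context. A one-line comment above each would spare the next reader a search for where `mctx` comes from, e.g. `/* Duplicate source into target using the global mctx; a dynamic target is released first. */` on dup_name() and `/* Release a name that was duplicated from the global mctx and reset it to its initial state. */` on free_name(). The same note could state that names allocated from any other memory context must not be passed to these helpers any more.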
@@ -4667,8 +4660,7 @@ free_name(dns_name_t *name, isc_mem_t *mctx) {
*/
isc_result_t
contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
+ dns_rdataset_t *sigrdataset)
{
dns_rdataset_t myrdataset;
dst_key_t *dnsseckey = NULL;
@@ -4704,8 +4696,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
dst_key_id(dnsseckey));
result = sigchase_verify_sig_key(name, rdataset,
dnsseckey,
- sigrdataset,
- mctx);
+ sigrdataset);
if (result == ISC_R_SUCCESS)
goto cleanup;
}
@@ -4713,19 +4704,20 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
dst_key_free(&dnsseckey);
} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
+ result = ISC_R_NOTFOUND;
+
cleanup:
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
dns_rdataset_disassociate(&myrdataset);
- return (ISC_R_NOTFOUND);
+ return (result);
}
isc_result_t
sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_t *keyrdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
+ dns_rdataset_t *sigrdataset)
{
dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
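Review bot: Now that contains_trusted_key() returns `result` instead of a constant ISC_R_NOTFOUND, every `goto cleanup` taken before the loop must leave `result` holding the value the caller should see; an early jump after a call that succeeded (so `result` is still ISC_R_SUCCESS) would now report a trusted key as verified when none was checked. The beginning of the function is outside the hunk, so this cannot be confirmed here; the safe form is `result = ISC_R_NOTFOUND;` at the top of the function (or an explicit assignment before each early `goto cleanup`), so that only the `sigchase_verify_sig_key()` success path can yield ISC_R_SUCCESS. This matters because the caller in sigchase_td() branches on `result != ISC_R_SUCCESS`, so a stale success value would be taken as a validated trust anchor.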
@@ -4748,7 +4740,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
check_result(result, "dns_dnssec_keyfromrdata");
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
- sigrdataset, mctx);
+ sigrdataset);
if (result == ISC_R_SUCCESS)
goto cleanup;
dst_key_free(&dnsseckey);
@@ -4766,8 +4758,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
isc_result_t
sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
- dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
+ dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset)
{
dns_rdata_sig_t siginfo;
dns_rdataset_t myrdataset;
@@ -4826,7 +4817,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
isc_result_t
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
- dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
+ dns_rdataset_t *dsrdataset)
{
dns_rdata_ds_t dsinfo;
dns_rdataset_t mydsrdataset;
@@ -4893,8 +4884,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
result = sigchase_verify_sig_key(name,
keyrdataset,
dnsseckey,
- chase_sigkeyrdataset,
- mctx);
+ chase_sigkeyrdataset);
if (result == ISC_R_SUCCESS)
goto cleanup;
} else {
@@ -5000,7 +4990,7 @@ sigchase_td(dns_message_t *msg)
dns_rdatatype_ns,
dns_rdatatype_any,
DNS_SECTION_AUTHORITY);
- dup_name(name, &chase_authority_name, mctx);
+ dup_name(name, &chase_authority_name);
if (chase_nsrdataset != NULL) {
have_delegation_ns = ISC_TRUE;
printf("no response but there is a delegation"
@@ -5018,7 +5008,7 @@ sigchase_td(dns_message_t *msg)
} else {
printf(";; NO ANSWERS: %s\n",
isc_result_totext(result));
- free_name(&chase_name, mctx);
+ free_name(&chase_name);
clean_trustedkey();
return;
}
@@ -5050,7 +5040,7 @@ sigchase_td(dns_message_t *msg)
return;
INSIST(chase_keyrdataset != NULL);
printf("\n;; DNSKEYset:\n");
- print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
+ print_rdataset(&chase_current_name , chase_keyrdataset);
result = advanced_rrsearch(&chase_sigkeyrdataset,
@@ -5067,22 +5057,20 @@ sigchase_td(dns_message_t *msg)
return;
INSIST(chase_sigkeyrdataset != NULL);
printf("\n;; RRSIG of the DNSKEYset:\n");
- print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
+ print_rdataset(&chase_current_name , chase_sigkeyrdataset);
if (!chase_dslookedup && !chase_nslookedup) {
if (!delegation_follow) {
result = contains_trusted_key(&chase_current_name,
chase_keyrdataset,
- chase_sigkeyrdataset,
- mctx);
+ chase_sigkeyrdataset);
} else {
INSIST(chase_dsrdataset != NULL);
INSIST(chase_sigdsrdataset != NULL);
result = sigchase_verify_ds(&chase_current_name,
chase_keyrdataset,
- chase_dsrdataset,
- mctx);
+ chase_dsrdataset);
}
if (result != ISC_R_SUCCESS) {
@@ -5141,8 +5129,8 @@ sigchase_td(dns_message_t *msg)
result = child_of_zone(&chase_name, &chase_current_name,
&tmp_name);
if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
- dup_name(&tmp_name, &chase_authority_name, mctx);
+ free_name(&chase_authority_name);
+ dup_name(&tmp_name, &chase_authority_name);
printf(";; and we try to continue chain of trust"
" validation of the zone: ");
dns_name_print(&chase_authority_name, stdout);
@@ -5187,7 +5175,7 @@ sigchase_td(dns_message_t *msg)
return;
INSIST(chase_dsrdataset != NULL);
printf("\n;; DSset:\n");
- print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
+ print_rdataset(&chase_authority_name , chase_dsrdataset);
result = advanced_rrsearch(&chase_sigdsrdataset,
&chase_authority_name,
@@ -5200,14 +5188,13 @@ sigchase_td(dns_message_t *msg)
goto cleanandgo;
}
printf("\n;; RRSIGset of DSset\n");
- print_rdataset(&chase_authority_name,
- chase_sigdsrdataset, mctx);
+ print_rdataset(&chase_authority_name, chase_sigdsrdataset);
INSIST(chase_sigdsrdataset != NULL);
result = sigchase_verify_sig(&chase_authority_name,
chase_dsrdataset,
chase_keyrdataset,
- chase_sigdsrdataset, mctx);
+ chase_sigdsrdataset);
if (result != ISC_R_SUCCESS) {
printf("\n;; Impossible to verify the DSset:"
" FAILED\n\n");
@@ -5223,8 +5210,8 @@ sigchase_td(dns_message_t *msg)
have_delegation_ns = ISC_FALSE;
delegation_follow = ISC_TRUE;
error_message = NULL;
- dup_name(&chase_authority_name, &chase_current_name, mctx);
- free_name(&chase_authority_name, mctx);
+ dup_name(&chase_authority_name, &chase_current_name);
+ free_name(&chase_authority_name);
return;
}
@@ -5249,14 +5236,14 @@ sigchase_td(dns_message_t *msg)
}
ret = sigchase_verify_sig(&rdata_name, rdataset,
chase_keyrdataset,
- sigrdataset, mctx);
+ sigrdataset);
if (ret != ISC_R_SUCCESS) {
- free_name(&rdata_name, mctx);
+ free_name(&rdata_name);
printf("\n;; Impossible to verify the NSEC RR to prove"
" the non-existence : FAILED\n\n");
goto cleanandgo;
}
- free_name(&rdata_name, mctx);
+ free_name(&rdata_name);
if (result != ISC_R_SUCCESS) {
printf("\n;; Impossible to verify the non-existence:"
" FAILED\n\n");
@@ -5271,9 +5258,9 @@ sigchase_td(dns_message_t *msg)
cleanandgo:
printf(";; cleanandgo \n");
if (dns_name_dynamic(&chase_current_name))
- free_name(&chase_current_name, mctx);
+ free_name(&chase_current_name);
if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
+ free_name(&chase_authority_name);
clean_trustedkey();
return;
@@ -5289,22 +5276,22 @@ sigchase_td(dns_message_t *msg)
}
result = sigchase_verify_sig(&chase_name, chase_rdataset,
chase_keyrdataset,
- chase_sigrdataset, mctx);
+ chase_sigrdataset);
if (result != ISC_R_SUCCESS) {
printf("\n;; Impossible to verify the RRset : FAILED\n\n");
/*
printf("RRset:\n");
- print_rdataset(&chase_name , chase_rdataset, mctx);
+ print_rdataset(&chase_name , chase_rdataset);
printf("DNSKEYset:\n");
- print_rdataset(&chase_name , chase_keyrdataset, mctx);
+ print_rdataset(&chase_name , chase_keyrdataset);
printf("RRSIG of RRset:\n");
- print_rdataset(&chase_name , chase_sigrdataset, mctx);
+ print_rdataset(&chase_name , chase_sigrdataset);
printf("\n");
*/
goto cleanandgo;
} else {
printf("\n;; The Answer:\n");
- print_rdataset(&chase_name , chase_rdataset, mctx);
+ print_rdataset(&chase_name , chase_rdataset);
printf("\n;; FINISH : we have validate the DNSSEC chain"
" of trust: SUCCESS\n\n");
@@ -5345,9 +5332,9 @@ getneededrr(dns_message_t *msg)
printf("\n;; No Answers: Validation FAILED\n\n");
return (ISC_R_NOTFOUND);
}
- dup_name(name, &chase_name, mctx);
+ dup_name(name, &chase_name);
printf(";; RRset to chase:\n");
- print_rdataset(&chase_name, chase_rdataset, mctx);
+ print_rdataset(&chase_name, chase_rdataset);
}
INSIST(chase_rdataset != NULL);
@@ -5361,14 +5348,14 @@ getneededrr(dns_message_t *msg)
printf("\n;; RRSIG is missing for continue validation:"
" FAILED\n\n");
if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
+ free_name(&chase_name);
return (ISC_R_NOTFOUND);
}
if (result == ISC_R_NOTFOUND) {
return (ISC_R_NOTFOUND);
}
printf("\n;; RRSIG of the RRset to chase:\n");
- print_rdataset(&chase_name, chase_sigrdataset, mctx);
+ print_rdataset(&chase_name, chase_sigrdataset);
}
INSIST(chase_sigrdataset != NULL);
@@ -5379,7 +5366,7 @@ getneededrr(dns_message_t *msg)
dns_rdataset_current(chase_sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
- dup_name(&siginfo.signer, &chase_signame, mctx);
+ dup_name(&siginfo.signer, &chase_signame);
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
@@ -5393,17 +5380,17 @@ getneededrr(dns_message_t *msg)
if (result == ISC_R_FAILURE) {
printf("\n;; DNSKEY is missing to continue validation:"
" FAILED\n\n");
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
+ free_name(&chase_name);
return (ISC_R_NOTFOUND);
}
if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
return (ISC_R_NOTFOUND);
}
printf("\n;; DNSKEYset that signs the RRset to chase:\n");
- print_rdataset(&chase_signame, chase_keyrdataset, mctx);
+ print_rdataset(&chase_signame, chase_keyrdataset);
}
INSIST(chase_keyrdataset != NULL);
@@ -5416,18 +5403,18 @@ getneededrr(dns_message_t *msg)
if (result == ISC_R_FAILURE) {
printf("\n;; RRSIG for DNSKEY is missing to continue"
" validation : FAILED\n\n");
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
+ free_name(&chase_name);
return (ISC_R_NOTFOUND);
}
if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
return (ISC_R_NOTFOUND);
}
printf("\n;; RRSIG of the DNSKEYset that signs the "
"RRset to chase:\n");
- print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
+ print_rdataset(&chase_signame, chase_sigkeyrdataset);
}
INSIST(chase_sigkeyrdataset != NULL);
@@ -5442,12 +5429,12 @@ getneededrr(dns_message_t *msg)
printf("\n");
}
if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
+ free_name(&chase_signame);
return (ISC_R_NOTFOUND);
}
if (chase_dsrdataset != NULL) {
printf("\n;; DSset of the DNSKEYset\n");
- print_rdataset(&chase_signame, chase_dsrdataset, mctx);
+ print_rdataset(&chase_signame, chase_dsrdataset);
}
}
@@ -5470,8 +5457,7 @@ getneededrr(dns_message_t *msg)
chase_dsrdataset = NULL;
} else {
printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
- print_rdataset(&chase_signame, chase_sigdsrdataset,
- mctx);
+ print_rdataset(&chase_signame, chase_sigdsrdataset);
}
}
return (1);
@@ -5486,7 +5472,7 @@ sigchase_bu(dns_message_t *msg)
int ret;
if (tk_list.nb_tk == 0) {
- result = get_trusted_key(mctx);
+ result = get_trusted_key();
if (result != ISC_R_SUCCESS) {
printf("No trusted keys present\n");
return;
@@ -5513,7 +5499,7 @@ sigchase_bu(dns_message_t *msg)
result = prove_nx(msg, &query_name, current_lookup->rdclass,
current_lookup->rdtype, &rdata_name,
&rdataset, &sigrdataset);
- free_name(&query_name, mctx);
+ free_name(&query_name);
if (rdataset == NULL || sigrdataset == NULL ||
dns_name_countlabels(&rdata_name) == 0) {
printf("\n;; Impossible to verify the Non-existence,"
@@ -5532,8 +5518,8 @@ sigchase_bu(dns_message_t *msg)
printf(";; An NSEC prove the non-existence of a answers,"
" Now we want validate this NSEC\n");
- dup_name(&rdata_name, &chase_name, mctx);
- free_name(&rdata_name, mctx);
+ dup_name(&rdata_name, &chase_name);
+ free_name(&rdata_name);
chase_rdataset = rdataset;
chase_sigrdataset = sigrdataset;
chase_keyrdataset = NULL;
@@ -5554,10 +5540,10 @@ sigchase_bu(dns_message_t *msg)
result = sigchase_verify_sig(&chase_name, chase_rdataset,
chase_keyrdataset,
- chase_sigrdataset, mctx);
+ chase_sigrdataset);
if (result != ISC_R_SUCCESS) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
+ free_name(&chase_name);
+ free_name(&chase_signame);
printf(";; No DNSKEY is valid to check the RRSIG"
" of the RRset: FAILED\n");
clean_trustedkey();
@@ -5566,10 +5552,10 @@ sigchase_bu(dns_message_t *msg)
printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
result = contains_trusted_key(&chase_signame, chase_keyrdataset,
- chase_sigkeyrdataset, mctx);
+ chase_sigkeyrdataset);
if (result == ISC_R_SUCCESS) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
+ free_name(&chase_name);
+ free_name(&chase_signame);
printf("\n;; Ok this DNSKEY is a Trusted Key,"
" DNSSEC validation is ok: SUCCESS\n\n");
clean_trustedkey();
@@ -5579,8 +5565,8 @@ sigchase_bu(dns_message_t *msg)
printf(";; Now, we are going to validate this DNSKEY by the DS\n");
if (chase_dsrdataset == NULL) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
+ free_name(&chase_name);
+ free_name(&chase_signame);
printf(";; the DNSKEY isn't trusted-key and there isn't"
" DS to validate the DNSKEY: FAILED\n");
clean_trustedkey();
@@ -5588,10 +5574,10 @@ sigchase_bu(dns_message_t *msg)
}
result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
- chase_dsrdataset, mctx);
+ chase_dsrdataset);
if (result != ISC_R_SUCCESS) {
- free_name(&chase_signame, mctx);
- free_name(&chase_name, mctx);
+ free_name(&chase_signame);
+ free_name(&chase_name);
printf(";; ERROR no DS validates a DNSKEY in the"
" DNSKEY RRset: FAILED\n");
clean_trustedkey();
@@ -5602,8 +5588,8 @@ sigchase_bu(dns_message_t *msg)
" the RRset\n");
INSIST(chase_sigdsrdataset != NULL);
- dup_name(&chase_signame, &chase_name, mctx);
- free_name(&chase_signame, mctx);
+ dup_name(&chase_signame, &chase_name);
+ free_name(&chase_signame);
chase_rdataset = chase_dsrdataset;
chase_sigrdataset = chase_sigdsrdataset;
chase_keyrdataset = NULL;
@@ -5716,7 +5702,7 @@ prove_nx_domain(dns_message_t *msg,
printf("There is a NSEC for this zone in the"
" AUTHORITY section:\n");
- print_rdataset(nsecname, nsecset, mctx);
+ print_rdataset(nsecname, nsecset);
for (result = dns_rdataset_first(nsecset);
result == ISC_R_SUCCESS;
@@ -5745,7 +5731,7 @@ prove_nx_domain(dns_message_t *msg,
dns_rdata_freestruct(&nsecstruct);
*rdataset = nsecset;
*sigrdataset = signsecset;
- dup_name(nsecname, rdata_name, mctx);
+ dup_name(nsecname, rdata_name);
return (ISC_R_SUCCESS);
}
@@ -5798,7 +5784,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
printf("There isn't RRSIG NSEC for the zone \n");
return (ISC_R_FAILURE);
}
- dup_name(name, rdata_name, mctx);
+ dup_name(name, rdata_name);
*rdataset = nsecset;
*sigrdataset = signsecset;
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index d3237fa5dc2ef..30591dc556fd9 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -585,7 +585,7 @@ version(void) {
static void
setoption(char *opt) {
- if (strncasecmp(opt, "all", 4) == 0) {
+ if (strncasecmp(opt, "all", 3) == 0) {
show_settings(ISC_TRUE, ISC_FALSE);
} else if (strncasecmp(opt, "class=", 6) == 0) {
if (testclass(&opt[6]))
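Review bot: Shortening the length from 4 to 3 turns `set all` into a prefix match — with 4 the terminating NUL took part in the comparison, so only the exact word matched, whereas now any option string beginning with "all" is treated as `all` instead of reaching whatever the later branches do with it. If the change is only meant to silence a compiler warning about reading past the literal, `if (strcasecmp(opt, "all") == 0) {` preserves the exact-match behaviour without the magic length. setoption's body continues outside the hunk.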
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 1c7e867eae7b3..229433d5fa5a0 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -32,7 +32,7 @@
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.HP 17
@@ -60,6 +60,11 @@ Select the digest algorithm. The value of
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
.RE
.PP
+\-C
+.RS 4
+Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records.
+.RE
+.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records.
@@ -98,7 +103,7 @@ Include ZSK's when generating DS records. Without this option, only keys which h
.RS 4
Generate a DLV set instead of a DS set. The specified
\fBdomain\fR
-is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
+is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431. This is mutually exclusive with generating CDS records.
.RE
.PP
\-s
@@ -165,5 +170,5 @@ RFC 4509.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 8c1bd86f16d9f..72310f84c5449 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -238,7 +238,7 @@ logkey(dns_rdata_t *rdata)
static void
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
- dns_rdata_t *rdata)
+ isc_boolean_t cds, dns_rdata_t *rdata)
{
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
@@ -302,9 +302,12 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
- if (lookaside == NULL)
- printf(" DS ");
- else
+ if (lookaside == NULL) {
+ if (cds)
+ printf(" CDS ");
+ else
+ printf(" DS ");
+ } else
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
@@ -332,6 +335,7 @@ usage(void) {
"(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
+ fprintf(stderr, " -C: print CDS record\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
@@ -352,6 +356,7 @@ main(int argc, char **argv) {
char *endp;
int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t cds = ISC_FALSE;
isc_boolean_t both = ISC_TRUE;
isc_boolean_t usekeyset = ISC_FALSE;
isc_boolean_t showall = ISC_FALSE;
@@ -374,8 +379,8 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv,
- "12Aa:c:d:Ff:K:l:sT:v:hV")) != -1) {
+#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
+ while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
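Review bot: `#define OPTIONS` sits inside main()'s body, but the preprocessor does not scope macros, so this very generic name stays defined for the rest of the translation unit. Either move the definition to file scope beside the other constants and give it a less collision-prone name, or add `#undef OPTIONS` right after the parse loop; a `static const char options[] = "12Aa:Cc:d:Ff:K:l:sT:v:hV";` would avoid the macro entirely. main's body continues outside the hunk.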
@@ -392,6 +397,12 @@ main(int argc, char **argv) {
algname = isc_commandline_argument;
both = ISC_FALSE;
break;
+ case 'C':
+ if (lookaside != NULL)
+ fatal("lookaside and CDS are mutually"
+ " exclusive");
+ cds = ISC_TRUE;
+ break;
case 'c':
classname = isc_commandline_argument;
break;
@@ -408,6 +419,9 @@ main(int argc, char **argv) {
filename = isc_commandline_argument;
break;
case 'l':
+ if (cds)
+ fatal("lookaside and CDS are mutually"
+ " exclusive");
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
@@ -526,11 +540,11 @@ main(int argc, char **argv) {
if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside,
- &rdata);
+ cds, &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside,
- &rdata);
+ cds, &rdata);
} else
- emit(dtype, showall, lookaside, &rdata);
+ emit(dtype, showall, lookaside, cds, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -539,10 +553,12 @@ main(int argc, char **argv) {
DST_KEY_MAXSIZE, &rdata);
if (both) {
- emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
- emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
+ emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
+ &rdata);
+ emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
+ &rdata);
} else
- emit(dtype, showall, lookaside, &rdata);
+ emit(dtype, showall, lookaside, cds, &rdata);
}
if (dns_rdataset_isassociated(&rdataset))
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index 7245a83f4de6c..1127fa04e8b06 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -41,6 +41,7 @@
<year>2011</year>
<year>2012</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -52,6 +53,7 @@
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-C</option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
@@ -123,6 +125,16 @@
</varlistentry>
<varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Generate CDS records rather than DS records. This is mutually
+ exclusive with generating lookaside records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
@@ -182,7 +194,8 @@
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
- in RFC 4431.
+ in RFC 4431. This is mutually exclusive with generating
+ CDS records.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 3f27b49e5bc2c..13e9cc5342a33 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -28,19 +28,19 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543514"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543526"></a><h2>OPTIONS</h2>
+<a name="id2543533"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -58,6 +58,11 @@
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Generate CDS records rather than DS records. This is mutually
+ exclusive with generating lookaside records.
+ </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
@@ -98,7 +103,8 @@
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
- in RFC 4431.
+ in RFC 4431. This is mutually exclusive with generating
+ CDS records.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
@@ -125,7 +131,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543780"></a><h2>EXAMPLE</h2>
+<a name="id2543800"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -140,7 +146,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543810"></a><h2>FILES</h2>
+<a name="id2543830"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -154,13 +160,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543845"></a><h2>CAVEAT</h2>
+<a name="id2543865"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543854"></a><h2>SEE ALSO</h2>
+<a name="id2543875"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -170,7 +176,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543894"></a><h2>AUTHOR</h2>
+<a name="id2543914"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 3cae29c724fbd..384e4b60b3699 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -41,6 +41,7 @@
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/region.h>
#include <isc/string.h>
#include <isc/util.h>
@@ -231,7 +232,7 @@ main(int argc, char **argv) {
int dbits = 0;
dns_ttl_t ttl = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
- isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+ isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
int prepub = -1;
@@ -416,7 +417,7 @@ main(int argc, char **argv) {
if (setrev || unsetrev)
fatal("-R specified more than once");
- revoke = strtotime(isc_commandline_argument,
+ revokekey = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
@@ -945,7 +946,7 @@ main(int argc, char **argv) {
"was used. Revoking a ZSK is "
"legal, but undefined.\n",
program);
- dst_key_settime(key, DST_TIME_REVOKE, revoke);
+ dst_key_settime(key, DST_TIME_REVOKE, revokekey);
}
if (setinact)
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 0b9a1f59ea611..6756a38129e00 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -89,7 +89,7 @@ main(int argc, char **argv) {
isc_uint32_t flags;
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
- isc_boolean_t remove = ISC_FALSE;
+ isc_boolean_t removefile = ISC_FALSE;
isc_boolean_t id = ISC_FALSE;
if (argc == 1)
@@ -123,7 +123,7 @@ main(int argc, char **argv) {
}
break;
case 'r':
- remove = ISC_TRUE;
+ removefile = ISC_TRUE;
break;
case 'R':
id = ISC_TRUE;
@@ -247,7 +247,7 @@ main(int argc, char **argv) {
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
- if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
+ if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 3d18b61a61392..e26356c788b10 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -108,8 +108,8 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
} else if (epoch) {
fprintf(stream, "%d\n", (int) when);
} else {
- time_t time = when;
- output = ctime(&time);
+ time_t timet = when;
+ output = ctime(&timet);
fprintf(stream, "%s", output);
}
}
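Review bot: The rename to `timet` avoids shadowing time(), but `output = ctime(&timet);` still flows into `fprintf(stream, "%s", output);` with no NULL check; ctime() returns NULL for a value it cannot represent, and passing NULL to %s is undefined behaviour. A one-line guard such as `if (output == NULL) fatal("ctime failed");` before the fprintf closes this. printtime's body starts outside the hunk.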
@@ -399,7 +399,6 @@ main(int argc, char **argv) {
"inactive.\n", program);
changed = setpub = setact = ISC_TRUE;
- dst_key_free(&prevkey);
} else {
if (prepub < 0)
prepub = 0;
@@ -590,6 +589,8 @@ main(int argc, char **argv) {
printf("%s\n", newname);
}
+ if (prevkey != NULL)
+ dst_key_free(&prevkey);
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d791edb53fac0..6ef8e44b9d3a7 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -52,6 +52,7 @@
#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
+#include <isc/safe.h>
#include <isc/stdio.h>
#include <isc/stdlib.h>
#include <isc/string.h>
@@ -681,7 +682,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
(iszsk(key) && !keyset_kskonly))
signwithkey(name, set, key->key, ttl, add,
"signing with dnskey");
- } else if (iszsk(key)) {
+ } else if (set->type == dns_rdatatype_cds ||
+ set->type == dns_rdatatype_cdnskey ||
+ iszsk(key)) {
signwithkey(name, set, key->key, ttl, add,
"signing with dnskey");
}
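Review bot: The widened condition makes CDS and CDNSKEY RRsets signed by keys that are not ZSKs as well, but nothing in the code records why those two types are treated differently from every other RRset, so a later reader may take it for an oversight. A comment on the added branch, e.g. `/* RFC 7344: CDS/CDNSKEY are also signed by the KSK so the parent can verify them against the DS set. */`, would capture the intent. The first branch of this if and the rest of signset are outside the hunk.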
@@ -758,7 +761,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
- return (memcmp(a, b, hash_length + 1));
+ return (isc_safe_memcompare(a, b, hash_length + 1));
}
static void
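Review bot: Swapping memcmp() for isc_safe_memcompare() inside a sort comparator brings no confidentiality benefit — NSEC3 hashes, and the salt compared in nsec3clean and set_nsec3params further down, are published in the signed zone — while a constant-time routine is slower on a path that runs O(n log n) times for large zones. This looks like a blanket replacement; if the policy is "no bare memcmp in the tools", a comment such as `/* public data; isc_safe_* used for uniformity, not secrecy */` would stop a later reader from inferring the hashes are sensitive. The same note applies to hashlist_hasdup and the two salt comparisons in this file.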
@@ -785,7 +788,7 @@ hashlist_hasdup(hashlist_t *l) {
next += l->length;
if (next[l->length-1] != 0)
continue;
- if (memcmp(current, next, l->length - 1) == 0)
+ if (isc_safe_memequal(current, next, l->length - 1))
return (ISC_TRUE);
current = next;
}
@@ -1313,7 +1316,7 @@ cleanup:
* Delete any RRSIG records at a node.
*/
static void
-cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+cleannode(dns_db_t *db, dns_dbversion_t *dbversion, dns_dbnode_t *node) {
dns_rdatasetiter_t *rdsiter = NULL;
dns_rdataset_t set;
isc_result_t result, dresult;
@@ -1322,7 +1325,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
return;
dns_rdataset_init(&set);
- result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+ result = dns_db_allrdatasets(db, node, dbversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets");
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
@@ -1336,7 +1339,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
dns_rdataset_disassociate(&set);
result = dns_rdatasetiter_next(rdsiter);
if (destroy) {
- dresult = dns_db_deleterdataset(db, node, version,
+ dresult = dns_db_deleterdataset(db, node, dbversion,
dns_rdatatype_rrsig,
covers);
check_result(dresult, "dns_db_deleterdataset");
@@ -1853,11 +1856,9 @@ addnsec3param(const unsigned char *salt, size_t salt_len,
dns_rdatatype_nsec3param,
&nsec3param, &b);
check_result(result, "dns_rdata_fromstruct()");
+ dns_rdatalist_init(&rdatalist);
rdatalist.rdclass = rdata.rdclass;
rdatalist.type = rdata.type;
- rdatalist.covers = 0;
- rdatalist.ttl = 0;
- ISC_LIST_INIT(rdatalist.rdata);
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
check_result(result, "dns_rdatalist_tordataset()");
@@ -1919,11 +1920,10 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node,
nexthash, ISC_SHA1_DIGESTLENGTH,
nsec3buffer, &rdata);
check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+ dns_rdatalist_init(&rdatalist);
rdatalist.rdclass = rdata.rdclass;
rdatalist.type = rdata.type;
- rdatalist.covers = 0;
rdatalist.ttl = ttl;
- ISC_LIST_INIT(rdatalist.rdata);
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
check_result(result, "dns_rdatalist_tordataset()");
@@ -2012,13 +2012,12 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
if (exists && nsec3.hash == hashalg &&
nsec3.iterations == iterations &&
nsec3.salt_length == salt_len &&
- !memcmp(nsec3.salt, salt, salt_len))
+ isc_safe_memequal(nsec3.salt, salt, salt_len))
continue;
+ dns_rdatalist_init(&rdatalist);
rdatalist.rdclass = rdata.rdclass;
rdatalist.type = rdata.type;
- rdatalist.covers = 0;
rdatalist.ttl = rdataset.ttl;
- ISC_LIST_INIT(rdatalist.rdata);
dns_rdata_init(&delrdata);
dns_rdata_clone(&rdata, &delrdata);
ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
@@ -2672,7 +2671,7 @@ set_nsec3params(isc_boolean_t update, isc_boolean_t set_salt,
if (!update && set_salt) {
if (salt_length != orig_saltlen ||
- memcmp(saltbuf, orig_salt, salt_length) != 0)
+ !isc_safe_memequal(saltbuf, orig_salt, salt_length))
fatal("An NSEC3 chain exists with a different salt. "
"Use -u to update it.");
} else if (!set_salt) {
@@ -2740,7 +2739,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
char *filename;
char namestr[DNS_NAME_FORMATSIZE];
dns_db_t *db = NULL;
- dns_dbversion_t *version = NULL;
+ dns_dbversion_t *dbversion = NULL;
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
dns_fixedname_t fixed;
@@ -2860,19 +2859,19 @@ writeset(const char *prefix, dns_rdatatype_t type) {
gclass, 0, NULL, &db);
check_result(result, "dns_db_create");
- result = dns_db_newversion(db, &version);
+ result = dns_db_newversion(db, &dbversion);
check_result(result, "dns_db_newversion");
- result = dns_diff_apply(&diff, db, version);
+ result = dns_diff_apply(&diff, db, dbversion);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
- result = dns_master_dump(mctx, db, version, style, filename);
+ result = dns_master_dump(mctx, db, dbversion, style, filename);
check_result(result, "dns_master_dump");
isc_mem_put(mctx, filename, filenamelen + 1);
- dns_db_closeversion(db, &version, ISC_FALSE);
+ dns_db_closeversion(db, &dbversion, ISC_FALSE);
dns_db_detach(&db);
}
@@ -3515,7 +3514,10 @@ main(int argc, char *argv[]) {
* of keys rather early.
*/
ISC_LIST_INIT(keylist);
- isc_rwlock_init(&keylist_lock, 0, 0);
+ result = isc_rwlock_init(&keylist_lock, 0, 0);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize keylist_lock: %s",
+ isc_result_totext(result));
/*
* Fill keylist with:
diff --git a/bin/named/client.c b/bin/named/client.c
index f66ceda83d502..de2d596c8832d 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
#include <config.h>
#include <isc/formatcheck.h>
@@ -25,6 +23,7 @@
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/queue.h>
+#include <isc/random.h>
#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
@@ -113,6 +112,7 @@
*/
#endif
+
/*% nameserver client manager structure */
struct ns_clientmgr {
/* Unlocked. */
@@ -328,12 +328,12 @@ exit_check(ns_client_t *client) {
* We are trying to abort request processing.
*/
if (client->nsends > 0) {
- isc_socket_t *socket;
+ isc_socket_t *sock;
if (TCP_CLIENT(client))
- socket = client->tcpsocket;
+ sock = client->tcpsocket;
else
- socket = client->udpsocket;
- isc_socket_cancel(socket, client->task,
+ sock = client->udpsocket;
+ isc_socket_cancel(sock, client->task,
ISC_SOCKCANCEL_SEND);
}
@@ -828,16 +828,16 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
isc_result_t result;
isc_region_t r;
isc_sockaddr_t *address;
- isc_socket_t *socket;
+ isc_socket_t *sock;
isc_netaddr_t netaddr;
int match;
unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
if (TCP_CLIENT(client)) {
- socket = client->tcpsocket;
+ sock = client->tcpsocket;
address = NULL;
} else {
- socket = client->udpsocket;
+ sock = client->udpsocket;
address = &client->peeraddr;
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
@@ -861,7 +861,7 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
CTRACE("sendto");
- result = isc_socket_sendto2(socket, &r, client->task,
+ result = isc_socket_sendto2(sock, &r, client->task,
address, pktinfo,
client->sendevent, sockflags);
if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
@@ -1171,10 +1171,15 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
isc_boolean_t wouldlog;
char log_buf[DNS_RRL_LOG_BUF_LEN];
dns_rrl_result_t rrl_result;
+ int loglevel;
INSIST(rcode != dns_rcode_noerror &&
rcode != dns_rcode_nxdomain);
- wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
+ if (ns_g_server->log_queries)
+ loglevel = DNS_RRL_LOG_DROP;
+ else
+ loglevel = ISC_LOG_DEBUG(1);
+ wouldlog = isc_log_wouldlog(ns_g_lctx, loglevel);
rrl_result = dns_rrl(client->view, &client->peeraddr,
TCP_CLIENT(client),
dns_rdataclass_in, dns_rdatatype_none,
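Review bot: The new `loglevel` selection is undocumented, and the same variable is reused in the following hunk of ns_client_error, so a reader has to find both places to understand it. The level drops from DNS_RRL_LOG_DROP to ISC_LOG_DEBUG(1) when `ns_g_server->log_queries` is off, presumably so that rate-limit drop/slip messages only appear at the query-log level when query logging itself is enabled; a comment such as `/* Log RRL drops at query-log level only when query logging is on; otherwise demote to debug(1). */` above the `if` would pin that intent. Note that `ns_g_server` is dereferenced here without a null check; if this path can run before the server object exists that would need guarding, but I cannot tell from the hunk. The function continues outside the hunk.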
@@ -1191,7 +1196,7 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
ns_client_log(client,
NS_LOGCATEGORY_QUERY_EERRORS,
NS_LOGMODULE_CLIENT,
- DNS_RRL_LOG_DROP,
+ loglevel,
"%s", log_buf);
}
/*
@@ -1646,7 +1651,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
if (TCP_CLIENT(client))
isc_stats_increment(ns_g_server->nsstats,
- dns_nsstatscounter_tcp);
+ dns_nsstatscounter_requesttcp);
/*
* It's a request. Parse it.
@@ -1657,6 +1662,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
* Parsing the request failed. Send a response
* (typically FORMERR or SERVFAIL).
*/
+ if (result == DNS_R_OPTERR)
+ (void)client_addopt(client);
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "message parsing failed: %s",
+ isc_result_totext(result));
ns_client_error(client, result);
goto cleanup;
}
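Review bot: The new ns_client_log call emits one ISC_LOG_WARNING line for every request that fails to parse, and the only trigger is a packet from the network, so any sender can produce log volume at will where the old path answered silently. Logging at `ISC_LOG_DEBUG(1)` (or reusing the `loglevel` logic ns_client_error applies to RRL drops) would keep the diagnostic without making the warning level noisy under garbage traffic. The `(void)client_addopt(client)` on DNS_R_OPTERR discards its result; if the OPT record cannot be added the reply goes out without it, and a comment stating that this is acceptable, e.g. `/* best effort: reply without OPT if it cannot be added */`, would make that explicit. client_request continues outside the hunk.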
@@ -2777,7 +2789,7 @@ void
ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
isc_logmodule_t *module, int level, const char *fmt, va_list ap)
{
- char msgbuf[2048];
+ char msgbuf[4096];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
char signerbuf[DNS_NAME_FORMATSIZE], qnamebuf[DNS_NAME_FORMATSIZE];
const char *viewname = "";
diff --git a/bin/named/config.c b/bin/named/config.c
index a32f12e660ae3..cab6f1fd0db87 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -156,7 +156,14 @@ options {\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
- clients-per-query 10;\n\
+"
+#ifdef ENABLE_FETCHLIMIT
+" fetches-per-server 0;\n\
+ fetches-per-zone 0;\n\
+ fetch-quota-params 100 0.1 0.3 0.7;\n\
+"
+#endif /* ENABLE_FETCHLIMIT */
+" clients-per-query 10;\n\
max-clients-per-query 100;\n\
max-recursion-depth 7;\n\
max-recursion-queries 50;\n\
diff --git a/bin/named/control.c b/bin/named/control.c
index 306bca0b27946..aacb0884fde0a 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -101,7 +101,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
- result = ns_server_reconfigcommand(ns_g_server, command);
+ result = ns_server_reconfigcommand(ns_g_server);
} else if (command_compare(command, NS_COMMAND_REFRESH)) {
result = ns_server_refreshcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index c345176a21271..51c55ec5d4a5f 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -186,6 +186,7 @@ struct ns_lwdclientmgr {
lwres_context_t *lwctx; /*%< lightweight proto context */
isc_task_t *task; /*%< owning task */
unsigned int flags;
+ isc_mutex_t lock;
ISC_LINK(ns_lwdclientmgr_t) link;
ISC_LIST(ns_lwdclient_t) idle; /*%< idle client slots */
ISC_LIST(ns_lwdclient_t) running; /*%< running clients */
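Review bot: The new `lock` member is the only field in this struct without a `/*%< ... */` description, and nothing states what it guards. From the lwdclient.c changes in this same commit it is taken around `flags` and around every mutation of the `idle` and `running` lists, so `isc_mutex_t lock; /*%< protects flags, idle and running */` would document the invariant and make it obvious that `lwctx`, `task` and `sock` are not covered by it.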
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index 1537fb641da60..d41641f5cf02c 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp $ */
-
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
@@ -26,6 +24,11 @@
#define main(argc, argv) bindmain(argc, argv)
#endif
+/*
+ * Commandline arguments for named; also referenced in win32/ntservice.c
+ */
+#define NS_MAIN_ARGS "46c:C:d:E:fFgi:lM:m:n:N:p:P:sS:t:T:U:u:vVx:"
+
ISC_PLATFORM_NORETURN_PRE void
ns_main_earlyfatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 1680776cd991a..a3696f1614c15 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -51,6 +51,7 @@ struct ns_server {
isc_quota_t xfroutquota;
isc_quota_t tcpquota;
isc_quota_t recursionquota;
+
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
@@ -130,7 +131,7 @@ enum {
dns_nsstatscounter_tsigin = 4,
dns_nsstatscounter_sig0in = 5,
dns_nsstatscounter_invalidsig = 6,
- dns_nsstatscounter_tcp = 7,
+ dns_nsstatscounter_requesttcp = 7,
dns_nsstatscounter_authrej = 8,
dns_nsstatscounter_recurserej = 9,
@@ -165,16 +166,31 @@ enum {
dns_nsstatscounter_updatefail = 34,
dns_nsstatscounter_updatebadprereq = 35,
- dns_nsstatscounter_rpz_rewrites = 36,
+ dns_nsstatscounter_recursclients = 36,
+
+ dns_nsstatscounter_dns64 = 37,
+
+ dns_nsstatscounter_ratedropped = 38,
+ dns_nsstatscounter_rateslipped = 39,
+
+ dns_nsstatscounter_rpz_rewrites = 40,
+
+ dns_nsstatscounter_udp = 41,
+ dns_nsstatscounter_tcp = 42,
+
+ dns_nsstatscounter_nsidopt = 43,
+ dns_nsstatscounter_expireopt = 44,
+ dns_nsstatscounter_otheropt = 45,
+ dns_nsstatscounter_ecsopt = 46,
-#ifdef USE_RRL
- dns_nsstatscounter_ratedropped = 37,
- dns_nsstatscounter_rateslipped = 38,
+ dns_nsstatscounter_sitopt = 47,
+ dns_nsstatscounter_sitbadsize = 48,
+ dns_nsstatscounter_sitbadtime = 49,
+ dns_nsstatscounter_sitnomatch = 50,
+ dns_nsstatscounter_sitmatch = 51,
+ dns_nsstatscounter_sitnew = 52,
- dns_nsstatscounter_max = 39
-#else /* USE_RRL */
- dns_nsstatscounter_max = 37
-#endif /* USE_RRL */
+ dns_nsstatscounter_max = 53
};
void
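Review bot: Several existing counters change numeric value in this hunk (`dns_nsstatscounter_rpz_rewrites` 36→40, `ratedropped` 37→38, `rateslipped` 38→39) and the name `dns_nsstatscounter_tcp` is reused with a new index (was 7, now 42) while the old slot becomes `requesttcp`. Any code that still referenced `dns_nsstatscounter_tcp` for the request counter will compile unchanged but count into a different slot, so every use site of that name should be checked rather than relying on the compiler; the rename in client.c in this commit is one such site. Because these values index the statistics array, external consumers that keyed on position (statistics channel output, dump formats) may also need updating; I cannot see those from here. A comment noting that the ordering is part of the statistics file/channel format would help prevent future renumbering.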
@@ -213,7 +229,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
*/
isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args);
+ns_server_reconfigcommand(ns_server_t *server);
/*%<
* Act on a "reconfig" command from the command channel.
*/
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 850222ad02bf6..73422c6589813 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -302,7 +302,7 @@ ns_interface_listenudp(ns_interface_t *ifp) {
return (ISC_R_SUCCESS);
addtodispatch_failure:
- for (i = disp - 1; i <= 0; i--) {
+ for (i = disp - 1; i >= 0; i--) {
dns_dispatch_changeattributes(ifp->udpdispatch[i], 0,
DNS_DISPATCHATTR_NOLISTEN);
dns_dispatch_detach(&(ifp->udpdispatch[i]));
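Review bot: The corrected loop `for (i = disp - 1; i >= 0; i--)` only terminates if `i` is a signed type; its declaration is outside the hunk, and if it (or `disp`) is `unsigned int` the condition is always true and the loop runs off the start of `udpdispatch`. Worth confirming the declaration and, since the old `i <= 0` bug shows this cleanup path was never exercised, adding a comment such as `/* unwind the dispatches attached so far; i must be signed */` so the next edit does not reintroduce it. ns_interface_listenudp continues outside the hunk.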
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index ce804055cc396..fd20d5a5ee8f4 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2013, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -23,6 +23,7 @@
#include <isc/file.h>
#include <isc/offset.h>
+#include <isc/print.h>
#include <isc/result.h>
#include <isc/stdio.h>
#include <isc/string.h>
diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c
index a8431340024ce..511cbf0fb4967 100644
--- a/bin/named/lwdclient.c
+++ b/bin/named/lwdclient.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -59,12 +59,16 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
ns_lwdclientmgr_t *cm;
ns_lwdclient_t *client;
unsigned int i;
- isc_result_t result = ISC_R_FAILURE;
+ isc_result_t result;
cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
if (cm == NULL)
return (ISC_R_NOMEMORY);
+ result = isc_mutex_init(&cm->lock);
+ if (result != ISC_R_SUCCESS)
+ goto freecm;
+
cm->listener = NULL;
ns_lwreslistener_attach(listener, &cm->listener);
cm->mctx = lwresd->mctx;
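Review bot: With the `ISC_R_FAILURE` default removed from `result`, every `goto errout` in ns_lwdclientmgr_create must now be preceded by an explicit assignment, otherwise the function returns an uninitialized value. The paths visible in this commit's hunks (mutex init, lwres_context_create, the empty-idle check and isc_task_create) all assign it, but the client-creation loop body and any later exits are outside these hunks and should be checked. A short comment at the declaration, e.g. `isc_result_t result; /* every error exit sets this before goto errout */`, would record the expectation. The function continues in the next hunks.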
@@ -78,10 +82,10 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
ISC_LIST_INIT(cm->idle);
ISC_LIST_INIT(cm->running);
- if (lwres_context_create(&cm->lwctx, cm->mctx,
- ns__lwresd_memalloc, ns__lwresd_memfree,
- LWRES_CONTEXT_SERVERMODE)
- != ISC_R_SUCCESS)
+ result = lwres_context_create(&cm->lwctx, cm->mctx,
+ ns__lwresd_memalloc, ns__lwresd_memfree,
+ LWRES_CONTEXT_SERVERMODE);
+ if (result != ISC_R_SUCCESS)
goto errout;
for (i = 0; i < nclients; i++) {
@@ -96,8 +100,10 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
/*
* If we could create no clients, clean up and return.
*/
- if (ISC_LIST_EMPTY(cm->idle))
+ if (ISC_LIST_EMPTY(cm->idle)) {
+ result = ISC_R_NOMEMORY;
goto errout;
+ }
result = isc_task_create(taskmgr, 0, &cm->task);
if (result != ISC_R_SUCCESS)
@@ -130,6 +136,9 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
if (cm->lwctx != NULL)
lwres_context_destroy(&cm->lwctx);
+ DESTROYLOCK(&cm->lock);
+
+ freecm:
isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
return (result);
}
@@ -139,11 +148,14 @@ lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
ns_lwdclient_t *client;
ns_lwreslistener_t *listener;
- if (!SHUTTINGDOWN(cm))
+ LOCK(&cm->lock);
+ if (!SHUTTINGDOWN(cm)) {
+ UNLOCK(&cm->lock);
return;
+ }
/*
- * run through the idle list and free the clients there. Idle
+ * Run through the idle list and free the clients there. Idle
* clients do not have a recv running nor do they have any finds
* or similar running.
*/
@@ -156,14 +168,20 @@ lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
client = ISC_LIST_HEAD(cm->idle);
}
- if (!ISC_LIST_EMPTY(cm->running))
+ if (!ISC_LIST_EMPTY(cm->running)) {
+ UNLOCK(&cm->lock);
return;
+ }
+
+ UNLOCK(&cm->lock);
lwres_context_destroy(&cm->lwctx);
cm->view = NULL;
isc_socket_detach(&cm->sock);
isc_task_detach(&cm->task);
+ DESTROYLOCK(&cm->lock);
+
listener = cm->listener;
ns_lwreslistener_unlinkcm(listener, cm);
ns_lwdclient_log(50, "destroying manager %p", cm);
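Review bot: `DESTROYLOCK(&cm->lock)` now runs before `ns_lwreslistener_unlinkcm` removes the manager from the listener's list, so there is a window in which the listener can still hand out a `cm` whose mutex is already destroyed; listener_startclients (changed in this commit) locks `cm->lock` via ns_lwdclient_startrecv while walking that list. If the listener walk and this destroy can run on different threads, unlinking first and destroying the lock last closes that window; if everything runs on one task, a comment saying so would justify the current order. Either way the decision to destroy is made under the lock and acted on after the unlock, which is only safe because nothing else can re-add to `running` at that point, and that assumption deserves a comment too.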
@@ -225,8 +243,10 @@ ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
NS_LWDCLIENT_SETRECVDONE(client);
+ LOCK(&cm->lock);
INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
+ UNLOCK(&cm->lock);
ns_lwdclient_log(50,
"event received: task %p, length %u, result %u (%s)",
@@ -274,40 +294,53 @@ ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
ns_lwdclient_t *client;
isc_result_t result;
isc_region_t r;
+ isc_boolean_t destroy = ISC_FALSE;
+
+ LOCK(&cm->lock);
if (SHUTTINGDOWN(cm)) {
- lwdclientmgr_destroy(cm);
- return (ISC_R_SUCCESS);
+ destroy = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ goto unlock;
}
/*
* If a recv is already running, don't bother.
*/
- if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
- return (ISC_R_SUCCESS);
+ if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0) {
+ result = ISC_R_SUCCESS;
+ goto unlock;
+ }
/*
* If we have no idle slots, just return success.
*/
client = ISC_LIST_HEAD(cm->idle);
- if (client == NULL)
- return (ISC_R_SUCCESS);
+ if (client == NULL) {
+ result = ISC_R_SUCCESS;
+ goto unlock;
+ }
+
INSIST(NS_LWDCLIENT_ISIDLE(client));
/*
+ * Set the flag to say there is a recv pending. If isc_socket_recv
+ * fails we will clear the flag otherwise it will be cleared by
+ * ns_lwdclient_recv.
+ */
+ cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
+
+ /*
* Issue the recv. If it fails, return that it did.
*/
r.base = client->buffer;
r.length = LWRES_RECVLENGTH;
result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
client);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Set the flag to say we've issued a recv() call.
- */
- cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
+ if (result != ISC_R_SUCCESS) {
+ cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
+ goto unlock;
+ }
/*
* Remove the client from the idle list, and put it on the running
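Review bot: `isc_socket_recv` is now issued while `cm->lock` is held (the matching `UNLOCK` is in the next hunk), and its completion routine ns_lwdclient_recv acquires the same non-recursive lock. That is only deadlock-free if the socket layer never runs the callback synchronously in the caller's thread; I believe completion is delivered as a task event, but a comment such as `/* recv completion is always posted to cm->task, never run inline, so holding the lock here is safe */` would state the invariant this code depends on. The `destroy` flag is correctly acted on after the unlock, so the re-lock inside lwdclientmgr_destroy is not a self-deadlock. ns_lwdclient_startrecv continues in the following hunk.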
@@ -317,7 +350,13 @@ ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
ISC_LIST_UNLINK(cm->idle, client, link);
ISC_LIST_APPEND(cm->running, client, link);
- return (ISC_R_SUCCESS);
+ unlock:
+ UNLOCK(&cm->lock);
+
+ if (destroy)
+ lwdclientmgr_destroy(cm);
+
+ return (result);
}
static void
@@ -335,6 +374,7 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
* clients do not have a recv running nor do they have any finds
* or similar running.
*/
+ LOCK(&cm->lock);
client = ISC_LIST_HEAD(cm->idle);
while (client != NULL) {
ns_lwdclient_log(50, "destroying client %p, manager %p",
@@ -343,6 +383,7 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
isc_mem_put(cm->mctx, client, sizeof(*client));
client = ISC_LIST_HEAD(cm->idle);
}
+ UNLOCK(&cm->lock);
/*
* Cancel any pending I/O.
@@ -353,6 +394,7 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
* Run through the running client list and kill off any finds
* in progress.
*/
+ LOCK(&cm->lock);
client = ISC_LIST_HEAD(cm->running);
while (client != NULL) {
if (client->find != client->v4find
@@ -367,6 +409,8 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
+ UNLOCK(&cm->lock);
+
isc_event_free(&ev);
}
@@ -387,8 +431,10 @@ ns_lwdclient_stateidle(ns_lwdclient_t *client) {
INSIST(client->v4find == NULL);
INSIST(client->v6find == NULL);
+ LOCK(&cm->lock);
ISC_LIST_UNLINK(cm->running, client, link);
ISC_LIST_PREPEND(cm->idle, client, link);
+ UNLOCK(&cm->lock);
NS_LWDCLIENT_SETIDLE(client);
@@ -464,5 +510,7 @@ ns_lwdclient_initialize(ns_lwdclient_t *client, ns_lwdclientmgr_t *cmgr) {
client->pktinfo_valid = ISC_FALSE;
+ LOCK(&cmgr->lock);
ISC_LIST_APPEND(cmgr->idle, client, link);
+ UNLOCK(&cmgr->lock);
}
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 7ee2196364e93..f9ed544fc2e22 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -602,7 +602,7 @@ listener_copysock(ns_lwreslistener_t *oldlistener,
static isc_result_t
listener_startclients(ns_lwreslistener_t *listener) {
- ns_lwdclientmgr_t *cm;
+ ns_lwdclientmgr_t *cm, *next;
unsigned int i;
isc_result_t result;
@@ -626,6 +626,7 @@ listener_startclients(ns_lwreslistener_t *listener) {
LOCK(&listener->lock);
cm = ISC_LIST_HEAD(listener->cmgrs);
while (cm != NULL) {
+ next = ISC_LIST_NEXT(cm, link);
result = ns_lwdclient_startrecv(cm);
if (result != ISC_R_SUCCESS)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
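Review bot: The reason `next` is fetched before the call is not stated: ns_lwdclient_startrecv (changed in this commit) may call lwdclientmgr_destroy and free `cm`, after which `ISC_LIST_NEXT(cm, link)` would read freed memory. A one-line comment on the new line, `next = ISC_LIST_NEXT(cm, link); /* startrecv may destroy cm */`, prevents a future tidy-up from moving the fetch back after the call. listener_startclients continues in the next hunk.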
@@ -633,7 +634,7 @@ listener_startclients(ns_lwreslistener_t *listener) {
"could not start lwres "
"client handler: %s",
isc_result_totext(result));
- cm = ISC_LIST_NEXT(cm, link);
+ cm = next;
}
UNLOCK(&listener->lock);
diff --git a/bin/named/main.c b/bin/named/main.c
index 6e340cc13c496..5664e6545e4c2 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -381,6 +381,7 @@ static struct flag_def {
const char *name;
unsigned int value;
} mem_debug_flags[] = {
+ { "none", 0},
{ "trace", ISC_MEM_DEBUGTRACE },
{ "record", ISC_MEM_DEBUGRECORD },
{ "usage", ISC_MEM_DEBUGUSAGE },
@@ -391,6 +392,8 @@ static struct flag_def {
static void
set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
+ isc_boolean_t clear = ISC_FALSE;
+
for (;;) {
const struct flag_def *def;
const char *end = strchr(arg, ',');
@@ -401,16 +404,21 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
for (def = defs; def->name != NULL; def++) {
if (arglen == (int)strlen(def->name) &&
memcmp(arg, def->name, arglen) == 0) {
+ if (def->value == 0)
+ clear = ISC_TRUE;
*ret |= def->value;
goto found;
}
}
ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
found:
- if (*end == '\0')
+ if (clear || (*end == '\0'))
break;
arg = end + 1;
}
+
+ if (clear)
+ *ret = 0;
}
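Review bot: With the new `clear` handling, `none` both zeroes `*ret` after the loop and breaks out of it, so any flag listed after it is silently ignored (`none,trace` yields 0) and any flag before it is silently discarded (`trace,none` also yields 0). If `none` is meant to be exclusive, rejecting the combination is clearer than dropping input: `if (clear && *end != '\0') ns_main_earlyfatal("'none' cannot be combined with other flags");` before the `break`. Otherwise a comment at the `clear` declaration should say that `none` overrides everything else on the line. The match relies on `def->value == 0` identifying the `none` entry, which is fine as long as no other real flag has value 0.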
static void
@@ -421,10 +429,12 @@ parse_command_line(int argc, char *argv[]) {
save_command_line(argc, argv);
- /* PLEASE keep options synchronized when main is hooked! */
-#define CMDLINE_FLAGS "46c:C:d:E:fFgi:lm:n:N:p:P:sS:t:T:U:u:vVx:"
+ /*
+ * NS_MAIN_ARGS is defined in main.h, so that it can be used
+ * both by named and by ntservice hooks.
+ */
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ while ((ch = isc_commandline_parse(argc, argv, NS_MAIN_ARGS)) != -1) {
switch (ch) {
case '4':
if (ns_g_disable4)
@@ -476,6 +486,10 @@ parse_command_line(int argc, char *argv[]) {
case 'l':
ns_g_lwresdonly = ISC_TRUE;
break;
+ case 'M':
+ if (strcmp(isc_commandline_argument, "external") == 0)
+ isc_mem_defaultflags = 0;
+ break;
case 'm':
set_flags(isc_commandline_argument, mem_debug_flags,
&isc_mem_debugging);
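Review bot: The new `-M` case only recognises the string `external` and silently accepts anything else, so a typo such as `-M externl` leaves the internal allocator in place with no diagnostic. The surrounding option handling already fails hard on unknown input (set_flags calls ns_main_earlyfatal for an unrecognised flag), so the consistent form is `else ns_main_earlyfatal("unknown -M option '%s'", isc_commandline_argument);`. parse_command_line continues outside the hunk.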
@@ -586,16 +600,16 @@ parse_command_line(int argc, char *argv[]) {
ns_g_username = isc_commandline_argument;
break;
case 'v':
- printf("%s %s", ns_g_product, ns_g_version);
- if (*ns_g_description != 0)
- printf(" %s", ns_g_description);
- printf("\n");
+ printf("%s %s%s%s <id:%s>\n",
+ ns_g_product, ns_g_version,
+ (*ns_g_description != '\0') ? " " : "",
+ ns_g_description, ns_g_srcid);
exit(0);
case 'V':
- printf("%s %s", ns_g_product, ns_g_version);
- if (*ns_g_description != 0)
- printf(" %s", ns_g_description);
- printf(" <id:%s> built by %s with %s\n", ns_g_srcid,
+ printf("%s %s%s%s <id:%s>\n", ns_g_product, ns_g_version,
+ (*ns_g_description != '\0') ? " " : "",
+ ns_g_description, ns_g_srcid);
+ printf("built by %s with %s\n",
ns_g_builder, ns_g_configargs);
#ifdef __clang__
printf("compiled by CLANG %s\n", __VERSION__);
@@ -617,19 +631,15 @@ parse_command_line(int argc, char *argv[]) {
#ifdef OPENSSL
printf("compiled with OpenSSL version: %s\n",
OPENSSL_VERSION_TEXT);
-#ifndef WIN32
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif
-#endif
#ifdef HAVE_LIBXML2
printf("compiled with libxml2 version: %s\n",
LIBXML_DOTTED_VERSION);
-#ifndef WIN32
printf("linked to libxml2 version: %s\n",
xmlParserVersion);
#endif
-#endif
exit(0);
case 'F':
/* Reserved for FIPS mode */
@@ -638,7 +648,7 @@ parse_command_line(int argc, char *argv[]) {
usage();
if (isc_commandline_option == '?')
exit(0);
- p = strchr(CMDLINE_FLAGS, isc_commandline_option);
+ p = strchr(NS_MAIN_ARGS, isc_commandline_option);
if (p == NULL || *++p != ':')
ns_main_earlyfatal("unknown option '-%c'",
isc_commandline_option);
@@ -749,10 +759,6 @@ static void
destroy_managers(void) {
ns_lwresd_shutdown();
- isc_entropy_detach(&ns_g_entropy);
- if (ns_g_fallbackentropy != NULL)
- isc_entropy_detach(&ns_g_fallbackentropy);
-
/*
* isc_taskmgr_destroy() will block until all tasks have exited,
*/
@@ -897,8 +903,10 @@ setup(void) {
isc_result_totext(result));
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
- ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
- ns_g_version, saved_command_line);
+ ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>%s",
+ ns_g_product, ns_g_version,
+ *ns_g_description ? " " : "", ns_g_description,
+ ns_g_srcid, saved_command_line);
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
@@ -1017,6 +1025,10 @@ cleanup(void) {
ns_server_destroy(&ns_g_server);
+ isc_entropy_detach(&ns_g_entropy);
+ if (ns_g_fallbackentropy != NULL)
+ isc_entropy_detach(&ns_g_fallbackentropy);
+
ns_builtin_deinit();
/*
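Review bot: The entropy detach is moved from destroy_managers (earlier hunk in this file) to after `ns_server_destroy`, but nothing records why the entropy context must now outlive the managers and the server object. If the reason is that teardown of the server or its managers can still draw randomness, a comment such as `/* Entropy is detached last: server/manager teardown above may still use it. */` would stop the next cleanup from moving it back. I cannot tell from the hunk whether `ns_g_entropy` can be NULL here the way `ns_g_fallbackentropy` is checked; if it can, it needs the same guard.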
diff --git a/bin/named/named.8 b/bin/named/named.8
index fe6bb4207e373..09bd4c117d28f 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,7 +33,7 @@
named \- Internet domain name server
.SH "SYNOPSIS"
.HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\fR
@@ -101,6 +101,12 @@ Run the server in the foreground and force all logging to
\fIstderr\fR.
.RE
.PP
+\-M \fIoption\fR
+.RS 4
+Sets the default memory context options. Currently the only supported option is
+\fIexternal\fR, which causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions.
+.RE
+.PP
\-m \fIflag\fR
.RS 4
Turn on memory usage debugging flags. Possible flags are
@@ -280,7 +286,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009, 2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
.br
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 7ca3d2bf6a7a9..0ea469d35766e 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -45,6 +45,7 @@
<year>2011</year>
<year>2013</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -65,6 +66,7 @@
<arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
+ <arg><option>-M <replaceable class="parameter">option</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
@@ -182,6 +184,19 @@
</varlistentry>
<varlistentry>
+ <term>-M <replaceable class="parameter">option</replaceable></term>
+ <listitem>
+ <para>
+ Sets the default memory context options. Currently
+ the only supported option is
+ <replaceable class="parameter">external</replaceable>,
+ which causes the internal memory manager to be bypassed
+ in favor of system-provided memory allocation functions.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
diff --git a/bin/named/named.html b/bin/named/named.html
index 0c1abf1894fb1..83494ee5d9c02 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>DESCRIPTION</h2>
+<a name="id2543518"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543531"></a><h2>OPTIONS</h2>
+<a name="id2543543"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -96,6 +96,14 @@
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
+<dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
+<dd><p>
+ Sets the default memory context options. Currently
+ the only supported option is
+ <em class="replaceable"><code>external</code></em>,
+ which causes the internal memory manager to be bypassed
+ in favor of system-provided memory allocation functions.
+ </p></dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Turn on memory usage debugging flags. Possible flags are
@@ -240,7 +248,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544021"></a><h2>SIGNALS</h2>
+<a name="id2544192"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -261,7 +269,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544137"></a><h2>CONFIGURATION</h2>
+<a name="id2544308"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -278,7 +286,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544310"></a><h2>FILES</h2>
+<a name="id2544344"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -291,7 +299,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544349"></a><h2>SEE ALSO</h2>
+<a name="id2544384"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -304,7 +312,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544420"></a><h2>AUTHOR</h2>
+<a name="id2544454"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/named/query.c b/bin/named/query.c
index 706fdecd664d2..f2ca55538780b 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*! \file */
#include <config.h>
@@ -25,6 +23,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/serial.h>
#include <isc/stats.h>
#include <isc/util.h>
@@ -118,21 +117,31 @@
#define NOQNAME(r) (((r)->attributes & \
DNS_RDATASETATTR_NOQNAME) != 0)
-#if 0
-#define CTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "client %p: %s", client, (m))
-#define QTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "query %p: %s", query, (m))
+#ifdef WANT_QUERYTRACE
+#define CTRACE(l,m) do { \
+ if (client != NULL && client->query.qname != NULL) { \
+ if (isc_log_wouldlog(ns_g_lctx, l)) { \
+ char qbuf[DNS_NAME_FORMATSIZE]; \
+ dns_name_format(client->query.qname, \
+ qbuf, sizeof(qbuf)); \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_CLIENT, \
+ NS_LOGMODULE_QUERY, \
+ l, "client %p (%s): %s", \
+ client, qbuf, (m)); \
+ } \
+ } else { \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_CLIENT, \
+ NS_LOGMODULE_QUERY, \
+ l, "client %p (<unknown-name>): %s", \
+ client, (m)); \
+ } \
+} while(0)
#else
-#define CTRACE(m) ((void)m)
-#define QTRACE(m) ((void)m)
-#endif
+#define CTRACE(l,m) ((void)m)
+#endif /* WANT_QUERYTRACE */
+
#define DNS_GETDB_NOEXACT 0x01U
#define DNS_GETDB_NOLOG 0x02U
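Review bot: Every ISC_LOG_ERROR trace this commit adds to query.c (the reasons for each SERVFAIL) is compiled out unless WANT_QUERYTRACE is defined at build time, because the `#else` branch reduces CTRACE to `((void)m)`, so a default build gains no operational diagnostics from them. If that is not intended, the non-trace build could keep the error-level path only, e.g. `#define CTRACE(l,m) do { if ((l) == ISC_LOG_ERROR) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, (l), "client %p: %s", client, (m)); } while (0)`. Separately, the `else` branch of the enabled macro calls isc_log_write without the `isc_log_wouldlog` guard that the `if` branch has; hoisting the guard above the qname check keeps both paths consistent. Passing `m` through `%s` rather than as the format string is the right choice, since callers later hand it a buffer containing result text.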
@@ -307,13 +316,13 @@ static inline void
query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
dns_rdataset_t *rdataset = *rdatasetp;
- CTRACE("query_putrdataset");
+ CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset");
if (rdataset != NULL) {
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(client->message, rdatasetp);
}
- CTRACE("query_putrdataset: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset: done");
}
static inline void
@@ -420,7 +429,7 @@ query_newnamebuf(ns_client_t *client) {
isc_buffer_t *dbuf;
isc_result_t result;
- CTRACE("query_newnamebuf");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf");
/*%
* Allocate a name buffer.
*/
@@ -428,12 +437,13 @@ query_newnamebuf(ns_client_t *client) {
dbuf = NULL;
result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_newnamebuf: isc_buffer_allocate failed: done");
return (result);
}
ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
- CTRACE("query_newnamebuf: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf: done");
return (ISC_R_SUCCESS);
}
@@ -443,7 +453,7 @@ query_getnamebuf(ns_client_t *client) {
isc_result_t result;
isc_region_t r;
- CTRACE("query_getnamebuf");
+ CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf");
/*%
* Return a name buffer with space for a maximal name, allocating
* a new one if necessary.
@@ -452,7 +462,8 @@ query_getnamebuf(ns_client_t *client) {
if (ISC_LIST_EMPTY(client->query.namebufs)) {
result = query_newnamebuf(client);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
}
@@ -463,7 +474,8 @@ query_getnamebuf(ns_client_t *client) {
if (r.length < 255) {
result = query_newnamebuf(client);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
@@ -471,7 +483,7 @@ query_getnamebuf(ns_client_t *client) {
isc_buffer_availableregion(dbuf, &r);
INSIST(r.length >= 255);
}
- CTRACE("query_getnamebuf: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf: done");
return (dbuf);
}
@@ -479,7 +491,7 @@ static inline void
query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
isc_region_t r;
- CTRACE("query_keepname");
+ CTRACE(ISC_LOG_DEBUG(3), "query_keepname");
/*%
* 'name' is using space in 'dbuf', but 'dbuf' has not yet been
* adjusted to take account of that. We do the adjustment.
@@ -503,14 +515,14 @@ query_releasename(ns_client_t *client, dns_name_t **namep) {
* rights on the buffer.
*/
- CTRACE("query_releasename");
+ CTRACE(ISC_LOG_DEBUG(3), "query_releasename");
if (dns_name_hasbuffer(name)) {
INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
!= 0);
client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
}
dns_message_puttempname(client->message, namep);
- CTRACE("query_releasename: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_releasename: done");
}
static inline dns_name_t *
@@ -523,11 +535,12 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf,
REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
- CTRACE("query_newname");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newname");
name = NULL;
result = dns_message_gettempname(client->message, &name);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_newname: dns_message_gettempname failed: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_newname: dns_message_gettempname failed: done");
return (NULL);
}
isc_buffer_availableregion(dbuf, &r);
@@ -536,7 +549,7 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf,
dns_name_setbuffer(name, nbuf);
client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
- CTRACE("query_newname: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newname: done");
return (name);
}
@@ -545,17 +558,18 @@ query_newrdataset(ns_client_t *client) {
dns_rdataset_t *rdataset;
isc_result_t result;
- CTRACE("query_newrdataset");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset");
rdataset = NULL;
result = dns_message_gettemprdataset(client->message, &rdataset);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_newrdataset: "
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_newrdataset: "
"dns_message_gettemprdataset failed: done");
return (NULL);
}
dns_rdataset_init(rdataset);
- CTRACE("query_newrdataset: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset: done");
return (rdataset);
}
@@ -727,8 +741,10 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
* Get the current version of this database.
*/
dbversion = query_findversion(client, db);
- if (dbversion == NULL)
+ if (dbversion == NULL) {
+ CTRACE(ISC_LOG_ERROR, "unable to get db version");
return (DNS_R_SERVFAIL);
+ }
if ((options & DNS_GETDB_IGNOREACL) != 0)
goto approved;
@@ -1168,7 +1184,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
dns_name_t *mname = NULL;
isc_result_t result;
- CTRACE("query_isduplicate");
+ CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate");
for (section = DNS_SECTION_ANSWER;
section <= DNS_SECTION_ADDITIONAL;
@@ -1179,7 +1195,8 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
/*
* We've already got this RRset in the response.
*/
- CTRACE("query_isduplicate: true: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_isduplicate: true: done");
return (ISC_TRUE);
} else if (result == DNS_R_NXRRSET) {
/*
@@ -1195,7 +1212,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
if (mnamep != NULL)
*mnamep = mname;
- CTRACE("query_isduplicate: false: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done");
return (ISC_FALSE);
}
@@ -1222,7 +1239,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
return (ISC_R_SUCCESS);
- CTRACE("query_addadditional");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional");
/*
* Initialization.
@@ -1278,7 +1295,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (result != ISC_R_SUCCESS)
goto try_cache;
- CTRACE("query_addadditional: db_find");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: db_find");
/*
* Since we are looking for authoritative data, we do not set
@@ -1547,7 +1564,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
addname:
- CTRACE("query_addadditional: addname");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: addname");
/*
* If we haven't added anything, then we're done.
*/
@@ -1587,7 +1604,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
cleanup:
- CTRACE("query_addadditional: cleanup");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: cleanup");
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
query_putrdataset(client, &sigrdataset);
@@ -1600,7 +1617,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (zone != NULL)
dns_zone_detach(&zone);
- CTRACE("query_addadditional: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: done");
return (eresult);
}
@@ -1718,7 +1735,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client);
- CTRACE("query_addadditional2");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2");
/*
* We treat type A additional section processing as if it
@@ -1750,14 +1767,16 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (result != ISC_R_SUCCESS)
goto findauthdb;
if (zone == NULL) {
- CTRACE("query_addadditional2: auth zone not found");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: auth zone not found");
goto try_cache;
}
/* Is the cached DB up-to-date? */
result = query_iscachevalid(zone, cdb, NULL, cversion);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old auth additional cache");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: old auth additional cache");
query_discardcache(client, rdataset_base, additionaltype,
type, &zone, &cdb, &cversion, &cnode,
&cfname);
@@ -1770,7 +1789,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
* ACL, since the result (not using this zone) would be same
* regardless of the result.
*/
- CTRACE("query_addadditional2: negative auth additional cache");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: negative auth additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
dns_db_detach(&cdb);
dns_zone_detach(&zone);
@@ -1787,7 +1807,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
/* We've got an active cache. */
- CTRACE("query_addadditional2: auth additional cache");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: auth additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
db = cdb;
node = cnode;
@@ -1811,7 +1832,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
goto try_cache;
}
- CTRACE("query_addadditional2: db_find");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: db_find");
/*
* Since we are looking for authoritative data, we do not set
@@ -1896,7 +1917,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old glue additional cache");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: old glue additional cache");
query_discardcache(client, rdataset_base, additionaltype,
type, &zone, &cdb, &cversion, &cnode,
&cfname);
@@ -1905,14 +1927,15 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (cnode == NULL) {
/* We have a negative cache. */
- CTRACE("query_addadditional2: negative glue additional cache");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addadditional2: negative glue additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
dns_db_detach(&cdb);
goto cleanup;
}
/* Cache hit. */
- CTRACE("query_addadditional2: glue additional cache");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: glue additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
db = cdb;
node = cnode;
@@ -2095,7 +2118,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
}
- CTRACE("query_addadditional2: addname");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: addname");
/*
* If we haven't added anything, then we're done.
@@ -2114,7 +2137,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
fname = NULL;
cleanup:
- CTRACE("query_addadditional2: cleanup");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: cleanup");
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
@@ -2133,7 +2156,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (zone != NULL)
dns_zone_detach(&zone);
- CTRACE("query_addadditional2: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: done");
return (eresult);
}
@@ -2148,7 +2171,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
* 'fname', a name in the response message for 'client'.
*/
- CTRACE("query_addrdataset");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset");
ISC_LIST_APPEND(fname->list, rdataset, link);
@@ -2170,7 +2193,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
additionalctx.rdataset = rdataset;
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
&additionalctx);
- CTRACE("query_addrdataset: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
}
static isc_result_t
@@ -2202,7 +2225,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
* when it returns the name will either have been kept or released.
*/
- CTRACE("query_dns64");
+ CTRACE(ISC_LOG_DEBUG(3), "query_dns64");
name = *namep;
mname = NULL;
mrdataset = NULL;
@@ -2219,7 +2242,8 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
* We've already got an RRset of the given name and type.
* There's nothing else to do;
*/
- CTRACE("query_dns64: dns_message_findname succeeded: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_dns64: dns_message_findname succeeded: done");
if (dbuf != NULL)
query_releasename(client, namep);
return (ISC_R_SUCCESS);
@@ -2349,7 +2373,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
}
- CTRACE("query_dns64: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done");
return (result);
}
@@ -2368,7 +2392,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep,
isc_result_t result;
unsigned int i;
- CTRACE("query_filter64");
+ CTRACE(ISC_LOG_DEBUG(3), "query_filter64");
INSIST(client->query.dns64_aaaaok != NULL);
INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
@@ -2388,7 +2412,8 @@ query_filter64(ns_client_t *client, dns_name_t **namep,
* We've already got an RRset of the given name and type.
* There's nothing else to do;
*/
- CTRACE("query_filter64: dns_message_findname succeeded: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_filter64: dns_message_findname succeeded: done");
if (dbuf != NULL)
query_releasename(client, namep);
return;
@@ -2487,7 +2512,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep,
if (dbuf != NULL)
query_releasename(client, &name);
- CTRACE("query_filter64: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done");
}
static void
@@ -2509,7 +2534,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
* when it returns the name will either have been kept or released.
*/
- CTRACE("query_addrrset");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addrrset");
name = *namep;
rdataset = *rdatasetp;
if (sigrdatasetp != NULL)
@@ -2525,7 +2550,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
/*
* We've already got an RRset of the given name and type.
*/
- CTRACE("query_addrrset: dns_message_findname succeeded: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addrrset: dns_message_findname succeeded: done");
if (dbuf != NULL)
query_releasename(client, namep);
if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0)
@@ -2564,7 +2590,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
ISC_LIST_APPEND(mname->list, sigrdataset, link);
*sigrdatasetp = NULL;
}
- CTRACE("query_addrrset: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done");
}
static inline isc_result_t
@@ -2580,7 +2606,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
- CTRACE("query_addsoa");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addsoa");
/*
* Initialization.
*/
@@ -2608,12 +2634,14 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
dns_name_clone(dns_db_origin(db), name);
rdataset = query_newrdataset(client);
if (rdataset == NULL) {
+ CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset");
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
if (WANTDNSSEC(client) && dns_db_issecure(db)) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
+ CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset");
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
@@ -2643,6 +2671,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
* This is bad. We tried to get the SOA RR at the zone top
* and it didn't work!
*/
+ CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex");
eresult = DNS_R_SERVFAIL;
} else {
/*
@@ -2707,7 +2736,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
- CTRACE("query_addns");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addns");
/*
* Initialization.
*/
@@ -2725,21 +2754,24 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
*/
result = dns_message_gettempname(client->message, &name);
if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: dns_message_gettempname failed: done");
+ CTRACE(ISC_LOG_DEBUG(3),
+ "query_addns: dns_message_gettempname failed: done");
return (result);
}
dns_name_init(name, NULL);
dns_name_clone(dns_db_origin(db), name);
rdataset = query_newrdataset(client);
if (rdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
+ CTRACE(ISC_LOG_ERROR,
+ "query_addns: query_newrdataset failed");
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
if (WANTDNSSEC(client) && dns_db_issecure(db)) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
+ CTRACE(ISC_LOG_ERROR,
+ "query_addns: query_newrdataset failed");
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
@@ -2754,14 +2786,15 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
dns_rdatatype_ns, 0, client->now,
rdataset, sigrdataset);
} else {
- CTRACE("query_addns: calling dns_db_find");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find");
result = dns_db_findext(db, name, NULL, dns_rdatatype_ns,
client->query.dboptions, 0, &node,
fname, &cm, &ci, rdataset, sigrdataset);
- CTRACE("query_addns: dns_db_find complete");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete");
}
if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: "
+ CTRACE(ISC_LOG_ERROR,
+ "query_addns: "
"dns_db_findrdataset or dns_db_find failed");
/*
* This is bad. We tried to get the NS rdataset at the zone
@@ -2778,7 +2811,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
}
cleanup:
- CTRACE("query_addns: cleanup");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup");
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
query_putrdataset(client, &sigrdataset);
@@ -2787,7 +2820,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
if (node != NULL)
dns_db_detachnode(db, &node);
- CTRACE("query_addns: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addns: done");
return (eresult);
}
@@ -2839,7 +2872,6 @@ query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
}
dns_rdataset_init(rdataset);
rdatalist->type = dns_rdatatype_cname;
- rdatalist->covers = 0;
rdatalist->rdclass = client->message->rdclass;
rdatalist->ttl = ttl;
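Review bot: Dropping `rdatalist->covers = 0;` is only safe if `rdatalist` was zeroed or passed through dns_rdatalist_init before this point; the hunk shows only `dns_rdataset_init(rdataset)`, and the allocation of `rdatalist` is outside the hunk. In server.c the same removal is paired with an explicit `dns_rdatalist_init(&rdatalist)`, so if this site presumably relies on the temp-rdatalist allocator to clear the field, a one-line comment such as `/* covers is cleared by the rdatalist allocator */` would record that assumption; otherwise keep `rdatalist->covers = 0;`. query_add_cname's body starts and ends outside the hunk.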
@@ -3055,7 +3087,7 @@ query_addbestns(ns_client_t *client) {
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
- CTRACE("query_addbestns");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addbestns");
fname = NULL;
zfname = NULL;
rdataset = NULL;
@@ -3260,7 +3292,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
isc_result_t result;
unsigned int count;
- CTRACE("query_addds");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addds");
rname = NULL;
rdataset = NULL;
sigrdataset = NULL;
@@ -3390,7 +3422,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
- CTRACE("query_addwildcardproof");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof");
fname = NULL;
rdataset = NULL;
sigrdataset = NULL;
@@ -3754,9 +3786,10 @@ query_resume(isc_task_t *task, isc_event_t *event) {
if (devent->sigrdataset != NULL)
query_putrdataset(client, &devent->sigrdataset);
isc_event_free(&event);
- if (fetch_canceled)
+ if (fetch_canceled) {
+ CTRACE(ISC_LOG_ERROR, "fetch cancelled");
query_error(client, DNS_R_SERVFAIL, __LINE__);
- else
+ } else
query_next(client, ISC_R_CANCELED);
/*
* This may destroy the client.
@@ -3939,8 +3972,11 @@ rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
rpz_clean(zonep, dbp, nodep, rdatasetp);
if (*rdatasetp == NULL) {
*rdatasetp = query_newrdataset(client);
- if (*rdatasetp == NULL)
+ if (*rdatasetp == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "rpz_ready: query_newrdataset failed");
return (DNS_R_SERVFAIL);
+ }
}
return (ISC_R_SUCCESS);
}
@@ -4005,6 +4041,7 @@ rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
st->r.r_rdataset = NULL;
result = st->r.r_result;
if (result == DNS_R_DELEGATION) {
+ CTRACE(ISC_LOG_ERROR, "RPZ recursing");
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
rpz_type, name,
"rpz_rrset_find(1) ", result);
@@ -4295,6 +4332,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_db_detachnode(*dbp, nodep);
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
qnamef, "allrdatasets() ", result);
+ CTRACE(ISC_LOG_ERROR,
+ "rpz_find_p: allrdatasets failed");
*policyp = DNS_RPZ_POLICY_ERROR;
return (DNS_R_SERVFAIL);
}
@@ -4313,6 +4352,9 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
rpz_type, qnamef, "rdatasetiter ",
result);
+ CTRACE(ISC_LOG_ERROR,
+ "rpz_find_p: rdatasetiter_destroy "
+ "failed");
*policyp = DNS_RPZ_POLICY_ERROR;
return (DNS_R_SERVFAIL);
}
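Review bot: The new trace strings in this hunk name `rpz_find_p`, while the function in the hunk header is `rpz_find`, and "rdatasetiter_destroy failed" describes a check on the iteration result (the same failure rpz_log_fail reports as "rdatasetiter " two lines above), not the destroy call, whose outcome is never examined in the hunk. Suggest `"rpz_find: rdatasetiter failed"` here and matching `"rpz_find: allrdatasets failed"` / `"rpz_find: unexpected result"` in the sibling hunks, so a grep on a logged message lands on the right function. rpz_find's body starts and ends outside the hunk.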
@@ -4380,6 +4422,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_zone_detach(zonep);
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
"", result);
+ CTRACE(ISC_LOG_ERROR,
+ "rpz_find_p: unexpected result");
return (DNS_R_SERVFAIL);
}
@@ -4845,6 +4889,7 @@ cleanup:
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
+ CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy");
st->m.type = DNS_RPZ_TYPE_BAD;
result = DNS_R_SERVFAIL;
}
@@ -5072,7 +5117,7 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
dns_rdataset_t *neg, *negsig;
isc_result_t result = ISC_R_NOMEMORY;
- CTRACE("query_addnoqnameproof");
+ CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof");
fname = NULL;
neg = NULL;
@@ -5478,7 +5523,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_clientinfo_t ci;
ns_dbversion_t *dbversion;
- CTRACE("redirect");
+ CTRACE(ISC_LOG_DEBUG(3), "redirect");
if (client->view->redirect == NULL)
return (ISC_R_NOTFOUND);
@@ -5552,7 +5597,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
return (ISC_R_NOTFOUND);
}
- CTRACE("redirect: found data: done");
+ CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done");
dns_name_copy(found, name, NULL);
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
@@ -5618,11 +5663,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
isc_boolean_t redirected = ISC_FALSE;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
+ char errmsg[256];
isc_boolean_t associated;
dns_section_t section;
dns_ttl_t ttl;
- CTRACE("query_find");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find");
/*
* One-time initialization.
@@ -5714,11 +5760,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_getnamebuf failed (1)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
fname = query_newname(client, dbuf, &b);
if (fname == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_newname failed (1)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -5730,6 +5780,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
result = dns_name_copy(tname, fname, NULL);
if (result != ISC_R_SUCCESS) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: dns_name_copy failed");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -5758,7 +5810,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
type = qtype;
restart:
- CTRACE("query_find: restart");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: restart");
want_restart = ISC_FALSE;
authoritative = ISC_FALSE;
version = NULL;
@@ -5834,8 +5886,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
inc_stats(client, dns_nsstatscounter_authrej);
if (!PARTIALANSWER(client))
QUERY_ERROR(DNS_R_REFUSED);
- } else
+ } else {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_getdb failed");
QUERY_ERROR(DNS_R_SERVFAIL);
+ }
goto cleanup;
}
@@ -5862,24 +5917,30 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
db_find:
- CTRACE("query_find: db_find");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find");
/*
* We'll need some resources...
*/
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_getnamebuf failed (2)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
fname = query_newname(client, dbuf, &b);
rdataset = query_newrdataset(client);
if (fname == NULL || rdataset == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_newname failed (2)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: query_newrdataset failed (2)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -5893,7 +5954,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
&node, fname, &cm, &ci, rdataset, sigrdataset);
resume:
- CTRACE("query_find: resume");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: resume");
#ifdef USE_RRL
/*
@@ -6234,6 +6295,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
} else {
/* Unable to give root server referral. */
+ CTRACE(ISC_LOG_ERROR,
+ "unable to give root server referral");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -6496,11 +6559,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (fname == NULL) {
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: "
+ "query_getnamebuf failed (3)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
fname = query_newname(client, dbuf, &b);
if (fname == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: "
+ "query_newname failed (3)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -6601,6 +6670,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (fname == NULL ||
rdataset == NULL ||
sigrdataset == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: "
+ "failure getting "
+ "closest encloser");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -6803,11 +6876,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (fname == NULL) {
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: "
+ "query_getnamebuf failed (4)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
fname = query_newname(client, dbuf, &b);
if (fname == NULL) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: "
+ "query_newname failed (4)");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -7060,6 +7139,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Something has gone wrong.
*/
+ snprintf(errmsg, sizeof(errmsg) - 1,
+ "query_find: unexpected error after resuming: %s",
+ isc_result_totext(result));
+ CTRACE(ISC_LOG_ERROR, errmsg);
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
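Review bot: `snprintf(errmsg, sizeof(errmsg) - 1, ...)` gives away a byte for no reason; snprintf already reserves room for the terminator within the size it is given, so `snprintf(errmsg, sizeof(errmsg), ...)` is the idiomatic form. The formatting also runs on every trip through this SERVFAIL path even in builds where CTRACE expands to `((void)m)`, which is cheap but wasted; guarding both statements with `if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_ERROR))` or `#ifdef WANT_QUERYTRACE` would avoid it. Routing the text through CTRACE's `%s` rather than using it as a format string is correct, given the embedded `isc_result_totext` output. query_find's body starts and ends outside the hunk.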
@@ -7107,6 +7190,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rdsiter = NULL;
result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
if (result != ISC_R_SUCCESS) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: type any; allrdatasets failed");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
@@ -7236,12 +7321,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdatasetiter_destroy(&rdsiter);
fname = query_newname(client, dbuf, &b);
goto nxrrset_rrsig;
- } else
+ } else {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: no matching rdatasets "
+ "in cache");
result = DNS_R_SERVFAIL;
+ }
}
dns_rdatasetiter_destroy(&rdsiter);
if (result != ISC_R_NOMORE) {
+ CTRACE(ISC_LOG_ERROR,
+ "query_find: dns_rdatasetiter_destroy failed");
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
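Review bot: The message "query_find: dns_rdatasetiter_destroy failed" misattributes the failure: `result` at that check comes from the rdataset iteration (or from the `DNS_R_SERVFAIL` assigned in the new else branch just above), and `dns_rdatasetiter_destroy(&rdsiter)` on the preceding line is a statement whose outcome is never examined. Suggest `"query_find: type any; rdatasetiter failed"` so an operator reading the trace looks at the right call. query_find's body starts and ends outside the hunk.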
@@ -7431,7 +7522,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
addauth:
- CTRACE("query_find: addauth");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: addauth");
/*
* Add NS records to the authority section (if we haven't already
* added them to the answer section).
@@ -7459,7 +7550,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_fixedname_name(&wildcardname),
ISC_TRUE, ISC_FALSE);
cleanup:
- CTRACE("query_find: cleanup");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup");
/*
* General cleanup.
*/
@@ -7573,7 +7664,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
query_send(client);
ns_client_detach(&client);
}
- CTRACE("query_find: done");
+ CTRACE(ISC_LOG_DEBUG(3), "query_find: done");
return (eresult);
}
@@ -7661,7 +7752,7 @@ ns_query_start(ns_client_t *client) {
unsigned int saved_extflags = client->extflags;
unsigned int saved_flags = client->message->flags;
- CTRACE("ns_query_start");
+ CTRACE(ISC_LOG_DEBUG(3), "ns_query_start");
/*
* Test only.
diff --git a/bin/named/server.c b/bin/named/server.c
index 84b4067bf400f..d7d1a59fc16c4 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -195,6 +195,8 @@ struct dumpcontext {
isc_mem_t *mctx;
isc_boolean_t dumpcache;
isc_boolean_t dumpzones;
+ isc_boolean_t dumpadb;
+ isc_boolean_t dumpbad;
FILE *fp;
ISC_LIST(struct viewlistentry) viewlist;
struct viewlistentry *view;
@@ -352,6 +354,9 @@ const char *empty_zones[] = {
/* Example Prefix, RFC 3849. */
"8.B.D.0.1.0.0.2.IP6.ARPA",
+ /* RFC 7534 */
+ "EMPTY.AS112.ARPA",
+
NULL
};
@@ -1828,18 +1833,20 @@ add_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t result;
unsigned char buf[DNS_SOA_BUFFERSIZE];
- dns_rdataset_init(&rdataset);
- dns_rdatalist_init(&rdatalist);
CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db),
0, 28800, 7200, 604800, 86400, buf, &rdata));
+
+ dns_rdatalist_init(&rdatalist);
rdatalist.type = rdata.type;
- rdatalist.covers = 0;
rdatalist.rdclass = rdata.rdclass;
rdatalist.ttl = 86400;
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+ dns_rdataset_init(&rdataset);
CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
cleanup:
if (node != NULL)
dns_db_detachnode(db, &node);
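Review bot: `dns_rdataset_init(&rdataset)` and `dns_rdatalist_init(&rdatalist)` now run after `CHECK(dns_soa_buildrdata(...))`, so on that failure path both structs reach `cleanup:` uninitialised; the hunk shows only the `node` detach at the label, so if the rest of cleanup (outside the hunk) tests `dns_rdataset_isassociated(&rdataset)` or similar, that is an uninitialised read. Either keep the two init calls ahead of the first CHECK as before, or state at the label why they are not needed, e.g. `/* rdataset is never associated before the CHECKs that reach here */`. add_soa's body starts outside the hunk.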
@@ -1861,8 +1868,6 @@ add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_buffer_init(&b, buf, sizeof(buf));
- dns_rdataset_init(&rdataset);
- dns_rdatalist_init(&rdatalist);
ns.common.rdtype = dns_rdatatype_ns;
ns.common.rdclass = dns_db_class(db);
ns.mctx = NULL;
@@ -1870,14 +1875,18 @@ add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_name_clone(nsname, &ns.name);
CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
&ns, &b));
+
+ dns_rdatalist_init(&rdatalist);
rdatalist.type = rdata.type;
- rdatalist.covers = 0;
rdatalist.rdclass = rdata.rdclass;
rdatalist.ttl = 86400;
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+ dns_rdataset_init(&rdataset);
CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
cleanup:
if (node != NULL)
dns_db_detachnode(db, &node);
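Review bot: As in add_soa, `dns_rdatalist_init(&rdatalist)` and `dns_rdataset_init(&rdataset)` have moved below `CHECK(dns_rdata_fromstruct(...))`, so that call's failure path reaches `cleanup:` with both structs uninitialised; the visible part of cleanup only detaches `node`, but anything past the hunk that inspects `rdataset` would read garbage. Keeping the init calls before the first CHECK, or a comment at the label stating they are deliberately skipped, would settle it. add_ns's body starts and ends outside the hunk.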
@@ -2086,6 +2095,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
char **dlzargv;
const cfg_obj_t *disabled;
const cfg_obj_t *obj;
+#ifdef ENABLE_FETCHLIMIT
+ const cfg_obj_t *obj2;
+#endif /* ENABLE_FETCHLIMIT */
const cfg_listelt_t *element;
in_port_t port;
dns_cache_t *cache = NULL;
@@ -2742,6 +2754,55 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
}
dns_adb_setadbsize(view->adb, max_adb_size);
+#ifdef ENABLE_FETCHLIMIT
+ /*
+ * Set up ADB quotas
+ */
+ {
+ isc_uint32_t fps, freq;
+ double low, high, discount;
+
+ obj = NULL;
+ result = ns_config_get(maps, "fetches-per-server", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ obj2 = cfg_tuple_get(obj, "fetches");
+ fps = cfg_obj_asuint32(obj2);
+ obj2 = cfg_tuple_get(obj, "response");
+ if (!cfg_obj_isvoid(obj2)) {
+ const char *resp = cfg_obj_asstring(obj2);
+ isc_result_t r;
+
+ if (strcasecmp(resp, "drop") == 0)
+ r = DNS_R_DROP;
+ else if (strcasecmp(resp, "fail") == 0)
+ r = DNS_R_SERVFAIL;
+ else
+ INSIST(0);
+
+ dns_resolver_setquotaresponse(view->resolver,
+ dns_quotatype_server, r);
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "fetch-quota-params", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+
+ obj2 = cfg_tuple_get(obj, "frequency");
+ freq = cfg_obj_asuint32(obj2);
+
+ obj2 = cfg_tuple_get(obj, "low");
+ low = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+ obj2 = cfg_tuple_get(obj, "high");
+ high = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+ obj2 = cfg_tuple_get(obj, "discount");
+ discount = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
+
+ dns_adb_setquota(view->adb, fps, freq, low, high, discount);
+ }
+#endif /* ENABLE_FETCHLIMIT */
+
/*
* Set resolver's lame-ttl.
*/
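Review bot: The `else INSIST(0);` at L4545–4546 turns an unexpected `fetches-per-server` response keyword into an assertion abort of named at (re)configuration time, and leaves `r` formally uninitialized on that path. Unless the config grammar is guaranteed to admit only `drop`/`fail`, a bad value should be logged and rejected the way the `recursive-clients` range error is handled later in this file, not crash the resolver. The `low`/`high`/`discount` fixed-point values are also handed to `dns_adb_setquota` with no visible range check (low ≤ high, discount ≤ 1); if named-checkconf enforces that, a comment saying so would help.
```c
			else if (strcasecmp(resp, "fail") == 0)
				r = DNS_R_SERVFAIL;
			else {
				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
					      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
					      "fetches-per-server: unknown "
					      "response '%s'", resp);
				CHECK(ISC_R_FAILURE);
			}
			/* … unchanged: dns_resolver_setquotaresponse() call … */
```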
@@ -3169,6 +3230,29 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS);
dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
+#ifdef ENABLE_FETCHLIMIT
+ obj = NULL;
+ result = ns_config_get(maps, "fetches-per-zone", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ obj2 = cfg_tuple_get(obj, "fetches");
+ dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
+ obj2 = cfg_tuple_get(obj, "response");
+ if (!cfg_obj_isvoid(obj2)) {
+ const char *resp = cfg_obj_asstring(obj2);
+ isc_result_t r;
+
+ if (strcasecmp(resp, "drop") == 0)
+ r = DNS_R_DROP;
+ else if (strcasecmp(resp, "fail") == 0)
+ r = DNS_R_SERVFAIL;
+ else
+ INSIST(0);
+
+ dns_resolver_setquotaresponse(view->resolver,
+ dns_quotatype_zone, r);
+ }
+#endif /* ENABLE_FETCHLIMIT */
+
#ifdef ALLOW_FILTER_AAAA_ON_V4
obj = NULL;
result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
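Review bot: This block repeats the `fetches-per-server` response parsing from earlier in configure_view almost verbatim, including the `else INSIST(0);` at L4593–4594 that aborts named on an unexpected keyword. A small static helper along the lines of `configure_quota_response(view->resolver, quotatype, obj2)` that maps `drop`/`fail` to `DNS_R_DROP`/`DNS_R_SERVFAIL` and returns an error (rather than asserting) for anything else would remove the duplication and give both options the same failure behaviour. `dns_resolver_setquotaresponse` would then be called from one place only.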
@@ -3259,18 +3343,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "root-delegation-only", &obj);
- if (result == ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ dns_view_setrootdelonly(view, ISC_TRUE);
+ if (result == ISC_R_SUCCESS && ! cfg_obj_isvoid(obj)) {
+ const cfg_obj_t *exclude;
dns_fixedname_t fixed;
dns_name_t *name;
- const cfg_obj_t *exclude;
-
- dns_view_setrootdelonly(view, ISC_TRUE);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
for (element = cfg_list_first(obj);
element != NULL;
- element = cfg_list_next(element)) {
+ element = cfg_list_next(element))
+ {
exclude = cfg_listelt_value(element);
CHECK(dns_name_fromstring(name,
cfg_obj_asstring(exclude),
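Review bot: The two back-to-back tests of the same `result` at L4608 and L4610 read as if `dns_view_setrootdelonly` and the exclude loop were independent; nesting the exclude handling inside one `if (result == ISC_R_SUCCESS) { dns_view_setrootdelonly(view, ISC_TRUE); if (!cfg_obj_isvoid(obj)) { … } }` keeps the single-statement `if` braced and makes it obvious that the exclude list is optional. A comment such as `/* root-delegation-only with no exclude list is valid */` would explain the void case, which appears to be the behavioural change in this hunk. The loop body and its `CHECK` continue outside the hunk.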
@@ -4921,6 +5006,9 @@ load_configuration(const char *filename, ns_server_t *server,
ns_cachelist_t cachelist, tmpcachelist;
struct cfg_context *nzctx;
unsigned int maxsocks;
+#ifdef ENABLE_FETCHLIMIT
+ isc_uint32_t softquota = 0;
+#endif /* ENABLE_FETCHLIMIT */
ISC_LIST_INIT(viewlist);
ISC_LIST_INIT(builtin_viewlist);
@@ -5082,11 +5170,30 @@ load_configuration(const char *filename, ns_server_t *server,
configure_server_quota(maps, "tcp-clients", &server->tcpquota);
configure_server_quota(maps, "recursive-clients",
&server->recursionquota);
- if (server->recursionquota.max > 1000)
+
+#ifdef ENABLE_FETCHLIMIT
+ if (server->recursionquota.max > 1000) {
+ int margin = ISC_MAX(100, ns_g_cpus + 1);
+ if (margin > server->recursionquota.max - 100) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "'recursive-clients %d' too low when "
+ "running with %d worker threads",
+ server->recursionquota.max, ns_g_cpus);
+ CHECK(ISC_R_RANGE);
+ }
+ softquota = server->recursionquota.max - margin;
+ } else
+ softquota = (server->recursionquota.max * 90) / 100;
+
+ isc_quota_soft(&server->recursionquota, softquota);
+#else
+ if (server->recursionquota.max > 1000) {
isc_quota_soft(&server->recursionquota,
server->recursionquota.max - 100);
- else
+ } else
isc_quota_soft(&server->recursionquota, 0);
+#endif /* !ENABLE_FETCHLIMIT */
CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
ns_g_aclconfctx, ns_g_mctx,
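Review bot: In the ENABLE_FETCHLIMIT build the `else` at L4654–4655 now sets a soft quota of 90% for `recursive-clients` ≤ 1000, whereas the non-fetchlimit build (L4663–4664) still uses 0, i.e. no soft limit; that is a behaviour change for small deployments — older recursing clients start being spilled earlier — and deserves a comment here and a mention in the option documentation. `%d` at L4649 assumes `recursionquota.max` is an `int`; if the quota field is an `isc_uint32_t` the format should be `%u`. The `#endif /* !ENABLE_FETCHLIMIT */` label at L4665 closes an `#ifdef ENABLE_FETCHLIMIT`, so the `!` reads oddly.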
@@ -5784,6 +5891,8 @@ load_configuration(const char *filename, ns_server_t *server,
if (view != NULL)
dns_view_detach(&view);
+ ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
+
/*
* This cleans up either the old production view list
* or our temporary list depending on whether they
@@ -6464,25 +6573,6 @@ reload(ns_server_t *server) {
return (result);
}
-static void
-reconfig(ns_server_t *server) {
- isc_result_t result;
- CHECK(loadconfig(server));
-
- result = load_new_zones(server, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "any newly configured zones are now loaded");
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "loading new zones failed: %s",
- isc_result_totext(result));
-
- cleanup: ;
-}
-
/*
* Handle a reload event (from SIGHUP).
*/
@@ -6720,11 +6810,23 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
* Act on a "reconfig" command from the command channel.
*/
isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args) {
- UNUSED(args);
+ns_server_reconfigcommand(ns_server_t *server) {
+ isc_result_t result;
- reconfig(server);
- return (ISC_R_SUCCESS);
+ CHECK(loadconfig(server));
+
+ result = load_new_zones(server, ISC_FALSE);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "any newly configured zones are now loaded");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "loading new zones failed: %s",
+ isc_result_totext(result));
+cleanup:
+ return (result);
}
/*
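Review bot: `ns_server_reconfigcommand` now returns the `load_new_zones` result to the control channel instead of an unconditional ISC_R_SUCCESS, so `rndc reconfig` reports failure even though the new configuration itself was loaded; that contract change is worth a comment above the function, e.g. `/* Returns the result of loading new zones; a failed loadconfig() is returned via CHECK */`, and the control.c caller must be updated for the dropped `args` parameter (the diffstat shows control.c changed). A `loadconfig` failure goes straight to `cleanup:` without a log line in this function, so confirm that `loadconfig` logs its own errors.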
@@ -7061,10 +7163,17 @@ dumpdone(void *arg, isc_result_t result) {
goto cleanup;
}
}
+
+ if ((dctx->dumpadb || dctx->dumpbad) &&
+ dctx->cache == NULL && dctx->view->view->cachedb != NULL)
+ dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+
if (dctx->cache != NULL) {
- dns_adb_dump(dctx->view->view->adb, dctx->fp);
- dns_resolver_printbadcache(dctx->view->view->resolver,
- dctx->fp);
+ if (dctx->dumpadb)
+ dns_adb_dump(dctx->view->view->adb, dctx->fp);
+ if (dctx->dumpbad)
+ dns_resolver_printbadcache(dctx->view->view->resolver,
+ dctx->fp);
dns_db_detach(&dctx->cache);
}
if (dctx->dumpzones) {
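Review bot: At L4732–4734 a reference to `cachedb` is attached solely so that the `if (dctx->cache != NULL)` below can stand for "this view has a cache", and the ADB/badcache dump is therefore silently skipped for any view without a cache database even when `-adb` or `-bad` was explicitly requested. Testing `dctx->view->view->cachedb != NULL` directly avoids the attach/detach pair and makes the condition say what it means; if `dns_resolver_printbadcache` really only needs a resolver, that is the pointer to test. A comment such as `/* adb and badcache exist only for views that resolve; skip others */` would document the intended skip. The surrounding dumpdone logic continues outside the hunk.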
@@ -7148,6 +7257,8 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
dctx->mctx = server->mctx;
dctx->dumpcache = ISC_TRUE;
+ dctx->dumpadb = ISC_TRUE;
+ dctx->dumpbad = ISC_TRUE;
dctx->dumpzones = ISC_FALSE;
dctx->fp = NULL;
ISC_LIST_INIT(dctx->viewlist);
@@ -7171,17 +7282,31 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
ptr = next_token(&args, " \t");
if (ptr != NULL && strcmp(ptr, "-all") == 0) {
+ /* also dump zones */
dctx->dumpzones = ISC_TRUE;
- dctx->dumpcache = ISC_TRUE;
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
- dctx->dumpzones = ISC_FALSE;
- dctx->dumpcache = ISC_TRUE;
+ /* this is the default */
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
+ /* only dump zones, suppress caches */
+ dctx->dumpadb = ISC_FALSE;
+ dctx->dumpbad = ISC_FALSE;
+ dctx->dumpcache = ISC_FALSE;
dctx->dumpzones = ISC_TRUE;
+ ptr = next_token(&args, " \t");
+#ifdef ENABLE_FETCHLIMIT
+ } else if (ptr != NULL && strcmp(ptr, "-adb") == 0) {
+ /* only dump adb, suppress other caches */
+ dctx->dumpbad = ISC_FALSE;
dctx->dumpcache = ISC_FALSE;
ptr = next_token(&args, " \t");
+ } else if (ptr != NULL && strcmp(ptr, "-bad") == 0) {
+ /* only dump badcache, suppress other caches */
+ dctx->dumpadb = ISC_FALSE;
+ dctx->dumpcache = ISC_FALSE;
+ ptr = next_token(&args, " \t");
+#endif /* ENABLE_FETCHLIMIT */
}
nextview:
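Review bot: The `-adb` and `-bad` options at L4776–4786 are compiled only under ENABLE_FETCHLIMIT, yet the `dumpadb`/`dumpbad` fields they set and their handling in dumpdone are unconditional; in a build without fetch limits `rndc dumpdb -adb` falls through to `nextview:` with `ptr` still `"-adb"`, so it is presumably treated as a view name and fails confusingly rather than as an unknown option. Either drop the `#ifdef` around these two branches, since nothing in them depends on fetch-limit code, or add a final `else if (ptr != NULL && *ptr == '-')` branch that rejects unknown dash options explicitly, releasing `dctx` the way the existing error paths do. The `nextview:` handling lies outside the hunk.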
@@ -7275,11 +7400,26 @@ isc_result_t
ns_server_dumprecursing(ns_server_t *server) {
FILE *fp = NULL;
isc_result_t result;
+#ifdef ENABLE_FETCHLIMIT
+ dns_view_t *view;
+#endif /* ENABLE_FETCHLIMIT */
CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
"could not open dump file", server->recfile);
- fprintf(fp,";\n; Recursing Queries\n;\n");
+ fprintf(fp, ";\n; Recursing Queries\n;\n");
ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
+
+#ifdef ENABLE_FETCHLIMIT
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ fprintf(fp, ";\n; Active fetch domains [view: %s]\n;\n",
+ view->name);
+ dns_resolver_dumpfetches(view->resolver, fp);
+ }
+#endif /* ENABLE_FETCHLIMIT */
+
fprintf(fp, "; Dump complete\n");
cleanup:
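Review bot: The loop at L4803–4810 calls `dns_resolver_dumpfetches(view->resolver, fp)` for every view on `server->viewlist` without checking `view->resolver`; if any view can exist without a resolver this dereferences NULL during `rndc recursing`, so either an `if (view->resolver != NULL)` guard or a comment stating that every configured view owns a resolver is warranted. It also walks the live view list from a control command; if reconfiguration can replace `server->viewlist` concurrently — I cannot tell from here — the walk needs the same serialization the other rndc commands use.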
@@ -7632,7 +7772,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
n = snprintf((char *)isc_buffer_used(text),
isc_buffer_availablelength(text),
- "version: %s%s%s%s <id:%s>\n"
+ "version: %s %s%s%s <id:%s>%s%s%s\n"
#ifdef ISC_PLATFORM_USETHREADS
"CPUs found: %u\n"
"worker threads: %u\n"
@@ -7647,7 +7787,9 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
"recursive clients: %d/%d/%d\n"
"tcp clients: %d/%d\n"
"server is up and running",
- ns_g_version, ob, alt, cb, ns_g_srcid,
+ ns_g_product, ns_g_version,
+ (*ns_g_description != '\0') ? " " : "",
+ ns_g_description, ns_g_srcid, ob, alt, cb,
#ifdef ISC_PLATFORM_USETHREADS
ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp,
#endif
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 8ec08d7b19598..4bfd52176a9ae 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: statschannel.c,v 1.28 2011/03/12 04:59:46 tbox Exp $ */
-
/*! \file */
#include <config.h>
@@ -123,6 +121,8 @@ set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
const char *xdesc, const char **xdescs)
{
REQUIRE(counter < maxcounter);
+if (fdescs[counter] != NULL)
+fprintf(stderr, "fdescs[%d] == %s\n", counter, fdescs[counter]);
REQUIRE(fdescs[counter] == NULL);
#ifdef HAVE_LIBXML2
REQUIRE(xdescs[counter] == NULL);
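Review bot: L4856–4857 add an unindented `fprintf(stderr, ...)` immediately before `REQUIRE(fdescs[counter] == NULL)`; this is leftover debugging output in a daemon whose stderr is normally closed, and it cannot help in production because the assertion that follows aborts anyway. Delete the two lines, or, if duplicate-description detection is meant to be diagnosable at runtime, route it through `isc_log_write` with the counter index so it lands in the named log before the REQUIRE fires.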
@@ -168,7 +168,7 @@ init_desc(void) {
SET_NSSTATDESC(sig0in, "requests with SIG(0) received", "ReqSIG0");
SET_NSSTATDESC(invalidsig, "requests with invalid signature",
"ReqBadSIG");
- SET_NSSTATDESC(tcp, "TCP requests received", "ReqTCP");
+ SET_NSSTATDESC(requesttcp, "TCP requests received", "ReqTCP");
SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
@@ -207,14 +207,32 @@ init_desc(void) {
SET_NSSTATDESC(updatebadprereq,
"updates rejected due to prerequisite failure",
"UpdateBadPrereq");
- SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
- "RPZRewrites");
-#ifdef USE_RRL
+ SET_NSSTATDESC(recursclients, "recursing clients",
+ "RecursClients");
+ SET_NSSTATDESC(dns64, "queries answered by DNS64", "DNS64");
SET_NSSTATDESC(ratedropped, "responses dropped for rate limits",
"RateDropped");
SET_NSSTATDESC(rateslipped, "responses truncated for rate limits",
"RateSlipped");
-#endif /* USE_RRL */
+ SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+ "RPZRewrites");
+ SET_NSSTATDESC(udp, "UDP queries received", "QryUDP");
+ SET_NSSTATDESC(tcp, "TCP queries received", "QryTCP");
+ SET_NSSTATDESC(nsidopt, "NSID option received", "NSIDOpt");
+ SET_NSSTATDESC(expireopt, "Expire option received", "ExpireOpt");
+ SET_NSSTATDESC(otheropt, "Other EDNS option received", "OtherOpt");
+ SET_NSSTATDESC(sitopt, "source identity token option received",
+ "SitOpt");
+ SET_NSSTATDESC(sitnew, "new source identity token requested",
+ "SitNew");
+ SET_NSSTATDESC(sitbadsize, "source identity token - bad size",
+ "SitBadSize");
+ SET_NSSTATDESC(sitbadtime, "source identity token - bad time",
+ "SitBadTime");
+ SET_NSSTATDESC(sitnomatch, "source identity token - no match",
+ "SitNoMatch");
+ SET_NSSTATDESC(sitmatch, "source identity token - match", "SitMatch");
+ SET_NSSTATDESC(ecsopt, "EDNS client subnet option recieved", "ECSOpt");
INSIST(i == dns_nsstatscounter_max);
/* Initialize resolver statistics */
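Review bot: The `ecsopt` description at L4903 misspells "received" as `recieved`; this string is what the file-format statistics dump emits, so change it to `SET_NSSTATDESC(ecsopt, "EDNS client subnet option received", "ECSOpt");` before it leaks into monitoring dashboards. Note also that `INSIST(i == dns_nsstatscounter_max)` at L4904 verifies only the count: adding one `SET_NSSTATDESC` while dropping another passes it and leaves a NULL description, so a comment that this list must be kept in sync with the `dns_nsstatscounter_*` enum would help.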
@@ -285,6 +303,10 @@ init_desc(void) {
SET_RESSTATDESC(queryrtt5, "queries with RTT > "
DNS_RESOLVER_QRYRTTCLASS4STR "ms",
"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR "+");
+ SET_RESSTATDESC(zonequota, "spilled due to zone quota", "ZoneQuota");
+ SET_RESSTATDESC(serverquota, "spilled due to server quota",
+ "ServerQuota");
+
INSIST(i == dns_resstatscounter_max);
/* Initialize zone statistics */
@@ -495,7 +517,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
const char *category, const char **desc, int ncounters,
int *indices, isc_uint64_t *values, int options)
{
- int i, index;
+ int i, idx;
isc_uint64_t value;
stats_dumparg_t dumparg;
FILE *fp;
@@ -517,8 +539,8 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
isc_stats_dump(stats, generalstat_dump, &dumparg, options);
for (i = 0; i < ncounters; i++) {
- index = indices[i];
- value = values[index];
+ idx = indices[i];
+ value = values[idx];
if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0)
continue;
@@ -527,7 +549,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
case statsformat_file:
fp = arg;
fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n",
- value, desc[index]);
+ value, desc[idx]);
break;
case statsformat_xml:
#ifdef HAVE_LIBXML2
@@ -545,7 +567,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
"name"));
TRY0(xmlTextWriterWriteString(writer,
ISC_XMLCHAR
- desc[index]));
+ desc[i]));
TRY0(xmlTextWriterEndElement(writer));
/* </name> */
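Review bot: L4948 changes the XML `<name>` text from `desc[index]` to `desc[i]`, and L4956 in the next hunk does the same for the `name` attribute, while the file-format path (L4938–4939) and the remaining XML branches (L4965, L4973) were renamed to `desc[idx]`. `i` is the position in the `indices[]` permutation and `idx` is the counter number that `values[idx]` is read with (L4930–4931); unless `desc` is meant to be positional only in these two branches, the XML output now pairs counter `idx`'s value with counter `i`'s name whenever `indices` is not the identity. Please confirm which indexing is intended and, if `idx` is correct, restore `desc[idx]` on both lines.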
@@ -569,7 +591,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
ISC_XMLCHAR
"name",
ISC_XMLCHAR
- desc[index]));
+ desc[i]));
TRY0(xmlTextWriterWriteFormatString(writer,
"%" ISC_PRINT_QUADFORMAT "u", value));
TRY0(xmlTextWriterEndElement(writer));
@@ -587,7 +609,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
"name"));
TRY0(xmlTextWriterWriteString(writer,
ISC_XMLCHAR
- desc[index]));
+ desc[idx]));
TRY0(xmlTextWriterEndElement(writer)); /* name */
TRY0(xmlTextWriterStartElement(writer,
@@ -596,7 +618,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
} else {
TRY0(xmlTextWriterStartElement(writer,
ISC_XMLCHAR
- desc[index]));
+ desc[idx]));
}
TRY0(xmlTextWriterWriteFormatString(writer,
"%"
@@ -893,7 +915,6 @@ static isc_result_t
zone_xmlrender(dns_zone_t *zone, void *arg) {
isc_result_t result;
char buf[1024 + 32]; /* sufficiently large for zone name and class */
- char *zone_name_only = NULL;
dns_rdataclass_t rdclass;
isc_uint32_t serial;
xmlTextWriterPtr writer = arg;
@@ -912,13 +933,11 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
dumparg.arg = writer;
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
- dns_zone_name(zone, buf, sizeof(buf));
- zone_name_only = strtok(buf, "/");
- if(zone_name_only == NULL)
- zone_name_only = buf;
+ dns_zone_nameonly(zone, buf, sizeof(buf));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
- ISC_XMLCHAR zone_name_only));
+ ISC_XMLCHAR buf));
+
rdclass = dns_zone_getclass(zone);
dns_rdataclass_format(rdclass, buf, sizeof(buf));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
@@ -990,7 +1009,7 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
- dns_zone_name(zone, buf, sizeof(buf));
+ dns_zone_nameonly(zone, buf, sizeof(buf));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
TRY0(xmlTextWriterEndElement(writer));
@@ -1058,7 +1077,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.ver3.xsl\""));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
- ISC_XMLCHAR "3.3"));
+ ISC_XMLCHAR "3.6"));
/* Set common fields for statistics dump */
dumparg.type = statsformat_xml;
diff --git a/bin/named/update.c b/bin/named/update.c
index a526b02a10247..badf8fe1081f7 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -3017,6 +3017,19 @@ update_action(isc_task_t *task, isc_event_t *event) {
goto failure;
}
}
+ if (! ISC_LIST_EMPTY(diff.tuples)) {
+ result = dns_zone_cdscheck(zone, db, ver);
+ if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update rejected: bad %s RRset",
+ result == DNS_R_BADCDS ? "CDS" : "CDNSKEY");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ }
/*
* If any changes were made, increment the SOA serial number,
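Review bot: When `dns_zone_cdscheck` returns something other than success or the two BADCDS/BADCDNSKEY codes, L5039–5040 jump to `failure` without any `update_log`, so a transient failure in the CDS/CDNSKEY consistency check is indistinguishable in the log from the other rejections of this update; add `update_log(client, zone, LOGLEVEL_PROTOCOL, "CDS/CDNSKEY check failed: %s", isc_result_totext(result));` before that `goto failure` unless the `failure:` label (outside this hunk) already logs the result. A comment that the check is deliberately skipped when `diff.tuples` is empty, because an update with no effective change cannot have altered those RRsets, would also help; the stray blank line before the closing brace at L5041 can go.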
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index a0a617d14c124..f8535b21ea7bf 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -135,6 +135,7 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
dns_rdataset_t rds;
dns_rdata_t rd = DNS_RDATA_INIT;
+ dns_rdatalist_init(&rdl);
rdl.type = rdata->type;
rdl.rdclass = rdata->rdclass;
rdl.ttl = ttl;
@@ -143,8 +144,6 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
rdl.covers = dns_rdata_covers(rdata);
else
rdl.covers = dns_rdatatype_none;
- ISC_LIST_INIT(rdl.rdata);
- ISC_LINK_INIT(&rdl, link);
dns_rdataset_init(&rds);
dns_rdata_init(&rd);
dns_rdata_clone(rdata, &rd);
@@ -1420,8 +1419,6 @@ sendstream(xfrout_ctx_t *xfr) {
msgrdl->covers = dns_rdata_covers(rdata);
else
msgrdl->covers = dns_rdatatype_none;
- ISC_LINK_INIT(msgrdl, link);
- ISC_LIST_INIT(msgrdl->rdata);
ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
result = dns_message_gettemprdataset(msg, &msgrds);
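Review bot: Removing `ISC_LINK_INIT(msgrdl, link)` and `ISC_LIST_INIT(msgrdl->rdata)` at L5076–5077 means the `ISC_LIST_APPEND` on the next line now relies on `dns_message_gettemprdatalist()` having initialized the list, the same assumption the nsupdate.c hunks in this commit make; that call is outside this hunk, so please confirm it performs `dns_rdatalist_init()` in this tree, otherwise APPEND walks an uninitialized tail pointer on every transferred RR. A one-line comment on the gettemprdatalist call, `/* returns a dns_rdatalist_init()ed list */`, would document the contract for the next reader.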
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index c46d023e8e815..28d5f42d78343 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,7 +33,7 @@
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\-L\ \fR\fB\fIlevel\fR\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [filename]
.SH "DESCRIPTION"
.PP
\fBnsupdate\fR
@@ -47,79 +47,48 @@ The resource records that are dynamically added or removed with
\fBnsupdate\fR
have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
.PP
-The
-\fB\-d\fR
-option makes
-\fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
-.PP
-The
-\fB\-D\fR
-option makes
-\fBnsupdate\fR
-report additional debugging information to
-\fB\-d\fR.
-.PP
-The
-\fB\-L\fR
-option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645.
.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645. TSIG relies on a shared secret that should only be known to
+TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
+and the name server. For instance, suitable
\fBkey\fR
and
\fBserver\fR
statements would be added to
\fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
+so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. You can use
+\fBddns\-confgen\fR
+to generate suitable configuration fragments.
\fBnsupdate\fR
-does not read
-\fI/etc/named.conf\fR.
+uses the
+\fB\-y\fR
+or
+\fB\-k\fR
+options to provide the TSIG shared secret. These options are mutually exclusive.
+.PP
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
.PP
GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched on with the
\fB\-g\fR
flag. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
\fB\-o\fR
flag.
+.SH "OPTIONS"
.PP
-\fBnsupdate\fR
-uses the
-\fB\-y\fR
-or
-\fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive.
+\-d
+.RS 4
+Debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
+.RE
.PP
-When the
-\fB\-y\fR
-option is used, a signature is generated from
-[\fIhmac:\fR]\fIkeyname:secret.\fR
-\fIkeyname\fR
-is the name of the key, and
-\fIsecret\fR
-is the base64 encoded shared secret.
-\fIhmac\fR
-is the name of the key algorithm; valid choices are
-hmac\-md5,
-hmac\-sha1,
-hmac\-sha224,
-hmac\-sha256,
-hmac\-sha384, or
-hmac\-sha512. If
-\fIhmac\fR
-is not specified, the default is
-hmac\-md5. NOTE: Use of the
-\fB\-y\fR
-option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1)
-or in a history file maintained by the user's shell.
+\-D
+.RS 4
+Extra debug mode.
+.RE
.PP
-With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR. Keyfiles may be in two formats: a single file containing a
+\-k \fIkeyfile\fR
+.RS 4
+The file containing the TSIG authentication key. Keyfiles may be in two formats: a single file containing a
\fInamed.conf\fR\-format
\fBkey\fR
statement, which may be generated automatically by
@@ -130,11 +99,11 @@ and
\fBdnssec\-keygen\fR. The
\fB\-k\fR
may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
+.RE
.PP
-\fBnsupdate\fR
-can be run in a local\-host only mode using the
-\fB\-l\fR
-flag. This sets the server address to localhost (disabling the
+\-l
+.RS 4
+Local\-host only mode. This sets the server address to localhost (disabling the
\fBserver\fR
so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
\fI/var/run/named/session.key\fR, which is automatically generated by
@@ -145,44 +114,81 @@ to
\fBlocal\fR. The location of this key file can be overridden with the
\fB\-k\fR
option.
+.RE
.PP
-By default,
-\fBnsupdate\fR
-uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
-\fB\-v\fR
-option makes
-\fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
-.PP
-The
-\fB\-p\fR
-sets the default port number to use for connections to a name server. The default is 53.
-.PP
-The
-\fB\-t\fR
-option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
+\-L \fIlevel\fR
+.RS 4
+Set the logging debug level. If zero, logging is disabled.
+.RE
.PP
-The
-\fB\-u\fR
-option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
+\-p \fIport\fR
+.RS 4
+Set the port to use for connections to a name server. The default is 53.
+.RE
.PP
-The
-\fB\-r\fR
-option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
+\-r \fIudpretries\fR
+.RS 4
+The number of UDP retries. The default is 3. If zero, only one update request will be made.
+.RE
.PP
-The
-\fB\-R \fR\fB\fIrandomdev\fR\fR
-option specifies a source of randomness. If the operating system does not provide a
+\-R \fIrandomdev\fR
+.RS 4
+Where to obtain randomness. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used. This option may be specified multiple times.
+.RE
+.PP
+\-t \fItimeout\fR
+.RS 4
+The maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
+.RE
.PP
-The \-V option causes
+\-u \fIudptimeout\fR
+.RS 4
+The UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
+.RE
+.PP
+\-v
+.RS 4
+Use TCP even for small update requests. By default,
\fBnsupdate\fR
-to print the version number and exit.
+uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. TCP may be preferable when a batch of update requests is made.
+.RE
+.PP
+\-V
+.RS 4
+Print the version number and exit.
+.RE
+.PP
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Literal TSIG authentication key.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5.
+.sp
+NOTE: Use of the
+\fB\-y\fR
+option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
+\fBps\fR(1)
+or in a history file maintained by the user's shell.
+.RE
.SH "INPUT FORMAT"
.PP
\fBnsupdate\fR
@@ -463,7 +469,7 @@ RFC 2931,
.PP
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index a68b00e0b9d71..bf907f1580fbd 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -106,7 +106,7 @@ extern int h_errno;
#endif
#endif
-#define MAXCMD (4 * 1024)
+#define MAXCMD (128 * 1024)
#define MAXWIRE (64 * 1024)
#define PACKETSIZE ((64 * 1024) - 1)
#define INITTEXT (2 * 1024)
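Review bot: Raising `MAXCMD` from 4 KiB to 128 KiB at L5345 changes the size of every buffer declared with it; if any of them is an automatic array inside a parsing function — not visible in this hunk — that is now 128 KiB of stack per frame, which matters under thread stack limits. A comment on the define giving the reason for the new limit, and a check that its consumers are static or heap-allocated, would make this safe to merge.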
@@ -1332,7 +1332,6 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
check_result(result, "dns_message_gettemprdatalist");
result = dns_message_gettemprdataset(updatemsg, &rdataset);
check_result(result, "dns_message_gettemprdataset");
- dns_rdatalist_init(rdatalist);
rdatalist->type = rdatatype;
if (ispositive) {
if (isrrset && rdata->data != NULL)
@@ -1341,11 +1340,8 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
rdatalist->rdclass = dns_rdataclass_any;
} else
rdatalist->rdclass = dns_rdataclass_none;
- rdatalist->covers = 0;
- rdatalist->ttl = 0;
rdata->rdclass = rdatalist->rdclass;
rdata->type = rdatatype;
- ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
dns_rdataset_init(rdataset);
dns_rdatalist_tordataset(rdatalist, rdataset);
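Review bot: Dropping `rdatalist->covers = 0;` and `rdatalist->ttl = 0;` at L5361–5362 (together with the `dns_rdatalist_init` call removed in the previous hunk) makes a prerequisite's TTL and covers depend on whatever `dns_message_gettemprdatalist()` hands back; prerequisites must carry TTL 0 per RFC 2136, so this is only correct if that call zero-initializes the list. Please confirm, and add a comment at the gettemprdatalist call: `/* gettemprdatalist returns an initialized list: ttl 0, covers 0, empty rdata */`.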
@@ -1838,12 +1834,10 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
check_result(result, "dns_message_gettemprdatalist");
result = dns_message_gettemprdataset(updatemsg, &rdataset);
check_result(result, "dns_message_gettemprdataset");
- dns_rdatalist_init(rdatalist);
rdatalist->type = rdatatype;
rdatalist->rdclass = rdataclass;
rdatalist->covers = rdatatype;
rdatalist->ttl = (dns_ttl_t)ttl;
- ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
dns_rdataset_init(rdataset);
dns_rdatalist_tordataset(rdatalist, rdataset);
@@ -2197,6 +2191,7 @@ update_completed(isc_task_t *task, isc_event_t *event) {
dns_request_destroy(&request);
dns_message_renderreset(updatemsg);
dns_message_settsigkey(updatemsg, NULL);
+ /* XXX MPA fix zonename is freed already */
send_update(zname, &master_servers[master_inuse]);
isc_event_free(&event);
return;
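Review bot: The comment added at L5386, `/* XXX MPA fix zonename is freed already */`, documents a use-after-free on the retry path — `send_update(zname, ...)` is called against the next master with a `zname` the comment says has already been freed — but the commit ships the comment rather than the fix. A dangling `zname` means the retried update is built from freed memory, so this should be fixed before merge (keep `zname` alive until every master has been tried, or re-derive it from `userzone`/the SOA before calling `send_update`), or at minimum the comment turned into a tracked TODO that names which free is meant. The `update_completed` body continues outside the hunk.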
@@ -2499,6 +2494,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_name_init(&master, NULL);
dns_name_clone(&soa.origin, &master);
+ /*
+ * XXXMPA
+ */
if (userzone != NULL)
zname = userzone;
else
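Review bot: The `/* XXXMPA */` comment at L5393–5395 carries no information beyond an author tag; it sits right above the `zname = userzone` assignment that the use-after-free note in update_completed refers to, so if that is the concern, say so: `/* XXXMPA: zname may be freed before update_completed() retries send_update(); see that function */`. An empty marker is noise for everyone who is not MPA and should be completed or removed.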
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index e0f53e2a24c94..b973c1f693e9e 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -1,8 +1,8 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -44,6 +44,7 @@
<year>2011</year>
<year>2012</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -60,12 +61,13 @@
<command>nsupdate</command>
<arg><option>-d</option></arg>
<arg><option>-D</option></arg>
+ <arg><option>-L <replaceable class="parameter">level</replaceable></option></arg>
<group>
<arg><option>-g</option></arg>
<arg><option>-o</option></arg>
<arg><option>-l</option></arg>
- <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
- <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
+ <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
+ <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
@@ -103,43 +105,30 @@
This is identified by the MNAME field of the zone's SOA record.
</para>
<para>
- The
- <option>-d</option>
- option makes
- <command>nsupdate</command>
- operate in debug mode.
- This provides tracing information about the update requests that are
- made and the replies received from the name server.
- </para>
- <para>
- The <option>-D</option> option makes <command>nsupdate</command>
- report additional debugging information to <option>-d</option>.
- </para>
- <para>
- The <option>-L</option> option with an integer argument of zero or
- higher sets the logging debug level. If zero, logging is disabled.
- </para>
- <para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
- RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
+ RFC 2931 or GSS-TSIG as described in RFC 3645.
+ </para>
+ <para>
+ TSIG relies on
a shared secret that should only be known to
- <command>nsupdate</command> and the name server. Currently,
- the only supported encryption algorithm for TSIG is HMAC-MD5,
- which is defined in RFC 2104. Once other algorithms are
- defined for TSIG, applications will need to ensure they select
- the appropriate algorithm as well as the key when authenticating
- each other. For instance, suitable <type>key</type> and
+ <command>nsupdate</command> and the name server.
+ For instance, suitable <type>key</type> and
<type>server</type> statements would be added to
<filename>/etc/named.conf</filename> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
- TSIG authentication. SIG(0) uses public key cryptography.
+ TSIG authentication. You can use <command>ddns-confgen</command>
+ to generate suitable configuration fragments.
+ <command>nsupdate</command>
+ uses the <option>-y</option> or <option>-k</option> options
+ to provide the TSIG shared secret. These options are mutually exclusive.
+ </para>
+ <para>
+ SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
- <command>nsupdate</command> does not read
- <filename>/etc/named.conf</filename>.
</para>
<para>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
@@ -147,108 +136,183 @@
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <option>-o</option> flag.
</para>
- <para><command>nsupdate</command>
- uses the <option>-y</option> or <option>-k</option> option
- to provide the shared secret needed to generate a TSIG record
- for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive.
- </para>
- <para>
- When the <option>-y</option> option is used, a signature is
- generated from
- <optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
- <parameter>keyname</parameter> is the name of the key, and
- <parameter>secret</parameter> is the base64 encoded shared secret.
- <parameter>hmac</parameter> is the name of the key algorithm;
- valid choices are <literal>hmac-md5</literal>,
- <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
- <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
- <literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
- is not specified, the default is <literal>hmac-md5</literal>.
- NOTE: Use of the <option>-y</option> option is discouraged because the
- shared secret is supplied as a command line argument in clear text.
- This may be visible in the output from
- <citerefentry>
- <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>
- or in a history file maintained by the user's shell.
- </para>
- <para>
- With the
- <option>-k</option> option, <command>nsupdate</command> reads
- the shared secret from the file <parameter>keyfile</parameter>.
- Keyfiles may be in two formats: a single file containing
- a <filename>named.conf</filename>-format <command>key</command>
- statement, which may be generated automatically by
- <command>ddns-confgen</command>, or a pair of files whose names are
- of the format <filename>K{name}.+157.+{random}.key</filename> and
- <filename>K{name}.+157.+{random}.private</filename>, which can be
- generated by <command>dnssec-keygen</command>.
- The <option>-k</option> may also be used to specify a SIG(0) key used
- to authenticate Dynamic DNS update requests. In this case, the key
- specified is not an HMAC-MD5 key.
- </para>
- <para>
- <command>nsupdate</command> can be run in a local-host only mode
- using the <option>-l</option> flag. This sets the server address to
- localhost (disabling the <command>server</command> so that the server
- address cannot be overridden). Connections to the local server will
- use a TSIG key found in <filename>/var/run/named/session.key</filename>,
- which is automatically generated by <command>named</command> if any
- local master zone has set <command>update-policy</command> to
- <command>local</command>. The location of this key file can be
- overridden with the <option>-k</option> option.
- </para>
- <para>
- By default, <command>nsupdate</command>
- uses UDP to send update requests to the name server unless they are too
- large to fit in a UDP request in which case TCP will be used.
- The
- <option>-v</option>
- option makes
- <command>nsupdate</command>
- use a TCP connection.
- This may be preferable when a batch of update requests is made.
- </para>
- <para>
- The <option>-p</option> sets the default port number to use for
- connections to a name server. The default is 53.
- </para>
- <para>
- The <option>-t</option> option sets the maximum time an update request
- can
- take before it is aborted. The default is 300 seconds. Zero can be
- used
- to disable the timeout.
- </para>
- <para>
- The <option>-u</option> option sets the UDP retry interval. The default
- is
- 3 seconds. If zero, the interval will be computed from the timeout
- interval
- and number of UDP retries.
- </para>
- <para>
- The <option>-r</option> option sets the number of UDP retries. The
- default is
- 3. If zero, only one update request will be made.
- </para>
- <para>
- The <option>-R <replaceable
- class="parameter">randomdev</replaceable></option> option
- specifies a source of randomness. If the operating system
- does not provide a <filename>/dev/random</filename> or
- equivalent device, the default source of randomness is keyboard
- input. <filename>randomdev</filename> specifies the name of
- a character device or file containing random data to be used
- instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard input
- should be used. This option may be specified multiple times.
- </para>
- <para>
- The -V option causes <command>nsupdate</command> to print the
- version number and exit.
- </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-d</term>
+ <listitem>
+ <para>
+ Debug mode. This provides tracing information about the
+ update requests that are made and the replies received
+ from the name server.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D</term>
+ <listitem>
+ <para>
+ Extra debug mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyfile</replaceable></term>
+ <listitem>
+ <para>
+ The file containing the TSIG authentication key.
+ Keyfiles may be in two formats: a single file containing
+ a <filename>named.conf</filename>-format <command>key</command>
+ statement, which may be generated automatically by
+ <command>ddns-confgen</command>, or a pair of files whose names are
+ of the format <filename>K{name}.+157.+{random}.key</filename> and
+ <filename>K{name}.+157.+{random}.private</filename>, which can be
+ generated by <command>dnssec-keygen</command>.
+ The <option>-k</option> may also be used to specify a SIG(0) key used
+ to authenticate Dynamic DNS update requests. In this case, the key
+ specified is not an HMAC-MD5 key.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l</term>
+ <listitem>
+ <para>
+ Local-host only mode. This sets the server address to
+ localhost (disabling the <command>server</command> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <filename>/var/run/named/session.key</filename>,
+ which is automatically generated by <command>named</command> if any
+ local master zone has set <command>update-policy</command> to
+ <command>local</command>. The location of this key file can be
+ overridden with the <option>-k</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-L <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Set the logging debug level. If zero, logging is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Set the port to use for connections to a name server. The
+ default is 53.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">udpretries</replaceable></term>
+ <listitem>
+ <para>
+ The number of UDP retries. The default is 3. If zero, only
+ one update request will be made.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Where to obtain randomness. If the operating system
+ does not provide a <filename>/dev/random</filename> or
+ equivalent device, the default source of randomness is keyboard
+ input. <filename>randomdev</filename> specifies the name of
+ a character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used. This option may be specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">timeout</replaceable></term>
+ <listitem>
+ <para>
+ The maximum time an update request can take before it is
+ aborted. The default is 300 seconds. Zero can be used to
+ disable the timeout.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u <replaceable class="parameter">udptimeout</replaceable></term>
+ <listitem>
+ <para>
+ The UDP retry interval. The default is 3 seconds. If zero,
+ the interval will be computed from the timeout interval and
+ number of UDP retries.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Use TCP even for small update requests.
+ By default, <command>nsupdate</command>
+ uses UDP to send update requests to the name server unless they are too
+ large to fit in a UDP request in which case TCP will be used.
+ TCP may be preferable when a batch of update requests is made.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-V</term>
+ <listitem>
+ <para>
+ Print the version number and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></term>
+ <listitem>
+ <para>
+ Literal TSIG authentication key.
+ <parameter>keyname</parameter> is the name of the key, and
+ <parameter>secret</parameter> is the base64 encoded shared secret.
+ <parameter>hmac</parameter> is the name of the key algorithm;
+ valid choices are <literal>hmac-md5</literal>,
+ <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
+ <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
+ <literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
+ is not specified, the default is <literal>hmac-md5</literal>.
+ </para>
+ <para>
+ NOTE: Use of the <option>-y</option> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
+ <citerefentry>
+ <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>
+ or in a history file maintained by the user's shell.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
</refsect1>
<refsect1>
@@ -281,382 +345,382 @@
The command formats and their meaning are as follows:
<variablelist>
- <varlistentry>
- <term>
- <command>server</command>
- <arg choice="req">servername</arg>
- <arg choice="opt">port</arg>
- </term>
- <listitem>
- <para>
- Sends all dynamic update requests to the name server
- <parameter>servername</parameter>.
- When no server statement is provided,
- <command>nsupdate</command>
- will send updates to the master server of the correct zone.
- The MNAME field of that zone's SOA record will identify the
- master
- server for that zone.
- <parameter>port</parameter>
- is the port number on
- <parameter>servername</parameter>
- where the dynamic update requests get sent.
- If no port number is specified, the default DNS port number of
- 53 is
- used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>local</command>
- <arg choice="req">address</arg>
- <arg choice="opt">port</arg>
- </term>
- <listitem>
- <para>
- Sends all dynamic update requests using the local
- <parameter>address</parameter>.
-
- When no local statement is provided,
- <command>nsupdate</command>
- will send updates using an address and port chosen by the
- system.
- <parameter>port</parameter>
- can additionally be used to make requests come from a specific
- port.
- If no port number is specified, the system will assign one.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>zone</command>
- <arg choice="req">zonename</arg>
- </term>
- <listitem>
- <para>
- Specifies that all updates are to be made to the zone
- <parameter>zonename</parameter>.
- If no
- <parameter>zone</parameter>
- statement is provided,
- <command>nsupdate</command>
- will attempt determine the correct zone to update based on the
- rest of the input.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>class</command>
- <arg choice="req">classname</arg>
- </term>
- <listitem>
- <para>
- Specify the default class.
- If no <parameter>class</parameter> is specified, the
- default class is
- <parameter>IN</parameter>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>ttl</command>
- <arg choice="req">seconds</arg>
- </term>
- <listitem>
- <para>
- Specify the default time to live for records to be added.
+ <varlistentry>
+ <term>
+ <command>server</command>
+ <arg choice="req">servername</arg>
+ <arg choice="opt">port</arg>
+ </term>
+ <listitem>
+ <para>
+ Sends all dynamic update requests to the name server
+ <parameter>servername</parameter>.
+ When no server statement is provided,
+ <command>nsupdate</command>
+ will send updates to the master server of the correct zone.
+ The MNAME field of that zone's SOA record will identify the
+ master
+ server for that zone.
+ <parameter>port</parameter>
+ is the port number on
+ <parameter>servername</parameter>
+ where the dynamic update requests get sent.
+ If no port number is specified, the default DNS port number of
+ 53 is
+ used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>local</command>
+ <arg choice="req">address</arg>
+ <arg choice="opt">port</arg>
+ </term>
+ <listitem>
+ <para>
+ Sends all dynamic update requests using the local
+ <parameter>address</parameter>.
+
+ When no local statement is provided,
+ <command>nsupdate</command>
+ will send updates using an address and port chosen by the
+ system.
+ <parameter>port</parameter>
+ can additionally be used to make requests come from a specific
+ port.
+ If no port number is specified, the system will assign one.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>zone</command>
+ <arg choice="req">zonename</arg>
+ </term>
+ <listitem>
+ <para>
+ Specifies that all updates are to be made to the zone
+ <parameter>zonename</parameter>.
+ If no
+ <parameter>zone</parameter>
+ statement is provided,
+ <command>nsupdate</command>
+ will attempt determine the correct zone to update based on the
+ rest of the input.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>class</command>
+ <arg choice="req">classname</arg>
+ </term>
+ <listitem>
+ <para>
+ Specify the default class.
+ If no <parameter>class</parameter> is specified, the
+ default class is
+ <parameter>IN</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>ttl</command>
+ <arg choice="req">seconds</arg>
+ </term>
+ <listitem>
+ <para>
+ Specify the default time to live for records to be added.
The value <parameter>none</parameter> will clear the default
ttl.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>key</command>
- <arg choice="opt">hmac:</arg><arg choice="req">keyname</arg>
- <arg choice="req">secret</arg>
- </term>
- <listitem>
- <para>
- Specifies that all updates are to be TSIG-signed using the
- <parameter>keyname</parameter> <parameter>secret</parameter> pair.
- If <parameter>hmac</parameter> is specified, then it sets the
- signing algorithm in use; the default is
- <literal>hmac-md5</literal>. The <command>key</command>
- command overrides any key specified on the command line via
- <option>-y</option> or <option>-k</option>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>gsstsig</command>
- </term>
- <listitem>
- <para>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>key</command>
+ <arg choice="opt">hmac:</arg><arg choice="req">keyname</arg>
+ <arg choice="req">secret</arg>
+ </term>
+ <listitem>
+ <para>
+ Specifies that all updates are to be TSIG-signed using the
+ <parameter>keyname</parameter> <parameter>secret</parameter> pair.
+ If <parameter>hmac</parameter> is specified, then it sets the
+ signing algorithm in use; the default is
+ <literal>hmac-md5</literal>. The <command>key</command>
+ command overrides any key specified on the command line via
+ <option>-y</option> or <option>-k</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>gsstsig</command>
+ </term>
+ <listitem>
+ <para>
Use GSS-TSIG to sign the updated. This is equivalent to
specifying <option>-g</option> on the commandline.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>oldgsstsig</command>
- </term>
- <listitem>
- <para>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>oldgsstsig</command>
+ </term>
+ <listitem>
+ <para>
Use the Windows 2000 version of GSS-TSIG to sign the updated.
This is equivalent to specifying <option>-o</option> on the
commandline.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>realm</command>
- <arg choice="req"><optional>realm_name</optional></arg>
- </term>
- <listitem>
- <para>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>realm</command>
+ <arg choice="req"><optional>realm_name</optional></arg>
+ </term>
+ <listitem>
+ <para>
When using GSS-TSIG use <parameter>realm_name</parameter> rather
than the default realm in <filename>krb5.conf</filename>. If no
realm is specified the saved realm is cleared.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command><optional>prereq</optional> nxdomain</command>
- <arg choice="req">domain-name</arg>
- </term>
- <listitem>
- <para>
- Requires that no resource record of any type exists with name
- <parameter>domain-name</parameter>.
- </para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term>
- <command><optional>prereq</optional> yxdomain</command>
- <arg choice="req">domain-name</arg>
- </term>
- <listitem>
- <para>
- Requires that
- <parameter>domain-name</parameter>
- exists (has as at least one resource record, of any type).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command><optional>prereq</optional> nxrrset</command>
- <arg choice="req">domain-name</arg>
- <arg choice="opt">class</arg>
- <arg choice="req">type</arg>
- </term>
- <listitem>
- <para>
- Requires that no resource record exists of the specified
- <parameter>type</parameter>,
- <parameter>class</parameter>
- and
- <parameter>domain-name</parameter>.
- If
- <parameter>class</parameter>
- is omitted, IN (internet) is assumed.
- </para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term>
- <command><optional>prereq</optional> yxrrset</command>
- <arg choice="req">domain-name</arg>
- <arg choice="opt">class</arg>
- <arg choice="req">type</arg>
- </term>
- <listitem>
- <para>
- This requires that a resource record of the specified
- <parameter>type</parameter>,
- <parameter>class</parameter>
- and
- <parameter>domain-name</parameter>
- must exist.
- If
- <parameter>class</parameter>
- is omitted, IN (internet) is assumed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command><optional>prereq</optional> yxrrset</command>
- <arg choice="req">domain-name</arg>
- <arg choice="opt">class</arg>
- <arg choice="req">type</arg>
- <arg choice="req" rep="repeat">data</arg>
- </term>
- <listitem>
- <para>
- The
- <parameter>data</parameter>
- from each set of prerequisites of this form
- sharing a common
- <parameter>type</parameter>,
- <parameter>class</parameter>,
- and
- <parameter>domain-name</parameter>
- are combined to form a set of RRs. This set of RRs must
- exactly match the set of RRs existing in the zone at the
- given
- <parameter>type</parameter>,
- <parameter>class</parameter>,
- and
- <parameter>domain-name</parameter>.
- The
- <parameter>data</parameter>
- are written in the standard text representation of the resource
- record's
- RDATA.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command><optional>update</optional> del<optional>ete</optional></command>
- <arg choice="req">domain-name</arg>
- <arg choice="opt">ttl</arg>
- <arg choice="opt">class</arg>
- <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
- </term>
- <listitem>
- <para>
- Deletes any resource records named
- <parameter>domain-name</parameter>.
- If
- <parameter>type</parameter>
- and
- <parameter>data</parameter>
- is provided, only matching resource records will be removed.
- The internet class is assumed if
- <parameter>class</parameter>
- is not supplied. The
- <parameter>ttl</parameter>
- is ignored, and is only allowed for compatibility.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command><optional>update</optional> add</command>
- <arg choice="req">domain-name</arg>
- <arg choice="req">ttl</arg>
- <arg choice="opt">class</arg>
- <arg choice="req">type</arg>
- <arg choice="req" rep="repeat">data</arg>
- </term>
- <listitem>
- <para>
- Adds a new resource record with the specified
- <parameter>ttl</parameter>,
- <parameter>class</parameter>
- and
- <parameter>data</parameter>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>show</command>
- </term>
- <listitem>
- <para>
- Displays the current message, containing all of the
- prerequisites and
- updates specified since the last send.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>send</command>
- </term>
- <listitem>
- <para>
- Sends the current message. This is equivalent to entering a
- blank line.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>answer</command>
- </term>
- <listitem>
- <para>
- Displays the answer.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>debug</command>
- </term>
- <listitem>
- <para>
- Turn on debugging.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>version</command>
- </term>
- <listitem>
- <para>
- Print version number.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <command>help</command>
- </term>
- <listitem>
- <para>
- Print a list of commands.
- </para>
- </listitem>
- </varlistentry>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command><optional>prereq</optional> nxdomain</command>
+ <arg choice="req">domain-name</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that no resource record of any type exists with name
+ <parameter>domain-name</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>
+ <command><optional>prereq</optional> yxdomain</command>
+ <arg choice="req">domain-name</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that
+ <parameter>domain-name</parameter>
+ exists (has as at least one resource record, of any type).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command><optional>prereq</optional> nxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that no resource record exists of the specified
+ <parameter>type</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>domain-name</parameter>.
+ If
+ <parameter>class</parameter>
+ is omitted, IN (internet) is assumed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>
+ <command><optional>prereq</optional> yxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ </term>
+ <listitem>
+ <para>
+ This requires that a resource record of the specified
+ <parameter>type</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>domain-name</parameter>
+ must exist.
+ If
+ <parameter>class</parameter>
+ is omitted, IN (internet) is assumed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command><optional>prereq</optional> yxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ <arg choice="req" rep="repeat">data</arg>
+ </term>
+ <listitem>
+ <para>
+ The
+ <parameter>data</parameter>
+ from each set of prerequisites of this form
+ sharing a common
+ <parameter>type</parameter>,
+ <parameter>class</parameter>,
+ and
+ <parameter>domain-name</parameter>
+ are combined to form a set of RRs. This set of RRs must
+ exactly match the set of RRs existing in the zone at the
+ given
+ <parameter>type</parameter>,
+ <parameter>class</parameter>,
+ and
+ <parameter>domain-name</parameter>.
+ The
+ <parameter>data</parameter>
+ are written in the standard text representation of the resource
+ record's
+ RDATA.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command><optional>update</optional> del<optional>ete</optional></command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">ttl</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
+ </term>
+ <listitem>
+ <para>
+ Deletes any resource records named
+ <parameter>domain-name</parameter>.
+ If
+ <parameter>type</parameter>
+ and
+ <parameter>data</parameter>
+ is provided, only matching resource records will be removed.
+ The internet class is assumed if
+ <parameter>class</parameter>
+ is not supplied. The
+ <parameter>ttl</parameter>
+ is ignored, and is only allowed for compatibility.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command><optional>update</optional> add</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="req">ttl</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ <arg choice="req" rep="repeat">data</arg>
+ </term>
+ <listitem>
+ <para>
+ Adds a new resource record with the specified
+ <parameter>ttl</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>data</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>show</command>
+ </term>
+ <listitem>
+ <para>
+ Displays the current message, containing all of the
+ prerequisites and
+ updates specified since the last send.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>send</command>
+ </term>
+ <listitem>
+ <para>
+ Sends the current message. This is equivalent to entering a
+ blank line.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>answer</command>
+ </term>
+ <listitem>
+ <para>
+ Displays the answer.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>debug</command>
+ </term>
+ <listitem>
+ <para>
+ Turn on debugging.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>version</command>
+ </term>
+ <listitem>
+ <para>
+ Print version number.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>help</command>
+ </term>
+ <listitem>
+ <para>
+ Print a list of commands.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
@@ -723,45 +787,45 @@
<variablelist>
<varlistentry>
- <term><constant>/etc/resolv.conf</constant></term>
- <listitem>
- <para>
- used to identify default name server
- </para>
- </listitem>
+ <term><constant>/etc/resolv.conf</constant></term>
+ <listitem>
+ <para>
+ used to identify default name server
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
- <term><constant>/var/run/named/session.key</constant></term>
- <listitem>
- <para>
- sets the default TSIG key for use in local-only mode
- </para>
- </listitem>
+ <term><constant>/var/run/named/session.key</constant></term>
+ <listitem>
+ <para>
+ sets the default TSIG key for use in local-only mode
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
- <term><constant>K{name}.+157.+{random}.key</constant></term>
- <listitem>
- <para>
- base-64 encoding of HMAC-MD5 key created by
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
+ <term><constant>K{name}.+157.+{random}.key</constant></term>
+ <listitem>
+ <para>
+ base-64 encoding of HMAC-MD5 key created by
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
- <term><constant>K{name}.+157.+{random}.private</constant></term>
- <listitem>
- <para>
- base-64 encoding of HMAC-MD5 key created by
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
+ <term><constant>K{name}.+157.+{random}.private</constant></term>
+ <listitem>
+ <para>
+ base-64 encoding of HMAC-MD5 key created by
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
</varlistentry>
</variablelist>
@@ -778,13 +842,13 @@
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2931</citetitle>,
<citerefentry>
- <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 2e71ec1b1a479..76c54db290d5e 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543479"></a><h2>DESCRIPTION</h2>
+<a name="id2543491"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -57,43 +57,30 @@
This is identified by the MNAME field of the zone's SOA record.
</p>
<p>
- The
- <code class="option">-d</code>
- option makes
- <span><strong class="command">nsupdate</strong></span>
- operate in debug mode.
- This provides tracing information about the update requests that are
- made and the replies received from the name server.
- </p>
-<p>
- The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
- report additional debugging information to <code class="option">-d</code>.
- </p>
-<p>
- The <code class="option">-L</code> option with an integer argument of zero or
- higher sets the logging debug level. If zero, logging is disabled.
- </p>
-<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
- RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
+ RFC 2931 or GSS-TSIG as described in RFC 3645.
+ </p>
+<p>
+ TSIG relies on
a shared secret that should only be known to
- <span><strong class="command">nsupdate</strong></span> and the name server. Currently,
- the only supported encryption algorithm for TSIG is HMAC-MD5,
- which is defined in RFC 2104. Once other algorithms are
- defined for TSIG, applications will need to ensure they select
- the appropriate algorithm as well as the key when authenticating
- each other. For instance, suitable <span class="type">key</span> and
+ <span><strong class="command">nsupdate</strong></span> and the name server.
+ For instance, suitable <span class="type">key</span> and
<span class="type">server</span> statements would be added to
<code class="filename">/etc/named.conf</code> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
- TSIG authentication. SIG(0) uses public key cryptography.
+ TSIG authentication. You can use <span><strong class="command">ddns-confgen</strong></span>
+ to generate suitable configuration fragments.
+ <span><strong class="command">nsupdate</strong></span>
+ uses the <code class="option">-y</code> or <code class="option">-k</code> options
+ to provide the TSIG shared secret. These options are mutually exclusive.
+ </p>
+<p>
+ SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
- <span><strong class="command">nsupdate</strong></span> does not read
- <code class="filename">/etc/named.conf</code>.
</p>
<p>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
@@ -101,108 +88,119 @@
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <code class="option">-o</code> flag.
</p>
-<p><span><strong class="command">nsupdate</strong></span>
- uses the <code class="option">-y</code> or <code class="option">-k</code> option
- to provide the shared secret needed to generate a TSIG record
- for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive.
- </p>
-<p>
- When the <code class="option">-y</code> option is used, a signature is
- generated from
- [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
- <em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
- <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
- valid choices are <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
- <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
- is not specified, the default is <code class="literal">hmac-md5</code>.
- NOTE: Use of the <code class="option">-y</code> option is discouraged because the
- shared secret is supplied as a command line argument in clear text.
- This may be visible in the output from
- <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
- or in a history file maintained by the user's shell.
- </p>
-<p>
- With the
- <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
- the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
- Keyfiles may be in two formats: a single file containing
- a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
- statement, which may be generated automatically by
- <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
- of the format <code class="filename">K{name}.+157.+{random}.key</code> and
- <code class="filename">K{name}.+157.+{random}.private</code>, which can be
- generated by <span><strong class="command">dnssec-keygen</strong></span>.
- The <code class="option">-k</code> may also be used to specify a SIG(0) key used
- to authenticate Dynamic DNS update requests. In this case, the key
- specified is not an HMAC-MD5 key.
- </p>
-<p>
- <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
- using the <code class="option">-l</code> flag. This sets the server address to
- localhost (disabling the <span><strong class="command">server</strong></span> so that the server
- address cannot be overridden). Connections to the local server will
- use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
- which is automatically generated by <span><strong class="command">named</strong></span> if any
- local master zone has set <span><strong class="command">update-policy</strong></span> to
- <span><strong class="command">local</strong></span>. The location of this key file can be
- overridden with the <code class="option">-k</code> option.
- </p>
-<p>
- By default, <span><strong class="command">nsupdate</strong></span>
- uses UDP to send update requests to the name server unless they are too
- large to fit in a UDP request in which case TCP will be used.
- The
- <code class="option">-v</code>
- option makes
- <span><strong class="command">nsupdate</strong></span>
- use a TCP connection.
- This may be preferable when a batch of update requests is made.
- </p>
-<p>
- The <code class="option">-p</code> sets the default port number to use for
- connections to a name server. The default is 53.
- </p>
-<p>
- The <code class="option">-t</code> option sets the maximum time an update request
- can
- take before it is aborted. The default is 300 seconds. Zero can be
- used
- to disable the timeout.
- </p>
-<p>
- The <code class="option">-u</code> option sets the UDP retry interval. The default
- is
- 3 seconds. If zero, the interval will be computed from the timeout
- interval
- and number of UDP retries.
- </p>
-<p>
- The <code class="option">-r</code> option sets the number of UDP retries. The
- default is
- 3. If zero, only one update request will be made.
- </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543564"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-d</span></dt>
+<dd><p>
+ Debug mode. This provides tracing information about the
+ update requests that are made and the replies received
+ from the name server.
+ </p></dd>
+<dt><span class="term">-D</span></dt>
+<dd><p>
+ Extra debug mode.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd><p>
+ The file containing the TSIG authentication key.
+ Keyfiles may be in two formats: a single file containing
+ a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+ statement, which may be generated automatically by
+ <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+ of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+ <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+ generated by <span><strong class="command">dnssec-keygen</strong></span>.
+ The <code class="option">-k</code> may also be used to specify a SIG(0) key used
+ to authenticate Dynamic DNS update requests. In this case, the key
+ specified is not an HMAC-MD5 key.
+ </p></dd>
+<dt><span class="term">-l</span></dt>
+<dd><p>
+ Local-host only mode. This sets the server address to
+ localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
+ which is automatically generated by <span><strong class="command">named</strong></span> if any
+ local master zone has set <span><strong class="command">update-policy</strong></span> to
+ <span><strong class="command">local</strong></span>. The location of this key file can be
+ overridden with the <code class="option">-k</code> option.
+ </p></dd>
+<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Set the logging debug level. If zero, logging is disabled.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Set the port to use for connections to a name server. The
+ default is 53.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
+<dd><p>
+ The number of UDP retries. The default is 3. If zero, only
+ one update request will be made.
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+ Where to obtain randomness. If the operating system
+ does not provide a <code class="filename">/dev/random</code> or
+ equivalent device, the default source of randomness is keyboard
+ input. <code class="filename">randomdev</code> specifies the name of
+ a character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used. This option may be specified multiple times.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
+<dd><p>
+ The maximum time an update request can take before it is
+ aborted. The default is 300 seconds. Zero can be used to
+ disable the timeout.
+ </p></dd>
+<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
+<dd><p>
+ The UDP retry interval. The default is 3 seconds. If zero,
+ the interval will be computed from the timeout interval and
+ number of UDP retries.
+ </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+ Use TCP even for small update requests.
+ By default, <span><strong class="command">nsupdate</strong></span>
+ uses UDP to send update requests to the name server unless they are too
+ large to fit in a UDP request in which case TCP will be used.
+ TCP may be preferable when a batch of update requests is made.
+ </p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+ Print the version number and exit.
+ </p></dd>
+<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
+<dd>
<p>
- The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
- specifies a source of randomness. If the operating system
- does not provide a <code class="filename">/dev/random</code> or
- equivalent device, the default source of randomness is keyboard
- input. <code class="filename">randomdev</code> specifies the name of
- a character device or file containing random data to be used
- instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard input
- should be used. This option may be specified multiple times.
- </p>
+ Literal TSIG authentication key.
+ <em class="parameter"><code>keyname</code></em> is the name of the key, and
+ <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+ <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
+ valid choices are <code class="literal">hmac-md5</code>,
+ <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+ <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
+ <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
+ is not specified, the default is <code class="literal">hmac-md5</code>.
+ </p>
<p>
- The -V option causes <span><strong class="command">nsupdate</strong></span> to print the
- version number and exit.
- </p>
+ NOTE: Use of the <code class="option">-y</code> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in a history file maintained by the user's shell.
+ </p>
+</dd>
+</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543849"></a><h2>INPUT FORMAT</h2>
+<a name="id2543963"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -232,270 +230,270 @@
</p>
<div class="variablelist"><dl>
<dt><span class="term">
- <span><strong class="command">server</strong></span>
- {servername}
- [port]
- </span></dt>
-<dd><p>
- Sends all dynamic update requests to the name server
- <em class="parameter"><code>servername</code></em>.
- When no server statement is provided,
- <span><strong class="command">nsupdate</strong></span>
- will send updates to the master server of the correct zone.
- The MNAME field of that zone's SOA record will identify the
- master
- server for that zone.
- <em class="parameter"><code>port</code></em>
- is the port number on
- <em class="parameter"><code>servername</code></em>
- where the dynamic update requests get sent.
- If no port number is specified, the default DNS port number of
- 53 is
- used.
- </p></dd>
+ <span><strong class="command">server</strong></span>
+ {servername}
+ [port]
+ </span></dt>
+<dd><p>
+ Sends all dynamic update requests to the name server
+ <em class="parameter"><code>servername</code></em>.
+ When no server statement is provided,
+ <span><strong class="command">nsupdate</strong></span>
+ will send updates to the master server of the correct zone.
+ The MNAME field of that zone's SOA record will identify the
+ master
+ server for that zone.
+ <em class="parameter"><code>port</code></em>
+ is the port number on
+ <em class="parameter"><code>servername</code></em>
+ where the dynamic update requests get sent.
+ If no port number is specified, the default DNS port number of
+ 53 is
+ used.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">local</strong></span>
- {address}
- [port]
- </span></dt>
+ <span><strong class="command">local</strong></span>
+ {address}
+ [port]
+ </span></dt>
<dd><p>
- Sends all dynamic update requests using the local
- <em class="parameter"><code>address</code></em>.
+ Sends all dynamic update requests using the local
+ <em class="parameter"><code>address</code></em>.
- When no local statement is provided,
- <span><strong class="command">nsupdate</strong></span>
- will send updates using an address and port chosen by the
- system.
- <em class="parameter"><code>port</code></em>
- can additionally be used to make requests come from a specific
- port.
- If no port number is specified, the system will assign one.
- </p></dd>
+ When no local statement is provided,
+ <span><strong class="command">nsupdate</strong></span>
+ will send updates using an address and port chosen by the
+ system.
+ <em class="parameter"><code>port</code></em>
+ can additionally be used to make requests come from a specific
+ port.
+ If no port number is specified, the system will assign one.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">zone</strong></span>
- {zonename}
- </span></dt>
-<dd><p>
- Specifies that all updates are to be made to the zone
- <em class="parameter"><code>zonename</code></em>.
- If no
- <em class="parameter"><code>zone</code></em>
- statement is provided,
- <span><strong class="command">nsupdate</strong></span>
- will attempt determine the correct zone to update based on the
- rest of the input.
- </p></dd>
+ <span><strong class="command">zone</strong></span>
+ {zonename}
+ </span></dt>
+<dd><p>
+ Specifies that all updates are to be made to the zone
+ <em class="parameter"><code>zonename</code></em>.
+ If no
+ <em class="parameter"><code>zone</code></em>
+ statement is provided,
+ <span><strong class="command">nsupdate</strong></span>
+ will attempt determine the correct zone to update based on the
+ rest of the input.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">class</strong></span>
- {classname}
- </span></dt>
-<dd><p>
- Specify the default class.
- If no <em class="parameter"><code>class</code></em> is specified, the
- default class is
- <em class="parameter"><code>IN</code></em>.
- </p></dd>
+ <span><strong class="command">class</strong></span>
+ {classname}
+ </span></dt>
+<dd><p>
+ Specify the default class.
+ If no <em class="parameter"><code>class</code></em> is specified, the
+ default class is
+ <em class="parameter"><code>IN</code></em>.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">ttl</strong></span>
- {seconds}
- </span></dt>
+ <span><strong class="command">ttl</strong></span>
+ {seconds}
+ </span></dt>
<dd><p>
- Specify the default time to live for records to be added.
+ Specify the default time to live for records to be added.
The value <em class="parameter"><code>none</code></em> will clear the default
ttl.
- </p></dd>
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">key</strong></span>
- [hmac:] {keyname}
- {secret}
- </span></dt>
-<dd><p>
- Specifies that all updates are to be TSIG-signed using the
- <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
- If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
- signing algorithm in use; the default is
- <code class="literal">hmac-md5</code>. The <span><strong class="command">key</strong></span>
- command overrides any key specified on the command line via
- <code class="option">-y</code> or <code class="option">-k</code>.
- </p></dd>
+ <span><strong class="command">key</strong></span>
+ [hmac:] {keyname}
+ {secret}
+ </span></dt>
+<dd><p>
+ Specifies that all updates are to be TSIG-signed using the
+ <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
+ If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
+ signing algorithm in use; the default is
+ <code class="literal">hmac-md5</code>. The <span><strong class="command">key</strong></span>
+ command overrides any key specified on the command line via
+ <code class="option">-y</code> or <code class="option">-k</code>.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">gsstsig</strong></span>
- </span></dt>
+ <span><strong class="command">gsstsig</strong></span>
+ </span></dt>
<dd><p>
Use GSS-TSIG to sign the updated. This is equivalent to
specifying <code class="option">-g</code> on the commandline.
- </p></dd>
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">oldgsstsig</strong></span>
- </span></dt>
+ <span><strong class="command">oldgsstsig</strong></span>
+ </span></dt>
<dd><p>
Use the Windows 2000 version of GSS-TSIG to sign the updated.
This is equivalent to specifying <code class="option">-o</code> on the
commandline.
- </p></dd>
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">realm</strong></span>
- {[<span class="optional">realm_name</span>]}
- </span></dt>
+ <span><strong class="command">realm</strong></span>
+ {[<span class="optional">realm_name</span>]}
+ </span></dt>
<dd><p>
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
than the default realm in <code class="filename">krb5.conf</code>. If no
realm is specified the saved realm is cleared.
- </p></dd>
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
- {domain-name}
- </span></dt>
+ <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
+ {domain-name}
+ </span></dt>
<dd><p>
- Requires that no resource record of any type exists with name
- <em class="parameter"><code>domain-name</code></em>.
- </p></dd>
+ Requires that no resource record of any type exists with name
+ <em class="parameter"><code>domain-name</code></em>.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
- {domain-name}
- </span></dt>
-<dd><p>
- Requires that
- <em class="parameter"><code>domain-name</code></em>
- exists (has as at least one resource record, of any type).
- </p></dd>
+ <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
+ {domain-name}
+ </span></dt>
+<dd><p>
+ Requires that
+ <em class="parameter"><code>domain-name</code></em>
+ exists (has as at least one resource record, of any type).
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- </span></dt>
-<dd><p>
- Requires that no resource record exists of the specified
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>domain-name</code></em>.
- If
- <em class="parameter"><code>class</code></em>
- is omitted, IN (internet) is assumed.
- </p></dd>
+ <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
+ {domain-name}
+ [class]
+ {type}
+ </span></dt>
+<dd><p>
+ Requires that no resource record exists of the specified
+ <em class="parameter"><code>type</code></em>,
+ <em class="parameter"><code>class</code></em>
+ and
+ <em class="parameter"><code>domain-name</code></em>.
+ If
+ <em class="parameter"><code>class</code></em>
+ is omitted, IN (internet) is assumed.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- </span></dt>
-<dd><p>
- This requires that a resource record of the specified
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>domain-name</code></em>
- must exist.
- If
- <em class="parameter"><code>class</code></em>
- is omitted, IN (internet) is assumed.
- </p></dd>
+ <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
+ {domain-name}
+ [class]
+ {type}
+ </span></dt>
+<dd><p>
+ This requires that a resource record of the specified
+ <em class="parameter"><code>type</code></em>,
+ <em class="parameter"><code>class</code></em>
+ and
+ <em class="parameter"><code>domain-name</code></em>
+ must exist.
+ If
+ <em class="parameter"><code>class</code></em>
+ is omitted, IN (internet) is assumed.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- {data...}
- </span></dt>
-<dd><p>
- The
- <em class="parameter"><code>data</code></em>
- from each set of prerequisites of this form
- sharing a common
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>,
- and
- <em class="parameter"><code>domain-name</code></em>
- are combined to form a set of RRs. This set of RRs must
- exactly match the set of RRs existing in the zone at the
- given
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>,
- and
- <em class="parameter"><code>domain-name</code></em>.
- The
- <em class="parameter"><code>data</code></em>
- are written in the standard text representation of the resource
- record's
- RDATA.
- </p></dd>
+ <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
+ {domain-name}
+ [class]
+ {type}
+ {data...}
+ </span></dt>
+<dd><p>
+ The
+ <em class="parameter"><code>data</code></em>
+ from each set of prerequisites of this form
+ sharing a common
+ <em class="parameter"><code>type</code></em>,
+ <em class="parameter"><code>class</code></em>,
+ and
+ <em class="parameter"><code>domain-name</code></em>
+ are combined to form a set of RRs. This set of RRs must
+ exactly match the set of RRs existing in the zone at the
+ given
+ <em class="parameter"><code>type</code></em>,
+ <em class="parameter"><code>class</code></em>,
+ and
+ <em class="parameter"><code>domain-name</code></em>.
+ The
+ <em class="parameter"><code>data</code></em>
+ are written in the standard text representation of the resource
+ record's
+ RDATA.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
- {domain-name}
- [ttl]
- [class]
- [type [data...]]
- </span></dt>
-<dd><p>
- Deletes any resource records named
- <em class="parameter"><code>domain-name</code></em>.
- If
- <em class="parameter"><code>type</code></em>
- and
- <em class="parameter"><code>data</code></em>
- is provided, only matching resource records will be removed.
- The internet class is assumed if
- <em class="parameter"><code>class</code></em>
- is not supplied. The
- <em class="parameter"><code>ttl</code></em>
- is ignored, and is only allowed for compatibility.
- </p></dd>
+ <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
+ {domain-name}
+ [ttl]
+ [class]
+ [type [data...]]
+ </span></dt>
+<dd><p>
+ Deletes any resource records named
+ <em class="parameter"><code>domain-name</code></em>.
+ If
+ <em class="parameter"><code>type</code></em>
+ and
+ <em class="parameter"><code>data</code></em>
+ is provided, only matching resource records will be removed.
+ The internet class is assumed if
+ <em class="parameter"><code>class</code></em>
+ is not supplied. The
+ <em class="parameter"><code>ttl</code></em>
+ is ignored, and is only allowed for compatibility.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
- {domain-name}
- {ttl}
- [class]
- {type}
- {data...}
- </span></dt>
-<dd><p>
- Adds a new resource record with the specified
- <em class="parameter"><code>ttl</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>data</code></em>.
- </p></dd>
+ <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
+ {domain-name}
+ {ttl}
+ [class]
+ {type}
+ {data...}
+ </span></dt>
+<dd><p>
+ Adds a new resource record with the specified
+ <em class="parameter"><code>ttl</code></em>,
+ <em class="parameter"><code>class</code></em>
+ and
+ <em class="parameter"><code>data</code></em>.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">show</strong></span>
- </span></dt>
+ <span><strong class="command">show</strong></span>
+ </span></dt>
<dd><p>
- Displays the current message, containing all of the
- prerequisites and
- updates specified since the last send.
- </p></dd>
+ Displays the current message, containing all of the
+ prerequisites and
+ updates specified since the last send.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">send</strong></span>
- </span></dt>
+ <span><strong class="command">send</strong></span>
+ </span></dt>
<dd><p>
- Sends the current message. This is equivalent to entering a
- blank line.
- </p></dd>
+ Sends the current message. This is equivalent to entering a
+ blank line.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">answer</strong></span>
- </span></dt>
+ <span><strong class="command">answer</strong></span>
+ </span></dt>
<dd><p>
- Displays the answer.
- </p></dd>
+ Displays the answer.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">debug</strong></span>
- </span></dt>
+ <span><strong class="command">debug</strong></span>
+ </span></dt>
<dd><p>
- Turn on debugging.
- </p></dd>
+ Turn on debugging.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">version</strong></span>
- </span></dt>
+ <span><strong class="command">version</strong></span>
+ </span></dt>
<dd><p>
- Print version number.
- </p></dd>
+ Print version number.
+ </p></dd>
<dt><span class="term">
- <span><strong class="command">help</strong></span>
- </span></dt>
+ <span><strong class="command">help</strong></span>
+ </span></dt>
<dd><p>
- Print a list of commands.
- </p></dd>
+ Print a list of commands.
+ </p></dd>
</dl></div>
<p>
</p>
@@ -504,7 +502,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544823"></a><h2>EXAMPLES</h2>
+<a name="id2545067"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -558,30 +556,30 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544867"></a><h2>FILES</h2>
+<a name="id2545111"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
- used to identify default name server
- </p></dd>
+ used to identify default name server
+ </p></dd>
<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
<dd><p>
- sets the default TSIG key for use in local-only mode
- </p></dd>
+ sets the default TSIG key for use in local-only mode
+ </p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
- base-64 encoding of HMAC-MD5 key created by
- <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
- </p></dd>
+ base-64 encoding of HMAC-MD5 key created by
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+ </p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
<dd><p>
- base-64 encoding of HMAC-MD5 key created by
- <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
- </p></dd>
+ base-64 encoding of HMAC-MD5 key created by
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544950"></a><h2>SEE ALSO</h2>
+<a name="id2545197"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
@@ -596,7 +594,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542004"></a><h2>BUGS</h2>
+<a name="id2545255"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 27887cf081922..503108e69216c 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -107,7 +107,9 @@ Use the key
\fIkey_id\fR
from the configuration file.
\fIkey_id\fR
-must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
+must be known by
+\fBnamed\fR
+with the same algorithm and secret string in order for control message validation to succeed. If no
\fIkey_id\fR
is specified,
\fBrndc\fR
@@ -123,69 +125,101 @@ without arguments.
.PP
Currently supported commands are:
.PP
-\fBreload\fR
+\fBaddzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR\fB\fIconfiguration\fR\fR\fB \fR
.RS 4
-Reload configuration file and zones.
+Add a zone while the server is running. This command requires the
+\fBallow\-new\-zones\fR
+option to be set to
+\fByes\fR. The
+\fIconfiguration\fR
+string specified on the command line is the zone configuration text that would ordinarily be placed in
+\fInamed.conf\fR.
+.sp
+The configuration is saved in a file called
+\fI\fIhash\fR\fR\fI.nzf\fR, where
+\fIhash\fR
+is a cryptographic hash generated from the name of the view. When
+\fBnamed\fR
+is restarted, the file will be loaded into the view configuration, so that zones that were added can persist after a restart.
+.sp
+This sample
+\fBaddzone\fR
+command would add the zone
+example.com
+to the default view:
+.sp
+$\fBrndc addzone example.com '{ type master; file "example.com.db"; };'\fR
+.sp
+(Note the brackets and semi\-colon around the zone configuration text.)
+.sp
+See also
+\fBrndc delzone\fR.
.RE
.PP
-\fBreload \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBdelzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
.RS 4
-Reload the given zone.
+Delete a zone while the server is running. Only zones that were originally added via
+\fBrndc addzone\fR
+can be deleted in this manner.
+.sp
+See also
+\fBrndc addzone\fR
.RE
.PP
-\fBrefresh \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBdumpdb \fR\fB[\-all|\-cache|\-zone|\-adb|\-bad]\fR\fB \fR\fB[\fIview ...\fR]\fR
.RS 4
-Schedule zone maintenance for the given zone.
+Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped. (See the
+\fBdump\-file\fR
+option in the BIND 9 Administrator Reference Manual.)
.RE
.PP
-\fBretransfer \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBflush\fR
.RS 4
-Retransfer the given slave zone from the master server.
-.sp
-If the zone is configured to use
-\fBinline\-signing\fR, the signed version of the zone is discarded; after the retransfer of the unsigned version is complete, the signed version will be regenerated with all new signatures.
+Flushes the server's cache.
.RE
.PP
-\fBsign \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBflushname\fR \fIname\fR [\fIview\fR]
.RS 4
-Fetch all DNSSEC keys for the given zone from the key directory (see the
-\fBkey\-directory\fR
-option in the BIND 9 Administrator Reference Manual). If they are within their publication period, merge them into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re\-signed with the new key set.
-.sp
-This command requires that the
-\fBauto\-dnssec\fR
-zone option be set to
-allow
-or
-maintain, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
+Flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database or bad\-server cache.
.RE
.PP
-\fBloadkeys \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBflushtree\fR \fIname\fR [\fIview\fR]
.RS 4
-Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the zone's DNSKEY RRset. Unlike
-\fBrndc sign\fR, however, the zone is not immediately re\-signed by the new keys, but is allowed to incrementally re\-sign over time.
-.sp
-This command requires that the
-\fBauto\-dnssec\fR
-zone option be set to
-maintain, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
+Flushes the given name, and all of its subdomains, from the view's DNS cache. Note that this does
+\fInot\fR
+affect he server's address database or bad\-server cache.
.RE
.PP
\fBfreeze \fR\fB[\fIzone\fR [\fIclass\fR [\fIview\fR]]]\fR
.RS 4
Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master file. All dynamic update attempts will be refused while the zone is frozen.
+.sp
+See also
+\fBrndc thaw\fR.
.RE
.PP
-\fBthaw \fR\fB[\fIzone\fR [\fIclass\fR [\fIview\fR]]]\fR
+\fBhalt \fR\fB[\-p]\fR
.RS 4
-Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re\-enables dynamic updates after the load has completed. After a zone is thawed, dynamic updates will no longer be refused. If the zone has changed and the
-\fBixfr\-from\-differences\fR
-option is in use, then the journal file will be updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing journal file will be removed.
+Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. If
+\fB\-p\fR
+is specified
+\fBnamed\fR's process id is returned. This allows an external process to determine when
+\fBnamed\fR
+had completed halting.
+.sp
+See also
+\fBrndc stop\fR.
.RE
.PP
-\fBsync \fR\fB[\-clean]\fR\fB \fR\fB[\fIzone\fR [\fIclass\fR [\fIview\fR]]]\fR
+\fBloadkeys \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Sync changes in the journal file for a dynamic zone to the master file. If the "\-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced.
+Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the zone's DNSKEY RRset. Unlike
+\fBrndc sign\fR, however, the zone is not immediately re\-signed by the new keys, but is allowed to incrementally re\-sign over time.
+.sp
+This command requires that the
+\fBauto\-dnssec\fR
+zone option be set to
+maintain, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
.RE
.PP
\fBnotify \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
@@ -193,16 +227,12 @@ Sync changes in the journal file for a dynamic zone to the master file. If the "
Resend NOTIFY messages for the zone.
.RE
.PP
-\fBreconfig\fR
-.RS 4
-Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full
-\fBreload\fR
-when there is a large number of zones because it avoids the need to examine the modification times of the zones files.
-.RE
-.PP
-\fBstats\fR
+\fBnotrace\fR
.RS 4
-Write server statistics to the statistics file.
+Sets the server's debugging level to 0.
+.sp
+See also
+\fBrndc trace\fR.
.RE
.PP
\fBquerylog\fR [on|off]
@@ -226,140 +256,65 @@ section of
\fInamed.conf\fR.
.RE
.PP
-\fBdumpdb \fR\fB[\-all|\-cache|\-zone]\fR\fB \fR\fB[\fIview ...\fR]\fR
-.RS 4
-Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped.
-.RE
-.PP
-\fBsecroots \fR\fB[\fIview ...\fR]\fR
-.RS 4
-Dump the server's security roots to the secroots file for the specified views. If no view is specified, security roots for all views are dumped.
-.RE
-.PP
-\fBstop \fR\fB[\-p]\fR
+\fBreconfig\fR
.RS 4
-Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. If
-\fB\-p\fR
-is specified
-\fBnamed\fR's process id is returned. This allows an external process to determine when
-\fBnamed\fR
-had completed stopping.
+Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full
+\fBreload\fR
+when there is a large number of zones because it avoids the need to examine the modification times of the zones files.
.RE
.PP
-\fBhalt \fR\fB[\-p]\fR
+\fBrecursing\fR
.RS 4
-Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. If
-\fB\-p\fR
-is specified
-\fBnamed\fR's process id is returned. This allows an external process to determine when
+Dump the list of queries
\fBnamed\fR
-had completed halting.
-.RE
-.PP
-\fBtrace\fR
-.RS 4
-Increment the servers debugging level by one.
-.RE
-.PP
-\fBtrace \fR\fB\fIlevel\fR\fR
-.RS 4
-Sets the server's debugging level to an explicit value.
-.RE
-.PP
-\fBnotrace\fR
-.RS 4
-Sets the server's debugging level to 0.
-.RE
-.PP
-\fBflush\fR
-.RS 4
-Flushes the server's cache.
-.RE
-.PP
-\fBflushname\fR \fIname\fR [\fIview\fR]
-.RS 4
-Flushes the given name from the server's DNS cache and, if applicable, from the server's nameserver address database or bad\-server cache.
+is currently recursing on, and the list of domains to which iterative queries are currently being sent. (The second list includes the number of fetches currently active for the given domain, and how many have been passed or dropped because of the
+\fBfetches\-per\-zone\fR
+option.)
.RE
.PP
-\fBflushtree\fR \fIname\fR [\fIview\fR]
-.RS 4
-Flushes the given name, and all of its subdomains, from the server's DNS cache. Note that this does
-\fInot\fR
-affect he server's address database or bad\-server cache.
-.RE
-.PP
-\fBstatus\fR
+\fBrefresh \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Display status of the server. Note that the number of zones includes the internal
-\fBbind/CH\fR
-zone and the default
-\fB./IN\fR
-hint zone if there is not an explicit root zone configured.
+Schedule zone maintenance for the given zone.
.RE
.PP
-\fBrecursing\fR
+\fBreload\fR
.RS 4
-Dump the list of queries
-\fBnamed\fR
-is currently recursing on.
+Reload configuration file and zones.
.RE
.PP
-\fBvalidation ( on | off | check ) \fR\fB[\fIview ...\fR]\fR\fB \fR
+\fBreload \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Enable, disable, or check the current status of DNSSEC validation. Note
-\fBdnssec\-enable\fR
-also needs to be set to
-\fByes\fR
-or
-\fBauto\fR
-to be effective. It defaults to enabled.
+Reload the given zone.
.RE
.PP
-\fBtsig\-list\fR
+\fBretransfer \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-List the names of all TSIG keys currently configured for use by
-\fBnamed\fR
-in each view. The list both statically configured keys and dynamic TKEY\-negotiated keys.
+Retransfer the given slave zone from the master server.
+.sp
+If the zone is configured to use
+\fBinline\-signing\fR, the signed version of the zone is discarded; after the retransfer of the unsigned version is complete, the signed version will be regenerated with all new signatures.
.RE
.PP
-\fBtsig\-delete\fR \fIkeyname\fR [\fIview\fR]
+\fBsecroots \fR\fB[\fIview ...\fR]\fR
.RS 4
-Delete a given TKEY\-negotiated key from the server. (This does not apply to statically configured TSIG keys.)
+Dump the server's security roots to the secroots file for the specified views. If no view is specified, security roots for all views are dumped.
.RE
.PP
-\fBaddzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR\fB\fIconfiguration\fR\fR\fB \fR
+\fBsign \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Add a zone while the server is running. This command requires the
-\fBallow\-new\-zones\fR
-option to be set to
-\fByes\fR. The
-\fIconfiguration\fR
-string specified on the command line is the zone configuration text that would ordinarily be placed in
-\fInamed.conf\fR.
-.sp
-The configuration is saved in a file called
-\fI\fIhash\fR\fR\fI.nzf\fR, where
-\fIhash\fR
-is a cryptographic hash generated from the name of the view. When
-\fBnamed\fR
-is restarted, the file will be loaded into the view configuration, so that zones that were added can persist after a restart.
-.sp
-This sample
-\fBaddzone\fR
-command would add the zone
-example.com
-to the default view:
+Fetch all DNSSEC keys for the given zone from the key directory (see the
+\fBkey\-directory\fR
+option in the BIND 9 Administrator Reference Manual). If they are within their publication period, merge them into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re\-signed with the new key set.
.sp
-$\fBrndc addzone example.com '{ type master; file "example.com.db"; };'\fR
+This command requires that the
+\fBauto\-dnssec\fR
+zone option be set to
+allow
+or
+maintain, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
.sp
-(Note the brackets and semi\-colon around the zone configuration text.)
-.RE
-.PP
-\fBdelzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
-.RS 4
-Delete a zone while the server is running. Only zones that were originally added via
-\fBrndc addzone\fR
-can be deleted in this manner.
+See also
+\fBrndc loadkeys\fR.
.RE
.PP
\fBsigning \fR\fB[( \-list | \-clear \fIkeyid/algorithm\fR | \-clear all | \-nsec3param ( \fIparameters\fR | none ) ) ]\fR\fB \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
@@ -398,6 +353,86 @@ So, for example, to create an NSEC3 chain using the SHA\-1 hash algorithm, no op
\fBrndc signing \-nsec3param none\fR
removes an existing NSEC3 chain and replaces it with NSEC.
.RE
+.PP
+\fBstats\fR
+.RS 4
+Write server statistics to the statistics file. (See the
+\fBstatistics\-file\fR
+option in the BIND 9 Administrator Reference Manual.)
+.RE
+.PP
+\fBstatus\fR
+.RS 4
+Display status of the server. Note that the number of zones includes the internal
+\fBbind/CH\fR
+zone and the default
+\fB./IN\fR
+hint zone if there is not an explicit root zone configured.
+.RE
+.PP
+\fBstop \fR\fB[\-p]\fR
+.RS 4
+Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. If
+\fB\-p\fR
+is specified
+\fBnamed\fR's process id is returned. This allows an external process to determine when
+\fBnamed\fR
+had completed stopping.
+.sp
+See also
+\fBrndc halt\fR.
+.RE
+.PP
+\fBsync \fR\fB[\-clean]\fR\fB \fR\fB[\fIzone\fR [\fIclass\fR [\fIview\fR]]]\fR
+.RS 4
+Sync changes in the journal file for a dynamic zone to the master file. If the "\-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced.
+.RE
+.PP
+\fBthaw \fR\fB[\fIzone\fR [\fIclass\fR [\fIview\fR]]]\fR
+.RS 4
+Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re\-enables dynamic updates after the load has completed. After a zone is thawed, dynamic updates will no longer be refused. If the zone has changed and the
+\fBixfr\-from\-differences\fR
+option is in use, then the journal file will be updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing journal file will be removed.
+.sp
+See also
+\fBrndc freeze\fR.
+.RE
+.PP
+\fBtrace\fR
+.RS 4
+Increment the servers debugging level by one.
+.RE
+.PP
+\fBtrace \fR\fB\fIlevel\fR\fR
+.RS 4
+Sets the server's debugging level to an explicit value.
+.sp
+See also
+\fBrndc notrace\fR.
+.RE
+.PP
+\fBtsig\-delete\fR \fIkeyname\fR [\fIview\fR]
+.RS 4
+Delete a given TKEY\-negotiated key from the server. (This does not apply to statically configured TSIG keys.)
+.RE
+.PP
+\fBtsig\-list\fR
+.RS 4
+List the names of all TSIG keys currently configured for use by
+\fBnamed\fR
+in each view. The list both statically configured keys and dynamic TKEY\-negotiated keys.
+.RE
+.PP
+\fBvalidation ( on | off | check ) \fR\fB[\fIview ...\fR]\fR\fB \fR
+.RS 4
+Enable, disable, or check the current status of DNSSEC validation. Note
+\fBdnssec\-enable\fR
+also needs to be set to
+\fByes\fR
+or
+\fBauto\fR
+to be effective. It defaults to enabled.
+.RE
.SH "LIMITATIONS"
.PP
There is currently no way to provide the shared secret for a
@@ -417,7 +452,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 87e966937e3de..c7d8fe1f84314 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -32,6 +32,7 @@
#include <isc/log.h>
#include <isc/net.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/random.h>
#include <isc/socket.h>
#include <isc/stdtime.h>
@@ -103,7 +104,7 @@ command is one of the following:\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
- dumpdb [-all|-cache|-zones] [view ...]\n\
+ dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
flush Flushes all of the server's caches.\n\
flush [view] Flushes the server's cache for a view.\n\
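Review bot: The usage string now lists `dumpdb [-all|-cache|-zones|-adb|-bad|-fail]`, but the rndc.8 entry in this same commit documents the command as `[\-all|\-cache|\-zone|\-adb|\-bad]` — no `-fail`, and `-zone` rather than `-zones` — so the built-in help and the manual disagree about which flags exist and how they are spelled. Operators copy whichever they read, so the two should be reconciled against what the server's command parser actually accepts; if `-fail` is a supported option it belongs in rndc.8 (and the docbook source) too, otherwise it should not be advertised here. The surrounding string literal begins and ends outside this hunk.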
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 5de34d27a3b84..141ce5f37ca22 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -1,8 +1,8 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -41,6 +41,7 @@
<year>2007</year>
<year>2013</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -99,99 +100,99 @@
<variablelist>
<varlistentry>
- <term>-b <replaceable class="parameter">source-address</replaceable></term>
- <listitem>
- <para>
- Use <replaceable class="parameter">source-address</replaceable>
- as the source address for the connection to the server.
- Multiple instances are permitted to allow setting of both
- the IPv4 and IPv6 source addresses.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">config-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable class="parameter">config-file</replaceable>
- as the configuration file instead of the default,
- <filename>/etc/rndc.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k <replaceable class="parameter">key-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable class="parameter">key-file</replaceable>
- as the key file instead of the default,
- <filename>/etc/rndc.key</filename>. The key in
- <filename>/etc/rndc.key</filename> will be used to
- authenticate
- commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
- does not exist.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">server</replaceable></term>
- <listitem>
- <para><replaceable class="parameter">server</replaceable> is
- the name or address of the server which matches a
- server statement in the configuration file for
- <command>rndc</command>. If no server is supplied on the
- command line, the host named by the default-server clause
- in the options statement of the <command>rndc</command>
+ <term>-b <replaceable class="parameter">source-address</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable class="parameter">source-address</replaceable>
+ as the source address for the connection to the server.
+ Multiple instances are permitted to allow setting of both
+ the IPv4 and IPv6 source addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">config-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable class="parameter">config-file</replaceable>
+ as the configuration file instead of the default,
+ <filename>/etc/rndc.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">key-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable class="parameter">key-file</replaceable>
+ as the key file instead of the default,
+ <filename>/etc/rndc.key</filename>. The key in
+ <filename>/etc/rndc.key</filename> will be used to
+ authenticate
+ commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
+ does not exist.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">server</replaceable></term>
+ <listitem>
+ <para><replaceable class="parameter">server</replaceable> is
+ the name or address of the server which matches a
+ server statement in the configuration file for
+ <command>rndc</command>. If no server is supplied on the
+ command line, the host named by the default-server clause
+ in the options statement of the <command>rndc</command>
configuration file will be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Send commands to TCP port
- <replaceable class="parameter">port</replaceable>
- instead
- of BIND 9's default control channel port, 953.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-V</term>
- <listitem>
- <para>
- Enable verbose logging.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-y <replaceable class="parameter">key_id</replaceable></term>
- <listitem>
- <para>
- Use the key <replaceable class="parameter">key_id</replaceable>
- from the configuration file.
- <replaceable class="parameter">key_id</replaceable>
- must be
- known by named with the same algorithm and secret string
- in order for control message validation to succeed.
- If no <replaceable class="parameter">key_id</replaceable>
- is specified, <command>rndc</command> will first look
- for a key clause in the server statement of the server
- being used, or if no server statement is present for that
- host, then the default-key clause of the options statement.
- Note that the configuration file contains shared secrets
- which are used to send authenticated control commands
- to name servers. It should therefore not have general read
- or write access.
- </para>
- </listitem>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Send commands to TCP port
+ <replaceable class="parameter">port</replaceable>
+ instead
+ of BIND 9's default control channel port, 953.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-V</term>
+ <listitem>
+ <para>
+ Enable verbose logging.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-y <replaceable class="parameter">key_id</replaceable></term>
+ <listitem>
+ <para>
+ Use the key <replaceable class="parameter">key_id</replaceable>
+ from the configuration file.
+ <replaceable class="parameter">key_id</replaceable>
+ must be
+ known by <command>named</command> with the same algorithm and secret string
+ in order for control message validation to succeed.
+ If no <replaceable class="parameter">key_id</replaceable>
+ is specified, <command>rndc</command> will first look
+ for a key clause in the server statement of the server
+ being used, or if no server statement is present for that
+ host, then the default-key clause of the options statement.
+ Note that the configuration file contains shared secrets
+ which are used to send authenticated control commands
+ to name servers. It should therefore not have general read
+ or write access.
+ </para>
+ </listitem>
</varlistentry>
</variablelist>
@@ -208,489 +209,522 @@
</para>
<variablelist>
- <varlistentry>
- <term><userinput>reload</userinput></term>
- <listitem>
- <para>
- Reload configuration file and zones.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Reload the given zone.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Schedule zone maintenance for the given zone.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Retransfer the given slave zone from the master server.
- </para>
- <para>
- If the zone is configured to use
- <command>inline-signing</command>, the signed
- version of the zone is discarded; after the
- retransfer of the unsigned version is complete, the
- signed version will be regenerated with all new
- signatures.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Fetch all DNSSEC keys for the given zone
- from the key directory (see the
- <command>key-directory</command> option in
- the BIND 9 Administrator Reference Manual). If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. If the DNSKEY RRset
- is changed, then the zone is automatically
- re-signed with the new key set.
- </para>
- <para>
- This command requires that the
- <command>auto-dnssec</command> zone option be set
- to <literal>allow</literal> or
- <literal>maintain</literal>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Fetch all DNSSEC keys for the given zone
- from the key directory. If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. Unlike <command>rndc
- sign</command>, however, the zone is not
- immediately re-signed by the new keys, but is
- allowed to incrementally re-sign over time.
- </para>
- <para>
- This command requires that the
- <command>auto-dnssec</command> zone option
- be set to <literal>maintain</literal>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem>
- <para>
- Suspend updates to a dynamic zone. If no zone is
- specified, then all zones are suspended. This allows
- manual edits to be made to a zone normally updated by
- dynamic update. It also causes changes in the
- journal file to be synced into the master file.
- All dynamic update attempts will be refused while
- the zone is frozen.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem>
- <para>
- Enable updates to a frozen dynamic zone. If no
- zone is specified, then all frozen zones are
- enabled. This causes the server to reload the zone
- from disk, and re-enables dynamic updates after the
- load has completed. After a zone is thawed,
- dynamic updates will no longer be refused. If
- the zone has changed and the
- <command>ixfr-from-differences</command> option is
- in use, then the journal file will be updated to
- reflect changes in the zone. Otherwise, if the
- zone has changed, any existing journal file will be
- removed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem>
- <para>
- Sync changes in the journal file for a dynamic zone
- to the master file. If the "-clean" option is
- specified, the journal file is also removed. If
- no zone is specified, then all zones are synced.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem>
- <para>
- Resend NOTIFY messages for the zone.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>reconfig</userinput></term>
- <listitem>
- <para>
- Reload the configuration file and load new zones,
- but do not reload existing zone files even if they
- have changed.
- This is faster than a full <command>reload</command> when there
- is a large number of zones because it avoids the need
- to examine the
- modification times of the zones files.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>stats</userinput></term>
- <listitem>
- <para>
- Write server statistics to the statistics file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
- <listitem>
- <para>
- Enable or disable query logging. (For backward
- compatibility, this command can also be used without
- an argument to toggle query logging on and off.)
- </para>
- <para>
- Query logging can also be enabled
- by explicitly directing the <command>queries</command>
- <command>category</command> to a
- <command>channel</command> in the
- <command>logging</command> section of
- <filename>named.conf</filename> or by specifying
- <command>querylog yes;</command> in the
- <command>options</command> section of
- <filename>named.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
- <listitem>
- <para>
- Dump the server's caches (default) and/or zones to
- the
- dump file for the specified views. If no view is
- specified, all
- views are dumped.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
- <listitem>
- <para>
- Dump the server's security roots to the secroots
- file for the specified views. If no view is
- specified, security roots for all
- views are dumped.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>stop <optional>-p</optional></userinput></term>
- <listitem>
- <para>
- Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to
- the master files of the updated zones.
- If <option>-p</option> is specified <command>named</command>'s process id is returned.
- This allows an external process to determine when <command>named</command>
- had completed stopping.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>halt <optional>-p</optional></userinput></term>
- <listitem>
- <para>
- Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to
- the master files, but will be rolled forward from the
- journal files when the server is restarted.
- If <option>-p</option> is specified <command>named</command>'s process id is returned.
- This allows an external process to determine when <command>named</command>
- had completed halting.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>trace</userinput></term>
- <listitem>
- <para>
- Increment the servers debugging level by one.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>trace <replaceable>level</replaceable></userinput></term>
- <listitem>
- <para>
- Sets the server's debugging level to an explicit
- value.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>notrace</userinput></term>
- <listitem>
- <para>
- Sets the server's debugging level to 0.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>flush</userinput></term>
- <listitem>
- <para>
- Flushes the server's cache.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
- <listitem>
- <para>
- Flushes the given name from the server's DNS cache
- and, if applicable, from the server's nameserver address
- database or bad-server cache.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
- <listitem>
- <para>
- Flushes the given name, and all of its subdomains,
- from the server's DNS cache. Note that this does
- <emphasis>not</emphasis> affect he server's address
- database or bad-server cache.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>status</userinput></term>
- <listitem>
- <para>
- Display status of the server.
- Note that the number of zones includes the internal <command>bind/CH</command> zone
- and the default <command>./IN</command>
- hint zone if there is not an
- explicit root zone configured.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>recursing</userinput></term>
- <listitem>
- <para>
- Dump the list of queries <command>named</command> is currently recursing
- on.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
- <listitem>
- <para>
- Enable, disable, or check the current status of
- DNSSEC validation.
- Note <command>dnssec-enable</command> also needs to be
- set to <userinput>yes</userinput> or
- <userinput>auto</userinput> to be effective.
- It defaults to enabled.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>tsig-list</userinput></term>
- <listitem>
- <para>
- List the names of all TSIG keys currently configured
- for use by <command>named</command> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
- <listitem>
- <para>
- Delete a given TKEY-negotiated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
- <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
- <listitem>
- <para>
- Add a zone while the server is running. This
- command requires the
- <command>allow-new-zones</command> option to be set
- to <userinput>yes</userinput>. The
- <replaceable>configuration</replaceable> string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in <filename>named.conf</filename>.
- </para>
- <para>
- The configuration is saved in a file called
- <filename><replaceable>hash</replaceable>.nzf</filename>,
- where <replaceable>hash</replaceable> is a
- cryptographic hash generated from the name of
- the view. When <command>named</command> is
- restarted, the file will be loaded into the view
- configuration, so that zones that were added
- can persist after a restart.
- </para>
- <para>
- This sample <command>addzone</command> command
- would add the zone <literal>example.com</literal>
- to the default view:
- </para>
- <para>
+ <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
+ <listitem>
+ <para>
+ Add a zone while the server is running. This
+ command requires the
+ <command>allow-new-zones</command> option to be set
+ to <userinput>yes</userinput>. The
+ <replaceable>configuration</replaceable> string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in <filename>named.conf</filename>.
+ </para>
+ <para>
+ The configuration is saved in a file called
+ <filename><replaceable>hash</replaceable>.nzf</filename>,
+ where <replaceable>hash</replaceable> is a
+ cryptographic hash generated from the name of
+ the view. When <command>named</command> is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+ </para>
+ <para>
+ This sample <command>addzone</command> command
+ would add the zone <literal>example.com</literal>
+ to the default view:
+ </para>
+ <para>
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
- </para>
- <para>
- (Note the brackets and semi-colon around the zone
- configuration text.)
- </para>
- </listitem>
+ </para>
+ <para>
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+ </para>
+ <para>
+ See also <command>rndc delzone</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>delzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
+ <listitem>
+ <para>
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ <command>rndc addzone</command> can be deleted
+ in this manner.
+ </para>
+ <para>
+ See also <command>rndc addzone</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's caches (default) and/or zones to
+ the
+ dump file for the specified views. If no view is
+ specified, all
+ views are dumped.
+ (See the <command>dump-file</command> option in
+ the BIND 9 Administrator Reference Manual.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>flush</userinput></term>
+ <listitem>
+ <para>
+ Flushes the server's cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
+ <listitem>
+ <para>
+ Flushes the given name from the view's DNS cache
+ and, if applicable, from the view's nameserver address
+ database or bad-server cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
+ <listitem>
+ <para>
+ Flushes the given name, and all of its subdomains,
+ from the view's DNS cache. Note that this does
+ <emphasis>not</emphasis> affect he server's address
+ database or bad-server cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Suspend updates to a dynamic zone. If no zone is
+ specified, then all zones are suspended. This allows
+ manual edits to be made to a zone normally updated by
+ dynamic update. It also causes changes in the
+ journal file to be synced into the master file.
+ All dynamic update attempts will be refused while
+ the zone is frozen.
+ </para>
+ <para>
+ See also <command>rndc thaw</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>halt <optional>-p</optional></userinput></term>
+ <listitem>
+ <para>
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
+ had completed halting.
+ </para>
+ <para>
+ See also <command>rndc stop</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory. If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike <command>rndc
+ sign</command>, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+ </para>
+ <para>
+ This command requires that the
+ <command>auto-dnssec</command> zone option
+ be set to <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Resend NOTIFY messages for the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>notrace</userinput></term>
+ <listitem>
+ <para>
+ Sets the server's debugging level to 0.
+ </para>
+ <para>
+ See also <command>rndc trace</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
+ <listitem>
+ <para>
+ Enable or disable query logging. (For backward
+ compatibility, this command can also be used without
+ an argument to toggle query logging on and off.)
+ </para>
+ <para>
+ Query logging can also be enabled
+ by explicitly directing the <command>queries</command>
+ <command>category</command> to a
+ <command>channel</command> in the
+ <command>logging</command> section of
+ <filename>named.conf</filename> or by specifying
+ <command>querylog yes;</command> in the
+ <command>options</command> section of
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>reconfig</userinput></term>
+ <listitem>
+ <para>
+ Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they
+ have changed.
+ This is faster than a full <command>reload</command> when there
+ is a large number of zones because it avoids the need
+ to examine the
+ modification times of the zones files.
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
- <term><userinput>delzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
+ <term><userinput>recursing</userinput></term>
<listitem>
<para>
- Delete a zone while the server is running.
- Only zones that were originally added via
- <command>rndc addzone</command> can be deleted
- in this manner.
- </para>
- </listitem>
+ Dump the list of queries <command>named</command> is currently
+ recursing on, and the list of domains to which iterative
+ queries are currently being sent. (The second list includes
+ the number of fetches currently active for the given domain,
+ and how many have been passed or dropped because of the
+ <option>fetches-per-zone</option> option.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Schedule zone maintenance for the given zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>reload</userinput></term>
+ <listitem>
+ <para>
+ Reload configuration file and zones.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Reload the given zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Retransfer the given slave zone from the master server.
+ </para>
+ <para>
+ If the zone is configured to use
+ <command>inline-signing</command>, the signed
+ version of the zone is discarded; after the
+ retransfer of the unsigned version is complete, the
+ signed version will be regenerated with all new
+ signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see the
+ <command>key-directory</command> option in
+ the BIND 9 Administrator Reference Manual). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
+ </para>
+ <para>
+ This command requires that the
+ <command>auto-dnssec</command> zone option be set
+ to <literal>allow</literal> or
+ <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+ </para>
+ <para>
+ See also <command>rndc loadkeys</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
+ <listitem>
+ <para>
+ List, edit, or remove the DNSSEC signing state records
+ for the specified zone. The status of ongoing DNSSEC
+ operations (such as signing or generating
+ NSEC3 chains) is stored in the zone in the form
+ of DNS resource records of type
+ <command>sig-signing-type</command>.
+ <command>rndc signing -list</command> converts
+ these records into a human-readable form,
+ indicating which keys are currently signing
+ or have finished signing the zone, and which NSEC3
+ chains are being created or removed.
+ </para>
+ <para>
+ <command>rndc signing -clear</command> can remove
+ a single key (specified in the same format that
+ <command>rndc signing -list</command> uses to
+ display it), or all keys. In either case, only
+ completed keys are removed; any record indicating
+ that a key has not yet finished signing the zone
+ will be retained.
+ </para>
+ <para>
+ <command>rndc signing -nsec3param</command> sets
+ the NSEC3 parameters for a zone. This is the
+ only supported mechanism for using NSEC3 with
+ <command>inline-signing</command> zones.
+ Parameters are specified in the same format as
+ an NSEC3PARAM resource record: hash algorithm,
+ flags, iterations, and salt, in that order.
+ </para>
+ <para>
+ Currently, the only defined value for hash algorithm
+ is <literal>1</literal>, representing SHA-1.
+ The <option>flags</option> may be set to
+ <literal>0</literal> or <literal>1</literal>,
+ depending on whether you wish to set the opt-out
+ bit in the NSEC3 chain. <option>iterations</option>
+ defines the number of additional times to apply
+ the algorithm when generating an NSEC3 hash. The
+ <option>salt</option> is a string of data expressed
+ in hexadecimal, or a hyphen (`-') if no salt is
+ to be used.
+ </para>
+ <para>
+ So, for example, to create an NSEC3 chain using
+ the SHA-1 hash algorithm, no opt-out flag,
+ 10 iterations, and a salt value of "FFFF", use:
+ <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
+ To set the opt-out flag, 15 iterations, and no
+ salt, use:
+ <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
+ </para>
+ <para>
+ <command>rndc signing -nsec3param none</command>
+ removes an existing NSEC3 chain and replaces it
+ with NSEC.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>stats</userinput></term>
+ <listitem>
+ <para>
+ Write server statistics to the statistics file.
+ (See the <command>statistics-file</command> option in
+ the BIND 9 Administrator Reference Manual.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>status</userinput></term>
+ <listitem>
+ <para>
+ Display status of the server.
+ Note that the number of zones includes the internal <command>bind/CH</command> zone
+ and the default <command>./IN</command>
+ hint zone if there is not an
+ explicit root zone configured.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>stop <optional>-p</optional></userinput></term>
+ <listitem>
+ <para>
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
+ had completed stopping.
+ </para>
+ <para>See also <command>rndc halt</command>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Sync changes in the journal file for a dynamic zone
+ to the master file. If the "-clean" option is
+ specified, the journal file is also removed. If
+ no zone is specified, then all zones are synced.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Enable updates to a frozen dynamic zone. If no
+ zone is specified, then all frozen zones are
+ enabled. This causes the server to reload the zone
+ from disk, and re-enables dynamic updates after the
+ load has completed. After a zone is thawed,
+ dynamic updates will no longer be refused. If
+ the zone has changed and the
+ <command>ixfr-from-differences</command> option is
+ in use, then the journal file will be updated to
+ reflect changes in the zone. Otherwise, if the
+ zone has changed, any existing journal file will be
+ removed.
+ </para>
+ <para>See also <command>rndc freeze</command>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>trace</userinput></term>
+ <listitem>
+ <para>
+ Increment the servers debugging level by one.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>trace <replaceable>level</replaceable></userinput></term>
+ <listitem>
+ <para>
+ Sets the server's debugging level to an explicit
+ value.
+ </para>
+ <para>
+ See also <command>rndc notrace</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
+ <listitem>
+ <para>
+ Delete a given TKEY-negotiated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>tsig-list</userinput></term>
+ <listitem>
+ <para>
+ List the names of all TSIG keys currently configured
+ for use by <command>named</command> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
+ <listitem>
+ <para>
+ Enable, disable, or check the current status of
+ DNSSEC validation.
+ Note <command>dnssec-enable</command> also needs to be
+ set to <userinput>yes</userinput> or
+ <userinput>auto</userinput> to be effective.
+ It defaults to enabled.
+ </para>
+ </listitem>
</varlistentry>
- <varlistentry>
- <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
- <listitem>
- <para>
- List, edit, or remove the DNSSEC signing state records
- for the specified zone. The status of ongoing DNSSEC
- operations (such as signing or generating
- NSEC3 chains) is stored in the zone in the form
- of DNS resource records of type
- <command>sig-signing-type</command>.
- <command>rndc signing -list</command> converts
- these records into a human-readable form,
- indicating which keys are currently signing
- or have finished signing the zone, and which NSEC3
- chains are being created or removed.
- </para>
- <para>
- <command>rndc signing -clear</command> can remove
- a single key (specified in the same format that
- <command>rndc signing -list</command> uses to
- display it), or all keys. In either case, only
- completed keys are removed; any record indicating
- that a key has not yet finished signing the zone
- will be retained.
- </para>
- <para>
- <command>rndc signing -nsec3param</command> sets
- the NSEC3 parameters for a zone. This is the
- only supported mechanism for using NSEC3 with
- <command>inline-signing</command> zones.
- Parameters are specified in the same format as
- an NSEC3PARAM resource record: hash algorithm,
- flags, iterations, and salt, in that order.
- </para>
- <para>
- Currently, the only defined value for hash algorithm
- is <literal>1</literal>, representing SHA-1.
- The <option>flags</option> may be set to
- <literal>0</literal> or <literal>1</literal>,
- depending on whether you wish to set the opt-out
- bit in the NSEC3 chain. <option>iterations</option>
- defines the number of additional times to apply
- the algorithm when generating an NSEC3 hash. The
- <option>salt</option> is a string of data expressed
- in hexadecimal, or a hyphen (`-') if no salt is
- to be used.
- </para>
- <para>
- So, for example, to create an NSEC3 chain using
- the SHA-1 hash algorithm, no opt-out flag,
- 10 iterations, and a salt value of "FFFF", use:
- <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
- To set the opt-out flag, 15 iterations, and no
- salt, use:
- <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
- </para>
- <para>
- <command>rndc signing -nsec3param none</command>
- removes an existing NSEC3 chain and replaces it
- with NSEC.
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -708,19 +742,19 @@
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
- <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
+ <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+ <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 0e74ea3531edc..0daea8a285499 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543428"></a><h2>DESCRIPTION</h2>
+<a name="id2543431"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -61,73 +61,73 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543463"></a><h2>OPTIONS</h2>
+<a name="id2543466"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
- Use <em class="replaceable"><code>source-address</code></em>
- as the source address for the connection to the server.
- Multiple instances are permitted to allow setting of both
- the IPv4 and IPv6 source addresses.
- </p></dd>
+ Use <em class="replaceable"><code>source-address</code></em>
+ as the source address for the connection to the server.
+ Multiple instances are permitted to allow setting of both
+ the IPv4 and IPv6 source addresses.
+ </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
- Use <em class="replaceable"><code>config-file</code></em>
- as the configuration file instead of the default,
- <code class="filename">/etc/rndc.conf</code>.
- </p></dd>
+ Use <em class="replaceable"><code>config-file</code></em>
+ as the configuration file instead of the default,
+ <code class="filename">/etc/rndc.conf</code>.
+ </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd><p>
- Use <em class="replaceable"><code>key-file</code></em>
- as the key file instead of the default,
- <code class="filename">/etc/rndc.key</code>. The key in
- <code class="filename">/etc/rndc.key</code> will be used to
- authenticate
- commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
- does not exist.
- </p></dd>
+ Use <em class="replaceable"><code>key-file</code></em>
+ as the key file instead of the default,
+ <code class="filename">/etc/rndc.key</code>. The key in
+ <code class="filename">/etc/rndc.key</code> will be used to
+ authenticate
+ commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
+ does not exist.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
- the name or address of the server which matches a
- server statement in the configuration file for
- <span><strong class="command">rndc</strong></span>. If no server is supplied on the
- command line, the host named by the default-server clause
- in the options statement of the <span><strong class="command">rndc</strong></span>
+ the name or address of the server which matches a
+ server statement in the configuration file for
+ <span><strong class="command">rndc</strong></span>. If no server is supplied on the
+ command line, the host named by the default-server clause
+ in the options statement of the <span><strong class="command">rndc</strong></span>
configuration file will be used.
- </p></dd>
+ </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
- Send commands to TCP port
- <em class="replaceable"><code>port</code></em>
- instead
- of BIND 9's default control channel port, 953.
- </p></dd>
+ Send commands to TCP port
+ <em class="replaceable"><code>port</code></em>
+ instead
+ of BIND 9's default control channel port, 953.
+ </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
- Enable verbose logging.
- </p></dd>
+ Enable verbose logging.
+ </p></dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
- Use the key <em class="replaceable"><code>key_id</code></em>
- from the configuration file.
- <em class="replaceable"><code>key_id</code></em>
- must be
- known by named with the same algorithm and secret string
- in order for control message validation to succeed.
- If no <em class="replaceable"><code>key_id</code></em>
- is specified, <span><strong class="command">rndc</strong></span> will first look
- for a key clause in the server statement of the server
- being used, or if no server statement is present for that
- host, then the default-key clause of the options statement.
- Note that the configuration file contains shared secrets
- which are used to send authenticated control commands
- to name servers. It should therefore not have general read
- or write access.
- </p></dd>
+ Use the key <em class="replaceable"><code>key_id</code></em>
+ from the configuration file.
+ <em class="replaceable"><code>key_id</code></em>
+ must be
+ known by <span><strong class="command">named</strong></span> with the same algorithm and secret string
+ in order for control message validation to succeed.
+ If no <em class="replaceable"><code>key_id</code></em>
+ is specified, <span><strong class="command">rndc</strong></span> will first look
+ for a key clause in the server statement of the server
+ being used, or if no server statement is present for that
+ host, then the default-key clause of the options statement.
+ Note that the configuration file contains shared secrets
+ which are used to send authenticated control commands
+ to name servers. It should therefore not have general read
+ or write access.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543659"></a><h2>COMMANDS</h2>
+<a name="id2543667"></a><h2>COMMANDS</h2>
<p>
A list of commands supported by <span><strong class="command">rndc</strong></span> can
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
@@ -136,351 +136,396 @@
Currently supported commands are:
</p>
<div class="variablelist"><dl>
-<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
+<dd>
+<p>
+ Add a zone while the server is running. This
+ command requires the
+ <span><strong class="command">allow-new-zones</strong></span> option to be set
+ to <strong class="userinput"><code>yes</code></strong>. The
+ <em class="replaceable"><code>configuration</code></em> string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in <code class="filename">named.conf</code>.
+ </p>
+<p>
+ The configuration is saved in a file called
+ <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
+ where <em class="replaceable"><code>hash</code></em> is a
+ cryptographic hash generated from the name of
+ the view. When <span><strong class="command">named</strong></span> is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+ </p>
+<p>
+ This sample <span><strong class="command">addzone</strong></span> command
+ would add the zone <code class="literal">example.com</code>
+ to the default view:
+ </p>
+<p>
+<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
+ </p>
+<p>
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+ </p>
+<p>
+ See also <span><strong class="command">rndc delzone</strong></span>.
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
+<dd>
+<p>
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ <span><strong class="command">rndc addzone</strong></span> can be deleted
+ in this manner.
+ </p>
+<p>
+ See also <span><strong class="command">rndc addzone</strong></span>
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
- Reload configuration file and zones.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+ Dump the server's caches (default) and/or zones to
+ the
+ dump file for the specified views. If no view is
+ specified, all
+ views are dumped.
+ (See the <span><strong class="command">dump-file</strong></span> option in
+ the BIND 9 Administrator Reference Manual.)
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p>
- Reload the given zone.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+ Flushes the server's cache.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
- Schedule zone maintenance for the given zone.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+ Flushes the given name from the view's DNS cache
+ and, if applicable, from the view's nameserver address
+ database or bad-server cache.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
+<dd><p>
+ Flushes the given name, and all of its subdomains,
+ from the view's DNS cache. Note that this does
+ <span class="emphasis"><em>not</em></span> affect he server's address
+ database or bad-server cache.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Retransfer the given slave zone from the master server.
- </p>
+ Suspend updates to a dynamic zone. If no zone is
+ specified, then all zones are suspended. This allows
+ manual edits to be made to a zone normally updated by
+ dynamic update. It also causes changes in the
+ journal file to be synced into the master file.
+ All dynamic update attempts will be refused while
+ the zone is frozen.
+ </p>
<p>
- If the zone is configured to use
- <span><strong class="command">inline-signing</strong></span>, the signed
- version of the zone is discarded; after the
- retransfer of the unsigned version is complete, the
- signed version will be regenerated with all new
- signatures.
- </p>
+ See also <span><strong class="command">rndc thaw</strong></span>.
+ </p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd>
<p>
- Fetch all DNSSEC keys for the given zone
- from the key directory (see the
- <span><strong class="command">key-directory</strong></span> option in
- the BIND 9 Administrator Reference Manual). If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. If the DNSKEY RRset
- is changed, then the zone is automatically
- re-signed with the new key set.
- </p>
-<p>
- This command requires that the
- <span><strong class="command">auto-dnssec</strong></span> zone option be set
- to <code class="literal">allow</code> or
- <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </p>
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
+ had completed halting.
+ </p>
+<p>
+ See also <span><strong class="command">rndc stop</strong></span>.
+ </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Fetch all DNSSEC keys for the given zone
- from the key directory. If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
- sign</strong></span>, however, the zone is not
- immediately re-signed by the new keys, but is
- allowed to incrementally re-sign over time.
- </p>
-<p>
- This command requires that the
- <span><strong class="command">auto-dnssec</strong></span> zone option
- be set to <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </p>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory. If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
+ sign</strong></span>, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+ </p>
+<p>
+ This command requires that the
+ <span><strong class="command">auto-dnssec</strong></span> zone option
+ be set to <code class="literal">maintain</code>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+ </p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
- Suspend updates to a dynamic zone. If no zone is
- specified, then all zones are suspended. This allows
- manual edits to be made to a zone normally updated by
- dynamic update. It also causes changes in the
- journal file to be synced into the master file.
- All dynamic update attempts will be refused while
- the zone is frozen.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
- Enable updates to a frozen dynamic zone. If no
- zone is specified, then all frozen zones are
- enabled. This causes the server to reload the zone
- from disk, and re-enables dynamic updates after the
- load has completed. After a zone is thawed,
- dynamic updates will no longer be refused. If
- the zone has changed and the
- <span><strong class="command">ixfr-from-differences</strong></span> option is
- in use, then the journal file will be updated to
- reflect changes in the zone. Otherwise, if the
- zone has changed, any existing journal file will be
- removed.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
- Sync changes in the journal file for a dynamic zone
- to the master file. If the "-clean" option is
- specified, the journal file is also removed. If
- no zone is specified, then all zones are synced.
- </p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
- Resend NOTIFY messages for the zone.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>
- Reload the configuration file and load new zones,
- but do not reload existing zone files even if they
- have changed.
- This is faster than a full <span><strong class="command">reload</strong></span> when there
- is a large number of zones because it avoids the need
- to examine the
- modification times of the zones files.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>
- Write server statistics to the statistics file.
- </p></dd>
+ Resend NOTIFY messages for the zone.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
+<dd>
+<p>
+ Sets the server's debugging level to 0.
+ </p>
+<p>
+ See also <span><strong class="command">rndc trace</strong></span>.
+ </p>
+</dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p>
- Enable or disable query logging. (For backward
- compatibility, this command can also be used without
- an argument to toggle query logging on and off.)
- </p>
-<p>
- Query logging can also be enabled
- by explicitly directing the <span><strong class="command">queries</strong></span>
- <span><strong class="command">category</strong></span> to a
- <span><strong class="command">channel</strong></span> in the
- <span><strong class="command">logging</strong></span> section of
- <code class="filename">named.conf</code> or by specifying
- <span><strong class="command">querylog yes;</strong></span> in the
- <span><strong class="command">options</strong></span> section of
- <code class="filename">named.conf</code>.
- </p>
+ Enable or disable query logging. (For backward
+ compatibility, this command can also be used without
+ an argument to toggle query logging on and off.)
+ </p>
+<p>
+ Query logging can also be enabled
+ by explicitly directing the <span><strong class="command">queries</strong></span>
+ <span><strong class="command">category</strong></span> to a
+ <span><strong class="command">channel</strong></span> in the
+ <span><strong class="command">logging</strong></span> section of
+ <code class="filename">named.conf</code> or by specifying
+ <span><strong class="command">querylog yes;</strong></span> in the
+ <span><strong class="command">options</strong></span> section of
+ <code class="filename">named.conf</code>.
+ </p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>
- Dump the server's caches (default) and/or zones to
- the
- dump file for the specified views. If no view is
- specified, all
- views are dumped.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>
- Dump the server's security roots to the secroots
- file for the specified views. If no view is
- specified, security roots for all
- views are dumped.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>
- Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to
- the master files of the updated zones.
- If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
- This allows an external process to determine when <span><strong class="command">named</strong></span>
- had completed stopping.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
- Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to
- the master files, but will be rolled forward from the
- journal files when the server is restarted.
- If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
- This allows an external process to determine when <span><strong class="command">named</strong></span>
- had completed halting.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
+ Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they
+ have changed.
+ This is faster than a full <span><strong class="command">reload</strong></span> when there
+ is a large number of zones because it avoids the need
+ to examine the
+ modification times of the zones files.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
- Increment the servers debugging level by one.
+ Dump the list of queries <span><strong class="command">named</strong></span> is currently
+ recursing on, and the list of domains to which iterative
+ queries are currently being sent. (The second list includes
+ the number of fetches currently active for the given domain,
+ and how many have been passed or dropped because of the
+ <code class="option">fetches-per-zone</code> option.)
</p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
- Sets the server's debugging level to an explicit
- value.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
+ Schedule zone maintenance for the given zone.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
- Sets the server's debugging level to 0.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
+ Reload configuration file and zones.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
- Flushes the server's cache.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
+ Reload the given zone.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+<p>
+ Retransfer the given slave zone from the master server.
+ </p>
+<p>
+ If the zone is configured to use
+ <span><strong class="command">inline-signing</strong></span>, the signed
+ version of the zone is discarded; after the
+ retransfer of the unsigned version is complete, the
+ signed version will be regenerated with all new
+ signatures.
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
- Flushes the given name from the server's DNS cache
- and, if applicable, from the server's nameserver address
- database or bad-server cache.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+<p>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see the
+ <span><strong class="command">key-directory</strong></span> option in
+ the BIND 9 Administrator Reference Manual). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
+ </p>
+<p>
+ This command requires that the
+ <span><strong class="command">auto-dnssec</strong></span> zone option be set
+ to <code class="literal">allow</code> or
+ <code class="literal">maintain</code>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ (See "Dynamic Update Policies" in the Administrator
+ Reference Manual for more details.)
+ </p>
+<p>
+ See also <span><strong class="command">rndc loadkeys</strong></span>.
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
+<dd>
+<p>
+ List, edit, or remove the DNSSEC signing state records
+ for the specified zone. The status of ongoing DNSSEC
+ operations (such as signing or generating
+ NSEC3 chains) is stored in the zone in the form
+ of DNS resource records of type
+ <span><strong class="command">sig-signing-type</strong></span>.
+ <span><strong class="command">rndc signing -list</strong></span> converts
+ these records into a human-readable form,
+ indicating which keys are currently signing
+ or have finished signing the zone, and which NSEC3
+ chains are being created or removed.
+ </p>
+<p>
+ <span><strong class="command">rndc signing -clear</strong></span> can remove
+ a single key (specified in the same format that
+ <span><strong class="command">rndc signing -list</strong></span> uses to
+ display it), or all keys. In either case, only
+ completed keys are removed; any record indicating
+ that a key has not yet finished signing the zone
+ will be retained.
+ </p>
+<p>
+ <span><strong class="command">rndc signing -nsec3param</strong></span> sets
+ the NSEC3 parameters for a zone. This is the
+ only supported mechanism for using NSEC3 with
+ <span><strong class="command">inline-signing</strong></span> zones.
+ Parameters are specified in the same format as
+ an NSEC3PARAM resource record: hash algorithm,
+ flags, iterations, and salt, in that order.
+ </p>
+<p>
+ Currently, the only defined value for hash algorithm
+ is <code class="literal">1</code>, representing SHA-1.
+ The <code class="option">flags</code> may be set to
+ <code class="literal">0</code> or <code class="literal">1</code>,
+ depending on whether you wish to set the opt-out
+ bit in the NSEC3 chain. <code class="option">iterations</code>
+ defines the number of additional times to apply
+ the algorithm when generating an NSEC3 hash. The
+ <code class="option">salt</code> is a string of data expressed
+ in hexadecimal, or a hyphen (`-') if no salt is
+ to be used.
+ </p>
+<p>
+ So, for example, to create an NSEC3 chain using
+ the SHA-1 hash algorithm, no opt-out flag,
+ 10 iterations, and a salt value of "FFFF", use:
+ <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
+ To set the opt-out flag, 15 iterations, and no
+ salt, use:
+ <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
+ </p>
+<p>
+ <span><strong class="command">rndc signing -nsec3param none</strong></span>
+ removes an existing NSEC3 chain and replaces it
+ with NSEC.
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
- Flushes the given name, and all of its subdomains,
- from the server's DNS cache. Note that this does
- <span class="emphasis"><em>not</em></span> affect he server's address
- database or bad-server cache.
- </p></dd>
+ Write server statistics to the statistics file.
+ (See the <span><strong class="command">statistics-file</strong></span> option in
+ the BIND 9 Administrator Reference Manual.)
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
- Display status of the server.
- Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
- and the default <span><strong class="command">./IN</strong></span>
- hint zone if there is not an
- explicit root zone configured.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd><p>
- Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
- on.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
-<dd><p>
- Enable, disable, or check the current status of
- DNSSEC validation.
- Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> or
- <strong class="userinput"><code>auto</code></strong> to be effective.
- It defaults to enabled.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd><p>
- List the names of all TSIG keys currently configured
- for use by <span><strong class="command">named</strong></span> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd><p>
- Delete a given TKEY-negotiated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
+ Display status of the server.
+ Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
+ and the default <span><strong class="command">./IN</strong></span>
+ hint zone if there is not an
+ explicit root zone configured.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd>
<p>
- Add a zone while the server is running. This
- command requires the
- <span><strong class="command">allow-new-zones</strong></span> option to be set
- to <strong class="userinput"><code>yes</code></strong>. The
- <em class="replaceable"><code>configuration</code></em> string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in <code class="filename">named.conf</code>.
- </p>
-<p>
- The configuration is saved in a file called
- <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
- where <em class="replaceable"><code>hash</code></em> is a
- cryptographic hash generated from the name of
- the view. When <span><strong class="command">named</strong></span> is
- restarted, the file will be loaded into the view
- configuration, so that zones that were added
- can persist after a restart.
- </p>
-<p>
- This sample <span><strong class="command">addzone</strong></span> command
- would add the zone <code class="literal">example.com</code>
- to the default view:
- </p>
-<p>
-<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
- </p>
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
+ had completed stopping.
+ </p>
+<p>See also <span><strong class="command">rndc halt</strong></span>.</p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
+<dd><p>
+ Sync changes in the journal file for a dynamic zone
+ to the master file. If the "-clean" option is
+ specified, the journal file is also removed. If
+ no zone is specified, then all zones are synced.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
+<dd>
<p>
- (Note the brackets and semi-colon around the zone
- configuration text.)
- </p>
+ Enable updates to a frozen dynamic zone. If no
+ zone is specified, then all frozen zones are
+ enabled. This causes the server to reload the zone
+ from disk, and re-enables dynamic updates after the
+ load has completed. After a zone is thawed,
+ dynamic updates will no longer be refused. If
+ the zone has changed and the
+ <span><strong class="command">ixfr-from-differences</strong></span> option is
+ in use, then the journal file will be updated to
+ reflect changes in the zone. Otherwise, if the
+ zone has changed, any existing journal file will be
+ removed.
+ </p>
+<p>See also <span><strong class="command">rndc freeze</strong></span>.</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
- Delete a zone while the server is running.
- Only zones that were originally added via
- <span><strong class="command">rndc addzone</strong></span> can be deleted
- in this manner.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
+ Increment the servers debugging level by one.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd>
<p>
- List, edit, or remove the DNSSEC signing state records
- for the specified zone. The status of ongoing DNSSEC
- operations (such as signing or generating
- NSEC3 chains) is stored in the zone in the form
- of DNS resource records of type
- <span><strong class="command">sig-signing-type</strong></span>.
- <span><strong class="command">rndc signing -list</strong></span> converts
- these records into a human-readable form,
- indicating which keys are currently signing
- or have finished signing the zone, and which NSEC3
- chains are being created or removed.
- </p>
-<p>
- <span><strong class="command">rndc signing -clear</strong></span> can remove
- a single key (specified in the same format that
- <span><strong class="command">rndc signing -list</strong></span> uses to
- display it), or all keys. In either case, only
- completed keys are removed; any record indicating
- that a key has not yet finished signing the zone
- will be retained.
- </p>
-<p>
- <span><strong class="command">rndc signing -nsec3param</strong></span> sets
- the NSEC3 parameters for a zone. This is the
- only supported mechanism for using NSEC3 with
- <span><strong class="command">inline-signing</strong></span> zones.
- Parameters are specified in the same format as
- an NSEC3PARAM resource record: hash algorithm,
- flags, iterations, and salt, in that order.
- </p>
-<p>
- Currently, the only defined value for hash algorithm
- is <code class="literal">1</code>, representing SHA-1.
- The <code class="option">flags</code> may be set to
- <code class="literal">0</code> or <code class="literal">1</code>,
- depending on whether you wish to set the opt-out
- bit in the NSEC3 chain. <code class="option">iterations</code>
- defines the number of additional times to apply
- the algorithm when generating an NSEC3 hash. The
- <code class="option">salt</code> is a string of data expressed
- in hexadecimal, or a hyphen (`-') if no salt is
- to be used.
- </p>
-<p>
- So, for example, to create an NSEC3 chain using
- the SHA-1 hash algorithm, no opt-out flag,
- 10 iterations, and a salt value of "FFFF", use:
- <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
- To set the opt-out flag, 15 iterations, and no
- salt, use:
- <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
- </p>
-<p>
- <span><strong class="command">rndc signing -nsec3param none</strong></span>
- removes an existing NSEC3 chain and replaces it
- with NSEC.
- </p>
+ Sets the server's debugging level to an explicit
+ value.
+ </p>
+<p>
+ See also <span><strong class="command">rndc notrace</strong></span>.
+ </p>
</dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
+<dd><p>
+ Delete a given TKEY-negotiated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
+<dd><p>
+ List the names of all TSIG keys currently configured
+ for use by <span><strong class="command">named</strong></span> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
+<dd><p>
+ Enable, disable, or check the current status of
+ DNSSEC validation.
+ Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+ set to <strong class="userinput"><code>yes</code></strong> or
+ <strong class="userinput"><code>auto</code></strong> to be effective.
+ It defaults to enabled.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2541986"></a><h2>LIMITATIONS</h2>
+<a name="id2544994"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
@@ -490,7 +535,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542004"></a><h2>SEE ALSO</h2>
+<a name="id2545012"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -500,7 +545,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545200"></a><h2>AUTHOR</h2>
+<a name="id2545067"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index c654462bf04d9..7716451da0e38 100644
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -26,6 +26,7 @@
#include <stdio.h>
#include <isc/boolean.h>
+#include <isc/print.h>
#include "util.h"
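Review bot: The added `#include <isc/print.h>` is not exercised by any line visible in this hunk, and the same one-line include is added to bin/tools/arpaname.c, bin/tools/isc-hmac-fixup.c and bin/tools/named-journalprint.c with no visible use either. If these are part of a sweep so that the printf-family calls in these files pick up BIND's portability prototypes, the change is consistent across all four files; if not, the include is dead and should be dropped. Its placement after `<isc/boolean.h>` does follow the alphabetical ordering of the isc/ headers the file already uses. The rest of util.c, including whatever would use the header, lies outside this hunk.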
@@ -44,7 +45,7 @@ notify(const char *fmt, ...) {
}
}
-void
+void
fatal(const char *format, ...) {
va_list args;
@@ -54,4 +55,4 @@ fatal(const char *format, ...) {
va_end(args);
fprintf(stderr, "\n");
exit(1);
-}
+}
diff --git a/bin/tools/arpaname.c b/bin/tools/arpaname.c
index 356a883a45daa..14609b57965f2 100644
--- a/bin/tools/arpaname.c
+++ b/bin/tools/arpaname.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -19,6 +19,7 @@
#include "config.h"
#include <isc/net.h>
+#include <isc/print.h>
#include <stdio.h>
diff --git a/bin/tools/isc-hmac-fixup.c b/bin/tools/isc-hmac-fixup.c
index 00613b387c48c..e443675ab34f3 100644
--- a/bin/tools/isc-hmac-fixup.c
+++ b/bin/tools/isc-hmac-fixup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2010, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -21,6 +21,7 @@
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/md5.h>
+#include <isc/print.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sha1.h>
diff --git a/bin/tools/named-journalprint.c b/bin/tools/named-journalprint.c
index 36d1acd3136de..035cb6e28c924 100644
--- a/bin/tools/named-journalprint.c
+++ b/bin/tools/named-journalprint.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -22,6 +22,7 @@
#include <isc/log.h>
#include <isc/mem.h>
+#include <isc/print.h>
#include <isc/util.h>
#include <dns/journal.h>