diff --git a/.clang-format b/.clang-format
index 7137d8e008..124d82a269 100644
--- a/.clang-format
+++ b/.clang-format
@@ -34,6 +34,10 @@ PointerAlignment: Right PointerBindsToType: false IncludeBlocks: Regroup IncludeCategories: + - Regex: '^<(urcu\.h|urcu/urcu-|urcu-)' + Priority: 2 + - Regex: '^' - Priority: 1 - - Regex: '".*"' - Priority: 9 + Priority: 35 + - Regex: '^ + "$PYTEST" --setup-only -n "${TEST_PARALLEL_JOBS:-1}" + needs: + - job: autoreconf + artifacts: true + artifacts: + paths: + - bind-* + untracked: true + expire_in: "1 day" + when: on_failure + +.display_pytest_failures: &display_pytest_failures + - awk '/^=+ FAILURES =+/{flag=1;next}/^=+.*=+$/{flag=0}flag' bin/tests/system/pytest.out.txt || true + - awk '/^=+ ERRORS =+/{flag=1;next}/^=+.*=+$/{flag=0}flag' bin/tests/system/pytest.out.txt || true .system_test_common: &system_test_common <<: *default_triggering_rules stage: system before_script: - - *setup_softhsm - - *retrieve_out_of_tree_workspace + - test -n "${OUT_OF_TREE_WORKSPACE}" && cp -r bin/tests/system/* "${OUT_OF_TREE_WORKSPACE}/bin/tests/system/" && cd "${OUT_OF_TREE_WORKSPACE}" - *setup_interfaces script: + - *find_pytest - cd bin/tests/system - - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 - - if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" *.log ); fi + - > + "$PYTEST" --junit-xml="$CI_PROJECT_DIR"/junit.xml -n "$TEST_PARALLEL_JOBS" | tee pytest.out.txt + - '( ! 
grep -F "grep: warning:" pytest.out.txt )' after_script: - test -n "${OUT_OF_TREE_WORKSPACE}" && cd "${OUT_OF_TREE_WORKSPACE}" - - test -d bind-* && cd bind-* - - cat bin/tests/system/test-suite.log - - *save_out_of_tree_workspace + - *display_pytest_failures .system_test: &system_test_job <<: *system_test_common artifacts: untracked: true - expire_in: "1 day" - when: on_failure + exclude: + - "**/__pycache__/**/*" + when: always + reports: + junit: junit.xml .system_test_gcov: &system_test_gcov_job <<: *system_test_common artifacts: untracked: true - expire_in: "1 day" + exclude: + - "**/__pycache__/**/*" when: always .system_test_tsan: &system_test_tsan_job <<: *system_test_common after_script: - - cat bin/tests/system/test-suite.log - - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; + - *display_pytest_failures + - find bin/tests/system -name "*dig.*" | xargs grep "error" || true + - *find_python + - *parse_tsan + - > + "$PYTHON" bin/tests/convert-trs-to-junit.py . > "$CI_PROJECT_DIR"/junit.xml artifacts: - expire_in: "1 day" untracked: true - when: on_failure + exclude: + - "**/__pycache__/**/*" + when: always + reports: + junit: junit.xml .unit_test_common: &unit_test_common <<: *default_triggering_rules stage: unit before_script: - - *setup_softhsm - - *retrieve_out_of_tree_workspace + - test -n "${OUT_OF_TREE_WORKSPACE}" && cd "${OUT_OF_TREE_WORKSPACE}" script: - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1 after_script: - - *save_out_of_tree_workspace + - test -d bind-* && cd bind-* + - REALSOURCEDIR="$PWD" + - test -n "${OUT_OF_TREE_WORKSPACE}" && cd "${OUT_OF_TREE_WORKSPACE}" + - *find_python + - > + "$PYTHON" "$REALSOURCEDIR"/bin/tests/convert-trs-to-junit.py . 
> "$CI_PROJECT_DIR"/junit.xml .unit_test: &unit_test_job <<: *unit_test_common artifacts: untracked: true - expire_in: "1 day" - when: on_failure + when: always + reports: + junit: junit.xml .unit_test_gcov: &unit_test_gcov_job <<: *unit_test_common artifacts: untracked: true - expire_in: "1 day" when: always .unit_test_tsan: &unit_test_tsan_job <<: *unit_test_common after_script: - - find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; + - *find_python + - *parse_tsan + - > + "$PYTHON" bin/tests/convert-trs-to-junit.py . > "$CI_PROJECT_DIR"/junit.xml artifacts: - expire_in: "1 day" - paths: - - lib/*/tests/tsan.* - - tsan/ - when: on_failure - -.cppcheck_args: &run_cppcheck | - cppcheck --enable=warning,performance,portability,information,missingInclude --include=config.h --std=c11 --language=c --project=compile_commands.json --error-exitcode=2 -j ${TEST_PARALLEL_JOBS:-1} --xml --output-file=cppcheck.results --relative-paths="$CI_PROJECT_DIR" --inline-suppr --suppressions-list=util/suppressions.txt - -.cppcheck_report: &cppcheck_report_html | - cppcheck-htmlreport --title="BIND 9 ($CI_COMMIT_SHORT_SHA) Cppcheck Report" --file=cppcheck.results --report-dir=cppcheck_html/ + untracked: true + when: always + reports: + junit: junit.xml -.cppcheck: &cppcheck_job - <<: *default_triggering_rules - stage: postcheck +.docs: &docs_job + stage: docs script: - *configure - - (make -nwk all || true) | compiledb - - export GCC_VERSION=$(gcc --version | sed -n 's/.* \([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p') - - sed -i "/gcc\",/a\"-DCPPCHECK\", \"-D__STDC__\", \"-D__GNUC__=${GCC_VERSION}\"," compile_commands.json - - *run_cppcheck - after_script: - - *cppcheck_report_html + - make -j${BUILD_PARALLEL_JOBS:-1} -k doc V=1 + - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf + - find doc/man/ -maxdepth 1 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. 
ft C" -e "input text line longer than 80 bytes" ) + +.respdiff: &respdiff_job + stage: system + before_script: + - autoreconf -fi + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} V=1 + - *setup_interfaces + - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git + - cd bind-qa/bind9/respdiff + needs: [] artifacts: paths: - - compile_commands.json - - cppcheck.results - - cppcheck_html/ - expire_in: "1 day" - when: on_failure - needs: - - job: autoreconf - artifacts: true + - bind-qa/bind9/respdiff + exclude: + - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. + untracked: true + when: always ### Job Definitions @@ -411,21 +532,29 @@ misc: - test ! -f CHANGES.SE || perl util/check-changes master=0 CHANGES.SE - test ! -f CHANGES.SE || sh util/check-line-length.sh CHANGES.SE - rm CHANGES.tmp - - perl -w util/merge_copyrights - - diff -urNap util/copyrights util/newcopyrights - - rm util/newcopyrights - - perl -w util/update_copyrights < util/copyrights - - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi - - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'` - sh util/check-categories.sh + - sh util/check-gitignore.sh + - sh util/check-trailing-whitespace.sh - if git grep SYSTEMTESTTOP -- ':!.gitlab-ci.yml'; then echo 'Please use relative paths instead of $SYSTEMTESTTOP.'; exit 1; fi - bash util/unused-headers.sh + - bash util/xmllint-html.sh needs: [] artifacts: paths: - - util/newcopyrights - checklibs.out - expire_in: "1 day" + when: on_failure + +black: + <<: *precheck_job + needs: [] + script: + - black $(git ls-files '*.py') + - git diff > black.patch + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - black.patch + expire_in: "1 week" when: on_failure clang-format: 
@@ -433,7 +562,13 @@ clang-format: needs: [] script: - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi + - git diff > clang-format.patch - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - clang-format.patch + expire_in: "1 week" + when: on_failure coccinelle: <<: *precheck_job @@ -442,6 +577,23 @@ coccinelle: - util/check-cocci - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi +pylint: + <<: *precheck_job + needs: [] + script: + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') + # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') + +reuse: + <<: *precheck_job + needs: [] + image: + name: docker.io/fsfe/reuse:latest + entrypoint: [""] + script: + - reuse lint + danger: <<: *precheck_job needs: [] @@ -453,28 +605,11 @@ danger: variables: - $DANGER_GITLAB_API_TOKEN -flake8: - <<: *default_triggering_rules - <<: *base_image - stage: postcheck - needs: - - job: autoreconf - artifacts: true +checkbashisms: + <<: *precheck_job + needs: [] script: - - *configure - - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)') - -pylint: - <<: *default_triggering_rules - <<: *base_image - stage: postcheck - needs: - - job: autoreconf - artifacts: true - script: - - *configure - - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python" - - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)') + - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print) tarball-create: stage: precheck 
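Review bot: The new `reuse` job pulls `docker.io/fsfe/reuse:latest`, an unpinned third-party image, so the precheck stage will silently run whatever that tag points to on the day the pipeline executes. Every other job in this file takes its image from an anchor (`*base_image`, `*debian_bookworm_amd64_image`, …) whose definition is outside this hunk, so I cannot tell whether those are pinned either, but a floating `latest` tag makes the lint result non-reproducible and widens the pipeline's supply-chain exposure for no gain. I would pin it, e.g. `name: docker.io/fsfe/reuse:<version>` or, better, `name: docker.io/fsfe/reuse@sha256:<digest>`, and bump it deliberately.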
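Review bot: In the new `checkbashisms` job the file name is spliced into the `sh -c` script text via `{}`, so a path containing a quote or `$(...)` would be interpreted as shell rather than tested; the conventional form passes it as a positional argument: `-exec sh -c 'head -n 1 "$1" | grep -qsF "#!/bin/sh"' sh {} \;`. The outer `$(find ...)` is also unquoted, so a script path with whitespace would be word-split before reaching `checkbashisms`; appending `-exec checkbashisms {} +` to the `find` instead of capturing its output avoids both problems. The tree being scanned is the repository itself, so this is a robustness issue rather than an exploitable one, but it is cheap to get right while the job is new.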
@@ -486,180 +621,227 @@ tarball-create: - autoreconf -fi - ./configure --enable-maintainer-mode - make -j${BUILD_PARALLEL_JOBS:-1} all V=1 - - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; git diff > diff.patch; exit 1; fi - make -j${BUILD_PARALLEL_JOBS:-1} dist V=1 artifacts: paths: + - diff.patch - bind-*.tar.${TARBALL_EXTENSION} + when: always needs: - job: autoreconf artifacts: true -# Jobs for doc builds on Debian 10 "buster" (amd64) +# Jobs for doc builds on Debian 12 "bookworm" (amd64) docs: - <<: *release_branch_triggering_rules + <<: *default_triggering_rules <<: *base_image - stage: docs - before_script: - - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}" - script: - - *configure - - make -j${BUILD_PARALLEL_JOBS:-1} -k doc V=1 - - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf - - find doc/man/ -maxdepth 1 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. 
ft C" ) + <<: *docs_job needs: - job: autoreconf artifacts: true - allow_failure: false artifacts: - paths: - - doc/arm/ - - doc/man/ - - doc/misc/ - expire_in: "1 month" + untracked: true -push:docs: +docs:tarball: + <<: *default_triggering_rules <<: *base_image - stage: push + <<: *docs_job + before_script: + - *unpack_release_tarball needs: - - job: docs - artifacts: false - script: - - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=main $GITLAB_PAGES_DOCS_TRIGGER_URL - only: - - main@isc-projects/bind9 - - /^v9_[1-9][0-9]$/@isc-projects/bind9 + - job: tarball-create + artifacts: true -# Jobs for regular GCC builds on Alpine Linux 3.13 (amd64) +# Jobs for regular GCC builds on Alpine Linux 3.18 (amd64) -gcc:alpine3.13:amd64: +gcc:alpine3.18:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" EXTRA_CONFIGURE: "${WITHOUT_READLINE}" - <<: *alpine_3_13_amd64_image + <<: *alpine_3_18_amd64_image <<: *build_job -system:gcc:alpine3.13:amd64: - <<: *alpine_3_13_amd64_image +system:gcc:alpine3.18:amd64: + <<: *alpine_3_18_amd64_image <<: *system_test_job needs: - - job: gcc:alpine3.13:amd64 + - job: gcc:alpine3.18:amd64 artifacts: true -unit:gcc:alpine3.13:amd64: - <<: *alpine_3_13_amd64_image +unit:gcc:alpine3.18:amd64: + <<: *alpine_3_18_amd64_image <<: *unit_test_job needs: - - job: gcc:alpine3.13:amd64 + - job: gcc:alpine3.18:amd64 artifacts: true -# Jobs for regular GCC builds on CentOS 7 (amd64) +# Jobs for regular GCC builds on Oracle Linux 8 (amd64) -gcc:centos7:amd64: +gcc:oraclelinux8:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" EXTRA_CONFIGURE: "--with-libidn2" - <<: *centos_centos7_amd64_image + <<: *oraclelinux_8_amd64_image <<: *build_job -system:gcc:centos7:amd64: - <<: *centos_centos7_amd64_image +system:gcc:oraclelinux8:amd64: + <<: *oraclelinux_8_amd64_image <<: *system_test_job needs: - - job: gcc:centos7:amd64 + - job: gcc:oraclelinux8:amd64 artifacts: true -unit:gcc:centos7:amd64: - <<: *centos_centos7_amd64_image 
+unit:gcc:oraclelinux8:amd64: + <<: *oraclelinux_8_amd64_image <<: *unit_test_job needs: - - job: gcc:centos7:amd64 + - job: gcc:oraclelinux8:amd64 artifacts: true -# Jobs for regular GCC builds on CentOS 8 (amd64) +# Jobs for regular GCC builds on Oracle Linux 9 (amd64) -gcc:centos8:amd64: +gcc:oraclelinux9:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2" - <<: *centos_centos8_amd64_image + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + <<: *oraclelinux_9_amd64_image <<: *build_job -system:gcc:centos8:amd64: - <<: *centos_centos8_amd64_image +system:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image <<: *system_test_job needs: - - job: gcc:centos8:amd64 + - job: gcc:oraclelinux9:amd64 artifacts: true -unit:gcc:centos8:amd64: - <<: *centos_centos8_amd64_image +unit:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image <<: *unit_test_job needs: - - job: gcc:centos8:amd64 + - job: gcc:oraclelinux9:amd64 + +# Jobs for scheduled GCC builds on Oracle Linux 8 & 9 FIPS-aware images with +# FIPS mode in BIND 9 enabled + +gcc:8fips:amd64: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-tracing" + <<: *oraclelinux_8fips_amd64_image + <<: *build_job + <<: *api_schedules_tags_triggers_web_triggering_rules + +system:gcc:8fips:amd64: + <<: *oraclelinux_8fips_amd64_image + <<: *system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules + needs: + - job: gcc:8fips:amd64 artifacts: true -# Jobs for regular GCC builds on Debian 9 "stretch" (amd64) +unit:gcc:8fips:amd64: + <<: *oraclelinux_8fips_amd64_image + <<: *unit_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules + needs: + - job: gcc:8fips:amd64 + artifacts: true -gcc:stretch:amd64: +gcc:9fips:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--without-cmocka --without-gssapi" - <<: *debian_stretch_amd64_image + CFLAGS: 
"${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-leak-detection --disable-tracing" + <<: *oraclelinux_9fips_amd64_image <<: *build_job + <<: *api_schedules_tags_triggers_web_triggering_rules -system:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image +system:gcc:9fips:amd64: + <<: *oraclelinux_9fips_amd64_image <<: *system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - - job: gcc:stretch:amd64 + - job: gcc:9fips:amd64 artifacts: true -unit:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image +unit:gcc:9fips:amd64: + <<: *oraclelinux_9fips_amd64_image <<: *unit_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - - job: gcc:stretch:amd64 + - job: gcc:9fips:amd64 artifacts: true -# Jobs for regular GCC builds on Debian 10 "buster" (amd64) +gcc:tarball:nosphinx: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + RUN_MAKE_INSTALL: 1 + <<: *oraclelinux_9_amd64_image + <<: *build_job + before_script: + - (! 
command -v sphinx-build >/dev/null) + - *unpack_release_tarball + needs: + - job: tarball-create + artifacts: true -gcc:buster:amd64: +# Jobs for regular GCC builds on Debian 12 "bookworm" (amd64) + +gcc:bookworm:amd64: variables: + BUILD_CONTRIB: 1 CC: gcc CFLAGS: "${CFLAGS_COMMON} --coverage -O0" EXTRA_CONFIGURE: "--with-libidn2 ${WITH_READLINE_LIBEDIT}" - <<: *debian_buster_amd64_image + RUN_MAKE_INSTALL: 1 + <<: *debian_bookworm_amd64_image <<: *build_job -system:gcc:buster:amd64: - <<: *debian_buster_amd64_image +system:gcc:bookworm:amd64: + <<: *debian_bookworm_amd64_image <<: *system_test_gcov_job + variables: + CI_ENABLE_ALL_TESTS: 1 needs: - - job: unit:gcc:buster:amd64 + - job: unit:gcc:bookworm:amd64 artifacts: true -unit:gcc:buster:amd64: - <<: *debian_buster_amd64_image +unit:gcc:bookworm:amd64: + <<: *debian_bookworm_amd64_image <<: *unit_test_gcov_job + variables: + CI_ENABLE_ALL_TESTS: 1 needs: - - job: gcc:buster:amd64 + - job: gcc:bookworm:amd64 artifacts: true -# Jobs for scan-build builds on Debian 10 "buster" (amd64) +# Build job for cross-compiled GCC builds on 64-bit Debian 12 "bookworm" +# (amd64) with 32-bit BIND 9. + +gcc:bookworm:amd64cross32: + variables: + CFLAGS: "${CFLAGS_COMMON}" + CROSS_COMPILATION: 1 + EXTRA_CONFIGURE: "--build=x86_64-linux-gnu --host=i686-linux-gnu --with-libidn2 ${WITH_READLINE_LIBEDIT}" + <<: *debian_bookworm_amd64cross32_image + <<: *build_job + +# Jobs for scan-build builds on Debian 12 "bookworm" (amd64) -.scan_build: &scan_build | - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" \ - --keep-cc \ - --status-bugs \ - --keep-going \ - -o scan-build.reports \ - make -j${BUILD_PARALLEL_JOBS:-1} all V=1 +.scan_build: &scan_build + - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" + --keep-cc + --status-bugs + --keep-going + -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1 scan-build: <<: *default_triggering_rules 
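Review bot: The `(! command -v sphinx-build >/dev/null)` line in the `before_script` of `gcc:tarball:nosphinx` is an undocumented assertion; a reader has to work out that the job deliberately fails unless Sphinx is absent, presumably so that the release tarball is proven to build from the pre-rendered documentation it ships. I would add a comment above it: `# Assert that Sphinx is NOT installed, so the build must use the pre-generated docs shipped in the release tarball`. The `*unpack_release_tarball` anchor used by this job and by `docs:tarball` is defined outside this hunk, so I have not checked what it does beyond extracting the tarball.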
@@ -679,9 +861,39 @@ scan-build: artifacts: paths: - scan-build.reports/ - expire_in: "1 day" when: on_failure +# Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "sid" (amd64) +# Run with pkcs11-provider tests + +gcc:ossl3:sid:amd64: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -O3 -DOPENSSL_NO_DEPRECATED=1 -DOPENSSL_API_COMPAT=30000" + # See https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 + EXTRA_CONFIGURE: "--without-jemalloc --disable-leak-detection" + RUN_MAKE_INSTALL: 1 + <<: *debian_sid_amd64_image + <<: *build_job + +system:gcc:ossl3:sid:amd64: + # Set up environment variables to run pkcs11-provider system tests + variables: + OPENSSL_CONF: "/var/tmp/etc/openssl-provider.cnf" + SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" + <<: *debian_sid_amd64_image + <<: *system_test_job + needs: + - job: gcc:ossl3:sid:amd64 + artifacts: true + +unit:gcc:ossl3:amd64: + <<: *debian_sid_amd64_image + <<: *unit_test_job + needs: + - job: gcc:ossl3:sid:amd64 + artifacts: true + # Jobs for regular GCC builds on Debian "sid" (amd64) # Also tests configration option: --without-lmdb. @@ -689,7 +901,7 @@ gcc:sid:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O3" - EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb" + EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb ${WITH_READLINE}" RUN_MAKE_INSTALL: 1 <<: *debian_sid_amd64_image <<: *build_job @@ -708,11 +920,7 @@ unit:gcc:sid:amd64: - job: gcc:sid:amd64 artifacts: true -cppcheck: - <<: *base_image - <<: *cppcheck_job - -# Job for out-of-tree GCC build on Debian "sid" (amd64) +# Job for out-of-tree GCC build on Debian 12 "bookworm" (amd64) # Also tests configration option: --with-lmdb. gcc:out-of-tree: 
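Review bot: The unit job for the strict OpenSSL 3 build is named `unit:gcc:ossl3:amd64` while its build and system siblings are `gcc:ossl3:sid:amd64` and `system:gcc:ossl3:sid:amd64`; every other build/system/unit triple in this file shares the same `<compiler>:<distro>:<arch>` tail, so this one will not sort or grep together with the job it depends on. I would rename it to `unit:gcc:ossl3:sid:amd64`. The comment `# Run with pkcs11-provider tests` above the job group would also read better if it named the files it relies on (`/var/tmp/etc/openssl-provider.cnf`, `/var/tmp/softhsm2/softhsm2.conf`), since nothing in this diff shows where they are provisioned.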
@@ -722,31 +930,31 @@ gcc:out-of-tree: CONFIGURE: "${CI_PROJECT_DIR}/configure" EXTRA_CONFIGURE: "--with-libidn2 --with-lmdb" RUN_MAKE_INSTALL: 1 - OUT_OF_TREE_WORKSPACE: /tmp/out_of_tree_workspace + OUT_OF_TREE_WORKSPACE: workspace <<: *base_image <<: *build_job system:gcc:out-of-tree: variables: - OUT_OF_TREE_WORKSPACE: /tmp/out_of_tree_workspace + OUT_OF_TREE_WORKSPACE: workspace needs: - job: gcc:out-of-tree artifacts: true <<: *base_image <<: *system_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules unit:gcc:out-of-tree: variables: - OUT_OF_TREE_WORKSPACE: /tmp/out_of_tree_workspace + OUT_OF_TREE_WORKSPACE: workspace needs: - job: gcc:out-of-tree artifacts: true <<: *base_image <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules -# Jobs for tarball GCC builds on Debian 10 "buster" (amd64) +# Jobs for tarball GCC builds on Debian 12 "bookworm" (amd64) gcc:tarball: variables: @@ -756,9 +964,7 @@ gcc:tarball: <<: *base_image <<: *build_job before_script: - - tar --extract --file bind-*.tar.${TARBALL_EXTENSION} - - rm -f bind-*.tar.${TARBALL_EXTENSION} - - cd bind-* + - *unpack_release_tarball needs: - job: tarball-create artifacts: true @@ -766,10 +972,13 @@ gcc:tarball: system:gcc:tarball: <<: *base_image <<: *system_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* - *setup_interfaces + after_script: + - cd bind-* + - *display_pytest_failures needs: - job: gcc:tarball artifacts: true @@ -777,7 +986,7 @@ system:gcc:tarball: unit:gcc:tarball: <<: *base_image <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* needs: 
@@ -790,7 +999,15 @@ gcc:tumbleweed:amd64:
 variables:
 CC: gcc
 CFLAGS: "${CFLAGS_COMMON} -DDEBUG"
- EXTRA_CONFIGURE: "--with-libidn2 ${WITH_READLINE_READLINE}"
+ # NOTE: Testing DNSRPS-enabled builds currently requires an
+ # operating system with glibc 2.34+. This requirement will go away
+ # once the DNSRPS dynamic loading code gets reworked to use libuv's
+ # dlopen() API.
+ #
+ # NOTE: This does *not* enable testing of the DNSRPS feature itself.
+ # Doing that requires a DNSRPS provider library to be present on the
+ # test host.
+ EXTRA_CONFIGURE: "--enable-dnsrps --enable-dnsrps-dl --with-libidn2 ${WITH_READLINE_READLINE}"
 <<: *tumbleweed_latest_amd64_image
 <<: *build_job
@@ -808,78 +1025,76 @@ unit:gcc:tumbleweed:amd64: - job: gcc:tumbleweed:amd64 artifacts: true -# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64) +# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64) -gcc:bionic:amd64: +gcc:focal:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--disable-dnstap --disable-geoip" - <<: *ubuntu_bionic_amd64_image + CFLAGS: "${CFLAGS_COMMON} -Og" + EXTRA_CONFIGURE: "--disable-dnstap --without-cmocka --without-gssapi --with-libidn2" + <<: *ubuntu_focal_amd64_image <<: *build_job -system:gcc:bionic:amd64: - <<: *ubuntu_bionic_amd64_image +system:gcc:focal:amd64: + <<: *ubuntu_focal_amd64_image <<: *system_test_job needs: - - job: gcc:bionic:amd64 + - job: gcc:focal:amd64 artifacts: true -unit:gcc:bionic:amd64: - <<: *ubuntu_bionic_amd64_image +unit:gcc:focal:amd64: + <<: *ubuntu_focal_amd64_image <<: *unit_test_job needs: - - job: gcc:bionic:amd64 + - job: gcc:focal:amd64 artifacts: true -# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64) +# Jobs for regular GCC builds on Ubuntu 22.04 Jammy Jellyfish (amd64) -gcc:focal:amd64: +gcc:jammy:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -Og" - EXTRA_CONFIGURE: "--with-libidn2" - <<: *ubuntu_focal_amd64_image + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--disable-geoip --with-libidn2 --disable-doh" + <<: *ubuntu_jammy_amd64_image <<: *build_job -system:gcc:focal:amd64: - <<: *ubuntu_focal_amd64_image +system:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image <<: *system_test_job needs: - - job: gcc:focal:amd64 + - job: gcc:jammy:amd64 artifacts: true -unit:gcc:focal:amd64: - <<: *ubuntu_focal_amd64_image +unit:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image <<: *unit_test_job needs: - - job: gcc:focal:amd64 + - job: gcc:jammy:amd64 artifacts: true -# Jobs for ASAN builds on Debian 10 "buster" (amd64) +# Jobs for ASAN builds on Fedora 38 (amd64) gcc:asan: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} 
-fsanitize=address,undefined" LDFLAGS: "-fsanitize=address,undefined" - EXTRA_CONFIGURE: "--with-libidn2" - <<: *base_image + EXTRA_CONFIGURE: "--with-libidn2 --without-jemalloc" + <<: *fedora_38_amd64_image <<: *build_job system:gcc:asan: variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} - <<: *base_image + LSAN_OPTIONS: "suppressions=$CI_PROJECT_DIR/suppr-lsan.txt" + <<: *fedora_38_amd64_image <<: *system_test_job needs: - job: gcc:asan artifacts: true unit:gcc:asan: - variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} - <<: *base_image + <<: *fedora_38_amd64_image <<: *unit_test_job needs: - job: gcc:asan @@ -890,13 +1105,11 @@ clang:asan: CC: ${CLANG} CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined" LDFLAGS: "-fsanitize=address,undefined" - EXTRA_CONFIGURE: "--with-libidn2" + EXTRA_CONFIGURE: "--with-libidn2 --without-jemalloc" <<: *base_image <<: *build_job system:clang:asan: - variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} <<: *base_image <<: *system_test_job needs: @@ -904,29 +1117,27 @@ system:clang:asan: artifacts: true unit:clang:asan: - variables: - ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON} <<: *base_image <<: *unit_test_job needs: - job: clang:asan artifacts: true -# Jobs for TSAN builds on Debian 10 "buster" (amd64) +# Jobs for TSAN builds on Fedora 38 (amd64) gcc:tsan: - <<: *base_image - <<: *build_job variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread" LDFLAGS: "-fsanitize=thread" - EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" + EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock --without-jemalloc" + <<: *tsan_fedora_38_amd64_image + <<: *build_job system:gcc:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_38_amd64_image <<: *system_test_tsan_job needs: - job: gcc:tsan 
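Review bot: `LSAN_OPTIONS: "suppressions=$CI_PROJECT_DIR/suppr-lsan.txt"` is set only on `system:gcc:asan`; `unit:gcc:asan` in the same hunk, and the clang ASAN jobs that follow it, get no suppressions file, so any leak the file papers over for the gcc system tests will still fail the unit and clang runs. If the asymmetry is intentional — say the suppressed leaks are gcc-specific and only reachable from system tests — a one-line comment above the variable would stop someone "fixing" it later, e.g. `# LSan suppressions are needed only for the gcc system-test run; see suppr-lsan.txt`. The `ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}` lines removed here presumably moved to a global `variables:` block outside this hunk; I could not confirm that from the diff.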
@@ -934,26 +1145,26 @@ system:gcc:tsan: unit:gcc:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_38_amd64_image <<: *unit_test_tsan_job needs: - job: gcc:tsan artifacts: true clang:tsan: - <<: *base_image + <<: *tsan_debian_bookworm_amd64_image <<: *build_job variables: CC: "${CLANG}" CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread" LDFLAGS: "-fsanitize=thread" - EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" + EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock --without-jemalloc" system:clang:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bookworm_amd64_image <<: *system_test_tsan_job needs: - job: clang:tsan 
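Review bot: `unit:gcc:tsan` used to pass `suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt` in `TSAN_OPTIONS`, and the replacement value `"${TSAN_OPTIONS_FEDORA}"` no longer mentions the suppressions file; unless `TSAN_OPTIONS_FEDORA` (defined outside this hunk) carries it, the unit tests now run unsuppressed, which either means known races will start failing the job or that the file was retired and should be deleted in this same change. Please say which in the commit message or next to the variable, e.g. `# TSAN_OPTIONS_FEDORA carries the suppressions file; see the global variables block`. The same substitution is made for `unit:clang:tsan` in the following hunk.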
@@ -961,136 +1172,92 @@ system:clang:tsan: unit:clang:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bookworm_amd64_image <<: *unit_test_tsan_job needs: - job: clang:tsan artifacts: true -# Jobs for builds with mutex-based atomics on Debian 10 "buster" (amd64) +# Jobs for Debian 11 "bullseye" (amd64) -gcc:mutexatomics: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--with-libidn2 --enable-mutex-atomics" - <<: *base_image - <<: *build_job - -system:gcc:mutexatomics: - <<: *base_image - <<: *system_test_job - needs: - - job: gcc:mutexatomics - artifacts: true - -unit:gcc:mutexatomics: - <<: *base_image - <<: *unit_test_job - needs: - - job: gcc:mutexatomics - artifacts: true - -# Jobs for Clang builds on Debian 10 "buster" (amd64) - -clang:buster:amd64: +clang:bullseye:amd64: variables: CC: ${CLANG} CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion" - <<: *debian_buster_amd64_image + <<: *debian_bullseye_amd64_image <<: *build_job -system:clang:buster:amd64: - <<: *debian_buster_amd64_image +system:clang:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *system_test_job needs: - - job: clang:buster:amd64 + - job: clang:bullseye:amd64 artifacts: true -unit:clang:buster:amd64: - <<: *debian_buster_amd64_image +unit:clang:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *unit_test_job needs: - - job: clang:buster:amd64 + - job: clang:bullseye:amd64 artifacts: true -# Jobs for PKCS#11-enabled GCC builds on Debian "sid" (amd64) - -gcc:softhsm2.4: +gcc:bullseye:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" - <<: *base_image + # See https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 + EXTRA_CONFIGURE: "--with-libidn2 --without-jemalloc --disable-leak-detection" + <<: *debian_bullseye_amd64_image <<: 
*build_job -system:gcc:softhsm2.4: - <<: *base_image - <<: *system_test_job - needs: - - job: gcc:softhsm2.4 - artifacts: true - -unit:gcc:softhsm2.4: - <<: *base_image - <<: *unit_test_job - needs: - - job: gcc:softhsm2.4 - artifacts: true - -# Jobs for PKCS#11-enabled GCC builds on Fedora 34 (amd64) - -gcc:softhsm2.6: +system:gcc:bullseye:amd64: + # Set up environment variables that allow the "keyfromlabel" system test to be run variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O1" - EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so" - <<: *fedora_34_amd64_image - <<: *build_job - -system:gcc:softhsm2.6: - <<: *fedora_34_amd64_image + OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" + SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" + <<: *debian_bullseye_amd64_image <<: *system_test_job needs: - - job: gcc:softhsm2.6 + - job: gcc:bullseye:amd64 artifacts: true -unit:gcc:softhsm2.6: - <<: *fedora_34_amd64_image +unit:gcc:bullseye:amd64: + <<: *debian_bullseye_amd64_image <<: *unit_test_job needs: - - job: gcc:softhsm2.6 + - job: gcc:bullseye:amd64 artifacts: true -# Jobs for Clang builds on FreeBSD 11 (amd64) +# Jobs for Clang builds on Debian 12 "bookworm" (amd64) -clang:freebsd11:amd64: +clang:bookworm:amd64: variables: - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "${WITH_READLINE}" - USER: gitlab-runner - <<: *freebsd_11_amd64_image + BUILD_CONTRIB: 1 + CC: ${CLANG} + CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion -DOPENSSL_API_COMPAT=10100" + # See https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 + EXTRA_CONFIGURE: "--without-jemalloc --disable-leak-detection" + RUN_MAKE_INSTALL: 1 + <<: *debian_bookworm_amd64_image <<: *build_job - <<: *schedules_tags_web_triggering_rules -system:clang:freebsd11:amd64: - <<: *freebsd_11_amd64_image - <<: *system_test_job - <<: *schedules_tags_web_triggering_rules +system:clang:bookworm:amd64: + # Set up environment variables that allow the "keyfromlabel" system test to be 
run variables: - USER: gitlab-runner - TEST_PARALLEL_JOBS: 4 + OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" + SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" + <<: *debian_bookworm_amd64_image + <<: *system_test_job needs: - - job: clang:freebsd11:amd64 + - job: clang:bookworm:amd64 artifacts: true -unit:clang:freebsd11:amd64: - <<: *freebsd_11_amd64_image +unit:clang:bookworm:amd64: + <<: *debian_bookworm_amd64_image <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules needs: - - job: clang:freebsd11:amd64 + - job: clang:bookworm:amd64 artifacts: true # Jobs for Clang builds on FreeBSD 12 (amd64) @@ -1108,7 +1275,6 @@ system:clang:freebsd12:amd64: <<: *system_test_job variables: USER: gitlab-runner - TEST_PARALLEL_JOBS: 4 needs: - job: clang:freebsd12:amd64 artifacts: true @@ -1135,7 +1301,6 @@ system:clang:freebsd13:amd64: <<: *system_test_job variables: USER: gitlab-runner - TEST_PARALLEL_JOBS: 4 needs: - job: clang:freebsd13:amd64 artifacts: true @@ -1160,14 +1325,13 @@ clang:openbsd:amd64: system:clang:openbsd:amd64: <<: *openbsd_amd64_image <<: *system_test_job + <<: *api_schedules_triggers_web_triggering_rules variables: USER: gitlab-runner needs: - job: clang:openbsd:amd64 artifacts: true - only: - - schedules - - web + allow_failure: true unit:clang:openbsd:amd64: <<: *openbsd_amd64_image @@ -1188,7 +1352,7 @@ release: # Prepare release tarball contents (tarballs + documentation) - mkdir -p release/doc/arm - pushd release - - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip . + - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" . - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README.md,srcid} . - rm -rf "${BIND_DIRECTORY}" 
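Review bot: The new `system:gcc:bullseye:amd64` and `system:clang:bookworm:amd64` jobs point `OPENSSL_CONF` and `SOFTHSM2_CONF` at files under `/var/tmp`, and nothing in the hunk says who creates them. An OpenSSL configuration file can direct every OpenSSL-linked process in the test run to load engines or providers from arbitrary paths, so a config in a world-writable prefix is acceptable only because the CI container is single-use; I would record that next to the variables: `# openssl.cnf/softhsm2.conf are provisioned by the image build for the keyfromlabel test; /var/tmp is tolerable only because the container is discarded after the job`. The `-DOPENSSL_API_COMPAT=10100` on `clang:bookworm:amd64` versus `30000` on the ossl3 job also deserves a comment saying the two jobs intentionally cover both ends of the API-compat range, assuming that is the intent.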
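Review bot: `allow_failure: true` on `system:clang:openbsd:amd64` makes that platform's system-test results advisory only, and the hunk gives no reason, so a future reader cannot tell whether this covers a flaky runner, a known test gap, or an oversight. I would add a comment above it, e.g. `# OpenBSD system tests are advisory until <issue> is resolved`, citing the tracking issue so the exception gets revisited rather than fossilised.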
@@ -1209,35 +1373,33 @@ release: artifacts: paths: - "*.tar.gz" - expire_in: "1 day" + expire_in: never # Coverity Scan analysis upload -.coverity_cache_prep: &coverity_cache_prep | - test -f cov-analysis-linux64.md5 && test -f cov-analysis-linux64.tgz || ( - curl --output cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 \ - --form project=$COVERITY_SCAN_PROJECT_NAME \ - --form token=$COVERITY_SCAN_TOKEN \ - --form md5=1 - curl --output cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 \ - --form project=$COVERITY_SCAN_PROJECT_NAME \ - --form token=$COVERITY_SCAN_TOKEN - ) - test "$(md5sum cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat cov-analysis-linux64.md5)" - tar --extract --gzip --file=cov-analysis-linux64.tgz - test -d cov-analysis-linux64-2020.09 - -.coverity_build: &coverity_build | - cov-analysis-linux64-2020.09/bin/cov-build --dir cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' - tar --create --gzip --file=cov-int.tar.gz cov-int/ - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME \ - --form token=$COVERITY_SCAN_TOKEN \ - --form email=bind-changes@isc.org \ - --form file=@cov-int.tar.gz \ - --form version="$(git rev-parse --short HEAD)" \ - --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 \ - | tee curl-response.txt - grep -q 'Build successfully submitted' curl-response.txt +.coverity_prep: &coverity_prep + - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form md5=1 + - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" + - tar --extract --gzip 
--file=/tmp/cov-analysis-linux64.tgz --directory=/tmp + - test -d /tmp/cov-analysis-linux64-* + +.coverity_build: &coverity_build + - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int --fs-capture-search . sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' + - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int + - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form email=bind-changes@isc.org + --form file=@/tmp/cov-int.tar.gz + --form version="$(git rev-parse --short HEAD)" + --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 + | tee curl-response.txt + - grep -q 'Build successfully submitted' curl-response.txt coverity: <<: *base_image @@ -1247,9 +1409,11 @@ coverity: CFLAGS: "${CFLAGS_COMMON} -Og" EXTRA_CONFIGURE: "--with-libidn2" script: - - *coverity_cache_prep + - *coverity_prep - *configure - *coverity_build + after_script: + - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ needs: - job: autoreconf artifacts: true 
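Review bot: In `.coverity_prep` the MD5 used to check `/tmp/cov-analysis-linux64.tgz` is fetched from the same server, over the same channel and with the same token as the tarball, so the comparison only catches a truncated or corrupted transfer, not a substituted tool; the removed `.coverity_cache_prep` at least asserted a specific version (`cov-analysis-linux64-2020.09`), whereas the new `test -d /tmp/cov-analysis-linux64-*` accepts whatever version unpacks and fails with a shell error if the glob ever matches more than one directory. Pinning the expected version in a variable and using it both in that `test -d` line and in the `cov-build` path in `.coverity_build` would restore the version check. Independently, neither `curl --output` download passes `--fail`, so an HTTP error page is written to the file and only surfaces later as an opaque checksum mismatch; `curl --fail --output /tmp/cov-analysis-linux64.md5 ...` reports the problem at the download step instead.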
@@ -1263,54 +1427,114 @@ coverity: variables: - $COVERITY_SCAN_PROJECT_NAME - $COVERITY_SCAN_TOKEN - cache: - key: cov-analysis-linux64-2020.09 - paths: - - cov-analysis-linux64.md5 - - cov-analysis-linux64.tgz -# Respdiff test +# Respdiff tests -respdiff: - <<: *base_image - stage: system +respdiff-short: + <<: *respdiff_job + <<: *default_triggering_rules + <<: *debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -DISC_TRACK_PTHREADS_OBJECTS" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + script: + - bash respdiff.sh -m /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + +respdiff-short:asan: + <<: *respdiff_job + <<: *default_triggering_rules + <<: *debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined" + LDFLAGS: "-fsanitize=address,undefined" + EXTRA_CONFIGURE: "--disable-dnsrps --without-jemalloc" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + script: + - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + +respdiff-short:tsan: + <<: *respdiff_job + <<: *default_triggering_rules + <<: *tsan_debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread" + LDFLAGS: "-fsanitize=thread" + EXTRA_CONFIGURE: "--disable-dnsrps --enable-pthread-rwlock --without-jemalloc" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + script: + - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + after_script: + - *find_python + - *parse_tsan + +respdiff-long: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *respdiff_debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og 
-DISC_TRACK_PTHREADS_OBJECTS" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + script: + - bash respdiff.sh -m /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + +respdiff-long:asan: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined" + LDFLAGS: "-fsanitize=address,undefined" + EXTRA_CONFIGURE: "--disable-dnsrps --without-jemalloc" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + script: + - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + +respdiff-long:tsan: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *tsan_debian_bookworm_amd64_image + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread" + LDFLAGS: "-fsanitize=thread" + EXTRA_CONFIGURE: "--disable-dnsrps --enable-pthread-rwlock --without-jemalloc" + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + script: + - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + after_script: + - *find_python + - *parse_tsan + +respdiff-long-third-party: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *debian_bookworm_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" - BIND_BASELINE_VERSION: v9_11_24 + MAX_DISAGREEMENTS_PERCENTAGE: "0.5" script: - - autoreconf -fi - - ./configure - - make -j${BUILD_PARALLEL_JOBS:-1} V=1 - - *setup_interfaces - - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refbind - 
- cd refbind/ - - ./configure - - make -j${BUILD_PARALLEL_JOBS:-1} V=1 - - cd ../bind-qa/bind9/respdiff - - bash respdiff.sh -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}/refbind" "${CI_PROJECT_DIR}" - needs: - - job: tarball-create - artifacts: true - only: - - tags - artifacts: - paths: - - refbind - untracked: true - expire_in: "1 day" - when: on_failure + - bash respdiff.sh -s third_party -q "${PWD}/100k_mixed.txt" -c 1 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" # "Stress" tests +# Parallel build in the "make" step is avoided since multiple jobs can be +# executed concurrently on the same runner. This may present problems when one +# job runs a performance-sensitive task of replying to queries while another +# takes all cores to build BIND. .stress: &stress_job stage: performance script: - *configure - *setup_interfaces - - *setup_softhsm - - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 + - make -k all V=1 - make DESTDIR="${INSTALL_PATH}" install - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - cd bind-qa/bind9/stress @@ -1320,16 +1544,17 @@ respdiff: artifacts: true artifacts: untracked: true - expire_in: "1 day" + expire_in: "1 week" when: always timeout: 2h -stress:authoritative:fedora:34:amd64: - <<: *fedora_34_amd64_image +stress:authoritative:fedora:38:amd64: + <<: *fedora_38_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: authoritative RATE: 10000 
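Review bot: The six new `respdiff-*` jobs each repeat `CC: gcc` and `MAX_DISAGREEMENTS_PERCENTAGE: "0.5"`, and the asan and tsan short/long pairs duplicate the same `CFLAGS`, `LDFLAGS` and `EXTRA_CONFIGURE` blocks verbatim, differing only in the query file and the triggering rule. If `.respdiff_job` (defined outside this hunk) does not already set them, the shared defaults belong there and each job keeps only its sanitizer-specific overrides, so a future flag change does not have to be applied six times. The `-m /usr/lib/x86_64-linux-gnu/libjemalloc.so.2` argument in the two non-sanitizer jobs hard-codes the Debian amd64 library path; a short comment saying this is intentional, or a variable supplied by the image anchor, would help. The different image anchor used by `respdiff-long` (`respdiff_debian_bookworm_amd64_image`) compared to `respdiff-short` looks deliberate but is undocumented.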
@@ -1338,12 +1563,13 @@ stress:authoritative:fedora:34:amd64:
variables:
- $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
-stress:recursive:fedora:34:amd64:
- <<: *fedora_34_amd64_image
+stress:recursive:fedora:38:amd64:
+ <<: *fedora_38_amd64_image
<<: *linux_stress_amd64
<<: *stress_job
variables:
CC: gcc
+ CFLAGS: "${CFLAGS_COMMON} -Og"
FLAME: /usr/bin/flame
MODE: recursive
RATE: 10000
@@ -1352,12 +1578,28 @@ stress:recursive:fedora:34:amd64:
variables:
- $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
-stress:authoritative:fedora:34:arm64:
- <<: *fedora_34_arm64_image
+stress:rpz:fedora:38:amd64:
+ <<: *fedora_38_amd64_image
+ <<: *linux_stress_amd64
+ <<: *stress_job
+ variables:
+ CC: gcc
+ CFLAGS: "${CFLAGS_COMMON} -Og"
+ FLAME: /usr/bin/flame
+ MODE: rpz
+ RATE: 1500
+ RUN_TIME: 1
+ only:
+ variables:
+ - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:authoritative:fedora:38:arm64:
+ <<: *fedora_38_arm64_image
<<: *linux_stress_arm64
<<: *stress_job
variables:
CC: gcc
+ CFLAGS: "${CFLAGS_COMMON} -Og"
FLAME: /usr/bin/flame
MODE: authoritative
RATE: 10000
@@ -1366,12 +1608,13 @@ stress:authoritative:fedora:34:arm64:
variables:
- $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
-stress:recursive:fedora:34:arm64:
- <<: *fedora_34_arm64_image
+stress:recursive:fedora:38:arm64:
+ <<: *fedora_38_arm64_image
<<: *linux_stress_arm64
<<: *stress_job
variables:
CC: gcc
+ CFLAGS: "${CFLAGS_COMMON} -Og"
FLAME: /usr/bin/flame
MODE: recursive
RATE: 10000
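Review bot: The new `stress:rpz:fedora:38:amd64` job sets `RUN_TIME: 1` and `RATE: 1500`, while the neighbouring authoritative and recursive jobs use `RATE: 10000` and leave `RUN_TIME` unset, and nothing explains the difference; the same applies to `stress:rpz:fedora:38:arm64` and `stress:rpz:freebsd12:amd64` in the following hunks. A comment above the variables, e.g. `# RPZ mode is run shorter and at a lower query rate than the other stress modes because <reason>`, would tell a reader whether these values are deliberate tuning or a placeholder. I could not see where the default `RUN_TIME` for the other jobs comes from (presumably `.stress` or the bind-qa stress script), so the comment should also state the unit `RUN_TIME` is expressed in.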
@@ -1380,12 +1623,28 @@ stress:recursive:fedora:34:arm64:
variables:
- $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+stress:rpz:fedora:38:arm64:
+ <<: *fedora_38_arm64_image
+ <<: *linux_stress_arm64
+ <<: *stress_job
+ variables:
+ CC: gcc
+ CFLAGS: "${CFLAGS_COMMON} -Og"
+ FLAME: /usr/bin/flame
+ MODE: rpz
+ RATE: 1500
+ RUN_TIME: 1
+ only:
+ variables:
+ - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
stress:authoritative:freebsd12:amd64:
<<: *freebsd_12_amd64_image
<<: *freebsd_stress_amd64
<<: *stress_job
variables:
CC: clang
+ CFLAGS: "${CFLAGS_COMMON} -Og"
FLAME: /usr/local/bin/flame
MODE: authoritative
RATE: 10000
@@ -1400,6 +1659,7 @@ stress:recursive:freebsd12:amd64:
<<: *stress_job
variables:
CC: clang
+ CFLAGS: "${CFLAGS_COMMON} -Og"
FLAME: /usr/local/bin/flame
MODE: recursive
RATE: 10000
@@ -1408,35 +1668,69 @@ stress:recursive:freebsd12:amd64:
variables:
- $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+stress:rpz:freebsd12:amd64:
+ <<: *freebsd_12_amd64_image
+ <<: *freebsd_stress_amd64
+ <<: *stress_job
+ variables:
+ CC: clang
+ CFLAGS: "${CFLAGS_COMMON} -Og"
+ FLAME: /usr/local/bin/flame
+ MODE: rpz
+ RATE: 1500
+ RUN_TIME: 1
+ only:
+ variables:
+ - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+# git fsck operates over the whole repository and is sufficient to schedule it
+# only in one branch, preferably "main". GitLab's clone strategy prevents us
+# from using the "bind9" repo clone; we need to clone it ourselves.
+fsck:
+ <<: *base_image
+ stage: postcheck
+ variables:
+ GIT_STRATEGY: none
+ script:
+ - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone
+ - cd bind9-full-clone/
+ - git fsck
+ only:
+ - schedules
+ needs: []
+
gcov:
<<: *base_image
<<: *default_triggering_rules
stage: postcheck
needs:
- - job: system:gcc:buster:amd64
+ - job: system:gcc:bookworm:amd64
artifacts: true
script:
- # *.gcno and *.gcda files generated for shared library objects are created
- # in directories in which gcovr is unable to process them properly
- # (.../.libs/...). Move such *.gcno and *.gcda files one level higher.
- - find . -regex ".*/\.libs/.*\.\(gcda\|gcno\)" -execdir mv "{}" .. \;
- # Help gcovr process the nasty tricks in lib/dns/code.h, where we include C
- # source files from lib/dns/rdata/*/, using an even nastier trick.
- - find lib/dns/rdata/* -name "*.c" -execdir cp -f "{}" ../../ \;
+ # Ensure gcov files for unit tests are found via tests/ rather than
+ # lib/*/tests/ to prevent confusing gcovr.
+ - find lib/ -name tests -type l -delete + # The "a-conftest.gcno" file is result of the ./configure step and + # should be removed as it does not belong to the BIND 9 code base. + - rm a-conftest.gcno # Generate XML file in the Cobertura XML format suitable for use by GitLab # for the purpose of displaying code coverage information in the diff view # of a given merge request. - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --xml -o coverage.xml - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --html-details -o coverage.html - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' -o coverage.txt + - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --cobertura-pretty -o coverage.xml + - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --html-details -o coverage.html + - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --txt -o coverage.txt - tail -n 3 coverage.txt + coverage: /^TOTAL.*\s+(\d+\%)$/ artifacts: paths: - coverage*.html + - coverage.css - coverage.txt - coverage.xml reports: - cobertura: coverage.xml + coverage_report: + coverage_format: cobertura + path: coverage.xml # Pairwise testing of ./configure options diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md index b2f43e8255..f8b82b694b 100644 --- a/.gitlab/issue_templates/Bug.md +++ b/.gitlab/issue_templates/Bug.md @@ -1,8 +1,8 @@ ### Summary diff --git a/.gitlab/issue_templates/CVE.md b/.gitlab/issue_templates/CVE.md index bff1818526..782c2a4d04 100644 --- a/.gitlab/issue_templates/CVE.md +++ b/.gitlab/issue_templates/CVE.md 
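Review bot: The comment above the new `fsck` job says it is enough to schedule it in a single branch, but `only: - schedules` runs the job in every scheduled pipeline on every branch, so the "main only" property depends entirely on how schedules are configured in the GitLab UI; if that is the intent, express it in the job itself, e.g. `only: { refs: [schedules], variables: ['$CI_COMMIT_BRANCH == "main"'] }`, and reword the comment to say so. In the `gcov` job, `rm a-conftest.gcno` aborts the whole coverage job if that file is ever not produced (for example after a `configure` change), so unless its presence is guaranteed `rm -f a-conftest.gcno` is the safer form; the preceding comment already explains why the file is removed. This hunk starts in the previous line of the page.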
@@ -3,31 +3,126 @@ THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE. If the bug you are reporting is potentially security-related - for example, if it involves an assertion failure or other crash in `named` that can be -triggered repeatedly - then please do *NOT* report it here, but send an -email to [security-officer@isc.org](security-officer@isc.org). +triggered repeatedly - then please make sure that you make the new issue +confidential! --> +| Quick Links | :link: | +| ------------------------ | ------------------------------------ | +| Incident Manager: | @user | +| Deputy Incident Manager: | @user | +| Public Disclosure Date: | YYYY-MM-DD | +| CVSS Score: | [0.0][cvss_score] | +| Security Advisory: | isc-private/printing-press!NNN | +| Mattermost Channel: | [CVE-YYYY-NNNN][mattermost_url] | +| Support Ticket: | [URL] | +| Release Checklist: | #NNNN | +| Post-mortem Etherpad: | [postmortem-YYYY-MM][postmortem_url] | -### CVE-specific actions - - - [ ] Assign a CVE identifier - - [ ] Determine CVSS score - - [ ] Determine the range of BIND versions affected (including the Subscription Edition) - - [ ] Determine whether workarounds for the problem exists - - [ ] Create a draft of the security advisory and put the information above in there - - [ ] Prepare a detailed description of the problem which should include the following by default: - - instructions for reproducing the problem (a system test is good enough) - - explanation of code flow which triggers the problem (a system test is *not* good enough) - - [ ] Prepare a private merge request containing the following items in separate commits: - - a test for the issue (may be moved to a separate merge request for deferred merging) - - a fix for the issue - - documentation updates (`CHANGES`, release notes, anything else applicable) - - [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions - - [ ] Ensure the documentation changes introduced by the 
merge request addressing the problem are reviewed by Support and Marketing staff - - [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description) - - [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch - -### Release-specific actions - - - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined - - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order +[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 +[mattermost_url]: +[postmortem_url]: + +:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** + +[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations + +### Earlier Than T-5 + + - [ ] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager + - [ ] [:link:][step_respond] **(IM)** Respond to the bug reporter + - [ ] [:link:][step_etherpad] **(IM)** Create an Etherpad for post-mortem + - [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue + - [ ] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier + - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier and the CVSS score + - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition) + - [ ] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds 
for the problem exist + - [ ] [:link:][step_coordinate] **(SwEng)** If necessary, coordinate with other parties + - [ ] [:link:][step_earliest] **(Support)** Prepare and send out "earliest" notifications + - [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it + - [ ] [:link:][step_reproducer_mr] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem + - [ ] [:link:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready + - [ ] [:link:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem + - [ ] [:link:][step_fix_mr] **(SwEng)** Prepare a private merge request with the fix + - [ ] [:link:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions + - [ ] [:link:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix + - [ ] [:link:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product + - [ ] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory + - [ ] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle + - [ ] [:link:][step_changes] **(QA)** (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined + - [ ] [:link:][step_merge_fixes] **(QA)** Merge the CVE fixes in CVE identifier order + - [ ] [:link:][step_patches] **(QA)** Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch + - [ ] [:link:][step_asn_releases] **(QA)** Prepare ASN releases (as outlined in the Release Checklist) + 
+### At T-5 + + - [ ] [:link:][step_send_asn] **(Support)** Send ASN to eligible customers + - [ ] [:link:][step_preannouncement] **(Support)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes + +### At T-4 + + - [ ] [:link:][step_verify_asn] **(Support)** Verify that all ASN-eligible customers have received the notification email + +### At T-1 + + - [ ] [:link:][step_check_customers] **(Support)** Verify that any new or reinstated customers have received the notification email + - [ ] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers + +### On the Day of Public Disclosure + + - [ ] [:link:][step_clearance] **(IM)** Grant Support clearance to proceed with public release + - [ ] [:link:][step_publish] **(Support)** Publish the releases (as outlined in the release checklist) + - [ ] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base + - [ ] [:link:][step_publish_advisory] **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base + - [ ] [:link:][step_notifications] **(First IM)** Send notification emails to third parties + - [ ] [:link:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs + - [ ] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request + - [ ] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete + - [ ] [:link:][step_customers] **(Support)** Inform customers a fix has been released + +### After Public Disclosure + + - [ ] [:link:][step_postmortem] **(First IM)** Organize post-mortem meeting and make sure it happens + - [ ] [:link:][step_tickets] **(Support)** Close support tickets + - [ ] [:link:][step_regression] **(QA)** Merge a regression test reproducing the bug into all affected (and still 
maintained) branches + +[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager +[step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter +[step_etherpad]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-an-etherpad-for-post-mortem +[step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue +[step_assign_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier +[step_note_cve_info]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-and-the-cvss-score +[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition +[step_workarounds]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist +[step_coordinate]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties +[step_earliest]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-and-send-out-earliest-notifications +[step_advisory_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it +[step_reproducer_mr]: 
https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem +[step_notify_support]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready +[step_code_analysis]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem +[step_fix_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix +[step_review_fix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions +[step_review_docs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix +[step_backports]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product +[step_finish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory +[step_meta_issue]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle +[step_changes]: 
https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-reserve-a-block-of-changes-placeholders-once-the-complete-set-of-vulnerabilities-fixed-in-a-given-release-cycle-is-determined +[step_merge_fixes]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order +[step_patches]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch +[step_asn_releases]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist +[step_send_asn]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-asn-to-eligible-customers +[step_preannouncement]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes +[step_verify_asn]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-all-asn-eligible-customers-have-received-the-notification-email +[step_check_customers]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-any-new-or-reinstated-customers-have-received-the-notification-email +[step_packager_emails]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers +[step_clearance]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-support-clearance-to-proceed-with-public-release +[step_publish]: 
https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist +[step_matrix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base +[step_publish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base +[step_notifications]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties +[step_mitre]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves +[step_merge_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request +[step_embargo_end]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete +[step_customers]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-customers-a-fix-has-been-released +[step_postmortem]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#organize-post-mortem-meeting-and-make-sure-it-happens +[step_tickets]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#close-support-tickets +[step_regression]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches 
diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md index 1e73f509a6..82d635e70d 100644 --- a/.gitlab/issue_templates/Release.md +++ b/.gitlab/issue_templates/Release.md 
@@ -30,39 +30,41 @@ ### Before the Code Freeze - - [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates). - - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform. - - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released. + - [ ] ***(QA)*** Rebase -S editions on top of current open-source versions: `git checkout bind-9.18-sub && git rebase origin/bind-9.18` + - [ ] ***(QA)*** [Inform](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_supp_marketing.py) Support and Marketing of impending release (and give estimated release dates). + - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform. Check [public](https://gitlab.isc.org/isc-projects/bind9/-/pipelines?scope=all&source=schedule) and [private](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=all&source=schedule) scheduled pipelines. + - [ ] ***(QA)*** Check [Perflab](https://perflab.isc.org/) to ensure there has been no unexplained drop in performance for the versions being released. - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1]. - - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only). - - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported. - - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is in effect. + - [ ] ***(QA)*** Ensure that there are no outstanding [merge requests in the private repository](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/)[^1] (Subscription Edition only). + - [ ] ***(QA)*** [Ensure](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/check_backports.py) all merge requests marked for backporting have been indeed backported. 
+ - [ ] ***(QA)*** [Announce](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_code_freeze.py) (on Mattermost) that the code freeze is in effect. ### Before the Tagging Deadline - - [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found. - - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well. - - [ ] ***(QA)*** Update API files for libraries with new version information. - - [ ] ***(QA)*** Change software version and library versions in `configure.ac` (new major release only). - - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org`. - - [ ] ***(QA)*** Update `CHANGES`. - - [ ] ***(QA)*** Update `CHANGES.SE` (Subscription Edition only). - - [ ] ***(QA)*** Update `README.md`. - - [ ] ***(QA)*** Update `version`. - - [ ] ***(QA)*** Build documentation on `docs.isc.org`. - - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes. - - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct. - - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`). + - [ ] ***(QA)*** Inspect the current output of the `cross-version-config-tests` job to verify that no unexpected backward-incompatible change was introduced in the current release cycle. + - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well. [Example](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/510) + - [ ] ***(QA)*** Add a release marker to `CHANGES`. Examples: [9.18](https://gitlab.isc.org/isc-projects/bind9/-/commit/f14d8ad78c0506fd4247187f2177f8eceeb6b3b9), [9.16](https://gitlab.isc.org/isc-projects/bind9/-/commit/1bcdf21874f99a00da389d723e0ad07dfd70f9f1) + - [ ] ***(QA)*** Add a release marker to `CHANGES.SE` (Subscription Edition only). 
[Example](https://gitlab.isc.org/isc-private/bind9/-/commit/0f03d5737bcbdaa1bf713c6db1887b14938c3421) + - [ ] ***(QA)*** Update BIND 9 version in `configure.ac` ([9.18+](https://gitlab.isc.org/isc-projects/bind9/-/commit/3c85ab7f4c35e6d8acef1393606002a0a8730100)) or `version` ([9.16](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7692/diffs?commit_id=1bcdf21874f99a00da389d723e0ad07dfd70f9f1)). + - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org` (9.16). + - [ ] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository) + - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9.x.y`). ### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases) - - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published. + - [ ] ***(QA)*** Check that the formatting is correct for HTML and PDF versions of release notes. + - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct. + - [ ] ***(QA)*** Verify GitLab CI results [for the tags](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=tags) created and sign off on the releases to be published. + - [ ] ***(QA)*** Update GitLab settings for all maintained branches to allow merging to them again: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository) + - [ ] ***(QA)*** Prepare (using [`version_bump.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/version_bump.py)) and merge MRs resetting the release notes and updating the version string for each maintained branch. - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over. 
- - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums. + - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums. Ask [signers on Mattermost](https://mattermost.isc.org/isc/channels/bind-9-qa). + - [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical. - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures. - - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again. + - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again: Run `publish_bind.sh` on repo.isc.org to pre-publish. - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built. - - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages. + - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages (in [cloudsmith branch in private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith)). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/e2512f4cfaf991827a635e374e7e93b27a5f38ba) + - [ ] ***(QA)*** Prepare the `patches/` subdirectory for each security release (if applicable). - [ ] ***(QA)*** Notify Support that the releases have been prepared. - [ ] ***(Support)*** Send out ASNs (if applicable). 
@@ -70,26 +72,29 @@ - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable). - [ ] ***(Support)*** Place tarballs in public location on FTP site. - - [ ] ***(Support)*** Publish links to downloads on ISC website. - - [ ] ***(Support)*** Write release email to *bind-announce*. - - [ ] ***(Support)*** Write email to *bind-users* (if a major release). + - [ ] ***(Support)*** Publish links to downloads on ISC website. [Example](https://gitlab.isc.org/website/theme-staging-site/-/commit/1ac7b30b73cb03228df4cd5651fa4e774ac35625) + - [ ] ***(Support)*** Add the new releases to the [vulnerability matrix in the Knowledge Base](https://kb.isc.org/docs/aa-00913). + - [ ] ***(Support)*** Use the [Printing Press project](https://gitlab.isc.org/isc-private/printing-press/-/wikis/home#adding-new-documents) to prepare a release announcement email and send it to the *bind-announce* mailing list. + - [ ] ***(Support)*** Write email to *bind-users* (if a major release). [Example](https://lists.isc.org/pipermail/bind-users/2022-January/105624.html) - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket). - [ ] ***(Support)*** Update tickets in case of waiting support customers. - - [ ] ***(QA)*** Build and test any outstanding private packages. - - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs). + - [ ] ***(QA)*** Build and test any outstanding private packages in [private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/2007d566db81dd9dfd79e571e2f600a3bc284da4) + - [ ] ***(QA)*** Build [public RPMs](https://gitlab.isc.org/isc-packages/rpms/bind). 
[Example commit](https://gitlab.isc.org/isc-packages/rpms/bind/-/commit/3b5e851ea7c4e3570371a4878b5461f02a44f8cc) which triggers [Copr builds](https://copr.fedorainfracloud.org/coprs/isc/) automatically + - [ ] ***(SwEng)*** Build Debian/Ubuntu packages. + - [ ] ***(SwEng)*** Update Docker files [here](https://gitlab.isc.org/isc-projects/bind9-docker/-/branches) and make sure push is synchronized to [GitHub](https://github.com/isc-projects/bind9-docker). [Docker Hub](https://hub.docker.com/r/internetsystemsconsortium/bind9) should pick it up automatically. [Example](https://gitlab.isc.org/isc-projects/bind9-docker/-/commit/cada7e10e9af951595c98bfffc4bd42512faac05) - [ ] ***(QA)*** Inform Marketing of the release. - - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made. - - [ ] ***(Marketing)*** Post short note to Twitter. + - [ ] ***(Marketing)*** Post a short note to Mastodon. - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND). - [ ] ***(Marketing)*** Write blog article (if a major release). - - [ ] ***(QA)*** Ensure all new tags are annotated and signed. + - [ ] ***(QA)*** Ensure all new tags are annotated and signed. `git show --show-signature v9.19.12` - [ ] ***(QA)*** Push tags for the published releases to the public repository. - - [ ] ***(QA)*** Merge the automatically prepared `prep 9.x.y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_x`). - - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch. - - [ ] ***(QA)*** Prepare empty release notes for the next set of releases. 
+ - [ ] ***(QA)*** Using [`merge_tag.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/merge_tag.py), merge published release tags back into the their relevant development/maintenance branches. + - [ ] ***(QA)*** Ensure `allow_failure: true` is removed from the `cross-version-config-tests` job if it was set during the current release cycle. - [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public. - - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2]. - - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`. + - [ ] ***(QA)*** Sanitize [confidential issues](https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=milestone_due_desc&state=opened&confidential=yes) which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2]. + - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant [`Dockerfile`](https://gitlab.isc.org/isc-projects/images/-/merge_requests/228/diffs). + - [ ] ***(QA)*** Run a pipeline to rebuild all [images](https://gitlab.isc.org/isc-projects/images) used in GitLab CI. + - [ ] ***(QA)*** Update [`metadata.json`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/metadata.json) with the upcoming release information. [^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone. [^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure. diff --git a/.lgtm.yml b/.lgtm.yml deleted file mode 100644 index 87739a0fe6..0000000000 
--- a/.lgtm.yml +++ /dev/null @@ -1,35 +0,0 @@ -extraction: - cpp: - prepare: - packages: - - "libxml2-dev" - - "libjson-c-dev" - - "libssl-dev" - - "zlib1g-dev" - - "libcmocka-dev" - - "pkg-config" - - "libcap2-dev" - - "libedit-dev" - - "libidn2-dev" - - "libmaxminddb-dev" - - "libuv1-dev" - - "libnghttp2-dev" - configure: - command: - - "autoreconf -fi" - - "CFLAGS=\"-Og -g\" ./configure --enable-developer" -path_classifiers: - test: - - "lib/*/tests/" - - "bin/tests/" - docs: - - "**/*.xml" - - "**/*.docbook" - - "**/*.html" - - "**/*.1" - - "**/*.5" - - "**/*.8" -queries: - - exclude: fuzz/ - - exclude: "bin/tests/system/*/ans*/*.py" - - exclude: cpp/use-of-goto diff --git a/.pylintrc b/.pylintrc index 178a06a801..07d503514d 100644 --- a/.pylintrc +++ b/.pylintrc @@ -1,8 +1,10 @@ [MASTER] disable= + C0103, # invalid-name C0114, # missing-module-docstring C0115, # missing-class-docstring C0116, # missing-function-docstring + C0209, # consider-using-f-string + C0415, # import-outside-toplevel R0801, # duplicate-code - C0103, # invalid-name - C0415,# import-outside-toplevel + R0903, # too-few-public-methods diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 0000000000..5ea7be0600 --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,20 @@ +# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details + +version: 2 + +build: + os: ubuntu-22.04 + tools: + python: "3.11" + +# Build documentation in doc/arm/ with Sphinx +sphinx: + configuration: doc/arm/conf.py + +# Build all formats +formats: all + +# Explicitly set the version of Python and its requirements +python: + install: + - requirements: doc/arm/requirements.txt diff --git a/.reuse/dep5 b/.reuse/dep5 new file mode 100644 index 0000000000..ded1db308a --- /dev/null +++ b/.reuse/dep5 
@@ -0,0 +1,199 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: BIND 9 +Upstream-Contact: Internet Systems Consortium, Inc. ("ISC") +Source: https://gitlab.isc.org/isc-projects/bind9/ + +# +# Build system, data files from tests, and misc cruft +# +Files: **/*.after* + **/*.bad + **/*.batch + **/*.before* + **/*.ccache + **/*.good + **/*.key + **/*.pem + **/*.private + **/*.raw + **/*.saved + **/*.zonelist + **/*dig.out* + **/Makefile + **/Makefile.* + **/testdata/* + .github/* + .gitlab/* + AUTHORS + CHANGES + COPYRIGHT + Makefile + Makefile.* + bin/tests/system/checkzone/zones/bad-caa-rr.db + bin/tests/system/checkzone/zones/bad1.db + bin/tests/system/checkzone/zones/crashzone.db + bin/tests/system/dnstap/large-answer.fstrm + bin/tests/system/doth/CA/CA.cfg + bin/tests/system/doth/CA/README + bin/tests/system/doth/CA/index.txt + bin/tests/system/doth/CA/index.txt.attr + bin/tests/system/doth/CA/serial + bin/tests/system/notify/ns4/named.port.in + bin/tests/system/formerr/nametoolong + bin/tests/system/formerr/noquestions + bin/tests/system/formerr/twoquestions + bin/tests/system/forward/CA/CA.cfg + bin/tests/system/forward/CA/README + bin/tests/system/forward/CA/index.txt + bin/tests/system/forward/CA/index.txt.attr + bin/tests/system/forward/CA/serial + bin/tests/system/journal/ns1/managed-keys.bind.in + bin/tests/system/journal/ns1/managed-keys.bind.jnl.in + bin/tests/system/journal/ns2/managed-keys.bind.in + bin/tests/system/journal/ns2/managed-keys.bind.jnl.in + bin/tests/system/keepalive/expected + bin/tests/system/legacy/ns6/edns512.db.signed + bin/tests/system/legacy/ns7/edns512-notcp.db.signed + bin/tests/system/nsupdate/CA/CA.cfg + bin/tests/system/nsupdate/CA/README + bin/tests/system/nsupdate/CA/index.txt + bin/tests/system/nsupdate/CA/index.txt.attr + bin/tests/system/nsupdate/CA/serial + bin/tests/system/nsupdate/commandlist + bin/tests/system/nsupdate/verylarge.in + 
bin/tests/system/org.isc.bind.system.plist + bin/tests/system/pipelined/input + bin/tests/system/pipelined/inputb + bin/tests/system/pipelined/ref + bin/tests/system/pipelined/refb + bin/tests/system/rsabigexponent/ns2/dsset-example.in + bin/tests/system/run.gdb + bin/tests/system/runtime/ctrl-chars + bin/tests/system/runtime/long-cmd-line + bin/tests/system/statschannel/traffic.expect.1 + bin/tests/system/statschannel/traffic.expect.2 + bin/tests/system/statschannel/traffic.expect.4 + bin/tests/system/statschannel/traffic.expect.5 + bin/tests/system/statschannel/traffic.expect.6 + bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt + bin/tests/system/tsig/badlocation + bin/tests/system/tsig/badtime + bin/tests/system/unknown/large.out + bin/tests/system/xfer/ans5/badkeydata + bin/tests/system/xfer/ans5/badmessageid + bin/tests/system/xfer/ans5/goodaxfr + bin/tests/system/xfer/ans5/partial + bin/tests/system/xfer/ans5/soamismatch + bin/tests/system/xfer/ans5/unknownkey + bin/tests/system/xfer/ans5/unsigned + bin/tests/system/xfer/ans5/wrongkey + bin/tests/system/xfer/ans5/wrongname + bin/tests/system/xfer/knowngood.mapped + cocci/*.cocci + cocci/*.disabled + cocci/*.spatch + doc/arm/*.dia + doc/arm/*.png + doc/arm/isc-logo.pdf + doc/arm/requirements.txt + doc/man/*.1in + doc/man/*.5in + doc/man/*.8in + fuzz/*.in/* +Copyright: Internet Systems Consortium, Inc. ("ISC") +License: MPL-2.0 + +# +# DNSSEC Guide images +# +Files: doc/dnssec-guide/img/*.png +Copyright: Internet Systems Consortium, Inc. ("ISC") +License: MPL-2.0 + +# +# Libtool Files +# +Files: m4/libtool.m4 + m4/ltoptions.m4 + m4/ltsugar.m4 + m4/ltversion.m4 + m4/ltversion.m4 + m4/lt~obsolete.m4 +Copyright: Free Software Foundation, Inc. +License: + This file is free software; the Free Software Foundation gives unlimited + permission to copy and/or distribute it, with or without modifications, as long + as this notice is preserved. 
+ +# +# DLZ Modules +# +Files: contrib/dlz/modules/*/testing/* +Copyright: Internet Systems Consortium, Inc. ("ISC") + Stichting NLnet, Netherlands +License: ISC and MPL-2.0 + +# +# Stuff that's basically uncopyrightable (configuration, generated files), +# use CC0-1.0 for clarity that we don't care +# +Files: **/.clang-format + **/.clang-format.headers + **/.dir-locals.el + **/.gitattributes + **/.gitignore + **/named*.args + **/named.dropedns + **/named.ednsformerr + **/named.ednsnotimp + **/named.ednsrefused + **/named.maxudp1460 + **/named.maxudp512 + **/named.noaa + **/named.noedns + **/named.nosoa + **/named.notcp + **/startme + .clang-format + .clang-format.headers + .dir-locals.el + .git-blame-ignore-revs + .gitattributes + .gitignore + .gitlab-ci.yml + .lgtm.yml + .pylintrc + .readthedocs.yaml + .tsan-suppress + .uncrustify.cfg + doc/misc/*.zoneopt + doc/misc/options + doc/misc/rndc.grammar + sonar-project.properties +Copyright: Internet Systems Consortium, Inc. ("ISC") +License: CC0-1.0 + +# +# geoip2 test files (mmdb is generated from json) +# +Files: bin/tests/system/geoip2/data/*.json + bin/tests/system/geoip2/data/*.mmdb +Copyright: Internet Systems Consortium, Inc. ("ISC") +License: CC0-1.0 + +# +# files that may be left over from other branches. +# +# in a newly cloned branch or after running "git clean", these +# files don't exist, but they can be left lying around after +# checking out an older branch. we explicitly ignore them so they +# won't clutter up the output when running "reuse lint" by hand +# in a working source tree. +# +Files: **/platform.h + bin/python/* + bin/tests/optional/* + make/* + unit/unittest.sh +Copyright: Internet Systems Consortium, Inc. ("ISC") +License: CC0-1.0 diff --git a/.reuse/templates/isc.jinja2 b/.reuse/templates/isc.jinja2 new file mode 100644 index 0000000000..3f29bd1782 --- /dev/null +++ b/.reuse/templates/isc.jinja2 
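Review bot: `m4/ltversion.m4` appears twice in the Libtool Files stanza (` m4/ltversion.m4` is repeated on consecutive lines); one of the two should be dropped so the glob list stays auditable. The CC0 stanza further down also names `.lgtm.yml`, which this same commit deletes, so that entry is stale on the new side — either remove it or move it into the "files that may be left over from other branches" stanza if it is meant to cover old checkouts. As far as I can tell neither duplicate nor stale path makes `reuse lint` fail, but both make the licence declaration harder to verify against the tree.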
@@ -0,0 +1,16 @@ +{% for copyright_line in copyright_lines %} +{{ copyright_line }} +{% endfor %} + +{% for expression in spdx_expressions %} +SPDX-License-Identifier: {{ expression }} +{% endfor %} + +{% if "MPL-2.0" in spdx_expressions %} +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. +{% endif %} diff --git a/.tsan-suppress b/.tsan-suppress new file mode 100644 index 0000000000..9473b652d2 --- /dev/null +++ b/.tsan-suppress @@ -0,0 +1,3 @@ +# Uninstrumented libraries +called_from_lib:libfstrm.so +race:dummyrpz diff --git a/AUTHORS b/AUTHORS index 6943d5a575..dd8241789a 100644 --- a/AUTHORS +++ b/AUTHORS @@ -51,3 +51,4 @@ Anay Panvalkar colleen Robert Edmonds JoÃŖo Damas +Artem Boldariev (АŅ€Ņ‚ĐĩĐŧ БоĐģĐ´Đ°Ņ€Ņ”в) diff --git a/CHANGES b/CHANGES index 9cba132d15..4cb9f4cdbd 100644 --- a/CHANGES +++ b/CHANGES 
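Review bot: In `.tsan-suppress`, `race:dummyrpz` is a race suppression, not an uninstrumented-library entry, so the `# Uninstrumented libraries` header does not explain it and a reader cannot tell whether a real data race in that code is being hidden. A `race:` rule silences every report TSan attributes to that symbol, so it deserves its own one-line justification, e.g. `# dummyrpz: test-only DNSRPS stub (GL !7693); races are confined to test scaffolding` — I am inferring the link to the test-only library from CHANGES entry 6131 in this diff, so please confirm the reason before wording it.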
@@ -1,3 +1,2565 @@ + --- 9.19.17 released --- + +6246. [placeholder] + +6245. [security] Limit the amount of recursion that can be performed + by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152] + +6244. [bug] Adjust log levels on malformed messages to NOTICE when + transferring in a zone. [GL #4290] + +6243. [bug] Restore the call order of dns_validator_destroy and + fetchctx_detach to prevent use after free. [GL #4214] + +6242. [func] Ignore jemalloc versions before 4.0.0 as we now + need explicit memory arenas and tcache support. + [GL #4296] + +6241. [placeholder] + +6240. [bug] Use dedicated per-worker thread jemalloc memory + arenas for send buffers allocation to reduce memory + consumption and avoid lock contention. [GL #4038] + +6239. [func] Deprecate the 'dnssec-must-be-secure' option. + [GL #3700] + +6238. [cleanup] Refactor several objects relying on dns_rbt trees + to instead of dns_nametree, a wrapper around dns_qp. + [GL !8213] + +6237. [bug] Address memory leaks due to not clearing OpenSSL error + stack. [GL #4159] + +6236. [func] Add isc_mem_cget() and isc_mem_cput() calloc-like + functions that take nmemb and size, do checked + multiplication and zero the memory before returning + it to the user. Replace isc_mem_getx(..., ISC_MEM_ZERO) + with isc_mem_cget(...) usage. [GL !8237] + +6235. [doc] Clarify BIND 9 time formats. [GL #4266] + +6234. [bug] Restore stale-refresh-time value after flushing the + cache. [GL #4278] + +6233. [func] Extend client side support for the EDNS EXPIRE option + to IXFR and AXFR query types. [GL #4170] + +6232. [bug] Following the introduction of krb5-subdomain-self-rhs + and ms-subdomain-self-rhs update rules, removal of + nonexistent PTR and SRV records via UPDATE could fail. + [GL #4280] + +6231. [func] Make nsupdate honor -v for SOA requests only if the + server is specified. [GL #1181] + +6230. [bug] Prevent an unnecessary query restart if a synthesized + CNAME target points to the CNAME owner. [GL #3835] + +6229. 
[func] Add basic USDT framework for adding static + tracing points. [GL #4041] + +6228. [func] Limit the number of inactive network manager handles + and uvreq objects that we keep around for reusing + later. [GL #4265] + +6227. [bug] Check the statistics-channel HTTP Content-length + to prevent negative or overflowing values from + causing a crash. [GL #4125] + +6226. [bug] Attach dispatchmgr in the dns_view object to prevent + use-after-free when shutting down. [GL #4228] + +6225. [func] Convert dns_nta, dns_forward and dns_keytable units + to use QP trie instead of an RBT. [GL !7811] + +6224. [bug] Check the If-Modified-Since value length to prevent + out-of-bounds write. [GL #4124] + +6223. [func] Make -E engine option for OpenSSL Engine API use only. + OpenSSL Provider API will now require engine to not be + set. [GL #8153] + +6222. [func] Fixes to provider/engine based ECDSA key handling. + [GL !8152] + + --- 9.19.16 released --- + +6221. [cleanup] Refactor dns_rdataset internals, move rdatasetheader + declarations out of rbtdb.c so they can be used by other + databases in the future, and split the zone and cache + functions from rbtdb.c into separate modules. [GL !7873] + +6220. [func] Deprecate the 'dialup' and 'heartbeat-interval' + options. [GL #3700] + +6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'. + [GL #4032] + +6218. [func] Add inline-signing to dnssec-policy. [GL #3677] + +6217. [func] The dns_badcache unit was refactored to use cds_lfht + instead of hand-crafted locked hashtable. [GL #4223] + +6216. [bug] Pin dns_request events to the originating loop + to serialize access to the data. [GL #4086] + +6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API + support is not configured. [GL #4225] + +6214. [bug] Fix the memory leak in for struct stub_glue_request + allocated in stub_request_nameserver_address() but not + freed in stub_glue_response(). [GL #4227] + +6213. 
[bug] Mark a primary server as temporarily unreachable if the + TCP connection attempt times out. [GL #4215] + +6212. [placeholder] + +6211. [func] Remove 'auto-dnssec'. This obsoletes the configuration + options 'dnskey-sig-validity', 'dnssec-dnskey-kskonly', + 'dnssec-update-mode', 'sig-validity-interval', and + 'update-check-ksk'. [GL #3672] + +6210. [func] Don't add signing records for DNSKEY added with dynamic + update. The dynamic update DNSSEC management feature was + removed with GL #3686. [GL !8070] + +6209. [func] Reduce query-response latency by making recursive + queries (CNAME, DNAME, NSEC) asynchronous instead + of directly calling the respective functions. [GL #4185] + +6208. [func] Return BADCOOKIE for out-of-date or otherwise bad, well + formed DNS SERVER COOKIES. [GL #4194] + + --- 9.19.15 released --- + +6207. [cleanup] The code implementing TSIG/TKEY support has been cleaned + up and refactored for improved robustness, readability, + and consistency with other code modules. [GL !7828] + +6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to + avoid a race with dns_catz_shutdown_catzs(). [GL #4171] + +6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs. + [GL #4154] + +6204. [bug] Use NS records for relaxed QNAME-minimization mode. + This reduces the number of queries named makes when + resolving, as it allows the non-existence of NS RRsets + at non-referral nodes to be cached in addition to the + referrals that are normally cached. [GL #3325] + +6203. [cleanup] Ensure that the size calculation does not overflow + when allocating memory for an array. + [GL #4120] [GL #4121] [GL #4122] + +6202. [func] Use per-loop memory contexts for dns_resolver + objects. [GL !8015] + +6201. [bug] The free_all_cpu_call_rcu_data() call at the end + of isc_loopmgr_run() was causing ~200 ms extra + latency. [GL #4163] + +6200. [placeholder] + +6199. [bug] Improve HTTP Connection: header protocol conformance + in the statistics channel. 
[GL #4126] + +6198. [func] Remove the holes in the isc_result_t enum to compact + the isc_result tables. [GL #4149] + +6197. [bug] Fix a data race between the dns_zone and dns_catz + modules when registering/unregistering a database + update notification callback for a catalog zone. + [GL #4132] + +6196. [cleanup] Report "permission denied" instead of "unexpected error" + when trying to update a zone file on a read-only file + system. Thanks to Midnight Veil. [GL #4134] + +6195. [bug] Use rcu to reference view->adb. [GL #4021] + +6194. [func] Change function 'find_zone_keys()' to look for signing + keys by looking for key files instead of a DNSKEY + RRset lookup. [GL #4141] + +6193. [bug] Fix a catz db update notification callback registration + logic error, which could crash named when receiving an + AXFR update for a catalog zone while the previous update + process of the catalog zone was already running. + [GL #4136] + + --- 9.19.14 released --- + +6192. [placeholder] + +6191. [placeholder] + +6190. [security] Improve the overmem cleaning process to prevent the + cache going over the configured limit. (CVE-2023-2828) + [GL #4055] + +6189. [bug] Fix an extra dns_validator deatch when encountering + deadling which would lead to assertion failure. + [GL #4115] + +6188. [performance] Reduce memory consumption by allocating properly + sized send buffers for stream-based transports. + [GL #4038] + +6187. [bug] Address view shutdown INSIST when accessing the + zonetable. [GL #4093] + +6186. [bug] Fix a 'clients-per-query' miscalculation bug. When the + 'stale-answer-enable' options was enabled and the + 'stale-answer-client-timeout' option was enabled and + larger than 0, named was taking two places from the + 'clients-per-query' limit for each client and was + failing to gradually auto-tune its value, as configured. + [GL #4074] + +6185. 
[func] Add "ClientQuota" statistics channel counter, which + indicates the number of the resolver's spilled queries + due to reaching the clients per query quota. [GL !7978] + +6184. [func] Special-case code that was added to allow GSS-TSIG + to work around bugs in the Windows 2000 version of + Active Directory has been removed. The 'nsupdate -o' + option and 'oldgsstsig' command have been + deprecated, and are now treated as synonyms for + 'nsupdate -g' and 'gsstsig' respectively. [GL #4012] + +6183. [bug] Fix a serve-stale bug where a delegation from cache + could be returned to the client. [GL #3950] + +6182. [cleanup] Remove configure checks for epoll, kqueue and + /dev/poll. [GL #4098] + +6181. [placeholder] + +6180. [bug] The session key object could be incorrectly added + to multiple different views' keyrings. [GL #4079] + +6179. [bug] Fix an interfacemgr use-after-free error in + zoneconf.c:isself(). [GL #3765] + +6178. [func] Add support for the multi-signer model 2 (RFC 8901) when + using inline-signing. [GL #2710] + +6177. [placeholder] + +6176. [test] Add support for using pytest & pytest-xdist to + execute the system test suite. [GL #3978] + +6175. [test] Fix the `upforwd` system test to be more reliable, + +6174. [placeholder] + +6173. [bug] Properly process extra "nameserver" lines in + resolv.conf otherwise the next line is not properly + processed. [GL #4066] + +6172. [cleanup] Refactor the loop manager and qp-trie code to remove + isc_qsbr and use liburcu instead. [GL #3936] + +6171. [cleanup] Remove the stack implementation added in change 6108: + we are using the liburcu concurrent data structures + instead. [GL !7920] + +6170. [func] The 'rndc -t' option allows a timeout to be set in + seconds, so that commands that take a long time to + complete (e.g., reloading a very large configuration) + can be given time to do so. The default is 60 + seconds. [GL #4046] + +6169. 
[bug] named could crash when deleting inline-signing zones + with "rndc delzone". [GL #4054] + +6168. [func] Refactor the glue cache to store list of the GLUE + directly in the rdatasetheader instead of keeping + it in the hashtable indexed by the node pointer. + [GL #4045] + +6167. [func] Add 'cdnskey' configuration option. [GL #4050] + +6166. [func] Retry without DNS COOKIE on FORMERR if it appears that + the FORMERR was due to the presence of a DNS COOKIE + option. [GL #4049] + +6165. [bug] Fix a logic error in dighost.c which could call the + dighost_shutdown() callback twice and cause problems + if the callback function was not idempotent. [GL #4039] + + --- 9.19.13 released --- + +6164. [bug] Set the rndc idle read timeout back to 60 seconds, + from the netmgr default of 30 seconds, in order to + match the behavior of 9.16 and earlier. [GL #4046] + +6163. [func] Add option to dnstap-read to use timestamps in + milliseconds (thanks to Oliver Ford). [GL #2360] + +6162. [placeholder] + +6161. [bug] Fix log file rotation when using absolute path as + file. [GL #3991] + +6160. [bug] 'delv +ns' could print duplicate output. [GL #4020] + +6159. [bug] Fix use-after-free bug in TCP accept connection + failure. [GL #4018] + +6158. [func] Add ISC_LIST_FOREACH() and ISC_LIST_FOREACH_SAFE() + to walk the ISC_LIST() in a unified manner and use + the safe macro to fix the potential UAF when shutting + down the isc_httpd. [GL #4031] + +6157. [bug] When removing delegations in an OPTOUT range + empty-non-terminal NSEC3 records generated by + those delegations were not removed. [GL #4027] + +6156. [bug] Reimplement the maximum and idle timeouts for incoming + zone tranfers. [GL #4004] + +6155. [bug] Treat ISC_R_INVALIDPROTO as a networking error + in the dispatch code to avoid retrying with the + same server. [GL #4005] + +6154. [func] Add spinlock implementation. 
The spinlock is much + smaller (8 bytes) than pthread_mutex (40 bytes), so + it can be easily embedded into objects for more + fine-grained locking (per-object vs per-bucket). + + On the other hand, the spinlock is unsuitable for + situations where the lock might be held for a long + time as it keeps the waiting threads in a spinning + busy loop. [GL #3977] + +6153. [bug] Fix the streaming protocols (TCP, TLS) shutdown + sequence. [GL #4011] + +6152. [bug] In dispatch, honour the configured source-port + selection when UDP connection fails with address + in use error. + + Also treat ISC_R_NOPERM same as ISC_R_ADDRINUSE. + [GL #3986] + +6151. [bug] When the same ``notify-source`` address and port number + was configured for multiple destinations and zones, an + unresponsive server could tie up the socket until it + timed out; in the meantime, NOTIFY messages for other + servers silently failed.``named`` will now retry these + failing messages over TCP. NOTIFY failures are now + logged at level INFO. [GL #4001] [GL #4002] + +6150. [bug] If the zones have active upstream forwards, the + shutting down the server might cause assertion + failures as the forward were all canceled from + the main loop instead from the loops associated + with the zone. [GL #4015] + +6149. [test] As a workaround, include an OpenSSL header file before + including cmocka.h in the unit tests, because OpenSSL + 3.1.0 uses __attribute__(malloc), conflicting with a + redefined malloc in cmocka.h. [GL #4000] + +6148. [bug] Fix a use-after-free bug in dns_xfrin_create(). + [GL !7832] + +6147. [performance] Fix the TCP server parent quota use. [GL #3985] + + --- 9.19.12 released --- + +6146. [performance] Replace the zone table red-black tree and associated + locking with a lock-free qp-trie. [GL !7582] + +6145. [bug] Fix a possible use-after-free bug in the + dns__catz_done_cb() function. [GL #3997] + +6144. 
[bug] A reference counting problem (double detach) might + occur when shutting down zone transfer early after + switching the dns_xfrin to use dns_dispatch API. + [GL #3984] + +6143. [bug] A reference counting problem on the error path in + the xfrin_connect_done() might cause an assertion + failure on shutdown. [GL #3989] + +6142. [bug] Reduce the number of dns_dnssec_verify calls made + determining if revoked keys needs to be removed from + the trust anchors. [GL #3981] + +6141. [bug] Fix several issues in nsupdate timeout handling and + update the -t option's documentation. [GL #3674] + +6140. [func] Implement automatic parental-agents ('checkds yes'). + [GL #3901] + +6139. [func] Add isc_histo_t general-purpose log-linear histograms, + and use them for message size statistics. [GL !7696] + +6138. [doc] Fix the DF-flag documentation on the outgoing + UDP packets. [GL #3710] + +6137. [cleanup] Remove the trampoline jump when spawning threads. + [GL !7293] + +6136. [cleanup] Remove the isc_fsaccess API in favor of creating + temporary file first and atomically replace the key + with non-truncated content. [GL #3982] + +6135. [cleanup] Change isc_stdtime_get(&t) to t = isc_stdtime_now(). + [GL !7757] + +6134. [bug] Fix a crash when dig or host receive a signal. + [GL #3970] + +6133. [cleanup] Refactor the isc_job_run() to not make any allocations + by embedding isc_job_t into callback argument, and + running it directly. As a side-effect, isc_async_run + and isc_job_run now executes jobs in the natural order. + + Use the new improved API to execute connect, read and + send callbacks from netmgr in more straightforward + manner, speeding up the networking. [GL #3961] + +6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967] + +6131. [test] Add a minimal test-only library to allow testing + of the DNSRPS API without FastRPZ installed. + Thanks to Farsight Securty. [GL !7693] + +6130. 
[func] The new "delv +ns" option activates name server mode, + in which delv sets up an internal recursive + resolver and uses that, rather than an external + server, to look up the requested data. All messages + sent and received during the resolution and + validation process are logged. This can be used in + place of "dig +trace"; it more accurately + replicates the behavior of named when resolving + a query. [GL #3842] + +6129. [cleanup] Value stored to 'source' during its initialization is + never read. [GL #3965] + +6128. [bug] Fix an omission in an earlier commit to avoid a race + between the 'dns__catz_update_cb()' and + 'dns_catz_dbupdate_callback()' functions. [GL #3968] + +6127. [cleanup] Refactor network manager netievent callbacks to + use isc_job_run()/isc_async_run(). [GL #3964] + +6126. [func] Remove zone type "delegation-only" and the + "delegation-only" and "root-delegation-only" + options. [GL #3953] + +6125. [bug] Hold a catz reference while the update process is + running, so that the catalog zone is not destroyed + during shutdown until the update process is finished or + properly canceled by the activated 'shuttingdown' flag. + [GL #3955] + +6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to + an NSEC3 incapable DNSSEC algorithm using KASP the zone + could sometimes be incompletely signed. [GL #3937] + +6123. [placeholder] + +6122. [func] BIND now requires liburcu for lock-free data structures + and concurrent safe memory reclamation. It replaces the + home-grown lock-free linked list and QSBR machinery + added in changes 6108 and 6109. [GL #3935] + +6121. [cleanup] Remove support for TKEY Mode 2 (Diffie-Hellman Exchanged + Keying). [GL #3905] + + --- 9.19.11 released --- + +6120. [bug] Use two pairs of dns_db_t and dns_dbversion_t in a + catalog zone structure to avoid a race between the + dns__catz_update_cb() and dns_catz_dbupdate_callback() + functions. [GL #3907] + +6119. 
[bug] Make sure to revert the reconfigured zones to the + previous version of the view, when the new view + reconfiguration fails during the configuration of + one of the configured zones. [GL #3911] + +6118. [func] Add 'cds-digest-types' configuration option. Also allow + dnssec-signzone to create multple CDS records. + [GL #3837] + +6117. [func] Add a qp-trie data structure. This is a foundation for + our plan to replace, in stages, BIND's red-black tree. + The qp-trie has lock-free multithreaded reads, using + QSBR for safe memory reclamation. [GL !7130] + +6116. [placeholder] + +6115. [bug] Unregister db update notify callback before detaching + from the previous db inside the catz update notify + callback. [GL #3777] + +6114. [func] Run the catalog zone update process on the offload + threads. [GL #3881] + +6113. [func] Add shutdown signaling for catalog zones. [GL !7571] + +6112. [func] Add reference count tracing for dns_catz_zone_t and + dns_catz_zones_t. [GL !7570] + +6111. [cleanup] Move irs_resconf into libdns, and remove the + now empty libirs. [GL !7463] + +6110. [cleanup] Refactor the dns_xfrin module to use dns_dispatch + to set up TCP connections and send and receive + messages. [GL #3886] + +6109. [func] Infrastructure for QSBR, asynchronous safe memory + reclamation for lock-free data structures. [GL !7471] + +6108. [func] Support for simple lock-free singly-linked stacks. + [GL !7470] + +6107. [cleanup] Remove the dns_sdb API and rewrite the named + builtin databases to implement dns_db directly. + [GL #3882] + +6106. [cleanup] Move bind9_getaddresses() to isc_getaddresses() + and remove the now empty libbind9. [GL !7462] + +6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in + configure_rpz() and configure_catz(), respectively, + just after attaching it to the new view. [GL #3880] + +6104. [cleanup] Move libbind9's configuration checking code into + libisccfg alongside the other configuration code. + [GL !7461] + +6103. 
[func] All uses of the isc_task and isc_event APIs have + been refactored to use isc_loop instead, and the + original APIs have been removed. [GL #3797] + +6102. [cleanup] Several nugatory headers have been removed from libisc. + [GL !7464] + +6101. [port] Clarify the portability dodge needed for `strerror_r()` + [GL !7465] + +6100. [cleanup] Deprecate , because obsolete + functions are now deleted instead of marked with + an attribute. [GL !7466] + +6099. [performance] Change the internal read-write lock to modified C-RW-WP + algorithm that is more reader-writer fair and has better + performance for our workloads. [GL #1609] + +6098. [test] Don't test HMAC-MD5 when not supported by libcrypto. + [GL #3871] + +6097. [port] Improve support for yield / pause instructions in spin + loops on AArch64 platforms. [GL !7469] + +6096. [bug] Fix RPZ reference counting error on shutdown in + dns__rpz_timer_cb(). [GL #3866] + +6095. [test] Test various 'islands of trust' configurations when + using managed keys. [GL #3662] + +6094. [bug] Building against (or running with) libuv versions + 1.35.0 and 1.36.0 is now a fatal error. The rules for + mixing and matching compile-time and run-time libuv + versions have been tightened for libuv versions between + 1.35.0 and 1.40.0. [GL #3840] + +6093. [performance] Reduce the size of each rdataset header object + by 16 bytes. [GL !7505] + +6092. [bug] dnssec-cds failed to cleanup properly. [GL #3831] + +6091. [cleanup] Drop RHEL 7 and clones support. [GL #3729] + +6090. [bug] Fix a bug in resolver's resume_dslookup() function by + making sure that dns_resolver_createfetch() is called + with valid parameters, as required by the function. + [GL #3839] + +6089. [bug] Source ports configured for query-source, + transfer-source, etc, were being ignored. (This + feature is deprecated, but it is not yet removed, + so the bug still needed fixing.) [GL #3790] + +6088. 
[cleanup] /etc/bind.keys is no longer needed and has been + removed from the distribution. named and delv can + still load keys from a file for testing purposes, + but they no longer do so by default. [GL #3850] + +6087. [cleanup] Remove support for the `DNS_NAME_DOWNCASE` option to + the various dns_*_fromwire() functions. It has long + been unused and is unsupported since change 6022. + [GL !7467] + +6086. [cleanup] Remove some remnants of bitstring labels. [GL !7196] + +6085. [func] Add isc_time_monotonic() to simplify time measurements. + [GL !7468] + +6084. [bug] When BIND was built without jemalloc, the allocator flag + ISC_MEM_ZERO could return non-zero memory. [GL #3845] + + --- 9.19.10 released --- + +6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently + broken by changes 5949 and 6042. [GL #3827] + +6082. [test] fuzz/dns_message_checksig leaked memory when shutting + down. [GL #3828] + +6081. [bug] Handle primary server address lookup failures in + nsupdate more gracefully. [GL #3830] + +6080. [bug] 'named -V' leaked memory. [GL #3829] + +6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds' + command. [GL #3822] + +6078. [func] Cleanup the memory statistic counters to a bare + minumum - InUse with Malloced as alias. [GL #3718] + +6077. [func] Implement query forwarding to DoT-enabled upstream + servers. [GL #3726] + +6076. [bug] Handle OS errors when creating UDP and TCP sockets + more gracefully. [GL #3800] + +6075. [bug] Add missing node lock when setting node->wild in + add_wildcard_magic. [GL #3799] + +6074. [func] Refactor the isc_nm_xfr_allowed() function to return + isc_result_t instead of boolean. [GL #3808] + +6073. [bug] Set RD=1 on DS requests to parental-agents. [GL #3783] + +6072. 
[bug] Avoid the OpenSSL lock contention when initializing + Message Digest Contexts by using explicit algorithm + fetching, initializing static contexts for every + supported algorithms, and initializing the new context + by copying the static copy. [GL #3795] + +6071. [func] The use of "port" when configuring query-source, + transfer-source, notify-source and parental-source + addresses has been deprecated, along with the + use-v[46]-udp-ports and avoid-v[46]-udp-ports + options. A warning will be logged when these + options are used. In a future release, they + will be removed. [GL #3781] + +6070. [func] DSCP parsing has now been fully removed, and + configuration of DSCP values in named.conf is a + configuration error. [GL #3789] + +6069. [bug] Detach from the view in zone_shutdown() to + release the memory held by the dead view + early. [GL #3801] + +6068. [bug] Downloading a zone via TLS from a server which does + not negotiate "dot" ALPN token could crash BIND + on shutdown. That has been fixed. [GL #3767] + + --- 9.19.9 released --- + +6067. [security] Fix serve-stale crash when recursive clients soft quota + is reached. (CVE-2022-3924) [GL #3619] + +6066. [security] Handle RRSIG lookups when serve-stale is active. + (CVE-2022-3736) [GL #3622] + +6065. [placeholder] + +6064. [security] An UPDATE message flood could cause named to exhaust all + available memory. This flaw was addressed by adding a + new "update-quota" statement that controls the number of + simultaneous UPDATE messages that can be processed or + forwarded. The default is 100. A stats counter has been + added to record events when the update quota is + exceeded, and the XML and JSON statistics version + numbers have been updated. (CVE-2022-3094) [GL #3523] + +6063. [cleanup] The RSA and ECDSA parts of the DNSSEC has been + refactored for a better OpenSSL 3.x integration and + preliminary PKCS#11 support via for OpenSSL Providers + has been added. [GL #3785] + +6062. 
[func] The DSCP implementation, which has been + nonfunctional for some time, is now marked as + obsolete and the implementation has been removed. + Configuring DSCP values in named.conf has no + effect, and a warning will be logged that + the feature should no longer be used. [GL #3773] + +6061. [bug] Fix unexpected "Prohibited" extended DNS error + on allow-recursion. [GL #3743] + +6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() + by detaching from the zone manager outside of the write + lock. [GL #3768] + +6059. [bug] In some serve stale scenarios, like when following an + expired CNAME record, named could return SERVFAIL if the + previous request wasn't successful. Consider non-stale + data when in serve-stale mode. [GL #3678] + +6058. [bug] Prevent named from crashing when "rndc delzone" + attempts to delete a zone added by a catalog zone. + [GL #3745] + +6057. [bug] Fix shutdown and error path bugs in the rpz unit. + [GL #3735] + +6056. [bug] Fix a race in adb.c:clean_namehooks(), so that an ADB + entry does not expire without holding the entries lock. + [GL #3754] + +6055. [cleanup] Remove setting alternate transfer sources, make options + alt-transfer-source, alt-transfer-transfer-source-v6, + and use-alt-transfer-source ancient. [GL #3714] + +6054. [func] Refactor remote servers (primaries, parental-agents) + in zone.c. Store common code in new source files + remote.c and remote.h. Introduce a new way to set the + source address and port. [GL !7110] + +6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752] + +6052. [func] Replace DNS over TCP and DNS over TLS transports + code with a new, unified transport implementation. + [GL #3374] + +6051. [bug] Improve thread safety in the dns_dispatch unit. + [GL #3178] [GL #3636] + +6050. [bug] Changes to the RPZ response-policy min-update-interval + and add-soa options now take effect as expected when + named is reconfigured. [GL #3740] + +6049. 
[bug] Exclude ABD hashtables from the ADB memory + overmem checks and don't clean ADB names + and ADB entries used in the last 10 seconds + (ADB_CACHE_MINIMUM). [GL #3739] + +6048. [bug] Fix a log message error in dns_catz_update_from_db(), + where serials with values of 2^31 or larger were logged + incorrectly as negative numbers. [GL #3742] + +6047. [bug] Try the next server instead of trying the same + server again on an outgoing query timeout. + [GL #3637] + +6046. [bug] TLS session resumption might lead to handshake + failures when client certificates are used for + authentication (Mutual TLS). This has been fixed. + [GL #3725] + +6045. [cleanup] The list of supported DNSSEC algorithms changed log + level from "warning" to "notice" to match named's other + startup messages. [GL !7217] + +6044. [bug] There was an "RSASHA236" typo in a log message. + [GL !7206] + + --- 9.19.8 released --- + +6043. [bug] The key file IO locks objects would never get + deleted from the hashtable due to off-by-one error. + [GL #3727] + +6042. [bug] ANY responses could sometimes have the wrong TTL. + [GL #3613] + +6041. [func] Set the RLIMIT_NOFILE to rlim_max returned from + getrlimit() instead of trying to guess the maximum + allowed value. [GL #3676] + +6040. [bug] Speed up the named shutdown time by explicitly + canceling all recursing ns_client objects for + each ns_clientmgr. [GL #3183] + +6039. [bug] Removing a catalog zone from catalog-zones without + also removing the referenced zone could leave a + dangling pointer. [GL #3683] + +6038. [placeholder] + +6037. [func] Reject zones which have DS records not at delegation + points. [GL #3697] + +6036. [bug] nslookup and host were not honoring the selected port + in TCP mode. [GL #3721] + +6035. [bug] Refactor the dns_resolver unit to store the fetch + contexts and zone counter directly in the hash + tables without buckets and implement effective + cleaning of both objects. [GL #3709] + +6034. 
[func] Deprecate alt-transfer-source, alt-transfer-source-v6 + and use-alt-transfer-source. [GL #3694] + +6033. [func] Log messages related to serve-stale now include the RR + type involved. [GL !7145] + +6032. [bug] After change 5995, zone transfers were using a small + compression context that only had space for the first + few dozen names in each message. They now use a large + compression context with enough space for every name. + [GL #3706] + +6031. [bug] Move the "final reference detached" log message + from dns_zone unit to the DEBUG(1) log level. + [GL #3707] + +6030. [bug] Refactor the ADB to use a global LRU queue, store + the ADB names and ADB entries directly in the hash + tables instead of buckets, and properly clean the + ADB names and entries when not in use. [GL #3239] + [GL #3238] [GL #2615] [GL #2078] [GL #2437] + [GL #3312] [GL #2441] + +6029. [cleanup] Remove the unused external cache cleaning mechanism + as RBTDB has its own internal cache cleaning + mechanism and we don't support any other database + implementations. [GL #3639] + +6028. [performance] Build-time code generation of DNS RRtype switches + is now much faster. [GL !7121] + +6027. [bug] Fix assertion failure in isc_http API used by + statschannel if the read callback would be called + on HTTP request that has been already closed. + [GL #3693] + +6026. [cleanup] Deduplicate time unit conversion factors. + [GL !7033] + +6025. [bug] Copy TLS identifier when setting up primaries for + catalog member zones. [GL #3638] + +6024. [func] Deprecate 'auto-dnssec'. [GL #3667] + +6023. [func] Remove dynamic update DNSSEC management feature. + [GL #3686] + +6022. [performance] The decompression implementation in dns_name_fromwire() + is now smaller and faster. [GL #3655] + +6021. [bug] Use the current domain name when checking answers from + a dual-stack-server. [GL #3607] + +6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard + option when loading a zone. [GL #1905] + +6019. 
[func] Deprecate `coresize`, `datasize`, `files`, and + `stacksize` named.conf options. [GL #3676] + +6018. [cleanup] Remove the --with-tuning configure option. + [GL #3664] + +6017. [bug] The view's zone table was not locked when it should + have been leading to race conditions when external + extensions that manipulate the zone table where in + use. [GL #3468] + +6016. [func] Change NSEC3PARAM TTL to match the SOA MINIMUM. + [GL #3570] + +6015. [bug] Some browsers (Firefox) send more than 10 HTTP + headers. Bump the number of allowed HTTP headers + to 100. [GL #3670] + +6014. [func] Add isc_hashmap API implementation that implements + Robin Hood hashing. The API requires the keys to + be stored with the stored value. [GL !6790] + + --- 9.19.7 released --- + +6013. [bug] Fix a crash that could happen when you change + a dnssec-policy zone with NSEC3 to start using + inline-signing. [GL #3591] + +6012. [placeholder] + +6011. [func] Refactor the privilege setting part of named_os unit + to make libcap on Linux mandatory and use setreuid + and setregid if available. [GL #3583] + +6010. [func] Make the initial interface scan happen before + dropping the privileges. This requires exiting + exclusive mode before scanning the interfaces + and re-entering it again when we are done. This + is because starting the listening on interfaces + requires the loopmgr to be running and not paused. + [GL #3583] + +6009. [bug] Don't trust a placeholder KEYDATA from the managed-keys + zone by adding it into secroots. [GL #2895] + +6008. [bug] Fixed a race condition that could cause a crash + in dns_zone_synckeyzone(). [GL #3617] + +6007. [cleanup] Don't enforce the jemalloc use on NetBSD. [GL #3634] + +6006. [cleanup] The zone dumping was using isc_task API to launch + the zonedump on the offloaded threadpool. Remove + the task and launch the offloaded work directly. + [GL #3628] + +6005. 
[func] The zone loading has been moved to the offload + threadpool instead of doing incremental repeated + tasks, so zone loading scheduling is now driven + by the operating system scheduler rather than fixed + (100) quantum. [GL #3625] + +6004. [func] Add check-svcb to control the checking of additional + constraints on SVBC records. This change impacts on + named, named-checkconf, named-checkzone, + named-compilezone and nsupdate. [GL #3576] + +6003. [bug] Fix an inheritance bug when setting the port on + remote servers in configuration. [GL #3627] + +6002. [bug] Fix a resolver prefetch bug when the record's TTL value + is equal to the configured prefetch eligibility value, + but the record was erroneously not treated as eligible + for prefetching. [GL #3603] + +6001. [bug] Always call dns_adb_endudpfetch() after calling + dns_adb_beginudpfetch() for UDP queries in resolver.c, + in order to adjust back the quota. [GL #3598] + +6000. [bug] Fix a startup issue on Solaris systems with many + (reportedly > 510) CPUs. Thanks to Stacey Marshall from + Oracle for deep investigation of the problem. [GL #3563] + +5999. [bug] rpz-ip rules could be ineffective in some scenarios + with CD=1 queries. [GL #3247] + +5998. [placeholder] + +5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR() + reporting macros. [GL !6914] + +5996. [bug] Fix a couple of bugs in cfg_print_duration(), which + could result in generating incomplete duration values + when printing the configuration using named-checkconf. + [GL !6880] + +5995. [performance] A new algorithm for DNS name compression based on a + hash set of message offsets. Name compression is now + more complete as well as being generally faster, and + the implementation is less complicated and requires + much less memory. [GL !6517] + +5994. [func] Refactor the isc_httpd implementation used in the + statistics channel. [GL !6879] + +5993. [cleanup] Store dns_name_t attributes as boolean members of + the structure. 
Remove DNS_NAMEATTR_* macros. + Fix latent attribute handling bug in RBT. [GL !6902] + + --- 9.19.6 released --- + +5992. [func] Introduce the new isc_mem_*x() APIs that takes extra + flags as the last argument. Currently ISC_MEM_ZERO + and ISC_MEM_ALIGN(n) flags have been implemented that + clears the memory to avoid the isc_mem_get()/memset() + pattern and make aligned allocation which replaces the + previous isc_mem_*_aligned() calls. [GL !6398] + +5991. [protocol] Add support for parsing and validating "dohpath" to + SVCB. [GL #3544] + +5990. [test] fuzz/dns_message_checksig now creates the key directory + it uses when testing in /tmp at run time. [GL #3569] + +5989. [func] Implement support for DDNS update forwarding using DoT + to TLS-enabled primary servers. [GL #3512] + +5988. [bug] Some out of memory conditions in opensslrsa_link.c + could lead to memory leaks. [GL #3551] + +5987. [func] Provide custom isc_mem based allocators for libuv, + OpenSSL and libxml2 libraries that support replacing + the internal allocators. [GL #3559] + +5986. [func] Make the memory context debugging options local to + the memory context and make it immutable for the memory + context lifetime. [GL #3559] + +5985. [func] Bump the minimal libuv version to 1.34.0. [GL #3567] + +5984. [func] 'named -V' now reports the list of supported + DNSSEC/DS/HMAC algorithms and the supported TKEY modes. + [GL #3541] + +5983. [bug] Changing just the TSIG key names for primaries in + catalog zones' member zones was not effective. + [GL #3557] + +5982. [func] Extend dig to allow requests to be signed using SIG(0) + as well as providing a mechanism to specify the signing + time. [GL !5923] + +5981. [test] Add dns_message_checksig fuzzer to check messages + signed using TSIG or SIG(0). [GL !5923] + +5980. [func] The internal isc_entropy API provider has been + changed from OpenSSL RAND_bytes() to uv_random() + to use system provided entropy. [GL !6803] + +5979. 
[func] Implement DoT support for nsupdate. [GL #1781] + +5978. [port] The ability to use pkcs11 via engine_pkcs11 has been + restored, by only using deprecated APIs in + OpenSSL 3.0.0. BIND needs to be compiled with + '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS + at compile time. [GL !6711] + +5977. [bug] named could incorrectly return non-truncated, glueless + referrals for responses whose size was close to the UDP + packet size limit. [GL #1967] + +5976. [cleanup] isc_timer_t objects are now created, started and + destroyed in a particular loop, and timer callbacks + run in that loop. isc_timer_stop() can still be called + from any loop; when run from a different loop than + the one associated with the timer, the request will + be recorded in atomic variable and the timer will + be stopped on the next callback call. [GL #3202] + +5975. [func] Implement TLS transport support for dns_request and + dns_dispatch. [GL #3529] + +5974. [bug] Fix an assertion failure in dispatch caused by + extra read callback call. [GL #3545] + +5973. [bug] Fixed a possible invalid detach in UPDATE + processing. [GL #3522] + +5972. [bug] Gracefully handle when the statschannel HTTP connection + gets cancelled during sending data back to the client. + [GL #3542] + +5971. [func] Add libsystemd sd_notify() support. [GL #1176] + +5970. [func] Log the reason why a query was refused. [GL !6669] + +5969. [bug] DNSSEC signing statistics failed to identify the + algorithm involved. The key names have been changed + to be the algorithm number followed by "+" followed + by the key id (e.g. "8+54274"). [GL #3525] + +5968. [cleanup] Remove 'resolve' binary from tests. [GL !6733] + +5967. [cleanup] Flagged the obsolete "random-device" option as + ancient; it is now an error to configure it. [GL #3399] + +5966. [func] You can now specify if a server must return a DNS + COOKIE before accepting the response over UDP. + [GL #2295] + + server { require-cookie ; }; + +5965. 
[cleanup] Move the duplicated ASCII case conversion tables to + isc_ascii where they can be shared, and replace the + various hot-path tolower() loops with calls to new + isc_ascii implementations. [GL !6516] + +5964. [func] When an international domain name is not valid, DiG will + now pass it through unchanged, instead of stopping with + an error message. [GL #3527] + +5963. [bug] Ensure struct named_server is properly initialized. + [GL #6531] + + --- 9.19.5 released --- + +5962. [security] Fix memory leak in EdDSA verify processing. + (CVE-2022-38178) [GL #3487] + +5961. [placeholder] + +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] + +5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0 + and later versions. The openssldh_compare(), + openssldh_paramcompare(), and openssldh_todns() + functions were affected. (CVE-2022-2906) [GL #3491] + +5958. [security] When an HTTP connection was reused to get + statistics from the stats channel, and zlib + compression was in use, each successive + response sent larger and larger blocks of memory, + potentially reading past the end of the allocated + buffer. (CVE-2022-2881) [GL #3493] + +5957. [security] Prevent excessive resource use while processing large + delegations. (CVE-2022-2795) [GL #3394] + +5956. [func] Make RRL code treat all QNAMEs that are subject to + wildcard processing within a given zone as the same + name. [GL #3459] + +5955. [port] The libxml2 library has deprecated the usage of + xmlInitThreads() and xmlCleanupThreads() functions. Use + xmlInitParser() and xmlCleanupParser() instead. + [GL #3518] + +5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008 + conversion fails. [GL #3485] + +5953. [bug] Fix a crash on shutdown in delete_trace_entry(). 
Add + mctx attach/detach pair to make sure that the memory + context used by a memory pool is not destroyed before + the memory pool itself. [GL #3515] + +5952. [bug] Use quotes around address strings in YAML output. + [GL #3511] + +5951. [bug] In some cases, the dnstap query_message field was + erroneously set when logging response messages. + [GL #3501] + +5950. [func] Implement a feature to set an Extended DNS Error (EDE) + code on responses modified by RPZ. [GL #3410] + +5949. [func] Add new isc_loopmgr API that runs the application + event loops and completely replaces the isc_app + API. Refactor the isc_taskmgr, isc_timermgr and + isc_netmgr to use the isc_loopmgr event loops. + [GL #3508] + +5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing + dns_db_detachnode() call. [GL #3500] + +5947. [func] Change dnssec-policy to allow graceful transition from + an NSEC only zone to NSEC3. [GL #3486] + +5946. [bug] Fix statistics channel's handling of multiple HTTP + requests in a single connection which have non-empty + request bodies. [GL #3463] + +5945. [bug] If parsing /etc/bind.key failed, delv could assert + when trying to parse the built in trust anchors as + the parser hadn't been reset. [GL !6468] + +5944. [bug] Fix +http-plain-get and +http-plain-post options + support in dig. Thanks to Marco Davids at SIDN for + reporting the problem. [GL !6672] + +5943. [placeholder] + +5942. [bug] Fix tkey.c:buildquery() function's error handling by + adding the missing cleanup code. [GL #3492] + +5941. [func] Zones with dnssec-policy now require dynamic DNS or + inline-siging to be configured explicitly. [GL #3381] + +5940. [placeholder] + +5939. [placeholder] + +5938. [bug] An integer type overflow could cause an assertion + failure when freeing memory. [GL #3483] + +5937. [cleanup] The dns_rdatalist_tordataset() and + dns_rdatalist_fromrdataset() functions can no + longer fail. 
Clean up their prototypes and error + handling, and that of other calling functions that + subsequently cannot fail, including + dns_message_setquerytsig(). [GL #3467] + +5936. [bug] Don't enable serve-stale for lookups that error because + it is a duplicate query or a query that would be + dropped. [GL #2982] + +5935. [bug] Fix DiG lookup reference counting bug, which could + be observed in NSSEARCH mode. [GL #3478] + + --- 9.19.4 released --- + +5934. [func] Improve fetches-per-zone fetch limit logging to log + the final allowed and spilled values of the fetch + counters before the counter object gets destroyed. + [GL #3461] + +5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in + named on Fedorda 33, Oracle Linux 9 and RHEL9 when + they are disabled by the security policy. [GL #3469] + +5932. [bug] Fix rndc dumpdb -expired and always include expired + RRsets, not just for RBTDB_VIRTUAL time window. + [GL #3462] + +5931. [bug] Fix DiG query error handling robustness in NSSEARCH + mode by making sure that udp_ready(), tcp_connected(), + and send_done() callbacks start the next query in chain + even if there is some kind of error with the previous + query. [GL #3419] + +5930. [bug] Fix DiG query retry and fail-over bug in UDP mode. + Also simplify the overall retry and fail-over logic to + make it behave predictably, and always respect the + documented +retry/+tries count set by a command-line + option (or use the default values of 2 or 3 + respectively). [GL #3407] + +5929. [func] The use of the "max-zone-ttl" option in "zone" and + "options" blocks is now deprecated; this should + now be configured as part of "dnssec-policy" + instead. The old option still works in zones + with no "dnssec-policy" configured, but a warning + will be logged when loading configuration. Its + functionality will be removed in a future release. + Using "max-zone-ttl" and "dnssec-policy" in the + same zone is now a fatal error. [GL #2918] + +5928. [placeholder] + +5927. 
[bug] A race was possible in dns_dispatch_connect()
+ that could trigger an assertion failure if two
+ threads called it near-simultaneously. [GL #3456]
+
+5926. [func] Handle transient TCP connect() EADDRINUSE failures
+ on FreeBSD (and possibly other BSDs) by trying three
+ times before giving up. [GL #3451]
+
+5925. [bug] With a forwarder configured for all queries, resolution
+ failures encountered during DS chasing could trigger
+ assertion failures due to a logic bug in
+ resume_dslookup() that caused it to call
+ dns_resolver_createfetch() with an invalid name.
+ [GL #3439]
+
+5924. [func] When it's necessary to use AXFR to respond to an
+ IXFR request, a message explaining the reason
+ is now logged at level info. [GL #2683]
+
+5923. [bug] Fix inheritance for dnssec-policy when checking for
+ inline-signing. [GL #3438]
+
+5922. [bug] Forwarding of UPDATE message could fail with the
+ introduction of netmgr. This has been fixed. [GL #3389]
+
+5921. [test] Convert system tests to use a default DNSKEY algorithm
+ where the test is not DNSKEY algorithm specific.
+ [GL #3440]
+
+5920. [bug] Don't pass back the current name offset when the
+ compression is disabled in the non-improving case.
+ [GL #3423]
+
+ --- 9.19.3 released ---
+
+5919. [func] The "rndc fetchlimit" command lists name servers
+ and domain names that are being rate-limited by
+ "fetches-per-server" or "fetches-per-zone" limits.
+ [GL #665]
+
+5918. [test] Convert system tests to use a default HMAC algorithm
+ where the test is not HMAC specific. [GL #3433]
+
+5917. [bug] Update ifconfig.sh script as is miscomputed interface
+ identifiers when destroying interfaces. [GL #3061]
+
+5916. [bug] When resolving a name, don't give up immediately if an
+ authoritative server returns FORMERR; try the other
+ servers first. [GL #3152]
+
+5915. [bug] Detect missing closing brace (}) and computational
+ overflows in $GENERATE directives. [GL #3429]
+
+5914.
[bug] When synth-from-dnssec generated a response using
+ records from a higher zone, it could unexpectedly prove
+ non-existance of records in a subordinate grafted-on
+ namespace. [GL #3402]
+
+5913. [placeholder]
+
+5912. [cleanup] The "glue-cache" option has been removed. The glue cache
+ feature still works and is now permanently enabled.
+ [GL #2147]
+
+5911. [bug] Update HTTP listener settings on reconfiguration.
+ [GL #3415]
+
+5910. [cleanup] Move built-in dnssec-policies into the defaultconf.
+ These are now printed with 'named -C'. [GL !6467]
+
+5909. [bug] The server-side destination port was missing from dnstap
+ captures of client traffic. [GL #3309]
+
+5908. [bug] Fix race conditions in route_connected(). [GL #3401]
+
+5907. [bug] Fix a crash in dig NS search mode when one of the NS
+ server queries fail. [GL #3207]
+
+5906. [cleanup] Various features (e.g. prefetch, RPZ) no longer share
+ common pointers when initiating recursion. This
+ rationalizes recursion quota handling and makes the
+ value of the RecursClients statistics counter more
+ accurate. [GL #3168]
+
+5905. [bug] When the TCP connection would be closed/reset between
+ the connect/accept and the read, the uv_read_start()
+ return value would be unexpected and cause an assertion
+ failure. [GL #3400]
+
+5904. [func] Changed dnssec-signzone -H default to 0 additional
+ NSEC3 iterations. [GL #3395]
+
+5903. [bug] When named checks that the OPCODE in a response matches
+ that of the request, if there is a mismatch named logs
+ an error. Some of those error messages incorrectly
+ used RCODE instead of OPCODE to lookup the nemonic.
+ This has been corrected. [GL !6420]
+
+5902. [func] NXDOMAIN cache records are no longer retained in
+ the cache after expiry, even when serve-stale is
+ in use. [GL #3386]
+
+5901. [bug] When processing a catalog zone member zone make sure
+ that there is no configured pre-existing forward-only
+ forward zone with that name. [GL #2506]
+
+5900.
[placeholder]
+
+ --- 9.19.2 released ---
+
+5899. [func] Don't try to process DNSSEC-related and ZONEMD records
+ in catz. [GL #3380]
+
+5898. [cleanup] Simplify BIND's internal DNS name compression API. As
+ RFC 6891 explains, it isn't practical to deploy new
+ label types or compression methods, so it isn't
+ necessary to have an API designed to support them.
+ Remove compression terminology that refers to Internet
+ Drafts that expired in the 1990s. [GL !6270]
+
+5897. [bug] Views that weren't configured to use RFC 5011 key
+ management would still set up an empty managed-keys
+ zone. This has been fixed. [GL #3349]
+
+5896. [func] Add some more dnssec-policy checks to detect weird
+ policies. [GL #1611]
+
+5895. [test] Add new set of unit test macros and move the unit
+ tests under single namespace in /tests/. [GL !6243]
+
+5894. [func] Avoid periodic interface re-scans on Linux by
+ default, where a reliable event-based mechanism for
+ detecting interface state changes is available.
+ [GL #3064]
+
+5893. [func] Add TLS session resumption support to the client-side
+ TLS code. [GL !6274]
+
+5892. [cleanup] Refactored the the hash tables in resolver.c to
+ use the isc_ht API. [GL !6271]
+
+5891. [func] Key timing options for `dnssec-settime` and related
+ utilities now accept "UNSET" times as printed by
+ `dnssec-settime -p`. [GL #3361]
+
+5890. [bug] When the fetches-per-server quota was adjusted
+ because of an authoritative server timing out more
+ or less frequently, it was incorrectly set to 1
+ rather than the intended value. This has been
+ fixed. [GL #3327]
+
+5889. [cleanup] Refactored and simplified the shutdown processes in
+ dns_view, dns_resolver, dns_requestmgr, and dns_adb
+ by reducing interdependencies between the objects.
+ [GL !6278]
+
+5888. [bug] Only write key files if the dnssec-policy keymgr has
+ changed the metadata. [GL #3302]
+
+5887. [cleanup] Remove the on-shutdown mechanics from isc_task API.
+ Replace it by isc_task_send() when we are shutting
+ down. [GL !6275]
+
+ --- 9.19.1 released ---
+
+5886. [security] Fix a crash in DNS-over-HTTPS (DoH) code caused by
+ premature TLS stream socket object deletion.
+ (CVE-2022-1183) [GL #3216]
+
+5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub
+ and static-stub zones at or above the query name. This
+ has now been addressed. [GL #3232]
+
+5884. [cleanup] Reduce struct padding in ADB address entries, and use a
+ binary hash function to find addresses. [GL !6219]
+
+5883. [cleanup] Move netmgr/uv-compat.{c,h} to , so
+ the compatibility libuv shims could be used outside
+ the network manager. [GL !6199]
+
+5882. [contrib] Avoid name space collision in dlz modules by prefixing
+ functions with 'dlz_'. [GL !5778]
+
+5881. [placeholder]
+
+5880. [func] Add new named command-line option -C to print built-in
+ defaults. [GL #1326]
+
+5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
+
+5878. [func] Check the algorithm name or OID embedded at the start
+ of the signature field for PRIVATEDNS and PRIVATEOID
+ SIG and RRSIG records are well formed. [GL #3296]
+
+5877. [func] Introduce the concept of broken catalog zones described
+ in the DNS catalog zones draft version 5 document.
+ [GL #3224]
+
+5876. [func] Add DNS Extended Errors when stale answers are returned
+ from cache. [GL #2267]
+
+5875. [bug] Fixed a deadlock that could occur if an rndc
+ connection arrived during the shutdown of network
+ interfaces. [GL #3272]
+
+5874. [placeholder]
+
+5873. [bug] Refactor the fctx_done() function to set fctx to
+ NULL after detaching, so that reference counting
+ errors will be easier to avoid. [GL #2969]
+
+5872. [bug] udp_recv() in dispatch could trigger an INSIST when the
+ callback's result indicated success but the response
+ was canceled in the meantime. [GL #3300]
+
+5871. [bug] Fix dig hanging on TLS context creation errors.
+ [GL #3285]
+
+5870.
[cleanup] Remove redundant macros in the RBT implementation.
+ [GL !6158]
+
+5869. [func] Enable use of IP(V6)_RECVERR on Linux that allows
+ the kernel to report destination host/network
+ unreachable errors to the userspace application.
+ [GL #4251]
+
+5868. [cleanup] Use Daniel Lemire's "nearly divisionless" algorithm
+ for unbiased bounded random numbers, and move
+ re-seeding out of the hot path. [GL !6161]
+
+5867. [bug] Fix assertion failure triggered by attaching to dns_adb
+ in dns_adb_createfind() that has been triggered to shut
+ down in different thread between the check for shutting
+ down condition and the attach to dns_adb. [GL #3298]
+
+5866. [bug] Work around a jemalloc quirk which could trigger an
+ out-of-memory condition in named over time. [GL #3287]
+
+5865. [func] Make statistics channel and control channel listen
+ on a single network manager thread. [GL !6032]
+
+5864. [func] The OID embedded at the start of a PRIVATEOID public
+ key in a KEY, DNSKEY, CDNSKEY, or RKEY RR is now
+ checked for validity when reading from wire or from
+ zone files, and the OID is printed when
+ 'dig +rrcomments' is used. Similarly, the name
+ embedded at the start of a PRIVATEDNS public key
+ is also checked for validity. [GL #3234]
+
+5863. [bug] If there was a pending negative cache DS entry,
+ validations depending upon it could fail. [GL #3279]
+
+5862. [bug] dig returned a 0 exit status on UDP connection failure.
+ [GL #3235]
+
+5861. [func] Implement support for catalog zones change of ownership
+ (coo) mechanism described in the DNS catalog zones draft
+ version 5 document. [GL #3223]
+
+5860. [func] Implement support for catalog zones options new syntax
+ based on catalog zones custom properties with "ext"
+ suffix described in the DNS catalog zones draft version
+ 5 document. [GL #3222]
+
+5859.
[bug] Fix an assertion failure when using dig with +nssearch
+ and +tcp options by starting the next query in the
+ send_done() callback (like in the UDP mode) instead
+ of doing that recursively in start_tcp(). Also
+ ensure that queries interrupted while connecting
+ are detached properly. [GL #3144]
+
+5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign
+ when using 'auto-dnssec maintain;'. [GL #2931]
+
+5857. [bug] Fixed a possible crash during shutdown due to ADB
+ entries being unlinked from the hash table too
+ soon. [GL #3256]
+
+ --- 9.19.0 released ---
+
+5856. [bug] The "starting maxtime timer" message related to outgoing
+ zone transfers was incorrectly logged at the ERROR level
+ instead of DEBUG(1). [GL #3208]
+
+5855. [bug] Ensure that zone maintenance queries have a retry limit.
+ [GL #3242]
+
+5854. [func] Implement reference counting for TLS contexts and
+ allow reloading of TLS certificates on reconfiguration
+ without destroying the underlying TCP listener sockets
+ for TLS-based DNS transports. [GL #3122]
+
+5853. [bug] When using both the `+qr` and `+y` options `dig` could
+ crash if the connection to the first server was not
+ successful. [GL #3244]
+
+5852. [func] Add new "reuseport" option to enable/disable load
+ balancing of sockets. [GL #3249]
+
+5851. [placeholder]
+
+5850. [func] Run the RPZ update process on the offload threads.
+ [GL #3190]
+
+5849. [cleanup] Remove use of exclusive mode in ns_interfacemgr in
+ favor of rwlocked access to localhost and localnets
+ members of dns_aclenv_t structure. [GL #3229]
+
+5848. [bug] dig could hang in some cases involving multiple servers
+ in a lookup, when a request fails and the next one
+ refuses to start for some reason, for example if it was
+ an IPv4 mapped IPv6 address. [GL #3248]
+
+5847. [cleanup] Remove task privileged mode in favor of processing
+ all events in the loadzone task in a single run
+ by setting the quantum to UINT_MAX. [GL #3253]
+
+5846.
[func] In dns_zonemgr, create per-thread task, zonetask, and
+ loadtask and pin the zones to individual threads,
+ instead of having "many", spreading the zones among
+ them and hoping for the best. This also removes any
+ need to dynamically reallocate the pools with memory
+ contexts and tasks. [GL #3226]
+
+5845. [bug] Refactor the timer to keep track of posted events
+ as to use isc_task_purgeevent() instead of using
+ isc_task_purgerange(). The isc_task_purgeevent()
+ has been refactored to purge a single event instead
+ of walking through the list of posted events.
+ [GL #3252]
+
+5844. [bug] dig +nssearch was hanging until manually interrupted.
+ [GL #3145]
+
+5843. [bug] When an UPDATE targets a zone that is not configured,
+ the requested zone name is now logged in the "not
+ authoritative" error message, so that it is easier to
+ track down problematic update clients. [GL #3209]
+
+5842. [cleanup] Remove the task exclusive mode use in ns_clientmgr.
+ [GL #3230]
+
+5841. [bug] Refactor the address database:
+ - Use self-resizing hash tables, eliminating the
+ need to go into task-exclusive mode when resizing.
+ - Simplify reference counting of ADB objects
+ and the process for shutting down. [GL #3213]
+
+5840. [cleanup] Remove multiple application context use in dns_client
+ unit. [GL !6041]
+
+5839. [func] Add support for remote TLS certificates
+ verification, both to BIND and dig, making it possible
+ to implement Strict and Mutual TLS authentication,
+ as described in RFC 9103, Section 9.3. [GL #3163]
+
+5838. [cleanup] When modifying a member zone in a catalog zone, and it
+ is detected that the zone exists and was not created by
+ the current catalog zone, distinguish the two cases when
+ the zone was not added by a catalog zone at all, and
+ when the zone was added by a different catalog zone,
+ and log a warning message accordingly. [GL #3221]
+
+5837.
[func] Key timing options for `dnssec-keygen` and
+ `dnssec-settime` now accept times as printed by
+ `dnssec-settime -p`. [GL !2947]
+
+5836. [bug] Quote the dns64 prefix in error messages that complain
+ about problems with it, to avoid confusion with the
+ following dns64 ACLs. [GL #3210]
+
+5835. [cleanup] Remove extrahandlesize from the netmgr, the callers
+ now have to allocate the object before calling
+ isc_nm_setdata() and deallocate the memory in the close
+ callback passed to isc_nm_setdata(). [GL #3227]
+
+5834. [cleanup] C99 variable-length arrays are difficult to use safely,
+ so avoid them except in test code. [GL #3201]
+
+5833. [bug] When encountering socket error while trying to initiate
+ a TCP connection to a server, dig could hang
+ indefinitely, when there were more servers to try.
+ [GL #3205]
+
+5832. [bug] When timing-out or having other types of socket errors
+ during a query, dig wasn't trying to perform the lookup
+ using other servers, in case they exist. [GL #3128]
+
+5831. [bug] When resending a UDP request in the result of a timeout,
+ the recv_done() function in dighost.c was prepending
+ the new query into the loookup's queries list instead
+ of inserting, which could cause an assertion failure
+ when the resent query's result was SERVFAIL. [GL #3020]
+
+5830. [func] Implement incremental resizing of isc_ht hash tables to
+ perform the rehashing gradually. The catalog zone
+ implementation has been optimized to work with hundreds
+ of thousands of member zones. [GL #3212] [GL #3744]
+
+5829. [func] Refactor and simplify isc_timer API in preparation
+ for further refactoring on top of network manager
+ loops. [GL #3202]
+
+5828. [bug] Replace single TCP write timer with per-TCP write
+ timers. [GL #3200]
+
+5827. [cleanup] The command-line utilities printed their version numbers
+ inconsistently; they all now print to stdout. (They are
+ still inconsistent abotut whether you use `-v` or `-V`
+ to request the version).
[GL #3189]
+
+5826. [cleanup] Stop dig from complaining about lack of IDN support when
+ the user asks for no IDN translation. [GL #3188]
+
+5825. [func] Set the minimum MTU on UDPv6 and TCPv6 sockets and
+ limit TCP maximum segment size (TCP_MAXSEG) to (1220)
+ for both TCPv4 and TCPv6 sockets. [GL #2201]
+
+5824. [bug] Invalid dnssec-policy definitions were being accepted
+ where the defined keys did not cover both KSK and ZSK
+ roles for a given algorithm. This is now checked for
+ and the dnssec-policy is rejected if both roles are
+ not present for all algorithms in use. [GL #3142]
+
+5823. [func] Replace hazard pointers based lock-free list with
+ locked-list based queue that's simpler and has no or
+ little performance impact. [GL #3180]
+
+5822. [bug] When calling dns_dispatch_send(), attach/detach
+ dns_request_t object as the read callback could
+ be called before send callback dereferencing
+ dns_request_t object too early. [GL #3105]
+
+5821. [bug] Fix query context management issues in the TCP part
+ of dig. [GL #3184]
+
+5820. [security] An assertion could occur in resume_dslookup() if the
+ fetch had been shut down earlier. (CVE-2022-0667)
+ [GL #3129]
+
+5819. [security] Lookups involving a DNAME could trigger an INSIST when
+ "synth-from-dnssec" was enabled. (CVE-2022-0635)
+ [GL #3158]
+
+5818. [security] A synchronous call to closehandle_cb() caused
+ isc__nm_process_sock_buffer() to be called recursively,
+ which in turn left TCP connections hanging in the
+ CLOSE_WAIT state blocking indefinitely when
+ out-of-order processing was disabled. (CVE-2022-0396)
+ [GL #3112]
+
+5817. [security] The rules for acceptance of records into the cache
+ have been tightened to prevent the possibility of
+ poisoning if forwarders send records outside
+ the configured bailiwick. (CVE-2021-25220) [GL #2950]
+
+5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
+ not very accurate pre-processor checks for using shims.
+ [GL #3172]
+
+5815.
[bug] If an oversized key name of a specific length was used
+ in the text form of an HTTP or SVBC record, an INSIST
+ could be triggered when parsing it. [GL #3175]
+
+5814. [bug] The RecursClients statistics counter could underflow
+ in certain resolution scenarios. [GL #3147]
+
+5813. [func] The "keep-response-order" ACL has been declared
+ obsolete, and is now non-operational. [GL #3140]
+
+5812. [func] Drop the artificial limit on the number of queries
+ processed in a single TCP read callback. [GL #3141]
+
+5811. [bug] Reimplement the maximum and idle timeouts for outgoing
+ zone tranfers. [GL #1897]
+
+5810. [func] New option '-J' for dnssec-signzone and dnssec-verify
+ allows loading journal files. [GL #2486]
+
+5809. [bug] Reset client TCP connection when data received cannot
+ be parsed as a valid DNS request. [GL #3149]
+
+5808. [bug] Certain TCP failures were not caught and handled
+ correctly by the dispatch manager, causing
+ connections to time out rather than returning
+ SERVFAIL. [GL #3133]
+
+5807. [bug] Add a TCP "write" timer, and time out writing
+ connections after the "tcp-idle-timeout" period
+ has elapsed. [GL #3132]
+
+5806. [bug] An error in checking the "blackhole" ACL could cause
+ DNS requests sent by named to fail if the
+ destination address or prefix was specifically
+ excluded from the ACL. [GL #3157]
+
+5805. [func] The result of each resolver priming attempt is now
+ included in the "resolver priming query complete" log
+ message. [GL #3139]
+
+5804. [func] Add a debug log message when starting and ending
+ the task exclusive mode. [GL #3137]
+
+5803. [func] Use compile-time paths in the documentation.
+ [GL #2717]
+
+5802. [test] Add system test to test engine_pkcs11. [GL !5727]
+
+5801. [bug] Log "quota reached" message when hard quota
+ is reached when accepting a connection. [GL #3125]
+
+5800. [func] Add ECS support to the DLZ interface. [GL #3082]
+
+5799. [bug] Use L1 cache-line size detected at runtime.
[GL #3108]
+
+5798. [test] Add system test to test dnssec-keyfromlabel. [GL #3092]
+
+5797. [bug] A failed view configuration during a named
+ reconfiguration procedure could cause inconsistencies
+ in BIND internal structures, causing a crash or other
+ unexpected errors. [GL #3060]
+
+5796. [bug] Ignore the invalid (<= 0) values returned
+ by the sysconf() check for the L1 cache line
+ size. [GL #3108]
+
+5795. [bug] rndc could crash when interrupted by a signal
+ before receiving a response. [GL #3080]
+
+5794. [func] Set the IPV6_V6ONLY on all IPv6 sockets to
+ restrict the IPv6 sockets to sending and
+ receiving IPv6 packets only. [GL #3093]
+
+5793. [bug] Correctly detect and enable UDP recvmmsg support
+ in all versions of libuv that support it. [GL #3095]
+
+5792. [bug] Don't schedule zone events on ISC_R_SHUTTINGDOWN
+ event failures. [GL #3084]
+
+5791. [func] Remove workaround for servers returning FORMERR
+ when receiving NOTIFY query with SOA record in
+ ANSWER section. [GL #3086]
+
+5790. [bug] The control channel was incorrectly looking for
+ ISC_R_CANCELED as a signal that the named is
+ shutting down. In the dispatch refactoring,
+ the result code returned from network manager
+ is now ISC_R_SHUTTINGDOWN. Change the control
+ channel code to use ISC_R_SHUTTINGDOWN result
+ code to detect named being shut down. [GL #3079]
+
+ --- 9.17.22 released ---
+
+5789. [bug] Allow replacing expired zone signatures with
+ signatures created by the KSK. [GL #3049]
+
+5788. [bug] An assertion could occur if a catalog zone event was
+ scheduled while the task manager was being shut
+ down. [GL #3074]
+
+5787. [doc] Update 'auto-dnssec' documentation, it may only be
+ activated at zone level. [GL #3023]
+
+5786.
[bug] Defer detaching from zone->raw in zone_shutdown() if
+ the zone is in the process of being dumped to disk, to
+ ensure that the unsigned serial number information is
+ always written in the raw-format header of the signed
+ version on an inline-signed zone. [GL #3071]
+
+5785. [bug] named could leak memory when two dnssec-policy clauses
+ had the same name. named failed to log this error.
+ [GL #3085]
+
+5784. [func] Implement TLS-contexts reuse. Reusing the
+ previously created TLS context objects can reduce
+ initialisation time for some configurations and enables
+ TLS session resumption for incoming zone transfers over
+ TLS (XoT). [GL #3067]
+
+5783. [func] named is now able to log TLS pre-master secrets for
+ debugging purposes. This requires setting the
+ SSLKEYLOGFILE environment variable appropriately.
+ [GL #2723]
+
+5782. [func] Use ECDSA P-256 instead of a 4096-bit RSA when
+ generating ephemeral key and certificate for the
+ 'tls ephemeral' configuration. [GL #2264]
+
+5781. [bug] Make BIND work with OpenSSL 3.0.1 as it is now
+ enforcing minimum buffer lengths in EVP_MAC_final and
+ hence EVP_DigestSignFinal. rndc and TSIG at a minimum
+ were broken by this change. [GL #3057]
+
+5780. [bug] The Linux kernel may send netlink messages
+ indicating that network interfaces have changed
+ when they have not. This caused frequent unnecessary
+ re-scans of the interfaces. Netlink messages now
+ only trigger re-scanning if a new address is seen
+ or an existing address is removed. [GL #3055]
+
+5779. [test] Drop cppcheck suppressions and workarounds. [GL #2886]
+
+5778. [bug] Destroyed TLS contexts could have been used after a
+ reconfiguration, making BIND unable to serve queries
+ over TLS and HTTPS. [GL #3053]
+
+5777. [bug] TCP connections could hang after receiving
+ non-matching responses. [GL #3042]
+
+5776. [bug] Add a missing isc_condition_destroy() for nmsocket
+ condition variable and add missing isc_mutex_destroy()
+ for nmworker lock.
[GL #3051]
+
+ --- 9.17.21 released ---
+
+5775. [bug] Added a timer in the resolver to kill fetches that
+ have deadlocked as a result of dependency loops
+ with the ADB or the validator. This condition is
+ now logged with the message "shut down hung fetch
+ while resolving '/'". [GL #3040]
+
+5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec")
+ as active by default. It is limited to NSEC only
+ and by default ignores NSEC records with next name
+ in form \000.domain. [GL #1265]
+
+5773. [func] Change the message when accepting TCP connection has
+ failed to say "Accepting TCP connection failed" and
+ change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
+ and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
+ [GL #2700]
+
+5772. [bug] The resolver could hang on shutdown due to dispatch
+ resources not being cleaned up when a TCP connection
+ was reset. [GL #3026]
+
+5771. [bug] Use idn2 UseSTD3ASCIIRules=false to disable additional
+ unicode validity checks because enabling the additional
+ checks would break valid domain names that contains
+ non-alphanumerical characters such as underscore
+ character (_) or wildcard (*). This reverts change
+ [GL !5738] from the previous release. [GL #1610]
+
+5770. [func] BIND could abort on startup on systems using old
+ OpenSSL versions when 'protocols' option is used inside
+ a 'tls' statement. [GL !5602]
+
+5769. [func] Added support for client-side 'tls' parameters when
+ doing incoming zone transfers via XoT. [GL !5602]
+
+5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
+5767. [func] Extend allow-transfer option with 'port' and
+ 'transport' options to restrict zone transfers to
+ a specific port and DNS transport protocol.
+ [GL #2776]
+
+5766. [func] Unused 'tls' clause options 'ca-file' and 'hostname'
+ were disabled. [GL !5600]
+
+5765. [bug] Fix a bug in DoH implementation making 'dig'
+ abort when ALPN negotiation fails. [GL #3022]
+
+5764.
[bug] dns_sdlz_putrr failed to process some valid resource
+ records. [GL #3021]
+
+5763. [bug] Fix a bug in DoT code leading to an abort when
+ a zone transfer ends with an unexpected DNS message.
+ [GL #3004]
+
+5762. [bug] Fix a "named" crash related to removing and restoring a
+ `catalog-zone` entry in the configuration file and
+ running `rndc reconfig`. [GL #1608]
+
+5761. [bug] OpenSSL 3.0.0 support could fail to correctly read
+ ECDSA private keys leading to incorrect signatures
+ being generated. [GL #3014]
+
+5760. [bug] Prevent a possible use-after-free error in resolver.
+ [GL #3018]
+
+5759. [func] Set Extended DNS Error Code 18 - Prohibited if query
+ access is denied to the specific client. [GL #1836]
+
+5758. [bug] mdig now honors the operating system's preferred
+ ephemeral port range. [GL #2374]
+
+5757. [test] Replace sed in nsupdate system test with awk to
+ construct the nsupdate command. The sed expression
+ was not reliably changing the ttl. [GL #3003]
+
+5756. [func] Assign HTTP freshness lifetime to responses sent
+ via DNS-over-HTTPS, according to the recommendations
+ given in RFC 8484. [GL #2854]
+
+ --- 9.17.20 released ---
+
+5755. [bug] The statistics channel wasn't correctly handling
+ multiple HTTP requests, or pipelined or truncated
+ requests. [GL #2973]
+
+5754. [bug] "tls" statements may omit "key-file" and "cert-file",
+ but if either one is specified, then both must be.
+ [GL #2986]
+
+5753. [placeholder]
+
+5752. [bug] Fix an assertion failure caused by missing member zones
+ during a reload of a catalog zone. [GL #2308]
+
+5751. [port] Add support for OpenSSL 3.0.0. OpenSSL 3.0.0
+ deprecated 'engine' support. If OpenSSL 3.0.0 has
+ been built without support for deprecated functionality
+ pkcs11 via engine_pkcs11 is no longer available.
+ [GL #2843]
+
+5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
+ which caused the "p" prime factors to not being
+ compared. [GL #2972]
+
+5749.
[bug] Handle duplicate references to the same catalog
+ zone gracefully. [GL #2916]
+
+5748. [func] Update "nsec3param" defaults to iterations 0, salt
+ length 0. [GL #2956]
+
+5747. [func] Update rndc serve-stale status output to be less
+ confusing. [GL #2742]
+
+5746. [bug] A lame server delegation could lead to a loop in which
+ a resolver fetch depends on an ADB find which depends
+ on the same resolver fetch. Previously, this would
+ cause the fetch to hang until timing out, but after
+ change #5730 it would hang forever. The condition is
+ now detected and avoided. [GL #2927]
+
+5745. [bug] Fetch context objects now use attach/detach
+ semantics to make it easier to find and debug
+ reference-counting errors, and several such errors
+ have been fixed. [GL #2953]
+
+5744. [func] The network manager is now used for netlink sockets
+ to monitor network interface changes. This was the
+ last remaining use of the old isc_socket and
+ isc_socketmgr APIs, so they have now been removed.
+ The "named -S" argument and the "reserved-sockets"
+ option in named.conf have no function now, and are
+ deprecated. "socketmgr" statistics are no longer
+ reported in the statistics channel. [GL #2926]
+
+5743. [func] Add finer-grained "update-policy" rules,
+ "krb5-subdomain-self-rhs" and "ms-subdomain-self-rhs",
+ which restrict SRV and PTR record changes, allowing
+ only records whose content matches the machine name
+ embedded in the Kerberos principal making the change.
+ [GL #481]
+
+5742. [func] ISC_LIKELY() and ISC_UNLIKELY() macros have been
+ removed. [GL #2952]
+
+5741. [bug] Log files with "timestamp" suffixes could be left in
+ place after rolling, even if the number of preserved
+ log files exceeded the configured "versions" limit.
+ [GL #828]
+
+5740. [func] Implement incremental resizing of RBT hash table to
+ perform the rehashing gradually. [GL #2941]
+
+5739. [func] Change default of 'dnssec-dnskey-kskonly' to 'yes'.
+ [GL #1316]
+
+5738.
[bug] Enable idn2 UseSTD3ASCIIRules=true to implement
+ additional unicode validity checks. [GL #1610]
+
+5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
+ [GL #2935]
+
+ --- 9.17.19 released ---
+
+5736. [security] The "lame-ttl" option is now forcibly set to 0. This
+ effectively disables the lame server cache, as it could
+ previously be abused by an attacker to significantly
+ degrade resolver performance. (CVE-2021-25219)
+ [GL #2899]
+
+5735. [cleanup] The result codes which BIND 9 uses internally are now
+ all defined as a single list of enum values rather than
+ as multiple sets of integers scattered around shared
+ libraries. This prevents the need for locking in some
+ functions operating on result codes, and makes result
+ codes more debugger-friendly. [GL #719]
+
+5734. [bug] Fix intermittent assertion failures in dig which were
+ triggered during zone transfers. [GL #2884]
+
+5733. [func] Require the "dot" Application-Layer Protocol Negotiation
+ (ALPN) token to be selected in the TLS handshake for
+ zone transfers over TLS (XoT), as required by RFC 9103
+ section 7.1. [GL #2794]
+
+5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(),
+ ns_lib_init(), and ns_lib_shutdown() functions, as they
+ no longer served any useful purpose. [GL #88]
+
+5731. [bug] Disallow defining "http" configuration clauses called
+ "default" as they were silently ignored. [GL #2925]
+
+5730. [func] The resolver and the request and dispatch managers have
+ been substantially refactored, and are now based on the
+ network manager instead of the old isc_socket API. All
+ outgoing DNS queries and requests now use the new API;
+ isc_socket is only used to monitor for network interface
+ changes. [GL #2401]
+
+5729. [func] Allow finer control over TLS protocol configuration by
+ implementing new options for "tls" configuration clauses
+ ("dhparam-file", "ciphers", "prefer-server-ciphers",
+ "session-tickets").
These options make achieving perfect
+ forward secrecy (PFS) possible for DNS-over-TLS (DoT)
+ and DNS-over-HTTPS (DoH). [GL #2796]
+
+5728. [func] Allow specifying supported TLS protocol versions for
+ each "tls" configuration clause. [GL #2795]
+
+5727. [placeholder]
+
+5726. [bug] Fix a use-after-free bug which was triggered while
+ checking for duplicate "http" configuration clauses.
+ [GL #2924]
+
+5725. [bug] Fix an assertion failure triggered by passing an invalid
+ HTTP path to dig. [GL #2923]
+
+5724. [bug] Address a potential deadlock when checking zone content
+ consistency. [GL #2908]
+
+5723. [bug] Change 5709 broke backward compatibility for the
+ "check-names master ..." and "check-names slave ..."
+ options. This has been fixed. [GL #2911]
+
+5722. [bug] Preserve the contents of the receive buffer for TCPDNS
+ and TLSDNS when growing its size. [GL #2917]
+
+5721. [func] A new realloc()-like function, isc_mem_reget(), was
+ added to the libisc API for resizing memory chunks
+ allocated using isc_mem_get(). Memory (re)allocation
+ functions are now guaranteed to return non-NULL pointers
+ for zero-sized allocation requests. [GL !5440]
+
+5720. [contrib] Remove old-style DLZ drivers that had to be enabled at
+ build time. [GL #2814]
+
+5719. [func] Remove support for the "map" zone file format.
+ [GL #2882]
+
+5718. [bug] The "sig-signing-type" zone configuration option was
+ processed incorrectly, causing valid configurations to
+ be rejected. This has been fixed. [GL #2906]
+
+5717. [func] The "cache-file" option, which was documented as "for
+ testing purposes only" and not to be used, has been
+ removed. [GL #2903]
+
+5716. [placeholder]
+
+5715. [func] Add a check for ports specified in "*-source(-v6)"
+ options clashing with a global listening port. Such a
+ configuration was already unsupported, but it failed
+ silently; it is now treated as an error. [GL #2888]
+
+5714.
[bug] Remove the "adjust interface" mechanism which was + responsible for setting up listeners on interfaces when + the "*-source(-v6)" address and port were the same as + the "listen-on(-v6)" address and port. Such a + configuration is no longer supported; under certain + timing conditions, that mechanism could prevent named + from listening on some TCP ports. This has been fixed. + [GL #2852] + +5713. [func] Add "primaries" as a synonym for "masters" and + "default-primaries" as a synonym for "default-masters" + in catalog zone configuration options. [GL #2818] + +5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11 + from the OpenSC project. [GL #2691] + + --- 9.17.18 released --- + +5711. [bug] "map" files exceeding 2GB in size failed to load due to + a size comparison that incorrectly treated the file size + as a signed integer. [GL #2878] + +5710. [placeholder] + +5709. [func] When reporting zone types in the statistics channel, the + terms "primary" and "secondary" are now used instead of + "master" and "slave", respectively. Enum values + throughout the code have been updated to use this + terminology as well. [GL #1944] + +5708. [placeholder] + +5707. [bug] A bug was fixed which prevented dig from querying + DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860] + +5706. [cleanup] Support for external applications to register with + libisc and use it has been removed. Export versions of + BIND 9 libraries have not been supported for some time, + but the isc_lib_register() function was still available; + it has now been removed. [GL !2420] + +5705. [bug] Change #5686 altered the internal memory structure of + zone databases, but neglected to update the MAPAPI value + for zone files in "map" format. This caused named to + attempt to load incompatible map files, triggering an + assertion failure on startup. The MAPAPI value has now + been updated, so named rejects outdated files when + encountering them. [GL #2872] + +5704. 
[bug] Change #5317 caused the EDNS TCP Keepalive option to be + ignored inadvertently in client requests. It has now + been fixed and this option is handled properly again. + [GL #1927] + +5703. [bug] Fix a crash in dig caused by closing an HTTP/2 socket + associated with an unused HTTP/2 session. [GL #2858] + +5702. [bug] Improve compatibility with DNS-over-HTTPS (DoH) clients + by allowing HTTP/2 request headers in any order. + [GL #2875] + +5701. [bug] named-checkconf failed to detect syntactically invalid + values of the "key" and "tls" parameters used to define + members of remote server lists. [GL #2461] + +5700. [bug] When a member zone was removed from a catalog zone, + journal files for the former were not deleted. + [GL #2842] + +5699. [func] Data structures holding DNSSEC signing statistics are + now grown and shrunk as necessary upon key rollover + events. [GL #1721] + +5698. [bug] When a DNSSEC-signed zone which only has a single + signing key available is migrated to use KASP, that key + is now treated as a Combined Signing Key (CSK). + [GL #2857] + +5697. [func] dnssec-cds now only generates SHA-2 DS records by + default and avoids copying deprecated SHA-1 records from + a child zone to its delegation in the parent. If the + child zone does not publish SHA-2 CDS records, + dnssec-cds will generate them from the CDNSKEY records. + The "-a algorithm" option now affects the process of + generating DS digest records from both CDS and CDNSKEY + records. Thanks to Tony Finch. [GL #2871] + +5696. [protocol] Support for HTTPS and SVCB record types has been added. + [GL #1132] + +5695. [func] Add a new dig command-line option, "+showbadcookie", + which causes a BADCOOKIE response message to be + displayed when it is received from the server. + [GL #2319] + +5694. [bug] Stale data in the cache could cause named to send + non-minimized queries despite QNAME minimization being + enabled. [GL #2665] + +5693. 
[func] Restore support for reading "timeout" and "attempts" + options from /etc/resolv.conf, and use their values in + dig, host, and nslookup. (This was previously supported + by liblwres, and was still mentioned in the man pages, + but had stopped working after liblwres was deprecated in + favor of libirs.) [GL #2785] + +5692. [bug] Fix a rare crash in DNS-over-HTTPS (DoH) code caused by + detaching from an HTTP/2 session handle too early when + sending data. [GL #2851] + +5691. [bug] When a dynamic zone was made available in another view + using the "in-view" statement, running "rndc freeze" + always reported an "already frozen" error even though + the zone was successfully frozen. [GL #2844] + +5690. [func] dnssec-signzone now honors Predecessor and Successor + metadata found in private key files: if a signature for + an RRset generated by the inactive predecessor exists + and does not need to be replaced, no additional + signature is now created for that RRset using the + successor key. This enables dnssec-signzone to gradually + replace RRSIGs during a ZSK rollover. [GL #1551] + + --- 9.17.17 released --- + +5689. [security] An assertion failure occurred when named attempted to + send a UDP packet that exceeded the MTU size, if + Response Rate Limiting (RRL) was enabled. + (CVE-2021-25218) [GL #2856] + +5688. [bug] Zones using KASP and inline-signed zones failed to apply + changes from the unsigned zone to the signed zone under + certain circumstances. This has been fixed. [GL #2735] + +5687. [bug] "rndc reload " could trigger a redundant + reload for an inline-signed zone whose zone file was not + modified since the last "rndc reload". This has been + fixed. [GL #2855] + +5686. [func] The number of internal data structures allocated for + each zone was reduced. [GL #2829] + +5685. [bug] named failed to check the opcode of responses when + performing zone refreshes, stub zone updates, and UPDATE + forwarding. This has been fixed. [GL #2762] + +5684. 
[func] The DNS-over-HTTP (DoH) configuration syntax was + extended: + - The maximum number of active DoH connections can now + be set using the "http-listener-clients" option. The + default is 300. + - The maximum number of concurrent HTTP/2 streams per + connection can now be set using the + "http-streams-per-connection" option. The default is + 100. + - Both of these values can also be set on a per-listener + basis using the "listener-clients" and + "streams-per-connection" parameters in an "http" + statement. + [GL #2809] + +5683. [bug] The configuration-checking code now verifies HTTP paths. + [GL !5231] + +5682. [bug] Some changes to "zone-statistics" settings were not + properly processed by "rndc reconfig". This has been + fixed. [GL #2820] + +5681. [func] Relax the checks in the dns_zone_cdscheck() function to + allow CDS and CDNSKEY records in the zone that do not + match an existing DNSKEY record, as long as the + algorithm matches. This allows a clean rollover from one + provider to another in a multi-signer DNSSEC + configuration. [GL #2710] + +5680. [bug] HTTP GET requests without query strings caused a crash + in DoH code. This has been fixed. [GL !5268] + +5679. [func] Thread affinity is no longer set. [GL #2822] + +5678. [bug] The "check DS" code failed to release all resources upon + named shutdown when a refresh was in progress. This has + been fixed. [GL #2811] + +5677. [func] Previously, named accepted FORMERR responses both with + and without an OPT record, as an indication that a given + server did not support EDNS. To implement full + compliance with RFC 6891, only FORMERR responses without + an OPT record are now accepted. This intentionally + breaks communication with servers that do not support + EDNS and that incorrectly echo back the query message + with the RCODE field set to FORMERR and the QR bit set + to 1. [GL #2249] + +5676. 
[func] Memory allocation has been substantially refactored; it + is now based on the memory allocation API provided by + the jemalloc library, which is a new optional build + dependency for BIND 9. [GL #2433] + +5675. [bug] Compatibility with DoH clients has been improved by + ignoring the value of the "Accept" HTTP header. + [GL !5246] + +5674. [bug] A shutdown hang was triggered by DoH clients prematurely + aborting HTTP/2 streams. This has been fixed. [GL !5245] + +5673. [func] Add a new build-time option, --disable-doh, to allow + building BIND 9 without the libnghttp2 library. + [GL #2478] + +5672. [bug] Authentication of rndc messages could fail if a + "controls" statement was configured with multiple key + algorithms for the same listener. This has been fixed. + [GL #2756] + + --- 9.17.16 released --- + +5671. [bug] A race condition could occur where two threads were + competing for the same set of key file locks, leading to + a deadlock. This has been fixed. [GL #2786] + +5670. [bug] create_keydata() created an invalid placeholder keydata + record upon a refresh failure, which prevented the + database of managed keys from subsequently being read + back. This has been fixed. [GL #2686] + +5669. [func] KASP support was extended with the "check DS" feature. + Zones with "dnssec-policy" and "parental-agents" + configured now check for DS presence and can perform + automatic KSK rollovers. [GL #1126] + +5668. [bug] Rescheduling a setnsec3param() task when a zone failed + to load on startup caused a hang on shutdown. This has + been fixed. [GL #2791] + +5667. [bug] The configuration-checking code failed to account for + the inheritance rules of the "dnssec-policy" option. + This has been fixed. [GL #2780] + +5666. [doc] The safe "edns-udp-size" value was tweaked to match the + probing value from BIND 9.16 for better compatibility. + [GL #2183] + +5665. 
[bug] If nsupdate sends an SOA request and receives a REFUSED + response, it now fails over to the next available + server. [GL #2758] + +5664. [func] For UDP messages larger than the path MTU, named now + sends an empty response with the TC (TrunCated) bit set. + In addition, setting the DF (Don't Fragment) flag on + outgoing UDP sockets was re-enabled. [GL #2790] + +5663. [bug] Non-zero OPCODEs are now properly handled when receiving + queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) + channels. [GL #2787] + +5662. [bug] Views with recursion disabled are now configured with a + default cache size of 2 MB unless "max-cache-size" is + explicitly set. This prevents cache RBT hash tables from + being needlessly preallocated for such views. [GL #2777] + +5661. [bug] Change 5644 inadvertently introduced a deadlock: when + locking the key file mutex for each zone structure in a + different view, the "in-view" logic was not considered. + This has been fixed. [GL #2783] + +5660. [bug] The configuration-checking code failed to account for + the inheritance rules of the "key-directory" option. + [GL #2778] + + This change was included in BIND 9.17.15. + +5659. [bug] When preparing DNS responses, named could replace the + letters 'W' (uppercase) and 'w' (lowercase) with '\000'. + This has been fixed. [GL #2779] + + This change was included in BIND 9.17.15. + +5658. [bug] Increasing "max-cache-size" for a running named instance + (using "rndc reconfig") did not cause the hash tables + used by cache databases to be grown accordingly. This + has been fixed. [GL #2770] + +5657. [cleanup] Support was removed for both built-in atomics in old + versions of Clang (< 3.6.0) and GCC (< 4.7.0), and + atomics emulated with a mutex. [GL #2606] + +5656. [bug] Named now ensures that large responses work correctly + over DNS-over-HTTPS (DoH), and that zone transfer + requests over DoH are explicitly rejected. [GL !5148] + +5655. 
[bug] Signed, insecure delegation responses prepared by named + either lacked the necessary NSEC records or contained + duplicate NSEC records when both wildcard expansion and + CNAME chaining were required to prepare the response. + This has been fixed. [GL #2759] + +5654. [port] Windows support has been removed. [GL #2690] + +5653. [bug] A bug that caused the NSEC3 salt to be changed on every + restart for zones using KASP has been fixed. [GL #2725] + + --- 9.17.14 released --- + +5652. [bug] A copy-and-paste error in change 5584 caused the + IP_DONTFRAG socket option to be enabled instead of + disabled. This has been fixed. [GL #2746] + +5651. [func] Refactor zone dumping to be processed asynchronously via + the uv_work_t thread pool API. [GL #2732] + +5650. [bug] Prevent a crash that could occur if serve-stale was + enabled and a prefetch was triggered during a query + restart. [GL #2733] + +5649. [bug] If a query was answered with stale data on a server with + DNS64 enabled, an assertion could occur if a non-stale + answer arrived afterward. [GL #2731] + +5648. [bug] The calculation of the estimated IXFR transaction size + in dns_journal_iter_init() was invalid. [GL #2685] + +5647. [func] The interface manager has been refactored to use fewer + client manager objects, which in turn use fewer memory + contexts and tasks. This should result in less + fragmented memory and better startup performance. + [GL #2433] + +5646. [bug] The default TCP timeout for rndc has been increased to + 60 seconds. This was its original value, but it had been + inadvertently lowered to 10 when rndc was updated to use + the network manager. [GL #2643] + +5645. [cleanup] Remove the rarely-used dns_name_copy() function and + rename dns_name_copynf() to dns_name_copy(). [GL !5081] + +5644. [bug] Fix a race condition in reading and writing key files + for zones using KASP and configured in multiple views. + [GL #1875] + +5643. [placeholder] + +5642. 
[bug] Zones which are configured in multiple views with + different values set for "dnssec-policy" and with + identical values set for "key-directory" are now + detected and treated as a configuration error. + [GL #2463] + +5641. [bug] Address a potential memory leak in + dst_key_fromnamedfile(). [GL #2689] + +5640. [func] Add new configuration options for setting the size of + receive and send buffers in the operating system: + "tcp-receive-buffer", "tcp-send-buffer", + "udp-receive-buffer", and "udp-send-buffer". [GL #2313] + +5639. [bug] Check that the first and last SOA record of an AXFR are + consistent. [GL #2528] + + --- 9.17.13 released --- + +5638. [bug] Improvements related to network manager/task manager + integration: + - isc_managers_create() and isc_managers_destroy() + functions were added to handle setup and teardown of + netmgr, taskmgr, timermgr, and socketmgr, since these + require a precise order of operations now. + - Event queue processing is now quantized to prevent + infinite looping. + - The netmgr can now be paused from within a netmgr + thread. + - Deadlocks due to a conflict between netmgr's + pause/resume and listen/stoplistening operations were + fixed. + [GL #2654] + +5637. [placeholder] + +5636. [bug] named and named-checkconf did not report an error when + multiple zones with the "dnssec-policy" option set were + using the same zone file. This has been fixed. + [GL #2603] + +5635. [bug] Journal compaction could fail when a journal with + invalid transaction headers was not detected at startup. + This has been fixed. [GL #2670] + +5634. [bug] If "dnssec-policy" was active and a private key file was + temporarily offline during a rekey event, named could + incorrectly introduce replacement keys and break a + signed zone. This has been fixed. [GL #2596] + +5633. [doc] The "inline-signing" option was incorrectly described as + being inherited from the "options"/"view" levels and was + incorrectly accepted at those levels without effect. 
+ This has been fixed. [GL #2536] + +5632. [func] Add a new built-in KASP, "insecure", which is used to + transition a zone from a signed to an unsigned state. + The existing built-in KASP "none" should no longer be + used to unsign a zone. [GL #2645] + +5631. [protocol] Update the implementation of the ZONEMD RR type to match + RFC 8976. [GL #2658] + +5630. [func] Treat DNSSEC responses containing NSEC3 records with + iteration counts greater than 150 as insecure. + [GL #2445] + +5629. [func] Reduce the maximum supported number of NSEC3 iterations + that can be configured for a zone to 150. [GL #2642] + +5628. [bug] Host and nslookup could crash upon receiving a SERVFAIL + response. This has been fixed. [GL #2564] + +5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone + apex were triggering infinite resigning loops. This has + been fixed. [GL #2650] + +5626. [bug] When generating zone signing keys, KASP now also checks + for key ID conflicts among newly created keys, rather + than just between new and existing ones. [GL #2628] + +5625. [bug] A deadlock could occur when multiple "rndc addzone", + "rndc delzone", and/or "rndc modzone" commands were + invoked simultaneously for different zones. This has + been fixed. [GL #2626] + +5624. [func] Task manager events are now processed inside network + manager loops. The task manager no longer needs its own + set of worker threads, which improves resolver + performance. [GL #2638] + +5623. [bug] When named was shut down during an ongoing zone + transfer, xfrin_fail() could incorrectly be called + twice. This has been fixed. [GL #2630] + +5622. [cleanup] The lib/samples/ directory has been removed, as export + versions of libraries are no longer maintained. + [GL !4835] + +5621. [placeholder] + +5620. [bug] If zone journal files written by BIND 9.16.11 or earlier + were present when BIND was upgraded, the zone file for + that zone could have been inadvertently rewritten with + the current zone contents. 
This caused the original zone + file structure (e.g. comments, $INCLUDE directives) to + be lost, although the zone data itself was preserved. + This has been fixed. [GL #2623] + +5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the + protocol such that NSEC(3) TTL values are set to the + minimum of the SOA MINIMUM value or the SOA TTL. + [GL #2347] + +5618. [bug] Change 5149 introduced some inconsistencies in the way + record TTLs were presented in cache dumps. These + inconsistencies have been eliminated. [GL #389] + [GL #2289] + --- 9.17.12 released --- 5617. [placeholder] @@ -1083,7 +3645,7 @@ 5349. [bug] Fix a race in task_pause/unpause. [GL #1571] 5348. [bug] dnssec-settime -Psync was not being honoured. - [GL !2893] + Thanks to Tony Finch. [GL !2893] --- 9.15.8 released --- diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 67b4c15ac9..153305e433 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,3 +1,16 @@ + + # BIND 9 Code of Conduct Like the technical community as a whole, the BIND 9 team and community is made diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 991745f90e..c108dbeec6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,12 +1,14 @@ ## BIND 9 Source Access and Contributor Guidelines *May 28, 2020* 
@@ -69,14 +71,14 @@ To clone the repository, use: > $ git clone https://gitlab.isc.org/isc-projects/bind9.git -Release branch names are of the form `v9_X`, where X represents the second -number in the BIND 9 version number. So, to check out the BIND 9.12 +Release branch names are of the form `bind-9.X`, where X represents the second +number in the BIND 9 version number. So, to check out the BIND 9.18 branch, use: -> $ git checkout v9_12 +> $ git checkout bind-9.18 Whenever a branch is ready for publication, a tag is placed of the -form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`. +form `v9.X.Y`. The 9.18.0 release, for instance, is tagged as `v9.18.0`. The branch in which the next major release is being developed is called `main`. @@ -100,22 +102,7 @@ Twitter, or Facebook. ### Reporting possible security issues -If you think you may be seeing a potential security vulnerability in BIND -(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please -report it immediately by emailing to security-officer@isc.org. Plain-text -e-mail is not a secure choice for communications concerning undisclosed -security issues so please encrypt your communications to us if possible, -using the [ISC Security Officer public key](https://www.isc.org/pgpkey/). - -Do not discuss undisclosed security vulnerabilities on any public mailing list. -ISC has a long history of handling reported vulnerabilities promptly and -effectively and we respect and acknowledge responsible reporters. - -ISC's Security Vulnerability Disclosure Policy is documented at -[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861). - -If you have a crash, you may want to consult -["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340) +See `SECURITY.md`. ### Contributing code diff --git a/COPYRIGHT b/COPYRIGHT index ecb9bc38ea..12f791767c 100644 --- a/COPYRIGHT +++ b/COPYRIGHT 
@@ -1,4 +1,4 @@ -Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2023 Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this @@ -133,7 +133,7 @@ modification, are permitted provided that the following conditions are met: 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. - + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -149,35 +149,35 @@ POSSIBILITY OF SUCH DAMAGE. ----------------------------------------------------------------------------- Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan -(Royal Institute of Technology, Stockholm, Sweden). -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. Neither the name of the Institute nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. 
Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. ----------------------------------------------------------------------------- diff --git a/HISTORY.md b/HISTORY.md deleted file mode 100644 index 50ad4c63ed..0000000000 --- a/HISTORY.md +++ /dev/null 
@@ -1,632 +0,0 @@ - -### Functional enhancements from prior major releases of BIND 9 - -#### BIND 9.16 - -BIND 9.16 (a stable branch based on the 9.15 development branch) -includes a number of changes from BIND 9.14 and earlier releases. -New features include: - -* New `dnssec-policy` statement to configure a key and signing policy - for zones, enabling automatic key regeneration and rollover. -* New network manager based on `libuv`. -* Added support for the new GeoIP2 geolocation API, `libmaxminddb`. -* Improved DNSSEC trust anchor configuration using the `trust-anchors` - statement, permitting configuration of trust anchors in DS as well as - DNSKEY format. -* YAML output for `dig`, `mdig`, and `delv`. - -#### BIND 9.14 - -BIND 9.14 (a stable branch based on the 9.13 development branch) -includes a number of changes from BIND 9.12 and earlier releases. -New features include: - -* A new "plugin" mechanism has been added to allow query functionality - to be extended using dynamically loadable libraries. The "filter-aaaa" - feature has been removed from named and is now implemented as a plugin. -* Socket and task code has been refactored to improve performance. -* QNAME minimization, as described in RFC 7816, is now supported. -* "Root key sentinel" support, enabling validating resolvers to indicate - via a special query which trust anchors are configured for the root zone. -* Secondary zones can now be configured as "mirror" zones; their contents - are transferred in as with traditional slave zones, but are subject to - DNSSEC validation and are not treated as authoritative data when - answering. This makes it easier to configure a local copy of the root - zone as described in RFC 7706. -* The "validate-except" option allows configuration of domains below which - DNSSEC validation should not be performed. -* The default value of "dnssec-validation" is now "auto". -* IDNA2008 is now supported when linking with `libidn2`. 
-* "named -V" now outputs the default paths for files used by named - and other tools. - -In addition, workarounds that were formerly in place to enable resolution -of domains whose authoritative servers did not respond to EDNS queries -have been removed. See [https://dnsflagday.net](https://dnsflagday.net) -for more details. - -Cryptographic support has been modernized. BIND now uses the -best available pseudo-random number generator for the platform on which -it's built. Very old versions of OpenSSL are no longer supported. -Cryptography is now mandatory: building BIND without DNSSEC is no -longer supported. - -Special code to support certain legacy operating systems has also -been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details -of supported platforms. In addition to OpenSSL, BIND now requires -support for IPv6, threads, and standard atomic operations provided -by the C compiler. - -#### BIND 9.12 - -BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases. -New features include: - -* `named` and related libraries have been substantially refactored for - improved query performance -- particularly on delegation heavy zones -- - and for improved readability, maintainability, and testability. -* Code implementing the name server query processing logic has been moved - into a new `libns` library, for easier testing and use in tools other - than `named`. -* Cached, validated NSEC and other records can now be used to synthesize - NXDOMAIN responses. -* The DNS Response Policy Service API (DNSRPS) is now supported. -* Setting `'max-journal-size default'` now limits the size of journal files - to twice the size of the zone. -* `dnstap-read -x` prints a hex dump of the wire format of each logged - DNS message. -* `dnstap` output files can now be configured to roll automatically when - reaching a given size. -* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO - 8601 (UTC) formats. 
-* Logging channels and `dnstap` output files can now be configured to use a - timestamp as the suffix when rolling to a new file. -* `'named-checkconf -l'` lists zones found in `named.conf`. -* Added support for the EDNS Padding and Keepalive options. -* 'new-zones-directory' option sets the location where the configuration - data for zones added by rndc addzone is stored. -* The default key algorithm in `rndc-confgen` is now hmac-sha256. -* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available - by default without a configure option. -* The obsolete `isc-hmac-fixup` command has been removed. - -#### BIND 9.11 - -BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier -releases. New features include: - -- Added support for Catalog Zones, a new method for provisioning servers: a - list of zones to be served is stored in a DNS zone, along with their - configuration parameters. Changes to the catalog zone are propagated to - slaves via normal AXFR/IXFR, whereupon the zones that are listed in it - are automatically added, deleted or reconfigured. -- Added support for "dnstap", a fast and flexible method of capturing and - logging DNS traffic. -- Added support for "dyndb", a new API for loading zone data from an - external database, developed by Red Hat for the FreeIPA project. -- "fetchlimit" quotas are now compiled in by default. These are for the - use of recursive resolvers that are are under high query load for domains - whose authoritative servers are nonresponsive or are experiencing a - denial of service attack: - - "fetches-per-server" limits the number of simultaneous queries that - can be sent to any single authoritative server. The configured value - is a starting point; it is automatically adjusted downward if the - server is partially or completely non-responsive. The algorithm used - to adjust the quota can be configured via the "fetch-quota-params" - option. 
- - "fetches-per-zone" limits the number of simultaneous queries that can - be sent for names within a single domain. (Note: Unlike - "fetches-per-server", this value is not self-tuning.) - - New stats counters have been added to count queries spilled due to - these quotas. -- Added a new "dnssec-keymgr" key mainenance utility, which can generate or - update keys as needed to ensure that a zone's keys match a defined DNSSEC - policy. -- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and - is no longer optional. EDNS COOKIE is a mechanism enabling clients to - detect off-path spoofed responses, and servers to detect spoofed-source - queries. Clients that identify themselves using COOKIE options are not - subject to response rate limiting (RRL) and can receive larger UDP - responses. -- SERVFAIL responses can now be cached for a limited time (defaulting to 1 - second, with an upper limit of 30). This can reduce the frequency of - retries when a query is persistently failing. -- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be - skipped if a name server IP address isn't in the cache yet; the address - will be looked up and the rule will be applied on future queries. -- Added a Python RNDC module. This allows multiple commands to sent over a - persistent RNDC channel, which saves time. -- The "controls" block in named.conf can now grant read-only "rndc" access - to specified clients or keys. Read-only clients could, for example, check - "rndc status" but could not reconfigure or shut down the server. -- "rndc" commands can now return arbitrarily large amounts of text to the - caller. -- The zone serial number of a dynamically updatable zone can now be set via - "rndc signing -serial ". This allows inline-signing - zones to be set to a specific serial number. 
-- The new "rndc nta" command can be used to set a Negative Trust Anchor - (NTA), disabling DNSSEC validation for a specific domain; this can be - used when responses from a domain are known to be failing validation due - to administrative error rather than because of a spoofing attack. - Negative trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. -- "rndc delzone" can now be used on zones that were not originally created - by "rndc addzone". -- "rndc modzone" reconfigures a single zone, without requiring the entire - server to be reconfigured. -- "rndc showzone" displays the current configuration of a zone. -- "rndc managed-keys" can be used to check the status of RFC 5011 managed - trust anchors, or to force trust anchors to be refreshed. -- "max-cache-size" can now be set to a percentage of available memory. The - default is 90%. -- Update forwarding performance has been improved by allowing a single TCP - connection to be shared by multiple updates. -- The EDNS Client Subnet (ECS) option is now supported for authoritative - servers; if a query contains an ECS option then ACLs containing "geoip" - or "ecs" elements can match against the the address encoded in the - option. This can be used to select a view for a query, so that different - answers can be provided depending on the client network. -- The EDNS EXPIRE option has been implemented on the client side, allowing - a slave server to set the expiration timer correctly when transferring - zone data from another slave server. -- The key generation and manipulation tools (dnssec-keygen, dnssec-settime, - dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync" - options to set the publication and deletion times of CDS and CDNSKEY - parent-synchronization records. Both named and dnssec-signzone can now - publish and remove these records at the scheduled times. 
-- A new "minimal-any" option reduces the size of UDP responses for query - type ANY by returning a single arbitrarily selected RRset instead of all - RRsets. -- A new "masterfile-style" zone option controls the formatting of text zone - files: When set to "full", a zone file is dumped in - single-line-per-record format. -- "serial-update-method" can now be set to "date". On update, the serial - number will be set to the current date in YYYYMMDDNN format. -- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. -- "named -L " causes named to send log messages to the specified - file by default instead of to the system log. -- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s - for weeks, days, hours, minutes, and seconds. -- "dig +unknownformat" prints dig output in RFC 3597 "unknown record" - presentation format. -- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. -- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on - requests. -- "mdig" is an alternate version of dig which sends multiple pipelined TCP - queries to a server. Instead of waiting for a response after sending a - query, it sends all queries immediately and displays responses in the - order received. -- "serial-query-rate" no longer controls NOTIFY messages. These are - separately controlled by "notify-rate" and "startup-notify-rate". -- "nsupdate" now performs "check-names" processing by default on records to - be added. This can be disabled with "check-names no". -- The statistics channel now supports DEFLATE compression, reducing the - size of the data sent over the network when querying statistics. -- New counters have been added to the statistics channel to track the sizes - of incoming queries and outgoing responses in histogram buckets, as - specified in RSSAC002. 
-- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been - added, allowing redirection to a specified DNS namespace instead of a - single redirect zone. -- When starting up, named now ensures that no other named process is - already running. -- Files created by named to store information, including "mkeys" and "nzf" - files, are now named after their corresponding views unless the view name - contains characters incompatible with use as a filename. Old style - filenames (based on the hash of the view name) will still work. - -#### BIND 9.10.0 - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. New features include: - - - DNS Response-rate limiting (DNS RRL), which blunts the - impact of reflection and amplification attacks, is always - compiled in and no longer requires a compile-time option - to enable it. - - An experimental "Source Identity Token" (SIT) EDNS option - is now available. Similar to DNS Cookies as invented by - Donald Eastlake 3rd, these are designed to enable clients - to detect off-path spoofed responses, and to enable servers - to detect spoofed-source queries. Servers can be configured - to send smaller responses to clients that have not identified - themselves using a SIT option, reducing the effectiveness of - amplification attacks. RRL processing has also been updated; - clients proven to be legitimate via SIT are not subject to - rate limiting. Use "configure --enable-sit" to enable this - feature in BIND. - - A new zone file format, "map", stores zone data in a - format that can be mapped directly into memory, allowing - significantly faster zone loading. - - "delv" (domain entity lookup and validation) is a new tool - with dig-like semantics for looking up DNS data and performing - internal DNSSEC validation. This allows easy validation in - environments where the resolver may not be trustworthy, and - assists with troubleshooting of DNSSEC problems. 
(NOTE: - In previous development releases of BIND 9.10, this utility - was called "delve". The spelling has been changed to avoid - confusion with the "delve" utility included with the Xapian - search engine.) - - Improved EDNS(0) processing for better resolver performance - and reliability over slow or lossy connections. - - A new "configure --with-tuning=large" option tunes certain - compiled-in constants and default settings to values better - suited to large servers with abundant memory. This can - improve performance on such servers, but will consume more - memory and may degrade performance on smaller systems. - - Substantial improvement in response-policy zone (RPZ) - performance. Up to 32 response-policy zones can be - configured with minimal performance loss. - - To improve recursive resolver performance, cache records - which are still being requested by clients can now be - automatically refreshed from the authoritative server - before they expire, reducing or eliminating the time - window in which no answer is available in the cache. - - New "rpz-client-ip" triggers and drop policies allowing - response policies based on the IP address of the client. - - ACLs can now be specified based on geographic location - using the MaxMind GeoIP databases. Use "configure - --with-geoip" to enable. - - Zone data can now be shared between views, allowing - multiple views to serve the same zones authoritatively - without storing multiple copies in memory. - - New XML schema (version 3) for the statistics channel - includes many new statistics and uses a flattened XML tree - for faster parsing. The older schema is now deprecated. - - A new stylesheet, based on the Google Charts API, displays - XML statistics in charts and graphs on javascript-enabled - browsers. - - The statistics channel can now provide data in JSON - format as well as XML. - - New stats counters track TCP and UDP queries received - per zone, and EDNS options received in total. 
- - The internal and export versions of the BIND libraries - (libisc, libdns, etc) have been unified so that external - library clients can use the same libraries as BIND itself. - - A new compile-time option, "configure --enable-native-pkcs11", - allows BIND 9 cryptography functions to use the PKCS#11 API - natively, so that BIND can drive a cryptographic hardware - service module (HSM) directly instead of using a modified - OpenSSL as an intermediary. (Note: This feature requires an - HSM to have a full implementation of the PKCS#11 API; many - current HSMs only have partial implementations. The new - "pkcs11-tokens" command can be used to check API completeness. - Native PKCS#11 is known to work with the Thales nShield HSM - and with SoftHSM version 2 from the Open DNSSEC project.) - - The new "max-zone-ttl" option enforces maximum TTLs for - zones. This can simplify the process of rolling DNSSEC keys - by guaranteeing that cached signatures will have expired - within the specified amount of time. - - "dig +subnet" sends an EDNS CLIENT-SUBNET option when - querying. - - "dig +expire" sends an EDNS EXPIRE option when querying. - When this option is sent with an SOA query to a server - that supports it, it will report the expiry time of - a slave zone. - - New "dnssec-coverage" tool to check DNSSEC key coverage - for a zone and report if a lapse in signing coverage has - been inadvertently scheduled. - - Signing algorithm flexibility and other improvements - for the "rndc" control channel. - - "named-checkzone" and "named-compilezone" can now read - journal files, allowing them to process dynamic zones. - - Multiple DLZ databases can now be configured. Individual - zones can be configured to be served from a specific DLZ - database. DLZ databases now serve zones of type "master" - and "redirect". - - "rndc zonestatus" reports information about a specified zone. - - "named" now listens on IPv6 as well as IPv4 interfaces - by default. 
- - "named" now preserves the capitalization of names - when responding to queries: for instance, a query for - "example.com" may be answered with "example.COM" if the - name was configured that way in the zone file. Some - clients have a bug causing them to depend on the older - behavior, in which the case of the answer always matched - the case of the query, rather than the case of the name - configured in the DNS. Such clients can now be specified - in the new "no-case-compress" ACL; this will restore the - older behavior of "named" for those clients only. - - new "dnssec-importkey" command allows the use of offline - DNSSEC keys with automatic DNSKEY management. - - New "named-rrchecker" tool to verify the syntactic - correctness of individual resource records. - - When re-signing a zone, the new "dnssec-signzone -Q" option - drops signatures from keys that are still published but are - no longer active. - - "named-checkconf -px" will print the contents of configuration - files with the shared secrets obscured, making it easier to - share configuration (e.g. when submitting a bug report) - without revealing private information. - - "rndc scan" causes named to re-scan network interfaces for - changes in local addresses. - - On operating systems with support for routing sockets, - network interfaces are re-scanned automatically whenever - they change. - - "tsig-keygen" is now available as an alternate command - name to use for "ddns-confgen". - -#### BIND 9.9.0 - -BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier -releases. New features include: - -- Inline signing, allowing automatic DNSSEC signing of - master zones without modification of the zonefile, or - "bump in the wire" signing in slaves. -- NXDOMAIN redirection. -- New 'rndc flushtree' command clears all data under a given - name from the DNS cache. -- New 'rndc sync' command dumps pending changes in a dynamic - zone to disk without a freeze/thaw cycle. 
-- New 'rndc signing' command displays or clears signing status - records in 'auto-dnssec' zones. -- NSEC3 parameters for 'auto-dnssec' zones can now be set prior - to signing, eliminating the need to initially sign with NSEC. -- Startup time improvements on large authoritative servers. -- Slave zones are now saved in raw format by default. -- Several improvements to response policy zones (RPZ). -- Improved hardware scalability by using multiple threads - to listen for queries and using finer-grained client locking -- The 'also-notify' option now takes the same syntax as - 'masters', so it can used named masterlists and TSIG keys. -- 'dnssec-signzone -D' writes an output file containing only DNSSEC - data, which can be included by the primary zone file. -- 'dnssec-signzone -R' forces removal of signatures that are - not expired but were created by a key which no longer exists. -- 'dnssec-signzone -X' allows a separate expiration date to - be specified for DNSKEY signatures from other signatures. -- New '-L' option to dnssec-keygen, dnssec-settime, and - dnssec-keyfromlabel sets the default TTL for the key. -- dnssec-dsfromkey now supports reading from standard input, - to make it easier to convert DNSKEY to DS. -- RFC 1918 reverse zones have been added to the empty-zones - table per RFC 6303. -- Dynamic updates can now optionally set the zone's SOA serial - number to the current UNIX time. -- DLZ modules can now retrieve the source IP address of - the querying client. -- 'request-ixfr' option can now be set at the per-zone level. -- 'dig +rrcomments' turns on comments about DNSKEY records, - indicating their key ID, algorithm and function -- Simplified nsupdate syntax and added readline support - -#### BIND 9.8.0 - -BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier -releases. New features include: - -- Built-in trust anchor for the root zone, which can be - switched on via "dnssec-validation auto;" -- Support for DNS64. 
-- Support for response policy zones (RPZ). -- Support for writable DLZ zones. -- Improved ease of configuration of GSS/TSIG for - interoperability with Active Directory -- Support for GOST signing algorithm for DNSSEC. -- Removed RTT Banding from server selection algorithm. -- New "static-stub" zone type. -- Allow configuration of resolver timeouts via - "resolver-query-timeout" option. -- The DLZ "dlopen" driver is now built by default. -- Added a new include file with function typedefs - for the DLZ "dlopen" driver. -- Made "--with-gssapi" default. -- More verbose error reporting from DLZ LDAP. - -#### BIND 9.7.0 - -BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier -releases. Most are intended to simplify DNSSEC configuration. -New features include: - -- Fully automatic signing of zones by "named". -- Simplified configuration of DNSSEC Lookaside Validation (DLV). -- Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) -- New named option "attach-cache" that allows multiple views to - share a single cache. -- DNS rebinding attack prevention. -- New default values for dnssec-keygen parameters. -- Support for RFC 5011 automated trust anchor maintenance -- Smart signing: simplified tools for zone signing and key - maintenance. -- The "statistics-channels" option is now available on Windows. -- A new DNSSEC-aware libdns API for use by non-BIND9 applications -- On some platforms, named and other binaries can now print out - a stack backtrace on assertion failure, to aid in debugging. -- A "tools only" installation mode on Windows, which only installs - dig, host, nslookup and nsupdate. -- Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. 
- -#### BIND 9.6.0 - -- Full NSEC3 support -- Automatic zone re-signing -- New update-policy methods tcp-self and 6to4-self -- The BIND 8 resolver library, libbind, has been removed from the BIND 9 - distribution and is now available as a separate download. -- Change the default pid file location from /var/run to - /var/run/{named,lwresd} for improved chroot/setuid support. - -#### BIND 9.5.0 - -- GSS-TSIG support (RFC 3645). -- DHCID support. -- Experimental http server and statistics support for named via xml. -- More detailed statistics counters including those supported in BIND 8. -- Faster ACL processing. -- Use Doxygen to generate internal documentation. -- Efficient LRU cache-cleaning mechanism. -- NSID support. - -BIND 9.4.0 - -- Implemented "additional section caching (or acache)", an internal cache - framework for additional section content to improve response performance. - Several configuration options were provided to control the behavior. -- New notify type 'master-only'. Enable notify for master zones only. -- Accept 'notify-source' style syntax for query-source. -- rndc now allows addresses to be set in the server clauses. -- New option "allow-query-cache". This lets "allow-query" be used to - specify the default zone access level rather than having to have every - zone override the global value. "allow-query-cache" can be set at both - the options and view levels. If "allow-query-cache" is not set then - "allow-recursion" is used if set, otherwise "allow-query" is used if set - unless "recursion no;" is set in which case "none;" is used, otherwise - the default (localhost; localnets;) is used. -- rndc: the source address can now be specified. -- ixfr-from-differences now takes master and slave in addition to yes and - no at the options and view levels. -- Allow the journal's name to be changed via named.conf. -- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the - specified zone. 
-- 'dig +trace' now randomly selects the next servers to try. Report if - there is a bad delegation. -- Improve check-names error messages. -- Make public the function to read a key file, dst_key_read_public(). -- dig now returns the byte count for axfr/ixfr. -- allow-update is now settable at the options / view level. -- named-checkconf now checks the logging configuration. -- host now can turn on memory debugging flags with '-m'. -- Don't send notify messages to self. -- Perform sanity checks on NS records which refer to 'in zone' names. -- New zone option "notify-delay". Specify a minimum delay between sets of - NOTIFY messages. -- Extend adjusting TTL warning messages. -- Named and named-checkzone can now both check for non-terminal wildcard - records. -- "rndc freeze/thaw" now freezes/thaws all zones. -- named-checkconf now check acls to verify that they only refer to existing - acls. -- The server syntax has been extended to support a range of servers. -- Report differences between hints and real NS rrset and associated address - records. -- Preserve the case of domain names in rdata during zone transfers. -- Restructured the data locking framework using architecture dependent - atomic operations (when available), improving response performance on - multi-processor machines significantly. x86, x86_64, alpha, powerpc, and - mips are currently supported. -- UNIX domain controls are now supported. -- Add support for additional zone file formats for improving loading - performance. The masterfile-format option in named.conf can be used to - specify a non-default format. A separate command named-compilezone was - provided to generate zone files in the new format. Additionally, the -I - and -O options for dnssec-signzone specify the input and output formats. -- dnssec-signzone can now randomize signature end times (dnssec-signzone -j - jitter). -- Add support for CH A record. -- Add additional zone data constancy checks. 
named-checkzone has extended - checking of NS, MX and SRV record and the hosts they reference. named - has extended post zone load checks. New zone options: check-mx and - integrity-check. -- edns-udp-size can now be overridden on a per server basis. -- dig can now specify the EDNS version when making a query. -- Added framework for handling multiple EDNS versions. -- Additional memory debugging support to track size and mctx arguments. -- Detect duplicates of UDP queries we are recursing on and drop them. New - stats category "duplicates". -- "USE INTERNAL MALLOC" is now runtime selectable. -- The lame cache is now done on a basis as some - servers only appear to be lame for certain query types. -- Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query - and max-clients-per-query. -- dig: report the number of extra bytes still left in the packet after - processing all the records. -- Support for IPSECKEY rdata type. -- Raise the UDP receive buffer size to 32k if it is less than 32k. -- x86 and x86_64 now have separate atomic locking implementations. -- named-checkconf now validates update-policy entries. -- Attempt to make the amount of work performed in a iteration self tuning. - The covers nodes clean from the cache per iteration, nodes written to - disk when rewriting a master file and nodes destroyed per iteration when - destroying a zone or a cache. -- ISC string copy API. -- Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC - 1918 zones are not yet covered by this but are likely to be in a future - release. -- New options: empty-server, empty-contact, empty-zones-enable and - disable-empty-zone. -- dig now has a '-q queryname' and '+showsearch' options. -- host/nslookup now continue (default)/fail on SERVFAIL. -- dig now warns if 'RA' is not set in the answer when 'RD' was set in the - query. 
host/nslookup skip servers that fail to set 'RA' when 'RD' is set - unless a server is explicitly set. -- Integrate contributed DLZ code into named. -- Integrate contributed IDN code from JPNIC. -- libbind: corresponds to that from BIND 8.4.7. - -#### BIND 9.3.0 - -- DNSSEC is now DS based (RFC 3658). -- DNSSEC lookaside validation. -- check-names is now implemented. -- rrset-order is more complete. -- IPv4/IPv6 transition support, dual-stack-servers. -- IXFR deltas can now be generated when loading master files, - ixfr-from-differences. -- It is now possible to specify the size of a journal, max-journal-size. -- It is now possible to define a named set of master servers to be used in - masters clause, masters. -- The advertised EDNS UDP size can now be set, edns-udp-size. -- allow-v6-synthesis has been obsoleted. -- Zones containing MD and MF will now be rejected. -- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than - NOTIMPL. This will have impact on scripts that are looking for NOTIMPL. -- libbind: corresponds to that from BIND 8.4.5. - -#### BIND 9.2.0 - -- The size of the cache can now be limited using the "max-cache-size" - option. -- The server can now automatically convert RFC1886-style recursive lookup - requests into RFC2874-style lookups, when enabled using the new option - "allow-v6-synthesis". This allows stub resolvers that support AAAA - records but not A6 record chains or binary labels to perform lookups in - domains that make use of these IPv6 DNS features. -- Performance has been improved. -- The man pages now use the more portable "man" macros rather than the - "mandoc" macros, and are installed by "make install". -- The named.conf parser has been completely rewritten. It now supports - "include" directives in more places such as inside "view" statements, and - it no longer has any reserved words. -- The "rndc status" command is now implemented. -- rndc can now be configured automatically. 
-- A BIND 8 compatible stub resolver library is now included in lib/bind. -- OpenSSL has been removed from the distribution. This means that to use - DNSSEC, OpenSSL must be installed and the --with-openssl option must be - supplied to configure. This does not apply to the use of TSIG, which - does not require OpenSSL. -- The source distribution now builds on Windows. See - win32utils/readme1.txt and win32utils/win32-build.txt for details. -- This distribution also includes a new lightweight stub resolver library - and associated resolver daemon that fully support forward and reverse - lookups of both IPv4 and IPv6 addresses. This library is considered - experimental and is not a complete replacement for the BIND 8 resolver - library. Applications that use the BIND 8 `res_*` functions to perform - DNS lookups or dynamic updates still need to be linked against the BIND 8 - libraries. For DNS lookups, they can also use the new "getrrsetbyname()" - API. -- BIND 9.2 is capable of acting as an authoritative server for DNSSEC - secured zones. This functionality is believed to be stable and complete - except for lacking support for verifications involving wildcard records - in secure zones. -- When acting as a caching server, BIND 9.2 can be configured to perform - DNSSEC secure resolution on behalf of its clients. This part of the - DNSSEC implementation is still considered experimental. For detailed - information about the state of the DNSSEC implementation, see the file - doc/misc/dnssec. diff --git a/LICENSE b/LICENSE index be2cc4dfb6..7bad356140 100644 --- a/LICENSE +++ b/LICENSE @@ -346,7 +346,7 @@ Exhibit A - Source Code Form License Notice 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at - http://mozilla.org/MPL/2.0/. + https://mozilla.org/MPL/2.0/. If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a 
diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt
new file mode 100644
index 0000000000..137069b823
--- /dev/null
+++ b/LICENSES/Apache-2.0.txt
@@ -0,0 +1,73 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
+
+ (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/LICENSES/Autoconf-exception-3.0.txt b/LICENSES/Autoconf-exception-3.0.txt
new file mode 100644
index 0000000000..f212f9c7bc
--- /dev/null
+++ b/LICENSES/Autoconf-exception-3.0.txt
@@ -0,0 +1,26 @@
+AUTOCONF CONFIGURE SCRIPT EXCEPTION
+
+Version 3.0, 18 August 2009
+Copyright Š 2009 Free Software Foundation, Inc.
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+This Exception is an additional permission under section 7 of the GNU General Public License, version 3 ("GPLv3"). It applies to a given file that bears a notice placed by the copyright holder of the file stating that the file is governed by GPLv3 along with this Exception.
+
+The purpose of this Exception is to allow distribution of Autoconf's typical output under terms of the recipient's choice (including proprietary).
+
+0. Definitions.
+
+"Covered Code" is the source or object code of a version of Autoconf that is a covered work under this License.
+
+"Normally Copied Code" for a version of Autoconf means all parts of its Covered Code which that version can copy from its code (i.e., not from its input file) into its minimally verbose, non-debugging and non-tracing output.
+
+"Ineligible Code" is Covered Code that is not Normally Copied Code.
+
+1. Grant of Additional Permission.
+
+You have permission to propagate output of Autoconf, even if such propagation would otherwise violate the terms of GPLv3. However, if by modifying Autoconf you cause any Ineligible Code of the version you received to become Normally Copied Code of your modified version, then you void this Exception for the resulting covered work. If you convey that resulting covered work, you must remove this Exception in accordance with the second paragraph of Section 7 of GPLv3.
+
+2. No Weakening of Autoconf Copyleft.
+
+The availability of this Exception does not imply any general presumption that third-party software is unaffected by the copyleft requirements of the license of Autoconf.
diff --git a/LICENSES/BSD-2-Clause.txt b/LICENSES/BSD-2-Clause.txt
new file mode 100644
index 0000000000..b0e20f5382
--- /dev/null
+++ b/LICENSES/BSD-2-Clause.txt
@@ -0,0 +1,9 @@
+Copyright (c) All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/BSD-3-Clause.txt b/LICENSES/BSD-3-Clause.txt
new file mode 100644
index 0000000000..6c9eef8d8c
--- /dev/null
+++ b/LICENSES/BSD-3-Clause.txt
@@ -0,0 +1,11 @@
+Copyright (c) . All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt
new file mode 100644
index 0000000000..0e259d42c9
--- /dev/null
+++ b/LICENSES/CC0-1.0.txt
@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+ PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+ THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+ HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+ i. the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+ likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+ subject to the limitations in paragraph 4(a), below;
+ v. rights protecting the extraction, dissemination, use and reuse of data
+ in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+ European Parliament and of the Council of 11 March 1996 on the legal
+ protection of databases, and under any national implementation
+ thereof, including any amended or successor version of such
+ directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+ world based on applicable law or treaty, and any national
+ implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+ surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties of
+ title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects, accuracy, or
+ the present or absence of errors, whether or not discoverable, all to
+ the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+ that may apply to the Work or any use thereof, including without
+ limitation any person's Copyright and Related Rights in the Work.
+ Further, Affirmer disclaims responsibility for obtaining any necessary
+ consents, permissions or other rights required for any use of the
+ Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+ party to this document and has no duty or obligation with respect to
+ this CC0 or use of the Work.
diff --git a/LICENSES/FSFAP.txt b/LICENSES/FSFAP.txt
new file mode 100644
index 0000000000..32bc8a8898
--- /dev/null
+++ b/LICENSES/FSFAP.txt
@@ -0,0 +1 @@
+Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.
diff --git a/LICENSES/GPL-2.0-or-later.txt b/LICENSES/GPL-2.0-or-later.txt
new file mode 100644
index 0000000000..17cb286430
--- /dev/null
+++ b/LICENSES/GPL-2.0-or-later.txt
@@ -0,0 +1,117 @@
+GNU GENERAL PUBLIC LICENSE
+Version 2, June 1991
+
+Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+Preamble
+
+The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
+
+To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
+
+For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
+
+We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
+
+Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
+
+Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
+
+The precise terms and conditions for copying, distribution and modification follow.
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
+
+1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
+
+2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
+
+3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
+
+If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
+
+4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
+
+5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
+
+6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
+
+7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
+
+This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
+
+8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
+
+9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
+
+10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
+
+NO WARRANTY
+
+11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
+
+ one line to give the program's name and an idea of what it does. Copyright (C) yyyy name of author
+
+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice
diff --git a/LICENSES/GPL-3.0-or-later.txt b/LICENSES/GPL-3.0-or-later.txt
new file mode 100644
index 0000000000..d41c0bd98f
--- /dev/null
+++ b/LICENSES/GPL-3.0-or-later.txt 
@@ -0,0 +1,232 @@ +GNU GENERAL PUBLIC LICENSE +Version 3, 29 June 2007 + +Copyright Š 2007 Free Software Foundation, Inc. + +Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. + +Preamble + +The GNU General Public License is a free, copyleft license for software and other kinds of works. + +The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. + +To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. + +For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
+ +Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. + +For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. + +Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. + +Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. + +The precise terms and conditions for copying, distribution and modification follow. + +TERMS AND CONDITIONS + +0. Definitions. + +“This License” refers to version 3 of the GNU General Public License. + +“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. + +“The Program” refers to any copyrightable work licensed under this License. 
Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations. + +To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work. + +A “covered work” means either the unmodified Program or a work based on the Program. + +To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. + +To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. + +An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. + +1. Source Code. +The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work. 
+ +A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. + +The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. + +The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. + +The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. + +The Corresponding Source for a work in source code form is that same work. + +2. Basic Permissions. 
+All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. + +You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. + +Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. + +3. Protecting Users' Legal Rights From Anti-Circumvention Law. +No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. 
+ +When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. + +4. Conveying Verbatim Copies. +You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. + +You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. + +5. Conveying Modified Source Versions. +You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”. + + c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. 
This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. + +A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. + +6. Conveying Non-Source Forms. +You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: + + a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. + + d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
+ +A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. + +A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. + +“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. + +If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). + +The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. + +Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. + +7. Additional Terms. +“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. + +When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
+ +Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or authors of the material; or + + e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. + +All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
+ +If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. + +Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. + +8. Termination. +You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). + +However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. + +Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. + +Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. + +9. Acceptance Not Required for Having Copies. +You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. + +10. Automatic Licensing of Downstream Recipients. +Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. + +An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. + +You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. + +11. Patents. +A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's “contributor version”. + +A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. + +Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. + +In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. + +If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
“Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. + +If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. + +A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. + +Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. + +12. No Surrender of Others' Freedom. 
+If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. + +13. Use with the GNU Affero General Public License. +Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. + +14. Revised Versions of this License. +The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
+ +If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. + +Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. + +15. Disclaimer of Warranty. +THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +16. Limitation of Liability. +IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +17. Interpretation of Sections 15 and 16. 
+If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. + +END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. + +To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + +If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 
+
+The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
+
+You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see .
+
+The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read .
diff --git a/LICENSES/ISC.txt b/LICENSES/ISC.txt
new file mode 100644
index 0000000000..b9c199c98f
--- /dev/null
+++ b/LICENSES/ISC.txt
@@ -0,0 +1,8 @@
+ISC License:
+
+Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
+Copyright (c) 1995-2003 by Internet Software Consortium
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/LICENSES/LLVM-exception.txt b/LICENSES/LLVM-exception.txt
new file mode 100644
index 0000000000..fa4b725a0e
--- /dev/null
+++ b/LICENSES/LLVM-exception.txt
@@ -0,0 +1,15 @@ +---- LLVM Exceptions to the Apache 2.0 License ---- + + As an exception, if, as a result of your compiling your source code, portions + of this Software are embedded into an Object form of such source code, you + may redistribute such embedded portions in such Object form without complying + with the conditions of Sections 4(a), 4(b) and 4(d) of the License. + + In addition, if you combine or link compiled forms of this Software with + software that is licensed under the GPLv2 ("Combined Software") and if a + court of competent jurisdiction determines that the patent provision (Section + 3), the indemnity provision (Section 9) or other Section of the License + conflicts with the conditions of the GPLv2, you may retroactively and + prospectively choose to deem waived or otherwise exclude such Section(s) of + the License, but only in their entirety and only with respect to the Combined + Software. diff --git a/LICENSES/LicenseRef-Automake-exception-2.0.txt b/LICENSES/LicenseRef-Automake-exception-2.0.txt new file mode 100644 index 0000000000..e9e1af5bb4 --- /dev/null +++ b/LICENSES/LicenseRef-Automake-exception-2.0.txt @@ -0,0 +1 @@ +As a special exception to the GNU General Public License, if you distribute this file as part of a program that contains a configuration script generated by Autoconf, you may include it under the same distribution terms that you use for the rest of that program. diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt new file mode 100644 index 0000000000..2071b23b0e --- /dev/null +++ b/LICENSES/MIT.txt 
@@ -0,0 +1,9 @@ +MIT License + +Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/LICENSES/MPL-2.0.txt b/LICENSES/MPL-2.0.txt new file mode 100644 index 0000000000..6c949eafd4 --- /dev/null +++ b/LICENSES/MPL-2.0.txt 
@@ -0,0 +1,144 @@ +Mozilla Public License Version 2.0 + +1. Definitions + + 1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. + + 1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution. + + 1.3. "Contribution" means Covered Software of a particular Contributor. + + 1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. + + 1.5. "Incompatible With Secondary Licenses" means + + (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. + + 1.6. "Executable Form" means any form of the work other than Source Code Form. + + 1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. + + 1.8. "License" means this document. + + 1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. + + 1.10. "Modifications" means any of the following: + + (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or + + (b) any new file in Source Code Form that contains any Covered Software. + + 1.11. 
"Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. + + 1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. + + 1.13. "Source Code Form" means the form of the work preferred for making modifications. + + 1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. + +2. License Grants and Conditions + + 2.1. Grants + Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license: + + (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and + + (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. + + 2.2. 
Effective Date + The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. + + 2.3. Limitations on Grant Scope + The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor: + + (a) for any code that a Contributor has removed from Covered Software; or + + (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or + + (c) under Patent Claims infringed by Covered Software in the absence of its Contributions. + + This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4). + + 2.4. Subsequent Licenses + No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). + + 2.5. Representation + Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. + + 2.6. Fair Use + This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. + + 2.7. Conditions + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. + +3. Responsibilities + + 3.1. 
Distribution of Source Form + All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. + + 3.2. Distribution of Executable Form + If You distribute Covered Software in Executable Form then: + + (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and + + (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. + + 3.3. Distribution of a Larger Work + You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). + + 3.4. 
Notices + You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. + + 3.5. Application of Additional Terms + You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. + +5. Termination + + 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. 
However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. + + 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. + + 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. + +6. Disclaimer of Warranty +Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. 
This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer. + +7. Limitation of Liability +Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation +Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. + +9. Miscellaneous +This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. + +10. Versions of the License + + 10.1. 
New Versions + Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. + + 10.2. Effect of New Versions + You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. + + 10.3. Modified Versions + If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). + + 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice + + This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0. diff --git a/Makefile.am b/Makefile.am index f2005cfab7..df91934e03 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,19 +1,25 @@ include $(top_srcdir)/Makefile.top -SUBDIRS = . lib doc bin fuzz +SUBDIRS = . lib doc -BUILT_SOURCES = bind.keys.h -CLEANFILES = bind.keys.h +# build libtest before fuzz/* and bin/tests +SUBDIRS += tests + +# run fuzz tests before system tests +SUBDIRS += fuzz bin + +BUILT_SOURCES += bind.keys.h +CLEANFILES += bind.keys.h bind.keys.h: bind.keys Makefile ${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@ -dist_sysconf_DATA = bind.keys - .PHONY: doc -EXTRA_DIST = \ +EXTRA_DIST = \ + bind.keys \ util/bindkeys.pl \ + util/dtrace.sh \ contrib \ CHANGES \ COPYRIGHT \ diff --git a/Makefile.docs b/Makefile.docs index 3b2700687b..674f51d2fc 100644 --- a/Makefile.docs +++ b/Makefile.docs @@ -2,6 +2,7 @@ SPHINX_V = $(SPHINX_V_@AM_V@) SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@) SPHINX_V_0 = -q SPHINX_V_1 = -n +SPHINX_W = -W AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@) AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@) 
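Review bot: Dropping `dist_sysconf_DATA = bind.keys` in the Makefile.am hunk silently stops installing bind.keys into `$(sysconfdir)`, and neither the hunk nor a comment says this is intended. Since the trust anchors are compiled into bind.keys.h by the `bindkeys.pl` rule, the file is presumably no longer needed at runtime, but packagers who ship the installed copy will notice the change without an explanation. A one-line comment next to the new `bind.keys \` entry in EXTRA_DIST would settle it: `# bind.keys is only distributed; its trust anchors are built into bind.keys.h and it is no longer installed`.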
@@ -9,26 +10,47 @@ AM_V_SPHINX_0 = @echo " SPHINX $@"; SPHINXBUILDDIR = $(builddir)/_build +LF = \n +RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf`` +RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key`` +NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf`` +NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid`` +SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key`` + +export RST_EPILOG = $(RNDC_CONF)$(LF)$(RNDC_KEY)$(LF)$(NAMED_CONF)$(LF)$(BIND_KEYS)$(LF)$(NAMED_PID)$(LF)$(SESSION_KEY) + common_SPHINXOPTS = \ - -W \ + $(SPHINX_W) \ -c $(srcdir) \ -a \ $(SPHINX_V) -ALLSPHINXOPTS = \ - $(common_SPHINXOPTS) \ - -D version="$(PACKAGE_VERSION)" \ - -D today="$(RELEASE_DATE)" \ - -D release="$(PACKAGE_VERSION)" \ - $(SPHINXOPTS) \ +# The "today" variable set below is not directly used in the ARM, but its value +# is implicitly inserted on the title page of the PDF file produced by Sphinx. +ALLSPHINXOPTS = \ + $(common_SPHINXOPTS) \ + -D today="$(RELEASE_DATE)" \ + -D rst_epilog="$$(printf "$${RST_EPILOG}")" \ + $(SPHINXOPTS) \ $(srcdir) -man_SPHINXOPTS = \ - $(common_SPHINXOPTS) \ - -D version="@""PACKAGE_VERSION@"\ - -D today="@""RELEASE_DATE@" \ - -D release="@""PACKAGE_VERSION@"\ - $(SPHINXOPTS) \ +_ = @ +man_RNDC_CONF = .. |rndc_conf| replace:: ``$(_)sysconfdir$(_)/rndc.conf`` +man_RNDC_KEY = .. |rndc_key| replace:: ``$(_)sysconfdir$(_)/rndc.key`` +man_NAMED_CONF = .. |named_conf| replace:: ``$(_)sysconfdir$(_)/named.conf`` +man_BIND_KEYS = .. |bind_keys| replace:: ``$(_)sysconfdir$(_)/bind.keys`` +man_NAMED_PID = .. |named_pid| replace:: ``$(_)runstatedir$(_)/named.pid`` +man_SESSION_KEY = .. 
|session_key| replace:: ``$(_)runstatedir$(_)/session.key`` + +export man_RST_EPILOG = $(man_RNDC_CONF)$(LF)$(man_RNDC_KEY)$(LF)$(man_NAMED_CONF)$(LF)$(man_BIND_KEYS)$(LF)$(man_NAMED_PID)$(LF)$(man_SESSION_KEY) + +man_SPHINXOPTS = \ + $(common_SPHINXOPTS) \ + -D version="@""PACKAGE_VERSION@" \ + -D today="@""RELEASE_DATE@" \ + -D release="@""PACKAGE_VERSION@" \ + -D rst_epilog="$$(printf "$${man_RST_EPILOG}")" \ + $(SPHINXOPTS) \ $(srcdir) AM_V_SED = $(AM_V_SED_@AM_V@) @@ -38,15 +60,3 @@ AM_V_SED_0 = @echo " SED $@"; AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@) AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@) AM_V_CFG_TEST_0 = @echo " CFG_GEN $@"; - -AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@) -AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@) -AM_V_RST_OPTIONS_0 = @echo " RST_OPTIONS $@"; - -AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@) -AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@) -AM_V_RST_ZONEOPT_0 = @echo " RST_ZONEOPT $@"; - -AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@) -AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@) -AM_V_RST_GRAMMARS_0 = @echo " RST_GRAMMARS $@"; diff --git a/Makefile.dtrace b/Makefile.dtrace new file mode 100644 index 0000000000..9cb6b002b9 --- /dev/null +++ b/Makefile.dtrace @@ -0,0 +1,20 @@ +# Hey Emacs, this is -*- makefile-automake -*- file! +# vim: filetype=automake + +AM_V_DTRACE = $(AM_V_DTRACE_@AM_V@) +AM_V_DTRACE_ = $(AM_V_DTRACE_@AM_DEFAULT_V@) +AM_V_DTRACE_0 = @echo " DTRACE $@"; + +BUILT_SOURCES += probes.h +CLEANFILES += probes.h probes.o + +probes.h: Makefile probes.d + $(AM_V_DTRACE)$(DTRACE) -s $(srcdir)/probes.d -h -o $@ +probes.lo: Makefile probes.d $(DTRACE_DEPS) + $(AM_V_DTRACE)$(LIBTOOL) --mode=compile --tag=CC $(DTRACE) -s $(srcdir)/probes.d -G -o $@ $(DTRACE_OBJS) + +if HAVE_DTRACE +if !HOST_MACOS +DTRACE_LIBADD = probes.lo +endif +endif diff --git a/Makefile.tests b/Makefile.tests index 3b5e07d90c..e1b7e0e046 100644 --- a/Makefile.tests +++ b/Makefile.tests 
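Review bot: `export RST_EPILOG` in the Makefile.docs hunk interpolates `$(BIND_KEYS)`, but only `man_BIND_KEYS` is defined; the ARM build therefore gets an empty line where the `|bind_keys|` substitution should be, and any `|bind_keys|` reference in the ARM will be unresolved. Add the missing definition alongside the others: `BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys```. Separately, `-D rst_epilog="$$(printf "$${RST_EPILOG}")"` (and the `man_RST_EPILOG` twin) passes the epilog as printf's format string, so a `%` in `$(sysconfdir)` or `$(runstatedir)` would be read as a directive; `printf '%b' "$${RST_EPILOG}"` still expands the `\n` from `LF` while treating the text as data.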
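Review bot: `CLEANFILES += probes.h probes.o` in the new Makefile.dtrace does not list `probes.lo`, which is the actual target of the second rule, so `make clean` will likely leave it behind unless libtool's clean hook removes it; `CLEANFILES += probes.h probes.o probes.lo` covers both. `BUILT_SOURCES += probes.h` is also unconditional while `DTRACE_LIBADD` is only set under `HAVE_DTRACE` and `!HOST_MACOS`; if this file is ever included from a Makefile.am on a host without dtrace, `$(DTRACE)` expands empty and the `probes.h` rule fails rather than being skipped. If inclusion is itself guarded elsewhere, a comment at the top stating that assumption would help the next reader.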
@@ -1,11 +1,23 @@ # Hey Emacs, this is -*- makefile-automake -*- file! # vim: filetype=automake +unit-local: check + +if HAVE_CMOCKA +TESTS = $(check_PROGRAMS) +endif HAVE_CMOCKA + +LOG_COMPILER = $(top_builddir)/tests/unit-test-driver.sh + +AM_CFLAGS += \ + -I$(top_srcdir)/tests/include \ + $(TEST_CFLAGS) + AM_CPPFLAGS += \ $(CMOCKA_CFLAGS) \ - -DNAMED_PLUGINDIR=\"$(libdir)/named\" \ - -DSKIPPED_TEST_EXIT_CODE=77 \ + -DNAMED_PLUGINDIR=\"$(pkglibdir)\" \ -DTESTS_DIR=\"$(abs_srcdir)\" -LDADD = \ +LDADD += \ + $(top_builddir)/tests/libtest/libtest.la \ $(CMOCKA_LIBS) diff --git a/Makefile.top b/Makefile.top index 5826876371..d01317dadb 100644 --- a/Makefile.top +++ b/Makefile.top @@ -11,7 +11,12 @@ AM_CPPFLAGS = \ -include $(top_builddir)/config.h \ -I$(srcdir)/include -AM_LDFLAGS = +AM_LDFLAGS = \ + $(STD_LDFLAGS) +LDADD = + +BUILT_SOURCES = +CLEANFILES = if HOST_MACOS AM_LDFLAGS += \ @@ -24,6 +29,9 @@ LIBISC_CFLAGS = \ -I$(top_builddir)/lib/isc/include LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la +if HAVE_DTRACE +LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo +endif LIBDNS_CFLAGS = \ -I$(top_srcdir)/lib/dns/include \ @@ -31,18 +39,18 @@ LIBDNS_CFLAGS = \ LIBDNS_LIBS = \ $(top_builddir)/lib/dns/libdns.la +if HAVE_DTRACE +LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo +endif LIBNS_CFLAGS = \ -I$(top_srcdir)/lib/ns/include LIBNS_LIBS = \ $(top_builddir)/lib/ns/libns.la - -LIBIRS_CFLAGS = \ - -I$(top_srcdir)/lib/irs/include - -LIBIRS_LIBS = \ - $(top_builddir)/lib/irs/libirs.la +if HAVE_DTRACE +LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo +endif LIBISCCFG_CFLAGS = \ -I$(top_srcdir)/lib/isccfg/include @@ -55,9 +63,3 @@ LIBISCCC_CFLAGS = \ LIBISCCC_LIBS = \ $(top_builddir)/lib/isccc/libisccc.la - -LIBBIND9_CFLAGS = \ - -I$(top_srcdir)/lib/bind9/include - -LIBBIND9_LIBS = \ - $(top_builddir)/lib/bind9/libbind9.la diff --git a/OPTIONS.md b/OPTIONS.md index 642d9549fc..acdcaf823e 100644 --- a/OPTIONS.md +++ b/OPTIONS.md 
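Review bot: `unit-local: check` in the Makefile.tests hunk introduces a target that is not declared phony, so a stray file named `unit-local` in a build directory would make the target appear up to date and skip the tests; add `.PHONY: unit-local` next to it. The hunk also drops `-DSKIPPED_TEST_EXIT_CODE=77` while adding `LOG_COMPILER = $(top_builddir)/tests/unit-test-driver.sh`; presumably the driver script now owns the skip convention, but a short comment on the `LOG_COMPILER` line saying so would stop someone from re-adding the define.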
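Review bot: `LIBISC_DTRACE`, `LIBDNS_DTRACE` and `LIBNS_DTRACE` in the Makefile.top hunks are set under `if HAVE_DTRACE` alone, whereas Makefile.dtrace in the same commit only sets `DTRACE_LIBADD = probes.lo` under `HAVE_DTRACE` and `!HOST_MACOS`. If the extra guard reflects that macOS dtrace produces no `-G` object, then on macOS these variables point at a `probes.lo` that will never be linked into the library and any consumer adding them to its LDADD will try to build it; the three blocks should carry the same `if !HOST_MACOS` condition, or a comment should state why the libraries differ from the build rule. The conditional blocks themselves are fine without `else`, since automake leaves the variable empty.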
@@ -1,12 +1,14 @@ Setting the `CPPFLAGS` environment variable before running `configure` can be used to enable certain compile-time options that are not @@ -24,3 +26,4 @@ Some of these settings are: | `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult | | `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` | | `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports | +| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support | diff --git a/PLATFORMS.md b/PLATFORMS.md deleted file mode 100644 index 37bcd1dac1..0000000000 --- a/PLATFORMS.md +++ /dev/null 
@@ -1,102 +0,0 @@ - -## Supported platforms - -In general, this version of BIND will build and run on any POSIX-compliant -system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant -IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library, -the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library. - -The following C11 features are used in BIND 9: - -* Atomic operations support from the compiler is needed, either in the form of - builtin operations. - -* Thread Local Storage support from the compiler is needed, either in the form - of C11 `_Thread_local`/`thread_local`, or the `__thread` GCC extension. - -The C11 variants are preferred. - -BIND 9.17 requires a fairly recent version of `libuv` (at least 1.x). For -some of the older systems listed below, you will have to install an updated -`libuv` package from sources such as EPEL, PPA, or other native sources for -updated packages. The other option is to build and install `libuv` from -source. - -Certain optional BIND features have additional library dependencies. -These include `libxml2` and `libjson-c` for statistics, `libmaxminddb` for -geolocation, `libfstrm` and `libprotobuf-c` for DNSTAP, and `libidn2` for -internationalized domain name conversion. - -ISC regularly tests BIND on many operating systems and architectures, but -lacks the resources to test all of them. Consequently, ISC is only able to -offer support on a "best effort" basis for some. - -### Regularly tested platforms - -As of Nov 2020, BIND 9.17 is fully supported and regularly tested on the -following systems: - -* Debian 9, 10 -* Ubuntu LTS 18.04, 20.04 -* Fedora 34 -* Red Hat Enterprise Linux / CentOS 7, 8 -* FreeBSD 11.4, 12.2, 13.0 -* OpenBSD 6.9 -* Alpine Linux 3.13 - -The amd64, i386, armhf and arm64 CPU architectures are all fully supported. - -### Best effort - -The following are platforms on which BIND is known to build and run. 
-ISC makes every effort to fix bugs on these platforms, but may be unable -to do so quickly due to lack of hardware, less familiarity on the part -of engineering staff, and other constraints. None of these are tested -regularly by ISC. - -* macOS 10.12+ -* Solaris 11 -* NetBSD -* Other Linux distributions still supported by their vendors, such as: - * Ubuntu 20.10+ - * Gentoo - * Arch Linux -* OpenWRT/LEDE 17.01+ -* Other CPU architectures (mips, mipsel, sparc, ...) - -### Community maintained - -These systems may not all have the required dependencies for building BIND -easily available, although it will be possible in many cases to compile -those directly from source. The community and interested parties may wish -to help with maintenance, and we welcome patch contributions, although we -cannot guarantee that we will accept them. All contributions will be -assessed against the risk of adverse effect on officially supported -platforms. - -* Platforms past or close to their respective EOL dates, such as: - * Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported) - * CentOS 6 - * Debian Jessie - * FreeBSD 10.x - -## Unsupported platforms - -These are platforms on which BIND 9.17 is known *not* to build or run: - -* Platforms without at least OpenSSL 1.0.2 -* Windows -* Solaris 10 and older -* Platforms that don't support IPv6 Advanced Socket API (RFC 3542) -* Platforms that don't support atomic operations (via compiler or library) -* Linux without NPTL (Native POSIX Thread Library) -* Platforms on which `libuv` cannot be compiled diff --git a/README.md b/README.md index c6172f5e0f..6e39de51e7 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,14 @@ # BIND 9 @@ -16,9 +18,6 @@ 1. [Reporting bugs and getting help](#help) 1. [Contributing to BIND](#contrib) 1. [Building BIND](#build) -1. [macOS](#macos) -1. [Dependencies](#dependencies) -1. [Compile-time options](#opts) 1. [Automated testing](#testing) 1. [Documentation](#doc) 1. [Change log](#changes) 
@@ -49,9 +48,6 @@ Internet infrastructure, developed BIND 9 and is responsible for its ongoing maintenance and improvement. BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0. -For a summary of features introduced in past major releases of BIND, -see the file [HISTORY](HISTORY.md). - For a detailed list of changes made throughout the history of BIND 9, see the file [CHANGES](CHANGES). See [below](#changes) for details on the CHANGES file format. @@ -59,7 +55,9 @@ CHANGES file format. For up-to-date versions and release notes, see [https://www.isc.org/download/](https://www.isc.org/download/). -For information about supported platforms, see [PLATFORMS](PLATFORMS.md). +For information about supported platforms, see the +["Supported Platforms"](doc/arm/platforms.rst) section in the BIND 9 +Administrator Reference Manual. ### Reporting bugs and getting help 
@@ -76,17 +74,9 @@ contents of your configuration file in a non-confidential issue, it is advisable to obscure key secrets; this can be done automatically by using `named-checkconf -px`. -If you are reporting a bug that is a potential security issue, such as an -assertion failure or other crash in `named`, please do *NOT* use GitLab to -report it. Instead, send mail to -[security-officer@isc.org](mailto:security-officer@isc.org) using our -OpenPGP key to secure your message. (Information about OpenPGP and links -to our key can be found at -[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not -discuss the bug on any public mailing list. - -For a general overview of ISC security policies, read the Knowledgebase -article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861). +For information about ISC's Security Vulnerability Disclosure Policy and +information about reporting potential security issues, please see +`SECURITY.md`. Professional support and training for BIND are available from ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact) 
@@ -126,141 +116,9 @@ including your patch as an attachment, preferably generated by ### Building BIND 9 -At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler, -basic POSIX support, and a 64-bit integer type. BIND also requires the -`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a -cryptography provider library such as OpenSSL or a hardware service -module supporting PKCS#11. On Linux, BIND requires the `libcap` library -to set process privileges, though this requirement can be overridden by -disabling capability support at compile time. See [Compile-time -options](#opts) below for details on other libraries that may be -required to support optional features. - -Successful builds have been observed on many versions of Linux and -Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, -Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, -OpenIndiana, OmniOS CE, HP-UX, and OpenWRT. - -To build on a Unix or Linux system, use: - - $ autoreconf -fi (if you are building in the git repository) - $ ./configure - $ make - -If you're using Emacs, you might find `make tags` helpful. - -Several environment variables, which can be set before running `configure`, -affect compilation. Significant ones are: - -|Variable|Description | -|--------------------|-----------------------------------------------| -|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.| -|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. | -|`LDFLAGS`|Linker flags. Defaults to empty string.| - -Additional environment variables affecting the build are listed at the -end of the `configure` help text, which can be obtained by running the -command: - - $ ./configure --help - -#### macOS - -Building on macOS assumes that the "Command Tools for Xcode" are installed. 
-These can be downloaded from -[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/) -or, if you have Xcode already installed, you can run `xcode-select --install`. -(Note that an Apple ID may be required to access the download page.) - -#### Dependencies - -To build BIND you need to have the following packages installed: - - libuv - pkg-config / pkgconfig / pkgconf - -To build BIND from the git repository, you need the following tools -installed: - - autoconf (includes autoreconf) - automake - libtool - -#### Compile-time options - -To see a full list of configuration options, run `configure --help`. - -For the server to support DNSSEC, you need to build it with crypto support. -To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the -OpenSSL library is installed in a nonstandard location, specify the prefix -using `--with-openssl=` on the configure command line. To use a -PKCS#11 hardware service module for cryptographic operations, specify the -path to the PKCS#11 provider library using `--with-pkcs11=`, and -configure BIND with `--enable-native-pkcs11`. - -To support the HTTP statistics channel, the server must be linked with at -least one of the following libraries: `libxml2` -[http://xmlsoft.org](http://xmlsoft.org) or `json-c` -[https://github.com/json-c/json-c](https://github.com/json-c/json-c). -If these are installed at a nonstandard location, then: - -* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`. -* for `json-c`, adjust `PKG_CONFIG_PATH`. - -To support compression on the HTTP statistics channel, the server must be -linked against `libzlib`. If this is installed in a nonstandard location, -specify the prefix using `--with-zlib=/prefix`. - -To support storing configuration data for runtime-added zones in an LMDB -database, the server must be linked with `liblmdb`. If this is installed in a -nonstandard location, specify the prefix using `with-lmdb=/prefix`. 
- -To support MaxMind GeoIP2 location-based ACLs, the server must be linked -with `libmaxminddb`. This is turned on by default if the library is -found; if the library is installed in a nonstandard location, -specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support -can be switched off with `--disable-geoip`. - -For DNSTAP packet logging, you must have installed `libfstrm` -[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm) -and `libprotobuf-c` -[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers), -and BIND must be configured with `--enable-dnstap`. - -Certain compiled-in constants and default settings can be decreased to -values better suited to small machines, e.g. OpenWRT boxes, by specifying -`--with-tuning=small` on the `configure` command line. This decreases -memory usage by using smaller structures, but degrades performance. - -On Linux, process capabilities are managed in user space using -the `libcap` library, which can be installed on most Linux systems via -the `libcap-dev` or `libcap-devel` package. Process capability support can -also be disabled by configuring with `--disable-linux-caps`. - -On some platforms it is necessary to explicitly request large file support -to handle files bigger than 2GB. This can be done by using -`--enable-largefile` on the `configure` command line. - -Support for the "fixed" rrset-order option can be enabled or disabled by -specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the -configure command line. By default, fixed rrset-order is disabled to -reduce memory footprint. - -The `--enable-querytrace` option causes `named` to log every step of -processing every query. The `--enable-singletrace` option turns on the -same verbose tracing, but allows an individual query to be separately -traced by setting its query ID to 0. 
These options should only be enabled -when debugging, because they have a significant negative impact on query -performance. - -`make install` installs `named` and the various BIND 9 libraries. By -default, installation is into /usr/local, but this can be changed with the -`--prefix` option when running `configure`. - -You may specify the option `--sysconfdir` to set the directory where -configuration files like `named.conf` go by default, and `--localstatedir` -to set the default parent directory of `run/named.pid`. `--sysconfdir` -defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`. +For information about building BIND 9, see the +["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9 +Administrator Reference Manual. ### Automated testing diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..2c63605988 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ + +# Security Policy + +ISC's Security Vulnerability Disclosure Policy is documented in the +relevant [ISC Knowledgebase article][1]. + +## Reporting possible security issues + +If you think you may be seeing a potential security vulnerability in +BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure), +please report it immediately by [opening a confidential GitLab issue][2] +(preferred) or emailing bind-security@isc.org. + +Please do not discuss undisclosed security vulnerabilities on any public +mailing list. ISC has a long history of handling reported +vulnerabilities promptly and effectively and we respect and acknowledge +responsible reporters. + +If you have a crash, you may want to consult the Knowledgebase article +entitled ["What to do if your BIND or DHCP server has crashed"][3]. + +[1]: https://kb.isc.org/docs/aa-00861 +[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug +[3]: https://kb.isc.org/docs/aa-00340 
diff --git a/bin/Makefile.am b/bin/Makefile.am index 296a0220f7..ba7658e1a7 100644 --- a/bin/Makefile.am +++ b/bin/Makefile.am @@ -1,5 +1 @@ SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins - -if HAVE_PKCS11 -SUBDIRS += pkcs11 -endif diff --git a/bin/check/Makefile.am b/bin/check/Makefile.am index fd8e51ba65..c25dc4d3bf 100644 --- a/bin/check/Makefile.am +++ b/bin/check/Makefile.am @@ -4,10 +4,9 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ $(LIBNS_CFLAGS) \ - $(LIBISCCFG_CFLAGS) \ - $(LIBBIND9_CFLAGS) + $(LIBISCCFG_CFLAGS) -AM_CPPFLAGS += \ +AM_CPPFLAGS += \ -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" noinst_LTLIBRARIES = libcheck-tool.la @@ -16,13 +15,12 @@ libcheck_tool_la_SOURCES = \ check-tool.h \ check-tool.c -LDADD = \ +LDADD += \ libcheck-tool.la \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) \ $(LIBNS_LIBS) \ - $(LIBISCCFG_LIBS) \ - $(LIBBIND9_LIBS) + $(LIBISCCFG_LIBS) bin_PROGRAMS = named-checkconf named-checkzone diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c index dd9a98c297..93cde40550 100644 --- a/bin/check/check-tool.c +++ b/bin/check/check-tool.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -12,6 +14,7 @@ /*! \file */ #include +#include #include #include @@ -19,9 +22,8 @@ #include #include #include -#include -#include #include +#include #include #include #include @@ -38,7 +40,6 @@ #include #include #include -#include #include #include 
@@ -92,7 +93,7 @@ dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX | #if CHECK_SIBLING DNS_ZONEOPT_CHECKSIBLING | #endif /* if CHECK_SIBLING */ - DNS_ZONEOPT_CHECKWILDCARD | + DNS_ZONEOPT_CHECKSVCB | DNS_ZONEOPT_CHECKWILDCARD | DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME; /* @@ -203,7 +204,8 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner, */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && @@ -405,7 +407,8 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) { */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && @@ -491,7 +494,8 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) { */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && 
@@ -571,96 +575,6 @@ setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) { return (ISC_R_SUCCESS); } -/*% scan the zone for oversize TTLs */ -static isc_result_t -check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) { - isc_result_t result; - dns_db_t *db = NULL; - dns_dbversion_t *version = NULL; - dns_dbnode_t *node = NULL; - dns_dbiterator_t *dbiter = NULL; - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdataset_t rdataset; - dns_fixedname_t fname; - dns_name_t *name; - name = dns_fixedname_initname(&fname); - dns_rdataset_init(&rdataset); - - CHECK(dns_zone_getdb(zone, &db)); - INSIST(db != NULL); - - CHECK(dns_db_newversion(db, &version)); - CHECK(dns_db_createiterator(db, 0, &dbiter)); - - for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS; - result = dns_dbiterator_next(dbiter)) - { - result = dns_dbiterator_current(dbiter, &node, name); - if (result == DNS_R_NEWORIGIN) { - result = ISC_R_SUCCESS; - } - CHECK(result); - - CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsiter)); - for (result = dns_rdatasetiter_first(rdsiter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter)) - { - dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.ttl > maxttl) { - char nbuf[DNS_NAME_FORMATSIZE]; - char tbuf[255]; - isc_buffer_t b; - isc_region_t r; - - dns_name_format(name, nbuf, sizeof(nbuf)); - isc_buffer_init(&b, tbuf, sizeof(tbuf) - 1); - CHECK(dns_rdatatype_totext(rdataset.type, &b)); - isc_buffer_usedregion(&b, &r); - r.base[r.length] = 0; - - dns_zone_log(zone, ISC_LOG_ERROR, - "%s/%s TTL %d exceeds " - "maximum TTL %d", - nbuf, tbuf, rdataset.ttl, maxttl); - dns_rdataset_disassociate(&rdataset); - CHECK(ISC_R_RANGE); - } - dns_rdataset_disassociate(&rdataset); - } - if (result == ISC_R_NOMORE) { - result = ISC_R_SUCCESS; - } - CHECK(result); - - dns_rdatasetiter_destroy(&rdsiter); - dns_db_detachnode(db, &node); - } - - if (result == ISC_R_NOMORE) { - result = ISC_R_SUCCESS; - } - -cleanup: - if (node != NULL) { - 
dns_db_detachnode(db, &node); - } - if (rdsiter != NULL) { - dns_rdatasetiter_destroy(&rdsiter); - } - if (dbiter != NULL) { - dns_dbiterator_destroy(&dbiter); - } - if (version != NULL) { - dns_db_closeversion(db, &version, false); - } - if (db != NULL) { - dns_db_detach(&db); - } - - return (result); -} - /*% load the zone */ isc_result_t load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, @@ -681,9 +595,9 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, zonename, filename, classname); } - CHECK(dns_zone_create(&zone, mctx)); + dns_zone_create(&zone, mctx, 0); - dns_zone_settype(zone, dns_zone_master); + dns_zone_settype(zone, dns_zone_primary); isc_buffer_constinit(&buffer, zonename, strlen(zonename)); isc_buffer_add(&buffer, strlen(zonename)); @@ -702,7 +616,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, CHECK(dns_zone_setjournal(zone, journal)); } - DE_CONST(classname, region.base); + region.base = UNCONST(classname); region.length = strlen(classname); CHECK(dns_rdataclass_fromtext(&rdclass, ®ion)); @@ -724,14 +638,6 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, CHECK(dns_zone_load(zone, false)); - /* - * When loading map files we can't catch oversize TTLs during - * load, so we check for them here. - */ - if (fileformat == dns_masterformat_map && maxttl != 0) { - CHECK(check_ttls(zone, maxttl)); - } - if (zonep != NULL) { *zonep = zone; zone = NULL; diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h index 6e9e483f54..64ac9e7917 100644 --- a/bin/check/check-tool.h +++ b/bin/check/check-tool.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef CHECK_TOOL_H -#define CHECK_TOOL_H +#pragma once /*! \file */ @@ -49,5 +50,3 @@ extern bool dochecksrv; extern dns_zoneopt_t zone_options; ISC_LANG_ENDDECLS - -#endif /* ifndef CHECK_TOOL_H */ diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 11303e9648..19f672224e 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -22,7 +24,6 @@ #include #include #include -#include #include #include #include @@ -32,21 +33,17 @@ #include #include #include -#include #include #include +#include #include #include -#include - #include "check-tool.h" static const char *program = "named-checkconf"; -static bool loadplugins = true; - isc_log_t *logc = NULL; #define CHECK(r) \ @@ -57,13 +54,13 @@ isc_log_t *logc = NULL; } while (0) /*% usage */ -ISC_NORETURN static void +noreturn static void usage(void); static void usage(void) { fprintf(stderr, - "usage: %s [-chijlvz] [-p [-x]] [-t directory] " + "usage: %s [-achijlvz] [-p [-x]] [-t directory] " "[named.conf]\n", program); exit(1); @@ -158,7 +155,7 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) { return (ISC_R_FAILURE); } - DE_CONST(zclass, r.base); + r.base = UNCONST(zclass); r.length = strlen(zclass); result = dns_rdataclass_fromtext(&rdclass, &r); if (result != ISC_R_SUCCESS) { 
@@ -245,9 +242,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, * Skip checks when using an alternate data source. */ cfg_map_get(zoptions, "database", &dbobj); - if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 && - strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0) - { + if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0) { return (ISC_R_SUCCESS); } @@ -276,7 +271,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, } /* - * Is the redirect zone configured as a slave? + * Is the redirect zone configured as a secondary? */ if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) { cfg_map_get(zoptions, "primaries", &primariesobj); @@ -305,8 +300,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, zone_options &= ~DNS_ZONEOPT_CHECKDUPRR; zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKDUPRR; @@ -325,8 +319,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, zone_options &= ~DNS_ZONEOPT_CHECKMX; zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKMX; @@ -356,8 +349,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, zone_options |= DNS_ZONEOPT_WARNMXCNAME; zone_options |= DNS_ZONEOPT_IGNOREMXCNAME; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_WARNMXCNAME; @@ -376,8 +368,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, zone_options |= DNS_ZONEOPT_WARNSRVCNAME; zone_options |= DNS_ZONEOPT_IGNORESRVCNAME; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_WARNSRVCNAME; 
@@ -400,13 +391,34 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { zone_options &= ~DNS_ZONEOPT_CHECKSPF; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKSPF; } + obj = NULL; + if (get_maps(maps, "check-svcb", &obj)) { + if (cfg_obj_asboolean(obj)) { + zone_options |= DNS_ZONEOPT_CHECKSVCB; + } else { + zone_options &= ~DNS_ZONEOPT_CHECKSVCB; + } + } else { + zone_options |= DNS_ZONEOPT_CHECKSVCB; + } + + obj = NULL; + if (get_maps(maps, "check-wildcard", &obj)) { + if (cfg_obj_asboolean(obj)) { + zone_options |= DNS_ZONEOPT_CHECKWILDCARD; + } else { + zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD; + } + } else { + zone_options |= DNS_ZONEOPT_CHECKWILDCARD; + } + obj = NULL; if (get_checknames(maps, &obj)) { if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { @@ -419,8 +431,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, zone_options &= ~DNS_ZONEOPT_CHECKNAMES; zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKNAMES; @@ -435,11 +446,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, masterformat = dns_masterformat_text; } else if (strcasecmp(masterformatstr, "raw") == 0) { masterformat = dns_masterformat_raw; - } else if (strcasecmp(masterformatstr, "map") == 0) { - masterformat = dns_masterformat_map; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -453,7 +461,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig, NULL); if (result != ISC_R_SUCCESS) { fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, - dns_result_totext(result)); + isc_result_totext(result)); } return (result); } 
@@ -502,7 +510,7 @@ config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, *classp = defclass; return (ISC_R_SUCCESS); } - DE_CONST(cfg_obj_asstring(classobj), r.base); + r.base = UNCONST(cfg_obj_asstring(classobj)); r.length = strlen(r.base); return (dns_rdataclass_fromtext(classp, &r)); } @@ -567,10 +575,10 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, static void output(void *closure, const char *text, int textlen) { - UNUSED(closure); if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) { + isc_result_t *result = closure; perror("fwrite"); - exit(1); + *result = ISC_R_FAILURE; } } @@ -582,20 +590,21 @@ main(int argc, char **argv) { cfg_obj_t *config = NULL; const char *conffile = NULL; isc_mem_t *mctx = NULL; - isc_result_t result; - int exit_status = 0; + isc_result_t result = ISC_R_SUCCESS; + bool cleanup_dst = true; bool load_zones = false; bool list_zones = false; bool print = false; bool nodeprecate = false; unsigned int flags = 0; + unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS; isc_commandline_errprint = false; /* * Process memory debugging argument first. */ -#define CMDLINE_FLAGS "cdhijlm:t:pvxz" +#define CMDLINE_FLAGS "acdhijlm:t:pvxz" while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (c) { case 'm': @@ -611,12 +620,6 @@ main(int argc, char **argv) { { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } - if (strcasecmp(isc_commandline_argument, "size") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGSIZE; - } - if (strcasecmp(isc_commandline_argument, "mctx") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGCTX; - } break; default: break; @@ -628,8 +631,12 @@ main(int argc, char **argv) { while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) { switch (c) { + case 'a': + checkflags &= ~BIND_CHECK_ALGORITHMS; + break; + case 'c': - loadplugins = false; + checkflags &= ~BIND_CHECK_PLUGINS; break; case 'd': 
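Review bot: output() records ISC_R_FAILURE in *result after a short fwrite() but does not stop writing, so cfg_printx() keeps calling it and every remaining chunk produces another failed fwrite() and another perror() line on stderr. Reading the flag before writing avoids that: move the cast to the top of the function, `isc_result_t *result = closure;`, followed by `if (*result != ISC_R_SUCCESS) { return; }`, and keep the existing assignment in the failure branch. This relies on the caller passing a result initialised to ISC_R_SUCCESS, which the cfg_printx() call in main() does, since it is only reached after every CHECK() has passed.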
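Review bot: `bool cleanup_dst = true;` in the declarations of main() makes the later `cleanup_dst = true;` placed after `CHECK(dst_lib_init(mctx, NULL));` (hunk @@ -714,45 +724,48 @@) a no-op, and more importantly means every `goto cleanup` taken before dst_lib_init() — the `-v` exit, the `-x`-without-`-p` and `-l`-with-`-p` errors, the unhandled-option case, a failed isc_dir_chroot() or setup_logging() — reaches `dst_lib_destroy()` without a matching init. The initialiser should be `bool cleanup_dst = false;` so the flag only becomes true once dst_lib_init() has succeeded. Whether an unmatched dst_lib_destroy() is harmless or trips an internal check is decided in libdns, outside this diff, but the flag is clearly intended to gate it. main() spans several hunks here; its body continues in the following hunks.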
@@ -656,7 +663,7 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) { fprintf(stderr, "isc_dir_chroot: %s\n", isc_result_totext(result)); - exit(1); + CHECK(result); } break; @@ -666,7 +673,8 @@ main(int argc, char **argv) { case 'v': printf("%s\n", PACKAGE_VERSION); - exit(0); + result = ISC_R_SUCCESS; + goto cleanup; case 'x': flags |= CFG_PRINTER_XKEY; @@ -684,27 +692,29 @@ main(int argc, char **argv) { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': + isc_mem_detach(&mctx); usage(); default: fprintf(stderr, "%s: unhandled option -%c\n", program, isc_commandline_option); - exit(1); + CHECK(ISC_R_FAILURE); } } if (((flags & CFG_PRINTER_XKEY) != 0) && !print) { fprintf(stderr, "%s: -x cannot be used without -p\n", program); - exit(1); + CHECK(ISC_R_FAILURE); } if (print && list_zones) { fprintf(stderr, "%s: -l cannot be used with -p\n", program); - exit(1); + CHECK(ISC_R_FAILURE); } if (isc_commandline_index + 1 < argc) { + isc_mem_detach(&mctx); usage(); } if (argv[isc_commandline_index] != NULL) { 
@@ -714,45 +724,48 @@ main(int argc, char **argv) { conffile = NAMED_CONFFILE; } - RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); + CHECK(setup_logging(mctx, stdout, &logc)); - dns_result_register(); + CHECK(dst_lib_init(mctx, NULL)); + cleanup_dst = true; - RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS); + CHECK(cfg_parser_create(mctx, logc, &parser)); if (nodeprecate) { cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true); } cfg_parser_setcallback(parser, directory_callback, NULL); - if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) != - ISC_R_SUCCESS) - { - exit(1); + CHECK(cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config)); + CHECK(isccfg_check_namedconf(config, checkflags, logc, mctx)); + if (load_zones || list_zones) { + CHECK(load_zones_fromconfig(config, mctx, list_zones)); } - result = bind9_check_namedconf(config, loadplugins, logc, mctx); - if (result != ISC_R_SUCCESS) { - exit_status = 1; + if (print) { + cfg_printx(config, flags, output, &result); } - if (result == ISC_R_SUCCESS && (load_zones || list_zones)) { - result = load_zones_fromconfig(config, mctx, list_zones); - if (result != ISC_R_SUCCESS) { - exit_status = 1; - } +cleanup: + if (config != NULL) { + cfg_obj_destroy(parser, &config); } - if (print && exit_status == 0) { - cfg_printx(config, flags, output, NULL); + if (parser != NULL) { + cfg_parser_destroy(&parser); } - cfg_obj_destroy(parser, &config); - cfg_parser_destroy(&parser); + if (cleanup_dst) { + dst_lib_destroy(); + } - isc_log_destroy(&logc); + if (logc != NULL) { + isc_log_destroy(&logc); + } - isc_mem_destroy(&mctx); + if (mctx != NULL) { + isc_mem_destroy(&mctx); + } - return (exit_status); + return (result == ISC_R_SUCCESS ? 0 : 1); } diff --git a/bin/check/named-checkconf.rst b/bin/check/named-checkconf.rst index 4ddaab9112..41dad390fa 100644 --- a/bin/check/named-checkconf.rst +++ b/bin/check/named-checkconf.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: named-checkconf +.. program:: named-checkconf .. _man_named-checkconf: named-checkconf - named configuration file syntax checking tool 
@@ -29,77 +21,96 @@ named-checkconf - named configuration file syntax checking tool Synopsis ~~~~~~~~ -:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] (unknown) +:program:`named-checkconf` [**-achjlvz**] [**-p** [**-x** ]] [**-t** directory] (unknown) Description ~~~~~~~~~~~ -``named-checkconf`` checks the syntax, but not the semantics, of a -``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax +:program:`named-checkconf` checks the syntax, but not the semantics, of a +:iscman:`named` configuration file. The file, along with all files included by it, is parsed and checked for syntax errors. If no file is specified, -``/etc/named.conf`` is read by default. +|named_conf| is read by default. -Note: files that ``named`` reads in separate parser contexts, such as -``rndc.key`` and ``bind.keys``, are not automatically read by -``named-checkconf``. Configuration errors in these files may cause -``named`` to fail to run, even if ``named-checkconf`` was successful. -However, ``named-checkconf`` can be run on these files explicitly. +Note: files that :iscman:`named` reads in separate parser contexts, such as +``rndc.conf`` or ``rndc.key``, are not automatically read by +:program:`named-checkconf`. Configuration errors in these files may cause +:iscman:`named` to fail to run, even if :program:`named-checkconf` was +successful. However, :program:`named-checkconf` can be run on these files +explicitly. Options ~~~~~~~ -``-h`` +.. option:: -a + + Don't check the `dnssec-policy`'s DNSSEC key algorithms against + those supported by the crypto provider. This is useful when checking + a `named.conf` intended to be run on another machine with possibly a + different set of supported DNSSEC key algorithms. + +.. option:: -h + This option prints the usage summary and exits. -``-j`` - When loading a zonefile, this option instructs ``named`` to read the journal if it exists. +.. 
option:: -j + + When loading a zonefile, this option instructs :iscman:`named` to read the journal if it exists. + +.. option:: -l -``-l`` This option lists all the configured zones. Each line of output contains the zone name, class (e.g. IN), view, and type (e.g. primary or secondary). -``-c`` +.. option:: -c + This option specifies that only the "core" configuration should be checked. This suppresses the loading of plugin modules, and causes all parameters to ``plugin`` statements to be ignored. -``-i`` +.. option:: -i + This option ignores warnings on deprecated options. -``-p`` - This option prints out the ``named.conf`` and included files in canonical form if - no errors were detected. See also the ``-x`` option. +.. option:: -p + + This option prints out the :iscman:`named.conf` and included files in canonical form if + no errors were detected. See also the :option:`-x` option. + +.. option:: -t directory -``-t directory`` - This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the + This option instructs :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the configuration file are processed as if run by a similarly chrooted - ``named``. + :iscman:`named`. -``-v`` - This option prints the version of the ``named-checkconf`` program and exits. +.. option:: -v + + This option prints the version of the :program:`named-checkconf` program and exits. + +.. option:: -x -``-x`` When printing the configuration files in canonical form, this option obscures shared secrets by replacing them with strings of question marks - (``?``). This allows the contents of ``named.conf`` and related files + (``?``). This allows the contents of :iscman:`named.conf` and related files to be shared - for example, when submitting bug reports - without compromising private data. This option cannot be used without - ``-p``. + :option:`-p`. + +.. 
option:: -z + + This option performs a test load of all zones of type ``primary`` found in :iscman:`named.conf`. -``-z`` - This option performs a test load of all zones of type ``primary`` found in ``named.conf``. +.. option:: filename -``filename`` This indicates the name of the configuration file to be checked. If not specified, - it defaults to ``/etc/named.conf``. + it defaults to |named_conf|. Return Values ~~~~~~~~~~~~~ -``named-checkconf`` returns an exit status of 1 if errors were detected +:program:`named-checkconf` returns an exit status of 1 if errors were detected and 0 otherwise. See Also ~~~~~~~~ -:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual. +:iscman:`named(8) `, :iscman:`named-checkzone(8) `, BIND 9 Administrator Reference Manual. diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 145f80c096..795624651a 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,7 +17,6 @@ #include #include -#include #include #include #include @@ -23,10 +24,8 @@ #include #include #include -#include -#include +#include #include -#include #include #include @@ -38,7 +37,6 @@ #include #include #include -#include #include #include @@ -47,7 +45,7 @@ static int quiet = 0; static isc_mem_t *mctx = NULL; dns_zone_t *zone = NULL; -dns_zonetype_t zonetype = dns_zone_master; +dns_zonetype_t zonetype = dns_zone_primary; static int dumpzone = 0; static const char *output_filename; static const char *prog_name = NULL; 
@@ -59,12 +57,12 @@ static enum { progmode_check, progmode_compile } progmode;
 if (result != ISC_R_SUCCESS) { \
 if (!quiet) \
 fprintf(stderr, "%s() returned %s\n", \
- function, dns_result_totext(result)); \
+ function, isc_result_totext(result)); \
 return (result); \
 } \
 } while (0)
-ISC_NORETURN static void
+noreturn static void
 usage(void);
 static void
@@ -146,8 +144,7 @@ main(int argc, char **argv) {
 } else if (PROGCMP("named-compilezone")) {
 progmode = progmode_compile;
 } else {
- INSIST(0);
- ISC_UNREACHABLE();
+ UNREACHABLE();
 }
 /* Compilation specific defaults */
@@ -166,8 +163,8 @@ main(int argc, char **argv) {
 isc_commandline_errprint = false;
 while ((c = isc_commandline_parse(argc, argv,
- "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
- "M:S:T:W:")) != EOF)
+ "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:C:"
+ "DF:M:S:T:W:")) != EOF)
 {
 switch (c) {
 case 'c':
@@ -362,6 +359,18 @@ main(int argc, char **argv) {
 workdir = isc_commandline_argument;
 break;
+ case 'C':
+ if (ARGCMP("check-svcb:fail")) {
+ zone_options |= DNS_ZONEOPT_CHECKSVCB;
+ } else if (ARGCMP("check-svcb:ignore")) {
+ zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
+ } else {
+ fprintf(stderr, "invalid argument to -C: %s\n",
+ isc_commandline_argument);
+ exit(1);
+ }
+ break;
+
 case 'D':
 dumpzone++;
 break;
@@ -425,7 +434,7 @@ main(int argc, char **argv) {
 fprintf(stderr, "%s: invalid argument -%c\n",
 prog_name, isc_commandline_option);
 }
- /* FALLTHROUGH */
+ FALLTHROUGH;
 case 'h':
 usage();
@@ -454,8 +463,6 @@ main(int argc, char **argv) {
 inputformat = dns_masterformat_raw;
 fprintf(stderr, "WARNING: input format raw, version "
 "ignored\n");
- } else if (strcasecmp(inputformatstr, "map") == 0) {
- inputformat = dns_masterformat_map;
 } else {
 fprintf(stderr, "unknown file format: %s\n",
 inputformatstr);
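Review bot: The new `case 'C'` only sets or clears DNS_ZONEOPT_CHECKSVCB, so the documented default of `check-svcb:fail` holds only if `zone_options` is initialised with that bit, which happens outside this hunk; a comment at the top of the case would pin that assumption, e.g. `/* DNS_ZONEOPT_CHECKSVCB is expected to be set in zone_options by default; check-svcb:ignore clears it. */`. The `C:` letter is added to the option string in the hunk at -166,8, but no hunk in this file touches usage(), so please confirm the help text now lists `-C mode` and its two accepted values. The enclosing main() starts and ends outside the hunk.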
@@ -474,12 +481,11 @@ main(int argc, char **argv) {
 outputformat = dns_masterformat_raw;
 rawversion = strtol(outputformatstr + 4, &end, 10);
 if (end == outputformatstr + 4 || *end != '\0' ||
- rawversion > 1U) {
+ rawversion > 1U)
+ {
 fprintf(stderr, "unknown raw format version\n");
 exit(1);
 }
- } else if (strcasecmp(outputformatstr, "map") == 0) {
- outputformat = dns_masterformat_map;
 } else {
 fprintf(stderr, "unknown file format: %s\n",
 outputformatstr);
@@ -515,7 +521,8 @@ main(int argc, char **argv) {
 }
 if (argc - isc_commandline_index < 1 ||
- argc - isc_commandline_index > 2) {
+ argc - isc_commandline_index > 2)
+ {
 usage();
 }
@@ -525,8 +532,6 @@ main(int argc, char **argv) {
 ISC_R_SUCCESS);
 }
- dns_result_register();
-
 origin = argv[isc_commandline_index++];
 if (isc_commandline_index == argc) {
diff --git a/bin/check/named-checkzone.rst b/bin/check/named-checkzone.rst
index 95c6c7434e..e6ad56f73c 100644
--- a/bin/check/named-checkzone.rst
+++ b/bin/check/named-checkzone.rst
@@ -1,80 +1,84 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. +.. highlight: console +.. BEWARE: Do not forget to edit also named-compilezone.rst! -.. highlight: console +.. iscman:: named-checkzone +.. program:: named-checkzone +.. 
_man_named-checkzone: -named-checkzone, named-compilezone - zone file validity checking or converting tool ------------------------------------------------------------------------------------ +named-checkzone - zone file validation tool +------------------------------------------- Synopsis ~~~~~~~~ -:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} (unknown) - -:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} (unknown) +:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} (unknown) Description ~~~~~~~~~~~ -``named-checkzone`` checks the syntax and integrity of a zone file. It -performs the same checks as ``named`` does when loading a zone. This -makes ``named-checkzone`` useful for checking zone files before +:program:`named-checkzone` checks the syntax and integrity of a zone file. It +performs the same checks as :iscman:`named` does when loading a zone. This +makes :program:`named-checkzone` useful for checking zone files before configuring them into a name server. 
-``named-compilezone`` is similar to ``named-checkzone``, but it always -dumps the zone contents to a specified file in a specified format. -It also applies stricter check levels by default, since the -dump output is used as an actual zone file loaded by ``named``. -When manually specified otherwise, the check levels must at least be as -strict as those specified in the ``named`` configuration file. - Options ~~~~~~~ -``-d`` +.. option:: -d + This option enables debugging. -``-h`` +.. option:: -h + This option prints the usage summary and exits. -``-q`` +.. option:: -q + This option sets quiet mode, which only sets an exit code to indicate successful or failed completion. -``-v`` - This option prints the version of the ``named-checkzone`` program and exits. +.. option:: -v + + This option prints the version of the :program:`named-checkzone` program and exits. + +.. option:: -j -``-j`` - When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal + When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal file name is assumed to be the zone file name with the string ``.jnl`` appended. -``-J filename`` - When loading the zone file, this option tells ``named`` to read the journal from the given file, if - it exists. This implies ``-j``. +.. option:: -J filename + + When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if + it exists. This implies :option:`-j`. + +.. option:: -c class -``-c class`` This option specifies the class of the zone. If not specified, ``IN`` is assumed. -``-i mode`` +.. option:: -C mode + + This option controls check mode on zone files when loading. + Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``. + + ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB + records and ``check-svcb:ignore`` disables these checks. The + default is ``check-svcb:fail``. + +.. 
option:: -i mode + This option performs post-load zone integrity checks. Possible modes are ``full`` (the default), ``full-sibling``, ``local``, ``local-sibling``, and ``none``. 
@@ -100,114 +104,128 @@ Options Mode ``none`` disables the checks. -``-f format`` - This option specifies the format of the zone file. Possible formats are ``text`` - (the default), ``raw``, and ``map``. +.. option:: -f format + + This option specifies the format of the zone file. Possible formats are + ``text`` (the default), and ``raw``. + +.. option:: -F format -``-F format`` This option specifies the format of the output file specified. For - ``named-checkzone``, this does not have any effect unless it dumps + :program:`named-checkzone`, this does not have any effect unless it dumps the zone contents. Possible formats are ``text`` (the default), which is the standard - textual representation of the zone, and ``map``, ``raw``, and - ``raw=N``, which store the zone in a binary format for rapid - loading by ``named``. ``raw=N`` specifies the format version of the - raw zone file: if ``N`` is 0, the raw file can be read by any version of - ``named``; if N is 1, the file can only be read by release 9.9.0 or - higher. The default is 1. - -``-k mode`` + textual representation of the zone, and ``raw`` and ``raw=N``, which + store the zone in a binary format for rapid loading by :iscman:`named`. + ``raw=N`` specifies the format version of the raw zone file: if ``N`` is + 0, the raw file can be read by any version of :iscman:`named`; if N is 1, the + file can only be read by release 9.9.0 or higher. The default is 1. + +.. option:: -k mode + This option performs ``check-names`` checks with the specified failure mode. - Possible modes are ``fail`` (the default for ``named-compilezone``), - ``warn`` (the default for ``named-checkzone``), and ``ignore``. + Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. + +.. option:: -l ttl -``-l ttl`` This option sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value causes the zone to be rejected. This - is similar to using the ``max-zone-ttl`` option in ``named.conf``. 
+ is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`. + +.. option:: -L serial -``-L serial`` - When compiling a zone to ``raw`` or ``map`` format, this option sets the "source + When compiling a zone to ``raw`` format, this option sets the "source serial" value in the header to the specified serial number. This is expected to be used primarily for testing purposes. -``-m mode`` +.. option:: -m mode + This option specifies whether MX records should be checked to see if they are addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. -``-M mode`` +.. option:: -M mode + This option checks whether a MX record refers to a CNAME. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. -``-n mode`` +.. option:: -n mode + This option specifies whether NS records should be checked to see if they are - addresses. Possible modes are ``fail`` (the default for - ``named-compilezone``), ``warn`` (the default for ``named-checkzone``), - and ``ignore``. + addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. + +.. option:: -o filename -``-o filename`` This option writes the zone output to ``filename``. If ``filename`` is ``-``, then - the zone output is written to standard output. This is mandatory for ``named-compilezone``. + the zone output is written to standard output. + +.. option:: -r mode -``-r mode`` This option checks for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. -``-s style`` +.. option:: -s style + This option specifies the style of the dumped zone file. Possible styles are ``full`` (the default) and ``relative``. The ``full`` format is most suitable for processing automatically by a separate script. The relative format is more human-readable and is thus - suitable for editing by hand. 
For ``named-checkzone``, this does not - have any effect unless it dumps the zone contents. It also does not - have any meaning if the output format is not text. + suitable for editing by hand. This does not have any effect unless it dumps + the zone contents. It also does not have any meaning if the output format + is not text. + +.. option:: -S mode -``-S mode`` This option checks whether an SRV record refers to a CNAME. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. -``-t directory`` - This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the +.. option:: -t directory + + This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the configuration file are processed as if run by a similarly chrooted - ``named``. + :iscman:`named`. + +.. option:: -T mode -``-T mode`` This option checks whether Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are ``warn`` (the default) and ``ignore``. -``-w directory`` - This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file +.. option:: -w directory + + This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file ``$INCLUDE`` directives work. This is similar to the directory clause in - ``named.conf``. + :iscman:`named.conf`. -``-D`` - This option dumps the zone file in canonical format. This is always enabled for - ``named-compilezone``. +.. option:: -D + + This option dumps the zone file in canonical format. + +.. option:: -W mode -``-W mode`` This option specifies whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the - wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn`` + wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn`` (the default) and ``ignore``. 
-``zonename`` +.. option:: zonename + This indicates the domain name of the zone being checked. -``filename`` +.. option:: filename + This is the name of the zone file. Return Values ~~~~~~~~~~~~~ -``named-checkzone`` returns an exit status of 1 if errors were detected +:program:`named-checkzone` returns an exit status of 1 if errors were detected and 0 otherwise. See Also ~~~~~~~~ -:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference +:iscman:`named(8) `, :iscman:`named-checkconf(8) `, :iscman:`named-compilezone(8) `, :rfc:`1035`, BIND 9 Administrator Reference Manual. diff --git a/bin/check/named-compilezone.rst b/bin/check/named-compilezone.rst new file mode 100644 index 0000000000..0b4c98d449 --- /dev/null +++ b/bin/check/named-compilezone.rst 
@@ -0,0 +1,233 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. BEWARE: Do not forget to edit also named-checkzone.rst! + +.. iscman:: named-compilezone +.. program:: named-compilezone +.. _man_named-compilezone: + +named-compilezone - zone file converting tool +--------------------------------------------- + +Synopsis +~~~~~~~~ + +:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} (unknown) + +Description +~~~~~~~~~~~ + +:program:`named-compilezone` checks the syntax and integrity of a zone file, +and dumps the zone contents to a specified file in a specified format. +It applies strict check levels by default, since the +dump output is used as an actual zone file loaded by :iscman:`named`. +When manually specified otherwise, the check levels must at least be as +strict as those specified in the :iscman:`named` configuration file. + +Options +~~~~~~~ + +.. option:: -d + + This option enables debugging. + +.. option:: -h + + This option prints the usage summary and exits. + +.. option:: -q + + This option sets quiet mode, which only sets an exit code to indicate + successful or failed completion. + +.. option:: -v + + This option prints the version of the :iscman:`named-checkzone` program and exits. + +.. 
option:: -j + + When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal + file name is assumed to be the zone file name with the + string ``.jnl`` appended. + +.. option:: -J filename + + When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if + it exists. This implies :option:`-j`. + +.. option:: -c class + + This option specifies the class of the zone. If not specified, ``IN`` is assumed. + +.. option:: -C mode + + This option controls check mode on zone files when loading. + Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``. + + ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB + records and ``check-svcb:ignore`` disables these checks. The + default is ``check-svcb:fail``. + +.. option:: -i mode + + This option performs post-load zone integrity checks. Possible modes are + ``full`` (the default), ``full-sibling``, ``local``, + ``local-sibling``, and ``none``. + + Mode ``full`` checks that MX records refer to A or AAAA records + (both in-zone and out-of-zone hostnames). Mode ``local`` only + checks MX records which refer to in-zone hostnames. + + Mode ``full`` checks that SRV records refer to A or AAAA records + (both in-zone and out-of-zone hostnames). Mode ``local`` only + checks SRV records which refer to in-zone hostnames. + + Mode ``full`` checks that delegation NS records refer to A or AAAA + records (both in-zone and out-of-zone hostnames). It also checks that + glue address records in the zone match those advertised by the child. + Mode ``local`` only checks NS records which refer to in-zone + hostnames or verifies that some required glue exists, i.e., when the + name server is in a child zone. + + Modes ``full-sibling`` and ``local-sibling`` disable sibling glue + checks, but are otherwise the same as ``full`` and ``local``, + respectively. + + Mode ``none`` disables the checks. + +.. 
option:: -f format + + This option specifies the format of the zone file. Possible formats are + ``text`` (the default), and ``raw``. + +.. option:: -F format + + This option specifies the format of the output file specified. For + :iscman:`named-checkzone`, this does not have any effect unless it dumps + the zone contents. + + Possible formats are ``text`` (the default), which is the standard + textual representation of the zone, and ``raw`` and ``raw=N``, which + store the zone in a binary format for rapid loading by :iscman:`named`. + ``raw=N`` specifies the format version of the raw zone file: if ``N`` is + 0, the raw file can be read by any version of :iscman:`named`; if N is 1, the + file can only be read by release 9.9.0 or higher. The default is 1. + +.. option:: -k mode + + This option performs ``check-names`` checks with the specified failure mode. + Possible modes are ``fail`` (the default), ``warn``, and ``ignore``. + +.. option:: -l ttl + + This option sets a maximum permissible TTL for the input file. Any record with a + TTL higher than this value causes the zone to be rejected. This + is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`. + +.. option:: -L serial + + When compiling a zone to ``raw`` format, this option sets the "source + serial" value in the header to the specified serial number. This is + expected to be used primarily for testing purposes. + +.. option:: -m mode + + This option specifies whether MX records should be checked to see if they are + addresses. Possible modes are ``fail``, ``warn`` (the default), and + ``ignore``. + +.. option:: -M mode + + This option checks whether a MX record refers to a CNAME. Possible modes are + ``fail``, ``warn`` (the default), and ``ignore``. + +.. option:: -n mode + + This option specifies whether NS records should be checked to see if they are + addresses. Possible modes are ``fail`` (the default), ``warn``, and + ``ignore``. + +.. 
option:: -o filename + + This option writes the zone output to ``filename``. If ``filename`` is ``-``, then + the zone output is written to standard output. This is mandatory for :program:`named-compilezone`. + +.. option:: -r mode + + This option checks for records that are treated as different by DNSSEC but are + semantically equal in plain DNS. Possible modes are ``fail``, + ``warn`` (the default), and ``ignore``. + +.. option:: -s style + + This option specifies the style of the dumped zone file. Possible styles are + ``full`` (the default) and ``relative``. The ``full`` format is most + suitable for processing automatically by a separate script. + The relative format is more human-readable and is thus + suitable for editing by hand. + +.. option:: -S mode + + This option checks whether an SRV record refers to a CNAME. Possible modes are + ``fail``, ``warn`` (the default), and ``ignore``. + +.. option:: -t directory + + This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the + configuration file are processed as if run by a similarly chrooted + :iscman:`named`. + +.. option:: -T mode + + This option checks whether Sender Policy Framework (SPF) records exist and issues a + warning if an SPF-formatted TXT record is not also present. Possible + modes are ``warn`` (the default) and ``ignore``. + +.. option:: -w directory + + This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file + ``$INCLUDE`` directives work. This is similar to the directory clause in + :iscman:`named.conf`. + +.. option:: -D + + This option dumps the zone file in canonical format. This is always enabled for + :program:`named-compilezone`. + +.. option:: -W mode + + This option specifies whether to check for non-terminal wildcards. Non-terminal + wildcards are almost always the result of a failure to understand the + wildcard matching algorithm (:rfc:`4592`). 
Possible modes are ``warn`` + (the default) and ``ignore``. + +.. option:: zonename + + This indicates the domain name of the zone being checked. + +.. option:: filename + + This is the name of the zone file. + +Return Values +~~~~~~~~~~~~~ + +:program:`named-compilezone` returns an exit status of 1 if errors were detected +and 0 otherwise. + +See Also +~~~~~~~~ + +:iscman:`named(8) `, :iscman:`named-checkconf(8) `, :iscman:`named-checkzone(8) `, :rfc:`1035`, +BIND 9 Administrator Reference Manual. diff --git a/bin/confgen/Makefile.am b/bin/confgen/Makefile.am index d43aa2004a..c1dca43194 100644 --- a/bin/confgen/Makefile.am +++ b/bin/confgen/Makefile.am @@ -5,7 +5,7 @@ AM_CPPFLAGS += \ $(LIBDNS_CFLAGS) \ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" -LDADD = \ +LDADD += \ libconfgen.la \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) diff --git a/bin/confgen/ddns-confgen.rst b/bin/confgen/ddns-confgen.rst new file mode 100644 index 0000000000..9dd9d5ef5f --- /dev/null +++ b/bin/confgen/ddns-confgen.rst 
@@ -0,0 +1,96 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. BEWARE: Do not forget to edit also tsig-keygen.rst! + +.. iscman:: ddns-confgen +.. program:: ddns-confgen +.. _man_ddns-confgen: + +ddns-confgen - TSIG key generation tool +--------------------------------------- + +Synopsis +~~~~~~~~ +:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone] + +Description +~~~~~~~~~~~ + +:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the :iscman:`rndc` command channel. + +The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``. +The generated key is accompanied by configuration text and instructions that +can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS, +including an example ``update-policy`` statement. +(This usage is similar to the :iscman:`rndc-confgen` command for setting up +command-channel security.) + +Note that :iscman:`named` itself can configure a local DDNS key for use with +:option:`nsupdate -l`; it does this when a zone is configured with +``update-policy local;``. :program:`ddns-confgen` is only needed when a more +elaborate configuration is required: for instance, if :iscman:`nsupdate` is to +be used from a remote system. + +Options +~~~~~~~ + +.. option:: -a algorithm + + This option specifies the algorithm to use for the TSIG key. 
Available + choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, + and hmac-sha512. The default is hmac-sha256. Options are + case-insensitive, and the "hmac-" prefix may be omitted. + +.. option:: -h + + This option prints a short summary of options and arguments. + +.. option:: -k keyname + + This option specifies the key name of the DDNS authentication key. The + default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is + specified; otherwise, the default is ``ddns-key`` as a separate label + followed by the argument of the option, e.g., ``ddns-key.example.com.`` + The key name must have the format of a valid domain name, consisting of + letters, digits, hyphens, and periods. + +.. option:: -q + + This option enables quiet mode, which prints only the key, with no + explanatory text or usage examples. This is essentially identical to + :iscman:`tsig-keygen`. + +.. option:: -s name + + This option generates a configuration example to allow dynamic updates + of a single hostname. The example :iscman:`named.conf` text shows how to set + an update policy for the specified name using the "name" nametype. The + default key name is ``ddns-key.name``. Note that the "self" nametype + cannot be used, since the name to be updated may differ from the key + name. This option cannot be used with the :option:`-z` option. + +.. option:: -z zone + + This option generates a configuration example to allow + dynamic updates of a zone. The example :iscman:`named.conf` text shows how + to set an update policy for the specified zone using the "zonesub" + nametype, allowing updates to all subdomain names within that zone. + This option cannot be used with the :option:`-s` option. + +See Also +~~~~~~~~ + +:iscman:`nsupdate(1) `, :iscman:`named.conf(5) `, :iscman:`named(8) `, BIND 9 Administrator Reference Manual. diff --git a/bin/confgen/include/confgen/os.h b/bin/confgen/include/confgen/os.h index acb50ae718..2a924a30b1 100644 
--- a/bin/confgen/include/confgen/os.h
+++ b/bin/confgen/include/confgen/os.h
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -11,8 +13,7 @@
 /*! \file */
-#ifndef RNDC_OS_H
-#define RNDC_OS_H 1
+#pragma once
 #include
@@ -30,5 +31,3 @@ set_user(FILE *fd, const char *user);
 */
 ISC_LANG_ENDDECLS
-
-#endif /* ifndef RNDC_OS_H */
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index a0840834d8..4698d1a078 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -19,12 +21,9 @@
 #include
 #include
 #include
-#include
 #include
 #include
-#include
-
 #include
 #include
@@ -34,29 +33,6 @@
 #include "util.h"
-/*%
- * Convert algorithm type to string.
- */
-const char *
-alg_totext(dns_secalg_t alg) {
- switch (alg) {
- case DST_ALG_HMACMD5:
- return ("hmac-md5");
- case DST_ALG_HMACSHA1:
- return ("hmac-sha1");
- case DST_ALG_HMACSHA224:
- return ("hmac-sha224");
- case DST_ALG_HMACSHA256:
- return ("hmac-sha256");
- case DST_ALG_HMACSHA384:
- return ("hmac-sha384");
- case DST_ALG_HMACSHA512:
- return ("hmac-sha512");
- default:
- return ("(unknown)");
- }
-}
-
 /*%
 * Convert string to algorithm type.
 */
@@ -175,7 +151,7 @@ void
 write_key_file(const char *keyfile, const char *user, const char *keyname,
 isc_buffer_t *secret, dns_secalg_t alg) {
 isc_result_t result;
- const char *algname = alg_totext(alg);
+ const char *algname = dst_hmac_algorithm_totext(alg);
 FILE *fd = NULL;
 DO("create keyfile", isc_file_safecreate(keyfile, &fd));
diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h
index c9bc05b170..f5b7a551cd 100644
--- a/bin/confgen/keygen.h
+++ b/bin/confgen/keygen.h
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -9,8 +11,7 @@
 * information regarding copyright ownership.
 */
-#ifndef RNDC_KEYGEN_H
-#define RNDC_KEYGEN_H 1
+#pragma once
 /*! \file */
@@ -38,5 +39,3 @@ int
 alg_bits(dns_secalg_t alg);
 ISC_LANG_ENDDECLS
-
-#endif /* RNDC_KEYGEN_H */
diff --git a/bin/confgen/os.c b/bin/confgen/os.c
index 87dcab74aa..445d64bf60 100644
--- a/bin/confgen/os.c
+++ b/bin/confgen/os.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index d53093dfb3..4c2c3cafed 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
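Review bot: `write_key_file` now takes `algname` from `dst_hmac_algorithm_totext(alg)`, whereas the deleted local `alg_totext` (keygen.c hunk at -34,29) returned the literal `"(unknown)"` for any value outside the HMAC set; if the library routine can instead return NULL for an unsupported `alg`, the later use of `algname` when the key file is written needs a guard such as `if (algname == NULL) { fprintf(stderr, "unsupported algorithm\n"); exit(1); }`, or a comment at this call site stating that `alg` has already been validated by the caller. The same substitution is made in rndc-confgen.c main() (hunk at -222,7), so whichever guarantee applies should be recorded there as well. The keygen.h hunks shown do not remove a prototype for `alg_totext`; if one remains in that header it is now a declaration without a definition. The body of write_key_file continues beyond the hunk.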
@@ -32,14 +34,11 @@ #include #include #include -#include #include #include #include #include -#include - #include #include @@ -61,7 +60,7 @@ bool verbose = false; const char *keyfile, *keydef; -ISC_NORETURN static void +noreturn static void usage(int status); static void @@ -222,7 +221,7 @@ main(int argc, char **argv) { if (keysize < 0) { keysize = alg_bits(alg); } - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); diff --git a/bin/confgen/rndc-confgen.rst b/bin/confgen/rndc-confgen.rst index 91416f8f1c..0a91489c48 100644 --- a/bin/confgen/rndc-confgen.rst +++ b/bin/confgen/rndc-confgen.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: rndc-confgen +.. program:: rndc-confgen .. _man_rndc-confgen: rndc-confgen - rndc key generation tool 
@@ -34,86 +26,96 @@ Synopsis Description ~~~~~~~~~~~ -``rndc-confgen`` generates configuration files for ``rndc``. It can be -used as a convenient alternative to writing the ``rndc.conf`` file and -the corresponding ``controls`` and ``key`` statements in ``named.conf`` -by hand. Alternatively, it can be run with the ``-a`` option to set up a -``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a +:program:`rndc-confgen` generates configuration files for :iscman:`rndc`. It can be +used as a convenient alternative to writing the :iscman:`rndc.conf` file and +the corresponding ``controls`` and ``key`` statements in :iscman:`named.conf` +by hand. Alternatively, it can be run with the :option:`-a` option to set up a +``rndc.key`` file and avoid the need for a :iscman:`rndc.conf` file and a ``controls`` statement altogether. Options ~~~~~~~ -``-a`` - This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key`` - in ``/etc`` (or a different ``sysconfdir`` specified when BIND - was built) that is read by both ``rndc`` and ``named`` on startup. +.. option:: -a + + This option sets automatic :iscman:`rndc` configuration, which creates a file + |rndc_key| that is read by both :iscman:`rndc` and :iscman:`named` on startup. The ``rndc.key`` file defines a default command channel and - authentication key allowing ``rndc`` to communicate with ``named`` on + authentication key allowing :iscman:`rndc` to communicate with :iscman:`named` on the local host with no further configuration. If a more elaborate configuration than that generated by - ``rndc-confgen -a`` is required, for example if rndc is to be used - remotely, run ``rndc-confgen`` without the ``-a`` option - and set up ``rndc.conf`` and ``named.conf`` as directed. + :option:`rndc-confgen -a` is required, for example if rndc is to be used + remotely, run :program:`rndc-confgen` without the :option:`-a` option + and set up :iscman:`rndc.conf` and :iscman:`named.conf` as directed. + +.. 
option:: -A algorithm -``-A algorithm`` This option specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512. The default is hmac-sha256. -``-b keysize`` +.. option:: -b keysize + This option specifies the size of the authentication key in bits. The size must be between 1 and 512 bits; the default is the hash size. -``-c keyfile`` - This option is used with the ``-a`` option to specify an alternate location for +.. option:: -c keyfile + + This option is used with the :option:`-a` option to specify an alternate location for ``rndc.key``. -``-h`` +.. option:: -h + This option prints a short summary of the options and arguments to - ``rndc-confgen``. + :program:`rndc-confgen`. -``-k keyname`` - This option specifies the key name of the ``rndc`` authentication key. This must be a +.. option:: -k keyname + + This option specifies the key name of the :iscman:`rndc` authentication key. This must be a valid domain name. The default is ``rndc-key``. -``-p port`` - This option specifies the command channel port where ``named`` listens for - connections from ``rndc``. The default is 953. +.. option:: -p port + + This option specifies the command channel port where :iscman:`named` listens for + connections from :iscman:`rndc`. The default is 953. + +.. option:: -q -``-q`` This option prevets printing the written path in automatic configuration mode. -``-s address`` - This option specifies the IP address where ``named`` listens for command-channel - connections from ``rndc``. The default is the loopback address +.. option:: -s address + + This option specifies the IP address where :iscman:`named` listens for command-channel + connections from :iscman:`rndc`. The default is the loopback address 127.0.0.1. -``-t chrootdir`` - This option is used with the ``-a`` option to specify a directory where ``named`` +.. 
option:: -t chrootdir + + This option is used with the :option:`-a` option to specify a directory where :iscman:`named` runs chrooted. An additional copy of the ``rndc.key`` is written relative to this directory, so that it is found by the - chrooted ``named``. + chrooted :iscman:`named`. + +.. option:: -u user -``-u user`` - This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file. - If ``-t`` is also specified, only the file in the chroot + This option is used with the :option:`-a` option to set the owner of the generated ``rndc.key`` file. + If :option:`-t` is also specified, only the file in the chroot area has its owner changed. Examples ~~~~~~~~ -To allow ``rndc`` to be used with no manual configuration, run: +To allow :iscman:`rndc` to be used with no manual configuration, run: ``rndc-confgen -a`` -To print a sample ``rndc.conf`` file and the corresponding ``controls`` and -``key`` statements to be manually inserted into ``named.conf``, run: +To print a sample :iscman:`rndc.conf` file and the corresponding ``controls`` and +``key`` statements to be manually inserted into :iscman:`named.conf`, run: -``rndc-confgen`` +:program:`rndc-confgen` See Also ~~~~~~~~ -:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual. +:iscman:`rndc(8) `, :iscman:`rndc.conf(5) `, :iscman:`named(8) `, BIND 9 Administrator Reference Manual. diff --git a/bin/confgen/tsig-keygen.c b/bin/confgen/tsig-keygen.c index 11f65e0426..620717c626 100644 --- a/bin/confgen/tsig-keygen.c +++ b/bin/confgen/tsig-keygen.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -28,19 +30,13 @@ #include #include #include -#include #include #include #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include #include -#include #include @@ -57,7 +53,7 @@ const char *progname; static enum { progmode_keygen, progmode_confgen } progmode; bool verbose = false; /* needed by util.c but not used here */ -ISC_NORETURN static void +noreturn static void usage(int status); static void @@ -101,11 +97,6 @@ main(int argc, char **argv) { int len = 0; int ch; -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - result = isc_file_progname(*argv, program, sizeof(program)); if (result != ISC_R_SUCCESS) { memmove(program, "tsig-keygen", 11); @@ -129,14 +120,14 @@ main(int argc, char **argv) { } else if (PROGCMP("ddns-confgen")) { progmode = progmode_confgen; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_commandline_errprint = false; while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) != - -1) { + -1) + { switch (ch) { case 'a': algname = isc_commandline_argument; @@ -217,7 +208,7 @@ main(int argc, char **argv) { } /* Use canonical algorithm name */ - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); diff --git a/bin/confgen/tsig-keygen.rst b/bin/confgen/tsig-keygen.rst index 0d709b4122..7420bede43 100644 --- a/bin/confgen/tsig-keygen.rst +++ b/bin/confgen/tsig-keygen.rst 
@@ -1,101 +1,54 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. +.. highlight: console +.. BEWARE: Do not forget to edit also ddns-confgen.rst! -.. highlight: console +.. iscman:: tsig-keygen +.. program:: tsig-keygen +.. _man_tsig-keygen: -tsig-keygen, ddns-confgen - TSIG key generation tool ----------------------------------------------------- +tsig-keygen - TSIG key generation tool +-------------------------------------- Synopsis ~~~~~~~~ -:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name] - -:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone] +:program:`tsig-keygen` [**-a** algorithm] [**-h**] [name] Description ~~~~~~~~~~~ -``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a -utility that generates keys for use in TSIG signing. 
The resulting keys -can be used, for example, to secure dynamic DNS updates to a zone, or for -the ``rndc`` command channel. - -When run as ``tsig-keygen``, a domain name can be specified on the -command line to be used as the name of the generated key. If no -name is specified, the default is ``tsig-key``. +:program:`tsig-keygen` is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the :iscman:`rndc` command channel. -When run as ``ddns-confgen``, the key name can specified using ``-k`` -parameter and defaults to ``ddns-key``. The generated key is accompanied -by configuration text and instructions that can be used with ``nsupdate`` -and ``named`` when setting up dynamic DNS, including an example -``update-policy`` statement. (This usage is similar to the ``rndc-confgen`` -command for setting up command-channel security.) - -Note that ``named`` itself can configure a local DDNS key for use with -``nsupdate -l``; it does this when a zone is configured with -``update-policy local;``. ``ddns-confgen`` is only needed when a more -elaborate configuration is required: for instance, if ``nsupdate`` is to -be used from a remote system. +A domain name can be specified on the command line to be used as the name +of the generated key. If no name is specified, the default is ``tsig-key``. Options ~~~~~~~ -``-a algorithm`` +.. option:: -a algorithm + This option specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512. The default is hmac-sha256. Options are case-insensitive, and the "hmac-" prefix may be omitted. -``-h`` - This option prints a short summary of options and arguments. - -``-k keyname`` - This option specifies the key name of the DDNS authentication key. 
The - default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is - specified; otherwise, the default is ``ddns-key`` as a separate label - followed by the argument of the option, e.g., ``ddns-key.example.com.`` - The key name must have the format of a valid domain name, consisting of - letters, digits, hyphens, and periods. +.. option:: -h -``-q`` (``ddns-confgen`` only) - This option enables quiet mode, which prints only the key, with no - explanatory text or usage examples. This is essentially identical to - ``tsig-keygen``. - -``-s name`` (``ddns-confgen`` only) - This option generates a configuration example to allow dynamic updates - of a single hostname. The example ``named.conf`` text shows how to set - an update policy for the specified name using the "name" nametype. The - default key name is ``ddns-key.name``. Note that the "self" nametype - cannot be used, since the name to be updated may differ from the key - name. This option cannot be used with the ``-z`` option. - -``-z zone`` (``ddns-confgen`` only) - This option generates a configuration example to allow - dynamic updates of a zone. The example ``named.conf`` text shows how - to set an update policy for the specified zone using the "zonesub" - nametype, allowing updates to all subdomain names within that zone. - This option cannot be used with the ``-s`` option. + This option prints a short summary of options and arguments. See Also ~~~~~~~~ -:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual. +:iscman:`nsupdate(1) `, :iscman:`named.conf(5) `, :iscman:`named(8) `, BIND 9 Administrator Reference Manual. diff --git a/bin/confgen/util.c b/bin/confgen/util.c index 70afa2bc09..23b7f3fd57 100644 --- a/bin/confgen/util.c +++ b/bin/confgen/util.c 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -17,7 +19,7 @@ #include #include -#include +#include extern bool verbose; extern const char *progname; @@ -43,5 +45,6 @@ fatal(const char *format, ...) { vfprintf(stderr, format, args); va_end(args); fprintf(stderr, "\n"); + isc__tls_setfatalmode(); exit(1); } diff --git a/bin/confgen/util.h b/bin/confgen/util.h index 3426e70b7e..4ac83e5143 100644 --- a/bin/confgen/util.h +++ b/bin/confgen/util.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,15 +11,13 @@ * information regarding copyright ownership. */ -#ifndef RNDC_UTIL_H -#define RNDC_UTIL_H 1 +#pragma once /*! \file */ #include #include #include -#include #define NS_CONTROL_PORT 953 @@ -36,9 +36,7 @@ ISC_LANG_BEGINDECLS void notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2); -ISC_NORETURN void +noreturn void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); ISC_LANG_ENDDECLS - -#endif /* RNDC_UTIL_H */ diff --git a/bin/delv/Makefile.am b/bin/delv/Makefile.am index 54050232bf..032da0e545 100644 --- a/bin/delv/Makefile.am +++ b/bin/delv/Makefile.am @@ -4,8 +4,8 @@ AM_CPPFLAGS += \ -I$(top_builddir)/include \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ - $(LIBISCCFG_CFLAGS) \ - $(LIBIRS_CFLAGS) + $(LIBNS_CFLAGS) \ + $(LIBISCCFG_CFLAGS) AM_CPPFLAGS += \ -DSYSCONFDIR=\"${sysconfdir}\" 
@@ -14,8 +14,9 @@ bin_PROGRAMS = delv delv_SOURCES = \ delv.c + delv_LDADD = \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) \ - $(LIBISCCFG_LIBS) \ - $(LIBIRS_LIBS) + $(LIBNS_LIBS) \ + $(LIBISCCFG_LIBS) diff --git a/bin/delv/delv.c b/bin/delv/delv.c index b1af11d8c4..ce22835ef5 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -23,50 +25,58 @@ #include #include -#include +#include #include #include #include #include -#include #include #include #include #include #include #include -#include +#include +#include #include -#include #include -#include #include +#include #include +#include #include +#include #include +#include #include #include #include -#include #include #include +#include #include #include #include #include #include #include +#include #include +#include #include +#include #include #include -#include #include #include +#include +#include +#include + #include #define CHECK(r) \ 
@@ -79,33 +89,54 @@ #define MAXNAME (DNS_NAME_MAXTEXT + 1) /* Variables used internally by delv. */ -char *progname; +char *progname = NULL; static isc_mem_t *mctx = NULL; static isc_log_t *lctx = NULL; +static dns_view_t *view = NULL; +static ns_server_t *sctx = NULL; +static ns_interface_t *ifp = NULL; +static dns_dispatch_t *dispatch = NULL; +static dns_db_t *roothints = NULL; +static isc_stats_t *resstats = NULL; +static dns_stats_t *resquerystats = NULL; +static FILE *logfp = NULL; + +/* Managers */ +static isc_nm_t *netmgr = NULL; +static isc_loopmgr_t *loopmgr = NULL; +static dns_dispatchmgr_t *dispatchmgr = NULL; +static dns_requestmgr_t *requestmgr = NULL; +static ns_interfacemgr_t *interfacemgr = NULL; + +/* TLS */ +static isc_tlsctx_cache_t *tlsctx_client_cache = NULL; /* Configurables */ static char *server = NULL; static const char *port = "53"; +static uint32_t destport = 53; static isc_sockaddr_t *srcaddr4 = NULL, *srcaddr6 = NULL; static isc_sockaddr_t a4, a6; static char *curqname = NULL, *qname = NULL; static bool classset = false; static dns_rdatatype_t qtype = dns_rdatatype_none; static bool typeset = false; +static const char *hintfile = NULL; static unsigned int styleflags = 0; static uint32_t splitwidth = 0xffffffff; static bool showcomments = true, showdnssec = true, showtrust = true, rrcomments = true, noclass = false, nocrypto = false, nottl = false, multiline = false, short_form = false, print_unknown_format = false, - yaml = false; + yaml = false, fulltrace = false; static bool resolve_trace = false, validator_trace = false, - message_trace = false; + message_trace = false, send_trace = false; static bool use_ipv4 = true, use_ipv6 = true; static bool cdflag = false, no_sigs = false, root_validation = true; +static bool qmin = false, qmin_strict = false; static bool use_tcp = false; 
@@ -116,7 +147,10 @@ static int num_keys = 0; static dns_fixedname_t afn; static dns_name_t *anchor_name = NULL; -/* Default bind.keys contents */ +static dns_master_style_t *style = NULL; +static dns_fixedname_t qfn; + +/* Default trust anchors */ static char anchortext[] = TRUST_ANCHORS; /* @@ -183,8 +217,12 @@ usage(void) { "records)\n" " +[no]mtrace (Trace messages " "received)\n" + " +[no]ns (Run internal name " + "server)\n" " +[no]multiline (Print records in an " "expanded format)\n" + " +[no]qmin[=mode] (QNAME minimization: " + "relaxed or strict)\n" " +[no]root (DNSSEC validation trust " "anchor)\n" " +[no]rrcomments (Control display of " @@ -195,6 +233,8 @@ usage(void) { " +[no]short (Short form answer)\n" " +[no]split=## (Split hex/base64 fields " "into chunks)\n" + " +[no]strace (Trace messages " + "sent)\n" " +[no]tcp (TCP mode)\n" " +[no]ttl (Control display of ttls " "in records)\n" @@ -210,7 +250,7 @@ usage(void) { exit(1); } -ISC_NORETURN static void +noreturn static void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); static void @@ -223,6 +263,7 @@ fatal(const char *format, ...) { vfprintf(stderr, format, args); va_end(args); fprintf(stderr, "\n"); + isc__tls_setfatalmode(); exit(1); } @@ -274,6 +315,7 @@ setup_logging(FILE *errout) { isc_result_t result; isc_logdestination_t destination; isc_logconfig_t *logconfig = NULL; + int packetlevel = 10; isc_log_create(mctx, &lctx, &logconfig); isc_log_registercategories(lctx, categories); @@ -326,9 +368,12 @@ setup_logging(FILE *errout) { } } - if (message_trace && loglevel < 10) { + if (send_trace) { + packetlevel = 11; + } + if ((message_trace || send_trace) && loglevel < packetlevel) { isc_log_createchannel(logconfig, "messages", ISC_LOG_TOFILEDESC, - ISC_LOG_DEBUG(10), &destination, + ISC_LOG_DEBUG(packetlevel), &destination, ISC_LOG_PRINTPREFIX); result = isc_log_usechannel(logconfig, "messages", 
@@ -418,9 +463,8 @@ print_status(dns_rdataset_t *rdataset) { } } -static isc_result_t -printdata(dns_rdataset_t *rdataset, dns_name_t *owner, - dns_master_style_t *style) { +static void +printdata(dns_rdataset_t *rdataset, dns_name_t *owner) { isc_result_t result = ISC_R_SUCCESS; static dns_trust_t trust; static bool first = true; @@ -432,12 +476,13 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner, if (!dns_rdataset_isassociated(rdataset)) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(owner, namebuf, sizeof(namebuf)); - delv_log(ISC_LOG_DEBUG(4), "WARN: empty rdataset %s", namebuf); - return (ISC_R_SUCCESS); + delv_log(ISC_LOG_DEBUG(4), "warning: empty rdataset %s", + namebuf); + return; } if (!showdnssec && rdataset->type == dns_rdatatype_rrsig) { - return (ISC_R_SUCCESS); + return; } if (first || rdataset->trust != trust) { @@ -460,7 +505,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner, result = dns_rdataset_next(rdataset)) { if ((rdataset->attributes & - DNS_RDATASETATTR_NEGATIVE) != 0) { + DNS_RDATASETATTR_NEGATIVE) != 0) + { continue; } @@ -484,7 +530,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner, } else { dns_indent_t indent = { " ", 2 }; if (!yaml && (rdataset->attributes & - DNS_RDATASETATTR_NEGATIVE) != 0) { + DNS_RDATASETATTR_NEGATIVE) != 0) + { isc_buffer_putstr(&target, "; "); } result = dns_master_rdatasettotext( @@ -509,16 +556,11 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner, if (t != NULL) { isc_mem_put(mctx, t, len); } - - return (ISC_R_SUCCESS); } static isc_result_t -setup_style(dns_master_style_t **stylep) { +setup_style(void) { isc_result_t result; - dns_master_style_t *style = NULL; - - REQUIRE(stylep != NULL && *stylep == NULL); styleflags |= DNS_STYLEFLAG_REL_OWNER; if (yaml) { @@ -559,9 +601,6 @@ setup_style(dns_master_style_t **stylep) { 48, 80, 8, splitwidth, mctx); } - if (result == ISC_R_SUCCESS) { - *stylep = style; - } return (result); } 
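Review bot: The rewritten `setup_style()` drops the `REQUIRE(stylep != NULL && *stylep == NULL)` guard and now fills the file-static `style` instead, so a second call would silently overwrite (and presumably leak) an already-created style object. Adding `REQUIRE(style == NULL);` as the first statement of the function keeps the original single-initialisation contract without changing the new signature. The rest of setup_style, including the line where `style` is actually created, lies outside this hunk.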
@@ -569,7 +608,7 @@ static isc_result_t convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) { isc_result_t result; isc_buffer_t b; - dns_name_t *n; + dns_name_t *n = NULL; unsigned int len; REQUIRE(fn != NULL && name != NULL && text != NULL); @@ -581,7 +620,7 @@ convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) { result = dns_name_fromtext(n, &b, dns_rootname, 0, NULL); if (result != ISC_R_SUCCESS) { - delv_log(ISC_LOG_ERROR, "failed to convert QNAME %s: %s", text, + delv_log(ISC_LOG_ERROR, "failed to convert name %s: %s", text, isc_result_totext(result)); return (result); } @@ -591,7 +630,7 @@ convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) { } static isc_result_t -key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { +key_fromconfig(const cfg_obj_t *key, dns_client_t *client, dns_view_t *toview) { dns_rdata_dnskey_t dnskey; dns_rdata_ds_t ds; uint32_t rdata1, rdata2, rdata3; @@ -616,6 +655,8 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { } anchortype; const cfg_obj_t *obj; + REQUIRE(client != NULL || toview != NULL); + keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); CHECK(convert_name(&fkeyname, &keyname, keynamestr)); @@ -709,9 +750,15 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { CHECK(dns_rdata_fromstruct(NULL, dnskey.common.rdclass, dnskey.common.rdtype, &dnskey, &rrdatabuf)); - CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in, - dns_rdatatype_dnskey, keyname, - &rrdatabuf)); + if (client != NULL) { + CHECK(dns_client_addtrustedkey( + client, dns_rdataclass_in, dns_rdatatype_dnskey, + keyname, &rrdatabuf)); + } else if (toview != NULL) { + CHECK(dns_view_addtrustedkey(toview, + dns_rdatatype_dnskey, + keyname, &rrdatabuf)); + } break; case INITIAL_DS: case STATIC_DS: 
@@ -752,9 +799,14 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { CHECK(dns_rdata_fromstruct(NULL, ds.common.rdclass, ds.common.rdtype, &ds, &rrdatabuf)); - CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in, - dns_rdatatype_ds, keyname, - &rrdatabuf)); + if (client != NULL) { + CHECK(dns_client_addtrustedkey( + client, dns_rdataclass_in, dns_rdatatype_ds, + keyname, &rrdatabuf)); + } else if (toview != NULL) { + CHECK(dns_view_addtrustedkey(toview, dns_rdatatype_ds, + keyname, &rrdatabuf)); + } } num_keys++; @@ -778,7 +830,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { } static isc_result_t -load_keys(const cfg_obj_t *keys, dns_client_t *client) { +load_keys(const cfg_obj_t *keys, dns_client_t *client, dns_view_t *toview) { const cfg_listelt_t *elt, *elt2; const cfg_obj_t *key, *keylist; isc_result_t result = ISC_R_SUCCESS; @@ -788,9 +840,10 @@ load_keys(const cfg_obj_t *keys, dns_client_t *client) { keylist = cfg_listelt_value(elt); for (elt2 = cfg_list_first(keylist); elt2 != NULL; - elt2 = cfg_list_next(elt2)) { + elt2 = cfg_list_next(elt2)) + { key = cfg_listelt_value(elt2); - CHECK(key_fromconfig(key, client)); + CHECK(key_fromconfig(key, client, toview)); } } @@ -802,23 +855,18 @@ load_keys(const cfg_obj_t *keys, dns_client_t *client) { } static isc_result_t -setup_dnsseckeys(dns_client_t *client) { +setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) { isc_result_t result; cfg_parser_t *parser = NULL; const cfg_obj_t *trusted_keys = NULL; const cfg_obj_t *managed_keys = NULL; const cfg_obj_t *trust_anchors = NULL; cfg_obj_t *bindkeys = NULL; - const char *filename = anchorfile; if (!root_validation) { return (ISC_R_SUCCESS); } - if (filename == NULL) { - filename = SYSCONFDIR "/bind.keys"; - } - if (trust_anchor == NULL) { trust_anchor = isc_mem_strdup(mctx, "."); } 
@@ -829,26 +877,22 @@ setup_dnsseckeys(dns_client_t *client) { CHECK(cfg_parser_create(mctx, dns_lctx, &parser)); - if (access(filename, R_OK) != 0) { - if (anchorfile != NULL) { + if (anchorfile != NULL) { + if (access(anchorfile, R_OK) != 0) { fatal("Unable to read key file '%s'", anchorfile); } - } else { - result = cfg_parse_file(parser, filename, &cfg_type_bindkeys, + + result = cfg_parse_file(parser, anchorfile, &cfg_type_bindkeys, &bindkeys); if (result != ISC_R_SUCCESS) { - if (anchorfile != NULL) { - fatal("Unable to load keys from '%s'", - anchorfile); - } + fatal("Unable to load keys from '%s'", anchorfile); } - } - - if (bindkeys == NULL) { + } else { isc_buffer_t b; isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1); isc_buffer_add(&b, sizeof(anchortext) - 1); + cfg_parser_reset(parser); result = cfg_parse_buffer(parser, &b, NULL, 0, &cfg_type_bindkeys, 0, &bindkeys); if (result != ISC_R_SUCCESS) { @@ -862,13 +906,13 @@ setup_dnsseckeys(dns_client_t *client) { cfg_map_get(bindkeys, "trust-anchors", &trust_anchors); if (trusted_keys != NULL) { - CHECK(load_keys(trusted_keys, client)); + CHECK(load_keys(trusted_keys, client, toview)); } if (managed_keys != NULL) { - CHECK(load_keys(managed_keys, client)); + CHECK(load_keys(managed_keys, client, toview)); } if (trust_anchors != NULL) { - CHECK(load_keys(trust_anchors, client)); + CHECK(load_keys(trust_anchors, client, toview)); } result = ISC_R_SUCCESS; 
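Review bot: The new `else` branch in `setup_dnsseckeys()` falls back to the compiled-in `anchortext` whenever no `-a` file is given, whereas the removed code first tried `SYSCONFDIR "/bind.keys"`; nothing in the hunk records that this fallback is gone, so a reader of the `else` branch cannot tell it is intentional. A one-line comment such as `/* No -a given: use the compiled-in trust anchors; bind.keys is no longer consulted. */` before `isc_buffer_t b;` would make that explicit, and the delv usage text and man page should say the same if they still mention bind.keys (not visible here). The `access(anchorfile, R_OK)` pre-check also only duplicates what the following `cfg_parse_file()` failure already reports, so the two `fatal()` paths differ in wording alone.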
@@ -892,21 +936,15 @@ setup_dnsseckeys(dns_client_t *client) { static isc_result_t addserver(dns_client_t *client) { - struct addrinfo hints, *res, *cur; + struct addrinfo hints, *res = NULL, *cur = NULL; int gaierror; struct in_addr in4; struct in6_addr in6; - isc_sockaddr_t *sa; + isc_sockaddr_t *sa = NULL; isc_sockaddrlist_t servers; - uint32_t destport; isc_result_t result; dns_name_t *name = NULL; - result = parse_uint(&destport, port, 0xffff, "port"); - if (result != ISC_R_SUCCESS) { - fatal("Couldn't parse port number"); - } - ISC_LIST_INIT(servers); if (inet_pton(AF_INET, server, &in4) == 1) { @@ -946,14 +984,16 @@ addserver(dns_client_t *client) { result = ISC_R_SUCCESS; for (cur = res; cur != NULL; cur = cur->ai_next) { if (cur->ai_family != AF_INET && - cur->ai_family != AF_INET6) { + cur->ai_family != AF_INET6) + { continue; } sa = isc_mem_get(mctx, sizeof(*sa)); - memset(sa, 0, sizeof(*sa)); + *sa = (isc_sockaddr_t){ + .length = (unsigned int)cur->ai_addrlen, + }; ISC_LINK_INIT(sa, link); memmove(&sa->type, cur->ai_addr, cur->ai_addrlen); - sa->length = (unsigned int)cur->ai_addrlen; ISC_LIST_APPEND(servers, sa, link); } freeaddrinfo(res); @@ -982,13 +1022,7 @@ findserver(dns_client_t *client) { isc_result_t result; irs_resconf_t *resconf = NULL; isc_sockaddrlist_t *nameservers; - isc_sockaddr_t *sa, *next; - uint32_t destport; - - result = parse_uint(&destport, port, 0xffff, "port"); - if (result != ISC_R_SUCCESS) { - fatal("Couldn't parse port number"); - } + isc_sockaddr_t *sa = NULL, *next = NULL; result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf); if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) { 
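Review bot: The compound-literal initialisation in the `addserver()` loop records `cur->ai_addrlen` as `sa->length` and then `memmove()`s that many bytes into `sa->type` without checking that they fit; the `AF_INET`/`AF_INET6` filter makes an oversized result unlikely, but the copy is still not bounded by `sizeof(sa->type)` (the declaration of `type` is not visible here, so the exact bound is inferred). A guard such as `if (cur->ai_addrlen > sizeof(sa->type)) { continue; }` placed before `isc_mem_get()`, or an `INSIST(cur->ai_addrlen <= sizeof(sa->type));`, would keep the copy provably in bounds. addserver's body continues beyond the hunk.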
@@ -1142,9 +1176,26 @@ plus_option(char *option) { goto invalid_option; } break; + case 'h': + switch (cmd[1]) { + case 'i': /* hint */ + if (state) { + if (value == NULL) { + fatal("+hint: must specify hint file"); + } + hintfile = value; + } else { + hintfile = NULL; + } + break; + default: + goto invalid_option; + } + break; case 'm': switch (cmd[1]) { case 't': /* mtrace */ + FULLCHECK("mtrace"); message_trace = state; if (state) { resolve_trace = state; @@ -1158,6 +1209,41 @@ plus_option(char *option) { goto invalid_option; } break; + case 'n': + switch (cmd[1]) { + case 's': /* ns */ + FULLCHECK("ns"); + fulltrace = state; + if (state) { + message_trace = state; + send_trace = state; + resolve_trace = state; + logfp = stdout; + } + break; + default: + goto invalid_option; + } + break; + case 'q': /* qmin */ + FULLCHECK("qmin"); + if (state) { + if (value == NULL || strcasecmp(value, "relaxed") == 0) + { + qmin = true; + } else if (strcasecmp(value, "strict") == 0) { + qmin = true; + qmin_strict = true; + } else { + fatal("Invalid qmin option '%s': " + "use 'relaxed' or 'strict'\n", + value); + } + } else { + qmin = false; + qmin_strict = false; + } + break; case 'r': switch (cmd[1]) { case 'o': /* root */ @@ -1227,6 +1313,13 @@ plus_option(char *option) { fatal("Couldn't parse split"); } break; + case 't': /* strace */ + FULLCHECK("strace"); + send_trace = state; + if (state) { + message_trace = state; + } + break; default: goto invalid_option; } @@ -1241,9 +1334,20 @@ plus_option(char *option) { FULLCHECK("tcp"); use_tcp = state; break; - case 'r': /* trust */ - FULLCHECK("trust"); - showtrust = state; + case 'r': + switch (cmd[2]) { + case 'a': /* trace */ + FULLCHECK("trace"); + fatal("Invalid argument +trace. For " + "delegation path tracing, use +ns."); + break; + case 'u': /* trust */ + FULLCHECK("trust"); + showtrust = state; + break; + default: + goto invalid_option; + } break; case 't': /* ttl */ FULLCHECK("ttl"); 
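Review bot: The new `+hint` case accepts any `+hi…` spelling because, unlike the `+mtrace`, `+ns`, `+qmin` and `+strace` cases added by the same commit, it never calls `FULLCHECK("hint")`; the prefix-only match on `cmd[1] == 'i'` lets a typo such as `+hintz=file` through silently. Adding `FULLCHECK("hint");` as the first statement of `case 'i':` makes the option consistent with its siblings. plus_option() starts outside the hunk, so whether older options also skip FULLCHECK cannot be confirmed from here.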
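Review bot: The `fatal()` call in the new `+qmin` branch ends its format string with `\n`, but delv.c's `fatal()` already appends a newline after `vfprintf()` (the `fprintf(stderr, "\n")` line in the fatal hunk), so the invalid-value message is followed by a blank line; every other `fatal()` call in this hunk omits the trailing newline. Drop it: `fatal("Invalid qmin option '%s': use 'relaxed' or 'strict'", value);`.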
@@ -1276,6 +1380,10 @@ plus_option(char *option) { fprintf(stderr, "Invalid option: +%s\n", option); usage(); } + + if (qmin && !fulltrace) { + fatal("'+qmin' cannot be used without '+ns'"); + } return; } @@ -1329,7 +1437,6 @@ dash_option(char *option, char *next, bool *open_type_class) { case 'h': usage(); exit(0); - /* NOTREACHED */ case 'i': no_sigs = true; root_validation = false; @@ -1338,12 +1445,10 @@ dash_option(char *option, char *next, bool *open_type_class) { /* handled in preparse_args() */ break; case 'v': - fprintf(stderr, "delv %s\n", PACKAGE_VERSION); + printf("delv %s\n", PACKAGE_VERSION); exit(0); - /* NOTREACHED */ default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (strlen(option) > 1U) { option = &option[1]; @@ -1430,6 +1535,10 @@ dash_option(char *option, char *next, bool *open_type_class) { return (value_from_next); case 'p': port = value; + result = parse_uint(&destport, port, 0xffff, "port"); + if (result != ISC_R_SUCCESS) { + fatal("Couldn't parse port number"); + } return (value_from_next); case 'q': if (curqname != NULL) { @@ -1449,7 +1558,8 @@ dash_option(char *option, char *next, bool *open_type_class) { warn("extra query type"); } if (rdtype == dns_rdatatype_ixfr || - rdtype == dns_rdatatype_axfr) { + rdtype == dns_rdatatype_axfr) + { fatal("Transfer not supported"); } qtype = rdtype; @@ -1481,7 +1591,7 @@ dash_option(char *option, char *next, bool *open_type_class) { fprintf(stderr, "Invalid option: -%s\n", option); usage(); } - /* NOTREACHED */ + UNREACHABLE(); return (false); } @@ -1528,7 +1638,8 @@ preparse_args(int argc, char **argv) { /* Look for dash value option. */ if (strpbrk(option, dash_opts) != &option[0] || - strlen(option) > 1U) { + strlen(option) > 1U) + { /* Error or value in option. */ continue; } 
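Review bot: The `if (qmin && !fulltrace)` check runs at the end of every `plus_option()` call, so it is order-dependent: `+qmin +ns` aborts while `+qmin` is being parsed because `fulltrace` is still false, whereas `+ns +qmin` is accepted. The check belongs after all options have been processed, for example at the end of `parse_args()`, as `if (qmin && !fulltrace) { fatal("'+qmin' cannot be used without '+ns'"); }`, and should be removed from here. plus_option() and parse_args() both start outside this hunk.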
@@ -1566,13 +1677,15 @@ parse_args(int argc, char **argv) { } else if (argv[0][0] == '-') { if (argc <= 1) { if (dash_option(&argv[0][1], NULL, - &open_type_class)) { + &open_type_class)) + { argc--; argv++; } } else { if (dash_option(&argv[0][1], argv[1], - &open_type_class)) { + &open_type_class)) + { argc--; argv++; } @@ -1591,7 +1704,8 @@ parse_args(int argc, char **argv) { warn("extra query type"); } if (rdtype == dns_rdatatype_ixfr || - rdtype == dns_rdatatype_axfr) { + rdtype == dns_rdatatype_axfr) + { fatal("Transfer not supported"); } qtype = rdtype; @@ -1680,10 +1794,9 @@ get_reverse(char *reverse, size_t len, char *value, bool strict) { /* This is a valid IPv6 address. */ dns_fixedname_t fname; dns_name_t *name; - unsigned int options = 0; name = dns_fixedname_initname(&fname); - result = dns_byaddr_createptrname(&addr, options, name); + result = dns_byaddr_createptrname(&addr, name); if (result != ISC_R_SUCCESS) { return (result); } 
@@ -1715,74 +1828,56 @@ get_reverse(char *reverse, size_t len, char *value, bool strict) { } } -int -main(int argc, char *argv[]) { - dns_client_t *client = NULL; - isc_result_t result; - dns_fixedname_t qfn; - dns_name_t *query_name, *response_name; +static void +resolve_cb(dns_client_t *client, const dns_name_t *query_name, + dns_namelist_t *namelist, isc_result_t result) { char namestr[DNS_NAME_FORMATSIZE]; dns_rdataset_t *rdataset; - dns_namelist_t namelist; - unsigned int resopt; - isc_appctx_t *actx = NULL; - isc_nm_t *netmgr = NULL; - isc_taskmgr_t *taskmgr = NULL; - isc_socketmgr_t *socketmgr = NULL; - isc_timermgr_t *timermgr = NULL; - dns_master_style_t *style = NULL; - struct sigaction sa; - - progname = argv[0]; - preparse_args(argc, argv); - - argc--; - argv++; - isc_lib_register(); - result = dns_lib_init(); - if (result != ISC_R_SUCCESS) { - fatal("dns_lib_init failed: %d", result); + if (result != ISC_R_SUCCESS && !yaml) { + delv_log(ISC_LOG_ERROR, "resolution failed: %s", + isc_result_totext(result)); } - isc_mem_create(&mctx); - - CHECK(isc_appctx_create(mctx, &actx)); - isc_managers_create(mctx, 1, 0, 0, &netmgr, &taskmgr, &timermgr, - &socketmgr); - - parse_args(argc, argv); + if (yaml) { + printf("type: DELV_RESULT\n"); + dns_name_format(query_name, namestr, sizeof(namestr)); + printf("query_name: %s\n", namestr); + printf("status: %s\n", isc_result_totext(result)); + printf("records:\n"); + } - CHECK(setup_style(&style)); + for (dns_name_t *response_name = ISC_LIST_HEAD(*namelist); + response_name != NULL; + response_name = ISC_LIST_NEXT(response_name, link)) + { + for (rdataset = ISC_LIST_HEAD(response_name->list); + rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) + { + printdata(rdataset, response_name); + } + } - setup_logging(stderr); + dns_client_freeresanswer(client, namelist); + isc_mem_put(mctx, namelist, sizeof(*namelist)); - CHECK(isc_app_ctxstart(actx)); + dns_client_detach(&client); - /* Unblock SIGINT if it's been 
blocked by isc_app_ctxstart() */ - memset(&sa, 0, sizeof(sa)); - sa.sa_handler = SIG_DFL; - if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0) { - fatal("Couldn't set up signal handler"); - } + isc_loopmgr_shutdown(loopmgr); +} - /* Create client */ - result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr, 0, - &client, srcaddr4, srcaddr6); - if (result != ISC_R_SUCCESS) { - delv_log(ISC_LOG_ERROR, "dns_client_create: %s", - isc_result_totext(result)); - goto cleanup; - } +static void +run_resolve(void *arg) { + dns_client_t *client = NULL; + dns_namelist_t *namelist = NULL; + unsigned int resopt; + isc_result_t result; + dns_name_t *query_name = NULL; - /* Set the nameserver */ - if (server != NULL) { - addserver(client); - } else { - findserver(client); - } + UNUSED(arg); - CHECK(setup_dnsseckeys(client)); + namelist = isc_mem_get(mctx, sizeof(*namelist)); + ISC_LIST_INIT(*namelist); /* Construct QNAME */ CHECK(convert_name(&qfn, &query_name, qname)); 
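Review bot: The two new static functions `resolve_cb` and `run_resolve` replace most of the old main but carry no header comment, and the ownership of `namelist` (allocated in run_resolve with isc_mem_get, freed in resolve_cb after dns_client_freeresanswer) is only discoverable by reading both. Suggest a comment above resolve_cb such as `/* Completion callback for dns_client_resolve(): prints the answer (text or YAML), releases the namelist and the client, then stops the loop. */` and above run_resolve `/* Loop-setup callback for the default (non-+ns) mode: builds the query name, creates the client and starts the resolution. */`. run_resolve's body continues past the end of this hunk.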
@@ -1802,39 +1897,355 @@ main(int argc, char *argv[]) { resopt |= DNS_CLIENTRESOPT_TCP; } + /* Create client */ + CHECK(dns_client_create(mctx, loopmgr, netmgr, 0, tlsctx_client_cache, + &client, srcaddr4, srcaddr6)); + + /* Set the nameserver */ + if (server != NULL) { + addserver(client); + } else { + findserver(client); + } + + CHECK(setup_dnsseckeys(client, NULL)); + /* Perform resolution */ - ISC_LIST_INIT(namelist); - result = dns_client_resolve(client, query_name, dns_rdataclass_in, - qtype, resopt, &namelist); - if (result != ISC_R_SUCCESS && !yaml) { + CHECK(dns_client_resolve(client, query_name, dns_rdataclass_in, qtype, + resopt, namelist, resolve_cb)); + return; +cleanup: + if (!yaml) { delv_log(ISC_LOG_ERROR, "resolution failed: %s", isc_result_totext(result)); } - if (yaml) { - printf("type: DELV_RESULT\n"); - dns_name_format(query_name, namestr, sizeof(namestr)); - printf("query_name: %s\n", namestr); - printf("status: %s\n", isc_result_totext(result)); - printf("records:\n"); + isc_mem_put(mctx, namelist, sizeof(*namelist)); + isc_loopmgr_shutdown(loopmgr); + + dns_client_detach(&client); +} + +static void +shutdown_server(void) { + if (requestmgr != NULL) { + dns_requestmgr_shutdown(requestmgr); + dns_requestmgr_detach(&requestmgr); + } + if (interfacemgr != NULL) { + ns_interfacemgr_shutdown(interfacemgr); + ns_interfacemgr_detach(&interfacemgr); + } + if (dispatch != NULL) { + dns_dispatch_detach(&dispatch); + } + if (dispatchmgr != NULL) { + dns_dispatchmgr_detach(&dispatchmgr); + } + if (sctx != NULL) { + ns_server_detach(&sctx); } - for (response_name = ISC_LIST_HEAD(namelist); response_name != NULL; - response_name = ISC_LIST_NEXT(response_name, link)) + isc_loopmgr_shutdown(loopmgr); +} + +static void +recvresponse(void *arg) { + dns_request_t *request = (dns_request_t *)arg; + dns_message_t *query = dns_request_getarg(request); + isc_result_t result = dns_request_getresult(request); + dns_message_t *response = NULL; + dns_name_t *prev = 
NULL; + + if (result != ISC_R_SUCCESS) { + fatal("request event result: %s", isc_result_totext(result)); + } + + dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); + + result = dns_request_getresponse(request, response, + DNS_MESSAGEPARSE_PRESERVEORDER); + if (result != ISC_R_SUCCESS) { + fatal("request response failed: %s", isc_result_totext(result)); + } + if (response->rcode != dns_rcode_noerror) { + result = dns_result_fromrcode(response->rcode); + delv_log(ISC_LOG_INFO, "response code: %s", + isc_result_totext(result)); + goto cleanup; + } + + for (result = dns_message_firstname(response, DNS_SECTION_ANSWER); + result == ISC_R_SUCCESS; + result = dns_message_nextname(response, DNS_SECTION_ANSWER)) { - for (rdataset = ISC_LIST_HEAD(response_name->list); - rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) + dns_name_t *name = NULL; + dns_rdataset_t *rdataset = NULL; + dns_rdatatype_t prevtype = 0; + + dns_message_currentname(response, DNS_SECTION_ANSWER, &name); + + for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { - result = printdata(rdataset, response_name, style); - if (result != ISC_R_SUCCESS) { - delv_log(ISC_LOG_ERROR, "print data failed"); + dns_rdataset_t rds, sigs; + int options = 0; + + /* + * The response message contains the answer the + * resolver found, but it doesn't contain the + * trust status. if we're not displaying that, + * fine, we can just print that version. + */ + if (!showtrust) { + printdata(rdataset, name); + continue; + } + + /* + * ... but if we are printing the trust status + * (which is the default behavior)), we'll need + * to retrieve a copy of the rdataset from the cache. + * if we do that for ever record, it will produce + * duplicate output, so we check here whether we've + * already printed this name and type. 
+ */ + if (prev != NULL && dns_name_equal(prev, name)) { + continue; + } + prev = name; + + if (prevtype == rdataset->type) { + continue; + } + prevtype = rdataset->type; + + /* do the cache lookup */ + if (rdataset->type == dns_rdatatype_rrsig) { + continue; + } + + dns_rdataset_init(&rds); + dns_rdataset_init(&sigs); + + if (cdflag) { + options |= DNS_DBFIND_PENDINGOK; + } + result = dns_view_simplefind(view, name, rdataset->type, + 0, options, false, &rds, + &sigs); + if (result == ISC_R_SUCCESS) { + printdata(&rds, name); + dns_rdataset_disassociate(&rds); + if (dns_rdataset_isassociated(&sigs)) { + printdata(&sigs, name); + dns_rdataset_disassociate(&sigs); + } } } } - dns_client_freeresanswer(client, &namelist); +cleanup: + dns_message_detach(&query); + dns_message_detach(&response); + dns_request_destroy(&request); + + dns_view_detach(&view); + shutdown_server(); +} + +static isc_result_t +accept_cb(isc_nmhandle_t *handle, isc_result_t result, void *arg) { + UNUSED(handle); + UNUSED(arg); + + return (result); +} + +static void +sendquery(void *arg) { + isc_nmsocket_t *sock = (isc_nmsocket_t *)arg; + isc_sockaddr_t peer = isc_nmsocket_getaddr(sock); + isc_result_t result; + dns_message_t *message = NULL; + dns_name_t *query_name = NULL, *mname = NULL; + dns_rdataset_t *mrdataset = NULL; + dns_rdataset_t *opt = NULL; + dns_request_t *request = NULL; + + /* Construct query message */ + CHECK(convert_name(&qfn, &query_name, qname)); + + dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message); + message->opcode = dns_opcode_query; + message->flags = DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_AD; + if (cdflag) { + message->flags |= DNS_MESSAGEFLAG_CD; + } + message->rdclass = dns_rdataclass_in; + message->id = (dns_messageid_t)isc_random16(); + + dns_message_gettempname(message, &mname); + dns_message_gettemprdataset(message, &mrdataset); + dns_name_clone(query_name, mname); + dns_rdataset_makequestion(mrdataset, dns_rdataclass_in, qtype); + 
ISC_LIST_APPEND(mname->list, mrdataset, link); + dns_message_addname(message, mname, DNS_SECTION_QUESTION); + mrdataset = NULL; + mname = NULL; + + CHECK(dns_message_buildopt(message, &opt, 0, 0, DNS_MESSAGEEXTFLAG_DO, + NULL, 0)); + CHECK(dns_message_setopt(message, opt)); + + CHECK(dns_requestmgr_create(mctx, loopmgr, dispatchmgr, NULL, NULL, + &requestmgr)); + + dns_view_attach(view, &(dns_view_t *){ NULL }); + CHECK(dns_request_create(requestmgr, message, NULL, &peer, NULL, NULL, + DNS_REQUESTOPT_TCP, NULL, 1, 0, 0, + isc_loop_current(loopmgr), recvresponse, + message, &request)); + return; + +cleanup: + if (message != NULL) { + dns_message_detach(&message); + } + + shutdown_server(); +} + +static isc_result_t +matchview(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, + dns_message_t *message, dns_aclenv_t *env, isc_result_t *sigresultp, + dns_view_t **viewp) { + UNUSED(srcaddr); + UNUSED(destaddr); + UNUSED(message); + UNUSED(env); + UNUSED(sigresultp); + + *viewp = view; + return (ISC_R_SUCCESS); +} + +static void +run_server(void *arg) { + isc_result_t result; + dns_cache_t *cache = NULL; + isc_sockaddr_t addr, any; + struct in_addr in; + + UNUSED(arg); + + RUNTIME_CHECK(inet_pton(AF_INET, "127.0.0.1", &in)); + isc_sockaddr_fromin(&addr, &in, 0); + + ns_server_create(mctx, matchview, &sctx); + + CHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr)); + isc_sockaddr_any(&any); + CHECK(dns_dispatch_createudp(dispatchmgr, &any, &dispatch)); + CHECK(ns_interfacemgr_create(mctx, sctx, loopmgr, netmgr, dispatchmgr, + NULL, false, &interfacemgr)); + + CHECK(dns_view_create(mctx, dispatchmgr, dns_rdataclass_in, "_default", + &view)); + CHECK(dns_cache_create(loopmgr, dns_rdataclass_in, "", &cache)); + dns_view_setcache(view, cache, false); + dns_cache_detach(&cache); + dns_view_setdstport(view, destport); + + CHECK(dns_rootns_create(mctx, dns_rdataclass_in, hintfile, &roothints)); + dns_view_sethints(view, roothints); + dns_db_detach(&roothints); + + 
view->qminimization = qmin; + view->qmin_strict = qmin_strict; + + dns_view_initsecroots(view); + CHECK(setup_dnsseckeys(NULL, view)); + + CHECK(dns_view_createresolver(view, loopmgr, 1, netmgr, 0, + tlsctx_client_cache, dispatch, NULL)); + + isc_stats_create(mctx, &resstats, dns_resstatscounter_max); + dns_resolver_setstats(view->resolver, resstats); + isc_stats_detach(&resstats); + + dns_rdatatypestats_create(mctx, &resquerystats); + dns_resolver_setquerystats(view->resolver, resquerystats); + dns_stats_detach(&resquerystats); + + dns_view_freeze(view); + + ns_interface_create(interfacemgr, &addr, NULL, &ifp); + + CHECK(isc_nm_listenstreamdns(netmgr, ISC_NM_LISTEN_ONE, &addr, + ns_client_request, ifp, accept_cb, ifp, 10, + NULL, NULL, &ifp->tcplistensocket)); + ifp->flags |= NS_INTERFACEFLAG_LISTENING; + isc_async_current(loopmgr, sendquery, ifp->tcplistensocket); + + return; cleanup: + if (view != NULL) { + dns_view_detach(&view); + } + shutdown_server(); +} + +int +main(int argc, char *argv[]) { + isc_result_t result; + isc_loop_t *loop = NULL; + + progname = argv[0]; + logfp = stderr; + + preparse_args(argc, argv); + + argc--; + argv++; + + isc_managers_create(&mctx, 1, &loopmgr, &netmgr); + loop = isc_loop_main(loopmgr); + + result = dst_lib_init(mctx, NULL); + if (result != ISC_R_SUCCESS) { + fatal("dst_lib_init failed: %d", result); + } + + parse_args(argc, argv); + + CHECK(setup_style()); + + setup_logging(logfp); + + if (!fulltrace && hintfile != NULL) { + delv_log(ISC_LOG_WARNING, + "WARNING: not using internal name server mode, " + "hint file will be ignored"); + } + + if (fulltrace && server != NULL) { + delv_log(ISC_LOG_WARNING, + "WARNING: using internal name server mode: " + "'@%s' will be ignored", + server); + } + + isc_tlsctx_cache_create(mctx, &tlsctx_client_cache); + + isc_loop_setup(loop, fulltrace ? 
run_server : run_resolve, NULL); + isc_loopmgr_run(loopmgr); + +cleanup: + if (tlsctx_client_cache != NULL) { + isc_tlsctx_cache_detach(&tlsctx_client_cache); + } if (trust_anchor != NULL) { isc_mem_free(mctx, trust_anchor); } @@ -1847,19 +2258,11 @@ main(int argc, char *argv[]) { if (style != NULL) { dns_master_styledestroy(&style, mctx); } - if (client != NULL) { - dns_client_destroy(&client); - } - isc_managers_destroy(&netmgr, &taskmgr, &timermgr, &socketmgr); - if (actx != NULL) { - isc_appctx_destroy(&actx); - } - if (lctx != NULL) { - isc_log_destroy(&lctx); - } - isc_mem_detach(&mctx); - dns_lib_shutdown(); + isc_log_destroy(&lctx); + dst_lib_destroy(); + + isc_managers_destroy(&mctx, &loopmgr, &netmgr); return (0); } diff --git a/bin/delv/delv.rst b/bin/delv/delv.rst index dc2ab4687a..2ab1f897f4 100644 --- a/bin/delv/delv.rst +++ b/bin/delv/delv.rst 
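Review bot: run_resolve's `cleanup:` label calls `dns_client_detach(&client)` unconditionally, but both `CHECK(convert_name(...))` (at the end of the previous hunk) and `CHECK(dns_client_create(...))` can jump there with `client` still NULL; if dns_client_detach rejects a NULL client, as the old `if (client != NULL)` guard around dns_client_destroy suggests it may, a bad query name becomes an assertion instead of the logged "resolution failed". Guarding it as `if (client != NULL) { dns_client_detach(&client); }` keeps the error path symmetric with the guards in shutdown_server. In sendquery, `dns_view_attach(view, &(dns_view_t *){ NULL });` takes an extra reference through a throwaway pointer that recvresponse later drops with `dns_view_detach(&view)`; that intent should be stated in a comment, and the reference appears not to be released on sendquery's own cleanup path.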
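Review bot: main still ends with `return (0);` on every path, so a failed resolution (logged in resolve_cb) or a `CHECK(setup_style())` failure that jumps to `cleanup:` exits with success, which scripts relying on the exit status cannot detect. A file-scope `static int exitcode = 0;`, set in resolve_cb with `if (result != ISC_R_SUCCESS) { exitcode = 1; }`, and `return (exitcode);` here would fix that. Separately, the commit drops the `if (lctx != NULL)` guard before `isc_log_destroy(&lctx)`, yet the setup_style failure path reaches cleanup before setup_logging has run; whether lctx is safe to destroy in that state is not visible here and is worth confirming.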
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: delv +.. program:: delv .. _man_delv: delv - DNS lookup and validation utility 
@@ -40,10 +32,10 @@ Synopsis Description ~~~~~~~~~~~ -``delv`` is a tool for sending DNS queries and validating the results, -using the same internal resolver and validator logic as ``named``. +:program:`delv` is a tool for sending DNS queries and validating the results, +using the same internal resolver and validator logic as :iscman:`named`. -``delv`` sends to a specified name server all queries needed to +:program:`delv` sends to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, queries for DNSKEY, and DS records to establish a chain of trust for 
@@ -52,25 +44,25 @@ simulates the behavior of a name server configured for DNSSEC validating and forwarding. By default, responses are validated using the built-in DNSSEC trust anchor -for the root zone ("."). Records returned by ``delv`` are either fully +for the root zone ("."). Records returned by :program:`delv` are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced -in detail. Because ``delv`` does not rely on an external server to carry +in detail. Because :program:`delv` does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy. -Unless it is told to query a specific name server, ``delv`` tries +Unless it is told to query a specific name server, :program:`delv` tries each of the servers listed in ``/etc/resolv.conf``. If no usable server -addresses are found, ``delv`` sends queries to the localhost +addresses are found, :program:`delv` sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6). -When no command-line arguments or options are given, ``delv`` +When no command-line arguments or options are given, :program:`delv` performs an NS query for "." (the root zone). Simple Usage ~~~~~~~~~~~~ -A typical invocation of ``delv`` looks like: +A typical invocation of :program:`delv` looks like: :: 
@@ -78,125 +70,143 @@ A typical invocation of ``delv`` looks like: where: -``server`` +.. option:: server + is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied ``server`` argument is a - hostname, ``delv`` resolves that name before querying that name + hostname, :program:`delv` resolves that name before querying that name server (note, however, that this initial lookup is *not* validated by DNSSEC). - If no ``server`` argument is provided, ``delv`` consults + If no ``server`` argument is provided, :program:`delv` consults ``/etc/resolv.conf``; if an address is found there, it queries the - name server at that address. If either of the ``-4`` or ``-6`` + name server at that address. If either of the :option:`-4` or :option:`-6` options is in use, then only addresses for the corresponding - transport are tried. If no usable addresses are found, ``delv`` + transport are tried. If no usable addresses are found, :program:`delv` sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6). -``name`` +.. option:: name + is the domain name to be looked up. -``type`` +.. option:: type + indicates what type of query is required - ANY, A, MX, etc. ``type`` can be any valid query type. If no ``type`` argument is - supplied, ``delv`` performs a lookup for an A record. + supplied, :program:`delv` performs a lookup for an A record. Options ~~~~~~~ -``-a anchor-file`` - This option specifies a file from which to read DNSSEC trust anchors. The default - is ``/etc/bind.keys``, which is included with BIND 9 and contains one - or more trust anchors for the root zone ("."). +.. option:: -a anchor-file + + This option specifies a file from which to read an alternate + DNSSEC root zone trust anchor. + + By default, keys that do not match the root zone name (`.`) are + ignored. 
If an alternate key name is desired, it can be + specified using the :option:`+root` option. - Keys that do not match the root zone name are ignored. An alternate - key name can be specified using the ``+root=NAME`` options. + Note: When reading trust anchors, :program:`delv` treats + ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That + is, for a managed key, it is the *initial* key that is trusted; + :rfc:`5011` key management is not supported. :program:`delv` does not + consult the managed-keys database maintained by :iscman:`named`. This + means that if the default key built in to :program:`delv` is revoked, + :program:`delv` must be updated to a newer version in order to continue + validating. - Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``, - ``initial-key``, and ``static-key`` identically. That is, for a managed key, - it is the *initial* key that is trusted; :rfc:`5011` key management is not - supported. ``delv`` does not consult the managed-keys database maintained by - ``named``, which means that if either of the keys in ``/etc/bind.keys`` is - revoked and rolled over, ``/etc/bind.keys`` must be updated to - use DNSSEC validation in ``delv``. +.. option:: -b address -``-b address`` This option sets the source IP address of the query to ``address``. This must be a valid address on one of the host's network interfaces, or ``0.0.0.0``, or ``::``. An optional source port may be specified by appending ``#`` -``-c class`` +.. option:: -c class + This option sets the query class for the requested data. Currently, only class - "IN" is supported in ``delv`` and any other value is ignored. + "IN" is supported in :program:`delv` and any other value is ignored. + +.. option:: -d level -``-d level`` This option sets the systemwide debug level to ``level``. The allowed range is from 0 to 99. The default is 0 (no debugging). Debugging traces from - ``delv`` become more verbose as the debug level increases. 
See the - ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for + :program:`delv` become more verbose as the debug level increases. See the + :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for additional debugging details. -``-h`` - This option displays the ``delv`` help usage output and exits. +.. option:: -h + + This option displays the :program:`delv` help usage output and exits. + +.. option:: -i -``-i`` This option sets insecure mode, which disables internal DNSSEC validation. (Note, however, that this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it does - not return invalid data; this can cause ``delv`` to time out. When it + not return invalid data; this can cause :program:`delv` to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use - ``dig +cd``.) + :option:`dig +cd`.) + +.. option:: -m -``-m`` This option enables memory usage debugging. -``-p port#`` +.. option:: -p port# + This option specifies a destination port to use for queries, instead of the standard DNS port number 53. This option is used with a name server that has been configured to listen for queries on a non-standard port number. -``-q name`` +.. option:: -q name + This option sets the query name to ``name``. While the query name can be - specified without using the ``-q`` option, it is sometimes necessary to + specified without using the :option:`-q` option, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH). -``-t type`` +.. option:: -t type + This option sets the query type to ``type``, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. 
As - with ``-q``, this is useful to distinguish query-name types or classes + with :option:`-q`, this is useful to distinguish query-name types or classes when they are ambiguous. It is sometimes necessary to disambiguate names from types. - The default query type is "A", unless the ``-x`` option is supplied + The default query type is "A", unless the :option:`-x` option is supplied to indicate a reverse lookup, in which case it is "PTR". -``-v`` - This option prints the ``delv`` version and exits. +.. option:: -v + + This option prints the :program:`delv` version and exits. + +.. option:: -x addr -``-x addr`` This option performs a reverse lookup, mapping an address to a name. ``addr`` is an IPv4 address in dotted-decimal notation, or a colon-delimited - IPv6 address. When ``-x`` is used, there is no need to provide the - ``name`` or ``type`` arguments; ``delv`` automatically performs a + IPv6 address. When :option:`-x` is used, there is no need to provide the + ``name`` or ``type`` arguments; :program:`delv` automatically performs a lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. -``-4`` - This option forces ``delv`` to only use IPv4. +.. option:: -4 -``-6`` - This option forces ``delv`` to only use IPv6. + This option forces :program:`delv` to only use IPv4. + +.. option:: -6 + + This option forces :program:`delv` to only use IPv6. Query Options ~~~~~~~~~~~~~ -``delv`` provides a number of query options which affect the way results +:program:`delv` provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. Each query option is identified by a keyword preceded by a plus sign 
@@ -205,69 +215,121 @@ the string ``no`` to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form ``+keyword=value``. The query options are: -``+[no]cdflag`` +.. option:: +cdflag, +nocdflag + This option controls whether to set the CD (checking disabled) bit in queries - sent by ``delv``. This may be useful when troubleshooting DNSSEC + sent by :program:`delv`. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver. A validating resolver blocks invalid responses, making it difficult to retrieve them for analysis. Setting the CD flag on queries causes the resolver - to return invalid responses, which ``delv`` can then validate + to return invalid responses, which :program:`delv` can then validate internally and report the errors in detail. -``+[no]class`` +.. option:: +class, +noclass + This option controls whether to display the CLASS when printing a record. The default is to display the CLASS. -``+[no]ttl`` +.. option:: +hint=FILE, +nohint + + This option specifies a filename from which to load root hints; + this will be used to find the root name servers when name server + mode (``delv +ns``) is in use. If the option is not specified, + built-in root hints will be used. + +.. option:: +ns, +nons + + This option toggles name server mode. When this option is in use, + the ``delv`` process instantiates a full recursive resolver, and uses + that to look up the requested query name and type. Turning on this + option also activates ``+mtrace``, ``+strace`` and ``+rtrace``, so that + every iterative query will be logged, including the full response messages + from each authoritatve server. These logged messages will be written + to ``stdout`` rather than ``stderr`` as usual, so that the full trace + can be captured more easily. 
+ + This is intended to be similar to the behavior of ``dig +trace``, but + because it uses the same code as ``named``, it much more accurately + replicates the behavior of a recursive name server with a cold cache + that is processing a recursive query. + +.. option:: +qmin[=MODE], +noqmin + + When used with ``+ns``, this option enables QNAME minimization mode. + Valid options of MODE are ``relaxed`` and ``strict``. By default, + QNAME minimization is disabled. If ``+qmin`` is specified but MODE + is omitted, then ``relaxed`` mode will be used. + +.. option:: +ttl, +nottl + This option controls whether to display the TTL when printing a record. The default is to display the TTL. -``+[no]rtrace`` - This option toggles resolver fetch logging. This reports the name and type of each - query sent by ``delv`` in the process of carrying out the resolution - and validation process, including the original query - and all subsequent queries to follow CNAMEs and to establish a chain - of trust for DNSSEC validation. +.. option:: +rtrace, +nortrace + + This option toggles resolver fetch logging. This reports the name and + type of each query sent by :program:`delv` in the process of carrying + out the resolution and validation process, including the original query + and all subsequent queries to follow CNAMEs and to establish a chain of + trust for DNSSEC validation. This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the - ``-d`` option produces the same output, but affects other + :option:`-d` option produces the same output, but affects other logging categories as well. -``+[no]mtrace`` - This option toggles message logging. This produces a detailed dump of the - responses received by ``delv`` in the process of carrying out the - resolution and validation process. +.. option:: +mtrace, +nomtrace + + This option toggles logging of messages received. 
This produces + a detailed dump of the responses received by :program:`delv` in the + process of carrying out the resolution and validation process. This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category. Setting the systemwide - debug level to 10 using the ``-d`` option produces the same + debug level to 10 using the :option:`-d` option produces the same output, but affects other logging categories as well. -``+[no]vtrace`` +.. option:: +strace, +nostrace + + This option toggles logging of messages sent. This produces a detailed + dump of the queries sent by :program:`delv` in the process of carrying + out the resolution and validation process. Turning on this option + also activates ``+mtrace``. + + This is equivalent to setting the debug level to 11 for the "packets" + module of the "resolver" logging category. Setting the systemwide + debug level to 11 using the :option:`-d` option produces the same + output, but affects other logging categories as well. + +.. option:: +vtrace, +novtrace + This option toggles validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid. This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category. Setting the - systemwide debug level to 3 using the ``-d`` option produces the + systemwide debug level to 3 using the :option:`-d` option produces the same output, but affects other logging categories as well. -``+[no]short`` +.. option:: +short, +noshort + This option toggles between verbose and terse answers. The default is to print the answer in a verbose form. -``+[no]comments`` +.. option:: +comments, +nocomments + This option toggles the display of comment lines in the output. The default is to print comments. -``+[no]rrcomments`` +.. 
option:: +rrcomments, +norrcomments + This option toggles the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is to print per-record comments. -``+[no]crypto`` +.. option:: +crypto, +nocrypto + This option toggles the display of cryptographic fields in DNSSEC records. The contents of these fields are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the 
@@ -275,62 +337,69 @@ assign values to options like the timeout interval. They have the form they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the key ID is displayed as the replacement, e.g. ``[ key id = value ]``. -``+[no]trust`` +.. option:: +trust, +notrust + This option controls whether to display the trust level when printing a record. The default is to display the trust level. -``+[no]split[=W]`` +.. option:: +split[=W], +nosplit + This option splits long hex- or base64-formatted fields in resource records into chunks of ``W`` characters (where ``W`` is rounded up to the nearest multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -``+[no]all`` - This option sets or clears the display options ``+[no]comments``, - ``+[no]rrcomments``, and ``+[no]trust`` as a group. +.. option:: +all, +noall + + This option sets or clears the display options :option:`+comments`, + :option:`+rrcomments`, and :option:`+trust` as a group. + +.. option:: +multiline, +nomultiline -``+[no]multiline`` This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine - parsing of the ``delv`` output. + parsing of the :program:`delv` output. -``+[no]dnssec`` - This option indicates whether to display RRSIG records in the ``delv`` output. - The default is to do so. Note that (unlike in ``dig``) this does +.. option:: +dnssec, +nodnssec + + This option indicates whether to display RRSIG records in the :program:`delv` output. + The default is to do so. Note that (unlike in :iscman:`dig`) this does *not* control whether to request DNSSEC records or to validate them. DNSSEC records are always requested, and validation - always occurs unless suppressed by the use of ``-i`` or - ``+noroot``. 
+ always occurs unless suppressed by the use of :option:`-i` or + :option:`+noroot`. + +.. option:: +root[=ROOT], +noroot -``+[no]root[=ROOT]`` This option indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is a built-in key. If - specifying a different trust anchor, then ``-a`` must be used to specify a + specifying a different trust anchor, then :option:`-a` must be used to specify a file containing the key. -``+[no]tcp`` +.. option:: +tcp, +notcp + This option controls whether to use TCP when sending queries. The default is to use UDP unless a truncated response has been received. -``+[no]unknownformat`` +.. option:: +unknownformat, +nounknownformat + This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`). The default is to print RDATA for known types in the type's presentation format. -``+[no]yaml`` +.. option:: +yaml, +noyaml + This option prints response data in YAML format. Files ~~~~~ -``/etc/bind.keys`` - ``/etc/resolv.conf`` See Also ~~~~~~~~ -:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`. +:iscman:`dig(1) `, :iscman:`named(8) `, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`. diff --git a/bin/dig/Makefile.am b/bin/dig/Makefile.am index e130df08c1..685829f75c 100644 --- a/bin/dig/Makefile.am +++ b/bin/dig/Makefile.am 
@@ -4,23 +4,20 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ $(LIBISCCFG_CFLAGS) \ - $(LIBIRS_CFLAGS) \ - $(LIBBIND9_CFLAGS) \ - $(LIBIDN2_CFLAGS) + $(LIBIDN2_CFLAGS) \ + $(LIBUV_CFLAGS) -LDADD = \ +LDADD += \ libdighost.la \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) \ $(LIBISCCFG_LIBS) \ - $(LIBIRS_LIBS) \ - $(LIBBIND9_LIBS) \ $(LIBIDN2_LIBS) noinst_LTLIBRARIES = libdighost.la -libdighost_la_SOURCES = \ - dighost.h \ +libdighost_la_SOURCES = \ + dighost.h \ dighost.c bin_PROGRAMS = dig host nslookup diff --git a/bin/dig/dig.c b/bin/dig/dig.c index fbcd9737d7..54f7f81e33 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -17,18 +19,16 @@ #include #include -#include #include +#include +#include #include #include -#include -#include +#include #include -#include +#include #include -#include - #include #include #include @@ -40,7 +40,6 @@ #include #include #include -#include #include #include "dighost.h" @@ -58,7 +57,7 @@ dig_lookup_t *default_lookup = NULL; -static atomic_uintptr_t batchname = ATOMIC_VAR_INIT(0); +static char *batchname = NULL; static FILE *batchfp = NULL; static char *argv0; static int addresscount = 0; @@ -112,7 +111,7 @@ usage(void) { fprintf(stderr, "Press for complete list of options\n"); } #else /* if TARGET_OS_IPHONE */ -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -124,12 +123,6 @@ usage(void) { } #endif /* if TARGET_OS_IPHONE */ -/*% version */ -static void -version(void) { - fprintf(stderr, "DiG %s\n", PACKAGE_VERSION); -} - /*% help */ static void help(void) { 
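Review bot: `static char *batchname = NULL;` drops the `atomic_uintptr_t` that previously guarded this file-scope pointer, and nothing in the hunk records why that is now safe; it only holds if dash_option(), parse_args() and query_finished() all execute on the single loop thread under the new loopmgr, which this diff cannot show. Add a comment at the declaration such as `/* Batch file name from -f; only accessed from the loop thread, so no atomics needed. */` so the next reader does not re-introduce the atomic or, worse, touch it from a callback on another thread. The same applies to `batchfp`, which is read and closed in query_finished() later in this commit.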
@@ -211,9 +204,6 @@ help(void) { "from ipv4only.arpa)\n" " +[no]dnssec (Request DNSSEC records)\n" " +domain=### (Set default domainname)\n" - " +[no]dscp[=###] (Set the DSCP value to " - "### " - "[0..63])\n" " +[no]edns[=###] (Set EDNS version) [0]\n" " +ednsflags=### (Set EDNS flag bits)\n" " +[no]ednsnegotiation (Set EDNS version " @@ -228,17 +218,20 @@ help(void) { "SERVFAIL)\n" " +[no]header-only (Send query without a " "question section)\n" - " +[no]https[=###] (DNS over HTTPS mode) " + " +[no]https[=###] (DNS-over-HTTPS mode) " "[/]\n" " +[no]https-get (Use GET instead of " - "default POST method\n" + "default POST method while using HTTPS)\n" + " +[no]http-plain[=###] (DNS over plain HTTP " + "mode) " + "[/]\n" + " +[no]http-plain-get (Use GET instead of " + "default POST method while using plain HTTP)\n" " +[no]identify (ID responders in short " "answers)\n" #ifdef HAVE_LIBIDN2 - " +[no]idnin (Parse IDN names " - "[default=on on tty])\n" - " +[no]idnout (Convert IDN response " - "[default=on on tty])\n" + " +[no]idn (convert international " + "domain names)\n" #endif /* ifdef HAVE_LIBIDN2 */ " +[no]ignore (Don't revert to TCP for " "TC responses.)\n" @@ -247,8 +240,6 @@ help(void) { " +[no]keepopen (Keep the TCP socket open " "between " "queries)\n" - " +[no]mapped (Allow mapped IPv4 over " - "IPv6)\n" " +[no]multiline (Print records in an " "expanded format)\n" " +ndots=### (Set search NDOTS value)\n" @@ -261,6 +252,8 @@ help(void) { "request)\n" " +padding=### (Set padding block size " "[0])\n" + " +qid=### (Specify the query ID to " + "use when sending queries)\n" " +[no]qr (Print question before " "sending)\n" " +[no]question (Control display of " @@ -282,6 +275,7 @@ help(void) { "short\n" " form of answers - global " "option)\n" + " +[no]showbadcookie (Show BADCOOKIE message)\n" " +[no]showsearch (Search with intermediate " "results)\n" " +[no]split=## (Split hex/base64 fields " 
@@ -294,7 +288,15 @@ help(void) { "(+[no]tcflag))\n" " +[no]tcp (TCP mode (+[no]vc))\n" " +timeout=### (Set query timeout) [5]\n" - " +[no]tls (DNS over TLS mode)\n" + " +[no]tls (DNS-over-TLS mode)\n" + " +[no]tls-ca[=file] (Enable remote server's " + "TLS certificate validation)\n" + " +[no]tls-hostname=hostname (Explicitly set " + "the expected TLS hostname)\n" + " +[no]tls-certfile=file (Load client TLS " + "certificate chain from file)\n" + " +[no]tls-keyfile=file (Load client TLS " + "private key from file)\n" " +[no]trace (Trace delegation down " "from root " "[+dnssec])\n" @@ -346,13 +348,15 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) { } else { printf(";; Query time: %ld msec\n", (long)diff / 1000); } - if (query->lookup->tls_mode) { + if (dig_lookup_is_tls(query->lookup)) { proto = "TLS"; } else if (query->lookup->https_mode) { if (query->lookup->http_plain) { - proto = "HTTP"; + proto = query->lookup->https_get ? "HTTP-GET" + : "HTTP"; } else { - proto = "HTTPS"; + proto = query->lookup->https_get ? "HTTPS-GET" + : "HTTPS"; } } else if (query->lookup->tcp_mode) { proto = "TCP"; @@ -483,7 +487,8 @@ dns64prefix_answer(dns_message_t *msg, isc_buffer_t *buf) { size_t i, count = 10; name = dns_fixedname_initname(&fixed); - result = dns_name_fromstring(name, "ipv4only.arpa", 0, NULL); + result = dns_name_fromstring(name, "ipv4only.arpa", dns_rootname, 0, + NULL); check_result(result, "dns_name_fromstring"); result = dns_message_findname(msg, DNS_SECTION_ANSWER, name, @@ -496,10 +501,12 @@ dns64prefix_answer(dns_message_t *msg, isc_buffer_t *buf) { } result = dns_dns64_findprefix(rdataset, prefix, &count); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND) { return (ISC_R_SUCCESS); - if (count > 10) + } + if (count > 10) { count = 10; + } for (i = 0; i < count; i++) { result = isc_netaddr_totext(&prefix[i].addr, buf); if (result != ISC_R_SUCCESS) { 
@@ -569,7 +576,7 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, isc_buffer_t *buf, static bool isdotlocal(dns_message_t *msg) { isc_result_t result; - static unsigned char local_ndata[] = { "\005local\0" }; + static unsigned char local_ndata[] = { "\005local" }; static unsigned char local_offsets[] = { 0, 6 }; static dns_name_t local = DNS_NAME_INITABSOLUTE(local_ndata, local_offsets); @@ -682,7 +689,8 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS; } if (query->lookup->onesoa && - query->lookup->rdtype == dns_rdatatype_axfr) { + query->lookup->rdtype == dns_rdatatype_axfr) + { flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA : DNS_MESSAGETEXTFLAG_OMITSOA; } @@ -771,7 +779,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, strlcat(sockstr, "0", sizeof(sockstr)); } - printf(" response_address: %s\n", sockstr); + printf(" response_address: \"%s\"\n", sockstr); printf(" response_port: %u\n", sport); } @@ -788,7 +796,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, strlcat(sockstr, "0", sizeof(sockstr)); } - printf(" query_address: %s\n", sockstr); + printf(" query_address: \"%s\"\n", sockstr); printf(" query_port: %u\n", sport); } @@ -909,8 +917,9 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, check_result(result, "dns_message_sectiontotext"); } else if (dns64prefix) { result = dns64prefix_answer(msg, buf); - if (result == ISC_R_NOSPACE) + if (result == ISC_R_NOSPACE) { goto buftoosmall; + } check_result(result, "dns64prefix_answer"); } else { result = short_answer(msg, flags, buf, query); 
@@ -1018,6 +1027,128 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) { } } +#define FULLCHECK(A) \ + do { \ + size_t _l = strlen(cmd); \ + if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \ + goto invalid_option; \ + } while (0) +#define FULLCHECK2(A, B) \ + do { \ + size_t _l = strlen(cmd); \ + if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \ + (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \ + goto invalid_option; \ + } while (0) +#define FULLCHECK6(A, B, C, D, E, F) \ + do { \ + size_t _l = strlen(cmd); \ + if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \ + (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0) && \ + (_l >= sizeof(C) || strncasecmp(cmd, C, _l) != 0) && \ + (_l >= sizeof(D) || strncasecmp(cmd, D, _l) != 0) && \ + (_l >= sizeof(E) || strncasecmp(cmd, E, _l) != 0) && \ + (_l >= sizeof(F) || strncasecmp(cmd, F, _l) != 0)) \ + goto invalid_option; \ + } while (0) + +static bool +plus_tls_options(const char *cmd, const char *value, const bool state, + dig_lookup_t *lookup) { + /* + * Using TLS implies "TCP-like" mode. + */ + if (!lookup->tcp_mode_set) { + lookup->tcp_mode = state; + } + switch (cmd[3]) { + case '-': + /* + * Assume that if any of the +tls-* options are set, then we + * need to verify the remote certificate (compatibility with + * kdig). 
+ */ + if (state) { + lookup->tls_ca_set = state; + } + switch (cmd[4]) { + case 'c': + switch (cmd[5]) { + case 'a': + FULLCHECK("tls-ca"); + lookup->tls_ca_set = state; + if (state && value != NULL) { + lookup->tls_ca_file = + isc_mem_strdup(mctx, value); + } + break; + case 'e': + FULLCHECK("tls-certfile"); + lookup->tls_cert_file_set = state; + if (state) { + if (value != NULL && *value != '\0') { + lookup->tls_cert_file = + isc_mem_strdup(mctx, + value); + } else { + fprintf(stderr, + ";; TLS certificate " + "file is " + "not specified\n"); + goto invalid_option; + } + } + break; + default: + goto invalid_option; + } + break; + case 'h': + FULLCHECK("tls-hostname"); + lookup->tls_hostname_set = state; + if (state) { + if (value != NULL && *value != '\0') { + lookup->tls_hostname = + isc_mem_strdup(mctx, value); + } else { + fprintf(stderr, ";; TLS hostname is " + "not specified\n"); + goto invalid_option; + } + } + break; + case 'k': + FULLCHECK("tls-keyfile"); + lookup->tls_key_file_set = state; + if (state) { + if (value != NULL && *value != '\0') { + lookup->tls_key_file = + isc_mem_strdup(mctx, value); + } else { + fprintf(stderr, + ";; TLS private key file is " + "not specified\n"); + goto invalid_option; + } + } + break; + default: + goto invalid_option; + } + break; + case '\0': + FULLCHECK("tls"); + lookup->tls_mode = state; + break; + default: + goto invalid_option; + } + + return true; +invalid_option: + return false; +} + /*% * We're not using isc_commandline_parse() here since the command line * syntax of dig is quite a bit different from that which can be described 
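Review bot: In plus_tls_options() the leading `if (!lookup->tcp_mode_set) { lookup->tcp_mode = state; }` runs for every `+tls-*` spelling, so `+tls +notls-ca` leaves tls_mode true but flips tcp_mode back to false, because only `+tcp` sets tcp_mode_set; the assignment belongs under `case '\0':` next to `lookup->tls_mode = state;`, with the `case '-':` branch forcing TCP only when `state` is true. Separately, each `isc_mem_strdup(mctx, value)` overwrites tls_ca_file, tls_cert_file, tls_hostname or tls_key_file without freeing a previous value, so repeating an option leaks, unlike the https_path handling elsewhere in this commit which frees first. `+tls-ca` with no value leaves tls_ca_file NULL; if that means "use the system trust store", a comment on that line should say so, since it decides what certificates are accepted.
```c
static bool
plus_tls_options(const char *cmd, const char *value, const bool state,
		 dig_lookup_t *lookup) {
	switch (cmd[3]) {
	case '-':
		/*
		 * Any +tls-* option implies TLS over TCP and, unless
		 * explicitly disabled, verification of the remote
		 * certificate (compatibility with kdig).
		 */
		if (state) {
			lookup->tls_ca_set = true;
			if (!lookup->tcp_mode_set) {
				lookup->tcp_mode = true;
			}
		}
		/* … unchanged: tls-ca / tls-certfile / tls-hostname / tls-keyfile parsing … */
		break;
	case '\0':
		FULLCHECK("tls");
		lookup->tls_mode = state;
		/* Using TLS implies "TCP-like" mode. */
		if (!lookup->tcp_mode_set) {
			lookup->tcp_mode = state;
		}
		break;
	/* … unchanged: default / invalid_option … */
```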
@@ -1047,31 +1178,6 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, /* parse the rest of the string */ value = strtok_r(NULL, "", &last); -#define FULLCHECK(A) \ - do { \ - size_t _l = strlen(cmd); \ - if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \ - goto invalid_option; \ - } while (0) -#define FULLCHECK2(A, B) \ - do { \ - size_t _l = strlen(cmd); \ - if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \ - (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \ - goto invalid_option; \ - } while (0) -#define FULLCHECK6(A, B, C, D, E, F) \ - do { \ - size_t _l = strlen(cmd); \ - if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \ - (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0) && \ - (_l >= sizeof(C) || strncasecmp(cmd, C, _l) != 0) && \ - (_l >= sizeof(D) || strncasecmp(cmd, D, _l) != 0) && \ - (_l >= sizeof(E) || strncasecmp(cmd, E, _l) != 0) && \ - (_l >= sizeof(F) || strncasecmp(cmd, F, _l) != 0)) \ - goto invalid_option; \ - } while (0) - switch (cmd[0]) { case 'a': switch (cmd[1]) { @@ -1281,22 +1387,6 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } strlcpy(domainopt, value, sizeof(domainopt)); break; - case 's': /* dscp */ - FULLCHECK("dscp"); - if (!state) { - lookup->dscp = -1; - break; - } - if (value == NULL) { - goto need_value; - } - result = parse_uint(&num, value, 0x3f, "DSCP"); - if (result != ISC_R_SUCCESS) { - warn("Couldn't parse DSCP value"); - goto exit_or_usage; - } - lookup->dscp = num; - break; default: goto invalid_option; } 
@@ -1413,8 +1503,31 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } break; case 'f': /* fail */ - FULLCHECK("fail"); - lookup->servfail_stops = state; + switch (cmd[1]) { + case 'a': + FULLCHECK("fail"); + lookup->servfail_stops = state; + break; + case 'u': + FULLCHECK("fuzztime"); + lookup->fuzzing = state; + if (lookup->fuzzing) { + if (value == NULL) { + lookup->fuzztime = 0x622acce1; + break; + } + result = parse_uint(&num, value, 0xffffffff, + "fuzztime"); + if (result != ISC_R_SUCCESS) { + warn("Couldn't parse fuzztime"); + goto exit_or_usage; + } + lookup->fuzztime = num; + } + break; + default: + goto invalid_option; + } break; case 'h': switch (cmd[1]) { @@ -1426,6 +1539,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, FULLCHECK6("https", "https-get", "https-post", "http-plain", "http-plain-get", "http-plain-post"); +#if HAVE_LIBNGHTTP2 if (lookup->https_path != NULL) { isc_mem_free(mctx, lookup->https_path); lookup->https_path = NULL; @@ -1442,12 +1556,12 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, FULLCHECK("http-plain"); break; case '-': - switch (cmd[6]) { + switch (cmd[11]) { case 'p': - FULLCHECK("https-plain-post"); + FULLCHECK("http-plain-post"); break; case 'g': - FULLCHECK("https-plain-get"); + FULLCHECK("http-plain-get"); lookup->https_get = true; break; } @@ -1480,11 +1594,22 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } if (value == NULL) { lookup->https_path = isc_mem_strdup( - mctx, DEFAULT_HTTPS_PATH); + mctx, ISC_NM_HTTP_DEFAULT_PATH); } else { + if (!isc_nm_http_path_isvalid(value)) { + fprintf(stderr, + ";; The given HTTP path \"%s\" " + "is not " + "a valid absolute path\n", + value); + goto invalid_option; + } lookup->https_path = isc_mem_strdup(mctx, value); } +#else + fprintf(stderr, ";; DoH support not enabled\n"); +#endif break; default: goto invalid_option; 
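Review bot: The `+fuzztime` default `lookup->fuzztime = 0x622acce1;` is an unexplained magic number, and the option is not listed in help() alongside the other additions in this commit, so a reader cannot tell whether it is a deliberately hidden test hook. Add a comment on that line such as `/* Fixed clock for reproducible fuzzing runs; 0x622acce1 is a Unix timestamp in March 2022. Intentionally undocumented in help(). */` and state there what consumes the value (presumably time-dependent fields such as the TSIG signing time, which is set outside this hunk). The enclosing plus_option() switch starts and ends outside the hunk.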
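Review bot: When HAVE_LIBNGHTTP2 is not set, the new `#else` branch prints `;; DoH support not enabled` and then reaches the existing `break;`, so `+https` is accepted and the query goes out over plain UDP/TCP instead of the encrypted transport the user asked for. Follow the message with `goto invalid_option;` so the command fails rather than silently downgrading, as the new `isc_nm_http_path_isvalid()` check in the same hunk already does for a bad path. The guard is spelled `#if HAVE_LIBNGHTTP2` while this file's IDN guards use `#ifdef`/`#ifndef HAVE_LIBIDN2`; should configure ever define the macro empty, `#if` fails to compile, so `#ifdef HAVE_LIBNGHTTP2` is the safer form.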
@@ -1492,7 +1617,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, break; case 'i': switch (cmd[1]) { - case 'd': /* identify */ + case 'd': switch (cmd[2]) { case 'e': FULLCHECK("identify"); @@ -1500,27 +1625,28 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, break; case 'n': switch (cmd[3]) { - case 'i': + case '\0': + FULLCHECK("idn"); + lookup->idnin = state; + lookup->idnout = state; + break; + case 'i': /* (compat) */ FULLCHECK("idnin"); -#ifndef HAVE_LIBIDN2 - fprintf(stderr, ";; IDN input support" - " not enabled\n"); -#else /* ifndef HAVE_LIBIDN2 */ lookup->idnin = state; -#endif /* ifndef HAVE_LIBIDN2 */ break; - case 'o': + case 'o': /* (compat) */ FULLCHECK("idnout"); -#ifndef HAVE_LIBIDN2 - fprintf(stderr, ";; IDN output support" - " not enabled\n"); -#else /* ifndef HAVE_LIBIDN2 */ lookup->idnout = state; -#endif /* ifndef HAVE_LIBIDN2 */ break; default: goto invalid_option; } +#ifndef HAVE_LIBIDN2 + if (state) { + printf(";; IDN support " + "is not available\n"); + } +#endif /* ifndef HAVE_LIBIDN2 */ break; default: goto invalid_option; @@ -1570,7 +1696,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, switch (cmd[1]) { case 'a': FULLCHECK("mapped"); - lookup->mapped = state; + fprintf(stderr, ";; +mapped option is deprecated"); break; case 'u': FULLCHECK("multiline"); @@ -1649,7 +1775,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } for (num = 0; num < sizeof(opcodetext) / sizeof(opcodetext[0]); - num++) { + num++) + { if (strcasecmp(opcodetext[num], value) == 0) { break; } 
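Review bot: The new deprecation notice `fprintf(stderr, ";; +mapped option is deprecated");` has no trailing newline, so it runs into whatever is printed next; every other diagnostic in these hunks ends with `\n`. Change it to `fprintf(stderr, ";; +mapped option is deprecated and has no effect\n");`, which also tells a script author that `lookup->mapped` is no longer set. In the IDN hunk the "IDN support is not available" notice goes to stdout via printf while the surrounding diagnostics use stderr; `fprintf(stderr, ...)` would keep machine-readable output clean.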
@@ -1791,10 +1918,20 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } break; case 'w': /* showsearch */ - FULLCHECK("showsearch"); - if (!lookup->trace) { - showsearch = state; - usesearch = state; + switch (cmd[4]) { + case 'b': + FULLCHECK("showbadcookie"); + lookup->showbadcookie = state; + break; + case 's': + FULLCHECK("showsearch"); + if (!lookup->trace) { + showsearch = state; + usesearch = state; + } + break; + default: + goto invalid_option; } break; default: @@ -1852,7 +1989,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } if (!state) { if (lookup->ecs_addr != NULL) { - isc_mem_free(mctx, lookup->ecs_addr); + isc_mem_put(mctx, lookup->ecs_addr, + sizeof(*lookup->ecs_addr)); lookup->ecs_addr = NULL; } break; @@ -1861,7 +1999,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, lookup->edns = DEFAULT_EDNS_VERSION; } if (lookup->ecs_addr != NULL) { - isc_mem_free(mctx, lookup->ecs_addr); + isc_mem_put(mctx, lookup->ecs_addr, + sizeof(*lookup->ecs_addr)); lookup->ecs_addr = NULL; } result = parse_netprefix(&lookup->ecs_addr, value); @@ -1912,10 +2051,16 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } break; case 'l': - FULLCHECK("tls"); - lookup->tls_mode = state; - if (!lookup->tcp_mode_set) { - lookup->tcp_mode = state; + switch (cmd[2]) { + case 's': + if (!plus_tls_options(cmd, value, state, + lookup)) + { + goto invalid_option; + } + break; + default: + goto invalid_option; } break; case 'o': @@ -2050,6 +2195,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, #if !TARGET_OS_IPHONE exit_or_usage: + cleanup_openssl_refs(); digexit(); #endif /* if !TARGET_OS_IPHONE */ } @@ -2090,7 +2236,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, have_ipv6 = false; } else { fatal("can't find IPv4 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; 
@@ -2100,7 +2246,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, have_ipv4 = false; } else { fatal("can't find IPv6 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; @@ -2136,7 +2282,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, (*lookup)->use_usec = true; break; case 'v': - version(); + printf("DiG %s\n", PACKAGE_VERSION); exit(0); break; } @@ -2208,7 +2354,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, } return (value_from_next); case 'f': - atomic_store(&batchname, (uintptr_t)value); + batchname = value; return (value_from_next); case 'k': strlcpy(keyfile, value, sizeof(keyfile)); @@ -2251,7 +2397,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, result = dns_rdatatype_fromtext( &rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) { + rdtype == dns_rdatatype_ixfr) + { result = DNS_R_UNKNOWN; } } @@ -2311,7 +2458,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; digestbits = 0; } /* XXXONDREJ: FIXME */ @@ -2324,7 +2471,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, } *need_clone = true; if (get_reverse(textname, sizeof(textname), value, false) == - ISC_R_SUCCESS) { + ISC_R_SUCCESS) + { strlcpy((*lookup)->textname, textname, sizeof((*lookup)->textname)); debug("looking up %s", (*lookup)->textname); @@ -2352,7 +2500,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, fprintf(stderr, "Invalid option: -%s\n", option); usage(); } - /* NOTREACHED */ + UNREACHABLE(); return (false); } @@ -2506,7 +2654,8 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { } if (batchfp != NULL) { while (fgets(batchline, sizeof(batchline), batchfp) != - 0) { + 0) + { debug("config line %s", batchline); bargc = split_batchline(batchline, bargv, 62, ".digrc argv"); 
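Review bot: The `-y` fallback `hmac = DST_ALG_HMACMD5; digestbits = 0;` keeps HMAC-MD5 as the TSIG algorithm whenever a key is given as `name:secret` without an `algorithm:` prefix, and the `/* XXXONDREJ: FIXME */` left beside it suggests this was noticed but not addressed. HMAC-MD5 is generally treated as a legacy algorithm; at minimum emit `fprintf(stderr, ";; Warning: no TSIG algorithm given, defaulting to hmac-md5\n");` in that branch so the weak default is visible, and consider documenting in dig.rst that hmac-sha256 should be named explicitly. Only the fallback branch is in this hunk; the algorithm parsing above it and the enclosing dash_option() are outside it.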
@@ -2598,7 +2747,8 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { &rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) { + rdtype == dns_rdatatype_ixfr) + { fprintf(stderr, ";; Warning, " "ixfr requires " "a " @@ -2638,7 +2788,8 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { lookup->rdtype = rdtype; lookup->rdtypeset = true; if (rdtype == - dns_rdatatype_axfr) { + dns_rdatatype_axfr) + { lookup->section_question = plusquest; lookup->comments = @@ -2646,7 +2797,8 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { } if (rdtype == dns_rdatatype_any && - !lookup->tcp_mode_set) { + !lookup->tcp_mode_set) + { lookup->tcp_mode = true; } lookup->ixfr_serial = false; @@ -2694,7 +2846,7 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { * first entry, then trust the callback in dighost_shutdown * to get the rest */ - char *filename = (char *)atomic_load(&batchname); + char *filename = batchname; if ((filename != NULL) && !(is_batchfile)) { if (strcmp(filename, "-") == 0) { batchfp = stdin; 
@@ -2758,38 +2910,32 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) { static void query_finished(void) { char batchline[MXNAME]; - int bargc; - char *bargv[16]; - - if (atomic_load(&batchname) == 0) { - isc_app_shutdown(); - return; - } fflush(stdout); - if (feof(batchfp)) { - atomic_store(&batchname, 0); - isc_app_shutdown(); - if (batchfp != stdin) { - fclose(batchfp); - } - return; - } - if (fgets(batchline, sizeof(batchline), batchfp) != 0) { + if (batchname != NULL && !feof(batchfp) && + fgets(batchline, sizeof(batchline), batchfp) != NULL) + { + int bargc; + char *bargv[16]; debug("batch line %s", batchline); bargc = split_batchline(batchline, bargv, 14, "batch argv"); bargv[0] = argv0; parse_args(true, false, bargc, (char **)bargv); start_lookup(); - } else { - atomic_store(&batchname, 0); + return; + } + + debug("shutdown"); + + /* We are done */ + if (batchname != NULL) { if (batchfp != stdin) { fclose(batchfp); } - isc_app_shutdown(); - return; + batchname = NULL; } + isc_loopmgr_shutdown(loopmgr); } static void @@ -2853,8 +2999,6 @@ dig_comments(dig_lookup_t *lookup, const char *format, ...) { void dig_setup(int argc, char **argv) { - isc_result_t result; - ISC_LIST_INIT(lookup_list); ISC_LIST_INIT(server_list); ISC_LIST_INIT(search_list); @@ -2873,9 +3017,6 @@ dig_setup(int argc, char **argv) { progname = argv[0]; preparse_args(argc, argv); - result = isc_app_start(); - check_result(result, "isc_app_start"); - setup_libs(); setup_system(ipv4only, ipv6only); } 
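Review bot: In query_finished() the rewritten condition treats a NULL from fgets() as end of batch, so a read error on the `-f` file is indistinguishable from EOF and the run ends with only `debug("shutdown")`. Before the `fclose(batchfp)`, add `if (ferror(batchfp)) { warn("error reading batch file"); }` (warn() is what the rest of this file uses) so a truncated or unreadable batch input is reported instead of silently shortening the run. A batch line longer than MXNAME is still split across two fgets() calls and parsed as two lookups; that is pre-existing, but a comment on `char batchline[MXNAME];` noting the limit would help the next reader.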
@@ -2898,32 +3039,17 @@ dig_query_setup(bool is_batchfile, bool config_only, int argc, char **argv) { void dig_startup(void) { - isc_result_t result; - debug("dig_startup()"); - result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); - check_result(result, "isc_app_onrun"); - isc_app_run(); -} - -void -dig_query_start(void) { - start_lookup(); + isc_loopmgr_setup(loopmgr, run_loop, NULL); + isc_loopmgr_run(loopmgr); } void dig_shutdown(void) { destroy_lookup(default_lookup); - if (atomic_load(&batchname) != 0) { - if (batchfp != stdin) { - fclose(batchfp); - } - atomic_store(&batchname, 0); - } cancel_all(); destroy_libs(); - isc_app_finish(); } /*% Main processing routine for dig */ diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst index b54d22ef5c..32029417f5 100644 --- a/bin/dig/dig.rst +++ b/bin/dig/dig.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dig +.. program:: dig .. _man_dig: dig - DNS lookup utility 
@@ -37,41 +29,41 @@ Synopsis Description ~~~~~~~~~~~ -``dig`` is a flexible tool for interrogating DNS name servers. It +:program:`dig` is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the -name server(s) that were queried. Most DNS administrators use ``dig`` to +name server(s) that were queried. Most DNS administrators use :program:`dig` to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output. Other lookup tools tend to have less functionality -than ``dig``. +than :program:`dig`. -Although ``dig`` is normally used with command-line arguments, it also +Although :program:`dig` is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when -the ``-h`` option is given. The BIND 9 -implementation of ``dig`` allows multiple lookups to be issued from the +the :option:`-h` option is given. The BIND 9 +implementation of :program:`dig` allows multiple lookups to be issued from the command line. -Unless it is told to query a specific name server, ``dig`` tries each +Unless it is told to query a specific name server, :program:`dig` tries each of the servers listed in ``/etc/resolv.conf``. If no usable server -addresses are found, ``dig`` sends the query to the local host. +addresses are found, :program:`dig` sends the query to the local host. -When no command-line arguments or options are given, ``dig`` +When no command-line arguments or options are given, :program:`dig` performs an NS query for "." (the root). -It is possible to set per-user defaults for ``dig`` via +It is possible to set per-user defaults for :program:`dig` via ``${HOME}/.digrc``. This file is read and any options in it are applied -before the command-line arguments. The ``-r`` option disables this +before the command-line arguments. 
The :option:`-r` option disables this feature, for scripts that need predictable behavior. The IN and CH class names overlap with the IN and CH top-level domain -names. Either use the ``-t`` and ``-c`` options to specify the type and -class, use the ``-q`` to specify the domain name, or use "IN." and +names. Either use the :option:`-t` and :option:`-c` options to specify the type and +class, use the :option:`-q` to specify the domain name, or use "IN." and "CH." when looking up these top-level domains. Simple Usage ~~~~~~~~~~~~ -A typical invocation of ``dig`` looks like: +A typical invocation of :program:`dig` looks like: :: 
@@ -79,83 +71,103 @@ A typical invocation of ``dig`` looks like: where: -``server`` +.. option:: server + is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied ``server`` argument is a - hostname, ``dig`` resolves that name before querying that name + hostname, :program:`dig` resolves that name before querying that name server. - If no ``server`` argument is provided, ``dig`` consults + If no ``server`` argument is provided, :program:`dig` consults ``/etc/resolv.conf``; if an address is found there, it queries the - name server at that address. If either of the ``-4`` or ``-6`` + name server at that address. If either of the :option:`-4` or :option:`-6` options are in use, then only addresses for the corresponding - transport are tried. If no usable addresses are found, ``dig`` + transport are tried. If no usable addresses are found, :program:`dig` sends the query to the local host. The reply from the name server that responds is displayed. -``name`` +.. option:: name + is the name of the resource record that is to be looked up. -``type`` +.. option:: type + indicates what type of query is required - ANY, A, MX, SIG, etc. ``type`` can be any valid query type. If no ``type`` argument is - supplied, ``dig`` performs a lookup for an A record. + supplied, :program:`dig` performs a lookup for an A record. Options ~~~~~~~ -``-4`` +.. option:: -4 + This option indicates that only IPv4 should be used. -``-6`` +.. option:: -6 + This option indicates that only IPv6 should be used. -``-b address[#port]`` +.. option:: -b address[#port] + This option sets the source IP address of the query. The ``address`` must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending ``#port``. -``-c class`` +.. option:: -c class + This option sets the query class. 
The default ``class`` is IN; other classes are HS for Hesiod records or CH for Chaosnet records. -``-f file`` - This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from +.. option:: -f file + + This option sets batch mode, in which :program:`dig` reads a list of lookup requests to process from the given ``file``. Each line in the file should be organized in the - same way it would be presented as a query to ``dig`` using the + same way it would be presented as a query to :program:`dig` using the command-line interface. -``-k keyfile`` - This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key - files can be generated using ``tsig-keygen``. When using TSIG - authentication with ``dig``, the name server that is queried needs to - know the key and algorithm that is being used. In BIND, this is done - by providing appropriate ``key`` and ``server`` statements in - ``named.conf``. +.. option:: -h + + Print a usage summary. + +.. option:: -k keyfile + + This option tells :program:`dig` to sign queries using TSIG or + SIG(0) using a key read from the given file. Key files can be + generated using :iscman:`tsig-keygen`. When using TSIG authentication + with :program:`dig`, the name server that is queried needs to + know the key and algorithm that is being used. In BIND, this is + done by providing appropriate ``key`` and ``server`` statements + in :iscman:`named.conf` for TSIG and by looking up the KEY record + in zone data for SIG(0). + +.. option:: -m -``-m`` This option enables memory usage debugging. -``-p port`` +.. option:: -p port + This option sends the query to a non-standard port on the server, instead of the default port 53. This option is used to test a name server that has been configured to listen for queries on a non-standard port number. -``-q name`` +.. option:: -q name + This option specifies the domain name to query. 
This is useful to distinguish the ``name`` from other arguments. -``-r`` +.. option:: -r + This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for scripts that need predictable behavior. -``-t type`` +.. option:: -t type + This option indicates the resource record type to query, which can be any valid query type. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is - ``A``, unless the ``-x`` option is supplied to indicate a reverse + ``A``, unless the :option:`-x` option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the ``type`` to ``ixfr=N``. The incremental zone transfer contains 
@@ -166,23 +178,27 @@ Options the number of the type. If the resource record type is not supported in BIND 9, the result is displayed as described in :rfc:`3597`. -``-u`` +.. option:: -u + This option indicates that print query times should be provided in microseconds instead of milliseconds. -``-v`` +.. option:: -v + This option prints the version number and exits. -``-x addr`` +.. option:: -x addr + This option sets simplified reverse lookups, for mapping addresses to names. The ``addr`` is an IPv4 address in dotted-decimal notation, or a - colon-delimited IPv6 address. When the ``-x`` option is used, there is no + colon-delimited IPv6 address. When the :option:`-x` option is used, there is no need to provide the ``name``, ``class``, and ``type`` arguments. - ``dig`` automatically performs a lookup for a name like + :program:`dig` automatically performs a lookup for a name like ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. -``-y [hmac:]keyname:secret`` +.. option:: -y [hmac:]keyname:secret + This option signs queries using TSIG with the given authentication key. ``keyname`` is the name of the key, and ``secret`` is the base64-encoded shared secret. ``hmac`` is the name of the key algorithm; 
@@ -191,15 +207,15 @@ Options not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is ``hmac-sha256``. -.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option, - because with ``-y`` the shared secret is supplied as a command-line +.. note:: Only the :option:`-k` option should be used, rather than the :option:`-y` option, + because with :option:`-y` the shared secret is supplied as a command-line argument in clear text. This may be visible in the output from ``ps1`` or in a history file maintained by the user's shell. Query Options ~~~~~~~~~~~~~ -``dig`` provides a number of query options which affect the way in which +:program:`dig` provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry 
@@ -210,20 +226,24 @@ Each query option is identified by a keyword preceded by a plus sign the string ``no`` to negate the meaning of that keyword. Other keywords assign values to options, like the timeout interval. They have the form ``+keyword=value``. Keywords may be abbreviated, provided the -abbreviation is unambiguous; for example, ``+cd`` is equivalent to -``+cdflag``. The query options are: +abbreviation is unambiguous; for example, :option:`+cd` is equivalent to +:option:`+cdflag`. The query options are: -``+[no]aaflag`` - This option is a synonym for ``+[no]aaonly``. +.. option:: +aaflag, +noaaflag + + This option is a synonym for :option:`+aaonly`, :option:`+noaaonly`. + +.. option:: +aaonly, +noaaonly -``+[no]aaonly`` This option sets the ``aa`` flag in the query. -``+[no]additional`` +.. option:: +additional, +noadditional + This option displays [or does not display] the additional section of a reply. The default is to display it. -``+[no]adflag`` +.. option:: +adflag, +noadflag + This option sets [or does not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have been validated as secure, according to the security 
@@ -232,61 +252,73 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to indicates that some part of the answer was insecure or not validated. This bit is set by default. -``+[no]all`` +.. option:: +all, +noall + This option sets or clears all display flags. -``+[no]answer`` +.. option:: +answer, +noanswer + This option displays [or does not display] the answer section of a reply. The default is to display it. -``+[no]authority`` +.. option:: +authority, +noauthority + This option displays [or does not display] the authority section of a reply. The default is to display it. -``+[no]badcookie`` +.. option:: +badcookie, +nobadcookie + This option retries the lookup with a new server cookie if a BADCOOKIE response is received. -``+[no]besteffort`` +.. option:: +besteffort, +nobesteffort + This option attempts to display the contents of messages which are malformed. The default is to not display malformed answers. -``+bufsize[=B]`` +.. option:: +bufsize[=B] + This option sets the UDP message buffer size advertised using EDNS0 to ``B`` bytes. The maximum and minimum sizes of this buffer are 65535 and 0, respectively. ``+bufsize`` restores the default buffer size. -``+[no]cdflag`` +.. option:: +cd, +cdflag, +nocdflag + This option sets [or does not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -``+[no]class`` +.. option:: +class, +noclass + This option displays [or does not display] the CLASS when printing the record. -``+[no]cmd`` +.. option:: +cmd, +nocmd + This option toggles the printing of the initial comment in the output, identifying the - version of ``dig`` and the query options that have been applied. This option + version of :program:`dig` and the query options that have been applied. This option always has a global effect; it cannot be set globally and then overridden on a per-lookup basis. The default is to print this comment. -``+[no]comments`` +.. 
option:: +comments, +nocomments + This option toggles the display of some comment lines in the output, with information about the packet header and OPT pseudosection, and the names of the response section. The default is to print these comments. Other types of comments in the output are not affected by this option, but can be controlled using other command-line switches. These include - ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``. + :option:`+cmd`, :option:`+question`, :option:`+stats`, and :option:`+rrcomments`. + +.. option:: +cookie=####, +nocookie -``+[no]cookie=####`` This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE from a previous response allows the server to identify a previous client. The default is ``+cookie``. - ``+cookie`` is also set when ``+trace`` is set to better emulate the + ``+cookie`` is also set when :option:`+trace` is set to better emulate the default queries from a nameserver. -``+[no]crypto`` +.. option:: +crypto, +nocrypto + This option toggles the display of cryptographic fields in DNSSEC records. The contents of these fields are unnecessary for debugging most DNSSEC validation failures and removing them makes it easier to see the 
@@ -294,63 +326,79 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the key ID is displayed as the replacement, e.g. ``[ key id = value ]``. -``+[no]defname`` - This option, which is deprecated, is treated as a synonym for ``+[no]search``. +.. option:: +defname, +nodefname + + This option, which is deprecated, is treated as a synonym for + :option:`+search`, :option:`+nosearch`. + +.. option:: +dns64prefix, +nodns64prefix -``+[no]dns64prefix`` Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found. -``+[no]dnssec`` +.. option:: +dnssec, +do, +nodnssec, +nodo + This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in the OPT record in the additional section of the query. -``+domain=somename`` +.. option:: +domain=somename + This option sets the search list to contain the single domain ``somename``, as if specified in a ``domain`` directive in ``/etc/resolv.conf``, and - enables search list processing as if the ``+search`` option were + enables search list processing as if the :option:`+search` option were given. -``+dscp=value`` - This option sets the DSCP code point to be used when sending the query. Valid DSCP - code points are in the range [0...63]. By default no code point is - explicitly set. +.. option:: +edns[=#], +noedns -``+[no]edns[=#]`` This option specifies the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version causes an EDNS query to be sent. ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by default. -``+[no]ednsflags[=#]`` +.. option:: +ednsflags[=#], +noednsflags + This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex, and octal encodings are accepted. Setting a named flag (e.g., DO) is silently ignored. By default, no Z bits are set. -``+[no]ednsnegotiation`` +.. 
option:: +ednsnegotiation, +noednsnegotiation + This option enables/disables EDNS version negotiation. By default, EDNS version negotiation is enabled. -``+[no]ednsopt[=code[:value]]`` +.. option:: +ednsopt[=code[:value]], +noednsopt + This option specifies the EDNS option with code point ``code`` and an optional payload of ``value`` as a hexadecimal string. ``code`` can be either an EDNS option name (for example, ``NSID`` or ``ECS``) or an arbitrary numeric value. ``+noednsopt`` clears the EDNS options to be sent. -``+[no]expire`` +.. option:: +expire, +noexpire + This option sends an EDNS Expire option. -``+[no]fail`` - This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is +.. option:: +fail, +nofail + + This option indicates that :iscman:`named` should try [or not try] the next server if a SERVFAIL is received. The default is to not try the next server, which is the reverse of normal stub resolver behavior. -``+[no]header-only`` +.. option:: +fuzztime[=value], +nofuzztime + + This option allows the signing time to be specified when generating + signed messages. If a value is specified it is the seconds since + 00:00:00 January 1, 1970 UTC ignoring leap seconds. If no value + is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used. + The default is ``+nofuzztime`` and the current time is used. + +.. option:: +header-only, +noheader-only + This option sends a query with a DNS header without a question section. The default is to add a question section. The query type and query name are ignored when this is set. -``+[no]https[=value]`` - This option indicates whether to use DNS-over-HTTPS (DoH) when querying +.. option:: +https[=value], +nohttps + + This option indicates whether to use DNS over HTTPS (DoH) when querying name servers. When this option is in use, the port number defaults to 443. The HTTP POST request mode is used when sending the query. 
@@ -358,94 +406,99 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to query URI; the default is ``/dns-query``. So, for example, ``dig @example.com +https`` will use the URI ``https://example.com/dns-query``. -``+[no]https-get[=value]`` - Similar to ``+https``, except that the HTTP GET request mode is used +.. option:: +https-get[=value], +nohttps-get + + Similar to :option:`+https`, except that the HTTP GET request mode is used when sending the query. -``+[no]https-post[=value]`` - Same as ``+https``. +.. option:: +https-post[=value], +nohttps-post + + Same as :option:`+https`. -``+[no]http-plain[=value]`` - Similar to ``+https``, except that HTTP queries will be sent over a +.. option:: +http-plain[=value], +nohttp-plain + + Similar to :option:`+https`, except that HTTP queries will be sent over a non-encrypted channel. When this option is in use, the port number defaults to 80 and the HTTP request mode is POST. -``+[no]http-plain-get[=value]`` - Similar to ``+http-plain``, except that the HTTP request mode is GET. +.. option:: +http-plain-get[=value], +nohttp-plain-get + + Similar to :option:`+http-plain`, except that the HTTP request mode is GET. + +.. option:: +http-plain-post[=value], +nohttp-plain-post + + Same as :option:`+http-plain`. -``+[no]http-plain-post[=value]`` - Same as ``+http-plain``. +.. option:: +identify, +noidentify -``+[no]identify`` This option shows [or does not show] the IP address and port number that - supplied the answer, when the ``+short`` option is enabled. If short + supplied the answer, when the :option:`+short` option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -``+[no]idnin`` - This option processes [or does not process] IDN domain names on input. This requires - ``IDN SUPPORT`` to have been enabled at compile time. +.. 
option:: +idn, +noidn - The default is to process IDN input when standard output is a tty. - The IDN processing on input is disabled when ``dig`` output is redirected - to files, pipes, and other non-tty file descriptors. + Enable or disable IDN processing. By default IDN is enabled for + input query names, and for display when the output is a terminal. -``+[no]idnout`` - This option converts [or does not convert] puny code on output. This requires - ``IDN SUPPORT`` to have been enabled at compile time. + You can also turn off :program:`dig`'s IDN processing by setting + the ``IDN_DISABLE`` environment variable. - The default is to process puny code on output when standard output is - a tty. The puny code processing on output is disabled when ``dig`` output - is redirected to files, pipes, and other non-tty file descriptors. +.. option:: +ignore, +noignore -``+[no]ignore`` - This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By - default, TCP retries are performed. + This option ignores [or does not ignore] truncation in UDP + responses instead of retrying with TCP. By default, TCP retries are + performed. + +.. option:: +keepalive, +nokeepalive -``+[no]keepalive`` This option sends [or does not send] an EDNS Keepalive option. -``+[no]keepopen`` +.. option:: +keepopen, +nokeepopen + This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than creating a new TCP socket for each lookup. The default is ``+nokeepopen``. -``+[no]mapped`` - This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is - ``+mapped``. +.. option:: +multiline, +nomultiline -``+[no]multiline`` This option prints [or does not print] records, like the SOA records, in a verbose multi-line format with human-readable comments. The default is to print each record on - a single line to facilitate machine parsing of the ``dig`` output. 
+ a single line to facilitate machine parsing of the :program:`dig` output. + +.. option:: +ndots=D -``+ndots=D`` This option sets the number of dots (``D``) that must appear in ``name`` for it to be considered absolute. The default value is that defined using the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement is present. Names with fewer dots are interpreted as relative names, and are searched for in the domains listed in the ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if - ``+search`` is set. + :option:`+search` is set. + +.. option:: +nsid, +nonsid -``+[no]nsid`` When enabled, this option includes an EDNS name server ID request when sending a query. -``+[no]nssearch`` - When this option is set, ``dig`` attempts to find the authoritative +.. option:: +nssearch, +nonssearch + + When this option is set, :program:`dig` attempts to find the authoritative name servers for the zone containing the name being looked up, and display the SOA record that each name server has for the zone. Addresses of servers that did not respond are also printed. -``+[no]onesoa`` +.. option:: +onesoa, +noonesoa + When enabled, this option prints only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records. -``+[no]opcode=value`` +.. option:: +opcode=value, +noopcode + When enabled, this option sets (restores) the DNS message opcode to the specified value. The default value is QUERY (0). -``+padding=value`` +.. option:: +padding=value + This option pads the size of the query packet using the EDNS Padding option to blocks of ``value`` bytes. For example, ``+padding=32`` causes a 48-byte query to be padded to 64 bytes. The default block size is 0, 
@@ -454,75 +507,96 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to mandatory. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE. -``+qid=value`` +.. option:: +qid=value + This option specifies the query ID to use when sending queries. -``+[no]qr`` +.. option:: +qr, +noqr + This option toggles the display of the query message as it is sent. By default, the query is not printed. -``+[no]question`` +.. option:: +question, +noquestion + This option toggles the display of the question section of a query when an answer is returned. The default is to print the question section as a comment. -``+[no]raflag`` +.. option:: +raflag, +noraflag + This option sets [or does not set] the RA (Recursion Available) bit in the query. The default is ``+noraflag``. This bit is ignored by the server for QUERY. -``+[no]rdflag`` - This option is a synonym for ``+[no]recurse``. +.. option:: +rdflag, +nordflag + + This option is a synonym for :option:`+recurse`, :option:`+norecurse`. + +.. option:: +recurse, +norecurse -``+[no]recurse`` This option toggles the setting of the RD (recursion desired) bit in the query. - This bit is set by default, which means ``dig`` normally sends + This bit is set by default, which means :program:`dig` normally sends recursive queries. Recursion is automatically disabled when the - ``+nssearch`` or ``+trace`` query option is used. + :option:`+nssearch` or :option:`+trace` query option is used. + +.. option:: +retry=T -``+retry=T`` This option sets the number of times to retry UDP and TCP queries to server to ``T`` - instead of the default, 2. Unlike ``+tries``, this does not include + instead of the default, 2. Unlike :option:`+tries`, this does not include the initial query. -``+[no]rrcomments`` +.. option:: +rrcomments, +norrcomments + This option toggles the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). 
The default is not to print record comments unless multiline mode is active. -``+[no]search`` +.. option:: +search, +nosearch + This option uses [or does not use] the search list defined by the searchlist or domain directive in ``resolv.conf``, if any. The search list is not used by default. ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by - ``+ndots``, determines whether the name is treated as relative + :option:`+ndots`, determines whether the name is treated as relative and hence whether a search is eventually performed. -``+[no]short`` +.. option:: +short, +noshort + This option toggles whether a terse answer is provided. The default is to print the answer in a verbose form. This option always has a global effect; it cannot be set globally and then overridden on a per-lookup basis. -``+[no]showsearch`` +.. option:: +showbadcookie, +noshowbadcookie + + This option toggles whether to show the message containing the + BADCOOKIE rcode before retrying the request or not. The default + is to not show the messages. + +.. option:: +showsearch, +noshowsearch + This option performs [or does not perform] a search showing intermediate results. -``+[no]sigchase`` - This feature is now obsolete and has been removed; use ``delv`` +.. option:: +sigchase, +nosigchase + + This feature is now obsolete and has been removed; use :iscman:`delv` instead. -``+split=W`` +.. option:: +split=W + This option splits long hex- or base64-formatted fields in resource records into chunks of ``W`` characters (where ``W`` is rounded up to the nearest multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -``+[no]stats`` +.. option:: +stats, +nostats + This option toggles the printing of statistics: when the query was made, the size of the reply, etc. The default behavior is to print the query statistics as a comment after each lookup. 
-``+[no]subnet=addr[/prefix-length]`` +.. option:: +subnet=addr[/prefix-length], +nosubnet + This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP address or network prefix. 
@@ -531,33 +605,61 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to prefix-length of zero, which signals a resolver that the client's address information must *not* be used when resolving this query. -``+[no]tcflag`` +.. option:: +tcflag, +notcflag + This option sets [or does not set] the TC (TrunCation) bit in the query. The default is ``+notcflag``. This bit is ignored by the server for QUERY. -``+[no]tcp`` - This option indicates whether to use TCP when querying name servers. - The default behavior is to use UDP unless a type ``any`` or ``ixfr=N`` - query is requested, in which case the default is TCP. AXFR queries - always use TCP. +.. option:: +tcp, +notcp + + This option indicates whether to use TCP when querying name + servers. The default behavior is to use UDP unless a type ``any`` + or ``ixfr=N`` query is requested, in which case the default is + TCP. AXFR queries always use TCP. To prevent retry over TCP when + TC=1 is returned from a UDP query, use ``+ignore``. + +.. option:: +timeout=T -``+timeout=T`` This option sets the timeout for a query to ``T`` seconds. The default timeout is 5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1. -``+[no]tls`` - This option indicates whether to use DNS-over-TLS (DoT) when querying +.. option:: +tls, +notls + + This option indicates whether to use DNS over TLS (DoT) when querying name servers. When this option is in use, the port number defaults to 853. -``+[no]topdown`` - This feature is related to ``dig +sigchase``, which is obsolete and - has been removed. Use ``delv`` instead. +.. option:: +tls-ca[=file-name], +notls-ca + + This option enables remote server TLS certificate validation for + DNS transports, relying on TLS. Certificate authorities + certificates are loaded from the specified PEM file + (``file-name``). If the file is not specified, the default + certificates from the global certificates store are used. + +.. 
option:: +tls-certfile=file-name, +tls-keyfile=file-name, +notls-certfile, +notls-keyfile + + These options set the state of certificate-based client + authentication for DNS transports, relying on TLS. Both certificate + chain file and private key file are expected to be in PEM format. + Both options must be specified at the same time. + +.. option:: +tls-hostname=hostname, +notls-hostname + + This option makes :program:`dig` use the provided hostname during remote + server TLS certificate verification. Otherwise, the DNS server name + is used. This option has no effect if :option:`+tls-ca` is not specified. + +.. option:: +topdown, +notopdown + + This feature is related to :option:`dig +sigchase`, which is obsolete and + has been removed. Use :iscman:`delv` instead. + +.. option:: +trace, +notrace -``+[no]trace`` This option toggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When - tracing is enabled, ``dig`` makes iterative queries to resolve the + tracing is enabled, :program:`dig` makes iterative queries to resolve the name being looked up. It follows referrals from the root servers, showing the answer from each server that was used to resolve the lookup. 
@@ -565,49 +667,57 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to If ``@server`` is also specified, it affects only the initial query for the root zone name servers. - ``+dnssec`` is also set when ``+trace`` is set, to better emulate the + :option:`+dnssec` is also set when :option:`+trace` is set, to better emulate the default queries from a name server. -``+tries=T`` +.. option:: +tries=T + This option sets the number of times to try UDP and TCP queries to server to ``T`` instead of the default, 3. If ``T`` is less than or equal to zero, the number of tries is silently rounded up to 1. -``+trusted-key=####`` - This option formerly specified trusted keys for use with ``dig +sigchase``. This - feature is now obsolete and has been removed; use ``delv`` instead. +.. option:: +trusted-key=#### + + This option formerly specified trusted keys for use with :option:`dig +sigchase`. This + feature is now obsolete and has been removed; use :iscman:`delv` instead. + +.. option:: +ttlid, +nottlid -``+[no]ttlid`` This option displays [or does not display] the TTL when printing the record. -``+[no]ttlunits`` +.. option:: +ttlunits, +nottlunits + This option displays [or does not display] the TTL in friendly human-readable time units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes, - hours, days, and weeks. This implies ``+ttlid``. + hours, days, and weeks. This implies :option:`+ttlid`. + +.. option:: +unknownformat, +nounknownformat -``+[no]unknownformat`` This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`). The default is to print RDATA for known types in the type's presentation format. -``+[no]vc`` +.. option:: +vc, +novc + This option uses [or does not use] TCP when querying name servers. This alternate - syntax to ``+[no]tcp`` is provided for backwards compatibility. The + syntax to :option:`+tcp` is provided for backwards compatibility. The ``vc`` stands for "virtual circuit." 
-``+[no]yaml`` - When enabled, this option prints the responses (and, if ``+qr`` is in use, also the +.. option:: +yaml, +noyaml + + When enabled, this option prints the responses (and, if :option:`+qr` is in use, also the outgoing queries) in a detailed YAML format. -``+[no]zflag`` +.. option:: +zflag, +nozflag + This option sets [or does not set] the last unassigned DNS header flag in a DNS query. This flag is off by default. Multiple Queries ~~~~~~~~~~~~~~~~ -The BIND 9 implementation of ``dig`` supports specifying multiple -queries on the command line (in addition to supporting the ``-f`` batch +The BIND 9 implementation of :program:`dig` supports specifying multiple +queries on the command line (in addition to supporting the :option:`-f` batch file option). Each of those queries can be supplied with its own set of flags, options, and query options. 
@@ -620,32 +730,41 @@ query. A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied -on the command line. Any global query options (except ``+[no]cmd`` and -``+[no]short`` options) can be overridden by a query-specific set of +on the command line. Any global query options (except :option:`+cmd` and +:option:`+short` options) can be overridden by a query-specific set of query options. For example: :: dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -shows how ``dig`` can be used from the command line to make three +shows how :program:`dig` can be used from the command line to make three lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1, and a query for the NS records of ``isc.org``. A global query option of -``+qr`` is applied, so that ``dig`` shows the initial query it made for -each lookup. The final query has a local query option of ``+noqr`` which -means that ``dig`` does not print the initial query when it looks up the +:option:`+qr` is applied, so that :program:`dig` shows the initial query it made for +each lookup. The final query has a local query option of :option:`+noqr` which +means that :program:`dig` does not print the initial query when it looks up the NS records for ``isc.org``. -IDN Support -~~~~~~~~~~~ +Return Codes +~~~~~~~~~~~~ + +:program:`dig` return codes are: + +``0`` + DNS response received, including NXDOMAIN status + +``1`` + Usage error + +``8`` + Couldn't open batch file + +``9`` + No reply from server -If ``dig`` has been built with IDN (internationalized domain name) -support, it can accept and display non-ASCII domain names. ``dig`` -appropriately converts character encoding of a domain name before sending -a request to a DNS server or displaying a reply from the server. 
-To turn off IDN support, use the parameters -``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment -variable. +``10`` + Internal error Files ~~~~~ @@ -657,7 +776,7 @@ Files See Also ~~~~~~~~ -:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`. +:iscman:`delv(1) `, :iscman:`host(1) `, :iscman:`named(8) `, :iscman:`dnssec-keygen(8) `, :rfc:`1035`. Bugs ~~~~ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 0965760876..5e8e8422a5 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -22,43 +24,40 @@ #include #include #include +#include +#include #include #include #include #include -#ifdef HAVE_LOCALE_H -#include -#endif /* ifdef HAVE_LOCALE_H */ - #ifdef HAVE_LIBIDN2 #include #endif /* HAVE_LIBIDN2 */ -#include #include #include +#include #include #include #include +#include #include #include -#include #include #include -#include #include #include #include #include #include #include -#include #include +#include #include #include - -#include +#include +#include #include #include @@ -73,29 +72,24 @@ #include #include #include -#include #include #include -#include #include #include -#include - #include "dighost.h" -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ +#define systemlocale(l) (void)setlocale(l, "") +#define resetlocale(l) (void)setlocale(l, "C") dig_lookuplist_t lookup_list; dig_serverlist_t server_list; dig_searchlistlist_t search_list; -static atomic_bool cancel_now = ATOMIC_VAR_INIT(false); +static bool cancel_now = false; bool check_ra = false, have_ipv4 = false, have_ipv6 = false, specified_source = false, free_now = false, usesearch = false, 
@@ -108,24 +102,20 @@ unsigned int extrabytes; isc_mem_t *mctx = NULL; isc_log_t *lctx = NULL; isc_nm_t *netmgr = NULL; -isc_taskmgr_t *taskmgr = NULL; -isc_task_t *global_task = NULL; +isc_loopmgr_t *loopmgr = NULL; +isc_loop_t *mainloop = NULL; isc_sockaddr_t localaddr; -isc_refcount_t sendcount = ATOMIC_VAR_INIT(0); -isc_refcount_t recvcount = ATOMIC_VAR_INIT(0); +isc_refcount_t sendcount = 0; +isc_refcount_t recvcount = 0; int ndots = -1; -int tries = 3; +int tries = -1; int lookup_counter = 0; static char servercookie[256]; #ifdef HAVE_LIBIDN2 static void -idn_locale_to_ace(const char *src, char *dst, size_t dstlen); -static void -idn_ace_to_locale(const char *src, char **dst); -static isc_result_t -idn_output_filter(isc_buffer_t *buffer, unsigned int used_org); +idn_input(const char *src, char *dst, size_t dstlen); #endif /* HAVE_LIBIDN2 */ isc_nmhandle_t *keep = NULL; 
@@ -148,39 +138,20 @@ char keyfile[MXNAME] = ""; char keysecret[MXNAME] = ""; unsigned char cookie_secret[33]; unsigned char cookie[8]; -const dns_name_t *hmacname = NULL; +dst_algorithm_t hmac = DST_ALG_UNKNOWN; unsigned int digestbits = 0; isc_buffer_t *namebuf = NULL; dns_tsigkey_t *tsigkey = NULL; +dst_key_t *sig0key = NULL; bool validated = true; -isc_mempool_t *commctx = NULL; bool debugging = false; bool debugtiming = false; bool memdebugging = false; char *progname = NULL; -isc_mutex_t lookup_lock; dig_lookup_t *current_lookup = NULL; #define DIG_MAX_ADDRESSES 20 -/*% - * Apply and clear locks at the event level in global task. - * Can I get rid of these using shutdown events? XXX - */ -#define LOCK_LOOKUP \ - { \ - debug("lock_lookup %s:%d", __FILE__, __LINE__); \ - check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_" \ - "lock"); \ - debug("success"); \ - } -#define UNLOCK_LOOKUP \ - { \ - debug("unlock_lookup %s:%d", __FILE__, __LINE__); \ - check_result(isc_mutex_unlock((&lookup_lock)), "isc_mutex_" \ - "unlock"); \ - } - static void default_warnerr(const char *format, ...) { va_list args; @@ -238,6 +209,9 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, static void start_udp(dig_query_t *query); +static void +start_tcp(dig_query_t *query); + static void force_next(dig_query_t *query); @@ -350,10 +324,9 @@ get_reverse(char *reverse, size_t len, char *value, bool strict) { /* This is a valid IPv6 address. */ dns_fixedname_t fname; dns_name_t *name; - unsigned int options = 0; name = dns_fixedname_initname(&fname); - result = dns_byaddr_createptrname(&addr, options, name); + result = dns_byaddr_createptrname(&addr, name); if (result != ISC_R_SUCCESS) { return (result); } @@ -438,6 +411,7 @@ fatal(const char *format, ...) { vfprintf(stderr, format, args); va_end(args); fprintf(stderr, "\n"); + isc__tls_setfatalmode(); digexit(); } 
@@ -449,7 +423,7 @@ debug(const char *format, ...) { if (debugging) { fflush(stdout); if (debugtiming) { - TIME_NOW(&t); + t = isc_time_now(); fprintf(stderr, "%u.%06u: ", isc_time_seconds(&t), isc_time_nanoseconds(&t) / 1000); } @@ -500,7 +474,8 @@ get_server_list(irs_resconf_t *resconf) { debug("get_server_list()"); servers = irs_resconf_getnameservers(resconf); for (sa = ISC_LIST_HEAD(*servers); sa != NULL; - sa = ISC_LIST_NEXT(sa, link)) { + sa = ISC_LIST_NEXT(sa, link)) + { int pf = isc_sockaddr_pf(sa); isc_netaddr_t na; isc_result_t result; @@ -558,8 +533,9 @@ set_nameserver(char *opt) { return; } - result = bind9_getaddresses(opt, 0, sockaddrs, DIG_MAX_ADDRESSES, - &count); + isc_loopmgr_blocking(loopmgr); + result = isc_getaddresses(opt, 0, sockaddrs, DIG_MAX_ADDRESSES, &count); + isc_loopmgr_nonblocking(loopmgr); if (result != ISC_R_SUCCESS) { fatal("couldn't get address for '%s': %s", opt, isc_result_totext(result)); @@ -605,8 +581,13 @@ clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) { dig_lookup_t * make_empty_lookup(void) { dig_lookup_t *looknew; + int idnin = false, idnout = false; + #ifdef HAVE_LIBIDN2 - bool idn_allowed = isatty(1) ? (getenv("IDN_DISABLE") == NULL) : false; + if (getenv("IDN_DISABLE") == NULL) { + idnin = true; + idnout = isatty(1); + } #endif /* HAVE_LIBIDN2 */ debug("make_empty_lookup()"); @@ -623,10 +604,8 @@ make_empty_lookup(void) { .besteffort = true, .opcode = dns_opcode_query, .badcookie = true, -#ifdef HAVE_LIBIDN2 - .idnin = idn_allowed, - .idnout = idn_allowed, -#endif /* HAVE_LIBIDN2 */ + .idnin = idnin, + .idnout = idnout, .udpsize = -1, .edns = -1, .recurse = true, @@ -638,8 +617,6 @@ make_empty_lookup(void) { .section_authority = true, .section_additional = true, .ednsneg = true, - .mapped = true, - .dscp = -1, }; dns_fixedname_init(&looknew->fdomain); 
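Review bot: `int idnin = false, idnout = false;` at the top of make_empty_lookup declares boolean flags as `int` even though they are initialised with `false` and fed straight into the `.idnin`/`.idnout` initialisers; `bool idnin = false, idnout = false;` matches how the rest of the file spells flags. The new logic also changes the default: IDN input conversion is now enabled whenever `IDN_DISABLE` is unset, while output conversion still depends on `isatty(1)`, whereas the removed line tied both to the tty check. A comment such as `/* Always convert IDN input; only decode output when stdout is a terminal */` would record that the split is deliberate, especially since the dig.rst hunk earlier in this diff removes the paragraph that documented `IDN_DISABLE` (unless that text moved elsewhere).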
@@ -647,6 +624,8 @@ make_empty_lookup(void) { ISC_LIST_INIT(looknew->q); ISC_LIST_INIT(looknew->my_server_list); + isc_tlsctx_cache_create(mctx, &looknew->tls_ctx_cache); + isc_refcount_init(&looknew->references, 1); looknew->magic = DIG_LOOKUP_MAGIC; @@ -736,6 +715,32 @@ clone_lookup(dig_lookup_t *lookold, bool servers) { } looknew->https_get = lookold->https_get; looknew->http_plain = lookold->http_plain; + + looknew->tls_ca_set = lookold->tls_ca_set; + if (lookold->tls_ca_file != NULL) { + looknew->tls_ca_file = isc_mem_strdup(mctx, + lookold->tls_ca_file); + }; + + looknew->tls_hostname_set = lookold->tls_hostname_set; + if (lookold->tls_hostname != NULL) { + looknew->tls_hostname = isc_mem_strdup(mctx, + lookold->tls_hostname); + } + + looknew->tls_key_file_set = lookold->tls_key_file_set; + if (lookold->tls_key_file != NULL) { + looknew->tls_key_file = isc_mem_strdup(mctx, + lookold->tls_key_file); + } + + looknew->tls_cert_file_set = lookold->tls_cert_file_set; + if (lookold->tls_cert_file != NULL) { + looknew->tls_cert_file = isc_mem_strdup(mctx, + lookold->tls_cert_file); + } + + looknew->showbadcookie = lookold->showbadcookie; looknew->sendcookie = lookold->sendcookie; looknew->seenbadcookie = lookold->seenbadcookie; looknew->badcookie = lookold->badcookie; @@ -748,7 +753,6 @@ clone_lookup(dig_lookup_t *lookold, bool servers) { } looknew->ednsneg = lookold->ednsneg; looknew->padding = lookold->padding; - looknew->mapped = lookold->mapped; looknew->multiline = lookold->multiline; looknew->nottl = lookold->nottl; looknew->noclass = lookold->noclass; 
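Review bot: The block that copies `tls_ca_file` in clone_lookup ends with `};` — the `;` after the closing brace is a stray empty statement and should be dropped so it reads like the three sibling blocks that follow it. The four `tls_*_set`/`tls_*` pairs are copied with identical shape; a small static helper that strdup's a possibly-NULL string into the target field would remove the repetition, though that is optional. The copies also rely on the corresponding `looknew` fields starting out NULL, which presumably holds via the designated initialiser in make_empty_lookup but is worth a one-line comment here.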
@@ -787,20 +791,26 @@ clone_lookup(dig_lookup_t *lookold, bool servers) { looknew->tsigctx = NULL; looknew->need_search = lookold->need_search; looknew->done_as_is = lookold->done_as_is; - looknew->dscp = lookold->dscp; looknew->rrcomments = lookold->rrcomments; - looknew->eoferr = lookold->eoferr; + looknew->fuzzing = lookold->fuzzing; + looknew->fuzztime = lookold->fuzztime; if (lookold->ecs_addr != NULL) { - size_t len = sizeof(isc_sockaddr_t); - looknew->ecs_addr = isc_mem_allocate(mctx, len); - memmove(looknew->ecs_addr, lookold->ecs_addr, len); + looknew->ecs_addr = isc_mem_get(mctx, + sizeof(*looknew->ecs_addr)); + memmove(looknew->ecs_addr, lookold->ecs_addr, + sizeof(*looknew->ecs_addr)); } dns_name_copy(dns_fixedname_name(&lookold->fdomain), dns_fixedname_name(&looknew->fdomain)); if (servers) { + if (lookold->tls_ctx_cache != NULL) { + isc_tlsctx_cache_detach(&looknew->tls_ctx_cache); + isc_tlsctx_cache_attach(lookold->tls_ctx_cache, + &looknew->tls_ctx_cache); + } clone_server_list(lookold->my_server_list, &looknew->my_server_list); } @@ -864,7 +874,7 @@ setup_text_key(void) { secretsize = isc_buffer_usedlength(&secretbuf); - if (hmacname == NULL) { + if (hmac == DST_ALG_UNKNOWN) { result = DST_R_UNSUPPORTEDALG; goto failure; } @@ -874,9 +884,8 @@ setup_text_key(void) { goto failure; } - result = dns_tsigkey_create(&keyname, hmacname, secretstore, - (int)secretsize, false, NULL, 0, 0, mctx, - NULL, &tsigkey); + result = dns_tsigkey_create(&keyname, hmac, secretstore, + (int)secretsize, mctx, &tsigkey); failure: if (result != ISC_R_SUCCESS) { printf(";; Couldn't create key %s: %s\n", keynametext, @@ -948,8 +957,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) { fatal("invalid prefix '%s'\n", value); } - sa = isc_mem_allocate(mctx, sizeof(*sa)); - memset(sa, 0, sizeof(*sa)); + sa = isc_mem_get(mctx, sizeof(*sa)); + *sa = (isc_sockaddr_t){ .length = 0 }; if (strcmp(buf, "0") == 0) { sa->type.sa.sa_family = AF_UNSPEC; 
@@ -1012,50 +1021,50 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) { * Parse HMAC algorithm specification */ void -parse_hmac(const char *hmac) { +parse_hmac(const char *algname) { char buf[20]; size_t len; - REQUIRE(hmac != NULL); + REQUIRE(algname != NULL); - len = strlen(hmac); + len = strlen(algname); if (len >= sizeof(buf)) { - fatal("unknown key type '%.*s'", (int)len, hmac); + fatal("unknown key type '%.*s'", (int)len, algname); } - strlcpy(buf, hmac, sizeof(buf)); + strlcpy(buf, algname, sizeof(buf)); digestbits = 0; if (strcasecmp(buf, "hmac-md5") == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else if (strcasecmp(buf, "hmac-sha1") == 0) { - hmacname = DNS_TSIG_HMACSHA1_NAME; + hmac = DST_ALG_HMACSHA1; digestbits = 0; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - hmacname = DNS_TSIG_HMACSHA1_NAME; + hmac = DST_ALG_HMACSHA1; digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160); } else if (strcasecmp(buf, "hmac-sha224") == 0) { - hmacname = DNS_TSIG_HMACSHA224_NAME; + hmac = DST_ALG_HMACSHA224; } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA224_NAME; + hmac = DST_ALG_HMACSHA224; digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224); } else if (strcasecmp(buf, "hmac-sha256") == 0) { - hmacname = DNS_TSIG_HMACSHA256_NAME; + hmac = DST_ALG_HMACSHA256; } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA256_NAME; + hmac = DST_ALG_HMACSHA256; digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256); } else if (strcasecmp(buf, "hmac-sha384") == 0) { - hmacname = DNS_TSIG_HMACSHA384_NAME; + hmac = DST_ALG_HMACSHA384; } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA384_NAME; + hmac = DST_ALG_HMACSHA384; digestbits 
= parse_bits(&buf[12], "digest-bits [0..384]", 384); } else if (strcasecmp(buf, "hmac-sha512") == 0) { - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = DST_ALG_HMACSHA512; } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = DST_ALG_HMACSHA512; digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512); } else { fprintf(stderr, @@ -1132,6 +1141,10 @@ setup_file_key(void) { debug("setup_file_key()"); + if (sig0key != NULL) { + dst_key_free(&sig0key); + } + /* Try reading the key from a K* pair */ result = dst_key_fromnamedfile( keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey); @@ -1152,36 +1165,29 @@ setup_file_key(void) { switch (dst_key_alg(dstkey)) { case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; case DST_ALG_HMACSHA1: - hmacname = DNS_TSIG_HMACSHA1_NAME; - break; case DST_ALG_HMACSHA224: - hmacname = DNS_TSIG_HMACSHA224_NAME; - break; case DST_ALG_HMACSHA256: - hmacname = DNS_TSIG_HMACSHA256_NAME; - break; case DST_ALG_HMACSHA384: - hmacname = DNS_TSIG_HMACSHA384_NAME; - break; case DST_ALG_HMACSHA512: - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = dst_key_alg(dstkey); break; default: - printf(";; Couldn't create key %s: bad algorithm\n", - keynametext); - goto failure; + dst_key_attach(dstkey, &sig0key); + dst_key_free(&dstkey); + return; } - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname, - dstkey, false, NULL, 0, 0, mctx, - NULL, &tsigkey); - if (result != ISC_R_SUCCESS) { - printf(";; Couldn't create key %s: %s\n", keynametext, - isc_result_totext(result)); - goto failure; + + if (dstkey != NULL) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, + dstkey, false, false, NULL, + 0, 0, mctx, &tsigkey); + if (result != ISC_R_SUCCESS) { + printf(";; Couldn't create key %s: %s\n", keynametext, + isc_result_totext(result)); + } } + failure: if (dstkey != NULL) { dst_key_free(&dstkey); 
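Review bot: In the `default:` arm of `switch (dst_key_alg(dstkey))` in setup_file_key, any non-HMAC key is now attached as `sig0key` and the function returns, silently replacing the former `bad algorithm` rejection; nothing visible here checks that the loaded key's algorithm can actually produce a SIG(0) signature, so an unsuitable key would only surface later when the message is signed. A comment on that arm, e.g. `/* Non-HMAC keys are used for SIG(0), not TSIG */`, together with an explicit algorithm check or a clear error when signing fails, would make the new behaviour intentional rather than implicit. The `if (dstkey != NULL)` guard after the switch looks redundant, since every path reaching it should have a non-NULL `dstkey` after the `dst_key_fromnamedfile` result checks, which lie outside this hunk — please confirm.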
@@ -1277,6 +1283,17 @@ setup_system(bool ipv4only, bool ipv6only) { ndots = irs_resconf_getndots(resconf); debug("ndots is %d.", ndots); } + if (timeout == 0) { + timeout = irs_resconf_gettimeout(resconf); + debug("timeout is %d.", timeout); + } + if (tries == -1) { + tries = irs_resconf_getattempts(resconf); + if (tries == 0) { + tries = 3; + } + debug("retries is %d.", tries); + } /* If user doesn't specify server use nameservers from resolv.conf. */ if (ISC_LIST_EMPTY(server_list)) { @@ -1295,11 +1312,6 @@ setup_system(bool ipv4only, bool ipv6only) { irs_resconf_destroy(&resconf); -#ifdef HAVE_SETLOCALE - /* Set locale */ - (void)setlocale(LC_ALL, ""); -#endif /* ifdef HAVE_SETLOCALE */ - if (keyfile[0] != 0) { setup_file_key(); } else if (keysecret[0] != 0) { @@ -1331,11 +1343,6 @@ setup_libs(void) { debug("setup_libs()"); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - result = isc_net_probeipv4(); if (result == ISC_R_SUCCESS) { have_ipv4 = true; @@ -1349,8 +1356,7 @@ setup_libs(void) { fatal("can't find either v4 or v6 networking"); } - isc_mem_create(&mctx); - isc_mem_setname(mctx, "dig"); + isc_managers_create(&mctx, 1, &loopmgr, &netmgr); isc_log_create(mctx, &lctx, &logconfig); isc_log_setcontext(lctx); 
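Review bot: The new `tries` block in setup_system falls back to 3 when `irs_resconf_getattempts` returns 0, but the `timeout` block just above has no equivalent fallback, so if `irs_resconf_gettimeout` reports 0 for a resolv.conf without a `timeout:` option, `timeout` stays 0 after this code. Whether that still produces the built-in default depends on later `timeout == 0` handling outside the hunk; if it does, a comment such as `/* 0 means "use the built-in default" downstream */` saves the next reader the check, and if it does not, mirror the `tries` fallback. The message `debug("retries is %d.", tries)` calls the value `retries` while the variable and the option are `tries`; one spelling keeps debug output greppable.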
@@ -1362,26 +1368,12 @@ setup_libs(void) { isc_log_setdebuglevel(lctx, 0); - isc_managers_create(mctx, 1, 0, 0, &netmgr, &taskmgr, NULL, NULL); - - result = isc_task_create(taskmgr, 0, &global_task); - check_result(result, "isc_task_create"); - isc_task_setname(global_task, "dig", NULL); + isc_mem_setname(mctx, "dig"); + mainloop = isc_loop_main(loopmgr); result = dst_lib_init(mctx, NULL); check_result(result, "dst_lib_init"); is_dst_up = true; - - isc_mempool_create(mctx, COMMSIZE, &commctx); - isc_mempool_setname(commctx, "COMMPOOL"); - /* - * 6 and 2 set as reasonable parameters for 3 or 4 nameserver - * systems. - */ - isc_mempool_setfreemax(commctx, 6); - isc_mempool_setfillcount(commctx, 2); - - isc_mutex_init(&lookup_lock); } typedef struct dig_ednsoptname { @@ -1493,12 +1485,10 @@ static void add_question(dns_message_t *message, dns_name_t *name, dns_rdataclass_t rdclass, dns_rdatatype_t rdtype) { dns_rdataset_t *rdataset; - isc_result_t result; debug("add_question()"); rdataset = NULL; - result = dns_message_gettemprdataset(message, &rdataset); - check_result(result, "dns_message_gettemprdataset()"); + dns_message_gettemprdataset(message, &rdataset); dns_rdataset_makequestion(rdataset, rdclass, rdtype); ISC_LIST_APPEND(name->list, rdataset, link); } 
@@ -1532,7 +1522,35 @@ check_if_done(void) { INSIST(isc_refcount_current(&recvcount) == 0); debug("shutting down"); dighost_shutdown(); + + if (current_lookup == NULL && keep != NULL) { + isc_nmhandle_detach(&keep); + } + } +} + +/*% + * Check if we're done with all the queries in the lookup, except for + * the `except_q` query (can be NULL if no exception is required). + * Expects `l` to be a valid and locked lookup. + */ +static bool +check_if_queries_done(dig_lookup_t *l, dig_query_t *except_q) { + dig_query_t *q = ISC_LIST_HEAD(l->q); + + debug("check_if_queries_done(%p)", l); + + while (q != NULL) { + if (!q->started || isc_refcount_current(&q->references) > 1) { + if (!q->canceled && q != except_q) { + debug("there is a pending query %p", q); + return (false); + } + } + q = ISC_LIST_NEXT(q, link); } + + return (true); } static void @@ -1564,7 +1582,7 @@ _destroy_lookup(dig_lookup_t *lookup) { isc_buffer_free(&lookup->querysig); } if (lookup->sendspace != NULL) { - isc_mempool_put(commctx, lookup->sendspace); + isc_mem_put(mctx, lookup->sendspace, COMMSIZE); } if (lookup->tsigctx != NULL) { @@ -1572,7 +1590,7 @@ _destroy_lookup(dig_lookup_t *lookup) { } if (lookup->ecs_addr != NULL) { - isc_mem_free(mctx, lookup->ecs_addr); + isc_mem_put(mctx, lookup->ecs_addr, sizeof(*lookup->ecs_addr)); } if (lookup->ednsopts != NULL) { @@ -1589,6 +1607,26 @@ _destroy_lookup(dig_lookup_t *lookup) { isc_mem_free(mctx, lookup->https_path); } + if (lookup->tls_ctx_cache != NULL) { + isc_tlsctx_cache_detach(&lookup->tls_ctx_cache); + } + + if (lookup->tls_ca_file != NULL) { + isc_mem_free(mctx, lookup->tls_ca_file); + } + + if (lookup->tls_hostname != NULL) { + isc_mem_free(mctx, lookup->tls_hostname); + } + + if (lookup->tls_key_file != NULL) { + isc_mem_free(mctx, lookup->tls_key_file); + } + + if (lookup->tls_cert_file != NULL) { + isc_mem_free(mctx, lookup->tls_cert_file); + } + isc_mem_free(mctx, lookup); } 
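Review bot: The header comment on check_if_queries_done says it `Expects l to be a valid and locked lookup`, but this same diff deletes `lookup_lock` and the `LOCK_LOOKUP`/`UNLOCK_LOOKUP` macros (hunk at line 148), so there is no lookup lock left to hold; the comment should state the new invariant instead, e.g. `Expects l to be a valid lookup; no locking, all lookups run on the main loop` if that is what replaces it. The same stale wording (`The lookup lock must be held by the caller`) appears in the nssearch_next comment in the hunk at line 2609. The `isc_refcount_current(&q->references) > 1` test that decides a query is still pending deserves a one-line comment naming which holder the extra reference belongs to, since that cannot be inferred from this function alone.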
@@ -1650,8 +1688,8 @@ destroy_query(dig_query_t *query, const char *file, unsigned int line) { INSIST(query->recvspace != NULL); - isc_mempool_put(commctx, query->recvspace); - isc_mempool_put(commctx, query->tmpsendspace); + isc_mem_put(mctx, query->recvspace, COMMSIZE); + isc_mem_put(mctx, query->tmpsendspace, COMMSIZE); query->magic = 0; isc_mem_free(mctx, query); @@ -1715,7 +1753,7 @@ void start_lookup(void) { debug("start_lookup()"); - if (atomic_load(&cancel_now)) { + if (cancel_now) { return; } @@ -1766,11 +1804,19 @@ clear_current_lookup(void) { return; } + if (lookup->cleared) { + debug("current_lookup is already cleared"); + return; + } + if (ISC_LIST_HEAD(lookup->q) != NULL) { debug("still have a worker"); return; } + lookup->cleared = true; + debug("lookup cleared"); + lookup_detach(&lookup); } @@ -1857,7 +1903,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) { dns_rdata_ns_t ns; if (query->lookup->trace_root && - query->lookup->nsfound >= MXSERV) { + query->lookup->nsfound >= MXSERV) + { break; } @@ -1878,7 +1925,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) { cancel_lookup(query->lookup); lookup->doing_xfr = false; if (!lookup->trace_root && - section == DNS_SECTION_ANSWER) { + section == DNS_SECTION_ANSWER) + { lookup->trace = false; } else { lookup->trace = query->lookup->trace; @@ -1981,7 +2029,7 @@ next_origin(dig_lookup_t *oldlookup) { * Check for a absolute name or ndots being met. */ name = dns_fixedname_initname(&fixed); - result = dns_name_fromstring2(name, oldlookup->textname, NULL, 0, NULL); + result = dns_name_fromstring(name, oldlookup->textname, NULL, 0, NULL); if (result == ISC_R_SUCCESS && (dns_name_isabsolute(name) || (int)dns_name_countlabels(name) > ndots)) 
@@ -2043,18 +2091,15 @@ insert_soa(dig_lookup_t *lookup) { isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore, sizeof(lookup->rdatastore)); - result = dns_message_gettemprdata(lookup->sendmsg, &rdata); - check_result(result, "dns_message_gettemprdata"); + dns_message_gettemprdata(lookup->sendmsg, &rdata); result = dns_rdata_fromstruct(rdata, lookup->rdclass, dns_rdatatype_soa, &soa, &lookup->rdatabuf); check_result(result, "isc_rdata_fromstruct"); - result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist); - check_result(result, "dns_message_gettemprdatalist"); + dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist); - result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); + dns_message_gettemprdataset(lookup->sendmsg, &rdataset); dns_rdatalist_init(rdatalist); rdatalist->type = dns_rdatatype_soa; @@ -2063,8 +2108,7 @@ insert_soa(dig_lookup_t *lookup) { dns_rdatalist_tordataset(rdatalist, rdataset); - result = dns_message_gettempname(lookup->sendmsg, &soaname); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(lookup->sendmsg, &soaname); dns_name_clone(lookup->name, soaname); ISC_LIST_INIT(soaname->list); ISC_LIST_APPEND(soaname->list, rdataset, link); @@ -2090,10 +2134,9 @@ _new_query(dig_lookup_t *lookup, char *servname, char *userarg, *query = (dig_query_t){ .sendbuf = lookup->renderbuf, .servname = servname, .userarg = userarg, - .first_pass = true, .warn_id = true, - .recvspace = isc_mempool_get(commctx), - .tmpsendspace = isc_mempool_get(commctx) }; + .recvspace = isc_mem_get(mctx, COMMSIZE), + .tmpsendspace = isc_mem_get(mctx, COMMSIZE) }; lookup_attach(lookup, &query->lookup); 
@@ -2160,8 +2203,7 @@ setup_lookup(dig_lookup_t *lookup) { debug("cloning server list"); clone_server_list(server_list, &lookup->my_server_list); } - result = dns_message_gettempname(lookup->sendmsg, &lookup->name); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(lookup->sendmsg, &lookup->name); isc_buffer_init(&lookup->namebuf, lookup->name_space, sizeof(lookup->name_space)); @@ -2176,7 +2218,7 @@ setup_lookup(dig_lookup_t *lookup) { textname = lookup->textname; #ifdef HAVE_LIBIDN2 if (lookup->idnin) { - idn_locale_to_ace(textname, idn_textname, sizeof(idn_textname)); + idn_input(textname, idn_textname, sizeof(idn_textname)); debug("idn_textname: %s", idn_textname); textname = idn_textname; } @@ -2202,15 +2244,12 @@ setup_lookup(dig_lookup_t *lookup) { if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); - result = dns_message_gettempname(lookup->sendmsg, - &lookup->oname); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(lookup->sendmsg, &lookup->oname); /* XXX Helper funct to conv char* to name? */ origin = lookup->origin->origin; #ifdef HAVE_LIBIDN2 if (lookup->idnin) { - idn_locale_to_ace(origin, idn_origin, - sizeof(idn_origin)); + idn_input(origin, idn_origin, sizeof(idn_origin)); debug("trying idn origin %s", idn_origin); origin = idn_origin; } 
@@ -2272,18 +2311,20 @@ setup_lookup(dig_lookup_t *lookup) { result = dns_name_fromtext(lookup->name, &b, dns_rootname, 0, &lookup->namebuf); - } - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(lookup->sendmsg, &lookup->name); - warn("'%s' is not a legal name " - "(%s)", - lookup->textname, isc_result_totext(result)); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(lookup->sendmsg, + &lookup->name); + warn("'%s' is not a legal name (%s)", + lookup->textname, + isc_result_totext(result)); #if TARGET_OS_IPHONE - clear_current_lookup(); - return (false); + clear_current_lookup(); + return (false); #else /* if TARGET_OS_IPHONE */ - digexit(); + cleanup_openssl_refs(); + digexit(); #endif /* if TARGET_OS_IPHONE */ + } } } dns_name_format(lookup->name, store, sizeof(store)); @@ -2384,15 +2425,20 @@ setup_lookup(dig_lookup_t *lookup) { debug("initializing keys"); result = dns_message_settsigkey(lookup->sendmsg, tsigkey); check_result(result, "dns_message_settsigkey"); + } else if (sig0key != NULL) { + debug("initializing keys"); + result = dns_message_setsig0key(lookup->sendmsg, sig0key); + check_result(result, "dns_message_setsig0key"); } - lookup->sendspace = isc_mempool_get(commctx); - if (lookup->sendspace == NULL) { - fatal("memory allocation failure"); + if (lookup->fuzzing) { + lookup->sendmsg->fuzzing = true; + lookup->sendmsg->fuzztime = lookup->fuzztime; } - result = dns_compress_init(&cctx, -1, mctx); - check_result(result, "dns_compress_init"); + lookup->sendspace = isc_mem_get(mctx, COMMSIZE); + + dns_compress_init(&cctx, mctx, 0); debug("starting to render the message"); isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE); @@ -2486,8 +2532,7 @@ setup_lookup(dig_lookup_t *lookup) { memmove(addr, &sin6->sin6_addr, addrl); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf)); 
@@ -2505,7 +2550,8 @@ setup_lookup(dig_lookup_t *lookup) { addr[addrl - 1] &= ~0U << (8 - (plen % 8)); } - isc_buffer_putmem(&b, addr, (unsigned)addrl); + isc_buffer_putmem(&b, addr, + (unsigned int)addrl); } opts[i].value = (uint8_t *)ecsbuf; @@ -2609,6 +2655,54 @@ setup_lookup(dig_lookup_t *lookup) { return (true); } +/*% + * NSSEARCH mode special mode handling function to start the next query in the + * list. The lookup lock must be held by the caller. The function will detach + * both the lookup and the query, and may cancel the lookup and clear the + * current lookup. + */ +static void +nssearch_next(dig_lookup_t *l, dig_query_t *q) { + dig_query_t *next = ISC_LIST_NEXT(q, link); + bool tcp_mode = l->tcp_mode; + + INSIST(l->ns_search_only && !l->trace_root); + INSIST(l == current_lookup); + + if (next == NULL) { + /* + * If this is the last query, and if there was + * not a single successful query in the whole + * lookup, then treat the situation as an error, + * cancel and clear the lookup. + */ + if (check_if_queries_done(l, q) && !l->ns_search_success) { + dighost_error("NS servers could not be reached"); + if (exitcode < 9) { + exitcode = 9; + } + + cancel_lookup(l); + query_detach(&q); + lookup_detach(&l); + clear_current_lookup(); + } else { + query_detach(&q); + lookup_detach(&l); + } + } else { + query_detach(&q); + lookup_detach(&l); + + debug("sending next, since searching"); + if (tcp_mode) { + start_tcp(next); + } else { + start_udp(next); + } + } +} + /*% * Event handler for send completion. Track send counter, and clear out * the query if the send was canceled. @@ -2616,7 +2710,6 @@ setup_lookup(dig_lookup_t *lookup) { static void send_done(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { dig_query_t *query = (dig_query_t *)arg; - dig_query_t *next = NULL; dig_lookup_t *l = NULL; REQUIRE(DIG_VALID_QUERY(query)); 
@@ -2630,44 +2723,30 @@ send_done(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { INSIST(!free_now); - LOCK_LOOKUP; - isc_nmhandle_detach(&query->sendhandle); - if (eresult != ISC_R_SUCCESS) { - if (eresult != ISC_R_CANCELED) { - debug("send failed: %s", isc_result_totext(eresult)); + lookup_attach(query->lookup, &l); + + if (eresult == ISC_R_CANCELED || query->canceled) { + debug("send_done: cancel"); + if (!query->canceled) { + cancel_lookup(l); } query_detach(&query); - - UNLOCK_LOOKUP; + lookup_detach(&l); return; + } else if (eresult != ISC_R_SUCCESS) { + debug("send failed: %s", isc_result_totext(eresult)); } - lookup_attach(query->lookup, &l); - if (l->ns_search_only && !l->trace_root && !l->tcp_mode) { - debug("sending next, since searching"); - next = ISC_LIST_NEXT(query, link); - + if (l->ns_search_only && !l->trace_root) { + nssearch_next(l, query); + } else { query_detach(&query); lookup_detach(&l); - - if (next == NULL) { - clear_current_lookup(); - } else { - start_udp(next); - } - - check_if_done(); - UNLOCK_LOOKUP; - return; } - query_detach(&query); - lookup_detach(&l); - check_if_done(); - UNLOCK_LOOKUP; } /*% @@ -2684,6 +2763,14 @@ _cancel_lookup(dig_lookup_t *lookup, const char *file, unsigned int line) { REQUIRE(DIG_VALID_QUERY(query)); next = ISC_LIST_NEXT(query, link); ISC_LIST_DEQUEUE(lookup->q, query, link); + debug("canceling pending query %p, belonging to %p", query, + query->lookup); + query->canceled = true; + if (query->readhandle != NULL && + !isc_nm_is_http_handle(query->readhandle)) + { + isc_nm_cancelread(query->readhandle); + } query_detach(&query); query = next; } 
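Review bot: In send_done, a send that fails with anything other than `ISC_R_CANCELED` now only emits `debug("send failed: ...")` and then continues down the same path as a successful send (nssearch_next or detach), whereas the removed code detached the query and returned. If the intent is that the read side's timeout or error handling recovers from this, a comment above the `else if` such as `/* Non-cancel send errors are handled by the recv path */` would make it deliberate; otherwise the early return should be restored. The cancel branch calls `cancel_lookup(l)` only when `query->canceled` is false, which reads as "the network layer cancelled us but nobody marked the query"; a short comment there would help as well.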
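Review bot: The new `!isc_nm_is_http_handle(query->readhandle)` condition in _cancel_lookup skips `isc_nm_cancelread` for HTTP handles without saying why, so a reader cannot tell whether DoH reads are cancelled elsewhere or simply left to complete. A one-line comment on the condition stating the reason for the exclusion would document the asymmetry. The enclosing loop over the query list starts outside the hunk.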
@@ -2692,6 +2779,130 @@ _cancel_lookup(dig_lookup_t *lookup, const char *file, unsigned int line) { check_if_done(); } +static isc_tlsctx_t * +get_create_tls_context(dig_query_t *query, const bool is_https, + isc_tlsctx_client_session_cache_t **psess_cache) { + isc_result_t result; + isc_tlsctx_t *ctx = NULL, *found_ctx = NULL; + isc_tls_cert_store_t *store = NULL, *found_store = NULL; + char tlsctxname[ISC_SOCKADDR_FORMATSIZE]; + const uint16_t family = isc_sockaddr_pf(&query->sockaddr) == PF_INET6 + ? AF_INET6 + : AF_INET; + isc_tlsctx_cache_transport_t transport = + is_https ? isc_tlsctx_cache_https : isc_tlsctx_cache_tls; + const bool hostname_ignore_subject = !is_https; + isc_tlsctx_client_session_cache_t *sess_cache = NULL, + *found_sess_cache = NULL; + + if (query->lookup->tls_key_file_set != query->lookup->tls_cert_file_set) + { + return (NULL); + } + + isc_sockaddr_format(&query->sockaddr, tlsctxname, sizeof(tlsctxname)); + + result = isc_tlsctx_cache_find(query->lookup->tls_ctx_cache, tlsctxname, + transport, family, &found_ctx, + &found_store, &found_sess_cache); + if (result != ISC_R_SUCCESS) { + if (query->lookup->tls_ca_set) { + if (found_store == NULL) { + result = isc_tls_cert_store_create( + query->lookup->tls_ca_file, &store); + + if (result != ISC_R_SUCCESS) { + goto failure; + } + } else { + store = found_store; + } + } + + result = isc_tlsctx_createclient(&ctx); + if (result != ISC_R_SUCCESS) { + goto failure; + } + + if (store != NULL) { + const char *hostname = + query->lookup->tls_hostname_set + ? query->lookup->tls_hostname + : query->userarg; + /* + * According to RFC 8310, Subject field MUST NOT be + * inspected when verifying hostname for DoT. Only + * SubjectAltName must be checked. That is NOT the case + * for HTTPS. 
+ */ + result = isc_tlsctx_enable_peer_verification( + ctx, false, store, hostname, + hostname_ignore_subject); + if (result != ISC_R_SUCCESS) { + goto failure; + } + } + + if (query->lookup->tls_key_file_set && + query->lookup->tls_cert_file_set) + { + result = isc_tlsctx_load_certificate( + ctx, query->lookup->tls_key_file, + query->lookup->tls_cert_file); + if (result != ISC_R_SUCCESS) { + goto failure; + } + } + + if (!is_https) { + isc_tlsctx_enable_dot_client_alpn(ctx); + } + +#if HAVE_LIBNGHTTP2 + if (is_https) { + isc_tlsctx_enable_http2client_alpn(ctx); + } +#endif /* HAVE_LIBNGHTTP2 */ + + isc_tlsctx_client_session_cache_create( + mctx, ctx, ISC_TLSCTX_CLIENT_SESSION_CACHE_DEFAULT_SIZE, + &sess_cache); + + result = isc_tlsctx_cache_add( + query->lookup->tls_ctx_cache, tlsctxname, transport, + family, ctx, store, sess_cache, NULL, NULL, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (psess_cache != NULL) { + INSIST(*psess_cache == NULL); + *psess_cache = sess_cache; + } + return (ctx); + } + + if (psess_cache != NULL) { + INSIST(*psess_cache == NULL); + *psess_cache = found_sess_cache; + } + + INSIST(!query->lookup->tls_ca_set || found_store != NULL); + return (found_ctx); +failure: + if (ctx != NULL) { + isc_tlsctx_free(&ctx); + } + /* + * The 'found_store' is being managed by the TLS context + * cache. Thus, we should keep it as it is, as it will get + * destroyed alongside the cache. As there is one store per + * multiple TLS contexts, we need to handle store deletion in a + * special way. + */ + if (store != NULL && store != found_store) { + isc_tls_cert_store_free(&store); + } + return (NULL); +} + static void tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg); 
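Review bot: get_create_tls_context() has no header comment although its behaviour is security-relevant: peer verification is only enabled inside the `if (store != NULL)` branch, i.e. when tls_ca_set is true, so without a CA the context performs no certificate verification, and the verified hostname is tls_hostname when set, otherwise the server name as typed (`query->userarg`). Document that contract above the function, together with the `tls_key_file_set != tls_cert_file_set` early return and the ownership rule for `store` spelled out at the `failure:` label. The cache key (`tlsctxname`, the formatted socket address, plus transport and family) does not include the hostname, CA file or client certificate, so if two lookups in one run can reach the same address with different +tls-hostname or +tls-cert settings the second silently reuses the first context; the `INSIST(!query->lookup->tls_ca_set || found_store != NULL)` only turns the no-CA-then-CA case into an abort. If all lookups in a run are guaranteed to share these settings, say so in the comment; otherwise include them in the cache key.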
@@ -2703,22 +2914,31 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg); static void start_tcp(dig_query_t *query) { isc_result_t result; - dig_query_t *next; + dig_query_t *next = NULL; + dig_query_t *connectquery = NULL; + isc_tlsctx_t *tlsctx = NULL; + bool tls_mode = false; + isc_tlsctx_client_session_cache_t *sess_cache = NULL; + int local_timeout; + REQUIRE(DIG_VALID_QUERY(query)); debug("start_tcp(%p)", query); query_attach(query, &query->lookup->current_query); + tls_mode = dig_lookup_is_tls(query->lookup); + /* * For TLS connections, we want to override the default * port number. */ if (!port_set) { - if (query->lookup->tls_mode) { + if (tls_mode) { port = 853; } else if (query->lookup->https_mode && - !query->lookup->http_plain) { + !query->lookup->http_plain) + { port = 443; } else if (query->lookup->https_mode) { port = 80; @@ -2740,8 +2960,7 @@ start_tcp(dig_query_t *query) { return; } - if (!query->lookup->mapped && - isc_sockaddr_pf(&query->sockaddr) == AF_INET6 && + if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&query->sockaddr.type.sin6.sin6_addr)) { isc_netaddr_t netaddr; 
@@ -2773,77 +2992,88 @@ start_tcp(dig_query_t *query) { launch_next_query(query); query_detach(&query); return; + } else if (keep != NULL) { + isc_nmhandle_detach(&keep); + } + + if (timeout != 0) { + local_timeout = timeout * 1000; } else { - int local_timeout = timeout * 1000; - if (local_timeout == 0) { - local_timeout = TCP_TIMEOUT * 1000; - } + local_timeout = TCP_TIMEOUT * 1000; + } - if (keep != NULL) { - isc_nmhandle_detach(&keep); + if (!specified_source) { + if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) && have_ipv4) + { + isc_sockaddr_any(&localaddr); + } else { + isc_sockaddr_any6(&localaddr); } + } - if (!specified_source) { - if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) && - have_ipv4) { - isc_sockaddr_any(&localaddr); - } else { - isc_sockaddr_any6(&localaddr); - } - } + REQUIRE(query != NULL); - REQUIRE(query != NULL); + query_attach(query, &connectquery); - if (query->lookup->tls_mode) { - result = isc_tlsctx_createclient(&query->tlsctx); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_nm_tlsdnsconnect(netmgr, &localaddr, - &query->sockaddr, tcp_connected, - query, local_timeout, 0, - query->tlsctx); - } else if (query->lookup->https_mode) { - // OQS updated from 4096 to 8192 - char uri[8192] = { 0 }; - snprintf(uri, sizeof(uri), "https://%s:%u%s", - query->userarg, (uint16_t)port, - query->lookup->https_path); - - if (!query->lookup->http_plain) { - result = - isc_tlsctx_createclient(&query->tlsctx); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_tlsctx_enable_http2client_alpn( - query->tlsctx); + if (tls_mode) { + tlsctx = get_create_tls_context(connectquery, false, + &sess_cache); + if (tlsctx == NULL) { + goto failure_tls; + } + isc_nm_streamdnsconnect(netmgr, &localaddr, &query->sockaddr, + tcp_connected, connectquery, + local_timeout, tlsctx, sess_cache); +#if HAVE_LIBNGHTTP2 + } else if (query->lookup->https_mode) { + char uri[4096] = { 0 }; + isc_nm_http_makeuri(!query->lookup->http_plain, + &query->sockaddr, query->userarg, 
port, + query->lookup->https_path, uri, + sizeof(uri)); + + if (!query->lookup->http_plain) { + tlsctx = get_create_tls_context(connectquery, true, + &sess_cache); + if (tlsctx == NULL) { + goto failure_tls; } - - isc_nm_httpconnect(netmgr, &localaddr, &query->sockaddr, - uri, !query->lookup->https_get, - tcp_connected, query, query->tlsctx, - local_timeout, 0); - } else { - isc_nm_tcpdnsconnect(netmgr, &localaddr, - &query->sockaddr, tcp_connected, - query, local_timeout, 0); } - /* XXX: set DSCP */ + isc_nm_httpconnect(netmgr, &localaddr, &query->sockaddr, uri, + !query->lookup->https_get, tcp_connected, + connectquery, tlsctx, sess_cache, + local_timeout); +#endif + } else { + isc_nm_streamdnsconnect(netmgr, &localaddr, &query->sockaddr, + tcp_connected, connectquery, + local_timeout, NULL, NULL); } - /* - * If we're at the endgame of a nameserver search, we need to - * immediately bring up all the queries. Do it here. - */ - if (query->lookup->ns_search_only && !query->lookup->trace_root) { - debug("sending next, since searching"); - if (ISC_LINK_LINKED(query, link)) { - next = ISC_LIST_NEXT(query, link); - ISC_LIST_DEQUEUE(query->lookup->q, query, link); - } else { - next = NULL; - } - if (next != NULL) { - start_tcp(next); - } + return; + +failure_tls: + if (query->lookup->tls_key_file_set != query->lookup->tls_cert_file_set) + { + dighost_warning( + "both TLS client certificate and key file must be " + "specified a the same time"); + } else { + dighost_warning("TLS context cannot be created"); + } + + if (ISC_LINK_LINKED(query, link)) { + next = ISC_LIST_NEXT(query, link); + } else { + next = NULL; + } + query_detach(&connectquery); + query_detach(&query); + if (next == NULL) { + clear_current_lookup(); + } else { + start_tcp(next); } } 
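Review bot: The new user-facing warning in start_tcp()'s failure_tls path has a typo: `"specified a the same time"` should read `"specified at the same time"`. Separately, the HTTPS branch declares `char uri[4096] = { 0 };` while the removed line carried a local `// OQS updated from 4096 to 8192` note, so a deliberate enlargement in this tree is silently reverted; isc_nm_http_makeuri() does receive `sizeof(uri)`, so the likely outcome for a long path is presumably truncation rather than overflow, but that should be confirmed. Either keep 8192 with its comment or state why 4096 is sufficient. start_tcp() begins in an earlier hunk.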
@@ -2865,9 +3095,9 @@ send_udp(dig_query_t *query) { isc_buffer_usedregion(&query->sendbuf, &r); debug("sending a request"); if (query->lookup->use_usec) { - TIME_NOW_HIRES(&query->time_sent); + query->time_sent = isc_time_now_hires(); } else { - TIME_NOW(&query->time_sent); + query->time_sent = isc_time_now(); } isc_nmhandle_attach(query->handle, &query->sendhandle); @@ -2877,10 +3107,9 @@ send_udp(dig_query_t *query) { debug("sendcount=%" PRIuFAST32, isc_refcount_current(&sendcount)); /* XXX qrflag, print_query, etc... */ - if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) { + if (query->lookup->qr) { extrabytes = 0; - dighost_printmessage(ISC_LIST_HEAD(query->lookup->q), - &query->lookup->renderbuf, + dighost_printmessage(query, &query->lookup->renderbuf, query->lookup->sendmsg, true); if (query->lookup->stats) { print_query_size(query); 
@@ -2891,30 +3120,102 @@ send_udp(dig_query_t *query) { static void udp_ready(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { dig_query_t *query = (dig_query_t *)arg; + dig_query_t *next = NULL; + char sockstr[ISC_SOCKADDR_FORMATSIZE]; + dig_lookup_t *l = NULL; dig_query_t *readquery = NULL; int local_timeout = timeout * 1000; - if (eresult == ISC_R_CANCELED) { - query_detach(&query); + REQUIRE(DIG_VALID_QUERY(query)); + REQUIRE(query->handle == NULL); + + debug("udp_ready()"); + + query->started = true; + + if (cancel_now) { + query_detach(&query); return; - } else if (eresult != ISC_R_SUCCESS) { - dig_lookup_t *l = query->lookup; + } - if (eresult != ISC_R_CANCELED) { - debug("udp setup failed: %s", - isc_result_totext(eresult)); - } + INSIST(!free_now); - cancel_lookup(l); + debug("udp_ready(%p, %s, %p)", handle, isc_result_totext(eresult), + query); + + lookup_attach(query->lookup, &l); + + if (eresult == ISC_R_CANCELED || query->canceled) { + debug("in cancel handler"); + if (!query->canceled) { + cancel_lookup(l); + } + query_detach(&query); lookup_detach(&l); + clear_current_lookup(); + return; + } + + if (eresult != ISC_R_SUCCESS) { + debug("udp setup failed: %s", isc_result_totext(eresult)); + isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); + dighost_warning("UDP setup with %s(%s) for %s failed: %s.", + sockstr, query->servname, l->textname, + isc_result_totext(eresult)); + + /* + * NSSEARCH mode: if the current query failed to start properly, + * then send_done() will not be called, and we want to make sure + * that the next query gets a chance to start in order to not + * break the chain. 
+ */ + if (l->ns_search_only && !l->trace_root) { + nssearch_next(l, query); + + check_if_done(); + return; + } + + if (exitcode < 9) { + exitcode = 9; + } + + if (l->retries > 1) { + l->retries--; + debug("making new UDP request, %d tries left", + l->retries); + requeue_lookup(l, true); + next = NULL; + } else if ((l->current_query != NULL) && + (ISC_LINK_LINKED(l->current_query, link))) + { + next = ISC_LIST_NEXT(l->current_query, link); + } else { + next = NULL; + } + query_detach(&query); + if (next == NULL) { + cancel_lookup(l); + } + lookup_detach(&l); + + if (next != NULL) { + start_udp(next); + check_if_done(); + } else { + clear_current_lookup(); + } + return; } + exitcode = 0; + query_attach(query, &readquery); debug("recving with lookup=%p, query=%p, handle=%p", query->lookup, - query, query->handle); + query, handle); query->handle = handle; isc_nmhandle_attach(handle, &query->readhandle); @@ -2932,6 +3233,7 @@ udp_ready(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { send_udp(readquery); query_detach(&query); + lookup_detach(&l); } /*% @@ -2965,8 +3267,7 @@ start_udp(dig_query_t *query) { return; } - if (!query->lookup->mapped && - isc_sockaddr_pf(&query->sockaddr) == AF_INET6 && + if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&query->sockaddr.type.sin6.sin6_addr)) { isc_netaddr_t netaddr; @@ -2998,7 +3299,7 @@ start_udp(dig_query_t *query) { query_attach(query, &connectquery); isc_nm_udpconnect(netmgr, &localaddr, &query->sockaddr, udp_ready, connectquery, - (timeout ? timeout : UDP_TIMEOUT) * 1000, 0); + (timeout ? timeout : UDP_TIMEOUT) * 1000); } /*% @@ -3039,11 +3340,9 @@ force_next(dig_query_t *query) { debug("force_next()"); - LOCK_LOOKUP; INSIST(!free_now); - if (atomic_load(&cancel_now)) { - UNLOCK_LOOKUP; + if (cancel_now) { return; } 
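Review bot: `exitcode = 0;` after a successful UDP setup in udp_ready() unconditionally resets the process exit status, whereas every failure path in this commit only raises it via `if (exitcode < 9) { exitcode = 9; }`, which reads as a max-so-far contract; with several lookups in one run, a later successful connect would erase a failure already recorded. If the reset is intentional, add a comment saying which earlier failure it is meant to clear; otherwise drop the line. In the setup-failure branch the retry path calls requeue_lookup() and then cancels the current lookup through `if (next == NULL) { cancel_lookup(l); }`; a one-line comment that the requeued copy, not `l`, carries on would help, since the same idiom appears in tcp_connected(). udp_ready() ends in the following hunk.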
@@ -3051,13 +3350,13 @@ force_next(dig_query_t *query) { if (try_next_server(l)) { lookup_detach(&l); - UNLOCK_LOOKUP; return; } if (l->retries > 1) { l->retries--; - debug("making new TCP request, %d tries left", l->retries); + debug("making new %s request, %d tries left", + l->tcp_mode ? "TCP" : "UDP", l->retries); requeue_lookup(l, true); lookup_detach(&l); isc_refcount_decrement0(&recvcount); @@ -3065,7 +3364,6 @@ force_next(dig_query_t *query) { isc_refcount_current(&recvcount)); query_detach(&query); clear_current_lookup(); - UNLOCK_LOOKUP; return; } @@ -3085,8 +3383,7 @@ force_next(dig_query_t *query) { dighost_error("no response from %s\n", buf); } else { printf("%s", l->cmdline); - dighost_error("connection timed out; " - "no servers could be reached\n"); + dighost_error("no servers could be reached\n"); } if (exitcode < 9) { @@ -3097,29 +3394,6 @@ force_next(dig_query_t *query) { cancel_lookup(l); lookup_detach(&l); clear_current_lookup(); - UNLOCK_LOOKUP; -} - -/*% - * Called when a peer closes a TCP socket prematurely. - */ -static void -requeue_or_update_exitcode(dig_lookup_t *lookup) { - if (lookup->eoferr == 0U && lookup->retries > 1) { - --lookup->retries; - /* - * Peer closed the connection prematurely for the first time - * for this lookup. Try again, keeping track of this failure. - */ - dig_lookup_t *requeued_lookup = requeue_lookup(lookup, true); - requeued_lookup->eoferr++; - } else { - /* - * Peer closed the connection prematurely and it happened - * previously for this lookup. Indicate an error. - */ - exitcode = 9; - } } /*% @@ -3132,6 +3406,7 @@ launch_next_query(dig_query_t *query) { int local_timeout = timeout * 1000; dig_lookup_t *l = NULL; isc_region_t r; + bool xfr; REQUIRE(DIG_VALID_QUERY(query)); INSIST(!free_now); 
@@ -3159,16 +3434,37 @@ launch_next_query(dig_query_t *query) { debug("have local timeout of %d", local_timeout); isc_nmhandle_settimeout(query->handle, local_timeout); + xfr = query->lookup->rdtype == dns_rdatatype_ixfr || + query->lookup->rdtype == dns_rdatatype_axfr; + if (xfr && + isc_nm_socket_type(query->handle) == isc_nm_streamdnssocket && + query->lookup->tls_mode) + { + isc_result_t result = isc_nm_xfr_checkperm(query->handle); + if (result != ISC_R_SUCCESS) { + dighost_error("zone transfers over the established TLS " + "connection are not allowed: %s", + isc_result_totext(result)); + isc_refcount_decrement0(&recvcount); + isc_nmhandle_detach(&query->readhandle); + cancel_lookup(l); + lookup_detach(&l); + clear_current_lookup(); + return; + } + } + query_attach(query, &readquery); + isc_nm_read(query->handle, recv_done, readquery); if (!query->first_soa_rcvd) { dig_query_t *sendquery = NULL; debug("sending a request in launch_next_query"); if (query->lookup->use_usec) { - TIME_NOW_HIRES(&query->time_sent); + query->time_sent = isc_time_now_hires(); } else { - TIME_NOW(&query->time_sent); + query->time_sent = isc_time_now(); } query_attach(query, &sendquery); @@ -3184,10 +3480,10 @@ launch_next_query(dig_query_t *query) { isc_refcount_current(&sendcount)); /* XXX qrflag, print_query, etc... */ - if (!ISC_LIST_EMPTY(l->q) && l->qr) { + if (l->qr) { extrabytes = 0; - dighost_printmessage(ISC_LIST_HEAD(l->q), &l->renderbuf, - l->sendmsg, true); + dighost_printmessage(query, &l->renderbuf, l->sendmsg, + true); if (l->stats) { print_query_size(query); } 
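Review bot: The new zone-transfer permission check in launch_next_query() is gated on `query->lookup->tls_mode`, while start_tcp() in this same commit decides TLS via `dig_lookup_is_tls(query->lookup)`; if that helper covers more than the tls_mode flag, an XFR over such a connection would bypass isc_nm_xfr_checkperm(). Use the same predicate in both places, or comment why the bare flag is the right condition here. The block also wants a why-comment above the `if (xfr && ...)`, e.g. `/* Zone transfers over TLS are refused unless the netmgr confirms the established connection may carry them. */`, and the error path's `isc_refcount_decrement0(&recvcount)` and `isc_nmhandle_detach(&query->readhandle)` undo state established outside this hunk, which is worth saying there. launch_next_query() starts and ends outside this hunk.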
@@ -3210,43 +3506,70 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { char sockstr[ISC_SOCKADDR_FORMATSIZE]; dig_lookup_t *l = NULL; + REQUIRE(DIG_VALID_QUERY(query)); + REQUIRE(query->handle == NULL); + debug("tcp_connected()"); - if (atomic_load(&cancel_now)) { + query->started = true; + + if (cancel_now) { + query_detach(&query); return; } - REQUIRE(DIG_VALID_QUERY(query)); - REQUIRE(query->handle == NULL); INSIST(!free_now); debug("tcp_connected(%p, %s, %p)", handle, isc_result_totext(eresult), query); - LOCK_LOOKUP; lookup_attach(query->lookup, &l); - if (query->tlsctx != NULL) { - isc_tlsctx_free(&query->tlsctx); - } - - if (eresult == ISC_R_CANCELED) { + if (eresult == ISC_R_CANCELED || eresult == ISC_R_TLSBADPEERCERT || + query->canceled) + { debug("in cancel handler"); isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); + if (eresult == ISC_R_TLSBADPEERCERT) { + dighost_warning( + "TLS peer certificate verification for " + "%s failed: %s", + sockstr, + isc_nm_verify_tls_peer_result_string(handle)); + } else if (query->lookup->rdtype == dns_rdatatype_ixfr || + query->lookup->rdtype == dns_rdatatype_axfr) + { + puts("; Transfer failed."); + } + + if (!query->canceled) { + cancel_lookup(l); + } + query_detach(&query); lookup_detach(&l); clear_current_lookup(); - UNLOCK_LOOKUP; return; - } else if (eresult != ISC_R_SUCCESS) { + } + + if (eresult != ISC_R_SUCCESS) { debug("unsuccessful connection: %s", isc_result_totext(eresult)); isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); - if (eresult != ISC_R_CANCELED) { - dighost_warning("Connection to %s(%s) for %s failed: " - "%s.", - sockstr, query->servname, l->textname, - isc_result_totext(eresult)); + dighost_warning("Connection to %s(%s) for %s failed: %s.", + sockstr, query->servname, l->textname, + isc_result_totext(eresult)); + + /* + * NSSEARCH mode: if the current query failed to start properly, + * then send_done() will not be called, and we want to 
make sure + * that the next query gets a chance to start in order to not + * break the chain. + */ + if (l->ns_search_only && !l->trace_root) { + nssearch_next(l, query); + check_if_done(); + return; } /* XXX Clean up exitcodes */ @@ -3255,9 +3578,9 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { } if (l->retries > 1) { + l->retries--; debug("making new TCP request, %d tries left", l->retries); - l->retries--; requeue_lookup(l, true); next = NULL; } else if ((l->current_query != NULL) && @@ -3269,16 +3592,18 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { } query_detach(&query); + if (next == NULL) { + cancel_lookup(l); + } lookup_detach(&l); if (next != NULL) { start_tcp(next); + check_if_done(); } else { clear_current_lookup(); } - check_if_done(); - UNLOCK_LOOKUP; return; } @@ -3297,7 +3622,6 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { launch_next_query(query); query_detach(&query); lookup_detach(&l); - UNLOCK_LOOKUP; } /*% @@ -3359,13 +3683,15 @@ check_for_more_data(dig_lookup_t *lookup, dig_query_t *query, * it's an SOA */ if ((!query->first_soa_rcvd) && - (rdata.type != dns_rdatatype_soa)) { + (rdata.type != dns_rdatatype_soa)) + { puts("; Transfer failed. " "Didn't start with SOA answer."); return (true); } if ((!query->second_rr_rcvd) && - (rdata.type != dns_rdatatype_soa)) { + (rdata.type != dns_rdatatype_soa)) + { query->second_rr_rcvd = true; query->second_rr_serial = 0; debug("got the second rr as nonsoa"); 
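Review bot: In tcp_connected() an `ISC_R_TLSBADPEERCERT` result is folded into the cancel branch, which warns, cancels the lookup and returns before the `if (exitcode < 9)` update that the ordinary connection-failure path reaches; as far as this hunk shows, a failed peer-certificate verification therefore leaves exitcode unchanged, so a script checking dig's exit status would not notice that +tls-ca verification failed. Unless exitcode is raised elsewhere for this case, add `if (exitcode < 9) { exitcode = 9; }` inside the `if (eresult == ISC_R_TLSBADPEERCERT)` block. Logging a verification failure under `debug("in cancel handler")` is also misleading when reading traces; a dedicated branch would be clearer. tcp_connected() ends in a later hunk.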
@@ -3571,78 +3897,172 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, debug("recv_done(%p, %s, %p, %p)", handle, isc_result_totext(eresult), region, arg); - LOCK_LOOKUP; - isc_refcount_decrement0(&recvcount); debug("recvcount=%" PRIuFAST32, isc_refcount_current(&recvcount)); - if (eresult == ISC_R_CANCELED) { + lookup_attach(query->lookup, &l); + + if (eresult == ISC_R_CANCELED || eresult == ISC_R_SHUTTINGDOWN || + query->canceled) + { debug("recv_done: cancel"); isc_nmhandle_detach(&query->readhandle); + if (!query->canceled) { + cancel_lookup(l); + } query_detach(&query); + lookup_detach(&l); + clear_current_lookup(); return; } - lookup_attach(query->lookup, &l); - if (query->lookup->use_usec) { - TIME_NOW_HIRES(&query->time_recv); + query->time_recv = isc_time_now_hires(); } else { - TIME_NOW(&query->time_recv); + query->time_recv = isc_time_now(); } - if (eresult == ISC_R_TIMEDOUT && !l->tcp_mode && l->retries > 1) { - dig_query_t *newq = NULL; + if ((!l->pending && !l->ns_search_only) || cancel_now) { + debug("no longer pending. Got %s", isc_result_totext(eresult)); - l->retries--; - debug("resending UDP request to first server, %d tries left", - l->retries); - newq = new_query(l, query->servname, query->userarg); + goto next_lookup; + } - ISC_LIST_PREPEND(l->q, newq, link); + /* + * NSSEARCH mode is special, because the queries in the followup lookup + * are independent and they are being started in parallel, so if one of + * them fails there is no need to start the next query in the lookup, + * and this failure can be treated as a soft error (with a warning + * message), because there are usually more than one NS servers in the + * lookup's queries list. However, if there was not a single successful + * query in the followup lookup, then print an error message and exit + * with a non-zero exit code. 
+ */ + if (l->ns_search_only && !l->trace_root) { + if (eresult == ISC_R_SUCCESS) { + l->ns_search_success = true; + } else { + char sockstr[ISC_SOCKADDR_FORMATSIZE]; + isc_sockaddr_format(&query->sockaddr, sockstr, + sizeof(sockstr)); - start_udp(ISC_LIST_HEAD(l->q)); - goto detach_query; - } + dighost_warning("communications error to %s: %s", + sockstr, isc_result_totext(eresult)); - if ((!l->pending && !l->ns_search_only) || atomic_load(&cancel_now)) { - debug("no longer pending. Got %s", isc_result_totext(eresult)); + /* + * If this is not the last query, then we detach the + * query, but keep the lookup running. + */ + if (!check_if_queries_done(l, query)) { + goto detach_query; + } - goto next_lookup; + /* + * This is the last query, and if there was not a + * single successful query in the whole lookup, then + * treat the situation as an error. + */ + if (!l->ns_search_success) { + dighost_error( + "NS servers could not be reached"); + if (exitcode < 9) { + exitcode = 9; + } + } + + goto cancel_lookup; + } } if (eresult != ISC_R_SUCCESS) { char sockstr[ISC_SOCKADDR_FORMATSIZE]; + isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); + dighost_warning("communications error to %s: %s", sockstr, + isc_result_totext(eresult)); - if (eresult == ISC_R_TIMEDOUT) { - if (l->retries > 1) { - debug("making new TCP request, %d tries left", - l->retries); + if (l->retries > 1 && !l->tcp_mode) { + dig_query_t *newq = NULL; + + /* + * For UDP, insert a copy of the current query just + * after itself in the list, and start it to retry the + * request. 
+ */ + newq = new_query(l, query->servname, query->userarg); + ISC_LIST_INSERTAFTER(l->q, query, newq, link); + if (l->current_query == query) { + query_detach(&l->current_query); + } + if (l->current_query == NULL) { l->retries--; - requeue_lookup(l, true); - } else { - printf("%s", l->cmdline); - dighost_error("connection timed out; " - "no servers could be reached\n"); - if (exitcode < 9) { - exitcode = 9; - } + debug("making new UDP request, %d tries left", + l->retries); + start_udp(newq); + } + if (check_if_queries_done(l, query)) { + goto cancel_lookup; + } + + goto detach_query; + } else if (l->retries > 1 && l->tcp_mode) { + /* + * For TCP, we have to requeue the whole lookup, see + * the comments above the start_tcp() function. + */ + l->retries--; + debug("making new TCP request, %d tries left", + l->retries); + requeue_lookup(l, true); + + if (keep != NULL) { + isc_nmhandle_detach(&keep); } + + goto cancel_lookup; } else { - dighost_error("communications error to %s: %s\n", - sockstr, isc_result_totext(eresult)); - } + dig_query_t *next = ISC_LIST_NEXT(query, link); - if (keep != NULL) { - isc_nmhandle_detach(&keep); - } + /* + * No retries left, go to the next query, if there is + * one. + */ + if (next != NULL) { + if (l->current_query == query) { + query_detach(&l->current_query); + } + if (l->current_query == NULL) { + debug("starting next query %p", next); + if (l->tcp_mode) { + start_tcp(next); + } else { + start_udp(next); + } + } + if (check_if_queries_done(l, query)) { + goto cancel_lookup; + } - if (eresult == ISC_R_EOF) { - requeue_or_update_exitcode(l); - } + goto detach_query; + } - goto cancel_lookup; + /* + * Otherwise, print the cmdline and an error message, + * and cancel the lookup. 
+ */ + printf("%s", l->cmdline); + dighost_error("no servers could be reached\n"); + + if (exitcode < 9) { + exitcode = 9; + } + + if (keep != NULL) { + isc_nmhandle_detach(&keep); + } + + goto cancel_lookup; + } } isc_buffer_init(&b, region->base, region->length); @@ -3713,8 +4133,7 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, &l->querysig); check_result(result, "dns_message_getquerytsig"); } - result = dns_message_setquerytsig(msg, l->querysig); - check_result(result, "dns_message_setquerytsig"); + dns_message_setquerytsig(msg, l->querysig); result = dns_message_settsigkey(msg, tsigkey); check_result(result, "dns_message_settsigkey"); msg->tsigctx = l->tsigctx; @@ -3840,7 +4259,8 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, } if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 && !l->ignore && - !l->tcp_mode) { + !l->tcp_mode) + { if (l->cookie == NULL && l->sendcookie && msg->opt != NULL) { process_opt(l, msg); } @@ -3858,6 +4278,11 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, { process_opt(l, msg); if (msg->cc_ok) { + if (l->showbadcookie) { + dighost_printmessage(query, &b, msg, true); + dighost_received(isc_buffer_usedlength(&b), + &peer, query); + } dighost_comments(l, "BADCOOKIE, retrying%s.", l->seenbadcookie ? " in TCP mode" : ""); @@ -3888,15 +4313,6 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, } else { start_udp(next); } - } - - /* - * If our query is at the head of the list and there - * is no next, we're the only one left, so fall - * through to print the message. - */ - if ((ISC_LIST_HEAD(l->q) != query) || - (ISC_LIST_NEXT(query, link) != NULL)) { dighost_comments(l, "Got %s from %s, trying next " "server", 
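Review bot: The UDP retry block in recv_done() (`ISC_LIST_INSERTAFTER(l->q, query, newq, link);` onwards) queues `newq` whether or not it starts it: when `l->current_query` is some other query, the copy is inserted but `l->retries` is not decremented and nothing starts it, so it is not clear from the hunk who will run it or whether a retry was consumed. Add a comment stating that contract, or only insert `newq` when it is actually started. The `dighost_error("NS servers could not be reached")` / exitcode block duplicates nssearch_next() from the earlier hunk, and `if (keep != NULL) { isc_nmhandle_detach(&keep); }` is done on the TCP-retry and no-servers paths but not on the next-server path — if `keep` belongs to the connection that just failed, that asymmetry deserves a comment. recv_done() starts and ends outside this hunk.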
@@ -3904,7 +4320,11 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, ? "SERVFAIL reply" : "recursion not available", query->servname); - goto next_lookup; + if (check_if_queries_done(l, query)) { + goto cancel_lookup; + } + + goto detach_query; } } @@ -3972,7 +4392,8 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, if (!l->doing_xfr || l->xfr_q == query) { if (msg->rcode == dns_rcode_nxdomain && - (l->origin != NULL || l->need_search)) { + (l->origin != NULL || l->need_search)) + { if (!next_origin(l) || showsearch) { dighost_printmessage(query, &b, msg, true); dighost_received(isc_buffer_usedlength(&b), @@ -4022,7 +4443,12 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, l->trace_root = false; usesearch = false; } else { + /* + * This is a query in the followup lookup + */ dighost_printmessage(query, &b, msg, true); + + docancel = check_if_queries_done(l, query); } } } @@ -4080,7 +4506,6 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, if (donext) { clear_current_lookup(); } - UNLOCK_LOOKUP; } /*% @@ -4092,16 +4517,10 @@ isc_result_t get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) { int count; isc_result_t result; - bool is_running; - is_running = isc_app_isrunning(); - if (is_running) { - isc_app_block(); - } - result = bind9_getaddresses(host, myport, sockaddr, 1, &count); - if (is_running) { - isc_app_unblock(); - } + isc_loopmgr_blocking(loopmgr); + result = isc_getaddresses(host, myport, sockaddr, 1, &count); + isc_loopmgr_nonblocking(loopmgr); if (result != ISC_R_SUCCESS) { return (result); } 
@@ -4120,11 +4539,11 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) { dig_server_t *srv; char tmp[ISC_NETADDR_FORMATSIZE]; - result = bind9_getaddresses(host, 0, sockaddrs, DIG_MAX_ADDRESSES, - &count); - if (resultp != NULL) { - *resultp = result; - } + isc_loopmgr_blocking(loopmgr); + result = isc_getaddresses(host, 0, sockaddrs, DIG_MAX_ADDRESSES, + &count); + isc_loopmgr_nonblocking(loopmgr); + SET_IF_NOT_NULL(resultp, result); if (result != ISC_R_SUCCESS) { if (resultp == NULL) { fatal("couldn't get address for '%s': %s", host, @@ -4169,13 +4588,17 @@ do_lookup(dig_lookup_t *lookup) { * Start everything in action upon task startup. */ void -onrun_callback(isc_task_t *task, isc_event_t *event) { - UNUSED(task); +onrun_callback(void *arg) { + UNUSED(arg); + + start_lookup(); +} + +void +run_loop(void *arg) { + UNUSED(arg); - isc_event_free(&event); - LOCK_LOOKUP; start_lookup(); - UNLOCK_LOOKUP; } /*% @@ -4189,18 +4612,21 @@ cancel_all(void) { debug("cancel_all()"); - LOCK_LOOKUP; if (free_now) { - UNLOCK_LOOKUP; return; } - atomic_store(&cancel_now, true); + + cancel_now = true; + while (current_lookup != NULL) { for (q = ISC_LIST_HEAD(current_lookup->q); q != NULL; q = nq) { nq = ISC_LIST_NEXT(q, link); debug("canceling pending query %p, belonging to %p", q, current_lookup); - if (q->readhandle != NULL) { + q->canceled = true; + if (q->readhandle != NULL && + !isc_nm_is_http_handle(q->readhandle)) + { isc_nm_cancelread(q->readhandle); } query_detach(&q); @@ -4220,7 +4646,25 @@ cancel_all(void) { lookup_detach(&l); l = n; } - UNLOCK_LOOKUP; +} + +void +cleanup_openssl_refs(void) { + if (tsigkey != NULL) { + debug("freeing TSIG key %p", tsigkey); + dns_tsigkey_detach(&tsigkey); + } + + if (sig0key != NULL) { + debug("freeing SIG(0) key %p", sig0key); + dst_key_free(&sig0key); + } + + if (is_dst_up) { + debug("destroy DST lib"); + dst_lib_destroy(); + is_dst_up = false; + } } /*% 
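Review bot: onrun_callback() and the new run_loop() are two exported functions with identical bodies (`UNUSED(arg);` then `start_lookup();`), and the comment above them still reads "Start everything in action upon task startup" although this commit replaces tasks with the loop manager. Either have one call the other, or remove the redundant one once its callers are moved, and reword the comment to name the loop-manager callback each is registered with (the registration is outside this hunk). The inner cancellation loop in cancel_all() below repeats the `q->canceled = true;` / isc_nm_cancelread() lines added to _cancel_lookup(); see the note on that hunk.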
@@ -4229,18 +4673,8 @@ cancel_all(void) { */ void destroy_libs(void) { - if (keep != NULL) { - isc_nmhandle_detach(&keep); - } debug("destroy_libs()"); - if (global_task != NULL) { - debug("freeing task"); - isc_task_detach(&global_task); - } - - isc_managers_destroy(&netmgr, &taskmgr, NULL, NULL); - LOCK_LOOKUP; isc_refcount_destroy(&recvcount); isc_refcount_destroy(&sendcount); @@ -4254,26 +4688,13 @@ destroy_libs(void) { clear_searchlist(); - if (commctx != NULL) { - debug("freeing commctx"); - isc_mempool_destroy(&commctx); - } - if (tsigkey != NULL) { - debug("freeing key %p", tsigkey); - dns_tsigkey_detach(&tsigkey); - } + cleanup_openssl_refs(); + if (namebuf != NULL) { + debug("freeing key %p", tsigkey); isc_buffer_free(&namebuf); } - if (is_dst_up) { - debug("destroy DST lib"); - dst_lib_destroy(); - is_dst_up = false; - } - - UNLOCK_LOOKUP; - isc_mutex_destroy(&lookup_lock); debug("Removing log context"); isc_log_destroy(&lctx); 
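Review bot: The new debug line placed before `isc_buffer_free(&namebuf);` reads `debug("freeing key %p", tsigkey);` — it names the wrong object, and by this point cleanup_openssl_refs() has already detached tsigkey, so the message logs a presumably NULL pointer while namebuf is what is freed. Change it to `debug("freeing namebuf %p", namebuf);`. The hunk also drops `isc_mutex_destroy(&lookup_lock);`; that is fine only if the mutex's declaration and initialisation are removed elsewhere in the commit, otherwise it is now never destroyed. destroy_libs() continues in the next hunk.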
@@ -4281,54 +4702,60 @@ destroy_libs(void) { if (memdebugging != 0) { isc_mem_stats(mctx, stderr); } - if (mctx != NULL) { - isc_mem_destroy(&mctx); - } + + isc_managers_destroy(&mctx, &loopmgr, &netmgr); + +#if ENABLE_LEAK_DETECTION + isc__tls_setdestroycheck(true); + isc__uv_setdestroycheck(true); + isc__xml_setdestroycheck(true); +#endif + + isc_mem_checkdestroyed(stderr); } #ifdef HAVE_LIBIDN2 + static isc_result_t -idn_output_filter(isc_buffer_t *buffer, unsigned int used_org) { - char src[MXNAME], *dst; +idn_filter(isc_buffer_t *buffer, unsigned int start) { + char src[MXNAME]; + char *dst = NULL; size_t srclen, dstlen; + int res; /* * Copy name from 'buffer' to 'src' and terminate it with NULL. */ - srclen = isc_buffer_usedlength(buffer) - used_org; - if (srclen >= sizeof(src)) { - warn("Input name too long to perform IDN conversion"); - return (ISC_R_SUCCESS); - } - memmove(src, (char *)isc_buffer_base(buffer) + used_org, srclen); + srclen = isc_buffer_usedlength(buffer) - start; + INSIST(srclen < sizeof(src)); + memmove(src, (char *)isc_buffer_base(buffer) + start, srclen); src[srclen] = '\0'; /* - * Convert 'src' to the current locale's character encoding. + * Try to convert the name; leave it unchanged if conversion fails. */ - idn_ace_to_locale(src, &dst); + systemlocale(LC_ALL); + res = idn2_to_unicode_8zlz(src, &dst, IDN2_NONTRANSITIONAL); + if (res == IDN2_DISALLOWED) { + res = idn2_to_unicode_8zlz(src, &dst, IDN2_TRANSITIONAL); + } + resetlocale(LC_ALL); + if (res != IDN2_OK) { + return (ISC_R_SUCCESS); + } /* - * Check whether the converted name will fit back into 'buffer'. + * Copy the converted back into 'buffer' if it fits. */ dstlen = strlen(dst); - if (isc_buffer_length(buffer) < used_org + dstlen) { - idn2_free(dst); + if (isc_buffer_length(buffer) < start + dstlen) { return (ISC_R_NOSPACE); } - - /* - * Put the converted name back into 'buffer'. 
- */ isc_buffer_subtract(buffer, srclen); memmove(isc_buffer_used(buffer), dst, dstlen); isc_buffer_add(buffer, dstlen); - /* - * Clean up. - */ idn2_free(dst); - return (ISC_R_SUCCESS); } 
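Review bot: `dst` is leaked on the ISC_R_NOSPACE path in idn_filter(): the removed code called `idn2_free(dst)` before `return (ISC_R_NOSPACE);`, the new `if (isc_buffer_length(buffer) < start + dstlen)` branch drops that call, and the only remaining `idn2_free(dst)` sits after the copy. Reinstate `idn2_free(dst);` directly before that return. Separately, `INSIST(srclen < sizeof(src))` turns what was a recoverable `warn()` into an assertion abort; that is only acceptable if every name reaching the filter is guaranteed to fit in MXNAME (plausible since it runs on dns_name_totext() output, but worth stating in a comment).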
@@ -4340,111 +4767,42 @@ idn_output_filter(isc_buffer_t *buffer, unsigned int used_org) { * 'dst' MUST be large enough to hold any valid domain name. */ static void -idn_locale_to_ace(const char *src, char *dst, size_t dstlen) { - const char *final_src; - char *ascii_src; +idn_input(const char *src, char *dst, size_t dstlen) { + char *ascii = NULL; + size_t len; int res; /* * We trust libidn2 to return an error if 'src' is too large to be a * valid domain name. - */ - res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL); - if (res != IDN2_OK) { - fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin", - src, idn2_strerror(res)); - } - - /* - * idn2_to_ascii_lz() normalizes all strings to lower case, but we - * generally don't want to lowercase all input strings; make sure to - * return the original case if the two strings differ only in case. - */ - final_src = (strcasecmp(src, ascii_src) == 0 ? src : ascii_src); - - (void)strlcpy(dst, final_src, dstlen); - - idn2_free(ascii_src); -} - -/*% - * Convert 'src', which is an ACE string suitable for use in the DNS, into a - * string using the current locale's character encoding, storing the conversion - * result in 'dst'. - * - * The caller MUST subsequently release 'dst' using idn2_free(). - */ -static void -idn_ace_to_locale(const char *src, char **dst) { - char *local_src, *utf8_src; - int res; - - /* - * We need to: - * - * 1) check whether 'src' is a valid IDNA2008 name, - * 2) if it is, output it in the current locale's character encoding. - * - * Unlike idn2_to_ascii_*(), idn2_to_unicode_*() functions are unable - * to perform IDNA2008 validity checks. Thus, we need to decode any - * Punycode in 'src', check if the resulting name is a valid IDNA2008 - * name, and only once we ensure it is, output that name in the current - * locale's character encoding. 
* - * We could just use idn2_to_unicode_8zlz() + idn2_to_ascii_lz(), but - * then we would not be able to universally tell invalid names and - * character encoding errors apart (if the current locale uses ASCII - * for character encoding, the former function would fail even for a - * valid IDNA2008 name, as long as it contained any non-ASCII - * character). Thus, we need to take a longer route. - * - * First, convert 'src' to UTF-8, ignoring the current locale. - */ - res = idn2_to_unicode_8z8z(src, &utf8_src, 0); - if (res != IDN2_OK) { - fatal("Bad ACE string '%s' (%s), use +noidnout", src, - idn2_strerror(res)); - } - - /* - * Then, check whether decoded 'src' is a valid IDNA2008 name. + * If conversion fails under IDNA2008 rules, retry with transitional + * rules. The aim is that characters whose interpretation changed will + * be handled under the new rules, but we will accept characters (such + * as emoji) that were OK but are now forbidden. */ - res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL); - if (res != IDN2_OK) { - fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout", - src, idn2_strerror(res)); + systemlocale(LC_ALL); + res = idn2_to_ascii_lz(src, &ascii, IDN2_NONTRANSITIONAL); + if (res == IDN2_DISALLOWED) { + res = idn2_to_ascii_lz(src, &ascii, IDN2_TRANSITIONAL); } + resetlocale(LC_ALL); /* - * Finally, try converting the decoded 'src' into the current locale's - * character encoding. + * idn2_to_ascii_lz() normalizes all strings to lower case, but + * we generally don't want to lowercase all input strings; make + * sure to return the original case if the two strings differ + * only in case. 
*/ - res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0); - if (res != IDN2_OK) { - static bool warned = false; - - res = idn2_to_ascii_8z(utf8_src, &local_src, 0); - if (res != IDN2_OK) { - fatal("Cannot represent '%s' " - "in the current locale nor ascii (%s), " - "use +noidnout or a different locale", - src, idn2_strerror(res)); - } else if (!warned) { - fprintf(stderr, - ";; Warning: cannot represent '%s' " - "in the current locale", - local_src); - warned = true; - } + if (res == IDN2_OK && strcasecmp(src, ascii) != 0) { + len = strlcpy(dst, ascii, dstlen); + } else { + len = strlcpy(dst, src, dstlen); } - - /* - * Free the interim conversion result. - */ - idn2_free(utf8_src); - - *dst = local_src; + INSIST(len < dstlen); + idn2_free(ascii); } + #endif /* HAVE_LIBIDN2 */ void @@ -4452,7 +4810,7 @@ dig_idnsetup(dig_lookup_t *lookup, bool active) { #ifdef HAVE_LIBIDN2 isc_result_t result; result = dns_name_settotextfilter( - (active && lookup->idnout) ? idn_output_filter : NULL); + (active && lookup->idnout) ? idn_filter : NULL); check_result(result, "dns_name_settotextfilter"); #else UNUSED(lookup); @@ -4460,3 +4818,12 @@ dig_idnsetup(dig_lookup_t *lookup, bool active) { return; #endif /* HAVE_LIBIDN2 */ } + +bool +dig_lookup_is_tls(const dig_lookup_t *lookup) { + if (lookup->tls_mode || (lookup->tls_ca_set && !lookup->https_mode)) { + return (true); + } + + return (false); +} diff --git a/bin/dig/dighost.h b/bin/dig/dighost.h index 8da437625b..af4379ce4c 100644 --- a/bin/dig/dighost.h +++ b/bin/dig/dighost.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef DIG_H -#define DIG_H +#pragma once /*! \file */ 
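Review bot: When both `idn2_to_ascii_lz()` calls fail, idn_input() reports nothing — the `else` branch copies `src` verbatim into `dst` — whereas the removed code raised `fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin", ...)` with the idn2_strerror() reason. If silent pass-through is intended, the comment block above should say so, e.g. `/* If both conversions fail, send the name unchanged and let name parsing or the server reject it. */`; if not, the failure should at least be surfaced with `warn()`. The `idn2_free(ascii)` on that path runs with `ascii == NULL`, which should be harmless since idn2_free() wraps free(), but a reader may not know that without a comment.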
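Review bot: `dig_lookup_is_tls()` is exported without a comment, and why a CA setting alone (`lookup->tls_ca_set && !lookup->https_mode`) implies TLS is not obvious from the code. Suggest a header comment such as `/*% True when the lookup uses DNS-over-TLS: TLS mode was requested, or a CA was supplied for a non-HTTPS lookup. */`, and the if/return pair can be collapsed to `return (lookup->tls_mode || (lookup->tls_ca_set && !lookup->https_mode));`.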
@@ -22,13 +23,13 @@ #include #include #include +#include #include #include #include -#include #include #include -#include +#include #include @@ -76,7 +77,6 @@ #define DEFAULT_EDNS_VERSION 0 #define DEFAULT_EDNS_BUFSIZE 1232 -#define DEFAULT_HTTPS_PATH "/dns-query" #define DEFAULT_HTTPS_QUERY "?dns=" /*% 
@@ -105,24 +105,25 @@ typedef struct dig_searchlist dig_searchlist_t; struct dig_lookup { unsigned int magic; isc_refcount_t references; - bool aaonly, adflag, badcookie, besteffort, cdflag, comments, + bool aaonly, adflag, badcookie, besteffort, cdflag, cleared, comments, dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa, - expire, header_only, identify, /*%< Append an "on server " - message */ - identify_previous_line, /*% Prepend a "Nameserver :" - message, with newline and tab */ - idnin, idnout, ignore, mapped, multiline, need_search, - new_search, noclass, nocrypto, nottl, - ns_search_only, /*%< dig +nssearch, host -C */ - nsid, /*% Name Server ID (RFC 5001) */ - onesoa, pending, /*%< Pending a successful answer */ + expire, fuzzing, header_only, identify, /*%< Append an "on + server " message + */ + identify_previous_line, /*% Prepend a "Nameserver :" + message, with newline and tab */ + idnin, idnout, ignore, multiline, need_search, new_search, + noclass, nocrypto, nottl, ns_search_only, /*%< dig +nssearch, + host -C */ + ns_search_success, nsid, /*% Name Server ID (RFC 5001) */ + onesoa, pending, /*%< Pending a successful answer */ print_unknown_format, qr, raflag, recurse, section_additional, section_answer, section_authority, section_question, seenbadcookie, sendcookie, servfail_stops, setqid, /*% use a speciied query ID */ - stats, tcflag, tcp_keepalive, tcp_mode, tcp_mode_set, - tls_mode, /*% connect using TLS */ - trace, /*% dig +trace */ + showbadcookie, stats, tcflag, tcp_keepalive, tcp_mode, + tcp_mode_set, tls_mode, /*% connect using TLS */ + trace, /*% dig +trace */ trace_root, /*% initial query for either +trace or +nssearch */ ttlunits, use_usec, waiting_connect, zflag; char textname[MXNAME]; /*% Name we're going to be looking up */ 
@@ -165,11 +166,9 @@ struct dig_lookup { char *cookie; dns_ednsopt_t *ednsopts; unsigned int ednsoptscnt; - isc_dscp_t dscp; unsigned int ednsflags; dns_opcode_t opcode; int rrcomments; - unsigned int eoferr; uint16_t qid; struct { bool http_plain; @@ -177,17 +176,30 @@ struct dig_lookup { bool https_get; char *https_path; }; + struct { + bool tls_ca_set; + char *tls_ca_file; + bool tls_hostname_set; + char *tls_hostname; + bool tls_cert_file_set; + char *tls_cert_file; + bool tls_key_file_set; + char *tls_key_file; + isc_tlsctx_cache_t *tls_ctx_cache; + }; + isc_stdtime_t fuzztime; }; /*% The dig_query structure */ struct dig_query { unsigned int magic; dig_lookup_t *lookup; - bool first_pass; + bool started; bool first_soa_rcvd; bool second_rr_rcvd; bool first_repeat_rcvd; bool warn_id; + bool canceled; uint32_t first_rr_serial; uint32_t second_rr_serial; uint32_t msg_count; @@ -208,7 +220,6 @@ struct dig_query { isc_time_t time_recv; uint64_t byte_count; isc_timer_t *timer; - isc_tlsctx_t *tlsctx; }; struct dig_server { @@ -248,12 +259,12 @@ extern isc_sockaddr_t localaddr; extern char keynametext[MXNAME]; extern char keyfile[MXNAME]; extern char keysecret[MXNAME]; -extern const dns_name_t *hmacname; +extern dst_algorithm_t hmac; extern unsigned int digestbits; extern dns_tsigkey_t *tsigkey; extern bool validated; -extern isc_taskmgr_t *taskmgr; -extern isc_task_t *global_task; +extern isc_loopmgr_t *loopmgr; +extern isc_loop_t *mainloop; extern bool free_now; extern bool debugging, debugtiming, memdebugging; extern bool keep_open; 
@@ -275,15 +286,18 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp); isc_result_t get_reverse(char *reverse, size_t len, char *value, bool strict); -ISC_NORETURN void +noreturn void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); void warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); -ISC_NORETURN void +noreturn void digexit(void); +void +cleanup_openssl_refs(void); + void debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); @@ -303,7 +317,10 @@ void start_lookup(void); void -onrun_callback(isc_task_t *task, isc_event_t *event); +onrun_callback(void *arg); + +void +run_loop(void *arg); int dhmain(int argc, char **argv); @@ -324,7 +341,7 @@ isc_result_t parse_netprefix(isc_sockaddr_t **sap, const char *value); void -parse_hmac(const char *hmacstr); +parse_hmac(const char *algname); dig_lookup_t * requeue_lookup(dig_lookup_t *lookold, bool servers); @@ -428,12 +445,6 @@ dig_query_setup(bool, bool, int argc, char **argv); void dig_startup(void); -/*% - * Initiates the next lookup cycle - */ -void -dig_query_start(void); - /*% * Activate/deactivate IDN filtering of output. */ @@ -446,6 +457,7 @@ dig_idnsetup(dig_lookup_t *lookup, bool active); void dig_shutdown(void); -ISC_LANG_ENDDECLS +bool +dig_lookup_is_tls(const dig_lookup_t *lookup); -#endif /* ifndef DIG_H */ +ISC_LANG_ENDDECLS diff --git a/bin/dig/host.c b/bin/dig/host.c index a79c852e22..314f937b6e 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -13,20 +15,15 @@ #include #include +#include #include #include -#ifdef HAVE_LOCALE_H -#include -#endif /* ifdef HAVE_LOCALE_H */ - -#include #include #include +#include #include -#include #include -#include #include #include @@ -102,7 +99,7 @@ rcode_totext(dns_rcode_t rcode) { return (totext.deconsttext); } -ISC_NORETURN static void +noreturn static void show_usage(void); static void @@ -140,7 +137,7 @@ show_usage(void) { static void host_shutdown(void) { - (void)isc_app_shutdown(); + isc_loopmgr_shutdown(loopmgr); } static void @@ -152,9 +149,9 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) { char fromtext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(from, fromtext, sizeof(fromtext)); if (query->lookup->use_usec) { - TIME_NOW_HIRES(&now); + now = isc_time_now_hires(); } else { - TIME_NOW(&now); + now = isc_time_now(); } diff = (int)isc_time_microdiff(&now, &query->time_sent); printf("Received %u bytes from %s in %d ms\n", bytes, fromtext, @@ -213,15 +210,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid, isc_region_t r; dns_name_t empty_name; // OQS updated from 4096 to 8192 - char tbuf[8192]; + char tbuf[8192] = { 0 }; bool first; - bool no_rdata; - - if (sectionid == DNS_SECTION_QUESTION) { - no_rdata = true; - } else { - no_rdata = false; - } + bool no_rdata = (sectionid == DNS_SECTION_QUESTION); if (headers) { printf(";; %s SECTION:\n", section_name); @@ -542,7 +533,8 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, } if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) && - !short_form) { + !short_form) + { printf("\n"); result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY", true, query); 
@@ -551,7 +543,8 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, } } if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) && - !short_form) { + !short_form) + { printf("\n"); result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL", true, query); @@ -587,12 +580,6 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:"; -/*% version */ -static void -version(void) { - fprintf(stderr, "host %s\n", PACKAGE_VERSION); -} - static void pre_parse_args(int argc, char **argv) { int c; @@ -605,10 +592,12 @@ pre_parse_args(int argc, char **argv) { { isc_mem_debugging |= ISC_MEM_DEBUGTRACE; } else if (strcasecmp("record", - isc_commandline_argument) == 0) { + isc_commandline_argument) == 0) + { isc_mem_debugging |= ISC_MEM_DEBUGRECORD; } else if (strcasecmp("usage", - isc_commandline_argument) == 0) { + isc_commandline_argument) == 0) + { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } break; @@ -666,7 +655,7 @@ pre_parse_args(int argc, char **argv) { case 'v': break; case 'V': - version(); + printf("host %s\n", PACKAGE_VERSION); exit(0); break; case 'w': @@ -719,7 +708,8 @@ parse_args(bool is_batchfile, int argc, char **argv) { break; case 't': if (strncasecmp(isc_commandline_argument, "ixfr=", 5) == - 0) { + 0) + { rdtype = dns_rdatatype_ixfr; /* XXXMPA add error checking */ serial = strtoul(isc_commandline_argument + 5, @@ -738,7 +728,8 @@ parse_args(bool is_batchfile, int argc, char **argv) { isc_commandline_argument); } if (!lookup->rdtypeset || - lookup->rdtype != dns_rdatatype_axfr) { + lookup->rdtype != dns_rdatatype_axfr) + { lookup->rdtype = rdtype; } lookup->rdtypeset = true; 
@@ -779,10 +770,11 @@ parse_args(bool is_batchfile, int argc, char **argv) { break; case 'A': list_almost_all = true; - /* FALL THROUGH */ + FALLTHROUGH; case 'a': if (!lookup->rdtypeset || - lookup->rdtype != dns_rdatatype_axfr) { + lookup->rdtype != dns_rdatatype_axfr) + { lookup->rdtype = dns_rdatatype_any; } list_type = dns_rdatatype_any; @@ -856,6 +848,7 @@ parse_args(bool is_batchfile, int argc, char **argv) { break; case 'p': port = atoi(isc_commandline_argument); + port_set = true; break; } } @@ -893,8 +886,6 @@ parse_args(bool is_batchfile, int argc, char **argv) { int main(int argc, char **argv) { - isc_result_t result; - tries = 2; ISC_LIST_INIT(lookup_list); @@ -912,8 +903,6 @@ main(int argc, char **argv) { debug("main()"); progname = argv[0]; pre_parse_args(argc, argv); - result = isc_app_start(); - check_result(result, "isc_app_start"); setup_libs(); setup_system(ipv4only, ipv6only); parse_args(false, argc, argv); @@ -922,11 +911,12 @@ main(int argc, char **argv) { } else if (keysecret[0] != 0) { setup_text_key(); } - result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); - check_result(result, "isc_app_onrun"); - isc_app_run(); + + isc_loopmgr_setup(loopmgr, run_loop, NULL); + isc_loopmgr_run(loopmgr); + cancel_all(); destroy_libs(); - isc_app_finish(); + return ((seen_error == 0) ? 0 : 1); } diff --git a/bin/dig/host.rst b/bin/dig/host.rst index c65c643d0f..2647d36a73 100644 --- a/bin/dig/host.rst +++ b/bin/dig/host.rst 
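Review bot: `port_set = true;` is now recorded next to `port = atoi(isc_commandline_argument);`, which accepts any text (yielding 0 for non-numeric input) and does no range check, so a malformed `-p` value is committed as an explicit port choice rather than rejected. nslookup.c's set_port() in this same diff goes through `parse_uint(&n, value, 65535, "port")` and only assigns `port` and `port_set` on success; host.c's `case 'p':` should use the same helper so the two tools validate the option consistently.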
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: host +.. program:: host .. _man_host: host - DNS lookup utility 
@@ -34,55 +26,64 @@ Synopsis Description ~~~~~~~~~~~ -``host`` is a simple utility for performing DNS lookups. It is normally +:program:`host` is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments -or options are given, ``host`` prints a short summary of its +or options are given, :program:`host` prints a short summary of its command-line arguments and options. ``name`` is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which -case ``host`` by default performs a reverse lookup for that address. +case :program:`host` by default performs a reverse lookup for that address. ``server`` is an optional argument which is either the name or IP -address of the name server that ``host`` should query instead of the +address of the name server that :program:`host` should query instead of the server or servers listed in ``/etc/resolv.conf``. Options ~~~~~~~ -``-4`` - This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option. +.. option:: -4 + + This option specifies that only IPv4 should be used for query transport. See also the :option:`-6` option. -``-6`` - This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option. +.. option:: -6 -``-a`` - The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It - also affects the behavior of the ``-l`` list zone option. + This option specifies that only IPv6 should be used for query transport. See also the :option:`-4` option. -``-A`` - The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG, +.. option:: -a + + The :option:`-a` ("all") option is normally equivalent to :option:`-v` :option:`-t ANY <-t>`. It + also affects the behavior of the :option:`-l` list zone option. + +.. 
option:: -A + + The :option:`-A` ("almost all") option is equivalent to :option:`-a`, except that RRSIG, NSEC, and NSEC3 records are omitted from the output. -``-c class`` +.. option:: -c class + This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records. The default class is IN (Internet). -``-C`` - This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone +.. option:: -C + + This option indicates that :iscman:`named` should check consistency, meaning that :program:`host` queries the SOA records for zone ``name`` from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. -``-d`` - This option prints debugging traces, and is equivalent to the ``-v`` verbose option. +.. option:: -d + + This option prints debugging traces, and is equivalent to the :option:`-v` verbose option. -``-l`` - This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone +.. option:: -l + + This option tells :iscman:`named` to list the zone, meaning the :program:`host` command performs a zone transfer of zone ``name`` and prints out the NS, PTR, and address records (A/AAAA). - Together, the ``-l -a`` options print all records in the zone. + Together, the :option:`-l` :option:`-a` options print all records in the zone. + +.. option:: -N ndots -``-N ndots`` This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be considered absolute. The default value is that defined using the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement 
@@ -90,85 +91,96 @@ Options and are searched for in the domains listed in the ``search`` or ``domain`` directive in ``/etc/resolv.conf``. -``-p port`` +.. option:: -p port + This option specifies the port to query on the server. The default is 53. -``-r`` +.. option:: -r + This option specifies a non-recursive query; setting this option clears the RD (recursion desired) bit in the query. This means that the name server - receiving the query does not attempt to resolve ``name``. The ``-r`` - option enables ``host`` to mimic the behavior of a name server by + receiving the query does not attempt to resolve ``name``. The :option:`-r` + option enables :program:`host` to mimic the behavior of a name server by making non-recursive queries, and expecting to receive answers to those queries that can be referrals to other name servers. -``-R number`` +.. option:: -R number + This option specifies the number of retries for UDP queries. If ``number`` is negative or zero, the number of retries is silently set to 1. The default value is 1, or the value of the ``attempts`` option in ``/etc/resolv.conf``, if set. -``-s`` - This option tells ``named`` *not* to send the query to the next nameserver if any server responds +.. option:: -s + + This option tells :iscman:`named` *not* to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. -``-t type`` +.. option:: -t type + This option specifies the query type. The ``type`` argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc. - When no query type is specified, ``host`` automatically selects an + When no query type is specified, :program:`host` automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX - records. If the ``-C`` option is given, queries are made for SOA + records. If the :option:`-C` option is given, queries are made for SOA records. 
If ``name`` is a dotted-decimal IPv4 address or - colon-delimited IPv6 address, ``host`` queries for PTR records. + colon-delimited IPv6 address, :program:`host` queries for PTR records. If a query type of IXFR is chosen, the starting serial number can be specified by appending an equals sign (=), followed by the starting serial - number, e.g., ``-t IXFR=12345678``. + number, e.g., :option:`-t IXFR=12345678 <-t>`. -``-T``; ``-U`` - This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the - ``-T`` option makes it use a TCP connection when querying the name +.. option:: -T, -U + + This option specifies TCP or UDP. By default, :program:`host` uses UDP when making queries; the + :option:`-T` option makes it use a TCP connection when querying the name server. TCP is automatically selected for queries that require it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default - to TCP, but can be forced to use UDP initially via ``-U``. + to TCP, but can be forced to use UDP initially via :option:`-U`. + +.. option:: -m flag -``-m flag`` This option sets memory usage debugging: the flag can be ``record``, ``usage``, or - ``trace``. The ``-m`` option can be specified more than once to set + ``trace``. The :option:`-m` option can be specified more than once to set multiple flags. -``-v`` - This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output +.. option:: -v + + This option sets verbose output, and is equivalent to the :option:`-d` debug option. Verbose output can also be enabled by setting the ``debug`` option in ``/etc/resolv.conf``. -``-V`` +.. option:: -V + This option prints the version number and exits. -``-w`` +.. option:: -w + This option sets "wait forever": the query timeout is set to the maximum possible. See - also the ``-W`` option. + also the :option:`-W` option. + +.. 
option:: -W wait -``-W wait`` - This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is + This options sets the length of the wait timeout, indicating that :iscman:`named` should wait for up to ``wait`` seconds for a reply. If ``wait`` is less than 1, the wait interval is set to 1 second. - By default, ``host`` waits for 5 seconds for UDP responses and 10 + By default, :program:`host` waits for 5 seconds for UDP responses and 10 seconds for TCP connections. These defaults can be overridden by the ``timeout`` option in ``/etc/resolv.conf``. - See also the ``-w`` option. + See also the :option:`-w` option. IDN Support ~~~~~~~~~~~ -If ``host`` has been built with IDN (internationalized domain name) -support, it can accept and display non-ASCII domain names. ``host`` +If :program:`host` has been built with IDN (internationalized domain name) +support, it can accept and display non-ASCII domain names. :program:`host` appropriately converts character encoding of a domain name before sending a request to a DNS server or displaying a reply from the server. To turn off IDN support, define the ``IDN_DISABLE`` environment variable. IDN support is disabled if the variable is set -when ``host`` runs. +when :program:`host` runs. Files ~~~~~ @@ -178,4 +190,4 @@ Files See Also ~~~~~~~~ -:manpage:`dig(1)`, :manpage:`named(8)`. +:iscman:`dig(1) `, :iscman:`named(8) `. diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index 702e9af41d..dc43f7cdcf 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -14,17 +16,17 @@ #include #include -#include +#include #include #include #include -#include +#include +#include #include #include -#include #include -#include #include +#include #include #include @@ -39,6 +41,9 @@ #include "dighost.h" #include "readline.h" +static char cmdlinebuf[COMMSIZE]; +static char *cmdline = NULL; + static bool short_form = true, tcpmode = false, tcpmode_set = false, identify = false, stats = true, comments = true, section_question = true, section_answer = true, @@ -51,7 +56,6 @@ static bool interactive; static bool in_use = false; static char defclass[MXRD] = "IN"; static char deftype[MXRD] = "A"; -static isc_event_t *global_event = NULL; static int query_error = 1, print_error = 0; static char domainopt[DNS_NAME_MAXTEXT]; @@ -110,9 +114,6 @@ static const char *rtypetext[] = { #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0])) -static void -getinput(isc_task_t *task, isc_event_t *event); - static char * rcode_totext(dns_rcode_t rcode) { static char buf[sizeof("?65535")]; @@ -130,20 +131,6 @@ rcode_totext(dns_rcode_t rcode) { return (totext.deconsttext); } -static void -query_finished(void) { - isc_event_t *event = global_event; - - debug("dighost_shutdown()"); - - if (!in_use) { - isc_app_shutdown(); - return; - } - - isc_task_send(global_task, &event); -} - static void printsoa(dns_rdata_t *rdata) { dns_rdata_soa_t soa; @@ -399,8 +386,6 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) { static isc_result_t printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, bool headers) { - char servtext[ISC_SOCKADDR_FORMATSIZE]; - UNUSED(msgbuf); /* I've we've gotten this far, we've reached a server. */ 
@@ -409,6 +394,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, debug("printmessage()"); if (!default_lookups || query->lookup->rdtype == dns_rdatatype_a) { + char servtext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext)); printf("Server:\t\t%s\n", query->userarg); @@ -580,6 +566,7 @@ set_port(const char *value) { isc_result_t result = parse_uint(&n, value, 65535, "port"); if (result == ISC_R_SUCCESS) { port = (uint16_t)n; + port_set = true; } } @@ -610,17 +597,10 @@ set_ndots(const char *value) { } } -static void -version(void) { - fprintf(stderr, "nslookup %s\n", PACKAGE_VERSION); -} - static void setoption(char *opt) { size_t l = strlen(opt); - debugging = true; - #define CHECKOPT(A, N) \ ((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0)) @@ -810,10 +790,8 @@ do_next_command(char *input) { } else if ((strcasecmp(ptr, "server") == 0) || (strcasecmp(ptr, "lserver") == 0)) { - isc_app_block(); set_nameserver(arg); check_ra = false; - isc_app_unblock(); show_settings(true, true); } else if (strcasecmp(ptr, "exit") == 0) { in_use = false; 
@@ -830,31 +808,34 @@ do_next_command(char *input) { } static void -get_next_command(void) { - char cmdlinebuf[COMMSIZE]; - char *cmdline, *ptr = NULL; +readline_next_command(void *arg) { + char *ptr = NULL; - isc_app_block(); - if (interactive) { - cmdline = ptr = readline("> "); - if (ptr != NULL && *ptr != 0) { - add_history(ptr); - } - } else { - cmdline = fgets(cmdlinebuf, COMMSIZE, stdin); - } - isc_app_unblock(); - if (cmdline == NULL) { - in_use = false; - } else { - do_next_command(cmdline); + UNUSED(arg); + + isc_loopmgr_blocking(loopmgr); + ptr = readline("> "); + isc_loopmgr_nonblocking(loopmgr); + if (ptr == NULL) { + return; } - if (ptr != NULL) { - free(ptr); + + if (*ptr != 0) { + add_history(ptr); + strlcpy(cmdlinebuf, ptr, COMMSIZE); + cmdline = cmdlinebuf; } + free(ptr); +} + +static void +fgets_next_command(void *arg) { + UNUSED(arg); + + cmdline = fgets(cmdlinebuf, COMMSIZE, stdin); } -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -880,7 +861,7 @@ parse_args(int argc, char **argv) { debug("main parsing %s", argv[0]); if (argv[0][0] == '-') { if (strncasecmp(argv[0], "-ver", 4) == 0) { - version(); + printf("nslookup %s\n", PACKAGE_VERSION); exit(0); } else if (argv[0][1] != 0) { setoption(&argv[0][1]); 
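Review bot: An empty interactive line now ends the session: readline() returns "" for it, the `if (*ptr != 0)` guard in readline_next_command() skips both `add_history()` and the copy into `cmdlinebuf`, so `cmdline` stays NULL and process_next_command() (later in this diff) treats NULL as end of input and clears `in_use`. The removed code passed the empty string to do_next_command() and carried on. Keep only `add_history(ptr);` under the guard and move `strlcpy(cmdlinebuf, ptr, COMMSIZE); cmdline = cmdlinebuf;` after it so every non-NULL line is delivered, matching what fgets_next_command() already does. Note also that `strlcpy` silently truncates lines longer than COMMSIZE where readline() previously handed over the whole line.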
@@ -904,25 +885,54 @@ parse_args(int argc, char **argv) { } static void -getinput(isc_task_t *task, isc_event_t *event) { - UNUSED(task); - if (global_event == NULL) { - global_event = event; - } - while (in_use) { - get_next_command(); +start_next_command(void); + +static void +process_next_command(void *arg ISC_ATTR_UNUSED) { + isc_loop_t *loop = isc_loop_main(loopmgr); + if (cmdline == NULL) { + in_use = false; + } else { + do_next_command(cmdline); if (ISC_LIST_HEAD(lookup_list) != NULL) { - start_lookup(); + isc_async_run(loop, run_loop, NULL); return; } } - isc_app_shutdown(); + + start_next_command(); +} + +static void +start_next_command(void) { + isc_loop_t *loop = isc_loop_main(loopmgr); + if (!in_use) { + isc_loopmgr_shutdown(loopmgr); + return; + } + + cmdline = NULL; + + isc_loopmgr_pause(loopmgr); + if (interactive) { + isc_work_enqueue(loop, readline_next_command, + process_next_command, loop); + } else { + isc_work_enqueue(loop, fgets_next_command, process_next_command, + loop); + } + isc_loopmgr_resume(loopmgr); +} + +static void +read_loop(void *arg) { + UNUSED(arg); + + start_next_command(); } int main(int argc, char **argv) { - isc_result_t result; - interactive = isatty(0); ISC_LIST_INIT(lookup_list); @@ -935,10 +945,7 @@ main(int argc, char **argv) { dighost_printmessage = printmessage; dighost_received = received; dighost_trying = trying; - dighost_shutdown = query_finished; - - result = isc_app_start(); - check_result(result, "isc_app_start"); + dighost_shutdown = start_next_command; setup_libs(); progname = argv[0]; 
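Review bot: The new functions in this hunk mark their unused parameter two different ways: process_next_command uses `void *arg ISC_ATTR_UNUSED` in the signature, while read_loop (and readline_next_command/fgets_next_command in the previous hunk) use `UNUSED(arg);` in the body; pick one form for the file. The hand-off protocol between start_next_command and process_next_command is implicit — `cmdline = NULL;` is set before the enqueue and NULL afterwards means EOF or error on stdin — so a comment on that assignment such as `/* NULL after the read callback means EOF/error on stdin; see process_next_command(). */` would make the state machine readable. The pause/resume bracketing around isc_work_enqueue is also unexplained; if it is needed because the enqueue must not race a running lookup, say so in a short why-comment.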
@@ -954,23 +961,18 @@ main(int argc, char **argv) { set_search_domain(domainopt); } if (in_use) { - result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); + isc_loopmgr_setup(loopmgr, run_loop, NULL); } else { - result = isc_app_onrun(mctx, global_task, getinput, NULL); + isc_loopmgr_setup(loopmgr, read_loop, NULL); } - check_result(result, "isc_app_onrun"); in_use = !in_use; - (void)isc_app_run(); + isc_loopmgr_run(loopmgr); puts(""); debug("done, and starting to shut down"); - if (global_event != NULL) { - isc_event_free(&global_event); - } cancel_all(); destroy_libs(); - isc_app_finish(); return (query_error | print_error); } diff --git a/bin/dig/nslookup.rst b/bin/dig/nslookup.rst index 1dafd364a4..2b92aa761b 100644 --- a/bin/dig/nslookup.rst +++ b/bin/dig/nslookup.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: nslookup +.. program:: nslookup .. _man_nslookup: nslookup - query Internet name servers interactively @@ -34,8 +26,8 @@ Synopsis Description ~~~~~~~~~~~ -``nslookup`` is a program to query Internet domain name servers. -``nslookup`` has two modes: interactive and non-interactive. Interactive +:program:`nslookup` is a program to query Internet domain name servers. +:program:`nslookup` has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode prints just the name and requested 
@@ -64,16 +56,16 @@ seconds, type: nslookup -query=hinfo -timeout=10 -The ``-version`` option causes ``nslookup`` to print the version number +The ``-version`` option causes :program:`nslookup` to print the version number and immediately exit. Interactive Commands ~~~~~~~~~~~~~~~~~~~~ ``host [server]`` - This command looks up information for ``host`` using the current default server or - using ``server``, if specified. If ``host`` is an Internet address and the - query type is A or PTR, the name of the host is returned. If ``host`` is + This command looks up information for :iscman:`host` using the current default server or + using ``server``, if specified. If :iscman:`host` is an Internet address and the + query type is A or PTR, the name of the host is returned. If :iscman:`host` is a name and does not have a trailing period (``.``), the search list is used to qualify the name. @@ -191,19 +183,19 @@ Interactive Commands Return Values ~~~~~~~~~~~~~ -``nslookup`` returns with an exit status of 1 if any query failed, and 0 +:program:`nslookup` returns with an exit status of 1 if any query failed, and 0 otherwise. IDN Support ~~~~~~~~~~~ -If ``nslookup`` has been built with IDN (internationalized domain name) -support, it can accept and display non-ASCII domain names. ``nslookup`` +If :program:`nslookup` has been built with IDN (internationalized domain name) +support, it can accept and display non-ASCII domain names. :program:`nslookup` appropriately converts character encoding of a domain name before sending a request to a DNS server or displaying a reply from the server. To turn off IDN support, define the ``IDN_DISABLE`` environment variable. IDN support is disabled if the variable is set -when ``nslookup`` runs, or when the standard output is not a tty. +when :program:`nslookup` runs, or when the standard output is not a tty. Files ~~~~~ 
@@ -213,4 +205,4 @@ Files See Also ~~~~~~~~ -:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`. +:iscman:`dig(1) `, :iscman:`host(1) `, :iscman:`named(8) `. diff --git a/bin/dig/readline.h b/bin/dig/readline.h index 5e270854ec..68a38c3ef9 100644 --- a/bin/dig/readline.h +++ b/bin/dig/readline.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. diff --git a/bin/dnssec/Makefile.am b/bin/dnssec/Makefile.am index 7aeaccc97c..0017705a0d 100644 --- a/bin/dnssec/Makefile.am +++ b/bin/dnssec/Makefile.am @@ -4,15 +4,16 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) -AM_CPPFLAGS += \ +AM_CPPFLAGS += \ -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" noinst_LTLIBRARIES = libdnssectool.la -LDADD = \ +LDADD += \ libdnssectool.la \ $(LIBISC_LIBS) \ - $(LIBDNS_LIBS) + $(LIBDNS_LIBS) \ + $(OPENSSL_LIBS) bin_PROGRAMS = \ dnssec-cds \ @@ -31,8 +32,20 @@ libdnssectool_la_SOURCES = \ dnssec_keygen_CPPFLAGS = \ $(AM_CPPFLAGS) \ - $(LIBISCCFG_CFLAGS) + $(LIBISCCFG_CFLAGS) \ + $(OPENSSL_CFLAGS) dnssec_keygen_LDADD = \ $(LDADD) \ - $(LIBISCCFG_LIBS) + $(LIBISCCFG_LIBS) \ + $(OPENSSL_LIBS) + +dnssec_signzone_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(LIBISCCFG_CFLAGS) \ + $(OPENSSL_CFLAGS) + +dnssec_signzone_LDADD = \ + $(LDADD) \ + $(LIBISCCFG_LIBS) \ + $(OPENSSL_LIBS) diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index 4da36c5f9e..2e2d8999f1 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -24,10 +26,11 @@ #include #include #include +#include #include #include #include -#include +#include #include #include #include @@ -49,15 +52,10 @@ #include #include #include -#include #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-cds"; 
@@ -123,17 +121,32 @@ typedef struct keyinfo { /* A replaceable function that can generate a DS RRset from some input */ typedef isc_result_t -ds_maker_func_t(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *rdata); +ds_maker_func_t(isc_buffer_t *buf, dns_rdata_t *ds, dns_dsdigest_t dt, + dns_rdata_t *crdata); -static dns_rdataset_t cdnskey_set, cdnskey_sig; -static dns_rdataset_t cds_set, cds_sig; -static dns_rdataset_t dnskey_set, dnskey_sig; -static dns_rdataset_t old_ds_set, new_ds_set; +static dns_rdataset_t cdnskey_set = DNS_RDATASET_INIT; +static dns_rdataset_t cdnskey_sig = DNS_RDATASET_INIT; +static dns_rdataset_t cds_set = DNS_RDATASET_INIT; +static dns_rdataset_t cds_sig = DNS_RDATASET_INIT; +static dns_rdataset_t dnskey_set = DNS_RDATASET_INIT; +static dns_rdataset_t dnskey_sig = DNS_RDATASET_INIT; +static dns_rdataset_t old_ds_set = DNS_RDATASET_INIT; +static dns_rdataset_t new_ds_set = DNS_RDATASET_INIT; -static keyinfo_t *old_key_tbl, *new_key_tbl; +static keyinfo_t *old_key_tbl = NULL, *new_key_tbl = NULL; isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */ +static dns_db_t *child_db = NULL; +static dns_dbnode_t *child_node = NULL; +static dns_db_t *parent_db = NULL; +static dns_dbnode_t *parent_node = NULL; +static dns_db_t *update_db = NULL; +static dns_dbnode_t *update_node = NULL; +static dns_dbversion_t *update_version = NULL; +static bool cleanup_dst = false; +static bool print_mem_stats = false; + static void verbose_time(int level, const char *msg, isc_stdtime_t time) { isc_result_t result; 
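Review bot: The comment above the ds_maker_func_t typedef still says "generate a DS RRset from some input", but the new signature builds one DS rdata for one digest type from one child rdata, and the implementations later in the diff return ISC_R_IGNORE when the record does not apply to that digest type and ISC_R_NOSPACE when the buffer is full; the comment should state that contract, e.g. `/* Build one DS rdata of digest type dt from the child CDS/CDNSKEY rdata crdata into buf. Returns ISC_R_IGNORE if the record does not apply to dt, ISC_R_NOSPACE if buf is full. */`. The new file-scope db/node/version pointers and the cleanup_dst/print_mem_stats flags are presumably there so the fatal-path cleanup introduced later in this diff can release them; a one-line comment on that group saying they exist for cleanup() would explain why formerly local state became global.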
@@ -251,21 +264,27 @@ load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) { } static void -free_db(dns_db_t **dbp, dns_dbnode_t **nodep) { - dns_db_detachnode(*dbp, nodep); - dns_db_detach(dbp); +free_db(dns_db_t **dbp, dns_dbnode_t **nodep, dns_dbversion_t **versionp) { + if (*dbp != NULL) { + if (*nodep != NULL) { + dns_db_detachnode(*dbp, nodep); + } + if (versionp != NULL && *versionp != NULL) { + dns_db_closeversion(*dbp, versionp, false); + } + dns_db_detach(dbp); + } } static void load_child_sets(const char *file) { - dns_db_t *db = NULL; - dns_dbnode_t *node = NULL; - - load_db(file, &db, &node); - findset(db, node, dns_rdatatype_dnskey, &dnskey_set, &dnskey_sig); - findset(db, node, dns_rdatatype_cdnskey, &cdnskey_set, &cdnskey_sig); - findset(db, node, dns_rdatatype_cds, &cds_set, &cds_sig); - free_db(&db, &node); + load_db(file, &child_db, &child_node); + findset(child_db, child_node, dns_rdatatype_dnskey, &dnskey_set, + &dnskey_sig); + findset(child_db, child_node, dns_rdatatype_cdnskey, &cdnskey_set, + &cdnskey_sig); + findset(child_db, child_node, dns_rdatatype_cds, &cds_set, &cds_sig); + free_db(&child_db, &child_node, NULL); } static void @@ -314,8 +333,6 @@ get_dsset_name(char *filename, size_t size, const char *path, static void load_parent_set(const char *path) { isc_result_t result; - dns_db_t *db = NULL; - dns_dbnode_t *node = NULL; isc_time_t modtime; char filename[PATH_MAX + 1]; 
@@ -328,21 +345,20 @@ load_parent_set(const char *path) { } notbefore = isc_time_seconds(&modtime); if (startstr != NULL) { - isc_stdtime_t now; - isc_stdtime_get(&now); + isc_stdtime_t now = isc_stdtime_now(); notbefore = strtotime(startstr, now, notbefore, NULL); } verbose_time(1, "child records must not be signed before", notbefore); - load_db(filename, &db, &node); - findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL); + load_db(filename, &parent_db, &parent_node); + findset(parent_db, parent_node, dns_rdatatype_ds, &old_ds_set, NULL); if (!dns_rdataset_isassociated(&old_ds_set)) { fatal("could not find DS records for %s in %s", namestr, filename); } - free_db(&db, &node); + free_db(&parent_db, &parent_node, NULL); } #define MAX_CDS_RDATA_TEXT_SIZE DNS_RDATA_MAXLENGTH * 2 @@ -367,17 +383,18 @@ formatset(dns_rdataset_t *rdataset) { isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE); result = dns_master_rdatasettotext(name, rdataset, style, NULL, buf); + dns_master_styledestroy(&style, mctx); if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) { result = ISC_R_NOSPACE; } - check_result(result, "dns_rdataset_totext()"); + if (result != ISC_R_SUCCESS) { + isc_buffer_free(&buf); + check_result(result, "dns_rdataset_totext()"); + } isc_buffer_putuint8(buf, 0); - - dns_master_styledestroy(&style, mctx); - return (buf); } @@ -420,6 +437,7 @@ write_parent_set(const char *path, const char *inplace, bool nsupdate, result = isc_file_openunique(tmpname, &fp); if (result != ISC_R_SUCCESS) { + isc_buffer_free(&buf); fatal("open %s: %s", tmpname, isc_result_totext(result)); } fprintf(fp, "%s", (char *)r.base); @@ -477,7 +495,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) { "dns_ds_buildrdata(" "keytag=%d, algo=%d, digest=%d): %s\n", ds.key_tag, ds.algorithm, ds.digest_type, - dns_result_totext(result)); + isc_result_totext(result)); continue; } /* allow for both DS and CDS */ 
@@ -514,23 +532,22 @@ static keyinfo_t * match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset, strictness_t strictness) { isc_result_t result; - keyinfo_t *keytable; + keyinfo_t *keytable, *ki; int i; nkey = dns_rdataset_count(keyset); - keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey); + keytable = isc_mem_cget(mctx, nkey, sizeof(keytable[0])); - for (result = dns_rdataset_first(keyset), i = 0; - result == ISC_R_SUCCESS; result = dns_rdataset_next(keyset), i++) + for (result = dns_rdataset_first(keyset), i = 0, ki = keytable; + result == ISC_R_SUCCESS; + result = dns_rdataset_next(keyset), i++, ki++) { - keyinfo_t *ki; dns_rdata_dnskey_t dnskey; dns_rdata_t *keyrdata; isc_region_t r; INSIST(i < nkey); - ki = &keytable[i]; keyrdata = &ki->rdata; dns_rdata_init(keyrdata); @@ -554,7 +571,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset, vbprintf(3, "dns_dnssec_keyfromrdata(" "keytag=%d, algo=%d): %s\n", - ki->tag, ki->algo, dns_result_totext(result)); + ki->tag, ki->algo, isc_result_totext(result)); } } @@ -568,14 +585,15 @@ free_keytable(keyinfo_t **keytable_p) { keyinfo_t *ki; int i; - for (i = 0; i < nkey; i++) { - ki = &keytable[i]; + REQUIRE(keytable != NULL); + + for (i = 0, ki = keytable; i < nkey; i++, ki++) { if (ki->dst != NULL) { dst_key_free(&ki->dst); } } - isc_mem_put(mctx, keytable, sizeof(keyinfo_t) * nkey); + isc_mem_cput(mctx, keytable, nkey, sizeof(keytable[0])); } /* @@ -594,8 +612,9 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset, dns_secalg_t *algo; int i; - algo = isc_mem_get(mctx, nkey); - memset(algo, 0, nkey); + REQUIRE(keytbl != NULL); + + algo = isc_mem_cget(mctx, nkey, sizeof(algo[0])); for (result = dns_rdataset_first(sigset); result == ISC_R_SUCCESS; result = dns_rdataset_next(sigset)) 
@@ -636,7 +655,8 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset, NULL); if (result != ISC_R_SUCCESS && - result != DNS_R_FROMWILDCARD) { + result != DNS_R_FROMWILDCARD) + { vbprintf(1, "skip RRSIG by key %d:" " verification failed: %s\n", @@ -677,7 +697,7 @@ signed_loose(dns_secalg_t *algo) { ok = true; } } - isc_mem_put(mctx, algo, nkey); + isc_mem_cput(mctx, algo, nkey, sizeof(algo[0])); return (ok); } 
@@ -719,86 +739,87 @@ signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) { } } - isc_mem_put(mctx, algo, nkey); + isc_mem_cput(mctx, algo, nkey, sizeof(algo[0])); return (all_ok); } -static dns_rdata_t * -rdata_get(void) { - dns_rdata_t *rdata; - - rdata = isc_mem_get(mctx, sizeof(*rdata)); - dns_rdata_init(rdata); - - return (rdata); -} - -static isc_result_t -rdata_put(isc_result_t result, dns_rdatalist_t *rdlist, dns_rdata_t *rdata) { - if (result == ISC_R_SUCCESS) { - ISC_LIST_APPEND(rdlist->rdata, rdata, link); - } else { - isc_mem_put(mctx, rdata, sizeof(*rdata)); - } - - return (result); -} - /* * This basically copies the rdata into the buffer, but going via the - * unpacked struct has the side-effect of changing the rdatatype. The - * dns_rdata_cds_t and dns_rdata_ds_t types are aliases. + * unpacked struct lets us change the rdatatype. (The dns_rdata_cds_t + * and dns_rdata_ds_t types are aliases.) */ static isc_result_t -ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *cds) { +ds_from_cds(isc_buffer_t *buf, dns_rdata_t *rds, dns_dsdigest_t dt, + dns_rdata_t *cds) { isc_result_t result; dns_rdata_ds_t ds; - dns_rdata_t *rdata; REQUIRE(buf != NULL); - rdata = rdata_get(); - result = dns_rdata_tostruct(cds, &ds, NULL); check_result(result, "dns_rdata_tostruct(CDS)"); ds.common.rdtype = dns_rdatatype_ds; - result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds, &ds, - buf); + if (ds.digest_type != dt) { + return (ISC_R_IGNORE); + } - return (rdata_put(result, dslist, rdata)); + return (dns_rdata_fromstruct(rds, rdclass, dns_rdatatype_ds, &ds, buf)); } static isc_result_t -ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf, +ds_from_cdnskey(isc_buffer_t *buf, dns_rdata_t *ds, dns_dsdigest_t dt, dns_rdata_t *cdnskey) { isc_result_t result; - unsigned i, n; + isc_region_t r; REQUIRE(buf != NULL); - n = sizeof(dtype) / sizeof(dtype[0]); - for (i = 0; i < n; i++) { - if (dtype[i] != 0) { - dns_rdata_t *rdata; - 
isc_region_t r; + isc_buffer_availableregion(buf, &r); + if (r.length < DNS_DS_BUFFERSIZE) { + return (ISC_R_NOSPACE); + } - isc_buffer_availableregion(buf, &r); - if (r.length < DNS_DS_BUFFERSIZE) { - return (ISC_R_NOSPACE); - } + result = dns_ds_buildrdata(name, cdnskey, dt, r.base, ds); + if (result == ISC_R_SUCCESS) { + isc_buffer_add(buf, DNS_DS_BUFFERSIZE); + } - rdata = rdata_get(); - result = dns_ds_buildrdata(name, cdnskey, dtype[i], - r.base, rdata); - if (result == ISC_R_SUCCESS) { - isc_buffer_add(buf, DNS_DS_BUFFERSIZE); - } + return (result); +} - result = rdata_put(result, dslist, rdata); - if (result != ISC_R_SUCCESS) { - return (result); - } +static isc_result_t +append_new_ds_set(ds_maker_func_t *ds_from_rdata, isc_buffer_t *buf, + dns_rdatalist_t *dslist, dns_dsdigest_t dt, + dns_rdataset_t *crdset) { + isc_result_t result; + + for (result = dns_rdataset_first(crdset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(crdset)) + { + dns_rdata_t crdata = DNS_RDATA_INIT; + dns_rdata_t *ds = NULL; + + dns_rdataset_current(crdset, &crdata); + + ds = isc_mem_get(mctx, sizeof(*ds)); + dns_rdata_init(ds); + + result = ds_from_rdata(buf, ds, dt, &crdata); + + switch (result) { + case ISC_R_SUCCESS: + ISC_LIST_APPEND(dslist->rdata, ds, link); + break; + case ISC_R_IGNORE: + isc_mem_put(mctx, ds, sizeof(*ds)); + continue; + case ISC_R_NOSPACE: + isc_mem_put(mctx, ds, sizeof(*ds)); + return (result); + default: + isc_mem_put(mctx, ds, sizeof(*ds)); + check_result(result, "ds_from_rdata()"); } } 
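Review bot: The output parameter is named `rds` in ds_from_cds but `ds` in the typedef and in ds_from_cdnskey; use `ds` in both so the maker functions read as the same interface. In append_new_ds_set the `default:` arm frees the rdata and then calls check_result(), and the loop only stays correct because check_result() does not return on failure, consistent with its other uses in this file; making that explicit with a comment `/* check_result() is fatal; not reached on failure */` or an explicit `return (result);` after it would stop a future non-fatal check from silently dropping a record. The rdata is also allocated before the maker can return ISC_R_IGNORE, so every filtered-out CDS costs an allocate/free pair; harmless, but worth a note if it is deliberate. The function's return after the loop, where the loop's terminal result is presumably mapped to ISC_R_SUCCESS as make_new_ds_set expects, lies outside this hunk.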
@@ -807,52 +828,45 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf, static void make_new_ds_set(ds_maker_func_t *ds_from_rdata, uint32_t ttl, - dns_rdataset_t *rdset) { + dns_rdataset_t *crdset) { unsigned int size = 16; + for (;;) { - isc_result_t result; - dns_rdatalist_t *dslist; + isc_result_t result = ISC_R_SUCCESS; + dns_rdatalist_t *dslist = NULL; + size_t n; dslist = isc_mem_get(mctx, sizeof(*dslist)); - dns_rdatalist_init(dslist); dslist->rdclass = rdclass; dslist->type = dns_rdatatype_ds; dslist->ttl = ttl; dns_rdataset_init(&new_ds_set); - result = dns_rdatalist_tordataset(dslist, &new_ds_set); - check_result(result, "dns_rdatalist_tordataset(dslist)"); + dns_rdatalist_tordataset(dslist, &new_ds_set); isc_buffer_allocate(mctx, &new_ds_buf, size); - for (result = dns_rdataset_first(rdset); - result == ISC_R_SUCCESS; result = dns_rdataset_next(rdset)) - { - isc_result_t tresult; - dns_rdata_t rdata = DNS_RDATA_INIT; - - dns_rdataset_current(rdset, &rdata); - - tresult = ds_from_rdata(dslist, new_ds_buf, &rdata); - if (tresult == ISC_R_NOSPACE) { - vbprintf(20, "DS list buffer size %u\n", size); - freelist(&new_ds_set); - isc_buffer_free(&new_ds_buf); - size *= 2; + n = sizeof(dtype) / sizeof(dtype[0]); + for (size_t i = 0; i < n && dtype[i] != 0; i++) { + result = append_new_ds_set(ds_from_rdata, new_ds_buf, + dslist, dtype[i], crdset); + if (result != ISC_R_SUCCESS) { break; } - - check_result(tresult, "ds_from_rdata()"); } - - if (result == ISC_R_NOMORE) { - break; + if (result == ISC_R_SUCCESS) { + return; } + + vbprintf(2, "doubling DS list buffer size from %u\n", size); + freelist(&new_ds_set); + isc_buffer_free(&new_ds_buf); + size *= 2; } } -static inline int +static int rdata_cmp(const void *rdata1, const void *rdata2) { return (dns_rdata_compare((const dns_rdata_t *)rdata1, (const dns_rdata_t *)rdata2)); 
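Review bot: The retry loop in make_new_ds_set frees the set, doubles the buffer and retries on any result other than ISC_R_SUCCESS, while ISC_R_NOSPACE is the only failure append_new_ds_set is meant to return here; if any other code ever came back the loop would double forever, so assert the expectation before retrying: `INSIST(result == ISC_R_NOSPACE);` just above the vbprintf. The new loop condition `i < n && dtype[i] != 0` stops at the first zero entry, whereas the removed code skipped zero entries and continued; that is equivalent only if dtype is always filled contiguously from index 0, which is not visible in this hunk and deserves a comment on the loop.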
@@ -873,13 +887,14 @@ consistent_digests(dns_rdataset_t *dsset) { int i, j, n, d; /* - * First sort the dsset. DS rdata fields are tag, algorithm, digest, - * so sorting them brings together all the records for each key. + * First sort the dsset. DS rdata fields are tag, algorithm, + * digest, so sorting them brings together all the records for + * each key. */ n = dns_rdataset_count(dsset); - arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t)); + arrdata = isc_mem_cget(mctx, n, sizeof(dns_rdata_t)); for (result = dns_rdataset_first(dsset), i = 0; result == ISC_R_SUCCESS; result = dns_rdataset_next(dsset), i++) @@ -893,7 +908,7 @@ consistent_digests(dns_rdataset_t *dsset) { /* * Convert sorted arrdata to more accessible format */ - ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t)); + ds = isc_mem_cget(mctx, n, sizeof(dns_rdata_ds_t)); for (i = 0; i < n; i++) { result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL); @@ -932,8 +947,8 @@ consistent_digests(dns_rdataset_t *dsset) { /* * Done! */ - isc_mem_put(mctx, ds, n * sizeof(dns_rdata_ds_t)); - isc_mem_put(mctx, arrdata, n * sizeof(dns_rdata_t)); + isc_mem_cput(mctx, ds, n, sizeof(dns_rdata_ds_t)); + isc_mem_cput(mctx, arrdata, n, sizeof(dns_rdata_t)); return (match); } 
@@ -961,32 +976,27 @@ static void update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset, dns_rdataset_t *delset) { isc_result_t result; - dns_db_t *db; - dns_dbnode_t *node; - dns_dbversion_t *ver; dns_rdataset_t diffset; uint32_t save; - db = NULL; result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0, - NULL, &db); + NULL, &update_db); check_result(result, "dns_db_create()"); - ver = NULL; - result = dns_db_newversion(db, &ver); + result = dns_db_newversion(update_db, &update_version); check_result(result, "dns_db_newversion()"); - node = NULL; - result = dns_db_findnode(db, name, true, &node); + result = dns_db_findnode(update_db, name, true, &update_node); check_result(result, "dns_db_findnode()"); dns_rdataset_init(&diffset); - result = dns_db_addrdataset(db, node, ver, 0, addset, DNS_DBADD_MERGE, - NULL); + result = dns_db_addrdataset(update_db, update_node, update_version, 0, + addset, DNS_DBADD_MERGE, NULL); check_result(result, "dns_db_addrdataset()"); - result = dns_db_subtractrdataset(db, node, ver, delset, 0, &diffset); + result = dns_db_subtractrdataset(update_db, update_node, update_version, + delset, 0, &diffset); if (result == DNS_R_UNCHANGED) { save = addset->ttl; addset->ttl = ttl; @@ -999,9 +1009,7 @@ update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset, dns_rdataset_disassociate(&diffset); } - dns_db_detachnode(db, &node); - dns_db_closeversion(db, &ver, false); - dns_db_detach(&db); + free_db(&update_db, &update_node, &update_version); } static void @@ -1021,7 +1029,7 @@ nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) { } } -ISC_NORETURN static void +noreturn static void usage(void); static void 
@@ -1051,6 +1059,32 @@ usage(void) { exit(1); } +static void +cleanup(void) { + free_db(&child_db, &child_node, NULL); + free_db(&parent_db, &parent_node, NULL); + free_db(&update_db, &update_node, &update_version); + if (old_key_tbl != NULL) { + free_keytable(&old_key_tbl); + } + if (new_key_tbl != NULL) { + free_keytable(&new_key_tbl); + } + free_all_sets(); + if (lctx != NULL) { + cleanup_logging(&lctx); + } + if (cleanup_dst) { + dst_lib_destroy(); + } + if (mctx != NULL) { + if (print_mem_stats && verbose > 10) { + isc_mem_stats(mctx, stdout); + } + isc_mem_destroy(&mctx); + } +} + int main(int argc, char *argv[]) { const char *child_path = NULL; @@ -1063,12 +1097,9 @@ main(int argc, char *argv[]) { int ch; char *endp; - isc_mem_create(&mctx); + setfatalcallback(cleanup); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); + isc_mem_create(&mctx); isc_commandline_errprint = false; @@ -1092,11 +1123,12 @@ main(int argc, char *argv[]) { break; case 'i': /* - * This is a bodge to make the argument optional, - * so that it works just like sed(1). + * This is a bodge to make the argument + * optional, so that it works just like sed(1). */ if (isc_commandline_argument == - argv[isc_commandline_index - 1]) { + argv[isc_commandline_index - 1]) + { isc_commandline_index--; inplace = ""; } else { @@ -1153,6 +1185,7 @@ main(int argc, char *argv[]) { fatal("could not initialize dst: %s", isc_result_totext(result)); } + cleanup_dst = true; if (ds_path == NULL) { fatal("missing -d DS pathname"); @@ -1188,7 +1221,8 @@ main(int argc, char *argv[]) { fatal("missing RRSIG CDNSKEY records for %s", namestr); } if (dns_rdataset_isassociated(&cds_set) && - !dns_rdataset_isassociated(&cds_sig)) { + !dns_rdataset_isassociated(&cds_sig)) + { fatal("missing RRSIG CDS records for %s", namestr); } 
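Review bot: cleanup() serves both as the fatal callback, installed before isc_mem_create so it can run with mctx still NULL, and as the normal exit path, so it has to tolerate every intermediate state of main(); that contract should be stated in a header comment, e.g. `/* Release whatever main() has set up so far. Installed via setfatalcallback() before mctx exists, so every pointer is NULL-checked and every release resets its pointer. */`. One point to confirm: free_keytable sizes its isc_mem_cput from the file-scope nkey, which match_keyset_dsset overwrites on each call, so releasing both old_key_tbl and new_key_tbl here is only correct if both tables were built from rdatasets with the same count; a comment or an INSIST documenting that assumption would protect the fatal path. If anything called from cleanup() can itself reach fatal(), the callback would re-enter; presumably nothing does, but it is not visible here.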
@@ -1196,9 +1230,10 @@ main(int argc, char *argv[]) { old_key_tbl = match_keyset_dsset(&dnskey_set, &old_ds_set, LOOSE); /* - * We have now identified the keys that are allowed to authenticate - * the DNSKEY RRset (RFC 4035 section 5.2 bullet 2), and CDNSKEY and - * CDS RRsets (RFC 7344 section 4.1 bullet 2). + * We have now identified the keys that are allowed to + * authenticate the DNSKEY RRset (RFC 4035 section 5.2 bullet + * 2), and CDNSKEY and CDS RRsets (RFC 7344 section 4.1 bullet + * 2). */ vbprintf(1, "verify DNSKEY signature(s)\n"); @@ -1210,7 +1245,8 @@ main(int argc, char *argv[]) { if (dns_rdataset_isassociated(&cdnskey_set)) { vbprintf(1, "verify CDNSKEY signature(s)\n"); if (!signed_loose(matching_sigs(old_key_tbl, &cdnskey_set, - &cdnskey_sig))) { + &cdnskey_sig))) + { fatal("could not validate child CDNSKEY RRset for %s", namestr); } @@ -1218,7 +1254,8 @@ main(int argc, char *argv[]) { if (dns_rdataset_isassociated(&cds_set)) { vbprintf(1, "verify CDS signature(s)\n"); if (!signed_loose( - matching_sigs(old_key_tbl, &cds_set, &cds_sig))) { + matching_sigs(old_key_tbl, &cds_set, &cds_sig))) + { fatal("could not validate child CDS RRset for %s", namestr); } @@ -1248,7 +1285,7 @@ main(int argc, char *argv[]) { vbprintf(1, "%s has neither CDS nor CDNSKEY records\n", namestr); write_parent_set(ds_path, inplace, nsupdate, &old_ds_set); - exit(0); + goto cleanup; } /* 
@@ -1263,6 +1300,24 @@ main(int argc, char *argv[]) { make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set); } + /* + * Try to use CDNSKEY records if the CDS records are missing + * or did not match. + */ + if (dns_rdataset_count(&new_ds_set) == 0 && + dns_rdataset_isassociated(&cdnskey_set)) + { + vbprintf(1, "CDS records have no allowed digest types; " + "using CDNSKEY instead\n"); + freelist(&new_ds_set); + isc_buffer_free(&new_ds_buf); + make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set); + } + if (dns_rdataset_count(&new_ds_set) == 0) { + fatal("CDS records at %s do not match any -a digest types", + namestr); + } + /* * Now we have a candidate DS RRset, we need to check it * won't break the delegation. @@ -1296,13 +1351,8 @@ main(int argc, char *argv[]) { write_parent_set(ds_path, inplace, nsupdate, &new_ds_set); - free_all_sets(); - cleanup_logging(&lctx); - dst_lib_destroy(); - if (verbose > 10) { - isc_mem_stats(mctx, stdout); - } - isc_mem_destroy(&mctx); - +cleanup: + print_mem_stats = true; + cleanup(); exit(0); } diff --git a/bin/dnssec/dnssec-cds.rst b/bin/dnssec/dnssec-cds.rst index b49583bf45..09960e91d3 100644 --- a/bin/dnssec/dnssec-cds.rst +++ b/bin/dnssec/dnssec-cds.rst 
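Review bot: The CDNSKEY fallback block runs whenever new_ds_set is empty and a CDNSKEY set exists, including the case where the branch just above apparently already built new_ds_set from CDNSKEY because no CDS records were present; then the "CDS records have no allowed digest types" message is wrong and the set is freed and rebuilt for nothing, and the final fatal complains about CDS records that never existed. Guard the fallback on CDS having been the source, `if (dns_rdataset_count(&new_ds_set) == 0 && dns_rdataset_isassociated(&cds_set) && dns_rdataset_isassociated(&cdnskey_set))`, and word the fatal for both inputs, e.g. `"no usable CDS/CDNSKEY records at %s for the -a digest types"`. Since this block decides which signed child RRset determines the parent's DS records, a short comment noting that both sets were already signature-checked earlier in main() (above this hunk) would make the policy explicit for the next reader.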
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-cds +.. program:: dnssec-cds .. _man_dnssec-cds: dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY 
@@ -34,93 +26,104 @@ Synopsis Description ~~~~~~~~~~~ -The ``dnssec-cds`` command changes DS records at a delegation point +The :program:`dnssec-cds` command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred. This enables a child zone to inform its parent of upcoming changes to -its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the +its key-signing keys (KSKs); by polling periodically with :program:`dnssec-cds`, the parent can keep the DS records up-to-date and enable automatic rolling of KSKs. -Two input files are required. The ``-f child-file`` option specifies a +Two input files are required. The :option:`-f child-file <-f>` option specifies a file containing the child's CDS and/or CDNSKEY records, plus RRSIG and -DNSKEY records so that they can be authenticated. The ``-d path`` option +DNSKEY records so that they can be authenticated. The :option:`-d path <-d>` option specifies the location of a file containing the current DS records. For example, this could be a ``dsset-`` file generated by -``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the -output of a previous run of ``dnssec-cds``. +:iscman:`dnssec-signzone`, or the output of :iscman:`dnssec-dsfromkey`, or the +output of a previous run of :program:`dnssec-cds`. -The ``dnssec-cds`` command uses special DNSSEC validation logic +The :program:`dnssec-cds` command uses special DNSSEC validation logic specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records be validly signed by a key represented in the existing DS records. This is typically the pre-existing KSK. For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of -``dnssec-cds``. Their age is obtained from the modification time of the -``dsset-`` file, or from the ``-s`` option. 
+:program:`dnssec-cds`. Their age is obtained from the modification time of the +``dsset-`` file, or from the :option:`-s` option. -To protect against breaking the delegation, ``dnssec-cds`` ensures that +To protect against breaking the delegation, :program:`dnssec-cds` ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type. By default, replacement DS records are written to the standard output; -with the ``-i`` option the input file is overwritten in place. The +with the :option:`-i` option the input file is overwritten in place. The replacement DS records are the same as the existing records, when no change is required. The output can be empty if the CDS/CDNSKEY records specify that the child zone wants to be insecure. .. warning:: - Be careful not to delete the DS records when ``dnssec-cds`` fails! + Be careful not to delete the DS records when :program:`dnssec-cds` fails! -Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the -standard output. The ``-u`` and ``-i`` options can be used together to -maintain a ``dsset-`` file as well as emit an ``nsupdate`` script. +Alternatively, :option`dnssec-cds -u` writes an :iscman:`nsupdate` script to the +standard output. The :option:`-u` and :option:`-i` options can be used together to +maintain a ``dsset-`` file as well as emit an :iscman:`nsupdate` script. Options ~~~~~~~ -``-a algorithm`` - This option specifies a digest algorithm to use when converting CDNSKEY records to - DS records. This option can be repeated, so that multiple DS records - are created for each CDNSKEY record. This option has no effect when - using CDS records. +.. option:: -a algorithm + + When converting CDS records to DS records, this option specifies + the acceptable digest algorithms. This option can be repeated, so + that multiple digest types are allowed. 
If none of the CDS records + use an acceptable digest type, :program:`dnssec-cds` will try to use CDNSKEY + records instead; if there are no CDNSKEY records, it reports an error. + + When converting CDNSKEY records to DS records, this option specifies the + digest algorithm to use. It can be repeated, so that multiple DS records + are created for each CDNSKEY records. The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case-insensitive, and the hyphen may be omitted. If no algorithm - is specified, the default is SHA-256. + is specified, the default is SHA-256 only. + +.. option:: -c class -``-c class`` This option specifies the DNS class of the zones. -``-D`` +.. option:: -D + This option generates DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone. By default CDS records are preferred. -``-d path`` +.. option:: -d path + This specifies the location of the parent DS records. The path can be the name of a file - containing the DS records; if it is a directory, ``dnssec-cds`` + containing the DS records; if it is a directory, :program:`dnssec-cds` looks for a ``dsset-`` file for the domain inside the directory. To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the ``dsset-`` - file. This can be adjusted with the ``-s`` option. + file. This can be adjusted with the :option:`-s` option. + +.. option:: -f child-file -``-f child-file`` This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records, so that they can be authenticated. The examples below describe how to generate this file. -``-iextension`` +.. option:: -i extension + This option updates the ``dsset-`` file in place, instead of writing DS records to the standard output. - There must be no space between the ``-i`` and the extension. If + There must be no space between the :option:`-i` and the extension. 
If no extension is provided, the old ``dsset-`` is discarded. If an extension is present, a backup of the old ``dsset-`` file is kept with the extension appended to its filename. @@ -130,7 +133,8 @@ Options child records, provided that it is later than the file's current modification time. -``-s start-time`` +.. option:: -s start-time + This option specifies the date and time after which RRSIG records become acceptable. This can be either an absolute or a relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS @@ -142,24 +146,28 @@ Options If no start-time is specified, the modification time of the ``dsset-`` file is used. -``-T ttl`` +.. option:: -T ttl + This option specifies a TTL to be used for new DS records. If not specified, the default is the TTL of the old DS records. If they had no explicit TTL, the new DS records also have no explicit TTL. -``-u`` - This option writes an ``nsupdate`` script to the standard output, instead of +.. option:: -u + + This option writes an :iscman:`nsupdate` script to the standard output, instead of printing the new DS reords. The output is empty if no change is needed. Note: The TTL of new records needs to be specified: it can be done in the - original ``dsset-`` file, with the ``-T`` option, or using the - ``nsupdate`` ``ttl`` command. + original ``dsset-`` file, with the :option:`-T` option, or using the + :iscman:`nsupdate` ``ttl`` command. + +.. option:: -V -``-V`` This option prints version information. -``-v level`` +.. option:: -v level + This option sets the debugging level. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers. @@ -169,7 +177,7 @@ Options Exit Status ~~~~~~~~~~~ -The ``dnssec-cds`` command exits 0 on success, or non-zero if an error +The :program:`dnssec-cds` command exits 0 on success, or non-zero if an error occurred. If successful, the DS records may or may not need to be 
@@ -178,12 +186,12 @@ changed. Examples ~~~~~~~~ -Before running ``dnssec-signzone``, ensure that the delegations -are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file. +Before running :iscman:`dnssec-signzone`, ensure that the delegations +are up-to-date by running :program:`dnssec-cds` on every ``dsset-`` file. -To fetch the child records required by ``dnssec-cds``, invoke -``dig`` as in the script below. It is acceptable if the ``dig`` fails, since -``dnssec-cds`` performs all the necessary checking. +To fetch the child records required by :program:`dnssec-cds`, invoke +:iscman:`dig` as in the script below. It is acceptable if the :iscman:`dig` fails, since +:program:`dnssec-cds` performs all the necessary checking. :: @@ -194,8 +202,8 @@ To fetch the child records required by ``dnssec-cds``, invoke dnssec-cds -i -f /dev/stdin -d $f $d done -When the parent zone is automatically signed by ``named``, -``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows. +When the parent zone is automatically signed by :iscman:`named`, +:program:`dnssec-cds` can be used with :iscman:`nsupdate` to maintain a delegation as follows. The ``dsset-`` file allows the script to avoid having to fetch and validate the parent DS records, and it maintains the replay attack protection time. @@ -209,5 +217,5 @@ protection time. See Also ~~~~~~~~ -:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator +:iscman:`dig(1) `, :iscman:`dnssec-settime(8) `, :iscman:`dnssec-signzone(8) `, :iscman:`nsupdate(1) `, BIND 9 Administrator Reference Manual, :rfc:`7344`. diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 618ab03cdc..f8f221ff5a 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -18,9 +20,10 @@ #include #include #include +#include #include #include -#include +#include #include #include @@ -38,14 +41,9 @@ #include #include #include -#include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-dsfromkey"; @@ -263,6 +261,10 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) { fatal("can't convert DNSKEY"); } + if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { + return; + } + if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) { return; } @@ -272,7 +274,7 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) { fatal("can't build record"); } - result = dns_name_totext(name, false, &nameb); + result = dns_name_totext(name, 0, &nameb); if (result != ISC_R_SUCCESS) { fatal("can't print name"); } @@ -311,7 +313,7 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) { static void emits(bool showall, bool cds, dns_rdata_t *rdata) { - unsigned i, n; + unsigned int i, n; n = sizeof(dtype) / sizeof(dtype[0]); for (i = 0; i < n; i++) { @@ -321,7 +323,7 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) { } } -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -376,11 +378,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; #define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV" 
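Review bot: The new REVOKE check in emit() returns silently, so a revoked DNSKEY in the input yields no DS record and no diagnostic, even with -A/showall; an operator comparing the output against the zone's DNSKEY RRset cannot tell a skipped revoked key from a key that was never read. A verbose-level message before the `return`, along the lines of `vbprintf(1, "skipping revoked key\n");` if the vbprintf helper from dnssectool.h used in dnssec-cds.c is available in this file, would make the skip visible. Skipping revoked keys matches the wording added to dnssec-dsfromkey.rst in this commit ("Revoked keys are never included"). emit() starts outside the hunk.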
@@ -436,14 +433,14 @@ main(int argc, char **argv) { } break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst index 35d62c0bcb..9ca025a319 100644 --- a/bin/dnssec/dnssec-dsfromkey.rst +++ b/bin/dnssec/dnssec-dsfromkey.rst @@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-dsfromkey +.. program:: dnssec-dsfromkey .. _man_dnssec-dsfromkey: dnssec-dsfromkey - DNSSEC DS RR generation tool 
@@ -40,30 +32,37 @@ Synopsis Description ~~~~~~~~~~~ -The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records -(RRs), or CDS (Child DS) RRs with the ``-C`` option. +The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records +(RRs), or CDS (Child DS) RRs with the :option:`-C` option. + +By default, only KSKs are converted (keys with flags = 257). The +:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never +included. The input keys can be specified in a number of ways: -By default, ``dnssec-dsfromkey`` reads a key file named in the format -``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``. +By default, :program:`dnssec-dsfromkey` reads a key file named in the format +``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`. -With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone +With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone file or partial zone file (which can contain just the DNSKEY records). -With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file, -as generated by ``dnssec-keygen`` ``-C``. +With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file, +as generated by :iscman:`dnssec-keygen` :option:`-C`. Options ~~~~~~~ -``-1`` - This option is an abbreviation for ``-a SHA1``. +.. option:: -1 + + This option is an abbreviation for :option:`-a SHA1 <-a>`. + +.. option:: -2 + + This option is an abbreviation for :option:`-a SHA-256 <-a>`. -``-2`` - This option is an abbreviation for ``-a SHA-256``. +.. option:: -a algorithm -``-a algorithm`` This option specifies a digest algorithm to use when converting DNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each DNSKEY record. 
@@ -72,47 +71,57 @@ Options are case-insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256. -``-A`` +.. option:: -A + This option indicates that ZSKs are to be included when generating DS records. Without this option, only keys which have the KSK flag set are converted to DS records and - printed. This option is only useful in ``-f`` zone file mode. + printed. This option is only useful in :option:`-f` zone file mode. + +.. option:: -c class + + This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset + or :option:`-f` zone file mode. -``-c class`` - This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset - or ``-f`` zone file mode. +.. option:: -C -``-C`` This option generates CDS records rather than DS records. -``-f file`` - This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the +.. option:: -f file + + This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the DNS domain name of a zone whose master file can be read from ``file``. If the zone name is the same as ``file``, then it may be omitted. If ``file`` is ``-``, then the zone data is read from the standard - input. This makes it possible to use the output of the ``dig`` + input. This makes it possible to use the output of the :iscman:`dig` command as input, as in: ``dig dnskey example.com | dnssec-dsfromkey -f - example.com`` -``-h`` +.. option:: -h + This option prints usage information. -``-K directory`` +.. option:: -K directory + This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``. -``-s`` - This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS +.. 
option:: -s + + This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS domain name used to locate a ``keyset-`` file. -``-T TTL`` +.. option:: -T TTL + This option specifies the TTL of the DS records. By default the TTL is omitted. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-V`` +.. option:: -V + This option prints version information. Example @@ -132,7 +141,7 @@ Files The keyfile can be designated by the key identification ``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as -generated by ``dnssec-keygen``. +generated by :iscman:`dnssec-keygen`. The keyset file name is built from the ``directory``, the string ``keyset-``, and the ``dnsname``. @@ -145,6 +154,6 @@ A keyfile error may return "file not found," even if the file exists. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, +:iscman:`dnssec-keygen(8) `, :iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs), :rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs). diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 77ef407717..df01289e19 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -19,7 +21,7 @@ #include #include #include -#include +#include #include #include @@ -37,14 +39,9 @@ #include #include #include -#include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-importkey"; 
@@ -265,7 +262,7 @@ emit(const char *dir, dns_rdata_t *rdata) { dst_key_free(&key); } -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -305,10 +302,9 @@ main(int argc, char **argv) { isc_log_t *log = NULL; dns_rdataset_t rdataset; dns_rdata_t rdata; - isc_stdtime_t now; + isc_stdtime_t now = isc_stdtime_now(); dns_rdata_init(&rdata); - isc_stdtime_get(&now); if (argc == 1) { usage(); @@ -316,11 +312,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; #define CMDLINE_FLAGS "D:f:hK:L:P:v:V" @@ -392,7 +383,7 @@ main(int argc, char **argv) { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff --git a/bin/dnssec/dnssec-importkey.rst b/bin/dnssec/dnssec-importkey.rst index e6cfcdbc1a..8f6a6b3a11 100644 --- a/bin/dnssec/dnssec-importkey.rst +++ b/bin/dnssec/dnssec-importkey.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-importkey +.. program:: dnssec-importkey .. _man_dnssec-importkey: dnssec-importkey - import DNSKEY records from external systems so they can be managed @@ -36,7 +28,7 @@ Synopsis Description ~~~~~~~~~~~ -``dnssec-importkey`` reads a public DNSKEY record and generates a pair +:program:`dnssec-importkey` reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file is generated, or it may be read from any other file or from the standard 
@@ -44,14 +36,15 @@ input, in which case both .key and .private files are generated. The newly created .private file does *not* contain private key data, and cannot be used for signing. However, having a .private file makes it -possible to set publication (``-P``) and deletion (``-D``) times for the +possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline. Options ~~~~~~~ -``-f filename`` +.. option:: -f filename + This option indicates the zone file mode. Instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from ``filename``. If the domain name is the same as ``filename``, then it may be 
@@ -60,64 +53,90 @@ Options If ``filename`` is set to ``"-"``, then the zone data is read from the standard input. -``-K directory`` +.. option:: -K directory + This option sets the directory in which the key files are to reside. -``-L ttl`` +.. option:: -L ttl + This option sets the default TTL to use for this key when it is converted into a DNSKEY RR. This is the TTL used when the key is imported into a zone, unless there was already a DNSKEY RRset in place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none`` removes it from the key. -``-h`` +.. option:: -h + This option emits a usage message and exits. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-V`` +.. option:: -V + This option prints version information. Timing Options ~~~~~~~~~~~~~~ -Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the -argument begins with a ``+`` or ``-``, it is interpreted as an offset from -the present time. For convenience, if such an offset is followed by one -of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is -computed in years (defined as 365 24-hour days, ignoring leap years), -months (defined as 30 24-hour days), weeks, days, hours, or minutes, -respectively. Without a suffix, the offset is computed in seconds. To -explicitly prevent a date from being set, use ``none`` or ``never``. +Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. +(which is the format used inside key files), +or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``), +or UNIX epoch time (as printed by ``dnssec-settime -up``), +or the literal ``now``. + +The argument can be followed by ``+`` or ``-`` and an offset from the +given time. The literal ``now`` can be omitted before an offset. 
The +offset can be followed by one of the suffixes ``y``, ``mo``, ``w``, +``d``, ``h``, or ``mi``, so that it is computed in years (defined as +365 24-hour days, ignoring leap years), months (defined as 30 24-hour +days), weeks, days, hours, or minutes, respectively. Without a suffix, +the offset is computed in seconds. + +To explicitly prevent a date from being set, use ``none``, ``never``, +or ``unset``. + +All these formats are case-insensitive. + +.. option:: -P date/offset -``-P date/offset`` This option sets the date on which a key is to be published to the zone. After that date, the key is included in the zone but is not used to sign it. -``-P sync date/offset`` - This option sets the date on which CDS and CDNSKEY records that match this key - are to be published to the zone. + .. program:: dnssec-importkey -P + .. option:: sync date/offset + + This option sets the date on which CDS and CDNSKEY records that match this key + are to be published to the zone. + +.. program:: dnssec-importkey + +.. option:: -D date/offset -``-D date/offset`` This option sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. (However, it may remain in the key repository.) -``-D sync date/offset`` - This option sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. + .. program:: dnssec-importkey -D + .. option:: sync date/offset + + This option sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + +.. program:: dnssec-importkey + Files ~~~~~ A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by -``dnssec-keygen``. +:iscman:`dnssec-keygen`. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, +:iscman:`dnssec-keygen(8) `, :iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`5011`. 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index bb94c98a18..9837b54523 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -20,35 +22,28 @@ #include #include #include -#include #include +#include #include #include -#include - #include #include #include #include #include #include -#include #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ const char *program = "dnssec-keyfromlabel"; -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -61,7 +56,7 @@ usage(void) { fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -a algorithm: \n" - " DH | RSASHA1 |\n" + " RSASHA1 |\n" " NSEC3RSASHA1 |\n" " RSASHA256 | RSASHA512 |\n" " ECDSAP256SHA256 | ECDSAP384SHA384 |\n" @@ -69,14 +64,7 @@ usage(void) { fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -E :\n"); -#if USE_PKCS11 - fprintf(stderr, - " path to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " name of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " "key files\n"); 
@@ -147,7 +135,6 @@ main(int argc, char **argv) { dns_ttl_t ttl = 0; isc_stdtime_t publish = 0, activate = 0, revoke = 0; isc_stdtime_t inactive = 0, deltime = 0; - isc_stdtime_t now; int prepub = -1; bool setpub = false, setact = false; bool setrev = false, setinact = false; @@ -163,6 +150,7 @@ main(int argc, char **argv) { isc_stdtime_t syncadd = 0, syncdel = 0; bool unsetsyncadd = false, setsyncadd = false; bool unsetsyncdel = false, setsyncdel = false; + isc_stdtime_t now = isc_stdtime_now(); if (argc == 1) { usage(); @@ -170,15 +158,8 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; - isc_stdtime_get(&now); - #define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { @@ -331,14 +312,14 @@ main(int argc, char **argv) { prepub = strtottl(isc_commandline_argument); break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); @@ -404,9 +385,6 @@ main(int argc, char **argv) { if (ret != ISC_R_SUCCESS) { fatal("unknown algorithm %s", algname); } - if (alg == DST_ALG_DH) { - options |= DST_TYPE_KEY; - } if (use_nsec3) { switch (alg) { @@ -575,7 +553,8 @@ main(int argc, char **argv) { flags |= DNS_KEYOWNER_ZONE; } else if ((options & DST_TYPE_KEY) != 0) { /* KEY */ if (strcasecmp(nametype, "host") == 0 || - strcasecmp(nametype, "entity") == 0) { + strcasecmp(nametype, "entity") == 0) + { flags |= DNS_KEYOWNER_ENTITY; } else if (strcasecmp(nametype, "user") == 0) { flags |= DNS_KEYOWNER_USER; 
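Review bot: Dropping the `alg == DST_ALG_DH` mapping to DST_TYPE_KEY here, together with the removal of the DH zone-key check in the next hunk and of `DH |` from the usage text in the earlier usage() hunk, removes every explicit DH diagnostic from the tool; if the algorithm lookup that sets `alg` (outside the hunk) still accepts the name "DH", a `-a DH` invocation now passes the algorithm through to dst_key_fromlabel and fails with the generic "failed to get key" message. Keeping one explicit check after the lookup, `if (alg == DST_ALG_DH) { fatal("algorithm DH is not supported"); }`, would keep the error message useful, assuming the enum value still exists. main() starts before the hunk.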
@@ -602,7 +581,8 @@ main(int argc, char **argv) { if (protocol == -1) { protocol = DNS_KEYPROTO_DNSSEC; } else if ((options & DST_TYPE_KEY) == 0 && - protocol != DNS_KEYPROTO_DNSSEC) { + protocol != DNS_KEYPROTO_DNSSEC) + { fatal("invalid DNSKEY protocol: %d", protocol); } @@ -612,22 +592,10 @@ main(int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm '%s' cannot be a zone key", - algname); - } - isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ - ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, -#if USE_PKCS11 - "pkcs11", -#else /* if USE_PKCS11 */ - engine, -#endif /* if USE_PKCS11 */ + ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine, label, NULL, mctx, &key); if (ret != ISC_R_SUCCESS) { @@ -637,7 +605,7 @@ main(int argc, char **argv) { dns_secalg_format(alg, algstr, sizeof(algstr)); fatal("failed to get key %s/%s: %s", namestr, algstr, isc_result_totext(ret)); - /* NOTREACHED */ + UNREACHABLE(); exit(-1); } diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index 86f03750ae..098feb9ecb 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst 
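Review bot: `UNREACHABLE(); exit(-1);` after the fatal() call leaves dead code: the old `/* NOTREACHED */` said fatal() does not return, and if UNREACHABLE() expands to a compiler unreachable hint, the `exit(-1);` that follows can never execute and can be dropped. The dst_key_fromlabel call now passes `engine` unconditionally where the removed USE_PKCS11 branch always supplied a string; whether `engine` is NULL when -E is not given is decided before the hunk, so dst_key_fromlabel's acceptance of a NULL engine should be confirmed. main() starts before the hunk.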
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-keyfromlabel +.. program:: dnssec-keyfromlabel .. _man_dnssec-keyfromlabel: dnssec-keyfromlabel - DNSSEC key generation tool @@ -34,10 +26,10 @@ Synopsis Description ~~~~~~~~~~~ -``dnssec-keyfromlabel`` generates a pair of key files that reference a +:program:`dnssec-keyfromlabel` generates a pair of key files that reference a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it -were a conventional signing key created by ``dnssec-keygen``, but the +were a conventional signing key created by :iscman:`dnssec-keygen`, but the key material is stored within the HSM and the actual signing takes place there. 
@@ -47,43 +39,40 @@ match the name of the zone for which the key is being generated. Options ~~~~~~~ -``-a algorithm`` +.. option:: -a algorithm + This option selects the cryptographic algorithm. The value of ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. - If no algorithm is specified, RSASHA1 is used by default - unless the ``-3`` option is specified, in which case NSEC3RSASHA1 - is used instead. (If ``-3`` is used and an algorithm is - specified, that algorithm is checked for compatibility with - NSEC3.) - These values are case-insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3`` + ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` option, then NSEC3RSASHA1 is used instead. - Since BIND 9.12.0, this option is mandatory except when using the - ``-S`` option, which copies the algorithm from the predecessory key. - Previously, the default for newly generated keys was RSASHA1. + This option is mandatory except when using the + :option:`-S` option, which copies the algorithm from the predecessory key. + + .. versionchanged:: 9.12.0 + The default value RSASHA1 for newly generated keys was removed. + +.. option:: -3 -``-3`` This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version is used; for example, ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. -``-E engine`` +.. option:: -E engine + This option specifies the cryptographic hardware to use. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). 
When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. option:: -l label -``-l label`` This option specifies the label for a key pair in the crypto hardware. When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is 
@@ -91,71 +80,67 @@ Options preceded by an optional OpenSSL engine name, followed by a colon, as in ``pkcs11:keylabel``. - When BIND 9 is built with native PKCS#11 support, the label is a - PKCS#11 URI string in the format - ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords - include ``token``, which identifies the HSM; ``object``, which identifies - the key; and ``pin-source``, which identifies a file from which the - HSM's PIN code can be obtained. The label is stored in the - on-disk ``private`` file. - - If the label contains a ``pin-source`` field, tools using the - generated key files are able to use the HSM for signing and other - operations without any need for an operator to manually enter a PIN. - Note: Making the HSM's PIN accessible in this manner may reduce the - security advantage of using an HSM; use caution - with this feature. - -``-n nametype`` +.. option:: -n nametype + This option specifies the owner type of the key. The value of ``nametype`` must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user (KEY)), or OTHER (DNSKEY). These values are case-insensitive. -``-C`` +.. option:: -C + This option enables compatibility mode, which generates an old-style key, without any metadata. - By default, ``dnssec-keyfromlabel`` includes the key's creation + By default, :program:`dnssec-keyfromlabel` includes the key's creation date in the metadata stored with the private key; other dates may be set there as well, including publication date, activation date, etc. Keys that include this data may be incompatible with older versions of - BIND; the ``-C`` option suppresses them. + BIND; the :option:`-C` option suppresses them. + +.. option:: -c class -``-c class`` This option indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -``-f flag`` +.. 
option:: -f flag + This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record. The only recognized flags are KSK (Key-Signing Key) and REVOKE. -``-G`` +.. option:: -G + This option generates a key, but does not publish it or sign with it. This option is - incompatible with ``-P`` and ``-A``. + incompatible with :option:`-P` and :option:`-A`. + +.. option:: -h -``-h`` This option prints a short summary of the options and arguments to - ``dnssec-keyfromlabel``. + :program:`dnssec-keyfromlabel`. + +.. option:: -K directory -``-K directory`` This option sets the directory in which the key files are to be written. -``-k`` +.. option:: -k + This option generates KEY records rather than DNSKEY records. -``-L`` ttl +.. option:: -L ttl + This option sets the default TTL to use for this key when it is converted into a DNSKEY RR. This is the TTL used when the key is imported into a zone, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to ``0`` or ``none`` removes it. -``-p protocol`` +.. option:: -p protocol + This option sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in :rfc:`2535` and its successors. -``-S key`` +.. option:: -S key + This option generates a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key are set to match the predecessor. The activation date of the new key is set to the 
@@ -163,19 +148,23 @@ Options set to the activation date minus the prepublication interval, which defaults to 30 days. -``-t type`` +.. option:: -t type + This option indicates the type of the key. ``type`` must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF to the ability to encrypt data. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-V`` +.. option:: -V + This option prints version information. -``-y`` +.. option:: -y + This option allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to enable if 
@@ -185,50 +174,74 @@ Options Timing Options ~~~~~~~~~~~~~~ -Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the -argument begins with a ``+`` or ``-``, it is interpreted as an offset from -the present time. For convenience, if such an offset is followed by one -of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is -computed in years (defined as 365 24-hour days, ignoring leap years), -months (defined as 30 24-hour days), weeks, days, hours, or minutes, -respectively. Without a suffix, the offset is computed in seconds. To -explicitly prevent a date from being set, use ``none`` or ``never``. +Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS +(which is the format used inside key files), +or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``), +or UNIX epoch time (as printed by ``dnssec-settime -up``), +or the literal ``now``. + +The argument can be followed by ``+`` or ``-`` and an offset from the +given time. The literal ``now`` can be omitted before an offset. The +offset can be followed by one of the suffixes ``y``, ``mo``, ``w``, +``d``, ``h``, or ``mi``, so that it is computed in years (defined as +365 24-hour days, ignoring leap years), months (defined as 30 24-hour +days), weeks, days, hours, or minutes, respectively. Without a suffix, +the offset is computed in seconds. + +To explicitly prevent a date from being set, use ``none``, ``never``, +or ``unset``. + +All these formats are case-insensitive. + +.. option:: -P date/offset -``-P date/offset`` This option sets the date on which a key is to be published to the zone. After that date, the key is included in the zone but is not used - to sign it. If not set, and if the ``-G`` option has not been used, the + to sign it. If not set, and if the :option:`-G` option has not been used, the default is the current date. 
-``-P sync date/offset`` - This option sets the date on which CDS and CDNSKEY records that match this key - are to be published to the zone. + .. program:: dnssec-keyfromlabel -P + .. option:: sync date/offset + + This option sets the date on which CDS and CDNSKEY records that match this key + are to be published to the zone. + +.. program:: dnssec-keyfromlabel + +.. option:: -A date/offset -``-A date/offset`` This option sets the date on which the key is to be activated. After that date, the key is included in the zone and used to sign it. If not set, - and if the ``-G`` option has not been used, the default is the current date. + and if the :option:`-G` option has not been used, the default is the current date. + +.. option:: -R date/offset -``-R date/offset`` This option sets the date on which the key is to be revoked. After that date, the key is flagged as revoked. It is included in the zone and is used to sign it. -``-I date/offset`` +.. option:: -I date/offset + This option sets the date on which the key is to be retired. After that date, the key is still included in the zone, but it is not used to sign it. -``-D date/offset`` +.. option:: -D date/offset + This option sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. (However, it may remain in the key repository.) -``-D sync date/offset`` - This option sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. + .. program:: dnssec-keyfromlabel -D + .. option:: sync date/offset + + This option sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + +.. program:: dnssec-keyfromlabel + +.. option:: -i interval -``-i interval`` This option sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication 
@@ -249,7 +262,7 @@ explicitly prevent a date from being set, use ``none`` or ``never``. Generated Key Files ~~~~~~~~~~~~~~~~~~~ -When ``dnssec-keyfromlabel`` completes successfully, it prints a string +When :program:`dnssec-keyfromlabel` completes successfully, it prints a string of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an identification string for the key files it has generated. @@ -259,7 +272,7 @@ identification string for the key files it has generated. - ``iiiii`` is the key identifier (or footprint). -``dnssec-keyfromlabel`` creates two files, with names based on the +:program:`dnssec-keyfromlabel` creates two files, with names based on the printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and ``Knnnn.+aaa+iiiii.private`` contains the private key. @@ -272,5 +285,5 @@ security reasons, this file does not have general read permission. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, +:iscman:`dnssec-keygen(8) `, :iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`4034`, :rfc:`7512`. diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 7b448bf7c0..85757b24fa 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -1,6 +1,8 @@ /* * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -31,17 +33,18 @@ #include #include +#include + #include #include #include +#include #include -#include #include +#include #include #include -#include - #include #include #include @@ -49,7 +52,6 @@ #include #include #include -#include #include #include 
@@ -58,20 +60,28 @@ #include #include #include - -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#include +#include +#endif #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ +#define MAX_DH 4096 /* should be long enough... */ const char *program = "dnssec-keygen"; +/* + * These are are set here for backwards compatibility. They are + * raised to 2048 in FIPS mode. + */ +static int min_rsa = 1024; +static int min_dh = 128; + isc_log_t *lctx = NULL; -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -85,7 +95,6 @@ struct keygen_ctx { char *algname; char *nametype; char *type; - int generator; int protocol; int size; int signatory; 
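Review bot: `MAX_DH` and `min_dh` are introduced here although the rest of this diff removes DH key generation (the `-g` option, the DH size check and the DH `case` in keygen()); `MAX_DH` is not referenced in any visible hunk and `min_dh` is only ever assigned (`min_rsa = min_dh = 2048` in main()), so both look like leftovers. I would keep only `static int min_rsa = 1024;` and tighten the comment, which also has a doubled word: `/* Kept at 1024 for backwards compatibility; raised to 2048 in FIPS mode. */`. The `#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` guard depends on an OpenSSL header having been included before this point; the include names are not visible in this rendering, so I cannot confirm that.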
@@ -145,19 +154,25 @@ usage(void) { fprintf(stderr, " -l : configuration file with dnssec-policy " "statement\n"); fprintf(stderr, " -a :\n"); - fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); + if (!isc_fips_mode()) { + fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); + } fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); + fprintf(stderr, " ED25519 | ED448\n"); fprintf(stderr, " ED25519 | ED448 | DH\n"); fprintf(stderr, " FALCON512 | DILITHIUM2 |\n"); fprintf(stderr, " SPHINCS+-SHA256-128S\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); - fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " DH:\t\t[128..4096]\n"); + if (!isc_fips_mode()) { + fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa, + MAX_RSA); + fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa, + MAX_RSA); + } + fprintf(stderr, " RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA); + fprintf(stderr, " RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA); fprintf(stderr, " ECDSAP256SHA256:\tignored\n"); fprintf(stderr, " ECDSAP384SHA384:\tignored\n"); fprintf(stderr, " ED25519:\tignored\n"); 
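Review bot: The new `fprintf(stderr, " ED25519 | ED448\n");` is added directly above the untouched context line `fprintf(stderr, " ED25519 | ED448 | DH\n");`, so usage() now prints the EdDSA algorithms twice and still advertises DH, which this commit drops everywhere else (the `-g` option, the DH size range removed in this same hunk, the DH cases in keygen()). The intent was evidently to replace that line, not add a second one; delete the `| DH` line and give the kept line a trailing separator, `fprintf(stderr, " ED25519 | ED448 |\n");`, since the post-quantum entries `FALCON512 | DILITHIUM2 |` follow it. The same stale DH reference survives in the `-b` and `-d` text of dnssec-keygen.rst later in this diff.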
@@ -173,17 +188,9 @@ usage(void) { fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); fprintf(stderr, " -E :\n"); -#if USE_PKCS11 - fprintf(stderr, - " path to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " name of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f : KSK | REVOKE\n"); - fprintf(stderr, " -g : use specified generator " - "(DH only)\n"); + fprintf(stderr, " -F: FIPS mode\n"); fprintf(stderr, " -L : default key TTL\n"); fprintf(stderr, " -p : (default: 3 [dnssec])\n"); fprintf(stderr, " -s : strength value this key signs DNS " @@ -270,11 +277,12 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name, cfg_obj_t *kconfig = cfg_listelt_value(element); kasp = NULL; if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")), - name) != 0) { + name) != 0) + { continue; } - result = cfg_kasp_fromconfig(kconfig, NULL, mctx, lctx, + result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx, &kasplist, &kasp); if (result != ISC_R_SUCCESS) { fatal("failed to configure dnssec-policy '%s': %s", @@ -336,8 +344,15 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { fatal("unsupported algorithm: %s", algstr); } - if (ctx->alg == DST_ALG_DH) { - ctx->options |= DST_TYPE_KEY; + if (isc_fips_mode()) { + /* verify only in FIPS mode */ + switch (ctx->alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + fatal("unsupported algorithm: %s", algstr); + default: + break; + } } if (ctx->use_nsec3) { @@ -382,6 +397,11 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { switch (ctx->alg) { case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: + if (isc_fips_mode()) { + fatal("key size not specified (-b " + "option)"); + } + FALLTHROUGH; case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: ctx->size = 2048; 
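Review bot: The FIPS-mode rejection of RSASHA1/NSEC3RSASHA1 reuses the message `unsupported algorithm: %s`, the same text the preceding context line prints for an algorithm the library does not know at all, so `-F -a RSASHA1` gives no hint that FIPS mode is the reason. A distinct message, e.g. `fatal("algorithm %s is not allowed in FIPS mode", algstr);`, makes the failure self-explaining and can be shared with the equivalent check in the later size-validation hunk. The comment `/* verify only in FIPS mode */` does not say what is verified; `/* FIPS mode forbids SHA-1 based signing algorithms. */` would.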
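Review bot: In FIPS mode the `key size not specified (-b option)` fatal for RSASHA1/NSEC3RSASHA1 is misleading: adding `-b 2048` will not help, because the size check later in keygen() rejects SHA-1 based keys in FIPS mode regardless of size. Either drop this branch and let the default-size assignment fall through to that check, or use the same wording as the other FIPS rejections, e.g. `fatal("SHA1 based keys not supported in FIPS mode");`. Whether the branch is reachable at all depends on the algorithm check earlier in keygen(), which may already have rejected these algorithms in FIPS mode; the enclosing switch starts outside the hunk.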
@@ -408,7 +428,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { if (!ctx->oldstyle && ctx->prepub > 0) { if (ctx->setpub && ctx->setact && - (ctx->activate - ctx->prepub) < ctx->publish) { + (ctx->activate - ctx->prepub) < ctx->publish) + { fatal("Activation and publication dates " "are closer together than the\n\t" "prepublication interval."); @@ -539,23 +560,18 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { switch (ctx->alg) { case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: - case DNS_KEYALG_RSASHA256: - if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA)) - { - fatal("RSA key size %d out of range", ctx->size); + if (isc_fips_mode()) { + fatal("SHA1 based keys not supported in FIPS mode"); } - break; + FALLTHROUGH; + case DNS_KEYALG_RSASHA256: case DNS_KEYALG_RSASHA512: - if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA)) + if (ctx->size != 0 && + (ctx->size < min_rsa || ctx->size > MAX_RSA)) { fatal("RSA key size %d out of range", ctx->size); } break; - case DNS_KEYALG_DH: - if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) { - fatal("DH key size %d out of range", ctx->size); - } - break; case DST_ALG_ECDSA256: ctx->size = 256; break; @@ -579,10 +595,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { break; } - if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) { - fatal("specified DH generator for a non-DH key"); - } - if (ctx->nametype == NULL) { if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */ fatal("no nametype specified"); @@ -632,12 +644,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - ctx->alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm %s cannot be a zone key", algstr); - } - switch (ctx->alg) { case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: 
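Review bot: With the lower bound now varying by mode (`min_rsa` is 1024 normally and is raised to 2048 in main() after `dst_lib_init()`), the message `RSA key size %d out of range` no longer tells the user which range applied, and in FIPS mode a size that was accepted yesterday fails without explanation. Print the bounds: `fatal("RSA key size %d out of range [%d..%d]", ctx->size, min_rsa, MAX_RSA);`. The `ctx->size != 0` exemption predates this change; if 0 means "use the default" a short comment saying so would help, since it also bypasses the FIPS minimum.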
@@ -646,10 +652,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { show_progress = true; break; - case DNS_KEYALG_DH: - param = ctx->generator; - break; - case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: @@ -750,7 +752,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { if (ctx->setdel) { if (ctx->setinact && - ctx->deltime < ctx->inactive) { + ctx->deltime < ctx->inactive) + { fprintf(stderr, "%s: warning: Key is " "scheduled to be deleted " @@ -880,30 +883,30 @@ main(int argc, char **argv) { const char *engine = NULL; unsigned char c; int ch; + bool set_fips_mode = false; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + OSSL_PROVIDER *fips = NULL, *base = NULL; +#endif keygen_ctx_t ctx = { .options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, .prepub = -1, .protocol = -1, .size = -1, + .now = isc_stdtime_now(), }; if (argc == 1) { usage(); } -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; /* * Process memory debugging argument first. */ -#define CMDLINE_FLAGS \ - "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \ +#define CMDLINE_FLAGS \ + "3A:a:b:Cc:D:d:E:Ff:GhI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \ "T:t:v:V" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { @@ -920,12 +923,6 @@ main(int argc, char **argv) { { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } - if (strcasecmp(isc_commandline_argument, "size") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGSIZE; - } - if (strcasecmp(isc_commandline_argument, "mctx") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGCTX; - } break; default: break; @@ -934,7 +931,6 @@ main(int argc, char **argv) { isc_commandline_reset = true; isc_mem_create(&mctx); - isc_stdtime_get(&ctx.now); while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { 
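Review bot: Dropping the `size` and `mctx` branches from the `-m` handling means `-m size` and `-m mctx` are now accepted and silently ignored, because the following `default: break;` swallows any unrecognised value; previously they had an effect, so existing scripts will not notice the change. If those debugging modes are gone from libisc, report the value instead, e.g. a trailing `else { fprintf(stderr, "%s: unknown -m option %s\n", program, isc_commandline_argument); }`, which requires turning the independent `if` tests into an `if`/`else if` chain, or at least list the accepted values in usage(). The start of the `case 'm':` block is outside the hunk, so I cannot see whether it already rejects other values.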
@@ -965,10 +961,6 @@ main(int argc, char **argv) { case 'E': engine = isc_commandline_argument; break; - case 'e': - fprintf(stderr, "phased-out option -e " - "(was 'use (RSA) large exponent')\n"); - break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); if (toupper(c) == 'K') { @@ -980,13 +972,6 @@ main(int argc, char **argv) { isc_commandline_argument); } break; - case 'g': - ctx.generator = strtol(isc_commandline_argument, &endp, - 10); - if (*endp != '\0' || ctx.generator <= 0) { - fatal("-g requires a positive number"); - } - break; case 'K': ctx.directory = isc_commandline_argument; ret = try_dir(ctx.directory); @@ -1014,7 +999,8 @@ main(int argc, char **argv) { ctx.protocol = strtol(isc_commandline_argument, &endp, 10); if (*endp != '\0' || ctx.protocol < 0 || - ctx.protocol > 255) { + ctx.protocol > 255) + { fatal("-p must be followed by a number " "[0..255]"); } @@ -1030,7 +1016,8 @@ main(int argc, char **argv) { ctx.signatory = strtol(isc_commandline_argument, &endp, 10); if (*endp != '\0' || ctx.signatory < 0 || - ctx.signatory > 15) { + ctx.signatory > 15) + { fatal("-s must be followed by a number " "[0..15]"); } @@ -1141,14 +1128,14 @@ main(int argc, char **argv) { ctx.prepub = strtottl(isc_commandline_argument); break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + set_fips_mode = true; + break; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); 
@@ -1168,11 +1155,40 @@ main(int argc, char **argv) { ctx.quiet = true; } + if (set_fips_mode) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + fips = OSSL_PROVIDER_load(NULL, "fips"); + if (fips == NULL) { + ERR_clear_error(); + fatal("Failed to load FIPS provider"); + } + base = OSSL_PROVIDER_load(NULL, "base"); + if (base == NULL) { + OSSL_PROVIDER_unload(fips); + ERR_clear_error(); + fatal("Failed to load base provider"); + } +#endif + if (!isc_fips_mode()) { + if (isc_fips_set_mode(1) != ISC_R_SUCCESS) { + fatal("setting FIPS mode failed"); + } + } + } + ret = dst_lib_init(mctx, engine); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } + /* + * After dst_lib_init which will set FIPS mode if requested + * at build time. The minumums are both raised to 2048. + */ + if (isc_fips_mode()) { + min_rsa = min_dh = 2048; + } + setup_logging(mctx, &lctx); ctx.rdclass = strtoclass(classname); @@ -1312,6 +1328,14 @@ main(int argc, char **argv) { } isc_mem_destroy(&mctx); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (base != NULL) { + OSSL_PROVIDER_unload(base); + } + if (fips != NULL) { + OSSL_PROVIDER_unload(fips); + } +#endif if (freeit != NULL) { free(freeit); } diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 31c7b5ae51..121ced4e02 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
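Review bot: `ERR_clear_error()` is called before each `fatal("Failed to load ... provider")`, which discards the OpenSSL error queue, the one place that records why the FIPS provider could not be loaded (typically a missing or stale fipsmodule.cnf, or a failed integrity self-test). Print it first; `<openssl/err.h>` is evidently in scope since ERR_clear_error() compiles: `ERR_print_errors_fp(stderr); fatal("Failed to load FIPS provider");` and likewise for the base provider. The comment after `dst_lib_init()` has a typo (`minumums`) and reads as though `dst_lib_init()` enables FIPS mode, while this hunk enables it explicitly via `isc_fips_set_mode(1)` beforehand; `/* dst_lib_init() may also have turned FIPS mode on (build-time default); raise the RSA minimum either way. */` states what the code does. Note that `isc_fips_set_mode(1)` is attempted even when the OpenSSL 3 provider block is compiled out, so on older OpenSSL builds `-F` relies entirely on that call succeeding.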
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-keygen +.. program:: dnssec-keygen .. _man_dnssec-keygen: dnssec-keygen: DNSSEC key generation tool 
@@ -29,12 +21,12 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ -``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in +:program:`dnssec-keygen` generates keys for DNSSEC (Secure DNS), as defined in :rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG (Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction Key) as defined in :rfc:`2930`. 
@@ -46,32 +38,33 @@ generated. Options ~~~~~~~ -``-3`` +.. option:: -3 + This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version is selected; for example, - ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + +.. option:: -a algorithm -``-a algorithm`` This option selects the cryptographic algorithm. For DNSSEC keys, the value of ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, - RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For - TKEY, the value must be DH (Diffie-Hellman); specifying this value - automatically sets the ``-T KEY`` option as well. + RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. These values are case-insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3`` + ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` option, NSEC3RSASHA1 is used instead. - This parameter *must* be specified except when using the ``-S`` + This parameter *must* be specified except when using the :option:`-S` option, which copies the algorithm from the predecessor key. In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature was removed in BIND 9.13.0. Use - ``tsig-keygen`` to generate TSIG keys. + :iscman:`tsig-keygen` to generate TSIG keys. + +.. option:: -b keysize -``-b keysize`` This option specifies the number of bits in the key. The choice of key size depends on the algorithm used: RSA keys must be between 1024 and 4096 bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic 
@@ -80,66 +73,74 @@ Options If the key size is not specified, some algorithms have pre-defined defaults. For example, RSA keys for use as DNSSEC zone-signing keys have a default size of 1024 bits; RSA keys for use as key-signing - keys (KSKs, generated with ``-f KSK``) default to 2048 bits. + keys (KSKs, generated with :option:`-f KSK <-f>`) default to 2048 bits. + +.. option:: -C -``-C`` This option enables compatibility mode, which generates an old-style key, without any timing - metadata. By default, ``dnssec-keygen`` includes the key's + metadata. By default, :program:`dnssec-keygen` includes the key's creation date in the metadata stored with the private key; other dates may be set there as well, including publication date, activation date, etc. Keys that include this data may be incompatible with older - versions of BIND; the ``-C`` option suppresses them. + versions of BIND; the :option:`-C` option suppresses them. + +.. option:: -c class -``-c class`` This option indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -``-d bits`` +.. option:: -d bits + This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128 and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519, and ED448. -``-E engine`` +.. option:: -E engine + This option specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. 
option:: -f flag -``-f flag`` This option sets the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key-Signing Key) and REVOKE. -``-G`` +.. option:: -F + + This options turns on FIPS (US Federal Information Processing Standards) + mode if the underlying crytographic library supports running in FIPS + mode. + +.. option:: -G + This option generates a key, but does not publish it or sign with it. This option is - incompatible with ``-P`` and ``-A``. + incompatible with :option:`-P` and :option:`-A`. -``-g generator`` - This option indicates the generator to use if generating a Diffie-Hellman key. Allowed - values are 2 and 5. If no generator is specified, a known prime from - :rfc:`2539` is used if possible; otherwise the default is 2. +.. option:: -h -``-h`` This option prints a short summary of the options and arguments to - ``dnssec-keygen``. + :program:`dnssec-keygen`. + +.. option:: -K directory -``-K directory`` This option sets the directory in which the key files are to be written. -``-k policy`` +.. option:: -k policy + This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys, - ``dnssec-keygen`` generates multiple keys. This also + :program:`dnssec-keygen` generates multiple keys. This also creates a ".state" file to keep track of the key state. This option creates keys according to the ``dnssec-policy`` configuration, hence it cannot be used at the same time as many of the other options that - ``dnssec-keygen`` provides. + :program:`dnssec-keygen` provides. + +.. option:: -L ttl -``-L ttl`` This option sets the default TTL to use for this key when it is converted into a DNSKEY RR. This is the TTL used when the key is imported into a zone, unless there was already a DNSKEY RRset in 
@@ -148,26 +149,30 @@ Options defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none`` is the same as leaving it unset. -``-l file`` +.. option:: -l file + This option provides a configuration file that contains a ``dnssec-policy`` statement - (matching the policy set with ``-k``). + (matching the policy set with :option:`-k`). + +.. option:: -n nametype -``-n nametype`` This option specifies the owner type of the key. The value of ``nametype`` must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user (KEY)), or OTHER (DNSKEY). These values are case-insensitive. The default is ZONE for DNSKEY generation. -``-p protocol`` +.. option:: -p protocol + This option sets the protocol value for the generated key, for use with - ``-T KEY``. The protocol is a number between 0 and 255. The default + :option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in :rfc:`2535` and its successors. -``-q`` +.. option:: -q + This option sets quiet mode, which suppresses unnecessary output, including progress - indication. Without this option, when ``dnssec-keygen`` is run + indication. Without this option, when :program:`dnssec-keygen` is run interactively to generate an RSA or DSA key pair, it prints a string of symbols to ``stderr`` indicating the progress of the key generation. A ``.`` indicates that a random number has been found which @@ -175,7 +180,8 @@ Options round of the Miller-Rabin primality test; and a space ( ) means that the number has passed all the tests and is a satisfactory key. -``-S key`` +.. option:: -S key + This option creates a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key are set to match the existing key. The activation date of the new key is set to 
@@ -183,77 +189,104 @@ Options set to the activation date minus the prepublication interval, which defaults to 30 days. -``-s strength`` +.. option:: -s strength + This option specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -``-T rrtype`` +.. option:: -T rrtype + This option specifies the resource record type to use for the key. ``rrtype`` must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0). -``-t type`` - This option indicates the type of the key for use with ``-T KEY``. ``type`` +.. option:: -t type + + This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type`` must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF to the ability to encrypt data. -``-V`` +.. option:: -V + This option prints version information. -``-v level`` +.. option:: -v level + This option sets the debugging level. Timing Options ~~~~~~~~~~~~~~ -Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the -argument begins with a ``+`` or ``-``, it is interpreted as an offset from -the present time. For convenience, if such an offset is followed by one -of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is -computed in years (defined as 365 24-hour days, ignoring leap years), -months (defined as 30 24-hour days), weeks, days, hours, or minutes, -respectively. Without a suffix, the offset is computed in seconds. To -explicitly prevent a date from being set, use ``none`` or ``never``. +Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS +(which is the format used inside key files), +or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``), +or UNIX epoch time (as printed by ``dnssec-settime -up``), +or the literal ``now``. 
+ +The argument can be followed by ``+`` or ``-`` and an offset from the +given time. The literal ``now`` can be omitted before an offset. The +offset can be followed by one of the suffixes ``y``, ``mo``, ``w``, +``d``, ``h``, or ``mi``, so that it is computed in years (defined as +365 24-hour days, ignoring leap years), months (defined as 30 24-hour +days), weeks, days, hours, or minutes, respectively. Without a suffix, +the offset is computed in seconds. + +To unset a date, use ``none``, ``never``, or ``unset``. + +.. option:: -P date/offset -``-P date/offset`` This option sets the date on which a key is to be published to the zone. After that date, the key is included in the zone but is not used - to sign it. If not set, and if the ``-G`` option has not been used, the + to sign it. If not set, and if the :option:`-G` option has not been used, the default is the current date. -``-P sync date/offset`` - This option sets the date on which CDS and CDNSKEY records that match this key - are to be published to the zone. + .. program:: dnssec-keygen -P + .. option:: sync date/offset + + This option sets the date on which CDS and CDNSKEY records that match this key + are to be published to the zone. + +.. program:: dnssec-keygen + +.. option:: -A date/offset -``-A date/offset`` This option sets the date on which the key is to be activated. After that date, the key is included in the zone and used to sign it. If not set, - and if the ``-G`` option has not been used, the default is the current date. If set, - and ``-P`` is not set, the publication date is set to the + and if the :option:`-G` option has not been used, the default is the current date. If set, + and :option:`-P` is not set, the publication date is set to the activation date minus the prepublication interval. -``-R date/offset`` +.. option:: -R date/offset + This option sets the date on which the key is to be revoked. After that date, the key is flagged as revoked. 
It is included in the zone and is used to sign it. -``-I date/offset`` +.. option:: -I date/offset + This option sets the date on which the key is to be retired. After that date, the key is still included in the zone, but it is not used to sign it. -``-D date/offset`` + +.. option:: -D date/offset + This option sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. (However, it may remain in the key repository.) -``-D sync date/offset`` - This option sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. + .. program:: dnssec-keygen -D + .. option:: sync date/offset + + This option sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + +.. program:: dnssec-keygen + +.. option:: -i interval -``-i interval`` This option sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication @@ -274,7 +307,7 @@ explicitly prevent a date from being set, use ``none`` or ``never``. Generated Keys ~~~~~~~~~~~~~~ -When ``dnssec-keygen`` completes successfully, it prints a string of the +When :program:`dnssec-keygen` completes successfully, it prints a string of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an identification string for the key it has generated. 
@@ -284,12 +317,12 @@ identification string for the key it has generated. - ``iiiii`` is the key identifier (or footprint). -``dnssec-keygen`` creates two files, with names based on the printed +:program:`dnssec-keygen` creates two files, with names based on the printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and ``Knnnn.+aaa+iiiii.private`` contains the private key. The ``.key`` file contains a DNSKEY or KEY record. When a zone is being -signed by ``named`` or ``dnssec-signzone -S``, DNSKEY records are +signed by :iscman:`named` or :option:`dnssec-signzone -S`, DNSKEY records are included automatically. In other cases, the ``.key`` file can be inserted into a zone file manually or with an ``$INCLUDE`` statement. @@ -308,7 +341,7 @@ The command prints a string of the form: ``Kexample.com.+013+26160`` -In this example, ``dnssec-keygen`` creates the files +In this example, :program:`dnssec-keygen` creates the files ``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``. To generate a matching key-signing key, issue the command: @@ -318,5 +351,5 @@ To generate a matching key-signing key, issue the command: See Also ~~~~~~~~ -:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`, +:iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`2539`, :rfc:`2845`, :rfc:`4034`. diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index cf611851f3..ada83fd96a 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -22,26 +24,21 @@ #include #include #include -#include +#include #include #include #include -#include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-revoke"; static isc_mem_t *mctx = NULL; -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -49,14 +46,7 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); -#if USE_PKCS11 - fprintf(stderr, - " -E engine: specify PKCS#11 provider " - "(default: %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " -E engine: specify OpenSSL engine\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f: force overwrite\n"); fprintf(stderr, " -h: help\n"); fprintf(stderr, " -K directory: use directory for key files\n"); @@ -94,11 +84,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) { @@ -133,7 +118,7 @@ main(int argc, char **argv) { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); @@ -150,7 +135,8 @@ main(int argc, char **argv) { } if (argc < isc_commandline_index + 1 || - argv[isc_commandline_index] == NULL) { + argv[isc_commandline_index] == NULL) + { fatal("The key file name was not specified"); } if (argc > isc_commandline_index + 1) { @@ -204,7 +190,7 @@ main(int argc, char **argv) { flags = dst_key_flags(key); if ((flags & DNS_KEYFLAG_REVOKE) == 0) { - isc_stdtime_t now; + isc_stdtime_t now = isc_stdtime_now(); if ((flags & DNS_KEYFLAG_KSK) == 0) { fprintf(stderr, 
@@ -214,7 +200,6 @@ main(int argc, char **argv) { program); } - isc_stdtime_get(&now); dst_key_settime(key, DST_TIME_REVOKE, now); dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE); diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index 31da670cc2..052865fb7c 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-revoke +.. program:: dnssec-revoke .. _man_dnssec-revoke: dnssec-revoke - set the REVOKED bit on a DNSSEC key 
@@ -34,48 +26,53 @@ Synopsis Description ~~~~~~~~~~~ -``dnssec-revoke`` reads a DNSSEC key file, sets the REVOKED bit on the +:program:`dnssec-revoke` reads a DNSSEC key file, sets the REVOKED bit on the key as defined in :rfc:`5011`, and creates a new pair of key files containing the now-revoked key. Options ~~~~~~~ -``-h`` +.. option:: -h + This option emits a usage message and exits. -``-K directory`` +.. option:: -K directory + This option sets the directory in which the key files are to reside. -``-r`` +.. option:: -r + This option indicates to remove the original keyset files after writing the new keyset files. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-V`` +.. option:: -V + This option prints version information. -``-E engine`` +.. option:: -E engine + This option specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. option:: -f -``-f`` - This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair, + This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair, even if a file already exists matching the algorithm and key ID of the revoked key. -``-R`` +.. option:: -R + This option prints the key tag of the key with the REVOKE bit set, but does not revoke the key. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`5011`. +:iscman:`dnssec-keygen(8) `, BIND 9 Administrator Reference Manual, :rfc:`5011`. 
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index ef497b112b..fcd8c0cb53 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -24,28 +26,23 @@ #include #include #include -#include +#include #include #include #include #include #include -#include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-settime"; static isc_mem_t *mctx = NULL; -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -54,17 +51,7 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "General options:\n"); -#if USE_PKCS11 - fprintf(stderr, - " -E engine: specify PKCS#11 provider " - "(default: %s)\n", - PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, " -E engine: specify OpenSSL engine " - "(default \"pkcs11\")\n"); -#else /* if USE_PKCS11 */ fprintf(stderr, " -E engine: specify OpenSSL engine\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); @@ -215,7 +202,6 @@ main(int argc, char **argv) { int prepub = -1; int options; dns_ttl_t ttl = 0; - isc_stdtime_t now; isc_stdtime_t dstime = 0, dnskeytime = 0; isc_stdtime_t krrsigtime = 0, zrrsigtime = 0; isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0; 
@@ -251,6 +237,7 @@ main(int argc, char **argv) { bool unsetdsadd = false, setdsadd = false; bool unsetdsdel = false, setdsdel = false; bool printdsadd = false, printdsdel = false; + isc_stdtime_t now = isc_stdtime_now(); options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE; @@ -262,15 +249,8 @@ main(int argc, char **argv) { setup_logging(mctx, &log); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; - isc_stdtime_get(&now); - #define CMDLINE_FLAGS "A:D:d:E:fg:hI:i:K:k:L:P:p:R:r:S:suv:Vz:" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { @@ -359,7 +339,7 @@ main(int argc, char **argv) { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); @@ -561,7 +541,8 @@ main(int argc, char **argv) { } if (argc < isc_commandline_index + 1 || - argv[isc_commandline_index] == NULL) { + argv[isc_commandline_index] == NULL) + { fatal("The key file name was not specified"); } if (argc > isc_commandline_index + 1) { @@ -569,7 +550,8 @@ main(int argc, char **argv) { } if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) && - !write_state) { + !write_state) + { fatal("Options -g, -d, -k, -r and -z require -s to be set"); } diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index 731e35ff8b..5cb4ea8370 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-settime +.. program:: dnssec-settime .. _man_dnssec-settime: dnssec-settime: set the key timing metadata for a DNSSEC key 
@@ -34,14 +26,14 @@ Synopsis Description ~~~~~~~~~~~ -``dnssec-settime`` reads a DNSSEC private key file and sets the key -timing metadata as specified by the ``-P``, ``-A``, ``-R``, ``-I``, and -``-D`` options. The metadata can then be used by ``dnssec-signzone`` or -other signing software to determine when a key is to be published, -whether it should be used for signing a zone, etc. +:program:`dnssec-settime` reads a DNSSEC private key file and sets the key +timing metadata as specified by the :option:`-P`, :option:`-A`, :option:`-R`, +:option:`-I`, and :option:`-D` options. The metadata can then be used by +:iscman:`dnssec-signzone` or other signing software to determine when a key is +to be published, whether it should be used for signing a zone, etc. If none of these options is set on the command line, -``dnssec-settime`` simply prints the key timing metadata already stored +:program:`dnssec-settime` simply prints the key timing metadata already stored in the key. When key metadata fields are changed, both files of a key pair 
@@ -54,12 +46,12 @@ the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600). When working with state files, it is possible to update the timing metadata in -those files as well with ``-s``. With this option, it is also possible to update key -states with ``-d`` (DS), ``-k`` (DNSKEY), ``-r`` (RRSIG of KSK), or ``-z`` -(RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and -UNRETENTIVE. +those files as well with :option:`-s`. With this option, it is also possible +to update key states with :option:`-d` (DS), :option:`-k` (DNSKEY), :option:`-r` +(RRSIG of KSK), or :option:`-z` (RRSIG of ZSK). Allowed states are HIDDEN, +RUMOURED, OMNIPRESENT, and UNRETENTIVE. -The goal state of the key can also be set with ``-g``. This should be either +The goal state of the key can also be set with :option:`-g`. This should be either HIDDEN or OMNIPRESENT, representing whether the key should be removed from the zone or published. @@ -69,19 +61,22 @@ purposes. Options ~~~~~~~ -``-f`` +.. option:: -f + This option forces an update of an old-format key with no metadata fields. Without - this option, ``dnssec-settime`` fails when attempting to update a + this option, :program:`dnssec-settime` fails when attempting to update a legacy key. With this option, the key is recreated in the new format, but with the original key data retained. The key's creation date is set to the present time. If no other values are specified, then the key's publication and activation dates are also set to the present time. -``-K directory`` +.. option:: -K directory + This option sets the directory in which the key files are to reside. -``-L ttl`` +.. option:: -L ttl + This option sets the default TTL to use for this key when it is converted into a DNSKEY RR. This is the TTL used when the key is imported into a zone, unless there was already a DNSKEY RRset in 
@@ -90,78 +85,104 @@ Options defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none`` removes it from the key. -``-h`` +.. option:: -h + This option emits a usage message and exits. -``-V`` +.. option:: -V + This option prints version information. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-E engine`` +.. option:: -E engine + This option specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). Timing Options ~~~~~~~~~~~~~~ -Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the -argument begins with a ``+`` or ``-``, it is interpreted as an offset from -the present time. For convenience, if such an offset is followed by one -of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is -computed in years (defined as 365 24-hour days, ignoring leap years), -months (defined as 30 24-hour days), weeks, days, hours, or minutes, -respectively. Without a suffix, the offset is computed in seconds. To -explicitly prevent a date from being set, use ``none`` or ``never``. +Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS +(which is the format used inside key files), +or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``), +or UNIX epoch time (as printed by ``dnssec-settime -up``), +or the literal ``now``. + +The argument can be followed by ``+`` or ``-`` and an offset from the +given time. The literal ``now`` can be omitted before an offset. 
The +offset can be followed by one of the suffixes ``y``, ``mo``, ``w``, +``d``, ``h``, or ``mi``, so that it is computed in years (defined as +365 24-hour days, ignoring leap years), months (defined as 30 24-hour +days), weeks, days, hours, or minutes, respectively. Without a suffix, +the offset is computed in seconds. + +To unset a date, use ``none``, ``never``, or ``unset``. + +All these formats are case-insensitive. + +.. option:: -P date/offset -``-P date/offset`` This option sets the date on which a key is to be published to the zone. After that date, the key is included in the zone but is not used to sign it. -``-P ds date/offset`` - This option sets the date on which DS records that match this key have been - seen in the parent zone. + .. program:: dnssec-settime -P + .. option:: ds date/offset + + This option sets the date on which DS records that match this key have been + seen in the parent zone. + + .. option:: sync date/offset -``-P sync date/offset`` - This option sets the date on which CDS and CDNSKEY records that match this key - are to be published to the zone. + This option sets the date on which CDS and CDNSKEY records that match this key + are to be published to the zone. + +.. program:: dnssec-settime + +.. option:: -A date/offset -``-A date/offset`` This option sets the date on which the key is to be activated. After that date, - the key is included in the zone and used to sign it. + the key is included in the zone and used to sign it. + +.. option:: -R date/offset -``-R date/offset`` This option sets the date on which the key is to be revoked. After that date, the key is flagged as revoked. It is included in the zone and is used to sign it. -``-I date/offset`` +.. option:: -I date/offset + This option sets the date on which the key is to be retired. After that date, the key is still included in the zone, but it is not used to sign it. -``-D date/offset`` +.. 
option:: -D date/offset + This option sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. (However, it may remain in the key repository.) -``-D ds date/offset`` - This option sets the date on which the DS records that match this key have - been seen removed from the parent zone. + .. program:: dnssec-settime -D + .. option:: ds date/offset + + This option sets the date on which the DS records that match this key have + been seen removed from the parent zone. + + .. option:: sync date/offset + + This option sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + +.. program:: dnssec-settime -``-D sync date/offset`` - This option sets the date on which the CDS and CDNSKEY records that match this - key are to be deleted. +.. option:: -S predecessor key -``-S predecessor key`` This option selects a key for which the key being modified is an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation @@ -169,7 +190,8 @@ explicitly prevent a date from being set, use ``none`` or ``never``. predecessor. The publication date is set to the activation date minus the prepublication interval, which defaults to 30 days. -``-i interval`` +.. option:: -i interval + This option sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication 
@@ -196,36 +218,44 @@ purpose, but should never be used in production. Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE. -``-s`` +.. option:: -s + This option indicates that when setting key timing data, the state file should also be updated. -``-g state`` +.. option:: -g state + This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT. -``-d state date/offset`` +.. option:: -d state date/offset + This option sets the DS state for this key as of the specified date, offset from the current date. -``-k state date/offset`` +.. option:: -k state date/offset + This option sets the DNSKEY state for this key as of the specified date, offset from the current date. -``-r state date/offset`` +.. option:: -r state date/offset + This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date. -``-z state date/offset`` +.. option:: -z state date/offset + This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date. Printing Options ~~~~~~~~~~~~~~~~ -``dnssec-settime`` can also be used to print the timing metadata +:program:`dnssec-settime` can also be used to print the timing metadata associated with a key. -``-u`` +.. option:: -u + This option indicates that times should be printed in Unix epoch format. -``-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all`` +.. option:: -p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all + This option prints a specific metadata value or set of metadata values. - The ``-p`` option may be followed by one or more of the following letters or + The :option:`-p` option may be followed by one or more of the following letters or strings to indicate which value or values to print: ``C`` for the creation date, ``P`` for the publication date, ``Pds` for the DS publication date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the 
@@ -237,5 +267,5 @@ associated with a key. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, +:iscman:`dnssec-keygen(8) `, :iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`5011`. diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 63105f703b..311f451020 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,6 +1,8 @@ /* * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -31,28 +33,32 @@ #include #include -#include +#include + +#include #include #include #include #include -#include +#include #include +#include #include #include +#include #include #include #include #include #include -#include #include +#include #include #include #include #include #include -#include +#include #include #include @@ -62,6 +68,7 @@ #include #include #include +#include #include #include #include @@ -75,17 +82,16 @@ #include #include #include -#include #include #include #include #include #include - -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#include +#include +#endif #include "dnssectool.h" @@ -116,16 +122,9 @@ static int nsec_datatype = dns_rdatatype_nsec; #define SOA_SERIAL_UNIXTIME 2 #define SOA_SERIAL_DATE 3 -typedef struct signer_event sevent_t; -struct signer_event { - ISC_EVENT_COMMON(sevent_t); - dns_fixedname_t *fname; - dns_dbnode_t *node; -}; - static dns_dnsseckeylist_t keylist; static unsigned int keycount = 0; -isc_rwlock_t keylist_lock; +static isc_rwlock_t keylist_lock; static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now; static int cycle = -1; static int jitter = 0; 
@@ -146,19 +145,18 @@ static unsigned int nverified = 0, nverifyfailed = 0;
 static const char *directory = NULL, *dsdir = NULL;
 static isc_mutex_t namelock, statslock;
 static isc_nm_t *netmgr = NULL;
-static isc_taskmgr_t *taskmgr = NULL;
+static isc_loopmgr_t *loopmgr = NULL;
 static dns_db_t *gdb; /* The database */
 static dns_dbversion_t *gversion; /* The database version */
 static dns_dbiterator_t *gdbiter; /* The database iterator */
 static dns_rdataclass_t gclass; /* The class */
 static dns_name_t *gorigin; /* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 10U;
+static dns_iterations_t nsec3iter = 0U;
 static unsigned char saltbuf[255];
 static unsigned char *gsalt = saltbuf;
 static size_t salt_length = 0;
-static isc_task_t *master = NULL;
-static unsigned int ntasks = 0;
+static unsigned int nloops = 0;
 static atomic_bool shuttingdown;
 static atomic_bool finished;
 static bool nokeys = false;
@@ -182,6 +180,7 @@ static bool output_stdout = false;
 static bool set_maxttl = false;
 static dns_ttl_t maxttl = 0;
 static bool no_max_check = false;
+static const char *sync_records = "cdnskey,cds:sha-256";
 
 #define INCSTAT(counter) \
 	if (printstats) { \
@@ -190,9 +189,6 @@ static bool no_max_check = false;
 		UNLOCK(&statslock); \
 	}
 
-static void
-sign(isc_task_t *task, isc_event_t *event);
-
 /*%
  * Store a copy of 'name' in 'fzonecut' and return a pointer to that copy.
  */
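Review bot: The default `nsec3iter` changes from `10U` to `0U` in the hunk at @@ -146 with no comment recording why the new value was chosen. A line above the declaration such as `/* Default to 0 additional NSEC3 iterations, as recommended by RFC 9276; extra iterations add cost to validators without meaningful protection. */` would keep the next maintainer from "restoring" a larger default. The new `sync_records = "cdnskey,cds:sha-256"` default in the hunk at @@ -182 likewise deserves a one-line comment naming what the string configures; presumably the CDS/CDNSKEY records emitted by default, but the code that parses it is outside this view.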
@@ -213,20 +209,13 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	isc_buffer_t *buffer = NULL;
 	isc_region_t r;
 	isc_result_t result;
-	unsigned bufsize = 4096;
-
-	if (outputformat != dns_masterformat_text) {
-		return;
-	}
+	unsigned int bufsize = 4096;
 
 	if (!output_dnssec_only) {
-		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
-						     name, masterstyle, outfp);
-		check_result(result, "dns_master_dumpnodetostream");
 		return;
 	}
 
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &iter);
 	check_result(result, "dns_db_allrdatasets");
 
 	dns_rdataset_init(&rds);
@@ -273,6 +262,17 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	dns_rdatasetiter_destroy(&iter);
 }
 
+static void
+lock_and_dumpnode(dns_name_t *name, dns_dbnode_t *node) {
+	if (!output_dnssec_only) {
+		return;
+	}
+
+	LOCK(&namelock);
+	dumpnode(name, node);
+	UNLOCK(&namelock);
+}
+
 /*%
  * Sign the given RRset with given key, and add the signature record to the
  * given tuple.
@@ -326,28 +326,28 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
 	dns_diff_append(add, &tuple);
 }
 
-static inline bool
+static bool
 issigningkey(dns_dnsseckey_t *key) {
 	return (key->force_sign || key->hint_sign);
 }
 
-static inline bool
+static bool
 ispublishedkey(dns_dnsseckey_t *key) {
 	return ((key->force_publish || key->hint_publish) && !key->hint_remove);
 }
 
-static inline bool
+static bool
 iszonekey(dns_dnsseckey_t *key) {
 	return (dns_name_equal(dst_key_name(key->key), gorigin) &&
 		dst_key_iszonekey(key->key));
 }
 
-static inline bool
+static bool
 isksk(dns_dnsseckey_t *key) {
 	return (key->ksk);
 }
 
-static inline bool
+static bool
 iszsk(dns_dnsseckey_t *key) {
 	return (ignore_kskflag || !key->ksk);
 }
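Review bot: The new `lock_and_dumpnode` in the hunk at @@ -273 returns early on `!output_dnssec_only`, and `dumpnode` in the hunk at @@ -213 keeps the identical early return now that its `dns_master_dumpnodetostream` path is gone, so every call through the wrapper evaluates the same condition twice. If `dumpnode` is only reached via `lock_and_dumpnode` after this change, the check in `dumpnode` can be dropped; if it is still called directly elsewhere (not visible here), a one-line comment on the wrapper, e.g. `/* Filter here too so callers can dump unconditionally. */`, would explain why both exist. Separately, removing the `outputformat != dns_masterformat_text` guard from `dumpnode` means the DNSSEC-only text dump is no longer skipped for other output formats; if a non-text output format can be combined with DNSSEC-only output, that guard (or its replacement) belongs in the caller, which is outside this hunk.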
@@ -363,7 +363,8 @@ keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) { dns_dnsseckey_t *key; for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (rrsig->keyid == dst_key_id(key->key) && rrsig->algorithm == dst_key_alg(key->key) && dns_name_equal(&rrsig->signer, dst_key_name(key->key))) @@ -384,9 +385,9 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { dst_key_t *pubkey = NULL, *privkey = NULL; dns_dnsseckey_t *key = NULL; - isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read); + RWLOCK(&keylist_lock, isc_rwlocktype_read); key = keythatsigned_unlocked(rrsig); - isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read); + RWUNLOCK(&keylist_lock, isc_rwlocktype_read); if (key != NULL) { return (key); } @@ -418,17 +419,15 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, directory, mctx, &privkey); if (result == ISC_R_SUCCESS) { dst_key_free(&pubkey); - result = dns_dnsseckey_create(mctx, &privkey, &key); + dns_dnsseckey_create(mctx, &privkey, &key); } else { - result = dns_dnsseckey_create(mctx, &pubkey, &key); + dns_dnsseckey_create(mctx, &pubkey, &key); } - if (result == ISC_R_SUCCESS) { - key->force_publish = false; - key->force_sign = false; - key->index = keycount++; - ISC_LIST_APPEND(keylist, key, link); - } + key->force_publish = false; + key->force_sign = false; + key->index = keycount++; + ISC_LIST_APPEND(keylist, key, link); isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write); return (key); 
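Review bot: The read-side pair in keythatsigned is converted to `RWLOCK`/`RWUNLOCK`, but the write-side release `isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);` that remains as context in the next hunk (`@@ -418`) still uses the raw call, so the same function now mixes both spellings; convert it to `RWUNLOCK(&keylist_lock, isc_rwlocktype_write);` together with the matching lock call, which is outside the hunk. In that same later hunk the result checks around `dns_dnsseckey_create` are dropped and `key` is dereferenced unconditionally, which is only safe if the function can no longer fail; the diff does not show its new signature, so that assumption is worth confirming.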
@@ -458,15 +457,17 @@ expecttofindkey(dns_name_t *name) { case DNS_R_CNAME: case DNS_R_DNAME: return (false); + default: + break; } dns_name_format(name, namestr, sizeof(namestr)); fatal("failure looking for '%s DNSKEY' in database: %s", namestr, isc_result_totext(result)); - /* NOTREACHED */ + UNREACHABLE(); return (false); /* removes a warning */ } -static inline bool +static bool setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dns_rdata_t *rrsig) { isc_result_t result; @@ -528,8 +529,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, if (!nosigs) { arraysize += dns_rdataset_count(&sigset); } - wassignedby = isc_mem_get(mctx, arraysize * sizeof(bool)); - nowsignedby = isc_mem_get(mctx, arraysize * sizeof(bool)); + wassignedby = isc_mem_cget(mctx, arraysize, sizeof(bool)); + nowsignedby = isc_mem_cget(mctx, arraysize, sizeof(bool)); for (i = 0; i < arraysize; i++) { wassignedby[i] = nowsignedby[i] = false; @@ -554,11 +555,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, key = keythatsigned(&rrsig); sig_format(&rrsig, sigstr, sizeof(sigstr)); - if (key != NULL && issigningkey(key)) { - expired = isc_serial_gt(now + cycle, rrsig.timeexpire); - } else { - expired = isc_serial_gt(now, rrsig.timeexpire); - } + expired = isc_serial_gt(now + cycle, rrsig.timeexpire); if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) { /* rrsig is dropped and not replaced */ @@ -567,7 +564,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, "invalid validity period\n", sigstr); } else if (key == NULL && !future && - expecttofindkey(&rrsig.signer)) { + expecttofindkey(&rrsig.signer)) + { /* rrsig is dropped and not replaced */ vbprintf(2, "\trrsig by %s dropped - " 
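Review bot: The new `expired = isc_serial_gt(now + cycle, rrsig.timeexpire);` applies the re-sign window to every RRSIG, whereas the removed branch used plain `now` for signatures whose key is absent or not a signing key, so such signatures are now dropped `cycle` seconds earlier than before; if that is intended, a one-line comment would preserve the rationale, e.g. `/* Any RRSIG inside the refresh window counts as expired, whoever signed it. */`. signset's body continues on both sides of the hunk.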
@@ -578,7 +576,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, vbprintf(2, "\trrsig by %s %s - dnskey not found\n", keep ? "retained" : "dropped", sigstr); } else if (!dns_dnssec_keyactive(key->key, now) && - remove_inactkeysigs) { + remove_inactkeysigs) + { keep = false; vbprintf(2, "\trrsig by %s dropped - key inactive\n", sigstr); @@ -648,7 +647,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, } } else { tuple = NULL; - vbprintf(2, "removing signature by %s\n", sigstr); + vbprintf(2, "\tremoving signature by %s\n", sigstr); result = dns_difftuple_create( mctx, DNS_DIFFOP_DELRESIGN, name, sigset.ttl, &sigrdata, &tuple); @@ -679,7 +678,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, } for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (nowsignedby[key->index]) { continue; } 
@@ -694,36 +694,96 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, dns_name_equal(name, gorigin)) { bool have_ksk; - dns_dnsseckey_t *tmpkey; + dns_dnsseckey_t *curr; have_ksk = isksk(key); - for (tmpkey = ISC_LIST_HEAD(keylist); tmpkey != NULL; - tmpkey = ISC_LIST_NEXT(tmpkey, link)) + for (curr = ISC_LIST_HEAD(keylist); curr != NULL; + curr = ISC_LIST_NEXT(curr, link)) { if (dst_key_alg(key->key) != - dst_key_alg(tmpkey->key)) { + dst_key_alg(curr->key)) + { continue; } - if (REVOKE(tmpkey->key)) { + if (REVOKE(curr->key)) { continue; } - if (isksk(tmpkey)) { + if (isksk(curr)) { have_ksk = true; } } if (isksk(key) || !have_ksk || - (iszsk(key) && !keyset_kskonly)) { + (iszsk(key) && !keyset_kskonly)) + { signwithkey(name, set, key->key, ttl, add, "signing with dnskey"); } } else if (iszsk(key)) { - signwithkey(name, set, key->key, ttl, add, - "signing with dnskey"); + /* + * Sign with the ZSK unless there is a predecessor + * key that already signs this RRset. + */ + bool have_pre_sig = false; + dns_dnsseckey_t *curr; + uint32_t pre; + isc_result_t ret = dst_key_getnum( + key->key, DST_NUM_PREDECESSOR, &pre); + if (ret == ISC_R_SUCCESS) { + /* + * This key has a predecessor, look for the + * corresponding key in the keylist. The + * key we are looking for must be: + * - From the same cryptographic algorithm. + * - Have the ZSK type (iszsk). + * - Have key ID equal to the predecessor id. + * - Have a successor that matches 'key' id. + */ + for (curr = ISC_LIST_HEAD(keylist); + curr != NULL; + curr = ISC_LIST_NEXT(curr, link)) + { + uint32_t suc; + + if (dst_key_alg(key->key) != + dst_key_alg(curr->key) || + !iszsk(curr) || + dst_key_id(curr->key) != pre) + { + continue; + } + ret = dst_key_getnum(curr->key, + DST_NUM_SUCCESSOR, + &suc); + if (ret != ISC_R_SUCCESS || + dst_key_id(key->key) != suc) + { + continue; + } + + /* + * curr is the predecessor we were + * looking for. Check if this key + * signs this RRset. 
+ */ + if (nowsignedby[curr->index]) { + have_pre_sig = true; + } + } + } + + /* + * If we have a signature of a predecessor key, + * skip signing with this key. + */ + if (!have_pre_sig) { + signwithkey(name, set, key->key, ttl, add, + "signing with dnskey"); + } } } - isc_mem_put(mctx, wassignedby, arraysize * sizeof(bool)); - isc_mem_put(mctx, nowsignedby, arraysize * sizeof(bool)); + isc_mem_cput(mctx, wassignedby, arraysize, sizeof(bool)); + isc_mem_cput(mctx, nowsignedby, arraysize, sizeof(bool)); } struct hashlist { @@ -1131,7 +1191,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_diff_init(mctx, &del); dns_diff_init(mctx, &add); rdsiter = NULL; - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { @@ -1149,7 +1209,8 @@ signname(dns_dbnode_t *node, dns_name_t *name) { */ if (isdelegation) { if (rdataset.type != nsec_datatype && - rdataset.type != dns_rdatatype_ds) { + rdataset.type != dns_rdatatype_ds) + { goto skip; } } else if (rdataset.type == dns_rdatatype_ds) { @@ -1192,7 +1253,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { * See if the node contains any non RRSIG/NSEC records and report to * caller. Clean out extraneous RRSIG records for node. */ -static inline bool +static bool active_node(dns_dbnode_t *node) { dns_rdatasetiter_t *rdsiter = NULL; dns_rdatasetiter_t *rdsiter2 = NULL; @@ -1204,7 +1265,7 @@ active_node(dns_dbnode_t *node) { bool found; dns_rdataset_init(&rdataset); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { 
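Review bot: The predecessor search in the `iszsk(key)` branch keeps iterating after it has matched the predecessor and set `have_pre_sig`, and reuses `ret` for the successor lookups so its final value no longer describes the predecessor query; adding `break;` right after `have_pre_sig = true;` makes the match terminal and keeps `ret` meaningful. The match itself is reasonably strict (same algorithm, ZSK role, id equal to the predecessor id, successor equal to this key's id), which matters because key ids are not unique; a comment saying that the reverse link is what guards against id collisions would help, e.g. `/* Require the reverse link too: key ids can collide. */`. Since `nowsignedby[]` is only set for signatures retained earlier in this function, a predecessor signature that was dropped as expired above does not suppress signing, which looks like the intended interplay; the rest of signset is outside the hunk.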
@@ -1250,7 +1311,8 @@ active_node(dns_dbnode_t *node) { /* * Delete RRSIGs for types that no longer exist. */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter2); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -1298,7 +1360,8 @@ active_node(dns_dbnode_t *node) { check_result(result, "dns_db_deleterdataset(" "rrsig)"); } else if (result != ISC_R_NOMORE && - result != ISC_R_SUCCESS) { + result != ISC_R_SUCCESS) + { fatal("rdataset iteration failed: %s", isc_result_totext(result)); } @@ -1379,7 +1442,8 @@ setsoaserial(uint32_t serial, dns_updatemethod_t method) { old_serial = dns_soa_getserial(&rdata); if (method == dns_updatemethod_date || - method == dns_updatemethod_unixtime) { + method == dns_updatemethod_unixtime) + { new_serial = dns_update_soaserial(old_serial, method, &used); } else if (serial != 0 || method == dns_updatemethod_none) { /* Set SOA serial to the value provided. */ 
@@ -1436,47 +1500,6 @@ setsoaserial(uint32_t serial, dns_updatemethod_t method) { return (result); } -/*% - * Delete any RRSIG records at a node. - */ -static void -cleannode(dns_db_t *db, dns_dbversion_t *dbversion, dns_dbnode_t *node) { - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdataset_t set; - isc_result_t result, dresult; - - if (outputformat != dns_masterformat_text || !disable_zone_check) { - return; - } - - dns_rdataset_init(&set); - result = dns_db_allrdatasets(db, node, dbversion, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets"); - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - bool destroy = false; - dns_rdatatype_t covers = 0; - dns_rdatasetiter_current(rdsiter, &set); - if (set.type == dns_rdatatype_rrsig) { - covers = set.covers; - destroy = true; - } - dns_rdataset_disassociate(&set); - result = dns_rdatasetiter_next(rdsiter); - if (destroy) { - dresult = dns_db_deleterdataset(db, node, dbversion, - dns_rdatatype_rrsig, - covers); - check_result(dresult, "dns_db_deleterdataset"); - } - } - if (result != ISC_R_NOMORE) { - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - } - dns_rdatasetiter_destroy(&rdsiter); -} - /*% * Set up the iterator and global state before starting the tasks. */ @@ -1516,7 +1539,6 @@ signapex(void) { check_dns_dbiterator_current(result); signname(node, name); dumpnode(name, node); - cleannode(gdb, gversion, node); dns_db_detachnode(gdb, &node); result = dns_dbiterator_first(gdbiter); if (result == ISC_R_NOMORE) { 
@@ -1527,16 +1549,22 @@ signapex(void) { } } +static void +abortwork(void *arg) { + UNUSED(arg); + + atomic_store(&shuttingdown, true); +} + /*% - * Assigns a node to a worker thread. This is protected by the master task's + * Assigns a node to a worker thread. This is protected by the main task's * lock. */ static void -assignwork(isc_task_t *task, isc_task_t *worker) { - dns_fixedname_t *fname; - dns_name_t *name; - dns_dbnode_t *node; - sevent_t *sevent; +assignwork(void *arg) { + dns_fixedname_t fname; + dns_name_t *name = NULL; + dns_dbnode_t *node = NULL; dns_rdataset_t nsec; bool found; isc_result_t result; @@ -1544,6 +1572,8 @@ assignwork(isc_task_t *task, isc_task_t *worker) { static dns_fixedname_t fzonecut; /* Protected by namelock. */ static unsigned int ended = 0; /* Protected by namelock. */ + UNUSED(arg); + if (atomic_load(&shuttingdown)) { return; } @@ -1551,15 +1581,14 @@ assignwork(isc_task_t *task, isc_task_t *worker) { LOCK(&namelock); if (atomic_load(&finished)) { ended++; - if (ended == ntasks) { - isc_task_detach(&task); - isc_app_shutdown(); + if (ended == nloops) { + isc_loopmgr_shutdown(loopmgr); } - goto unlock; + UNLOCK(&namelock); + return; } - fname = isc_mem_get(mctx, sizeof(dns_fixedname_t)); - name = dns_fixedname_initname(fname); + name = dns_fixedname_initname(&fname); node = NULL; found = false; while (!found) { @@ -1594,10 +1623,12 @@ assignwork(isc_task_t *task, isc_task_t *worker) { !dns_name_issubdomain(name, zonecut))) { if (is_delegation(gdb, gversion, gorigin, name, - node, NULL)) { + node, NULL)) + { zonecut = savezonecut(&fzonecut, name); if (!OPTOUT(nsec3flags) || - secure(name, node)) { + secure(name, node)) + { found = true; } } else if (has_dname(gdb, gversion, node)) { 
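Review bot: The header comment on assignwork is updated to say the work is "protected by the main task's lock", but there are no tasks in the new code and the lock actually taken is `namelock` (see `LOCK(&namelock)` in the following hunk), so the comment should name it: `* Assigns a node to a worker loop. The static state below and the zone iterator are serialised by namelock.`. The `/* Protected by namelock. */` annotations on `fzonecut` and `ended` already use the right name, so the header is the only stale reference.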
@@ -1626,73 +1657,24 @@ assignwork(isc_task_t *task, isc_task_t *worker) { } if (!found) { ended++; - if (ended == ntasks) { - isc_task_detach(&task); - isc_app_shutdown(); + if (ended == nloops) { + isc_loopmgr_shutdown(loopmgr); } - isc_mem_put(mctx, fname, sizeof(dns_fixedname_t)); - goto unlock; + UNLOCK(&namelock); + return; } - sevent = (sevent_t *)isc_event_allocate(mctx, task, SIGNER_EVENT_WORK, - sign, NULL, sizeof(sevent_t)); - sevent->node = node; - sevent->fname = fname; - isc_task_send(worker, ISC_EVENT_PTR(&sevent)); -unlock: UNLOCK(&namelock); -} - -/*% - * Start a worker task - */ -static void -startworker(isc_task_t *task, isc_event_t *event) { - isc_task_t *worker; - worker = (isc_task_t *)event->ev_arg; - assignwork(task, worker); - isc_event_free(&event); -} + signname(node, dns_fixedname_name(&fname)); -/*% - * Write a node to the output file, and restart the worker task. - */ -static void -writenode(isc_task_t *task, isc_event_t *event) { - isc_task_t *worker; - sevent_t *sevent = (sevent_t *)event; - - worker = (isc_task_t *)event->ev_sender; - dumpnode(dns_fixedname_name(sevent->fname), sevent->node); - cleannode(gdb, gversion, sevent->node); - dns_db_detachnode(gdb, &sevent->node); - isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t)); - assignwork(task, worker); - isc_event_free(&event); -} + /*% + * Write a node to the output file, and restart the worker task. + */ + lock_and_dumpnode(dns_fixedname_name(&fname), node); + dns_db_detachnode(gdb, &node); -/*% - * Sign a database node. 
- */ -static void -sign(isc_task_t *task, isc_event_t *event) { - dns_fixedname_t *fname; - dns_dbnode_t *node; - sevent_t *sevent, *wevent; - - sevent = (sevent_t *)event; - node = sevent->node; - fname = sevent->fname; - isc_event_free(&event); - - signname(node, dns_fixedname_name(fname)); - wevent = (sevent_t *)isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE, - writenode, NULL, - sizeof(sevent_t)); - wevent->node = node; - wevent->fname = fname; - isc_task_send(master, ISC_EVENT_PTR(&wevent)); + isc_async_current(loopmgr, assignwork, NULL); } /*% @@ -1748,7 +1730,7 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which, bool checknsec) { /* * Delete any records of the given type at the apex. */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) @@ -1759,12 +1741,14 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which, bool checknsec) { dns_rdataset_disassociate(&rdataset); if (type == which || covers == which) { if (which == dns_rdatatype_nsec && checknsec && - !update_chain) { + !update_chain) + { fatal("Zone contains NSEC records. Use -u " "to update to NSEC3."); } if (which == dns_rdatatype_nsec3param && checknsec && - !update_chain) { + !update_chain) + { fatal("Zone contains NSEC3 chains. Use -u " "to update to NSEC."); } @@ -1789,7 +1773,7 @@ remove_sigs(dns_dbnode_t *node, bool delegation, dns_rdatatype_t which) { dns_rdataset_t rdataset; dns_rdataset_init(&rdataset); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) 
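Review bot: The in-body comment `/*% Write a node to the output file, and restart the worker task. */` is the old function header of writenode, kept with the doxygen `/*%` marker and the word "task" although the code now re-queues itself via `isc_async_current(loopmgr, assignwork, NULL)`; replace it with a plain comment such as `/* Dump the signed node, then queue the next unit of work on this loop. */`. The calls also spell `dns_fixedname_name(&fname)` although `name` was initialised from the same `fname` earlier in the function, so `signname(node, name);` and `lock_and_dumpnode(name, node);` are shorter and avoid the implicit pairing. The `UNLOCK(&namelock); return;` sequence that replaced `goto unlock` is now duplicated in the two early-exit paths (this hunk and `@@ -1551`).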
@@ -1853,7 +1837,8 @@ nsecify(void) { { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -1978,7 +1963,7 @@ addnsec3param(const unsigned char *salt, size_t salt_len, nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1; nsec3param.iterations = iterations; nsec3param.salt_length = (unsigned char)salt_len; - DE_CONST(salt, nsec3param.salt); + nsec3param.salt = UNCONST(salt); isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf)); result = dns_rdata_fromstruct(&rdata, gclass, dns_rdatatype_nsec3param, @@ -1988,8 +1973,7 @@ addnsec3param(const unsigned char *salt, size_t salt_len, rdatalist.rdclass = rdata.rdclass; rdatalist.type = rdata.type; ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); - result = dns_rdatalist_tordataset(&rdatalist, &rdataset); - check_result(result, "dns_rdatalist_tordataset()"); + dns_rdatalist_tordataset(&rdatalist, &rdataset); result = dns_db_findnode(gdb, gorigin, true, &node); check_result(result, "dns_db_findnode(gorigin)"); @@ -2050,8 +2034,7 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node, const unsigned char *salt, rdatalist.type = rdata.type; rdatalist.ttl = ttl; ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); - result = dns_rdatalist_tordataset(&rdatalist, &rdataset); - check_result(result, "dns_rdatalist_tordataset()"); + dns_rdatalist_tordataset(&rdatalist, &rdataset); result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname), true, &nsec3node); check_result(result, "addnsec3: dns_db_findnode()"); 
@@ -2152,8 +2135,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node, unsigned int hashalg, dns_rdata_init(&delrdata); dns_rdata_clone(&rdata, &delrdata); ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link); - result = dns_rdatalist_tordataset(&rdatalist, &delrdataset); - check_result(result, "dns_rdatalist_tordataset()"); + dns_rdatalist_tordataset(&rdatalist, &delrdataset); result = dns_db_subtractrdataset(gdb, node, gversion, &delrdataset, 0, NULL); dns_rdataset_disassociate(&delrdataset); @@ -2211,7 +2193,8 @@ rrset_cleanup(dns_name_t *name, dns_rdataset_t *rdataset, dns_diff_t *add, count2++; dns_rdataset_current(&tmprdataset, &rdata2); if (count1 < count2 && - dns_rdata_casecompare(&rdata1, &rdata2) == 0) { + dns_rdata_casecompare(&rdata1, &rdata2) == 0) + { vbprintf(2, "removing duplicate at %s/%s\n", namestr, typestr); result = dns_difftuple_create( @@ -2266,7 +2249,8 @@ cleanup_zone(void) { { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -2378,14 +2362,16 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, continue; } if (is_delegation(gdb, gversion, gorigin, nextname, - nextnode, &nsttl)) { + nextnode, &nsttl)) + { zonecut = savezonecut(&fzonecut, nextname); remove_sigs(nextnode, true, 0); if (generateds) { add_ds(nextname, nextnode, nsttl); } if (OPTOUT(nsec3flags) && - !secure(nextname, nextnode)) { + !secure(nextname, nextnode)) + { dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; 
@@ -2519,10 +2505,12 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, continue; } if (is_delegation(gdb, gversion, gorigin, nextname, - nextnode, NULL)) { + nextnode, NULL)) + { zonecut = savezonecut(&fzonecut, nextname); if (OPTOUT(nsec3flags) && - !secure(nextname, nextnode)) { + !secure(nextname, nextnode)) + { dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2700,7 +2688,8 @@ loadexplicitkeys(char *keyfiles[], int n, bool setksk) { /* Skip any duplicates */ for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (dst_key_id(key->key) == dst_key_id(newkey) && dst_key_alg(key->key) == dst_key_alg(newkey)) { 
@@ -2751,6 +2740,51 @@ clear_keylist(dns_dnsseckeylist_t *list) { } } +static void +add_digest(char *str, size_t dlen, dns_kasp_digestlist_t *digests, + bool *cdnskey) { + isc_result_t result; + isc_textregion_t r; + dns_dsdigest_t alg; + dns_kasp_digest_t *digest; + + if (dlen == 7 && strncmp(str, "cdnskey", dlen) == 0) { + *cdnskey = true; + return; + } + + if (dlen < 5 || strncmp(str, "cds:", 4) != 0) { + fatal("digest must specify cds:algorithm ('%.*s')", (int)dlen, + str); + } + + r.base = str + 4; + r.length = dlen - 4; + result = dns_dsdigest_fromtext(&alg, &r); + if (result == DNS_R_UNKNOWN) { + fatal("bad digest '%.*s'", (int)dlen, str); + } else if (result != ISC_R_SUCCESS) { + fatal("bad digest '%.*s': %s", (int)dlen, str, + isc_result_totext(result)); + } else if (!dst_ds_digest_supported(alg)) { + fatal("unsupported digest '%.*s'", (int)dlen, str); + } + + /* Suppress duplicates */ + for (dns_kasp_digest_t *d = ISC_LIST_HEAD(*digests); d != NULL; + d = ISC_LIST_NEXT(d, link)) + { + if (d->digest == alg) { + return; + } + } + + digest = isc_mem_get(mctx, sizeof(*digest)); + digest->digest = alg; + ISC_LINK_INIT(digest, link); + ISC_LIST_APPEND(*digests, digest, link); +} + static void build_final_keylist(void) { isc_result_t result; 
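Review bot: `add_digest` matches `"cdnskey"` and the `"cds:"` prefix with `strncmp`, so `-G CDNSKEY` or `-G CDS:SHA-256` is rejected with "digest must specify cds:algorithm", while the input/output format strings elsewhere in this file are compared with `strcasecmp`; using `strncasecmp` in both tests keeps `-G` consistent with them. The parameter is only read, so `const char *str` is the right type and would let build_final_keylist drop the `UNCONST(sync_records)` cast it applies to a string-literal default. An empty element (for example a trailing comma) falls into the `dlen < 5` branch and prints `('')` in the message; a dedicated `fatal("empty entry in sync-records list");` would be clearer.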
@@ -2760,14 +2794,39 @@ build_final_keylist(void) { dns_dnsseckeylist_t rmkeys, matchkeys; char name[DNS_NAME_FORMATSIZE]; dns_rdataset_t cdsset, cdnskeyset, soaset; + dns_kasp_digestlist_t digests; + dns_kasp_digest_t *d, *d_next; + bool cdnskey = false; ISC_LIST_INIT(rmkeys); ISC_LIST_INIT(matchkeys); + ISC_LIST_INIT(digests); dns_rdataset_init(&soaset); dns_rdataset_init(&cdsset); dns_rdataset_init(&cdnskeyset); + if (strlen(sync_records) > 0) { + const char delim = ','; + char *digest; + char *s; + size_t dlen; + + digest = UNCONST(sync_records); + next_digest: + s = strchr(digest, delim); + if (s == NULL) { + dlen = strlen(digest); + add_digest(digest, dlen, &digests, &cdnskey); + goto findkeys; + } + dlen = s - digest; + add_digest(digest, dlen, &digests, &cdnskey); + digest = s + 1; + goto next_digest; + } + +findkeys: /* * Find keys that match this zone in the key repository. */ @@ -2809,8 +2868,9 @@ build_final_keylist(void) { /* * Update keylist with sync records. */ + dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now, - keyttl, &diff, mctx); + &digests, cdnskey, keyttl, &diff, mctx); dns_name_format(gorigin, name, sizeof(name)); @@ -2834,6 +2894,13 @@ build_final_keylist(void) { clear_keylist(&rmkeys); clear_keylist(&matchkeys); + + for (d = ISC_LIST_HEAD(digests); d != NULL; d = d_next) { + d_next = ISC_LIST_NEXT(d, link); + ISC_LIST_UNLINK(digests, d, link); + isc_mem_put(mctx, d, sizeof(*d)); + } + INSIST(ISC_LIST_EMPTY(digests)); } static void @@ -3011,7 +3078,7 @@ writeset(const char *prefix, dns_rdatatype_t type) { isc_buffer_t namebuf; isc_region_t r; isc_result_t result; - dns_dnsseckey_t *key, *tmpkey; + dns_dnsseckey_t *key, *curr; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; unsigned char keybuf[DST_KEY_MAXSIZE]; unsigned int filenamelen; 
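Review bot: The `sync_records` parsing in build_final_keylist is written as a backward `goto next_digest` plus a forward `goto findkeys` out of the block, where a `while` loop over `strchr` expresses the same split in fewer lines and without the `findkeys:` label; the rewrite below is behaviour-preserving. It keeps `UNCONST(sync_records)` only because add_digest takes `char *`; if that parameter became `const char *`, the cast can go. The `digests` list allocated here is released at the end of the function (last hunk), and every `fatal()` in add_digest exits before that point, which is acceptable for a command-line tool.
```c
	if (strlen(sync_records) > 0) {
		char *digest = UNCONST(sync_records);
		char *s;

		while ((s = strchr(digest, ',')) != NULL) {
			add_digest(digest, (size_t)(s - digest), &digests,
				   &cdnskey);
			digest = s + 1;
		}
		add_digest(digest, strlen(digest), &digests, &cdnskey);
	}

	/* … unchanged: find keys that match this zone in the key repository … */
```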
@@ -3041,7 +3108,8 @@ writeset(const char *prefix, dns_rdatatype_t type) { name = gorigin; for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (REVOKE(key->key)) { continue; } @@ -3052,16 +3120,16 @@ writeset(const char *prefix, dns_rdatatype_t type) { have_ksk = false; have_non_ksk = true; } - for (tmpkey = ISC_LIST_HEAD(keylist); tmpkey != NULL; - tmpkey = ISC_LIST_NEXT(tmpkey, link)) + for (curr = ISC_LIST_HEAD(keylist); curr != NULL; + curr = ISC_LIST_NEXT(curr, link)) { - if (dst_key_alg(key->key) != dst_key_alg(tmpkey->key)) { + if (dst_key_alg(key->key) != dst_key_alg(curr->key)) { continue; } - if (REVOKE(tmpkey->key)) { + if (REVOKE(curr->key)) { continue; } - if (isksk(tmpkey)) { + if (isksk(curr)) { have_ksk = true; } else { have_non_ksk = true; @@ -3137,10 +3205,10 @@ print_version(FILE *fp) { return; } - fprintf(fp, "; dnssec_signzone version %s\n", PACKAGE_VERSION); + fprintf(fp, "; %s version %s\n", program, PACKAGE_VERSION); } -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -3160,9 +3228,12 @@ usage(void) { fprintf(stderr, "\t\tdirectory to find key files (.)\n"); fprintf(stderr, "\t-d directory:\n"); fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n"); + fprintf(stderr, "\t-F:\tFIPS mode\n"); fprintf(stderr, "\t-g:\t"); fprintf(stderr, "update DS records based on child zones' " "dsset-* files\n"); + fprintf(stderr, "\t-G sync-records:\t"); + fprintf(stderr, "what CDNSKEY and CDS to publish\n"); fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); fprintf(stderr, "\t\tRRSIG start time " "- absolute|offset (now - 1 hour)\n"); 
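Review bot: The new `-G` usage line says "what CDNSKEY and CDS to publish" but, unlike the neighbouring `-K`/`-d` lines that show their default in parentheses, it gives neither the syntax nor the default, so a user cannot tell what to pass; `fprintf(stderr, "comma-separated list of cdnskey and cds:<digest> (cdnskey,cds:sha-256)\n");` documents both, with the default taken from the `sync_records` declaration. The `-F` line could likewise mention that the option fails when no FIPS-capable crypto library is available, since the diff shows `-F` ending in `fatal()` when the provider cannot be loaded.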
@@ -3200,14 +3271,7 @@ usage(void) { fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if USE_PKCS11 - fprintf(stderr, - "\t\tpath to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-Q:\t"); @@ -3282,7 +3346,7 @@ print_stats(isc_time_t *timer_start, isc_time_t *timer_finish, int main(int argc, char *argv[]) { - int i, ch; + int ch; char *startstr = NULL, *endstr = NULL, *classname = NULL; char *dnskey_endstr = NULL; char *origin = NULL, *file = NULL, *output = NULL; @@ -3300,21 +3364,24 @@ main(int argc, char *argv[]) { bool free_output = false; int tempfilelen = 0; dns_rdataclass_t rdclass; - isc_task_t **tasks = NULL; hashlist_t hashlist; bool make_keyset = false; bool set_salt = false; bool set_optout = false; bool set_iter = false; bool nonsecify = false; + bool set_fips_mode = false; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + OSSL_PROVIDER *fips = NULL, *base = NULL; +#endif atomic_init(&shuttingdown, false); atomic_init(&finished, false); /* Unused letters: Bb G J q Yy (and F is reserved). */ -#define CMDLINE_FLAGS \ - "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:VX:" \ - "xzZ:" +#define CMDLINE_FLAGS \ + "3:AaCc:Dd:E:e:f:FgG:hH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \ + "VX:xzZ:" /* * Process memory debugging argument first. @@ -3334,12 +3401,6 @@ main(int argc, char *argv[]) { { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } - if (strcasecmp(isc_commandline_argument, "size") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGSIZE; - } - if (strcasecmp(isc_commandline_argument, "mctx") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGCTX; - } break; default: break; 
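Review bot: The context comment `/* Unused letters: Bb G J q Yy (and F is reserved). */` directly above the new CMDLINE_FLAGS is now wrong: `F`, `G:` and `J:` are all in the new string, and `q` was already present in the old one. Reading the new string, the letters not taken are B, W and Y in either case, so `/* Unused letters: Bb Ww Yy. */` is the accurate replacement.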
@@ -3349,17 +3410,7 @@ main(int argc, char *argv[]) { masterstyle = &dns_master_style_explicitttl; - check_result(isc_app_start(), "isc_app_start"); - - isc_mem_create(&mctx); - -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; - while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case '3': @@ -3435,6 +3486,10 @@ main(int argc, char *argv[]) { generateds = true; break; + case 'G': + sync_records = isc_commandline_argument; + break; + case 'H': set_iter = true; /* too-many is NOT DOCUMENTED */ @@ -3473,6 +3528,10 @@ main(int argc, char *argv[]) { } break; + case 'J': + journal = isc_commandline_argument; + break; + case 'K': directory = isc_commandline_argument; break; @@ -3519,8 +3578,8 @@ main(int argc, char *argv[]) { case 'n': endp = NULL; - ntasks = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0' || ntasks > INT32_MAX) { + nloops = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0' || nloops > INT32_MAX) { fatal("number of cpus must be numeric"); } break; @@ -3604,14 +3663,15 @@ main(int argc, char *argv[]) { break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + set_fips_mode = true; + break; + case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); @@ -3633,13 +3693,7 @@ main(int argc, char *argv[]) { } } - result = dst_lib_init(mctx, engine); - if (result != ISC_R_SUCCESS) { - fatal("could not initialize dst: %s", - isc_result_totext(result)); - } - - isc_stdtime_get(&now); + now = isc_stdtime_now(); if (startstr != NULL) { starttime = strtotime(startstr, now, now, NULL); 
@@ -3667,10 +3721,10 @@ main(int argc, char *argv[]) { cycle = (endtime - starttime) / 4; } - if (ntasks == 0) { - ntasks = isc_os_ncpus() * 2; + if (nloops == 0) { + nloops = isc_os_ncpus(); } - vbprintf(4, "using %d cpus\n", ntasks); + vbprintf(4, "using %d cpus\n", nloops); rdclass = strtoclass(classname); @@ -3678,6 +3732,35 @@ main(int argc, char *argv[]) { directory = "."; } + isc_managers_create(&mctx, nloops, &loopmgr, &netmgr); + + if (set_fips_mode) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + fips = OSSL_PROVIDER_load(NULL, "fips"); + if (fips == NULL) { + ERR_clear_error(); + fatal("Failed to load FIPS provider"); + } + base = OSSL_PROVIDER_load(NULL, "base"); + if (base == NULL) { + OSSL_PROVIDER_unload(fips); + ERR_clear_error(); + fatal("Failed to load base provider"); + } +#endif + if (!isc_fips_mode()) { + if (isc_fips_set_mode(1) != ISC_R_SUCCESS) { + fatal("setting FIPS mode failed"); + } + } + } + + result = dst_lib_init(mctx, engine); + if (result != ISC_R_SUCCESS) { + fatal("could not initialize dst: %s", + isc_result_totext(result)); + } + setup_logging(mctx, &log); argc -= isc_commandline_index; @@ -3707,8 +3790,6 @@ main(int argc, char *argv[]) { if (inputformatstr != NULL) { if (strcasecmp(inputformatstr, "text") == 0) { inputformat = dns_masterformat_text; - } else if (strcasecmp(inputformatstr, "map") == 0) { - inputformat = dns_masterformat_map; } else if (strcasecmp(inputformatstr, "raw") == 0) { inputformat = dns_masterformat_raw; } else if (strncasecmp(inputformatstr, "raw=", 4) == 0) { 
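Review bot: The FIPS block loads both the "fips" and the "base" provider without saying why two are needed, and the reason is not obvious from the code; a comment would help, e.g. `/* The fips provider carries no encoders/decoders; "base" is loaded too so key files can still be read. */` — that is my understanding of OpenSSL 3, please confirm. On the `base == NULL` path `fips` is unloaded before `fatal()`, but on the `isc_fips_set_mode(1)` failure path neither provider is, and on success both handles are held for the life of the process with no matching unload; since `fatal()` terminates the process the asymmetry is harmless, but a comment saying the providers are intentionally kept until exit would stop it being read as a leak. The block sits after `isc_managers_create` and before the relocated `dst_lib_init`, which is the order the crypto library needs to observe FIPS mode; a one-line comment noting that `dst_lib_init` was moved for this reason would protect the ordering.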
@@ -3726,8 +3807,6 @@ main(int argc, char *argv[]) { } else if (strcasecmp(outputformatstr, "full") == 0) { outputformat = dns_masterformat_text; masterstyle = &dns_master_style_full; - } else if (strcasecmp(outputformatstr, "map") == 0) { - outputformat = dns_masterformat_map; } else if (strcasecmp(outputformatstr, "raw") == 0) { outputformat = dns_masterformat_raw; } else if (strncasecmp(outputformatstr, "raw=", 4) == 0) { @@ -3736,7 +3815,8 @@ main(int argc, char *argv[]) { outputformat = dns_masterformat_raw; rawversion = strtol(outputformatstr + 4, &end, 10); if (end == outputformatstr + 4 || *end != '\0' || - rawversion > 1U) { + rawversion > 1U) + { fprintf(stderr, "unknown raw format version\n"); exit(1); } @@ -3778,8 +3858,11 @@ main(int argc, char *argv[]) { check_result(result, "dns_master_stylecreate"); gdb = NULL; - TIME_NOW(&timer_start); + timer_start = isc_time_now(); loadzone(file, origin, rdclass, &gdb); + if (journal != NULL) { + loadjournal(mctx, gdb, journal); + } gorigin = dns_db_origin(gdb); gclass = dns_db_class(gdb); get_soa_ttls(); @@ -3811,7 +3894,7 @@ main(int argc, char *argv[]) { * of keys rather early. */ ISC_LIST_INIT(keylist); - isc_rwlock_init(&keylist_lock, 0, 0); + isc_rwlock_init(&keylist_lock); /* * Fill keylist with: @@ -3842,7 +3925,8 @@ main(int argc, char *argv[]) { /* Now enumerate the key list */ for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { key->index = keycount++; } @@ -3864,9 +3948,10 @@ main(int argc, char *argv[]) { bool answer; hash_length = dns_nsec3_hashlength(dns_hash_sha1); - hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2, + hashlist_init(&hashlist, + dns_db_nodecount(gdb, dns_dbtree_main) * 2, hash_length); - result = dns_nsec_nseconly(gdb, gversion, &answer); + result = dns_nsec_nseconly(gdb, gversion, NULL, &answer); if (result == ISC_R_NOTFOUND) { fprintf(stderr, "%s: warning: NSEC3 generation " 
@@ -3944,11 +4029,7 @@ main(int argc, char *argv[]) { result = isc_file_mktemplate(output, tempfile, tempfilelen); check_result(result, "isc_file_mktemplate"); - if (outputformat == dns_masterformat_text) { - result = isc_file_openunique(tempfile, &outfp); - } else { - result = isc_file_bopenunique(tempfile, &outfp); - } + result = isc_file_openunique(tempfile, &outfp); if (result != ISC_R_SUCCESS) { fatal("failed to open temporary output file: %s", isc_result_totext(result)); @@ -3960,24 +4041,6 @@ main(int argc, char *argv[]) { print_time(outfp); print_version(outfp); - isc_managers_create(mctx, ntasks, 0, 0, &netmgr, &taskmgr, NULL, NULL); - - master = NULL; - result = isc_task_create(taskmgr, 0, &master); - if (result != ISC_R_SUCCESS) { - fatal("failed to create task: %s", isc_result_totext(result)); - } - - tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *)); - for (i = 0; i < (int)ntasks; i++) { - tasks[i] = NULL; - result = isc_task_create(taskmgr, 0, &tasks[i]); - if (result != ISC_R_SUCCESS) { - fatal("failed to create task: %s", - isc_result_totext(result)); - } - } - isc_mutex_init(&namelock); if (printstats) { 
@@ -3985,36 +4048,23 @@ main(int argc, char *argv[]) { } presign(); - TIME_NOW(&sign_start); + sign_start = isc_time_now(); signapex(); if (!atomic_load(&finished)) { /* * There is more work to do. Spread it out over multiple * processors if possible. */ - for (i = 0; i < (int)ntasks; i++) { - result = isc_app_onrun(mctx, master, startworker, - tasks[i]); - if (result != ISC_R_SUCCESS) { - fatal("failed to start task: %s", - isc_result_totext(result)); - } - } - (void)isc_app_run(); + isc_loopmgr_setup(loopmgr, assignwork, NULL); + isc_loopmgr_teardown(loopmgr, abortwork, NULL); + isc_loopmgr_run(loopmgr); + if (!atomic_load(&finished)) { fatal("process aborted by user"); } - } else { - isc_task_detach(&master); - } - atomic_store(&shuttingdown, true); - for (i = 0; i < (int)ntasks; i++) { - isc_task_detach(&tasks[i]); } - isc_managers_destroy(&netmgr, &taskmgr, NULL, NULL); - isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); - TIME_NOW(&sign_finish); + sign_finish = isc_time_now(); if (disable_zone_check) { vresult = ISC_R_SUCCESS; @@ -4029,7 +4079,7 @@ main(int argc, char *argv[]) { } } - if (outputformat != dns_masterformat_text) { + if (!output_dnssec_only) { dns_masterrawheader_t header; dns_master_initrawheader(&header); if (rawversion == 0U) { @@ -4041,12 +4091,7 @@ main(int argc, char *argv[]) { result = dns_master_dumptostream(mctx, gdb, gversion, masterstyle, outputformat, &header, outfp); - check_result(result, "dns_master_dumptostream3"); - } - - isc_mutex_destroy(&namelock); - if (printstats) { - isc_mutex_destroy(&statslock); + check_result(result, "dns_master_dumptostream"); } if (!output_stdout) { 
@@ -4092,15 +4137,25 @@ main(int argc, char *argv[]) { if (verbose > 10) { isc_mem_stats(mctx, stdout); } - isc_mem_destroy(&mctx); - (void)isc_app_finish(); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (base != NULL) { + OSSL_PROVIDER_unload(base); + } + if (fips != NULL) { + OSSL_PROVIDER_unload(fips); + } +#endif + + isc_managers_destroy(&mctx, &loopmgr, &netmgr); if (printstats) { - TIME_NOW(&timer_finish); + timer_finish = isc_time_now(); print_stats(&timer_start, &timer_finish, &sign_start, &sign_finish); + isc_mutex_destroy(&statslock); } + isc_mutex_destroy(&namelock); return (vresult == ISC_R_SUCCESS ? 0 : 1); } diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index a43d76954a..e6fb455c3d 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-signzone +.. program:: dnssec-signzone .. _man_dnssec-signzone: dnssec-signzone - DNSSEC zone signing tool 
@@ -29,12 +21,12 @@ dnssec-signzone - DNSSEC zone signing tool Synopsis ~~~~~~~~ -:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] +:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] Description ~~~~~~~~~~~ -``dnssec-signzone`` signs a zone; it generates NSEC and RRSIG records +:program:`dnssec-signzone` signs a zone; it generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure) is determined by the presence or absence of a ``keyset`` 
@@ -43,52 +35,72 @@ file for each child zone. Options ~~~~~~~ -``-a`` +.. option:: -a + This option verifies all generated signatures. -``-c class`` +.. option:: -c class + This option specifies the DNS class of the zone. -``-C`` +.. option:: -C + This option sets compatibility mode, in which a ``keyset-zonename`` file is generated in addition to ``dsset-zonename`` when signing a zone, for use by older versions - of ``dnssec-signzone``. + of :program:`dnssec-signzone`. + +.. option:: -d directory -``-d directory`` This option indicates the directory where BIND 9 should look for ``dsset-`` or ``keyset-`` files. -``-D`` +.. option:: -D + This option indicates that only those record types automatically managed by - ``dnssec-signzone``, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output. - If smart signing (``-S``) is used, DNSKEY records are also included. + :program:`dnssec-signzone`, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output. + If smart signing (:option:`-S`) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with - ``$INCLUDE``. This option cannot be combined with ``-O raw``, - ``-O map``, or serial-number updating. + ``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>` + or serial-number updating. + +.. option:: -E engine -``-E engine`` This option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing, when applicable. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. 
option:: -F + + This options turns on FIPS (US Federal Information Processing Standards) + mode if the underlying crytographic library supports running in FIPS + mode. + +.. option:: -g -``-g`` This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-`` file. Existing DS records are removed. -``-K directory`` +.. option:: -G sync-records + + This option indicates which CDS and CDNSKEY records should be generated. ``sync-records`` is a + comma-separated string with the following allowed items: ``cdnskey``, and ``cds:``, + where ``digest-type`` is an allowed algorithm such as SHA-256 (2), or SHA-384 (4). + Only works in combination with smart signing (``-S``). + +.. option:: -K directory + This option specifies the directory to search for DNSSEC keys. If not specified, it defaults to the current directory. -``-k key`` +.. option:: -k key + This option tells BIND 9 to treat the specified key as a key-signing key, ignoring any key flags. This option may be specified multiple times. -``-M maxttl`` +.. option:: -M maxttl + This option sets the maximum TTL for the signed zone. Any TTL higher than ``maxttl`` in the input zone is reduced to ``maxttl`` in the output. This provides certainty as to the largest possible TTL in the signed zone, @@ -96,10 +108,11 @@ Options possible time before signatures that have been retrieved by resolvers expire from resolver caches. Zones that are signed with this option should be configured to use a matching ``max-zone-ttl`` in - ``named.conf``. (Note: This option is incompatible with ``-D``, + :iscman:`named.conf`. (Note: This option is incompatible with :option:`-D`, because it modifies non-DNSSEC data in the output zone.) -``-s start-time`` +.. option:: -s start-time + This option specifies the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 
@@ -108,7 +121,8 @@ Options time. If no ``start-time`` is specified, the current time minus 1 hour (to allow for clock skew) is used. -``-e end-time`` +.. option:: -e end-time + This option specifies the date and time when the generated RRSIG records expire. As with ``start-time``, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with ``+N``, @@ -117,7 +131,8 @@ Options specified, 30 days from the start time is the default. ``end-time`` must be later than ``start-time``. -``-X extended end-time`` +.. option:: -X extended end-time + This option specifies the date and time when the generated RRSIG records for the DNSKEY RRset expire. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; @@ -132,20 +147,24 @@ Options as the default. (``end-time``, in turn, defaults to 30 days from the start time.) ``extended end-time`` must be later than ``start-time``. -``-f output-file`` +.. option:: -f output-file + This option indicates the name of the output file containing the signed zone. The default is to append ``.signed`` to the input filename. If ``output-file`` is set to ``-``, then the signed zone is written to the standard output, with a default output format of ``full``. -``-h`` +.. option:: -h + This option prints a short summary of the options and arguments to - ``dnssec-signzone``. + :program:`dnssec-signzone`. + +.. option:: -V -``-V`` This option prints version information. -``-i interval`` +.. option:: -i interval + This option indicates that, when a previously signed zone is passed as input, records may be re-signed. The ``interval`` option specifies the cycle interval as an offset from the current time, in seconds. If a RRSIG record expires 
@@ -154,19 +173,21 @@ Options The default cycle interval is one quarter of the difference between the signature end and start times. So if neither ``end-time`` nor - ``start-time`` is specified, ``dnssec-signzone`` generates + ``start-time`` is specified, :program:`dnssec-signzone` generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced. -``-I input-format`` - This option sets the format of the input zone file. Possible formats are ``text`` - (the default), ``raw``, and ``map``. This option is primarily +.. option:: -I input-format + + This option sets the format of the input zone file. Possible formats are + ``text`` (the default), and ``raw``. This option is primarily intended to be used for dynamic signed zones, so that the dumped zone file in a non-text format containing updates can be signed directly. This option is not useful for non-dynamic zones. -``-j jitter`` +.. option:: -j jitter + When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expire simultaneously. If the zone is incrementally signed, i.e., a previously signed zone is passed 
@@ -181,16 +202,19 @@ Options less congestion than if all validators need to refetch at around the same time. -``-L serial`` - When writing a signed zone to "raw" or "map" format, this option sets the "source +.. option:: -L serial + + When writing a signed zone to "raw" format, this option sets the "source serial" value in the header to the specified ``serial`` number. (This is expected to be used primarily for testing purposes.) -``-n ncpus`` +.. option:: -n ncpus + This option specifies the number of threads to use. By default, one thread is started for each detected CPU. -``-N soa-serial-format`` +.. option:: -N soa-serial-format + This option sets the SOA serial number format of the signed zone. Possible formats are ``keep`` (the default), ``increment``, ``unixtime``, and ``date``. 
@@ -213,22 +237,24 @@ Options than or equal to that value, in which case it is simply incremented by one. -``-o origin`` +.. option:: -o origin + This option sets the zone origin. If not specified, the name of the zone file is assumed to be the origin. -``-O output-format`` - This option sets the format of the output file containing the signed zone. Possible - formats are ``text`` (the default), which is the standard textual - representation of the zone; ``full``, which is text output in a - format suitable for processing by external scripts; and ``map``, - ``raw``, and ``raw=N``, which store the zone in binary formats - for rapid loading by ``named``. ``raw=N`` specifies the format - version of the raw zone file: if N is 0, the raw file can be read by - any version of ``named``; if N is 1, the file can be read by release - 9.9.0 or higher. The default is 1. - -``-P`` +.. option:: -O output-format + + This option sets the format of the output file containing the signed + zone. Possible formats are ``text`` (the default), which is the standard + textual representation of the zone; ``full``, which is text output in a + format suitable for processing by external scripts; and ``raw`` and + ``raw=N``, which store the zone in binary formats for rapid loading by + :iscman:`named`. ``raw=N`` specifies the format version of the raw zone file: + if N is 0, the raw file can be read by any version of :iscman:`named`; if N is + 1, the file can be read by release 9.9.0 or higher. The default is 1. + +.. option:: -P + This option disables post-sign verification tests. The post-sign verification tests ensure that for each algorithm in 
@@ -236,36 +262,40 @@ Options revoked KSK keys are self-signed, and that all records in the zone are signed by the algorithm. This option skips these tests. -``-Q`` +.. option:: -Q + This option removes signatures from keys that are no longer active. Normally, when a previously signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate - with cached copies of the old DNSKEY RRset. The ``-Q`` option forces - ``dnssec-signzone`` to remove signatures from keys that are no longer + with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces + :program:`dnssec-signzone` to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in :rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover"). -``-q`` +.. option:: -q + This option enables quiet mode, which suppresses unnecessary output. Without this option, when - ``dnssec-signzone`` is run it prints three pieces of information to standard output: the number of + :program:`dnssec-signzone` is run it prints three pieces of information to standard output: the number of keys in use; the algorithms used to verify the zone was signed correctly and other status information; and the filename containing the signed zone. With the option that output is suppressed, leaving only the filename. -``-R`` +.. option:: -R + This option removes signatures from keys that are no longer published. - This option is similar to ``-Q``, except it forces - ``dnssec-signzone`` to remove signatures from keys that are no longer + This option is similar to :option:`-Q`, except it forces + :program:`dnssec-signzone` to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in :rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key Rollover"). 
-``-S`` - This option enables smart signing, which instructs ``dnssec-signzone`` to search the key +.. option:: -S + + This option enables smart signing, which instructs :program:`dnssec-signzone` to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate. @@ -297,11 +327,12 @@ Options If the key's sync deletion date is set and is in the past, synchronization records (type CDS and/or CDNSKEY) are removed. -``-T ttl`` +.. option:: -T ttl + This option specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA record. This option is ignored when - signing without ``-S``, since DNSKEY records are not imported from + signing without :option:`-S`, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' TTL values are set to match them, or if any of the 
@@ -309,51 +340,69 @@ Options conflict between TTL values in imported keys, the shortest one is used. -``-t`` +.. option:: -t + This option prints statistics at completion. -``-u`` +.. option:: -u + This option updates the NSEC/NSEC3 chain when re-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with - different parameters. Without this option, ``dnssec-signzone`` + different parameters. Without this option, :program:`dnssec-signzone` retains the existing chain when re-signing. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-x`` +.. option:: -x + This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys, - and should omit signatures from zone-signing keys. (This is similar to the - ``dnssec-dnskey-kskonly yes;`` zone option in ``named``.) + and should omit signatures from zone-signing keys. + +.. option:: -z -``-z`` This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. - (This is similar to the ``update-check-ksk no;`` zone option in - ``named``.) -``-3 salt`` +.. option:: -3 salt + This option generates an NSEC3 chain with the given hex-encoded salt. A dash (-) can be used to indicate that no salt is to be used when generating the NSEC3 chain. -``-H iterations`` + .. note:: + ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + +.. option:: -H iterations + This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default - is 10. + is 0. + + .. warning:: + Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. + +.. 
option:: -A -``-A`` This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3 records and should not generate NSEC3 records for insecure delegations. - Using this option twice (i.e., ``-AA``) turns the OPTOUT flag off for - all records. This is useful when using the ``-u`` option to modify an + .. warning:: + Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + +.. option:: -AA + + This option turns the OPTOUT flag off for + all records. This is useful when using the :option:`-u` option to modify an NSEC3 chain which previously had OPTOUT set. -``zonefile`` +.. option:: zonefile + This option sets the file containing the zone to be signed. -``key`` +.. option:: key + This option specifies which keys should be used to sign the zone. If no keys are specified, the zone is examined for DNSKEY records at the zone apex. If these records are found and there are matching private keys in @@ -363,11 +412,11 @@ Example ~~~~~~~ The following command signs the ``example.com`` zone with the -ECDSAP256SHA256 key generated by ``dnssec-keygen`` -(Kexample.com.+013+17247). Because the ``-S`` option is not being used, +ECDSAP256SHA256 key generated by :iscman:`dnssec-keygen` +(Kexample.com.+013+17247). Because the :option:`-S` option is not being used, the zone's keys must be in the master file (``db.example.com``). This invocation looks for ``dsset`` files in the current directory, so that -DS records can be imported from them (``-g``). +DS records can be imported from them (:option:`-g`). :: 
@@ -376,9 +425,9 @@ DS records can be imported from them (``-g``). db.example.com.signed % -In the above example, ``dnssec-signzone`` creates the file +In the above example, :program:`dnssec-signzone` creates the file ``db.example.com.signed``. This file should be referenced in a zone -statement in the ``named.conf`` file. +statement in the :iscman:`named.conf` file. This example re-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory. @@ -393,5 +442,5 @@ The private keys are assumed to be in the current directory. See Also ~~~~~~~~ -:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`, +:iscman:`dnssec-keygen(8) `, BIND 9 Administrator Reference Manual, :rfc:`4033`, :rfc:`4641`. diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index eb845ffbc8..e6b8972b02 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,19 +17,17 @@ #include #include -#include #include #include #include -#include #include #include #include #include #include #include -#include #include +#include #include #include #include @@ -54,17 +54,12 @@ #include #include #include -#include #include #include #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-verify"; 
@@ -72,10 +67,10 @@ const char *program = "dnssec-verify"; static isc_stdtime_t now; static isc_mem_t *mctx = NULL; static dns_masterformat_t inputformat = dns_masterformat_text; -static dns_db_t *gdb; /* The database */ -static dns_dbversion_t *gversion; /* The database version */ -static dns_rdataclass_t gclass; /* The class */ -static dns_name_t *gorigin; /* The database origin */ +static dns_db_t *gdb = NULL; /* The database */ +static dns_dbversion_t *gversion = NULL; /* The database version */ +static dns_rdataclass_t gclass; /* The class */ +static dns_name_t *gorigin = NULL; /* The database origin */ static bool ignore_kskflag = false; static bool keyset_kskonly = false; @@ -134,14 +129,14 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) { "use -o to specify a different zone origin", origin, file); } - /* FALLTHROUGH */ + FALLTHROUGH; default: fatal("failed loading zone from '%s': %s", file, isc_result_totext(result)); } } -ISC_NORETURN static void +noreturn static void usage(void); static void @@ -163,14 +158,7 @@ usage(void) { fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if USE_PKCS11 - fprintf(stderr, - "\t\tpath to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, " "not ZSKs\n"); fprintf(stderr, "\t-z:\tAll records signed with KSKs\n"); @@ -189,7 +177,7 @@ main(int argc, char *argv[]) { char *endp; int ch; -#define CMDLINE_FLAGS "c:E:hm:o:I:qv:Vxz" +#define CMDLINE_FLAGS "c:E:hJ:m:o:I:qv:Vxz" /* * Process memory debugging argument first. 
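Review bot: `-J` is added to `CMDLINE_FLAGS` in the `@@ -189` hunk, but the `usage()` text in the `@@ -163` hunk does not describe it; unless it is printed in a part of `usage()` outside the hunk, the option is undiscoverable from `-h`. Add `fprintf(stderr, "\t-J filename:\n"); fprintf(stderr, "\t\tjournal file to apply to the zone before verification\n");` next to the `-I` entry. The dnssec-verify.rst hunks in this diff likewise list no `-J` option, so the manual page needs the same addition.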
@@ -209,27 +197,15 @@ main(int argc, char *argv[]) { { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } - if (strcasecmp(isc_commandline_argument, "size") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGSIZE; - } - if (strcasecmp(isc_commandline_argument, "mctx") == 0) { - isc_mem_debugging |= ISC_MEM_DEBUGCTX; - } break; default: break; } } isc_commandline_reset = true; - check_result(isc_app_start(), "isc_app_start"); isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - dns_result_register(); - isc_commandline_errprint = false; while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { @@ -246,6 +222,10 @@ main(int argc, char *argv[]) { inputformatstr = isc_commandline_argument; break; + case 'J': + journal = isc_commandline_argument; + break; + case 'm': break; @@ -278,7 +258,7 @@ main(int argc, char *argv[]) { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ @@ -301,7 +281,7 @@ main(int argc, char *argv[]) { isc_result_totext(result)); } - isc_stdtime_get(&now); + now = isc_stdtime_now(); rdclass = strtoclass(classname); @@ -339,6 +319,9 @@ main(int argc, char *argv[]) { gdb = NULL; report("Loading zone '%s' from file '%s'\n", origin, file); loadzone(file, origin, rdclass, &gdb); + if (journal != NULL) { + loadjournal(mctx, gdb, journal); + } gorigin = dns_db_origin(gdb); gclass = dns_db_class(gdb); @@ -359,7 +342,5 @@ main(int argc, char *argv[]) { } isc_mem_destroy(&mctx); - (void)isc_app_finish(); - return (result == ISC_R_SUCCESS ? 0 : 1); } diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index 7f2ba531bb..870089482b 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst 
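Review bot: The `@@ -339` hunk applies the journal silently, whereas the zone load just above it is announced with `report("Loading zone ...")`; since the verified data then differs from the file named on the command line, the output should say so for anyone auditing a verification run. Add `report("Applying journal '%s'\n", journal);` inside the new `if (journal != NULL)` block. What loadjournal() does on a serial mismatch or a truncated journal is outside this diff, so I assume it calls fatal() rather than returning a partially applied zone; worth confirming.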
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: dnssec-verify +.. program:: dnssec-verify .. _man_dnssec-verify: dnssec-verify - DNSSEC zone verification tool 
@@ -34,58 +26,64 @@ Synopsis Description ~~~~~~~~~~~ -``dnssec-verify`` verifies that a zone is fully signed for each +:program:`dnssec-verify` verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC/NSEC3 chains are complete. Options ~~~~~~~ -``-c class`` +.. option:: -c class + This option specifies the DNS class of the zone. -``-E engine`` +.. option:: -E engine + This option specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. option:: -I input-format -``-I input-format`` This option sets the format of the input zone file. Possible formats are ``text`` (the default) and ``raw``. This option is primarily intended to be used for dynamic signed zones, so that the dumped zone file in a non-text format containing updates can be verified independently. This option is not useful for non-dynamic zones. -``-o origin`` +.. option:: -o origin + This option indicates the zone origin. If not specified, the name of the zone file is assumed to be the origin. -``-v level`` +.. option:: -v level + This option sets the debugging level. -``-V`` +.. option:: -V + This option prints version information. -``-q`` - This option sets quiet mode, which suppresses output. Without this option, when ``dnssec-verify`` +.. option:: -q + + This option sets quiet mode, which suppresses output. Without this option, when :program:`dnssec-verify` is run it prints to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly, and other status information. 
With this option, all non-error output is suppressed, and only the exit code indicates success. -``-x`` +.. option:: -x + This option verifies only that the DNSKEY RRset is signed with key-signing keys. Without this flag, it is assumed that the DNSKEY RRset is signed by all active keys. When this flag is set, it is not an error if the DNSKEY RRset is not signed by zone-signing keys. This corresponds - to the ``-x`` option in ``dnssec-signzone``. + to the :option:`-x option in dnssec-signzone `. + +.. option:: -z -``-z`` This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is correctly signed. Without this flag, it is assumed that there is a non-revoked, self-signed DNSKEY with the KSK flag set for each @@ -97,12 +95,13 @@ Options the KSK flag state, and that other RRsets be signed by a non-revoked key for the same algorithm that includes the self-signed key; the same key may be used for both purposes. This corresponds to - the ``-z`` option in ``dnssec-signzone``. + the :option:`-z option in dnssec-signzone `. + +.. option:: zonefile -``zonefile`` This option indicates the file containing the zone to be signed. See Also ~~~~~~~~ -:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`. +:iscman:`dnssec-signzone(8) `, BIND 9 Administrator Reference Manual, :rfc:`4033`. diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 6645c2dc3c..92980a8ca9 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -27,16 +29,18 @@ #include #include #include -#include -#include +#include #include #include +#include +#include #include #include #include #include #include +#include #include #include #include @@ -47,7 +51,6 @@ #include #include #include -#include #include #include @@ -63,7 +66,8 @@ static const char *keystates[KEYSTATES_NVALUES] = { int verbose = 0; bool quiet = false; -uint8_t dtype[8]; +const char *journal = NULL; +dns_dsdigest_t dtype[8]; static fatalcallback_t *fatalcallback = NULL; @@ -79,6 +83,7 @@ fatal(const char *format, ...) { if (fatalcallback != NULL) { (*fatalcallback)(); } + isc__tls_setfatalmode(); exit(1); } @@ -108,7 +113,7 @@ vbprintf(int level, const char *fmt, ...) { void version(const char *name) { - fprintf(stderr, "%s %s\n", name, PACKAGE_VERSION); + printf("%s %s\n", name, PACKAGE_VERSION); exit(0); } @@ -214,7 +219,7 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) { default: fatal("time value %s is invalid", str); } - /* NOTREACHED */ + UNREACHABLE(); break; case 'W': case 'w': @@ -232,14 +237,15 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) { default: fatal("time value %s is invalid", str); } - /* NOTREACHED */ + UNREACHABLE(); return (0); /* silence compiler warning */ } -static inline bool +static bool isnone(const char *str) { return ((strcasecmp(str, "none") == 0) || - (strcasecmp(str, "never") == 0)); + (strcasecmp(str, "never") == 0) || + (strcasecmp(str, "unset") == 0)); } dns_ttl_t @@ -272,7 +278,7 @@ strtokeystate(const char *str) { return ((dst_key_state_t)i); } } - fatal("unknown key state"); + fatal("unknown key state %s", str); } isc_stdtime_t 
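Review bot: `dns_dsdigest_t dtype[8];` in the `@@ -63,7 +66,8 @@` hunk no longer matches the header, which still reads `extern uint8_t dtype[8];` (that line appears only as hunk-header context for dnssectool.h later in this diff, so it does not seem to be touched). If dns_dsdigest_t is a typedef of uint8_t this still compiles and links, but the declaration and the definition should spell the same type; update the header to `extern dns_dsdigest_t dtype[8];` in the same change.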
@@ -282,17 +288,14 @@ strtotime(const char *str, int64_t now, int64_t base, bool *setp) { const char *orig = str; char *endp; size_t n; + struct tm tm; if (isnone(str)) { - if (setp != NULL) { - *setp = false; - } + SET_IF_NOT_NULL(setp, false); return ((isc_stdtime_t)0); } - if (setp != NULL) { - *setp = true; - } + SET_IF_NOT_NULL(setp, true); if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') { return ((isc_stdtime_t)0); @@ -303,11 +306,14 @@ strtotime(const char *str, int64_t now, int64_t base, bool *setp) { * now([+-]offset) * YYYYMMDD([+-]offset) * YYYYMMDDhhmmss([+-]offset) + * Day Mon DD HH:MM:SS YYYY([+-]offset) + * 1234567890([+-]offset) * [+-]offset */ n = strspn(str, "0123456789"); if ((n == 8u || n == 14u) && - (str[n] == '\0' || str[n] == '-' || str[n] == '+')) { + (str[n] == '\0' || str[n] == '-' || str[n] == '+')) + { char timestr[15]; strlcpy(timestr, str, sizeof(timestr)); @@ -322,9 +328,22 @@ strtotime(const char *str, int64_t now, int64_t base, bool *setp) { } base = val; str += n; + } else if (n == 10u && + (str[n] == '\0' || str[n] == '-' || str[n] == '+')) + { + base = strtoll(str, &endp, 0); + str += 10; } else if (strncmp(str, "now", 3) == 0) { base = now; str += 3; + } else if (str[0] >= 'A' && str[0] <= 'Z') { + /* parse ctime() format as written by `dnssec-settime -p` */ + endp = isc_tm_strptime(str, "%a %b %d %H:%M:%S %Y", &tm); + if (endp != str + 24) { + fatal("time value %s is invalid", orig); + } + base = mktime(&tm); + str += 24; } if (str[0] == '\0') { @@ -353,7 +372,7 @@ strtoclass(const char *str) { if (str == NULL) { return (dns_rdataclass_in); } - DE_CONST(str, r.base); + r.base = UNCONST(str); r.length = strlen(str); result = dns_rdataclass_fromtext(&rdclass, &r); if (result != ISC_R_SUCCESS) { 
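Review bot: The new ten-digit branch in the `@@ -322,9 +328,22 @@` hunk calls `strtoll(str, &endp, 0)`, so a zero-padded epoch such as `0123456789` is parsed as octal and stops at the first 8 or 9, yet `str += 10` then assumes all ten digits were consumed; use `base = strtoll(str, &endp, 10);`, since `strspn` has already established exactly ten decimal digits. In the ctime branch, `struct tm tm` (declared uninitialized in the `@@ -282,17 +288,14 @@` hunk) goes to `mktime` after `isc_tm_strptime`; unless that helper clears the fields it does not parse, `tm_isdst` holds garbage and the result can be off by the DST offset, so initialize it with `tm = (struct tm){ .tm_isdst = -1 };` before the call. strtotime begins in the earlier hunk and continues past this one.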
@@ -368,7 +387,7 @@ strtodsdigest(const char *str) { dns_dsdigest_t alg; isc_result_t result; - DE_CONST(str, r.base); + r.base = UNCONST(str); r.length = strlen(str); result = dns_dsdigest_fromtext(&alg, &r); if (result != ISC_R_SUCCESS) { @@ -386,7 +405,7 @@ cmp_dtype(const void *ap, const void *bp) { void add_dtype(unsigned int dt) { - unsigned i, n; + unsigned int i, n; /* ensure there is space for a zero terminator */ n = sizeof(dtype) / sizeof(dtype[0]) - 1; @@ -453,8 +472,7 @@ set_keyversion(dst_key_t *key) { * set the creation date */ if (major < 1 || (major == 1 && minor <= 2)) { - isc_stdtime_t now; - isc_stdtime_get(&now); + isc_stdtime_t now = isc_stdtime_now(); dst_key_settime(key, DST_TIME_CREATED, now); } } @@ -469,9 +487,7 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, uint16_t id, oldid; uint32_t rid, roldid; dns_secalg_t alg; - char filename[NAME_MAX]; - isc_buffer_t fileb; - isc_stdtime_t now; + isc_stdtime_t now = isc_stdtime_now(); if (exact != NULL) { *exact = false; @@ -480,23 +496,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, id = dst_key_id(dstkey); rid = dst_key_rid(dstkey); alg = dst_key_alg(dstkey); - /* - * For Diffie Hellman just check if there is a direct collision as - * they can't be revoked. Additionally dns_dnssec_findmatchingkeys - * only handles DNSKEY which is not used for HMAC. - */ - if (alg == DST_ALG_DH) { - isc_buffer_init(&fileb, filename, sizeof(filename)); - result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir, - &fileb); - if (result != ISC_R_SUCCESS) { - return (true); - } - return (isc_file_exists(filename)); - } ISC_LIST_INIT(matchkeys); - isc_stdtime_get(&now); result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys); if (result == ISC_R_NOTFOUND) { return (false); 
@@ -562,3 +563,41 @@ isoptarg(const char *arg, char **argv, void (*usage)(void)) { } return (false); } + +void +loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file) { + dns_journal_t *jnl = NULL; + isc_result_t result; + + result = dns_journal_open(mctx, file, DNS_JOURNAL_READ, &jnl); + if (result == ISC_R_NOTFOUND) { + fprintf(stderr, "%s: journal file %s not found\n", program, + file); + goto cleanup; + } else if (result != ISC_R_SUCCESS) { + fatal("unable to open journal %s: %s\n", file, + isc_result_totext(result)); + } + + if (dns_journal_empty(jnl)) { + dns_journal_destroy(&jnl); + return; + } + + result = dns_journal_rollforward(jnl, db, 0); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_UPTODATE: + break; + + case ISC_R_NOTFOUND: + case ISC_R_RANGE: + fatal("journal %s out of sync with zone", file); + + default: + fatal("journal %s: %s\n", file, isc_result_totext(result)); + } + +cleanup: + dns_journal_destroy(&jnl); +} diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 04c81c1a56..5bc69cd14d 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,15 +11,13 @@ * information regarding copyright ownership. */ -#ifndef DNSSECTOOL_H -#define DNSSECTOOL_H 1 +#pragma once #include #include #include #include -#include #include #include @@ -32,6 +32,9 @@ extern bool quiet; /*! program name, statically initialized in each program */ extern const char *program; +/*! journal file */ +extern const char *journal; + /*! * List of DS digest types used by dnssec-cds and dnssec-dsfromkey, * defined in dnssectool.c. Filled in by add_dtype() from -a 
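Review bot: On the ISC_R_NOTFOUND path in loadjournal the `goto cleanup` reaches `dns_journal_destroy(&jnl)` with `jnl` still NULL, because the open never succeeded; if dns_journal_destroy validates its argument the way the other libdns destructors do, a missing journal becomes an assertion failure instead of the warning the fprintf intends. Guard the cleanup with `if (jnl != NULL) { dns_journal_destroy(&jnl); }`, or return directly after printing the message. The `case ISC_R_RANGE:` arm falls into `default:` only because fatal() is declared noreturn; a short comment saying so would make that intent visible.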
@@ -43,12 +46,8 @@ extern uint8_t dtype[8]; typedef void(fatalcallback_t)(void); -#ifndef CPPCHECK -ISC_NORETURN void +noreturn void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); -#else /* CPPCHECK */ -#define fatal(...) exit(1) -#endif void setfatalcallback(fatalcallback_t *callback); @@ -59,7 +58,7 @@ check_result(isc_result_t result, const char *message); void vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3); -ISC_NORETURN void +noreturn void version(const char *program); void @@ -107,4 +106,5 @@ key_collision(dst_key_t *key, dns_name_t *name, const char *dir, bool isoptarg(const char *arg, char **argv, void (*usage)(void)); -#endif /* DNSSEC_DNSSECTOOL_H */ +void +loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal); diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am index bd276c96c7..291bab5e2a 100644 --- a/bin/named/Makefile.am +++ b/bin/named/Makefile.am @@ -7,13 +7,13 @@ AM_CPPFLAGS += \ $(LIBNS_CFLAGS) \ $(LIBISCCC_CFLAGS) \ $(LIBISCCFG_CFLAGS) \ - $(LIBBIND9_CFLAGS) \ $(OPENSSL_CFLAGS) \ $(LIBCAP_CFLAGS) \ $(LMDB_CFLAGS) \ $(MAXMINDDB_CFLAGS) \ $(DNSTAP_CFLAGS) \ $(LIBUV_CFLAGS) \ + $(LIBSYSTEMD_CFLAGS) \ $(ZLIB_CFLAGS) if HAVE_JSON_C @@ -21,6 +21,11 @@ AM_CPPFLAGS += \ $(JSON_C_CFLAGS) endif HAVE_JSON_C +if HAVE_LIBNGHTTP2 +AM_CPPFLAGS += \ + $(LIBNGHTTP2_CFLAGS) +endif HAVE_LIBNGHTTP2 + if HAVE_LIBXML2 AM_CPPFLAGS += \ $(LIBXML2_CFLAGS) @@ -33,8 +38,8 @@ AM_CPPFLAGS += \ sbin_PROGRAMS = named nodist_named_SOURCES = xsl.c -BUILT_SOURCES = xsl.c -CLEANFILES = xsl.c +BUILT_SOURCES += xsl.c +CLEANFILES += xsl.c EXTRA_DIST = bind9.xsl @@ -42,7 +47,7 @@ xsl.c: bind9.xsl Makefile (echo 'const char xslmsg[] =' && \ $(SED) -e 's,\",\\\",g' \ -e 's,^,\",' \ - -e 's,$$,\",' && \ + -e 's,$$,\\n\",' && \ echo ";") \ < "${srcdir}/bind9.xsl" > $@ 
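Review bot: The new prototype `loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);` names its last parameter `journal`, which is also the file-scope `extern const char *journal;` added a few lines above in this header, while the definition in dnssectool.c calls the same parameter `file`. Shadowing a global in a prototype is harmless to the compiler but invites confusion and -Wshadow noise on some toolchains; name it as the definition does: `loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file);`.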
@@ -97,14 +102,13 @@ named_LDADD = \ $(LIBNS_LIBS) \ $(LIBISCCC_LIBS) \ $(LIBISCCFG_LIBS) \ - $(LIBBIND9_LIBS) \ $(OPENSSL_LIBS) \ $(LIBCAP_LIBS) \ $(LMDB_LIBS) \ $(MAXMINDDB_LIBS) \ $(DNSTAP_LIBS) \ $(LIBUV_LIBS) \ - $(LIBXML2_LIBS) \ + $(LIBSYSTEMD_LIBS) \ $(ZLIB_LIBS) if HAVE_JSON_C @@ -112,5 +116,12 @@ named_LDADD += \ $(JSON_C_LIBS) endif HAVE_JSON_C -MAINTAINERCLEANFILES = \ - named.conf.rst +if HAVE_LIBNGHTTP2 +named_LDADD += \ + $(LIBNGHTTP2_LIBS) +endif HAVE_LIBNGHTTP2 + +if HAVE_LIBXML2 +named_LDADD += \ + $(LIBXML2_LIBS) +endif HAVE_LIBXML2 diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl index 5078115f27..91f59440d2 100644 --- a/bin/named/bind9.xsl +++ b/bin/named/bind9.xsl @@ -2,6 +2,7 @@ + + @@ -153,29 +156,6 @@ background-color: #99ddff; } - table.tasks { - border: 1px solid grey; - width: 500px; - } - table.tasks th { - text-align: center; - border: 1px solid grey; - width: 150px; - } - table.tasks td { - text-align: right; - font-family: monospace; - } - table.tasks td:nth-child(2) { - text-align: center; - } - table.tasks td:nth-child(4) { - text-align: center; - } - table.tasks tr:hover{ - background-color: #99ddff; - } - table.netstat { border: 1px solid grey; width: 500px; @@ -324,7 +304,6 @@ Server, Zones, Network, - Tasks, Memory and Traffic Size


@@ -928,134 +907,6 @@ - -

Network Status

- - - - - - - - - - - - - - - even - odd - - - - - - - - - - - - -
IDNameTypeReferencesLocalAddressPeerAddressState
- - - - - - - - - - - - - - - -
-
-
- -

Task Manager Configuration

- - - - - - - - - - - - - - - - - - - - - -
Thread-Model - -
Worker Threads - -
Default Quantum - -
Tasks Running - -
Tasks Ready - -
-
-
- -

Tasks

- - - - - - - - - - - - - - even - odd - - - - - - - - - - - -
IDNameReferencesStateQuantumEvents
- - - - - - - - - - - -
-
-

Memory Usage Summary

@@ -1085,12 +936,7 @@ - - - - - @@ -1113,24 +959,9 @@ - - - - - diff --git a/bin/named/builtin.c b/bin/named/builtin.c index c2bbc59655..1f46f0ad4f 100644 --- a/bin/named/builtin.c +++ b/bin/named/builtin.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -17,65 +19,217 @@ #include #include +#include #include -#include #include #include -#include -#include +#include +#include +#include +#include +#include #include #include #include #include -typedef struct builtin builtin_t; +#define BDBNODE_MAGIC ISC_MAGIC('B', 'D', 'B', 'N') +#define VALID_BDBNODE(bdbl) ISC_MAGIC_VALID(bdbl, BDBNODE_MAGIC) + +/*% + * Note that "impmagic" is not the first four bytes of the struct, so + * ISC_MAGIC_VALID cannot be used here. + */ +#define BDB_MAGIC ISC_MAGIC('B', 'D', 'B', '-') +#define VALID_BDB(bdb) ((bdb) != NULL && (bdb)->common.impmagic == BDB_MAGIC) + +#define BDB_DNS64 0x00000001U + +typedef struct bdbimplementation { + unsigned int flags; + dns_dbimplementation_t *dbimp; +} bdbimplementation_t; + +typedef struct bdbnode bdbnode_t; +typedef struct bdb { + dns_db_t common; + bdbimplementation_t *implementation; + isc_result_t (*lookup)(bdbnode_t *node); + char *server; + char *contact; +} bdb_t; + +struct bdbnode { + unsigned int magic; + isc_refcount_t references; + bdb_t *bdb; + ISC_LIST(dns_rdatalist_t) lists; + ISC_LIST(isc_buffer_t) buffers; + dns_name_t *name; + ISC_LINK(bdbnode_t) link; + dns_rdatacallbacks_t callbacks; +}; + +typedef struct bdb_rdatasetiter { + dns_rdatasetiter_t common; + dns_rdatalist_t *current; +} bdb_rdatasetiter_t; static isc_result_t -do_authors_lookup(dns_sdblookup_t *lookup); -static isc_result_t -do_dns64_lookup(dns_sdblookup_t *lookup); -static isc_result_t -do_empty_lookup(dns_sdblookup_t *lookup); -static isc_result_t -do_hostname_lookup(dns_sdblookup_t *lookup); -static isc_result_t -do_id_lookup(dns_sdblookup_t *lookup); +findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset DNS__DB_FLARG); + +static void +attachnode(dns_db_t *db, dns_dbnode_t *source, + dns_dbnode_t **targetp DNS__DB_FLARG); + +static void +detachnode(dns_db_t *db, 
dns_dbnode_t **nodep DNS__DB_FLARG); + +/* + * Helper functions to convert text to wire forma. + */ static isc_result_t -do_ipv4only_lookup(dns_sdblookup_t *lookup); +putrdata(bdbnode_t *node, dns_rdatatype_t typeval, dns_ttl_t ttl, + const unsigned char *rdatap, unsigned int rdlen) { + dns_rdatalist_t *rdatalist = NULL; + dns_rdata_t *rdata = NULL; + isc_buffer_t *rdatabuf = NULL; + isc_mem_t *mctx = NULL; + isc_region_t region; + + mctx = node->bdb->common.mctx; + + rdatalist = ISC_LIST_HEAD(node->lists); + while (rdatalist != NULL) { + if (rdatalist->type == typeval) { + break; + } + rdatalist = ISC_LIST_NEXT(rdatalist, link); + } + + if (rdatalist == NULL) { + rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t)); + dns_rdatalist_init(rdatalist); + rdatalist->rdclass = node->bdb->common.rdclass; + rdatalist->type = typeval; + rdatalist->ttl = ttl; + ISC_LIST_APPEND(node->lists, rdatalist, link); + } else if (rdatalist->ttl != ttl) { + return (DNS_R_BADTTL); + } + + rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); + + isc_buffer_allocate(mctx, &rdatabuf, rdlen); + region.base = UNCONST(rdatap); + region.length = rdlen; + isc_buffer_copyregion(rdatabuf, ®ion); + isc_buffer_usedregion(rdatabuf, ®ion); + dns_rdata_init(rdata); + dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type, + ®ion); + ISC_LIST_APPEND(rdatalist->rdata, rdata, link); + ISC_LIST_APPEND(node->buffers, rdatabuf, link); + + return (ISC_R_SUCCESS); +} + static isc_result_t -do_ipv4reverse_lookup(dns_sdblookup_t *lookup); +putrr(bdbnode_t *node, const char *type, dns_ttl_t ttl, const char *data) { + isc_result_t result; + dns_rdatatype_t typeval; + isc_lex_t *lex = NULL; + isc_mem_t *mctx = NULL; + const dns_name_t *origin = NULL; + isc_buffer_t *rb = NULL; + isc_buffer_t b; + + REQUIRE(VALID_BDBNODE(node)); + REQUIRE(type != NULL); + REQUIRE(data != NULL); + + mctx = node->bdb->common.mctx; + origin = &node->bdb->common.origin; + + isc_constregion_t r = { .base = type, .length = 
strlen(type) }; + result = dns_rdatatype_fromtext(&typeval, (isc_textregion_t *)&r); + if (result != ISC_R_SUCCESS) { + return (result); + } + + isc_lex_create(mctx, 64, &lex); + + size_t datalen = strlen(data); + isc_buffer_constinit(&b, data, datalen); + isc_buffer_add(&b, datalen); + + result = isc_lex_openbuffer(lex, &b); + if (result != ISC_R_SUCCESS) { + return (result); + } + + isc_buffer_allocate(mctx, &rb, DNS_RDATA_MAXLENGTH); + result = dns_rdata_fromtext(NULL, node->bdb->common.rdclass, typeval, + lex, origin, 0, mctx, rb, &node->callbacks); + isc_lex_destroy(&lex); + + if (result == ISC_R_SUCCESS) { + result = putrdata(node, typeval, ttl, isc_buffer_base(rb), + isc_buffer_usedlength(rb)); + } + + isc_buffer_free(&rb); + + return (result); +} + +/* Reasonable default SOA values */ +#define DEFAULT_REFRESH 28800U /* 8 hours */ +#define DEFAULT_RETRY 7200U /* 2 hours */ +#define DEFAULT_EXPIRE 604800U /* 7 days */ +#define DEFAULT_MINIMUM 86400U /* 1 day */ +#define DEFAULT_TTL (60 * 60 * 24) + static isc_result_t -do_version_lookup(dns_sdblookup_t *lookup); +putsoa(bdbnode_t *node, const char *mname, const char *rname, uint32_t serial) { + char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7]; + int n; -/* - * We can't use function pointers as the db_data directly - * because ANSI C does not guarantee that function pointers - * can safely be cast to void pointers and back. 
- */ + REQUIRE(mname != NULL); + REQUIRE(rname != NULL); -struct builtin { - isc_result_t (*do_lookup)(dns_sdblookup_t *lookup); - char *server; - char *contact; -}; + n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u", mname, rname, + serial, DEFAULT_REFRESH, DEFAULT_RETRY, DEFAULT_EXPIRE, + DEFAULT_MINIMUM); + if (n >= (int)sizeof(str) || n < 0) { + return (ISC_R_NOSPACE); + } + return (putrr(node, "SOA", DEFAULT_TTL, str)); +} -static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL }; -static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL }; -static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL }; -static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL }; -static builtin_t id_builtin = { do_id_lookup, NULL, NULL }; -static builtin_t ipv4only_builtin = { do_ipv4only_lookup, NULL, NULL }; -static builtin_t ipv4reverse_builtin = { do_ipv4reverse_lookup, NULL, NULL }; -static builtin_t version_builtin = { do_version_lookup, NULL, NULL }; +static isc_result_t +puttxt(bdbnode_t *node, const char *text) { + unsigned char buf[256]; + unsigned int len = strlen(text); -static dns_sdbimplementation_t *builtin_impl; -static dns_sdbimplementation_t *dns64_impl; + if (len > 255) { + len = 255; /* Silently truncate */ + } + buf[0] = len; + memmove(&buf[1], text, len); + return (putrdata(node, dns_rdatatype_txt, 0, buf, len + 1)); +} /* - * Pre computed HEX * 16 or 1 table. + * Builtin database implementation functions. */ + +/* Precomputed HEX * 16 or 1 table. */ static const unsigned char hex16[256] = { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*00*/ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*10*/ 
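Review bot: putrr leaks the lexer on the `isc_lex_openbuffer` failure path: `isc_lex_create(mctx, 64, &lex)` has already run, but the `if (result != ISC_R_SUCCESS) { return (result); }` that follows returns without destroying it, and `isc_lex_destroy(&lex)` is only reached after dns_rdata_fromtext. Change that early return to `isc_lex_destroy(&lex); return (result);`. Separately, the comment above putrdata reads "wire forma" and should say "wire format".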
@@ -129,8 +283,7 @@ dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) { } static isc_result_t -dns64_cname(const dns_name_t *zone, const dns_name_t *name, - dns_sdblookup_t *lookup) { +dns64_cname(const dns_name_t *zone, const dns_name_t *name, bdbnode_t *node) { size_t zlen, nlen, j, len; unsigned char v[16], n; unsigned int i; @@ -151,13 +304,6 @@ dns64_cname(const dns_name_t *zone, const dns_name_t *name, return (ISC_R_NOTFOUND); } - /* - * We assume the zone name is well formed. - */ - - /* - * XXXMPA We could check the dns64 suffix here if we need to. - */ /* * Check that name is a series of nibbles. * Compute the byte values that correspond to the nibbles as we go. 
@@ -301,95 +447,87 @@ dns64_cname(const dns_name_t *zone, const dns_name_t *name, * Reverse of 192.0.0.170 or 192.0.0.171 maps to ipv4only.arpa. */ if ((v[0] == 170 || v[0] == 171) && v[1] == 0 && v[2] == 0 && - v[3] == 192) { - return (dns_sdb_putrdata(lookup, dns_rdatatype_ptr, 3600, - ipv4only, sizeof(ipv4only))); + v[3] == 192) + { + return (putrdata(node, dns_rdatatype_ptr, 3600, ipv4only, + sizeof(ipv4only))); } - return (dns_sdb_putrdata(lookup, dns_rdatatype_cname, 600, rdata, - (unsigned int)len)); + return (putrdata(node, dns_rdatatype_cname, 600, rdata, + (unsigned int)len)); } static isc_result_t -builtin_lookup(const char *zone, const char *name, void *dbdata, - dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo) { - builtin_t *b = (builtin_t *)dbdata; - - UNUSED(zone); - UNUSED(methods); - UNUSED(clientinfo); - - if (strcmp(name, "@") == 0) { - return (b->do_lookup(lookup)); +builtin_lookup(bdb_t *bdb, const dns_name_t *name, bdbnode_t *node) { + if (name->labels == 0 && name->length == 0) { + return (bdb->lookup(node)); + } else if ((node->bdb->implementation->flags & BDB_DNS64) != 0) { + return (dns64_cname(&bdb->common.origin, name, node)); } else { return (ISC_R_NOTFOUND); } } static isc_result_t -dns64_lookup(const dns_name_t *zone, const dns_name_t *name, void *dbdata, - dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo) { - builtin_t *b = (builtin_t *)dbdata; +builtin_authority(bdb_t *bdb, bdbnode_t *node) { + isc_result_t result; + const char *contact = "hostmaster"; + const char *server = "@"; - UNUSED(methods); - UNUSED(clientinfo); + if (bdb->server != NULL) { + server = bdb->server; + } + if (bdb->contact != NULL) { + contact = bdb->contact; + } - if (name->labels == 0 && name->length == 0) { - return (b->do_lookup(lookup)); - } else { - return (dns64_cname(zone, name, lookup)); + result = putsoa(node, server, contact, 0); + if (result != ISC_R_SUCCESS) { + 
return (ISC_R_FAILURE); } -} -static isc_result_t -put_txt(dns_sdblookup_t *lookup, const char *text) { - unsigned char buf[256]; - unsigned int len = strlen(text); - if (len > 255) { - len = 255; /* Silently truncate */ + result = putrr(node, "NS", 0, server); + if (result != ISC_R_SUCCESS) { + return (ISC_R_FAILURE); } - buf[0] = len; - memmove(&buf[1], text, len); - return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1)); + + return (ISC_R_SUCCESS); } static isc_result_t -do_version_lookup(dns_sdblookup_t *lookup) { +version_lookup(bdbnode_t *node) { if (named_g_server->version_set) { if (named_g_server->version == NULL) { return (ISC_R_SUCCESS); } else { - return (put_txt(lookup, named_g_server->version)); + return (puttxt(node, named_g_server->version)); } } else { - return (put_txt(lookup, PACKAGE_VERSION)); + return (puttxt(node, PACKAGE_VERSION)); } } static isc_result_t -do_hostname_lookup(dns_sdblookup_t *lookup) { +hostname_lookup(bdbnode_t *node) { if (named_g_server->hostname_set) { if (named_g_server->hostname == NULL) { return (ISC_R_SUCCESS); } else { - return (put_txt(lookup, named_g_server->hostname)); + return (puttxt(node, named_g_server->hostname)); } } else { char buf[256]; - isc_result_t result = named_os_gethostname(buf, sizeof(buf)); - if (result != ISC_R_SUCCESS) { - return (result); + if (gethostname(buf, sizeof(buf)) != 0) { + return (ISC_R_FAILURE); } - return (put_txt(lookup, buf)); + return (puttxt(node, buf)); } } static isc_result_t -do_authors_lookup(dns_sdblookup_t *lookup) { +authors_lookup(bdbnode_t *node) { isc_result_t result; - const char **p; + const char **p = NULL; static const char *authors[] = { "Mark Andrews", "Curtis Blackburn", "James Brister", "Ben Cottrell", "John H. DuBois III", "Francis Dupont", 
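Review bot: hostname_lookup now calls `gethostname(buf, sizeof(buf))` straight into a 256-byte buffer and hands it to puttxt, which runs strlen on it; POSIX leaves it unspecified whether a truncated name is NUL-terminated, and the named_os_gethostname wrapper this replaces presumably dealt with that. Add `buf[sizeof(buf) - 1] = '\0';` after the call, and the same in id_lookup in the `@@ -417,43 +555,34 @@` hunk, which has the identical pattern. In builtin_lookup, `node->bdb->implementation->flags` reaches the implementation through the node although `bdb` is the parameter in hand; `bdb->implementation->flags` reads more directly.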
@@ -408,7 +546,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) { } for (p = authors; *p != NULL; p++) { - result = put_txt(lookup, *p); + result = puttxt(node, *p); if (result != ISC_R_SUCCESS) { return (result); } @@ -417,43 +555,34 @@ do_authors_lookup(dns_sdblookup_t *lookup) { } static isc_result_t -do_id_lookup(dns_sdblookup_t *lookup) { - if (named_g_server->sctx->gethostname != NULL) { +id_lookup(bdbnode_t *node) { + if (named_g_server->sctx->usehostname) { char buf[256]; - isc_result_t result; - - result = named_g_server->sctx->gethostname(buf, sizeof(buf)); - if (result != ISC_R_SUCCESS) { - return (result); + if (gethostname(buf, sizeof(buf)) != 0) { + return (ISC_R_FAILURE); } - return (put_txt(lookup, buf)); + return (puttxt(node, buf)); } else if (named_g_server->sctx->server_id != NULL) { - return (put_txt(lookup, named_g_server->sctx->server_id)); + return (puttxt(node, named_g_server->sctx->server_id)); } else { return (ISC_R_SUCCESS); } } static isc_result_t -do_dns64_lookup(dns_sdblookup_t *lookup) { - UNUSED(lookup); - return (ISC_R_SUCCESS); -} +empty_lookup(bdbnode_t *node) { + UNUSED(node); -static isc_result_t -do_empty_lookup(dns_sdblookup_t *lookup) { - UNUSED(lookup); return (ISC_R_SUCCESS); } static isc_result_t -do_ipv4only_lookup(dns_sdblookup_t *lookup) { +ipv4only_lookup(bdbnode_t *node) { isc_result_t result; unsigned char data[2][4] = { { 192, 0, 0, 170 }, { 192, 0, 0, 171 } }; for (int i = 0; i < 2; i++) { - result = dns_sdb_putrdata(lookup, dns_rdatatype_a, 3600, - data[i], 4); + result = putrdata(node, dns_rdatatype_a, 3600, data[i], 4); if (result != ISC_R_SUCCESS) { return (result); } 
@@ -462,191 +591,699 @@ do_ipv4only_lookup(dns_sdblookup_t *lookup) { } static isc_result_t -do_ipv4reverse_lookup(dns_sdblookup_t *lookup) { +ipv4reverse_lookup(bdbnode_t *node) { isc_result_t result; - result = dns_sdb_putrdata(lookup, dns_rdatatype_ptr, 3600, ipv4only, - sizeof(ipv4only)); + result = putrdata(node, dns_rdatatype_ptr, 3600, ipv4only, + sizeof(ipv4only)); return (result); } +/* + * Rdataset implementation methods. An rdataset in the builtin databases is + * implemented as an rdatalist which holds a reference to the dbnode, + * to prevent the node being freed while the rdataset is still in use, so + * we need local implementations of clone and disassociate but the rest of + * the implementation can be the same as dns_rdatalist.. + */ +static void +disassociate(dns_rdataset_t *rdataset DNS__DB_FLARG) { + dns_dbnode_t *node = rdataset->rdlist.node; + bdbnode_t *bdbnode = (bdbnode_t *)node; + dns_db_t *db = (dns_db_t *)bdbnode->bdb; + + detachnode(db, &node DNS__DB_FLARG_PASS); + dns_rdatalist_disassociate(rdataset DNS__DB_FLARG_PASS); +} + +static void +rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target DNS__DB_FLARG) { + dns_dbnode_t *node = source->rdlist.node; + bdbnode_t *bdbnode = (bdbnode_t *)node; + dns_db_t *db = (dns_db_t *)bdbnode->bdb; + + dns_rdatalist_clone(source, target DNS__DB_FLARG_PASS); + attachnode(db, node, &target->rdlist.node DNS__DB_FLARG_PASS); +} + +static dns_rdatasetmethods_t bdb_rdataset_methods = { + .disassociate = disassociate, + .first = dns_rdatalist_first, + .next = dns_rdatalist_next, + .current = dns_rdatalist_current, + .clone = rdataset_clone, + .count = dns_rdatalist_count, + .addnoqname = dns_rdatalist_addnoqname, + .getnoqname = dns_rdatalist_getnoqname, +}; + +static void +new_rdataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node, + dns_rdataset_t *rdataset) { + dns_rdatalist_tordataset(rdatalist, rdataset); + + rdataset->methods = &bdb_rdataset_methods; + dns_db_attachnode(db, 
node, &rdataset->rdlist.node); +} + +/* + * Rdataset iterator methods + */ + +static void +rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp DNS__DB_FLARG) { + bdb_rdatasetiter_t *bdbiterator = (bdb_rdatasetiter_t *)(*iteratorp); + detachnode(bdbiterator->common.db, + &bdbiterator->common.node DNS__DB_FLARG_PASS); + isc_mem_put(bdbiterator->common.db->mctx, bdbiterator, + sizeof(bdb_rdatasetiter_t)); + *iteratorp = NULL; +} + static isc_result_t -builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) { - isc_result_t result; - const char *contact = "hostmaster"; - const char *server = "@"; - builtin_t *b = (builtin_t *)dbdata; +rdatasetiter_first(dns_rdatasetiter_t *iterator DNS__DB_FLARG) { + bdb_rdatasetiter_t *bdbiterator = (bdb_rdatasetiter_t *)iterator; + bdbnode_t *bdbnode = (bdbnode_t *)iterator->node; - UNUSED(zone); - UNUSED(dbdata); + if (ISC_LIST_EMPTY(bdbnode->lists)) { + return (ISC_R_NOMORE); + } + bdbiterator->current = ISC_LIST_HEAD(bdbnode->lists); + return (ISC_R_SUCCESS); +} - if (b == &empty_builtin) { - server = "."; - contact = "."; +static isc_result_t +rdatasetiter_next(dns_rdatasetiter_t *iterator DNS__DB_FLARG) { + bdb_rdatasetiter_t *bdbiterator = (bdb_rdatasetiter_t *)iterator; + + bdbiterator->current = ISC_LIST_NEXT(bdbiterator->current, link); + if (bdbiterator->current == NULL) { + return (ISC_R_NOMORE); } else { - if (b->server != NULL) { - server = b->server; - } - if (b->contact != NULL) { - contact = b->contact; + return (ISC_R_SUCCESS); + } +} + +static void +rdatasetiter_current(dns_rdatasetiter_t *iterator, + dns_rdataset_t *rdataset DNS__DB_FLARG) { + bdb_rdatasetiter_t *bdbiterator = (bdb_rdatasetiter_t *)iterator; + + new_rdataset(bdbiterator->current, iterator->db, iterator->node, + rdataset); +} + +static dns_rdatasetitermethods_t rdatasetiter_methods = { + rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next, + rdatasetiter_current +}; + +/* + * Database implementation methods + */ +static 
void +destroy(dns_db_t *db) { + bdb_t *bdb = (bdb_t *)db; + isc_refcount_destroy(&bdb->common.references); + + if (bdb->server != NULL) { + isc_mem_free(named_g_mctx, bdb->server); + } + if (bdb->contact != NULL) { + isc_mem_free(named_g_mctx, bdb->contact); + } + + bdb->common.magic = 0; + bdb->common.impmagic = 0; + + dns_name_free(&bdb->common.origin, bdb->common.mctx); + + isc_mem_putanddetach(&bdb->common.mctx, bdb, sizeof(bdb_t)); +} + +/* + * A dummy 'version' value is used so that dns_db_createversion() + * can return a non-NULL version to the caller, but there can only be + * one version of these databases, so the version value is never used. + */ +static int dummy; + +static void +currentversion(dns_db_t *db, dns_dbversion_t **versionp) { + bdb_t *bdb = (bdb_t *)db; + + REQUIRE(VALID_BDB(bdb)); + + *versionp = (void *)&dummy; + return; +} + +static void +attachversion(dns_db_t *db, dns_dbversion_t *source, + dns_dbversion_t **targetp) { + bdb_t *bdb = (bdb_t *)db; + + REQUIRE(VALID_BDB(bdb)); + REQUIRE(source != NULL && source == (void *)&dummy); + REQUIRE(targetp != NULL && *targetp == NULL); + + *targetp = source; + return; +} + +static void +closeversion(dns_db_t *db, dns_dbversion_t **versionp, + bool commit DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + + REQUIRE(VALID_BDB(bdb)); + REQUIRE(versionp != NULL && *versionp == (void *)&dummy); + REQUIRE(!commit); + + *versionp = NULL; +} + +static isc_result_t +createnode(bdb_t *bdb, bdbnode_t **nodep) { + bdbnode_t *node = NULL; + + REQUIRE(VALID_BDB(bdb)); + + node = isc_mem_get(bdb->common.mctx, sizeof(bdbnode_t)); + *node = (bdbnode_t){ + .lists = ISC_LIST_INITIALIZER, + .buffers = ISC_LIST_INITIALIZER, + .link = ISC_LINK_INITIALIZER, + }; + + dns_db_attach((dns_db_t *)bdb, (dns_db_t **)&node->bdb); + dns_rdatacallbacks_init(&node->callbacks); + + isc_refcount_init(&node->references, 1); + node->magic = BDBNODE_MAGIC; + + *nodep = node; + return (ISC_R_SUCCESS); +} + +static void 
+destroynode(bdbnode_t *node) { + dns_rdatalist_t *list = NULL; + dns_rdata_t *rdata = NULL; + isc_buffer_t *b = NULL; + bdb_t *bdb = NULL; + isc_mem_t *mctx = NULL; + + bdb = node->bdb; + mctx = bdb->common.mctx; + + while (!ISC_LIST_EMPTY(node->lists)) { + list = ISC_LIST_HEAD(node->lists); + while (!ISC_LIST_EMPTY(list->rdata)) { + rdata = ISC_LIST_HEAD(list->rdata); + ISC_LIST_UNLINK(list->rdata, rdata, link); + isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); } + ISC_LIST_UNLINK(node->lists, list, link); + isc_mem_put(mctx, list, sizeof(dns_rdatalist_t)); } - result = dns_sdb_putsoa(lookup, server, contact, 0); + while (!ISC_LIST_EMPTY(node->buffers)) { + b = ISC_LIST_HEAD(node->buffers); + ISC_LIST_UNLINK(node->buffers, b, link); + isc_buffer_free(&b); + } + + if (node->name != NULL) { + dns_name_free(node->name, mctx); + isc_mem_put(mctx, node->name, sizeof(dns_name_t)); + } + + node->magic = 0; + isc_mem_put(mctx, node, sizeof(bdbnode_t)); + dns_db_detach((dns_db_t **)(void *)&bdb); +} + +static isc_result_t +getoriginnode(dns_db_t *db, dns_dbnode_t **nodep DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + bdbnode_t *node = NULL; + isc_result_t result; + dns_name_t relname; + dns_name_t *name = NULL; + + REQUIRE(VALID_BDB(bdb)); + REQUIRE(nodep != NULL && *nodep == NULL); + + dns_name_init(&relname, NULL); + name = &relname; + + result = createnode(bdb, &node); if (result != ISC_R_SUCCESS) { - return (ISC_R_FAILURE); + return (result); + } + + result = builtin_lookup(bdb, name, node); + if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { + destroynode(node); + return (result); } - result = dns_sdb_putrr(lookup, "ns", 0, server); + result = builtin_authority(bdb, node); if (result != ISC_R_SUCCESS) { - return (ISC_R_FAILURE); + destroynode(node); + return (result); } + *nodep = node; return (ISC_R_SUCCESS); } static isc_result_t -builtin_create(const char *zone, int argc, char **argv, void *driverdata, - void **dbdata) { - REQUIRE(argc >= 1); 
+findnode(dns_db_t *db, const dns_name_t *name, bool create, + dns_dbnode_t **nodep DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + bdbnode_t *node = NULL; + isc_result_t result; + bool isorigin; + dns_name_t relname; + unsigned int labels; - UNUSED(zone); - UNUSED(driverdata); + REQUIRE(VALID_BDB(bdb)); + REQUIRE(nodep != NULL && *nodep == NULL); - if (strcmp(argv[0], "dns64") == 0 || strcmp(argv[0], "empty") == 0 || - strcmp(argv[0], "ipv4only") == 0 || - strcmp(argv[0], "ipv4reverse") == 0) - { - if (argc != 3) { - return (DNS_R_SYNTAX); - } - } else if (argc != 1) { - return (DNS_R_SYNTAX); + UNUSED(create); + + isorigin = dns_name_equal(name, &bdb->common.origin); + + labels = dns_name_countlabels(name) - dns_name_countlabels(&db->origin); + dns_name_init(&relname, NULL); + dns_name_getlabelsequence(name, 0, labels, &relname); + name = &relname; + + result = createnode(bdb, &node); + if (result != ISC_R_SUCCESS) { + return (result); } - if (strcmp(argv[0], "authors") == 0) { - *dbdata = &authors_builtin; - } else if (strcmp(argv[0], "hostname") == 0) { - *dbdata = &hostname_builtin; - } else if (strcmp(argv[0], "id") == 0) { - *dbdata = &id_builtin; - } else if (strcmp(argv[0], "version") == 0) { - *dbdata = &version_builtin; - } else if (strcmp(argv[0], "dns64") == 0 || - strcmp(argv[0], "empty") == 0 || - strcmp(argv[0], "ipv4only") == 0 || - strcmp(argv[0], "ipv4reverse") == 0) + result = builtin_lookup(bdb, name, node); + if (result != ISC_R_SUCCESS && (!isorigin || result != ISC_R_NOTFOUND)) { - builtin_t *empty; - char *server; - char *contact; + destroynode(node); + return (result); + } - if (argc != 3) { - return (DNS_R_SYNTAX); + if (isorigin) { + result = builtin_authority(bdb, node); + if (result != ISC_R_SUCCESS) { + destroynode(node); + return (result); } + } + *nodep = node; + return (ISC_R_SUCCESS); +} + +static isc_result_t +find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + dns_rdatatype_t type, unsigned int options, 
isc_stdtime_t now, + dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_fixedname_t fname; + dns_rdataset_t xrdataset; + dns_name_t *xname = NULL; + unsigned int nlabels, olabels, i; + bool dns64; + + REQUIRE(VALID_BDB(bdb)); + REQUIRE(nodep == NULL || *nodep == NULL); + REQUIRE(version == NULL || version == (void *)&dummy); + + if (!dns_name_issubdomain(name, &db->origin)) { + return (DNS_R_NXDOMAIN); + } + + olabels = dns_name_countlabels(&db->origin); + nlabels = dns_name_countlabels(name); + + xname = dns_fixedname_initname(&fname); + + if (rdataset == NULL) { + dns_rdataset_init(&xrdataset); + rdataset = &xrdataset; + } + + result = DNS_R_NXDOMAIN; + dns64 = ((bdb->implementation->flags & BDB_DNS64) != 0); + for (i = (dns64 ? nlabels : olabels); i <= nlabels; i++) { /* - * We don't want built-in zones to fail. Fallback to - * the static configuration if memory allocation fails. + * Look up the next label. */ - empty = isc_mem_get(named_g_mctx, sizeof(*empty)); - server = isc_mem_strdup(named_g_mctx, argv[1]); - contact = isc_mem_strdup(named_g_mctx, argv[2]); - if (empty == NULL || server == NULL || contact == NULL) { - if (strcmp(argv[0], "dns64") == 0) { - *dbdata = &dns64_builtin; - } else if (strcmp(argv[0], "empty") == 0) { - *dbdata = &empty_builtin; - } else if (strcmp(argv[0], "ipv4only") == 0) { - *dbdata = &ipv4only_builtin; - } else { - *dbdata = &ipv4reverse_builtin; + dns_name_getlabelsequence(name, nlabels - i, i, xname); + result = findnode(db, xname, false, &node DNS__DB_FLARG_PASS); + if (result == ISC_R_NOTFOUND) { + /* + * No data at zone apex? 
+ */ + if (i == olabels) { + return (DNS_R_BADDB); } - if (server != NULL) { - isc_mem_free(named_g_mctx, server); - } - if (contact != NULL) { - isc_mem_free(named_g_mctx, contact); + result = DNS_R_NXDOMAIN; + continue; + } + if (result != ISC_R_SUCCESS) { + return (result); + } + + /* + * DNS64 zones don't have DNAME or NS records. + */ + if (dns64) { + goto skip; + } + + /* + * Look for a DNAME at the current label, unless this is + * the qname. + */ + if (i < nlabels) { + result = findrdataset( + db, node, version, dns_rdatatype_dname, 0, now, + rdataset, sigrdataset DNS__DB_FLARG_PASS); + if (result == ISC_R_SUCCESS) { + result = DNS_R_DNAME; + break; } - if (empty != NULL) { - isc_mem_put(named_g_mctx, empty, - sizeof(*empty)); + } + + /* + * Look for an NS at the current label, unless this is the + * origin or glue is ok. + */ + if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) { + result = findrdataset( + db, node, version, dns_rdatatype_ns, 0, now, + rdataset, sigrdataset DNS__DB_FLARG_PASS); + if (result == ISC_R_SUCCESS) { + if (i == nlabels && type == dns_rdatatype_any) { + result = DNS_R_ZONECUT; + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated( + sigrdataset)) + { + dns_rdataset_disassociate( + sigrdataset); + } + } else { + result = DNS_R_DELEGATION; + } + break; } - } else { - if (strcmp(argv[0], "dns64") == 0) { - memmove(empty, &dns64_builtin, - sizeof(empty_builtin)); - } else if (strcmp(argv[0], "empty") == 0) { - memmove(empty, &empty_builtin, - sizeof(empty_builtin)); - } else if (strcmp(argv[0], "ipv4only") == 0) { - memmove(empty, &ipv4only_builtin, - sizeof(empty_builtin)); - } else { - memmove(empty, &ipv4reverse_builtin, - sizeof(empty_builtin)); + } + + /* + * If the current name is not the qname, add another label + * and try again. + */ + if (i < nlabels) { + destroynode(node); + node = NULL; + continue; + } + + skip: + /* + * If we're looking for ANY, we're done. 
+ */ + if (type == dns_rdatatype_any) { + result = ISC_R_SUCCESS; + break; + } + + /* + * Look for the qtype. + */ + result = findrdataset(db, node, version, type, 0, now, rdataset, + sigrdataset DNS__DB_FLARG_PASS); + if (result == ISC_R_SUCCESS) { + break; + } + + /* + * Look for a CNAME. + */ + if (type != dns_rdatatype_cname) { + result = findrdataset( + db, node, version, dns_rdatatype_cname, 0, now, + rdataset, sigrdataset DNS__DB_FLARG_PASS); + if (result == ISC_R_SUCCESS) { + result = DNS_R_CNAME; + break; } - empty->server = server; - empty->contact = contact; - *dbdata = empty; } - } else { - return (ISC_R_NOTIMPLEMENTED); + + result = DNS_R_NXRRSET; + break; } - return (ISC_R_SUCCESS); + + if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + + if (foundname != NULL) { + dns_name_copy(xname, foundname); + } + + if (nodep != NULL) { + *nodep = node; + } else if (node != NULL) { + detachnode(db, &node DNS__DB_FLARG_PASS); + } + + return (result); } static void -builtin_destroy(const char *zone, void *driverdata, void **dbdata) { - builtin_t *b = (builtin_t *)*dbdata; +attachnode(dns_db_t *db, dns_dbnode_t *source, + dns_dbnode_t **targetp DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + bdbnode_t *node = (bdbnode_t *)source; - UNUSED(zone); - UNUSED(driverdata); + REQUIRE(VALID_BDB(bdb)); - /* - * Don't free the static versions. 
- */ - if (*dbdata == &authors_builtin || *dbdata == &dns64_builtin || - *dbdata == &empty_builtin || *dbdata == &hostname_builtin || - *dbdata == &id_builtin || *dbdata == &ipv4only_builtin || - *dbdata == &ipv4reverse_builtin || *dbdata == &version_builtin) - { - return; + isc_refcount_increment(&node->references); + + *targetp = source; +} + +static void +detachnode(dns_db_t *db, dns_dbnode_t **nodep DNS__DB_FLARG) { + bdb_t *bdb = (bdb_t *)db; + bdbnode_t *node = NULL; + + REQUIRE(VALID_BDB(bdb)); + REQUIRE(nodep != NULL && *nodep != NULL); + + node = (bdbnode_t *)(*nodep); + *nodep = NULL; + + if (isc_refcount_decrement(&node->references) == 1) { + destroynode(node); + } +} + +static isc_result_t +findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset DNS__DB_FLARG) { + bdbnode_t *bdbnode = (bdbnode_t *)node; + dns_rdatalist_t *list = NULL; + + REQUIRE(VALID_BDBNODE(bdbnode)); + + UNUSED(version); + UNUSED(covers); + UNUSED(now); + UNUSED(sigrdataset); + + if (type == dns_rdatatype_rrsig) { + return (ISC_R_NOTIMPLEMENTED); + } + + list = ISC_LIST_HEAD(bdbnode->lists); + while (list != NULL) { + if (list->type == type) { + break; + } + list = ISC_LIST_NEXT(list, link); + } + if (list == NULL) { + return (ISC_R_NOTFOUND); } - isc_mem_free(named_g_mctx, b->server); - isc_mem_free(named_g_mctx, b->contact); - isc_mem_put(named_g_mctx, b, sizeof(*b)); + new_rdataset(list, db, node, rdataset); + + return (ISC_R_SUCCESS); } -static dns_sdbmethods_t builtin_methods = { - builtin_lookup, builtin_authority, NULL, /* allnodes */ - builtin_create, builtin_destroy, NULL -}; +static isc_result_t +allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + unsigned int options, isc_stdtime_t now, + dns_rdatasetiter_t **iteratorp DNS__DB_FLARG) { + bdb_rdatasetiter_t *iterator = NULL; + + REQUIRE(version == NULL || 
version == &dummy); + + iterator = isc_mem_get(db->mctx, sizeof(bdb_rdatasetiter_t)); + *iterator = (bdb_rdatasetiter_t){ + .common.methods = &rdatasetiter_methods, + .common.db = db, + .common.version = version, + .common.options = options, + .common.now = now, + .common.magic = DNS_RDATASETITER_MAGIC, + }; + + attachnode(db, node, &iterator->common.node DNS__DB_FLARG_PASS); -static dns_sdbmethods_t dns64_methods = { - NULL, builtin_authority, NULL, /* allnodes */ - builtin_create, builtin_destroy, dns64_lookup, + *iteratorp = (dns_rdatasetiter_t *)iterator; + + return (ISC_R_SUCCESS); +} + +static dns_dbmethods_t bdb_methods = { + .destroy = destroy, + .currentversion = currentversion, + .attachversion = attachversion, + .closeversion = closeversion, + .attachnode = attachnode, + .detachnode = detachnode, + .findrdataset = findrdataset, + .allrdatasets = allrdatasets, + .getoriginnode = getoriginnode, + .findnode = findnode, + .find = find, }; +static isc_result_t +create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + dns_rdataclass_t rdclass, unsigned int argc, char *argv[], + void *implementation, dns_db_t **dbp) { + isc_result_t result; + bool needargs = false; + bdb_t *bdb = NULL; + + REQUIRE(implementation != NULL); + + if (type != dns_dbtype_zone) { + return (ISC_R_NOTIMPLEMENTED); + } + + bdb = isc_mem_get(mctx, sizeof(*bdb)); + *bdb = (bdb_t){ + .common = { .methods = &bdb_methods, .rdclass = rdclass }, + .implementation = implementation, + }; + + isc_refcount_init(&bdb->common.references, 1); + isc_mem_attach(mctx, &bdb->common.mctx); + dns_name_init(&bdb->common.origin, NULL); + dns_name_dupwithoffsets(origin, mctx, &bdb->common.origin); + + INSIST(argc >= 1); + if (strcmp(argv[0], "authors") == 0) { + bdb->lookup = authors_lookup; + } else if (strcmp(argv[0], "hostname") == 0) { + bdb->lookup = hostname_lookup; + } else if (strcmp(argv[0], "id") == 0) { + bdb->lookup = id_lookup; + } else if (strcmp(argv[0], "version") == 0) { + 
bdb->lookup = version_lookup; + } else if (strcmp(argv[0], "dns64") == 0) { + needargs = true; + bdb->lookup = empty_lookup; + } else if (strcmp(argv[0], "empty") == 0) { + needargs = true; + bdb->lookup = empty_lookup; + } else if (strcmp(argv[0], "ipv4only") == 0) { + needargs = true; + bdb->lookup = ipv4only_lookup; + } else { + needargs = true; + bdb->lookup = ipv4reverse_lookup; + } + + if (needargs) { + if (argc != 3) { + result = DNS_R_SYNTAX; + goto cleanup; + } + + bdb->server = isc_mem_strdup(named_g_mctx, argv[1]); + bdb->contact = isc_mem_strdup(named_g_mctx, argv[2]); + } else if (argc != 1) { + result = DNS_R_SYNTAX; + goto cleanup; + } + + bdb->common.magic = DNS_DB_MAGIC; + bdb->common.impmagic = BDB_MAGIC; + + *dbp = (dns_db_t *)bdb; + + return (ISC_R_SUCCESS); + +cleanup: + dns_name_free(&bdb->common.origin, mctx); + if (bdb->server != NULL) { + isc_mem_free(named_g_mctx, bdb->server); + } + if (bdb->contact != NULL) { + isc_mem_free(named_g_mctx, bdb->contact); + } + + isc_mem_putanddetach(&bdb->common.mctx, bdb, sizeof(bdb_t)); + return (result); +} + +/* + * Builtin database registration functions + */ +static bdbimplementation_t builtin = { .flags = 0 }; +static bdbimplementation_t dns64 = { .flags = BDB_DNS64 }; + isc_result_t named_builtin_init(void) { - RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL, - DNS_SDBFLAG_RELATIVEOWNER | - DNS_SDBFLAG_RELATIVERDATA, - named_g_mctx, - &builtin_impl) == ISC_R_SUCCESS); - RUNTIME_CHECK(dns_sdb_register("_dns64", &dns64_methods, NULL, - DNS_SDBFLAG_RELATIVEOWNER | - DNS_SDBFLAG_RELATIVERDATA | - DNS_SDBFLAG_DNS64, - named_g_mctx, - &dns64_impl) == ISC_R_SUCCESS); + isc_result_t result; + + result = dns_db_register("_builtin", create, &builtin, named_g_mctx, + &builtin.dbimp); + if (result != ISC_R_SUCCESS) { + return (result); + } + + result = dns_db_register("_dns64", create, &dns64, named_g_mctx, + &dns64.dbimp); + if (result != ISC_R_SUCCESS) { + dns_db_unregister(&builtin.dbimp); 
+ return (result); + } + return (ISC_R_SUCCESS); } void named_builtin_deinit(void) { - dns_sdb_unregister(&builtin_impl); - dns_sdb_unregister(&dns64_impl); + if (builtin.dbimp != NULL) { + dns_db_unregister(&builtin.dbimp); + } + if (dns64.dbimp != NULL) { + dns_db_unregister(&dns64.dbimp); + } } diff --git a/bin/named/config.c b/bin/named/config.c index ccf52c6974..78dcae8716 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -18,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -25,9 +28,8 @@ #include #include -#include - #include +#include #include #include #include 
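Review bot: findnode computes `labels = dns_name_countlabels(name) - dns_name_countlabels(&db->origin)` and hands it to dns_name_getlabelsequence without first checking that name lies under the origin, so a name outside the zone — in particular one with fewer labels than the origin — wraps the unsigned subtraction and the lookup ends in an assertion failure inside the name library instead of an error return. find() does run dns_name_issubdomain before calling findnode, but findnode is also exported in bdb_methods and reachable through the generic dns_db_findnode() API; `if (!dns_name_issubdomain(name, &db->origin)) { return (ISC_R_NOTFOUND); }` after the REQUIREs closes that. Separately, the final `else` in create() maps every unrecognised argv[0] to ipv4reverse_lookup, whereas the removed builtin_create returned ISC_R_NOTIMPLEMENTED for unknown names, so a mistyped database argument now silently produces an ipv4reverse zone; an explicit `strcmp(argv[0], "ipv4reverse") == 0` branch with the fallthrough doing `result = ISC_R_NOTIMPLEMENTED; goto cleanup;` restores the old behaviour (the origin has already been duplicated at that point, and cleanup frees it). Lastly, find() releases an intermediate node with `destroynode(node)` rather than `detachnode(db, &node DNS__DB_FLARG_PASS)`, bypassing the reference count that attachnode/detachnode maintain; it is only safe because no rdataset is attached to that node at that point, and using detachnode keeps the two release paths consistent.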
@@ -47,32 +49,22 @@ static char defaultconf[] = "\ options {\n\ answer-cookie true;\n\ automatic-interface-scan yes;\n\ - bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\ -# blackhole {none;};\n" - " cookie-algorithm siphash24;\n" - " coresize default;\n\ - datasize default;\n" - "\ -# deallocate-on-exit ;\n\ +# blackhole {none;};\n\ + cookie-algorithm siphash24;\n\ # directory \n\ dnssec-policy \"none\";\n\ dump-file \"named_dump.db\";\n\ - edns-udp-size 1232;\n\ -# fake-iquery ;\n\ - files unlimited;\n" + edns-udp-size 1232;\n" #if defined(HAVE_GEOIP2) - " geoip-directory \"" MAXMINDDB_PREFIX "/share/" - "GeoIP\";" - "\n" + "\ + geoip-directory \"" MAXMINDDB_PREFIX "/share/GeoIP\";\n" #elif defined(HAVE_GEOIP2) - " geoip-directory \".\";\n" + "\ + geoip-directory \".\";\n" #endif /* if defined(HAVE_GEOIP2) */ "\ -# has-old-clients ;\n\ heartbeat-interval 60;\n\ -# host-statistics ;\n\ interface-interval 60;\n\ -# keep-response-order {none;};\n\ listen-on {any;};\n\ listen-on-v6 {any;};\n\ # lock-file \"" NAMED_LOCALSTATEDIR "/run/named/named.lock\";\n\ 
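Review bot: The rewritten fallback `geoip-directory \".\"` text sits under `#elif defined(HAVE_GEOIP2)`, which repeats the condition of the `#if defined(HAVE_GEOIP2)` directly above it, so that branch can never be compiled and the commit is maintaining dead text. The `#elif` line itself is unchanged context, so the duplication predates this change, but since the body under it is being rewritten here this is the moment to either correct the condition to the macro that was actually intended or drop the `#elif` branch entirely.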
@@ -81,36 +73,44 @@ options {\n\ max-rsa-exponent-size 0; /* no limit */\n\ max-udp-size 1232;\n\ memstatistics-file \"named.memstats\";\n\ -# multiple-cnames ;\n\ -# named-xfer ;\n\ nocookie-udp-size 8192;\n/*OQS updated from 4096*/\ notify-rate 20;\n\ nta-lifetime 3600;\n\ nta-recheck 300;\n\ # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\ - port 53;\n\ - tls-port 853;\n\ + port 53;\n" +#if HAVE_SO_REUSEPORT_LB + "\ + reuseport yes;\n" +#else + "\ + reuseport no;\n" +#endif + "\ + tls-port 853;\n" +#if HAVE_LIBNGHTTP2 + "\ http-port 80;\n\ https-port 443;\n\ + http-listener-clients 300;\n\ + http-streams-per-connection 100;\n" +#endif + "\ prefetch 2 9;\n\ recursing-file \"named.recursing\";\n\ recursive-clients 1000;\n\ request-nsid false;\n\ - reserved-sockets 512;\n\ resolver-query-timeout 10;\n\ rrset-order { order random; };\n\ secroots-file \"named.secroots\";\n\ send-cookie true;\n\ -# serial-queries ;\n\ serial-query-rate 20;\n\ server-id none;\n\ session-keyalg hmac-sha256;\n\ # session-keyfile \"" NAMED_LOCALSTATEDIR "/run/named/session.key\";\n\ session-keyname local-ddns;\n\ - stacksize default;\n\ startup-notify-rate 20;\n\ statistics-file \"named.stats\";\n\ -# statistics-interval ;\n\ tcp-advertised-timeout 300;\n\ tcp-clients 150;\n\ tcp-idle-timeout 300;\n\ @@ -119,18 +119,16 @@ options {\n\ tcp-listen-queue 10;\n\ tcp-receive-buffer 0;\n\ tcp-send-buffer 0;\n\ -# tkey-dhkey \n\ # tkey-domain \n\ # tkey-gssapi-credential \n\ transfer-message-size 20480;\n\ transfers-in 10;\n\ transfers-out 10;\n\ transfers-per-ns 2;\n\ -# treat-cr-as-space ;\n\ trust-anchor-telemetry yes;\n\ -# use-id-pool ;\n\ udp-receive-buffer 0;\n\ udp-send-buffer 0;\n\ + update-quota 100;\n\ \n\ /* view */\n\ allow-new-zones no;\n\ 
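Review bot: The new `#if HAVE_SO_REUSEPORT_LB` and `#if HAVE_LIBNGHTTP2` guards test the macro's value, while every other conditional inside this defaultconf string uses `#if defined(...)` or `#ifdef`; a build that leaves either macro undefined silently takes the negative branch, and with -Wundef it also warns. Provided the build system defines these macros only when the feature is present, `#ifdef HAVE_SO_REUSEPORT_LB` and `#ifdef HAVE_LIBNGHTTP2` would match the surrounding style; if they are instead defined as 0 or 1, a short comment saying so next to the first guard would stop the next reader from "fixing" it.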
@@ -143,23 +141,25 @@ options {\n\ auth-nxdomain false;\n\ check-dup-records warn;\n\ check-mx warn;\n\ - check-names master fail;\n\ + check-names primary fail;\n\ check-names response ignore;\n\ - check-names slave warn;\n\ + check-names secondary warn;\n\ check-spf warn;\n\ + check-svcb yes;\n\ clients-per-query 10;\n\ dnssec-accept-expired no;\n\ dnssec-validation " VALIDATION_DEFAULT "; \n" +#ifdef USE_DNSRPS + " dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n" +#endif /* ifdef USE_DNSRPS */ #ifdef HAVE_DNSTAP " dnstap-identity hostname;\n" #endif /* ifdef HAVE_DNSTAP */ "\ -# fetch-glue ;\n\ fetch-quota-params 100 0.1 0.3 0.7;\n\ fetches-per-server 0;\n\ fetches-per-zone 0;\n\ - glue-cache yes;\n\ - lame-ttl 600;\n" + lame-ttl 0;\n" #ifdef HAVE_LMDB " lmdb-mapsize 32M;\n" #endif /* ifdef HAVE_LMDB */ @@ -173,12 +173,13 @@ options {\n\ message-compression yes;\n\ min-ncache-ttl 0; /* 0 hours */\n\ min-cache-ttl 0; /* 0 seconds */\n\ -# min-roots ;\n\ minimal-any false;\n\ minimal-responses no-auth-recursive;\n\ notify-source *;\n\ notify-source-v6 *;\n\ nsec3-test-zone no;\n\ + parental-source *;\n\ + parental-source-v6 *;\n\ provide-ixfr true;\n\ qname-minimization relaxed;\n\ query-source address *;\n\ @@ -189,7 +190,6 @@ options {\n\ require-server-cookie no;\n\ resolver-nonbackoff-tries 3;\n\ resolver-retry-interval 800; /* in milliseconds */\n\ -# rfc2308-type1 ;\n\ root-key-sentinel yes;\n\ servfail-ttl 1;\n\ # sortlist \n\ @@ -198,7 +198,7 @@ options {\n\ stale-answer-ttl 30; /* 30 seconds */\n\ stale-cache-enable false;\n\ stale-refresh-time 30; /* 30 seconds */\n\ - synth-from-dnssec no;\n\ + synth-from-dnssec yes;\n\ # topology \n\ transfer-format many-answers;\n\ v6-bias 50;\n\ 
@@ -209,24 +209,17 @@ options {\n\ allow-query-on {any;};\n\ allow-transfer {any;};\n\ # also-notify \n\ - alt-transfer-source *;\n\ - alt-transfer-source-v6 *;\n\ check-integrity yes;\n\ check-mx-cname warn;\n\ check-sibling yes;\n\ check-srv-cname warn;\n\ check-wildcard yes;\n\ dialup no;\n\ - dnssec-dnskey-kskonly no;\n\ dnssec-loadkeys-interval 60;\n\ - dnssec-secure-to-insecure no;\n\ - dnssec-update-mode maintain;\n\ # forward \n\ # forwarders \n\ # inline-signing no;\n\ ixfr-from-differences false;\n\ -# maintain-ixfr-base ;\n\ -# max-ixfr-log-size \n\ max-journal-size default;\n\ max-records 0;\n\ max-refresh-time 2419200; /* 4 weeks */\n\ @@ -245,12 +238,9 @@ options {\n\ sig-signing-nodes 100;\n\ sig-signing-signatures 10;\n\ sig-signing-type 65534;\n\ - sig-validity-interval 30; /* days */\n\ - dnskey-sig-validity 0; /* default: sig-validity-interval */\n\ transfer-source *;\n\ transfer-source-v6 *;\n\ try-tcp-refresh yes; /* BIND 8 compat */\n\ - update-check-ksk yes;\n\ zero-no-soa-ttl yes;\n\ zone-statistics terse;\n\ };\n\ @@ -263,6 +253,7 @@ view \"_bind\" chaos {\n\ recursion no;\n\ notify no;\n\ allow-new-zones no;\n\ + max-cache-size 2M;\n\ \n\ # Prevent use of this zone in DNS amplified reflection DoS attacks\n\ rate-limit {\n\ 
@@ -272,45 +263,78 @@ view \"_bind\" chaos {\n\ };\n\ \n\ zone \"version.bind\" chaos {\n\ - type master;\n\ + type primary;\n\ database \"_builtin version\";\n\ };\n\ \n\ zone \"hostname.bind\" chaos {\n\ - type master;\n\ + type primary;\n\ database \"_builtin hostname\";\n\ };\n\ \n\ zone \"authors.bind\" chaos {\n\ - type master;\n\ + type primary;\n\ database \"_builtin authors\";\n\ };\n\ \n\ zone \"id.server\" chaos {\n\ - type master;\n\ + type primary;\n\ database \"_builtin id\";\n\ };\n\ };\n\ +" + "#\n\ +# Built-in DNSSEC key and signing policies.\n\ +#\n\ +dnssec-policy \"default\" {\n\ + keys {\n\ + csk key-directory lifetime unlimited algorithm 13;\n\ + };\n\ +\n\ + cdnskey yes;\n\ + cds-digest-types { 2; };\n\ + dnskey-ttl " DNS_KASP_KEY_TTL ";\n\ + inline-signing yes;\n\ + publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ + retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ + purge-keys " DNS_KASP_PURGE_KEYS "; \n\ + signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\ + signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\ + signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\ + max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\ + zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\ + parent-ds-ttl " DNS_KASP_DS_TTL "; \n\ + parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\ +};\n\ +\n\ +dnssec-policy \"insecure\" {\n\ + max-zone-ttl 0; \n\ + keys { };\n\ + inline-signing yes;\n\ +};\n\ +\n\ " "#\n\ # Default trusted key(s), used if \n\ # \"dnssec-validation auto;\" is set and\n\ -# sysconfdir/bind.keys doesn't exist).\n\ +# " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\ #\n\ -# BEGIN DNSSEC KEYS\n" +# BEGIN TRUST ANCHORS\n" /* Imported from bind.keys.h: */ TRUST_ANCHORS - "# END MANAGED KEYS\n\ + "# END TRUST ANCHORS\n\ \n\ primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\ - 2001:500:84::b; # b.root-servers.net\n\ + 2001:500:200::b; # b.root-servers.net\n\ + 2001:500:2::c; # c.root-servers.net\n\ 2001:500:2f::f; # f.root-servers.net\n\ + 
2001:500:12::d0d; # g.root-servers.net\n\ 2001:7fd::1; # k.root-servers.net\n\ 2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\ 2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\ - 192.228.79.201; # b.root-servers.net\n\ + 199.9.14.201; # b.root-servers.net\n\ 192.33.4.12; # c.root-servers.net\n\ 192.5.5.241; # f.root-servers.net\n\ 192.112.36.4; # g.root-servers.net\n\ @@ -330,23 +354,26 @@ named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) { CFG_PCTX_NODEPRECATED, conf)); } +const char * +named_config_getdefault(void) { + return (defaultconf); +} + isc_result_t named_config_get(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj) { int i; - for (i = 0;; i++) { - if (maps[i] == NULL) { - return (ISC_R_NOTFOUND); - } + for (i = 0; maps[i] != NULL; i++) { if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) { return (ISC_R_SUCCESS); } } + return (ISC_R_NOTFOUND); } isc_result_t -named_checknames_get(const cfg_obj_t **maps, const char *which, +named_checknames_get(const cfg_obj_t **maps, const char *const names[], const cfg_obj_t **obj) { const cfg_listelt_t *element; const cfg_obj_t *checknames; @@ -355,16 +382,14 @@ named_checknames_get(const cfg_obj_t **maps, const char *which, int i; REQUIRE(maps != NULL); - REQUIRE(which != NULL); + REQUIRE(names != NULL); REQUIRE(obj != NULL && *obj == NULL); - for (i = 0;; i++) { - if (maps[i] == NULL) { - return (ISC_R_NOTFOUND); - } + for (i = 0; maps[i] != NULL; i++) { checknames = NULL; if (cfg_map_get(maps[i], "check-names", &checknames) == - ISC_R_SUCCESS) { + ISC_R_SUCCESS) + { /* * Zone map entry is not a list. */ 
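Review bot: named_config_getdefault() is a new externally visible function with no comment saying what the returned text is or how long it stays valid; `/* Return the built-in default configuration text (static storage; never freed, not to be modified by the caller). */` above it would do. In the same hunk named_checknames_get's `which` parameter becomes `const char *const names[]`, and the loop added in the `@@ -377,14 +402,20 @@` hunk stops at the first NULL element, so every caller must pass a NULL-terminated array — a requirement that neither the new prototype nor the `REQUIRE(names != NULL)` added in the `@@ -355,16 +382,14 @@` hunk expresses. A comment at the definition, `/* 'names' is a NULL-terminated list of check-names type keywords; the mode of the first configured entry matching any of them is returned. */`, makes that contract explicit where the prototype cannot. Both functions continue outside this hunk.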
@@ -377,14 +402,20 @@ named_checknames_get(const cfg_obj_t **maps, const char *which, { value = cfg_listelt_value(element); type = cfg_tuple_get(value, "type"); - if (strcasecmp(cfg_obj_asstring(type), which) == - 0) { - *obj = cfg_tuple_get(value, "mode"); - return (ISC_R_SUCCESS); + + for (size_t j = 0; names[j] != NULL; j++) { + if (strcasecmp(cfg_obj_asstring(type), + names[j]) == 0) + { + *obj = cfg_tuple_get(value, + "mode"); + return (ISC_R_SUCCESS); + } } } } } + return (ISC_R_NOTFOUND); } int @@ -409,7 +440,7 @@ named_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, *classp = defclass; return (ISC_R_SUCCESS); } - DE_CONST(cfg_obj_asstring(classobj), r.base); + r.base = UNCONST(cfg_obj_asstring(classobj)); r.length = strlen(r.base); result = dns_rdataclass_fromtext(classp, &r); if (result != ISC_R_SUCCESS) { @@ -429,7 +460,7 @@ named_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, *typep = deftype; return (ISC_R_SUCCESS); } - DE_CONST(cfg_obj_asstring(typeobj), r.base); + r.base = UNCONST(cfg_obj_asstring(typeobj)); r.length = strlen(r.base); result = dns_rdatatype_fromtext(typep, &r); if (result != ISC_R_SUCCESS) { @@ -446,10 +477,11 @@ named_config_getzonetype(const cfg_obj_t *zonetypeobj) { str = cfg_obj_asstring(zonetypeobj); if (strcasecmp(str, "primary") == 0 || strcasecmp(str, "master") == 0) { - ztype = dns_zone_master; + ztype = dns_zone_primary; } else if (strcasecmp(str, "secondary") == 0 || - strcasecmp(str, "slave") == 0) { - ztype = dns_zone_slave; + strcasecmp(str, "slave") == 0) + { + ztype = dns_zone_secondary; } else if (strcasecmp(str, "mirror") == 0) { ztype = dns_zone_mirror; } else if (strcasecmp(str, "stub") == 0) { 
@@ -459,118 +491,14 @@ named_config_getzonetype(const cfg_obj_t *zonetypeobj) { } else if (strcasecmp(str, "redirect") == 0) { ztype = dns_zone_redirect; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ztype); } -isc_result_t -named_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list, - in_port_t defport, isc_mem_t *mctx, - isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp, - uint32_t *countp) { - int count, i = 0; - const cfg_obj_t *addrlist; - const cfg_obj_t *portobj, *dscpobj; - const cfg_listelt_t *element; - isc_sockaddr_t *addrs; - in_port_t port; - isc_dscp_t dscp = -1, *dscps = NULL; - isc_result_t result; - - INSIST(addrsp != NULL && *addrsp == NULL); - INSIST(dscpsp == NULL || *dscpsp == NULL); - INSIST(countp != NULL); - - addrlist = cfg_tuple_get(list, "addresses"); - count = named_config_listcount(addrlist); - - portobj = cfg_tuple_get(list, "port"); - if (cfg_obj_isuint32(portobj)) { - uint32_t val = cfg_obj_asuint32(portobj); - if (val > UINT16_MAX) { - cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", val); - return (ISC_R_RANGE); - } - port = (in_port_t)val; - } else if (defport != 0) { - port = defport; - } else { - result = named_config_getport(config, "port", &port); - if (result != ISC_R_SUCCESS) { - return (result); - } - } - - if (dscpsp != NULL) { - dscpobj = cfg_tuple_get(list, "dscp"); - if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) { - if (cfg_obj_asuint32(dscpobj) > 63) { - cfg_obj_log(dscpobj, named_g_lctx, - ISC_LOG_ERROR, - "dscp value '%u' is out of range", - cfg_obj_asuint32(dscpobj)); - return (ISC_R_RANGE); - } - dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj); - } - - dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t)); - } - - addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t)); - - for (element = cfg_list_first(addrlist); element != NULL; - element = cfg_list_next(element), i++) - { - const cfg_obj_t *addr; - INSIST(i < count); - addr = 
cfg_listelt_value(element); - addrs[i] = *cfg_obj_assockaddr(addr); - if (dscpsp != NULL) { - isc_dscp_t innerdscp; - innerdscp = cfg_obj_getdscp(addr); - if (innerdscp == -1) { - innerdscp = dscp; - } - dscps[i] = innerdscp; - } - if (isc_sockaddr_getport(&addrs[i]) == 0) { - isc_sockaddr_setport(&addrs[i], port); - } - } - INSIST(i == count); - - *addrsp = addrs; - *countp = count; - - if (dscpsp != NULL) { - *dscpsp = dscps; - } - - return (ISC_R_SUCCESS); -} - -void -named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - isc_dscp_t **dscpsp, uint32_t count) { - INSIST(addrsp != NULL && *addrsp != NULL); - INSIST(dscpsp == NULL || *dscpsp != NULL); - - isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t)); - *addrsp = NULL; - - if (dscpsp != NULL) { - isc_mem_put(mctx, *dscpsp, count * sizeof(isc_dscp_t)); - *dscpsp = NULL; - } -} - static isc_result_t -getprimariesdef(const cfg_obj_t *cctx, const char *list, const char *name, - const cfg_obj_t **ret) { +getremotesdef(const cfg_obj_t *cctx, const char *list, const char *name, + const cfg_obj_t **ret) { isc_result_t result; const cfg_obj_t *obj = NULL; const cfg_listelt_t *elt; @@ -587,7 +515,8 @@ getprimariesdef(const cfg_obj_t *cctx, const char *list, const char *name, while (elt != NULL) { obj = cfg_listelt_value(elt); if (strcasecmp(cfg_obj_asstring(cfg_tuple_get(obj, "name")), - name) == 0) { + name) == 0) + { *ret = obj; return (ISC_R_SUCCESS); } 
@@ -597,15 +526,20 @@ getprimariesdef(const cfg_obj_t *cctx, const char *list, const char *name,
 }
 
 isc_result_t
-named_config_getprimariesdef(const cfg_obj_t *cctx, const char *name,
- const cfg_obj_t **ret) {
+named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
+ const char *name, const cfg_obj_t **ret) {
 isc_result_t result;
 
- result = getprimariesdef(cctx, "primaries", name, ret);
- if (result != ISC_R_SUCCESS) {
- result = getprimariesdef(cctx, "masters", name, ret);
+ if (strcmp(list, "parental-agents") == 0) {
+ return (getremotesdef(cctx, list, name, ret));
+ } else if (strcmp(list, "primaries") == 0) {
+ result = getremotesdef(cctx, list, name, ret);
+ if (result != ISC_R_SUCCESS) {
+ result = getremotesdef(cctx, "masters", name, ret);
+ }
+ return (result);
 }
- return (result);
+ return (ISC_R_NOTFOUND);
 }
 
 static isc_result_t
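Review bot: `named_config_getremotesdef` answers ISC_R_NOTFOUND for any `list` value other than "parental-agents" or "primaries", and the only visible caller (the `named_config_getremotesdef(config, listtype, listname, &list)` call later in this diff) turns that result into the operator-facing error `"%s \"%s\" not found"`, so a wrong `listtype` passed by a caller would be reported as a configuration mistake rather than a programming one. Since `listtype` appears to originate from callers rather than from the config file, the trailing `return (ISC_R_NOTFOUND);` is better treated as a contract violation, e.g. `INSIST(strcmp(list, "primaries") == 0);` ahead of the primaries/masters lookup, or at minimum a comment on that `return` stating that only those two list types are expected here. The whole function is within this hunk.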
@@ -642,64 +576,54 @@ named_config_getname(isc_mem_t *mctx, const cfg_obj_t *obj,
 return (ISC_R_SUCCESS);
 }
 
-#define grow_array(mctx, array, newlen, oldlen) \
- if (newlen >= oldlen) { \
- size_t newsize = (newlen + 16) * sizeof(array[0]); \
- size_t oldsize = oldlen * sizeof(array[0]); \
- void *tmp = isc_mem_get(mctx, newsize); \
- memset(tmp, 0, newsize); \
- if (oldlen != 0) { \
- memmove(tmp, array, oldsize); \
- isc_mem_put(mctx, array, oldsize); \
- } \
- array = tmp; \
- oldlen = newlen + 16; \
+#define grow_array(mctx, array, newlen, oldlen) \
+ if (newlen >= oldlen) { \
+ array = isc_mem_creget(mctx, array, oldlen, newlen + 16, \
+ sizeof(array[0])); \
+ oldlen = newlen + 16; \
 }
 
-#define shrink_array(mctx, array, newlen, oldlen) \
- if (newlen < oldlen) { \
- void *tmp = NULL; \
- size_t newsize = newlen * sizeof(array[0]); \
- size_t oldsize = oldlen * sizeof(array[0]); \
- if (newlen != 0) { \
- tmp = isc_mem_get(mctx, newsize); \
- memset(tmp, 0, newsize); \
- memmove(tmp, array, newsize); \
- } else { \
- tmp = NULL; \
- } \
- isc_mem_put(mctx, array, oldsize); \
- array = tmp; \
- oldlen = newlen; \
+#define shrink_array(mctx, array, newlen, oldlen) \
+ if (newlen < oldlen) { \
+ array = isc_mem_creget(mctx, array, oldlen, newlen, \
+ sizeof(array[0])); \
+ oldlen = newlen; \
 }
 
 isc_result_t
-named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
- isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
- uint32_t addrcount = 0, dscpcount = 0, keycount = 0, tlscount = 0,
- i = 0;
- uint32_t listcount = 0, l = 0, j;
+named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
+ const cfg_obj_t *list, isc_mem_t *mctx,
+ dns_ipkeylist_t *ipkl) {
+ uint32_t addrcount = 0, srccount = 0;
+ uint32_t keycount = 0, tlscount = 0;
+ uint32_t listcount = 0, l = 0, i = 0;
 uint32_t stackcount = 0, pushed = 0;
 isc_result_t result;
 const cfg_listelt_t *element;
 const cfg_obj_t *addrlist;
 const cfg_obj_t *portobj;
- const cfg_obj_t *dscpobj;
+ const cfg_obj_t *src4obj;
+ const cfg_obj_t *src6obj;
 in_port_t port = (in_port_t)0;
 in_port_t def_port;
 in_port_t def_tlsport;
- isc_dscp_t dscp = -1;
+ isc_sockaddr_t src4;
+ isc_sockaddr_t src6;
 isc_sockaddr_t *addrs = NULL;
- isc_dscp_t *dscps = NULL;
+ isc_sockaddr_t *sources = NULL;
 dns_name_t **keys = NULL;
 dns_name_t **tlss = NULL;
 struct {
 const char *name;
+ in_port_t port;
+ isc_sockaddr_t *src4s;
+ isc_sockaddr_t *src6s;
 } *lists = NULL;
 struct {
 const cfg_listelt_t *element;
 in_port_t port;
- isc_dscp_t dscp;
+ isc_sockaddr_t src4;
+ isc_sockaddr_t src6;
 } *stack = NULL;
 
 REQUIRE(ipkl != NULL);
@@ -707,7 +631,6 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 REQUIRE(ipkl->addrs == NULL);
 REQUIRE(ipkl->keys == NULL);
 REQUIRE(ipkl->tlss == NULL);
- REQUIRE(ipkl->dscps == NULL);
 REQUIRE(ipkl->labels == NULL);
 REQUIRE(ipkl->allocated == 0);
 
@@ -724,15 +647,11 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 goto cleanup;
 }
 
- result = named_config_getdscp(config, &dscp);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
-
 newlist:
 addrlist = cfg_tuple_get(list, "addresses");
 portobj = cfg_tuple_get(list, "port");
- dscpobj = cfg_tuple_get(list, "dscp");
+ src4obj = cfg_tuple_get(list, "source");
+ src6obj = cfg_tuple_get(list, "source-v6");
 
 if (cfg_obj_isuint32(portobj)) {
 uint32_t val = cfg_obj_asuint32(portobj);
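Review bot: The `port`, `src4s` and `src6s` members added to the anonymous `lists` struct are not assigned in any visible hunk — only `grow_array(mctx, lists, l, listcount)` and the pre-existing use of `name` are shown — so they read as leftovers from an earlier shape of this change. If nothing later in the function writes them they should be dropped; if something does, a short comment on the struct saying what they cache would help, because the similarly named `stack` struct is the one that actually carries the per-level `port`/`src4`/`src6` values that are pushed and popped. `named_config_getipandkeylist` continues well past this hunk.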
@@ -745,15 +664,16 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 port = (in_port_t)val;
 }
 
- if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) {
- if (cfg_obj_asuint32(dscpobj) > 63) {
- cfg_obj_log(dscpobj, named_g_lctx, ISC_LOG_ERROR,
- "dscp value '%u' is out of range",
- cfg_obj_asuint32(dscpobj));
- result = ISC_R_RANGE;
- goto cleanup;
- }
- dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+ if (src4obj != NULL && cfg_obj_issockaddr(src4obj)) {
+ src4 = *cfg_obj_assockaddr(src4obj);
+ } else {
+ isc_sockaddr_any(&src4);
+ }
+
+ if (src6obj != NULL && cfg_obj_issockaddr(src6obj)) {
+ src6 = *cfg_obj_assockaddr(src6obj);
+ } else {
+ isc_sockaddr_any6(&src6);
 }
 
 result = ISC_R_NOMEMORY;
@@ -766,13 +686,14 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 const cfg_obj_t *tls;
 
 addr = cfg_tuple_get(cfg_listelt_value(element),
- "primarieselement");
+ "remoteselement");
 key = cfg_tuple_get(cfg_listelt_value(element), "key");
 tls = cfg_tuple_get(cfg_listelt_value(element), "tls");
 
 if (!cfg_obj_issockaddr(addr)) {
 const char *listname = cfg_obj_asstring(addr);
 isc_result_t tresult;
+ uint32_t j;
 
 /* Grow lists? */
 grow_array(mctx, lists, l, listcount);
@@ -787,11 +708,11 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 continue;
 }
 list = NULL;
- tresult = named_config_getprimariesdef(config, listname,
- &list);
+ tresult = named_config_getremotesdef(config, listtype,
+ listname, &list);
 if (tresult == ISC_R_NOTFOUND) {
 cfg_obj_log(addr, named_g_lctx, ISC_LOG_ERROR,
- "primaries \"%s\" not found",
+ "%s \"%s\" not found", listtype,
 listname);
 result = tresult;
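Review bot: The new `source`/`source-v6` handling accepts any socket address for either keyword — `cfg_obj_issockaddr()` says nothing about the family — and nothing visible checks that `src4` is IPv4 or `src6` is IPv6 before they are later copied into `sources[i]` purely by the remote's address family. Unless the config grammar already rejects a mismatched literal (not shown in this diff), a `source ::1;` line would silently become the bind address for every IPv4 remote and only fail at connect time; checking the family here, while `src4obj`/`src6obj` are still available for `cfg_obj_log`, gives the operator a configuration-time error instead. The function body continues outside the hunk.
```c
	if (src4obj != NULL && cfg_obj_issockaddr(src4obj)) {
		src4 = *cfg_obj_assockaddr(src4obj);
		if (isc_sockaddr_pf(&src4) != PF_INET) {
			cfg_obj_log(src4obj, named_g_lctx, ISC_LOG_ERROR,
				    "'source' must be an IPv4 address");
			result = ISC_R_FAMILYMISMATCH;
			goto cleanup;
		}
	} else {
		isc_sockaddr_any(&src4);
	}
	/* … unchanged: same shape for src6obj, checking PF_INET6 and falling back to isc_sockaddr_any6() … */
```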
@@ -809,21 +730,18 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 */
 stack[pushed].element = cfg_list_next(element);
 stack[pushed].port = port;
- stack[pushed].dscp = dscp;
+ stack[pushed].src4 = src4;
+ stack[pushed].src6 = src6;
 pushed++;
 goto newlist;
 }
 
 grow_array(mctx, addrs, i, addrcount);
- grow_array(mctx, dscps, i, dscpcount);
 grow_array(mctx, keys, i, keycount);
 grow_array(mctx, tlss, i, tlscount);
+ grow_array(mctx, sources, i, srccount);
 
 addrs[i] = *cfg_obj_assockaddr(addr);
- dscps[i] = cfg_obj_getdscp(addr);
- if (dscps[i] == -1) {
- dscps[i] = dscp;
- }
 
 result = named_config_getname(mctx, key, &keys[i]);
 if (result != ISC_R_SUCCESS) {
@@ -839,49 +757,67 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 goto cleanup;
 }
 
- /* Set the default port or tls-port */
- if (port == 0) {
- if (tlss[i] != NULL) {
- port = def_tlsport;
- } else {
- port = def_port;
+ /* If the port is unset, take it from one of the upper levels */
+ if (isc_sockaddr_getport(&addrs[i]) == 0) {
+ in_port_t addr_port = port;
+
+ /* If unset, use the default port or tls-port */
+ if (addr_port == 0) {
+ if (tlss[i] != NULL) {
+ addr_port = def_tlsport;
+ } else {
+ addr_port = def_port;
+ }
 }
+
+ isc_sockaddr_setport(&addrs[i], addr_port);
 }
 
- if (isc_sockaddr_getport(&addrs[i]) == 0) {
- isc_sockaddr_setport(&addrs[i], port);
+ switch (isc_sockaddr_pf(&addrs[i])) {
+ case PF_INET:
+ sources[i] = src4;
+ break;
+ case PF_INET6:
+ sources[i] = src6;
+ break;
+ default:
+ i++; /* Increment here so that cleanup on error works.
+ */
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup;
 }
+
 i++;
 }
 
 if (pushed != 0) {
 pushed--;
 element = stack[pushed].element;
 port = stack[pushed].port;
- dscp = stack[pushed].dscp;
+ src4 = stack[pushed].src4;
+ src6 = stack[pushed].src6;
 goto resume;
 }
 
 shrink_array(mctx, addrs, i, addrcount);
- shrink_array(mctx, dscps, i, dscpcount);
 shrink_array(mctx, keys, i, keycount);
 shrink_array(mctx, tlss, i, tlscount);
+ shrink_array(mctx, sources, i, srccount);
 
 if (lists != NULL) {
- isc_mem_put(mctx, lists, listcount * sizeof(lists[0]));
+ isc_mem_cput(mctx, lists, listcount, sizeof(lists[0]));
 }
 if (stack != NULL) {
- isc_mem_put(mctx, stack, stackcount * sizeof(stack[0]));
+ isc_mem_cput(mctx, stack, stackcount, sizeof(stack[0]));
 }
 
- INSIST(dscpcount == addrcount);
 INSIST(keycount == addrcount);
 INSIST(tlscount == addrcount);
- INSIST(keycount == dscpcount);
+ INSIST(srccount == addrcount);
 
 ipkl->addrs = addrs;
- ipkl->dscps = dscps;
 ipkl->keys = keys;
 ipkl->tlss = tlss;
+ ipkl->sources = sources;
 ipkl->count = addrcount;
 ipkl->allocated = addrcount;
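Review bot: The `default:` arm of the new `switch` bumps `i` before `goto cleanup` so that the `j < i` loops under `cleanup:` release `keys[i]`/`tlss[i]`, but the failure path just above this hunk — presumably the `named_config_getname(mctx, tls, &tlss[i])` check whose `goto cleanup;` is the hunk's first context line — still jumps with `i` unchanged, so the `keys[i]` name already allocated for this entry is never freed (this looks pre-existing rather than introduced here). Releasing `keys[i]` explicitly before that jump is the safer fix; copying the `i++` trick would make cleanup read `tlss[i]`, which is not guaranteed to be NULL when the lookup failed. The function starts and ends outside this hunk.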
@@ -889,13 +825,10 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 
 cleanup:
 if (addrs != NULL) {
- isc_mem_put(mctx, addrs, addrcount * sizeof(addrs[0]));
- }
- if (dscps != NULL) {
- isc_mem_put(mctx, dscps, dscpcount * sizeof(dscps[0]));
+ isc_mem_cput(mctx, addrs, addrcount, sizeof(addrs[0]));
 }
 if (keys != NULL) {
- for (j = 0; j < i; j++) {
+ for (size_t j = 0; j < i; j++) {
 if (keys[j] == NULL) {
 continue;
 }
@@ -904,10 +837,10 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 }
 isc_mem_put(mctx, keys[j], sizeof(*keys[j]));
 }
- isc_mem_put(mctx, keys, keycount * sizeof(keys[0]));
+ isc_mem_cput(mctx, keys, keycount, sizeof(keys[0]));
 }
 if (tlss != NULL) {
- for (j = 0; j < i; j++) {
+ for (size_t j = 0; j < i; j++) {
 if (tlss[j] == NULL) {
 continue;
 }
@@ -916,13 +849,16 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 }
 isc_mem_put(mctx, tlss[j], sizeof(*tlss[j]));
 }
- isc_mem_put(mctx, tlss, tlscount * sizeof(tlss[0]));
+ isc_mem_cput(mctx, tlss, tlscount, sizeof(tlss[0]));
+ }
+ if (sources != NULL) {
+ isc_mem_cput(mctx, sources, srccount, sizeof(sources[0]));
 }
 if (lists != NULL) {
- isc_mem_put(mctx, lists, listcount * sizeof(lists[0]));
+ isc_mem_cput(mctx, lists, listcount, sizeof(lists[0]));
 }
 if (stack != NULL) {
- isc_mem_put(mctx, stack, stackcount * sizeof(stack[0]));
+ isc_mem_cput(mctx, stack, stackcount, sizeof(stack[0]));
 }
 return (result);
 }
@@ -956,32 +892,6 @@ named_config_getport(const cfg_obj_t *config, const char *type,
 return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp) {
- const cfg_obj_t *options = NULL;
- const cfg_obj_t *dscpobj = NULL;
- isc_result_t result;
-
- (void)cfg_map_get(config, "options", &options);
- if (options == NULL) {
- return (ISC_R_SUCCESS);
- }
-
- result = cfg_map_get(options, "dscp", &dscpobj);
- if (result != ISC_R_SUCCESS || dscpobj == NULL) {
- *dscpp = -1;
- return (ISC_R_SUCCESS);
- }
- if (cfg_obj_asuint32(dscpobj) >= 64) {
- cfg_obj_log(dscpobj, named_g_lctx, ISC_LOG_ERROR,
- "dscp '%u' out of range",
- cfg_obj_asuint32(dscpobj));
- return (ISC_R_RANGE);
- }
- *dscpp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
- return (ISC_R_SUCCESS);
-}
-
 struct keyalgorithms {
 const char *str;
 enum {
@@ -1006,14 +916,8 @@ struct keyalgorithms {
 { NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
 };
 isc_result_t
-named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+named_config_getkeyalgorithm(const char *str, unsigned int *typep,
 uint16_t *digestbits) {
- return (named_config_getkeyalgorithm2(str, name, NULL, digestbits));
-}
-
-isc_result_t
-named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
- unsigned int *typep, uint16_t *digestbits) {
 int i;
 size_t len = 0;
 uint16_t bits;
@@ -1044,37 +948,7 @@ named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
 } else {
 bits = algorithms[i].size;
 }
-
- if (name != NULL) {
- switch (algorithms[i].hmac) {
- case hmacmd5:
- *name = dns_tsig_hmacmd5_name;
- break;
- case hmacsha1:
- *name = dns_tsig_hmacsha1_name;
- break;
- case hmacsha224:
- *name = dns_tsig_hmacsha224_name;
- break;
- case hmacsha256:
- *name = dns_tsig_hmacsha256_name;
- break;
- case hmacsha384:
- *name = dns_tsig_hmacsha384_name;
- break;
- case hmacsha512:
- *name = dns_tsig_hmacsha512_name;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
- }
- if (typep != NULL) {
- *typep = algorithms[i].type;
- }
- if (digestbits != NULL) {
- *digestbits = bits;
- }
+ SET_IF_NOT_NULL(typep, algorithms[i].type);
+ SET_IF_NOT_NULL(digestbits, bits);
 return (ISC_R_SUCCESS);
 }
diff --git a/bin/named/control.c b/bin/named/control.c
index 55a469925d..7f07db1240 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -13,19 +15,15 @@
 #include
-#include
-#include
 #include
 #include
+#include
 #include
 #include
 #include
-#include
-
 #include
 #include
-#include
 #include
 #include
@@ -59,7 +57,7 @@ getcommand(isc_lex_t *lex, char **cmdp) {
 return (ISC_R_SUCCESS);
 }
 
-static inline bool
+static bool
 command_compare(const char *str, const char *command) {
 return (strcasecmp(str, command) == 0);
 }
@@ -98,10 +96,7 @@ named_control_docommand(isccc_sexpr_t *message, bool readonly,
 return (result);
 }
 
- result = isc_lex_create(named_g_mctx, strlen(cmdline), &lex);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
+ isc_lex_create(named_g_mctx, strlen(cmdline), &lex);
 
 isc_buffer_init(&src, cmdline, strlen(cmdline));
 isc_buffer_add(&src, strlen(cmdline));
@@ -175,9 +170,8 @@ named_control_docommand(isccc_sexpr_t *message, bool readonly,
 named_smf_want_disable = 1;
 }
 /*
- * If named_smf_got_instance = 0, named_smf_chroot
- * is not relevant and we fall through to
- * isc_app_shutdown below.
+ * If named_smf_got_instance = 0, named_smf_chroot is
+ * not relevant and we fall through to shutdown below.
 */
 #endif /* ifdef HAVE_LIBSCF */
 /* Do not flush master files */
@@ -218,6 +212,8 @@ named_control_docommand(isccc_sexpr_t *message, bool readonly,
 result = ISC_R_SUCCESS;
 } else if (command_compare(command, NAMED_COMMAND_DUMPSTATS)) {
 result = named_server_dumpstats(named_g_server);
+ } else if (command_compare(command, NAMED_COMMAND_FETCHLIMIT)) {
+ result = named_server_fetchlimit(named_g_server, lex, text);
 } else if (command_compare(command, NAMED_COMMAND_FLUSH)) {
 result = named_server_flushcache(named_g_server, lex);
 } else if (command_compare(command, NAMED_COMMAND_FLUSHNAME)) {
@@ -278,15 +274,8 @@ named_control_docommand(isccc_sexpr_t *message, bool readonly,
 command_compare(command, NAMED_COMMAND_UNFREEZE)) {
 result = named_server_freeze(named_g_server, false, lex,
 text);
- } else if (command_compare(command, NAMED_COMMAND_TIMERPOKE)) {
- isc_timermgr_poke(named_g_timermgr);
- result = ISC_R_SUCCESS;
 } else if (command_compare(command, NAMED_COMMAND_TRACE)) {
 result = named_server_setdebuglevel(named_g_server, lex);
- } else if (command_compare(command, NAMED_COMMAND_TSIGDELETE)) {
- result = named_server_tsigdelete(named_g_server, lex, text);
- } else if (command_compare(command, NAMED_COMMAND_TSIGLIST)) {
- result = named_server_tsiglist(named_g_server, text);
 } else if (command_compare(command, NAMED_COMMAND_VALIDATION)) {
 result = named_server_validation(named_g_server, lex, text);
 } else if (command_compare(command, NAMED_COMMAND_ZONESTATUS)) {
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 00897d1b53..57783d19af 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -14,10 +16,9 @@
 #include
 #include
-#include
+#include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -26,32 +27,30 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
-#include
 #include
-#include
-
 #include
 #include
 #include
-#include
-#include
 #include
 #include
 #include
+#include
 #include
-#include
-
 #include
 #include
 #include
+#include
 #include
 
+#undef NAMED_CONTROLCONF_TRACE
+
 typedef struct controlkey controlkey_t;
 typedef ISC_LIST(controlkey_t) controlkeylist_t;
@@ -69,12 +68,8 @@ struct controlkey {
 };
 
 struct controlconnection {
- isc_nmhandle_t *readhandle;
- isc_nmhandle_t *sendhandle;
- isc_nmhandle_t *cmdhandle;
+ isc_refcount_t references;
 isccc_ccmsg_t ccmsg;
- bool reading;
- bool sending;
 controllistener_t *listener;
 isccc_sexpr_t *ctrl;
 isc_buffer_t *buffer;
@@ -87,6 +82,7 @@ struct controlconnection {
 isc_stdtime_t now;
 isc_result_t result;
 ISC_LINK(controlconnection_t) link;
+ bool shuttingdown;
 };
 
 struct controllistener {
@@ -96,7 +92,7 @@ struct controllistener {
 isc_nmsocket_t *sock;
 dns_acl_t *acl;
 bool exiting;
- isc_refcount_t refs;
+ isc_refcount_t references;
 controlkeylist_t keys;
 isc_mutex_t connections_lock;
 controlconnectionlist_t connections;
@@ -111,7 +107,7 @@ struct controllistener {
 struct named_controls {
 named_server_t *server;
 controllistenerlist_t listeners;
- atomic_bool shuttingdown;
+ bool shuttingdown;
 isc_mutex_t symtab_lock;
 isccc_symtab_t *symtab;
 };
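Review bot: `shuttingdown` in `struct named_controls` goes from `atomic_bool` to a plain `bool` with no comment recording which thread owns it, yet it is written in `named_controls_shutdown` and read from the network and async callbacks (`control_senddone`, `control_recvmessage`, `control_command`) elsewhere in this diff; dropping the atomics is only sound if every one of those runs on the same loop thread. The `isc_async_run(named_g_mainloop, ...)` dispatch and the `ISC_NM_LISTEN_ONE` listener in later hunks suggest that is the design, but nothing states it, and the new `bool shuttingdown` on `struct controlconnection` relies on the same assumption. A one-line comment on each field, e.g. `bool shuttingdown; /* main-loop thread only; no locking or atomics needed */`, would record the invariant the simplification depends on and make it visible to whoever next touches the threading model.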
@@ -120,6 +116,35 @@ static isc_result_t
 control_newconn(isc_nmhandle_t *handle, isc_result_t result, void *arg);
 static void
 control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg);
+static void
+conn_cleanup(controlconnection_t *conn);
+static void
+conn_free(controlconnection_t *conn);
+
+#if NAMED_CONTROLCONF_TRACE
+#define controllistener_ref(ptr) \
+ controllistener__ref(ptr, __func__, __FILE__, __LINE__)
+#define controllistener_unref(ptr) \
+ controllistener__unref(ptr, __func__, __FILE__, __LINE__)
+#define controllistener_attach(ptr, ptrp) \
+ controllistener__attach(ptr, ptrp, __func__, __FILE__, __LINE__)
+#define controllistener_detach(ptrp) \
+ controllistener__detach(ptrp, __func__, __FILE__, __LINE__)
+ISC_REFCOUNT_TRACE_DECL(controllistener);
+
+#define controlconnection_ref(ptr) \
+ controlconnection__ref(ptr, __func__, __FILE__, __LINE__)
+#define controlconnection_unref(ptr) \
+ controlconnection__unref(ptr, __func__, __FILE__, __LINE__)
+#define controlconnection_attach(ptr, ptrp) \
+ controlconnection__attach(ptr, ptrp, __func__, __FILE__, __LINE__)
+#define controlconnection_detach(ptrp) \
+ controlconnection__detach(ptrp, __func__, __FILE__, __LINE__)
+ISC_REFCOUNT_TRACE_DECL(controlconnection);
+#else
+ISC_REFCOUNT_DECL(controllistener);
+ISC_REFCOUNT_DECL(controlconnection);
+#endif
 
 #define CLOCKSKEW 300
 
@@ -148,11 +173,9 @@ free_listener(controllistener_t *listener) {
 INSIST(listener->exiting);
 INSIST(ISC_LIST_EMPTY(listener->connections));
 
- isc_refcount_destroy(&listener->refs);
+ isc_refcount_destroy(&listener->references);
 
- if (listener->sock != NULL) {
- isc_nmsocket_close(&listener->sock);
- }
+ REQUIRE(listener->sock == NULL);
 
 free_controlkeylist(&listener->keys, listener->mctx);
@@ -164,18 +187,27 @@ free_listener(controllistener_t *listener) {
 isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
 }
 
-static void
-maybe_free_listener(controllistener_t *listener) {
- if (isc_refcount_decrement(&listener->refs) == 1) {
- free_listener(listener);
- }
-}
+#if NAMED_CONTROLCONF_TRACE
+ISC_REFCOUNT_TRACE_IMPL(controllistener, free_listener);
+ISC_REFCOUNT_TRACE_IMPL(controlconnection, conn_free);
+#else
+ISC_REFCOUNT_IMPL(controllistener, free_listener);
+ISC_REFCOUNT_IMPL(controlconnection, conn_free);
+#endif
 
 static void
 shutdown_listener(controllistener_t *listener) {
 if (!listener->exiting) {
 char socktext[ISC_SOCKADDR_FORMATSIZE];
 
+ for (controlconnection_t *conn =
+ ISC_LIST_HEAD(listener->connections);
+ conn != NULL; conn = ISC_LIST_HEAD(listener->connections))
+ {
+ control_recvmessage(conn->ccmsg.handle,
+ ISC_R_SHUTTINGDOWN, conn);
+ }
+
 ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
 
 isc_sockaddr_format(&listener->address, socktext,
@@ -193,7 +225,8 @@ shutdown_listener(controllistener_t *listener) {
 }
 
 isc_nm_stoplistening(listener->sock);
- maybe_free_listener(listener);
+ isc_nmsocket_close(&listener->sock);
+ controllistener_detach(&listener);
 }
 
 static bool
@@ -222,18 +255,12 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 controllistener_t *listener = conn->listener;
 isc_sockaddr_t peeraddr = isc_nmhandle_peeraddr(handle);
 
- REQUIRE(conn->sending);
-
- conn->sending = false;
-
 if (conn->result == ISC_R_SHUTTINGDOWN) {
- isc_app_shutdown();
+ isc_loopmgr_shutdown(named_g_loopmgr);
 goto cleanup_sendhandle;
 }
 
- if (atomic_load_acquire(&listener->controls->shuttingdown) ||
- result == ISC_R_CANCELED)
- {
+ if (listener->controls->shuttingdown || result == ISC_R_SHUTTINGDOWN) {
 goto cleanup_sendhandle;
 } else if (result != ISC_R_SUCCESS) {
 char socktext[ISC_SOCKADDR_FORMATSIZE];
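Review bot: The new loop in `shutdown_listener` re-reads `ISC_LIST_HEAD(listener->connections)` after every `control_recvmessage()` call and therefore depends on each call unlinking the head connection, but a connection is only unlinked in `conn_free`, i.e. when its last reference goes; `control_recvmessage` returns immediately once `conn->shuttingdown` is set and otherwise drops a single reference, so any connection still holding a second reference (a command queued through `isc_async_run`, or a response in flight) stays at the head and the loop never terminates. Walking the list with a saved successor removes the dependency on what the callee does: `for (controlconnection_t *conn = ISC_LIST_HEAD(listener->connections), *next = NULL; conn != NULL; conn = next) {` with `next = ISC_LIST_NEXT(conn, link);` as the first statement of the body. The list is also traversed here without `connections_lock`, which `conn_free` and `newconnection` take; if everything runs on one loop thread that is fine, but a comment saying so would help.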
@@ -246,19 +273,16 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 goto cleanup_sendhandle;
 }
 
- isc_nmhandle_attach(handle, &conn->readhandle);
- conn->reading = true;
-
- isc_nmhandle_detach(&conn->sendhandle);
-
 isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage, conn);
-
 return;
 cleanup_sendhandle:
- isc_nmhandle_detach(&conn->sendhandle);
+ if (result != ISC_R_SUCCESS) {
+ control_recvmessage(handle, result, conn);
+ }
+ controlconnection_detach(&conn);
 }
 
-static inline void
+static void
 log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
 char socktext[ISC_SOCKADDR_FORMATSIZE];
 isc_sockaddr_t peeraddr = isc_nmhandle_peeraddr(ccmsg->handle);
@@ -290,7 +314,7 @@ conn_cleanup(controlconnection_t *conn) {
 }
 
 static void
-control_respond(isc_nmhandle_t *handle, controlconnection_t *conn) {
+control_respond(controlconnection_t *conn) {
 controllistener_t *listener = conn->listener;
 isccc_sexpr_t *data = NULL;
 isc_buffer_t b;
@@ -352,7 +376,7 @@ control_respond(isc_nmhandle_t *handle, controlconnection_t *conn) {
 result = isccc_cc_towire(conn->response, &conn->buffer, conn->alg,
 &conn->secret);
 if (result != ISC_R_SUCCESS) {
- goto cleanup;
+ return;
 }
 
 isc_buffer_init(&b, conn->buffer->base, 4);
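Review bot: In `control_respond` the `isccc_cc_towire` failure now does `return;` instead of `goto cleanup`, so on that path no message is sent and — as far as this diff shows — nothing re-arms the read either, since `isccc_ccmsg_readmessage` is only issued from `control_senddone` (this hunk) and `newconnection`; the connection then sits idle holding its reference until `shutdown_listener` eventually feeds it ISC_R_SHUTTINGDOWN. Skipping `conn_cleanup` is harmless because `conn_free` calls it, but the read side should be closed out the same way `control_recvmessage`'s `cleanup:` label does, e.g. `conn->shuttingdown = true; controlconnection_detach(&conn); return;`, which lets the normal `conn_free` path run while `control_command`'s own `controlconnection_detach` still releases the command reference. `control_respond` begins before this hunk.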
@@ -361,68 +385,52 @@ control_respond(isc_nmhandle_t *handle, controlconnection_t *conn) {
 r.base = conn->buffer->base;
 r.length = conn->buffer->used;
 
- isc_nmhandle_attach(handle, &conn->sendhandle);
- conn->sending = true;
-
- conn_cleanup(conn);
-
- isc_nmhandle_detach(&conn->cmdhandle);
-
- isc_nm_send(conn->sendhandle, &r, control_senddone, conn);
-
- return;
+ controlconnection_ref(conn);
+ isccc_ccmsg_sendmessage(&conn->ccmsg, &r, control_senddone, conn);
 
 cleanup:
 conn_cleanup(conn);
- isc_nmhandle_detach(&conn->cmdhandle);
 }
 
 static void
-control_command(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn = event->ev_arg;
+control_command(void *arg) {
+ controlconnection_t *conn = (controlconnection_t *)arg;
 controllistener_t *listener = conn->listener;
 
- UNUSED(task);
-
- if (atomic_load_acquire(&listener->controls->shuttingdown)) {
- conn_cleanup(conn);
- isc_nmhandle_detach(&conn->cmdhandle);
- goto done;
+ if (!listener->controls->shuttingdown) {
+ conn->result = named_control_docommand(
+ conn->request, listener->readonly, &conn->text);
+ control_respond(conn);
 }
-
- conn->result = named_control_docommand(conn->request,
- listener->readonly, &conn->text);
- control_respond(conn->cmdhandle, conn);
-
-done:
- isc_event_free(&event);
+ controlconnection_detach(&conn);
 }
 
 static void
-control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
+control_recvmessage(isc_nmhandle_t *handle ISC_ATTR_UNUSED, isc_result_t result,
+ void *arg) {
 controlconnection_t *conn = (controlconnection_t *)arg;
 controllistener_t *listener = conn->listener;
 controlkey_t *key = NULL;
- isc_event_t *event = NULL;
 isccc_time_t sent;
 isccc_time_t exp;
 uint32_t nonce;
 
- conn->reading = false;
+ if (conn->shuttingdown) {
+ return;
+ }
 
 /* Is the server shutting down? */
- if (atomic_load_acquire(&listener->controls->shuttingdown)) {
- goto cleanup_readhandle;
+ if (listener->controls->shuttingdown) {
+ result = ISC_R_SHUTTINGDOWN;
 }
 
 if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_CANCELED) {
- atomic_store_release(&listener->controls->shuttingdown,
- true);
+ if (result == ISC_R_SHUTTINGDOWN) {
+ listener->controls->shuttingdown = true;
 } else if (result != ISC_R_EOF) {
 log_invalid(&conn->ccmsg, result);
 }
-
- goto cleanup_readhandle;
+ goto cleanup;
 }
 
 for (key = ISC_LIST_HEAD(listener->keys); key != NULL;
@@ -430,8 +438,7 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 {
 isccc_region_t ccregion;
 
- ccregion.rstart = isc_buffer_base(conn->ccmsg.buffer);
- ccregion.rend = isc_buffer_used(conn->ccmsg.buffer);
+ isccc_ccmsg_toregion(&conn->ccmsg, &ccregion);
 conn->secret.rstart = isc_mem_get(listener->mctx,
 key->secret.length);
 memmove(conn->secret.rstart, key->secret.base,
@@ -445,10 +452,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 }
 isc_mem_put(listener->mctx, conn->secret.rstart,
 REGION_SIZE(conn->secret));
- if (result != ISCCC_R_BADAUTH) {
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
 }
 
 if (key == NULL) {
@@ -462,7 +465,7 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 goto cleanup;
 }
 
- isc_stdtime_get(&conn->now);
+ conn->now = isc_stdtime_now();
 
 /*
 * Limit exposure to replay attacks.
@@ -475,7 +478,8 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 if (isccc_cc_lookupuint32(conn->ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
 if ((sent + CLOCKSKEW) < conn->now ||
- (sent - CLOCKSKEW) > conn->now) {
+ (sent - CLOCKSKEW) > conn->now)
+ {
 log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
 goto cleanup;
 }
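Review bot: `control_recvmessage` still promotes a per-connection ISC_R_SHUTTINGDOWN result into the global `listener->controls->shuttingdown = true`, and two new callers now hand it exactly that result for individual connections: the `shutdown_listener` loop and `control_senddone`'s error path in the earlier hunks. Once the flag is set, `control_command` skips every later command and `control_senddone` stops re-arming reads on every listener, so if `shutdown_listener` can run outside full server shutdown — say when a single control listener is dropped on reconfiguration, which this diff does not show — the whole control channel would go dead. Setting the global flag only from `named_controls_shutdown` (which already does so in a later hunk) and reducing this branch to `if (result != ISC_R_SHUTTINGDOWN && result != ISC_R_EOF) { log_invalid(&conn->ccmsg, result); }` keeps a connection-level shutdown local to that connection. The function body continues across several hunks.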
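Review bot: Removing the `if (result != ISCCC_R_BADAUTH) { log_invalid(...); goto cleanup; }` block means a key whose verification attempt (above this hunk, in the same loop body) fails for a reason other than bad authentication — a truncated or malformed message, for instance — is now silent and the loop simply tries the next key; the only diagnostic left is whatever the `if (key == NULL)` block after the hunk emits, which cannot tell a malformed request from an unauthenticated one. Keeping the log while still moving on to the next key, `if (result != ISCCC_R_BADAUTH) { log_invalid(&conn->ccmsg, result); }`, preserves the operator-visible signal without altering the new control flow. The loop starts before this hunk, so the verification call itself is not visible here.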
@@ -521,9 +525,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 
 isc_buffer_allocate(listener->mctx, &conn->text, 2 * 2048);
 
- isc_nmhandle_attach(handle, &conn->cmdhandle);
- isc_nmhandle_detach(&conn->readhandle);
-
 if (conn->nonce == 0) {
 /*
 * Establish nonce.
@@ -532,47 +533,33 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 isc_nonce_buf(&conn->nonce, sizeof(conn->nonce));
 }
 conn->result = ISC_R_SUCCESS;
- control_respond(handle, conn);
+ control_respond(conn);
 return;
 }
 
 /*
 * Trigger the command.
 */
-
- event = isc_event_allocate(listener->mctx, conn, NAMED_EVENT_COMMAND,
- control_command, conn, sizeof(isc_event_t));
- isc_task_send(named_g_server->task, &event);
+ controlconnection_ref(conn);
+ isc_async_run(named_g_mainloop, control_command, conn);
 return;
 
 cleanup:
- conn_cleanup(conn);
-
-cleanup_readhandle:
- /*
- * readhandle could be NULL if we're shutting down,
- * but if not we need to detach it.
- */
- if (conn->readhandle != NULL) {
- isc_nmhandle_detach(&conn->readhandle);
- }
+ conn->shuttingdown = true;
+ controlconnection_detach(&conn);
 }
 
 static void
-conn_reset(void *arg) {
- controlconnection_t *conn = (controlconnection_t *)arg;
+conn_free(controlconnection_t *conn) {
 controllistener_t *listener = conn->listener;
 
+ conn_cleanup(conn);
+
 if (conn->buffer != NULL) {
 isc_buffer_free(&conn->buffer);
 }
 
- if (conn->reading) {
- isccc_ccmsg_cancelread(&conn->ccmsg);
- return;
- }
-
 LOCK(&listener->connections_lock);
 ISC_LIST_UNLINK(listener->connections, conn, link);
 UNLOCK(&listener->connections_lock);
@@ -583,37 +570,29 @@ conn_reset(void *arg) {
 #endif /* ifdef ENABLE_AFL */
 
 isccc_ccmsg_invalidate(&conn->ccmsg);
-}
-
-static void
-conn_put(void *arg) {
- controlconnection_t *conn = (controlconnection_t *)arg;
- controllistener_t *listener = conn->listener;
 
 isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 NAMED_LOGMODULE_CONTROL, ISC_LOG_DEBUG(3),
 "freeing control connection");
- maybe_free_listener(listener);
+
+ isc_mem_put(listener->mctx, conn, sizeof(*conn));
+
+ controllistener_detach(&listener);
 }
 
 static void
 newconnection(controllistener_t *listener, isc_nmhandle_t *handle) {
- controlconnection_t *conn = NULL;
+ controlconnection_t *conn = isc_mem_get(listener->mctx, sizeof(*conn));
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_CONTROL, ISC_LOG_DEBUG(3),
+ "allocate new control connection");
 
- conn = isc_nmhandle_getdata(handle);
- if (conn == NULL) {
- conn = isc_nmhandle_getextra(handle);
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_CONTROL, ISC_LOG_DEBUG(3),
- "allocate new control connection");
- isc_nmhandle_setdata(handle, conn, conn_reset, conn_put);
- isc_refcount_increment(&listener->refs);
- }
+ *conn = (controlconnection_t){ .alg = DST_ALG_UNKNOWN };
 
- *conn = (controlconnection_t){ .listener = listener,
- .reading = false,
- .alg = DST_ALG_UNKNOWN };
+ isc_refcount_init(&conn->references, 1);
+ controllistener_attach(listener, &conn->listener);
 
+ /* isccc_ccmsg_init() attaches to the handle */
 isccc_ccmsg_init(listener->mctx, handle, &conn->ccmsg);
 
 /* Set a 32 KiB upper limit on incoming message. */
@@ -623,9 +602,6 @@ newconnection(controllistener_t *listener, isc_nmhandle_t *handle) {
 ISC_LIST_INITANDAPPEND(listener->connections, conn, link);
 UNLOCK(&listener->connections_lock);
 
- isc_nmhandle_attach(handle, &conn->readhandle);
- conn->reading = true;
-
 isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage, conn);
 }
@@ -635,7 +611,7 @@ control_newconn(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 isc_sockaddr_t peeraddr;
 
 if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_CANCELED) {
+ if (result == ISC_R_SHUTTINGDOWN) {
 shutdown_listener(listener);
 }
 return (result);
@@ -676,7 +652,7 @@ controls_shutdown(named_controls_t *controls) {
 void
 named_controls_shutdown(named_controls_t *controls) {
 controls_shutdown(controls);
- atomic_store_release(&controls->shuttingdown, true);
+ controls->shuttingdown = true;
 }
 
 static isc_result_t
@@ -766,8 +742,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 algstr = cfg_obj_asstring(algobj);
 secretstr = cfg_obj_asstring(secretobj);
 
- result = named_config_getkeyalgorithm2(algstr, NULL,
- &algtype, NULL);
+ result = named_config_getkeyalgorithm(algstr, &algtype,
+ NULL);
 if (result != ISC_R_SUCCESS) {
 cfg_obj_log(control, named_g_lctx,
 ISC_LOG_WARNING,
@@ -851,7 +827,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 CHECK(ISC_R_NOMEMORY);
 }
 
- CHECK(bind9_check_key(key, named_g_lctx));
+ CHECK(isccfg_check_key(key, named_g_lctx));
 
 (void)cfg_map_get(key, "algorithm", &algobj);
 (void)cfg_map_get(key, "secret", &secretobj);
@@ -860,7 +836,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 algstr = cfg_obj_asstring(algobj);
 secretstr = cfg_obj_asstring(secretobj);
 
- result = named_config_getkeyalgorithm2(algstr, NULL, &algtype, NULL);
+ result = named_config_getkeyalgorithm(algstr, &algtype, NULL);
 if (result != ISC_R_SUCCESS) {
 cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
 "unsupported algorithm '%s' in "
@@ -919,7 +895,8 @@ get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
 control_keylist = cfg_tuple_get(control, "keys");
 
 if (!cfg_obj_isvoid(control_keylist) &&
- cfg_list_first(control_keylist) != NULL) {
+ cfg_list_first(control_keylist) != NULL)
+ {
 result = cfg_map_get(config, "key", &global_keylist);
 if (result == ISC_R_SUCCESS) {
@@ -1054,6 +1031,8 @@ update_listener(named_controls_t *cp, controllistener_t **listenerp, socktext, isc_result_totext(result)); } +#if 0 + /* XXX: no unix socket support yet */ if (result == ISC_R_SUCCESS && type == isc_socktype_unix) { uint32_t perm, owner, group; perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm")); @@ -1077,6 +1056,7 @@ update_listener(named_controls_t *cp, controllistener_t **listenerp, socktext); } } +#endif *listenerp = listener; } @@ -1104,7 +1084,7 @@ add_listener(named_controls_t *cp, controllistener_t **listenerp, ISC_LINK_INIT(listener, link); ISC_LIST_INIT(listener->keys); ISC_LIST_INIT(listener->connections); - isc_refcount_init(&listener->refs, 1); + isc_refcount_init(&listener->references, 1); /* * Make the ACL. @@ -1162,9 +1142,9 @@ add_listener(named_controls_t *cp, controllistener_t **listenerp, } #endif - CHECK(isc_nm_listentcp( - named_g_netmgr, &listener->address, control_newconn, listener, - sizeof(controlconnection_t), 5, NULL, &listener->sock)); + CHECK(isc_nm_listentcp(named_g_netmgr, ISC_NM_LISTEN_ONE, + &listener->address, control_newconn, listener, 5, + NULL, &listener->sock)); #if 0 /* XXX: no unix socket support yet */ if (type == isc_socktype_unix) { @@ -1186,7 +1166,7 @@ add_listener(named_controls_t *cp, controllistener_t **listenerp, return; cleanup: - isc_refcount_decrement(&listener->refs); + isc_refcount_decrement(&listener->references); listener->exiting = true; free_listener(listener); @@ -1202,8 +1182,6 @@ add_listener(named_controls_t *cp, controllistener_t **listenerp, } *listenerp = NULL; - - /* XXXDCL return error results? fail hard? */ } isc_result_t @@ -1464,7 +1442,6 @@ named_controls_create(named_server_t *server, named_controls_t **ctrlsp) { ISC_LIST_INIT(controls->listeners); - atomic_init(&controls->shuttingdown, false); isc_mutex_init(&controls->symtab_lock); LOCK(&controls->symtab_lock); result = isccc_cc_createsymtab(&controls->symtab); 
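Review bot: Wrapping the `perm`/`owner`/`group` handling in `#if 0` means a `unix` control clause is now accepted with its permission settings silently ignored; unless the config parser rejects `unix` control sockets elsewhere (not visible here), an operator relying on those settings gets neither the protection nor a diagnostic. Rather than dropping the block outright, keep the type check and warn (or reject), e.g. `if (result == ISC_R_SUCCESS && type == isc_socktype_unix) {` / `cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING, "unix control sockets are not supported; perm/owner/group for '%s' ignored", socktext);` / `}`. The pre-existing `#if 0` block in add_listener() raises the same question for the listen path.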
diff --git a/bin/named/dlz_dlopen_driver.c b/bin/named/dlz_dlopen_driver.c index e88ea6fc52..55c6e1e3b1 100644 --- a/bin/named/dlz_dlopen_driver.c +++ b/bin/named/dlz_dlopen_driver.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -14,16 +16,14 @@ #include #include #include -#include #include -#include #include #include +#include #include #include -#include #include #include @@ -224,12 +224,11 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], isc_mem_create(&mctx); cd = isc_mem_get(mctx, sizeof(*cd)); - memset(cd, 0, sizeof(*cd)); - - cd->mctx = mctx; - - cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]); - cd->dlzname = isc_mem_strdup(cd->mctx, dlzname); + *cd = (dlopen_data_t){ + .mctx = mctx, + .dl_path = isc_mem_strdup(mctx, argv[1]), + .dlzname = isc_mem_strdup(mctx, dlzname), + }; /* Initialize the lock */ isc_mutex_init(&cd->lock); @@ -531,8 +530,7 @@ dlz_dlopen_init(isc_mem_t *mctx) { mctx, &dlz_dlopen); if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "dns_sdlzregister() failed: %s", + UNEXPECTED_ERROR("dns_sdlzregister() failed: %s", isc_result_totext(result)); result = ISC_R_UNEXPECTED; } diff --git a/bin/named/fuzz.c b/bin/named/fuzz.c index 83fad72d17..59a7333e0c 100644 --- a/bin/named/fuzz.c +++ b/bin/named/fuzz.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -23,8 +25,8 @@ #include #include -#include #include +#include #include #include #include 
@@ -125,7 +127,7 @@ fuzz_thread_client(void *arg) { close(sockfd); named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); return (NULL); } raise(SIGSTOP); @@ -158,7 +160,7 @@ fuzz_thread_client(void *arg) { close(sockfd); named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); return (NULL); } @@ -374,7 +376,7 @@ fuzz_thread_resolver(void *arg) { close(listenfd); named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); return (NULL); } raise(SIGSTOP); @@ -574,7 +576,7 @@ fuzz_thread_resolver(void *arg) { close(sockfd); close(listenfd); named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); #ifdef __AFL_LOOP /* @@ -716,7 +718,7 @@ fuzz_thread_tcp(void *arg) { free(buf); close(sockfd); named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); return (NULL); } @@ -733,7 +735,7 @@ named_fuzz_notify(void) { #ifdef ENABLE_AFL if (getenv("AFL_CMIN")) { named_server_flushonshutdown(named_g_server, false); - isc_app_shutdown(); + isc_loopmgr_shutdown(named_g_loopmgr); return; } diff --git a/bin/named/geoip.c b/bin/named/geoip.c index f38b200505..6d94af266c 100644 --- a/bin/named/geoip.c +++ b/bin/named/geoip.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,7 +17,7 @@ #include #endif /* if defined(HAVE_GEOIP2) */ -#include +#include #include #include diff --git a/bin/named/include/dlz/dlz_dlopen_driver.h b/bin/named/include/dlz/dlz_dlopen_driver.h index b60f163747..64d6388c71 100644 
--- a/bin/named/include/dlz/dlz_dlopen_driver.h +++ b/bin/named/include/dlz/dlz_dlopen_driver.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,12 +11,10 @@ * information regarding copyright ownership. */ -#ifndef DLZ_DLOPEN_DRIVER_H -#define DLZ_DLOPEN_DRIVER_H +#pragma once isc_result_t dlz_dlopen_init(isc_mem_t *mctx); void dlz_dlopen_clear(void); -#endif /* ifndef DLZ_DLOPEN_DRIVER_H */ diff --git a/contrib/dlz/drivers/include/.clang-format b/bin/named/include/named/.clang-format similarity index 100% rename from contrib/dlz/drivers/include/.clang-format rename to bin/named/include/named/.clang-format diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h index a05371e5e5..688510137c 100644 --- a/bin/named/include/named/builtin.h +++ b/bin/named/include/named/builtin.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,17 +11,25 @@ * information regarding copyright ownership. */ -#ifndef NAMED_BUILTIN_H -#define NAMED_BUILTIN_H 1 +#pragma once /*! \file */ +#include + +#include #include +#include +#include + +/*** + *** Functions + ***/ + +/* Initialization functions for builtin zone databases */ isc_result_t named_builtin_init(void); void named_builtin_deinit(void); - -#endif /* NAMED_BUILTIN_H */ diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h index 7e005a29a1..c6ba4eae96 100644 --- a/bin/named/include/named/config.h +++ b/bin/named/include/named/config.h 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_CONFIG_H -#define NAMED_CONFIG_H 1 +#pragma once /*! \file */ @@ -26,12 +27,15 @@ isc_result_t named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf); +const char * +named_config_getdefault(void); + isc_result_t named_config_get(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj); isc_result_t -named_checknames_get(const cfg_obj_t **maps, const char *name, +named_checknames_get(const cfg_obj_t **maps, const char *const names[], const cfg_obj_t **obj); int 
@@ -49,35 +53,18 @@ dns_zonetype_t named_config_getzonetype(const cfg_obj_t *zonetypeobj); isc_result_t -named_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list, - in_port_t defport, isc_mem_t *mctx, - isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp, - uint32_t *countp); - -void -named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - isc_dscp_t **dscpsp, uint32_t count); - -isc_result_t -named_config_getprimariesdef(const cfg_obj_t *cctx, const char *name, - const cfg_obj_t **ret); +named_config_getremotesdef(const cfg_obj_t *cctx, const char *list, + const char *name, const cfg_obj_t **ret); isc_result_t -named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, - isc_mem_t *mctx, dns_ipkeylist_t *ipkl); +named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype, + const cfg_obj_t *list, isc_mem_t *mctx, + dns_ipkeylist_t *ipkl); isc_result_t named_config_getport(const cfg_obj_t *config, const char *type, in_port_t *portp); isc_result_t -named_config_getkeyalgorithm(const char *str, const dns_name_t **name, +named_config_getkeyalgorithm(const char *str, unsigned int *typep, uint16_t *digestbits); -isc_result_t -named_config_getkeyalgorithm2(const char *str, const dns_name_t **name, - unsigned int *typep, uint16_t *digestbits); - -isc_result_t -named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp); - -#endif /* NAMED_CONFIG_H */ diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h index 8c009d5c56..ee938a5973 100644 --- a/bin/named/include/named/control.h +++ b/bin/named/include/named/control.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_CONTROL_H -#define NAMED_CONTROL_H 1 +#pragma once /*! \file * \brief @@ -19,9 +20,10 @@ #include +#include + #include -#include #include #define NAMED_CONTROL_PORT 953 @@ -42,12 +44,9 @@ #define NAMED_COMMAND_FLUSHNAME "flushname" #define NAMED_COMMAND_FLUSHTREE "flushtree" #define NAMED_COMMAND_STATUS "status" -#define NAMED_COMMAND_TSIGLIST "tsig-list" -#define NAMED_COMMAND_TSIGDELETE "tsig-delete" #define NAMED_COMMAND_FREEZE "freeze" #define NAMED_COMMAND_UNFREEZE "unfreeze" #define NAMED_COMMAND_THAW "thaw" -#define NAMED_COMMAND_TIMERPOKE "timerpoke" #define NAMED_COMMAND_RECURSING "recursing" #define NAMED_COMMAND_NULL "null" #define NAMED_COMMAND_NOTIFY "notify" @@ -70,6 +69,7 @@ #define NAMED_COMMAND_DNSTAP "dnstap" #define NAMED_COMMAND_TCPTIMEOUTS "tcp-timeouts" #define NAMED_COMMAND_SERVESTALE "serve-stale" +#define NAMED_COMMAND_FETCHLIMIT "fetchlimit" isc_result_t named_controls_create(named_server_t *server, named_controls_t **ctrlsp); @@ -105,5 +105,3 @@ named_controls_shutdown(named_controls_t *controls); isc_result_t named_control_docommand(isccc_sexpr_t *message, bool readonly, isc_buffer_t **text); - -#endif /* NAMED_CONTROL_H */ diff --git a/bin/named/include/named/fuzz.h b/bin/named/include/named/fuzz.h index 4284cab904..69af8daf93 100644 --- a/bin/named/include/named/fuzz.h +++ b/bin/named/include/named/fuzz.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -11,13 +13,10 @@ #include -#ifndef NAMED_FUZZ_H -#define NAMED_FUZZ_H +#pragma once void named_fuzz_notify(void); void named_fuzz_setup(void); - -#endif /* NAMED_FUZZ_H */ 
diff --git a/bin/named/include/named/geoip.h b/bin/named/include/named/geoip.h index a462c4c32f..d1852ef9d7 100644 --- a/bin/named/include/named/geoip.h +++ b/bin/named/include/named/geoip.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 8663eaf012..03e35f2cd4 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,14 +11,14 @@ * information regarding copyright ownership. */ -#ifndef NAMED_GLOBALS_H -#define NAMED_GLOBALS_H 1 +#pragma once /*! \file */ #include #include +#include #include #include #include @@ -24,10 +26,11 @@ #include #include +#include + #include #include -#include #include #include @@ -45,10 +48,12 @@ #define NAMED_RUN_PID_DIR 1 #endif /* ifndef NAMED_RUN_PID_DIR */ -EXTERN isc_mem_t *named_g_mctx INIT(NULL); -EXTERN unsigned int named_g_cpus INIT(0); -EXTERN unsigned int named_g_udpdisp INIT(0); -EXTERN isc_taskmgr_t *named_g_taskmgr INIT(NULL); +EXTERN isc_mem_t *named_g_mctx INIT(NULL); +EXTERN unsigned int named_g_cpus INIT(0); +EXTERN unsigned int named_g_udpdisp INIT(0); +EXTERN isc_loop_t *named_g_mainloop INIT(NULL); +EXTERN isc_loopmgr_t *named_g_loopmgr INIT(NULL); +EXTERN bool named_g_loopmgr_running INIT(false); EXTERN dns_dispatchmgr_t *named_g_dispatchmgr INIT(NULL); EXTERN unsigned int named_g_cpus_detected INIT(1); 
@@ -60,10 +65,8 @@ EXTERN bool named_g_run_done INIT(false); * for really short timers, another for client timers, and one * for zone timers. */ -EXTERN isc_timermgr_t *named_g_timermgr INIT(NULL); -EXTERN isc_socketmgr_t *named_g_socketmgr INIT(NULL); -EXTERN isc_nm_t *named_g_netmgr INIT(NULL); -EXTERN cfg_parser_t *named_g_parser INIT(NULL); +EXTERN isc_nm_t *named_g_netmgr INIT(NULL); +EXTERN cfg_parser_t *named_g_parser INIT(NULL); EXTERN cfg_parser_t *named_g_addparser INIT(NULL); EXTERN const char *named_g_version INIT(PACKAGE_VERSION); EXTERN const char *named_g_product INIT(PACKAGE_NAME); 
@@ -75,40 +78,34 @@ EXTERN in_port_t named_g_port INIT(0); EXTERN in_port_t named_g_tlsport INIT(0); EXTERN in_port_t named_g_httpsport INIT(0); EXTERN in_port_t named_g_httpport INIT(0); -EXTERN isc_dscp_t named_g_dscp INIT(-1); + +EXTERN in_port_t named_g_http_listener_clients INIT(0); +EXTERN in_port_t named_g_http_streams_per_conn INIT(0); EXTERN named_server_t *named_g_server INIT(NULL); /* * Logging. */ -EXTERN isc_log_t *named_g_lctx INIT(NULL); +EXTERN isc_log_t *named_g_lctx INIT(NULL); EXTERN isc_logcategory_t *named_g_categories INIT(NULL); -EXTERN isc_logmodule_t *named_g_modules INIT(NULL); -EXTERN unsigned int named_g_debuglevel INIT(0); +EXTERN isc_logmodule_t *named_g_modules INIT(NULL); +EXTERN unsigned int named_g_debuglevel INIT(0); /* * Current configuration information. */ -EXTERN cfg_obj_t *named_g_config INIT(NULL); +EXTERN cfg_obj_t *named_g_config INIT(NULL); EXTERN const cfg_obj_t *named_g_defaults INIT(NULL); EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf"); -EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys"); +EXTERN const char *named_g_defaultbindkeys INIT(NULL); EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key"); -EXTERN dns_tsigkey_t *named_g_sessionkey INIT(NULL); -EXTERN dns_name_t named_g_sessionkeyname; -EXTERN bool named_g_conffileset INIT(false); +EXTERN dns_tsigkey_t *named_g_sessionkey INIT(NULL); +EXTERN dns_name_t named_g_sessionkeyname; +EXTERN bool named_g_conffileset INIT(false); EXTERN cfg_aclconfctx_t *named_g_aclconfctx INIT(NULL); -/* - * Initial resource limits. - */ -EXTERN isc_resourcevalue_t named_g_initstacksize INIT(0); -EXTERN isc_resourcevalue_t named_g_initdatasize INIT(0); -EXTERN isc_resourcevalue_t named_g_initcoresize INIT(0); -EXTERN isc_resourcevalue_t named_g_initopenfiles INIT(0); - /* * Misc. */ @@ -159,5 +156,3 @@ EXTERN dns_acl_t *named_g_mapped INIT(NULL); #undef EXTERN #undef INIT - -#endif /* NAMED_GLOBALS_H */ 
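Review bot: `named_g_http_listener_clients` and `named_g_http_streams_per_conn` are declared `in_port_t` (a 16-bit port type) although their names describe counts, which looks like a copy of the adjacent port declarations; unless the values are deliberately capped at 65535 elsewhere, declare them as counts: `EXTERN uint32_t named_g_http_listener_clients INIT(0);` and `EXTERN uint32_t named_g_http_streams_per_conn INIT(0);`. Separately, `named_g_defaultbindkeys` now defaults to NULL instead of `NAMED_SYSCONFDIR "/bind.keys"`; a short comment stating where the default trust anchors now come from would help readers of this header, since this is a trust-anchor source change I cannot trace from the hunk.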
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h index cf43d1c47c..f18e93a17f 100644 --- a/bin/named/include/named/log.h +++ b/bin/named/include/named/log.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_LOG_H -#define NAMED_LOG_H 1 +#pragma once /*! \file */ @@ -59,6 +60,14 @@ named_log_setsafechannels(isc_logconfig_t *lcfg); * Like named_log_setdefaultchannels(), but omits any logging to files. */ +void +named_log_setdefaultsslkeylogfile(isc_logconfig_t *lcfg); +/*% + * If the SSLKEYLOGFILE environment variable is set, sets up a default + * logging channel for writing TLS pre-master secrets to the path stored + * in that environment variable (for debugging purposes). + */ + isc_result_t named_log_setdefaultcategory(isc_logconfig_t *lcfg); /*% @@ -73,5 +82,3 @@ named_log_setunmatchedcategory(isc_logconfig_t *lcfg); void named_log_shutdown(void); - -#endif /* NAMED_LOG_H */ diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h index 216a882f58..65add46007 100644 --- a/bin/named/include/named/logconf.h +++ b/bin/named/include/named/logconf.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_LOGCONF_H -#define NAMED_LOGCONF_H 1 +#pragma once /*! \file */ 
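Review bot: The header comment for named_log_setdefaultsslkeylogfile() describes the mechanism but not its risk: the file it creates holds TLS pre-master secrets that decrypt every TLS session named handles, and the feature is enabled purely by an environment variable. Extend the comment with the operational caveat, e.g. `Do not set SSLKEYLOGFILE on a production server; the resulting file allows decryption of all TLS traffic and must be readable only by the named user.` It should also mention the `config` sentinel value that suppresses the default channel (documented only in log.c), since that is the way to control the channel's rotation and permissions from named.conf.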
@@ -22,5 +23,3 @@ named_logconfig(isc_logconfig_t *logconf, const cfg_obj_t *logstmt); * Set up the logging configuration in '*logconf' according to * the named.conf data in 'logstmt'. */ - -#endif /* NAMED_LOGCONF_H */ diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h index eae85df8f7..bed5dd9787 100644 --- a/bin/named/include/named/main.h +++ b/bin/named/include/named/main.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -22,9 +24,9 @@ /* * Commandline arguments for named; */ -#define NAMED_MAIN_ARGS "46A:c:d:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:" +#define NAMED_MAIN_ARGS "46A:c:Cd:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:" -ISC_NORETURN void +noreturn void named_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); void @@ -32,3 +34,6 @@ named_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); void named_main_setmemstats(const char *); + +void +named_main_shutdown(void *arg, int signum); diff --git a/bin/named/include/named/os.h b/bin/named/include/named/os.h index 3ae48adc24..0f7c1c5385 100644 --- a/bin/named/include/named/os.h +++ b/bin/named/include/named/os.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_OS_H -#define NAMED_OS_H 1 +#pragma once /*! \file */ 
@@ -61,9 +62,6 @@ named_os_issingleton(const char *filename); void named_os_shutdown(void); -isc_result_t -named_os_gethostname(char *buf, size_t len); - void named_os_shutdownmsg(char *command, isc_buffer_t *text); @@ -75,5 +73,3 @@ named_os_started(void); const char * named_os_uname(void); - -#endif /* NAMED_OS_H */ diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index 1628077677..509101f277 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_SERVER_H -#define NAMED_SERVER_H 1 +#pragma once /*! \file */ @@ -20,7 +21,9 @@ #include #include #include +#include #include +#include #include #include 
@@ -35,44 +38,35 @@ #include -#define NAMED_EVENTCLASS ISC_EVENTCLASS(0x4E43) -#define NAMED_EVENT_RELOAD (NAMED_EVENTCLASS + 0) -#define NAMED_EVENT_DELZONE (NAMED_EVENTCLASS + 1) -#define NAMED_EVENT_COMMAND (NAMED_EVENTCLASS + 2) -#define NAMED_EVENT_TATSEND (NAMED_EVENTCLASS + 3) - /*% * Name server state. Better here than in lots of separate global variables. */ struct named_server { unsigned int magic; - isc_mem_t * mctx; + isc_mem_t *mctx; ns_server_t *sctx; - isc_task_t *task; - char *statsfile; /*%< Statistics file name */ char *dumpfile; /*%< Dump file name */ char *secrootsfile; /*%< Secroots file name */ - char *bindkeysfile; /*%< bind.keys file name - * */ + char *bindkeysfile; /*%< bind.keys file name */ char *recfile; /*%< Recursive file name */ - bool version_set; /*%< User has set version - * */ + bool version_set; /*%< User has set version */ char *version; /*%< User-specified version */ - bool hostname_set; /*%< User has set hostname - * */ - char *hostname; /*%< User-specified hostname - * */ + bool hostname_set; /*%< User has set hostname */ + char *hostname; /*%< User-specified hostname */ +#ifdef USE_DNSRPS + char *dnsrpslib; +#endif /* ifdef USE_DNSRPS */ /* Server data structures. */ - dns_loadmgr_t * loadmgr; - dns_zonemgr_t * zonemgr; + dns_loadmgr_t *loadmgr; + dns_zonemgr_t *zonemgr; dns_viewlist_t viewlist; dns_kasplist_t kasplist; ns_interfacemgr_t *interfacemgr; - dns_db_t * in_roothints; + dns_db_t *in_roothints; isc_timer_t *interface_timer; isc_timer_t *heartbeat_timer; 
@@ -92,15 +86,15 @@ struct named_server { isc_stats_t *resolverstats; /*% Resolver stats */ isc_stats_t *sockstats; /*%< Socket stats */ - named_controls_t * controls; /*%< Control channels */ + named_controls_t *controls; /*%< Control channels */ unsigned int dispatchgen; named_dispatchlist_t dispatches; named_statschannellist_t statschannels; - dns_tsigkey_t *sessionkey; - char * session_keyfile; - dns_name_t * session_keyname; + dst_key_t *sessionkey; + char *session_keyfile; + dns_name_t *session_keyname; unsigned int session_keyalg; uint16_t session_keybits; bool interface_auto; @@ -110,6 +104,11 @@ struct named_server { dns_dtenv_t *dtenv; /*%< Dnstap environment */ char *lockfile; + + isc_tlsctx_cache_t *tlsctx_server_cache; + isc_tlsctx_cache_t *tlsctx_client_cache; + + isc_signal_t *sighup; }; #define NAMED_SERVER_MAGIC ISC_MAGIC('S', 'V', 'E', 'R') @@ -130,7 +129,7 @@ named_server_destroy(named_server_t **serverp); */ void -named_server_reloadwanted(named_server_t *server); +named_server_reloadwanted(void *arg, int signum); /*%< * Inform a server that a reload is wanted. This function * may be called asynchronously, from outside the server's task. @@ -250,19 +249,6 @@ named_server_flushnode(named_server_t *server, isc_lex_t *lex, bool tree); isc_result_t named_server_status(named_server_t *server, isc_buffer_t **text); -/*% - * Report a list of dynamic and static tsig keys, per view. - */ -isc_result_t -named_server_tsiglist(named_server_t *server, isc_buffer_t **text); - -/*% - * Delete a specific key (with optional view). - */ -isc_result_t -named_server_tsigdelete(named_server_t *server, isc_lex_t *lex, - isc_buffer_t **text); - /*% * Enable or disable updates for a zone. */ 
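Review bot: The comment on named_server_reloadwanted() still says it "may be called asynchronously, from outside the server's task", but the function is now a `(void *arg, int signum)` callback and the `task` member of struct named_server is removed in this commit, so the comment is stale. Update it to the new contract, e.g. `Signal callback: 'arg' is the named_server_t and 'signum' the delivered signal; requests a reload.` — I infer the signal association from the new `isc_signal_t *sighup` field, so confirm the wording. The change of `sessionkey` from dns_tsigkey_t to dst_key_t also deserves a comment on who owns and frees it.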
@@ -292,12 +278,6 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text); isc_result_t named_server_dumprecursing(named_server_t *server); -/*% - * Maintain a list of dispatches that require reserved ports. - */ -void -named_add_reserved_dispatch(named_server_t *server, const isc_sockaddr_t *addr); - /*% * Enable or disable dnssec validation. */ @@ -390,4 +370,9 @@ isc_result_t named_server_servestale(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text); -#endif /* NAMED_SERVER_H */ +/*% + * Report fetch-limited ADB server addresses. + */ +isc_result_t +named_server_fetchlimit(named_server_t *server, isc_lex_t *lex, + isc_buffer_t **text); diff --git a/bin/named/include/named/smf_globals.h b/bin/named/include/named/smf_globals.h index 850f6d3c91..b052822bfa 100644 --- a/bin/named/include/named/smf_globals.h +++ b/bin/named/include/named/smf_globals.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_SMF_GLOBALS_H -#define NAMED_SMF_GLOBALS_H 1 +#pragma once #include @@ -35,5 +36,3 @@ named_smf_get_instance(char **name, int debug, isc_mem_t *mctx); #undef EXTERN #undef INIT - -#endif /* NAMED_SMF_GLOBALS_H */ diff --git a/bin/named/include/named/statschannel.h b/bin/named/include/named/statschannel.h index 9779d336d8..8cce67083a 100644 --- a/bin/named/include/named/statschannel.h +++ b/bin/named/include/named/statschannel.h 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,17 +11,17 @@ * information regarding copyright ownership. */ -#ifndef NAMED_STATSCHANNEL_H -#define NAMED_STATSCHANNEL_H 1 +#pragma once /*! \file * \brief * The statistics channels built-in the name server. */ +#include + #include -#include #include #define NAMED_STATSCHANNEL_HTTPPORT 80 @@ -48,5 +50,3 @@ named_stats_dump(named_server_t *server, FILE *fp); /*%< * Dump statistics counters managed by the server to the file fp. */ - -#endif /* NAMED_STATSCHANNEL_H */ diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h index 968b09dd70..79639d625a 100644 --- a/bin/named/include/named/tkeyconf.h +++ b/bin/named/include/named/tkeyconf.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_TKEYCONF_H -#define NAMED_TKEYCONF_H 1 +#pragma once /*! \file */ @@ -40,5 +41,3 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, */ ISC_LANG_ENDDECLS - -#endif /* NAMED_TKEYCONF_H */ diff --git a/bin/named/include/named/transportconf.h b/bin/named/include/named/transportconf.h index 03142671f6..1e472ff45f 100644 --- a/bin/named/include/named/transportconf.h +++ b/bin/named/include/named/transportconf.h 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h index 27edf48c8c..240eebe130 100644 --- a/bin/named/include/named/tsigconf.h +++ b/bin/named/include/named/tsigconf.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_TSIGCONF_H -#define NAMED_TSIGCONF_H 1 +#pragma once /*! \file */ @@ -21,7 +22,7 @@ ISC_LANG_BEGINDECLS isc_result_t named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, - isc_mem_t *mctx, dns_tsig_keyring_t **ringp); + isc_mem_t *mctx, dns_tsigkeyring_t **ringp); /*%< * Create a TSIG key ring and configure it according to the 'key' * statements in the global and view configuration objects. @@ -38,5 +39,3 @@ named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, */ ISC_LANG_ENDDECLS - -#endif /* NAMED_TSIGCONF_H */ diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h index e7c4296dd9..585c14141d 100644 --- a/bin/named/include/named/types.h +++ b/bin/named/include/named/types.h 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_TYPES_H -#define NAMED_TYPES_H 1 +#pragma once /*! \file */ @@ -35,5 +36,3 @@ typedef enum { NAMED_RELOAD_IN_PROGRESS, NAMED_RELOAD_FAILED, } named_reload_t; - -#endif /* NAMED_TYPES_H */ diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index fadb3e1f38..dbecd4a79e 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -9,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef NAMED_ZONECONF_H -#define NAMED_ZONECONF_H 1 +#pragma once /*! \file */ @@ -45,7 +46,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, bool named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx); + dns_kasplist_t *kasplist); /*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return true. If the configuration data is so 
@@ -54,12 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, */ bool -named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx); +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist); /*%< * Determine if zone uses inline-signing. This is true if inline-signing - * is set to yes, or if there is a dnssec-policy on a non-dynamic zone. + * is set to yes, in the zone clause or in the zone's dnssec-policy clause. + * By default, dnssec-policy uses inline-signing. */ isc_result_t @@ -77,5 +78,3 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone, */ ISC_LANG_ENDDECLS - -#endif /* NAMED_ZONECONF_H */ diff --git a/bin/named/log.c b/bin/named/log.c index 2ae9282f96..d25382d89a 100644 --- a/bin/named/log.c +++ b/bin/named/log.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -11,7 +13,10 @@ /*! \file */ +#include + #include +#include #include @@ -46,6 +51,7 @@ isc_result_t named_log_init(bool safe) { isc_result_t result; isc_logconfig_t *lcfg = NULL; + isc_mem_t *log_mctx = NULL; named_g_categories = categories; named_g_modules = modules; @@ -53,7 +59,10 @@ named_log_init(bool safe) { /* * Setup a logging context. */ - isc_log_create(named_g_mctx, &named_g_lctx, &lcfg); + isc_mem_create(&log_mctx); + isc_mem_setname(log_mctx, "named_log"); + isc_log_create(log_mctx, &named_g_lctx, &lcfg); + isc_mem_detach(&log_mctx); /* * named-checktool.c:setup_logging() needs to be kept in sync. 
@@ -78,6 +87,8 @@ named_log_init(bool safe) { goto cleanup; } + named_log_setdefaultsslkeylogfile(lcfg); + return (ISC_R_SUCCESS); cleanup: @@ -167,6 +178,42 @@ named_log_setsafechannels(isc_logconfig_t *lcfg) { #endif /* if ISC_FACILITY != LOG_DAEMON */ } +/* + * If the SSLKEYLOGFILE environment variable is set, TLS pre-master secrets are + * logged (for debugging purposes) to the file whose path is provided in that + * variable. Set up a default logging channel which maintains up to 10 files + * containing TLS pre-master secrets, each up to 100 MB in size. If the + * SSLKEYLOGFILE environment variable is set to the string "config", suppress + * creation of the default channel, allowing custom logging channel + * configuration for TLS pre-master secrets to be provided via the "logging" + * stanza in the configuration file. + */ +void +named_log_setdefaultsslkeylogfile(isc_logconfig_t *lcfg) { + const char *sslkeylogfile_path = getenv("SSLKEYLOGFILE"); + isc_logdestination_t destination = { + .file = { + .name = sslkeylogfile_path, + .versions = 10, + .suffix = isc_log_rollsuffix_timestamp, + .maximum_size = 100 * 1024 * 1024, + }, + }; + isc_result_t result; + + if (sslkeylogfile_path == NULL || + strcmp(sslkeylogfile_path, "config") == 0) + { + return; + } + + isc_log_createchannel(lcfg, "default_sslkeylogfile", ISC_LOG_TOFILE, + ISC_LOG_INFO, &destination, 0); + result = isc_log_usechannel(lcfg, "default_sslkeylogfile", + ISC_LOGCATEGORY_SSLKEYLOG, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); +} + isc_result_t named_log_setdefaultcategory(isc_logconfig_t *lcfg) { isc_result_t result = ISC_R_SUCCESS; diff --git a/bin/named/logconf.c b/bin/named/logconf.c index 4aae8ca239..01151de8b8 100644 --- a/bin/named/logconf.c +++ b/bin/named/logconf.c 
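Review bot: named_log_setdefaultsslkeylogfile makes the mere presence of SSLKEYLOGFILE in named's environment enough to start writing TLS pre-master secrets to disk, yet the hunk leaves no trace of that in the regular log, so an operator whose unit file or wrapper script still exports the variable from a debugging session gets key material on disk silently. I would announce it where the channel is created, e.g. `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, "SSLKEYLOGFILE is set, TLS pre-master secrets are written to '%s'", sslkeylogfile_path);` — assuming named_g_lctx is already usable when named_log_init() reaches this call, which the hunk does not show. The early return also lets an empty value through (`SSLKEYLOGFILE=`), handing the channel an empty file name; extend the guard to `sslkeylogfile_path == NULL || *sslkeylogfile_path == '\0' || strcmp(sslkeylogfile_path, "config") == 0`. Nothing here constrains the mode of the file the channel creates, so the header comment should state that protecting the key log file (permissions, where it lives, when it is deleted) is the operator's responsibility.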
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,8 +17,6 @@ #include #include -#include -#include #include #include #include @@ -144,14 +144,14 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) { const cfg_obj_t *suffixobj = cfg_tuple_get(fileobj, "suffix"); int32_t versions = ISC_LOG_ROLLNEVER; isc_log_rollsuffix_t suffix = isc_log_rollsuffix_increment; - isc_offset_t size = 0; + off_t size = 0; uint64_t maxoffset; /* - * isc_offset_t is a signed integer type, so the maximum + * off_t is a signed integer type, so the maximum * value is all 1s except for the MSB. */ - switch (sizeof(isc_offset_t)) { + switch (sizeof(off_t)) { case 4: maxoffset = 0x7fffffffULL; break; @@ -159,8 +159,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) { maxoffset = 0x7fffffffffffffffULL; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } type = ISC_LOG_TOFILE; @@ -177,7 +176,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) { if (sizeobj != NULL && cfg_obj_isuint64(sizeobj) && cfg_obj_asuint64(sizeobj) < maxoffset) { - size = (isc_offset_t)cfg_obj_asuint64(sizeobj); + size = (off_t)cfg_obj_asuint64(sizeobj); } if (suffixobj != NULL && cfg_obj_isstring(suffixobj) && strcasecmp(cfg_obj_asstring(suffixobj), "timestamp") == 0) @@ -299,10 +298,6 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) { dest.file.name, isc_result_totext(result)); } - fprintf(stderr, - "isc_stdio_open '%s' failed: %s\n", - dest.file.name, - isc_result_totext(result)); } else { (void)isc_stdio_close(fp); } 
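Review bot: In channel_fromconf the `size = (off_t)cfg_obj_asuint64(sizeobj);` assignment is only reached when the configured value is below maxoffset; a larger value silently leaves `size` at 0 with no diagnostic, so a mistyped `size` on a `file` channel is accepted and presumably turns size-based rolling off instead of being rejected. I would log the rejected value on the else path (the function already has syslog()-based error reporting a few lines down) or fail the channel outright. Separately, with the two stderr fallbacks removed, an open or isplainfile failure is now reported only inside the syslog() branch whose guard starts outside the visible text; please confirm there is still a path that surfaces the error when that guard is false.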
@@ -312,8 +307,6 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) { syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s", dest.file.name, isc_result_totext(result)); } - fprintf(stderr, "isc_file_isplainfile '%s' failed: %s\n", - dest.file.name, isc_result_totext(result)); } done: @@ -332,6 +325,7 @@ named_logconfig(isc_logconfig_t *logconfig, const cfg_obj_t *logstmt) { if (logconfig != NULL) { named_log_setdefaultchannels(logconfig); + named_log_setdefaultsslkeylogfile(logconfig); } (void)cfg_map_get(logstmt, "channel", &channels); diff --git a/bin/named/main.c b/bin/named/main.c index d595e3eef8..50c5d786cb 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -13,50 +15,41 @@ #include #include +#include #include #include #include -#include #ifdef HAVE_DNSTAP #include #endif -#include #include #include #include #include #include +#include #include -#include #include #include #include #include -#include -#include -#include +#include +#include #include #include -#include #include #include +#include +#include #include #include #include #include -#include #include -#include - -#include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include #ifdef HAVE_GPERFTOOLS_PROFILER @@ -93,7 +86,12 @@ #endif /* ifdef HAVE_LIBSCF */ #include +#include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#include +#include +#endif #ifdef HAVE_LIBXML2 #include #include 
@@ -101,30 +99,26 @@ #ifdef HAVE_ZLIB #include #endif /* ifdef HAVE_ZLIB */ +#ifdef HAVE_LIBNGHTTP2 #include -/* - * Include header files for database drivers here. - */ -/* #include "xxdb.h" */ +#endif -#ifdef CONTRIB_DLZ -/* - * Include contributed DLZ drivers if appropriate. - */ -#include -#endif /* ifdef CONTRIB_DLZ */ +/* On DragonFly BSD the header does not provide jemalloc API */ +#if defined(HAVE_MALLOC_NP_H) && !defined(__DragonFly__) +#include +#include /* For M_VERSION */ +#elif defined(HAVE_JEMALLOC) +#include +#endif /* - * The maximum number of stack frames to dump on assertion failure. + * Include header files for database drivers here. */ -#ifndef BACKTRACE_MAXFRAME -#define BACKTRACE_MAXFRAME 128 -#endif /* ifndef BACKTRACE_MAXFRAME */ +/* #include "xxdb.h" */ -LIBISC_EXTERNAL_DATA extern int isc_dscp_check_value; -LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_hour; -LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_day; -LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_month; +extern unsigned int dns_zone_mkey_hour; +extern unsigned int dns_zone_mkey_day; +extern unsigned int dns_zone_mkey_month; static bool want_stats = false; static char program_name[NAME_MAX] = "named"; @@ -133,7 +127,6 @@ static char absolute_conffile[PATH_MAX]; static char saved_command_line[8192] = { 0 }; static char ellipsis[5] = { 0 }; static char version[512]; -static unsigned int maxsocks = 0; static int maxudp = 0; /* @@ -150,6 +143,9 @@ static bool nonearest = false; static bool nosoa = false; static bool notcp = false; static bool sigvalinsecs = false; +static bool transferinsecs = false; +static bool transferslowly = false; +static bool transferstuck = false; /* * -4 and -6 
@@ -157,6 +153,10 @@ static bool sigvalinsecs = false; static bool disable6 = false; static bool disable4 = false; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +static OSSL_PROVIDER *fips = NULL, *base = NULL; +#endif + void named_main_earlywarning(const char *format, ...) { va_list args; @@ -198,16 +198,13 @@ named_main_earlyfatal(const char *format, ...) { exit(1); } -ISC_NORETURN static void +noreturn static void assertion_failed(const char *file, int line, isc_assertiontype_t type, const char *cond); static void assertion_failed(const char *file, int line, isc_assertiontype_t type, const char *cond) { - void *tracebuf[BACKTRACE_MAXFRAME]; - int nframes; - /* * Handle assertion failures. */ @@ -219,24 +216,12 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type, */ isc_assertion_setcallback(NULL); - nframes = isc_backtrace(tracebuf, BACKTRACE_MAXFRAME); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "%s:%d: %s(%s) failed%s", file, line, - isc_assertion_typetotext(type), cond, - (nframes > 0) ? ", back trace" : ""); - if (nframes > 0) { - char **strs = isc_backtrace_symbols(tracebuf, nframes); - if (strs != NULL) { - for (int i = 0; i < nframes; i++) { - isc_log_write(named_g_lctx, - NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, - ISC_LOG_CRITICAL, "%s", - strs[i]); - } - } - } + "%s:%d: %s(%s) failed", file, line, + isc_assertion_typetotext(type), cond); + isc_backtrace_log(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, "exiting (due to assertion failure)"); 
@@ -252,13 +237,13 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type, exit(1); } -ISC_NORETURN static void -library_fatal_error(const char *file, int line, const char *format, - va_list args) ISC_FORMAT_PRINTF(3, 0); +noreturn static void +library_fatal_error(const char *file, int line, const char *func, + const char *format, va_list args) ISC_FORMAT_PRINTF(3, 0); static void -library_fatal_error(const char *file, int line, const char *format, - va_list args) { +library_fatal_error(const char *file, int line, const char *func, + const char *format, va_list args) { /* * Handle isc_error_fatal() calls from our libraries. */ @@ -272,7 +257,7 @@ library_fatal_error(const char *file, int line, const char *format, isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "%s:%d: fatal error:", file, line); + "%s:%d:%s(): fatal error: ", file, line, func); isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, format, args); @@ -280,7 +265,7 @@ library_fatal_error(const char *file, int line, const char *format, NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, "exiting (due to fatal error in library)"); } else { - fprintf(stderr, "%s:%d: fatal error: ", file, line); + fprintf(stderr, "%s:%d:%s(): fatal error: ", file, line, func); vfprintf(stderr, format, args); fprintf(stderr, "\n"); fflush(stderr); 
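Review bot: The `ISC_FORMAT_PRINTF(3, 0)` kept on the new library_fatal_error prototype still points at argument 3, which after the signature change is `func`, not `format`; the format string is now argument 4, so it should read `ISC_FORMAT_PRINTF(4, 0)`. As written the compiler applies printf checking to `func` and the real format/va_list pair goes unchecked, and depending on warning flags the non-literal `func` may itself trigger format warnings at call sites. The body of library_fatal_error continues past the end of this hunk.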
@@ -293,12 +278,13 @@ library_fatal_error(const char *file, int line, const char *format, } static void -library_unexpected_error(const char *file, int line, const char *format, - va_list args) ISC_FORMAT_PRINTF(3, 0); +library_unexpected_error(const char *file, int line, const char *func, + const char *format, va_list args) + ISC_FORMAT_PRINTF(3, 0); static void -library_unexpected_error(const char *file, int line, const char *format, - va_list args) { +library_unexpected_error(const char *file, int line, const char *func, + const char *format, va_list args) { /* * Handle isc_error_unexpected() calls from our libraries. */ @@ -306,12 +292,13 @@ library_unexpected_error(const char *file, int line, const char *format, if (named_g_lctx != NULL) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_ERROR, - "%s:%d: unexpected error:", file, line); + "%s:%d:%s(): unexpected error: ", file, line, + func); isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_ERROR, format, args); } else { - fprintf(stderr, "%s:%d: fatal error: ", file, line); + fprintf(stderr, "%s:%d:%s(): fatal error: ", file, line, func); vfprintf(stderr, format, args); fprintf(stderr, "\n"); fflush(stderr); @@ -329,7 +316,7 @@ usage(void) { " [-X lockfile] [-m " "{usage|trace|record|size|mctx}]\n" " [-M fill|nofill]\n" - "usage: named [-v|-V]\n"); + "usage: named [-v|-V|-C]\n"); } static void @@ -431,8 +418,6 @@ static struct flag_def { { "trace", ISC_MEM_DEBUGTRACE, false }, { "record", ISC_MEM_DEBUGRECORD, false }, { "usage", ISC_MEM_DEBUGUSAGE, false }, - { "size", ISC_MEM_DEBUGSIZE, false }, - { "mctx", ISC_MEM_DEBUGCTX, false }, { NULL, 0, false } }, mem_context_flags[] = { { "fill", ISC_MEMFLAG_FILL, false }, { "nofill", ISC_MEMFLAG_FILL, true }, 
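Review bot: Same attribute slip as in library_fatal_error: the new library_unexpected_error prototype keeps `ISC_FORMAT_PRINTF(3, 0)` although `format` is now argument 4, so it should be `ISC_FORMAT_PRINTF(4, 0)`. The rewritten stderr fallback in the same function also prints `"%s:%d:%s(): fatal error: "` for what is an unexpected, non-fatal error, while the isc_log path a few lines up says `unexpected error: `; I would change the stderr line to `fprintf(stderr, "%s:%d:%s(): unexpected error: ", file, line, func);` so the two outputs agree and operators do not mistake a recoverable condition for a crash.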
@@ -452,7 +437,8 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
 arglen = (int)(end - arg);
 for (def = defs; def->name != NULL; def++) {
 if (arglen == (int)strlen(def->name) &&
- memcmp(arg, def->name, arglen) == 0) {
+ memcmp(arg, def->name, arglen) == 0)
+ {
 if (def->value == 0) {
 clear = true;
 }
@@ -477,16 +463,109 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { } } +static void +list_dnssec_algorithms(isc_buffer_t *b) { + for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) { + if (i == DST_ALG_GSSAPI || + (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST)) + { + continue; + } + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_secalg_totext(i, b); + } + } +} + +static void +list_ds_algorithms(isc_buffer_t *b) { + for (size_t i = 0; i < 256; i++) { + if (dst_ds_digest_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_dsdigest_totext(i, b); + } + } +} + +static void +list_hmac_algorithms(isc_buffer_t *b) { + isc_buffer_t sb = *b; + for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; + i++) + { + if (i == DST_ALG_GSSAPI) { + continue; + } + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + isc_buffer_putstr(b, dst_hmac_algorithm_totext(i)); + } + } + for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b); + s++) + { + *s = toupper(*s); + } +} + +static void +logit(isc_buffer_t *b) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +printit(isc_buffer_t *b) { + printf("%.*s\n", (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +format_supported_algorithms(void (*emit)(isc_buffer_t *b)) { + isc_buffer_t b; + char buf[512]; + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + list_dnssec_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + list_ds_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + list_hmac_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, 
"TKEY mode 2 support (Diffie-Hellman): %s", "no"); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s", + dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" + : "no"); + (*emit)(&b); +} + static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL; -#if defined(HAVE_GEOIP2) isc_mem_t *mctx = NULL; + isc_result_t result; + isc_buffer_t b; + char buf[512]; +#if defined(HAVE_GEOIP2) cfg_parser_t *parser = NULL; cfg_obj_t *config = NULL; const cfg_obj_t *defaults = NULL, *obj = NULL; #endif /* if defined(HAVE_GEOIP2) */ - nghttp2_info *nginfo = NULL; printf("%s%s \n", PACKAGE_STRING, PACKAGE_DESCRIPTION, PACKAGE_SRCID); @@ -508,9 +587,6 @@ printversion(bool verbose) { #endif /* ifdef __GNUC__ */ #endif /* if defined(__ICC) || defined(__INTEL_COMPILER) */ #endif /* ifdef __clang__ */ -#ifdef _MSC_VER - printf("compiled by MSVC %d\n", _MSC_VER); -#endif /* ifdef _MSC_VER */ #ifdef __SUNPRO_C printf("compiled by Solaris Studio %x\n", __SUNPRO_C); #endif /* ifdef __SUNPRO_C */ @@ -528,9 +604,20 @@ printversion(bool verbose) { printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR, UV_VERSION_MINOR, UV_VERSION_PATCH); printf("linked to libuv version: %s\n", uv_version_string()); + printf("compiled with %s version: %s\n", RCU_FLAVOR, RCU_VERSION); +#if defined(JEMALLOC_VERSION) + printf("compiled with jemalloc version: %u.%u.%u\n", + JEMALLOC_VERSION_MAJOR, JEMALLOC_VERSION_MINOR, + JEMALLOC_VERSION_BUGFIX); +#elif defined(M_VERSION) + printf("compiled with system jemalloc version: %u\n", M_VERSION); +#endif +#if HAVE_LIBNGHTTP2 + nghttp2_info *nginfo = NULL; printf("compiled with libnghttp2 version: %s\n", NGHTTP2_VERSION); nginfo = nghttp2_version(1); printf("linked to libnghttp2 version: %s\n", nginfo->version_str); +#endif #ifdef HAVE_LIBXML2 printf("compiled with libxml2 version: %s\n", LIBXML_DOTTED_VERSION); printf("linked to libxml2 version: %s\n", xmlParserVersion); 
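Review bot: list_dnssec_algorithms, list_ds_algorithms and list_hmac_algorithms append into the fixed `char buf[512]` of format_supported_algorithms with isc_buffer_putstr and never check remaining space; list_ds_algorithms in particular probes all 256 digest identifiers, so if enough algorithms are ever reported the append will presumably fail a REQUIRE and `named -V` aborts instead of printing. A cheap guard is to test the buffer's available length before each append and stop listing when the next entry would not fit, or to size the buffer from the maximum number of entries. Minor: `list_hmac_algorithms` tests `i == DST_ALG_GSSAPI` inside the HMAC range loop; if DST_ALG_GSSAPI really lies within DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST, a one-line comment saying so would save the next reader a lookup.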
@@ -551,7 +638,19 @@ printversion(bool verbose) { printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION); printf("linked to protobuf-c version: %s\n", protobuf_c_version()); #endif /* if defined(HAVE_DNSTAP) */ - printf("threads support is enabled\n\n"); + printf("threads support is enabled\n"); + + isc_mem_create(&mctx); + result = dst_lib_init(mctx, named_g_engine); + if (result == ISC_R_SUCCESS) { + isc_buffer_init(&b, buf, sizeof(buf)); + format_supported_algorithms(printit); + printf("\n"); + dst_lib_destroy(); + } else { + printf("DST initialization failure: %s\n", + isc_result_totext(result)); + } /* * The default rndc.conf and rndc.key paths are in the same @@ -571,13 +670,11 @@ printversion(bool verbose) { printf("default paths:\n"); printf(" named configuration: %s\n", named_g_conffile); printf(" rndc configuration: %s\n", rndcconf); - printf(" DNSSEC root key: %s\n", named_g_defaultbindkeys); printf(" nsupdate session key: %s\n", named_g_defaultsessionkeyfile); printf(" named PID file: %s\n", named_g_defaultpidfile); printf(" named lock file: %s\n", named_g_defaultlockfile); #if defined(HAVE_GEOIP2) #define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - isc_mem_create(&mctx); RTC(cfg_parser_create(mctx, named_g_lctx, &parser)); RTC(named_config_parsedefaults(parser, &config)); RTC(cfg_map_get(config, "options", &defaults)); @@ -621,13 +718,9 @@ parse_T_opt(char *option) { /* * force the server to behave (or misbehave) in * specified ways for testing purposes. - * dscp=x: check that dscp values are as - * expected and assert otherwise. */ if (!strcmp(option, "dropedns")) { dropedns = true; - } else if (!strncmp(option, "dscp=", 5)) { - isc_dscp_check_value = atoi(option + 5); } else if (!strcmp(option, "ednsformerr")) { ednsformerr = true; } else if (!strcmp(option, "ednsnotimp")) { 
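Review bot: In printversion the `isc_buffer_init(&b, buf, sizeof(buf));` immediately before `format_supported_algorithms(printit);` is dead code — the callee builds its output in its own local buffer and never sees `b`, so `b` and `buf`, declared at the top of printversion in the earlier hunk, can be dropped. Also, `isc_mem_create(&mctx)` is now unconditional while the original create was only removed from the `HAVE_GEOIP2` block; the matching isc_mem_destroy() is outside the hunk, so please confirm it runs on non-GeoIP builds too, otherwise mctx is leaked at exit (harmless for -V, but noisy under memory debugging). printversion continues beyond the hunk.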
@@ -696,6 +789,12 @@ parse_T_opt(char *option) { } } else if (!strcmp(option, "sigvalinsecs")) { sigvalinsecs = true; + } else if (!strcmp(option, "transferinsecs")) { + transferinsecs = true; + } else if (!strcmp(option, "transferslowly")) { + transferslowly = true; + } else if (!strcmp(option, "transferstuck")) { + transferstuck = true; } else if (!strncmp(option, "tat=", 4)) { named_g_tat_interval = atoi(option + 4); } else { @@ -741,8 +840,7 @@ parse_port(char *arg) { named_g_httpport = port; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -792,6 +890,11 @@ parse_command_line(int argc, char *argv[]) { named_g_conffile = isc_commandline_argument; named_g_conffileset = true; break; + case 'C': + printf("# Built-in default values. " + "This is NOT the run-time configuration!\n"); + printf("%s", named_config_getdefault()); + exit(0); case 'd': named_g_debuglevel = parse_int(isc_commandline_argument, "debug " @@ -837,8 +940,7 @@ parse_command_line(int argc, char *argv[]) { want_stats = true; break; case 'S': - maxsocks = parse_int(isc_commandline_argument, - "max number of sockets"); + /* Formerly maxsocks */ break; case 't': /* XXXJAB should we make a copy? */ @@ -874,8 +976,29 @@ parse_command_line(int argc, char *argv[]) { } break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + fips = OSSL_PROVIDER_load(NULL, "fips"); + if (fips == NULL) { + ERR_clear_error(); + named_main_earlyfatal( + "Failed to load FIPS provider"); + } + base = OSSL_PROVIDER_load(NULL, "base"); + if (base == NULL) { + OSSL_PROVIDER_unload(fips); + ERR_clear_error(); + named_main_earlyfatal( + "Failed to load base provider"); + } +#endif + if (isc_fips_mode()) { /* Already in FIPS mode. */ + break; + } + if (isc_fips_set_mode(1) != ISC_R_SUCCESS) { + named_main_earlyfatal( + "setting FIPS mode failed"); + } + break; case '?': usage(); if (isc_commandline_option == '?') { 
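Review bot: `case 'S'` now swallows its argument and does nothing, so anyone still starting named with `-S <n>` from an init script gets no hint that the option has lost its effect; emit `named_main_earlywarning("option '-S' is ignored");` in place of the bare `/* Formerly maxsocks */` comment, or at least say so in usage(). In `case 'F'`, the two OSSL_PROVIDER_load() calls run before the `isc_fips_mode()` test, so a repeated `-F` loads the providers a second time and overwrites the static `fips`/`base` handles without unloading the earlier ones; moving the `if (isc_fips_mode()) { break; }` check (or an `if (fips == NULL)` guard) ahead of the loads avoids that. parse_command_line continues outside the hunk.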
@@ -890,7 +1013,7 @@ parse_command_line(int argc, char *argv[]) { "an argument", isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; default: named_main_earlyfatal("parsing options returned %d", ch); @@ -909,14 +1032,14 @@ parse_command_line(int argc, char *argv[]) { static isc_result_t create_managers(void) { - isc_result_t result; - unsigned int socks; - + /* + * Set the default named_g_cpus if it was not set from the command line + */ INSIST(named_g_cpus_detected > 0); - if (named_g_cpus == 0) { named_g_cpus = named_g_cpus_detected; } + isc_log_write( named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s", @@ -933,37 +1056,17 @@ create_managers(void) { "using %u UDP listener%s per interface", named_g_udpdisp, named_g_udpdisp == 1 ? "" : "s"); - result = isc_managers_create(named_g_mctx, named_g_cpus, - 0 /* quantum */, maxsocks, &named_g_netmgr, - &named_g_taskmgr, &named_g_timermgr, - &named_g_socketmgr); - if (result != ISC_R_SUCCESS) { - return (result); - } + isc_managers_create(&named_g_mctx, named_g_cpus, &named_g_loopmgr, + &named_g_netmgr); - isc_socketmgr_maxudp(named_g_socketmgr, maxudp); isc_nm_maxudp(named_g_netmgr, maxudp); - result = isc_socketmgr_getmaxsockets(named_g_socketmgr, &socks); - if (result == ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "using up to %u sockets", socks); - } - return (ISC_R_SUCCESS); } -static void -destroy_managers(void) { - isc_managers_destroy(&named_g_netmgr, &named_g_taskmgr, - &named_g_timermgr, &named_g_socketmgr); -} - static void setup(void) { isc_result_t result; - isc_resourcevalue_t old_openfiles; ns_server_t *sctx; #ifdef HAVE_LIBSCF char *instance = NULL; 
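Review bot: With the isc_managers_create() result no longer checked, create_managers() has no failure path left and always returns ISC_R_SUCCESS, so the `result = create_managers(); if (result != ISC_R_SUCCESS)` check in setup() (a later hunk) is now dead. I would make create_managers() `static void` and drop that check, or keep the return type and add `/* isc_managers_create() cannot fail; this always returns ISC_R_SUCCESS. */` so the next reader does not go looking for an error path. The `"using up to %u sockets"` notice also disappears without replacement; if the new netmgr has no comparable limit to report, a word in the commit message would help operators who grep for it.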
@@ -1031,16 +1134,6 @@ setup(void) { named_os_daemonize(); } - /* - * We call isc_app_start() here as some versions of FreeBSD's fork() - * destroys all the signal handling it sets up. - */ - result = isc_app_start(); - if (result != ISC_R_SUCCESS) { - named_main_earlyfatal("isc_app_start() failed: %s", - isc_result_totext(result)); - } - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "starting %s%s ", PACKAGE_STRING, @@ -1075,11 +1168,6 @@ setup(void) { #endif /* ifdef __GNUC__ */ #endif /* if defined(__ICC) || defined(__INTEL_COMPILER) */ #endif /* ifdef __clang__ */ -#ifdef _MSC_VER - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, - "compiled by MSVC %d", _MSC_VER); -#endif /* ifdef _MSC_VER */ #ifdef __SUNPRO_C isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, 
@@ -1102,6 +1190,37 @@ setup(void) { "linked to OpenSSL version: %s", SSLeay_version(SSLEAY_VERSION)); #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with libuv version: %d.%d.%d", UV_VERSION_MAJOR, + UV_VERSION_MINOR, UV_VERSION_PATCH); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "linked to libuv version: %s", uv_version_string()); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with %s version: %s", RCU_FLAVOR, RCU_VERSION); +#if defined(JEMALLOC_VERSION) + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with jemalloc version: %u.%u.%u", + JEMALLOC_VERSION_MAJOR, JEMALLOC_VERSION_MINOR, + JEMALLOC_VERSION_BUGFIX); +#elif defined(M_VERSION) + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with system jemalloc version: %u", M_VERSION); +#endif +#if HAVE_LIBNGHTTP2 + nghttp2_info *nginfo = NULL; + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with libnghttp2 version: %s", NGHTTP2_VERSION); + nginfo = nghttp2_version(1); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "linked to libnghttp2 version: %s", nginfo->version_str); +#endif #ifdef HAVE_LIBXML2 isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, 
@@ -1127,6 +1246,21 @@ setup(void) { NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "linked to zlib version: %s", zlibVersion()); #endif /* if defined(HAVE_ZLIB) && defined(ZLIB_VERSION) */ +#if defined(HAVE_GEOIP2) + /* Unfortunately, no version define on link time */ + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "linked to maxminddb version: %s", MMDB_lib_version()); +#endif /* if defined(HAVE_GEOIP2) */ +#if defined(HAVE_DNSTAP) + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with protobuf-c version: %s", + PROTOBUF_C_VERSION); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "linked to protobuf-c version: %s", protobuf_c_version()); +#endif /* if defined(HAVE_DNSTAP) */ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "----------------------------------------------------"); 
@@ -1146,39 +1280,11 @@ setup(void) { NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "----------------------------------------------------"); - /* - * Get the initial resource limits. - */ - RUNTIME_CHECK(isc_resource_getlimit(isc_resource_stacksize, - &named_g_initstacksize) == - ISC_R_SUCCESS); - RUNTIME_CHECK(isc_resource_getlimit(isc_resource_datasize, - &named_g_initdatasize) == - ISC_R_SUCCESS); - RUNTIME_CHECK(isc_resource_getlimit(isc_resource_coresize, - &named_g_initcoresize) == - ISC_R_SUCCESS); - RUNTIME_CHECK(isc_resource_getlimit(isc_resource_openfiles, - &named_g_initopenfiles) == - ISC_R_SUCCESS); - /* * System resources cannot effectively be tuned on some systems. * Raise the limit in such cases for safety. */ - old_openfiles = named_g_initopenfiles; named_os_adjustnofile(); - RUNTIME_CHECK(isc_resource_getlimit(isc_resource_openfiles, - &named_g_initopenfiles) == - ISC_R_SUCCESS); - if (old_openfiles != named_g_initopenfiles) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, - "adjusted limit on open files from " - "%" PRIu64 " to " - "%" PRIu64, - old_openfiles, named_g_initopenfiles); - } /* * If the named configuration filename is relative, prepend the current @@ -1200,11 +1306,7 @@ setup(void) { /* * Record the server's startup time. */ - result = isc_time_now(&named_g_boottime); - if (result != ISC_R_SUCCESS) { - named_main_earlyfatal("isc_time_now() failed: %s", - isc_result_totext(result)); - } + named_g_boottime = isc_time_now(); result = create_managers(); if (result != ISC_R_SUCCESS) { 
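Review bot: Dropping the before/after isc_resource_getlimit() pair also drops the `"adjusted limit on open files from ... to ..."` notice, so an operator can no longer tell from the log whether named_os_adjustnofile() actually raised RLIMIT_NOFILE — that message is one of the first things checked when a busy server starts failing with EMFILE. Unless named_os_adjustnofile() (not in this diff) now logs the adjustment itself, please have it report the old and new limits, or keep a single getlimit-and-log around the call here. setup() continues outside the hunk.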
@@ -1228,21 +1330,16 @@ setup(void) { isc_result_totext(result)); } -#if CONTRIB_DLZ - /* - * Register any other contributed DLZ drivers. - */ - result = dlz_drivers_init(); - if (result != ISC_R_SUCCESS) { - named_main_earlyfatal("dlz_drivers_init() failed: %s", - isc_result_totext(result)); - } -#endif /* if CONTRIB_DLZ */ - named_server_create(named_g_mctx, &named_g_server); ENSURE(named_g_server != NULL); sctx = named_g_server->sctx; + /* + * Report supported algorithms now that dst_lib_init() has + * been called via named_server_create(). + */ + format_supported_algorithms(logit); + /* * Modify server context according to command line options */ @@ -1285,12 +1382,19 @@ setup(void) { if (sigvalinsecs) { ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true); } + if (transferinsecs) { + ns_server_setoption(sctx, NS_SERVER_TRANSFERINSECS, true); + } + if (transferslowly) { + ns_server_setoption(sctx, NS_SERVER_TRANSFERSLOWLY, true); + } + if (transferstuck) { + ns_server_setoption(sctx, NS_SERVER_TRANSFERSTUCK, true); + } } static void cleanup(void) { - destroy_managers(); - if (named_g_mapped != NULL) { dns_acl_detach(&named_g_mapped); } @@ -1304,12 +1408,6 @@ cleanup(void) { */ /* xxdb_clear(); */ -#ifdef CONTRIB_DLZ - /* - * Unregister contributed DLZ drivers. - */ - dlz_drivers_clear(); -#endif /* ifdef CONTRIB_DLZ */ /* * Unregister "dlopen" DLZ driver. */ @@ -1354,8 +1452,7 @@ named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { if ((h = scf_handle_create(SCF_VERSION)) == NULL) { if (debug) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_create() failed: %s", + UNEXPECTED_ERROR("scf_handle_create() failed: %s", scf_strerror(scf_error())); } return (ISC_R_FAILURE); 
@@ -1363,8 +1460,7 @@ named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { if (scf_handle_bind(h) == -1) { if (debug) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_bind() failed: %s", + UNEXPECTED_ERROR("scf_handle_bind() failed: %s", scf_strerror(scf_error())); } scf_handle_destroy(h); @@ -1373,8 +1469,7 @@ named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { if ((namelen = scf_myname(h, NULL, 0)) == -1) { if (debug) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_myname() failed: %s", + UNEXPECTED_ERROR("scf_myname() failed: %s", scf_strerror(scf_error())); } scf_handle_destroy(h); @@ -1382,8 +1477,7 @@ named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { } if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "named_smf_get_instance memory " + UNEXPECTED_ERROR("named_smf_get_instance memory " "allocation failed: %s", isc_result_totext(ISC_R_NOMEMORY)); scf_handle_destroy(h); @@ -1392,8 +1486,7 @@ named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { if (scf_myname(h, instance, namelen + 1) == -1) { if (debug) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_myname() failed: %s", + UNEXPECTED_ERROR("scf_myname() failed: %s", scf_strerror(scf_error())); } scf_handle_destroy(h); 
@@ -1420,9 +1513,17 @@ main(int argc, char *argv[]) { (void)ProfilerStart(NULL); #endif /* ifdef HAVE_GPERFTOOLS_PROFILER */ -#ifdef HAVE_LIBXML2 - xmlInitThreads(); -#endif /* HAVE_LIBXML2 */ + /* + * Technically, this call is superfluous because on startup of the main + * program, the portable "C" locale is selected by default. This + * explicit call here is for a reference that the BIND 9 code base is + * not locale aware and the locale MUST be set to "C" (or "POSIX") when + * calling any BIND 9 library code. If you are calling external + * libraries that use locale, such calls must be wrapped into + * setlocale(LC_ALL, ""); before the call and setlocale(LC_ALL, "C"); + * after the call, and no BIND 9 library calls must be made in between. + */ + setlocale(LC_ALL, "C"); /* * Record version in core image. @@ -1447,13 +1548,6 @@ main(int argc, char *argv[]) { named_os_init(program_name); - dns_result_register(); - dst_result_register(); - isccc_result_register(); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ - parse_command_line(argc, argv); #ifdef ENABLE_AFL 
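Review bot: The new `setlocale(LC_ALL, "C");` discards its return value while the `(void)ProfilerStart(NULL);` two lines above explicitly casts its result away; for consistency with the file's style write `(void)setlocale(LC_ALL, "C");`. A NULL return from setlocale() means the requested locale was not selected, so if the long comment's "MUST be set to C" is meant to be enforceable rather than documentary, `INSIST(setlocale(LC_ALL, "C") != NULL);` would turn it into a checked invariant. The `<locale.h>` include that this call needs lies outside the hunk and should be confirmed.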
@@ -1483,38 +1577,27 @@ main(int argc, char *argv[]) { } } - isc_mem_create(&named_g_mctx); + setup(); isc_mem_setname(named_g_mctx, "main"); + INSIST(named_g_server != NULL); - setup(); + /* + * Start things running + */ + isc_signal_start(named_g_server->sighup); /* - * Start things running and then wait for a shutdown request - * or reload. + * Pause the loop manager in fatal. */ - do { - result = isc_app_run(); - - if (result == ISC_R_RELOAD) { - named_server_reloadwanted(named_g_server); - } else if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_app_run(): %s", - isc_result_totext(result)); - /* - * Force exit. - */ - result = ISC_R_SUCCESS; - } - } while (result != ISC_R_SUCCESS); + named_g_loopmgr_running = true; + isc_loopmgr_run(named_g_loopmgr); #ifdef HAVE_LIBSCF if (named_smf_want_disable == 1) { result = named_smf_get_instance(&instance, 1, named_g_mctx); if (result == ISC_R_SUCCESS && instance != NULL) { if (smf_disable_instance(instance, 0) != 0) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "smf_disable_instance() " + UNEXPECTED_ERROR("smf_disable_instance() " "failed for %s : %s", instance, scf_strerror(scf_error())); @@ -1530,7 +1613,6 @@ main(int argc, char *argv[]) { if (want_stats) { isc_mem_stats(named_g_mctx, stdout); - isc_mutex_stats(stdout); } if (named_g_memstatistics && memstats != NULL) { 
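Review bot: The comment `/* Pause the loop manager in fatal. */` above `named_g_loopmgr_running = true;` is a fragment that does not say what the flag is for; presumably it lets fatal error paths know the loop manager is running and may be paused, so `/* Record that the loop manager is running so that fatal error handling knows it must pause it before exiting. */` would carry the intent. The `INSIST(named_g_server != NULL);` added after `setup();` duplicates the `ENSURE(named_g_server != NULL);` that setup() itself performs right after `named_server_create()` in the earlier hunk, so one of the two can go. The replaced `isc_app_run()` loop reported failures through `UNEXPECTED_ERROR`; if `isc_loopmgr_run()` signals failure through a return value the new code discards it silently, and if it does not, a comment saying how shutdown is signalled would help the reader. Note also that `isc_mem_setname(named_g_mctx, "main")` now runs after setup() has already used the context for `named_server_create()`, so allocations made during setup() are attributed before the name is set; if that matters for the memory statistics, move the call next to wherever the context is now created.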
@@ -1538,24 +1620,34 @@ main(int argc, char *argv[]) { result = isc_stdio_open(memstats, "w", &fp); if (result == ISC_R_SUCCESS) { isc_mem_stats(named_g_mctx, fp); - isc_mutex_stats(fp); (void)isc_stdio_close(fp); } } - isc_mem_destroy(&named_g_mctx); + + isc_managers_destroy(&named_g_mctx, &named_g_loopmgr, &named_g_netmgr); + +#if ENABLE_LEAK_DETECTION + isc__tls_setdestroycheck(true); + isc__uv_setdestroycheck(true); + isc__xml_setdestroycheck(true); +#endif + isc_mem_checkdestroyed(stderr); named_main_setmemstats(NULL); - isc_app_finish(); - named_os_closedevnull(); named_os_shutdown(); -#ifdef HAVE_LIBXML2 - xmlCleanupThreads(); -#endif /* HAVE_LIBXML2 */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (base != NULL) { + OSSL_PROVIDER_unload(base); + } + if (fips != NULL) { + OSSL_PROVIDER_unload(fips); + } +#endif #ifdef HAVE_GPERFTOOLS_PROFILER ProfilerStop(); diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 39407490f6..89e76bd99c 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -1,5 +1,18 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + .. highlight: console +.. iscman:: named.conf + named.conf - configuration file for **named** --------------------------------------------- 
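Review bot: The new `OSSL_PROVIDER_unload(base)` / `OSSL_PROVIDER_unload(fips)` block refers to `base` and `fips` whose declaration and loading lie outside this hunk, and nothing at the unload site explains why it is placed after `isc_managers_destroy()` and `named_os_shutdown()`; a short comment would anchor the teardown order, e.g. `/* Release the OpenSSL 3 providers loaded at startup; keep this after isc_managers_destroy() so no TLS/DNSSEC user of them is still alive. */`, and the load site should use the same version guard. The `#if ENABLE_LEAK_DETECTION` block calls `isc__tls_setdestroycheck()`, `isc__uv_setdestroycheck()` and `isc__xml_setdestroycheck()`; if the `isc__` prefix marks library-private symbols here as it conventionally does, bin/named reaching into them deserves either a public wrapper or a comment stating why the private API is acceptable in a debug-only build. With `isc_mutex_stats()` dropped from both statistics paths, the `want_stats` and `memstats` output no longer include mutex statistics; if that is intentional, a note in the commit description or the statistics documentation would avoid surprising users of that output.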
@@ -11,1068 +24,43 @@ Synopsis Description ~~~~~~~~~~~ -``named.conf`` is the configuration file for ``named``. Statements are -enclosed in braces and terminated with a semi-colon. Clauses in the -statements are also semi-colon terminated. The usual comment styles are -supported: - -C style: /\* \*/ - - C++ style: // to end of line - -Unix style: # to end of line - -ACL -^^^ - -:: - - acl string { address_match_element; ... }; - -CONTROLS -^^^^^^^^ - -:: - - controls { - inet ( ipv4_address | ipv6_address | - * ) [ port ( integer | * ) ] allow - { address_match_element; ... } [ - keys { string; ... } ] [ read-only - boolean ]; - unix quoted_string perm integer - owner integer group integer [ - keys { string; ... } ] [ read-only - boolean ]; - }; - -DLZ -^^^ - -:: - - dlz string { - database string; - search boolean; - }; - -DNSSEC-POLICY -^^^^^^^^^^^^^ - -:: - - dnssec-policy string { - dnskey-ttl duration; - keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime - duration_or_unlimited algorithm string [ integer ]; ... }; - max-zone-ttl duration; - nsec3param [ iterations integer ] [ optout boolean ] [ - salt-length integer ]; - parent-ds-ttl duration; - parent-propagation-delay duration; - publish-safety duration; - purge-keys duration; - retire-safety duration; - signatures-refresh duration; - signatures-validity duration; - signatures-validity-dnskey duration; - zone-propagation-delay duration; - }; - -DYNDB -^^^^^ - -:: - - dyndb string quoted_string { - unspecified-text }; - -HTTP -^^^^ - -:: - - http string { - endpoints { quoted_string; ... }; - }; - -KEY -^^^ - -:: - - key string { - algorithm string; - secret string; - }; - -LOGGING -^^^^^^^ - -:: - - logging { - category string { string; ... 
}; - channel string { - buffered boolean; - file quoted_string [ versions ( unlimited | integer ) ] - [ size size ] [ suffix ( increment | timestamp ) ]; - null; - print-category boolean; - print-severity boolean; - print-time ( iso8601 | iso8601-utc | local | boolean ); - severity log_severity; - stderr; - syslog [ syslog_facility ]; - }; - }; - -MANAGED-KEYS -^^^^^^^^^^^^ +:file:`named.conf` is the configuration file for :iscman:`named`. -See DNSSEC-KEYS. +For complete documentation about the configuration statements, please refer to +the Configuration Reference section in the BIND 9 Administrator Reference +Manual. -:: +Statements are enclosed in braces and terminated with a semi-colon. +Clauses in the statements are also semi-colon terminated. The usual +comment styles are supported: - managed-keys { string ( static-key - | initial-key | static-ds | - initial-ds ) integer integer - integer quoted_string; ... };, deprecated - -MASTERS -^^^^^^^ - -:: - - masters string [ port integer ] [ dscp - integer ] { ( primaries | ipv4_address - [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls - string ]; ... }; - -OPTIONS -^^^^^^^ - -:: - - options { - allow-new-zones boolean; - allow-notify { address_match_element; ... }; - allow-query { address_match_element; ... }; - allow-query-cache { address_match_element; ... }; - allow-query-cache-on { address_match_element; ... }; - allow-query-on { address_match_element; ... }; - allow-recursion { address_match_element; ... }; - allow-recursion-on { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - also-notify [ port integer ] [ dscp integer ] { ( primaries | - ipv4_address [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls string ]; ... 
}; - alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | - * ) ] [ dscp integer ]; - answer-cookie boolean; - attach-cache string; - auth-nxdomain boolean; - auto-dnssec ( allow | maintain | off ); - automatic-interface-scan boolean; - avoid-v4-udp-ports { portrange; ... }; - avoid-v6-udp-ports { portrange; ... }; - bindkeys-file quoted_string; - blackhole { address_match_element; ... }; - cache-file quoted_string; - catalog-zones { zone string [ default-masters [ port integer ] - [ dscp integer ] { ( primaries | ipv4_address [ port - integer ] | ipv6_address [ port integer ] ) [ key - string ] [ tls string ]; ... } ] [ zone-directory - quoted_string ] [ in-memory boolean ] [ min-update-interval - duration ]; ... }; - check-dup-records ( fail | warn | ignore ); - check-integrity boolean; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-names ( primary | master | - secondary | slave | response ) ( - fail | warn | ignore ); - check-sibling boolean; - check-spf ( warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-wildcard boolean; - clients-per-query integer; - cookie-algorithm ( aes | siphash24 ); - cookie-secret string; - coresize ( default | unlimited | sizeval ); - datasize ( default | unlimited | sizeval ); - deny-answer-addresses { address_match_element; ... } [ - except-from { string; ... } ]; - deny-answer-aliases { string; ... } [ except-from { string; ... - } ]; - dialup ( notify | notify-passive | passive | refresh | boolean ); - directory quoted_string; - disable-algorithms string { string; - ... }; - disable-ds-digests string { string; - ... }; - disable-empty-zone string; - dns64 netprefix { - break-dnssec boolean; - clients { address_match_element; ... }; - exclude { address_match_element; ... }; - mapped { address_match_element; ... 
}; - recursive-only boolean; - suffix ipv6_address; - }; - dns64-contact string; - dns64-server string; - dnskey-sig-validity integer; - dnsrps-enable boolean; - dnsrps-options { unspecified-text }; - dnssec-accept-expired boolean; - dnssec-dnskey-kskonly boolean; - dnssec-loadkeys-interval integer; - dnssec-must-be-secure string boolean; - dnssec-policy string; - dnssec-secure-to-insecure boolean; - dnssec-update-mode ( maintain | no-resign ); - dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver | update ) [ - ( query | response ) ]; ... }; - dnstap-identity ( quoted_string | none | hostname ); - dnstap-output ( file | unix ) quoted_string [ size ( unlimited | - size ) ] [ versions ( unlimited | integer ) ] [ suffix ( - increment | timestamp ) ]; - dnstap-version ( quoted_string | none ); - dscp integer; - dual-stack-servers [ port integer ] { ( quoted_string [ port - integer ] [ dscp integer ] | ipv4_address [ port - integer ] [ dscp integer ] | ipv6_address [ port - integer ] [ dscp integer ] ); ... }; - dump-file quoted_string; - edns-udp-size integer; - empty-contact string; - empty-server string; - empty-zones-enable boolean; - fetch-quota-params integer fixedpoint fixedpoint fixedpoint; - fetches-per-server integer [ ( drop | fail ) ]; - fetches-per-zone integer [ ( drop | fail ) ]; - files ( default | unlimited | sizeval ); - flush-zones-on-shutdown boolean; - forward ( first | only ); - forwarders [ port integer ] [ dscp integer ] { ( ipv4_address - | ipv6_address ) [ port integer ] [ dscp integer ]; ... 
}; - fstrm-set-buffer-hint integer; - fstrm-set-flush-timeout integer; - fstrm-set-input-queue-size integer; - fstrm-set-output-notify-threshold integer; - fstrm-set-output-queue-model ( mpsc | spsc ); - fstrm-set-output-queue-size integer; - fstrm-set-reopen-interval duration; - geoip-directory ( quoted_string | none ); - glue-cache boolean;// deprecated - heartbeat-interval integer; - hostname ( quoted_string | none ); - http-port integer; - https-port integer; - interface-interval duration; - ipv4only-contact string; - ipv4only-enable boolean; - ipv4only-server string; - ixfr-from-differences ( primary | master | secondary | slave | - boolean ); - keep-response-order { address_match_element; ... }; - key-directory quoted_string; - lame-ttl duration; - listen-on [ port integer ] [ dscp - integer ] [ tls string ] [ http - string ] { - address_match_element; ... }; - listen-on-v6 [ port integer ] [ dscp - integer ] [ tls string ] [ http - string ] { - address_match_element; ... }; - lmdb-mapsize sizeval; - lock-file ( quoted_string | none ); - managed-keys-directory quoted_string; - masterfile-format ( map | raw | text ); - masterfile-style ( full | relative ); - match-mapped-addresses boolean; - max-cache-size ( default | unlimited | sizeval | percentage ); - max-cache-ttl duration; - max-clients-per-query integer; - max-ixfr-ratio ( unlimited | percentage ); - max-journal-size ( default | unlimited | sizeval ); - max-ncache-ttl duration; - max-records integer; - max-recursion-depth integer; - max-recursion-queries integer; - max-refresh-time integer; - max-retry-time integer; - max-rsa-exponent-size integer; - max-stale-ttl duration; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-udp-size integer; - max-zone-ttl ( unlimited | duration ); - memstatistics boolean; - memstatistics-file quoted_string; - message-compression boolean; - min-cache-ttl duration; - min-ncache-ttl 
duration; - min-refresh-time integer; - min-retry-time integer; - minimal-any boolean; - minimal-responses ( no-auth | no-auth-recursive | boolean ); - multi-master boolean; - new-zones-directory quoted_string; - no-case-compress { address_match_element; ... }; - nocookie-udp-size integer; - notify ( explicit | master-only | primary-only | boolean ); - notify-delay integer; - notify-rate integer; - notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] - [ dscp integer ]; - notify-to-soa boolean; - nta-lifetime duration; - nta-recheck duration; - nxdomain-redirect string; - pid-file ( quoted_string | none ); - port integer; - preferred-glue string; - prefetch integer [ integer ]; - provide-ixfr boolean; - qname-minimization ( strict | relaxed | disabled | off ); - query-source ( ( [ address ] ( ipv4_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - querylog boolean; - random-device ( quoted_string | none ); - rate-limit { - all-per-second integer; - errors-per-second integer; - exempt-clients { address_match_element; ... 
}; - ipv4-prefix-length integer; - ipv6-prefix-length integer; - log-only boolean; - max-table-size integer; - min-table-size integer; - nodata-per-second integer; - nxdomains-per-second integer; - qps-scale integer; - referrals-per-second integer; - responses-per-second integer; - slip integer; - window integer; - }; - recursing-file quoted_string; - recursion boolean; - recursive-clients integer; - request-expire boolean; - request-ixfr boolean; - request-nsid boolean; - require-server-cookie boolean; - reserved-sockets integer; - resolver-nonbackoff-tries integer; - resolver-query-timeout integer; - resolver-retry-interval integer; - response-padding { address_match_element; ... } block-size - integer; - response-policy { zone string [ add-soa boolean ] [ log - boolean ] [ max-policy-ttl duration ] [ min-update-interval - duration ] [ policy ( cname | disabled | drop | given | no-op - | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ - recursive-only boolean ] [ nsip-enable boolean ] [ - nsdname-enable boolean ]; ... } [ add-soa boolean ] [ - break-dnssec boolean ] [ max-policy-ttl duration ] [ - min-update-interval duration ] [ min-ns-dots integer ] [ - nsip-wait-recurse boolean ] [ nsdname-wait-recurse boolean - ] [ qname-wait-recurse boolean ] [ recursive-only boolean ] - [ nsip-enable boolean ] [ nsdname-enable boolean ] [ - dnsrps-enable boolean ] [ dnsrps-options { unspecified-text - } ]; - root-delegation-only [ exclude { string; ... } ]; - root-key-sentinel boolean; - rrset-order { [ class string ] [ type string ] [ name - quoted_string ] string string; ... 
}; - secroots-file quoted_string; - send-cookie boolean; - serial-query-rate integer; - serial-update-method ( date | increment | unixtime ); - server-id ( quoted_string | none | hostname ); - servfail-ttl duration; - session-keyalg string; - session-keyfile ( quoted_string | none ); - session-keyname string; - sig-signing-nodes integer; - sig-signing-signatures integer; - sig-signing-type integer; - sig-validity-interval integer [ integer ]; - sortlist { address_match_element; ... }; - stacksize ( default | unlimited | sizeval ); - stale-answer-client-timeout ( disabled | off | integer ); - stale-answer-enable boolean; - stale-answer-ttl duration; - stale-cache-enable boolean; - stale-refresh-time duration; - startup-notify-rate integer; - statistics-file quoted_string; - synth-from-dnssec boolean; - tcp-advertised-timeout integer; - tcp-clients integer; - tcp-idle-timeout integer; - tcp-initial-timeout integer; - tcp-keepalive-timeout integer; - tcp-listen-queue integer; - tcp-receive-buffer integer; - tcp-send-buffer integer; - tkey-dhkey quoted_string integer; - tkey-domain quoted_string; - tkey-gssapi-credential quoted_string; - tkey-gssapi-keytab quoted_string; - tls-port integer; - transfer-format ( many-answers | one-answer ); - transfer-message-size integer; - transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - transfers-in integer; - transfers-out integer; - transfers-per-ns integer; - trust-anchor-telemetry boolean; // experimental - try-tcp-refresh boolean; - udp-receive-buffer integer; - udp-send-buffer integer; - update-check-ksk boolean; - use-alt-transfer-source boolean; - use-v4-udp-ports { portrange; ... }; - use-v6-udp-ports { portrange; ... }; - v6-bias integer; - validate-except { string; ... 
}; - version ( quoted_string | none ); - zero-no-soa-ttl boolean; - zero-no-soa-ttl-cache boolean; - zone-statistics ( full | terse | none | boolean ); - }; - -PLUGIN -^^^^^^ - -:: - - plugin ( query ) string [ { unspecified-text - } ]; - -PRIMARIES -^^^^^^^^^ - -:: - - primaries string [ port integer ] [ dscp - integer ] { ( primaries | ipv4_address - [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls - string ]; ... }; - -SERVER -^^^^^^ - -:: - - server netprefix { - bogus boolean; - edns boolean; - edns-udp-size integer; - edns-version integer; - keys server_key; - max-udp-size integer; - notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] - [ dscp integer ]; - padding integer; - provide-ixfr boolean; - query-source ( ( [ address ] ( ipv4_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - request-expire boolean; - request-ixfr boolean; - request-nsid boolean; - send-cookie boolean; - tcp-keepalive boolean; - tcp-only boolean; - transfer-format ( many-answers | one-answer ); - transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - transfers integer; - }; - -STATISTICS-CHANNELS -^^^^^^^^^^^^^^^^^^^ - -:: - - statistics-channels { - inet ( ipv4_address | ipv6_address | - * ) [ port ( integer | * ) ] [ - allow { address_match_element; ... 
- } ]; - }; - -TLS -^^^ - -:: - - tls string { - ca-file quoted_string; - cert-file quoted_string; - ciphers string; // experimental - dh-param quoted_string; // experimental - hostname quoted_string; - key-file quoted_string; - protocols sslprotos; // experimental - }; - -TRUST-ANCHORS -^^^^^^^^^^^^^ - -:: - - trust-anchors { string ( static-key | - initial-key | static-ds | initial-ds ) - integer integer integer - quoted_string; ... }; - -TRUSTED-KEYS -^^^^^^^^^^^^ - -Deprecated - see DNSSEC-KEYS. - -:: - - trusted-keys { string integer - integer integer - quoted_string; ... };, deprecated - -VIEW -^^^^ +C style: /\* \*/ -:: +C++ style: // to end of line - view string [ class ] { - allow-new-zones boolean; - allow-notify { address_match_element; ... }; - allow-query { address_match_element; ... }; - allow-query-cache { address_match_element; ... }; - allow-query-cache-on { address_match_element; ... }; - allow-query-on { address_match_element; ... }; - allow-recursion { address_match_element; ... }; - allow-recursion-on { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - also-notify [ port integer ] [ dscp integer ] { ( primaries | - ipv4_address [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls string ]; ... }; - alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | - * ) ] [ dscp integer ]; - attach-cache string; - auth-nxdomain boolean; - auto-dnssec ( allow | maintain | off ); - cache-file quoted_string; - catalog-zones { zone string [ default-masters [ port integer ] - [ dscp integer ] { ( primaries | ipv4_address [ port - integer ] | ipv6_address [ port integer ] ) [ key - string ] [ tls string ]; ... } ] [ zone-directory - quoted_string ] [ in-memory boolean ] [ min-update-interval - duration ]; ... 
}; - check-dup-records ( fail | warn | ignore ); - check-integrity boolean; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-names ( primary | master | - secondary | slave | response ) ( - fail | warn | ignore ); - check-sibling boolean; - check-spf ( warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-wildcard boolean; - clients-per-query integer; - deny-answer-addresses { address_match_element; ... } [ - except-from { string; ... } ]; - deny-answer-aliases { string; ... } [ except-from { string; ... - } ]; - dialup ( notify | notify-passive | passive | refresh | boolean ); - disable-algorithms string { string; - ... }; - disable-ds-digests string { string; - ... }; - disable-empty-zone string; - dlz string { - database string; - search boolean; - }; - dns64 netprefix { - break-dnssec boolean; - clients { address_match_element; ... }; - exclude { address_match_element; ... }; - mapped { address_match_element; ... }; - recursive-only boolean; - suffix ipv6_address; - }; - dns64-contact string; - dns64-server string; - dnskey-sig-validity integer; - dnsrps-enable boolean; - dnsrps-options { unspecified-text }; - dnssec-accept-expired boolean; - dnssec-dnskey-kskonly boolean; - dnssec-loadkeys-interval integer; - dnssec-must-be-secure string boolean; - dnssec-policy string; - dnssec-secure-to-insecure boolean; - dnssec-update-mode ( maintain | no-resign ); - dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver | update ) [ - ( query | response ) ]; ... }; - dual-stack-servers [ port integer ] { ( quoted_string [ port - integer ] [ dscp integer ] | ipv4_address [ port - integer ] [ dscp integer ] | ipv6_address [ port - integer ] [ dscp integer ] ); ... 
}; - dyndb string quoted_string { - unspecified-text }; - edns-udp-size integer; - empty-contact string; - empty-server string; - empty-zones-enable boolean; - fetch-quota-params integer fixedpoint fixedpoint fixedpoint; - fetches-per-server integer [ ( drop | fail ) ]; - fetches-per-zone integer [ ( drop | fail ) ]; - forward ( first | only ); - forwarders [ port integer ] [ dscp integer ] { ( ipv4_address - | ipv6_address ) [ port integer ] [ dscp integer ]; ... }; - glue-cache boolean;// deprecated - ipv4only-contact string; - ipv4only-enable boolean; - ipv4only-server string; - ixfr-from-differences ( primary | master | secondary | slave | - boolean ); - key string { - algorithm string; - secret string; - }; - key-directory quoted_string; - lame-ttl duration; - lmdb-mapsize sizeval; - managed-keys { string ( - static-key | initial-key - | static-ds | initial-ds - ) integer integer - integer - quoted_string; ... };, deprecated - masterfile-format ( map | raw | text ); - masterfile-style ( full | relative ); - match-clients { address_match_element; ... }; - match-destinations { address_match_element; ... 
}; - match-recursive-only boolean; - max-cache-size ( default | unlimited | sizeval | percentage ); - max-cache-ttl duration; - max-clients-per-query integer; - max-ixfr-ratio ( unlimited | percentage ); - max-journal-size ( default | unlimited | sizeval ); - max-ncache-ttl duration; - max-records integer; - max-recursion-depth integer; - max-recursion-queries integer; - max-refresh-time integer; - max-retry-time integer; - max-stale-ttl duration; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-udp-size integer; - max-zone-ttl ( unlimited | duration ); - message-compression boolean; - min-cache-ttl duration; - min-ncache-ttl duration; - min-refresh-time integer; - min-retry-time integer; - minimal-any boolean; - minimal-responses ( no-auth | no-auth-recursive | boolean ); - multi-master boolean; - new-zones-directory quoted_string; - no-case-compress { address_match_element; ... }; - nocookie-udp-size integer; - notify ( explicit | master-only | primary-only | boolean ); - notify-delay integer; - notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] - [ dscp integer ]; - notify-to-soa boolean; - nta-lifetime duration; - nta-recheck duration; - nxdomain-redirect string; - plugin ( query ) string [ { - unspecified-text } ]; - preferred-glue string; - prefetch integer [ integer ]; - provide-ixfr boolean; - qname-minimization ( strict | relaxed | disabled | off ); - query-source ( ( [ address ] ( ipv4_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( - integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] - port ( integer | * ) ) ) [ dscp integer ]; - rate-limit { - all-per-second integer; - errors-per-second integer; - exempt-clients { 
address_match_element; ... }; - ipv4-prefix-length integer; - ipv6-prefix-length integer; - log-only boolean; - max-table-size integer; - min-table-size integer; - nodata-per-second integer; - nxdomains-per-second integer; - qps-scale integer; - referrals-per-second integer; - responses-per-second integer; - slip integer; - window integer; - }; - recursion boolean; - request-expire boolean; - request-ixfr boolean; - request-nsid boolean; - require-server-cookie boolean; - resolver-nonbackoff-tries integer; - resolver-query-timeout integer; - resolver-retry-interval integer; - response-padding { address_match_element; ... } block-size - integer; - response-policy { zone string [ add-soa boolean ] [ log - boolean ] [ max-policy-ttl duration ] [ min-update-interval - duration ] [ policy ( cname | disabled | drop | given | no-op - | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ - recursive-only boolean ] [ nsip-enable boolean ] [ - nsdname-enable boolean ]; ... } [ add-soa boolean ] [ - break-dnssec boolean ] [ max-policy-ttl duration ] [ - min-update-interval duration ] [ min-ns-dots integer ] [ - nsip-wait-recurse boolean ] [ nsdname-wait-recurse boolean - ] [ qname-wait-recurse boolean ] [ recursive-only boolean ] - [ nsip-enable boolean ] [ nsdname-enable boolean ] [ - dnsrps-enable boolean ] [ dnsrps-options { unspecified-text - } ]; - root-delegation-only [ exclude { string; ... } ]; - root-key-sentinel boolean; - rrset-order { [ class string ] [ type string ] [ name - quoted_string ] string string; ... 
}; - send-cookie boolean; - serial-update-method ( date | increment | unixtime ); - server netprefix { - bogus boolean; - edns boolean; - edns-udp-size integer; - edns-version integer; - keys server_key; - max-udp-size integer; - notify-source ( ipv4_address | * ) [ port ( integer | * - ) ] [ dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer - | * ) ] [ dscp integer ]; - padding integer; - provide-ixfr boolean; - query-source ( ( [ address ] ( ipv4_address | * ) [ port - ( integer | * ) ] ) | ( [ [ address ] ( - ipv4_address | * ) ] port ( integer | * ) ) ) [ - dscp integer ]; - query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ - port ( integer | * ) ] ) | ( [ [ address ] ( - ipv6_address | * ) ] port ( integer | * ) ) ) [ - dscp integer ]; - request-expire boolean; - request-ixfr boolean; - request-nsid boolean; - send-cookie boolean; - tcp-keepalive boolean; - tcp-only boolean; - transfer-format ( many-answers | one-answer ); - transfer-source ( ipv4_address | * ) [ port ( integer | - * ) ] [ dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( - integer | * ) ] [ dscp integer ]; - transfers integer; - }; - servfail-ttl duration; - sig-signing-nodes integer; - sig-signing-signatures integer; - sig-signing-type integer; - sig-validity-interval integer [ integer ]; - sortlist { address_match_element; ... }; - stale-answer-client-timeout ( disabled | off | integer ); - stale-answer-enable boolean; - stale-answer-ttl duration; - stale-cache-enable boolean; - stale-refresh-time duration; - synth-from-dnssec boolean; - transfer-format ( many-answers | one-answer ); - transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - trust-anchor-telemetry boolean; // experimental - trust-anchors { string ( static-key | - initial-key | static-ds | initial-ds - ) integer integer integer - quoted_string; ... 
}; - trusted-keys { string - integer integer - integer - quoted_string; ... };, deprecated - try-tcp-refresh boolean; - update-check-ksk boolean; - use-alt-transfer-source boolean; - v6-bias integer; - validate-except { string; ... }; - zero-no-soa-ttl boolean; - zero-no-soa-ttl-cache boolean; - zone string [ class ] { - allow-notify { address_match_element; ... }; - allow-query { address_match_element; ... }; - allow-query-on { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - also-notify [ port integer ] [ dscp integer ] { ( - primaries | ipv4_address [ port integer ] | - ipv6_address [ port integer ] ) [ key string ] [ - tls string ]; ... }; - alt-transfer-source ( ipv4_address | * ) [ port ( - integer | * ) ] [ dscp integer ]; - alt-transfer-source-v6 ( ipv6_address | * ) [ port ( - integer | * ) ] [ dscp integer ]; - auto-dnssec ( allow | maintain | off ); - check-dup-records ( fail | warn | ignore ); - check-integrity boolean; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-names ( fail | warn | ignore ); - check-sibling boolean; - check-spf ( warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-wildcard boolean; - database string; - delegation-only boolean; - dialup ( notify | notify-passive | passive | refresh | - boolean ); - dlz string; - dnskey-sig-validity integer; - dnssec-dnskey-kskonly boolean; - dnssec-loadkeys-interval integer; - dnssec-policy string; - dnssec-secure-to-insecure boolean; - dnssec-update-mode ( maintain | no-resign ); - file quoted_string; - forward ( first | only ); - forwarders [ port integer ] [ dscp integer ] { ( - ipv4_address | ipv6_address ) [ port integer ] [ - dscp integer ]; ... 
}; - in-view string; - inline-signing boolean; - ixfr-from-differences boolean; - journal quoted_string; - key-directory quoted_string; - masterfile-format ( map | raw | text ); - masterfile-style ( full | relative ); - masters [ port integer ] [ dscp integer ] { ( - primaries | ipv4_address [ port integer ] | - ipv6_address [ port integer ] ) [ key string ] [ - tls string ]; ... }; - max-ixfr-ratio ( unlimited | percentage ); - max-journal-size ( default | unlimited | sizeval ); - max-records integer; - max-refresh-time integer; - max-retry-time integer; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-zone-ttl ( unlimited | duration ); - min-refresh-time integer; - min-retry-time integer; - multi-master boolean; - notify ( explicit | master-only | primary-only | boolean ); - notify-delay integer; - notify-source ( ipv4_address | * ) [ port ( integer | * - ) ] [ dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer - | * ) ] [ dscp integer ]; - notify-to-soa boolean; - primaries [ port integer ] [ dscp integer ] { ( - primaries | ipv4_address [ port integer ] | - ipv6_address [ port integer ] ) [ key string ] [ - tls string ]; ... }; - request-expire boolean; - request-ixfr boolean; - serial-update-method ( date | increment | unixtime ); - server-addresses { ( ipv4_address | ipv6_address ); ... }; - server-names { string; ... 
}; - sig-signing-nodes integer; - sig-signing-signatures integer; - sig-signing-type integer; - sig-validity-interval integer [ integer ]; - transfer-source ( ipv4_address | * ) [ port ( integer | - * ) ] [ dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( - integer | * ) ] [ dscp integer ]; - try-tcp-refresh boolean; - type ( primary | master | secondary | slave | mirror | - delegation-only | forward | hint | redirect | - static-stub | stub ); - update-check-ksk boolean; - update-policy ( local | { ( deny | grant ) string ( - 6to4-self | external | krb5-self | krb5-selfsub | - krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | - name | self | selfsub | selfwild | subdomain | tcp-self - | wildcard | zonesub ) [ string ] rrtypelist; ... }; - use-alt-transfer-source boolean; - zero-no-soa-ttl boolean; - zone-statistics ( full | terse | none | boolean ); - }; - zone-statistics ( full | terse | none | boolean ); - }; +Unix style: # to end of line -ZONE -^^^^ +.. literalinclude:: ../../doc/misc/options -:: +Any of these zone statements can also be set inside the view statement. - zone string [ class ] { - allow-notify { address_match_element; ... }; - allow-query { address_match_element; ... }; - allow-query-on { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - also-notify [ port integer ] [ dscp integer ] { ( primaries | - ipv4_address [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls string ]; ... 
}; - alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | - * ) ] [ dscp integer ]; - auto-dnssec ( allow | maintain | off ); - check-dup-records ( fail | warn | ignore ); - check-integrity boolean; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-names ( fail | warn | ignore ); - check-sibling boolean; - check-spf ( warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-wildcard boolean; - database string; - delegation-only boolean; - dialup ( notify | notify-passive | passive | refresh | boolean ); - dlz string; - dnskey-sig-validity integer; - dnssec-dnskey-kskonly boolean; - dnssec-loadkeys-interval integer; - dnssec-policy string; - dnssec-secure-to-insecure boolean; - dnssec-update-mode ( maintain | no-resign ); - file quoted_string; - forward ( first | only ); - forwarders [ port integer ] [ dscp integer ] { ( ipv4_address - | ipv6_address ) [ port integer ] [ dscp integer ]; ... }; - in-view string; - inline-signing boolean; - ixfr-from-differences boolean; - journal quoted_string; - key-directory quoted_string; - masterfile-format ( map | raw | text ); - masterfile-style ( full | relative ); - masters [ port integer ] [ dscp integer ] { ( primaries | - ipv4_address [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls string ]; ... 
}; - max-ixfr-ratio ( unlimited | percentage ); - max-journal-size ( default | unlimited | sizeval ); - max-records integer; - max-refresh-time integer; - max-retry-time integer; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-zone-ttl ( unlimited | duration ); - min-refresh-time integer; - min-retry-time integer; - multi-master boolean; - notify ( explicit | master-only | primary-only | boolean ); - notify-delay integer; - notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] - [ dscp integer ]; - notify-to-soa boolean; - primaries [ port integer ] [ dscp integer ] { ( primaries | - ipv4_address [ port integer ] | ipv6_address [ port - integer ] ) [ key string ] [ tls string ]; ... }; - request-expire boolean; - request-ixfr boolean; - serial-update-method ( date | increment | unixtime ); - server-addresses { ( ipv4_address | ipv6_address ); ... }; - server-names { string; ... }; - sig-signing-nodes integer; - sig-signing-signatures integer; - sig-signing-type integer; - sig-validity-interval integer [ integer ]; - transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ - dscp integer ]; - transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) - ] [ dscp integer ]; - try-tcp-refresh boolean; - type ( primary | master | secondary | slave | mirror | - delegation-only | forward | hint | redirect | static-stub | - stub ); - update-check-ksk boolean; - update-policy ( local | { ( deny | grant ) string ( 6to4-self | - external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self - | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild - | subdomain | tcp-self | wildcard | zonesub ) [ string ] - rrtypelist; ... }; - use-alt-transfer-source boolean; - zero-no-soa-ttl boolean; - zone-statistics ( full | terse | none | boolean ); - }; +.. 
literalinclude:: ../../doc/misc/primary.zoneopt +.. literalinclude:: ../../doc/misc/secondary.zoneopt +.. literalinclude:: ../../doc/misc/mirror.zoneopt +.. literalinclude:: ../../doc/misc/forward.zoneopt +.. literalinclude:: ../../doc/misc/hint.zoneopt +.. literalinclude:: ../../doc/misc/redirect.zoneopt +.. literalinclude:: ../../doc/misc/static-stub.zoneopt +.. literalinclude:: ../../doc/misc/stub.zoneopt +.. literalinclude:: ../../doc/misc/in-view.zoneopt Files ~~~~~ -``/etc/named.conf`` +|named_conf| See Also ~~~~~~~~ -:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, :manpage:`tsig-keygen(8)`, BIND 9 Administrator Reference Manual. +:iscman:`named(8) `, :iscman:`named-checkconf(8) `, :iscman:`rndc(8) `, :iscman:`rndc-confgen(8) `, :iscman:`tsig-keygen(8) `, BIND 9 Administrator Reference Manual. diff --git a/bin/named/named.rst b/bin/named/named.rst index 60eb3fb751..698ffcdfd1 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: named +.. program:: named .. _man_named: named - Internet domain name server 
@@ -29,86 +21,114 @@ named - Internet domain name server Synopsis ~~~~~~~~ -:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-S** #max-socks] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] [**-x** cache-file] +:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] Description ~~~~~~~~~~~ -``named`` is a Domain Name System (DNS) server, part of the BIND 9 +:program:`named` is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see :rfc:`1033`, :rfc:`1034`, and :rfc:`1035`. -When invoked without arguments, ``named`` reads the default -configuration file ``/etc/named.conf``, reads any initial data, and +When invoked without arguments, :program:`named` reads the default +configuration file |named_conf|, reads any initial data, and listens for queries. Options ~~~~~~~ -``-4`` - This option tells ``named`` to use only IPv4, even if the host machine is capable of IPv6. ``-4`` and - ``-6`` are mutually exclusive. +.. option:: -4 + + This option tells :program:`named` to use only IPv4, even if the host machine is capable of IPv6. :option:`-4` and + :option:`-6` are mutually exclusive. + +.. option:: -6 -``-6`` - This option tells ``named`` to use only IPv6, even if the host machine is capable of IPv4. ``-4`` and - ``-6`` are mutually exclusive. + This option tells :program:`named` to use only IPv6, even if the host machine is capable of IPv4. :option:`-4` and + :option:`-6` are mutually exclusive. 
-``-c config-file`` - This option tells ``named`` to use ``config-file`` as its configuration file instead of the default, - ``/etc/named.conf``. To ensure that the configuration file +.. option:: -c config-file + + This option tells :program:`named` to use ``config-file`` as its configuration file instead of the default, + |named_conf|. To ensure that the configuration file can be reloaded after the server has changed its working directory due to to a possible ``directory`` option in the configuration file, ``config-file`` should be an absolute pathname. -``-d debug-level`` +.. option:: -C + + This option prints out the default built-in configuration and exits. + + NOTE: This is for debugging purposes only and is not an + accurate representation of the actual configuration used by :iscman:`named` + at runtime. + +.. option:: -d debug-level + This option sets the daemon's debug level to ``debug-level``. Debugging traces from - ``named`` become more verbose as the debug level increases. + :program:`named` become more verbose as the debug level increases. -``-D string`` - This option specifies a string that is used to identify a instance of ``named`` +.. option:: -D string + + This option specifies a string that is used to identify a instance of :program:`named` in a process listing. The contents of ``string`` are not examined. -``-E engine-name`` +.. option:: -E engine-name + When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing. When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). + +.. 
option:: -f -``-f`` This option runs the server in the foreground (i.e., do not daemonize). -``-g`` +.. option:: -F + + This options turns on FIPS (US Federal Information Processing Standards) + mode if the underlying crytographic library supports running in FIPS + mode. + +.. option:: -g + This option runs the server in the foreground and forces all logging to ``stderr``. -``-L logfile`` +.. option:: -L logfile + This option sets the log to the file ``logfile`` by default, instead of the system log. -``-M option`` - This option sets the default memory context options. If set to ``external``, - the internal memory manager is bypassed in favor of - system-provided memory allocation functions. If set to ``fill``, blocks - of memory are filled with tag values when allocated or freed, to - assist debugging of memory problems. ``nofill`` disables this behavior, - and is the default unless ``named`` has been compiled with developer - options. +.. option:: -M option + + This option sets the default (comma-separated) memory context + options. The possible flags are: + + - ``fill``: fill blocks of memory with tag values when they are + allocated or freed, to assist debugging of memory problems; this is + the implicit default if :program:`named` has been compiled with + ``--enable-developer``. + + - ``nofill``: disable the behavior enabled by ``fill``; this is the + implicit default unless :program:`named` has been compiled with + ``--enable-developer``. + +.. option:: -m flag -``-m flag`` This option turns on memory usage debugging flags. Possible flags are ``usage``, ``trace``, ``record``, ``size``, and ``mctx``. These correspond to the ``ISC_MEM_DEBUGXXXX`` flags described in ````. -``-n #cpus`` +.. option:: -n #cpus + This option creates ``#cpus`` worker threads to take advantage of multiple CPUs. 
If - not specified, ``named`` tries to determine the number of CPUs + not specified, :program:`named` tries to determine the number of CPUs present and creates one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread is created. -``-p value`` +.. option:: -p value + This option specifies the port(s) on which the server will listen for queries. If ``value`` is of the form ```` or ``dns=``, the server will listen for DNS queries on @@ -119,8 +139,9 @@ Options listen for HTTPS queries on ``portnum``; the default is 443. If ``value`` is of the form ``http=``, the server will listen for HTTP queries on ``portnum``; the default is 80. - -``-s`` + +.. option:: -s + This option writes memory usage statistics to ``stdout`` on exit. .. note:: 
@@ -128,83 +149,65 @@ Options This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. -``-S #max-socks`` - This option allows ``named`` to use up to ``#max-socks`` sockets. The default value is - 21000 on systems built with default configuration options, and 4096 - on systems built with ``configure --with-tuning=small``. - -.. warning:: +.. option:: -t directory - This option should be unnecessary for the vast majority of users. - The use of this option could even be harmful, because the specified - value may exceed the limitation of the underlying system API. It - is therefore set only when the default configuration causes - exhaustion of file descriptors and the operational environment is - known to support the specified number of sockets. Note also that - the actual maximum number is normally slightly fewer than the - specified value, because ``named`` reserves some file descriptors - for its internal use. - -``-t directory`` - This option tells ``named`` to chroot to ``directory`` after processing the command-line arguments, but + This option tells :program:`named` to chroot to ``directory`` after processing the command-line arguments, but before reading the configuration file. .. warning:: - This option should be used in conjunction with the ``-u`` option, + This option should be used in conjunction with the :option:`-u` option, as chrooting a process running as root doesn't enhance security on most systems; the way ``chroot`` is defined allows a process with root privileges to escape a chroot jail. -``-U #listeners`` - This option tells ``named`` the number of ``#listeners`` worker threads to listen on, for incoming UDP packets on - each address. If not specified, ``named`` calculates a default +.. option:: -U #listeners + + This option tells :program:`named` the number of ``#listeners`` worker threads to listen on, for incoming UDP packets on + each address. 
If not specified, :program:`named` calculates a default value based on the number of detected CPUs: 1 for 1 CPU, and the number of detected CPUs minus one for machines with more than 1 CPU. This cannot be increased to a value higher than the number of CPUs. - If ``-n`` has been set to a higher value than the number of detected - CPUs, then ``-U`` may be increased as high as that value, but no + If :option:`-n` has been set to a higher value than the number of detected + CPUs, then :option:`-U` may be increased as high as that value, but no higher. -``-u user`` +.. option:: -u user + This option sets the setuid to ``user`` after completing privileged operations, such as creating sockets that listen on privileged ports. .. note:: - On Linux, ``named`` uses the kernel's capability mechanism to drop + On Linux, :program:`named` uses the kernel's capability mechanism to drop all root privileges except the ability to ``bind`` to a privileged port and set process resource limits. Unfortunately, - this means that the ``-u`` option only works when ``named`` is run + this means that the :option:`-u` option only works when :program:`named` is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges to be retained after ``setuid``. -``-v`` +.. option:: -v + This option reports the version number and exits. -``-V`` - This option reports the version number and build options, and exits. +.. option:: -V -``-X lock-file`` - This option acquires a lock on the specified file at runtime; this helps to - prevent duplicate ``named`` instances from running simultaneously. - Use of this option overrides the ``lock-file`` option in - ``named.conf``. If set to ``none``, the lock file check is disabled. + This option reports the version number, build options, supported + cryptographics algorithms, and exits. -``-x cache-file`` - This option loads data from ``cache-file`` into the cache of the default view. +.. option:: -X lock-file -.. 
warning:: - - This option must not be used in normal operations. It is only of interest to BIND 9 - developers and may be removed or changed in a future release. + This option acquires a lock on the specified file at runtime; this helps to + prevent duplicate :program:`named` instances from running simultaneously. + Use of this option overrides the ``lock-file`` option in + :iscman:`named.conf`. If set to ``none``, the lock file check is disabled. Signals ~~~~~~~ In routine operation, signals should not be used to control the -nameserver; ``rndc`` should be used instead. +nameserver; :iscman:`rndc` should be used instead. SIGHUP This signal forces a reload of the server. 
@@ -217,25 +220,25 @@ The result of sending any other signals to the server is undefined. Configuration ~~~~~~~~~~~~~ -The ``named`` configuration file is too complex to describe in detail +The :program:`named` configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual. -``named`` inherits the ``umask`` (file creation mode mask) from the -parent process. If files created by ``named``, such as journal files, +:program:`named` inherits the ``umask`` (file creation mode mask) from the +parent process. If files created by :program:`named`, such as journal files, need to have custom permissions, the ``umask`` should be set explicitly -in the script used to start the ``named`` process. +in the script used to start the :program:`named` process. Files ~~~~~ -``/etc/named.conf`` +|named_conf| The default configuration file. -``/var/run/named/named.pid`` +|named_pid| The default process-id file. See Also ~~~~~~~~ -:rfc:`1033`, :rfc:`1034`, :rfc:`1035`, :manpage:`named-checkconf(8)`, :manpage:`named-checkzone(8)`, :manpage:`rndc(8)`, :manpage:`named.conf(5)`, BIND 9 Administrator Reference Manual. +:rfc:`1033`, :rfc:`1034`, :rfc:`1035`, :iscman:`named-checkconf(8) `, :iscman:`named-checkzone(8) `, :iscman:`rndc(8) `, :iscman:`named.conf(5) `, BIND 9 Administrator Reference Manual. diff --git a/bin/named/os.c b/bin/named/os.c index b434ff8e8b..858ccbff3f 100644 --- a/bin/named/os.c +++ b/bin/named/os.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -12,6 +14,7 @@ /*! \file */ #include #include +#include #include #include /* dev_t FreeBSD 2.1 */ #ifdef HAVE_UNAME 
@@ -34,14 +37,13 @@ #include #include -#include -#include #include #include #include #include #include +#include #include #include #ifdef HAVE_LIBSCF @@ -61,7 +63,7 @@ static struct passwd *runas_pw = NULL; static bool done_setuid = false; static int dfd[2] = { -1, -1 }; -#ifdef HAVE_SYS_CAPABILITY_H +#if HAVE_LIBCAP static bool non_root = false; static bool non_root_caps = false; 
@@ -247,7 +249,137 @@ linux_keepcaps(void) {
 }
 }
-#endif /* HAVE_SYS_CAPABILITY_H */
+#endif /* HAVE_LIBCAP */
+
+/*
+ * First define compatibility shims if {set,get}res{uid,gid} are not available
+ */
+
+#if !HAVE_GETRESGID
+static int
+getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid) {
+ *rgid = -1;
+ *egid = getegid();
+ *sgid = -1;
+
+ return (0);
+}
+#endif /* !HAVE_GETRESGID */
+
+#if !HAVE_SETRESGID
+static int
+setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
+ REQUIRE(rgid == (gid_t)-1);
+ REQUIRE(sgid == (gid_t)-1);
+
+#if HAVE_SETREGID
+ return (setregid(rgid, egid));
+#else /* HAVE_SETREGID */
+ return (setegid(egid));
+#endif /* HAVE_SETREGID */
+}
+#endif /* !HAVE_SETRESGID */
+
+#if !HAVE_GETRESUID
+static int
+getresuid(uid_t *ruid, uid_t *euid, uid_t *suid) {
+ *ruid = -1;
+ *euid = geteuid();
+ *suid = -1;
+
+ return (0);
+}
+#endif /* !HAVE_GETRESUID */
+
+#if !HAVE_SETRESUID
+static int
+setresuid(uid_t ruid, uid_t euid, uid_t suid) {
+ REQUIRE(ruid == (uid_t)-1);
+ REQUIRE(suid == (uid_t)-1);
+
+#if HAVE_SETREGID
+ return (setregid(ruid, euid));
+#else /* HAVE_SETREGID */
+ return (setegid(euid));
+#endif /* HAVE_SETREGID */
+}
+#endif /* !HAVE_SETRESUID */
+
+static int
+set_effective_gid(gid_t gid) {
+ gid_t oldgid;
+
+ if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
+ return (-1);
+ }
+
+ if (oldgid == gid) {
+ return (0);
+ }
+
+ if (setresgid(-1, gid, -1) == -1) {
+ return (-1);
+ }
+
+ if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
+ return (-1);
+ }
+
+ if (oldgid != gid) {
+ return (-1);
+ }
+
+ return (0);
+}
+
+static int
+set_effective_uid(uid_t uid) {
+ uid_t olduid;
+
+ if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
+ return (-1);
+ }
+
+ if (olduid == uid) {
+ return (0);
+ }
+
+ if (setresuid(-1, uid, -1) == -1) {
+ return (-1);
+ }
+
+ if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
+ return (-1);
+ }
+
+ if (olduid != uid) {
+ return (-1);
+ }
+
+ /* Success */
+ return
(0); +} + +static void +setperms(uid_t uid, gid_t gid) { + char strbuf[ISC_STRERRORSIZE]; + + /* + * Drop the gid privilege first, because in some cases the gid privilege + * cannot be dropped after the uid privilege has been dropped. + */ + if (set_effective_gid(gid) == -1) { + strerror_r(errno, strbuf, sizeof(strbuf)); + named_main_earlywarning("unable to set effective gid to %d: %s", + gid, strbuf); + } + + if (set_effective_uid(uid) == -1) { + strerror_r(errno, strbuf, sizeof(strbuf)); + named_main_earlywarning("unable to set effective uid to %d: %s", + uid, strbuf); + } +} static void setup_syslog(const char *progname) { @@ -263,9 +395,9 @@ setup_syslog(const char *progname) { void named_os_init(const char *progname) { setup_syslog(progname); -#ifdef HAVE_SYS_CAPABILITY_H +#if HAVE_LIBCAP linux_initialprivs(); -#endif /* ifdef HAVE_SYS_CAPABILITY_H */ +#endif /* HAVE_LIBCAP */ #ifdef SIGXFSZ signal(SIGXFSZ, SIG_IGN); #endif /* ifdef SIGXFSZ */ @@ -458,7 +590,7 @@ named_os_changeuser(void) { named_main_earlyfatal("setuid(): %s", strbuf); } -#if defined(HAVE_SYS_CAPABILITY_H) +#if HAVE_LIBCAP /* * Restore the ability of named to drop core after the setuid() * call has disabled it. @@ -470,7 +602,7 @@ named_os_changeuser(void) { } linux_minprivs(); -#endif /* if defined(HAVE_SYS_CAPABILITY_H) */ +#endif /* HAVE_LIBCAP */ } uid_t 
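Review bot: The `setresuid` compatibility shim calls the group-ID functions — `setregid(ruid, euid)` and `setegid(euid)` — so on a platform without `setresuid()` it sets the effective gid to the numeric uid value and never changes the uid; `set_effective_uid` then fails its `olduid != uid` post-check and `setperms` only warns, so the open that follows runs with the process's original uid and a wrong egid. The two returns should read `return (setreuid(ruid, euid));` and `return (seteuid(euid));`, guarded by the setreuid feature macro rather than `HAVE_SETREGID`. Separately, `set_effective_gid` and `set_effective_uid` return -1 from their post-checks without setting errno, so the `strerror_r(errno, ...)` in `setperms` can report a stale error on that path; setting `errno = EPERM;` before those returns keeps the message meaningful. Because `setperms` is void and only warns, its caller cannot tell the switch failed — returning a status would let the caller refuse to open the file under the wrong credentials. The `%d` conversions for `gid`/`uid` in the warnings also mismatch the typically unsigned `gid_t`/`uid_t` under `-Wformat`; the removed code cast to `(long)` for this reason.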
@@ -483,30 +615,56 @@ ns_os_uid(void) { void named_os_adjustnofile(void) { -#if defined(__linux__) - isc_result_t result; - isc_resourcevalue_t newvalue; + int r; + struct rlimit rl; + rlim_t rlim_old; + char strbuf[ISC_STRERRORSIZE]; - /* - * Linux: max number of open files specified by one thread doesn't seem - * to apply to other threads on Linux. - */ - newvalue = ISC_RESOURCE_UNLIMITED; + r = getrlimit(RLIMIT_NOFILE, &rl); + if (r != 0) { + goto fail; + } + + rlim_old = rl.rlim_cur; + + if (rl.rlim_cur == rl.rlim_max) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "the limit on open files is already at the " + "maximum allowed value: " + "%" PRIu64, + (uint64_t)rl.rlim_max); + return; + } - result = isc_resource_setlimit(isc_resource_openfiles, newvalue); - if (result != ISC_R_SUCCESS) { - named_main_earlywarning("couldn't adjust limit on open files"); + rl.rlim_cur = rl.rlim_max; + r = setrlimit(RLIMIT_NOFILE, &rl); + if (r != 0) { + goto fail; } -#endif /* if defined(__linux__) */ + + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "adjusted limit on open files from " + "%" PRIu64 " to " + "%" PRIu64, + (uint64_t)rlim_old, (uint64_t)rl.rlim_cur); + return; + +fail: + strerror_r(errno, strbuf, sizeof(strbuf)); + named_main_earlywarning("adjusting limit on open files failed: %s", + strbuf); + return; } void named_os_minprivs(void) { -#if defined(HAVE_SYS_CAPABILITY_H) +#if HAVE_LIBCAP linux_keepcaps(); named_os_changeuser(); linux_minprivs(); -#endif /* if defined(HAVE_SYS_CAPABILITY_H) */ +#endif /* HAVE_LIBCAP */ } static int 
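Review bot: `named_os_adjustnofile` now raises the soft `RLIMIT_NOFILE` limit straight to `rl.rlim_max` on every platform (the `#if defined(__linux__)` guard is gone), and where the hard limit is `RLIM_INFINITY` some systems reject an unlimited soft limit for this resource, so the call lands in `fail:` and the process keeps its original, possibly small, descriptor limit with only a warning. A retry of `setrlimit` with a finite value when the first attempt fails would make the adjustment effective there; failing that, the warning should include the value that was attempted. The two `isc_log_write(named_g_lctx, ...)` calls replace `named_main_earlywarning`, which presumably exists because this runs early in startup — if `named_g_lctx` is not yet configured when this is called those notices are lost, so confirm the call order. The `rlim_cur == rlim_max` branch prints `(uint64_t)rl.rlim_max`, which for `RLIM_INFINITY` is a meaningless large number; printing `unlimited` in that case would read better.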
@@ -626,56 +784,6 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) { return (-1); } -#if !HAVE_SYS_CAPABILITY_H -static void -setperms(uid_t uid, gid_t gid) { -#if defined(HAVE_SETEGID) || defined(HAVE_SETRESGID) - char strbuf[ISC_STRERRORSIZE]; -#endif /* if defined(HAVE_SETEGID) || defined(HAVE_SETRESGID) */ -#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) - gid_t oldgid, tmpg; -#endif /* if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */ -#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) - uid_t olduid, tmpu; -#endif /* if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) */ -#if defined(HAVE_SETEGID) - if (getegid() != gid && setegid(gid) == -1) { - strerror_r(errno, strbuf, sizeof(strbuf)); - named_main_earlywarning("unable to set effective " - "gid to %ld: %s", - (long)gid, strbuf); - } -#elif defined(HAVE_SETRESGID) - if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) { - if (setresgid(-1, gid, -1) == -1) { - strerror_r(errno, strbuf, sizeof(strbuf)); - named_main_earlywarning("unable to set effective " - "gid to %d: %s", - gid, strbuf); - } - } -#endif /* if defined(HAVE_SETEGID) */ - -#if defined(HAVE_SETEUID) - if (geteuid() != uid && seteuid(uid) == -1) { - strerror_r(errno, strbuf, sizeof(strbuf)); - named_main_earlywarning("unable to set effective " - "uid to %ld: %s", - (long)uid, strbuf); - } -#elif defined(HAVE_SETRESUID) - if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) { - if (setresuid(-1, uid, -1) == -1) { - strerror_r(errno, strbuf, sizeof(strbuf)); - named_main_earlywarning("unable to set effective " - "uid to %d: %s", - uid, strbuf); - } - } -#endif /* if defined(HAVE_SETEUID) */ -} -#endif /* !HAVE_SYS_CAPABILITY_H */ - FILE * named_os_openfile(const char *filename, mode_t mode, bool switch_user) { char strbuf[ISC_STRERRORSIZE], *f; 
@@ -701,19 +809,17 @@ named_os_openfile(const char *filename, mode_t mode, bool switch_user) { if (switch_user && runas_pw != NULL) { uid_t olduid = getuid(); gid_t oldgid = getgid(); -#if HAVE_SYS_CAPABILITY_H - REQUIRE(olduid == runas_pw->pw_uid); - REQUIRE(oldgid == runas_pw->pw_gid); -#else /* HAVE_SYS_CAPABILITY_H */ - /* Set UID/GID to the one we'll be running with eventually */ + + /* + * Set UID/GID to the one we'll be running with + * eventually. + */ setperms(runas_pw->pw_uid, runas_pw->pw_gid); -#endif + fd = safe_open(filename, mode, false); -#if !HAVE_SYS_CAPABILITY_H /* Restore UID/GID to previous uid/gid */ setperms(olduid, oldgid); -#endif if (fd == -1) { fd = safe_open(filename, mode, false); @@ -865,14 +971,6 @@ named_os_shutdown(void) { cleanup_lockfile(); } -isc_result_t -named_os_gethostname(char *buf, size_t len) { - int n; - - n = gethostname(buf, len); - return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE); -} - void named_os_shutdownmsg(char *command, isc_buffer_t *text) { char *last, *ptr; diff --git a/bin/named/server.c b/bin/named/server.c index 3537ae8d5e..287a0b3e50 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -14,7 +16,9 @@ #include #include #include +#include #include +#include #include #include #include 
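Review bot: The `REQUIRE(olduid == runas_pw->pw_uid)` / `REQUIRE(oldgid == runas_pw->pw_gid)` checks that covered the capability build are dropped in favour of an unconditional `setperms()` call, and since `setperms` only warns when the credential switch fails, the following `fd = safe_open(filename, mode, false)` runs with whatever credentials the process actually has, and the unchanged fallback after `setperms(olduid, oldgid)` repeats the open with the original ones. If a failed switch must not create the file as the original user, `setperms` needs to report failure and `named_os_openfile` should return `NULL` in that case instead of falling through. On libcap builds the removed assertion presumably held because `named_os_changeuser` has already run, in which case `setperms` short-circuits on equal ids; a comment stating that invariant, e.g. `/* With libcap the process already runs as runas_pw, so this is a no-op. */`, would keep what the REQUIRE documented. The function body continues outside the hunk.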
@@ -24,33 +28,37 @@ #include #endif +#ifdef HAVE_LIBSYSTEMD +#include +#endif + #include -#include +#include #include #include #include #include #include +#include #include #include #include #include +#include #include +#include #include +#include #include #include -#include #include -#include #include -#include +#include +#include #include -#include -#include #include #include #include -#include #include #include @@ -65,7 +73,6 @@ #include #include #include -#include #include #include #include @@ -74,9 +81,9 @@ #include #include #include -#include #include #include +#include #include #include #include @@ -102,8 +109,8 @@ #include #include -#include +#include #include #include #include @@ -113,8 +120,6 @@ #include #include -#include - #include #include #if defined(HAVE_GEOIP2) @@ -138,11 +143,9 @@ #ifdef HAVE_LMDB #include -#define count_newzones count_newzones_db #define configure_newzones configure_newzones_db #define dumpzone dumpzone_db #else /* HAVE_LMDB */ -#define count_newzones count_newzones_file #define configure_newzones configure_newzones_file #define dumpzone dumpzone_file #endif /* HAVE_LMDB */ @@ -155,20 +158,6 @@ #define SIZE_AS_PERCENT ((size_t)-2) #endif /* ifndef SIZE_AS_PERCENT */ -#ifndef ARRAYSIZE -#define ARRAYSIZE(x) (sizeof(x) / sizeof(x[0])) -#endif - -#ifdef TUNE_LARGE -#define RESOLVER_NTASKS_PERCPU 32 -#define UDPBUFFERS 32768 -#define EXCLBUFFERS 32768 -#else -#define RESOLVER_NTASKS_PERCPU 8 -#define UDPBUFFERS 1000 -#define EXCLBUFFERS 4096 -#endif /* TUNE_LARGE */ - /* RFC7828 defines timeout as 16-bit value specified in units of 100 * milliseconds, so the maximum and minimum advertised and keepalive * timeouts are capped by the data type (it's ~109 minutes) 
@@ -226,12 +215,13 @@ } \ } while (0) -#define CHECKFATAL(op, msg) \ - do { \ - result = (op); \ - if (result != ISC_R_SUCCESS) \ - fatal(server, msg, result); \ - } while (0) +#define CHECKFATAL(op, msg) \ + { \ + result = (op); \ + if (result != ISC_R_SUCCESS) { \ + fatal(msg, result); \ + } \ + } /*% * Maximum ADB size for views that share a cache. Use this limit to suppress @@ -272,7 +262,7 @@ struct dumpcontext { dns_dumpctx_t *mdctx; dns_db_t *db; dns_db_t *cache; - isc_task_t *task; + isc_loop_t *loop; dns_dbversion_t *version; }; @@ -322,14 +312,20 @@ typedef struct { named_server_t *server; } catz_cb_data_t; -typedef struct catz_chgzone_event { - ISC_EVENT_COMMON(struct catz_chgzone_event); +typedef struct catz_chgzone { + isc_mem_t *mctx; dns_catz_entry_t *entry; dns_catz_zone_t *origin; dns_view_t *view; catz_cb_data_t *cbd; bool mod; -} catz_chgzone_event_t; +} catz_chgzone_t; + +typedef enum { + CATZ_ADDZONE, + CATZ_MODZONE, + CATZ_DELZONE, +} catz_type_t; typedef struct { unsigned int magic; 
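Review bot: CHECKFATAL now expands to a bare `{ ... }` block instead of `do { ... } while (0)`, so `CHECKFATAL(op, msg);` followed by `else` becomes a syntax error and the invocation's trailing semicolon is a stray empty statement; the macro immediately above it in the same hunk still ends in `} while (0)`, so the two are inconsistent. Keep the statement-safe wrapper: `do { result = (op); if (result != ISC_R_SUCCESS) { fatal(msg, result); } } while (0)`.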
@@ -406,25 +402,29 @@ const char *empty_zones[] = { NULL }; -ISC_NORETURN static void -fatal(named_server_t *server, const char *msg, isc_result_t result); +noreturn static void +fatal(const char *msg, isc_result_t result); static void -named_server_reload(isc_task_t *task, isc_event_t *event); +named_server_reload(void *arg); +#ifdef HAVE_LIBNGHTTP2 static isc_result_t -listenelt_http(const cfg_obj_t *http, bool tls, const char *key, - const char *cert, in_port_t port, isc_mem_t *mctx, - ns_listenelt_t **target); +listenelt_http(const cfg_obj_t *http, const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, in_port_t port, + isc_mem_t *mctx, ns_listenelt_t **target); +#endif static isc_result_t listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, uint16_t family, - ns_listenelt_t **target); + isc_tlsctx_cache_t *tlsctx_cache, ns_listenelt_t **target); static isc_result_t listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, uint16_t family, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenlist_t **target); static isc_result_t 
@@ -438,25 +438,29 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view, static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, + const cfg_obj_t *vconfig, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, bool modify); +static void +configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, + dns_view_t *view); + static isc_result_t configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, cfg_aclconfctx_t *actx); + cfg_aclconfctx_t *actx); + +static const cfg_obj_t * +find_maplist(const cfg_obj_t *config, const char *listname, const char *name); static isc_result_t add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx); -static void -end_reserved_dispatches(named_server_t *server, bool all); - static void newzone_cfgctx_destroy(void **cfgp); -static inline isc_result_t +static isc_result_t putstr(isc_buffer_t **b, const char *str); static isc_result_t @@ -465,16 +469,10 @@ putmem(isc_buffer_t **b, const char *str, size_t len); static isc_result_t putuint8(isc_buffer_t **b, uint8_t val); -static inline isc_result_t +static isc_result_t putnull(isc_buffer_t **b); -static int -count_zones(const cfg_obj_t *conf); - #ifdef HAVE_LMDB -static isc_result_t -migrate_nzf(dns_view_t *view); - static isc_result_t nzd_writable(dns_view_t *view); 
@@ -489,14 +487,14 @@ nzd_env_close(dns_view_t *view); static isc_result_t nzd_close(MDB_txn **txnp, bool commit); - -static isc_result_t -nzd_count(dns_view_t *view, int *countp); #else /* ifdef HAVE_LMDB */ static isc_result_t nzf_append(dns_view_t *view, const cfg_obj_t *zconfig); #endif /* ifdef HAVE_LMDB */ +static isc_result_t +load_nzf(dns_view_t *view, ns_cfgctx_t *nzcfg); + /*% * Configure a single view ACL at '*aclp'. Get its configuration from * 'vconfig' (for per-view configuration) and maybe from 'config' @@ -605,21 +603,23 @@ configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config, static isc_result_t configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, const char *confname, const char *conftuplename, - isc_mem_t *mctx, dns_rbt_t **rbtp) { - isc_result_t result; + isc_mem_t *mctx, dns_nametree_t **ntp) { + isc_result_t result = ISC_R_SUCCESS; const cfg_obj_t *maps[3]; const cfg_obj_t *obj = NULL; - const cfg_listelt_t *element; + const cfg_listelt_t *element = NULL; int i = 0; dns_fixedname_t fixed; - dns_name_t *name; + dns_name_t *name = NULL; isc_buffer_t b; - const char *str; - const cfg_obj_t *nameobj; + const char *str = NULL; + const cfg_obj_t *nameobj = NULL; - if (*rbtp != NULL) { - dns_rbt_destroy(rbtp); + if (*ntp != NULL) { + dns_nametree_detach(ntp); } + dns_nametree_create(mctx, DNS_NAMETREE_BOOL, confname, ntp); + if (vconfig != NULL) { maps[i++] = cfg_tuple_get(vconfig, "options"); } @@ -635,7 +635,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, (void)named_config_get(maps, confname, &obj); if (obj == NULL) { /* - * No value available. *rbtp == NULL. + * No value available. *ntp == NULL. */ return (ISC_R_SUCCESS); } 
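Review bot: The comment at the `obj == NULL` early return in the @@ -635 hunk, `No value available. *ntp == NULL.`, is no longer true: `dns_nametree_create(mctx, DNS_NAMETREE_BOOL, confname, ntp)` now runs before `named_config_get` in the @@ -605 hunk, so `*ntp` is an empty tree at that point (assuming dns_nametree_create populates `*ntp`, which is not visible here). Change it to `/* No value available; *ntp is an empty tree. */`, and check that callers which tested the old `*rbtp == NULL` to mean "not configured" do not still rely on NULL.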
@@ -647,11 +647,6 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, } } - result = dns_rbt_create(mctx, NULL, NULL, rbtp); - if (result != ISC_R_SUCCESS) { - return (result); - } - name = dns_fixedname_initname(&fixed); for (element = cfg_list_first(obj); element != NULL; element = cfg_list_next(element)) @@ -661,14 +656,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, isc_buffer_constinit(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); - /* - * We don't need the node data, but need to set dummy data to - * avoid a partial match with an empty node. For example, if - * we have foo.example.com and bar.example.com, we'd get a match - * for baz.example.com, which is not the expected result. - * We simply use (void *)1 as the dummy data. - */ - result = dns_rbt_addname(*rbtp, name, (void *)1); + result = dns_nametree_add(*ntp, name, true); if (result != ISC_R_SUCCESS) { cfg_obj_log(nameobj, named_g_lctx, ISC_LOG_ERROR, "failed to add %s for %s: %s", str, @@ -677,10 +665,10 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, } } - return (result); + return (ISC_R_SUCCESS); cleanup: - dns_rbt_destroy(rbtp); + dns_nametree_detach(ntp); return (result); } @@ -869,8 +857,7 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp, break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -879,6 +866,13 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp, return (result); } +static void +sfd_add(const dns_name_t *name, void *arg) { + if (arg != NULL) { + dns_view_sfd_add(arg, name); + } +} + /*% * Parse 'key' in the context of view configuration 'vconfig'. If successful, * add the key to 'secroots' if both of the following conditions are true: 
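Review bot: `sfd_add` is introduced without a header comment, and its `void *arg` is handed straight to `dns_view_sfd_add`, so the expected argument type is only discoverable from the `process_key` hunk where `view` is passed as the callback argument to `dns_keytable_add`. A comment such as `/* dns_keytable_add() callback: registers each trust-anchor name with the view passed as 'arg' (a dns_view_t *, may be NULL) via dns_view_sfd_add(). */` would document the contract; what dns_view_sfd_add does with the name is not visible here.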
@@ -892,8 +886,7 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp, */ static isc_result_t process_key(const cfg_obj_t *key, dns_keytable_t *secroots, - const dns_name_t *keyname_match, dns_resolver_t *resolver, - bool managed) { + const dns_name_t *keyname_match, dns_view_t *view, bool managed) { dns_fixedname_t fkeyname; dns_name_t *keyname = NULL; const char *namestr = NULL; @@ -966,7 +959,8 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots, * its owner name. If it does not, do not load the key and log a * warning, but do not prevent further keys from being processed. */ - if (!dns_resolver_algorithm_supported(resolver, keyname, ds.algorithm)) + if (!dns_resolver_algorithm_supported(view->resolver, keyname, + ds.algorithm)) { cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING, "ignoring %s for '%s': algorithm is disabled", @@ -983,7 +977,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots, * 'managed' and 'initializing' arguments to dns_keytable_add(). */ result = dns_keytable_add(secroots, initializing, initializing, keyname, - &ds); + &ds, sfd_add, view); done: return (result); @@ -1009,9 +1003,10 @@ load_view_keys(const cfg_obj_t *keys, dns_view_t *view, bool managed, keylist = cfg_listelt_value(elt); for (elt2 = cfg_list_first(keylist); elt2 != NULL; - elt2 = cfg_list_next(elt2)) { + elt2 = cfg_list_next(elt2)) + { CHECK(process_key(cfg_listelt_value(elt2), secroots, - keyname, view->resolver, managed)); + keyname, view, managed)); } } @@ -1042,7 +1037,7 @@ keyloaded(dns_view_t *view, const dns_name_t *name) { result = dns_keytable_find(secroots, name, &keynode); if (keynode != NULL) { - dns_keytable_detachkeynode(secroots, &keynode); + dns_keynode_detach(&keynode); } if (secroots != NULL) { dns_keytable_detach(&secroots); 
@@ -1060,7 +1055,7 @@ keyloaded(dns_view_t *view, const dns_name_t *name) { static isc_result_t configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *config, const cfg_obj_t *bindkeys, - bool auto_root, isc_mem_t *mctx) { + bool auto_root) { isc_result_t result = ISC_R_SUCCESS; const cfg_obj_t *view_keys = NULL; const cfg_obj_t *global_keys = NULL; @@ -1077,7 +1072,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, /* We don't need trust anchors for the _bind view */ if (strcmp(view->name, "_bind") == 0 && - view->rdclass == dns_rdataclass_chaos) { + view->rdclass == dns_rdataclass_chaos) + { return (ISC_R_SUCCESS); } @@ -1113,21 +1109,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, maps[i++] = named_g_defaults; maps[i] = NULL; - result = dns_view_initsecroots(view, mctx); - if (result != ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "couldn't create keytable"); - return (ISC_R_UNEXPECTED); - } - - result = dns_view_initntatable(view, named_g_taskmgr, named_g_timermgr); - if (result != ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "couldn't create NTA table"); - return (ISC_R_UNEXPECTED); - } + dns_view_initsecroots(view); + dns_view_initntatable(view, named_g_loopmgr); if (auto_root && view->rdclass == dns_rdataclass_in) { const cfg_obj_t *builtin_keys = NULL; @@ -1217,7 +1200,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, } } - CHECK(add_keydata_zone(view, directory, named_g_mctx)); + if (auto_root) { + CHECK(add_keydata_zone(view, directory, named_g_mctx)); + } cleanup: return (result); 
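Review bot: The new `if (auto_root) { CHECK(add_keydata_zone(view, directory, named_g_mctx)); }` guard has no comment explaining why the keydata zone is now created only for automatic validation, while `process_key` in this file still passes `managed`/`initializing` to `dns_keytable_add` for explicitly configured initial keys. If such anchors still need RFC 5011 state storage when `auto_root` is false they would be left without a keydata zone; if not, a one-line comment such as `/* Only auto-validation uses the managed-keys (keydata) zone. */` would record the intent. The bare `dns_view_initsecroots(view); dns_view_initntatable(view, named_g_loopmgr);` calls replace logged error returns, which is fine only if those functions can no longer fail.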
@@ -1258,15 +1243,11 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) { */ static isc_result_t get_view_querysource_dispatch(const cfg_obj_t **maps, int af, - dns_dispatch_t **dispatchp, isc_dscp_t *dscpp, - bool is_firstview) { + dns_dispatch_t **dispatchp, bool is_firstview) { isc_result_t result = ISC_R_FAILURE; - dns_dispatch_t *disp; + dns_dispatch_t *disp = NULL; isc_sockaddr_t sa; - unsigned int attrs, attrmask; const cfg_obj_t *obj = NULL; - unsigned int maxdispatchbuffers = UDPBUFFERS; - isc_dscp_t dscp = -1; switch (af) { case AF_INET: @@ -1278,18 +1259,12 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, int af, INSIST(result == ISC_R_SUCCESS); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } sa = *(cfg_obj_assockaddr(obj)); INSIST(isc_sockaddr_pf(&sa) == af); - dscp = cfg_obj_getdscp(obj); - if (dscp != -1 && dscpp != NULL) { - *dscpp = dscp; - } - /* * If we don't support this address family, we're done! */ @@ -1301,8 +1276,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, int af, result = isc_net_probeipv6(); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (result != ISC_R_SUCCESS) { return (ISC_R_SUCCESS); @@ -1311,20 +1285,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, int af, /* * Try to find a dispatcher that we can share. */ - attrs = 0; - attrs |= DNS_DISPATCHATTR_UDP; - switch (af) { - case AF_INET: - attrs |= DNS_DISPATCHATTR_IPV4; - break; - case AF_INET6: - attrs |= DNS_DISPATCHATTR_IPV6; - break; - } - if (isc_sockaddr_getport(&sa) == 0) { - attrs |= DNS_DISPATCHATTR_EXCLUSIVE; - maxdispatchbuffers = EXCLBUFFERS; - } else { + if (isc_sockaddr_getport(&sa) != 0) { INSIST(obj != NULL); if (is_firstview) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO, 
@@ -1334,18 +1295,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, int af, } } - attrmask = 0; - attrmask |= DNS_DISPATCHATTR_UDP; - attrmask |= DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4; - attrmask |= DNS_DISPATCHATTR_IPV6; - - disp = NULL; - result = dns_dispatch_getudp(named_g_dispatchmgr, named_g_socketmgr, - // OQS updated from 4096 to 8192 - named_g_taskmgr, &sa, 8192, - maxdispatchbuffers, 32768, 16411, 16433, - attrs, attrmask, &disp); + result = dns_dispatch_createudp(named_g_dispatchmgr, &sa, &disp); if (result != ISC_R_SUCCESS) { isc_sockaddr_t any; char buf[ISC_SOCKADDR_FORMATSIZE]; @@ -1430,8 +1380,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) { } else if (!strcasecmp(str, "none")) { mode = DNS_RDATASETATTR_NONE; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -1504,6 +1453,12 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { CHECK(dns_peer_setsendcookie(peer, cfg_obj_asboolean(obj))); } + obj = NULL; + (void)cfg_map_get(cpeer, "require-cookie", &obj); + if (obj != NULL) { + CHECK(dns_peer_setrequirecookie(peer, cfg_obj_asboolean(obj))); + } + obj = NULL; (void)cfg_map_get(cpeer, "edns", &obj); if (obj != NULL) { @@ -1589,8 +1544,7 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { } else if (strcasecmp(str, "one-answer") == 0) { CHECK(dns_peer_settransferformat(peer, dns_one_answer)); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1615,12 +1569,6 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_peer_settransferdscp(peer, cfg_obj_getdscp(obj)); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); } obj = NULL; 
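Review bot: The removed call carried a fork-local comment, `// OQS updated from 4096 to 8192`, meaning the UDP dispatch buffer was deliberately enlarged, but `dns_dispatch_createudp(named_g_dispatchmgr, &sa, &disp)` takes no buffer size, so that override is dropped without a trace. If the larger buffer is still needed for the larger responses this fork handles, re-apply it wherever the dispatch manager now sizes its buffers (not visible here) or record it next to the new call, e.g. `/* Buffer size is now chosen by the dispatch manager; the former 8192-byte OQS override no longer applies here. */`. get_view_querysource_dispatch continues outside the hunk.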
@@ -1635,12 +1583,6 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_peer_setnotifydscp(peer, cfg_obj_getdscp(obj)); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); } obj = NULL; @@ -1654,12 +1596,6 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_peer_setquerydscp(peer, cfg_obj_getdscp(obj)); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); } *peerp = peer; @@ -1720,7 +1656,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { isc_textregion_t r; dns_secalg_t alg; - DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base); + r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element))); r.length = strlen(r.base); result = dns_secalg_fromtext(&alg, &r); @@ -1763,7 +1699,7 @@ disable_ds_digests(const cfg_obj_t *disabled, dns_resolver_t *resolver) { isc_textregion_t r; dns_dsdigest_t digest; - DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base); + r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element))); r.length = strlen(r.base); /* disable_ds_digests handles numeric values. */ @@ -1822,10 +1758,6 @@ check_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv, for (i = 0; i < dbtypec; i++) { if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) { CHECK(ISC_R_FAILURE); - - /* - * Check that there are not extra arguments. - */ } } 
@@ -1841,27 +1773,20 @@ check_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv, return (result); } -static isc_result_t +static void setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) { - isc_result_t result; isc_stats_t *zoneqrystats; dns_zone_setstatlevel(zone, level); zoneqrystats = NULL; if (level == dns_zonestat_full) { - result = isc_stats_create(mctx, &zoneqrystats, - ns_statscounter_max); - if (result != ISC_R_SUCCESS) { - return (result); - } + isc_stats_create(mctx, &zoneqrystats, ns_statscounter_max); } dns_zone_setrequeststats(zone, zoneqrystats); if (zoneqrystats != NULL) { isc_stats_detach(&zoneqrystats); } - - return (ISC_R_SUCCESS); } static named_cache_t * @@ -1995,12 +1920,12 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na, isc_buffer_constinit(&b, reverse, strlen(reverse)); isc_buffer_add(&b, strlen(reverse)); CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); - CHECK(dns_zone_create(&zone, mctx)); + dns_zone_create(&zone, mctx, 0); CHECK(dns_zone_setorigin(zone, name)); dns_zone_setview(zone, view); CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone)); dns_zone_setclass(zone, view->rdclass); - dns_zone_settype(zone, dns_zone_master); + dns_zone_settype(zone, dns_zone_primary); dns_zone_setstats(zone, named_g_server->zonestats); dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype); if (view->queryacl != NULL) { 
@@ -2010,9 +1935,10 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na, dns_zone_setqueryonacl(zone, view->queryonacl); } dns_zone_setdialup(zone, dns_dialuptype_no); + dns_zone_setcheckdstype(zone, dns_checkdstype_no); dns_zone_setnotifytype(zone, dns_notifytype_no); dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true); - CHECK(setquerystats(zone, mctx, dns_zonestat_none)); /* XXXMPA */ + setquerystats(zone, mctx, dns_zonestat_none); CHECK(dns_view_addzone(view, zone)); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, @@ -2076,7 +2002,7 @@ conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) { } /* - * Get an DNSRPS configuration value using the global and view options + * Get a DNSRPS configuration value using the global and view options * for the default. Return false upon failure. */ static bool @@ -2092,7 +2018,8 @@ conf_dnsrps_get(const cfg_obj_t **sub_obj, const cfg_obj_t **maps, if (cfg_obj_isvoid(*sub_obj)) { *sub_obj = NULL; if (maps != NULL && - ISC_R_SUCCESS != named_config_get(maps, name, sub_obj)) { + ISC_R_SUCCESS != named_config_get(maps, name, sub_obj)) + { *sub_obj = NULL; } } @@ -2238,7 +2165,8 @@ conf_dnsrps(dns_view_t *view, const cfg_obj_t **maps, bool nsip_enabled, * statement in the view and the general options. */ if (conf_dnsrps_get(&obj, maps, rpz_obj, "dnsrps-options", &ctx) && - obj != NULL) { + obj != NULL) + { conf_dnsrps_sadd(&ctx, " %s\n", cfg_obj_asstring(obj)); } @@ -2261,7 +2189,8 @@ configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name, const char *str, const char *msg) { isc_result_t result; - result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx); + result = dns_name_fromstring(name, str, dns_rootname, DNS_NAME_DOWNCASE, + view->mctx); if (result != ISC_R_SUCCESS) { cfg_obj_log(obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid %s '%s'", msg, str); 
@@ -2274,8 +2203,8 @@ configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name, const char *str, const dns_name_t *origin) { isc_result_t result; - result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE, - view->mctx); + result = dns_name_fromstring(name, str, origin, DNS_NAME_DOWNCASE, + view->mctx); if (result != ISC_R_SUCCESS) { cfg_obj_log(obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid zone '%s'", str); @@ -2315,7 +2244,8 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, obj = cfg_tuple_get(rpz_obj, "recursive-only"); if (cfg_obj_isvoid(obj) ? recursive_only_default - : cfg_obj_asboolean(obj)) { + : cfg_obj_asboolean(obj)) + { view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(zone->num); } else { view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(zone->num); @@ -2334,6 +2264,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, } else { zone->max_policy_ttl = ttl_default; } + if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) { + *old_rpz_okp = false; + } obj = cfg_tuple_get(rpz_obj, "min-update-interval"); if (cfg_obj_isduration(obj)) { @@ -2341,8 +2274,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, } else { zone->min_update_interval = minupdateinterval_default; } - - if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) { + if (*old_rpz_okp && + zone->min_update_interval != old->min_update_interval) + { *old_rpz_okp = false; } @@ -2358,9 +2292,11 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, } if (!view->rpzs->p.dnsrps_enabled) { for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones - 1; - ++rpz_num) { + ++rpz_num) + { if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, - &zone->origin)) { + &zone->origin)) + { cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL, "duplicate '%s'", str); 
@@ -2437,18 +2373,33 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, *old_rpz_okp = false; } + obj = cfg_tuple_get(rpz_obj, "ede"); + if (!cfg_obj_isstring(obj)) { + zone->ede = 0; + } else { + str = cfg_obj_asstring(obj); + zone->ede = dns_rpz_str2ede(str); + INSIST(zone->ede != UINT16_MAX); + } + if (*old_rpz_okp && zone->ede != old->ede) { + *old_rpz_okp = false; + } + obj = cfg_tuple_get(rpz_obj, "add-soa"); if (cfg_obj_isvoid(obj)) { zone->addsoa = add_soa_default; } else { zone->addsoa = cfg_obj_asboolean(obj); } + if (*old_rpz_okp && zone->addsoa != old->addsoa) { + *old_rpz_okp = false; + } return (ISC_R_SUCCESS); } static isc_result_t -configure_rpz(dns_view_t *view, const cfg_obj_t **maps, +configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t **maps, const cfg_obj_t *rpz_obj, bool *old_rpz_okp) { bool dnsrps_enabled; const cfg_listelt_t *zone_element; @@ -2462,7 +2413,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, uint32_t minupdateinterval_default; dns_rpz_zones_t *zones; const dns_rpz_zones_t *old; - dns_view_t *pview; + bool pview_must_detach = false; const dns_rpz_zone_t *old_zone; isc_result_t result; int i; @@ -2533,9 +2484,8 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, } #endif /* ifndef USE_DNSRPS */ - result = dns_rpz_new_zones(&view->rpzs, rps_cstr, rps_cstr_size, - view->mctx, named_g_taskmgr, - named_g_timermgr); + result = dns_rpz_new_zones(view->mctx, named_g_loopmgr, rps_cstr, + rps_cstr_size, &view->rpzs); if (result != ISC_R_SUCCESS) { return (result); } 
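Review bot: `INSIST(zone->ede != UINT16_MAX)` after `dns_rpz_str2ede(str)` turns an unrecognised `ede` value into an assertion failure, i.e. a process abort on configuration load or reload, rather than a configuration error. Unless the config grammar guarantees that only known names reach this point (not visible in this hunk), report it with `cfg_obj_log(obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid ede '%s'", str);` and return an error as the other `configure_rpz_*` helpers do, or add a comment stating that the parser already restricts the value.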
@@ -2608,14 +2558,19 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, zones->p.nsip_wait_recurse = false; } - pview = NULL; - result = dns_viewlist_find(&named_g_server->viewlist, view->name, - view->rdclass, &pview); - if (result == ISC_R_SUCCESS) { + if (pview != NULL) { old = pview->rpzs; } else { - old = NULL; + result = dns_viewlist_find(&named_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result == ISC_R_SUCCESS) { + pview_must_detach = true; + old = pview->rpzs; + } else { + old = NULL; + } } + if (old == NULL) { *old_rpz_okp = false; } else { @@ -2637,7 +2592,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, add_soa_default, ttl_default, minupdateinterval_default, old_zone, old_rpz_okp); if (result != ISC_R_SUCCESS) { - if (pview != NULL) { + if (pview_must_detach) { dns_view_detach(&pview); } return (result); @@ -2651,10 +2606,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, */ if (*old_rpz_okp) { if (old != NULL && - memcmp(&old->p, &zones->p, sizeof(zones->p)) != 0) { + memcmp(&old->p, &zones->p, sizeof(zones->p)) != 0) + { *old_rpz_okp = false; } else if ((old == NULL || old->rps_cstr == NULL) != - (zones->rps_cstr == NULL)) { + (zones->rps_cstr == NULL)) + { *old_rpz_okp = false; } else if (old != NULL && zones->rps_cstr != NULL && strcmp(old->rps_cstr, zones->rps_cstr) != 0) @@ -2664,8 +2621,10 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, } if (*old_rpz_okp) { + dns_rpz_shutdown_rpzs(view->rpzs); dns_rpz_detach_rpzs(&view->rpzs); dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs); + dns_rpz_detach_rpzs(&pview->rpzs); } else if (old != NULL && pview != NULL) { ++pview->rpzs->rpz_ver; view->rpzs->rpz_ver = pview->rpzs->rpz_ver; @@ -2674,7 +2633,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, view->rpzs->rpz_ver); } - if (pview != NULL) { + if (pview_must_detach) { dns_view_detach(&pview); } 
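Review bot: In the `*old_rpz_okp` branch of the @@ -2664 hunk the new `dns_rpz_detach_rpzs(&pview->rpzs)` leaves the previous view with `pview->rpzs == NULL`, an ownership transfer that no comment records; the `else if` branch is unaffected, but any later read of `pview->rpzs` (outside the hunk) would now dereference NULL. A comment such as `/* Take over the old view's RPZ state; pview->rpzs is NULL from here on. */` above `dns_rpz_shutdown_rpzs(view->rpzs)` would make the transfer explicit.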
@@ -2682,19 +2641,21 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, } static void -catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { - catz_chgzone_event_t *ev = (catz_chgzone_event_t *)event0; +catz_addmodzone_cb(void *arg) { + catz_chgzone_t *cz = (catz_chgzone_t *)arg; isc_result_t result; + dns_forwarders_t *dnsforwarders = NULL; + dns_name_t *name = NULL; isc_buffer_t namebuf; - isc_buffer_t *confbuf; + isc_buffer_t *confbuf = NULL; char nameb[DNS_NAME_FORMATSIZE]; const cfg_obj_t *zlist = NULL; cfg_obj_t *zoneconf = NULL; cfg_obj_t *zoneobj = NULL; - ns_cfgctx_t *cfg; + ns_cfgctx_t *cfg = NULL; dns_zone_t *zone = NULL; - cfg = (ns_cfgctx_t *)ev->view->new_zone_config; + cfg = (ns_cfgctx_t *)cz->view->new_zone_config; if (cfg == NULL) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, 
@@ -2703,72 +2664,105 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { goto cleanup; } + name = dns_catz_entry_getname(cz->entry); + isc_buffer_init(&namebuf, nameb, DNS_NAME_FORMATSIZE); - dns_name_totext(dns_catz_entry_getname(ev->entry), true, &namebuf); + dns_name_totext(name, DNS_NAME_OMITFINALDOT, &namebuf); isc_buffer_putuint8(&namebuf, 0); - /* Zone shouldn't already exist */ - result = dns_zt_find(ev->view->zonetable, - dns_catz_entry_getname(ev->entry), 0, NULL, &zone); + result = dns_fwdtable_find(cz->view->fwdtable, name, &dnsforwarders); + if (result == ISC_R_SUCCESS && + dnsforwarders->fwdpolicy == dns_fwdpolicy_only) + { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, + "catz: catz_addmodzone_cb: " + "zone '%s' will not be processed because of the " + "explicitly configured forwarding for that zone", + nameb); + goto cleanup; + } + + result = dns_view_findzone(cz->view, name, DNS_ZTFIND_EXACT, &zone); + + if (cz->mod) { + dns_catz_zone_t *parentcatz; - if (ev->mod) { if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "catz: error \"%s\" while trying to " - "modify zone \"%s\"", + "modify zone '%s'", isc_result_totext(result), nameb); goto cleanup; - } else { - if (!dns_zone_getadded(zone)) { + } + + if (!dns_zone_getadded(zone)) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, + "catz: catz_addmodzone_cb: " + "zone '%s' is not a dynamically " + "added zone", + nameb); + goto cleanup; + } + + parentcatz = dns_zone_get_parentcatz(zone); + + if (parentcatz == NULL) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, + "catz: catz_addmodzone_cb: " + "zone '%s' exists and is not added by " + "a catalog zone, so won't be modified", + nameb); + goto cleanup; + } + if (parentcatz != cz->origin) { + 
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, + "catz: catz_addmodzone_cb: " + "zone '%s' exists in multiple " + "catalog zones", + nameb); + goto cleanup; + } + + dns_zone_detach(&zone); + } else { + /* Zone shouldn't already exist when adding */ + if (result == ISC_R_SUCCESS) { + if (dns_zone_get_parentcatz(zone) == NULL) { isc_log_write( named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "catz: " - "catz_addmodzone_taskaction: " - "zone '%s' is not a dynamically " - "added zone", + "catz_addmodzone_cb: " + "zone '%s' will not be added " + "because it is an explicitly " + "configured zone", nameb); - goto cleanup; - } - if (dns_zone_get_parentcatz(zone) != ev->origin) { + } else { isc_log_write( named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: catz_delzone_taskaction: " - "zone '%s' exists in multiple " - "catalog zones", + "catz: " + "catz_addmodzone_cb: " + "zone '%s' will not be added " + "because another catalog zone " + "already contains an entry with " + "that zone", nameb); - goto cleanup; } - dns_zone_detach(&zone); - } - } else { - if (result == ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "catz: zone \"%s\" is overridden " - "by explicitly configured zone", - nameb); - goto cleanup; - } else if (result != ISC_R_NOTFOUND && - result != DNS_R_PARTIALMATCH) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: error \"%s\" while trying to " - "add zone \"%s\"", - isc_result_totext(result), nameb); goto cleanup; - } else { /* this can happen in case of DNS_R_PARTIALMATCH */ - if (zone != NULL) { - dns_zone_detach(&zone); - } + } else { + RUNTIME_CHECK(result == ISC_R_NOTFOUND); } } RUNTIME_CHECK(zone == NULL); /* Create a config for new zone */ confbuf = NULL; - result = dns_catz_generate_zonecfg(ev->origin, 
ev->entry, &confbuf); + result = dns_catz_generate_zonecfg(cz->origin, cz->entry, &confbuf); if (result == ISC_R_SUCCESS) { cfg_parser_reset(cfg->add_parser); result = cfg_parse_buffer(cfg->add_parser, confbuf, "catz", 0, @@ -2783,7 +2777,7 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "catz: error \"%s\" while trying to generate " - "config for zone \"%s\"", + "config for zone '%s'", isc_result_totext(result), nameb); goto cleanup; } @@ -2797,27 +2791,25 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { /* Mark view unfrozen so that zone can be added */ - result = isc_task_beginexclusive(task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - dns_view_thaw(ev->view); - result = configure_zone( - cfg->config, zoneobj, cfg->vconfig, ev->cbd->server->mctx, - ev->view, &ev->cbd->server->viewlist, - &ev->cbd->server->kasplist, cfg->actx, true, false, ev->mod); - dns_view_freeze(ev->view); - isc_task_endexclusive(task); + isc_loopmgr_pause(named_g_loopmgr); + dns_view_thaw(cz->view); + result = configure_zone(cfg->config, zoneobj, cfg->vconfig, cz->view, + &cz->cbd->server->viewlist, + &cz->cbd->server->kasplist, cfg->actx, true, + false, cz->mod); + dns_view_freeze(cz->view); + isc_loopmgr_resume(named_g_loopmgr); if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: failed to configure zone \"%s\" - %d", - nameb, result); + "catz: failed to configure zone '%s' - %d", nameb, + result); goto cleanup; } /* Is it there yet? */ - CHECK(dns_zt_find(ev->view->zonetable, - dns_catz_entry_getname(ev->entry), 0, NULL, &zone)); + CHECK(dns_view_findzone(cz->view, name, DNS_ZTFIND_EXACT, &zone)); /* * Load the zone from the master file. If this fails, we'll 
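Review bot: In the add path, `RUNTIME_CHECK(result == ISC_R_NOTFOUND)` aborts the whole process if `dns_view_findzone` returns anything other than success or not-found for a name taken from catalog-zone data, where the removed code logged a warning and went to cleanup for unexpected results. Unless `dns_view_findzone` with `DNS_ZTFIND_EXACT` can only yield those two results (not visible here), prefer logging and bailing out: `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "catz: error '%s' while trying to add zone '%s'", isc_result_totext(result), nameb); goto cleanup;`. The `cleanup` label and the rest of catz_addmodzone_cb lie in later hunks.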
@@ -2839,13 +2831,13 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { } /* Remove the zone from the zone table */ - dns_zt_unmount(ev->view->zonetable, zone); + dns_view_delzone(cz->view, zone); goto cleanup; } /* Flag the zone as having been added at runtime */ dns_zone_setadded(zone, true); - dns_zone_set_parentcatz(zone, ev->origin); + dns_zone_set_parentcatz(zone, cz->origin); cleanup: if (zone != NULL) { 
@@ -2854,32 +2846,34 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { if (zoneconf != NULL) { cfg_obj_destroy(cfg->add_parser, &zoneconf); } - dns_catz_entry_detach(ev->origin, &ev->entry); - dns_catz_zone_detach(&ev->origin); - dns_view_detach(&ev->view); - isc_event_free(ISC_EVENT_PTR(&ev)); + if (dnsforwarders != NULL) { + dns_forwarders_detach(&dnsforwarders); + } + dns_catz_entry_detach(cz->origin, &cz->entry); + dns_catz_zone_detach(&cz->origin); + dns_view_detach(&cz->view); + isc_mem_putanddetach(&cz->mctx, cz, sizeof(*cz)); } static void -catz_delzone_taskaction(isc_task_t *task, isc_event_t *event0) { - catz_chgzone_event_t *ev = (catz_chgzone_event_t *)event0; +catz_delzone_cb(void *arg) { + catz_chgzone_t *cz = (catz_chgzone_t *)arg; isc_result_t result; dns_zone_t *zone = NULL; dns_db_t *dbp = NULL; char cname[DNS_NAME_FORMATSIZE]; - const char *file; + const char *file = NULL; - result = isc_task_beginexclusive(task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); - dns_name_format(dns_catz_entry_getname(ev->entry), cname, + dns_name_format(dns_catz_entry_getname(cz->entry), cname, DNS_NAME_FORMATSIZE); - result = dns_zt_find(ev->view->zonetable, - dns_catz_entry_getname(ev->entry), 0, NULL, &zone); + result = dns_view_findzone(cz->view, dns_catz_entry_getname(cz->entry), + DNS_ZTFIND_EXACT, &zone); if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: catz_delzone_taskaction: " + "catz: catz_delzone_cb: " "zone '%s' not found", cname); goto cleanup; 
@@ -2888,16 +2882,16 @@ catz_delzone_taskaction(isc_task_t *task, isc_event_t *event0) { if (!dns_zone_getadded(zone)) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: catz_delzone_taskaction: " + "catz: catz_delzone_cb: " "zone '%s' is not a dynamically added zone", cname); goto cleanup; } - if (dns_zone_get_parentcatz(zone) != ev->origin) { + if (dns_zone_get_parentcatz(zone) != cz->origin) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: catz_delzone_taskaction: zone " + "catz: catz_delzone_cb: zone " "'%s' exists in multiple catalog zones", cname); goto cleanup; 
@@ -2909,109 +2903,121 @@ catz_delzone_taskaction(isc_task_t *task, isc_event_t *event0) { dns_zone_unload(zone); } - CHECK(dns_zt_unmount(ev->view->zonetable, zone)); + CHECK(dns_view_delzone(cz->view, zone)); file = dns_zone_getfile(zone); if (file != NULL) { isc_file_remove(file); + file = dns_zone_getjournal(zone); + if (file != NULL) { + isc_file_remove(file); + } } isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "catz: catz_delzone_taskaction: " + "catz: catz_delzone_cb: " "zone '%s' deleted", cname); cleanup: - isc_task_endexclusive(task); + isc_loopmgr_resume(named_g_loopmgr); if (zone != NULL) { dns_zone_detach(&zone); } - dns_catz_entry_detach(ev->origin, &ev->entry); - dns_catz_zone_detach(&ev->origin); - dns_view_detach(&ev->view); - isc_event_free(ISC_EVENT_PTR(&ev)); + dns_catz_entry_detach(cz->origin, &cz->entry); + dns_catz_zone_detach(&cz->origin); + dns_view_detach(&cz->view); + isc_mem_putanddetach(&cz->mctx, cz, sizeof(*cz)); } static isc_result_t -catz_create_chg_task(dns_catz_entry_t *entry, dns_catz_zone_t *origin, - dns_view_t *view, isc_taskmgr_t *taskmgr, void *udata, - isc_eventtype_t type) { - catz_chgzone_event_t *event; - isc_task_t *task; - isc_result_t result; - isc_taskaction_t action = NULL; +catz_run(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view, + void *udata, catz_type_t type) { + catz_chgzone_t *cz = NULL; + isc_job_cb action = NULL; switch (type) { - case DNS_EVENT_CATZADDZONE: - case DNS_EVENT_CATZMODZONE: - action = catz_addmodzone_taskaction; + case CATZ_ADDZONE: + case CATZ_MODZONE: + action = catz_addmodzone_cb; break; - case DNS_EVENT_CATZDELZONE: - action = catz_delzone_taskaction; + case CATZ_DELZONE: + action = catz_delzone_cb; break; default: REQUIRE(0); + UNREACHABLE(); } - event = (catz_chgzone_event_t *)isc_event_allocate( - view->mctx, origin, type, action, NULL, sizeof(*event)); + cz = isc_mem_get(view->mctx, sizeof(*cz)); + *cz = 
(catz_chgzone_t){ + .cbd = (catz_cb_data_t *)udata, + .mod = (type == CATZ_MODZONE), + }; + isc_mem_attach(view->mctx, &cz->mctx); - event->cbd = (catz_cb_data_t *)udata; - event->entry = NULL; - event->origin = NULL; - event->view = NULL; - event->mod = (type == DNS_EVENT_CATZMODZONE); - dns_catz_entry_attach(entry, &event->entry); - dns_catz_zone_attach(origin, &event->origin); - dns_view_attach(view, &event->view); + dns_catz_entry_attach(entry, &cz->entry); + dns_catz_zone_attach(origin, &cz->origin); + dns_view_attach(view, &cz->view); - task = NULL; - result = isc_taskmgr_excltask(taskmgr, &task); - REQUIRE(result == ISC_R_SUCCESS); - isc_task_send(task, ISC_EVENT_PTR(&event)); - isc_task_detach(&task); + isc_async_run(named_g_mainloop, action, cz); return (ISC_R_SUCCESS); } static isc_result_t catz_addzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view, - isc_taskmgr_t *taskmgr, void *udata) { - return (catz_create_chg_task(entry, origin, view, taskmgr, udata, - DNS_EVENT_CATZADDZONE)); + void *udata) { + return (catz_run(entry, origin, view, udata, CATZ_ADDZONE)); } static isc_result_t catz_delzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view, - isc_taskmgr_t *taskmgr, void *udata) { - return (catz_create_chg_task(entry, origin, view, taskmgr, udata, - DNS_EVENT_CATZDELZONE)); + void *udata) { + return (catz_run(entry, origin, view, udata, CATZ_DELZONE)); } static isc_result_t catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view, - isc_taskmgr_t *taskmgr, void *udata) { - return (catz_create_chg_task(entry, origin, view, taskmgr, udata, - DNS_EVENT_CATZMODZONE)); + void *udata) { + return (catz_run(entry, origin, view, udata, CATZ_MODZONE)); +} + +static void +catz_changeview(dns_catz_entry_t *entry, void *arg1, void *arg2) { + dns_view_t *pview = arg1; + dns_view_t *view = arg2; + + dns_zone_t *zone = NULL; + isc_result_t result = dns_view_findzone( + pview, dns_catz_entry_getname(entry), 
DNS_ZTFIND_EXACT, &zone); + + if (result != ISC_R_SUCCESS) { + return; + } + + dns_zone_setview(zone, view); + dns_view_addzone(view, zone); + + dns_zone_detach(&zone); } static isc_result_t -configure_catz_zone(dns_view_t *view, const cfg_obj_t *config, - const cfg_listelt_t *element) { +configure_catz_zone(dns_view_t *view, dns_view_t *pview, + const cfg_obj_t *config, const cfg_listelt_t *element) { const cfg_obj_t *catz_obj, *obj; dns_catz_zone_t *zone = NULL; const char *str; isc_result_t result; dns_name_t origin; dns_catz_options_t *opts; - dns_view_t *pview = NULL; dns_name_init(&origin, NULL); catz_obj = cfg_listelt_value(element); str = cfg_obj_asstring(cfg_tuple_get(catz_obj, "zone name")); - result = dns_name_fromstring(&origin, str, DNS_NAME_DOWNCASE, - view->mctx); + result = dns_name_fromstring(&origin, str, dns_rootname, + DNS_NAME_DOWNCASE, view->mctx); if (result == ISC_R_SUCCESS && dns_name_equal(&origin, dns_rootname)) { result = DNS_R_EMPTYLABEL; } 
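Review bot: catz_changeview() silently returns when dns_view_findzone() cannot find a member zone in the previous view, where the loop it replaces enforced that lookup with RUNTIME_CHECK(); a catalog entry then survives with no dns_zone_t attached to the new view and nothing in the logs explains the missing zone. I would log before returning, e.g. `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "catz: zone '%s' not found in previous view", namebuf)` with the name formatted via dns_name_format(), or keep an INSIST if a missing zone is genuinely impossible. Separately, in catz_delzone_cb both isc_file_remove() results are ignored, so a zone file or journal that cannot be unlinked is left on disk without a trace while the zone is gone from the view; a result check with a warning log would be cheap. configure_catz_zone at the end of the hunk continues past it.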
@@ -3022,79 +3028,26 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config, goto cleanup; } - result = dns_catz_add_zone(view->catzs, &origin, &zone); - if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) { - cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL, - "catz: unable to create catalog zone '%s', " - "error %s", - str, isc_result_totext(result)); - goto cleanup; - } - + result = dns_catz_zone_add(view->catzs, &origin, &zone); if (result == ISC_R_EXISTS) { - isc_ht_iter_t *it = NULL; - - result = dns_viewlist_find(&named_g_server->viewlist, - view->name, view->rdclass, &pview); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - /* - * xxxwpk todo: reconfigure the zone!!!! - */ - cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL, - "catz: catalog zone '%s' will not be reconfigured", - str); /* - * We have to walk through all the member zones and attach + * We have to walk through all the member zones and re-attach * them to current view */ - result = dns_catz_get_iterator(zone, &it); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(catz_obj, named_g_lctx, - DNS_CATZ_ERROR_LEVEL, - "catz: unable to create iterator"); - goto cleanup; - } - - for (result = isc_ht_iter_first(it); result == ISC_R_SUCCESS; - result = isc_ht_iter_next(it)) - { - dns_name_t *name = NULL; - dns_zone_t *dnszone = NULL; - dns_catz_entry_t *entry = NULL; - isc_result_t tresult; - - isc_ht_iter_current(it, (void **)&entry); - name = dns_catz_entry_getname(entry); - - tresult = dns_view_findzone(pview, name, &dnszone); - RUNTIME_CHECK(tresult == ISC_R_SUCCESS); - - dns_zone_setview(dnszone, view); - dns_view_addzone(view, dnszone); - - /* - * The dns_view_findzone() call above increments the - * zone's reference count, which we need to decrement - * back. However, as dns_zone_detach() sets the - * supplied pointer to NULL, calling it is deferred - * until the dnszone variable is no longer used. 
- */ - dns_zone_detach(&dnszone); - } - - isc_ht_iter_destroy(&it); - - result = ISC_R_SUCCESS; + dns_catz_zone_for_each_entry2(zone, catz_changeview, pview, + view); } dns_catz_zone_resetdefoptions(zone); opts = dns_catz_zone_getdefoptions(zone); obj = cfg_tuple_get(catz_obj, "default-masters"); + if (obj == NULL || !cfg_obj_istuple(obj)) { + obj = cfg_tuple_get(catz_obj, "default-primaries"); + } if (obj != NULL && cfg_obj_istuple(obj)) { - result = named_config_getipandkeylist(config, obj, view->mctx, - &opts->masters); + result = named_config_getipandkeylist( + config, "primaries", obj, view->mctx, &opts->masters); } obj = cfg_tuple_get(catz_obj, "in-memory"); @@ -3122,9 +3075,6 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config, } cleanup: - if (pview != NULL) { - dns_view_detach(&pview); - } dns_name_free(&origin, view->mctx); return (result); @@ -3136,11 +3086,11 @@ static dns_catz_zonemodmethods_t ns_catz_zonemodmethods = { }; static isc_result_t -configure_catz(dns_view_t *view, const cfg_obj_t *config, +configure_catz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *config, const cfg_obj_t *catz_obj) { - const cfg_listelt_t *zone_element; + const cfg_listelt_t *zone_element = NULL; const dns_catz_zones_t *old = NULL; - dns_view_t *pview = NULL; + bool pview_must_detach = false; isc_result_t result; /* xxxwpk TODO do it cleaner, once, somewhere */ 
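Review bot: The error check after dns_catz_zone_add() was dropped in configure_catz_zone: the old code bailed out on any result other than ISC_R_SUCCESS or ISC_R_EXISTS, while the new code continues straight into dns_catz_zone_resetdefoptions(zone). If dns_catz_zone_add() can still return another code with `zone` left NULL, that is a NULL dereference on the reconfiguration path; if it cannot, a one-line comment would spare the next reader the same question, e.g. `/* dns_catz_zone_add() returns only ISC_R_SUCCESS or ISC_R_EXISTS. */`. Otherwise restore the guard: `if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) { cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL, "catz: unable to create catalog zone '%s', error %s", str, isc_result_totext(result)); goto cleanup; }`. configure_catz_zone starts before this hunk.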
@@ -3151,24 +3101,28 @@ configure_catz(dns_view_t *view, const cfg_obj_t *config, return (ISC_R_SUCCESS); } - CHECK(dns_catz_new_zones(&view->catzs, &ns_catz_zonemodmethods, - view->mctx, named_g_taskmgr, - named_g_timermgr)); - - result = dns_viewlist_find(&named_g_server->viewlist, view->name, - view->rdclass, &pview); - if (result == ISC_R_SUCCESS) { + if (pview != NULL) { old = pview->catzs; + } else { + result = dns_viewlist_find(&named_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result == ISC_R_SUCCESS) { + pview_must_detach = true; + old = pview->catzs; + } } if (old != NULL) { - dns_catz_catzs_detach(&view->catzs); - dns_catz_catzs_attach(pview->catzs, &view->catzs); + dns_catz_zones_attach(pview->catzs, &view->catzs); + dns_catz_zones_detach(&pview->catzs); dns_catz_prereconfig(view->catzs); + } else { + view->catzs = dns_catz_zones_new(view->mctx, named_g_loopmgr, + &ns_catz_zonemodmethods); } while (zone_element != NULL) { - CHECK(configure_catz_zone(view, config, zone_element)); + CHECK(configure_catz_zone(view, pview, config, zone_element)); zone_element = cfg_list_next(zone_element); } @@ -3179,7 +3133,7 @@ configure_catz(dns_view_t *view, const cfg_obj_t *config, result = ISC_R_SUCCESS; cleanup: - if (pview != NULL) { + if (pview_must_detach) { dns_view_detach(&pview); } @@ -3365,7 +3319,7 @@ add_soa(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); dns_rdataset_init(&rdataset); - CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + dns_rdatalist_tordataset(&rdatalist, &rdataset); CHECK(dns_db_findnode(db, name, true, &node)); CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); 
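Review bot: In configure_catz the catalog-zone set is now moved out of the previous view (`dns_catz_zones_attach(pview->catzs, &view->catzs); dns_catz_zones_detach(&pview->catzs);`) before the new view has finished configuring, whereas the old code left pview's reference in place. If a later `CHECK(configure_catz_zone(...))` fails and the server keeps running with its previous views, pview is left with `catzs == NULL` and its catalog zones stop being serviced; the caller's rollback behaviour is not visible here, so please confirm a failed reconfiguration cannot leave the old view in service in that state. If the move is intentional because pview is about to be destroyed, a comment saying so would document the assumption, e.g. `/* Ownership of catzs moves to the new view; pview is discarded after reconfiguration. */`.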
@@ -3405,7 +3359,7 @@ add_ns(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); dns_rdataset_init(&rdataset); - CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + dns_rdatalist_tordataset(&rdatalist, &rdataset); CHECK(dns_db_findnode(db, name, true, &node)); CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); @@ -3457,7 +3411,7 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, { zconfig = cfg_listelt_value(element); str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); - CHECK(dns_name_fromstring(zname, str, 0, NULL)); + CHECK(dns_name_fromstring(zname, str, dns_rootname, 0, NULL)); namereln = dns_name_fullcompare(zname, name, &order, &nlabels); if (namereln != dns_namereln_subdomain) { continue; @@ -3468,7 +3422,8 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, obj = NULL; (void)cfg_map_get(zoptions, "type", &obj); if (obj != NULL && - strcasecmp(cfg_obj_asstring(obj), "forward") == 0) { + strcasecmp(cfg_obj_asstring(obj), "forward") == 0) + { obj = NULL; (void)cfg_map_get(zoptions, "forward", &obj); if (obj == NULL) { @@ -3487,10 +3442,11 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, dns_name_clone(name, ns); } else { CHECK(dns_name_fromstring(ns, empty_dbtype[2], - 0, NULL)); + dns_rootname, 0, + NULL)); } - CHECK(dns_name_fromstring(contact, empty_dbtype[3], 0, - NULL)); + CHECK(dns_name_fromstring(contact, empty_dbtype[3], + dns_rootname, 0, NULL)); CHECK(add_soa(db, version, name, ns, contact)); CHECK(add_ns(db, version, name, ns)); } @@ -3517,7 +3473,8 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, pzone = NULL; } - if (pzone != NULL && dns_zone_gettype(pzone) != dns_zone_master) + if (pzone != NULL && + dns_zone_gettype(pzone) != dns_zone_primary) { pzone = NULL; } 
@@ -3541,7 +3498,7 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, dns_zone_setdbtype(zone, empty_dbtypec, empty_dbtype); } dns_zone_setclass(zone, view->rdclass); - dns_zone_settype(zone, dns_zone_master); + dns_zone_settype(zone, dns_zone_primary); dns_zone_setstats(zone, named_g_server->zonestats); } else { dns_zone_attach(pzone, &zone); @@ -3549,6 +3506,7 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, false); dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true); + dns_zone_setcheckdstype(zone, dns_checkdstype_no); dns_zone_setnotifytype(zone, dns_notifytype_no); dns_zone_setdialup(zone, dns_dialuptype_no); dns_zone_setautomatic(zone, true); @@ -3569,7 +3527,7 @@ create_empty_zone(dns_zone_t *pzone, dns_name_t *name, dns_view_t *view, dns_zone_clearxfracl(zone); } - CHECK(setquerystats(zone, view->mctx, statlevel)); + setquerystats(zone, view->mctx, statlevel); if (db != NULL) { dns_db_closeversion(db, &version, true); CHECK(dns_zone_replacedb(zone, db, false)); @@ -3641,14 +3599,15 @@ create_ipv4only_zone(dns_zone_t *pzone, dns_view_t *view, /* * Create the actual zone. */ - CHECK(dns_zone_create(&zone, mctx)); + dns_zone_create(&zone, mctx, 0); CHECK(dns_zone_setorigin(zone, name)); CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone)); dns_zone_setclass(zone, view->rdclass); - dns_zone_settype(zone, dns_zone_master); + dns_zone_settype(zone, dns_zone_primary); dns_zone_setstats(zone, named_g_server->zonestats); dns_zone_setdbtype(zone, dbtypec, dbtype); dns_zone_setdialup(zone, dns_dialuptype_no); + dns_zone_setcheckdstype(zone, dns_checkdstype_no); dns_zone_setnotifytype(zone, dns_notifytype_no); dns_zone_setautomatic(zone, true); dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true); 
@@ -3864,8 +3823,7 @@ configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) { } CHECKM(dns_dt_create(named_g_mctx, dmode, dpath, &fopt, - named_g_server->task, - &named_g_server->dtenv), + named_g_mainloop, &named_g_server->dtenv), "unable to create dnstap environment"); CHECKM(dns_dt_setupfile(named_g_server->dtenv, max_size, rolls, @@ -3892,8 +3850,7 @@ configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) { if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) { /* "hostname" is interpreted as boolean true */ char buf[256]; - result = named_os_gethostname(buf, sizeof(buf)); - if (result == ISC_R_SUCCESS) { + if (gethostname(buf, sizeof(buf)) == 0) { dns_dt_setidentity(named_g_server->dtenv, buf); } } else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) { 
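Review bot: gethostname() is not guaranteed to NUL-terminate `buf` when the host name does not fit in sizeof(buf) - 1 (POSIX leaves the truncated case unspecified), and the replaced named_os_gethostname() wrapper presumably handled that; the result is passed straight to dns_dt_setidentity(), which would then read past the 256-byte stack buffer. Terminate explicitly after a successful call: `if (gethostname(buf, sizeof(buf)) == 0) { buf[sizeof(buf) - 1] = '\0'; dns_dt_setidentity(named_g_server->dtenv, buf); }`. configure_dnstap starts before this hunk and continues after it.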
@@ -3976,6 +3933,44 @@ register_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj, return (result); } +/* + * Determine if a minimal-sized cache can be used for a given view, according + * to 'maps' (implicit defaults, global options, view options) and 'optionmaps' + * (global options, view options). This is only allowed for views which have + * recursion disabled and do not have "max-cache-size" set explicitly. Using + * minimal-sized caches prevents a situation in which all explicitly configured + * and built-in views inherit the default "max-cache-size 90%;" setting, which + * could lead to memory exhaustion with multiple views configured. + */ +static bool +minimal_cache_allowed(const cfg_obj_t *maps[4], + const cfg_obj_t *optionmaps[3]) { + const cfg_obj_t *obj; + + /* + * Do not use a minimal-sized cache for a view with recursion enabled. + */ + obj = NULL; + (void)named_config_get(maps, "recursion", &obj); + INSIST(obj != NULL); + if (cfg_obj_asboolean(obj)) { + return (false); + } + + /* + * Do not use a minimal-sized cache if a specific size was requested. + */ + obj = NULL; + (void)named_config_get(optionmaps, "max-cache-size", &obj); + if (obj != NULL) { + return (false); + } + + return (true); +} + +static const char *const response_synonyms[] = { "response", NULL }; + /* * Configure 'view' according to 'vconfig', taking defaults from * 'config' where values are missing in 'vconfig'. 
@@ -3999,12 +3994,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, const cfg_obj_t *zonelist; const cfg_obj_t *dlzlist; const cfg_obj_t *dlz; + const cfg_obj_t *prefetch_trigger; + const cfg_obj_t *prefetch_eligible; unsigned int dlzargc; char **dlzargv; const cfg_obj_t *dyndb_list, *plugin_list; const cfg_obj_t *disabled; const cfg_obj_t *obj, *obj2; - const cfg_listelt_t *element; + const cfg_listelt_t *element = NULL; + const cfg_listelt_t *zone_element_latest = NULL; in_port_t port; dns_cache_t *cache = NULL; isc_result_t result; @@ -4014,13 +4012,13 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, uint32_t lame_ttl, fail_ttl; uint32_t max_stale_ttl = 0; uint32_t stale_refresh_time = 0; - dns_tsig_keyring_t *ring = NULL; + dns_tsigkeyring_t *ring = NULL; dns_transport_list_t *transports = NULL; dns_view_t *pview = NULL; /* Production view */ - isc_mem_t *cmctx = NULL, *hmctx = NULL; dns_dispatch_t *dispatch4 = NULL; dns_dispatch_t *dispatch6 = NULL; - bool reused_cache = false; + bool rpz_configured = false; + bool catz_configured = false; bool shared_cache = false; int i = 0, j = 0, k = 0; const char *str; @@ -4041,11 +4039,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL; unsigned int query_timeout, ndisp; bool old_rpz_ok = false; - isc_dscp_t dscp4 = -1, dscp6 = -1; dns_dyndbctx_t *dctx = NULL; unsigned int resolver_param; dns_ntatable_t *ntatable = NULL; const char *qminmode = NULL; + dns_adb_t *adb = NULL; REQUIRE(DNS_VIEW_VALID(view)); 
@@ -4091,14 +4089,25 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, if (view->rdclass == dns_rdataclass_in && need_hints && named_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { - CHECK(configure_rpz(view, maps, obj, &old_rpz_ok)); + CHECK(configure_rpz(view, NULL, maps, obj, &old_rpz_ok)); + rpz_configured = true; + } + + obj = NULL; + if (view->rdclass != dns_rdataclass_in && need_hints && + named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS) + { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "'catalog-zones' option is only supported " + "for views with class IN"); } obj = NULL; if (view->rdclass == dns_rdataclass_in && need_hints && named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS) { - CHECK(configure_catz(view, config, obj)); + CHECK(configure_catz(view, NULL, config, obj)); + catz_configured = true; } /* @@ -4118,15 +4127,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, element = cfg_list_next(element)) { const cfg_obj_t *zconfig = cfg_listelt_value(element); - CHECK(configure_zone(config, zconfig, vconfig, mctx, view, - viewlist, kasplist, actx, false, - old_rpz_ok, false)); + CHECK(configure_zone(config, zconfig, vconfig, view, viewlist, + kasplist, actx, false, old_rpz_ok, false)); + zone_element_latest = element; } /* - * Check that a master or slave zone was found for each - * zone named in the response policy statement - * unless we are using RPZ service interface. + * Check that a primary or secondary zone was found for each + * zone named in the response policy statement, unless we are + * using RPZ service interface. */ if (view->rpzs != NULL && !view->rpzs->p.dnsrps_enabled) { dns_rpz_num_t n; 
@@ -4141,8 +4150,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, DNS_RPZ_ERROR_LEVEL, - "rpz '%s'" - " is not a master or slave zone", + "rpz '%s' is not a primary or a " + "secondary zone", namebuf); result = ISC_R_NOTFOUND; goto cleanup; @@ -4155,7 +4164,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, * from the newzone file for zones that were added during previous * runs. */ - CHECK(configure_newzones(view, config, vconfig, mctx, actx)); + CHECK(configure_newzones(view, config, vconfig, actx)); /* * Create Dynamically Loadable Zone driver. @@ -4196,7 +4205,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, dlzargv[0], dlzargc, dlzargv, &dlzdb); isc_mem_free(mctx, s); - isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv)); + isc_mem_cput(mctx, dlzargv, dlzargc, sizeof(*dlzargv)); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -4241,6 +4250,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, */ if (named_g_maxcachesize != 0) { max_cache_size = named_g_maxcachesize; + } else if (minimal_cache_allowed(maps, optionmaps)) { + /* + * dns_cache_setcachesize() will adjust this to the smallest + * allowed value. + */ + max_cache_size = 1; } else if (cfg_obj_isstring(obj)) { str = cfg_obj_asstring(obj); INSIST(strcasecmp(str, "unlimited") == 0); @@ -4249,8 +4264,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, max_cache_size = SIZE_AS_PERCENT; max_cache_size_percent = cfg_obj_aspercentage(obj); } else { - isc_resourcevalue_t value; - value = cfg_obj_asuint64(obj); + uint64_t value = cfg_obj_asuint64(obj); if (value > SIZE_MAX) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, "'max-cache-size " 
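Review bot: The new minimal_cache_allowed() branch picks `max_cache_size = 1` from the view's own recursion and max-cache-size settings alone, but that value is later handed to dns_cache_setcachesize() for whatever cache the view ends up with, including one shared via attach-cache (dns_view_setcache(view, cache, shared_cache) is followed by dns_cache_setcachesize(cache, max_cache_size) with no guard visible in this diff). If a non-recursive view attaches to a recursive view's cache, the shared cache would be shrunk to the minimum; either skip the size update when `shared_cache` is set and the minimal size was chosen, or confirm that configuration checking already rejects that combination and say so in the comment above the branch, e.g. `/* Never applied to a shared cache; see the dns_cache_setcachesize() call. */`. configure_view extends well beyond this hunk.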
@@ -4286,7 +4300,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, /* Check-names. */ obj = NULL; - result = named_checknames_get(maps, "response", &obj); + result = named_checknames_get(maps, response_synonyms, &obj); INSIST(result == ISC_R_SUCCESS); str = cfg_obj_asstring(obj); @@ -4300,8 +4314,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(str, "ignore") == 0) { view->checknames = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -4593,7 +4606,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } if (pview != NULL) { if (!cache_reusable(pview, view, - zero_no_soattl)) { + zero_no_soattl)) + { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, @@ -4610,12 +4624,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(3), "reusing existing cache"); - reused_cache = true; dns_cache_attach(pview->cache, &cache); } - dns_view_getresstats(pview, &resstats); - dns_view_getresquerystats(pview, - &resquerystats); + dns_resolver_getstats(pview->resolver, + &resstats); + dns_resolver_getquerystats(pview->resolver, + &resquerystats); dns_view_detach(&pview); } } 
@@ -4627,21 +4641,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, * view but is not yet configured. If it is not the * view name but not a forward reference either, then it * is simply a named cache that is not shared. - * - * We use two separate memory contexts for the - * cache, for the main cache memory and the heap - * memory. */ - isc_mem_create(&cmctx); - isc_mem_setname(cmctx, "cache"); - isc_mem_create(&hmctx); - isc_mem_setname(hmctx, "cache_heap"); - CHECK(dns_cache_create(cmctx, hmctx, named_g_taskmgr, - named_g_timermgr, view->rdclass, - cachename, "rbt", 0, NULL, - &cache)); - isc_mem_detach(&cmctx); - isc_mem_detach(&hmctx); + CHECK(dns_cache_create(named_g_loopmgr, view->rdclass, + cachename, &cache)); } nsc = isc_mem_get(mctx, sizeof(*nsc)); nsc->cache = NULL; @@ -4655,19 +4657,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } dns_view_setcache(view, cache, shared_cache); - /* - * cache-file cannot be inherited if views are present, but this - * should be caught by the configuration checking stage. - */ - obj = NULL; - result = named_config_get(maps, "cache-file", &obj); - if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) { - CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj))); - if (!reused_cache && !shared_cache) { - CHECK(dns_cache_load(cache)); - } - } - dns_cache_setcachesize(cache, max_cache_size); dns_cache_setservestalettl(cache, max_stale_ttl); dns_cache_setservestalerefresh(cache, stale_refresh_time); 
@@ -4681,51 +4670,33 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, /* * Resolver. - * - * XXXRTH Hardwired number of tasks. */ CHECK(get_view_querysource_dispatch( - maps, AF_INET, &dispatch4, &dscp4, + maps, AF_INET, &dispatch4, (ISC_LIST_PREV(view, link) == NULL))); CHECK(get_view_querysource_dispatch( - maps, AF_INET6, &dispatch6, &dscp6, + maps, AF_INET6, &dispatch6, (ISC_LIST_PREV(view, link) == NULL))); if (dispatch4 == NULL && dispatch6 == NULL) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "unable to obtain neither an IPv4 nor" + UNEXPECTED_ERROR("unable to obtain either an IPv4 or" " an IPv6 dispatch"); result = ISC_R_UNEXPECTED; goto cleanup; } - if (resstats == NULL) { - CHECK(isc_stats_create(mctx, &resstats, - dns_resstatscounter_max)); - } - dns_view_setresstats(view, resstats); - if (resquerystats == NULL) { - CHECK(dns_rdatatypestats_create(mctx, &resquerystats)); - } - dns_view_setresquerystats(view, resquerystats); - ndisp = 4 * ISC_MIN(named_g_udpdisp, MAX_UDP_DISPATCH); CHECK(dns_view_createresolver( - view, named_g_taskmgr, RESOLVER_NTASKS_PERCPU * named_g_cpus, - ndisp, named_g_socketmgr, named_g_timermgr, resopts, - named_g_dispatchmgr, dispatch4, dispatch6)); + view, named_g_loopmgr, ndisp, named_g_netmgr, resopts, + named_g_server->tlsctx_client_cache, dispatch4, dispatch6)); - if (dscp4 == -1) { - dscp4 = named_g_dscp; - } - if (dscp6 == -1) { - dscp6 = named_g_dscp; - } - if (dscp4 != -1) { - dns_resolver_setquerydscp4(view->resolver, dscp4); + if (resstats == NULL) { + isc_stats_create(mctx, &resstats, dns_resstatscounter_max); } - if (dscp6 != -1) { - dns_resolver_setquerydscp6(view->resolver, dscp6); + dns_resolver_setstats(view->resolver, resstats); + if (resquerystats == NULL) { + dns_rdatatypestats_create(mctx, &resquerystats); } + dns_resolver_setquerystats(view->resolver, resquerystats); /* * Set the ADB cache size to 1/8th of the max-cache-size or 
@@ -4738,16 +4709,26 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, max_adb_size = 1; /* Force minimum. */ } if (view != nsc->primaryview && - max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) { + max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) + { max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE; if (!nsc->adbsizeadjusted) { - dns_adb_setadbsize(nsc->primaryview->adb, - MAX_ADB_SIZE_FOR_CACHESHARE); - nsc->adbsizeadjusted = true; + dns_view_getadb(nsc->primaryview, &adb); + if (adb != NULL) { + dns_adb_setadbsize( + adb, + MAX_ADB_SIZE_FOR_CACHESHARE); + nsc->adbsizeadjusted = true; + dns_adb_detach(&adb); + } } } } - dns_adb_setadbsize(view->adb, max_adb_size); + dns_view_getadb(view, &adb); + if (adb != NULL) { + dns_adb_setadbsize(adb, max_adb_size); + dns_adb_detach(&adb); + } /* * Set up ADB quotas @@ -4771,8 +4752,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(resp, "fail") == 0) { r = DNS_R_SERVFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_resolver_setquotaresponse(view->resolver, @@ -4795,7 +4775,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, obj2 = cfg_tuple_get(obj, "discount"); discount = (double)cfg_obj_asfixedpoint(obj2) / 100.0; - dns_adb_setquota(view->adb, fps, freq, low, high, discount); + dns_view_getadb(view, &adb); + if (adb != NULL) { + dns_adb_setquota(adb, fps, freq, low, high, discount); + dns_adb_detach(&adb); + } } /* @@ -4805,8 +4789,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = named_config_get(maps, "lame-ttl", &obj); INSIST(result == ISC_R_SUCCESS); lame_ttl = cfg_obj_asduration(obj); - if (lame_ttl > 1800) { - lame_ttl = 1800; + if (lame_ttl > 0) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "disabling lame cache despite lame-ttl > 0 as it " + "may cause performance issues"); + lame_ttl = 0; } dns_resolver_setlamettl(view->resolver, lame_ttl); 
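Review bot: The lame-ttl change now warns and forces `lame_ttl = 0` for any configured value above zero, and since the value is read through `maps` (which include the built-in defaults) the warning will be emitted for every view on every reload if the default is still non-zero; please confirm the default was changed to 0 in the same series, or the message will be permanent noise that trains operators to ignore warnings. It would also help to note in the comment why the clamp replaced the old 1800-second ceiling, e.g. `/* Lame-server caching is disabled unconditionally; lame-ttl is accepted only for compatibility. */`. configure_view continues beyond this hunk.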
@@ -4857,7 +4844,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, if (udpsize > 8192) { udpsize = 8192; } - dns_resolver_setudpsize(view->resolver, (uint16_t)udpsize); + dns_view_setudpsize(view, (uint16_t)udpsize); /* * Set the maximum UDP response size. @@ -4925,7 +4912,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, /* * Set supported DNSSEC algorithms. */ - dns_resolver_reset_algorithms(view->resolver); disabled = NULL; (void)named_config_get(maps, "disable-algorithms", &disabled); if (disabled != NULL) { @@ -4940,7 +4926,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, /* * Set supported DS digest types. */ - dns_resolver_reset_ds_digests(view->resolver); disabled = NULL; (void)named_config_get(maps, "disable-ds-digests", &disabled); if (disabled != NULL) { @@ -4990,7 +4975,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, */ if (view->hints == NULL) { dns_zone_t *rootzone = NULL; - (void)dns_view_findzone(view, dns_rootname, &rootzone); + (void)dns_view_findzone(view, dns_rootname, DNS_ZTFIND_EXACT, + &rootzone); if (rootzone != NULL) { dns_zone_detach(&rootzone); need_hints = false; @@ -5016,8 +5002,17 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, */ CHECK(named_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring)); if (named_g_server->sessionkey != NULL) { - CHECK(dns_tsigkeyring_add(ring, named_g_server->session_keyname, - named_g_server->sessionkey)); + dns_tsigkey_t *tsigkey = NULL; + result = dns_tsigkey_createfromkey( + named_g_server->session_keyname, + named_g_server->session_keyalg, + named_g_server->sessionkey, false, false, NULL, 0, 0, + mctx, &tsigkey); + if (result == ISC_R_SUCCESS) { + result = dns_tsigkeyring_add(ring, tsigkey); + dns_tsigkey_detach(&tsigkey); + } + CHECK(result); } dns_view_setkeyring(view, ring); dns_tsigkeyring_detach(&ring); 
@@ -5143,12 +5138,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, INSIST(result == ISC_R_SUCCESS); view->auth_nxdomain = cfg_obj_asboolean(obj); - /* deprecated */ - obj = NULL; - result = named_config_get(maps, "glue-cache", &obj); - INSIST(result == ISC_R_SUCCESS); - view->use_glue_cache = cfg_obj_asboolean(obj); - obj = NULL; result = named_config_get(maps, "minimal-any", &obj); INSIST(result == ISC_R_SUCCESS); @@ -5170,8 +5159,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(str, "no-auth-recursive") == 0) { view->minimalresponses = dns_minimal_noauthrec; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -5184,8 +5172,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(str, "one-answer") == 0) { view->transfer_format = dns_one_answer; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -5223,7 +5210,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, NULL, actx, named_g_mctx, &view->cacheonacl)); if (strcmp(view->name, "_bind") != 0 && - view->rdclass != dns_rdataclass_chaos) { + view->rdclass != dns_rdataclass_chaos) + { /* named.conf only */ CHECK(configure_view_acl(vconfig, config, NULL, "allow-recursion", NULL, actx, @@ -5497,8 +5485,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(resp, "fail") == 0) { r = DNS_R_SERVFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_resolver_setquotaresponse(view->resolver, 
@@ -5507,33 +5494,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, obj = NULL; result = named_config_get(maps, "prefetch", &obj); - if (result == ISC_R_SUCCESS) { - const cfg_obj_t *trigger, *eligible; - - trigger = cfg_tuple_get(obj, "trigger"); - view->prefetch_trigger = cfg_obj_asuint32(trigger); - if (view->prefetch_trigger > 10) { - view->prefetch_trigger = 10; - } - eligible = cfg_tuple_get(obj, "eligible"); - if (cfg_obj_isvoid(eligible)) { - int m; - for (m = 1; maps[m] != NULL; m++) { - obj = NULL; - result = named_config_get(&maps[m], "prefetch", - &obj); - INSIST(result == ISC_R_SUCCESS); - eligible = cfg_tuple_get(obj, "eligible"); - if (cfg_obj_isuint32(eligible)) { - break; - } + INSIST(result == ISC_R_SUCCESS); + prefetch_trigger = cfg_tuple_get(obj, "trigger"); + view->prefetch_trigger = cfg_obj_asuint32(prefetch_trigger); + if (view->prefetch_trigger > 10) { + view->prefetch_trigger = 10; + } + prefetch_eligible = cfg_tuple_get(obj, "eligible"); + if (cfg_obj_isvoid(prefetch_eligible)) { + int m; + for (m = 1; maps[m] != NULL; m++) { + obj = NULL; + result = named_config_get(&maps[m], "prefetch", &obj); + INSIST(result == ISC_R_SUCCESS); + prefetch_eligible = cfg_tuple_get(obj, "eligible"); + if (cfg_obj_isuint32(prefetch_eligible)) { + break; } - INSIST(cfg_obj_isuint32(eligible)); - } - view->prefetch_eligible = cfg_obj_asuint32(eligible); - if (view->prefetch_eligible < view->prefetch_trigger + 6) { - view->prefetch_eligible = view->prefetch_trigger + 6; } + INSIST(cfg_obj_isuint32(prefetch_eligible)); + } + view->prefetch_eligible = cfg_obj_asuint32(prefetch_eligible); + if (view->prefetch_eligible < view->prefetch_trigger + 6) { + view->prefetch_eligible = view->prefetch_trigger + 6; } /* 
@@ -5541,8 +5524,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, * "security roots". */ CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys, - auto_root, mctx)); - dns_resolver_resetmustbesecure(view->resolver); + auto_root)); + obj = NULL; result = named_config_get(maps, "dnssec-must-be-secure", &obj); if (result == ISC_R_SUCCESS) { @@ -5574,29 +5557,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, view->preferred_glue = 0; } - obj = NULL; - result = named_config_get(maps, "root-delegation-only", &obj); - if (result == ISC_R_SUCCESS) { - dns_view_setrootdelonly(view, true); - } - if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) { - const cfg_obj_t *exclude; - dns_fixedname_t fixed; - dns_name_t *name; - - name = dns_fixedname_initname(&fixed); - for (element = cfg_list_first(obj); element != NULL; - element = cfg_list_next(element)) - { - exclude = cfg_listelt_value(element); - CHECK(dns_name_fromstring( - name, cfg_obj_asstring(exclude), 0, NULL)); - CHECK(dns_view_excludedelegationonly(view, name)); - } - } else { - dns_view_setrootdelonly(view, false); - } - /* * Load DynDB modules. */ @@ -5616,8 +5576,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, const void *hashinit = isc_hash_get_initializer(); CHECK(dns_dyndb_createctx(mctx, hashinit, named_g_lctx, view, named_g_server->zonemgr, - named_g_server->task, - named_g_timermgr, &dctx)); + named_g_loopmgr, &dctx)); } CHECK(configure_dyndb(dyndb, mctx, dctx)); 
@@ -5654,7 +5613,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, (void)named_config_get(maps, "empty-zones-enable", &obj); (void)named_config_get(maps, "disable-empty-zone", &disablelist); if (obj == NULL && disablelist == NULL && - view->rdclass == dns_rdataclass_in) { + view->rdclass == dns_rdataclass_in) + { empty_zones_enable = view->recursion; } else if (view->rdclass == dns_rdataclass_in) { if (obj != NULL) { @@ -5685,9 +5645,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = named_config_get(maps, "empty-server", &obj); if (result == ISC_R_SUCCESS) { CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), - 0, NULL)); + dns_rootname, 0, NULL)); isc_buffer_init(&buffer, server, sizeof(server) - 1); - CHECK(dns_name_totext(name, false, &buffer)); + CHECK(dns_name_totext(name, 0, &buffer)); server[isc_buffer_usedlength(&buffer)] = 0; empty_dbtype[2] = server; } else { @@ -5698,9 +5658,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = named_config_get(maps, "empty-contact", &obj); if (result == ISC_R_SUCCESS) { CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), - 0, NULL)); + dns_rootname, 0, NULL)); isc_buffer_init(&buffer, contact, sizeof(contact) - 1); - CHECK(dns_name_totext(name, false, &buffer)); + CHECK(dns_name_totext(name, 0, &buffer)); contact[isc_buffer_usedlength(&buffer)] = 0; empty_dbtype[3] = contact; } else { @@ -5725,8 +5685,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } else if (strcasecmp(levelstr, "none") == 0) { statlevel = dns_zonestat_none; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
@@ -5734,20 +5693,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, empty = empty_zones[++empty_zone]) { dns_forwarders_t *dnsforwarders = NULL; + dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none; /* * Look for zone on drop list. */ - CHECK(dns_name_fromstring(name, empty, 0, NULL)); + CHECK(dns_name_fromstring(name, empty, dns_rootname, 0, + NULL)); if (disablelist != NULL && - on_disable_list(disablelist, name)) { + on_disable_list(disablelist, name)) + { continue; } /* * This zone already exists. */ - (void)dns_view_findzone(view, name, &zone); + (void)dns_view_findzone(view, name, DNS_ZTFIND_EXACT, + &zone); if (zone != NULL) { dns_zone_detach(&zone); continue; @@ -5757,10 +5720,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, * If we would forward this name don't add a * empty zone for it. */ - result = dns_fwdtable_find(view->fwdtable, name, NULL, + result = dns_fwdtable_find(view->fwdtable, name, &dnsforwarders); - if (result == ISC_R_SUCCESS && - dnsforwarders->fwdpolicy == dns_fwdpolicy_only) { + if (result == ISC_R_SUCCESS || + result == DNS_R_PARTIALMATCH) + { + fwdpolicy = dnsforwarders->fwdpolicy; + dns_forwarders_detach(&dnsforwarders); + } + if (fwdpolicy == dns_fwdpolicy_only) { continue; } @@ -5776,7 +5744,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } if (pview != NULL) { - (void)dns_view_findzone(pview, name, &zone); + (void)dns_view_findzone( + pview, name, DNS_ZTFIND_EXACT, &zone); dns_view_detach(&pview); } 
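Review bot: The forwarder-policy lookup added in the second hunk here (`dns_fwdtable_find`, copy of `fwdpolicy`, `dns_forwarders_detach`) is duplicated verbatim in the ipv4only-zone hunk that follows; a small static helper returning the policy for a name would keep the two paths from drifting apart. The check now also accepts `DNS_R_PARTIALMATCH`, so a `forward only` entry covering a parent name suppresses the empty zone as well, which may well be intended but is a behaviour change worth recording with a comment such as `/* a forward-only entry covering this name (exact or parent) disables the empty zone */`. The enclosing loop and configure_view() start outside the hunk.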
@@ -5827,14 +5796,18 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } name = dns_fixedname_initname(&fixed); - for (ipv4only_zone = 0; ipv4only_zone < ARRAYSIZE(zones); - ipv4only_zone++) { + for (ipv4only_zone = 0; ipv4only_zone < ARRAY_SIZE(zones); + ipv4only_zone++) + { dns_forwarders_t *dnsforwarders = NULL; + dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none; - CHECK(dns_name_fromstring( - name, zones[ipv4only_zone].name, 0, NULL)); + CHECK(dns_name_fromstring(name, + zones[ipv4only_zone].name, + dns_rootname, 0, NULL)); - (void)dns_view_findzone(view, name, &zone); + (void)dns_view_findzone(view, name, DNS_ZTFIND_EXACT, + &zone); if (zone != NULL) { dns_zone_detach(&zone); continue; @@ -5843,10 +5816,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, /* * If we would forward this name don't add it. */ - result = dns_fwdtable_find(view->fwdtable, name, NULL, + result = dns_fwdtable_find(view->fwdtable, name, &dnsforwarders); - if (result == ISC_R_SUCCESS && - dnsforwarders->fwdpolicy == dns_fwdpolicy_only) { + if (result == ISC_R_SUCCESS || + result == DNS_R_PARTIALMATCH) + { + fwdpolicy = dnsforwarders->fwdpolicy; + dns_forwarders_detach(&dnsforwarders); + } + if (fwdpolicy == dns_fwdpolicy_only) { continue; } @@ -5862,7 +5840,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, } if (pview != NULL) { - (void)dns_view_findzone(pview, name, &zone); + (void)dns_view_findzone( + pview, name, DNS_ZTFIND_EXACT, &zone); dns_view_detach(&pview); } 
@@ -5903,8 +5882,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = named_config_get(maps, "nxdomain-redirect", &obj); if (result == ISC_R_SUCCESS) { dns_name_t *name = dns_fixedname_name(&view->redirectfixed); - CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0, - NULL)); + CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), + dns_rootname, 0, NULL)); view->redirectzone = name; } else { view->redirectzone = NULL; @@ -5927,8 +5906,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, ntaname = dns_fixedname_initname(&fntaname); obj = cfg_listelt_value(element); - CHECK(dns_name_fromstring( - ntaname, cfg_obj_asstring(obj), 0, NULL)); + CHECK(dns_name_fromstring(ntaname, + cfg_obj_asstring(obj), + dns_rootname, 0, NULL)); CHECK(dns_ntatable_add(ntatable, ntaname, true, 0, 0xffffffffU)); } 
@@ -5945,6 +5925,95 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = ISC_R_SUCCESS; cleanup: + /* + * Revert to the old view if there was an error. + */ + if (result != ISC_R_SUCCESS) { + isc_result_t result2; + + result2 = dns_viewlist_find(&named_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result2 == ISC_R_SUCCESS) { + dns_view_thaw(pview); + + obj = NULL; + if (rpz_configured && + pview->rdclass == dns_rdataclass_in && need_hints && + named_config_get(maps, "response-policy", &obj) == + ISC_R_SUCCESS) + { + /* + * We are swapping the places of the `view` and + * `pview` in the function's parameters list + * because we are reverting the same operation + * done previously in the "correct" order. + */ + result2 = configure_rpz(pview, view, maps, obj, + &old_rpz_ok); + if (result2 != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, + NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, + ISC_LOG_ERROR, + "rpz configuration " + "revert failed for view " + "'%s'", + pview->name); + } + } + + obj = NULL; + if (catz_configured && + pview->rdclass == dns_rdataclass_in && need_hints && + named_config_get(maps, "catalog-zones", &obj) == + ISC_R_SUCCESS) + { + /* + * We are swapping the places of the `view` and + * `pview` in the function's parameters list + * because we are reverting the same operation + * done previously in the "correct" order. 
+ */ + result2 = configure_catz(pview, view, config, + obj); + if (result2 != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, + NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, + ISC_LOG_ERROR, + "catz configuration " + "revert failed for view " + "'%s'", + pview->name); + } + } + + dns_view_freeze(pview); + } + + if (pview != NULL) { + dns_view_detach(&pview); + } + + if (zone_element_latest != NULL) { + for (element = cfg_list_first(zonelist); + element != NULL; element = cfg_list_next(element)) + { + const cfg_obj_t *zconfig = + cfg_listelt_value(element); + configure_zone_setviewcommit(result, zconfig, + view); + if (element == zone_element_latest) { + /* + * This was the latest element that was + * successfully configured earlier. + */ + break; + } + } + } + } + if (ntatable != NULL) { dns_ntatable_detach(&ntatable); } @@ -5978,12 +6047,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, if (order != NULL) { dns_order_detach(&order); } - if (cmctx != NULL) { - isc_mem_detach(&cmctx); - } - if (hmctx != NULL) { - isc_mem_detach(&hmctx); - } if (cache != NULL) { dns_cache_detach(&cache); } @@ -6074,8 +6137,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view, } myport = (in_port_t)val; } - CHECK(dns_resolver_addalternate(view->resolver, NULL, - name, myport)); + dns_resolver_addalternate(view->resolver, NULL, name, + myport); continue; } 
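Review bot: Both revert conditions in the new cleanup block gate on `need_hints`, which reads like an accidental coupling between hints and RPZ/catz handling; if it deliberately mirrors the condition under which configure_rpz()/configure_catz() were invoked earlier in configure_view() (outside this hunk), a comment saying so would stop a later cleanup from "fixing" it. A revert failure is only logged at ERROR while `pview` is refrozen and stays in the server's view list, so if that partially reverted state is tolerated by design the message could tell the operator what to do about it. The `zone_element_latest` walk likewise deserves a one-line comment stating that it presumably undoes, for the zones processed so far, the view assignment made by configure_zone_setviewcommit on the success path.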
@@ -6083,26 +6146,61 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view, if (isc_sockaddr_getport(&sa) == 0) { isc_sockaddr_setport(&sa, port); } - CHECK(dns_resolver_addalternate(view->resolver, &sa, NULL, 0)); + dns_resolver_addalternate(view->resolver, &sa, NULL, 0); } cleanup: return (result); } +static isc_result_t +validate_tls(const cfg_obj_t *config, dns_view_t *view, const cfg_obj_t *obj, + isc_log_t *logctx, const char *str, dns_name_t **name) { + dns_fixedname_t fname; + dns_name_t *nm = dns_fixedname_initname(&fname); + isc_result_t result = dns_name_fromstring(nm, str, dns_rootname, 0, + NULL); + + if (result != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'%s' is not a valid name", str); + return (result); + } + + if (strcasecmp(str, "ephemeral") != 0) { + const cfg_obj_t *tlsmap = find_maplist(config, "tls", str); + + if (tlsmap == NULL) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "tls '%s' is not defined", str); + return (ISC_R_FAILURE); + } + } + + if (name != NULL && *name == NULL) { + *name = isc_mem_get(view->mctx, sizeof(dns_name_t)); + dns_name_init(*name, NULL); + dns_name_dup(nm, view->mctx, *name); + } + + return (ISC_R_SUCCESS); +} + static isc_result_t configure_forward(const cfg_obj_t *config, dns_view_t *view, const dns_name_t *origin, const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype) { - const cfg_obj_t *portobj, *dscpobj; - const cfg_obj_t *faddresses; - const cfg_listelt_t *element; + const cfg_obj_t *portobj = NULL; + const cfg_obj_t *tlspobj = NULL; + const cfg_obj_t *faddresses = NULL; + const cfg_listelt_t *element = NULL; dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none; dns_forwarderlist_t fwdlist; - dns_forwarder_t *fwd; + dns_forwarder_t *fwd = NULL; isc_result_t result; in_port_t port; - isc_dscp_t dscp = -1; + in_port_t tls_port; + const char *tls = NULL; ISC_LIST_INIT(fwdlist); 
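Review bot: validate_tls() has no header comment, and its ownership contract is not obvious from the code: when `name` is non-NULL and `*name` is NULL it allocates a dns_name_t from `view->mctx` that the caller must release with dns_name_free() and isc_mem_put() (as configure_forward's cleanup does in a later hunk), while an already-set `*name` is silently left untouched. I would add a comment above the function stating that `str` must be either the literal `ephemeral` or the name of a configured `tls` block, that errors are logged against `obj`, and that the returned name is caller-owned. Returning the generic `ISC_R_FAILURE` for an undefined tls name is also worth a sentence, since callers cannot distinguish it from other failures.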
@@ -6110,6 +6208,7 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, * Determine which port to send forwarded requests to. */ CHECKM(named_config_getport(config, "port", &port), "port"); + CHECKM(named_config_getport(config, "tls-port", &tls_port), "tls-port"); if (forwarders != NULL) { portobj = cfg_tuple_get(forwarders, "port"); @@ -6121,25 +6220,24 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, "port '%u' out of range", val); return (ISC_R_RANGE); } - port = (in_port_t)val; + port = tls_port = (in_port_t)val; } } /* - * DSCP value for forwarded requests. + * TLS value for forwarded requests. */ - dscp = named_g_dscp; if (forwarders != NULL) { - dscpobj = cfg_tuple_get(forwarders, "dscp"); - if (cfg_obj_isuint32(dscpobj)) { - if (cfg_obj_asuint32(dscpobj) > 63) { - cfg_obj_log(dscpobj, named_g_lctx, - ISC_LOG_ERROR, - "dscp value '%u' is out of range", - cfg_obj_asuint32(dscpobj)); - return (ISC_R_RANGE); + tlspobj = cfg_tuple_get(forwarders, "tls"); + if (cfg_obj_isstring(tlspobj)) { + tls = cfg_obj_asstring(tlspobj); + if (tls != NULL) { + result = validate_tls(config, view, tlspobj, + named_g_lctx, tls, NULL); + if (result != ISC_R_SUCCESS) { + return (result); + } } - dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj); } } 
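Review bot: `port = tls_port = (in_port_t)val;` means an explicit `port` on the forwarders statement also overrides the configured tls-port for TLS forwarders, which is reasonable but not obvious from the option names; a comment such as `/* an explicit forwarders port applies to both plain-DNS and TLS forwarders */` would record the decision. The rest of configure_forward() continues outside this hunk.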
@@ -6152,14 +6250,28 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, element = cfg_list_next(element)) { const cfg_obj_t *forwarder = cfg_listelt_value(element); + const char *cur_tls = NULL; + fwd = isc_mem_get(view->mctx, sizeof(dns_forwarder_t)); + fwd->tlsname = NULL; + cur_tls = cfg_obj_getsockaddrtls(forwarder); + if (cur_tls == NULL) { + cur_tls = tls; + } + if (cur_tls != NULL) { + result = validate_tls(config, view, faddresses, + named_g_lctx, cur_tls, + &fwd->tlsname); + if (result != ISC_R_SUCCESS) { + isc_mem_put(view->mctx, fwd, + sizeof(dns_forwarder_t)); + goto cleanup; + } + } fwd->addr = *cfg_obj_assockaddr(forwarder); if (isc_sockaddr_getport(&fwd->addr) == 0) { - isc_sockaddr_setport(&fwd->addr, port); - } - fwd->dscp = cfg_obj_getdscp(forwarder); - if (fwd->dscp == -1) { - fwd->dscp = dscp; + isc_sockaddr_setport(&fwd->addr, + cur_tls != NULL ? tls_port : port); } ISC_LINK_INIT(fwd, link); ISC_LIST_APPEND(fwdlist, fwd, link); @@ -6182,8 +6294,7 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, } else if (strcasecmp(forwardstr, "only") == 0) { fwdpolicy = dns_fwdpolicy_only; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } } @@ -6199,6 +6310,10 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, goto cleanup; } + if (fwdpolicy == dns_fwdpolicy_only) { + dns_view_sfd_add(view, origin); + } + result = ISC_R_SUCCESS; cleanup: @@ -6206,6 +6321,11 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, while (!ISC_LIST_EMPTY(fwdlist)) { fwd = ISC_LIST_HEAD(fwdlist); ISC_LIST_UNLINK(fwdlist, fwd, link); + if (fwd->tlsname != NULL) { + dns_name_free(fwd->tlsname, view->mctx); + isc_mem_put(view->mctx, fwd->tlsname, + sizeof(dns_name_t)); + } isc_mem_put(view->mctx, fwd, sizeof(dns_forwarder_t)); } 
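Review bot: In the per-forwarder loop, validate_tls() is passed `faddresses` (the whole address list) as the object to log against, so an invalid or undefined per-address `tls` name is reported at the list rather than at the offending address; passing the element instead, `result = validate_tls(config, view, forwarder, named_g_lctx, cur_tls, &fwd->tlsname);`, gives the operator the exact location. The error path frees `fwd` before `goto cleanup`, and the cleanup hunk below now releases `fwd->tlsname`, so ownership is otherwise consistent.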
@@ -6304,7 +6424,8 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, } INSIST(view == NULL); - result = dns_view_create(named_g_mctx, viewclass, viewname, &view); + result = dns_view_create(named_g_mctx, named_g_dispatchmgr, viewclass, + viewname, &view); if (result != ISC_R_SUCCESS) { return (result); } @@ -6321,7 +6442,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, */ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, + const cfg_obj_t *vconfig, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, bool modify) { @@ -6335,9 +6456,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *forwarders = NULL; const cfg_obj_t *forwardtype = NULL; const cfg_obj_t *ixfrfromdiffs = NULL; - const cfg_obj_t *only = NULL; const cfg_obj_t *viewobj = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; isc_buffer_t buffer; dns_fixedname_t fixorigin; @@ -6349,6 +6469,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, bool zone_is_catz = false; bool zone_maybe_inline = false; bool inline_signing = false; + bool fullsign = false; options = NULL; (void)cfg_map_get(config, "options", &options); @@ -6407,7 +6528,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, goto cleanup; } - result = dns_view_findzone(otherview, origin, &zone); + result = dns_view_findzone(otherview, origin, DNS_ZTFIND_EXACT, + &zone); dns_view_detach(&otherview); if (result != ISC_R_SUCCESS) { cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR, 
@@ -6463,17 +6585,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const char *hintsfile = cfg_obj_asstring(fileobj); CHECK(configure_hints(view, hintsfile)); - - /* - * Hint zones may also refer to delegation only points. - */ - only = NULL; - tresult = cfg_map_get(zoptions, "delegation-only", - &only); - if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) - { - CHECK(dns_view_adddelegationonly(view, origin)); - } } else { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, @@ -6497,23 +6608,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, (void)cfg_map_get(zoptions, "forwarders", &forwarders); CHECK(configure_forward(config, view, origin, forwarders, forwardtype)); - - /* - * Forward zones may also set delegation only. - */ - only = NULL; - tresult = cfg_map_get(zoptions, "delegation-only", &only); - if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) { - CHECK(dns_view_adddelegationonly(view, origin)); - } - goto cleanup; - } - - /* - * "delegation-only zones" aren't zones either. - */ - if (strcasecmp(ztypestr, "delegation-only") == 0) { - result = dns_view_adddelegationonly(view, origin); goto cleanup; } @@ -6554,7 +6648,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, /* * Check for duplicates in the new zone table. */ - result = dns_view_findzone(view, origin, &dupzone); + result = dns_view_findzone(view, origin, DNS_ZTFIND_EXACT, + &dupzone); if (result == ISC_R_SUCCESS) { /* * We already have this zone! @@ -6587,7 +6682,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, } if (view->catzs != NULL && - dns_catz_get_zone(view->catzs, origin) != NULL) { + dns_catz_zone_get(view->catzs, origin) != NULL) + { zone_is_catz = true; } 
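Review bot: With the `delegation-only` zone-type branch removed in the second hunk, a named.conf that still declares `type delegation-only;` will reach the code that follows unless the configuration grammar (outside this diff) now rejects that type; if it does, a comment at the removal site, or a release-notes entry, should say that such zones are now a hard configuration error rather than being treated as ordinary zones. configure_zone() continues outside this hunk.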
@@ -6597,8 +6693,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * - The zone's view exists * - A zone with the right name exists in the view * - The zone is compatible with the config - * options (e.g., an existing master zone cannot - * be reused if the options specify a slave zone) + * options (e.g., an existing primary zone cannot + * be reused if the options specify a secondary zone) * - The zone was not and is still not a response policy zone * or the zone is a policy zone with an unchanged number * and we are using the old policy zone summary data. @@ -6609,16 +6705,18 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, goto cleanup; } if (pview != NULL) { - result = dns_view_findzone(pview, origin, &zone); + result = dns_view_findzone(pview, origin, DNS_ZTFIND_EXACT, + &zone); } if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) { goto cleanup; } if (zone != NULL && - !named_zone_reusable(zone, zconfig, vconfig, config, aclconf)) + !named_zone_reusable(zone, zconfig, vconfig, config, kasplist)) { dns_zone_detach(&zone); + fullsign = true; } if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) || @@ -6659,6 +6757,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, if (zone_is_catz) { dns_zone_catz_enable(zone, view->catzs); + } else if (dns_zone_catz_is_enabled(zone)) { + dns_zone_catz_disable(zone); } /* @@ -6673,16 +6773,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, forwardtype)); } - /* - * Stub and forward zones may also refer to delegation only points. - */ - only = NULL; - if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) { - if (cfg_obj_asboolean(only)) { - CHECK(dns_view_adddelegationonly(view, origin)); - } - } - /* * Mark whether the zone was originally added at runtime or not */ 
@@ -6697,13 +6787,14 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, strcasecmp(ztypestr, "slave") == 0)); if (zone_maybe_inline) { - inline_signing = named_zone_inlinesigning( - zone, zconfig, vconfig, config, aclconf); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, + config, kasplist); } if (inline_signing) { dns_zone_getraw(zone, &raw); if (raw == NULL) { - CHECK(dns_zone_create(&raw, mctx)); + dns_zone_create(&raw, dns_zone_getmem(zone), + dns_zone_gettid(zone)); CHECK(dns_zone_setorigin(raw, origin)); dns_zone_setview(raw, view); dns_zone_setstats(raw, named_g_server->zonestats); @@ -6751,7 +6842,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * Ensure that zone keys are reloaded on reconfig */ if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) { - dns_zone_rekey(zone, false); + dns_zone_rekey(zone, fullsign); } cleanup: @@ -6794,6 +6885,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) { dns_zone_attach(pview->managed_keys, &view->managed_keys); dns_zone_setview(pview->managed_keys, view); + dns_zone_setviewcommit(pview->managed_keys); dns_view_detach(&pview); dns_zone_synckeyzone(view->managed_keys); return (ISC_R_SUCCESS); @@ -6825,12 +6917,13 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) { dns_acl_detach(&none); dns_zone_setdialup(zone, dns_dialuptype_no); + dns_zone_setcheckdstype(zone, dns_checkdstype_no); dns_zone_setnotifytype(zone, dns_notifytype_no); dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true); dns_zone_setjournalsize(zone, 0); dns_zone_setstats(zone, named_g_server->zonestats); - CHECK(setquerystats(zone, mctx, dns_zonestat_none)); + setquerystats(zone, mctx, dns_zonestat_none); if (view->managed_keys != NULL) { dns_zone_detach(&view->managed_keys); 
@@ -6910,235 +7003,73 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { return (ISC_R_SUCCESS); } -static isc_result_t -add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, - isc_dscp_t dscp, bool wcardport_ok) { - ns_listenelt_t *lelt = NULL; - dns_acl_t *src_acl = NULL; - isc_result_t result; - isc_sockaddr_t any_sa6; - isc_netaddr_t netaddr; - - REQUIRE(isc_sockaddr_pf(addr) == AF_INET6); +/* + * This event callback is invoked to do periodic network interface + * scanning. + */ - isc_sockaddr_any6(&any_sa6); - if (!isc_sockaddr_equal(&any_sa6, addr) && - (wcardport_ok || isc_sockaddr_getport(addr) != 0)) - { - isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr); +static void +interface_timer_tick(void *arg) { + named_server_t *server = (named_server_t *)arg; - result = dns_acl_create(mctx, 0, &src_acl); - if (result != ISC_R_SUCCESS) { - return (result); - } + (void)ns_interfacemgr_scan(server->interfacemgr, false, false); +} - result = dns_iptable_addprefix(src_acl->iptable, &netaddr, 128, - true); - if (result != ISC_R_SUCCESS) { - goto clean; - } +static void +heartbeat_timer_tick(void *arg) { + named_server_t *server = (named_server_t *)arg; + dns_view_t *view = NULL; - result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), - dscp, src_acl, false, NULL, NULL, - &lelt); - if (result != ISC_R_SUCCESS) { - goto clean; - } - ISC_LIST_APPEND(list->elts, lelt, link); + view = ISC_LIST_HEAD(server->viewlist); + while (view != NULL) { + dns_view_dialup(view); + view = ISC_LIST_NEXT(view, link); } +} - return (ISC_R_SUCCESS); - -clean: - INSIST(lelt == NULL); - dns_acl_detach(&src_acl); +typedef struct { + isc_mem_t *mctx; + isc_loop_t *loop; + dns_fetch_t *fetch; + dns_view_t *view; + dns_fixedname_t tatname; + dns_fixedname_t keyname; + dns_rdataset_t rdataset; + dns_rdataset_t sigrdataset; +} ns_tat_t; - return (result); +static int +cid(const void *a, const void *b) { + const uint16_t ida = 
*(const uint16_t *)a; + const uint16_t idb = *(const uint16_t *)b; + if (ida < idb) { + return (-1); + } else if (ida > idb) { + return (1); + } else { + return (0); + } } -/* - * Make a list of xxx-source addresses and call ns_interfacemgr_adjust() - * to update the listening interfaces accordingly. - * We currently only consider IPv6, because this only affects IPv6 wildcard - * sockets. - */ static void -adjust_interfaces(named_server_t *server, isc_mem_t *mctx) { - isc_result_t result; - ns_listenlist_t *list = NULL; - dns_view_t *view; - dns_zone_t *zone, *next; - isc_sockaddr_t addr, *addrp; - isc_dscp_t dscp = -1; +tat_done(void *arg) { + dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg; + ns_tat_t *tat = NULL; - result = ns_listenlist_create(mctx, &list); - if (result != ISC_R_SUCCESS) { - return; - } + INSIST(resp != NULL && resp->type == FETCHDONE); - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) - { - dns_dispatch_t *dispatch6; + tat = resp->arg; - dispatch6 = dns_resolver_dispatchv6(view->resolver); - if (dispatch6 == NULL) { - continue; - } - result = dns_dispatch_getlocaladdress(dispatch6, &addr); - if (result != ISC_R_SUCCESS) { - goto fail; - } - - /* - * We always add non-wildcard address regardless of whether - * the port is 'any' (the fourth arg is TRUE): if the port is - * specific, we need to add it since it may conflict with a - * listening interface; if it's zero, we'll dynamically open - * query ports, and some of them may override an existing - * wildcard IPv6 port. 
- */ - /* XXXMPA fix dscp */ - result = add_listenelt(mctx, list, &addr, dscp, true); - if (result != ISC_R_SUCCESS) { - goto fail; - } - } - - zone = NULL; - for (result = dns_zone_first(server->zonemgr, &zone); - result == ISC_R_SUCCESS; - next = NULL, result = dns_zone_next(zone, &next), zone = next) - { - dns_view_t *zoneview; - - /* - * At this point the zone list may contain a stale zone - * just removed from the configuration. To see the validity, - * check if the corresponding view is in our current view list. - * There may also be old zones that are still in the process - * of shutting down and have detached from their old view - * (zoneview == NULL). - */ - zoneview = dns_zone_getview(zone); - if (zoneview == NULL) { - continue; - } - for (view = ISC_LIST_HEAD(server->viewlist); - view != NULL && view != zoneview; - view = ISC_LIST_NEXT(view, link)) - {} - if (view == NULL) { - continue; - } - - addrp = dns_zone_getnotifysrc6(zone); - dscp = dns_zone_getnotifysrc6dscp(zone); - result = add_listenelt(mctx, list, addrp, dscp, false); - if (result != ISC_R_SUCCESS) { - goto fail; - } - - addrp = dns_zone_getxfrsource6(zone); - dscp = dns_zone_getxfrsource6dscp(zone); - result = add_listenelt(mctx, list, addrp, dscp, false); - if (result != ISC_R_SUCCESS) { - goto fail; - } - } - - ns_interfacemgr_adjust(server->interfacemgr, list, true); - -clean: - ns_listenlist_detach(&list); - return; - -fail: - /* - * Even when we failed the procedure, most of other interfaces - * should work correctly. We therefore just warn it. - */ - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "could not adjust the listen-on list; " - "some interfaces may not work"); - goto clean; -} - -/* - * This event callback is invoked to do periodic network interface - * scanning. 
- */ - -static void -interface_timer_tick(isc_task_t *task, isc_event_t *event) { - named_server_t *server = (named_server_t *)event->ev_arg; - INSIST(task == server->task); - UNUSED(task); - - isc_event_free(&event); - ns_interfacemgr_scan(server->interfacemgr, false); -} - -static void -heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) { - named_server_t *server = (named_server_t *)event->ev_arg; - dns_view_t *view; - - UNUSED(task); - isc_event_free(&event); - view = ISC_LIST_HEAD(server->viewlist); - while (view != NULL) { - dns_view_dialup(view); - view = ISC_LIST_NEXT(view, link); - } -} - -typedef struct { - isc_mem_t *mctx; - isc_task_t *task; - dns_fetch_t *fetch; - dns_view_t *view; - dns_fixedname_t tatname; - dns_fixedname_t keyname; - dns_rdataset_t rdataset; - dns_rdataset_t sigrdataset; -} ns_tat_t; - -static int -cid(const void *a, const void *b) { - const uint16_t ida = *(const uint16_t *)a; - const uint16_t idb = *(const uint16_t *)b; - if (ida < idb) { - return (-1); - } else if (ida > idb) { - return (1); - } else { - return (0); - } -} - -static void -tat_done(isc_task_t *task, isc_event_t *event) { - dns_fetchevent_t *devent; - ns_tat_t *tat; - - INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE); - INSIST(event->ev_arg != NULL); - - UNUSED(task); - - tat = event->ev_arg; - devent = (dns_fetchevent_t *)event; + INSIST(tat != NULL); /* Free resources which are not of interest */ - if (devent->node != NULL) { - dns_db_detachnode(devent->db, &devent->node); + if (resp->node != NULL) { + dns_db_detachnode(resp->db, &resp->node); } - if (devent->db != NULL) { - dns_db_detach(&devent->db); + if (resp->db != NULL) { + dns_db_detach(&resp->db); } - isc_event_free(&event); + isc_mem_putanddetach(&resp->mctx, resp, sizeof(*resp)); dns_resolver_destroyfetch(&tat->fetch); if (dns_rdataset_isassociated(&tat->rdataset)) { dns_rdataset_disassociate(&tat->rdataset); 
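Review bot: In the new interface_timer_tick(), the result of `ns_interfacemgr_scan(server->interfacemgr, false, false)` is discarded with a `(void)` cast; if the scan can report failure, logging it at warning level would keep a failed interface scan from becoming invisible. The meaning of the two boolean arguments is also not apparent at the call site, so a short comment naming them would help. The removed adjust_interfaces() comment about IPv6 wildcard sockets has no replacement; if the listen-on adjustment now happens elsewhere, a pointer to it in the remaining comment would help readers of this diff.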
@@ -7147,13 +7078,12 @@ tat_done(isc_task_t *task, isc_event_t *event) { dns_rdataset_disassociate(&tat->sigrdataset); } dns_view_detach(&tat->view); - isc_task_detach(&tat->task); isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat)); } struct dotat_arg { dns_view_t *view; - isc_task_t *task; + isc_loop_t *loop; }; /*% @@ -7214,38 +7144,31 @@ get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) { r.base = label; r.length = sizeof(label); m = snprintf(r.base, r.length, "_ta"); - if (m < 0 || (unsigned)m > r.length) { + if (m < 0 || (unsigned int)m > r.length) { return (ISC_R_FAILURE); } isc_textregion_consume(&r, m); for (i = 0; i < n; i++) { m = snprintf(r.base, r.length, "-%04x", ids[i]); - if (m < 0 || (unsigned)m > r.length) { + if (m < 0 || (unsigned int)m > r.length) { return (ISC_R_FAILURE); } isc_textregion_consume(&r, m); } - return (dns_name_fromstring2(target, label, keyname, 0, NULL)); + return (dns_name_fromstring(target, label, keyname, 0, NULL)); } static void -tat_send(isc_task_t *task, isc_event_t *event) { - ns_tat_t *tat; +tat_send(void *arg) { + ns_tat_t *tat = (ns_tat_t *)arg; char namebuf[DNS_NAME_FORMATSIZE]; dns_fixedname_t fdomain; - dns_name_t *domain; + dns_name_t *domain = NULL; dns_rdataset_t nameservers; isc_result_t result; - dns_name_t *keyname; - dns_name_t *tatname; - - INSIST(event != NULL && event->ev_type == NAMED_EVENT_TATSEND); - INSIST(event->ev_arg != NULL); - - UNUSED(task); - - tat = event->ev_arg; + dns_name_t *keyname = NULL; + dns_name_t *tatname = NULL; keyname = dns_fixedname_name(&tat->keyname); tatname = dns_fixedname_name(&tat->tatname); @@ -7285,7 +7208,7 @@ tat_send(isc_task_t *task, isc_event_t *event) { result = dns_resolver_createfetch( tat->view->resolver, tatname, dns_rdatatype_null, domain, &nameservers, NULL, NULL, 0, 0, 0, NULL, - tat->task, tat_done, tat, &tat->rdataset, + tat->loop, tat_done, tat, &tat->rdataset, &tat->sigrdataset, &tat->fetch); } 
@@ -7306,46 +7229,38 @@ tat_send(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) { dns_view_detach(&tat->view); - isc_task_detach(&tat->task); isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat)); } - isc_event_free(&event); } static void dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, dns_name_t *keyname, void *arg) { - struct dotat_arg *dotat_arg = arg; + struct dotat_arg *dotat_arg = (struct dotat_arg *)arg; isc_result_t result; - dns_view_t *view; - isc_task_t *task; - ns_tat_t *tat; - isc_event_t *event; + dns_view_t *view = NULL; + ns_tat_t *tat = NULL; REQUIRE(keytable != NULL); REQUIRE(keynode != NULL); REQUIRE(dotat_arg != NULL); view = dotat_arg->view; - task = dotat_arg->task; - tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat)); + tat = isc_mem_get(view->mctx, sizeof(*tat)); + *tat = (ns_tat_t){ 0 }; - tat->fetch = NULL; - tat->mctx = NULL; - tat->task = NULL; - tat->view = NULL; dns_rdataset_init(&tat->rdataset); dns_rdataset_init(&tat->sigrdataset); dns_name_copy(keyname, dns_fixedname_initname(&tat->keyname)); result = get_tat_qname(dns_fixedname_initname(&tat->tatname), keyname, keynode); if (result != ISC_R_SUCCESS) { - isc_mem_put(dotat_arg->view->mctx, tat, sizeof(*tat)); + isc_mem_put(view->mctx, tat, sizeof(*tat)); return; } - isc_mem_attach(dotat_arg->view->mctx, &tat->mctx); - isc_task_attach(task, &tat->task); + isc_mem_attach(view->mctx, &tat->mctx); + tat->loop = dotat_arg->loop; dns_view_attach(view, &tat->view); /* 
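Review bot: `tat->loop = dotat_arg->loop;` stores the loop pointer without taking a reference, unlike the `isc_task_attach()` it replaces, so the code now relies on that loop outliving every in-flight TAT fetch (the pointer is handed to `dns_resolver_createfetch()` in `tat_send`); a one-line comment on the assignment such as `/* no reference taken: presumably loops outlive all fetches */` would record that assumption. The dispatch in the next hunk then hard-codes `isc_async_run(named_g_mainloop, tat_send, tat)` even though `tat_timer_tick` fills `dotat_arg.loop` with the same `named_g_mainloop`; passing `tat->loop` there keeps the single source of truth and avoids the two drifting apart. dotat's body continues in the following hunk.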
@@ -7362,21 +7277,17 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, dns_name_t *keyname, * view->lock (dns_view_findzonecut) while holding keytable->lock * (dns_keytable_forall) */ - event = isc_event_allocate(tat->mctx, keytable, NAMED_EVENT_TATSEND, - tat_send, tat, sizeof(isc_event_t)); - isc_task_send(task, &event); + isc_async_run(named_g_mainloop, tat_send, tat); } static void -tat_timer_tick(isc_task_t *task, isc_event_t *event) { +tat_timer_tick(void *arg) { isc_result_t result; - named_server_t *server = (named_server_t *)event->ev_arg; - struct dotat_arg arg; - dns_view_t *view; + named_server_t *server = (named_server_t *)arg; + struct dotat_arg dotat_arg = { 0 }; + dns_view_t *view = NULL; dns_keytable_t *secroots = NULL; - isc_event_free(&event); - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { @@ -7389,20 +7300,19 @@ tat_timer_tick(isc_task_t *task, isc_event_t *event) { continue; } - arg.view = view; - arg.task = task; - (void)dns_keytable_forall(secroots, dotat, &arg); + dotat_arg.view = view; + dotat_arg.loop = named_g_mainloop; + dns_keytable_forall(secroots, dotat, &dotat_arg); dns_keytable_detach(&secroots); } } static void -pps_timer_tick(isc_task_t *task, isc_event_t *event) { +pps_timer_tick(void *arg) { static unsigned int oldrequests = 0; unsigned int requests = atomic_load_relaxed(&ns_client_requests); - UNUSED(task); - isc_event_free(&event); + UNUSED(arg); /* * Don't worry about wrapping as the overflow result will be right. @@ -7416,7 +7326,7 @@ pps_timer_tick(isc_task_t *task, isc_event_t *event) { * string or NULL, with a dynamically allocated copy of the * null-terminated string pointed to by 'value', or NULL. */ -static isc_result_t +static void setstring(named_server_t *server, char **field, const char *value) { char *copy; @@ -7431,7 +7341,6 @@ setstring(named_server_t *server, char **field, const char *value) { } *field = copy; - return (ISC_R_SUCCESS); } /* 
@@ -7439,58 +7348,13 @@ setstring(named_server_t *server, char **field, const char *value) { * string or NULL, with another dynamically allocated string * or NULL if whether 'obj' is a string or void value, respectively. */ -static isc_result_t +static void setoptstring(named_server_t *server, char **field, const cfg_obj_t *obj) { if (cfg_obj_isvoid(obj)) { - return (setstring(server, field, NULL)); - } else { - return (setstring(server, field, cfg_obj_asstring(obj))); - } -} - -static void -set_limit(const cfg_obj_t **maps, const char *configname, - const char *description, isc_resource_t resourceid, - isc_resourcevalue_t defaultvalue) { - const cfg_obj_t *obj = NULL; - const char *resource; - isc_resourcevalue_t value; - isc_result_t result; - - if (named_config_get(maps, configname, &obj) != ISC_R_SUCCESS) { - return; - } - - if (cfg_obj_isstring(obj)) { - resource = cfg_obj_asstring(obj); - if (strcasecmp(resource, "unlimited") == 0) { - value = ISC_RESOURCE_UNLIMITED; - } else { - INSIST(strcasecmp(resource, "default") == 0); - value = defaultvalue; - } + setstring(server, field, NULL); } else { - value = cfg_obj_asuint64(obj); + setstring(server, field, cfg_obj_asstring(obj)); } - - result = isc_resource_setlimit(resourceid, value); - isc_log_write( - named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, - result == ISC_R_SUCCESS ? ISC_LOG_DEBUG(3) : ISC_LOG_WARNING, - "set maximum %s to %" PRIu64 ": %s", description, value, - isc_result_totext(result)); -} - -#define SETLIMIT(cfgvar, resource, description) \ - set_limit(maps, cfgvar, description, isc_resource_##resource, \ - named_g_init##resource) - -static void -set_limits(const cfg_obj_t **maps) { - SETLIMIT("stacksize", stacksize, "stack size"); - SETLIMIT("datasize", datasize, "data size"); - SETLIMIT("coresize", coresize, "core size"); - SETLIMIT("files", openfiles, "open files"); } static void 
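Review bot: Removing `set_limit()`/`set_limits()` means nothing in this group of functions applies the `files`, `stacksize`, `datasize` and `coresize` options any more, and the debug/warning line that reported the outcome of `isc_resource_setlimit()` disappears with it. If the parser still accepts those options, the configuration checker should at least warn that they are now ignored, and the change deserves a release note, since operators who relied on `files` being raised at startup now depend on the service manager's limit instead. Whether such a warning exists elsewhere in the commit is not visible from this hunk.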
@@ -7558,7 +7422,7 @@ cleanup_session_key(named_server_t *server, isc_mem_t *mctx) { } if (server->sessionkey != NULL) { - dns_tsigkey_detach(&server->sessionkey); + dst_key_free(&server->sessionkey); } server->session_keyalg = DST_ALG_UNKNOWN; @@ -7567,10 +7431,9 @@ cleanup_session_key(named_server_t *server, isc_mem_t *mctx) { static isc_result_t generate_session_key(const char *filename, const char *keynamestr, - const dns_name_t *keyname, const char *algstr, - const dns_name_t *algname, unsigned int algtype, + const dns_name_t *keyname, dst_algorithm_t alg, uint16_t bits, isc_mem_t *mctx, bool first_time, - dns_tsigkey_t **tsigkeyp) { + dst_key_t **keyp) { isc_result_t result = ISC_R_SUCCESS; dst_key_t *key = NULL; isc_buffer_t key_txtbuffer; @@ -7578,8 +7441,6 @@ generate_session_key(const char *filename, const char *keynamestr, char key_txtsecret[256]; char key_rawsecret[64]; isc_region_t key_rawregion; - isc_stdtime_t now; - dns_tsigkey_t *tsigkey = NULL; FILE *fp = NULL; isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, @@ -7587,16 +7448,14 @@ generate_session_key(const char *filename, const char *keynamestr, "generating session key for dynamic DNS"); /* generate key */ - result = dst_key_generate(keyname, algtype, bits, 1, 0, - DNS_KEYPROTO_ANY, dns_rdataclass_in, mctx, - &key, NULL); + result = dst_key_generate(keyname, alg, bits, 1, 0, DNS_KEYPROTO_ANY, + dns_rdataclass_in, mctx, &key, NULL); if (result != ISC_R_SUCCESS) { return (result); } /* - * Dump the key to the buffer for later use. Should be done before - * we transfer the ownership of key to tsigkey. + * Dump the key to the buffer for later use. */ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret)); CHECK(dst_key_tobuffer(key, &key_rawbuffer)); 
@@ -7605,11 +7464,6 @@ generate_session_key(const char *filename, const char *keynamestr, isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer)); - /* Store the key in tsigkey. */ - isc_stdtime_get(&now); - CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key, false, - NULL, now, now, mctx, NULL, &tsigkey)); - /* Dump the key to the key file. */ fp = named_os_openfile(filename, S_IRUSR | S_IWUSR, first_time); if (fp == NULL) { @@ -7624,20 +7478,17 @@ generate_session_key(const char *filename, const char *keynamestr, "key \"%s\" {\n" "\talgorithm %s;\n" "\tsecret \"%.*s\";\n};\n", - keynamestr, algstr, (int)isc_buffer_usedlength(&key_txtbuffer), + keynamestr, dst_hmac_algorithm_totext(alg), + (int)isc_buffer_usedlength(&key_txtbuffer), (char *)isc_buffer_base(&key_txtbuffer)); CHECK(isc_stdio_flush(fp)); result = isc_stdio_close(fp); - fp = NULL; if (result != ISC_R_SUCCESS) { goto cleanup; } - dst_key_free(&key); - - *tsigkeyp = tsigkey; - + *keyp = key; return (ISC_R_SUCCESS); cleanup: @@ -7650,9 +7501,6 @@ generate_session_key(const char *filename, const char *keynamestr, (void)isc_stdio_close(fp); (void)isc_file_remove(filename); } - if (tsigkey != NULL) { - dns_tsigkey_detach(&tsigkey); - } if (key != NULL) { dst_key_free(&key); } @@ -7663,14 +7511,13 @@ generate_session_key(const char *filename, const char *keynamestr, static isc_result_t configure_session_key(const cfg_obj_t **maps, named_server_t *server, isc_mem_t *mctx, bool first_time) { - const char *keyfile, *keynamestr, *algstr; + const char *keyfile = NULL, *keynamestr = NULL, *algstr = NULL; unsigned int algtype; dns_fixedname_t fname; - dns_name_t *keyname; - const dns_name_t *algname; + dns_name_t *keyname = NULL; isc_buffer_t buffer; uint16_t bits; - const cfg_obj_t *obj; + const cfg_obj_t *obj = NULL; bool need_deleteold = false; bool need_createnew = false; isc_result_t result; 
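Review bot: Dropping `fp = NULL;` after `result = isc_stdio_close(fp);` makes the close-failure path reach the `cleanup:` label with a dangling `fp`, where the next hunk (presumably under an `if (fp != NULL)` guard) calls `(void)isc_stdio_close(fp);` again — a second close on a handle that `isc_stdio_close()` has already released is undefined behaviour whether or not the first close reported an error. Keep `fp = NULL;` immediately after the close, and if the intent of the removal was to unlink a half-written key file on close failure, add `(void)isc_file_remove(filename);` explicitly inside that `if (result != ISC_R_SUCCESS)` block. Separately, `key_rawsecret` and `key_txtsecret` hold the TSIG secret on the stack and are not wiped on either exit; since the function was reworked anyway, wiping both (e.g. with `isc_safe_memwipe()`, if this tree provides it) before `return` and at `cleanup:` would be a cheap hardening.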
@@ -7703,9 +7550,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server, result = named_config_get(maps, "session-keyalg", &obj); INSIST(result == ISC_R_SUCCESS); algstr = cfg_obj_asstring(obj); - algname = NULL; - result = named_config_getkeyalgorithm2(algstr, &algname, &algtype, - &bits); + result = named_config_getkeyalgorithm(algstr, &algtype, &bits); if (result != ISC_R_SUCCESS) { const char *s = " (keeping current key)"; @@ -7756,9 +7601,9 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server, server->session_keyalg = algtype; server->session_keybits = bits; - CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr, - algname, algtype, bits, mctx, - first_time, &server->sessionkey)); + CHECK(generate_session_key(keyfile, keynamestr, keyname, + algtype, bits, mctx, first_time, + &server->sessionkey)); } return (result); 
@@ -7768,94 +7613,9 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server, return (result); } -#ifndef HAVE_LMDB -static isc_result_t -count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) { - isc_result_t result; - - /* The new zone file may not exist. That is OK. */ - if (!isc_file_exists(view->new_zone_file)) { - *num_zonesp = 0; - return (ISC_R_SUCCESS); - } - - /* - * In the case of NZF files, we also parse the configuration in - * the file at this stage. - * - * This may be called in multiple views, so we reset - * the parser each time. - */ - cfg_parser_reset(named_g_addparser); - result = cfg_parse_file(named_g_addparser, view->new_zone_file, - &cfg_type_addzoneconf, &nzcfg->nzf_config); - if (result == ISC_R_SUCCESS) { - int num_zones; - - num_zones = count_zones(nzcfg->nzf_config); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "NZF file '%s' contains %d zones", - view->new_zone_file, num_zones); - if (num_zonesp != NULL) { - *num_zonesp = num_zones; - } - } else { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "Error parsing NZF file '%s': %s", - view->new_zone_file, isc_result_totext(result)); - } - - return (result); -} - -#else /* HAVE_LMDB */ - -static isc_result_t -count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) { - isc_result_t result; - int n; - - UNUSED(nzcfg); - - REQUIRE(num_zonesp != NULL); - - LOCK(&view->new_zone_lock); - - CHECK(migrate_nzf(view)); - - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "loading NZD zone count from '%s' " - "for view '%s'", - view->new_zone_db, view->name); - - CHECK(nzd_count(view, &n)); - - *num_zonesp = n; - - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "NZD database '%s' contains %d zones", view->new_zone_db, - n); - -cleanup: - if (result != 
ISC_R_SUCCESS) { - *num_zonesp = 0; - } - - UNLOCK(&view->new_zone_lock); - - return (ISC_R_SUCCESS); -} - -#endif /* HAVE_LMDB */ - static isc_result_t setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - cfg_parser_t *conf_parser, cfg_aclconfctx_t *actx, - int *num_zones) { + cfg_parser_t *conf_parser, cfg_aclconfctx_t *actx) { isc_result_t result = ISC_R_SUCCESS; bool allow = false; ns_cfgctx_t *nzcfg = NULL; @@ -7890,9 +7650,7 @@ setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, result = named_config_get(maps, "new-zones-directory", &nzdir); if (result == ISC_R_SUCCESS) { dir = cfg_obj_asstring(nzdir); - if (dir != NULL) { - result = isc_file_isdirectory(dir); - } + result = isc_file_isdirectory(dir); if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -7953,28 +7711,29 @@ setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, if (!allow) { dns_view_setnewzones(view, false, NULL, NULL, 0ULL); - if (num_zones != NULL) { - *num_zones = 0; - } return (ISC_R_SUCCESS); } nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg)); + *nzcfg = (ns_cfgctx_t){ 0 }; /* * We attach the parser that was used for config as well * as the one that will be used for added zones, to avoid * a shutdown race later. */ - memset(nzcfg, 0, sizeof(*nzcfg)); + isc_mem_attach(view->mctx, &nzcfg->mctx); cfg_parser_attach(conf_parser, &nzcfg->conf_parser); cfg_parser_attach(named_g_addparser, &nzcfg->add_parser); - isc_mem_attach(view->mctx, &nzcfg->mctx); cfg_aclconfctx_attach(actx, &nzcfg->actx); result = dns_view_setnewzones(view, true, nzcfg, newzone_cfgctx_destroy, mapsize); if (result != ISC_R_SUCCESS) { + cfg_aclconfctx_detach(&nzcfg->actx); + cfg_parser_destroy(&nzcfg->add_parser); + cfg_parser_destroy(&nzcfg->conf_parser); + isc_mem_putanddetach(&nzcfg->mctx, nzcfg, sizeof(*nzcfg)); dns_view_setnewzones(view, false, NULL, NULL, 0ULL); return (result); } 
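Review bot: The new unwind after a failed `dns_view_setnewzones()` re-implements inline what the `newzone_cfgctx_destroy` callback registered in that very call presumably does (detach `actx`, release both parsers, `isc_mem_putanddetach()` the context); calling that routine, or a small `static` helper shared with it, would keep the two teardown orders from drifting apart. The order used here is correct as far as this hunk shows — parsers and ACL context released before `isc_mem_putanddetach()` frees `nzcfg` itself — but a one-line comment such as `/* mirror newzone_cfgctx_destroy(): mctx goes last */` would save the next reader the check. `newzone_cfgctx_destroy` is not visible in this hunk, so confirm its body matches before reusing it.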
@@ -7984,7 +7743,7 @@ setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_attach(vconfig, &nzcfg->vconfig); } - result = count_newzones(view, nzcfg, num_zones); + result = load_nzf(view, nzcfg); return (result); } @@ -8001,7 +7760,7 @@ configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); origin = dns_fixedname_initname(&fixorigin); - result2 = dns_name_fromstring(origin, zname, 0, NULL); + result2 = dns_name_fromstring(origin, zname, dns_rootname, 0, NULL); if (result2 != ISC_R_SUCCESS) { return; } @@ -8012,7 +7771,7 @@ configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, return; } - result2 = dns_view_findzone(pview, origin, &zone); + result2 = dns_view_findzone(pview, origin, DNS_ZTFIND_EXACT, &zone); if (result2 != ISC_R_SUCCESS) { dns_view_detach(&pview); return; @@ -8032,7 +7791,7 @@ configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, static isc_result_t configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, cfg_aclconfctx_t *actx) { + cfg_aclconfctx_t *actx) { isc_result_t result; ns_cfgctx_t *nzctx; const cfg_obj_t *zonelist; @@ -8054,7 +7813,7 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, element = cfg_list_next(element)) { const cfg_obj_t *zconfig = cfg_listelt_value(element); - CHECK(configure_zone(config, zconfig, vconfig, mctx, view, + CHECK(configure_zone(config, zconfig, vconfig, view, &named_g_server->viewlist, &named_g_server->kasplist, actx, true, false, false)); 
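Review bot: `load_nzf(view, nzcfg)` replaces `count_newzones()`, whose `HAVE_LMDB` variant (deleted above) took `view->new_zone_lock` and ran `migrate_nzf(view)` before counting; the name `load_nzf` reads as the NZF-file path only, so confirm that the NZF-to-NZD migration on LMDB builds is still triggered somewhere and that `load_nzf` is compiled for both builds or this call is guarded. A short comment at the call site stating which build it serves would help, e.g. `/* NZF path; NZD builds migrate in ... */` with the real location filled in. `load_nzf` itself is not visible in the diff, so this is a request to confirm rather than a defect.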
@@ -8107,8 +7866,8 @@ data_to_cfg(dns_view_t *view, MDB_val *key, MDB_val *data, isc_buffer_t **text, INSIST(zone_config != NULL && zone_config_len > 0); /* zone zonename { config; }; */ - result = isc_buffer_reserve(text, 6 + zone_name_len + 2 + - zone_config_len + 2); + result = isc_buffer_reserve(*text, 6 + zone_name_len + 2 + + zone_config_len + 2); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -8151,7 +7910,7 @@ data_to_cfg(dns_view_t *view, MDB_val *key, MDB_val *data, isc_buffer_t **text, */ typedef isc_result_t (*newzone_cfg_cb_t)(const cfg_obj_t *zconfig, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, dns_view_t *view, + dns_view_t *view, cfg_aclconfctx_t *actx); /*% @@ -8167,7 +7926,7 @@ typedef isc_result_t (*newzone_cfg_cb_t)(const cfg_obj_t *zconfig, */ static isc_result_t for_all_newzone_cfgs(newzone_cfg_cb_t callback, cfg_obj_t *config, - cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, + cfg_obj_t *vconfig, dns_view_t *view, cfg_aclconfctx_t *actx, MDB_txn *txn, MDB_dbi dbi) { const cfg_obj_t *zconfig, *zlist; isc_result_t result = ISC_R_SUCCESS; @@ -8210,7 +7969,7 @@ for_all_newzone_cfgs(newzone_cfg_cb_t callback, cfg_obj_t *config, /* * Invoke callback. */ - result = callback(zconfig, config, vconfig, mctx, view, actx); + result = callback(zconfig, config, vconfig, view, actx); if (result != ISC_R_SUCCESS) { break; } @@ -8237,10 +7996,10 @@ for_all_newzone_cfgs(newzone_cfg_cb_t callback, cfg_obj_t *config, */ static isc_result_t configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config, - cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, + cfg_obj_t *vconfig, dns_view_t *view, cfg_aclconfctx_t *actx) { return (configure_zone( - config, zconfig, vconfig, mctx, view, &named_g_server->viewlist, + config, zconfig, vconfig, view, &named_g_server->viewlist, &named_g_server->kasplist, actx, true, false, false)); } 
@@ -8249,11 +8008,10 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config, */ static isc_result_t configure_newzone_revert(const cfg_obj_t *zconfig, cfg_obj_t *config, - cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, + cfg_obj_t *vconfig, dns_view_t *view, cfg_aclconfctx_t *actx) { UNUSED(config); UNUSED(vconfig); - UNUSED(mctx); UNUSED(actx); configure_zone_setviewcommit(ISC_R_FAILURE, zconfig, view); @@ -8263,7 +8021,7 @@ configure_newzone_revert(const cfg_obj_t *zconfig, cfg_obj_t *config, static isc_result_t configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, cfg_aclconfctx_t *actx) { + cfg_aclconfctx_t *actx) { isc_result_t result; MDB_txn *txn = NULL; MDB_dbi dbi; @@ -8286,8 +8044,8 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, "for view '%s'", view->new_zone_db, view->name); - result = for_all_newzone_cfgs(configure_newzone, config, vconfig, mctx, - view, actx, txn, dbi); + result = for_all_newzone_cfgs(configure_newzone, config, vconfig, view, + actx, txn, dbi); if (result != ISC_R_SUCCESS) { /* * An error was encountered while attempting to configure zones @@ -8298,7 +8056,7 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, * terms of trying to make things right. */ (void)for_all_newzone_cfgs(configure_newzone_revert, config, - vconfig, mctx, view, actx, txn, dbi); + vconfig, view, actx, txn, dbi); } (void)nzd_close(&txn, false); 
@@ -8374,24 +8132,6 @@ get_newzone_config(dns_view_t *view, const char *zonename, #endif /* HAVE_LMDB */ -static int -count_zones(const cfg_obj_t *conf) { - const cfg_obj_t *zonelist = NULL; - const cfg_listelt_t *element; - int n = 0; - - REQUIRE(conf != NULL); - - cfg_map_get(conf, "zone", &zonelist); - for (element = cfg_list_first(zonelist); element != NULL; - element = cfg_list_next(element)) - { - n++; - } - - return (n); -} - static isc_result_t check_lockfile(named_server_t *server, const cfg_obj_t *config, bool first_time) { @@ -8489,25 +8229,22 @@ load_configuration(const char *filename, named_server_t *server, const cfg_obj_t *kasps; dns_kasp_t *kasp = NULL; dns_kasp_t *kasp_next = NULL; + dns_kasp_t *default_kasp = NULL; dns_kasplist_t tmpkasplist, kasplist; const cfg_obj_t *views; - dns_view_t *view = NULL; + dns_view_t *view_next = NULL; dns_viewlist_t tmpviewlist; dns_viewlist_t viewlist, builtin_viewlist; in_port_t listen_port, udpport_low, udpport_high; int i, backlog; - int num_zones = 0; - bool exclusive = false; isc_interval_t interval; isc_logconfig_t *logc = NULL; isc_portset_t *v4portset = NULL; isc_portset_t *v6portset = NULL; - isc_resourcevalue_t nfiles; - isc_result_t result, tresult; + isc_result_t result; uint32_t heartbeat_interval; uint32_t interface_interval; - uint32_t reserved; uint32_t udpsize; uint32_t transfer_message_size; uint32_t recv_tcp_buffer_size; 
@@ -8518,24 +8255,36 @@ load_configuration(const char *filename, named_server_t *server, named_cachelist_t cachelist, tmpcachelist; ns_altsecret_t *altsecret; ns_altsecretlist_t altsecrets, tmpaltsecrets; - unsigned int maxsocks; uint32_t softquota = 0; uint32_t max; uint64_t initial, idle, keepalive, advertised; + bool loadbalancesockets; + bool exclusive = true; dns_aclenv_t *env = ns_interfacemgr_getaclenv(named_g_server->interfacemgr); + /* + * Require the reconfiguration to happen always on the main loop + */ + REQUIRE(isc_loop_current(named_g_loopmgr) == named_g_mainloop); + ISC_LIST_INIT(kasplist); ISC_LIST_INIT(viewlist); ISC_LIST_INIT(builtin_viewlist); ISC_LIST_INIT(cachelist); ISC_LIST_INIT(altsecrets); + /* Ensure exclusive access to configuration data. */ + isc_loopmgr_pause(named_g_loopmgr); + /* Create the ACL configuration context */ if (named_g_aclconfctx != NULL) { cfg_aclconfctx_detach(&named_g_aclconfctx); } - CHECK(cfg_aclconfctx_create(named_g_mctx, &named_g_aclconfctx)); + result = cfg_aclconfctx_create(named_g_mctx, &named_g_aclconfctx); + if (result != ISC_R_SUCCESS) { + goto cleanup_exclusive; + } /* * Shut down all dyndb instances. @@ -8564,12 +8313,17 @@ load_configuration(const char *filename, named_server_t *server, isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "loading configuration from '%s'", filename); - CHECK(cfg_parser_create(named_g_mctx, named_g_lctx, &conf_parser)); + result = cfg_parser_create(named_g_mctx, named_g_lctx, &conf_parser); + if (result != ISC_R_SUCCESS) { + goto cleanup_exclusive; + } + cfg_parser_setcallback(conf_parser, directory_callback, NULL); result = cfg_parse_file(conf_parser, filename, &cfg_type_namedconf, &config); - - CHECK(result); + if (result != ISC_R_SUCCESS) { + goto cleanup_conf_parser; + } /* * Check the validity of the configuration. 
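Review bot: `isc_loopmgr_pause(named_g_loopmgr)` is now taken before `cfg_parser_create()` and the `cfg_parse_file()` in the next hunk, whereas the `isc_task_beginexclusive()` it replaces (removed further down, after the bindkeys file has been parsed) was entered only once the configuration had been read and checked. Parsing and checking a large named.conf now happens with every loop stopped, which lengthens the window in which a reload leaves the server unresponsive and turns a simple parse error into a pause/resume cycle instead of a no-op. If the early pause is deliberate (for instance because `named_g_aclconfctx` is shared state), a comment next to the `REQUIRE` saying so would help; otherwise consider pausing after `isccfg_check_namedconf()` and reordering the `cleanup_*` labels to match. With the pause unconditional, `bool exclusive = true;` looks like a constant — worth checking whether the flag still guards anything outside this hunk.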
@@ -8578,7 +8332,27 @@ load_configuration(const char *filename, named_server_t *server, * checked later when the modules are actually loaded and * registered.) */ - CHECK(bind9_check_namedconf(config, false, named_g_lctx, named_g_mctx)); + result = isccfg_check_namedconf(config, BIND_CHECK_ALGORITHMS, + named_g_lctx, named_g_mctx); + if (result != ISC_R_SUCCESS) { + goto cleanup_config; + } + + /* Let's recreate the TLS context cache */ + if (server->tlsctx_server_cache != NULL) { + isc_tlsctx_cache_detach(&server->tlsctx_server_cache); + } + + isc_tlsctx_cache_create(named_g_mctx, &server->tlsctx_server_cache); + + if (server->tlsctx_client_cache != NULL) { + isc_tlsctx_cache_detach(&server->tlsctx_client_cache); + } + + isc_tlsctx_cache_create(named_g_mctx, &server->tlsctx_client_cache); + + dns_zonemgr_set_tlsctx_cache(server->zonemgr, + server->tlsctx_client_cache); /* * Fill in the maps array, used for resolving defaults. @@ -8592,6 +8366,7 @@ load_configuration(const char *filename, named_server_t *server, maps[i++] = named_g_defaults; maps[i] = NULL; +#if HAVE_LIBNGHTTP2 obj = NULL; result = named_config_get(maps, "http-port", &obj); INSIST(result == ISC_R_SUCCESS); 
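Review bot: `#if HAVE_LIBNGHTTP2` tests the macro's value while the GeoIP block later in this function uses `#if defined(HAVE_GEOIP2)`; mixing the two forms in one function is inconsistent, and under `-Wundef` the former warns whenever the configure script leaves the macro undefined. Prefer `#if defined(HAVE_LIBNGHTTP2)` here and a matching `#endif /* HAVE_LIBNGHTTP2 */` where the block closes in the next hunk. That block also means `named_g_httpport`, `named_g_httpsport`, `named_g_http_listener_clients` and `named_g_http_streams_per_conn` are never read from the configuration in builds without nghttp2 — fine if nothing consumes them there, but a one-line comment on the `#endif` stating that would make the intent explicit.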
@@ -8602,110 +8377,68 @@ load_configuration(const char *filename, named_server_t *server, INSIST(result == ISC_R_SUCCESS); named_g_httpsport = (in_port_t)cfg_obj_asuint32(obj); - /* - * If bind.keys exists, load it. If "dnssec-validation auto" - * is turned on, the root key found there will be used as a - * default trust anchor. - */ obj = NULL; - result = named_config_get(maps, "bindkeys-file", &obj); + result = named_config_get(maps, "http-listener-clients", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)), - "strdup"); - INSIST(server->bindkeysfile != NULL); + named_g_http_listener_clients = cfg_obj_asuint32(obj); - if (access(server->bindkeysfile, R_OK) == 0) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "reading built-in trust anchors " - "from file '%s'", - server->bindkeysfile); - - CHECK(cfg_parser_create(named_g_mctx, named_g_lctx, - &bindkeys_parser)); + obj = NULL; + result = named_config_get(maps, "http-streams-per-connection", &obj); + INSIST(result == ISC_R_SUCCESS); + named_g_http_streams_per_conn = cfg_obj_asuint32(obj); +#endif - result = cfg_parse_file(bindkeys_parser, server->bindkeysfile, - &cfg_type_bindkeys, &bindkeys); - if (result != ISC_R_SUCCESS) { + /* + * If "dnssec-validation auto" is turned on, the root key + * will be used as a default trust anchor. The root key + * is built in, but if bindkeys-file is set, then it will + * be overridden with the key in that file. 
+ */ + obj = NULL; + (void)named_config_get(maps, "bindkeys-file", &obj); + if (obj != NULL) { + setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)); + INSIST(server->bindkeysfile != NULL); + if (access(server->bindkeysfile, R_OK) != 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to parse '%s' error '%s'; using " - "built-in keys instead", - server->bindkeysfile, - isc_result_totext(result)); + "unable to open '%s'; using built-in " + "keys instead", + server->bindkeysfile); + } else { + result = cfg_parser_create(named_g_mctx, named_g_lctx, + &bindkeys_parser); + if (result != ISC_R_SUCCESS) { + goto cleanup_config; + } + + result = cfg_parse_file(bindkeys_parser, + server->bindkeysfile, + &cfg_type_bindkeys, &bindkeys); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, + "unable to parse '%s' " + "error '%s'; using " + "built-in keys instead", + server->bindkeysfile, + isc_result_totext(result)); + } } } else { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to open '%s'; using built-in keys " - "instead", - server->bindkeysfile); - } - - /* Ensure exclusive access to configuration data. */ - if (!exclusive) { - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - exclusive = true; + setstring(server, &server->bindkeysfile, NULL); } /* - * Set process limits, which (usually) needs to be done as root. + * Check the process lockfile. */ - set_limits(maps); + result = check_lockfile(server, config, first_time); + if (result != ISC_R_SUCCESS) { + goto cleanup_bindkeys_parser; + } - /* - * Check the process lockfile. - */ - CHECK(check_lockfile(server, config, first_time)); - - /* - * Check if max number of open sockets that the system allows is - * sufficiently large. 
Failing this condition is not necessarily fatal, - * but may cause subsequent runtime failures for a busy recursive - * server. - */ - result = isc_socketmgr_getmaxsockets(named_g_socketmgr, &maxsocks); - if (result != ISC_R_SUCCESS) { - maxsocks = 0; - } - result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles); - if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "max open files (%" PRIu64 ")" - " is smaller than max sockets (%u)", - nfiles, maxsocks); - } - - /* - * Set the number of socket reserved for TCP, stdio etc. - */ - obj = NULL; - result = named_config_get(maps, "reserved-sockets", &obj); - INSIST(result == ISC_R_SUCCESS); - reserved = cfg_obj_asuint32(obj); - if (maxsocks != 0) { - if (maxsocks < 128U) { /* Prevent underflow. */ - reserved = 0; - } else if (reserved > maxsocks - 128U) { /* Minimum UDP space. - */ - reserved = maxsocks - 128; - } - } - /* Minimum TCP/stdio space. */ - if (reserved < 128U) { - reserved = 128; - } - if (reserved + 128U > maxsocks && maxsocks != 0) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "less than 128 UDP sockets available after " - "applying 'reserved-sockets' and 'maxsockets'"); - } - isc_socketmgr_setreserved(named_g_socketmgr, reserved); - -#if defined(HAVE_GEOIP2) +#if defined(HAVE_GEOIP2) /* * Release any previously opened GeoIP2 databases. */ @@ -8721,8 +8454,7 @@ load_configuration(const char *filename, named_server_t *server, result = named_config_get(maps, "geoip-directory", &obj); INSIST(result == ISC_R_SUCCESS); if (cfg_obj_isstring(obj)) { - char *dir; - DE_CONST(cfg_obj_asstring(obj), dir); + char *dir = UNCONST(cfg_obj_asstring(obj)); named_geoip_load(dir); } named_g_aclconfctx->geoip = named_g_geoip; 
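Review bot: A `bindkeys-file` that the operator configured explicitly but that cannot be opened or parsed is reported at `ISC_LOG_INFO` and the server quietly proceeds with the built-in trust anchors. The `(void)named_config_get(...)` / `obj != NULL` structure and the `else` branch that clears `server->bindkeysfile` suggest the option no longer has a default, so a non-NULL `obj` now means the operator asked for an override; failing to apply a trust-anchor override deserves at least `ISC_LOG_WARNING` in both the `access()` and the `cfg_parse_file()` failure branches. Whether a default is still supplied through `named_g_defaults` is not visible here — if it is, INFO remains reasonable for the default path and only the explicitly configured case needs the higher severity. The enclosing `load_configuration()` continues well beyond this hunk.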
@@ -8736,17 +8468,20 @@ load_configuration(const char *filename, named_server_t *server, configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota); configure_server_quota(maps, "recursive-clients", &server->sctx->recursionquota); + configure_server_quota(maps, "update-quota", &server->sctx->updquota); max = isc_quota_getmax(&server->sctx->recursionquota); if (max > 1000) { - unsigned margin = ISC_MAX(100, named_g_cpus + 1); + unsigned int margin = ISC_MAX(100, named_g_cpus + 1); if (margin + 100 > max) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "'recursive-clients %d' too low when " "running with %d worker threads", max, named_g_cpus); - CHECK(ISC_R_RANGE); + result = ISC_R_RANGE; + + goto cleanup_bindkeys_parser; } softquota = max - margin; } else { 
@@ -8759,32 +8494,23 @@ load_configuration(const char *filename, named_server_t *server, * Set "blackhole". Only legal at options level; there is * no default. */ - CHECK(configure_view_acl(NULL, config, NULL, "blackhole", NULL, - named_g_aclconfctx, named_g_mctx, - &server->sctx->blackholeacl)); + result = configure_view_acl(NULL, config, NULL, "blackhole", NULL, + named_g_aclconfctx, named_g_mctx, + &server->sctx->blackholeacl); + if (result != ISC_R_SUCCESS) { + goto cleanup_bindkeys_parser; + } + if (server->sctx->blackholeacl != NULL) { dns_dispatchmgr_setblackhole(named_g_dispatchmgr, server->sctx->blackholeacl); } - /* - * Set "keep-response-order". Only legal at options or - * global defaults level. - */ - CHECK(configure_view_acl(NULL, config, named_g_config, - "keep-response-order", NULL, - named_g_aclconfctx, named_g_mctx, - &server->sctx->keepresporder)); - obj = NULL; result = named_config_get(maps, "match-mapped-addresses", &obj); INSIST(result == ISC_R_SUCCESS); env->match_mapped = cfg_obj_asboolean(obj); - CHECKM(named_statschannels_configure(named_g_server, config, - named_g_aclconfctx), - "configuring statistics server(s)"); - /* * Configure the network manager */ @@ -8857,11 +8583,11 @@ load_configuration(const char *filename, named_server_t *server, isc_nm_settimeouts(named_g_netmgr, initial, idle, keepalive, advertised); -#define CAP_IF_NOT_ZERO(v, min, max) \ - if (v > 0 && v < min) { \ - recv_tcp_buffer_size = min; \ - } else if (v > max) { \ - recv_tcp_buffer_size = max; \ +#define CAP_IF_NOT_ZERO(v, min, max) \ + if (v > 0 && v < min) { \ + v = min; \ + } else if (v > max) { \ + v = max; \ } /* Set the kernel send and receive buffer sizes */ 
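Review bot: The `named_statschannels_configure()` call is deleted from this hunk with no replacement visible in the diff, and the `keep-response-order` ACL setup goes with it; if statistics channels are now configured elsewhere in `load_configuration()` the commit message should say so, otherwise a `statistics-channels` block would parse cleanly and never take effect. The rest of the function is outside this hunk, so this is a request to confirm rather than a reported defect. The new `goto cleanup_bindkeys_parser` after `configure_view_acl()` is consistent with the other error paths above it.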
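Review bot: `CAP_IF_NOT_ZERO` now assigns to its `v` argument (the right fix — the old body always wrote `recv_tcp_buffer_size`), but the macro still expands to a bare `if`/`else if` chain, so it cannot be used safely as a single statement in an `if`/`else` of its own and the trailing `;` at call sites is silently part of the expansion. Wrap the body as `#define CAP_IF_NOT_ZERO(v, min, max) do { ... } while (0)` so each use reads as one statement. The use sites are outside this hunk.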
@@ -8901,10 +8627,22 @@ load_configuration(const char *filename, named_server_t *server, /* * Configure sets of UDP query source ports. */ - CHECKM(isc_portset_create(named_g_mctx, &v4portset), "creating UDP " - "port set"); - CHECKM(isc_portset_create(named_g_mctx, &v6portset), "creating UDP " - "port set"); + result = isc_portset_create(named_g_mctx, &v4portset); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "creating UDP/IPv4 port set: %s", + isc_result_totext(result)); + goto cleanup_bindkeys_parser; + } + result = isc_portset_create(named_g_mctx, &v6portset); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "creating UDP/IPv6 port set: %s", + isc_result_totext(result)); + goto cleanup_v4portset; + } usev4ports = NULL; usev6ports = NULL; @@ -8915,9 +8653,16 @@ load_configuration(const char *filename, named_server_t *server, if (usev4ports != NULL) { portset_fromconf(v4portset, usev4ports, true); } else { - CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low, - &udpport_high), - "get the default UDP/IPv4 port range"); + result = isc_net_getudpportrange(AF_INET, &udpport_low, + &udpport_high); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "get the default UDP/IPv4 port range: %s", + isc_result_totext(result)); + goto cleanup_v6portset; + } + if (udpport_low == udpport_high) { isc_portset_add(v4portset, udpport_low); } else { 
@@ -8941,9 +8686,15 @@ load_configuration(const char *filename, named_server_t *server, if (usev6ports != NULL) { portset_fromconf(v6portset, usev6ports, true); } else { - CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low, - &udpport_high), - "get the default UDP/IPv6 port range"); + result = isc_net_getudpportrange(AF_INET6, &udpport_low, + &udpport_high); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "get the default UDP/IPv6 port range: %s", + isc_result_totext(result)); + goto cleanup_v6portset; + } if (udpport_low == udpport_high) { isc_portset_add(v6portset, udpport_low); } else { @@ -9030,15 +8781,12 @@ load_configuration(const char *filename, named_server_t *server, if (named_g_port != 0) { listen_port = named_g_port; } else { - CHECKM(named_config_getport(config, "port", &listen_port), - "port"); + result = named_config_getport(config, "port", &listen_port); + if (result != ISC_R_SUCCESS) { + goto cleanup_v6portset; + } } - /* - * Determining the default DSCP code point. - */ - CHECKM(named_config_getdscp(config, &named_g_dscp), "dscp"); - /* * Find the listen queue depth. */ 
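Review bot: In the `port` branch a failure of `named_config_getport` now jumps to cleanup_v6portset without writing anything to the log, whereas the removed `CHECKM(..., "port")` reported the result and every other converted error path in this function logs before its goto. Unless named_config_getport logs the reason itself (not visible here), an invalid `port` would make a reload fail with only the generic end-of-function message. I would add `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "port: %s", isc_result_totext(result));` before the goto. load_configuration continues outside this hunk.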
@@ -9051,6 +8799,27 @@ load_configuration(const char *filename, named_server_t *server, } ns_interfacemgr_setbacklog(server->interfacemgr, backlog); + obj = NULL; + result = named_config_get(maps, "reuseport", &obj); + INSIST(result == ISC_R_SUCCESS); + loadbalancesockets = cfg_obj_asboolean(obj); +#if HAVE_SO_REUSEPORT_LB + if (first_time) { + isc_nm_setloadbalancesockets(named_g_netmgr, + cfg_obj_asboolean(obj)); + } else if (loadbalancesockets != + isc_nm_getloadbalancesockets(named_g_netmgr)) + { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "changing reuseport value requires server restart"); + } +#else + if (loadbalancesockets) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "reuseport has no effect on this system"); + } +#endif + /* * Configure the interface manager according to the "listen-on" * statement. @@ -9059,7 +8828,6 @@ load_configuration(const char *filename, named_server_t *server, const cfg_obj_t *clistenon = NULL; ns_listenlist_t *listenon = NULL; - clistenon = NULL; /* * Even though listen-on is present in the default * configuration, this way is easier. @@ -9068,22 +8836,29 @@ load_configuration(const char *filename, named_server_t *server, (void)cfg_map_get(options, "listen-on", &clistenon); } if (clistenon != NULL) { - CHECK(listenlist_fromconfig( + result = listenlist_fromconfig( clistenon, config, named_g_aclconfctx, - named_g_mctx, AF_INET, &listenon)); + named_g_mctx, AF_INET, + server->tlsctx_server_cache, &listenon); } else { /* * Not specified, use default. */ - CHECK(ns_listenlist_default(named_g_mctx, listen_port, - -1, true, &listenon)); + result = ns_listenlist_default(named_g_mctx, + listen_port, true, + AF_INET, &listenon); + } + if (result != ISC_R_SUCCESS) { + goto cleanup_v6portset; } + if (listenon != NULL) { ns_interfacemgr_setlistenon4(server->interfacemgr, listenon); ns_listenlist_detach(&listenon); } } + /* * Ditto for IPv6. */ 
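Review bot: The reuseport block reads the option into `loadbalancesockets` but then passes `cfg_obj_asboolean(obj)` a second time to `isc_nm_setloadbalancesockets`, so the local is only used in the comparison branch; pass the local instead: `isc_nm_setloadbalancesockets(named_g_netmgr, loadbalancesockets);`. A short comment stating that the value is latched on the first load and only compared against the running value afterwards would also help, since the warning text is currently the only hint of that. The enclosing function continues on both sides of the hunk.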
@@ -9095,15 +8870,20 @@ load_configuration(const char *filename, named_server_t *server, (void)cfg_map_get(options, "listen-on-v6", &clistenon); } if (clistenon != NULL) { - CHECK(listenlist_fromconfig( + result = listenlist_fromconfig( clistenon, config, named_g_aclconfctx, - named_g_mctx, AF_INET6, &listenon)); + named_g_mctx, AF_INET6, + server->tlsctx_server_cache, &listenon); } else { /* * Not specified, use default. */ - CHECK(ns_listenlist_default(named_g_mctx, listen_port, - -1, true, &listenon)); + result = ns_listenlist_default(named_g_mctx, + listen_port, true, + AF_INET6, &listenon); + } + if (result != ISC_R_SUCCESS) { + goto cleanup_v6portset; } if (listenon != NULL) { ns_interfacemgr_setlistenon6(server->interfacemgr, 
@@ -9112,25 +8892,29 @@ load_configuration(const char *filename, named_server_t *server, } } - /* - * Rescan the interface list to pick up changes in the - * listen-on option. It's important that we do this before we try - * to configure the query source, since the dispatcher we use might - * be shared with an interface. - */ - result = ns_interfacemgr_scan(server->interfacemgr, true); + if (first_time) { + /* + * Rescan the interface list to pick up changes in the + * listen-on option. This requires the loopmgr to be + * temporarily resumed. + */ + isc_loopmgr_resume(named_g_loopmgr); + result = ns_interfacemgr_scan(server->interfacemgr, true, true); + isc_loopmgr_pause(named_g_loopmgr); - /* - * Check that named is able to TCP listen on at least one - * interface. Otherwise, another named process could be running - * and we should fail. - */ - if (first_time && (result == ISC_R_ADDRINUSE)) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "unable to listen on any configured interfaces"); - result = ISC_R_FAILURE; - goto cleanup; + /* + * Check that named is able to TCP listen on at least one + * interface. Otherwise, another named process could be running + * and we should fail. + */ + if (result == ISC_R_ADDRINUSE) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "unable to listen on any configured " + "interfaces"); + result = ISC_R_FAILURE; + goto cleanup_v6portset; + } } /* 
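Review bot: The new `isc_loopmgr_resume()`/`isc_loopmgr_pause()` pair around `ns_interfacemgr_scan` deliberately gives up the paused (exclusive) state in the middle of load_configuration, at a point where quotas, ACLs and listen lists have already been written into `server->sctx` and the interface manager but views, caches and keys have not been installed yet. The `first_time` guard presumably makes this safe because no production views exist on the first load, but the comment only says the scan "requires" the resume; I would state the safety argument explicitly: `/* Only safe on first load: no production views exist yet, so other loops cannot observe the half-applied configuration. */`. The function body continues outside the hunk.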
@@ -9141,15 +8925,14 @@ load_configuration(const char *filename, named_server_t *server, result = named_config_get(maps, "interface-interval", &obj); INSIST(result == ISC_R_SUCCESS); interface_interval = cfg_obj_asduration(obj); - if (interface_interval == 0) { - CHECK(isc_timer_reset(server->interface_timer, - isc_timertype_inactive, NULL, NULL, - true)); - } else if (server->interface_interval != interface_interval) { - isc_interval_set(&interval, interface_interval, 0); - CHECK(isc_timer_reset(server->interface_timer, - isc_timertype_ticker, NULL, &interval, - false)); + if (server->interface_timer != NULL) { + if (interface_interval == 0) { + isc_timer_stop(server->interface_timer); + } else if (server->interface_interval != interface_interval) { + isc_interval_set(&interval, interface_interval, 0); + isc_timer_start(server->interface_timer, + isc_timertype_ticker, &interval); + } } server->interface_interval = interface_interval; 
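Review bot: With the new `if (server->interface_timer != NULL)` guard, a reload that raises `interface-interval` from 0 to a positive value is silently ignored on servers where run_server skipped creating the timer (the run_server hunk later in this diff does so when the configured interval is 0, or when dynamic updates are reliable and interface_auto is set), yet `server->interface_interval` is still updated to the new value. The reuseport code added by this same commit logs a warning for exactly this kind of restart-only change; I would do the same here: `} else if (interface_interval != 0) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, "enabling interface-interval requires server restart"); }`. load_configuration continues outside the hunk.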
@@ -9169,24 +8952,19 @@ load_configuration(const char *filename, named_server_t *server, INSIST(result == ISC_R_SUCCESS); heartbeat_interval = cfg_obj_asuint32(obj) * 60; if (heartbeat_interval == 0) { - CHECK(isc_timer_reset(server->heartbeat_timer, - isc_timertype_inactive, NULL, NULL, - true)); + isc_timer_stop(server->heartbeat_timer); } else if (server->heartbeat_interval != heartbeat_interval) { isc_interval_set(&interval, heartbeat_interval, 0); - CHECK(isc_timer_reset(server->heartbeat_timer, - isc_timertype_ticker, NULL, &interval, - false)); + isc_timer_start(server->heartbeat_timer, isc_timertype_ticker, + &interval); } server->heartbeat_interval = heartbeat_interval; isc_interval_set(&interval, 1200, 0); - CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL, - &interval, false)); + isc_timer_start(server->pps_timer, isc_timertype_ticker, &interval); isc_interval_set(&interval, named_g_tat_interval, 0); - CHECK(isc_timer_reset(server->tat_timer, isc_timertype_ticker, NULL, - &interval, false)); + isc_timer_start(server->tat_timer, isc_timertype_ticker, &interval); /* * Write the PID file. 
@@ -9215,42 +8993,90 @@ load_configuration(const char *filename, named_server_t *server, (void)configure_session_key(maps, server, named_g_mctx, first_time); /* - * Create the DNSSEC key and signing policies (KASP). + * Create the built-in kasp policies ("default", "insecure"). */ kasps = NULL; - (void)cfg_map_get(config, "dnssec-policy", &kasps); + (void)cfg_map_get(named_g_config, "dnssec-policy", &kasps); for (element = cfg_list_first(kasps); element != NULL; element = cfg_list_next(element)) { cfg_obj_t *kconfig = cfg_listelt_value(element); + kasp = NULL; - CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx, - named_g_lctx, &kasplist, &kasp)); + result = cfg_kasp_fromconfig(kconfig, default_kasp, true, + named_g_mctx, named_g_lctx, + &kasplist, &kasp); + if (result != ISC_R_SUCCESS) { + goto cleanup_kasplist; + } INSIST(kasp != NULL); dns_kasp_freeze(kasp); + + /* Insist that the first built-in policy is the default one. */ + if (default_kasp == NULL) { + INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0); + dns_kasp_attach(kasp, &default_kasp); + } + dns_kasp_detach(&kasp); } + INSIST(default_kasp != NULL); + /* - * Create the built-in kasp policies ("default", "insecure"). + * Create the DNSSEC key and signing policies (KASP). 
*/ - kasp = NULL; - CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx, - &kasplist, &kasp)); - INSIST(kasp != NULL); - dns_kasp_freeze(kasp); - dns_kasp_detach(&kasp); - - kasp = NULL; - CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx, - &kasplist, &kasp)); - INSIST(kasp != NULL); - dns_kasp_freeze(kasp); - dns_kasp_detach(&kasp); + kasps = NULL; + (void)cfg_map_get(config, "dnssec-policy", &kasps); + for (element = cfg_list_first(kasps); element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *kconfig = cfg_listelt_value(element); + kasp = NULL; + result = cfg_kasp_fromconfig(kconfig, default_kasp, true, + named_g_mctx, named_g_lctx, + &kasplist, &kasp); + if (result != ISC_R_SUCCESS) { + goto cleanup_kasplist; + } + INSIST(kasp != NULL); + dns_kasp_freeze(kasp); + dns_kasp_detach(&kasp); + } + dns_kasp_detach(&default_kasp); tmpkasplist = server->kasplist; server->kasplist = kasplist; kasplist = tmpkasplist; +#ifdef USE_DNSRPS + /* + * Find the path to the DNSRPS implementation library. + */ + obj = NULL; + if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) { + if (server->dnsrpslib != NULL) { + dns_dnsrps_server_destroy(); + isc_mem_free(server->mctx, server->dnsrpslib); + server->dnsrpslib = NULL; + } + setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj)); + result = dns_dnsrps_server_create(server->dnsrpslib); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), + "initializing DNSRPS RPZ provider '%s': %s", + server->dnsrpslib, isc_result_totext(result)); + /* + * It's okay if librpz isn't available. We'll complain + * later if it turns out to be needed for a view with + * "dnsrps-enable yes". + */ + if (result == ISC_R_FILENOTFOUND) { + result = ISC_R_SUCCESS; + } + CHECKFATAL(result, "initializing RPZ service interface"); + } +#endif /* ifdef USE_DNSRPS */ + /* * Configure the views. */ 
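Review bot: The new dnsrps-library block is the only error path in load_configuration that uses `CHECKFATAL`, so a `dnsrps-library` that exists but fails to load for any reason other than ISC_R_FILENOTFOUND terminates a running named during a reconfig instead of rejecting the new configuration like every other goto-cleanup path in this function. It also calls `dns_dnsrps_server_destroy()` and frees the old `server->dnsrpslib` before the new `dns_dnsrps_server_create()` is attempted, so the previous provider is gone even when the new one fails. I would log the error and jump to cleanup_kasplist (the view failures in the next hunk already unwind through that label), and defer tearing down the old library until the new one has been created. This block is under USE_DNSRPS and the function continues outside the hunk.
```c
		/* … unchanged: setstring() and dns_dnsrps_server_create() … */
		if (result == ISC_R_FILENOTFOUND) {
			result = ISC_R_SUCCESS;
		}
		if (result != ISC_R_SUCCESS) {
			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
				      "initializing RPZ service interface: %s",
				      isc_result_totext(result));
			goto cleanup_kasplist;
		}
```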
@@ -9258,36 +9084,27 @@ load_configuration(const char *filename, named_server_t *server, (void)cfg_map_get(config, "view", &views); /* - * Create the views and count all the configured zones in - * order to correctly size the zone manager's task table. - * (We only count zones for configured views; the built-in - * "bind" view can be ignored as it only adds a negligible - * number of zones.) - * - * If we're allowing new zones, we need to be able to find the - * new zone file and count those as well. So we setup the new - * zone configuration context, but otherwise view configuration - * waits until after the zone manager's task list has been sized. + * Create the views. */ for (element = cfg_list_first(views); element != NULL; element = cfg_list_next(element)) { cfg_obj_t *vconfig = cfg_listelt_value(element); - const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options"); - int nzf_num_zones; - - view = NULL; + dns_view_t *view = NULL; - CHECK(create_view(vconfig, &viewlist, &view)); + result = create_view(vconfig, &viewlist, &view); + if (result != ISC_R_SUCCESS) { + goto cleanup_viewlist; + } INSIST(view != NULL); - num_zones += count_zones(voptions); - - CHECK(setup_newzones(view, config, vconfig, conf_parser, - named_g_aclconfctx, &nzf_num_zones)); - num_zones += nzf_num_zones; - + result = setup_newzones(view, config, vconfig, conf_parser, + named_g_aclconfctx); dns_view_detach(&view); + + if (result != ISC_R_SUCCESS) { + goto cleanup_viewlist; + } } /* 
@@ -9295,28 +9112,23 @@ load_configuration(const char *filename, named_server_t *server, * view here. */ if (views == NULL) { - int nzf_num_zones; + dns_view_t *view = NULL; - CHECK(create_view(NULL, &viewlist, &view)); + result = create_view(NULL, &viewlist, &view); + if (result != ISC_R_SUCCESS) { + goto cleanup_viewlist; + } INSIST(view != NULL); - num_zones = count_zones(config); - - CHECK(setup_newzones(view, config, NULL, conf_parser, - named_g_aclconfctx, &nzf_num_zones)); - num_zones += nzf_num_zones; + result = setup_newzones(view, config, NULL, conf_parser, + named_g_aclconfctx); dns_view_detach(&view); + if (result != ISC_R_SUCCESS) { + goto cleanup_viewlist; + } } - /* - * Zones have been counted; set the zone manager task pool size. - */ - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "sizing zone task pool based on %d zones", num_zones); - CHECK(dns_zonemgr_setsize(named_g_server->zonemgr, num_zones)); - /* * Configure and freeze all explicit views. Explicit * views that have zones were already created at parsing @@ -9326,12 +9138,21 @@ load_configuration(const char *filename, named_server_t *server, element = cfg_list_next(element)) { cfg_obj_t *vconfig = cfg_listelt_value(element); + dns_view_t *view = NULL; view = NULL; - CHECK(find_view(vconfig, &viewlist, &view)); - CHECK(configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->kasplist, bindkeys, - named_g_mctx, named_g_aclconfctx, true)); + result = find_view(vconfig, &viewlist, &view); + if (result != ISC_R_SUCCESS) { + goto cleanup_cachelist; + } + + result = configure_view(view, &viewlist, config, vconfig, + &cachelist, &server->kasplist, bindkeys, + named_g_mctx, named_g_aclconfctx, true); + if (result != ISC_R_SUCCESS) { + dns_view_detach(&view); + goto cleanup_cachelist; + } dns_view_freeze(view); dns_view_detach(&view); } 
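Review bot: In the explicit-views loop the new declaration `dns_view_t *view = NULL;` is immediately followed by the pre-existing `view = NULL;`, which is now a redundant assignment; drop the second line. The equivalent loops in the `views == NULL` and built-in-views hunks of this commit declare the local without the extra statement, so this is also a consistency nit. The loop continues past the end of the hunk.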
@@ -9341,11 +9162,18 @@ load_configuration(const char *filename, named_server_t *server, * were no explicit views. */ if (views == NULL) { - view = NULL; - CHECK(find_view(NULL, &viewlist, &view)); - CHECK(configure_view(view, &viewlist, config, NULL, &cachelist, - &server->kasplist, bindkeys, named_g_mctx, - named_g_aclconfctx, true)); + dns_view_t *view = NULL; + result = find_view(NULL, &viewlist, &view); + if (result != ISC_R_SUCCESS) { + goto cleanup_cachelist; + } + result = configure_view(view, &viewlist, config, NULL, + &cachelist, &server->kasplist, bindkeys, + named_g_mctx, named_g_aclconfctx, true); + if (result != ISC_R_SUCCESS) { + dns_view_detach(&view); + goto cleanup_cachelist; + } dns_view_freeze(view); dns_view_detach(&view); } @@ -9360,14 +9188,23 @@ load_configuration(const char *filename, named_server_t *server, element = cfg_list_next(element)) { cfg_obj_t *vconfig = cfg_listelt_value(element); + dns_view_t *view = NULL; + + result = create_view(vconfig, &builtin_viewlist, &view); + if (result != ISC_R_SUCCESS) { + goto cleanup_cachelist; + } - CHECK(create_view(vconfig, &builtin_viewlist, &view)); - CHECK(configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->kasplist, bindkeys, - named_g_mctx, named_g_aclconfctx, false)); + result = configure_view(view, &viewlist, config, vconfig, + &cachelist, &server->kasplist, bindkeys, + named_g_mctx, named_g_aclconfctx, + false); + if (result != ISC_R_SUCCESS) { + dns_view_detach(&view); + goto cleanup_cachelist; + } dns_view_freeze(view); dns_view_detach(&view); - view = NULL; } /* Now combine the two viewlists into one */ @@ -9377,7 +9214,7 @@ load_configuration(const char *filename, named_server_t *server, * Commit any dns_zone_setview() calls on all zones in the new * view. */ - for (view = ISC_LIST_HEAD(viewlist); view != NULL; + for (dns_view_t *view = ISC_LIST_HEAD(viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { dns_view_setviewcommit(view); 
@@ -9389,10 +9226,10 @@ load_configuration(const char *filename, named_server_t *server, viewlist = tmpviewlist; /* Make the view list available to each of the views */ - view = ISC_LIST_HEAD(server->viewlist); - while (view != NULL) { + for (dns_view_t *view = ISC_LIST_HEAD(server->viewlist); view != NULL; + view = ISC_LIST_NEXT(view, link)) + { view->viewlist = &server->viewlist; - view = ISC_LIST_NEXT(view, link); } /* Swap our new cache list with the production one. */ @@ -9402,22 +9239,23 @@ load_configuration(const char *filename, named_server_t *server, /* Load the TKEY information from the configuration. */ if (options != NULL) { - dns_tkeyctx_t *t = NULL; - CHECKM(named_tkeyctx_fromconfig(options, named_g_mctx, &t), - "configuring TKEY"); + dns_tkeyctx_t *tkeyctx = NULL; + + result = named_tkeyctx_fromconfig(options, named_g_mctx, + &tkeyctx); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "configuring TKEY: %s", + isc_result_totext(result)); + goto cleanup_cachelist; + } if (server->sctx->tkeyctx != NULL) { dns_tkeyctx_destroy(&server->sctx->tkeyctx); } - server->sctx->tkeyctx = t; + server->sctx->tkeyctx = tkeyctx; } - /* - * Bind the control port(s). - */ - CHECKM(named_controls_configure(named_g_server->controls, config, - named_g_aclconfctx), - "binding control channel(s)"); - #ifdef HAVE_LMDB /* * If we're using LMDB, we may have created newzones databases @@ -9426,8 +9264,8 @@ load_configuration(const char *filename, named_server_t *server, * after relinquishing privileges them. */ if (first_time) { - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) + for (dns_view_t *view = ISC_LIST_HEAD(server->viewlist); + view != NULL; view = ISC_LIST_NEXT(view, link)) { nzd_env_close(view); } 
@@ -9449,7 +9287,7 @@ load_configuration(const char *filename, named_server_t *server, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "the working directory is not writable"); result = ISC_R_NOPERM; - goto cleanup; + goto cleanup_cachelist; } #ifdef HAVE_LMDB @@ -9457,8 +9295,8 @@ load_configuration(const char *filename, named_server_t *server, * Reopen NZD databases. */ if (first_time) { - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) + for (dns_view_t *view = ISC_LIST_HEAD(server->viewlist); + view != NULL; view = ISC_LIST_NEXT(view, link)) { nzd_env_reopen(view); } @@ -9491,7 +9329,7 @@ load_configuration(const char *filename, named_server_t *server, "checking logging configuration " "failed: %s", isc_result_totext(result)); - goto cleanup; + goto cleanup_cachelist; } } } else { 
@@ -9502,14 +9340,38 @@ load_configuration(const char *filename, named_server_t *server, logobj = NULL; (void)cfg_map_get(config, "logging", &logobj); if (logobj != NULL) { - CHECKM(named_logconfig(logc, logobj), "configuring " - "logging"); + result = named_logconfig(logc, logobj); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "configuring logging: %s", + isc_result_totext(result)); + goto cleanup_logc; + } } else { named_log_setdefaultchannels(logc); - CHECKM(named_log_setunmatchedcategory(logc), - "setting up default 'category unmatched'"); - CHECKM(named_log_setdefaultcategory(logc), - "setting up default 'category default'"); + named_log_setdefaultsslkeylogfile(logc); + result = named_log_setunmatchedcategory(logc); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "setting up default 'category " + "unmatched': %s", + isc_result_totext(result)); + goto cleanup_logc; + } + result = named_log_setdefaultcategory(logc); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "setting up default 'category " + "default': %s", + isc_result_totext(result)); + goto cleanup_logc; + } } isc_logconfig_use(named_g_lctx, logc); 
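Review bot: `named_log_setdefaultsslkeylogfile(logc)` is called only in the branch taken when the configuration has no `logging` statement, so whatever default channel it installs (the name suggests an SSLKEYLOGFILE-style dump of TLS session secrets) is presumably absent as soon as an operator configures logging at all, unless `named_logconfig` applies the same default internally — that is not visible here and deserves a comment either way. If the channel is driven by an environment variable, a NOTICE-level log line when it becomes active would also be worthwhile, since a server started with that variable inherited from a shell would write key material to disk without any configuration change. I would at least add `/* NOTE(review): TLS key-log default; is it also applied by named_logconfig()? confirm */` above the call until the asymmetry is explained. The logging setup continues outside the hunk.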
@@ -9586,31 +9448,27 @@ load_configuration(const char *filename, named_server_t *server, obj = NULL; result = named_config_get(maps, "statistics-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)), - "strdup"); + setstring(server, &server->statsfile, cfg_obj_asstring(obj)); obj = NULL; result = named_config_get(maps, "dump-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)), - "strdup"); + setstring(server, &server->dumpfile, cfg_obj_asstring(obj)); obj = NULL; result = named_config_get(maps, "secroots-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)), - "strdup"); + setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)); obj = NULL; result = named_config_get(maps, "recursing-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)), - "strdup"); + setstring(server, &server->recfile, cfg_obj_asstring(obj)); obj = NULL; result = named_config_get(maps, "version", &obj); if (result == ISC_R_SUCCESS) { - CHECKM(setoptstring(server, &server->version, obj), "strdup"); + setoptstring(server, &server->version, obj); server->version_set = true; } else { server->version_set = false; @@ -9619,7 +9477,7 @@ load_configuration(const char *filename, named_server_t *server, obj = NULL; result = named_config_get(maps, "hostname", &obj); if (result == ISC_R_SUCCESS) { - CHECKM(setoptstring(server, &server->hostname, obj), "strdup"); + setoptstring(server, &server->hostname, obj); server->hostname_set = true; } else { server->hostname_set = false; 
@@ -9627,10 +9485,10 @@ load_configuration(const char *filename, named_server_t *server, obj = NULL; result = named_config_get(maps, "server-id", &obj); - server->sctx->gethostname = NULL; + server->sctx->usehostname = false; if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) { /* The parser translates "hostname" to true */ - server->sctx->gethostname = named_os_gethostname; + server->sctx->usehostname = true; result = ns_server_setserverid(server->sctx, NULL); } else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) { /* Found a quoted string */ @@ -9662,8 +9520,7 @@ load_configuration(const char *filename, named_server_t *server, } else if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) { server->sctx->cookiealg = ns_cookiealg_aes; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -9688,8 +9545,9 @@ load_configuration(const char *filename, named_server_t *server, sizeof(server->sctx->secret)); result = isc_hex_decodestring(str, &b); if (result != ISC_R_SUCCESS && - result != ISC_R_NOSPACE) { - goto cleanup; + result != ISC_R_NOSPACE) + { + goto cleanup_altsecrets; } first = false; } else { @@ -9699,11 +9557,12 @@ load_configuration(const char *filename, named_server_t *server, sizeof(altsecret->secret)); result = isc_hex_decodestring(str, &b); if (result != ISC_R_SUCCESS && - result != ISC_R_NOSPACE) { + result != ISC_R_NOSPACE) + { isc_mem_put(server->sctx->mctx, altsecret, sizeof(*altsecret)); - goto cleanup; + goto cleanup_altsecrets; } ISC_LIST_INITANDAPPEND(altsecrets, altsecret, link); 
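Review bot: In the cookie-secret branch the hex string is apparently decoded straight into the live `server->sctx->secret` (the visible `sizeof(server->sctx->secret)` is the buffer length handed to isc_hex_decodestring), so when the decode fails and the code now jumps to cleanup_altsecrets, a reconfig with a malformed `cookie-secret` has already partially overwritten the secret the running server is using, and cookies issued before the reload stop verifying even though the new configuration was rejected. The length checks in the following hunk run after the same in-place decode. I would decode into a local `unsigned char tmp[sizeof(server->sctx->secret)]` and copy it into `server->sctx->secret` only after both the decode and the length check succeed. This branch belongs to a loop whose header is outside the hunk.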
@@ -9714,16 +9573,31 @@ load_configuration(const char *filename, named_server_t *server, case ns_cookiealg_siphash24: expectedlength = ISC_SIPHASH24_KEY_LENGTH; if (usedlength != expectedlength) { - CHECKM(ISC_R_RANGE, "SipHash-2-4 " - "cookie-secret " - "must be 128 bits"); + result = ISC_R_RANGE; + isc_log_write( + named_g_lctx, + NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, + ISC_LOG_ERROR, + "SipHash-2-4 cookie-secret " + "must be 128 bits: %s", + isc_result_totext(result)); + goto cleanup_altsecrets; } break; case ns_cookiealg_aes: expectedlength = ISC_AES128_KEYLENGTH; if (usedlength != expectedlength) { - CHECKM(ISC_R_RANGE, "AES cookie-secret " - "must be 128 bits"); + result = ISC_R_RANGE; + isc_log_write( + named_g_lctx, + NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, + ISC_LOG_ERROR, + "AES cookie-secret must be 128 " + "bits: %s", + isc_result_totext(result)); + goto cleanup_altsecrets; } break; } 
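Review bot: Both new error messages in the cookie-secret length checks append `isc_result_totext(result)` immediately after `result = ISC_R_RANGE;` was assigned, so the log line always ends in the fixed text for ISC_R_RANGE and carries no information beyond the requirement already stated. I would drop the `: %s` suffix and the extra argument, e.g. `"SipHash-2-4 cookie-secret must be 128 bits"`. The switch sits inside a loop whose bounds lie outside the hunk.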
@@ -9747,115 +9621,121 @@ load_configuration(const char *filename, named_server_t *server, * Start and connect to the DNS Response Policy Service * daemon, dnsrpzd, for each view that uses DNSRPS. */ - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; + for (dns_view_t *view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { result = dns_dnsrps_connect(view->rpzs); if (result != ISC_R_SUCCESS) { view = NULL; - goto cleanup; + goto cleanup_altsecrets; } } #endif /* ifdef USE_DNSRPS */ - result = ISC_R_SUCCESS; + /* + * Record the time of most recent configuration + */ + named_g_configtime = isc_time_now(); -cleanup: - if (logc != NULL) { - isc_logconfig_destroy(&logc); - } + isc_loopmgr_resume(named_g_loopmgr); + exclusive = false; - if (v4portset != NULL) { - isc_portset_destroy(named_g_mctx, &v4portset); + /* Configure the statistics channel(s) */ + result = named_statschannels_configure(named_g_server, config, + named_g_aclconfctx); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "configuring statistics server(s): %s", + isc_result_totext(result)); + goto cleanup_altsecrets; } - if (v6portset != NULL) { - isc_portset_destroy(named_g_mctx, &v6portset); + /* + * Bind the control port(s). 
+ */ + result = named_controls_configure(named_g_server->controls, config, + named_g_aclconfctx); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "binding control channel(s): %s", + isc_result_totext(result)); + goto cleanup_altsecrets; } - if (conf_parser != NULL) { - if (config != NULL) { - cfg_obj_destroy(conf_parser, &config); - } - cfg_parser_destroy(&conf_parser); - } + (void)ns_interfacemgr_scan(server->interfacemgr, true, true); - if (bindkeys_parser != NULL) { - if (bindkeys != NULL) { - cfg_obj_destroy(bindkeys_parser, &bindkeys); - } - cfg_parser_destroy(&bindkeys_parser); + /* + * These cleans up either the old production view list + * or our temporary list depending on whether they + * were swapped above or not. + */ +cleanup_altsecrets: + while ((altsecret = ISC_LIST_HEAD(altsecrets)) != NULL) { + ISC_LIST_UNLINK(altsecrets, altsecret, link); + isc_mem_put(server->sctx->mctx, altsecret, sizeof(*altsecret)); } - if (view != NULL) { - dns_view_detach(&view); +cleanup_logc: + if (logc != NULL) { + isc_logconfig_destroy(&logc); } - if (kasp != NULL) { - dns_kasp_detach(&kasp); +cleanup_cachelist: + while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) { + ISC_LIST_UNLINK(cachelist, nsc, link); + dns_cache_detach(&nsc->cache); + isc_mem_put(server->mctx, nsc, sizeof(*nsc)); } ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link); - /* - * This cleans up either the old production view list - * or our temporary list depending on whether they - * were swapped above or not. 
- */ - for (view = ISC_LIST_HEAD(viewlist); view != NULL; view = view_next) { +cleanup_viewlist: + for (dns_view_t *view = ISC_LIST_HEAD(viewlist); view != NULL; + view = view_next) + { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(viewlist, view, link); if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) { dns_view_setviewrevert(view); - (void)dns_zt_apply(view->zonetable, false, NULL, - removed, view); + (void)dns_view_apply(view, false, NULL, removed, view); } dns_view_detach(&view); } - /* - * Same cleanup for kasp list. - */ +cleanup_kasplist: for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) { kasp_next = ISC_LIST_NEXT(kasp, link); ISC_LIST_UNLINK(kasplist, kasp, link); dns_kasp_detach(&kasp); } - /* Same cleanup for cache list. */ - while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) { - ISC_LIST_UNLINK(cachelist, nsc, link); - dns_cache_detach(&nsc->cache); - isc_mem_put(server->mctx, nsc, sizeof(*nsc)); - } +cleanup_v6portset: + isc_portset_destroy(named_g_mctx, &v6portset); - /* Cleanup for altsecrets list. */ - while ((altsecret = ISC_LIST_HEAD(altsecrets)) != NULL) { - ISC_LIST_UNLINK(altsecrets, altsecret, link); - isc_mem_put(server->sctx->mctx, altsecret, sizeof(*altsecret)); - } +cleanup_v4portset: + isc_portset_destroy(named_g_mctx, &v4portset); - /* - * Adjust the listening interfaces in accordance with the source - * addresses specified in views and zones. - */ - if (isc_net_probeipv6() == ISC_R_SUCCESS) { - adjust_interfaces(server, named_g_mctx); - } +cleanup_bindkeys_parser: - /* - * Record the time of most recent configuration - */ - tresult = isc_time_now(&named_g_configtime); - if (tresult != ISC_R_SUCCESS) { - named_main_earlyfatal("isc_time_now() failed: %s", - isc_result_totext(result)); + if (bindkeys_parser != NULL) { + if (bindkeys != NULL) { + cfg_obj_destroy(bindkeys_parser, &bindkeys); + } + cfg_parser_destroy(&bindkeys_parser); } - /* Relinquish exclusive access to configuration data. 
*/ +cleanup_config: + cfg_obj_destroy(conf_parser, &config); + +cleanup_conf_parser: + cfg_parser_destroy(&conf_parser); + +cleanup_exclusive: if (exclusive) { - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); } isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, @@ -9873,7 +9753,7 @@ view_loaded(void *arg) { /* * Force zone maintenance. Do this after loading * so that we know when we need to force AXFR of - * slave zones whose master files are missing. + * secondary zones whose master files are missing. * * We use the zoneload reference counter to let us * know when all views are finished. @@ -9881,6 +9761,7 @@ view_loaded(void *arg) { if (isc_refcount_decrement(&zl->refs) == 1) { named_server_t *server = zl->server; bool reconfig = zl->reconfig; + dns_view_t *view = NULL; isc_refcount_destroy(&zl->refs); isc_mem_put(server->mctx, zl, sizeof(*zl)); 
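Review bot: The block comment "These cleans up either the old production view list or our temporary list …" was moved so that it now sits directly above `cleanup_altsecrets:`, where the code that follows frees the alternate cookie secrets; the view-list loop it describes is under `cleanup_viewlist:` several labels later, so the comment should move there (and read "This cleans up"). Two smaller points in the same hunk: `named_g_configtime = isc_time_now();` is recorded before the statistics-channel and control-channel configuration, so a failure in either still advances the "last configured" timestamp, and those two steps now run after `isc_loopmgr_resume()` with `exclusive = false`, i.e. outside the exclusive section the rest of the function runs in — presumably intentional because they bind sockets, but that deserves a sentence at the resume point. The function's prologue lies outside the hunk.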
@@ -9901,17 +9782,46 @@ view_loaded(void *arg) { "all zones loaded"); } + for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + if (view->managed_keys != NULL) { + result = dns_zone_synckeyzone( + view->managed_keys); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, + DNS_LOGCATEGORY_DNSSEC, + DNS_LOGMODULE_DNSSEC, + ISC_LOG_ERROR, + "failed to initialize " + "managed-keys for view %s " + "(%s): DNSSEC validation is " + "at risk", + view->name, + isc_result_totext(result)); + } + } + } + CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr), "forcing zone maintenance"); named_os_started(); -#ifdef HAVE_FIPS_MODE isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE, "FIPS mode is %s", - FIPS_mode() ? "enabled" : "disabled"); -#endif /* ifdef HAVE_FIPS_MODE */ + isc_fips_mode() ? "enabled" : "disabled"); + +#if HAVE_LIBSYSTEMD + sd_notifyf(0, + "READY=1\n" + "STATUS=running\n" + "MAINPID=%" PRId64 "\n", + (int64_t)getpid()); +#endif /* HAVE_LIBSYSTEMD */ + atomic_store(&server->reload_status, NAMED_RELOAD_DONE); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, @@ -9923,9 +9833,8 @@ view_loaded(void *arg) { } static isc_result_t -load_zones(named_server_t *server, bool init, bool reconfig) { - isc_result_t result; - isc_taskmgr_t *taskmgr = dns_zonemgr_gettaskmgr(server->zonemgr); +load_zones(named_server_t *server, bool reconfig) { + isc_result_t result = ISC_R_SUCCESS; ns_zoneload_t *zl = NULL; dns_view_t *view = NULL; @@ -9933,8 +9842,7 @@ load_zones(named_server_t *server, bool init, bool reconfig) { zl->server = server; zl->reconfig = reconfig; - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); isc_refcount_init(&zl->refs, 1); 
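Review bot: In view_loaded the new managed-keys loop logs a failed `dns_zone_synckeyzone` as "DNSSEC validation is at risk" and then proceeds unchanged to `named_os_started()` and, under HAVE_LIBSYSTEMD, to `sd_notifyf(... "READY=1\nSTATUS=running" ...)`, so a supervisor sees a fully healthy server even when a view's trust anchors could not be initialized. If serving with whatever anchors exist is the intended trade-off, a comment above the loop saying so would help; otherwise a degraded status string such as `"STATUS=running (managed-keys init failed)\n"` would surface it without blocking startup. The `result` variable used in the loop is declared outside the hunk, and the enclosing function begins before it.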
@@ -9981,40 +9889,22 @@ load_zones(named_server_t *server, bool init, bool reconfig) { isc_mem_put(server->mctx, zl, sizeof(*zl)); } - if (init) { - /* - * If we're setting up the server for the first time, set - * the task manager into privileged mode; this ensures - * that no other tasks will begin to run until after zone - * loading is complete. We won't return from exclusive mode - * until the loading is finished; we can then drop out of - * privileged mode. - * - * We do *not* want to do this in the case of reload or - * reconfig, as loading a large zone could cause the server - * to be inactive for too long a time. - */ - isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged); - isc_task_endexclusive(server->task); - isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_normal); - } else { - isc_task_endexclusive(server->task); - } + isc_loopmgr_resume(named_g_loopmgr); return (result); } static void -run_server(isc_task_t *task, isc_event_t *event) { +run_server(void *arg) { isc_result_t result; - named_server_t *server = (named_server_t *)event->ev_arg; - dns_geoip_databases_t *geoip; - - INSIST(task == server->task); + named_server_t *server = (named_server_t *)arg; + dns_geoip_databases_t *geoip = NULL; - isc_event_free(&event); + dns_zonemgr_create(named_g_mctx, named_g_loopmgr, named_g_netmgr, + &server->zonemgr); - CHECKFATAL(dns_dispatchmgr_create(named_g_mctx, &named_g_dispatchmgr), + CHECKFATAL(dns_dispatchmgr_create(named_g_mctx, named_g_netmgr, + &named_g_dispatchmgr), "creating dispatch manager"); dns_dispatchmgr_setstats(named_g_dispatchmgr, server->resolverstats); 
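Review bot: In run_server the new `dns_zonemgr_create(named_g_mctx, named_g_loopmgr, named_g_netmgr, &server->zonemgr);` drops the CHECKFATAL wrapper the old call had; if the function still returns an isc_result_t, a failure is now silently ignored and the zone manager is dereferenced a few lines later, so either keep `CHECKFATAL(dns_zonemgr_create(...), "creating zone manager");` or confirm the new signature is void. Related: the -10281 hunk removes `dns_zonemgr_setsize(server->zonemgr, 1000)` with no replacement at this new create site, so sizing is presumably handled inside the loopmgr-based zone manager — worth a one-line comment here so the next reader does not go looking for it. run_server continues past the hunk.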
@@ -10025,34 +9915,37 @@ run_server(isc_task_t *task, isc_event_t *event) { geoip = NULL; #endif /* if defined(HAVE_GEOIP2) */ - CHECKFATAL(ns_interfacemgr_create( - named_g_mctx, server->sctx, named_g_taskmgr, - named_g_timermgr, named_g_socketmgr, named_g_netmgr, - named_g_dispatchmgr, server->task, named_g_udpdisp, - geoip, named_g_cpus, &server->interfacemgr), + CHECKFATAL(ns_interfacemgr_create(named_g_mctx, server->sctx, + named_g_loopmgr, named_g_netmgr, + named_g_dispatchmgr, geoip, true, + &server->interfacemgr), "creating interface manager"); - CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive, - NULL, NULL, server->task, - interface_timer_tick, server, - &server->interface_timer), - "creating interface timer"); + /* + * In some cases the user might expect a certain behaviour from + * the rescan timer, let's try to deduce that from the + * configuration options. + */ + if ((ns_interfacemgr_dynamic_updates_are_reliable() && + server->interface_auto) || + (server->interface_interval == 0)) + { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, + "Disabling periodic interface re-scans timer"); + } else { + isc_timer_create(named_g_mainloop, interface_timer_tick, server, + &server->interface_timer); + } - CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive, - NULL, NULL, server->task, - heartbeat_timer_tick, server, - &server->heartbeat_timer), - "creating heartbeat timer"); + isc_timer_create(named_g_mainloop, heartbeat_timer_tick, server, + &server->heartbeat_timer); - CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive, - NULL, NULL, server->task, tat_timer_tick, - server, &server->tat_timer), - "creating trust anchor telemetry timer"); + isc_timer_create(named_g_mainloop, tat_timer_tick, server, + &server->tat_timer); - CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive, - NULL, NULL, server->task, pps_timer_tick, - server, 
&server->pps_timer), - "creating pps timer"); + isc_timer_create(named_g_mainloop, pps_timer_tick, server, + &server->pps_timer); CHECKFATAL( cfg_parser_create(named_g_mctx, named_g_lctx, &named_g_parser), @@ -10065,7 +9958,7 @@ run_server(isc_task_t *task, isc_event_t *event) { CHECKFATAL(load_configuration(named_g_conffile, server, true), "loading configuration"); - CHECKFATAL(load_zones(server, true, false), "loading zones"); + CHECKFATAL(load_zones(server, false), "loading zones"); #ifdef ENABLE_AFL named_g_run_done = true; #endif /* ifdef ENABLE_AFL */ @@ -10079,16 +9972,19 @@ named_server_flushonshutdown(named_server_t *server, bool flush) { } static void -shutdown_server(isc_task_t *task, isc_event_t *event) { - isc_result_t result; - dns_view_t *view, *view_next = NULL; - dns_kasp_t *kasp, *kasp_next = NULL; - named_server_t *server = (named_server_t *)event->ev_arg; +shutdown_server(void *arg) { + named_server_t *server = (named_server_t *)arg; + dns_view_t *view = NULL, *view_next = NULL; + dns_kasp_t *kasp = NULL, *kasp_next = NULL; bool flush = server->flushonshutdown; - named_cache_t *nsc; + named_cache_t *nsc = NULL; + +#if HAVE_LIBSYSTEMD + sd_notify(0, "STOPPING=1\n"); +#endif /* HAVE_LIBSYSTEMD */ - UNUSED(task); - INSIST(task == server->task); + isc_signal_stop(server->sighup); + isc_signal_destroy(&server->sighup); /* * We need to shutdown the interface before going 
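Review bot: The interface re-scan timer is now created only when neither the "reliable dynamic updates and interface_auto" case nor `server->interface_interval == 0` holds, so `server->interface_timer` stays NULL for the life of the process even if a later reconfig sets a non-zero interval. shutdown_server guards the destroy with a NULL check, but whatever re-arms the timer on reconfig (not in this hunk) must guard it too, or create it lazily — please confirm. The comment `In some cases the user might expect a certain behaviour from the rescan timer, let's try to deduce that` would be clearer as `/* Periodic re-scans are unnecessary when the OS reports interface changes reliably and automatic-interface-scan is on, or when the user disabled them with interface-interval 0. */`. run_server extends beyond the hunk on both sides.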
@@ -10096,16 +9992,16 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { */ ns_interfacemgr_shutdown(server->interfacemgr); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + named_controls_shutdown(server->controls); + + named_statschannels_shutdown(server); + + isc_loopmgr_pause(named_g_loopmgr); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "shutting down%s", flush ? ": flushing changes" : ""); - named_statschannels_shutdown(server); - named_controls_shutdown(server->controls); - end_reserved_dispatches(server, true); cleanup_session_key(server, server->mctx); if (named_g_aclconfctx != NULL) { @@ -10119,21 +10015,20 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { (void)named_server_saventa(server); for (kasp = ISC_LIST_HEAD(server->kasplist); kasp != NULL; - kasp = kasp_next) { + kasp = kasp_next) + { kasp_next = ISC_LIST_NEXT(kasp, link); ISC_LIST_UNLINK(server->kasplist, kasp, link); dns_kasp_detach(&kasp); } for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = view_next) { + view = view_next) + { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(server->viewlist, view, link); - if (flush) { - dns_view_flushanddetach(&view); - } else { - dns_view_detach(&view); - } + dns_view_flushonshutdown(view, flush); + dns_view_detach(&view); } /* 
@@ -10147,14 +10042,16 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { isc_mem_put(server->mctx, nsc, sizeof(*nsc)); } - isc_timer_detach(&server->interface_timer); - isc_timer_detach(&server->heartbeat_timer); - isc_timer_detach(&server->pps_timer); - isc_timer_detach(&server->tat_timer); + if (server->interface_timer != NULL) { + isc_timer_destroy(&server->interface_timer); + } + isc_timer_destroy(&server->heartbeat_timer); + isc_timer_destroy(&server->pps_timer); + isc_timer_destroy(&server->tat_timer); ns_interfacemgr_detach(&server->interfacemgr); - dns_dispatchmgr_destroy(&named_g_dispatchmgr); + dns_dispatchmgr_detach(&named_g_dispatchmgr); dns_zonemgr_shutdown(server->zonemgr); @@ -10168,11 +10065,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { dns_db_detach(&server->in_roothints); - isc_task_endexclusive(server->task); - - isc_task_detach(&server->task); - - isc_event_free(&event); + isc_loopmgr_resume(named_g_loopmgr); } /*% @@ -10192,7 +10085,8 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, view = ISC_LIST_NEXT(view, link)) { if (message->rdclass == view->rdclass || - message->rdclass == dns_rdataclass_any) { + message->rdclass == dns_rdataclass_any) + { const dns_name_t *tsig = NULL; *sigresult = dns_message_rechecksig(message, view); 
@@ -10224,28 +10118,21 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { isc_result_t result; named_server_t *server = isc_mem_get(mctx, sizeof(*server)); - if (server == NULL) { - fatal(server, "allocating server object", ISC_R_NOMEMORY); - } - - server->mctx = mctx; - server->task = NULL; - server->zonemgr = NULL; - -#ifdef USE_DNSRPS - CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service " - "interface"); -#endif /* ifdef USE_DNSRPS */ + *server = (named_server_t){ + .mctx = mctx, + .statsfile = isc_mem_strdup(mctx, "named.stats"), + .dumpfile = isc_mem_strdup(mctx, "named_dump.db"), + .secrootsfile = isc_mem_strdup(mctx, "named.secroots"), + .recfile = isc_mem_strdup(mctx, "named.recursing"), + }; /* Initialize server data structures. */ - server->interfacemgr = NULL; ISC_LIST_INIT(server->kasplist); ISC_LIST_INIT(server->viewlist); - server->in_roothints = NULL; /* Must be first. */ - CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing " - "DST"); + CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), + "initializing DST"); CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, &server->in_roothints), @@ -10253,19 +10140,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { atomic_init(&server->reload_status, NAMED_RELOAD_IN_PROGRESS); - /* - * Setup the server task, which is responsible for coordinating - * startup and shutdown of the server, as well as all exclusive - * tasks. - */ - CHECKFATAL(isc_task_create_bound(named_g_taskmgr, 0, &server->task, 0), - "creating server task"); - isc_task_setname(server->task, "server", server); - isc_taskmgr_setexcltask(named_g_taskmgr, server->task); - - server->sctx = NULL; - CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx), - "creating server context"); + ns_server_create(mctx, get_matching_view, &server->sctx); #if defined(HAVE_GEOIP2) /* 
@@ -10281,95 +10156,34 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { server->sctx->fuzznotify = named_fuzz_notify; #endif /* ifdef ENABLE_AFL */ - CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server), - "isc_task_onshutdown"); - CHECKFATAL( - isc_app_onrun(named_g_mctx, server->task, run_server, server), - "isc_app_onrun"); - - server->interface_timer = NULL; - server->heartbeat_timer = NULL; - server->pps_timer = NULL; - server->tat_timer = NULL; - - server->interface_interval = 0; - server->heartbeat_interval = 0; - - CHECKFATAL(dns_zonemgr_create(named_g_mctx, named_g_taskmgr, - named_g_timermgr, named_g_socketmgr, - named_g_netmgr, &server->zonemgr), - "dns_zonemgr_create"); - CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000), "dns_zonemgr_" - "setsize"); - - server->statsfile = isc_mem_strdup(server->mctx, "named.stats"); - CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->bindkeysfile = isc_mem_strdup(server->mctx, - named_g_defaultbindkeys); - CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY - : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db"); - CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots"); - CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY - : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->recfile = isc_mem_strdup(server->mctx, "named.recursing"); - CHECKFATAL(server->recfile == NULL ? 
ISC_R_NOMEMORY : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->hostname_set = false; - server->hostname = NULL; - server->version_set = false; - server->version = NULL; - - server->zonestats = NULL; - server->resolverstats = NULL; - server->sockstats = NULL; - CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats, - isc_sockstatscounter_max), - "isc_stats_create"); - isc_socketmgr_setstats(named_g_socketmgr, server->sockstats); - isc_nm_setstats(named_g_netmgr, server->sockstats); + named_g_mainloop = isc_loop_main(named_g_loopmgr); - CHECKFATAL(isc_stats_create(named_g_mctx, &server->zonestats, - dns_zonestatscounter_max), - "dns_stats_create (zone)"); + isc_loop_setup(named_g_mainloop, run_server, server); + isc_loop_teardown(named_g_mainloop, shutdown_server, server); + + /* Add SIGHUP reload handler */ + server->sighup = isc_signal_new( + named_g_loopmgr, named_server_reloadwanted, server, SIGHUP); + + isc_stats_create(server->mctx, &server->sockstats, + isc_sockstatscounter_max); + isc_nm_setstats(named_g_netmgr, server->sockstats); - CHECKFATAL(isc_stats_create(named_g_mctx, &server->resolverstats, - dns_resstatscounter_max), - "dns_stats_create (resolver)"); + isc_stats_create(named_g_mctx, &server->zonestats, + dns_zonestatscounter_max); - server->flushonshutdown = false; + isc_stats_create(named_g_mctx, &server->resolverstats, + dns_resstatscounter_max); - server->controls = NULL; CHECKFATAL(named_controls_create(server, &server->controls), "named_controls_create"); - server->dispatchgen = 0; - ISC_LIST_INIT(server->dispatches); ISC_LIST_INIT(server->statschannels); ISC_LIST_INIT(server->cachelist); - server->sessionkey = NULL; - server->session_keyfile = NULL; - server->session_keyname = NULL; - server->session_keyalg = DST_ALG_UNKNOWN; - server->session_keybits = 0; - - server->lockfile = NULL; - - server->dtenv = NULL; - server->magic = NAMED_SERVER_MAGIC; + *serverp = server; } 
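Review bot: named_server_create no longer sets `server->magic = NAMED_SERVER_MAGIC` (the assignment is removed at the end of this hunk) and the designated initializer in the -10224 hunk does not set `.magic`, so unless it is assigned elsewhere the only remaining write to the field in this file is `server->magic = 0` in named_server_destroy. If NAMED_SERVER_VALID() is still used anywhere it will now fail; if the validity check was deliberately retired, dropping the field and the destroy-side assignment would make that explicit. Otherwise the one-line fix is adding `.magic = NAMED_SERVER_MAGIC,` to the initializer.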
@@ -10386,6 +10200,7 @@ named_server_destroy(named_server_t **serverp) { #ifdef USE_DNSRPS dns_dnsrps_server_destroy(); + isc_mem_free(server->mctx, server->dnsrpslib); #endif /* ifdef USE_DNSRPS */ named_controls_destroy(&server->controls); 
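Review bot: `isc_mem_free(server->mctx, server->dnsrpslib);` is unconditional, while the neighbouring frees of bindkeysfile, version and hostname in the -10399 hunk are NULL-guarded; the designated initializer in named_server_create does not set dnsrpslib, so it is presumably NULL until configuration assigns it, and a server destroyed before that (for instance after a startup failure) would free a NULL pointer. Guard it the same way: `if (server->dnsrpslib != NULL) { isc_mem_free(server->mctx, server->dnsrpslib); }`. Note also that the matching `dns_dnsrps_server_create()` call was removed from named_server_create in the -10224 hunk; if it moved elsewhere that is fine, otherwise this destroy no longer has a matching create.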
@@ -10399,164 +10214,68 @@ named_server_destroy(named_server_t **serverp) { } isc_mem_free(server->mctx, server->statsfile); - isc_mem_free(server->mctx, server->bindkeysfile); isc_mem_free(server->mctx, server->dumpfile); isc_mem_free(server->mctx, server->secrootsfile); isc_mem_free(server->mctx, server->recfile); + if (server->bindkeysfile != NULL) { + isc_mem_free(server->mctx, server->bindkeysfile); + } + if (server->version != NULL) { isc_mem_free(server->mctx, server->version); } if (server->hostname != NULL) { isc_mem_free(server->mctx, server->hostname); } - if (server->lockfile != NULL) { - isc_mem_free(server->mctx, server->lockfile); - } - - if (server->zonemgr != NULL) { - dns_zonemgr_detach(&server->zonemgr); - } - - dst_lib_destroy(); - - INSIST(ISC_LIST_EMPTY(server->kasplist)); - INSIST(ISC_LIST_EMPTY(server->viewlist)); - INSIST(ISC_LIST_EMPTY(server->cachelist)); - - server->magic = 0; - isc_mem_put(server->mctx, server, sizeof(*server)); - *serverp = NULL; -} - -static void -fatal(named_server_t *server, const char *msg, isc_result_t result) { - if (server != NULL && server->task != NULL) { - /* - * Prevent races between the OpenSSL on_exit registered - * function and any other OpenSSL calls from other tasks - * by requesting exclusive access to the task manager. 
- */ - (void)isc_task_beginexclusive(server->task); - } - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL, "%s: %s", msg, - isc_result_totext(result)); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL, - "exiting (due to fatal error)"); - named_os_shutdown(); - exit(1); -} - -static void -start_reserved_dispatches(named_server_t *server) { - REQUIRE(NAMED_SERVER_VALID(server)); - - server->dispatchgen++; -} - -static void -end_reserved_dispatches(named_server_t *server, bool all) { - named_dispatch_t *dispatch, *nextdispatch; - - REQUIRE(NAMED_SERVER_VALID(server)); - - for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL; - dispatch = nextdispatch) - { - nextdispatch = ISC_LIST_NEXT(dispatch, link); - if (!all && server->dispatchgen == dispatch->dispatchgen) { - continue; - } - ISC_LIST_UNLINK(server->dispatches, dispatch, link); - dns_dispatch_detach(&dispatch->dispatch); - isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); - } -} - -void -named_add_reserved_dispatch(named_server_t *server, - const isc_sockaddr_t *addr) { - named_dispatch_t *dispatch; - in_port_t port; - char addrbuf[ISC_SOCKADDR_FORMATSIZE]; - isc_result_t result; - unsigned int attrs, attrmask; - - REQUIRE(NAMED_SERVER_VALID(server)); - - port = isc_sockaddr_getport(addr); - if (port == 0 || port >= 1024) { - return; - } - - for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL; - dispatch = ISC_LIST_NEXT(dispatch, link)) - { - if (isc_sockaddr_equal(&dispatch->addr, addr)) { - break; - } + if (server->lockfile != NULL) { + isc_mem_free(server->mctx, server->lockfile); } - if (dispatch != NULL) { - dispatch->dispatchgen = server->dispatchgen; - return; + + if (server->zonemgr != NULL) { + dns_zonemgr_detach(&server->zonemgr); } - dispatch = isc_mem_get(server->mctx, sizeof(*dispatch)); + dst_lib_destroy(); - dispatch->addr = *addr; - dispatch->dispatchgen = 
server->dispatchgen; - dispatch->dispatch = NULL; + INSIST(ISC_LIST_EMPTY(server->kasplist)); + INSIST(ISC_LIST_EMPTY(server->viewlist)); + INSIST(ISC_LIST_EMPTY(server->cachelist)); - attrs = 0; - attrs |= DNS_DISPATCHATTR_UDP; - switch (isc_sockaddr_pf(addr)) { - case AF_INET: - attrs |= DNS_DISPATCHATTR_IPV4; - break; - case AF_INET6: - attrs |= DNS_DISPATCHATTR_IPV6; - break; - default: - result = ISC_R_NOTIMPLEMENTED; - goto cleanup; - } - attrmask = 0; - attrmask |= DNS_DISPATCHATTR_UDP; - attrmask |= DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4; - attrmask |= DNS_DISPATCHATTR_IPV6; - - result = dns_dispatch_getudp(named_g_dispatchmgr, named_g_socketmgr, - // OQS updated from 4096 to 8192 - named_g_taskmgr, &dispatch->addr, 8192, - UDPBUFFERS, 32768, 16411, 16433, attrs, - attrmask, &dispatch->dispatch); - if (result != ISC_R_SUCCESS) { - goto cleanup; + if (server->tlsctx_server_cache != NULL) { + isc_tlsctx_cache_detach(&server->tlsctx_server_cache); } - ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link); + if (server->tlsctx_client_cache != NULL) { + isc_tlsctx_cache_detach(&server->tlsctx_client_cache); + } - return; + server->magic = 0; + isc_mem_put(server->mctx, server, sizeof(*server)); + *serverp = NULL; +} -cleanup: - isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); - isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf)); +static void +fatal(const char *msg, isc_result_t result) { + if (named_g_loopmgr_running) { + isc_loopmgr_pause(named_g_loopmgr); + } isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "unable to create dispatch for reserved port %s: %s", - addrbuf, isc_result_totext(result)); + NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL, "%s: %s", msg, + isc_result_totext(result)); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL, + "exiting (due to fatal error)"); + named_os_shutdown(); + isc__tls_setfatalmode(); + 
exit(1); } static isc_result_t loadconfig(named_server_t *server) { isc_result_t result; - start_reserved_dispatches(server); result = load_configuration(named_g_conffile, server, false); if (result == ISC_R_SUCCESS) { - end_reserved_dispatches(server, false); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "reloading configuration succeeded"); @@ -10576,10 +10295,14 @@ reload(named_server_t *server) { isc_result_t result; atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS); +#if HAVE_LIBSYSTEMD + sd_notify(0, "RELOADING=1\n" + "STATUS=reload command received\n"); +#endif /* HAVE_LIBSYSTEMD */ CHECK(loadconfig(server)); - result = load_zones(server, false, false); + result = load_zones(server, false); if (result == ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, @@ -10592,6 +10315,12 @@ reload(named_server_t *server) { atomic_store(&server->reload_status, NAMED_RELOAD_FAILED); } cleanup: +#if HAVE_LIBSYSTEMD + sd_notifyf(0, + "READY=1\n" + "STATUS=reload command finished: %s\n", + isc_result_totext(result)); +#endif /* HAVE_LIBSYSTEMD */ return (result); } 
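Review bot: The rewritten fatal() keeps the pause-before-exit behaviour but drops the comment that explained it (the old text about preventing races with OpenSSL's on_exit handler), and adds a call to `isc__tls_setfatalmode()`, a double-underscore internal libisc symbol used from bin/named. Please restore a why-comment above the pause, e.g. `/* Stop the worker loops before exit() so OpenSSL's atexit cleanup cannot race with in-flight TLS calls on other threads. */`, and either expose the fatal-mode switch under a public name or document why the internal one is acceptable here. The `if (named_g_loopmgr_running)` guard also deserves a short note that fatal() can be reached before the loop manager has started.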
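Review bot: The `sd_notify(0, "RELOADING=1\n" ...)` / `sd_notifyf(0, "READY=1\n" "STATUS=... finished: %s\n", ...)` pair is duplicated almost verbatim between reload() here and named_server_reconfigcommand() in the -10945 and -10961 hunks, differing only in the word "reload"/"reconfig". Two small static helpers, e.g. `notify_reload_start(const char *what)` and `notify_reload_done(const char *what, isc_result_t result)`, wrapped once in `#if HAVE_LIBSYSTEMD`, would keep the four preprocessor blocks out of the command paths. Note also that if CHECK() jumps to cleanup on a loadconfig() failure, as it does elsewhere in this file, the systemd STATUS reports the failure while `reload_status` is still NAMED_RELOAD_IN_PROGRESS — pre-existing, but now visible to two consumers. reload() begins before this hunk.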
@@ -10599,26 +10328,22 @@ reload(named_server_t *server) { * Handle a reload event (from SIGHUP). */ static void -named_server_reload(isc_task_t *task, isc_event_t *event) { - named_server_t *server = (named_server_t *)event->ev_sender; - - INSIST(task == server->task); - UNUSED(task); +named_server_reload(void *arg) { + named_server_t *server = (named_server_t *)arg; isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "received SIGHUP signal to reload zones"); (void)reload(server); - - isc_event_free(&event); } void -named_server_reloadwanted(named_server_t *server) { - isc_event_t *event = isc_event_allocate( - named_g_mctx, server, NAMED_EVENT_RELOAD, named_server_reload, - NULL, sizeof(isc_event_t)); - isc_task_send(server->task, &event); +named_server_reloadwanted(void *arg, int signum) { + named_server_t *server = (named_server_t *)arg; + + REQUIRE(signum == SIGHUP); + + isc_async_run(named_g_mainloop, named_server_reload, server); } void @@ -10627,7 +10352,7 @@ named_server_scan_interfaces(named_server_t *server) { NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "automatic interface rescan"); - ns_interfacemgr_scan(server->interfacemgr, true); + ns_interfacemgr_scan(server->interfacemgr, true, false); } /* @@ -10672,7 +10397,8 @@ next_token(isc_lex_t *lex, isc_buffer_t **text) { } if (token.type == isc_tokentype_string || - token.type == isc_tokentype_qstring) { + token.type == isc_tokentype_qstring) + { return (token.value.as_textregion.base); } @@ -10739,7 +10465,7 @@ zone_from_args(named_server_t *server, isc_lex_t *lex, const char *zonetxt, } name = dns_fixedname_initname(&fname); - CHECK(dns_name_fromstring(name, zonebuf, 0, NULL)); + CHECK(dns_name_fromstring(name, zonebuf, dns_rootname, 0, NULL)); /* Look for the optional class name. */ classtxt = next_token(lex, text); 
@@ -10801,8 +10527,8 @@ zone_from_args(named_server_t *server, isc_lex_t *lex, const char *zonetxt, result = ISC_R_NOTFOUND; } } else { - result = dns_zt_find(view->zonetable, name, 0, NULL, - zonep); + result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, + zonep); } if (result != ISC_R_SUCCESS) { snprintf(problem, sizeof(problem), @@ -10847,6 +10573,8 @@ named_server_retransfercommand(named_server_t *server, isc_lex_t *lex, dns_zone_t *raw = NULL; dns_zonetype_t type; + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &zone, NULL, text, true); if (result != ISC_R_SUCCESS) { return (result); @@ -10861,10 +10589,10 @@ named_server_retransfercommand(named_server_t *server, isc_lex_t *lex, dns_zone_detach(&raw); } type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_mirror || + if (type == dns_zone_secondary || type == dns_zone_mirror || type == dns_zone_stub || (type == dns_zone_redirect && - dns_zone_getredirecttype(zone) == dns_zone_slave)) + dns_zone_getredirecttype(zone) == dns_zone_secondary)) { dns_zone_forcereload(zone); } else { @@ -10894,6 +10622,8 @@ named_server_reloadcommand(named_server_t *server, isc_lex_t *lex, dns_zonetype_t type; const char *msg = NULL; + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &zone, NULL, text, true); if (result != ISC_R_SUCCESS) { return (result); @@ -10905,8 +10635,9 @@ named_server_reloadcommand(named_server_t *server, isc_lex_t *lex, } } else { type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_mirror || - type == dns_zone_stub) { + if (type == dns_zone_secondary || type == dns_zone_mirror || + type == dns_zone_stub) + { dns_zone_refresh(zone); dns_zone_detach(&zone); msg = "zone refresh queued"; 
@@ -10945,10 +10676,14 @@ isc_result_t named_server_reconfigcommand(named_server_t *server) { isc_result_t result; atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS); +#if HAVE_LIBSYSTEMD + sd_notify(0, "RELOADING=1\n" + "STATUS=reconfig command received\n"); +#endif /* HAVE_LIBSYSTEMD */ CHECK(loadconfig(server)); - result = load_zones(server, false, true); + result = load_zones(server, true); if (result == ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, @@ -10961,6 +10696,12 @@ named_server_reconfigcommand(named_server_t *server) { atomic_store(&server->reload_status, NAMED_RELOAD_FAILED); } cleanup: +#if HAVE_LIBSYSTEMD + sd_notifyf(0, + "READY=1\n" + "STATUS=reconfig command finished: %s\n", + isc_result_totext(result)); +#endif /* HAVE_LIBSYSTEMD */ return (result); } @@ -10974,6 +10715,8 @@ named_server_notifycommand(named_server_t *server, isc_lex_t *lex, dns_zone_t *zone = NULL; const char msg[] = "zone notify queued"; + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &zone, NULL, text, true); if (result != ISC_R_SUCCESS) { return (result); @@ -10999,9 +10742,11 @@ named_server_refreshcommand(named_server_t *server, isc_lex_t *lex, isc_result_t result; dns_zone_t *zone = NULL, *raw = NULL; const char msg1[] = "zone refresh queued"; - const char msg2[] = "not a slave, mirror, or stub zone"; + const char msg2[] = "not a secondary, mirror, or stub zone"; dns_zonetype_t type; + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &zone, NULL, text, true); if (result != ISC_R_SUCCESS) { return (result); 
@@ -11018,8 +10763,9 @@ named_server_refreshcommand(named_server_t *server, isc_lex_t *lex, } type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_mirror || - type == dns_zone_stub) { + if (type == dns_zone_secondary || type == dns_zone_mirror || + type == dns_zone_stub) + { dns_zone_refresh(zone); dns_zone_detach(&zone); (void)putstr(text, msg1); @@ -11076,6 +10822,7 @@ named_server_togglequerylog(named_server_t *server, isc_lex_t *lex) { static isc_result_t listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, uint16_t family, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenlist_t **target) { isc_result_t result; const cfg_listelt_t *element; @@ -11094,7 +10841,7 @@ listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, ns_listenelt_t *delt = NULL; const cfg_obj_t *listener = cfg_listelt_value(element); result = listenelt_fromconfig(listener, config, actx, mctx, - family, &delt); + family, tlsctx_cache, &delt); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -11123,10 +10870,12 @@ find_maplist(const cfg_obj_t *config, const char *listname, const char *name) { } for (elt = cfg_list_first(maplist); elt != NULL; - elt = cfg_list_next(elt)) { + elt = cfg_list_next(elt)) + { const cfg_obj_t *map = cfg_listelt_value(elt); if (strcasecmp(cfg_obj_asstring(cfg_map_getname(map)), name) == - 0) { + 0) + { return (map); } } 
@@ -11141,17 +10890,24 @@ find_maplist(const cfg_obj_t *config, const char *listname, const char *name) { static isc_result_t listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, uint16_t family, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenelt_t **target) { isc_result_t result; const cfg_obj_t *ltup = NULL; const cfg_obj_t *tlsobj = NULL, *httpobj = NULL; - const cfg_obj_t *portobj = NULL, *dscpobj = NULL; + const cfg_obj_t *portobj = NULL; const cfg_obj_t *http_server = NULL; in_port_t port = 0; - isc_dscp_t dscp = -1; - const char *key = NULL, *cert = NULL; + const char *key = NULL, *cert = NULL, *ca_file = NULL, + *dhparam_file = NULL, *ciphers = NULL; + bool tls_prefer_server_ciphers = false, + tls_prefer_server_ciphers_set = false; + bool tls_session_tickets = false, tls_session_tickets_set = false; bool do_tls = false, no_tls = false, http = false; ns_listenelt_t *delt = NULL; + uint32_t tls_protos = 0; + ns_listen_tls_params_t tls_params = { 0 }; + const char *tlsname = NULL; REQUIRE(target != NULL && *target == NULL); @@ -11160,15 +10916,20 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, tlsobj = cfg_tuple_get(ltup, "tls"); if (tlsobj != NULL && cfg_obj_isstring(tlsobj)) { - const char *tlsname = cfg_obj_asstring(tlsobj); + tlsname = cfg_obj_asstring(tlsobj); if (strcasecmp(tlsname, "none") == 0) { no_tls = true; } else if (strcasecmp(tlsname, "ephemeral") == 0) { do_tls = true; } else { - const cfg_obj_t *keyobj = NULL, *certobj = NULL; + const cfg_obj_t *keyobj = NULL, *certobj = NULL, + *ca_obj = NULL, *dhparam_obj = NULL; const cfg_obj_t *tlsmap = NULL; + const cfg_obj_t *tls_proto_list = NULL; + const cfg_obj_t *ciphers_obj = NULL; + const cfg_obj_t *prefer_server_ciphers_obj = NULL; + const cfg_obj_t *session_tickets_obj = NULL; do_tls = true; 
@@ -11185,9 +10946,81 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, CHECK(cfg_map_get(tlsmap, "cert-file", &certobj)); cert = cfg_obj_asstring(certobj); + + if (cfg_map_get(tlsmap, "ca-file", &ca_obj) == + ISC_R_SUCCESS) + { + ca_file = cfg_obj_asstring(ca_obj); + } + + if (cfg_map_get(tlsmap, "protocols", &tls_proto_list) == + ISC_R_SUCCESS) + { + const cfg_listelt_t *proto = NULL; + INSIST(tls_proto_list != NULL); + for (proto = cfg_list_first(tls_proto_list); + proto != 0; proto = cfg_list_next(proto)) + { + const cfg_obj_t *tls_proto_obj = + cfg_listelt_value(proto); + const char *tls_sver = + cfg_obj_asstring(tls_proto_obj); + const isc_tls_protocol_version_t ver = + isc_tls_protocol_name_to_version( + tls_sver); + + INSIST(ver != + ISC_TLS_PROTO_VER_UNDEFINED); + INSIST(isc_tls_protocol_supported(ver)); + tls_protos |= ver; + } + } + + if (cfg_map_get(tlsmap, "dhparam-file", &dhparam_obj) == + ISC_R_SUCCESS) + { + dhparam_file = cfg_obj_asstring(dhparam_obj); + } + + if (cfg_map_get(tlsmap, "ciphers", &ciphers_obj) == + ISC_R_SUCCESS) + { + ciphers = cfg_obj_asstring(ciphers_obj); + } + + if (cfg_map_get(tlsmap, "prefer-server-ciphers", + &prefer_server_ciphers_obj) == + ISC_R_SUCCESS) + { + tls_prefer_server_ciphers = cfg_obj_asboolean( + prefer_server_ciphers_obj); + tls_prefer_server_ciphers_set = true; + } + + if (cfg_map_get(tlsmap, "session-tickets", + &session_tickets_obj) == ISC_R_SUCCESS) + { + tls_session_tickets = + cfg_obj_asboolean(session_tickets_obj); + tls_session_tickets_set = true; + } } } + tls_params = (ns_listen_tls_params_t){ + .name = tlsname, + .key = key, + .cert = cert, + .ca_file = ca_file, + .protocols = tls_protos, + .dhparam_file = dhparam_file, + .ciphers = ciphers, + .prefer_server_ciphers = tls_prefer_server_ciphers, + .prefer_server_ciphers_set = tls_prefer_server_ciphers_set, + .session_tickets = tls_session_tickets, + .session_tickets_set = tls_session_tickets_set + }; + httpobj = 
cfg_tuple_get(ltup, "http"); if (httpobj != NULL && cfg_obj_isstring(httpobj)) { const char *httpname = cfg_obj_asstring(httpobj); @@ -11222,7 +11055,7 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, } } else if (http && !do_tls) { if (named_g_httpport != 0) { - port = named_g_port; + port = named_g_httpport; } else { result = named_config_getport( config, "http-port", &port); @@ -11258,27 +11091,21 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, port = (in_port_t)cfg_obj_asuint32(portobj); } - dscpobj = cfg_tuple_get(ltup, "dscp"); - if (!cfg_obj_isuint32(dscpobj)) { - dscp = named_g_dscp; - } else { - if (cfg_obj_asuint32(dscpobj) > 63) { - return (ISC_R_RANGE); - } - dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj); +#ifdef HAVE_LIBNGHTTP2 + if (http) { + CHECK(listenelt_http(http_server, family, do_tls, &tls_params, + tlsctx_cache, port, mctx, &delt)); } +#endif /* HAVE_LIBNGHTTP2 */ - if (http) { - CHECK(listenelt_http(http_server, do_tls, key, cert, port, mctx, - &delt)); - } else { - CHECK(ns_listenelt_create(mctx, port, dscp, NULL, do_tls, key, - cert, &delt)); + if (!http) { + CHECK(ns_listenelt_create(mctx, port, NULL, family, do_tls, + &tls_params, tlsctx_cache, &delt)); } - result = cfg_acl_fromconfig2(cfg_tuple_get(listener, "acl"), config, - named_g_lctx, actx, mctx, 0, family, - &delt->acl); + result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"), config, + named_g_lctx, actx, mctx, family, + &delt->acl); if (result != ISC_R_SUCCESS) { ns_listenelt_destroy(delt); return (result); 
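Review bot: The `protocols` loop aborts the server with `INSIST(ver != ISC_TLS_PROTO_VER_UNDEFINED)` and `INSIST(isc_tls_protocol_supported(ver))` on values that come straight from named.conf, so a protocol name the parser accepts but this build's TLS library does not support crashes named instead of failing the listener with a configuration error. If the config checker already rejects such names the INSISTs are a fine cross-check, but that dependency should be stated in a comment; otherwise replace them with `if (ver == ISC_TLS_PROTO_VER_UNDEFINED || !isc_tls_protocol_supported(ver)) { result = ISC_R_NOTIMPLEMENTED; goto cleanup; }` using the function's existing CHECK/cleanup path. On style, `proto != 0` compares a pointer with 0; the surrounding loops use `!= NULL`. listenelt_fromconfig extends past the hunk on both sides.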
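Review bot: When HAVE_LIBNGHTTP2 is not defined, an `http` listener now takes neither branch: the listenelt_http() call is compiled out, `if (!http)` skips ns_listenelt_create(), and `delt` is still NULL when the next statement passes `&delt->acl` to cfg_acl_fromconfig(). The old code called listenelt_http() unconditionally, so this is a new NULL dereference unless the configuration checker rejects http listeners in builds without nghttp2 — please confirm. If it does, make the assumption explicit with `#else` / `INSIST(!http);`; if it does not, return an error there instead, e.g. `#else` / `if (http) { return (ISC_R_NOTIMPLEMENTED); }`.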
@@ -11289,19 +11116,27 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, return (result); } +#ifdef HAVE_LIBNGHTTP2 static isc_result_t -listenelt_http(const cfg_obj_t *http, bool tls, const char *key, - const char *cert, in_port_t port, isc_mem_t *mctx, - ns_listenelt_t **target) { +listenelt_http(const cfg_obj_t *http, const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, in_port_t port, + isc_mem_t *mctx, ns_listenelt_t **target) { isc_result_t result = ISC_R_SUCCESS; ns_listenelt_t *delt = NULL; char **endpoints = NULL; const cfg_obj_t *eplist = NULL; const cfg_listelt_t *elt = NULL; size_t len = 1, i = 0; + uint32_t max_clients = named_g_http_listener_clients; + uint32_t max_streams = named_g_http_streams_per_conn; REQUIRE(target != NULL && *target == NULL); - REQUIRE((key == NULL) == (cert == NULL)); + + if (tls) { + INSIST(tls_params != NULL); + INSIST((tls_params->key == NULL) == (tls_params->cert == NULL)); + } if (port == 0) { port = tls ? named_g_httpsport : named_g_httpport; 
@@ -11312,39 +11147,62 @@ listenelt_http(const cfg_obj_t *http, bool tls, const char *key, * of "/dns-query". */ if (http != NULL) { - CHECK(cfg_map_get(http, "endpoints", &eplist)); - len = cfg_list_length(eplist, false); + const cfg_obj_t *cfg_max_clients = NULL; + const cfg_obj_t *cfg_max_streams = NULL; + + if (cfg_map_get(http, "endpoints", &eplist) == ISC_R_SUCCESS) { + INSIST(eplist != NULL); + len = cfg_list_length(eplist, false); + } + + if (cfg_map_get(http, "listener-clients", &cfg_max_clients) == + ISC_R_SUCCESS) + { + INSIST(cfg_max_clients != NULL); + max_clients = cfg_obj_asuint32(cfg_max_clients); + } + + if (cfg_map_get(http, "streams-per-connection", + &cfg_max_streams) == ISC_R_SUCCESS) + { + INSIST(cfg_max_streams != NULL); + max_streams = cfg_obj_asuint32(cfg_max_streams); + } } endpoints = isc_mem_allocate(mctx, sizeof(endpoints[0]) * len); - if (http != NULL) { + if (http != NULL && eplist != NULL) { for (elt = cfg_list_first(eplist); elt != NULL; - elt = cfg_list_next(elt)) { + elt = cfg_list_next(elt)) + { const cfg_obj_t *ep = cfg_listelt_value(elt); const char *path = cfg_obj_asstring(ep); endpoints[i++] = isc_mem_strdup(mctx, path); } } else { - endpoints[i++] = isc_mem_strdup(mctx, "/dns-query"); + endpoints[i++] = isc_mem_strdup(mctx, ISC_NM_HTTP_DEFAULT_PATH); } INSIST(i == len); - result = ns_listenelt_create_http(mctx, port, named_g_dscp, NULL, tls, - key, cert, endpoints, len, &delt); + result = ns_listenelt_create_http(mctx, port, NULL, family, tls, + tls_params, tlsctx_cache, endpoints, + len, max_clients, max_streams, &delt); if (result != ISC_R_SUCCESS) { - if (delt != NULL) { - ns_listenelt_destroy(delt); - } - return (result); + goto error; } *target = delt; -cleanup: + return (result); +error: + if (delt != NULL) { + ns_listenelt_destroy(delt); + } return (result); } +#endif /* HAVE_LIBNGHTTP2 */ isc_result_t named_server_dumpstats(named_server_t *server) { 
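Review bot: On the new `error:` path nothing releases `endpoints` or the `isc_mem_strdup()`'d paths, so if `ns_listenelt_create_http()` does not take ownership of them when it fails, the array and every string in it leak; the pre-existing early return had the same gap, but the new label is the natural place to close it with a loop over `i` calling `isc_mem_free()` followed by `isc_mem_free(mctx, endpoints)`. If the callee does take ownership even on failure, a one-line comment at `error:` such as `/* endpoints are owned by ns_listenelt_create_http() even on failure */` would save the next reader the same question. The `listener-clients` and `streams-per-connection` values are also taken from the config without a range check here, which presumably relies on the checker enforcing the documented limits.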
@@ -11368,7 +11226,7 @@ named_server_dumpstats(named_server_t *server) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumpstats failed: %s", - dns_result_totext(result)); + isc_result_totext(result)); } return (result); } @@ -11409,8 +11267,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { ISC_LIST_INIT(vle->zonelist); ISC_LIST_APPEND(dctx->viewlist, vle, link); if (dctx->dumpzones) { - result = dns_zt_apply(view->zonetable, true, NULL, - add_zone_tolist, dctx); + result = dns_view_apply(view, true, NULL, add_zone_tolist, + dctx); } return (result); } @@ -11443,9 +11301,6 @@ dumpcontext_destroy(struct dumpcontext *dctx) { if (dctx->cache != NULL) { dns_db_detach(&dctx->cache); } - if (dctx->task != NULL) { - isc_task_detach(&dctx->task); - } if (dctx->fp != NULL) { (void)isc_stdio_close(dctx->fp); } @@ -11501,13 +11356,13 @@ dumpdone(void *arg, isc_result_t result) { dns_cache_getname(dctx->view->view->cache)); result = dns_master_dumptostreamasync( dctx->mctx, dctx->cache, NULL, style, dctx->fp, - dctx->task, dumpdone, dctx, &dctx->mdctx); - if (result == DNS_R_CONTINUE) { + named_g_mainloop, dumpdone, dctx, &dctx->mdctx); + if (result == ISC_R_SUCCESS) { return; } if (result == ISC_R_NOTIMPLEMENTED) { fprintf(dctx->fp, "; %s\n", - dns_result_totext(result)); + isc_result_totext(result)); } else if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -11522,7 +11377,12 @@ dumpdone(void *arg, isc_result_t result) { if (dctx->cache != NULL) { if (dctx->dumpadb) { - dns_adb_dump(dctx->view->view->adb, dctx->fp); + dns_adb_t *adb = NULL; + dns_view_getadb(dctx->view->view, &adb); + if (adb != NULL) { + dns_adb_dump(adb, dctx->fp); + dns_adb_detach(&adb); + } } if (dctx->dumpbad) { dns_resolver_printbadcache(dctx->view->view->resolver, 
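Review bot: After the new `if (result == ISC_R_SUCCESS) { return; }` in the cache branch of dumpdone, the following `} else if (result != ISC_R_SUCCESS) { goto cleanup; }` can never observe ISC_R_SUCCESS, so the condition is dead and reads as though a success case still falls through; `} else { goto cleanup; }` states what actually happens. The same pattern is in the zone branch in the `@@ -11555` hunk on the next line. The return-code contract also changed silently: the old code continued on DNS_R_CONTINUE, the new one returns on ISC_R_SUCCESS, which (if I read the loop-based API correctly) now means the asynchronous dump was scheduled and `dumpdone` will be re-entered; a comment such as `/* ISC_R_SUCCESS: dump scheduled on the loop; dumpdone() is called again when it completes */` above the check would make that explicit.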
@@ -11555,20 +11415,20 @@ dumpdone(void *arg, isc_result_t result) { result = dns_zone_getdb(dctx->zone->zone, &dctx->db); if (result != ISC_R_SUCCESS) { fprintf(dctx->fp, "; %s\n", - dns_result_totext(result)); + isc_result_totext(result)); goto nextzone; } dns_db_currentversion(dctx->db, &dctx->version); result = dns_master_dumptostreamasync( dctx->mctx, dctx->db, dctx->version, style, - dctx->fp, dctx->task, dumpdone, dctx, - &dctx->mdctx); - if (result == DNS_R_CONTINUE) { + dctx->fp, dns_zone_getloop(dctx->zone->zone), + dumpdone, dctx, &dctx->mdctx); + if (result == ISC_R_SUCCESS) { return; } if (result == ISC_R_NOTIMPLEMENTED) { fprintf(dctx->fp, "; %s\n", - dns_result_totext(result)); + isc_result_totext(result)); result = ISC_R_SUCCESS; POST(result); goto nextzone; @@ -11596,7 +11456,7 @@ dumpdone(void *arg, isc_result_t result) { if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "dumpdb failed: %s", dns_result_totext(result)); + "dumpdb failed: %s", isc_result_totext(result)); } dumpcontext_destroy(dctx); } @@ -11611,6 +11471,8 @@ named_server_dumpdb(named_server_t *server, isc_lex_t *lex, const char *sep; bool found; + REQUIRE(text != NULL); + /* Skip the command name. */ ptr = next_token(lex, NULL); if (ptr == NULL) { 
@@ -11618,25 +11480,14 @@ named_server_dumpdb(named_server_t *server, isc_lex_t *lex, } dctx = isc_mem_get(server->mctx, sizeof(*dctx)); - - dctx->mctx = server->mctx; - dctx->dumpcache = true; - dctx->dumpadb = true; - dctx->dumpbad = true; - dctx->dumpexpired = false; - dctx->dumpfail = true; - dctx->dumpzones = false; - dctx->fp = NULL; - ISC_LIST_INIT(dctx->viewlist); - dctx->view = NULL; - dctx->zone = NULL; - dctx->cache = NULL; - dctx->mdctx = NULL; - dctx->db = NULL; - dctx->cache = NULL; - dctx->task = NULL; - dctx->version = NULL; - isc_task_attach(server->task, &dctx->task); + *dctx = (struct dumpcontext){ + .mctx = server->mctx, + .dumpcache = true, + .dumpadb = true, + .dumpbad = true, + .dumpfail = true, + .viewlist = ISC_LIST_INITIALIZER, + }; CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp), "could not open dump file", server->dumpfile); @@ -11734,6 +11585,8 @@ named_server_dumpsecroots(named_server_t *server, isc_lex_t *lex, unsigned int used = isc_buffer_usedlength(*text); bool first = true; + REQUIRE(text != NULL); + /* Skip the command name. */ ptr = next_token(lex, text); if (ptr == NULL) { @@ -11754,7 +11607,7 @@ named_server_dumpsecroots(named_server_t *server, isc_lex_t *lex, } } - TIME_NOW(&now); + now = isc_time_now(); isc_time_formattimestamp(&now, tbuf, sizeof(tbuf)); CHECK(putstr(text, "secure roots as of ")); CHECK(putstr(text, tbuf)); @@ -11835,7 +11688,7 @@ named_server_dumpsecroots(named_server_t *server, isc_lex_t *lex, isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumpsecroots failed: %s", - dns_result_totext(result)); + isc_result_totext(result)); } return (result); } @@ -11874,7 +11727,7 @@ named_server_dumprecursing(named_server_t *server) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumprecursing failed: %s", - dns_result_totext(result)); + isc_result_totext(result)); } return (result); } 
@@ -11922,6 +11775,8 @@ named_server_validation(named_server_t *server, isc_lex_t *lex, isc_result_t result; bool enable = true, set = true, first = true; + REQUIRE(text != NULL); + /* Skip the command name. */ ptr = next_token(lex, text); if (ptr == NULL) { @@ -11951,8 +11806,7 @@ named_server_validation(named_server_t *server, isc_lex_t *lex, /* Look for the view name. */ ptr = next_token(lex, text); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { @@ -11990,7 +11844,7 @@ named_server_validation(named_server_t *server, isc_lex_t *lex, result = ISC_R_FAILURE; } cleanup: - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); return (result); } @@ -12012,8 +11866,7 @@ named_server_flushcache(named_server_t *server, isc_lex_t *lex) { /* Look for the view name. */ ptr = next_token(lex, NULL); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); flushed = true; found = false; @@ -12135,7 +11988,7 @@ named_server_flushcache(named_server_t *server, isc_lex_t *lex) { result = ISC_R_FAILURE; } } - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); return (result); } @@ -12175,8 +12028,7 @@ named_server_flushnode(named_server_t *server, isc_lex_t *lex, bool tree) { /* Look for the view name. */ viewname = next_token(lex, NULL); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); flushed = true; found = false; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; @@ -12227,7 +12079,7 @@ named_server_flushnode(named_server_t *server, isc_lex_t *lex, bool tree) { } result = ISC_R_FAILURE; } - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); return (result); } 
@@ -12242,6 +12094,8 @@ named_server_status(named_server_t *server, isc_buffer_t **text) { char line[1024], hostname[256]; named_reload_t reload_status; + REQUIRE(text != NULL); + if (named_g_server->version_set) { ob = " ("; cb = ")"; @@ -12271,8 +12125,7 @@ named_server_status(named_server_t *server, isc_buffer_t **text) { cb); CHECK(putstr(text, line)); - result = named_os_gethostname(hostname, sizeof(hostname)); - if (result != ISC_R_SUCCESS) { + if (gethostname(hostname, sizeof(hostname)) == 0) { strlcpy(hostname, "localhost", sizeof(hostname)); } snprintf(line, sizeof(line), "running on %s: %s\n", hostname, @@ -12339,8 +12192,8 @@ named_server_status(named_server_t *server, isc_buffer_t **text) { CHECK(putstr(text, line)); snprintf(line, sizeof(line), "TCP high-water: %u\n", - (unsigned)ns_stats_get_counter(server->sctx->nsstats, - ns_statscounter_tcphighwater)); + (unsigned int)ns_stats_get_counter( + server->sctx->nsstats, ns_statscounter_tcphighwater)); CHECK(putstr(text, line)); reload_status = atomic_load(&server->reload_status); 
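Review bot: The replacement hostname check is inverted: `gethostname()` returns 0 on success and -1 on failure, so `if (gethostname(hostname, sizeof(hostname)) == 0)` overwrites a successfully retrieved name with "localhost" and, on failure, leaves the uninitialised `hostname` buffer to be printed by the following `snprintf()`. The original `named_os_gethostname()` code fell back to "localhost" only on failure, so the condition should be `if (gethostname(hostname, sizeof(hostname)) != 0) { strlcpy(hostname, "localhost", sizeof(hostname)); }`. Since POSIX does not guarantee NUL termination when the name is truncated, adding `hostname[sizeof(hostname) - 1] = '\0';` after the call keeps `snprintf()` within the buffer in that case as well.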
@@ -12364,256 +12217,32 @@ isc_result_t named_server_testgen(isc_lex_t *lex, isc_buffer_t **text) { isc_result_t result; char *ptr; - unsigned long count; - unsigned long i; - const unsigned char chars[] = "abcdefghijklmnopqrstuvwxyz0123456789"; - - /* Skip the command name. */ - ptr = next_token(lex, text); - if (ptr == NULL) { - return (ISC_R_UNEXPECTEDEND); - } - - ptr = next_token(lex, text); - if (ptr == NULL) { - count = 26; - } else { - count = strtoul(ptr, NULL, 10); - } - - CHECK(isc_buffer_reserve(text, count)); - for (i = 0; i < count; i++) { - CHECK(putuint8(text, chars[i % (sizeof(chars) - 1)])); - } - - CHECK(putnull(text)); - -cleanup: - return (result); -} - -static isc_result_t -delete_keynames(dns_tsig_keyring_t *ring, char *target, - unsigned int *foundkeys) { - char namestr[DNS_NAME_FORMATSIZE]; - isc_result_t result; - dns_rbtnodechain_t chain; - dns_name_t foundname; - dns_fixedname_t fixedorigin; - dns_name_t *origin; - dns_rbtnode_t *node; - dns_tsigkey_t *tkey; - - dns_name_init(&foundname, NULL); - origin = dns_fixedname_initname(&fixedorigin); - -again: - dns_rbtnodechain_init(&chain); - result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin); - if (result == ISC_R_NOTFOUND) { - dns_rbtnodechain_invalidate(&chain); - return (ISC_R_SUCCESS); - } - if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { - dns_rbtnodechain_invalidate(&chain); - return (result); - } - - for (;;) { - node = NULL; - dns_rbtnodechain_current(&chain, &foundname, origin, &node); - tkey = node->data; - - if (tkey != NULL) { - if (!tkey->generated) { - goto nextkey; - } - - dns_name_format(&tkey->name, namestr, sizeof(namestr)); - if (strcmp(namestr, target) == 0) { - (*foundkeys)++; - dns_rbtnodechain_invalidate(&chain); - (void)dns_rbt_deletename(ring->keys, - &tkey->name, false); - goto again; - } - } - - nextkey: - result = dns_rbtnodechain_next(&chain, &foundname, origin); - if (result == ISC_R_NOMORE) { - break; - } - if (result != 
ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { - dns_rbtnodechain_invalidate(&chain); - return (result); - } - } - - return (ISC_R_SUCCESS); -} - -isc_result_t -named_server_tsigdelete(named_server_t *server, isc_lex_t *lex, - isc_buffer_t **text) { - isc_result_t result; - dns_view_t *view; - unsigned int foundkeys = 0; - char *ptr, *viewname; - char target[DNS_NAME_FORMATSIZE]; - char fbuf[16]; - - (void)next_token(lex, text); /* skip command name */ - - ptr = next_token(lex, text); - if (ptr == NULL) { - return (ISC_R_UNEXPECTEDEND); - } - strlcpy(target, ptr, DNS_NAME_FORMATSIZE); - - viewname = next_token(lex, text); - - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) - { - if (viewname == NULL || strcmp(view->name, viewname) == 0) { - RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write); - result = delete_keynames(view->dynamickeys, target, - &foundkeys); - RWUNLOCK(&view->dynamickeys->lock, - isc_rwlocktype_write); - if (result != ISC_R_SUCCESS) { - isc_task_endexclusive(server->task); - return (result); - } - } - } - isc_task_endexclusive(server->task); - - snprintf(fbuf, sizeof(fbuf), "%u", foundkeys); - - CHECK(putstr(text, fbuf)); - CHECK(putstr(text, " tsig keys deleted.")); - CHECK(putnull(text)); - -cleanup: - return (result); -} - -static isc_result_t -list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t **text, - unsigned int *foundkeys) { - char namestr[DNS_NAME_FORMATSIZE]; - char creatorstr[DNS_NAME_FORMATSIZE]; - isc_result_t result; - dns_rbtnodechain_t chain; - dns_name_t foundname; - dns_fixedname_t fixedorigin; - dns_name_t *origin; - dns_rbtnode_t *node; - dns_tsigkey_t *tkey; - const char *viewname; - - if (view != NULL) { - viewname = view->name; - } else { - viewname = "(global)"; - } - - dns_name_init(&foundname, NULL); - origin = dns_fixedname_initname(&fixedorigin); - 
dns_rbtnodechain_init(&chain); - result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin); - if (result == ISC_R_NOTFOUND) { - dns_rbtnodechain_invalidate(&chain); - return (ISC_R_SUCCESS); - } - if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { - dns_rbtnodechain_invalidate(&chain); - return (result); - } - - for (;;) { - node = NULL; - dns_rbtnodechain_current(&chain, &foundname, origin, &node); - tkey = node->data; - - if (tkey != NULL) { - dns_name_format(&tkey->name, namestr, sizeof(namestr)); - if (tkey->generated) { - dns_name_format(tkey->creator, creatorstr, - sizeof(creatorstr)); - if (*foundkeys != 0) { - CHECK(putstr(text, "\n")); - } - CHECK(putstr(text, "view \"")); - CHECK(putstr(text, viewname)); - CHECK(putstr(text, "\"; type \"dynamic\"; key " - "\"")); - CHECK(putstr(text, namestr)); - CHECK(putstr(text, "\"; creator \"")); - CHECK(putstr(text, creatorstr)); - CHECK(putstr(text, "\";")); - } else { - if (*foundkeys != 0) { - CHECK(putstr(text, "\n")); - } - CHECK(putstr(text, "view \"")); - CHECK(putstr(text, viewname)); - CHECK(putstr(text, "\"; type \"static\"; key " - "\"")); - CHECK(putstr(text, namestr)); - CHECK(putstr(text, "\";")); - } - (*foundkeys)++; - } - result = dns_rbtnodechain_next(&chain, &foundname, origin); - if (result == ISC_R_NOMORE || result == DNS_R_NEWORIGIN) { - break; - } - } - - return (ISC_R_SUCCESS); -cleanup: - dns_rbtnodechain_invalidate(&chain); - return (result); -} - -isc_result_t -named_server_tsiglist(named_server_t *server, isc_buffer_t **text) { - isc_result_t result = ISC_R_SUCCESS; - dns_view_t *view; - unsigned int foundkeys = 0; - - for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) - { - RWLOCK(&view->statickeys->lock, isc_rwlocktype_read); - result = list_keynames(view, view->statickeys, text, - &foundkeys); - RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read); - if (result != ISC_R_SUCCESS) { - return (result); - } - 
RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read); - result = list_keynames(view, view->dynamickeys, text, - &foundkeys); - RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read); - if (result != ISC_R_SUCCESS) { - return (result); - } + unsigned long count; + unsigned long i; + const unsigned char chars[] = "abcdefghijklmnopqrstuvwxyz0123456789"; + + REQUIRE(text != NULL); + + /* Skip the command name. */ + ptr = next_token(lex, text); + if (ptr == NULL) { + return (ISC_R_UNEXPECTEDEND); } - if (foundkeys == 0) { - CHECK(putstr(text, "no tsig keys found.")); + ptr = next_token(lex, text); + if (ptr == NULL) { + count = 26; + } else { + count = strtoul(ptr, NULL, 10); } - if (isc_buffer_usedlength(*text) > 0) { - CHECK(putnull(text)); + CHECK(isc_buffer_reserve(*text, count)); + for (i = 0; i < count; i++) { + CHECK(putuint8(text, chars[i % (sizeof(chars) - 1)])); } + CHECK(putnull(text)); + cleanup: return (result); } @@ -12631,6 +12260,8 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex, bool fullsign = false; char *ptr; + REQUIRE(text != NULL); + ptr = next_token(lex, text); if (ptr == NULL) { return (ISC_R_UNEXPECTEDEND); @@ -12640,6 +12271,8 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex, fullsign = true; } + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &zone, NULL, text, false); if (result != ISC_R_SUCCESS) { return (result); @@ -12649,16 +12282,15 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex, } type = dns_zone_gettype(zone); - if (type != dns_zone_master) { + if (type != dns_zone_primary) { dns_zone_detach(&zone); - return (DNS_R_NOTMASTER); + return (DNS_R_NOTPRIMARY); } keyopts = dns_zone_getkeyopts(zone); /* - * "rndc loadkeys" requires "auto-dnssec maintain" - * or a "dnssec-policy". + * "rndc loadkeys" requires a "dnssec-policy". */ if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) { result = ISC_R_NOPERM; 
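Review bot: In the re-added named_server_testgen body, `count = strtoul(ptr, NULL, 10);` accepts the operator-supplied token with no upper bound and no `endptr`/`errno` check, so a non-numeric argument silently becomes 0 and a very large one asks `isc_buffer_reserve(*text, count)` for that many bytes in one go. Because `rndc testgen` is a test command reachable only over the authenticated control channel the exposure is limited, but rejecting an unparsed tail (`*endptr != '\0'`) and capping `count` with `return (ISC_R_RANGE);` would make the failure explicit instead of depending on the allocator. This is restored rather than new logic, so it may be acceptable to leave as a follow-up.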
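Review bot: named_server_rekey now carries two `REQUIRE(text != NULL);` checks, one added at the top of the function in the `@@ -12631` hunk and a second added just before `zone_from_args()` in this hunk; the second is redundant and should be dropped. named_server_sync in the `@@ -12705` hunk on the next line has the same duplicate pair (one after the declarations, one before its `zone_from_args()` call). Keeping the single check at function entry matches the pattern used in the other `named_server_*` functions in this commit.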
@@ -12705,42 +12337,46 @@ synczone(dns_zone_t *zone, void *uap) { isc_result_t named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { isc_result_t result, tresult; - dns_view_t *view; + dns_view_t *view = NULL; dns_zone_t *zone = NULL; char classstr[DNS_RDATACLASS_FORMATSIZE]; char zonename[DNS_NAME_FORMATSIZE]; - const char *vname, *sep, *arg; + const char *vname = NULL, *sep = NULL, *arg = NULL; bool cleanup = false; + REQUIRE(text != NULL); + (void)next_token(lex, text); arg = next_token(lex, text); if (arg != NULL && - (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0)) { + (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0)) + { cleanup = true; arg = next_token(lex, text); } + REQUIRE(text != NULL); + result = zone_from_args(server, lex, arg, &zone, NULL, text, false); if (result != ISC_R_SUCCESS) { return (result); } if (zone == NULL) { - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); tresult = ISC_R_SUCCESS; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - result = dns_zt_apply(view->zonetable, false, NULL, - synczone, &cleanup); + result = dns_view_apply(view, false, NULL, synczone, + &cleanup); if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS) { tresult = result; } } - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "dumping all zones%s: %s", 
@@ -12749,14 +12385,14 @@ named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { return (tresult); } - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); result = synczone(zone, &cleanup); - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); view = dns_zone_getview(zone); if (strcmp(view->name, "_default") == 0 || - strcmp(view->name, "_bind") == 0) { + strcmp(view->name, "_bind") == 0) + { vname = ""; sep = ""; } else { @@ -12791,13 +12427,14 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, bool frozen; const char *msg = NULL; + REQUIRE(text != NULL); + result = zone_from_args(server, lex, NULL, &mayberaw, NULL, text, true); if (result != ISC_R_SUCCESS) { return (result); } if (mayberaw == NULL) { - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); tresult = ISC_R_SUCCESS; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) @@ -12808,7 +12445,7 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, tresult = result; } } - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "%s all zones: %s", @@ -12823,9 +12460,9 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, dns_zone_detach(&raw); } type = dns_zone_gettype(mayberaw); - if (type != dns_zone_master) { + if (type != dns_zone_primary) { dns_zone_detach(&mayberaw); - return (DNS_R_NOTMASTER); + return (DNS_R_NOTPRIMARY); } if (freeze && !dns_zone_isdynamic(mayberaw, true)) { 
@@ -12833,8 +12470,7 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, return (DNS_R_NOTDYNAMIC); } - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); frozen = dns_zone_getupdatedisabled(mayberaw); if (freeze) { if (frozen) { @@ -12868,10 +12504,12 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, "Check the logs to see the result."; result = ISC_R_SUCCESS; break; + default: + break; } } } - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); if (msg != NULL) { (void)putstr(text, msg); @@ -12880,7 +12518,8 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, view = dns_zone_getview(mayberaw); if (strcmp(view->name, "_default") == 0 || - strcmp(view->name, "_bind") == 0) { + strcmp(view->name, "_bind") == 0) + { vname = ""; sep = ""; } else { @@ -12907,6 +12546,8 @@ named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex, */ isc_result_t named_smf_add_message(isc_buffer_t **text) { + REQUIRE(text != NULL); + return (putstr(text, "use svcadm(1M) to manage named")); } #endif /* HAVE_LIBSCF */ @@ -13011,12 +12652,13 @@ nzf_writeconf(const cfg_obj_t *config, dns_view_t *view) { CHECK(ISC_R_FAILURE); } - DE_CONST(&zl->value.list, list); + list = UNCONST(&zl->value.list); CHECK(add_comment(fp, view->name)); /* force a comment */ for (elt = ISC_LIST_HEAD(*list); elt != NULL; - elt = ISC_LIST_NEXT(elt, link)) { + elt = ISC_LIST_NEXT(elt, link)) + { const cfg_obj_t *zconfig = cfg_listelt_value(elt); CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL)); 
@@ -13041,7 +12683,32 @@ nzf_writeconf(const cfg_obj_t *config, dns_view_t *view) { return (result); } -#else /* HAVE_LMDB */ +static isc_result_t +load_nzf(dns_view_t *view, ns_cfgctx_t *nzcfg) { + isc_result_t result; + + /* The new zone file may not exist. That is OK. */ + if (!isc_file_exists(view->new_zone_file)) { + return (ISC_R_SUCCESS); + } + + /* + * Parse the configuration in the NZF file. This may be called in + * multiple views, so we reset the parser each time. + */ + cfg_parser_reset(named_g_addparser); + result = cfg_parse_file(named_g_addparser, view->new_zone_file, + &cfg_type_addzoneconf, &nzcfg->nzf_config); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "Error parsing NZF file '%s': %s", + view->new_zone_file, isc_result_totext(result)); + } + + return (result); +} +#else /* HAVE_LMDB */ static void nzd_setkey(MDB_val *key, dns_name_t *name, char *namebuf, size_t buflen) { 
@@ -13366,52 +13033,16 @@ nzd_close(MDB_txn **txnp, bool commit) { } /* - * Count the zones configured in the new zone database for 'view' and store the - * result in 'countp'. + * If there's an existing NZF file, load it and migrate its data + * to the NZD. * - * Caller must hold 'view->new_zone_lock'. - */ -static isc_result_t -nzd_count(dns_view_t *view, int *countp) { - isc_result_t result; - int status; - MDB_txn *txn = NULL; - MDB_dbi dbi; - MDB_stat statbuf; - - REQUIRE(countp != NULL); - - result = nzd_open(view, MDB_RDONLY, &txn, &dbi); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } - - status = mdb_stat(txn, dbi, &statbuf); - if (status != MDB_SUCCESS) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, - "mdb_stat: %s", mdb_strerror(status)); - result = ISC_R_FAILURE; - goto cleanup; - } - - *countp = statbuf.ms_entries; - -cleanup: - (void)nzd_close(&txn, false); - - return (result); -} - -/* - * Migrate zone configuration from an NZF file to an NZD database. * Caller must hold view->new_zone_lock. */ static isc_result_t -migrate_nzf(dns_view_t *view) { +load_nzf(dns_view_t *view, ns_cfgctx_t *nzcfg) { isc_result_t result; cfg_obj_t *nzf_config = NULL; - int status, n; + int status; isc_buffer_t *text = NULL; bool commit = false; const cfg_obj_t *zonelist; @@ -13422,6 +13053,8 @@ migrate_nzf(dns_view_t *view) { MDB_val key, data; ns_dzarg_t dzarg; + UNUSED(nzcfg); + /* * If NZF file doesn't exist, or NZD DB exists and already * has data, return without attempting migration. @@ -13431,12 +13064,6 @@ migrate_nzf(dns_view_t *view) { goto cleanup; } - result = nzd_count(view, &n); - if (result == ISC_R_SUCCESS && n > 0) { - result = ISC_R_SUCCESS; - goto cleanup; - } - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "Migrating zones from NZF file '%s' to " 
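Review bot: The comment left in the preceding hunk still says the function returns early when the "NZD DB exists and already has data", but the `nzd_count()` call that implemented that half is removed here, so with an NZF file present the migration into the NZD now runs on every load regardless of what the NZD already holds. If that is intended (presumably because the NZF file is removed or renamed after a successful migration, outside this hunk), the comment should be trimmed to `/* If the NZF file doesn't exist, return without attempting migration. */`; if the guard is still needed, the count check has to come back in some form. The `UNUSED(nzcfg);` also suggests the LMDB variant of load_nzf ignores a parameter the non-LMDB variant fills in, which is worth one sentence in the function comment so callers know `nzcfg->nzf_config` is not populated here.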
@@ -13514,7 +13141,7 @@ migrate_nzf(dns_view_t *view) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "Error writing zone config to " - "buffer in migrate_nzf(): %s", + "buffer in load_nzf(): %s", isc_result_totext(result)); result = dzarg.result; goto cleanup; @@ -13567,7 +13194,6 @@ migrate_nzf(dns_view_t *view) { return (result); } - #endif /* HAVE_LMDB */ static isc_result_t @@ -13601,8 +13227,7 @@ newzone_parse(named_server_t *server, char *command, dns_view_t **viewp, } else if (strncasecmp(command, "mod", 3) == 0) { bn = "modzone"; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -13639,8 +13264,7 @@ newzone_parse(named_server_t *server, char *command, dns_view_t **viewp, } if (strcasecmp(cfg_obj_asstring(obj), "hint") == 0 || - strcasecmp(cfg_obj_asstring(obj), "forward") == 0 || - strcasecmp(cfg_obj_asstring(obj), "delegation-only") == 0) + strcasecmp(cfg_obj_asstring(obj), "forward") == 0) { (void)putstr(text, "'"); (void)putstr(text, cfg_obj_asstring(obj)); @@ -13716,23 +13340,24 @@ delete_zoneconf(dns_view_t *view, cfg_parser_t *pctx, const cfg_obj_t *config, CHECK(ISC_R_FAILURE); } - DE_CONST(&zl->value.list, list); + list = UNCONST(&zl->value.list); myname = dns_fixedname_initname(&myfixed); for (elt = ISC_LIST_HEAD(*list); elt != NULL; - elt = ISC_LIST_NEXT(elt, link)) { + elt = ISC_LIST_NEXT(elt, link)) + { const cfg_obj_t *zconf = cfg_listelt_value(elt); const char *zn; cfg_listelt_t *e; zn = cfg_obj_asstring(cfg_tuple_get(zconf, "name")); - result = dns_name_fromstring(myname, zn, 0, NULL); + result = dns_name_fromstring(myname, zn, dns_rootname, 0, NULL); if (result != ISC_R_SUCCESS || !dns_name_equal(zname, myname)) { continue; } - DE_CONST(elt, e); + e = UNCONST(elt); ISC_LIST_UNLINK(*list, e, link); cfg_obj_destroy(pctx, &e->obj); isc_mem_put(pctx->mctx, e, sizeof(*e)); 
@@ -13771,24 +13396,19 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, /* Zone shouldn't already exist */ if (redirect) { - result = (view->redirect != NULL) ? ISC_R_SUCCESS - : ISC_R_NOTFOUND; + result = (view->redirect == NULL) ? ISC_R_NOTFOUND + : ISC_R_EXISTS; } else { - result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); + result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone); + if (result == ISC_R_SUCCESS) { + result = ISC_R_EXISTS; + } } - if (result == ISC_R_SUCCESS) { - result = ISC_R_EXISTS; - goto cleanup; - } else if (result == DNS_R_PARTIALMATCH) { - /* Create our sub-zone anyway */ - dns_zone_detach(&zone); - zone = NULL; - } else if (result != ISC_R_NOTFOUND) { + if (result != ISC_R_NOTFOUND) { goto cleanup; } - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_loopmgr_pause(named_g_loopmgr); #ifndef HAVE_LMDB /* @@ -13796,7 +13416,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, */ result = isc_stdio_open(view->new_zone_file, "a", &fp); if (result != ISC_R_SUCCESS) { - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); TCHECK(putstr(text, "unable to create '")); TCHECK(putstr(text, view->new_zone_file)); TCHECK(putstr(text, "': ")); @@ -13812,7 +13432,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, /* Make sure we can open the NZD database */ result = nzd_writable(view); if (result != ISC_R_SUCCESS) { - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); TCHECK(putstr(text, "unable to open NZD database for '")); TCHECK(putstr(text, view->new_zone_db)); TCHECK(putstr(text, "'")); 
@@ -13823,13 +13443,12 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, /* Mark view unfrozen and configure zone */ dns_view_thaw(view); - result = configure_zone(cfg->config, zoneobj, cfg->vconfig, - server->mctx, view, &server->viewlist, - &server->kasplist, cfg->actx, true, false, - false); + result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view, + &server->viewlist, &server->kasplist, cfg->actx, + true, false, false); dns_view_freeze(view); - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); if (result != ISC_R_SUCCESS) { TCHECK(putstr(text, "configure_zone failed: ")); @@ -13844,7 +13463,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } dns_zone_attach(view->redirect, &zone); } else { - result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); + result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone); if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -13863,8 +13482,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, if (cfg->nzf_config == NULL) { cfg_obj_attach(zoneconf, &cfg->nzf_config); } else { - cfg_obj_t *z; - DE_CONST(zoneobj, z); + cfg_obj_t *z = UNCONST(zoneobj); CHECK(cfg_parser_mapadd(cfg->add_parser, cfg->nzf_config, z, "zone")); } @@ -13893,7 +13511,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } /* Remove the zone from the zone table */ - dns_zt_unmount(view->zonetable, zone); + dns_view_delzone(view, zone); goto cleanup; } @@ -13943,7 +13561,6 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, isc_result_t result, tresult; dns_zone_t *zone = NULL; bool added; - bool exclusive = false; #ifndef HAVE_LMDB FILE *fp = NULL; cfg_obj_t *z; 
@@ -13962,7 +13579,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, result = ISC_R_NOTFOUND; } } else { - result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); + result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone); } if (result != ISC_R_SUCCESS) { goto cleanup; @@ -13979,9 +13596,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } #endif /* ifndef HAVE_LMDB */ - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - exclusive = true; + isc_loopmgr_pause(named_g_loopmgr); #ifndef HAVE_LMDB /* Make sure we can open the configuration save file */ @@ -13991,6 +13606,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, TCHECK(putstr(text, view->new_zone_file)); TCHECK(putstr(text, "': ")); TCHECK(putstr(text, isc_result_totext(result))); + isc_loopmgr_resume(named_g_loopmgr); goto cleanup; } (void)isc_stdio_close(fp); @@ -14005,20 +13621,19 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, TCHECK(putstr(text, view->new_zone_db)); TCHECK(putstr(text, "'")); result = ISC_R_FAILURE; + isc_loopmgr_resume(named_g_loopmgr); goto cleanup; } #endif /* HAVE_LMDB */ /* Reconfigure the zone */ dns_view_thaw(view); - result = configure_zone(cfg->config, zoneobj, cfg->vconfig, - server->mctx, view, &server->viewlist, - &server->kasplist, cfg->actx, true, false, - true); + result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view, + &server->viewlist, &server->kasplist, cfg->actx, + true, false, true); dns_view_freeze(view); - exclusive = false; - isc_task_endexclusive(server->task); + isc_loopmgr_resume(named_g_loopmgr); if (result != ISC_R_SUCCESS) { TCHECK(putstr(text, "configure_zone failed: ")); 
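Review bot: In the two error paths of do_modzone in these hunks the new `isc_loopmgr_resume(named_g_loopmgr);` sits after the `TCHECK(putstr(...))` calls; TCHECK() is defined outside this view, but if it jumps to cleanup on a failed putstr() as CHECK() does, the resume is skipped and the loop manager stays paused, because the `if (exclusive) isc_task_endexclusive()` fallback in cleanup is removed further down in this diff. do_addzone above orders it the other way round, resuming first and then writing the message; do_modzone should match by moving `isc_loopmgr_resume(named_g_loopmgr);` to immediately after each `if (result != ISC_R_SUCCESS) {` in the `isc_stdio_open()` and `nzd_writable()` failure branches. The configure_zone() failure path is fine, as it resumes before its TCHECK. do_modzone's cleanup label is outside this hunk.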
@@ -14033,7 +13648,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } dns_zone_attach(view->redirect, &zone); } else { - CHECK(dns_zt_find(view->zonetable, name, 0, NULL, &zone)); + CHECK(dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone)); } #ifndef HAVE_LMDB @@ -14104,13 +13719,13 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } /* Remove the zone from the zone table */ - dns_zt_unmount(view->zonetable, zone); + dns_view_delzone(view, zone); goto cleanup; } #ifndef HAVE_LMDB /* Store the new zone configuration; also in NZF if applicable */ - DE_CONST(zoneobj, z); + z = UNCONST(zoneobj); CHECK(cfg_parser_mapadd(cfg->add_parser, cfg->nzf_config, z, "zone")); #endif /* HAVE_LMDB */ @@ -14138,9 +13753,6 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, } cleanup: - if (exclusive) { - isc_task_endexclusive(server->task); - } #ifndef HAVE_LMDB if (fp != NULL) { @@ -14180,6 +13792,8 @@ named_server_changezone(named_server_t *server, char *command, dns_fixedname_t fname; dns_name_t *dnsname; + REQUIRE(text != NULL); + if (strncasecmp(command, "add", 3) == 0) { addzone = true; } else { @@ -14240,7 +13854,7 @@ named_server_changezone(named_server_t *server, char *command, addzone ? NAMED_COMMAND_ADDZONE : NAMED_COMMAND_MODZONE); /* Changing a zone counts as reconfiguration */ - CHECK(isc_time_now(&named_g_configtime)); + named_g_configtime = isc_time_now(); cleanup: if (isc_buffer_usedlength(*text) > 0) { 
@@ -14281,12 +13895,13 @@ typedef struct { * Carry out a zone deletion scheduled by named_server_delzone(). */ static void -rmzone(isc_task_t *task, isc_event_t *event) { - ns_dzctx_t *dz = (ns_dzctx_t *)event->ev_arg; - dns_zone_t *zone, *raw = NULL, *mayberaw; +rmzone(void *arg) { + ns_dzctx_t *dz = (ns_dzctx_t *)arg; + dns_zone_t *zone = NULL, *raw = NULL, *mayberaw = NULL; + dns_catz_zone_t *catz = NULL; char zonename[DNS_NAME_FORMATSIZE]; - dns_view_t *view; - ns_cfgctx_t *cfg; + dns_view_t *view = NULL; + ns_cfgctx_t *cfg = NULL; dns_db_t *dbp = NULL; bool added; isc_result_t result; @@ -14297,8 +13912,6 @@ rmzone(isc_task_t *task, isc_event_t *event) { REQUIRE(dz != NULL); - isc_event_free(&event); - /* Dig out configuration for this zone */ zone = dz->zone; view = dns_zone_getview(zone); @@ -14310,10 +13923,14 @@ rmzone(isc_task_t *task, isc_event_t *event) { "deleting zone %s in view %s via delzone", zonename, view->name); - /* Remove the zone from configuration (and NZF file if applicable) */ + /* + * Remove the zone from configuration (and NZF file if applicable) + * (If this is a catalog zone member then nzf_config can be NULL) + */ added = dns_zone_getadded(zone); + catz = dns_zone_get_parentcatz(zone); - if (added && cfg != NULL) { + if (added && catz == NULL && cfg != NULL) { #ifdef HAVE_LMDB /* Make sure we can open the NZD database */ LOCK(&view->new_zone_lock); @@ -14330,8 +13947,7 @@ rmzone(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "unable to " - "delete zone configuration: %s", + "unable to delete zone configuration: %s", isc_result_totext(result)); } 
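Review bot: The comment added above the `added && catz == NULL && cfg != NULL` test says nzf_config "can be NULL" for catalog-zone members, but the condition does more than guard a NULL: it skips NZD/NZF removal for every catalog-zone member regardless of cfg, presumably because such zones are never written to the new-zone file or database in the first place. Say that instead, e.g. `/* Catalog-zone member zones are not recorded in the NZF/NZD, so only non-catz added zones have configuration to delete here */`, so the next reader does not "fix" the condition to a `cfg->nzf_config != NULL` check. Whether dns_zone_get_parentcatz() hands back a reference that must be released is not visible here; if it does, `catz` is leaked on every call. rmzone continues beyond the hunk.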
@@ -14346,8 +13962,7 @@ rmzone(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "unable to " - "delete zone configuration: %s", + "unable to delete zone configuration: %s", isc_result_totext(result)); } #endif /* HAVE_LMDB */ @@ -14368,8 +13983,7 @@ rmzone(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "unable to " - "delete zone configuration: %s", + "unable to delete zone configuration: %s", isc_result_totext(result)); } } @@ -14380,7 +13994,7 @@ rmzone(isc_task_t *task, isc_event_t *event) { dns_zone_unload(zone); } - /* Clean up stub/slave zone files if requested to do so */ + /* Clean up stub/secondary zone files if requested to do so */ dns_zone_getraw(zone, &raw); mayberaw = (raw != NULL) ? raw : zone; @@ -14433,7 +14047,6 @@ rmzone(isc_task_t *task, isc_event_t *event) { } dns_zone_detach(&zone); isc_mem_put(named_g_mctx, dz, sizeof(*dz)); - isc_task_detach(&task); } /* @@ -14452,8 +14065,8 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, const char *ptr; bool added; ns_dzctx_t *dz = NULL; - isc_event_t *dzevent = NULL; - isc_task_t *task = NULL; + + REQUIRE(text != NULL); /* Skip the command name. */ ptr = next_token(lex, text); @@ -14484,8 +14097,8 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, if (dns_zone_get_rpz_num(zone) != DNS_RPZ_INVALID_NUM) { TCHECK(putstr(text, "zone '")); TCHECK(putstr(text, zonename)); - TCHECK(putstr(text, "' cannot be deleted: response-policy " - "zone.")); + TCHECK(putstr(text, + "' cannot be deleted: response-policy zone.")); result = ISC_R_FAILURE; goto cleanup; } 
@@ -14494,23 +14107,18 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, if (dns_zone_gettype(zone) == dns_zone_redirect) { dns_zone_detach(&view->redirect); } else { - CHECK(dns_zt_unmount(view->zonetable, zone)); + CHECK(dns_view_delzone(view, zone)); } /* Send cleanup event */ dz = isc_mem_get(named_g_mctx, sizeof(*dz)); - - dz->cleanup = cleanup; - dz->zone = NULL; + *dz = (ns_dzctx_t){ + .cleanup = cleanup, + }; dns_zone_attach(zone, &dz->zone); - dzevent = isc_event_allocate(named_g_mctx, server, NAMED_EVENT_DELZONE, - rmzone, dz, sizeof(isc_event_t)); + isc_async_run(dns_zone_getloop(zone), rmzone, dz); - dns_zone_gettask(zone, &task); - isc_task_send(task, &dzevent); - dz = NULL; - - /* Inform user about cleaning up stub/slave zone files */ + /* Inform user about cleaning up stub/secondary zone files */ dns_zone_getraw(zone, &raw); mayberaw = (raw != NULL) ? raw : zone; @@ -14527,7 +14135,7 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, TCHECK(putstr(text, "zone '")); TCHECK(putstr(text, zonename)); TCHECK(putstr(text, "' and associated files will be deleted.")); - } else if (dns_zone_gettype(mayberaw) == dns_zone_slave || + } else if (dns_zone_gettype(mayberaw) == dns_zone_secondary || dns_zone_gettype(mayberaw) == dns_zone_mirror || dns_zone_gettype(mayberaw) == dns_zone_stub) { @@ -14558,7 +14166,7 @@ named_server_delzone(named_server_t *server, isc_lex_t *lex, "zone %s scheduled for removal via delzone", zonename); /* Removing a zone counts as reconfiguration */ - CHECK(isc_time_now(&named_g_configtime)); + named_g_configtime = isc_time_now(); result = ISC_R_SUCCESS; 
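Review bot: The hunk drops the `dz = NULL;` that followed handing dz to the zone's task, and nothing after `isc_async_run(dns_zone_getloop(zone), rmzone, dz);` clears it; rmzone() frees dz itself (visible earlier in this diff), so if the function's cleanup label, which is outside this hunk, still releases dz when it is non-NULL, every success path now double-frees. If cleanup does not touch dz the removal is harmless, but keeping `dz = NULL;` right after the isc_async_run() call costs nothing and documents that ownership has moved to the callback. Note also that once isc_async_run() returns, rmzone() may already be running on the zone's loop while the rest of named_server_delzone() still reads `zone`/`mayberaw` through its own reference — the same as with the old task send, but worth a one-line comment at the call.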
@@ -14590,7 +14198,8 @@ find_name_in_list_from_map(const cfg_obj_t *config, if (strcmp(map_key_for_list, "zone") == 0) { name1 = dns_fixedname_initname(&fixed1); name2 = dns_fixedname_initname(&fixed2); - result = dns_name_fromstring(name1, name, 0, NULL); + result = dns_name_fromstring(name1, name, dns_rootname, 0, + NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } @@ -14609,9 +14218,11 @@ find_name_in_list_from_map(const cfg_obj_t *config, } if (name1 != NULL) { - result = dns_name_fromstring(name2, vname, 0, NULL); + result = dns_name_fromstring(name2, vname, dns_rootname, + 0, NULL); if (result == ISC_R_SUCCESS && - dns_name_equal(name1, name2)) { + dns_name_equal(name1, name2)) + { const cfg_obj_t *zoptions; const cfg_obj_t *typeobj = NULL; zoptions = cfg_tuple_get(obj, "options"); @@ -14669,6 +14280,8 @@ named_server_showzone(named_server_t *server, isc_lex_t *lex, bool added, redirect; ns_dzarg_t dzarg; + REQUIRE(text != NULL); + /* Parse parameters */ CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true)); if (zone == NULL) { @@ -14803,6 +14416,9 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, unsigned char salt[255]; const char *ptr; size_t n; + bool kasp = false; + + REQUIRE(text != NULL); dns_rdataset_init(&privset); @@ -14821,7 +14437,8 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, if (strcasecmp(ptr, "-list") == 0) { list = true; } else if ((strcasecmp(ptr, "-clear") == 0) || - (strcasecmp(ptr, "-clean") == 0)) { + (strcasecmp(ptr, "-clean") == 0)) + { clear = true; ptr = next_token(lex, text); if (ptr == NULL) { @@ -14865,7 +14482,8 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, } if (hash > 0xffU || flags > 0xffU || - iter > dns_nsec3_maxiterations()) { + iter > dns_nsec3_maxiterations()) + { return (ISC_R_RANGE); } 
@@ -14906,17 +14524,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, } if (dns_zone_getkasp(zone) != NULL) { - (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " - "command instead"); - (void)putnull(text); - goto cleanup; + kasp = true; } if (clear) { CHECK(dns_zone_keydone(zone, keystr)); (void)putstr(text, "request queued"); (void)putnull(text); - } else if (chain) { + } else if (chain && !kasp) { CHECK(dns_zone_setnsec3param( zone, (uint8_t)hash, (uint8_t)flags, iter, (uint8_t)saltlen, salt, true, resalt)); @@ -14948,7 +14563,12 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, result = dns_rdataset_next(&privset)) { dns_rdata_t priv = DNS_RDATA_INIT; - char output[BUFSIZ]; + /* + * In theory, the output buffer could hold a full RDATA + * record which is 16-bit and then some text around + * it + */ + char output[UINT16_MAX + BUFSIZ]; isc_buffer_t buf; dns_rdataset_current(&privset, &priv); @@ -14968,6 +14588,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; } + } else if (kasp) { + (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " + "command instead"); + (void)putnull(text); } cleanup: @@ -14990,7 +14614,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, return (result); } -static inline bool +static bool argcheck(char *cmd, const char *full) { size_t l; @@ -15013,8 +14637,8 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_result_t result = ISC_R_SUCCESS; dns_zone_t *zone = NULL; dns_kasp_t *kasp = NULL; - dns_dnsseckeylist_t keys, dnskeys; - dns_dnsseckey_t *key, *key_next = NULL; + dns_dnsseckeylist_t keys; + dns_dnsseckey_t *key; char *ptr, *zonetext = NULL; const char *msg = NULL; /* variables for -checkds */ 
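Review bot: `char output[UINT16_MAX + BUFSIZ];` puts roughly 70 KiB on the stack for every iteration of the -list loop, in a function that already holds `salt[255]` and other locals; on threads with constrained stacks that is a real risk, and the new comment confirms the buffer is sized for the worst case rather than the typical one. Hoist a single heap buffer above the loop, `char *output = isc_mem_get(dns_zone_getmctx(zone), UINT16_MAX + BUFSIZ);`, and `isc_mem_put()` it after the loop (and on any early exit from it), keeping the isc_buffer_init() on the same size. The kasp reordering earlier in the hunk looks right: -clear still works for dnssec-policy zones and the NSEC3 chain request now falls through to the "use rndc dnssec" message. The -list loop body continues beyond the hunk.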
@@ -15032,11 +14656,10 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_stdtime_t now, when; isc_time_t timenow, timewhen; const char *dir; - dns_name_t *origin; dns_db_t *db = NULL; - dns_dbnode_t *node = NULL; dns_dbversion_t *version = NULL; - dns_rdataset_t keyset; + + REQUIRE(text != NULL); /* Skip the command name. */ ptr = next_token(lex, text); @@ -15051,13 +14674,11 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, } /* Initialize current time and key list. */ - TIME_NOW(&timenow); + timenow = isc_time_now(); now = isc_time_seconds(&timenow); when = now; - ISC_LIST_INIT(dnskeys); ISC_LIST_INIT(keys); - dns_rdataset_init(&keyset); if (strcasecmp(ptr, "-status") == 0) { status = true; 
@@ -15170,44 +14791,14 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, /* Get DNSSEC keys. */ dir = dns_zone_getkeydirectory(zone); - origin = dns_zone_getorigin(zone); CHECK(dns_zone_getdb(zone, &db)); - CHECK(dns_db_findnode(db, origin, false, &node)); dns_db_currentversion(db, &version); - /* Get keys from private key files. */ - dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), dir, now, - dns_zone_getmctx(zone), &keys); - dns_zone_unlock_keyfiles(zone); - if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { - goto cleanup; - } - /* Get public keys (dnskeys). */ - result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, - dns_rdatatype_none, 0, &keyset, NULL); - if (result == ISC_R_SUCCESS) { - CHECK(dns_dnssec_keylistfromrdataset( - origin, dir, dns_zone_getmctx(zone), &keyset, NULL, - NULL, false, false, &dnskeys)); - } else if (result != ISC_R_NOTFOUND) { - CHECK(result); - } - /* Add new 'dnskeys' to 'keys'. */ - for (dns_dnsseckey_t *k1 = ISC_LIST_HEAD(dnskeys); k1 != NULL; - k1 = key_next) { - dns_dnsseckey_t *k2 = NULL; - key_next = ISC_LIST_NEXT(k1, link); - - for (k2 = ISC_LIST_HEAD(keys); k2 != NULL; - k2 = ISC_LIST_NEXT(k2, link)) { - if (dst_key_compare(k1->key, k2->key)) { - break; - } - } - /* No match found, add the new key. */ - if (k2 == NULL) { - ISC_LIST_UNLINK(dnskeys, k1, link); - ISC_LIST_APPEND(keys, k1, link); + LOCK(&kasp->lock); + result = dns_zone_getdnsseckeys(zone, db, version, now, &keys); + UNLOCK(&kasp->lock); + if (result != ISC_R_SUCCESS) { + if (result != ISC_R_NOTFOUND) { + goto cleanup; } } @@ -15329,12 +14920,6 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, (void)putnull(text); } - if (dns_rdataset_isassociated(&keyset)) { - dns_rdataset_disassociate(&keyset); - } - if (node != NULL) { - dns_db_detachnode(db, &node); - } if (version != NULL) { dns_db_closeversion(db, &version, false); } 
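Review bot: The nested `if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOTFOUND) { goto cleanup; } }` is a single condition, `if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { goto cleanup; }`, and either form leaves `result` as ISC_R_NOTFOUND on the fall-through path, so the code that follows (outside this hunk) must not assume result is ISC_R_SUCCESS. `LOCK(&kasp->lock)` dereferences kasp, which this function initialises to NULL; presumably an earlier check rejects zones without a dnssec-policy before this point, but that is worth confirming, because a NULL kasp here would crash named from an rndc command. The removed code also locked the zone's key files around dns_dnssec_findmatchingkeys(); if dns_zone_getdnsseckeys() does that internally, a one-line comment saying so would save the next reader the question.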
@@ -15342,11 +14927,6 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, dns_db_detach(&db); } - while (!ISC_LIST_EMPTY(dnskeys)) { - key = ISC_LIST_HEAD(dnskeys); - ISC_LIST_UNLINK(dnskeys, key, link); - dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key); - } while (!ISC_LIST_EMPTY(keys)) { key = ISC_LIST_HEAD(keys); ISC_LIST_UNLINK(keys, key, link); @@ -15364,7 +14944,7 @@ static isc_result_t putmem(isc_buffer_t **b, const char *str, size_t len) { isc_result_t result; - result = isc_buffer_reserve(b, (unsigned int)len); + result = isc_buffer_reserve(*b, (unsigned int)len); if (result != ISC_R_SUCCESS) { return (ISC_R_NOSPACE); } @@ -15373,7 +14953,7 @@ putmem(isc_buffer_t **b, const char *str, size_t len) { return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t putstr(isc_buffer_t **b, const char *str) { return (putmem(b, str, strlen(str))); } @@ -15382,7 +14962,7 @@ static isc_result_t putuint8(isc_buffer_t **b, uint8_t val) { isc_result_t result; - result = isc_buffer_reserve(b, 1); + result = isc_buffer_reserve(*b, 1); if (result != ISC_R_SUCCESS) { return (ISC_R_NOSPACE); } @@ -15391,7 +14971,7 @@ putuint8(isc_buffer_t **b, uint8_t val) { return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t putnull(isc_buffer_t **b) { return (putuint8(b, 0)); } @@ -15421,6 +15001,8 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, char **incfiles = NULL; int nfiles = 0; + REQUIRE(text != NULL); + isc_time_settoepoch(&loadtime); isc_time_settoepoch(&refreshtime); isc_time_settoepoch(&expiretime); @@ -15466,7 +15048,7 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, } /* Database node count */ - nodes = dns_db_nodecount(hasraw ? rawdb : db); + nodes = dns_db_nodecount(hasraw ? rawdb : db, dns_dbtree_main); snprintf(nodebuf, sizeof(nodebuf), "%u", nodes); /* Security */ 
@@ -15483,7 +15065,7 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, isc_time_formathttptimestamp(&loadtime, lbuf, sizeof(lbuf)); /* Refresh/expire times */ - if (zonetype == dns_zone_slave || zonetype == dns_zone_mirror || + if (zonetype == dns_zone_secondary || zonetype == dns_zone_mirror || zonetype == dns_zone_stub || zonetype == dns_zone_redirect) { dns_zone_getexpiretime(mayberaw, &expiretime); @@ -15493,24 +15075,23 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, } /* Key refresh time */ - if (zonetype == dns_zone_master || - (zonetype == dns_zone_slave && hasraw)) { + if (zonetype == dns_zone_primary || + (zonetype == dns_zone_secondary && hasraw)) + { dns_zone_getrefreshkeytime(zone, &refreshkeytime); isc_time_formathttptimestamp(&refreshkeytime, kbuf, sizeof(kbuf)); } /* Dynamic? */ - if (zonetype == dns_zone_master) { + if (zonetype == dns_zone_primary) { dynamic = dns_zone_isdynamic(mayberaw, true); frozen = dynamic && !dns_zone_isdynamic(mayberaw, false); } /* Next resign event */ - if (secure && - (zonetype == dns_zone_master || - (zonetype == dns_zone_slave && hasraw)) && - ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0)) + if (secure && (zonetype == dns_zone_primary || + (zonetype == dns_zone_secondary && hasraw))) { dns_name_t *name; dns_fixedname_t fixed; @@ -15521,11 +15102,9 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, result = dns_db_getsigningtime(db, &next, name); if (result == ISC_R_SUCCESS) { - isc_stdtime_t timenow; char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; - isc_stdtime_get(&timenow); dns_name_format(name, namebuf, sizeof(namebuf)); dns_rdatatype_format(next.covers, typebuf, sizeof(typebuf)); 
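Review bot: The "Next resign event" condition no longer tests `DNS_ZONEKEY_NORESIGN`, so a zone that had re-signing disabled through that key option would now report a next resign time; if the option behind that flag was removed elsewhere in this series the change is fine, otherwise keep `&& ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0)` in the condition. Either way, a one-line comment saying why the check was dropped would pre-empt the question. named_server_zonestatus() starts and ends outside these hunks.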
@@ -15683,10 +15262,12 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, const dns_name_t *ntaname; dns_name_t *fname; dns_ttl_t ntattl; - bool ttlset = false, excl = false, viewfound = false; + bool ttlset = false, viewfound = false; dns_rdataclass_t rdclass = dns_rdataclass_in; bool first = true; + REQUIRE(text != NULL); + UNUSED(force); fname = dns_fixedname_initname(&fn); @@ -15823,11 +15404,9 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, CHECK(DNS_R_SYNTAX); } - isc_stdtime_get(&now); + now = isc_stdtime_now(); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - excl = true; + isc_loopmgr_pause(named_g_loopmgr); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { @@ -15897,7 +15476,7 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, } else if (result == ISC_R_NOTFOUND) { wasremoved = false; } else { - goto cleanup; + goto cleanup_exclusive; } if (!first) { @@ -15933,20 +15512,21 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, if (!viewfound) { msg = "No such view"; - CHECK(ISC_R_NOTFOUND); + result = ISC_R_NOTFOUND; + } else { + (void)putnull(text); } - (void)putnull(text); +cleanup_exclusive: + isc_loopmgr_resume(named_g_loopmgr); cleanup: + if (msg != NULL) { (void)putstr(text, msg); (void)putnull(text); } - if (excl) { - isc_task_endexclusive(server->task); - } if (ntatable != NULL) { dns_ntatable_detach(&ntatable); } @@ -16013,10 +15593,9 @@ mkey_refresh(dns_view_t *view, isc_buffer_t **text) { } static isc_result_t -mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) { +mkey_destroy(dns_view_t *view, isc_buffer_t **text) { isc_result_t result; char msg[DNS_NAME_FORMATSIZE + 500] = ""; - bool exclusive = false; const char *file = NULL; dns_db_t *dbp = NULL; dns_zone_t *mkzone = NULL; 
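Review bot: The new `cleanup_exclusive:` label is reached only by the one `goto` changed in this hunk, but the loop body between `isc_loopmgr_pause(named_g_loopmgr);` and that label (not shown here) is where the response is built with `CHECK(putstr(...))` calls, and CHECK() jumps to `cleanup`, skipping the resume now that the `if (excl) isc_task_endexclusive()` fallback is gone. Converting `CHECK(ISC_R_NOTFOUND)` into an assignment for the "No such view" case shows the hazard was noticed for that one path. The robust shape is a `bool paused = false;` set to true after the pause and `if (paused) { isc_loopmgr_resume(named_g_loopmgr); }` at cleanup, which also lets the two labels merge. named_server_nta() continues outside the hunk.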
@@ -16030,9 +15609,7 @@ mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) { view->name); CHECK(putstr(text, msg)); - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - exclusive = true; + isc_loopmgr_pause(named_g_loopmgr); /* Remove and clean up managed keys zone from view */ mkzone = view->managed_keys; @@ -16077,9 +15654,7 @@ mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) { result = ISC_R_SUCCESS; cleanup: - if (exclusive) { - isc_task_endexclusive(server->task); - } + isc_loopmgr_resume(named_g_loopmgr); return (result); } @@ -16089,11 +15664,9 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) { dns_db_t *db = NULL; dns_dbversion_t *ver = NULL; dns_rriterator_t rrit; - isc_stdtime_t now; + isc_stdtime_t now = isc_stdtime_now(); dns_name_t *prevname = NULL; - isc_stdtime_get(&now); - CHECK(dns_zone_getdb(view->managed_keys, &db)); dns_db_currentversion(db, &ver); dns_rriterator_init(&rrit, db, ver, 0); @@ -16236,10 +15809,12 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex, dns_view_t *view = NULL; dns_rdataclass_t rdclass; char msg[DNS_NAME_FORMATSIZE + 500] = ""; - enum { NONE, STATUS, REFRESH, SYNC, DESTROY } opt = NONE; + enum { NONE, STAT, REFRESH, SYNC, DESTROY } opt = NONE; bool found = false; bool first = true; + REQUIRE(text != NULL); + /* Skip rndc command name */ cmd = next_token(lex, text); if (cmd == NULL) { @@ -16253,7 +15828,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex, } if (strcasecmp(cmd, "status") == 0) { - opt = STATUS; + opt = STAT; } else if (strcasecmp(cmd, "refresh") == 0) { opt = REFRESH; } else if (strcasecmp(cmd, "sync") == 0) { @@ -16312,7 +15887,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex, } CHECK(mkey_refresh(view, text)); break; - case STATUS: + case STAT: if (!first) { CHECK(putstr(text, "\n\n")); } 
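Review bot: mkey_destroy() now calls `isc_loopmgr_resume(named_g_loopmgr);` unconditionally at cleanup, but the `CHECK(putstr(text, msg));` just above the pause can `goto cleanup` before `isc_loopmgr_pause()` has run, producing a resume without a matching pause; the removed `exclusive` flag existed for exactly this case. Either keep the flag — `bool paused = false;` set after the pause, and `if (paused) { isc_loopmgr_resume(named_g_loopmgr); }` in cleanup — or turn that early putstr failure into a direct `return (result);`. Whether an unbalanced resume trips an assertion or silently corrupts the pause state is not visible here, but neither is acceptable in an rndc handler. The body of mkey_destroy() between the two hunks is not shown.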
@@ -16325,11 +15900,10 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex, if (!first) { CHECK(putstr(text, "\n")); } - CHECK(mkey_destroy(server, view, text)); + CHECK(mkey_destroy(view, text)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (viewtxt != NULL) { @@ -16359,6 +15933,8 @@ named_server_dnstap(named_server_t *server, isc_lex_t *lex, bool reopen = false; int backups = 0; + REQUIRE(text != NULL); + if (server->dtenv == NULL) { return (ISC_R_NOTFOUND); } @@ -16472,13 +16048,8 @@ named_server_tcptimeouts(isc_lex_t *lex, isc_buffer_t **text) { CHECK(ISC_R_RANGE); } - result = isc_task_beginexclusive(named_g_server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_nm_settimeouts(named_g_netmgr, initial, idle, keepalive, advertised); - - isc_task_endexclusive(named_g_server->task); } snprintf(msg, sizeof(msg), "tcp-initial-timeout=%u\n", initial / 100); @@ -16511,7 +16082,8 @@ named_server_servestale(named_server_t *server, isc_lex_t *lex, dns_stale_answer_t staleanswersok = dns_stale_answer_conf; bool wantstatus = false; isc_result_t result = ISC_R_SUCCESS; - bool exclusive = false; + + REQUIRE(text != NULL); /* Skip the command name. */ ptr = next_token(lex, text); @@ -16567,9 +16139,7 @@ named_server_servestale(named_server_t *server, isc_lex_t *lex, } } - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - exclusive = true; + isc_loopmgr_pause(named_g_loopmgr); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) 
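Review bot: named_server_servestale() replaces the `exclusive` flag with a bare `isc_loopmgr_pause(named_g_loopmgr);`, and its cleanup label (visible further down in this diff) resumes unconditionally, so every failure path before the pause — the option and class parsing earlier in the function, not shown — must `return` rather than `goto cleanup`, or it will resume a loop manager that was never paused. If those paths all return today, a comment at the pause such as `/* From here on exit only via cleanup, which resumes the loopmgr */` records the invariant; otherwise keep a `bool paused` and make the cleanup resume conditional. The same question applies to named_server_tcptimeouts() in this line, which now calls isc_nm_settimeouts() with no exclusivity at all — fine only if the netmgr stores those values atomically, which is worth a comment at the call.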
@@ -16605,27 +16175,46 @@ named_server_servestale(named_server_t *server, isc_lex_t *lex, switch (view->staleanswersok) { case dns_stale_answer_yes: if (stale_ttl > 0) { - CHECK(putstr(text, "on (rndc)")); + CHECK(putstr(text, "stale cache " + "enabled; stale " + "answers enabled")); } else { - CHECK(putstr(text, "off (not-cached)")); + CHECK(putstr(text, "stale cache disabled; " + "stale " + "answers unavailable")); } break; case dns_stale_answer_no: - CHECK(putstr(text, "off (rndc)")); + if (stale_ttl > 0) { + CHECK(putstr(text, "stale cache " + "enabled; stale " + "answers disabled")); + } else { + CHECK(putstr(text, "stale cache disabled; " + "stale " + "answers unavailable")); + } break; case dns_stale_answer_conf: if (view->staleanswersenable && stale_ttl > 0) { - CHECK(putstr(text, "on")); - } else if (view->staleanswersenable) { - CHECK(putstr(text, "off (not-cached)")); + CHECK(putstr(text, "stale cache " + "enabled; stale " + "answers enabled")); + } else if (stale_ttl > 0) { + CHECK(putstr(text, "stale cache " + "enabled; stale " + "answers disabled")); } else { - CHECK(putstr(text, "off")); + CHECK(putstr(text, "stale cache disabled; " + "stale " + "answers unavailable")); } break; } if (stale_ttl > 0) { snprintf(msg, sizeof(msg), - " (stale-answer-ttl=%u max-stale-ttl=%u " + " (stale-answer-ttl=%u " + "max-stale-ttl=%u " "stale-refresh-time=%u)", view->staleanswerttl, stale_ttl, stale_refresh); 
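Review bot: The three status strings are spelled out as split literals five times across the switch, and the `dns_stale_answer_conf` case hides that the output depends on just two booleans (cache enabled, answers enabled); a small helper such as `static const char *stale_state_text(bool cache_on, bool answers_on)` returning the right literal would keep the wording in one place and make each case a one-liner. The hunk is inside the per-view loop whose start and end are outside this view.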
@@ -16639,10 +16228,95 @@ named_server_servestale(named_server_t *server, isc_lex_t *lex, } cleanup: - if (exclusive) { - isc_task_endexclusive(named_g_server->task); + isc_loopmgr_resume(named_g_loopmgr); + + if (isc_buffer_usedlength(*text) > 0) { + (void)putnull(text); + } + + return (result); +} + +isc_result_t +named_server_fetchlimit(named_server_t *server, isc_lex_t *lex, + isc_buffer_t **text) { + isc_result_t result = ISC_R_SUCCESS; + dns_view_t *view = NULL; + char *ptr = NULL, *viewname = NULL; + bool first = true; + dns_adb_t *adb = NULL; + + REQUIRE(text != NULL); + + /* Skip the command name. */ + ptr = next_token(lex, text); + if (ptr == NULL) { + return (ISC_R_UNEXPECTEDEND); } + /* Look for the view name. */ + viewname = next_token(lex, text); + for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + char tbuf[100]; + unsigned int used; + uint32_t val; + int s; + + if (view->rdclass != dns_rdataclass_in) { + continue; + } + + if (viewname != NULL && strcasecmp(view->name, viewname) != 0) { + continue; + } + + dns_view_getadb(view, &adb); + if (adb == NULL) { + continue; + } + + if (!first) { + CHECK(putstr(text, "\n")); + } + CHECK(putstr(text, "Rate limited servers, view ")); + CHECK(putstr(text, view->name)); + + dns_adb_getquota(adb, &val, NULL, NULL, NULL, NULL); + s = snprintf(tbuf, sizeof(tbuf), + " (fetches-per-server %u):", val); + if (s < 0 || (unsigned int)s > sizeof(tbuf)) { + CHECK(ISC_R_NOSPACE); + } + first = false; + CHECK(putstr(text, tbuf)); + used = isc_buffer_usedlength(*text); + CHECK(dns_adb_dumpquota(adb, text)); + if (used == isc_buffer_usedlength(*text)) { + CHECK(putstr(text, "\n None.")); + } + + CHECK(putstr(text, "\nRate limited servers, view ")); + CHECK(putstr(text, view->name)); + val = dns_resolver_getfetchesperzone(view->resolver); + s = snprintf(tbuf, sizeof(tbuf), + " (fetches-per-zone %u):", val); + if (s < 0 || (unsigned int)s > sizeof(tbuf)) { + CHECK(ISC_R_NOSPACE); 
+ } + CHECK(putstr(text, tbuf)); + used = isc_buffer_usedlength(*text); + CHECK(dns_resolver_dumpquota(view->resolver, text)); + if (used == isc_buffer_usedlength(*text)) { + CHECK(putstr(text, "\n None.")); + } + dns_adb_detach(&adb); + } +cleanup: + if (adb != NULL) { + dns_adb_detach(&adb); + } if (isc_buffer_usedlength(*text) > 0) { (void)putnull(text); } diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 7e1e982646..349bec0eef 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -18,12 +20,11 @@ #include #include #include -#include -#include #include #include #include +#include #include #include #include @@ -53,6 +54,14 @@ #include "xsl_p.h" +#define STATS_XML_VERSION_MAJOR "3" +#define STATS_XML_VERSION_MINOR "14" +#define STATS_XML_VERSION STATS_XML_VERSION_MAJOR "." STATS_XML_VERSION_MINOR + +#define STATS_JSON_VERSION_MAJOR "1" +#define STATS_JSON_VERSION_MINOR "8" +#define STATS_JSON_VERSION STATS_JSON_VERSION_MAJOR "." STATS_JSON_VERSION_MINOR + #define CHECK(m) \ do { \ result = (m); \ @@ -68,13 +77,12 @@ struct named_statschannel { isc_mem_t *mctx; /* - * Locked by channel lock: can be referenced and modified by both - * the server task and the channel task. + * Locked by channel lock */ isc_mutex_t lock; dns_acl_t *acl; - /* Locked by server task */ + /* Locked by main loop. */ ISC_LINK(struct named_statschannel) link; }; 
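Review bot: Both snprintf() truncation checks in named_server_fetchlimit() use `(unsigned int)s > sizeof(tbuf)`, which lets `s == sizeof(tbuf)` through even though snprintf() has already truncated in that case (it returns the length that would have been written, excluding the NUL); the test should be `(unsigned int)s >= sizeof(tbuf)` in both places. With a 100-byte buffer and these formats the overflow cannot happen today, so it is latent rather than live, but the idiom will be copied. Separately, when a view name is given and matches nothing the loop produces no output and the function returns ISC_R_SUCCESS with an empty response; the other view-scoped handlers in this file report "No such view", so after the loop add `if (viewname != NULL && first) { (void)putstr(text, "no matching view found"); result = ISC_R_NOTFOUND; }` or similar. The adb detach in cleanup correctly covers the CHECK() exits inside the loop.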
@@ -104,8 +112,8 @@ user_zonetype(dns_zone_t *zone) { const dns_zonetype_t type; const char *const string; } typemap[] = { { dns_zone_none, "none" }, - { dns_zone_master, "master" }, - { dns_zone_slave, "slave" }, + { dns_zone_primary, "primary" }, + { dns_zone_secondary, "secondary" }, { dns_zone_mirror, "mirror" }, { dns_zone_stub, "stub" }, { dns_zone_staticstub, "static-stub" }, @@ -202,7 +210,7 @@ static int tcpoutsizestats_index[dns_sizecounter_out_max]; static int dnstapstats_index[dns_dnstapcounter_max]; static int gluecachestats_index[dns_gluecachestatscounter_max]; -static inline void +static void set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs, const char *xdesc, const char **xdescs) { REQUIRE(counter < maxcounter); @@ -220,6 +228,30 @@ set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs, #endif /* if defined(EXTENDED_STATS) */ } +static const char * +get_histo_desc(const char *prefix, int i, int inf, bool ext) { + static char buf[(DNS_SIZEHISTO_MAXIN + DNS_SIZEHISTO_MAXOUT) * 80]; + static size_t used = 0; + char *desc = buf + used; + size_t space = sizeof(buf) - used; + int min = DNS_SIZEHISTO_QUANTUM * i; + int max = DNS_SIZEHISTO_QUANTUM * (i + 1) - 1; + int len = 0; + + if (!ext && i < inf) { + len = snprintf(desc, space, "%s %u-%u bytes", prefix, min, max); + } else if (!ext && i >= inf) { + len = snprintf(desc, space, "%s %u+ bytes", prefix, min); + } else if (ext && i < inf) { + len = snprintf(desc, space, "%u-%u", min, max); + } else if (ext && i >= inf) { + len = snprintf(desc, space, "%u+", min); + } + INSIST(0 < len && (size_t)len < space); + used += len + 1; + return (desc); +} + static void init_desc(void) { int i; 
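Review bot: get_histo_desc() hands out slices of a static `buf` through a static `used` cursor, so it is a one-shot arena: a second call to init_desc() (or any other caller) keeps appending until the `INSIST((size_t)len < space)` fires, and it is not safe to call from two threads. Document that, e.g. `/* One-shot arena: only init_desc() may call this, once per process */`, or reset `used = 0` at the start of init_desc(). Also `min` and `max` are `int` but printed with `%u`; make them `unsigned int` (they are derived from non-negative histogram indices) so the format matches the arguments. The INSIST on the snprintf() result is the right guard for a fixed buffer and should stay.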
@@ -326,7 +358,7 @@ init_desc(void) { SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE"); SET_NSSTATDESC(nxdomainsynth, "synthesized a NXDOMAIN response", "SynthNXDOMAIN"); - SET_NSSTATDESC(nodatasynth, "syththesized a no-data response", + SET_NSSTATDESC(nodatasynth, "synthesized a no-data response", "SynthNODATA"); SET_NSSTATDESC(wildcardsynth, "synthesized a wildcard response", "SynthWILDCARD"); @@ -342,6 +374,7 @@ init_desc(void) { SET_NSSTATDESC(reclimitdropped, "queries dropped due to recursive client limit", "RecLimitDropped"); + SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota"); INSIST(i == ns_statscounter_max); @@ -431,6 +464,8 @@ init_desc(void) { SET_RESSTATDESC(zonequota, "spilled due to zone quota", "ZoneQuota"); SET_RESSTATDESC(serverquota, "spilled due to server quota", "ServerQuota"); + SET_RESSTATDESC(clientquota, "spilled due to clients per query quota", + "ClientQuota"); SET_RESSTATDESC(nextitem, "waited for next item", "NextItem"); SET_RESSTATDESC(priming, "priming queries", "Priming"); 
@@ -746,575 +781,49 @@ init_desc(void) { #endif /* if defined(EXTENDED_STATS) */ /* Initialize traffic size statistics */ - for (i = 0; i < dns_sizecounter_in_max; i++) { - udpinsizestats_desc[i] = NULL; - tcpinsizestats_desc[i] = NULL; -#if defined(EXTENDED_STATS) - udpinsizestats_xmldesc[i] = NULL; - tcpinsizestats_xmldesc[i] = NULL; -#endif /* if defined(EXTENDED_STATS) */ - } - for (i = 0; i < dns_sizecounter_out_max; i++) { - udpoutsizestats_desc[i] = NULL; - tcpoutsizestats_desc[i] = NULL; + + for (i = 0; i < DNS_SIZEHISTO_MAXOUT; i++) { + udpoutsizestats_index[i] = i; + tcpoutsizestats_index[i] = i; + udpoutsizestats_desc[i] = get_histo_desc( + "responses sent", i, DNS_SIZEHISTO_MAXOUT, false); + tcpoutsizestats_desc[i] = udpoutsizestats_desc[i]; #if defined(EXTENDED_STATS) - udpoutsizestats_xmldesc[i] = NULL; - tcpoutsizestats_xmldesc[i] = NULL; + udpoutsizestats_xmldesc[i] = get_histo_desc( + "responses sent", i, DNS_SIZEHISTO_MAXOUT, true); + tcpoutsizestats_xmldesc[i] = udpoutsizestats_xmldesc[i]; #endif /* if defined(EXTENDED_STATS) */ } -#define SET_SIZESTATDESC(counterid, desc, xmldesc, inout) \ - do { \ - set_desc(dns_sizecounter_##inout##_##counterid, \ - dns_sizecounter_##inout##_max, desc, \ - udp##inout##sizestats_desc, xmldesc, \ - udp##inout##sizestats_xmldesc); \ - set_desc(dns_sizecounter_##inout##_##counterid, \ - dns_sizecounter_##inout##_max, desc, \ - tcp##inout##sizestats_desc, xmldesc, \ - tcp##inout##sizestats_xmldesc); \ - udp##inout##sizestats_index[i] = \ - dns_sizecounter_##inout##_##counterid; \ - tcp##inout##sizestats_index[i] = \ - dns_sizecounter_##inout##_##counterid; \ - i++; \ - } while (0) - - i = 0; - SET_SIZESTATDESC(0, "requests received 0-15 bytes", "0-15", in); - SET_SIZESTATDESC(16, "requests received 16-31 bytes", "16-31", in); - SET_SIZESTATDESC(32, "requests received 32-47 bytes", "32-47", in); - SET_SIZESTATDESC(48, "requests received 48-63 bytes", "48-63", in); - SET_SIZESTATDESC(64, "requests received 64-79 
bytes", "64-79", in); - SET_SIZESTATDESC(80, "requests received 80-95 bytes", "80-95", in); - SET_SIZESTATDESC(96, "requests received 96-111 bytes", "96-111", in); - SET_SIZESTATDESC(112, "requests received 112-127 bytes", "112-127", in); - SET_SIZESTATDESC(128, "requests received 128-143 bytes", "128-143", in); - SET_SIZESTATDESC(144, "requests received 144-159 bytes", "144-159", in); - SET_SIZESTATDESC(160, "requests received 160-175 bytes", "160-175", in); - SET_SIZESTATDESC(176, "requests received 176-191 bytes", "176-191", in); - SET_SIZESTATDESC(192, "requests received 192-207 bytes", "192-207", in); - SET_SIZESTATDESC(208, "requests received 208-223 bytes", "208-223", in); - SET_SIZESTATDESC(224, "requests received 224-239 bytes", "224-239", in); - SET_SIZESTATDESC(240, "requests received 240-255 bytes", "240-255", in); - SET_SIZESTATDESC(256, "requests received 256-271 bytes", "256-271", in); - SET_SIZESTATDESC(272, "requests received 272-287 bytes", "272-287", in); - SET_SIZESTATDESC(288, "requests received 288+ bytes", "288+", in); - INSIST(i == dns_sizecounter_in_max); - - i = 0; - SET_SIZESTATDESC(0, "responses sent 0-15 bytes", "0-15", out); - SET_SIZESTATDESC(16, "responses sent 16-31 bytes", "16-31", out); - SET_SIZESTATDESC(32, "responses sent 32-47 bytes", "32-47", out); - SET_SIZESTATDESC(48, "responses sent 48-63 bytes", "48-63", out); - SET_SIZESTATDESC(64, "responses sent 64-79 bytes", "64-79", out); - SET_SIZESTATDESC(80, "responses sent 80-95 bytes", "80-95", out); - SET_SIZESTATDESC(96, "responses sent 96-111 bytes", "96-111", out); - SET_SIZESTATDESC(112, "responses sent 112-127 bytes", "112-127", out); - SET_SIZESTATDESC(128, "responses sent 128-143 bytes", "128-143", out); - SET_SIZESTATDESC(144, "responses sent 144-159 bytes", "144-159", out); - SET_SIZESTATDESC(160, "responses sent 160-175 bytes", "160-175", out); - SET_SIZESTATDESC(176, "responses sent 176-191 bytes", "176-191", out); - SET_SIZESTATDESC(192, "responses sent 192-207 
bytes", "192-207", out); - SET_SIZESTATDESC(208, "responses sent 208-223 bytes", "208-223", out); - SET_SIZESTATDESC(224, "responses sent 224-239 bytes", "224-239", out); - SET_SIZESTATDESC(240, "responses sent 240-255 bytes", "240-255", out); - SET_SIZESTATDESC(256, "responses sent 256-271 bytes", "256-271", out); - SET_SIZESTATDESC(272, "responses sent 272-287 bytes", "272-287", out); - SET_SIZESTATDESC(288, "responses sent 288-303 bytes", "288-303", out); - SET_SIZESTATDESC(304, "responses sent 304-319 bytes", "304-319", out); - SET_SIZESTATDESC(320, "responses sent 320-335 bytes", "320-335", out); - SET_SIZESTATDESC(336, "responses sent 336-351 bytes", "336-351", out); - SET_SIZESTATDESC(352, "responses sent 352-367 bytes", "352-367", out); - SET_SIZESTATDESC(368, "responses sent 368-383 bytes", "368-383", out); - SET_SIZESTATDESC(384, "responses sent 384-399 bytes", "384-399", out); - SET_SIZESTATDESC(400, "responses sent 400-415 bytes", "400-415", out); - SET_SIZESTATDESC(416, "responses sent 416-431 bytes", "416-431", out); - SET_SIZESTATDESC(432, "responses sent 432-447 bytes", "432-447", out); - SET_SIZESTATDESC(448, "responses sent 448-463 bytes", "448-463", out); - SET_SIZESTATDESC(464, "responses sent 464-479 bytes", "464-479", out); - SET_SIZESTATDESC(480, "responses sent 480-495 bytes", "480-495", out); - SET_SIZESTATDESC(496, "responses sent 496-511 bytes", "496-511", out); - SET_SIZESTATDESC(512, "responses sent 512-527 bytes", "512-527", out); - SET_SIZESTATDESC(528, "responses sent 528-543 bytes", "528-543", out); - SET_SIZESTATDESC(544, "responses sent 544-559 bytes", "544-559", out); - SET_SIZESTATDESC(560, "responses sent 560-575 bytes", "560-575", out); - SET_SIZESTATDESC(576, "responses sent 576-591 bytes", "576-591", out); - SET_SIZESTATDESC(592, "responses sent 592-607 bytes", "592-607", out); - SET_SIZESTATDESC(608, "responses sent 608-623 bytes", "608-623", out); - SET_SIZESTATDESC(624, "responses sent 624-639 bytes", "624-639", out); - 
SET_SIZESTATDESC(640, "responses sent 640-655 bytes", "640-655", out); - SET_SIZESTATDESC(656, "responses sent 656-671 bytes", "656-671", out); - SET_SIZESTATDESC(672, "responses sent 672-687 bytes", "672-687", out); - SET_SIZESTATDESC(688, "responses sent 688-703 bytes", "688-703", out); - SET_SIZESTATDESC(704, "responses sent 704-719 bytes", "704-719", out); - SET_SIZESTATDESC(720, "responses sent 720-735 bytes", "720-735", out); - SET_SIZESTATDESC(736, "responses sent 736-751 bytes", "736-751", out); - SET_SIZESTATDESC(752, "responses sent 752-767 bytes", "752-767", out); - SET_SIZESTATDESC(768, "responses sent 768-783 bytes", "768-783", out); - SET_SIZESTATDESC(784, "responses sent 784-799 bytes", "784-799", out); - SET_SIZESTATDESC(800, "responses sent 800-815 bytes", "800-815", out); - SET_SIZESTATDESC(816, "responses sent 816-831 bytes", "816-831", out); - SET_SIZESTATDESC(832, "responses sent 832-847 bytes", "832-847", out); - SET_SIZESTATDESC(848, "responses sent 848-863 bytes", "848-863", out); - SET_SIZESTATDESC(864, "responses sent 864-879 bytes", "864-879", out); - SET_SIZESTATDESC(880, "responses sent 880-895 bytes", "880-895", out); - SET_SIZESTATDESC(896, "responses sent 896-911 bytes", "896-911", out); - SET_SIZESTATDESC(912, "responses sent 912-927 bytes", "912-927", out); - SET_SIZESTATDESC(928, "responses sent 928-943 bytes", "928-943", out); - SET_SIZESTATDESC(944, "responses sent 944-959 bytes", "944-959", out); - SET_SIZESTATDESC(960, "responses sent 960-975 bytes", "960-975", out); - SET_SIZESTATDESC(976, "responses sent 976-991 bytes", "976-991", out); - SET_SIZESTATDESC(992, "responses sent 992-1007 bytes", "992-1007", out); - SET_SIZESTATDESC(1008, "responses sent 1008-1023 bytes", "1008-1023", - out); - SET_SIZESTATDESC(1024, "responses sent 1024-1039 bytes", "1024-1039", - out); - SET_SIZESTATDESC(1040, "responses sent 1040-1055 bytes", "1040-1055", - out); - SET_SIZESTATDESC(1056, "responses sent 1056-1071 bytes", "1056-1071", - out); 
- SET_SIZESTATDESC(1072, "responses sent 1072-1087 bytes", "1072-1087", - out); - SET_SIZESTATDESC(1088, "responses sent 1088-1103 bytes", "1088-1103", - out); - SET_SIZESTATDESC(1104, "responses sent 1104-1119 bytes", "1104-1119", - out); - SET_SIZESTATDESC(1120, "responses sent 1120-1135 bytes", "1120-1135", - out); - SET_SIZESTATDESC(1136, "responses sent 1136-1151 bytes", "1136-1151", - out); - SET_SIZESTATDESC(1152, "responses sent 1152-1167 bytes", "1152-1167", - out); - SET_SIZESTATDESC(1168, "responses sent 1168-1183 bytes", "1168-1183", - out); - SET_SIZESTATDESC(1184, "responses sent 1184-1199 bytes", "1184-1199", - out); - SET_SIZESTATDESC(1200, "responses sent 1200-1215 bytes", "1200-1215", - out); - SET_SIZESTATDESC(1216, "responses sent 1216-1231 bytes", "1216-1231", - out); - SET_SIZESTATDESC(1232, "responses sent 1232-1247 bytes", "1232-1247", - out); - SET_SIZESTATDESC(1248, "responses sent 1248-1263 bytes", "1248-1263", - out); - SET_SIZESTATDESC(1264, "responses sent 1264-1279 bytes", "1264-1279", - out); - SET_SIZESTATDESC(1280, "responses sent 1280-1295 bytes", "1280-1295", - out); - SET_SIZESTATDESC(1296, "responses sent 1296-1311 bytes", "1296-1311", - out); - SET_SIZESTATDESC(1312, "responses sent 1312-1327 bytes", "1312-1327", - out); - SET_SIZESTATDESC(1328, "responses sent 1328-1343 bytes", "1328-1343", - out); - SET_SIZESTATDESC(1344, "responses sent 1344-1359 bytes", "1344-1359", - out); - SET_SIZESTATDESC(1360, "responses sent 1360-1375 bytes", "1360-1375", - out); - SET_SIZESTATDESC(1376, "responses sent 1376-1391 bytes", "1376-1391", - out); - SET_SIZESTATDESC(1392, "responses sent 1392-1407 bytes", "1392-1407", - out); - SET_SIZESTATDESC(1408, "responses sent 1408-1423 bytes", "1408-1423", - out); - SET_SIZESTATDESC(1424, "responses sent 1424-1439 bytes", "1424-1439", - out); - SET_SIZESTATDESC(1440, "responses sent 1440-1455 bytes", "1440-1455", - out); - SET_SIZESTATDESC(1456, "responses sent 1456-1471 bytes", "1456-1471", - out); 
- SET_SIZESTATDESC(1472, "responses sent 1472-1487 bytes", "1472-1487", - out); - SET_SIZESTATDESC(1488, "responses sent 1488-1503 bytes", "1488-1503", - out); - SET_SIZESTATDESC(1504, "responses sent 1504-1519 bytes", "1504-1519", - out); - SET_SIZESTATDESC(1520, "responses sent 1520-1535 bytes", "1520-1535", - out); - SET_SIZESTATDESC(1536, "responses sent 1536-1551 bytes", "1536-1551", - out); - SET_SIZESTATDESC(1552, "responses sent 1552-1567 bytes", "1552-1567", - out); - SET_SIZESTATDESC(1568, "responses sent 1568-1583 bytes", "1568-1583", - out); - SET_SIZESTATDESC(1584, "responses sent 1584-1599 bytes", "1584-1599", - out); - SET_SIZESTATDESC(1600, "responses sent 1600-1615 bytes", "1600-1615", - out); - SET_SIZESTATDESC(1616, "responses sent 1616-1631 bytes", "1616-1631", - out); - SET_SIZESTATDESC(1632, "responses sent 1632-1647 bytes", "1632-1647", - out); - SET_SIZESTATDESC(1648, "responses sent 1648-1663 bytes", "1648-1663", - out); - SET_SIZESTATDESC(1664, "responses sent 1664-1679 bytes", "1664-1679", - out); - SET_SIZESTATDESC(1680, "responses sent 1680-1695 bytes", "1680-1695", - out); - SET_SIZESTATDESC(1696, "responses sent 1696-1711 bytes", "1696-1711", - out); - SET_SIZESTATDESC(1712, "responses sent 1712-1727 bytes", "1712-1727", - out); - SET_SIZESTATDESC(1728, "responses sent 1728-1743 bytes", "1728-1743", - out); - SET_SIZESTATDESC(1744, "responses sent 1744-1759 bytes", "1744-1759", - out); - SET_SIZESTATDESC(1760, "responses sent 1760-1775 bytes", "1760-1775", - out); - SET_SIZESTATDESC(1776, "responses sent 1776-1791 bytes", "1776-1791", - out); - SET_SIZESTATDESC(1792, "responses sent 1792-1807 bytes", "1792-1807", - out); - SET_SIZESTATDESC(1808, "responses sent 1808-1823 bytes", "1808-1823", - out); - SET_SIZESTATDESC(1824, "responses sent 1824-1839 bytes", "1824-1839", - out); - SET_SIZESTATDESC(1840, "responses sent 1840-1855 bytes", "1840-1855", - out); - SET_SIZESTATDESC(1856, "responses sent 1856-1871 bytes", "1856-1871", - out); 
- SET_SIZESTATDESC(1872, "responses sent 1872-1887 bytes", "1872-1887", - out); - SET_SIZESTATDESC(1888, "responses sent 1888-1903 bytes", "1888-1903", - out); - SET_SIZESTATDESC(1904, "responses sent 1904-1919 bytes", "1904-1919", - out); - SET_SIZESTATDESC(1920, "responses sent 1920-1935 bytes", "1920-1935", - out); - SET_SIZESTATDESC(1936, "responses sent 1936-1951 bytes", "1936-1951", - out); - SET_SIZESTATDESC(1952, "responses sent 1952-1967 bytes", "1952-1967", - out); - SET_SIZESTATDESC(1968, "responses sent 1968-1983 bytes", "1968-1983", - out); - SET_SIZESTATDESC(1984, "responses sent 1984-1999 bytes", "1984-1999", - out); - SET_SIZESTATDESC(2000, "responses sent 2000-2015 bytes", "2000-2015", - out); - SET_SIZESTATDESC(2016, "responses sent 2016-2031 bytes", "2016-2031", - out); - SET_SIZESTATDESC(2032, "responses sent 2032-2047 bytes", "2032-2047", - out); - SET_SIZESTATDESC(2048, "responses sent 2048-2063 bytes", "2048-2063", - out); - SET_SIZESTATDESC(2064, "responses sent 2064-2079 bytes", "2064-2079", - out); - SET_SIZESTATDESC(2080, "responses sent 2080-2095 bytes", "2080-2095", - out); - SET_SIZESTATDESC(2096, "responses sent 2096-2111 bytes", "2096-2111", - out); - SET_SIZESTATDESC(2112, "responses sent 2112-2127 bytes", "2112-2127", - out); - SET_SIZESTATDESC(2128, "responses sent 2128-2143 bytes", "2128-2143", - out); - SET_SIZESTATDESC(2144, "responses sent 2144-2159 bytes", "2144-2159", - out); - SET_SIZESTATDESC(2160, "responses sent 2160-2175 bytes", "2160-2175", - out); - SET_SIZESTATDESC(2176, "responses sent 2176-2191 bytes", "2176-2191", - out); - SET_SIZESTATDESC(2192, "responses sent 2192-2207 bytes", "2192-2207", - out); - SET_SIZESTATDESC(2208, "responses sent 2208-2223 bytes", "2208-2223", - out); - SET_SIZESTATDESC(2224, "responses sent 2224-2239 bytes", "2224-2239", - out); - SET_SIZESTATDESC(2240, "responses sent 2240-2255 bytes", "2240-2255", - out); - SET_SIZESTATDESC(2256, "responses sent 2256-2271 bytes", "2256-2271", - out); 
- SET_SIZESTATDESC(2272, "responses sent 2272-2287 bytes", "2272-2287", - out); - SET_SIZESTATDESC(2288, "responses sent 2288-2303 bytes", "2288-2303", - out); - SET_SIZESTATDESC(2304, "responses sent 2304-2319 bytes", "2304-2319", - out); - SET_SIZESTATDESC(2320, "responses sent 2320-2335 bytes", "2320-2335", - out); - SET_SIZESTATDESC(2336, "responses sent 2336-2351 bytes", "2336-2351", - out); - SET_SIZESTATDESC(2352, "responses sent 2352-2367 bytes", "2352-2367", - out); - SET_SIZESTATDESC(2368, "responses sent 2368-2383 bytes", "2368-2383", - out); - SET_SIZESTATDESC(2384, "responses sent 2384-2399 bytes", "2384-2399", - out); - SET_SIZESTATDESC(2400, "responses sent 2400-2415 bytes", "2400-2415", - out); - SET_SIZESTATDESC(2416, "responses sent 2416-2431 bytes", "2416-2431", - out); - SET_SIZESTATDESC(2432, "responses sent 2432-2447 bytes", "2432-2447", - out); - SET_SIZESTATDESC(2448, "responses sent 2448-2463 bytes", "2448-2463", - out); - SET_SIZESTATDESC(2464, "responses sent 2464-2479 bytes", "2464-2479", - out); - SET_SIZESTATDESC(2480, "responses sent 2480-2495 bytes", "2480-2495", - out); - SET_SIZESTATDESC(2496, "responses sent 2496-2511 bytes", "2496-2511", - out); - SET_SIZESTATDESC(2512, "responses sent 2512-2527 bytes", "2512-2527", - out); - SET_SIZESTATDESC(2528, "responses sent 2528-2543 bytes", "2528-2543", - out); - SET_SIZESTATDESC(2544, "responses sent 2544-2559 bytes", "2544-2559", - out); - SET_SIZESTATDESC(2560, "responses sent 2560-2575 bytes", "2560-2575", - out); - SET_SIZESTATDESC(2576, "responses sent 2576-2591 bytes", "2576-2591", - out); - SET_SIZESTATDESC(2592, "responses sent 2592-2607 bytes", "2592-2607", - out); - SET_SIZESTATDESC(2608, "responses sent 2608-2623 bytes", "2608-2623", - out); - SET_SIZESTATDESC(2624, "responses sent 2624-2639 bytes", "2624-2639", - out); - SET_SIZESTATDESC(2640, "responses sent 2640-2655 bytes", "2640-2655", - out); - SET_SIZESTATDESC(2656, "responses sent 2656-2671 bytes", "2656-2671", - out); 
- SET_SIZESTATDESC(2672, "responses sent 2672-2687 bytes", "2672-2687", - out); - SET_SIZESTATDESC(2688, "responses sent 2688-2703 bytes", "2688-2703", - out); - SET_SIZESTATDESC(2704, "responses sent 2704-2719 bytes", "2704-2719", - out); - SET_SIZESTATDESC(2720, "responses sent 2720-2735 bytes", "2720-2735", - out); - SET_SIZESTATDESC(2736, "responses sent 2736-2751 bytes", "2736-2751", - out); - SET_SIZESTATDESC(2752, "responses sent 2752-2767 bytes", "2752-2767", - out); - SET_SIZESTATDESC(2768, "responses sent 2768-2783 bytes", "2768-2783", - out); - SET_SIZESTATDESC(2784, "responses sent 2784-2799 bytes", "2784-2799", - out); - SET_SIZESTATDESC(2800, "responses sent 2800-2815 bytes", "2800-2815", - out); - SET_SIZESTATDESC(2816, "responses sent 2816-2831 bytes", "2816-2831", - out); - SET_SIZESTATDESC(2832, "responses sent 2832-2847 bytes", "2832-2847", - out); - SET_SIZESTATDESC(2848, "responses sent 2848-2863 bytes", "2848-2863", - out); - SET_SIZESTATDESC(2864, "responses sent 2864-2879 bytes", "2864-2879", - out); - SET_SIZESTATDESC(2880, "responses sent 2880-2895 bytes", "2880-2895", - out); - SET_SIZESTATDESC(2896, "responses sent 2896-2911 bytes", "2896-2911", - out); - SET_SIZESTATDESC(2912, "responses sent 2912-2927 bytes", "2912-2927", - out); - SET_SIZESTATDESC(2928, "responses sent 2928-2943 bytes", "2928-2943", - out); - SET_SIZESTATDESC(2944, "responses sent 2944-2959 bytes", "2944-2959", - out); - SET_SIZESTATDESC(2960, "responses sent 2960-2975 bytes", "2960-2975", - out); - SET_SIZESTATDESC(2976, "responses sent 2976-2991 bytes", "2976-2991", - out); - SET_SIZESTATDESC(2992, "responses sent 2992-3007 bytes", "2992-3007", - out); - SET_SIZESTATDESC(3008, "responses sent 3008-3023 bytes", "3008-3023", - out); - SET_SIZESTATDESC(3024, "responses sent 3024-3039 bytes", "3024-3039", - out); - SET_SIZESTATDESC(3040, "responses sent 3040-3055 bytes", "3040-3055", - out); - SET_SIZESTATDESC(3056, "responses sent 3056-3071 bytes", "3056-3071", - out); 
- SET_SIZESTATDESC(3072, "responses sent 3072-3087 bytes", "3072-3087", - out); - SET_SIZESTATDESC(3088, "responses sent 3088-3103 bytes", "3088-3103", - out); - SET_SIZESTATDESC(3104, "responses sent 3104-3119 bytes", "3104-3119", - out); - SET_SIZESTATDESC(3120, "responses sent 3120-3135 bytes", "3120-3135", - out); - SET_SIZESTATDESC(3136, "responses sent 3136-3151 bytes", "3136-3151", - out); - SET_SIZESTATDESC(3152, "responses sent 3152-3167 bytes", "3152-3167", - out); - SET_SIZESTATDESC(3168, "responses sent 3168-3183 bytes", "3168-3183", - out); - SET_SIZESTATDESC(3184, "responses sent 3184-3199 bytes", "3184-3199", - out); - SET_SIZESTATDESC(3200, "responses sent 3200-3215 bytes", "3200-3215", - out); - SET_SIZESTATDESC(3216, "responses sent 3216-3231 bytes", "3216-3231", - out); - SET_SIZESTATDESC(3232, "responses sent 3232-3247 bytes", "3232-3247", - out); - SET_SIZESTATDESC(3248, "responses sent 3248-3263 bytes", "3248-3263", - out); - SET_SIZESTATDESC(3264, "responses sent 3264-3279 bytes", "3264-3279", - out); - SET_SIZESTATDESC(3280, "responses sent 3280-3295 bytes", "3280-3295", - out); - SET_SIZESTATDESC(3296, "responses sent 3296-3311 bytes", "3296-3311", - out); - SET_SIZESTATDESC(3312, "responses sent 3312-3327 bytes", "3312-3327", - out); - SET_SIZESTATDESC(3328, "responses sent 3328-3343 bytes", "3328-3343", - out); - SET_SIZESTATDESC(3344, "responses sent 3344-3359 bytes", "3344-3359", - out); - SET_SIZESTATDESC(3360, "responses sent 3360-3375 bytes", "3360-3375", - out); - SET_SIZESTATDESC(3376, "responses sent 3376-3391 bytes", "3376-3391", - out); - SET_SIZESTATDESC(3392, "responses sent 3392-3407 bytes", "3392-3407", - out); - SET_SIZESTATDESC(3408, "responses sent 3408-3423 bytes", "3408-3423", - out); - SET_SIZESTATDESC(3424, "responses sent 3424-3439 bytes", "3424-3439", - out); - SET_SIZESTATDESC(3440, "responses sent 3440-3455 bytes", "3440-3455", - out); - SET_SIZESTATDESC(3456, "responses sent 3456-3471 bytes", "3456-3471", - out); 
- SET_SIZESTATDESC(3472, "responses sent 3472-3487 bytes", "3472-3487", - out); - SET_SIZESTATDESC(3488, "responses sent 3488-3503 bytes", "3488-3503", - out); - SET_SIZESTATDESC(3504, "responses sent 3504-3519 bytes", "3504-3519", - out); - SET_SIZESTATDESC(3520, "responses sent 3520-3535 bytes", "3520-3535", - out); - SET_SIZESTATDESC(3536, "responses sent 3536-3551 bytes", "3536-3551", - out); - SET_SIZESTATDESC(3552, "responses sent 3552-3567 bytes", "3552-3567", - out); - SET_SIZESTATDESC(3568, "responses sent 3568-3583 bytes", "3568-3583", - out); - SET_SIZESTATDESC(3584, "responses sent 3584-3599 bytes", "3584-3599", - out); - SET_SIZESTATDESC(3600, "responses sent 3600-3615 bytes", "3600-3615", - out); - SET_SIZESTATDESC(3616, "responses sent 3616-3631 bytes", "3616-3631", - out); - SET_SIZESTATDESC(3632, "responses sent 3632-3647 bytes", "3632-3647", - out); - SET_SIZESTATDESC(3648, "responses sent 3648-3663 bytes", "3648-3663", - out); - SET_SIZESTATDESC(3664, "responses sent 3664-3679 bytes", "3664-3679", - out); - SET_SIZESTATDESC(3680, "responses sent 3680-3695 bytes", "3680-3695", - out); - SET_SIZESTATDESC(3696, "responses sent 3696-3711 bytes", "3696-3711", - out); - SET_SIZESTATDESC(3712, "responses sent 3712-3727 bytes", "3712-3727", - out); - SET_SIZESTATDESC(3728, "responses sent 3728-3743 bytes", "3728-3743", - out); - SET_SIZESTATDESC(3744, "responses sent 3744-3759 bytes", "3744-3759", - out); - SET_SIZESTATDESC(3760, "responses sent 3760-3775 bytes", "3760-3775", - out); - SET_SIZESTATDESC(3776, "responses sent 3776-3791 bytes", "3776-3791", - out); - SET_SIZESTATDESC(3792, "responses sent 3792-3807 bytes", "3792-3807", - out); - SET_SIZESTATDESC(3808, "responses sent 3808-3823 bytes", "3808-3823", - out); - SET_SIZESTATDESC(3824, "responses sent 3824-3839 bytes", "3824-3839", - out); - SET_SIZESTATDESC(3840, "responses sent 3840-3855 bytes", "3840-3855", - out); - SET_SIZESTATDESC(3856, "responses sent 3856-3871 bytes", "3856-3871", - out); 
- SET_SIZESTATDESC(3872, "responses sent 3872-3887 bytes", "3872-3887", - out); - SET_SIZESTATDESC(3888, "responses sent 3888-3903 bytes", "3888-3903", - out); - SET_SIZESTATDESC(3904, "responses sent 3904-3919 bytes", "3904-3919", - out); - SET_SIZESTATDESC(3920, "responses sent 3920-3935 bytes", "3920-3935", - out); - SET_SIZESTATDESC(3936, "responses sent 3936-3951 bytes", "3936-3951", - out); - SET_SIZESTATDESC(3952, "responses sent 3952-3967 bytes", "3952-3967", - out); - SET_SIZESTATDESC(3968, "responses sent 3968-3983 bytes", "3968-3983", - out); - SET_SIZESTATDESC(3984, "responses sent 3984-3999 bytes", "3984-3999", - out); - SET_SIZESTATDESC(4000, "responses sent 4000-4015 bytes", "4000-4015", - out); - SET_SIZESTATDESC(4016, "responses sent 4016-4031 bytes", "4016-4031", - out); - SET_SIZESTATDESC(4032, "responses sent 4032-4047 bytes", "4032-4047", - out); - SET_SIZESTATDESC(4048, "responses sent 4048-4063 bytes", "4048-4063", - out); - SET_SIZESTATDESC(4064, "responses sent 4064-4079 bytes", "4064-4079", - out); - SET_SIZESTATDESC(4080, "responses sent 4080-4095 bytes", "4080-4095", - out); - SET_SIZESTATDESC(4096, "responses sent 4096+ bytes", "4096+", out); - INSIST(i == dns_sizecounter_out_max); - - /* Sanity check */ - for (i = 0; i < ns_statscounter_max; i++) { - INSIST(nsstats_desc[i] != NULL); - } - for (i = 0; i < dns_resstatscounter_max; i++) { - INSIST(resstats_desc[i] != NULL); - } - for (i = 0; i < dns_adbstats_max; i++) { - INSIST(adbstats_desc[i] != NULL); - } - for (i = 0; i < dns_zonestatscounter_max; i++) { - INSIST(zonestats_desc[i] != NULL); - } - for (i = 0; i < isc_sockstatscounter_max; i++) { - INSIST(sockstats_desc[i] != NULL); - } - for (i = 0; i < dns_dnssecstats_max; i++) { - INSIST(dnssecstats_desc[i] != NULL); - } - for (i = 0; i < dns_sizecounter_in_max; i++) { - INSIST(udpinsizestats_desc[i] != NULL); - INSIST(tcpinsizestats_desc[i] != NULL); - } - for (i = 0; i < dns_sizecounter_out_max; i++) { - 
INSIST(udpoutsizestats_desc[i] != NULL); - INSIST(tcpoutsizestats_desc[i] != NULL); - } + for (i = 0; i <= DNS_SIZEHISTO_MAXIN; i++) { + udpinsizestats_index[i] = i; + tcpinsizestats_index[i] = i; + udpinsizestats_desc[i] = get_histo_desc( + "requests received", i, DNS_SIZEHISTO_MAXIN, false); + tcpinsizestats_desc[i] = udpinsizestats_desc[i]; #if defined(EXTENDED_STATS) - for (i = 0; i < ns_statscounter_max; i++) { - INSIST(nsstats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_resstatscounter_max; i++) { - INSIST(resstats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_adbstats_max; i++) { - INSIST(adbstats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_zonestatscounter_max; i++) { - INSIST(zonestats_xmldesc[i] != NULL); - } - for (i = 0; i < isc_sockstatscounter_max; i++) { - INSIST(sockstats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_dnssecstats_max; i++) { - INSIST(dnssecstats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_sizecounter_in_max; i++) { - INSIST(udpinsizestats_xmldesc[i] != NULL); - INSIST(tcpinsizestats_xmldesc[i] != NULL); - } - for (i = 0; i < dns_sizecounter_out_max; i++) { - INSIST(udpoutsizestats_xmldesc[i] != NULL); - INSIST(tcpoutsizestats_xmldesc[i] != NULL); - } + if (i < DNS_SIZEHISTO_MAXIN) { + udpinsizestats_xmldesc[i] = udpoutsizestats_xmldesc[i]; + tcpinsizestats_xmldesc[i] = tcpoutsizestats_xmldesc[i]; + } else { + udpinsizestats_xmldesc[i] = + get_histo_desc("requests received", i, + DNS_SIZEHISTO_MAXIN, true); + tcpinsizestats_xmldesc[i] = udpinsizestats_xmldesc[i]; + } #endif /* if defined(EXTENDED_STATS) */ + } } /*% * Dump callback functions. */ + +static isc_result_t +dump_counters(isc_statsformat_t type, void *arg, const char *category, + const char **desc, int ncounters, int *indices, uint64_t *values, + int options); + static void generalstat_dump(isc_statscounter_t counter, uint64_t val, void *arg) { stats_dumparg_t *dumparg = arg; 
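Review bot: The "responses sent" loop stops at `i < DNS_SIZEHISTO_MAXOUT` while the "requests received" loop runs `i <= DNS_SIZEHISTO_MAXIN` and the value arrays this diff adds in generatexml() are sized `DNS_SIZEHISTO_MAXOUT + 1`, so index DNS_SIZEHISTO_MAXOUT of `udpoutsizestats_desc`/`tcpoutsizestats_desc` (the open-ended `%u+` bucket that get_histo_desc() produces when `i >= inf`) is never filled and stays NULL, and the matching `_index` slot is never assigned. If dump_counters() is later called with `DNS_SIZEHISTO_MAXOUT + 1` counters, `desc[idx]` reaches fprintf()'s `%s` as NULL; the intended bound is presumably `for (i = 0; i <= DNS_SIZEHISTO_MAXOUT; i++) {`. The sanity-check loops that INSISTed every `*_desc[i] != NULL` are removed in this same hunk, so a gap like this is no longer caught at startup; keeping a reduced form of that check for the two histogram description arrays would be cheap. The start of init_desc() lies outside this hunk.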
@@ -1324,12 +833,47 @@ generalstat_dump(isc_statscounter_t counter, uint64_t val, void *arg) { } static isc_result_t -dump_counters(isc_stats_t *stats, isc_statsformat_t type, void *arg, - const char *category, const char **desc, int ncounters, - int *indices, uint64_t *values, int options) { +dump_stats(isc_stats_t *stats, isc_statsformat_t type, void *arg, + const char *category, const char **desc, int ncounters, int *indices, + uint64_t *values, int options) { + stats_dumparg_t dumparg; + + dumparg.type = type; + dumparg.ncounters = ncounters; + dumparg.counterindices = indices; + dumparg.countervalues = values; + + memset(values, 0, sizeof(values[0]) * ncounters); + isc_stats_dump(stats, generalstat_dump, &dumparg, options); + + return (dump_counters(type, arg, category, desc, ncounters, indices, + values, options)); +} + +#if defined(EXTENDED_STATS) +static isc_result_t +dump_histo(isc_histomulti_t *hm, isc_statsformat_t type, void *arg, + const char *category, const char **desc, int ncounters, int *indices, + uint64_t *values, int options) { + isc_histo_t *hg = NULL; + + isc_histomulti_merge(&hg, hm); + for (int i = 0; i < ncounters; i++) { + isc_histo_get(hg, i, NULL, NULL, &values[i]); + } + isc_histo_destroy(&hg); + + return (dump_counters(type, arg, category, desc, ncounters, indices, + values, options)); +} +#endif /* defined(EXTENDED_STATS) */ + +static isc_result_t +dump_counters(isc_statsformat_t type, void *arg, const char *category, + const char **desc, int ncounters, int *indices, uint64_t *values, + int options) { int i, idx; uint64_t value; - stats_dumparg_t dumparg; FILE *fp; #ifdef HAVE_LIBXML2 void *writer; 
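Review bot: dump_histo() does not zero `values` before filling it, unlike dump_stats() directly above it which does `memset(values, 0, sizeof(values[0]) * ncounters);`, and the return value of `isc_histo_get()` is discarded; if that call can fail or leave its out-parameter untouched for a bucket index beyond what the merged histogram holds, dump_counters() then reads an uninitialized `values[i]`. Adding the same memset at the top of dump_histo(), or checking the result of isc_histo_get() and zeroing the slot on failure, closes that gap. A short comment on dump_histo() noting that it merges the per-thread histograms into a temporary `isc_histo_t` and destroys it before dumping would also help, since the ownership of `hg` is only implied by the destroy call.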
@@ -1343,14 +887,6 @@ dump_counters(isc_stats_t *stats, isc_statsformat_t type, void *arg, UNUSED(category); #endif /* if !defined(EXTENDED_STATS) */ - dumparg.type = type; - dumparg.ncounters = ncounters; - dumparg.counterindices = indices; - dumparg.countervalues = values; - - memset(values, 0, sizeof(values[0]) * ncounters); - isc_stats_dump(stats, generalstat_dump, &dumparg, options); - #ifdef HAVE_JSON_C cat = job = (json_object *)arg; if (ncounters > 0 && type == isc_statsformat_json) { @@ -1372,7 +908,7 @@ dump_counters(isc_stats_t *stats, isc_statsformat_t type, void *arg, continue; } - switch (dumparg.type) { + switch (type) { case isc_statsformat_file: fp = arg; fprintf(fp, "%20" PRIu64 " %s\n", value, desc[idx]); @@ -1454,7 +990,8 @@ rdtypestat_dump(dns_rdatastatstype_t type, uint64_t val, void *arg) { #endif /* ifdef HAVE_JSON_C */ if ((DNS_RDATASTATSTYPE_ATTR(type) & - DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) == 0) { + DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) == 0) + { dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf, sizeof(typebuf)); typestr = typebuf; @@ -1526,7 +1063,8 @@ rdatasetstats_dump(dns_rdatastatstype_t type, uint64_t val, void *arg) { #endif /* ifdef HAVE_JSON_C */ if ((DNS_RDATASTATSTYPE_ATTR(type) & - DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0) { + DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0) + { typestr = "NXDOMAIN"; } else if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) != 0) @@ -1703,7 +1241,7 @@ rcodestat_dump(dns_rcode_t code, uint64_t val, void *arg) { #if defined(EXTENDED_STATS) static void -dnssecsignstat_dump(dns_keytag_t tag, uint64_t val, void *arg) { +dnssecsignstat_dump(uint32_t kval, uint64_t val, void *arg) { FILE *fp; char tagbuf[64]; stats_dumparg_t *dumparg = arg; 
@@ -1715,7 +1253,11 @@ dnssecsignstat_dump(dns_keytag_t tag, uint64_t val, void *arg) { json_object *zoneobj, *obj; #endif /* ifdef HAVE_JSON_C */ - snprintf(tagbuf, sizeof(tagbuf), "%u", tag); + /* + * kval is '(algorithm << 16) | keyid'. + */ + snprintf(tagbuf, sizeof(tagbuf), "%u+%u", (kval >> 16) & 0xff, + kval & 0xffff); switch (dumparg->type) { case isc_statsformat_file: @@ -1762,7 +1304,6 @@ dnssecsignstat_dump(dns_keytag_t tag, uint64_t val, void *arg) { #define STATS_XML_STATUS 0x00 /* display only common statistics */ #define STATS_XML_SERVER 0x01 #define STATS_XML_ZONES 0x02 -#define STATS_XML_TASKS 0x04 #define STATS_XML_NET 0x08 #define STATS_XML_MEM 0x10 #define STATS_XML_TRAFFIC 0x20 @@ -1819,10 +1360,9 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { /* * Export zone timers to the statistics channel in XML format. For - * master zones, only include the loaded time. For slave zones, also - * include the expires and refresh times. + * primary zones, only include the loaded time. For secondary zones, + * also include the expire and refresh times. */ - CHECK(dns_zone_getloadtime(zone, ×tamp)); isc_time_formatISO8601(×tamp, buf, 64); @@ -1830,7 +1370,7 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf)); TRY0(xmlTextWriterEndElement(writer)); - if (dns_zone_gettype(zone) == dns_zone_slave) { + if (dns_zone_gettype(zone) == dns_zone_secondary) { CHECK(dns_zone_getexpiretime(zone, ×tamp)); isc_time_formatISO8601(×tamp, buf, 64); TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "expires")); 
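Review bot: The key label written by dnssecsignstat_dump() changes from the bare key tag (`"%u"`) to `"%u+%u"` (algorithm+keyid), which alters the strings emitted for the dnssec-sign counters in the file, XML and JSON statistics output; any consumer parsing those names will see a different format, so this deserves a mention in the release notes and statistics-channel documentation alongside the `STATS_XML_VERSION` bump. The comment `kval is '(algorithm << 16) | keyid'` is helpful; extending it to `/* kval is '(algorithm << 16) | keyid'; the algorithm is 8-bit and the keyid 16-bit, hence the masks. */` documents why `& 0xff` and `& 0xffff` are applied. The remainder of dnssecsignstat_dump() lies outside this hunk.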
@@ -1860,11 +1400,10 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { ISC_XMLCHAR "type", ISC_XMLCHAR "rcode")); - CHECK(dump_counters(zonestats, isc_statsformat_xml, - writer, NULL, nsstats_xmldesc, - ns_statscounter_max, nsstats_index, - nsstat_values, - ISC_STATSDUMP_VERBOSE)); + CHECK(dump_stats(zonestats, isc_statsformat_xml, writer, + NULL, nsstats_xmldesc, + ns_statscounter_max, nsstats_index, + nsstat_values, ISC_STATSDUMP_VERBOSE)); /* counters type="rcode"*/ TRY0(xmlTextWriterEndElement(writer)); } @@ -1877,12 +1416,12 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { writer, ISC_XMLCHAR "type", ISC_XMLCHAR "gluecache")); - CHECK(dump_counters( - gluecachestats, isc_statsformat_xml, writer, - NULL, gluecachestats_xmldesc, - dns_gluecachestatscounter_max, - gluecachestats_index, gluecachestats_values, - ISC_STATSDUMP_VERBOSE)); + CHECK(dump_stats(gluecachestats, isc_statsformat_xml, + writer, NULL, gluecachestats_xmldesc, + dns_gluecachestatscounter_max, + gluecachestats_index, + gluecachestats_values, + ISC_STATSDUMP_VERBOSE)); /* counters type="rcode"*/ TRY0(xmlTextWriterEndElement(writer)); } @@ -1956,7 +1495,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, char boottime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"]; char configtime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"]; char nowstr[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"]; - isc_time_t now; + isc_time_t now = isc_time_now(); xmlTextWriterPtr writer = NULL; xmlDocPtr doc = NULL; int xmlrc; 
@@ -1968,16 +1507,15 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, uint64_t adbstat_values[dns_adbstats_max]; uint64_t zonestat_values[dns_zonestatscounter_max]; uint64_t sockstat_values[isc_sockstatscounter_max]; - uint64_t udpinsizestat_values[dns_sizecounter_in_max]; - uint64_t udpoutsizestat_values[dns_sizecounter_out_max]; - uint64_t tcpinsizestat_values[dns_sizecounter_in_max]; - uint64_t tcpoutsizestat_values[dns_sizecounter_out_max]; + uint64_t udpinsizestat_values[DNS_SIZEHISTO_MAXIN + 1]; + uint64_t udpoutsizestat_values[DNS_SIZEHISTO_MAXOUT + 1]; + uint64_t tcpinsizestat_values[DNS_SIZEHISTO_MAXIN + 1]; + uint64_t tcpoutsizestat_values[DNS_SIZEHISTO_MAXOUT + 1]; #ifdef HAVE_DNSTAP uint64_t dnstapstat_values[dns_dnstapcounter_max]; #endif /* ifdef HAVE_DNSTAP */ isc_result_t result; - isc_time_now(&now); isc_time_formatISO8601ms(&named_g_boottime, boottime, sizeof boottime); isc_time_formatISO8601ms(&named_g_configtime, configtime, sizeof configtime); @@ -1993,7 +1531,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, "href=\"/bind9.xsl\"")); TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version", - ISC_XMLCHAR "3.11")); + ISC_XMLCHAR STATS_XML_VERSION)); /* Set common fields for statistics dump */ dumparg.type = isc_statsformat_xml; @@ -2052,11 +1590,11 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "nsstat")); - CHECK(dump_counters(ns_stats_get(server->sctx->nsstats), - isc_statsformat_xml, writer, NULL, - nsstats_xmldesc, ns_statscounter_max, - nsstats_index, nsstat_values, - ISC_STATSDUMP_VERBOSE)); + CHECK(dump_stats(ns_stats_get(server->sctx->nsstats), + isc_statsformat_xml, writer, NULL, + nsstats_xmldesc, ns_statscounter_max, + nsstats_index, nsstat_values, + ISC_STATSDUMP_VERBOSE)); TRY0(xmlTextWriterEndElement(writer)); /* /nsstat */ 
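Review bot: The four size-histogram value arrays are now sized `DNS_SIZEHISTO_MAXIN + 1` / `DNS_SIZEHISTO_MAXOUT + 1`, but every `dump_histo` call that receives them (`@@ -2128` through `@@ -2212` in generatexml and `@@ -3193` in generatejson) still passes `dns_sizecounter_in_max` / `dns_sizecounter_out_max` as the counter count, and nothing in the hunk ties the two constants together. If `dump_histo` fills as many entries of the values array as that count argument says, as `dump_counters` presumably did, the two must agree or the stack array is overrun. I'd either derive the array sizes from the same constant the calls pass, or add `_Static_assert(dns_sizecounter_in_max <= DNS_SIZEHISTO_MAXIN + 1, "size histogram values array too small");` (and the `_out_`/`MAXOUT` variant) next to the declarations so a later change to either side fails to compile. generatexml's body continues outside the hunk.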
@@ -2064,10 +1602,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "zonestat")); - CHECK(dump_counters(server->zonestats, isc_statsformat_xml, - writer, NULL, zonestats_xmldesc, - dns_zonestatscounter_max, zonestats_index, - zonestat_values, ISC_STATSDUMP_VERBOSE)); + CHECK(dump_stats(server->zonestats, isc_statsformat_xml, writer, + NULL, zonestats_xmldesc, + dns_zonestatscounter_max, zonestats_index, + zonestat_values, ISC_STATSDUMP_VERBOSE)); TRY0(xmlTextWriterEndElement(writer)); /* /zonestat */ @@ -2078,10 +1616,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "resstat")); - CHECK(dump_counters(server->resolverstats, isc_statsformat_xml, - writer, NULL, resstats_xmldesc, - dns_resstatscounter_max, resstats_index, - resstat_values, 0)); + CHECK(dump_stats(server->resolverstats, isc_statsformat_xml, + writer, NULL, resstats_xmldesc, + dns_resstatscounter_max, resstats_index, + resstat_values, 0)); TRY0(xmlTextWriterEndElement(writer)); /* resstat */ @@ -2094,7 +1632,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, ISC_XMLCHAR "type", ISC_XMLCHAR "dnstap")); dns_dt_getstats(named_g_server->dtenv, &dnstapstats); - result = dump_counters( + result = dump_stats( dnstapstats, isc_statsformat_xml, writer, NULL, dnstapstats_xmldesc, dns_dnstapcounter_max, dnstapstats_index, dnstapstat_values, 0); 
@@ -2111,10 +1649,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "sockstat")); - CHECK(dump_counters(server->sockstats, isc_statsformat_xml, - writer, NULL, sockstats_xmldesc, - isc_sockstatscounter_max, sockstats_index, - sockstat_values, ISC_STATSDUMP_VERBOSE)); + CHECK(dump_stats(server->sockstats, isc_statsformat_xml, writer, + NULL, sockstats_xmldesc, + isc_sockstatscounter_max, sockstats_index, + sockstat_values, ISC_STATSDUMP_VERBOSE)); TRY0(xmlTextWriterEndElement(writer)); /* /sockstat */ } @@ -2128,10 +1666,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "request-size")); - CHECK(dump_counters( - server->sctx->udpinstats4, isc_statsformat_xml, writer, - NULL, udpinsizestats_xmldesc, dns_sizecounter_in_max, - udpinsizestats_index, udpinsizestat_values, 0)); + CHECK(dump_histo(server->sctx->udpinstats4, isc_statsformat_xml, + writer, NULL, udpinsizestats_xmldesc, + dns_sizecounter_in_max, udpinsizestats_index, + udpinsizestat_values, 0)); TRY0(xmlTextWriterEndElement(writer)); /* */ @@ -2139,7 +1677,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "response-size")); - CHECK(dump_counters( + CHECK(dump_histo( server->sctx->udpoutstats4, isc_statsformat_xml, writer, NULL, udpoutsizestats_xmldesc, dns_sizecounter_out_max, udpoutsizestats_index, udpoutsizestat_values, 0)); 
@@ -2152,17 +1690,17 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "request-size")); - CHECK(dump_counters( - server->sctx->tcpinstats4, isc_statsformat_xml, writer, - NULL, tcpinsizestats_xmldesc, dns_sizecounter_in_max, - tcpinsizestats_index, tcpinsizestat_values, 0)); + CHECK(dump_histo(server->sctx->tcpinstats4, isc_statsformat_xml, + writer, NULL, tcpinsizestats_xmldesc, + dns_sizecounter_in_max, tcpinsizestats_index, + tcpinsizestat_values, 0)); TRY0(xmlTextWriterEndElement(writer)); /* */ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "response-size")); - CHECK(dump_counters( + CHECK(dump_histo( server->sctx->tcpoutstats4, isc_statsformat_xml, writer, NULL, tcpoutsizestats_xmldesc, dns_sizecounter_out_max, tcpoutsizestats_index, tcpoutsizestat_values, 0)); @@ -2177,10 +1715,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "request-size")); - CHECK(dump_counters( - server->sctx->udpinstats6, isc_statsformat_xml, writer, - NULL, udpinsizestats_xmldesc, dns_sizecounter_in_max, - udpinsizestats_index, udpinsizestat_values, 0)); + CHECK(dump_histo(server->sctx->udpinstats6, isc_statsformat_xml, + writer, NULL, udpinsizestats_xmldesc, + dns_sizecounter_in_max, udpinsizestats_index, + udpinsizestat_values, 0)); TRY0(xmlTextWriterEndElement(writer)); /* */ @@ -2188,7 +1726,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "response-size")); - CHECK(dump_counters( + CHECK(dump_histo( server->sctx->udpoutstats6, isc_statsformat_xml, writer, NULL, udpoutsizestats_xmldesc, dns_sizecounter_out_max, udpoutsizestats_index, udpoutsizestat_values, 0)); 
@@ -2201,10 +1739,10 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "request-size")); - CHECK(dump_counters( - server->sctx->tcpinstats6, isc_statsformat_xml, writer, - NULL, tcpinsizestats_xmldesc, dns_sizecounter_in_max, - tcpinsizestats_index, tcpinsizestat_values, 0)); + CHECK(dump_histo(server->sctx->tcpinstats6, isc_statsformat_xml, + writer, NULL, tcpinsizestats_xmldesc, + dns_sizecounter_in_max, tcpinsizestats_index, + tcpinsizestat_values, 0)); TRY0(xmlTextWriterEndElement(writer)); /* */ @@ -2212,7 +1750,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "response-size")); - CHECK(dump_counters( + CHECK(dump_histo( server->sctx->tcpoutstats6, isc_statsformat_xml, writer, NULL, tcpoutsizestats_xmldesc, dns_sizecounter_out_max, tcpoutsizestats_index, tcpoutsizestat_values, 0)); @@ -2230,7 +1768,12 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, view = ISC_LIST_HEAD(server->viewlist); TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views")); while (view != NULL && - ((flags & (STATS_XML_SERVER | STATS_XML_ZONES)) != 0)) { + ((flags & (STATS_XML_SERVER | STATS_XML_ZONES)) != 0)) + { + isc_stats_t *istats = NULL; + dns_stats_t *dstats = NULL; + dns_adb_t *adb = NULL; + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name", ISC_XMLCHAR view->name)); @@ -2238,8 +1781,8 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, if ((flags & STATS_XML_ZONES) != 0) { TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones")); - CHECK(dns_zt_apply(view->zonetable, true, NULL, - zone_xmlrender, writer)); + CHECK(dns_view_apply(view, true, NULL, zone_xmlrender, + writer)); TRY0(xmlTextWriterEndElement(writer)); /* /zones */ } 
@@ -2253,25 +1796,29 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "resqtype")); - if (view->resquerystats != NULL) { + dns_resolver_getquerystats(view->resolver, &dstats); + if (dstats != NULL) { dumparg.result = ISC_R_SUCCESS; - dns_rdatatypestats_dump(view->resquerystats, - rdtypestat_dump, &dumparg, 0); + dns_rdatatypestats_dump(dstats, rdtypestat_dump, + &dumparg, 0); CHECK(dumparg.result); } + dns_stats_detach(&dstats); TRY0(xmlTextWriterEndElement(writer)); /* */ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "resstats")); - if (view->resstats != NULL) { - CHECK(dump_counters(view->resstats, isc_statsformat_xml, - writer, NULL, resstats_xmldesc, - dns_resstatscounter_max, - resstats_index, resstat_values, - ISC_STATSDUMP_VERBOSE)); + dns_resolver_getstats(view->resolver, &istats); + if (istats != NULL) { + CHECK(dump_stats(istats, isc_statsformat_xml, writer, + NULL, resstats_xmldesc, + dns_resstatscounter_max, + resstats_index, resstat_values, + ISC_STATSDUMP_VERBOSE)); } + isc_stats_detach(&istats); TRY0(xmlTextWriterEndElement(writer)); /* */ cacherrstats = dns_db_getrrsetstats(view->cachedb); 
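Review bot: `dns_stats_detach(&dstats)` and `isc_stats_detach(&istats)` are placed after the `if (... != NULL)` guards rather than inside them, so when the resolver hands back no stats the detach runs on a NULL pointer, which the ISC detach functions normally reject with a REQUIRE assertion; and the `CHECK` inside each guard jumps to cleanup before the detach, so the reference is leaked on the error path. The adb block in the next hunk already uses the right shape (store `result`, detach, then `CHECK`), and the JSON counterparts in generatejson (`@@ -2993` and `@@ -3021`) keep the detach inside the guard but, as far as the visible lines show, also appear to `goto cleanup` between the `dump_stats` call and the detach, so the same fix applies there. Either the NULL guards are redundant and should go, or the detaches belong inside them; the latter is below. generatexml continues outside the hunk.
```c
	dns_resolver_getquerystats(view->resolver, &dstats);
	if (dstats != NULL) {
		dumparg.result = ISC_R_SUCCESS;
		dns_rdatatypestats_dump(dstats, rdtypestat_dump, &dumparg, 0);
		dns_stats_detach(&dstats);
		CHECK(dumparg.result);
	}
	/* … unchanged: resqtype end element, resstats start element … */
	dns_resolver_getstats(view->resolver, &istats);
	if (istats != NULL) {
		result = dump_stats(istats, isc_statsformat_xml, writer, NULL,
				    resstats_xmldesc, dns_resstatscounter_max,
				    resstats_index, resstat_values,
				    ISC_STATSDUMP_VERBOSE);
		isc_stats_detach(&istats);
		CHECK(result);
	}
```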
@@ -2292,12 +1839,15 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters")); TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type", ISC_XMLCHAR "adbstat")); - if (view->adbstats != NULL) { - CHECK(dump_counters(view->adbstats, isc_statsformat_xml, - writer, NULL, adbstats_xmldesc, - dns_adbstats_max, adbstats_index, - adbstat_values, - ISC_STATSDUMP_VERBOSE)); + dns_view_getadb(view, &adb); + if (adb != NULL) { + result = dump_stats(dns_adb_getstats(adb), + isc_statsformat_xml, writer, NULL, + adbstats_xmldesc, dns_adbstats_max, + adbstats_index, adbstat_values, + ISC_STATSDUMP_VERBOSE); + dns_adb_detach(&adb); + CHECK(result); } TRY0(xmlTextWriterEndElement(writer)); /* */ @@ -2314,19 +1864,6 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, } TRY0(xmlTextWriterEndElement(writer)); /* /views */ - if ((flags & STATS_XML_NET) != 0) { - TRY0(xmlTextWriterStartElement(writer, - ISC_XMLCHAR "socketmgr")); - TRY0(isc_socketmgr_renderxml(named_g_socketmgr, writer)); - TRY0(xmlTextWriterEndElement(writer)); /* /socketmgr */ - } - - if ((flags & STATS_XML_TASKS) != 0) { - TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr")); - TRY0(isc_taskmgr_renderxml(named_g_taskmgr, writer)); - TRY0(xmlTextWriterEndElement(writer)); /* /taskmgr */ - } - if ((flags & STATS_XML_MEM) != 0) { TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory")); TRY0(isc_mem_renderxml(writer)); 
@@ -2366,20 +1903,14 @@ wrap_xmlfree(isc_buffer_t *buffer, void *arg) { } static isc_result_t -render_xml(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, const char **mimetype, - isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { +render_xml(uint32_t flags, void *arg, unsigned int *retcode, + const char **retmsg, const char **mimetype, isc_buffer_t *b, + isc_httpdfree_t **freecb, void **freecb_args) { unsigned char *msg = NULL; int msglen; named_server_t *server = arg; isc_result_t result; - UNUSED(url); - UNUSED(urlinfo); - UNUSED(headers); - UNUSED(querystring); - result = generatexml(server, flags, &msglen, &msg); if (result == ISC_R_SUCCESS) { 
@@ -2400,91 +1931,80 @@ render_xml(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo, } static isc_result_t -render_xml_all(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_all(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_ALL, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_ALL, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_status(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_status(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_STATUS, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_STATUS, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_server(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_server(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_SERVER, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + 
UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_SERVER, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_zones(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_zones(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_ZONES, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_ZONES, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_net(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_net(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_NET, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); -} - -static isc_result_t -render_xml_tasks(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, - const char **mimetype, isc_buffer_t *b, - isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_TASKS, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_NET, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_mem(const char *url, isc_httpdurl_t *urlinfo, - const char 
*querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_mem(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_MEM, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_MEM, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_xml_traffic(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_xml_traffic(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_xml(STATS_XML_TRAFFIC, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_xml(STATS_XML_TRAFFIC, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } #endif /* HAVE_LIBXML2 */ @@ -2496,7 +2016,6 @@ render_xml_traffic(const char *url, isc_httpdurl_t *urlinfo, #define STATS_JSON_STATUS 0x00 /* display only common statistics */ #define STATS_JSON_SERVER 0x01 #define STATS_JSON_ZONES 0x02 -#define STATS_JSON_TASKS 0x04 #define STATS_JSON_NET 0x08 #define STATS_JSON_MEM 0x10 #define STATS_JSON_TRAFFIC 0x20 @@ -2553,6 +2072,7 @@ zone_jsonrender(dns_zone_t *zone, void *arg) { json_object *zonearray = (json_object *)arg; json_object *zoneobj = NULL; dns_zonestat_level_t statlevel; + isc_time_t timestamp; statlevel = dns_zone_getstatlevel(zone); if (statlevel == dns_zonestat_none) { 
@@ -2579,19 +2099,17 @@ zone_jsonrender(dns_zone_t *zone, void *arg) { } /* - * Export zone timers to the statistics channel in JSON format. For - * master zones, only include the loaded time. For slave zones, also - * include the expires and refresh times. + * Export zone timers to the statistics channel in JSON format. + * For primary zones, only include the loaded time. For secondary + * zones, also include the expire and refresh times. */ - isc_time_t timestamp; - CHECK(dns_zone_getloadtime(zone, ×tamp)); isc_time_formatISO8601(×tamp, buf, 64); json_object_object_add(zoneobj, "loaded", json_object_new_string(buf)); - if (dns_zone_gettype(zone) == dns_zone_slave) { + if (dns_zone_gettype(zone) == dns_zone_secondary) { CHECK(dns_zone_getexpiretime(zone, ×tamp)); isc_time_formatISO8601(×tamp, buf, 64); json_object_object_add(zoneobj, "expires", @@ -2619,10 +2137,10 @@ zone_jsonrender(dns_zone_t *zone, void *arg) { goto cleanup; } - result = dump_counters(zonestats, isc_statsformat_json, - counters, NULL, nsstats_xmldesc, - ns_statscounter_max, - nsstats_index, nsstat_values, 0); + result = dump_stats(zonestats, isc_statsformat_json, + counters, NULL, nsstats_xmldesc, + ns_statscounter_max, nsstats_index, + nsstat_values, 0); if (result != ISC_R_SUCCESS) { json_object_put(counters); goto cleanup; @@ -2644,7 +2162,7 @@ zone_jsonrender(dns_zone_t *zone, void *arg) { goto cleanup; } - result = dump_counters( + result = dump_stats( gluecachestats, isc_statsformat_json, counters, NULL, gluecachestats_xmldesc, dns_gluecachestatscounter_max, @@ -2726,7 +2244,8 @@ zone_jsonrender(dns_zone_t *zone, void *arg) { } if (json_object_get_object(refresh_counters)->count != - 0) { + 0) + { json_object_object_add(zoneobj, "dnssec-refresh", refresh_counters); 
@@ -2788,11 +2307,11 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, /* * These statistics are included no matter which URL we use. */ - obj = json_object_new_string("1.5"); + obj = json_object_new_string(STATS_JSON_VERSION); CHECKMEM(obj); json_object_object_add(bindstats, "json-stats-version", obj); - isc_time_now(&now); + now = isc_time_now(); isc_time_formatISO8601ms(&named_g_boottime, boottime, sizeof(boottime)); isc_time_formatISO8601ms(&named_g_configtime, configtime, sizeof configtime); @@ -2878,10 +2397,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, dumparg.result = ISC_R_SUCCESS; dumparg.arg = counters; - result = dump_counters(ns_stats_get(server->sctx->nsstats), - isc_statsformat_json, counters, NULL, - nsstats_xmldesc, ns_statscounter_max, - nsstats_index, nsstat_values, 0); + result = dump_stats(ns_stats_get(server->sctx->nsstats), + isc_statsformat_json, counters, NULL, + nsstats_xmldesc, ns_statscounter_max, + nsstats_index, nsstat_values, 0); if (result != ISC_R_SUCCESS) { json_object_put(counters); goto cleanup; @@ -2899,10 +2418,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, dumparg.result = ISC_R_SUCCESS; dumparg.arg = counters; - result = dump_counters(server->zonestats, isc_statsformat_json, - counters, NULL, zonestats_xmldesc, - dns_zonestatscounter_max, - zonestats_index, zonestat_values, 0); + result = dump_stats(server->zonestats, isc_statsformat_json, + counters, NULL, zonestats_xmldesc, + dns_zonestatscounter_max, zonestats_index, + zonestat_values, 0); if (result != ISC_R_SUCCESS) { json_object_put(counters); goto cleanup; 
@@ -2921,10 +2440,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, dumparg.result = ISC_R_SUCCESS; dumparg.arg = counters; - result = dump_counters( - server->resolverstats, isc_statsformat_json, counters, - NULL, resstats_xmldesc, dns_resstatscounter_max, - resstats_index, resstat_values, 0); + result = dump_stats(server->resolverstats, isc_statsformat_json, + counters, NULL, resstats_xmldesc, + dns_resstatscounter_max, resstats_index, + resstat_values, 0); if (result != ISC_R_SUCCESS) { json_object_put(counters); goto cleanup; @@ -2944,11 +2463,11 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, counters = json_object_new_object(); dumparg.result = ISC_R_SUCCESS; dumparg.arg = counters; - result = dump_counters( - dnstapstats, isc_statsformat_json, counters, - NULL, dnstapstats_xmldesc, - dns_dnstapcounter_max, dnstapstats_index, - dnstapstat_values, 0); + result = dump_stats(dnstapstats, isc_statsformat_json, + counters, NULL, dnstapstats_xmldesc, + dns_dnstapcounter_max, + dnstapstats_index, + dnstapstat_values, 0); isc_stats_detach(&dnstapstats); if (result != ISC_R_SUCCESS) { json_object_put(counters); @@ -2974,6 +2493,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, view = ISC_LIST_HEAD(server->viewlist); while (view != NULL) { json_object *za, *v = json_object_new_object(); + dns_adb_t *adb = NULL; CHECKMEM(v); json_object_object_add(viewlist, view->name, v); @@ -2982,8 +2502,8 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, CHECKMEM(za); if ((flags & STATS_JSON_ZONES) != 0) { - CHECK(dns_zt_apply(view->zonetable, true, NULL, - zone_jsonrender, za)); + CHECK(dns_view_apply(view, true, NULL, + zone_jsonrender, za)); } if (json_object_array_length(za) != 0) { 
@@ -2993,20 +2513,20 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, } if ((flags & STATS_JSON_SERVER) != 0) { - json_object *res; - dns_stats_t *dstats; - isc_stats_t *istats; + json_object *res = NULL; + dns_stats_t *dstats = NULL; + isc_stats_t *istats = NULL; res = json_object_new_object(); CHECKMEM(res); json_object_object_add(v, "resolver", res); - istats = view->resstats; + dns_resolver_getstats(view->resolver, &istats); if (istats != NULL) { counters = json_object_new_object(); CHECKMEM(counters); - result = dump_counters( + result = dump_stats( istats, isc_statsformat_json, counters, NULL, resstats_xmldesc, @@ -3021,9 +2541,11 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, json_object_object_add(res, "stats", counters); + isc_stats_detach(&istats); } - dstats = view->resquerystats; + dns_resolver_getquerystats(view->resolver, + &dstats); if (dstats != NULL) { counters = json_object_new_object(); CHECKMEM(counters); @@ -3041,6 +2563,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, json_object_object_add(res, "qtypes", counters); + dns_stats_detach(&dstats); } dstats = dns_db_getrrsetstats(view->cachedb); @@ -3076,12 +2599,16 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, json_object_object_add(res, "cachestats", counters); - istats = view->adbstats; + dns_view_getadb(view, &adb); + if (adb != NULL) { + istats = dns_adb_getstats(adb); + dns_adb_detach(&adb); + } if (istats != NULL) { counters = json_object_new_object(); CHECKMEM(counters); - result = dump_counters( + result = dump_stats( istats, isc_statsformat_json, counters, NULL, adbstats_xmldesc, 
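Review bot: In the adbstat block (`@@ -3076`), `istats = dns_adb_getstats(adb)` takes what looks like a borrowed pointer and `dns_adb_detach(&adb)` then drops the only reference this function holds before `istats` is passed to `dump_stats`, so the counters are read through a pointer whose owner has already been released. The XML version of the same block (`@@ -2292` in generatexml) keeps the adb attached across the dump and detaches afterwards; the view most likely keeps the adb alive here as well, but holding the reference for the duration of the call is the pattern that does not depend on that. I'd move `dns_adb_detach(&adb);` to just after the `dump_stats` call, whose tail is outside this hunk, and drop the inner braces.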
@@ -3105,16 +2632,15 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, if ((flags & STATS_JSON_NET) != 0) { /* socket stat counters */ - json_object *sockets; counters = json_object_new_object(); dumparg.result = ISC_R_SUCCESS; dumparg.arg = counters; - result = dump_counters(server->sockstats, isc_statsformat_json, - counters, NULL, sockstats_xmldesc, - isc_sockstatscounter_max, - sockstats_index, sockstat_values, 0); + result = dump_stats(server->sockstats, isc_statsformat_json, + counters, NULL, sockstats_xmldesc, + isc_sockstatscounter_max, sockstats_index, + sockstat_values, 0); if (result != ISC_R_SUCCESS) { json_object_put(counters); goto cleanup; @@ -3126,30 +2652,6 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, } else { json_object_put(counters); } - - sockets = json_object_new_object(); - CHECKMEM(sockets); - - result = isc_socketmgr_renderjson(named_g_socketmgr, sockets); - if (result != ISC_R_SUCCESS) { - json_object_put(sockets); - goto cleanup; - } - - json_object_object_add(bindstats, "socketmgr", sockets); - } - - if ((flags & STATS_JSON_TASKS) != 0) { - json_object *tasks = json_object_new_object(); - CHECKMEM(tasks); - - result = isc_taskmgr_renderjson(named_g_taskmgr, tasks); - if (result != ISC_R_SUCCESS) { - json_object_put(tasks); - goto cleanup; - } - - json_object_object_add(bindstats, "taskmgr", tasks); } if ((flags & STATS_JSON_MEM) != 0) { 
@@ -3193,53 +2695,53 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, tcpresp6 = json_object_new_object(); CHECKMEM(tcpresp6); - CHECK(dump_counters( - server->sctx->udpinstats4, isc_statsformat_json, - udpreq4, NULL, udpinsizestats_xmldesc, - dns_sizecounter_in_max, udpinsizestats_index, - udpinsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->udpoutstats4, isc_statsformat_json, - udpresp4, NULL, udpoutsizestats_xmldesc, - dns_sizecounter_out_max, udpoutsizestats_index, - udpoutsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->tcpinstats4, isc_statsformat_json, - tcpreq4, NULL, tcpinsizestats_xmldesc, - dns_sizecounter_in_max, tcpinsizestats_index, - tcpinsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->tcpoutstats4, isc_statsformat_json, - tcpresp4, NULL, tcpoutsizestats_xmldesc, - dns_sizecounter_out_max, tcpoutsizestats_index, - tcpoutsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->udpinstats6, isc_statsformat_json, - udpreq6, NULL, udpinsizestats_xmldesc, - dns_sizecounter_in_max, udpinsizestats_index, - udpinsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->udpoutstats6, isc_statsformat_json, - udpresp6, NULL, udpoutsizestats_xmldesc, - dns_sizecounter_out_max, udpoutsizestats_index, - udpoutsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->tcpinstats6, isc_statsformat_json, - tcpreq6, NULL, tcpinsizestats_xmldesc, - dns_sizecounter_in_max, tcpinsizestats_index, - tcpinsizestat_values, 0)); - - CHECK(dump_counters( - server->sctx->tcpoutstats6, isc_statsformat_json, - tcpresp6, NULL, tcpoutsizestats_xmldesc, - dns_sizecounter_out_max, tcpoutsizestats_index, - tcpoutsizestat_values, 0)); + CHECK(dump_histo(server->sctx->udpinstats4, + isc_statsformat_json, udpreq4, NULL, + udpinsizestats_xmldesc, dns_sizecounter_in_max, + udpinsizestats_index, udpinsizestat_values, + 0)); + + CHECK(dump_histo(server->sctx->udpoutstats4, + isc_statsformat_json, udpresp4, 
NULL, + udpoutsizestats_xmldesc, + dns_sizecounter_out_max, udpoutsizestats_index, + udpoutsizestat_values, 0)); + + CHECK(dump_histo(server->sctx->tcpinstats4, + isc_statsformat_json, tcpreq4, NULL, + tcpinsizestats_xmldesc, dns_sizecounter_in_max, + tcpinsizestats_index, tcpinsizestat_values, + 0)); + + CHECK(dump_histo(server->sctx->tcpoutstats4, + isc_statsformat_json, tcpresp4, NULL, + tcpoutsizestats_xmldesc, + dns_sizecounter_out_max, tcpoutsizestats_index, + tcpoutsizestat_values, 0)); + + CHECK(dump_histo(server->sctx->udpinstats6, + isc_statsformat_json, udpreq6, NULL, + udpinsizestats_xmldesc, dns_sizecounter_in_max, + udpinsizestats_index, udpinsizestat_values, + 0)); + + CHECK(dump_histo(server->sctx->udpoutstats6, + isc_statsformat_json, udpresp6, NULL, + udpoutsizestats_xmldesc, + dns_sizecounter_out_max, udpoutsizestats_index, + udpoutsizestat_values, 0)); + + CHECK(dump_histo(server->sctx->tcpinstats6, + isc_statsformat_json, tcpreq6, NULL, + tcpinsizestats_xmldesc, dns_sizecounter_in_max, + tcpinsizestats_index, tcpinsizestat_values, + 0)); + + CHECK(dump_histo(server->sctx->tcpoutstats6, + isc_statsformat_json, tcpresp6, NULL, + tcpoutsizestats_xmldesc, + dns_sizecounter_out_max, tcpoutsizestats_index, + tcpoutsizestat_values, 0)); json_object_object_add(traffic, "dns-udp-requests-sizes-received-ipv4", @@ -3320,10 +2822,9 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, } static isc_result_t -render_json(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, const char **mimetype, - isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { +render_json(uint32_t flags, void *arg, unsigned int *retcode, + const char **retmsg, const char **mimetype, isc_buffer_t *b, + isc_httpdfree_t **freecb, void **freecb_args) { isc_result_t result; json_object *bindstats = NULL; named_server_t *server = arg; 
@@ -3331,17 +2832,12 @@ render_json(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo, size_t msglen = 0; char *p; - UNUSED(url); - UNUSED(urlinfo); - UNUSED(headers); - UNUSED(querystring); - result = generatejson(server, &msglen, &msg, &bindstats, flags); if (result == ISC_R_SUCCESS) { *retcode = 200; *retmsg = "OK"; *mimetype = "application/json"; - DE_CONST(msg, p); + p = UNCONST(msg); isc_buffer_reinit(b, p, msglen); isc_buffer_add(b, msglen); *freecb = wrap_jsonfree; 
@@ -3356,166 +2852,137 @@ render_json(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo, } static isc_result_t -render_json_all(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_all(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_ALL, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_ALL, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_json_status(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_status(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_STATUS, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_STATUS, arg, retcode, retmsg, mimetype, + b, freecb, freecb_args)); } static isc_result_t -render_json_server(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_server(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_SERVER, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - 
freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_SERVER, arg, retcode, retmsg, mimetype, + b, freecb, freecb_args)); } static isc_result_t -render_json_zones(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_zones(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_ZONES, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_ZONES, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_json_mem(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_mem(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_MEM, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); -} - -static isc_result_t -render_json_tasks(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, - const char **mimetype, isc_buffer_t *b, - isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_TASKS, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_MEM, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_json_net(const char *url, 
isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_net(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_NET, url, urlinfo, querystring, headers, - arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_NET, arg, retcode, retmsg, mimetype, b, + freecb, freecb_args)); } static isc_result_t -render_json_traffic(const char *url, isc_httpdurl_t *urlinfo, - const char *querystring, const char *headers, void *arg, - unsigned int *retcode, const char **retmsg, +render_json_traffic(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, + void *arg, unsigned int *retcode, const char **retmsg, const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { - return (render_json(STATS_JSON_TRAFFIC, url, urlinfo, querystring, - headers, arg, retcode, retmsg, mimetype, b, freecb, - freecb_args)); + UNUSED(httpd); + UNUSED(urlinfo); + return (render_json(STATS_JSON_TRAFFIC, arg, retcode, retmsg, mimetype, + b, freecb, freecb_args)); } #endif /* HAVE_JSON_C */ static isc_result_t -render_xsl(const char *url, isc_httpdurl_t *urlinfo, const char *querystring, - const char *headers, void *args, unsigned int *retcode, - const char **retmsg, const char **mimetype, isc_buffer_t *b, - isc_httpdfree_t **freecb, void **freecb_args) { +render_xsl(const isc_httpd_t *httpd, const isc_httpdurl_t *urlinfo, void *args, + unsigned int *retcode, const char **retmsg, const char **mimetype, + isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) { isc_result_t result; - char *_headers = NULL; - char *p; + char *p = NULL; - UNUSED(url); - UNUSED(querystring); + UNUSED(httpd); UNUSED(args); *freecb = NULL; *freecb_args = 
NULL; *mimetype = "text/xslt+xml"; - if (urlinfo->isstatic) { - isc_time_t when; - char *line, *saveptr; - const char *if_modified_since = "If-Modified-Since: "; - _headers = strdup(headers); + if (isc_httpdurl_isstatic(urlinfo)) { + time_t t1, t2; + const isc_time_t *when; + const isc_time_t *loadtime; + + when = isc_httpd_if_modified_since(httpd); - if (_headers == NULL) { + if (isc_time_isepoch(when)) { goto send; } - saveptr = NULL; - for (line = strtok_r(_headers, "\n", &saveptr); line; - line = strtok_r(NULL, "\n", &saveptr)) - { - if (strncasecmp(line, if_modified_since, - strlen(if_modified_since)) == 0) { - time_t t1, t2; - line += strlen(if_modified_since); - result = isc_time_parsehttptimestamp(line, - &when); - if (result != ISC_R_SUCCESS) { - goto send; - } - - result = isc_time_secondsastimet(&when, &t1); - if (result != ISC_R_SUCCESS) { - goto send; - } + result = isc_time_secondsastimet(when, &t1); + if (result != ISC_R_SUCCESS) { + goto send; + } - result = isc_time_secondsastimet( - &urlinfo->loadtime, &t2); - if (result != ISC_R_SUCCESS) { - goto send; - } + loadtime = isc_httpdurl_loadtime(urlinfo); - if (t1 < t2) { - goto send; - } + result = isc_time_secondsastimet(loadtime, &t2); + if (result != ISC_R_SUCCESS) { + goto send; + } - *retcode = 304; - *retmsg = "Not modified"; - goto end; - } + if (t1 < t2) { + goto send; } + + *retcode = 304; + *retmsg = "Not modified"; + goto end; } send: *retcode = 200; *retmsg = "OK"; - DE_CONST(xslmsg, p); + p = UNCONST(xslmsg); isc_buffer_reinit(b, p, strlen(xslmsg)); isc_buffer_add(b, strlen(xslmsg)); end: - free(_headers); return (ISC_R_SUCCESS); } 
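Review bot: `UNUSED(httpd);` at the top of the rewritten render_xsl is contradicted a few lines later, where the static-URL branch reads the parameter through `isc_httpd_if_modified_since(httpd)`; the marker should be dropped so the signature does not advertise as ignored a parameter the body depends on. The conditional-GET logic is carried over from the strtok_r version, so a one-line comment on the comparison would help the next reader: `/* 304 only when the client's copy is at least as new as the loaded stylesheet. */` above `if (t1 < t2) {`. Whether isc_httpd_if_modified_since can return NULL (which `isc_time_isepoch(when)` would then dereference) is not visible here and is worth confirming against its definition.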
@@ -3621,42 +3088,52 @@ add_listener(named_server_t *server, named_statschannel_t **listenerp, server); isc_httpdmgr_addurl(listener->httpdmgr, "/xml", false, render_xml_all, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR, false, render_xml_all, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/status", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/status", false, render_xml_status, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/server", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/server", false, render_xml_server, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/zones", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/zones", false, render_xml_zones, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/net", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/net", false, render_xml_net, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/tasks", false, - render_xml_tasks, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/mem", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/mem", false, render_xml_mem, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/traffic", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/xml/v" STATS_XML_VERSION_MAJOR "/traffic", false, render_xml_traffic, server); #endif /* ifdef HAVE_LIBXML2 */ #ifdef HAVE_JSON_C isc_httpdmgr_addurl(listener->httpdmgr, "/json", false, render_json_all, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR, false, render_json_all, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/status", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" 
STATS_JSON_VERSION_MAJOR "/status", false, render_json_status, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/server", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR "/server", false, render_json_server, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/zones", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR "/zones", false, render_json_zones, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/tasks", false, - render_json_tasks, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/net", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR "/net", false, render_json_net, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/mem", false, + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR "/mem", false, render_json_mem, server); - isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/traffic", false, - render_json_traffic, server); + isc_httpdmgr_addurl(listener->httpdmgr, + "/json/v" STATS_JSON_VERSION_MAJOR "/traffic", + false, render_json_traffic, server); #endif /* ifdef HAVE_JSON_C */ isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", true, render_xsl, server); @@ -3740,7 +3217,7 @@ named_statschannels_configure(named_server_t *server, const cfg_obj_t *config, const cfg_listelt_t *element, *element2; char socktext[ISC_SOCKADDR_FORMATSIZE]; - RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS); + isc_once_do(&once, init_desc); ISC_LIST_INIT(new_listeners); @@ -3885,7 +3362,6 @@ named_statschannels_shutdown(named_server_t *server) { isc_result_t named_stats_dump(named_server_t *server, FILE *fp) { - isc_stdtime_t now; isc_result_t result; dns_view_t *view; dns_zone_t *zone, *next; 
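Review bot: The version-prefixed registrations in add_listener rely on STATS_XML_VERSION_MAJOR and STATS_JSON_VERSION_MAJOR being string literals, since they are glued to `"/xml/v"` and `"/json/v"` by adjacent-literal concatenation; a comment at the first use, `/* must be a string literal: concatenated into URL paths */`, would stop someone redefining them as integers (their definitions are outside this hunk). The bare `/xml` and `/json` paths are registered as aliases of the current major version, which is a compatibility contract worth a sentence in the same place. In named_statschannels_configure the `RUNTIME_CHECK` around `isc_once_do(&once, init_desc)` is dropped; if isc_once_do still returns an isc_result_t in this tree, a failed init_desc now goes unnoticed before the descriptor tables are used, so it is worth confirming the call was made void.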
@@ -3896,14 +3372,14 @@ named_stats_dump(named_server_t *server, FILE *fp) { uint64_t zonestat_values[dns_zonestatscounter_max]; uint64_t sockstat_values[isc_sockstatscounter_max]; uint64_t gluecachestats_values[dns_gluecachestatscounter_max]; + isc_stdtime_t now = isc_stdtime_now(); - RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS); + isc_once_do(&once, init_desc); /* Set common fields */ dumparg.type = isc_statsformat_file; dumparg.arg = fp; - isc_stdtime_get(&now); fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now); fprintf(fp, "++ Incoming Requests ++\n"); @@ -3922,7 +3398,9 @@ named_stats_dump(named_server_t *server, FILE *fp) { for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->resquerystats == NULL) { + dns_stats_t *dstats = NULL; + dns_resolver_getquerystats(view->resolver, &dstats); + if (dstats == NULL) { continue; } if (strcmp(view->name, "_default") == 0) { 
@@ -3930,30 +3408,31 @@ named_stats_dump(named_server_t *server, FILE *fp) { } else { fprintf(fp, "[View: %s]\n", view->name); } - dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump, - &dumparg, 0); + dns_rdatatypestats_dump(dstats, rdtypestat_dump, &dumparg, 0); + dns_stats_detach(&dstats); } fprintf(fp, "++ Name Server Statistics ++\n"); - (void)dump_counters(ns_stats_get(server->sctx->nsstats), - isc_statsformat_file, fp, NULL, nsstats_desc, - ns_statscounter_max, nsstats_index, nsstat_values, - 0); + (void)dump_stats(ns_stats_get(server->sctx->nsstats), + isc_statsformat_file, fp, NULL, nsstats_desc, + ns_statscounter_max, nsstats_index, nsstat_values, 0); fprintf(fp, "++ Zone Maintenance Statistics ++\n"); - (void)dump_counters(server->zonestats, isc_statsformat_file, fp, NULL, - zonestats_desc, dns_zonestatscounter_max, - zonestats_index, zonestat_values, 0); + (void)dump_stats(server->zonestats, isc_statsformat_file, fp, NULL, + zonestats_desc, dns_zonestatscounter_max, + zonestats_index, zonestat_values, 0); fprintf(fp, "++ Resolver Statistics ++\n"); fprintf(fp, "[Common]\n"); - (void)dump_counters(server->resolverstats, isc_statsformat_file, fp, - NULL, resstats_desc, dns_resstatscounter_max, - resstats_index, resstat_values, 0); + (void)dump_stats(server->resolverstats, isc_statsformat_file, fp, NULL, + resstats_desc, dns_resstatscounter_max, resstats_index, + resstat_values, 0); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->resstats == NULL) { + isc_stats_t *istats = NULL; + dns_resolver_getstats(view->resolver, &istats); + if (istats == NULL) { continue; } if (strcmp(view->name, "_default") == 0) { 
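Review bot: The new per-view loops in named_stats_dump dereference `view->resolver` unconditionally (`dns_resolver_getquerystats(view->resolver, &dstats)` in the previous hunk and `dns_resolver_getstats(view->resolver, &istats)` here), whereas the replaced checks on view->resquerystats / view->resstats were NULL-safe for a view that never acquired a resolver; if any view in server->viewlist can have a NULL resolver, each call needs `if (view->resolver == NULL) { continue; }` in front of it, otherwise a comment stating that every listed view owns a resolver would make the assumption explicit. The `dns_stats_detach(&dstats)` / `isc_stats_detach(&istats)` after each dump are the right pairings for the references those getters hand out. The body of named_stats_dump continues past this hunk.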
@@ -3961,10 +3440,10 @@ named_stats_dump(named_server_t *server, FILE *fp) { } else { fprintf(fp, "[View: %s]\n", view->name); } - (void)dump_counters(view->resstats, isc_statsformat_file, fp, - NULL, resstats_desc, - dns_resstatscounter_max, resstats_index, - resstat_values, 0); + (void)dump_stats(istats, isc_statsformat_file, fp, NULL, + resstats_desc, dns_resstatscounter_max, + resstats_index, resstat_values, 0); + isc_stats_detach(&istats); } fprintf(fp, "++ Cache Statistics ++\n"); @@ -4017,7 +3496,15 @@ named_stats_dump(named_server_t *server, FILE *fp) { for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->adbstats == NULL) { + dns_adb_t *adb = NULL; + isc_stats_t *adbstats = NULL; + + dns_view_getadb(view, &adb); + if (adb != NULL) { + adbstats = dns_adb_getstats(adb); + dns_adb_detach(&adb); + } + if (adbstats == NULL) { continue; } if (strcmp(view->name, "_default") == 0) { @@ -4025,15 +3512,15 @@ named_stats_dump(named_server_t *server, FILE *fp) { } else { fprintf(fp, "[View: %s]\n", view->name); } - (void)dump_counters(view->adbstats, isc_statsformat_file, fp, - NULL, adbstats_desc, dns_adbstats_max, - adbstats_index, adbstat_values, 0); + (void)dump_stats(adbstats, isc_statsformat_file, fp, NULL, + adbstats_desc, dns_adbstats_max, + adbstats_index, adbstat_values, 0); } fprintf(fp, "++ Socket I/O Statistics ++\n"); - (void)dump_counters(server->sockstats, isc_statsformat_file, fp, NULL, - sockstats_desc, isc_sockstatscounter_max, - sockstats_index, sockstat_values, 0); + (void)dump_stats(server->sockstats, isc_statsformat_file, fp, NULL, + sockstats_desc, isc_sockstatscounter_max, + sockstats_index, sockstat_values, 0); fprintf(fp, "++ Per Zone Query Statistics ++\n"); zone = NULL; 
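Review bot: In the ADB block of named_stats_dump, `adbstats = dns_adb_getstats(adb)` is taken as a borrowed pointer and `dns_adb_detach(&adb)` is called immediately, before adbstats is handed to dump_stats in the following hunk; unlike the resolver paths, which hold a counted reference from dns_resolver_getstats and detach it only after dumping, nothing here keeps the ADB (and therefore its stats object) alive across the dump if the reference from dns_view_getadb was the last one. Safer is to keep the adb until the dump is done: move `dns_adb_detach(&adb);` to after the `dump_stats(adbstats, ...)` call (and also release it on the `continue` path), or attach to the stats object with an explicit attach if dns_adb_getstats returns it unreferenced. I cannot see dns_adb_getstats from this hunk, so whether it bumps a refcount needs checking before choosing between the two.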
@@ -4058,10 +3545,10 @@ named_stats_dump(named_server_t *server, FILE *fp) { } fprintf(fp, "]\n"); - (void)dump_counters(zonestats, isc_statsformat_file, fp, - NULL, nsstats_desc, - ns_statscounter_max, nsstats_index, - nsstat_values, 0); + (void)dump_stats(zonestats, isc_statsformat_file, fp, + NULL, nsstats_desc, + ns_statscounter_max, nsstats_index, + nsstat_values, 0); } } @@ -4088,11 +3575,11 @@ named_stats_dump(named_server_t *server, FILE *fp) { } fprintf(fp, "]\n"); - (void)dump_counters( - gluecachestats, isc_statsformat_file, fp, NULL, - gluecachestats_desc, - dns_gluecachestatscounter_max, - gluecachestats_index, gluecachestats_values, 0); + (void)dump_stats(gluecachestats, isc_statsformat_file, + fp, NULL, gluecachestats_desc, + dns_gluecachestatscounter_max, + gluecachestats_index, + gluecachestats_values, 0); } } diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c index 0e85814e4a..24acdcd0c2 100644 --- a/bin/named/tkeyconf.c +++ b/bin/named/tkeyconf.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,7 +17,7 @@ #include #include -#include /* Required for HP/UX (and others?) */ +#include #include #include 
@@ -46,32 +48,16 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, isc_result_t result; dns_tkeyctx_t *tctx = NULL; const char *s; - uint32_t n; dns_fixedname_t fname; dns_name_t *name; isc_buffer_t b; const cfg_obj_t *obj; - int type; result = dns_tkeyctx_create(mctx, &tctx); if (result != ISC_R_SUCCESS) { return (result); } - obj = NULL; - result = cfg_map_get(options, "tkey-dhkey", &obj); - if (result == ISC_R_SUCCESS) { - s = cfg_obj_asstring(cfg_tuple_get(obj, "name")); - n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid")); - isc_buffer_constinit(&b, s, strlen(s)); - isc_buffer_add(&b, strlen(s)); - name = dns_fixedname_initname(&fname); - RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH, - type, NULL, mctx, &tctx->dhkey)); - } - obj = NULL; result = cfg_map_get(options, "tkey-domain", &obj); if (result == ISC_R_SUCCESS) { diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c index ea696af73b..f24aab11dd 100644 --- a/bin/named/transportconf.c +++ b/bin/named/transportconf.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -47,6 +49,48 @@
 } \
 }
 
+#define parse_transport_tls_versions(map, transport, name, setter) \
+ { \
+ const cfg_obj_t *obj = NULL; \
+ cfg_map_get(map, name, &obj); \
+ if (obj != NULL) { \
+ { \
+ uint32_t tls_protos = 0; \
+ const cfg_listelt_t *proto = NULL; \
+ INSIST(obj != NULL); \
+ for (proto = cfg_list_first(obj); proto != 0; \
+ proto = cfg_list_next(proto)) \
+ { \
+ const cfg_obj_t *tls_proto_obj = \
+ cfg_listelt_value(proto); \
+ const char *tls_sver = \
+ cfg_obj_asstring( \
+ tls_proto_obj); \
+ const isc_tls_protocol_version_t ver = \
+ isc_tls_protocol_name_to_version( \
+ tls_sver); \
+ INSIST(ver != \
+ ISC_TLS_PROTO_VER_UNDEFINED); \
+ INSIST(isc_tls_protocol_supported( \
+ ver)); \
+ tls_protos |= ver; \
+ } \
+ if (tls_protos != 0) { \
+ setter(transport, tls_protos); \
+ } \
+ } \
+ } \
+ }
+
+#define parse_transport_bool_option(map, transport, name, setter) \
+ { \
+ const cfg_obj_t *obj = NULL; \
+ cfg_map_get(map, name, &obj); \
+ if (obj != NULL) { \
+ setter(transport, cfg_obj_asboolean(obj)); \
+ } \
+ }
+
 static isc_result_t
 add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 const cfg_obj_t *doh = NULL;
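Review bot: `INSIST(ver != ISC_TLS_PROTO_VER_UNDEFINED);` and `INSIST(isc_tls_protocol_supported(ver));` in parse_transport_tls_versions turn an unknown or build-unsupported protocol name in named.conf into an assertion failure, i.e. named aborts on configuration data instead of reporting a configuration error; unless the config checker is guaranteed to have rejected such values before this code runs (not visible here), these should become a `cfg_obj_log(tls_proto_obj, ..., ISC_LOG_ERROR, ...)` followed by an error return from the enclosing function, which returns isc_result_t in both callers of the macro. Smaller points in the same macro: `INSIST(obj != NULL);` cannot fail inside `if (obj != NULL)`, and `proto != 0` should be `proto != NULL` for a pointer. A one-line comment above each macro noting that it expands to a bare brace block (so call sites may omit the trailing semicolon) would explain the inconsistent invocations that follow.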
@@ -67,14 +111,22 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { transport = dns_transport_new(&dohname, DNS_TRANSPORT_HTTP, list); + dns_transport_set_tlsname(transport, dohid); parse_transport_option(doh, transport, "key-file", dns_transport_set_keyfile); parse_transport_option(doh, transport, "cert-file", dns_transport_set_certfile); - parse_transport_option(doh, transport, "ca-file", - dns_transport_set_cafile); - parse_transport_option(doh, transport, "hostname", - dns_transport_set_hostname); + parse_transport_tls_versions(doh, transport, "protocols", + dns_transport_set_tls_versions); + parse_transport_option(doh, transport, "ciphers", + dns_transport_set_ciphers); + parse_transport_bool_option( + doh, transport, "prefer-server-ciphers", + dns_transport_set_prefer_server_ciphers) + parse_transport_option(doh, transport, "ca-file", + dns_transport_set_cafile); + parse_transport_option(doh, transport, "remote-hostname", + dns_transport_set_remote_hostname); } return (ISC_R_SUCCESS); 
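Review bot: The `parse_transport_bool_option(doh, transport, "prefer-server-ciphers", dns_transport_set_prefer_server_ciphers)` invocation has no trailing semicolon while every neighbouring macro call does; it compiles only because the macro expands to a bare `{ ... }` block and would break if the macro were later wrapped in `do { } while (0)`, so add the `;` for consistency. The option `remote-hostname` replaces `hostname` here; if the old spelling is no longer accepted by the grammar, an existing named.conf loses its hostname check, which deserves a comment at this call site or a note in the option documentation — the grammar change is not visible from this hunk. The enclosing loop of add_doh_transports begins outside the hunk.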
@@ -111,14 +163,22 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, list); + dns_transport_set_tlsname(transport, tlsid); parse_transport_option(tls, transport, "key-file", dns_transport_set_keyfile); parse_transport_option(tls, transport, "cert-file", dns_transport_set_certfile); - parse_transport_option(tls, transport, "ca-file", - dns_transport_set_cafile); - parse_transport_option(tls, transport, "hostname", - dns_transport_set_hostname); + parse_transport_tls_versions(tls, transport, "protocols", + dns_transport_set_tls_versions); + parse_transport_option(tls, transport, "ciphers", + dns_transport_set_ciphers); + parse_transport_bool_option( + tls, transport, "prefer-server-ciphers", + dns_transport_set_prefer_server_ciphers) + parse_transport_option(tls, transport, "ca-file", + dns_transport_set_cafile); + parse_transport_option(tls, transport, "remote-hostname", + dns_transport_set_remote_hostname); } return (ISC_R_SUCCESS); @@ -161,10 +221,12 @@ static void transport_list_add_ephemeral(dns_transport_list_t *list) { isc_result_t result; dns_name_t tlsname; + dns_transport_t *transport; create_name("ephemeral", &tlsname); - (void)dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, list); + transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, list); + dns_transport_set_tlsname(transport, "ephemeral"); return; failure: diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c index ef6d91a764..dfeadfd99f 100644 --- a/bin/named/tsigconf.c +++ b/bin/named/tsigconf.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
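Review bot: add_tls_transports now repeats the same seven option-parsing calls as add_doh_transports, including the same missing semicolon after `parse_transport_bool_option(...)`; since both transport kinds take identical TLS settings, a shared static helper keeps the two lists from drifting apart (the next option added to one will otherwise be forgotten in the other). The helper's parameter must not be named `obj`, because the macros declare a local `obj` inside their block that would shadow it. A comment in transport_list_add_ephemeral saying that the ephemeral transport deliberately carries no key/cert/protocol settings would spare the reader wondering whether that is an omission. Both functions' bodies begin outside this hunk.
```c
/* TLS settings common to "tls" and "http" transports; parsing them in
 * one place keeps the two configure paths in sync. */
static void
parse_common_tls_options(const cfg_obj_t *cfg, dns_transport_t *transport) {
	parse_transport_option(cfg, transport, "key-file",
			       dns_transport_set_keyfile);
	parse_transport_option(cfg, transport, "cert-file",
			       dns_transport_set_certfile);
	parse_transport_tls_versions(cfg, transport, "protocols",
				     dns_transport_set_tls_versions);
	parse_transport_option(cfg, transport, "ciphers",
			       dns_transport_set_ciphers);
	parse_transport_bool_option(cfg, transport, "prefer-server-ciphers",
				    dns_transport_set_prefer_server_ciphers);
	parse_transport_option(cfg, transport, "ca-file",
			       dns_transport_set_cafile);
	parse_transport_option(cfg, transport, "remote-hostname",
			       dns_transport_set_remote_hostname);
}

/* … unchanged: add_tls_transports loop header … */
		transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, list);
		dns_transport_set_tlsname(transport, tlsid);
		parse_common_tls_options(tls, transport);
```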
@@ -16,10 +18,10 @@ #include #include #include +#include #include #include -#include #include #include @@ -29,7 +31,7 @@ #include static isc_result_t -add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, +add_initial_keys(const cfg_obj_t *list, dns_tsigkeyring_t *ring, isc_mem_t *mctx) { dns_tsigkey_t *tsigkey = NULL; const cfg_listelt_t *element; @@ -37,10 +39,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, const char *keyid = NULL; unsigned char *secret = NULL; int secretalloc = 0; - int secretlen = 0; isc_result_t ret; - isc_stdtime_t now; - uint16_t bits; for (element = cfg_list_first(list); element != NULL; element = cfg_list_next(element)) @@ -48,12 +47,14 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, const cfg_obj_t *algobj = NULL; const cfg_obj_t *secretobj = NULL; dns_name_t keyname; - const dns_name_t *alg; - const char *algstr; + dst_algorithm_t alg = DST_ALG_UNKNOWN; + const char *algstr = NULL; char keynamedata[1024]; isc_buffer_t keynamesrc, keynamebuf; - const char *secretstr; + const char *secretstr = NULL; isc_buffer_t secretbuf; + int secretlen = 0; + uint16_t bits; key = cfg_listelt_value(element); keyid = cfg_obj_asstring(cfg_map_getname(key)); @@ -82,7 +83,8 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, */ algstr = cfg_obj_asstring(algobj); if (named_config_getkeyalgorithm(algstr, &alg, &bits) != - ISC_R_SUCCESS) { + ISC_R_SUCCESS) + { cfg_obj_log(algobj, named_g_lctx, ISC_LOG_ERROR, "key '%s': has a " "unsupported algorithm '%s'", 
@@ -101,13 +103,17 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, } secretlen = isc_buffer_usedlength(&secretbuf); - isc_stdtime_get(&now); - ret = dns_tsigkey_create(&keyname, alg, secret, secretlen, - false, NULL, now, now, mctx, ring, + ret = dns_tsigkey_create(&keyname, alg, secret, secretlen, mctx, &tsigkey); isc_mem_put(mctx, secret, secretalloc); secret = NULL; + if (ret == ISC_R_SUCCESS) { + ret = dns_tsigkeyring_add(ring, tsigkey); + } if (ret != ISC_R_SUCCESS) { + if (tsigkey != NULL) { + dns_tsigkey_detach(&tsigkey); + } goto failure; } /* @@ -120,21 +126,20 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, return (ISC_R_SUCCESS); failure: - cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR, - "configuring key '%s': %s", keyid, isc_result_totext(ret)); - if (secret != NULL) { isc_mem_put(mctx, secret, secretalloc); } + cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR, + "configuring key '%s': %s", keyid, isc_result_totext(ret)); return (ret); } isc_result_t named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, - isc_mem_t *mctx, dns_tsig_keyring_t **ringp) { + isc_mem_t *mctx, dns_tsigkeyring_t **ringp) { const cfg_obj_t *maps[3]; const cfg_obj_t *keylist; - dns_tsig_keyring_t *ring = NULL; + dns_tsigkeyring_t *ring = NULL; isc_result_t result; int i; @@ -149,10 +154,7 @@ named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, } maps[i] = NULL; - result = dns_tsigkeyring_create(mctx, &ring); - if (result != ISC_R_SUCCESS) { - return (result); - } + dns_tsigkeyring_create(mctx, &ring); for (i = 0;; i++) { if (maps[i] == NULL) { diff --git a/bin/named/xsl_p.h b/bin/named/xsl_p.h index d4d8a8ce38..56235349f2 100644 --- a/bin/named/xsl_p.h +++ b/bin/named/xsl_p.h 
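Review bot: The decoded TSIG secret in add_initial_keys is returned to the allocator with `isc_mem_put(mctx, secret, secretalloc);` on the success path and again under `failure:` without being cleared first, so the key bytes remain readable in freed memory; since this hunk already reworks the secret's lifetime, wipe it before freeing in both places with a non-optimisable clear (the tree's secure-wipe helper if it has one, otherwise `explicit_bzero(secret, secretalloc);`). The new error handling is otherwise sound: a failed `dns_tsigkeyring_add` detaches the key that dns_tsigkey_create returned before jumping to `failure:`, and moving the log call after the free does not change what is reported. The function begins before this hunk, and `dns_tsigkeyring_create(mctx, &ring)` is now called without a result check, which is correct only if it was made void in this series.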
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 2e05cee6d4..fa34b4c7d4 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,9 +17,9 @@ #include #include #include -#include +#include #include -#include /* Required for HP/UX (and others?) */ +#include #include #include @@ -34,7 +36,6 @@ #include #include #include -#include #include #include #include @@ -131,8 +132,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, aclname = "allow-update-forwarding"; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* First check to see if ACL is defined within the zone */ @@ -202,7 +202,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, dns_ssutable_t *table = NULL; isc_mem_t *mctx = dns_zone_getmctx(zone); bool autoddns = false; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; (void)cfg_map_get(zconfig, "update-policy", &updatepolicy); 
@@ -218,10 +218,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, updatepolicy = NULL; } - result = dns_ssutable_create(mctx, &table); - if (result != ISC_R_SUCCESS) { - return (result); - } + dns_ssutable_create(mctx, &table); for (element = cfg_list_first(updatepolicy); element != NULL; element = cfg_list_next(element)) @@ -247,14 +244,14 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, } else if (strcasecmp(str, "deny") == 0) { grant = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } str = cfg_obj_asstring(matchtype); CHECK(dns_ssu_mtypefromstring(str, &mtype)); if (mtype == dns_ssumatchtype_subdomain && - strcasecmp(str, "zonesub") == 0) { + strcasecmp(str, "zonesub") == 0) + { usezone = true; } @@ -292,7 +289,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, if (n == 0) { types = NULL; } else { - types = isc_mem_get(mctx, n * sizeof(*types)); + types = isc_mem_cget(mctx, n, sizeof(*types)); } i = 0; @@ -308,7 +305,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, typeobj = cfg_listelt_value(element2); str = cfg_obj_asstring(typeobj); - DE_CONST(str, r.base); + r.base = UNCONST(str); bracket = strchr(str, '(' /*)*/); if (bracket != NULL) { @@ -316,13 +313,14 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, r.length = bracket - str; max = strtoul(bracket + 1, &end, 10); if (max > 0xffff || end[0] != /*(*/ ')' || - end[1] != 0) { + end[1] != 0) + { cfg_obj_log(identity, named_g_lctx, ISC_LOG_ERROR, "'%s' is not a valid count", bracket); - isc_mem_put(mctx, types, - n * sizeof(*types)); + isc_mem_cput(mctx, types, n, + sizeof(*types)); goto cleanup; } } else { 
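Review bot: In the invalid-count branch (`'%s' is not a valid count`) configure_zone_ssutable frees `types` and jumps to cleanup with `result` still equal to ISC_R_SUCCESS — this commit initialises it to that value at declaration, and the preceding `CHECK(dns_ssu_mtypefromstring(...))` only assigns on failure — so unless the cleanup label (outside this hunk) sets a failure code, a malformed update-policy count is logged but the zone is configured as if the policy had loaded. Set `result = ISC_R_FAILURE;` before `goto cleanup;` in that branch and in the matching `is not a valid type` branch below it. Config-check code may already reject these values earlier, but the function should not depend on that to return an error.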
@@ -336,20 +334,17 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, ISC_LOG_ERROR, "'%.*s' is not a valid type", (int)r.length, str); - isc_mem_put(mctx, types, n * sizeof(*types)); + isc_mem_cput(mctx, types, n, sizeof(*types)); goto cleanup; } } INSIST(i == n); - result = dns_ssutable_addrule( - table, grant, dns_fixedname_name(&fident), mtype, - dns_fixedname_name(&fname), n, types); + dns_ssutable_addrule(table, grant, dns_fixedname_name(&fident), + mtype, dns_fixedname_name(&fname), n, + types); if (types != NULL) { - isc_mem_put(mctx, types, n * sizeof(*types)); - } - if (result != ISC_R_SUCCESS) { - goto cleanup; + isc_mem_cput(mctx, types, n, sizeof(*types)); } } @@ -371,17 +366,12 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, goto cleanup; } - result = dns_ssutable_addrule( - table, true, named_g_server->session_keyname, - dns_ssumatchtype_local, dns_zone_getorigin(zone), 1, - &any); - - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + dns_ssutable_addrule(table, true, + named_g_server->session_keyname, + dns_ssumatchtype_local, + dns_zone_getorigin(zone), 1, &any); } - result = ISC_R_SUCCESS; dns_zone_setssutable(zone, table); cleanup: @@ -465,7 +455,8 @@ configure_staticstub_serveraddrs(const cfg_obj_t *zconfig, dns_zone_t *zone, * there's nothing to do anymore. */ if (ISC_LIST_EMPTY(rdatalist_a->rdata) && - ISC_LIST_EMPTY(rdatalist_aaaa->rdata)) { + ISC_LIST_EMPTY(rdatalist_aaaa->rdata)) + { return (ISC_R_SUCCESS); } 
@@ -632,17 +623,14 @@ configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone, CHECK(dns_db_findnode(db, &apexname, false, &apexnode)); /* Add NS RRset */ - RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_ns, &rdataset) == - ISC_R_SUCCESS); + dns_rdatalist_tordataset(&rdatalist_ns, &rdataset); CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset, 0, NULL)); dns_rdataset_disassociate(&rdataset); /* Add glue A RRset, if any */ if (!ISC_LIST_EMPTY(rdatalist_a.rdata)) { - RUNTIME_CHECK( - dns_rdatalist_tordataset(&rdatalist_a, &rdataset) == - ISC_R_SUCCESS); + dns_rdatalist_tordataset(&rdatalist_a, &rdataset); CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset, 0, NULL)); dns_rdataset_disassociate(&rdataset); @@ -650,9 +638,7 @@ configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone, /* Add glue AAAA RRset, if any */ if (!ISC_LIST_EMPTY(rdatalist_aaaa.rdata)) { - RUNTIME_CHECK( - dns_rdatalist_tordataset(&rdatalist_aaaa, &rdataset) == - ISC_R_SUCCESS); + dns_rdatalist_tordataset(&rdatalist_aaaa, &rdataset); CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset, 0, NULL)); dns_rdataset_disassociate(&rdataset); @@ -693,7 +679,7 @@ configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone, /*% * Convert a config file zone type into a server zone type. */ -static inline dns_zonetype_t +static dns_zonetype_t zonetype_fromconfig(const cfg_obj_t *map) { const cfg_obj_t *obj = NULL; isc_result_t result; @@ -719,7 +705,7 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp, if (*s == '\0') { /* We have reached the end of the string. */ *argcp = n; - *argvp = isc_mem_get(mctx, n * sizeof(char *)); + *argvp = isc_mem_cget(mctx, n, sizeof(char *)); } else { char *p = s; while (*p != ' ' && *p != '\t' && *p != '\0') { 
@@ -750,28 +736,25 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) { return (strtoargvsub(mctx, s, argcp, argvp, 0)); } +static const char *const primary_synonyms[] = { "primary", "master", NULL }; + +static const char *const secondary_synonyms[] = { "secondary", "slave", NULL }; + static void checknames(dns_zonetype_t ztype, const cfg_obj_t **maps, const cfg_obj_t **objp) { isc_result_t result; switch (ztype) { - case dns_zone_slave: + case dns_zone_secondary: case dns_zone_mirror: - result = named_checknames_get(maps, "secondary", objp); - if (result != ISC_R_SUCCESS) { - result = named_checknames_get(maps, "slave", objp); - } + result = named_checknames_get(maps, secondary_synonyms, objp); break; - case dns_zone_master: - result = named_checknames_get(maps, "primary", objp); - if (result != ISC_R_SUCCESS) { - result = named_checknames_get(maps, "master", objp); - } + case dns_zone_primary: + result = named_checknames_get(maps, primary_synonyms, objp); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL); 
@@ -787,24 +770,27 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps, */ static bool isself(dns_view_t *myview, dns_tsigkey_t *mykey, const isc_sockaddr_t *srcaddr, - const isc_sockaddr_t *dstaddr, dns_rdataclass_t rdclass, void *arg) { - ns_interfacemgr_t *interfacemgr = (ns_interfacemgr_t *)arg; - dns_aclenv_t *env = ns_interfacemgr_getaclenv(interfacemgr); - dns_view_t *view; + const isc_sockaddr_t *dstaddr, dns_rdataclass_t rdclass, + void *arg ISC_ATTR_UNUSED) { + dns_aclenv_t *env = NULL; + dns_view_t *view = NULL; dns_tsigkey_t *key = NULL; isc_netaddr_t netsrc; isc_netaddr_t netdst; - if (interfacemgr == NULL) { + /* interfacemgr can be destroyed only in exclusive mode. */ + if (named_g_server->interfacemgr == NULL) { return (true); } - if (!ns_interfacemgr_listeningon(interfacemgr, dstaddr)) { + if (!ns_interfacemgr_listeningon(named_g_server->interfacemgr, dstaddr)) + { return (false); } isc_netaddr_fromsockaddr(&netsrc, srcaddr); isc_netaddr_fromsockaddr(&netdst, dstaddr); + env = ns_interfacemgr_getaclenv(named_g_server->interfacemgr); for (view = ISC_LIST_HEAD(named_g_server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) @@ -823,7 +809,7 @@ isself(dns_view_t *myview, dns_tsigkey_t *mykey, const isc_sockaddr_t *srcaddr, bool match; isc_result_t result; - result = dns_view_gettsig(view, &mykey->name, &key); + result = dns_view_gettsig(view, mykey->name, &key); if (result != ISC_R_SUCCESS) { continue; } @@ -894,6 +880,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, const char *filename = NULL; const char *kaspname = NULL; const char *dupcheck; + dns_checkdstype_t checkdstype = dns_checkdstype_yes; dns_notifytype_t notifytype = dns_notifytype_yes; uint32_t count; unsigned int dbargc; 
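Review bot: `named_g_server->interfacemgr` is now read three times in `isself()` — in the NULL check, in `ns_interfacemgr_listeningon()` and in `ns_interfacemgr_getaclenv()` — relying on the comment that it can only be destroyed in exclusive mode; reading it once into a local makes the check and the later uses refer to the same pointer and makes that reliance obvious. Suggest `ns_interfacemgr_t *mgr = named_g_server->interfacemgr;` at the top, with the check becoming `if (mgr == NULL) { return (true); }` and the two calls taking `mgr`. Returning `true` when there is no interface manager is pre-existing behaviour, but with the `arg` parameter now unused a short comment on why "no manager" counts as "is self" would help, since `dns_zone_setisself(zone, isself, NULL)` later in the file no longer passes any context. The body of isself continues past the hunk.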
@@ -907,8 +894,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, int i; int32_t journal_size; bool multi; - bool alt; - dns_view_t *view = NULL; dns_kasp_t *kasp = NULL; bool check = false, fail = false; bool warn = false, ignore = false; @@ -920,9 +905,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_stats_t *rcvquerystats; dns_stats_t *dnssecsignstats; dns_zonestat_level_t statlevel = dns_zonestat_none; - int seconds; + dns_ttl_t maxttl = 0; /* unlimited */ dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; - isc_dscp_t dscp; + bool transferinsecs = ns_server_getoption(named_g_server->sctx, + NS_SERVER_TRANSFERINSECS); i = 0; if (zconfig != NULL) { @@ -946,8 +932,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, maps[i] = NULL; if (vconfig != NULL) { - RETERR(named_config_getclass(cfg_tuple_get(vconfig, "class"), - dns_rdataclass_in, &vclass)); + CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"), + dns_rdataclass_in, &vclass)); } else { vclass = dns_rdataclass_in; } @@ -958,8 +944,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); - RETERR(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, - &zclass)); + CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, + &zclass)); dns_zone_setclass(zone, zclass); if (raw != NULL) { dns_zone_setclass(raw, zclass); @@ -968,7 +954,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ztype = zonetype_fromconfig(zoptions); if (raw != NULL) { dns_zone_settype(raw, ztype); - dns_zone_settype(zone, dns_zone_master); + dns_zone_settype(zone, dns_zone_primary); } else { dns_zone_settype(zone, ztype); } 
@@ -979,7 +965,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); } if (cpval == NULL) { - return (ISC_R_NOMEMORY); + CHECK(ISC_R_NOMEMORY); } obj = NULL; @@ -994,7 +980,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "zone '%s': both 'database' and 'dlz' " "specified", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } len = strlen(dlzname) + 5; @@ -1005,7 +991,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, result = strtoargv(mctx, cpval, &dbargc, &dbargv); if (result != ISC_R_SUCCESS && cpval != default_dbtype) { isc_mem_free(mctx, cpval); - return (result); + CHECK(result); } /* @@ -1014,7 +1000,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * compiler w/o generating a warning. */ dns_zone_setdbtype(zone, dbargc, (const char *const *)dbargv); - isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv)); + isc_mem_cput(mctx, dbargv, dbargc, sizeof(*dbargv)); if (cpval != default_dbtype && cpval != dlz_dbtype) { isc_mem_free(mctx, cpval); } @@ -1026,18 +1012,19 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } /* - * Unless we're using some alternative database, a master zone + * Unless we're using some alternative database, a primary zone * will be needing a master file. */ - if (ztype == dns_zone_master && cpval == default_dbtype && - filename == NULL) { + if (ztype == dns_zone_primary && cpval == default_dbtype && + filename == NULL) + { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "zone '%s': 'file' not specified", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } - if (ztype == dns_zone_slave || ztype == dns_zone_mirror) { + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { masterformat = dns_masterformat_raw; } else { masterformat = dns_masterformat_text; 
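Review bot: The `both 'database' and 'dlz' specified` error path now jumps to `cleanup:` but still leaks `cpval`, which was duplicated with `isc_mem_strdup()` a few lines earlier whenever `database` is present — and if the condition guarding this branch (outside the hunk) requires `database` to be set, that is always the case here; the old `return` leaked it too, but with a cleanup label available it is easy to free. Add `if (cpval != default_dbtype) { isc_mem_free(mctx, cpval); }` before `CHECK(ISC_R_FAILURE);`, mirroring the free already done on the `strtoargv()` failure path just below. named_zone_configure starts and ends outside the hunk.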
@@ -1051,11 +1038,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, masterformat = dns_masterformat_text; } else if (strcasecmp(masterformatstr, "raw") == 0) { masterformat = dns_masterformat_raw; - } else if (strcasecmp(masterformatstr, "map") == 0) { - masterformat = dns_masterformat_map; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1070,7 +1054,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "can only be used with " "'masterfile-format text'", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } if (strcasecmp(masterstylestr, "full") == 0) { @@ -1078,29 +1062,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(masterstylestr, "relative") == 0) { masterstyle = &dns_master_style_default; } else { - INSIST(0); - ISC_UNREACHABLE(); - } - } - - obj = NULL; - result = named_config_get(maps, "max-zone-ttl", &obj); - if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "zone '%s': 'max-zone-ttl' is not compatible " - "with 'masterfile-format map'", - zname); - return (ISC_R_FAILURE); - } else if (result == ISC_R_SUCCESS) { - dns_ttl_t maxttl = 0; /* unlimited */ - - if (cfg_obj_isduration(obj)) { - maxttl = cfg_obj_asduration(obj); - } - dns_zone_setmaxttl(zone, maxttl); - if (raw != NULL) { - dns_zone_setmaxttl(raw, maxttl); + UNREACHABLE(); } } 
@@ -1117,47 +1079,45 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, size_t signedlen = strlen(filename) + sizeof(SIGNED); char *signedname; - RETERR(dns_zone_setfile(raw, filename, masterformat, - masterstyle)); + CHECK(dns_zone_setfile(raw, filename, masterformat, + masterstyle)); signedname = isc_mem_get(mctx, signedlen); (void)snprintf(signedname, signedlen, "%s" SIGNED, filename); result = dns_zone_setfile(zone, signedname, dns_masterformat_raw, NULL); isc_mem_put(mctx, signedname, signedlen); - if (result != ISC_R_SUCCESS) { - return (result); - } + CHECK(result); } else { - RETERR(dns_zone_setfile(zone, filename, masterformat, - masterstyle)); + CHECK(dns_zone_setfile(zone, filename, masterformat, + masterstyle)); } obj = NULL; result = cfg_map_get(zoptions, "journal", &obj); if (result == ISC_R_SUCCESS) { - RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); + CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); } /* * Notify messages are processed by the raw zone if it exists. */ - if (ztype == dns_zone_slave || ztype == dns_zone_mirror) { - RETERR(configure_zone_acl( - zconfig, vconfig, config, allow_notify, ac, mayberaw, - dns_zone_setnotifyacl, dns_zone_clearnotifyacl)); + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify, + ac, mayberaw, dns_zone_setnotifyacl, + dns_zone_clearnotifyacl)); } /* * XXXAG This probably does not make sense for stubs. 
*/ - RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, - zone, dns_zone_setqueryacl, - dns_zone_clearqueryacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, + zone, dns_zone_setqueryacl, + dns_zone_clearqueryacl)); - RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, - zone, dns_zone_setqueryonacl, - dns_zone_clearqueryonacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, + zone, dns_zone_setqueryonacl, + dns_zone_clearqueryonacl)); obj = NULL; result = named_config_get(maps, "dialup", &obj); @@ -1179,8 +1139,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(dialupstr, "passive") == 0) { dialup = dns_dialuptype_passive; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } if (raw != NULL) { @@ -1206,8 +1165,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(levelstr, "none") == 0) { statlevel = dns_zonestat_none; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } dns_zone_setstatlevel(zone, statlevel); @@ -1216,10 +1174,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, rcvquerystats = NULL; dnssecsignstats = NULL; if (statlevel == dns_zonestat_full) { - RETERR(isc_stats_create(mctx, &zoneqrystats, - ns_statscounter_max)); - RETERR(dns_rdatatypestats_create(mctx, &rcvquerystats)); - RETERR(dns_dnssecsignstats_create(mctx, &dnssecsignstats)); + isc_stats_create(mctx, &zoneqrystats, ns_statscounter_max); + dns_rdatatypestats_create(mctx, &rcvquerystats); + dns_dnssecsignstats_create(mctx, &dnssecsignstats); } dns_zone_setrequeststats(zone, zoneqrystats); dns_zone_setrcvquerystats(zone, rcvquerystats); 
@@ -1238,13 +1195,19 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } /* - * Configure master functionality. This applies + * Configure authoritative zone functionality. This applies * to primary servers (type "primary") and secondaries * acting as primaries (type "secondary"), but not to stubs. */ if (ztype != dns_zone_stub && ztype != dns_zone_staticstub && ztype != dns_zone_redirect) { + /* Make a reference to the default policy. */ + result = dns_kasplist_find(kasplist, "default", &kasp); + INSIST(result == ISC_R_SUCCESS && kasp != NULL); + dns_zone_setdefaultkasp(zone, kasp); + dns_kasp_detach(&kasp); + obj = NULL; result = named_config_get(maps, "dnssec-policy", &obj); if (result == ISC_R_SUCCESS) { @@ -1258,7 +1221,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ISC_LOG_ERROR, "dnssec-policy '%s' not found ", kaspname); - RETERR(result); + CHECK(result); } dns_zone_setkasp(zone, kasp); use_kasp = true; @@ -1286,8 +1249,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, { notifytype = dns_notifytype_masteronly; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } notifytype = process_notifytype(notifytype, ztype, zname, 
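Review bot: `INSIST(result == ISC_R_SUCCESS && kasp != NULL)` after `dns_kasplist_find(kasplist, "default", &kasp)` turns a missing built-in `default` policy into an assertion abort of named at zone-configuration time, i.e. during a reload, rather than a failed configuration. If `kasplist` is always seeded from the built-in defaults before user policies, this is unreachable and a comment saying so, `/* the built-in "default" policy is always present in kasplist */`, would document the invariant; if the list can ever be built from user configuration alone, prefer a log message plus `CHECK(result)` so that a reconfig fails instead of the server. named_zone_configure continues outside the hunk.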
@@ -1303,46 +1265,40 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, (notifytype == dns_notifytype_yes || notifytype == dns_notifytype_explicit || (notifytype == dns_notifytype_masteronly && - ztype == dns_zone_master))) + ztype == dns_zone_primary))) { dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); - RETERR(named_config_getipandkeylist(config, obj, mctx, - &ipkl)); - result = dns_zone_setalsonotify(zone, ipkl.addrs, - ipkl.dscps, ipkl.keys, - ipkl.tlss, ipkl.count); + CHECK(named_config_getipandkeylist(config, "primaries", + obj, mctx, &ipkl)); + dns_zone_setalsonotify(zone, ipkl.addrs, ipkl.sources, + ipkl.keys, ipkl.tlss, + ipkl.count); dns_ipkeylist_clear(mctx, &ipkl); - RETERR(result); } else { - RETERR(dns_zone_setalsonotify(zone, NULL, NULL, NULL, - NULL, 0)); + dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0); } + obj = NULL; + result = named_config_get(maps, "parental-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); + + obj = NULL; + result = named_config_get(maps, "parental-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); + obj = NULL; result = named_config_get(maps, "notify-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - RETERR(dns_zone_setnotifysrc4dscp(zone, dscp)); - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); + CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); obj = NULL; result = named_config_get(maps, "notify-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - 
RETERR(dns_zone_setnotifysrc6dscp(zone, dscp)); - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); + CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); obj = NULL; result = named_config_get(maps, "notify-to-soa", &obj); @@ -1350,21 +1306,25 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA, cfg_obj_asboolean(obj)); - dns_zone_setisself(zone, isself, named_g_server->interfacemgr); + dns_zone_setisself(zone, isself, NULL); - RETERR(configure_zone_acl( + CHECK(configure_zone_acl( zconfig, vconfig, config, allow_transfer, ac, zone, dns_zone_setxfracl, dns_zone_clearxfracl)); obj = NULL; result = named_config_get(maps, "max-transfer-time-out", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60); + dns_zone_setmaxxfrout( + zone, transferinsecs ? cfg_obj_asuint32(obj) + : cfg_obj_asuint32(obj) * 60); obj = NULL; result = named_config_get(maps, "max-transfer-idle-out", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60); + dns_zone_setidleout(zone, transferinsecs + ? cfg_obj_asuint32(obj) + : cfg_obj_asuint32(obj) * 60); obj = NULL; result = named_config_get(maps, "max-journal-size", &obj); @@ -1382,15 +1342,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, journal_size = -1; } } else { - isc_resourcevalue_t value; - value = cfg_obj_asuint64(obj); + uint64_t value = cfg_obj_asuint64(obj); if (value > DNS_JOURNAL_SIZE_MAX) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR, "'max-journal-size " "%" PRId64 "' " "is too large", value); - RETERR(ISC_R_RANGE); + CHECK(ISC_R_RANGE); } journal_size = (uint32_t)value; } 
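Review bot: The expression `transferinsecs ? cfg_obj_asuint32(obj) : cfg_obj_asuint32(obj) * 60` is written out four times in this function (here for max-transfer-time-out and max-transfer-idle-out, and again in the max-transfer-time-in hunk further down); a small static helper would keep the unit conversion in one place and give the `* 60` a name. The multiplication is also done in `uint32_t`, so a configured value above 71582788 minutes wraps silently; whether the config grammar caps these options is not visible here, so a comment on the helper (or a range check) is worth adding. The enclosing function continues outside the hunk.
```c
/*
 * Transfer timeouts are configured in minutes unless the server-wide
 * NS_SERVER_TRANSFERINSECS option is set, in which case the configured
 * value is already in seconds.  Note: the minute conversion is done in
 * uint32_t and is not range-checked here.
 */
static uint32_t
transfer_seconds(const cfg_obj_t *obj, bool transferinsecs) {
	uint32_t value = cfg_obj_asuint32(obj);
	return (transferinsecs ? value : value * 60);
}

/* … unchanged: max-transfer-time-out lookup … */
dns_zone_setmaxxfrout(zone, transfer_seconds(obj, transferinsecs));
/* … unchanged: max-transfer-idle-out lookup … */
dns_zone_setidleout(zone, transfer_seconds(obj, transferinsecs));
```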
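Review bot: `value` is now declared as `uint64_t`, but the `cfg_obj_log()` call two lines below still prints it with `PRId64`, so the format specifier no longer matches the argument's signedness and a value above INT64_MAX would be logged as a negative number. Change `"%" PRId64 "' "` to `"%" PRIu64 "' "`; the same declaration-plus-format pattern is repeated in the second max-journal-size block later in this function and should be fixed there too. The surrounding function continues outside the hunk.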
@@ -1406,13 +1365,13 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ixfrdiff = cfg_obj_asboolean(obj); } else if ((strcasecmp(cfg_obj_asstring(obj), "primary") == 0 || strcasecmp(cfg_obj_asstring(obj), "master") == 0) && - ztype == dns_zone_master) + ztype == dns_zone_primary) { ixfrdiff = true; } else if ((strcasecmp(cfg_obj_asstring(obj), "secondary") == 0 || strcasecmp(cfg_obj_asstring(obj), "slave") == 0) && - ztype == dns_zone_slave) + ztype == dns_zone_secondary) { ixfrdiff = true; } else { @@ -1458,8 +1417,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (raw != NULL) { dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES, check); @@ -1493,11 +1451,16 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check); + obj = NULL; + result = named_config_get(maps, "check-svcb", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSVCB, + cfg_obj_asboolean(obj)); + obj = NULL; result = named_config_get(maps, "zero-no-soa-ttl", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); 
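Review bot: The new `check-svcb` lookup uses `INSIST(result == ISC_R_SUCCESS && obj != NULL)`, so named aborts rather than failing configuration if the built-in defaults (outside this file) do not carry a value for the option; that is the convention used for the neighbouring options, but it means the default must land together with this change. If it does, a short note in the commit is enough; otherwise either add it or fall back explicitly with `if (result == ISC_R_SUCCESS) { dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSVCB, cfg_obj_asboolean(obj)); }`. named_zone_configure continues outside the hunk.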
@@ -1524,31 +1487,46 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, journal_size = -1; } } else { - isc_resourcevalue_t value; - value = cfg_obj_asuint64(obj); + uint64_t value = cfg_obj_asuint64(obj); if (value > DNS_JOURNAL_SIZE_MAX) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR, "'max-journal-size " "%" PRId64 "' " "is too large", value); - RETERR(ISC_R_RANGE); + CHECK(ISC_R_RANGE); } journal_size = (uint32_t)value; } dns_zone_setjournalsize(zone, journal_size); } + if (use_kasp) { + maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false); + } else { + obj = NULL; + result = named_config_get(maps, "max-zone-ttl", &obj); + if (result == ISC_R_SUCCESS) { + if (cfg_obj_isduration(obj)) { + maxttl = cfg_obj_asduration(obj); + } + } + } + dns_zone_setmaxttl(zone, maxttl); + if (raw != NULL) { + dns_zone_setmaxttl(raw, maxttl); + } + /* * Configure update-related options. These apply to * primary servers only. */ - if (ztype == dns_zone_master) { + if (ztype == dns_zone_primary) { dns_acl_t *updateacl; - RETERR(configure_zone_acl( - zconfig, vconfig, config, allow_update, ac, mayberaw, - dns_zone_setupdateacl, dns_zone_clearupdateacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update, + ac, mayberaw, dns_zone_setupdateacl, + dns_zone_clearupdateacl)); updateacl = dns_zone_getupdateacl(mayberaw); if (updateacl != NULL && dns_acl_isinsecure(updateacl)) { 
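Review bot: In the relocated max-zone-ttl block, a `max-zone-ttl` option configured alongside `dnssec-policy` is now silently overridden by `dns_kasp_zonemaxttl()` with no log line at this point; the removed comments elsewhere in this file stated for similar overlaps that named-checkconf rejects the combination, but nothing here says so for this option. A comment above `if (use_kasp) {` such as `/* dnssec-policy supplies max-zone-ttl; named-checkconf rejects both being set (confirm). */` would document the precedence, and the unexplained `false` argument to `dns_kasp_zonemaxttl()` deserves a word too. `maxttl` starts at 0 (the declaration's `/* unlimited */`), so the non-duration case of `max-zone-ttl` correctly falls through to unlimited. named_zone_configure continues outside the hunk.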
@@ -1559,15 +1537,17 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, zname); } - RETERR(configure_zone_ssutable(zoptions, mayberaw, zname)); + CHECK(configure_zone_ssutable(zoptions, mayberaw, zname)); } - if (ztype == dns_zone_master || raw != NULL) { - const cfg_obj_t *validity, *resign; - bool allow = false, maint = false; - bool sigvalinsecs; - + /* + * Configure DNSSEC signing. These apply to primary zones or zones that + * use inline-signing (raw != NULL). + */ + if (ztype == dns_zone_primary || raw != NULL) { if (use_kasp) { + int seconds; + if (dns_kasp_nsec3(kasp)) { result = dns_zone_setnsec3param( zone, 1, dns_kasp_nsec3flags(kasp), 
@@ -1579,52 +1559,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, zone, 0, 0, 0, 0, NULL, true, false); } INSIST(result == ISC_R_SUCCESS); - } - if (use_kasp) { seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp); - } else { - obj = NULL; - result = named_config_get(maps, "dnskey-sig-validity", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - seconds = cfg_obj_asuint32(obj) * 86400; - } - dns_zone_setkeyvalidityinterval(zone, seconds); + dns_zone_setkeyvalidityinterval(zone, seconds); - if (use_kasp) { seconds = (uint32_t)dns_kasp_sigvalidity(kasp); dns_zone_setsigvalidityinterval(zone, seconds); - seconds = (uint32_t)dns_kasp_sigrefresh(kasp); - dns_zone_setsigresigninginterval(zone, seconds); - } else { - obj = NULL; - result = named_config_get(maps, "sig-validity-interval", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - - sigvalinsecs = ns_server_getoption( - named_g_server->sctx, NS_SERVER_SIGVALINSECS); - validity = cfg_tuple_get(obj, "validity"); - seconds = cfg_obj_asuint32(validity); - if (!sigvalinsecs) { - seconds *= 86400; - } - dns_zone_setsigvalidityinterval(zone, seconds); - resign = cfg_tuple_get(obj, "re-sign"); - if (cfg_obj_isvoid(resign)) { - seconds /= 4; - } else if (!sigvalinsecs) { - uint32_t r = cfg_obj_asuint32(resign); - if (seconds > 7 * 86400) { - seconds = r * 86400; - } else { - seconds = r * 3600; - } - } else { - seconds = cfg_obj_asuint32(resign); - } + seconds = (uint32_t)dns_kasp_sigrefresh(kasp); dns_zone_setsigresigninginterval(zone, seconds); } @@ -1632,7 +1574,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, result = named_config_get(maps, "key-directory", &obj); if (result == ISC_R_SUCCESS) { filename = cfg_obj_asstring(obj); - RETERR(dns_zone_setkeydirectory(zone, filename)); + CHECK(dns_zone_setkeydirectory(zone, filename)); } obj = NULL; 
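Review bot: `seconds`, declared as `int` in the preceding hunk, receives `(uint32_t)dns_kasp_sigvalidity_dnskey(kasp)`, `(uint32_t)dns_kasp_sigvalidity(kasp)` and `(uint32_t)dns_kasp_sigrefresh(kasp)` and is then handed to the `dns_zone_set*interval()` setters, so every value goes unsigned → int → (presumably) uint32_t, and anything of 2^31 or more is negative in between, which is implementation-defined. Declaring it as `uint32_t seconds;` inside the `if (use_kasp)` block removes that round trip; if the kasp getters return a signed type the cast can stay at the assignment. The enclosing `if (ztype == dns_zone_primary || raw != NULL)` block and the function continue outside the hunk.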
@@ -1650,70 +1592,80 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(result == ISC_R_SUCCESS && obj != NULL); dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj)); - obj = NULL; - result = named_config_get(maps, "update-check-ksk", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - - obj = NULL; - result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - obj = NULL; result = named_config_get(maps, "dnssec-loadkeys-interval", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setrefreshkeyinterval(zone, - cfg_obj_asuint32(obj))); + CHECK(dns_zone_setrefreshkeyinterval(zone, + cfg_obj_asuint32(obj))); - obj = NULL; - result = cfg_map_get(zoptions, "auto-dnssec", &obj); if (kasp != NULL) { bool s2i = (strcmp(dns_kasp_getname(kasp), "insecure") != 0); dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true); dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i); dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true); - } else if (result == ISC_R_SUCCESS) { - const char *arg = cfg_obj_asstring(obj); - if (strcasecmp(arg, "allow") == 0) { - allow = true; - } else if (strcasecmp(arg, "maintain") == 0) { - allow = maint = true; - } else if (strcasecmp(arg, "off") == 0) { - /* Default */ - } else { - INSIST(0); - ISC_UNREACHABLE(); - } - dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint); } } - if (ztype == dns_zone_slave || ztype == dns_zone_mirror) { 
- RETERR(configure_zone_acl(zconfig, vconfig, config, - allow_update_forwarding, ac, mayberaw, - dns_zone_setforwardacl, - dns_zone_clearforwardacl)); + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { + CHECK(configure_zone_acl(zconfig, vconfig, config, + allow_update_forwarding, ac, mayberaw, + dns_zone_setforwardacl, + dns_zone_clearforwardacl)); } /*% - * Primary master functionality. + * Configure parental agents, applies to primary and secondary zones. */ - if (ztype == dns_zone_master) { + if (ztype == dns_zone_primary || ztype == dns_zone_secondary) { + const cfg_obj_t *parentals = NULL; + (void)cfg_map_get(zoptions, "parental-agents", &parentals); + if (parentals != NULL) { + dns_ipkeylist_t ipkl; + dns_ipkeylist_init(&ipkl); + CHECK(named_config_getipandkeylist( + config, "parental-agents", parentals, mctx, + &ipkl)); + dns_zone_setparentals(zone, ipkl.addrs, ipkl.sources, + ipkl.keys, ipkl.tlss, ipkl.count); + dns_ipkeylist_clear(mctx, &ipkl); + } else { + dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0); + } + + obj = NULL; + result = named_config_get(maps, "checkds", &obj); + if (result == ISC_R_SUCCESS) { + if (cfg_obj_isboolean(obj)) { + if (cfg_obj_asboolean(obj)) { + checkdstype = dns_checkdstype_yes; + } else { + checkdstype = dns_checkdstype_no; + } + } else { + const char *str = cfg_obj_asstring(obj); + if (strcasecmp(str, "explicit") == 0) { + checkdstype = dns_checkdstype_explicit; + } else { + UNREACHABLE(); + } + } + } else if (parentals != NULL) { + checkdstype = dns_checkdstype_explicit; + } else { + checkdstype = dns_checkdstype_yes; + } + if (raw != NULL) { + dns_zone_setcheckdstype(raw, dns_checkdstype_no); + } + dns_zone_setcheckdstype(zone, checkdstype); + } + + /*% + * Configure primary zone functionality. + */ + if (ztype == dns_zone_primary) { obj = NULL; result = named_config_get(maps, "check-wildcard", &obj); if (result == ISC_R_SUCCESS) { 
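Review bot: `if (raw != NULL) { dns_zone_setcheckdstype(raw, dns_checkdstype_no); }` has no comment explaining why DS checking is forced off on the raw zone while the configured `checkdstype` goes to the signed zone; from the visible code the reason appears to be that with inline-signing only the signed zone carries the DNSSEC state a DS check compares against, but a reader should not have to infer it. Suggest `/* With inline-signing the DS check belongs to the signed zone only (confirm). */` above the `if`. The same comment could record that, when `checkds` is absent, the `else if (parentals != NULL)` branch switches the default to `explicit` as soon as `parental-agents` is configured, which is easy to miss. named_zone_configure continues outside the hunk.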
@@ -1723,26 +1675,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check); - /* - * With map files, the default is ignore duplicate - * records. With other master formats, the default is - * taken from the global configuration. - */ obj = NULL; - if (masterformat != dns_masterformat_map) { - result = named_config_get(maps, "check-dup-records", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dupcheck = cfg_obj_asstring(obj); - } else { - result = named_config_get(nodefault, - "check-dup-records", &obj); - if (result == ISC_R_SUCCESS) { - dupcheck = cfg_obj_asstring(obj); - } else { - dupcheck = "ignore"; - } - } + result = named_config_get(maps, "check-dup-records", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + dupcheck = cfg_obj_asstring(obj); if (strcasecmp(dupcheck, "warn") == 0) { fail = false; check = true; @@ -1751,8 +1687,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(dupcheck, "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check); dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail); 
@@ -1768,34 +1703,16 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check); dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail); - /* - * With map files, the default is *not* to check - * integrity. With other master formats, the default is - * taken from the global configuration. - */ obj = NULL; - if (masterformat != dns_masterformat_map) { - result = named_config_get(maps, "check-integrity", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY, - cfg_obj_asboolean(obj)); - } else { - check = false; - result = named_config_get(nodefault, "check-integrity", - &obj); - if (result == ISC_R_SUCCESS) { - check = cfg_obj_asboolean(obj); - } - dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY, - check); - } + result = named_config_get(maps, "check-integrity", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY, + cfg_obj_asboolean(obj)); obj = NULL; result = named_config_get(maps, "check-mx-cname", &obj); @@ -1808,8 +1725,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { warn = ignore = true; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn); dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore); 
@@ -1825,35 +1741,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { warn = ignore = true; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn); dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME, ignore); - obj = NULL; - result = named_config_get(maps, "dnssec-secure-to-insecure", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE, - cfg_obj_asboolean(obj)); - - obj = NULL; - result = cfg_map_get(zoptions, "dnssec-update-mode", &obj); - if (result == ISC_R_SUCCESS) { - const char *arg = cfg_obj_asstring(obj); - if (strcasecmp(arg, "no-resign") == 0) { - dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN, - true); - } else if (strcasecmp(arg, "maintain") == 0) { - /* Default */ - } else { - INSIST(0); - ISC_UNREACHABLE(); - } - } - obj = NULL; result = named_config_get(maps, "serial-update-method", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); @@ -1870,7 +1763,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } /* - * Configure slave functionality. + * Configure secondary zone functionality. */ switch (ztype) { case dns_zone_mirror: @@ -1882,12 +1775,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, (void)cfg_map_get(zoptions, "allow-transfer", &obj); if (obj == NULL) { dns_acl_t *none; - RETERR(dns_acl_none(mctx, &none)); + CHECK(dns_acl_none(mctx, &none)); dns_zone_setxfracl(zone, none); dns_acl_detach(&none); } - /* FALLTHROUGH */ - case dns_zone_slave: + FALLTHROUGH; + case dns_zone_secondary: case dns_zone_stub: case dns_zone_redirect: count = 0; 
@@ -1904,28 +1797,26 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, if (obj == NULL && ztype == dns_zone_mirror && dns_name_equal(dns_zone_getorigin(zone), dns_rootname)) { - result = named_config_getprimariesdef( - named_g_config, + result = named_config_getremotesdef( + named_g_config, "primaries", DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj); - RETERR(result); + CHECK(result); } if (obj != NULL) { dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); - RETERR(named_config_getipandkeylist(config, obj, mctx, - &ipkl)); - result = dns_zone_setprimaries(mayberaw, ipkl.addrs, - ipkl.keys, ipkl.tlss, - ipkl.count); + CHECK(named_config_getipandkeylist(config, "primaries", + obj, mctx, &ipkl)); + dns_zone_setprimaries(mayberaw, ipkl.addrs, + ipkl.sources, ipkl.keys, + ipkl.tlss, ipkl.count); count = ipkl.count; dns_ipkeylist_clear(mctx, &ipkl); - RETERR(result); } else { - result = dns_zone_setprimaries(mayberaw, NULL, NULL, - NULL, 0); + dns_zone_setprimaries(mayberaw, NULL, NULL, NULL, NULL, + 0); } - RETERR(result); multi = false; if (count > 1) { @@ -1939,12 +1830,16 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = named_config_get(maps, "max-transfer-time-in", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60); + dns_zone_setmaxxfrin( + mayberaw, transferinsecs ? cfg_obj_asuint32(obj) + : cfg_obj_asuint32(obj) * 60); obj = NULL; result = named_config_get(maps, "max-transfer-idle-in", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60); + dns_zone_setidlein(mayberaw, + transferinsecs ? cfg_obj_asuint32(obj) + : cfg_obj_asuint32(obj) * 60); obj = NULL; result = named_config_get(maps, "max-refresh-time", &obj); 
@@ -1969,69 +1864,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = named_config_get(maps, "transfer-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setxfrsource4(mayberaw, - cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - RETERR(dns_zone_setxfrsource4dscp(mayberaw, dscp)); - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); + CHECK(dns_zone_setxfrsource4(mayberaw, + cfg_obj_assockaddr(obj))); obj = NULL; result = named_config_get(maps, "transfer-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setxfrsource6(mayberaw, - cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - RETERR(dns_zone_setxfrsource6dscp(mayberaw, dscp)); - named_add_reserved_dispatch(named_g_server, - cfg_obj_assockaddr(obj)); - - obj = NULL; - result = named_config_get(maps, "alt-transfer-source", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setaltxfrsource4(mayberaw, - cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - RETERR(dns_zone_setaltxfrsource4dscp(mayberaw, dscp)); - - obj = NULL; - result = named_config_get(maps, "alt-transfer-source-v6", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setaltxfrsource6(mayberaw, - cfg_obj_assockaddr(obj))); - dscp = cfg_obj_getdscp(obj); - if (dscp == -1) { - dscp = named_g_dscp; - } - RETERR(dns_zone_setaltxfrsource6dscp(mayberaw, dscp)); - - obj = NULL; - (void)named_config_get(maps, "use-alt-transfer-source", &obj); - if (obj == NULL) { - /* - * Default off when views are in use otherwise - * on for BIND 8 compatibility. 
- */ - view = dns_zone_getview(zone); - if (view != NULL && strcmp(view->name, "_default") == 0) - { - alt = true; - } else { - alt = false; - } - } else { - alt = cfg_obj_asboolean(obj); - } - dns_zone_setoption(mayberaw, DNS_ZONEOPT_USEALTXFRSRC, alt); + CHECK(dns_zone_setxfrsource6(mayberaw, + cfg_obj_assockaddr(obj))); obj = NULL; (void)named_config_get(maps, "try-tcp-refresh", &obj); @@ -2040,15 +1880,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, break; case dns_zone_staticstub: - RETERR(configure_staticstub(zoptions, zone, zname, - default_dbtype)); + CHECK(configure_staticstub(zoptions, zone, zname, + default_dbtype)); break; default: break; } - return (ISC_R_SUCCESS); + result = ISC_R_SUCCESS; + +cleanup: + if (kasp != NULL) { + dns_kasp_detach(&kasp); + } + return (result); } /* @@ -2058,11 +1904,8 @@ isc_result_t named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone, dns_rdataclass_t rdclass, dns_name_t *name) { dns_db_t *db = NULL; - isc_time_t now; isc_result_t result; - TIME_NOW(&now); - dns_zone_settype(zone, dns_zone_dlz); result = dns_sdlz_setdb(dlzdatabase, rdclass, name, &db); if (result != ISC_R_SUCCESS) { @@ -2076,7 +1919,7 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone, bool named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx) { + dns_kasplist_t *kasplist) { const cfg_obj_t *zoptions = NULL; const cfg_obj_t *obj = NULL; const char *cfilename; @@ -2110,8 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, has_raw = false; } - inline_signing = named_zone_inlinesigning(zone, zconfig, vconfig, - config, actx); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, config, + kasplist); if (!inline_signing && has_raw) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: old zone was inline-signing"); 
@@ -2148,80 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, } bool -named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx) { - isc_result_t res; - const cfg_obj_t *zoptions = NULL; - const cfg_obj_t *voptions = NULL; - const cfg_obj_t *options = NULL; +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist) { + const cfg_obj_t *maps[4]; const cfg_obj_t *signing = NULL; - const cfg_obj_t *allowupdate = NULL; - const cfg_obj_t *updatepolicy = NULL; - bool zone_is_dynamic = false; + const cfg_obj_t *policy = NULL; + dns_kasp_t *kasp = NULL; + isc_result_t res; bool inline_signing = false; + int i = 0; - (void)cfg_map_get(config, "options", &options); - - zoptions = cfg_tuple_get(zconfig, "options"); + maps[i++] = cfg_tuple_get(zconfig, "options"); if (vconfig != NULL) { - voptions = cfg_tuple_get(vconfig, "options"); + maps[i++] = cfg_tuple_get(vconfig, "options"); } - - inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) == - ISC_R_SUCCESS && - cfg_obj_asboolean(signing)); - if (inline_signing) { - return (true); + if (config != NULL) { + const cfg_obj_t *options = NULL; + (void)cfg_map_get(config, "options", &options); + if (options != NULL) { + maps[i++] = options; + } } + maps[i] = NULL; - if (cfg_map_get(zoptions, "update-policy", &updatepolicy) == - ISC_R_SUCCESS) { - zone_is_dynamic = true; - } else { - res = cfg_map_get(zoptions, "allow-update", &allowupdate); - if (res != ISC_R_SUCCESS && voptions != NULL) { - res = cfg_map_get(voptions, "allow-update", - &allowupdate); - } - if (res != ISC_R_SUCCESS && options != NULL) { - res = cfg_map_get(options, "allow-update", - &allowupdate); - } - if (res == ISC_R_SUCCESS) { - dns_acl_t *acl = NULL; - res = cfg_acl_fromconfig( - allowupdate, config, named_g_lctx, actx, - dns_zone_getmctx(zone), 0, &acl); - if 
(res == ISC_R_SUCCESS && acl != NULL && - !dns_acl_isnone(acl)) { - zone_is_dynamic = true; - } - if (acl != NULL) { - dns_acl_detach(&acl); - } - } + /* "inline-signing" is a zone-only clause, so look in maps[0] only. */ + res = cfg_map_get(maps[0], "inline-signing", &signing); + if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) { + return (cfg_obj_asboolean(signing)); } - /* - * If inline-signing is not set, perhaps implictly through a - * dnssec-policy. Since automated DNSSEC maintenance requires - * a dynamic zone, or inline-siging to be enabled, check if - * the zone with dnssec-policy allows updates. If not, enable - * inline-signing. - */ - signing = NULL; - if (!inline_signing && !zone_is_dynamic && - cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS && - signing != NULL) + /* If inline-signing is not set, check the value in dnssec-policy. */ + policy = NULL; + res = named_config_get(maps, "dnssec-policy", &policy); + /* If no dnssec-policy found, then zone is not using inline-signing. */ + if (res != ISC_R_SUCCESS || + strcmp(cfg_obj_asstring(policy), "none") == 0) { - if (strcmp(cfg_obj_asstring(signing), "none") != 0) { - inline_signing = true; - dns_zone_log(zone, ISC_LOG_DEBUG(1), - "inline-signing: " - "implicitly through dnssec-policy"); - } + return (false); + } + + /* Lookup the policy. */ + res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp); + if (res != ISC_R_SUCCESS) { + return (false); } + inline_signing = dns_kasp_inlinesigning(kasp); + dns_kasp_detach(&kasp); + return (inline_signing); } diff --git a/bin/nsupdate/Makefile.am b/bin/nsupdate/Makefile.am index fc0e62b99c..4ef15ed799 100644 --- a/bin/nsupdate/Makefile.am +++ b/bin/nsupdate/Makefile.am 
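Review bot: A dnssec-policy name that `dns_kasplist_find` cannot resolve now silently yields false, and the DEBUG(1) message "inline-signing: implicitly through dnssec-policy" the old body emitted is gone, so an operator can no longer see from the log why a zone was or was not treated as inline-signed. Since the zone handle was dropped from the signature, `dns_zone_log` is no longer available here; at least put a why-comment on that branch, e.g. `/* Unknown policy: expected to be rejected at config check time; treat as not inline-signed. */`, assuming that check exists elsewhere. Note also that an explicit `inline-signing no` now returns early from the `maps[0]` lookup instead of falling through to the policy check as the old code did; if that is intended, say so in the comment above that lookup.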
@@ -4,21 +4,17 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ $(LIBISCCFG_CFLAGS) \ - $(LIBIRS_CFLAGS) \ - $(LIBBIND9_CFLAGS) \ $(GSSAPI_CFLAGS) \ $(KRB5_CFLAGS) \ $(READLINE_CFLAGS) -AM_CPPFLAGS += \ +AM_CPPFLAGS += \ -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" -LDADD = \ +LDADD += \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) \ $(LIBISCCFG_LIBS) \ - $(LIBIRS_LIBS) \ - $(LIBBIND9_LIBS) \ $(GSSAPI_LIBS) \ $(KRB5_LIBS) diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 9835c47b9e..3e673f493d 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -19,40 +21,36 @@ #include #include -#include +#include #include #include #include #include -#include #include +#include #include #include #include +#include #include #include +#include #include #include -#include #include -#include #include #include +#include #include -#include #include #include -#include -#include +#include #include #include -#include - #include #include #include -#include #include #include #include @@ -67,8 +65,8 @@ #include #include #include -#include #include +#include #include #include 
@@ -94,21 +92,17 @@ #endif /* HAVE_GSSAPI */ -#include - #include "../dig/readline.h" -#define MAXCMD (128 * 1024) -#define MAXWIRE (64 * 1024) -#define PACKETSIZE ((64 * 1024) - 1) -#define INITTEXT (2 * 1024) -#define MAXTEXT (128 * 1024) -#define FIND_TIMEOUT 5 -#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */ +#define MAXCMD (128 * 1024) +#define MAXWIRE (64 * 1024) +#define INITTEXT (2 * 1024) +#define MAXTEXT (128 * 1024) +#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */ #define DNSDEFAULTPORT 53 -/* Number of addresses to request from bind9_getaddresses() */ +/* Number of addresses to request from isc_getaddresses() */ #define MAX_SERVERADDRS 4 static uint16_t dnsport = DNSDEFAULTPORT; @@ -122,21 +116,16 @@ static bool memdebugging = false; static bool have_ipv4 = false; static bool have_ipv6 = false; static bool is_dst_up = false; +static bool use_tls = false; static bool usevc = false; static bool usegsstsig = false; -static bool use_win2k_gsstsig = false; -static bool tried_other_gsstsig = false; static bool local_only = false; static isc_nm_t *netmgr = NULL; -static isc_taskmgr_t *taskmgr = NULL; -static isc_task_t *global_task = NULL; -static isc_event_t *global_event = NULL; +static isc_loopmgr_t *loopmgr = NULL; static isc_log_t *glctx = NULL; static isc_mem_t *gmctx = NULL; static dns_dispatchmgr_t *dispatchmgr = NULL; static dns_requestmgr_t *requestmgr = NULL; -static isc_socketmgr_t *socketmgr = NULL; -static isc_timermgr_t *timermgr = NULL; static dns_dispatch_t *dispatchv4 = NULL; static dns_dispatch_t *dispatchv6 = NULL; static dns_message_t *updatemsg = NULL; 
@@ -145,19 +134,27 @@ static dns_fixedname_t fzname; static dns_name_t *userzone = NULL; static dns_name_t *zname = NULL; static dns_name_t tmpzonename = DNS_NAME_INITEMPTY; -static dns_name_t restart_master = DNS_NAME_INITEMPTY; -static dns_tsig_keyring_t *gssring = NULL; +static dns_name_t restart_primary = DNS_NAME_INITEMPTY; +static dns_tsigkeyring_t *gssring = NULL; static dns_tsigkey_t *tsigkey = NULL; static dst_key_t *sig0key = NULL; static isc_sockaddr_t *servers = NULL; -static isc_sockaddr_t *master_servers = NULL; +static isc_sockaddr_t *primary_servers = NULL; +static dns_transport_list_t *transport_list = NULL; +static dns_transport_t *transport = NULL; +static isc_tlsctx_cache_t *tls_ctx_cache = NULL; +static char *tls_hostname = NULL; +static char *tls_client_key_file = NULL; +static char *tls_client_cert_file = NULL; +static char *tls_ca_file = NULL; +static bool tls_always_verify_remote = true; static bool default_servers = true; static int ns_inuse = 0; -static int master_inuse = 0; +static int primary_inuse = 0; static int ns_total = 0; static int ns_alloc = 0; -static int master_total = 0; -static int master_alloc = 0; +static int primary_total = 0; +static int primary_alloc = 0; static isc_sockaddr_t *localaddr4 = NULL; static isc_sockaddr_t *localaddr6 = NULL; static const char *keyfile = NULL; @@ -179,6 +176,10 @@ static dns_message_t *answer = NULL; static uint32_t default_ttl = 0; static bool default_ttl_set = false; static bool checknames = true; +static bool checksvcb = true; +static const char *resolvconf = RESOLV_CONF; + +bool done = false; typedef struct nsu_requestinfo { dns_message_t *msg; 
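Review bot: `bool done = false;` is the only non-static file-scope variable in this block, and a symbol as generic as `done` is prone to clashing with another translation unit linked into the binary. Unless a sibling file (e.g. the shared readline code) references it through an `extern` declaration, it should be `static bool done = false;` like the surrounding globals.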
@@ -189,9 +190,12 @@ static void sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, dns_request_t **request); static void -send_update(dns_name_t *zonename, isc_sockaddr_t *master); +send_update(dns_name_t *zonename, isc_sockaddr_t *primary); -ISC_NORETURN static void +static void +getinput(void *arg); + +noreturn static void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); static void @@ -215,12 +219,12 @@ typedef struct nsu_gssinfo { static void failed_gssrequest(void); static void -start_gssrequest(dns_name_t *master); +start_gssrequest(dns_name_t *primary); static void send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, dns_request_t **request, gss_ctx_id_t context); static void -recvgss(isc_task_t *task, isc_event_t *event); +recvgss(void *arg); #endif /* HAVE_GSSAPI */ static void @@ -232,15 +236,15 @@ error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); #define STATUS_SYNTAX (uint16_t)3 static void -master_from_servers(void) { - if (master_servers != NULL && master_servers != servers) { - isc_mem_put(gmctx, master_servers, - master_alloc * sizeof(isc_sockaddr_t)); - } - master_servers = servers; - master_total = ns_total; - master_alloc = ns_alloc; - master_inuse = ns_inuse; +primary_from_servers(void) { + if (primary_servers != NULL && primary_servers != servers) { + isc_mem_cput(gmctx, primary_servers, primary_alloc, + sizeof(isc_sockaddr_t)); + } + primary_servers = servers; + primary_total = ns_total; + primary_alloc = ns_alloc; + primary_inuse = ns_inuse; } static dns_rdataclass_t @@ -271,6 +275,7 @@ fatal(const char *format, ...) { vfprintf(stderr, format, args); va_end(args); fprintf(stderr, "\n"); + isc__tls_setfatalmode(); exit(1); } @@ -308,7 +313,7 @@ ddebug(const char *format, ...) { } } -static inline void +ISC_NO_SANITIZE_ADDRESS static void check_result(isc_result_t result, const char *msg) { if (result != ISC_R_SUCCESS) { fatal("%s: %s", msg, isc_result_totext(result)); 
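Review bot: `ISC_NO_SANITIZE_ADDRESS` on check_result carries no comment explaining why ASan instrumentation must be disabled for a function that only tests a result and calls fatal(), so the next maintainer cannot tell whether the attribute is still needed. Add a one-line why-comment above it naming the interaction it works around. In the `@@ -271` hunk, fatal() now calls `isc__tls_setfatalmode()`; the double-underscore prefix conventionally marks library-internal API in this codebase, so if the call is meant for applications it should be exposed under a public `isc_` name or the reliance on the internal symbol documented at the call site.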
@@ -369,18 +374,17 @@ reset_system(void) { if (gssring != NULL) { dns_tsigkeyring_detach(&gssring); } - tried_other_gsstsig = false; } } static bool -parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, +parse_hmac(const char *hmacstr, size_t len, dst_algorithm_t *hmac, uint16_t *digestbitsp) { uint16_t digestbits = 0; isc_result_t result; char buf[20]; - REQUIRE(hmac != NULL && *hmac == NULL); + REQUIRE(hmac != NULL); REQUIRE(hmacstr != NULL); if (len >= sizeof(buf)) { @@ -392,9 +396,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); if (strcasecmp(buf, "hmac-md5") == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmac = DST_ALG_HMACMD5; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmac = DST_ALG_HMACMD5; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { error("digest-bits out of range [0..128]"); @@ -402,9 +406,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha1") == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmac = DST_ALG_HMACSHA1; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmac = DST_ALG_HMACSHA1; result = isc_parse_uint16(&digestbits, &buf[10], 10); if (result != ISC_R_SUCCESS || digestbits > 160) { error("digest-bits out of range [0..160]"); 
@@ -412,9 +416,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha224") == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmac = DST_ALG_HMACSHA224; } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmac = DST_ALG_HMACSHA224; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 224) { error("digest-bits out of range [0..224]"); @@ -422,9 +426,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha256") == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmac = DST_ALG_HMACSHA256; } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmac = DST_ALG_HMACSHA256; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 256) { error("digest-bits out of range [0..256]"); @@ -432,9 +436,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha384") == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmac = DST_ALG_HMACSHA384; } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmac = DST_ALG_HMACSHA384; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 384) { error("digest-bits out of range [0..384]"); 
@@ -442,9 +446,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha512") == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmac = DST_ALG_HMACSHA512; } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmac = DST_ALG_HMACSHA512; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 512) { error("digest-bits out of range [0..512]"); @@ -479,12 +483,12 @@ setup_keystr(void) { isc_buffer_t secretbuf; isc_result_t result; isc_buffer_t keynamesrc; - char *secretstr; - char *s, *n; + char *secretstr = NULL; + char *s = NULL, *n = NULL; dns_fixedname_t fkeyname; - dns_name_t *mykeyname; - char *name; - const dns_name_t *hmacname = NULL; + dns_name_t *mykeyname = NULL; + char *name = NULL; + dst_algorithm_t hmac; uint16_t digestbits = 0; mykeyname = dns_fixedname_initname(&fkeyname); @@ -503,11 +507,11 @@ setup_keystr(void) { } name = secretstr; secretstr = n + 1; - if (!parse_hmac(&hmacname, keystr, s - keystr, &digestbits)) { + if (!parse_hmac(keystr, s - keystr, &hmac, &digestbits)) { exit(1); } } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; name = keystr; n = s; } @@ -534,11 +538,11 @@ setup_keystr(void) { secretlen = isc_buffer_usedlength(&secretbuf); debug("keycreate"); - result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen, - false, NULL, 0, 0, gmctx, NULL, &tsigkey); + result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx, + &tsigkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s: %s\n", keystr, - dns_result_totext(result)); + isc_result_totext(result)); } else { dst_key_setbits(tsigkey->key, digestbits); } 
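Review bot: The rewritten `else` branch of setup_keystr still selects `DST_ALG_HMACMD5` whenever `-y keyname:secret` omits an algorithm prefix, and evaluate_key (the `@@ -1614` hunk further down) keeps the same default. That preserves the documented behavior, but neither site says so; a comment such as `/* No algorithm prefix: keep the historical hmac-md5 default for -y compatibility. */` would stop a later cleanup from turning it into a silent incompatibility, and whether to warn on stderr about the weak default can be decided separately.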
@@ -618,7 +622,7 @@ static void setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { dst_key_t *dstkey = NULL; isc_result_t result; - const dns_name_t *hmacname = NULL; + dst_algorithm_t hmac = DST_ALG_UNKNOWN; debug("Creating key..."); 
@@ -649,56 +653,43 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { switch (dst_key_alg(dstkey)) { case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; case DST_ALG_HMACSHA1: - hmacname = DNS_TSIG_HMACSHA1_NAME; - break; case DST_ALG_HMACSHA224: - hmacname = DNS_TSIG_HMACSHA224_NAME; - break; case DST_ALG_HMACSHA256: - hmacname = DNS_TSIG_HMACSHA256_NAME; - break; case DST_ALG_HMACSHA384: - hmacname = DNS_TSIG_HMACSHA384_NAME; - break; case DST_ALG_HMACSHA512: - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = dst_key_alg(dstkey); break; - } - if (hmacname != NULL) { - result = dns_tsigkey_createfromkey( - dst_key_name(dstkey), hmacname, dstkey, false, NULL, 0, - 0, mctx, NULL, &tsigkey); - dst_key_free(&dstkey); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not create key from %s: %s\n", - keyfile, isc_result_totext(result)); - return; - } - } else { + default: dst_key_attach(dstkey, &sig0key); dst_key_free(&dstkey); + return; + } + + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, dstkey, + false, false, NULL, 0, 0, mctx, + &tsigkey); + dst_key_free(&dstkey); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "could not create key from %s: %s\n", keyfile, + isc_result_totext(result)); } } static void doshutdown(void) { - isc_task_detach(&global_task); - /* - * The isc_mem_put of master_servers must be before the + * The isc_mem_put of primary_servers must be before the * isc_mem_put of servers as it sets the servers pointer * to NULL. */ - if (master_servers != NULL && master_servers != servers) { - isc_mem_put(gmctx, master_servers, - master_alloc * sizeof(isc_sockaddr_t)); + if (primary_servers != NULL && primary_servers != servers) { + isc_mem_cput(gmctx, primary_servers, primary_alloc, + sizeof(isc_sockaddr_t)); } if (servers != NULL) { - isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t)); + isc_mem_cput(gmctx, servers, ns_alloc, sizeof(isc_sockaddr_t)); } if (localaddr4 != NULL) { 
@@ -723,12 +714,6 @@ doshutdown(void) { dns_message_detach(&updatemsg); } - if (is_dst_up) { - ddebug("Destroy DST lib"); - dst_lib_destroy(); - is_dst_up = false; - } - ddebug("Destroying request manager"); dns_requestmgr_detach(&requestmgr); @@ -741,14 +726,15 @@ doshutdown(void) { } ddebug("Shutting down dispatch manager"); - dns_dispatchmgr_destroy(&dispatchmgr); + dns_dispatchmgr_detach(&dispatchmgr); } static void maybeshutdown(void) { /* when called from getinput, doshutdown might be already finished */ - if (requestmgr == NULL) + if (requestmgr == NULL) { return; + } ddebug("Shutting down request manager"); dns_requestmgr_shutdown(requestmgr); @@ -761,12 +747,10 @@ maybeshutdown(void) { } static void -shutdown_program(isc_task_t *task, isc_event_t *event) { - REQUIRE(task == global_task); - UNUSED(task); +shutdown_program(void *arg) { + UNUSED(arg); ddebug("shutdown_program()"); - isc_event_free(&event); shuttingdown = true; maybeshutdown(); @@ -800,19 +784,31 @@ set_source_ports(dns_dispatchmgr_t *manager) { isc_portset_destroy(gmctx, &v6portset); } +static isc_result_t +create_name(const char *str, char *namedata, size_t len, dns_name_t *name) { + isc_buffer_t namesrc, namebuf; + + dns_name_init(name, NULL); + isc_buffer_constinit(&namesrc, str, strlen(str)); + isc_buffer_add(&namesrc, strlen(str)); + isc_buffer_init(&namebuf, namedata, len); + + return (dns_name_fromtext(name, &namesrc, dns_rootname, + DNS_NAME_DOWNCASE, &namebuf)); +} + static void setup_system(void) { isc_result_t result; isc_sockaddr_t bind_any, bind_any6; - unsigned int attrs, attrmask; isc_sockaddrlist_t *nslist; isc_logconfig_t *logconfig = NULL; irs_resconf_t *resconf = NULL; + dns_name_t tlsname; + char namedata[DNS_NAME_FORMATSIZE + 1]; ddebug("setup_system()"); - dns_result_register(); - isc_log_create(gmctx, &glctx, &logconfig); isc_log_setcontext(glctx); dns_log_init(glctx); 
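Review bot: Removing `dst_lib_destroy()` from doshutdown leaves `is_dst_up = true` in setup_system (the `@@ -921` hunk) with no remaining reader visible in this diff. If the teardown moved to main() and no longer consults the flag, it is dead and should go too; otherwise a comment at the assignment saying where it is consumed would help.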
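Review bot: create_name has no header comment stating that `name` is only valid while the caller-supplied `namedata` buffer lives, which matters because setup_system passes a stack array and then hands the name to `dns_transport_new`. If dns_transport_new copies the name this is fine; if it keeps the pointer, the transport dangles once setup_system returns — please confirm and record the answer. Suggested header: `/* Parse str into name; name's storage is namedata, so namedata must outlive name. */`. Minor: `strlen(str)` is computed twice; `size_t slen = strlen(str);` reads better.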
@@ -823,18 +819,18 @@ setup_system(void) { isc_log_setdebuglevel(glctx, logdebuglevel); - result = irs_resconf_load(gmctx, RESOLV_CONF, &resconf); + result = irs_resconf_load(gmctx, resolvconf, &resconf); if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) { - fatal("parse of %s failed", RESOLV_CONF); + fatal("parse of %s failed", resolvconf); } nslist = irs_resconf_getnameservers(resconf); if (servers != NULL) { - if (master_servers == servers) { - master_servers = NULL; + if (primary_servers == servers) { + primary_servers = NULL; } - isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t)); + isc_mem_cput(gmctx, servers, ns_alloc, sizeof(isc_sockaddr_t)); } ns_inuse = 0; @@ -849,7 +845,7 @@ setup_system(void) { default_servers = !local_only; ns_total = ns_alloc = (have_ipv4 ? 1 : 0) + (have_ipv6 ? 1 : 0); - servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t)); + servers = isc_mem_cget(gmctx, ns_alloc, sizeof(isc_sockaddr_t)); if (have_ipv6) { memset(&in6, 0, sizeof(in6)); @@ -872,7 +868,8 @@ setup_system(void) { */ ns_total = 0; for (sa = ISC_LIST_HEAD(*nslist); sa != NULL; - sa = ISC_LIST_NEXT(sa, link)) { + sa = ISC_LIST_NEXT(sa, link)) + { switch (sa->type.sa.sa_family) { case AF_INET: if (have_ipv4) { @@ -890,11 +887,12 @@ setup_system(void) { } ns_alloc = ns_total; - servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t)); + servers = isc_mem_cget(gmctx, ns_alloc, sizeof(isc_sockaddr_t)); i = 0; for (sa = ISC_LIST_HEAD(*nslist); sa != NULL; - sa = ISC_LIST_NEXT(sa, link)) { + sa = ISC_LIST_NEXT(sa, link)) + { switch (sa->type.sa.sa_family) { case AF_INET: if (have_ipv4) { 
@@ -921,52 +919,56 @@ setup_system(void) { irs_resconf_destroy(&resconf); - result = dns_dispatchmgr_create(gmctx, &dispatchmgr); + result = dns_dispatchmgr_create(gmctx, netmgr, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); - isc_managers_create(gmctx, 1, 0, 0, &netmgr, &taskmgr, &timermgr, - &socketmgr); - - result = isc_task_create(taskmgr, 0, &global_task); - check_result(result, "isc_task_create"); - - result = isc_task_onshutdown(global_task, shutdown_program, NULL); - check_result(result, "isc_task_onshutdown"); - result = dst_lib_init(gmctx, NULL); check_result(result, "dst_lib_init"); is_dst_up = true; set_source_ports(dispatchmgr); - attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; - if (have_ipv6) { - attrs = DNS_DISPATCHATTR_UDP; - attrs |= DNS_DISPATCHATTR_MAKEQUERY; - attrs |= DNS_DISPATCHATTR_IPV6; isc_sockaddr_any6(&bind_any6); - result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, - &bind_any6, PACKETSIZE, 4, 2, 3, 5, - attrs, attrmask, &dispatchv6); - check_result(result, "dns_dispatch_getudp (v6)"); + result = dns_dispatch_createudp(dispatchmgr, &bind_any6, + &dispatchv6); + check_result(result, "dns_dispatch_createudp (v6)"); } if (have_ipv4) { - attrs = DNS_DISPATCHATTR_UDP; - attrs |= DNS_DISPATCHATTR_MAKEQUERY; - attrs |= DNS_DISPATCHATTR_IPV4; isc_sockaddr_any(&bind_any); - result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, - &bind_any, PACKETSIZE, 4, 2, 3, 5, - attrs, attrmask, &dispatchv4); - check_result(result, "dns_dispatch_getudp (v4)"); + result = dns_dispatch_createudp(dispatchmgr, &bind_any, + &dispatchv4); + check_result(result, "dns_dispatch_createudp (v4)"); } + transport_list = dns_transport_list_new(gmctx); - result = dns_requestmgr_create(gmctx, timermgr, socketmgr, taskmgr, - dispatchmgr, dispatchv4, dispatchv6, - &requestmgr); + isc_tlsctx_cache_create(gmctx, &tls_ctx_cache); + + if (tls_client_key_file == NULL) { + 
result = create_name("tls-non-auth-client", namedata, + sizeof(namedata), &tlsname); + check_result(result, "create_name (tls-non-auth-client)"); + transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, + transport_list); + dns_transport_set_tlsname(transport, "tls-non-auth-client"); + } else { + result = create_name("tls-auth-client", namedata, + sizeof(namedata), &tlsname); + check_result(result, "create_name (tls-auth-client)"); + transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS, + transport_list); + dns_transport_set_tlsname(transport, "tls-auth-client"); + dns_transport_set_keyfile(transport, tls_client_key_file); + dns_transport_set_certfile(transport, tls_client_cert_file); + } + dns_transport_set_cafile(transport, tls_ca_file); + dns_transport_set_remote_hostname(transport, tls_hostname); + dns_transport_set_always_verify_remote(transport, + tls_always_verify_remote); + + result = dns_requestmgr_create(gmctx, loopmgr, dispatchmgr, dispatchv4, + dispatchv6, &requestmgr); check_result(result, "dns_requestmgr_create"); if (keystr != NULL) { @@ -990,9 +992,9 @@ get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr, int count = 0; isc_result_t result; - isc_app_block(); - result = bind9_getaddresses(host, port, sockaddr, naddrs, &count); - isc_app_unblock(); + isc_loopmgr_blocking(loopmgr); + result = isc_getaddresses(host, port, sockaddr, naddrs, &count); + isc_loopmgr_nonblocking(loopmgr); if (result != ISC_R_SUCCESS) { error("couldn't get address for '%s': %s", host, isc_result_totext(result)); @@ -1000,12 +1002,7 @@ get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr, return (count); } -static void -version(void) { - fprintf(stderr, "nsupdate %s\n", PACKAGE_VERSION); -} - -#define PARSE_ARGS_FMT "46dDML:y:ghilovk:p:Pr:R::t:Tu:V" +#define PARSE_ARGS_FMT "46A:C:dDE:ghH:iK:lL:MoOk:p:Pr:R:St:Tu:vVy:" static void pre_parse_args(int argc, char **argv) { 
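Review bot: The TLS transport, `tls_ctx_cache` and `transport_list` are built unconditionally, so even a plain UDP/TCP run constructs a transport it never uses and attaches whatever `-A`/`-K`/`-E` paths were given; gating this block on `use_tls` keeps the non-TLS path unchanged. Separately, `-S` without `-H` leaves `tls_hostname` NULL while `tls_always_verify_remote` stays true, and what identity the library then checks the server certificate against is not visible here — if it falls back to the literal server address, document that in the usage text; if verification is effectively skipped, parse_args should require `-H` (or an explicit `-O`) together with `-S`.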
@@ -1045,10 +1042,12 @@ pre_parse_args(int argc, char **argv) { fprintf(stderr, "%s: invalid argument -%c\n", argv[0], isc_commandline_option); } - fprintf(stderr, "usage: nsupdate [-dDi] [-L level] [-l]" - "[-g | -o | -y keyname:secret | -k " - "keyfile] " - "[-v] [-V] [-P] [-T] [-4 | -6] " + fprintf(stderr, "usage: nsupdate [-CdDi] [-L level] " + "[-l] [-g | -o | -y keyname:secret " + "| -k keyfile] [-p port] " + "[ -S [-K tlskeyfile] [-E tlscertfile] " + "[-A tlscafile] [-H tlshostname] " + "[-O] ] [-v] [-V] [-P] [-T] [-4 | -6] " "[filename]\n"); exit(1); @@ -1079,7 +1078,7 @@ pre_parse_args(int argc, char **argv) { break; case 'V': - version(); + printf("nsupdate %s\n", PACKAGE_VERSION); doexit = true; break; @@ -1120,6 +1119,13 @@ parse_args(int argc, char **argv) { fatal("can't find IPv6 networking"); } break; + case 'A': + use_tls = true; + tls_ca_file = isc_commandline_argument; + break; + case 'C': + resolvconf = isc_commandline_argument; + break; case 'd': debugging = true; break; @@ -1127,12 +1133,24 @@ parse_args(int argc, char **argv) { debugging = true; ddebugging = true; break; + case 'E': + use_tls = true; + tls_client_cert_file = isc_commandline_argument; + break; + case 'H': + use_tls = true; + tls_hostname = isc_commandline_argument; + break; case 'M': break; case 'i': force_interactive = true; interactive = true; break; + case 'K': + use_tls = true; + tls_client_key_file = isc_commandline_argument; + break; case 'l': local_only = true; break; @@ -1159,11 +1177,13 @@ parse_args(int argc, char **argv) { break; case 'g': usegsstsig = true; - use_win2k_gsstsig = false; break; case 'o': usegsstsig = true; - use_win2k_gsstsig = true; + break; + case 'O': + use_tls = true; + tls_always_verify_remote = false; break; case 'p': result = isc_parse_uint16(&dnsport, @@ -1176,6 +1196,9 @@ parse_args(int argc, char **argv) { exit(1); } break; + case 'S': + use_tls = true; + break; case 't': result = isc_parse_uint32(&timeout, isc_commandline_argument, 10); 
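Review bot: The new usage string lists `-C` inside `[-CdDi]` as an argument-less flag, but PARSE_ARGS_FMT declares it as `C:` and the `@@ -1120` hunk reads `isc_commandline_argument` for it, so the usage text misdescribes the option. Change the first fragment to `"usage: nsupdate [-dDi] [-C resolvconf] [-L level] "`.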
@@ -1196,9 +1219,6 @@ parse_args(int argc, char **argv) { isc_commandline_argument); exit(1); } - if (udp_timeout == 0) { - udp_timeout = UINT_MAX; - } break; case 'r': result = isc_parse_uint32(&udp_retries, @@ -1211,7 +1231,7 @@ parse_args(int argc, char **argv) { break; case 'R': - fatal("The -R options has been deprecated.\n"); + fatal("The -R option has been deprecated."); break; default: @@ -1241,6 +1261,26 @@ parse_args(int argc, char **argv) { } #endif /* HAVE_GSSAPI */ + if (use_tls) { + usevc = true; + if ((tls_client_key_file == NULL) != + (tls_client_cert_file == NULL)) + { + fprintf(stderr, + "%s: cannot specify the -K option without" + "the -E option, and vice versa.\n", + argv[0]); + exit(1); + } + if (tls_ca_file != NULL && tls_always_verify_remote == false) { + fprintf(stderr, + "%s: cannot specify the -A option in " + "conjuction with the -O option.\n", + argv[0]); + exit(1); + } + } + if (argv[isc_commandline_index] != NULL) { if (strcmp(argv[isc_commandline_index], "-") == 0) { input = stdin; @@ -1272,8 +1312,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) { return (STATUS_SYNTAX); } - result = dns_message_gettempname(msg, namep); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(msg, namep); isc_buffer_init(&source, word, strlen(word)); isc_buffer_add(&source, strlen(word)); result = dns_name_fromtext(*namep, &source, dns_rootname, 0, NULL); @@ -1308,8 +1347,7 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass, if (*cmdline != 0) { dns_rdatacallbacks_init(&callbacks); - result = isc_lex_create(gmctx, strlen(cmdline), &lex); - check_result(result, "isc_lex_create"); + isc_lex_create(gmctx, strlen(cmdline), &lex); isc_buffer_init(&source, cmdline, strlen(cmdline)); isc_buffer_add(&source, strlen(cmdline)); result = isc_lex_openbuffer(lex, &source); 
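Review bot: Both error messages in the new `use_tls` validation block are malformed: the string concatenation produces "withoutthe" (no space between the two fragments) and "conjuction" is misspelled. Change the fragments to `"%s: cannot specify the -K option without "` and `"conjunction with the -O option.\n",`. Also `tls_always_verify_remote == false` would read `!tls_always_verify_remote` in the style the rest of the file uses (cf. `!local_only` in setup_system).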
@@ -1407,8 +1445,7 @@ make_prereq(char *cmdline, bool ispositive, bool isrrset) { rdatatype = dns_rdatatype_any; } - result = dns_message_gettemprdata(updatemsg, &rdata); - check_result(result, "dns_message_gettemprdata"); + dns_message_gettemprdata(updatemsg, &rdata); dns_rdata_init(rdata); @@ -1422,10 +1459,8 @@ make_prereq(char *cmdline, bool ispositive, bool isrrset) { rdata->flags = DNS_RDATA_UPDATE; } - result = dns_message_gettemprdatalist(updatemsg, &rdatalist); - check_result(result, "dns_message_gettemprdatalist"); - result = dns_message_gettemprdataset(updatemsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); + dns_message_gettemprdatalist(updatemsg, &rdatalist); + dns_message_gettemprdataset(updatemsg, &rdataset); rdatalist->type = rdatatype; if (ispositive) { if (isrrset && rdata->data != NULL) { @@ -1518,19 +1553,17 @@ evaluate_server(char *cmdline) { } if (servers != NULL) { - if (master_servers == servers) { - master_servers = NULL; + if (primary_servers == servers) { + primary_servers = NULL; } - isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t)); + isc_mem_cput(gmctx, servers, ns_alloc, sizeof(isc_sockaddr_t)); } default_servers = false; ns_alloc = MAX_SERVERADDRS; ns_inuse = 0; - servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t)); - - memset(servers, 0, ns_alloc * sizeof(isc_sockaddr_t)); + servers = isc_mem_cget(gmctx, ns_alloc, sizeof(isc_sockaddr_t)); ns_total = get_addresses(server, (in_port_t)port, servers, ns_alloc); if (ns_total == 0) { return (STATUS_SYNTAX); @@ -1600,7 +1633,7 @@ evaluate_key(char *cmdline) { int secretlen; unsigned char *secret = NULL; isc_buffer_t secretbuf; - const dns_name_t *hmacname = NULL; + dst_algorithm_t hmac = DST_ALG_UNKNOWN; uint16_t digestbits = 0; char *n; 
@@ -1614,12 +1647,12 @@ evaluate_key(char *cmdline) { n = strchr(namestr, ':'); if (n != NULL) { - if (!parse_hmac(&hmacname, namestr, n - namestr, &digestbits)) { + if (!parse_hmac(namestr, n - namestr, &hmac, &digestbits)) { return (STATUS_SYNTAX); } namestr = n + 1; } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; } isc_buffer_init(&b, namestr, strlen(namestr)); @@ -1651,12 +1684,12 @@ evaluate_key(char *cmdline) { if (tsigkey != NULL) { dns_tsigkey_detach(&tsigkey); } - result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen, - false, NULL, 0, 0, gmctx, NULL, &tsigkey); + result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx, + &tsigkey); isc_mem_free(gmctx, secret); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s %s: %s\n", - namestr, secretstr, dns_result_totext(result)); + namestr, secretstr, isc_result_totext(result)); return (STATUS_SYNTAX); } dst_key_setbits(tsigkey->key, digestbits); @@ -1809,8 +1842,7 @@ update_addordelete(char *cmdline, bool isdelete) { return (retval); } - result = dns_message_gettemprdata(updatemsg, &rdata); - check_result(result, "dns_message_gettemprdata"); + dns_message_gettemprdata(updatemsg, &rdata); dns_rdata_init(rdata); @@ -1937,7 +1969,8 @@ update_addordelete(char *cmdline, bool isdelete) { dns_name_t *bad; if (!dns_rdata_checkowner(name, rdata->rdclass, rdata->type, - true)) { + true)) + { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(name, namebuf, sizeof(namebuf)); @@ -1957,6 +1990,15 @@ update_addordelete(char *cmdline, bool isdelete) { } } + if (!isdelete && checksvcb && rdata->type == dns_rdatatype_svcb) { + result = dns_rdata_checksvcb(name, rdata); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "check-svcb failed: %s\n", + isc_result_totext(result)); + goto failure; + } + } + if (!isdelete && rdata->type == dns_rdatatype_nsec3param) { dns_rdata_nsec3param_t nsec3param; 
@@ -1972,10 +2014,8 @@ update_addordelete(char *cmdline, bool isdelete) { doneparsing: - result = dns_message_gettemprdatalist(updatemsg, &rdatalist); - check_result(result, "dns_message_gettemprdatalist"); - result = dns_message_gettemprdataset(updatemsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); + dns_message_gettemprdatalist(updatemsg, &rdatalist); + dns_message_gettemprdataset(updatemsg, &rdataset); rdatalist->type = rdatatype; rdatalist->rdclass = rdataclass; rdatalist->covers = rdatatype; @@ -2045,6 +2085,32 @@ evaluate_checknames(char *cmdline) { return (STATUS_MORE); } +static uint16_t +evaluate_checksvcb(char *cmdline) { + char *word; + + ddebug("evaluate_checksvcb()"); + word = nsu_strsep(&cmdline, " \t\r\n"); + if (word == NULL || *word == 0) { + fprintf(stderr, "could not read check-svcb directive\n"); + return (STATUS_SYNTAX); + } + if (strcasecmp(word, "yes") == 0 || strcasecmp(word, "true") == 0 || + strcasecmp(word, "on") == 0) + { + checksvcb = true; + } else if (strcasecmp(word, "no") == 0 || + strcasecmp(word, "false") == 0 || + strcasecmp(word, "off") == 0) + { + checksvcb = false; + } else { + fprintf(stderr, "incorrect check-svcb directive: %s\n", word); + return (STATUS_SYNTAX); + } + return (STATUS_MORE); +} + static void setzone(dns_name_t *zonename) { isc_result_t result; @@ -2066,11 +2132,9 @@ setzone(dns_name_t *zonename) { } if (zonename != NULL) { - result = dns_message_gettempname(updatemsg, &name); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(updatemsg, &name); dns_name_clone(zonename, name); - result = dns_message_gettemprdataset(updatemsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); + dns_message_gettemprdataset(updatemsg, &rdataset); dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); ISC_LIST_INIT(name->list); 
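Review bot: evaluate_checksvcb hand-rolls a yes/true/on versus no/false/off word parser; if evaluate_checknames, whose tail is visible just above the new function, parses the same words, a shared `static bool parse_bool_word(const char *word, bool *value)` helper would keep the two directives consistent and give a single place to extend the accepted spellings. The function is otherwise complete and its error paths return STATUS_SYNTAX as the neighbouring evaluate_* functions do.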
@@ -2203,13 +2267,18 @@ do_next_command(char *cmdline) { return (evaluate_realm(cmdline)); } if (strcasecmp(word, "check-names") == 0 || - strcasecmp(word, "checknames") == 0) { + strcasecmp(word, "checknames") == 0) + { return (evaluate_checknames(cmdline)); } + if (strcasecmp(word, "check-svcb") == 0 || + strcasecmp(word, "checksvcb") == 0) + { + return (evaluate_checksvcb(cmdline)); + } if (strcasecmp(word, "gsstsig") == 0) { #if HAVE_GSSAPI usegsstsig = true; - use_win2k_gsstsig = false; #else /* HAVE_GSSAPI */ fprintf(stderr, "gsstsig not supported\n"); #endif /* HAVE_GSSAPI */ @@ -2218,7 +2287,6 @@ do_next_command(char *cmdline) { if (strcasecmp(word, "oldgsstsig") == 0) { #if HAVE_GSSAPI usegsstsig = true; - use_win2k_gsstsig = true; #else /* HAVE_GSSAPI */ fprintf(stderr, "gsstsig not supported\n"); #endif /* HAVE_GSSAPI */ @@ -2228,7 +2296,7 @@ do_next_command(char *cmdline) { fprintf(stdout, "nsupdate " PACKAGE_VERSION ":\n" "local address [port] (set local " "resolver)\n" - "server address [port] (set master server " + "server address [port] (set primary server " "for zone)\n" "send (send the update " "request)\n" @@ -2237,15 +2305,13 @@ do_next_command(char *cmdline) { "answer (show the answer to " "the last request)\n" "quit (quit, any pending " - "update is not sent\n" + "update is not sent)\n" "help (display this " - "message_\n" + "message)\n" "key [hmac:]keyname secret (use TSIG to sign " "the request)\n" "gsstsig (use GSS_TSIG to " "sign the request)\n" - "oldgsstsig (use Microsoft's " - "GSS_TSIG to sign the request)\n" "zone name (set the zone to be " "updated)\n" "class CLASS (set the zone's DNS " @@ -2280,7 +2346,6 @@ get_next_command(void) { char cmdlinebuf[MAXCMD]; char *cmdline = NULL, *ptr = NULL; - isc_app_block(); if (interactive) { cmdline = ptr = readline("> "); if (ptr != NULL && *ptr != 0) { 
@@ -2289,7 +2354,6 @@ get_next_command(void) { } else { cmdline = fgets(cmdlinebuf, MAXCMD, input); } - isc_app_unblock(); if (cmdline != NULL) { char *tmp = cmdline; @@ -2327,9 +2391,9 @@ user_interaction(void) { static void done_update(void) { - isc_event_t *event = global_event; ddebug("done_update()"); - isc_task_send(global_task, &event); + + isc_async_current(loopmgr, getinput, NULL); } static void @@ -2360,13 +2424,13 @@ check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) { } static bool -next_master(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) { +next_primary(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) { char addrbuf[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf)); fprintf(stderr, "; Communication with %s failed: %s\n", addrbuf, isc_result_totext(eresult)); - if (++master_inuse >= master_total) { + if (++primary_inuse >= primary_total) { return (false); } ddebug("%s: trying next server", caller); @@ -2374,31 +2438,24 @@ next_master(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) { } static void -update_completed(isc_task_t *task, isc_event_t *event) { - dns_requestevent_t *reqev = NULL; +update_completed(void *arg) { + dns_request_t *request = (dns_request_t *)arg; isc_result_t result; - dns_request_t *request; - - UNUSED(task); ddebug("update_completed()"); requests--; - REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE); - reqev = (dns_requestevent_t *)event; - request = reqev->request; - if (shuttingdown) { dns_request_destroy(&request); - isc_event_free(&event); maybeshutdown(); return; } - if (reqev->result != ISC_R_SUCCESS) { - if (!next_master("update_completed", - &master_servers[master_inuse], reqev->result)) + result = dns_request_getresult(request); + if (result != ISC_R_SUCCESS) { + if (!next_primary("update_completed", + &primary_servers[primary_inuse], result)) { seenerror = true; goto done; 
@@ -2408,8 +2465,7 @@ update_completed(isc_task_t *task, isc_event_t *event) { dns_request_destroy(&request); dns_message_renderreset(updatemsg); dns_message_settsigkey(updatemsg, NULL); - send_update(zname, &master_servers[master_inuse]); - isc_event_free(&event); + send_update(zname, &primary_servers[primary_inuse]); return; } @@ -2445,6 +2501,10 @@ update_completed(isc_task_t *task, isc_event_t *event) { check_result(result, "dns_request_getresponse"); } + if (answer->opcode != dns_opcode_update) { + fatal("invalid OPCODE in response to UPDATE request"); + } + if (answer->rcode != dns_rcode_noerror) { seenerror = true; if (!debugging) { @@ -2472,20 +2532,21 @@ update_completed(isc_task_t *task, isc_event_t *event) { dns_request_destroy(&request); if (usegsstsig) { dns_name_free(&tmpzonename, gmctx); - dns_name_free(&restart_master, gmctx); + dns_name_free(&restart_primary, gmctx); dns_name_init(&tmpzonename, 0); - dns_name_init(&restart_master, 0); + dns_name_init(&restart_primary, 0); } - isc_event_free(&event); done_update(); } static void -send_update(dns_name_t *zone, isc_sockaddr_t *master) { +send_update(dns_name_t *zone, isc_sockaddr_t *primary) { isc_result_t result; dns_request_t *request = NULL; - unsigned int options = DNS_REQUESTOPT_CASE; isc_sockaddr_t *srcaddr; + unsigned int options = DNS_REQUESTOPT_CASE | DNS_REQUESTOPT_LARGE; + dns_transport_t *req_transport = NULL; + isc_tlsctx_cache_t *req_tls_ctx_cache = NULL; ddebug("send_update()"); @@ -2493,7 +2554,12 @@ send_update(dns_name_t *zone, isc_sockaddr_t *master) { if (usevc) { options |= DNS_REQUESTOPT_TCP; + if (use_tls) { + req_transport = transport; + req_tls_ctx_cache = tls_ctx_cache; + } } + if (tsigkey == NULL && sig0key != NULL) { result = dns_message_setsig0key(updatemsg, sig0key); check_result(result, "dns_message_setsig0key"); 
@@ -2501,11 +2567,11 @@ send_update(dns_name_t *zone, isc_sockaddr_t *master) { if (debugging) { char addrbuf[ISC_SOCKADDR_FORMATSIZE]; - isc_sockaddr_format(master, addrbuf, sizeof(addrbuf)); + isc_sockaddr_format(primary, addrbuf, sizeof(addrbuf)); fprintf(stderr, "Sending update to %s\n", addrbuf); } - if (isc_sockaddr_pf(master) == AF_INET6) { + if (isc_sockaddr_pf(primary) == AF_INET6) { srcaddr = localaddr6; } else { srcaddr = localaddr4; @@ -2513,14 +2579,15 @@ send_update(dns_name_t *zone, isc_sockaddr_t *master) { /* Windows doesn't like the tsig name to be compressed. */ if (updatemsg->tsigname) { - updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS; + updatemsg->tsigname->attributes.nocompress = true; } - result = dns_request_createvia(requestmgr, updatemsg, srcaddr, master, - -1, options, tsigkey, timeout, - udp_timeout, udp_retries, global_task, - update_completed, NULL, &request); - check_result(result, "dns_request_createvia"); + result = dns_request_create(requestmgr, updatemsg, srcaddr, primary, + req_transport, req_tls_ctx_cache, options, + tsigkey, timeout, udp_timeout, udp_retries, + isc_loop_main(loopmgr), update_completed, + NULL, &request); + check_result(result, "dns_request_create"); if (debugging) { show_message(stdout, updatemsg, "Outgoing update query:"); @@ -2544,10 +2611,11 @@ next_server(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) { } static void -recvsoa(isc_task_t *task, isc_event_t *event) { - dns_requestevent_t *reqev = NULL; - dns_request_t *request = NULL; - isc_result_t result, eresult; +recvsoa(void *arg) { + dns_request_t *request = (dns_request_t *)arg; + isc_result_t result, eresult = dns_request_getresult(request); + nsu_requestinfo_t *reqinfo = dns_request_getarg(request); + dns_message_t *soaquery = reqinfo->msg; dns_message_t *rcvmsg = NULL; dns_section_t section; dns_name_t *name = NULL; 
@@ -2555,34 +2623,21 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_rdata_soa_t soa; dns_rdata_t soarr = DNS_RDATA_INIT; int pass = 0; - dns_name_t master; - nsu_requestinfo_t *reqinfo; - dns_message_t *soaquery = NULL; - isc_sockaddr_t *addr; - isc_sockaddr_t *srcaddr; + dns_name_t primary; + isc_sockaddr_t *addr = reqinfo->addr; + isc_sockaddr_t *srcaddr = NULL; bool seencname = false; dns_name_t tname; unsigned int nlabels; - UNUSED(task); - ddebug("recvsoa()"); requests--; - REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE); - reqev = (dns_requestevent_t *)event; - request = reqev->request; - eresult = reqev->result; - reqinfo = reqev->ev_arg; - soaquery = reqinfo->msg; - addr = reqinfo->addr; - if (shuttingdown) { dns_request_destroy(&request); dns_message_detach(&soaquery); isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t)); - isc_event_free(&event); maybeshutdown(); return; } @@ -2595,21 +2650,22 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_message_settsigkey(soaquery, NULL); sendrequest(&servers[ns_inuse], soaquery, &request); isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t)); - isc_event_free(&event); setzoneclass(dns_rdataclass_none); return; } isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t)); reqinfo = NULL; - isc_event_free(&event); - reqev = NULL; ddebug("About to create rcvmsg"); dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg); result = dns_request_getresponse(request, rcvmsg, DNS_MESSAGEPARSE_PRESERVEORDER); if (result == DNS_R_TSIGERRORSET && servers != NULL) { + unsigned int options = DNS_REQUESTOPT_CASE; + dns_transport_t *req_transport = NULL; + isc_tlsctx_cache_t *req_tls_ctx_cache = NULL; + dns_message_detach(&rcvmsg); ddebug("Destroying request [%p]", request); dns_request_destroy(&request); 
@@ -2619,29 +2675,54 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_message_renderreset(soaquery); ddebug("retrying soa request without TSIG"); + if (!default_servers && usevc) { + options |= DNS_REQUESTOPT_TCP; + if (use_tls) { + req_transport = transport; + req_tls_ctx_cache = tls_ctx_cache; + } + } + if (isc_sockaddr_pf(addr) == AF_INET6) { srcaddr = localaddr6; } else { srcaddr = localaddr4; } - result = dns_request_createvia( - requestmgr, soaquery, srcaddr, addr, -1, 0, NULL, - FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, global_task, - recvsoa, reqinfo, &request); - check_result(result, "dns_request_createvia"); + result = dns_request_create(requestmgr, soaquery, srcaddr, addr, + req_transport, req_tls_ctx_cache, + options, NULL, timeout, udp_timeout, + udp_retries, isc_loop_main(loopmgr), + recvsoa, reqinfo, &request); + check_result(result, "dns_request_create"); requests++; return; } check_result(result, "dns_request_getresponse"); + + if (rcvmsg->rcode == dns_rcode_refused) { + next_server("recvsoa", addr, DNS_R_REFUSED); + dns_message_detach(&rcvmsg); + dns_request_destroy(&request); + dns_message_renderreset(soaquery); + dns_message_settsigkey(soaquery, NULL); + sendrequest(&servers[ns_inuse], soaquery, &request); + return; + } + section = DNS_SECTION_ANSWER; POST(section); if (debugging) { show_message(stderr, rcvmsg, "Reply from SOA query:"); } + if (rcvmsg->opcode != dns_opcode_query) { + fatal("invalid OPCODE in response to SOA query"); + } + if (rcvmsg->rcode != dns_rcode_noerror && - rcvmsg->rcode != dns_rcode_nxdomain) { + rcvmsg->rcode != dns_rcode_nxdomain) + { fatal("response to SOA query was unsuccessful"); } @@ -2653,8 +2734,8 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_request_destroy(&request); dns_message_detach(&soaquery); ddebug("Out of recvsoa"); - done_update(); seenerror = true; + done_update(); return; } 
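Review bot: The new REFUSED branch in recvsoa ignores the return value of `next_server("recvsoa", addr, DNS_R_REFUSED)` and unconditionally resends to `servers[ns_inuse]`. next_server's body is not in this diff, but its signature matches next_primary, which in the -2360 hunk returns false once `++primary_inuse >= primary_total`; if next_server behaves the same way, a set of servers that all answer REFUSED makes this branch keep indexing past the last resolved address (the buffer holds ns_alloc entries, so the index eventually leaves it) instead of failing the update. The branch should give up when next_server reports exhaustion, mirroring the cleanup the -2653 hunk performs on the error path.
```c
	if (rcvmsg->rcode == dns_rcode_refused) {
		if (!next_server("recvsoa", addr, DNS_R_REFUSED)) {
			/* every configured server refused the SOA query */
			seenerror = true;
			dns_message_detach(&rcvmsg);
			dns_request_destroy(&request);
			dns_message_detach(&soaquery);
			ddebug("Out of recvsoa");
			done_update();
			return;
		}
		dns_message_detach(&rcvmsg);
		dns_request_destroy(&request);
		dns_message_renderreset(soaquery);
		dns_message_settsigkey(soaquery, NULL);
		sendrequest(&servers[ns_inuse], soaquery, &request);
		return;
	}
	/* … unchanged: debugging output and opcode/rcode checks … */
```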
@@ -2719,8 +2800,8 @@ recvsoa(isc_task_t *task, isc_event_t *event) { result = dns_rdata_tostruct(&soarr, &soa, NULL); check_result(result, "dns_rdata_tostruct"); - dns_name_init(&master, NULL); - dns_name_clone(&soa.origin, &master); + dns_name_init(&primary, NULL); + dns_name_clone(&soa.origin, &primary); if (userzone != NULL) { zname = userzone; 
@@ -2735,37 +2816,41 @@ recvsoa(isc_task_t *task, isc_event_t *event) { if (debugging) { char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(&master, namestr, sizeof(namestr)); - fprintf(stderr, "The master is: %s\n", namestr); + dns_name_format(&primary, namestr, sizeof(namestr)); + fprintf(stderr, "The primary is: %s\n", namestr); } if (default_servers) { char serverstr[DNS_NAME_MAXTEXT + 1]; isc_buffer_t buf; - size_t size; isc_buffer_init(&buf, serverstr, sizeof(serverstr)); - result = dns_name_totext(&master, true, &buf); + result = dns_name_totext(&primary, DNS_NAME_OMITFINALDOT, &buf); check_result(result, "dns_name_totext"); serverstr[isc_buffer_usedlength(&buf)] = 0; - if (master_servers != NULL && master_servers != servers) { - isc_mem_put(gmctx, master_servers, - master_alloc * sizeof(isc_sockaddr_t)); + if (primary_servers != NULL && primary_servers != servers) { + isc_mem_cput(gmctx, primary_servers, primary_alloc, + sizeof(isc_sockaddr_t)); } - master_alloc = MAX_SERVERADDRS; - size = master_alloc * sizeof(isc_sockaddr_t); - master_servers = isc_mem_get(gmctx, size); - - memset(master_servers, 0, size); - master_total = get_addresses(serverstr, dnsport, master_servers, - master_alloc); - if (master_total == 0) { - exit(1); + primary_alloc = MAX_SERVERADDRS; + primary_servers = isc_mem_cget(gmctx, primary_alloc, + sizeof(isc_sockaddr_t)); + primary_total = get_addresses(serverstr, dnsport, + primary_servers, primary_alloc); + if (primary_total == 0) { + seenerror = true; + dns_rdata_freestruct(&soa); + dns_message_detach(&soaquery); + dns_request_destroy(&request); + dns_message_detach(&rcvmsg); + ddebug("Out of recvsoa"); + done_update(); + return; } - master_inuse = 0; + primary_inuse = 0; } else { - master_from_servers(); + primary_from_servers(); } dns_rdata_freestruct(&soa); 
@@ -2773,15 +2858,15 @@ recvsoa(isc_task_t *task, isc_event_t *event) { if (usegsstsig) { dns_name_init(&tmpzonename, NULL); dns_name_dup(zname, gmctx, &tmpzonename); - dns_name_init(&restart_master, NULL); - dns_name_dup(&master, gmctx, &restart_master); - start_gssrequest(&master); + dns_name_init(&restart_primary, NULL); + dns_name_dup(&primary, gmctx, &restart_primary); + start_gssrequest(&primary); } else { - send_update(zname, &master_servers[master_inuse]); + send_update(zname, &primary_servers[primary_inuse]); setzoneclass(dns_rdataclass_none); } #else /* HAVE_GSSAPI */ - send_update(zname, &master_servers[master_inuse]); + send_update(zname, &primary_servers[primary_inuse]); setzoneclass(dns_rdataclass_none); #endif /* HAVE_GSSAPI */ @@ -2818,6 +2903,17 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, isc_result_t result; nsu_requestinfo_t *reqinfo; isc_sockaddr_t *srcaddr; + unsigned int options = DNS_REQUESTOPT_CASE; + dns_transport_t *req_transport = NULL; + isc_tlsctx_cache_t *req_tls_ctx_cache = NULL; + + if (!default_servers && usevc) { + options |= DNS_REQUESTOPT_TCP; + if (use_tls) { + req_transport = transport; + req_tls_ctx_cache = tls_ctx_cache; + } + } reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t)); reqinfo->msg = msg; @@ -2829,11 +2925,12 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, srcaddr = localaddr4; } - result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, -1, - 0, default_servers ? NULL : tsigkey, - FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, - global_task, recvsoa, reqinfo, request); - check_result(result, "dns_request_createvia"); + result = dns_request_create( + requestmgr, msg, srcaddr, destaddr, req_transport, + req_tls_ctx_cache, options, default_servers ? NULL : tsigkey, + timeout, udp_timeout, udp_retries, isc_loop_main(loopmgr), + recvsoa, reqinfo, request); + check_result(result, "dns_request_create"); requests++; } 
@@ -2896,15 +2993,15 @@ failed_gssrequest(void) { seenerror = true; dns_name_free(&tmpzonename, gmctx); - dns_name_free(&restart_master, gmctx); + dns_name_free(&restart_primary, gmctx); dns_name_init(&tmpzonename, NULL); - dns_name_init(&restart_master, NULL); + dns_name_init(&restart_primary, NULL); done_update(); } static void -start_gssrequest(dns_name_t *master) { +start_gssrequest(dns_name_t *primary) { dns_gss_ctx_id_t context; isc_buffer_t buf; isc_result_t result; @@ -2923,20 +3020,16 @@ start_gssrequest(dns_name_t *master) { if (gssring != NULL) { dns_tsigkeyring_detach(&gssring); } - gssring = NULL; - result = dns_tsigkeyring_create(gmctx, &gssring); - if (result != ISC_R_SUCCESS) { - fatal("dns_tsigkeyring_create failed: %s", - isc_result_totext(result)); - } + dns_tsigkeyring_create(gmctx, &gssring); - dns_name_format(master, namestr, sizeof(namestr)); + dns_name_format(primary, namestr, sizeof(namestr)); if (kserver == NULL) { kserver = isc_mem_get(gmctx, sizeof(isc_sockaddr_t)); } - memmove(kserver, &master_servers[master_inuse], sizeof(isc_sockaddr_t)); + memmove(kserver, &primary_servers[primary_inuse], + sizeof(isc_sockaddr_t)); servname = dns_fixedname_initname(&fname); @@ -2973,16 +3066,15 @@ start_gssrequest(dns_name_t *master) { } /* Windows doesn't recognize name compression in the key name. */ - keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS; + keyname->attributes.nocompress = true; rmsg = NULL; dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &rmsg); /* Build first request. */ context = GSS_C_NO_CONTEXT; - result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0, - &context, use_win2k_gsstsig, gmctx, - &err_message); + result = dns_tkey_buildgssquery(rmsg, keyname, servname, 0, &context, + gmctx, &err_message); if (result == ISC_R_FAILURE) { fprintf(stderr, "tkey query failed: %s\n", err_message != NULL ? err_message : "unknown error"); 
@@ -3010,19 +3102,26 @@ static void send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, dns_request_t **request, gss_ctx_id_t context) { isc_result_t result; - nsu_gssinfo_t *reqinfo; - unsigned int options = 0; - isc_sockaddr_t *srcaddr; + nsu_gssinfo_t *reqinfo = NULL; + isc_sockaddr_t *srcaddr = NULL; + unsigned int options = DNS_REQUESTOPT_CASE | DNS_REQUESTOPT_TCP; + dns_transport_t *req_transport = NULL; + isc_tlsctx_cache_t *req_tls_ctx_cache = NULL; + + if (!default_servers && use_tls) { + req_transport = transport; + req_tls_ctx_cache = tls_ctx_cache; + } debug("send_gssrequest"); REQUIRE(destaddr != NULL); reqinfo = isc_mem_get(gmctx, sizeof(nsu_gssinfo_t)); - reqinfo->msg = msg; - reqinfo->addr = destaddr; - reqinfo->context = context; - - options |= DNS_REQUESTOPT_TCP; + *reqinfo = (nsu_gssinfo_t){ + .msg = msg, + .addr = destaddr, + .context = context, + }; if (isc_sockaddr_pf(destaddr) == AF_INET6) { srcaddr = localaddr6; @@ -3030,11 +3129,11 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, srcaddr = localaddr4; } - result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, -1, - options, tsigkey, FIND_TIMEOUT * 20, - FIND_TIMEOUT, 3, global_task, recvgss, - reqinfo, request); - check_result(result, "dns_request_createvia"); + result = dns_request_create( + requestmgr, msg, srcaddr, destaddr, req_transport, + req_tls_ctx_cache, options, tsigkey, timeout, udp_timeout, + udp_retries, isc_loop_main(loopmgr), recvgss, reqinfo, request); + check_result(result, "dns_request_create"); if (debugging) { show_message(stdout, msg, "Outgoing update query:"); } 
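Review bot: send_gssrequest now initialises reqinfo with a compound literal, while sendrequest in the -2818 hunk still assigns `reqinfo->msg`, `reqinfo->addr` field by field; both are correct, but the two sibling functions should use one form so a reader does not wonder whether the difference is deliberate. The TLS transport is only attached when `!default_servers && use_tls`, which matches sendrequest and the recvsoa retry path; a short comment such as `/* TLS only applies to explicitly configured servers, never to resolv.conf defaults */` above that condition would record the intent that is currently repeated in three places without explanation.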
@@ -3042,40 +3141,27 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, } static void -recvgss(isc_task_t *task, isc_event_t *event) { - dns_requestevent_t *reqev = NULL; - dns_request_t *request = NULL; - isc_result_t result, eresult; +recvgss(void *arg) { + dns_request_t *request = (dns_request_t *)arg; + nsu_gssinfo_t *reqinfo = dns_request_getarg(request); + isc_result_t result, eresult = dns_request_getresult(request); dns_message_t *rcvmsg = NULL; - nsu_gssinfo_t *reqinfo; - dns_message_t *tsigquery = NULL; - isc_sockaddr_t *addr; - dns_gss_ctx_id_t context; + dns_message_t *tsigquery = reqinfo->msg; + dns_gss_ctx_id_t context = reqinfo->context; + isc_sockaddr_t *addr = reqinfo->addr; isc_buffer_t buf; - dns_name_t *servname; + dns_name_t *servname = NULL; dns_fixedname_t fname; char *err_message = NULL; - UNUSED(task); - ddebug("recvgss()"); requests--; - REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE); - reqev = (dns_requestevent_t *)event; - request = reqev->request; - eresult = reqev->result; - reqinfo = reqev->ev_arg; - tsigquery = reqinfo->msg; - context = reqinfo->context; - addr = reqinfo->addr; - if (shuttingdown) { dns_request_destroy(&request); dns_message_detach(&tsigquery); isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t)); - isc_event_free(&event); maybeshutdown(); return; } 
@@ -3083,24 +3169,20 @@ recvgss(isc_task_t *task, isc_event_t *event) { if (eresult != ISC_R_SUCCESS) { ddebug("Destroying request [%p]", request); dns_request_destroy(&request); - if (!next_master("recvgss", addr, eresult)) { + if (!next_primary("recvgss", addr, eresult)) { dns_message_detach(&tsigquery); failed_gssrequest(); } else { dns_message_renderreset(tsigquery); - memmove(kserver, &master_servers[master_inuse], + memmove(kserver, &primary_servers[primary_inuse], sizeof(isc_sockaddr_t)); send_gssrequest(kserver, tsigquery, &request, context); } isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t)); - isc_event_free(&event); return; } isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t)); - isc_event_free(&event); - reqev = NULL; - ddebug("recvgss creating rcvmsg"); dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg); @@ -3113,22 +3195,23 @@ recvgss(isc_task_t *task, isc_event_t *event) { "recvmsg reply from GSS-TSIG query"); } - if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) { - ddebug("recvgss trying %s GSS-TSIG", - use_win2k_gsstsig ? "Standard" : "Win2k"); - if (use_win2k_gsstsig) { - use_win2k_gsstsig = false; - } else { - use_win2k_gsstsig = true; - } - tried_other_gsstsig = true; - start_gssrequest(&restart_master); - goto done; + if (rcvmsg->opcode != dns_opcode_query) { + fatal("invalid OPCODE in response to GSS-TSIG query"); } if (rcvmsg->rcode != dns_rcode_noerror && - rcvmsg->rcode != dns_rcode_nxdomain) { - fatal("response to GSS-TSIG query was unsuccessful"); + rcvmsg->rcode != dns_rcode_nxdomain) + { + char rcode[64]; + isc_buffer_t b; + + isc_buffer_init(&b, rcode, sizeof(rcode) - 1); + result = dns_rcode_totext(rcvmsg->rcode, &b); + check_result(result, "dns_rcode_totext"); + rcode[isc_buffer_usedlength(&b)] = 0; + + fatal("response to GSS-TSIG query was unsuccessful (%s)", + rcode); } servname = dns_fixedname_initname(&fname); 
@@ -3137,10 +3220,8 @@ recvgss(isc_task_t *task, isc_event_t *event) { result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL); check_result(result, "dns_name_fromtext"); - tsigkey = NULL; result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname, &context, - &tsigkey, gssring, use_win2k_gsstsig, - &err_message); + &tsigkey, gssring, &err_message); switch (result) { case DNS_R_CONTINUE: dns_message_detach(&rcvmsg); @@ -3166,20 +3247,8 @@ recvgss(isc_task_t *task, isc_event_t *event) { * the TSIG -- this too is a spec violation, but it's * the least insane thing to do. */ -#if 0 - /* - * Verify the signature. - */ - rcvmsg->state = DNS_SECTION_ANY; - dns_message_setquerytsig(rcvmsg, NULL); - result = dns_message_settsigkey(rcvmsg, tsigkey); - check_result(result, "dns_message_settsigkey"); - result = dns_message_checksig(rcvmsg, NULL); - ddebug("tsig verification: %s", dns_result_totext(result)); - check_result(result, "dns_message_checksig"); -#endif /* 0 */ - - send_update(&tmpzonename, &master_servers[master_inuse]); + + send_update(&tmpzonename, &primary_servers[primary_inuse]); setzoneclass(dns_rdataclass_none); break; @@ -3188,7 +3257,6 @@ recvgss(isc_task_t *task, isc_event_t *event) { err_message != NULL ? err_message : ""); } -done: dns_request_destroy(&request); dns_message_detach(&tsigquery); @@ -3218,11 +3286,11 @@ start_update(void) { /* * If we have both the zone and the servers we have enough information * to send the update straight away otherwise we need to discover - * the zone and / or the master server. + * the zone and / or the primary server. */ if (userzone != NULL && !default_servers && !usegsstsig) { - master_from_servers(); - send_update(userzone, &master_servers[master_inuse]); + primary_from_servers(); + send_update(userzone, &primary_servers[primary_inuse]); setzoneclass(dns_rdataclass_none); return; } 
@@ -3233,11 +3301,9 @@ start_update(void) { soaquery->flags |= DNS_MESSAGEFLAG_RD; } - result = dns_message_gettempname(soaquery, &name); - check_result(result, "dns_message_gettempname"); + dns_message_gettempname(soaquery, &name); - result = dns_message_gettemprdataset(soaquery, &rdataset); - check_result(result, "dns_message_gettemprdataset"); + dns_message_gettemprdataset(soaquery, &rdataset); dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); @@ -3289,6 +3355,14 @@ static void cleanup(void) { ddebug("cleanup()"); + if (tls_ctx_cache != NULL) { + isc_tlsctx_cache_detach(&tls_ctx_cache); + } + + if (transport_list != NULL) { + dns_transport_list_detach(&transport_list); + } + LOCK(&answer_lock); if (answer != NULL) { dns_message_detach(&answer); @@ -3310,16 +3384,7 @@ cleanup(void) { dst_key_free(&sig0key); } - ddebug("Shutting down managers"); - isc_managers_destroy(&netmgr, &taskmgr, &timermgr, &socketmgr); - - ddebug("Destroying event"); - isc_event_free(&global_event); - #ifdef HAVE_GSSAPI - /* - * Cleanup GSSAPI resources after taskmgr has been destroyed. - */ if (kserver != NULL) { isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t)); kserver = NULL; @@ -3331,8 +3396,8 @@ cleanup(void) { if (dns_name_dynamic(&tmpzonename)) { dns_name_free(&tmpzonename, gmctx); } - if (dns_name_dynamic(&restart_master)) { - dns_name_free(&restart_master, gmctx); + if (dns_name_dynamic(&restart_primary)) { + dns_name_free(&restart_primary, gmctx); } #endif /* ifdef HAVE_GSSAPI */ 
@@ -3343,47 +3408,53 @@ cleanup(void) { if (memdebugging) { isc_mem_stats(gmctx, stderr); } - isc_mem_destroy(&gmctx); isc_mutex_destroy(&answer_lock); + + if (is_dst_up) { + ddebug("Destroy DST lib"); + dst_lib_destroy(); + is_dst_up = false; + } + + ddebug("Shutting down managers"); + isc_managers_destroy(&gmctx, &loopmgr, &netmgr); } static void -getinput(isc_task_t *task, isc_event_t *event) { +getinput(void *arg) { bool more; - UNUSED(task); + UNUSED(arg); if (shuttingdown) { maybeshutdown(); return; } - if (global_event == NULL) { - global_event = event; - } - reset_system(); + isc_loopmgr_blocking(loopmgr); more = user_interaction(); + isc_loopmgr_nonblocking(loopmgr); if (!more) { - isc_app_shutdown(); + isc_loopmgr_shutdown(loopmgr); return; } + + done = false; start_update(); - return; } int main(int argc, char **argv) { - isc_result_t result; + uint32_t timeoutms; + style = &dns_master_style_debug; input = stdin; interactive = isatty(0); - isc_app_start(); - if (isc_net_probeipv4() == ISC_R_SUCCESS) { have_ipv4 = true; } @@ -3396,21 +3467,22 @@ main(int argc, char **argv) { pre_parse_args(argc, argv); - isc_mem_create(&gmctx); + isc_managers_create(&gmctx, 1, &loopmgr, &netmgr); parse_args(argc, argv); - setup_system(); + /* Set the network manager timeouts in milliseconds. */ + timeoutms = timeout * 1000; + isc_nm_settimeouts(netmgr, timeoutms, timeoutms, timeoutms, timeoutms); - result = isc_app_onrun(gmctx, global_task, getinput, NULL); - check_result(result, "isc_app_onrun"); + setup_system(); - (void)isc_app_run(); + isc_loopmgr_setup(loopmgr, getinput, NULL); + isc_loopmgr_teardown(loopmgr, shutdown_program, NULL); + isc_loopmgr_run(loopmgr); cleanup(); - isc_app_finish(); - if (seenerror) { return (2); } else { diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst index b6f7c6028c..88263904ed 100644 --- a/bin/nsupdate/nsupdate.rst +++ b/bin/nsupdate/nsupdate.rst 
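Review bot: `timeoutms = timeout * 1000;` in main can wrap: `timeout` is a uint32_t filled from the user's `-t` value via isc_parse_uint32 in the -1176 hunk, so any value above 4294967 silently produces a small or zero network-manager timeout rather than a long one. Reject or clamp before multiplying, e.g. `if (timeout > UINT32_MAX / 1000) { fatal("-t value too large"); }`, and keep the same bound in the -t parsing so the user gets the diagnostic at option-parsing time. main's body starts outside the hunk, and the rest of the function is not visible here.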
@@ -1,26 +1,16 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. +.. iscman:: nsupdate +.. program:: nsupdate .. _man_nsupdate: nsupdate - dynamic DNS update utility 
@@ -29,23 +19,23 @@ nsupdate - dynamic DNS update utility Synopsis ~~~~~~~~ -:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] +:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] Description ~~~~~~~~~~~ -``nsupdate`` is used to submit Dynamic DNS Update requests, as defined in +:program:`nsupdate` is used to submit Dynamic DNS Update requests, as defined in :rfc:`2136`, to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record. -Zones that are under dynamic control via ``nsupdate`` or a DHCP server +Zones that are under dynamic control via :program:`nsupdate` or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. The resource records that are dynamically added or removed with -``nsupdate`` must be in the same zone. Requests are sent to the +:program:`nsupdate` must be in the same zone. Requests are sent to the zone's primary server, which is identified by the MNAME field of the zone's SOA record. 
@@ -54,84 +44,162 @@ updates. These use the TSIG resource record type described in :rfc:`2845`, the SIG(0) record described in :rfc:`2535` and :rfc:`2931`, or GSS-TSIG as described in :rfc:`3645`. -TSIG relies on a shared secret that should only be known to ``nsupdate`` +TSIG relies on a shared secret that should only be known to :program:`nsupdate` and the name server. For instance, suitable ``key`` and ``server`` -statements are added to ``/etc/named.conf`` so that the name server +statements are added to |named_conf| so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that is using TSIG -authentication. ``ddns-confgen`` can generate suitable -configuration fragments. ``nsupdate`` uses the ``-y`` or ``-k`` options +authentication. :iscman:`ddns-confgen` can generate suitable +configuration fragments. :program:`nsupdate` uses the :option:`-y` or :option:`-k` options to provide the TSIG shared secret; these options are mutually exclusive. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched -on with the ``-g`` flag. A non-standards-compliant variant of GSS-TSIG -used by Windows 2000 can be switched on with the ``-o`` flag. +on with the :option:`-g` flag. A non-standards-compliant variant of GSS-TSIG +used by Windows 2000 can be switched on with the :option:`-o` flag. Options ~~~~~~~ -``-4`` +.. option:: -4 + This option sets use of IPv4 only. -``-6`` +.. option:: -6 + This option sets use of IPv6 only. -``-d`` +.. option:: -A tlscafile + + This option specifies the file of the certificate authorities (CA) certificates + (in PEM format) in order to verify the remote server TLS certificate when + using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. 
When used, it will + override the certificates from the global certificates store, which are + otherwise used by default when :option:`-S` is enabled. This option can not + be used in conjuction with :option:`-O`, and it implies :option:`-S`. + +.. option:: -C + + Overrides the default `resolv.conf` file. This is only intended for testing. + +.. option:: -d + This option sets debug mode, which provides tracing information about the update requests that are made and the replies received from the name server. -``-D`` +.. option:: -D + This option sets extra debug mode. -``-i`` +.. option:: -E tlscertfile + + This option sets the certificate(s) file for authentication for the + DNS-over-TLS (DoT) transport to the remote server. The certificate + chain file is expected to be in PEM format. This option implies :option:`-S`, + and can only be used with :option:`-K`. + +.. option:: -g + + This option enables standard GSS-TSIG mode. + +.. option:: -H tlshostname + + This option makes :program:`nsupdate` use the provided hostname during remote + server TLS certificate verification. Otherwise, the DNS server name + is used. This option implies :option:`-S`. + +.. option:: -i + This option forces interactive mode, even when standard input is not a terminal. -``-k keyfile`` +.. option:: -k keyfile + This option indicates the file containing the TSIG authentication key. Keyfiles may be in - two formats: a single file containing a ``named.conf``-format ``key`` - statement, which may be generated automatically by ``ddns-confgen``; + two formats: a single file containing a :iscman:`named.conf`-format ``key`` + statement, which may be generated automatically by :iscman:`ddns-confgen`; or a pair of files whose names are of the format ``K{name}.+157.+{random}.key`` and ``K{name}.+157.+{random}.private``, which can be generated by - ``dnssec-keygen``. The ``-k`` option can also be used to specify a SIG(0) + :iscman:`dnssec-keygen`. 
The :option:`-k` option can also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. -``-l`` +.. option:: -K tlskeyfile + + This option sets the key file for authenticated encryption for the + DNS-over-TLS (DoT) transport with the remote server. The private key file is + expected to be in PEM format. This option implies :option:`-S`, and can only + be used with :option:`-E`. + +.. option:: -l + This option sets local-host only mode, which sets the server address to localhost (disabling the ``server`` so that the server address cannot be overridden). Connections to the local server use a TSIG key - found in ``/var/run/named/session.key``, which is automatically - generated by ``named`` if any local ``primary`` zone has set + found in |session_key|, which is automatically + generated by :iscman:`named` if any local ``primary`` zone has set ``update-policy`` to ``local``. The location of this key file can be - overridden with the ``-k`` option. + overridden with the :option:`-k` option. + +.. option:: -L level -``-L level`` This option sets the logging debug level. If zero, logging is disabled. -``-p port`` +.. option:: -o + + This option is deprecated. Previously, it enabled a + non-standards-compliant variant of GSS-TSIG that was used by Windows + 2000. Since that OS is now long past its end of life, this option is + now treated as a synonym for :option:`-g`. + +.. option:: -O + + This option enables Opportunistic TLS. When used, the remote peer's TLS + certificate will not be verified. This option should be used for debugging + purposes only, and it is not recommended to use it in production. This + option can not be used in conjuction with :option:`-A`, and it implies + :option:`-S`. + +.. option:: -p port + This option sets the port to use for connections to a name server. The default is 53. -``-P`` +.. 
option:: -P + This option prints the list of private BIND-specific resource record types whose - format is understood by ``nsupdate``. See also the ``-T`` option. + format is understood by :program:`nsupdate`. See also the :option:`-T` option. + +.. option:: -r udpretries -``-r udpretries`` This option sets the number of UDP retries. The default is 3. If zero, only one update request is made. -``-t timeout`` +.. option:: -S + + This option indicates whether to use DNS-over-TLS (DoT) when querying + name servers specified by ``server servername port`` syntax in the input + file, and the primary server discovered through a SOA request. When the + :option:`-K` and :option:`-E` options are used, then the specified TLS + client certificate and private key pair are used for authentication + (Mutual TLS). This option implies :option:`-v`. + +.. option:: -t timeout + This option sets the maximum time an update request can take before it is aborted. The - default is 300 seconds. If zero, the timeout is disabled. + default is 300 seconds. If zero, the timeout is disabled for TCP mode. For UDP mode, + the option :option:`-u` takes precedence over this option, unless the option :option:`-u` + is set to zero, in which case the interval is computed from the :option:`-t` timeout interval + and the number of UDP retries. For UDP mode, the timeout can not be disabled, and will + be rounded up to 1 second in case if both :option:`-t` and :option:`-u` are set to zero. + +.. option:: -T -``-T`` This option prints the list of IANA standard resource record types whose format is - understood by ``nsupdate``. ``nsupdate`` exits after the lists - are printed. The ``-T`` option can be combined with the ``-P`` + understood by :program:`nsupdate`. :program:`nsupdate` exits after the lists + are printed. The :option:`-T` option can be combined with the :option:`-P` option. Other types can be entered using ``TYPEXXXXX`` where ``XXXXX`` is the 
@@ -139,21 +207,25 @@ Options present, is parsed using the UNKNOWN rdata format, ( ). -``-u udptimeout`` +.. option:: -u udptimeout + This option sets the UDP retry interval. The default is 3 seconds. If zero, the interval is computed from the timeout interval and number of UDP retries. -``-v`` - This option specifies that TCP should be used even for small update requests. By default, ``nsupdate`` uses +.. option:: -v + + This option specifies that TCP should be used even for small update requests. By default, :program:`nsupdate` uses UDP to send update requests to the name server unless they are too large to fit in a UDP request, in which case TCP is used. TCP may be preferable when a batch of update requests is made. -``-V`` +.. option:: -V + This option prints the version number and exits. -``-y [hmac:]keyname:secret`` +.. option:: -y [hmac:]keyname:secret + This option sets the literal TSIG authentication key. ``keyname`` is the name of the key, and ``secret`` is the base64 encoded shared secret. ``hmac`` is the name of the key algorithm; valid choices are ``hmac-md5``, @@ -161,7 +233,7 @@ Options ``hmac-sha512``. If ``hmac`` is not specified, the default is ``hmac-md5``, or if MD5 was disabled, ``hmac-sha256``. - NOTE: Use of the ``-y`` option is discouraged because the shared + NOTE: Use of the :option:`-y` option is discouraged because the shared secret is supplied as a command-line argument in clear text. This may be visible in the output from ps1 or in a history file maintained by the user's shell. @@ -169,7 +241,7 @@ Options Input Format ~~~~~~~~~~~~ -``nsupdate`` reads input from ``filename`` or standard input. Each +:program:`nsupdate` reads input from ``filename`` or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes; others are either update instructions or prerequisite checks on the contents of the zone. These checks set 
@@ -189,23 +261,25 @@ The command formats and their meanings are as follows: ``server servername port`` This command sends all dynamic update requests to the name server ``servername``. - When no server statement is provided, ``nsupdate`` sends updates + When no server statement is provided, :program:`nsupdate` sends updates to the primary server of the correct zone. The MNAME field of that zone's SOA record identify the primary server for that zone. ``port`` is the port number on ``servername`` where the dynamic update requests are sent. If no port number is specified, the default DNS port number of 53 is used. + .. note:: This command has no effect when GSS-TSIG is in use. + ``local address port`` This command sends all dynamic update requests using the local ``address``. When - no local statement is provided, ``nsupdate`` sends updates using + no local statement is provided, :program:`nsupdate` sends updates using an address and port chosen by the system. ``port`` can also be used to force requests to come from a specific port. If no port number is specified, the system assigns one. ``zone zonename`` This command specifies that all updates are to be made to the zone ``zonename``. - If no ``zone`` statement is provided, ``nsupdate`` attempts to + If no ``zone`` statement is provided, :program:`nsupdate` attempts to determine the correct zone to update based on the rest of the input. ``class classname`` 
@@ -221,27 +295,34 @@ The command formats and their meanings are as follows: ``keyname``-``secret`` pair. If ``hmac`` is specified, it sets the signing algorithm in use. The default is ``hmac-md5``; if MD5 was disabled, the default is ``hmac-sha256``. The ``key`` command overrides any key - specified on the command line via ``-y`` or ``-k``. + specified on the command line via :option:`-y` or :option:`-k`. ``gsstsig`` This command uses GSS-TSIG to sign the updates. This is equivalent to specifying - ``-g`` on the command line. + :option:`-g` on the command line. ``oldgsstsig`` - This command uses the Windows 2000 version of GSS-TSIG to sign the updates. This is - equivalent to specifying ``-o`` on the command line. + This command is deprecated and will be removed in a future release. + Previously, it caused ``nsupdate`` to use the Windows 2000 version of + GSS-TSIG to sign updates. It is now treated as a synonym for ``gsstsig``. ``realm [realm_name]`` When using GSS-TSIG, this command specifies the use of ``realm_name`` rather than the default realm in ``krb5.conf``. If no realm is specified, the saved realm is cleared. -``check-names [yes_or_no]`` +``check-names [boolean]`` This command turns on or off check-names processing on records to be added. Check-names has no effect on prerequisites or records to be deleted. By default check-names processing is on. If check-names processing fails, the record is not added to the UPDATE message. +``check-svbc [boolean]`` + This command turns on or off check-svcb processing on records to be added. + Check-svcb has no effect on prerequisites or records to be deleted. + By default check-svcb processing is on. If check-svcb processing + fails, the record is not added to the UPDATE message. + ``prereq nxdomain domain-name`` This command requires that no resource record of any type exist with the name ``domain-name``. 
@@ -303,7 +384,7 @@ Lines beginning with a semicolon (;) are comments and are ignored. Examples ~~~~~~~~ -The examples below show how ``nsupdate`` can be used to insert and +The examples below show how :program:`nsupdate` can be used to insert and delete resource records from the ``example.com`` zone. Notice that the input in each example contains a trailing blank line, so that a group of commands is sent as one dynamic update request to the primary name @@ -342,24 +423,24 @@ Files ``/etc/resolv.conf`` Used to identify the default name server -``/var/run/named/session.key`` +|session_key| Sets the default TSIG key for use in local-only mode ``K{name}.+157.+{random}.key`` - Base-64 encoding of the HMAC-MD5 key created by ``dnssec-keygen``. + Base-64 encoding of the HMAC-MD5 key created by :iscman:`dnssec-keygen`. ``K{name}.+157.+{random}.private`` - Base-64 encoding of the HMAC-MD5 key created by ``dnssec-keygen``. + Base-64 encoding of the HMAC-MD5 key created by :iscman:`dnssec-keygen`. See Also ~~~~~~~~ :rfc:`2136`, :rfc:`3007`, :rfc:`2104`, :rfc:`2845`, :rfc:`1034`, :rfc:`2535`, :rfc:`2931`, -:manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :manpage:`tsig-keygen(8)`. +:iscman:`named(8) `, :iscman:`dnssec-keygen(8) `, :iscman:`tsig-keygen(8) `. Bugs ~~~~ The TSIG key is redundantly stored in two separate files. This is a -consequence of ``nsupdate`` using the DST library for its cryptographic +consequence of :program:`nsupdate` using the DST library for its cryptographic operations, and may change in future releases. diff --git a/bin/pkcs11/.gitignore b/bin/pkcs11/.gitignore deleted file mode 100644 index d6c6dce33b..0000000000 --- a/bin/pkcs11/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -pkcs11-destroy -pkcs11-keygen -pkcs11-list -pkcs11-tokens diff --git a/bin/pkcs11/Makefile.am b/bin/pkcs11/Makefile.am deleted file mode 100644 index 1bcd014980..0000000000 --- a/bin/pkcs11/Makefile.am +++ /dev/null 
@@ -1,13 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS += \
- $(LIBISC_CFLAGS)
-
-LDADD = \
- $(LIBISC_LIBS)
-
-bin_PROGRAMS = \
- pkcs11-list \
- pkcs11-destroy \
- pkcs11-keygen \
- pkcs11-tokens
diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
deleted file mode 100644
index 4e1f4b0cd3..0000000000
--- a/bin/pkcs11/pkcs11-destroy.c
+++ /dev/null
@@ -1,265 +0,0 @@ -/* - * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] - * [-p $pin] [ -w $wait ] - */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - pk11_context_t pctx; - char *lib_name = NULL; - char *label = NULL; - char *pin = NULL; - int error = 0; - unsigned int id = 0, i = 0, wait = 5; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, - sizeof(attr_id) } }; - unsigned int j, len; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'i': - id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': - label = isc_commandline_argument; - break; - case 'p': - pin = isc_commandline_argument; - break; - case 'w': - wait = atoi(isc_commandline_argument); - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg || (id && (label != NULL))) { - fprintf(stderr, 
"Usage:\n"); - fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] " - "{-i id | -l label} [-p pin] [-w waittime]\n"); - exit(1); - } - - if (id) { - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label) { - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (pin == NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, OP_ANY, false, true, true, - (const char *)pin, slot); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - memset(pin, 0, strlen(pin)); - - hSession = pctx.session; - - rv = pkcs_C_FindObjectsInit(hSession, search_template, - ((id != 0) || (label != NULL)) ? 1 : 0); - - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - - rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - - if (ulObjectCount == 0) { - printf("No matching key objects found.\n"); - goto exit_search; - } else { - printf("Key object%s found:\n", ulObjectCount > 1 ? 
"s" : ""); - } - - for (i = 0; i < ulObjectCount; i++) { - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_ATTRIBUTE attr_template[] = { - { CKA_CLASS, &oclass, sizeof(oclass) }, - { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, - { CKA_ID, idbuf, sizeof(idbuf) } - }; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template, - 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, - rv); - error = 1; - goto exit_search; - } - len = attr_template[2].ulValueLen; - printf(" object[%u]: class %lu, label '%s', id[%lu] ", i, - oclass, labelbuf, attr_template[2].ulValueLen); - if (len > 4) { - len = 4; - } - if (len > 0) { - printf("0x"); - } - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (attr_template[2].ulValueLen > len) { - printf("...\n"); - } else { - printf("\n"); - } - } - - if (wait != 0) { - printf("WARNING: This action is irreversible! " - "Destroying key objects in %u seconds\n ", - wait); - for (i = 0; i < wait; i++) { - printf("."); - fflush(stdout); - sleep(1); - } - printf("\n"); - } - - for (i = 0; i < ulObjectCount; i++) { - rv = pkcs_C_DestroyObject(hSession, akey[i]); - if (rv != CKR_OK) { - fprintf(stderr, - "C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i, - rv); - error = 1; - } - } - - if (error == 0) { - printf("Destruction complete.\n"); - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-destroy.rst b/bin/pkcs11/pkcs11-destroy.rst deleted file mode 100644 index af43f61748..0000000000 --- a/bin/pkcs11/pkcs11-destroy.rst +++ /dev/null 
@@ -1,71 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-destroy: - -pkcs11-destroy - destroy PKCS#11 objects - -Synopsis -~~~~~~~~ - -:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds] - -Description -~~~~~~~~~~~ - -``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified -by their ``ID`` or ``label``. - -Matching keys are displayed before being destroyed. By default, there is -a five-second delay to allow the user to interrupt the process before -the destruction takes place. - -Options -~~~~~~~ - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -``-i ID`` - This option destroys keys with the given object ID. - -``-l label`` - This option destroys keys with the given label. - -``-p PIN`` - This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command - line, ``pkcs11-destroy`` prompts for it. 
- -``-w seconds`` - This option specifies how long, in seconds, to pause before carrying out key destruction. The - default is 5 seconds. If set to ``0``, destruction is - immediate. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c deleted file mode 100644 index ba004e1594..0000000000 --- a/bin/pkcs11/pkcs11-keygen.c +++ /dev/null 
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* pkcs11-keygen - PKCS#11 key generator - * - * Create a key in the keystore of an HSM - * - * The calculation of key tag is left to the script - * that converts the key into a DNSKEY RR and inserts - * it into a zone file. - * - * usage: - * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize] - * [-i id] [-p pin] -l label - * - */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include -#include - -/* Define static key template values */ -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -/* Static arrays of data used for key template initialization */ -static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1; -static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1; -static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519; -static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448; - -/* Key class: RSA, ECC, ECX, or unknown */ -typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; - -/* - * Private key template - */ -#define PRIVATE_LABEL 0 -#define PRIVATE_SIGN 1 -#define PRIVATE_TOKEN 2 -#define PRIVATE_PRIVATE 3 -#define PRIVATE_SENSITIVE 4 -#define PRIVATE_EXTRACTABLE 5 -#define PRIVATE_ID 6 -#define PRIVATE_ATTRS 7 -static CK_ATTRIBUTE private_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_SIGN, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &truevalue, 
sizeof(truevalue) }, - { CKA_SENSITIVE, &truevalue, sizeof(truevalue) }, - { CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Public key template for RSA keys - */ -#define RSA_LABEL 0 -#define RSA_VERIFY 1 -#define RSA_TOKEN 2 -#define RSA_PRIVATE 3 -#define RSA_MODULUS_BITS 4 -#define RSA_PUBLIC_EXPONENT 5 -#define RSA_ID 6 -#define RSA_ATTRS 7 -static CK_ATTRIBUTE rsa_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_VERIFY, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, - { CKA_MODULUS_BITS, NULL_PTR, 0 }, - { CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Public key template for ECC/ECX keys - */ -#define ECC_LABEL 0 -#define ECC_VERIFY 1 -#define ECC_TOKEN 2 -#define ECC_PRIVATE 3 -#define ECC_PARAMS 4 -#define ECC_ID 5 -#define ECC_ATTRS 6 -static CK_ATTRIBUTE ecc_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_VERIFY, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, - { CKA_EC_PARAMS, NULL_PTR, 0 }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Convert from text to key class. Accepts the names of DNSSEC - * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and - * NSEC3RSASHA1 maps to RSA. 
- */ -static key_class_t -keyclass_fromtext(const char *name) { - if (name == NULL) { - return (key_unknown); - } - - if (strncasecmp(name, "rsa", 3) == 0 || - strncasecmp(name, "nsec3rsa", 8) == 0) { - return (key_rsa); - } else if (strncasecmp(name, "ecc", 3) == 0 || - strncasecmp(name, "ecdsa", 5) == 0) - { - return (key_ecc); - } else if (strncasecmp(name, "ecx", 3) == 0 || - strncasecmp(name, "ed", 2) == 0) { - return (key_ecx); - } else { - return (key_unknown); - } -} - -static void -usage(void) { - fprintf(stderr, "Usage:\n" - "\tpkcs11-keygen -a algorithm -b keysize -l label\n" - "\t [-P] [-m module] " - "[-s slot] [-e] [-S] [-i id] [-p PIN]\n"); - exit(2); -} - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_MECHANISM mech; - CK_SESSION_HANDLE hSession; - char *lib_name = NULL; - char *pin = NULL; - CK_ULONG bits = 0; - CK_CHAR *label = NULL; - CK_OBJECT_HANDLE privatekey, publickey; - CK_BYTE exponent[5]; - CK_ULONG expsize = 0; - pk11_context_t pctx; - int error = 0; - int c, errflg = 0; - int hide = 1, quiet = 0; - int idlen = 0, id_offset = 0; - unsigned long id = 0; - CK_BYTE idbuf[4]; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } }; - CK_ATTRIBUTE *public_template = NULL; - CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS; - key_class_t keyclass = key_rsa; - pk11_optype_t op_type = OP_ANY; - -#define OPTIONS ":a:b:ei:l:m:Pp:qSs:" - while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { - switch (c) { - case 'a': - keyclass = keyclass_fromtext(isc_commandline_argument); - break; - case 'P': - hide = 0; - break; - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'e': - expsize = 5; - break; - case 'b': - bits = atoi(isc_commandline_argument); - break; - case 'l': - /* -l option is retained for backward compatibility * */ - label = (CK_CHAR 
*)isc_commandline_argument; - break; - case 'i': - id = strtoul(isc_commandline_argument, NULL, 0); - idlen = 4; - break; - case 'p': - pin = isc_commandline_argument; - break; - case 'q': - quiet = 1; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (label == NULL && isc_commandline_index < argc) { - label = (CK_CHAR *)argv[isc_commandline_index]; - } - - if (errflg || (label == NULL)) { - usage(); - } - - if (expsize != 0 && keyclass != key_rsa) { - fprintf(stderr, "The -e option is only compatible " - "with RSA key generation\n"); - exit(2); - } - - switch (keyclass) { - case key_rsa: - op_type = OP_RSA; - if (expsize == 0) { - expsize = 3; - } - if (bits == 0) { - usage(); - } - - mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = rsa_template; - public_attrcnt = RSA_ATTRS; - id_offset = RSA_ID; - - /* Set public exponent to F4 or F5 */ - exponent[0] = 0x01; - exponent[1] = 0x00; - if (expsize == 3) { - exponent[2] = 0x01; - } else { - exponent[2] = 0x00; - exponent[3] = 0x00; - exponent[4] = 0x01; - } - - public_template[RSA_MODULUS_BITS].pValue = &bits; - public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits); - public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent; - public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; - break; - case key_ecc: - op_type = OP_ECDSA; - if (bits == 0) { - bits = 256; - } else if (bits != 256 && bits != 384) { - fprintf(stderr, "ECC keys only support bit sizes of " - "256 and 384\n"); - exit(2); - } - - mech.mechanism = CKM_EC_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = ecc_template; - public_attrcnt = ECC_ATTRS; - id_offset = ECC_ID; - - if (bits == 256) { - public_template[4].pValue = pk11_ecc_prime256v1; - 
public_template[4].ulValueLen = - sizeof(pk11_ecc_prime256v1); - } else { - public_template[4].pValue = pk11_ecc_secp384r1; - public_template[4].ulValueLen = - sizeof(pk11_ecc_secp384r1); - } - - break; - case key_ecx: - op_type = OP_EDDSA; - if (bits == 0) { - bits = 256; - } else if (bits != 256 && bits != 456) { - fprintf(stderr, "ECX keys only support bit sizes of " - "256 and 456\n"); - exit(2); - } - - mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = ecc_template; - public_attrcnt = ECC_ATTRS; - id_offset = ECC_ID; - - if (bits == 256) { - public_template[4].pValue = pk11_ecx_ed25519; - public_template[4].ulValueLen = - sizeof(pk11_ecx_ed25519); - } else { - public_template[4].pValue = pk11_ecx_ed448; - public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); - } - - break; - case key_unknown: - usage(); - } - - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen((char *)label); - public_template[0].pValue = label; - public_template[0].ulValueLen = strlen((char *)label); - private_template[0].pValue = label; - private_template[0].ulValueLen = strlen((char *)label); - - if (idlen == 0) { - public_attrcnt--; - private_attrcnt--; - } else { - if (id <= 0xffff) { - idlen = 2; - idbuf[0] = (CK_BYTE)(id >> 8); - idbuf[1] = (CK_BYTE)id; - } else { - idbuf[0] = (CK_BYTE)(id >> 24); - idbuf[1] = (CK_BYTE)(id >> 16); - idbuf[2] = (CK_BYTE)(id >> 8); - idbuf[3] = (CK_BYTE)id; - } - - public_template[id_offset].pValue = idbuf; - public_template[id_offset].ulValueLen = idlen; - private_template[PRIVATE_ID].pValue = idbuf; - private_template[PRIVATE_ID].ulValueLen = idlen; - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (pin == NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, op_type, false, true, true, - (const char *)pin, slot); - if (result == 
PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - memset(pin, 0, strlen(pin)); - - hSession = pctx.session; - - /* check if a key with the same id already exists */ - rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount != 0) { - fprintf(stderr, "Key already exists.\n"); - error = 1; - goto exit_search; - } - - /* Set attributes if the key is not to be hidden */ - if (!hide) { - private_template[4].pValue = &falsevalue; - private_template[5].pValue = &truevalue; - } - - /* Generate Key pair for signing/verifying */ - rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template, - public_attrcnt, private_template, - private_attrcnt, &publickey, &privatekey); - - if (rv != CKR_OK) { - fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv); - error = 1; - } else if (!quiet) { - printf("Key pair generation complete.\n"); - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-keygen.rst b/bin/pkcs11/pkcs11-keygen.rst deleted file mode 100644 index 4eb1523f61..0000000000 --- a/bin/pkcs11/pkcs11-keygen.rst +++ /dev/null 
@@ -1,90 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-keygen: - -pkcs11-keygen - generate keys on a PKCS#11 device -------------------------------------------------- - -Synopsis -~~~~~~~~ - -:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label - -Description -~~~~~~~~~~~ - -``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair -with the given ``label`` (which must be unique) and with ``keysize`` -bits of prime. - -Options -~~~~~~~ - -``-a algorithm`` - This option specifies the key algorithm class: supported classes are RSA, DSA, DH, - ECC, and ECX. In addition to these strings, the ``algorithm`` can be - specified as a DNSSEC signing algorithm to be used with this - key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to - ECC, and ED25519 to ECX. The default class is ``RSA``. - -``-b keysize`` - This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the - only valid values are 256 and 384, and the default is 256. For ECX - keys, the only valid values are 256 and 456, and the default is 256. 
- -``-e`` - For RSA keys only, this option specifies use of a large exponent. - -``-i id`` - This option creates key objects with ``id``. The ID is either an unsigned short 2-byte - or an unsigned long 4-byte number. - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-P`` - This option sets the new private key to be non-sensitive and extractable, and - allows the private key data to be read from the PKCS#11 device. The - default is for private keys to be sensitive and non-extractable. - -``-p PIN`` - This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command - line, ``pkcs11-keygen`` prompts for it. - -``-q`` - This option sets quiet mode, which suppresses unnecessary output. - -``-S`` - For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-, - or 1536-bit size and base (AKA generator) 2. If not specified, bit - size defaults to 1024. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)` diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c deleted file mode 100644 index c103a44abc..0000000000 --- a/bin/pkcs11/pkcs11-list.c +++ /dev/null 
@@ -1,274 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */ - -/*! 
\file */ - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - pk11_context_t pctx; - char *lib_name = NULL; - char *label = NULL; - char *pin = NULL; - bool error = false, logon = true, all = false; - unsigned int i = 0, id = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, - sizeof(attr_id) } }; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) { - switch (c) { - case 'P': - logon = false; - break; - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'i': - id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': - label = isc_commandline_argument; - break; - case 'p': - pin = isc_commandline_argument; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] " - "[-i id | -l label] [-p pin]\n"); - exit(1); - } - - if (!id && (label == NULL)) { - all = true; - } - - if (slot) { - printf("slot %lu\n", slot); - } - - if (id) { - printf("id %u\n", id); - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label != NULL) { - printf("label %s\n", label); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (logon && pin == 
NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin, - slot); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - if (pin != NULL) { - memset(pin, 0, strlen(pin)); - } - - hSession = pctx.session; - - rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - - ulObjectCount = 1; - while (ulObjectCount) { - rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - for (i = 0; i < ulObjectCount; i++) { - unsigned int j, len; - - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_BBOOL extract = TRUE; - CK_BBOOL never = FALSE; - CK_ATTRIBUTE template[] = { - { CKA_CLASS, &oclass, sizeof(oclass) }, - { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, - { CKA_ID, idbuf, sizeof(idbuf) } - }; - CK_ATTRIBUTE priv_template[] = { - { CKA_EXTRACTABLE, &extract, sizeof(extract) }, - { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) } - }; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = pkcs_C_GetAttributeValue(hSession, akey[i], - template, 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%u]: " - "rv = 0x%.8lX\n", - i, rv); - if (rv == CKR_BUFFER_TOO_SMALL) { - fprintf(stderr, - "%u too small: %lu %lu %lu\n", 
- i, template[0].ulValueLen, - template[1].ulValueLen, - template[2].ulValueLen); - } - error = 1; - continue; - } - - len = template[2].ulValueLen; - printf("object[%u]: handle %lu class %lu " - "label[%lu] '%s' id[%lu] ", - i, akey[i], oclass, template[1].ulValueLen, - labelbuf, template[2].ulValueLen); - if (len == 2) { - id = (idbuf[0] << 8) & 0xff00; - id |= idbuf[1] & 0xff; - printf("%u", id); - } else { - if (len > 8) { - len = 8; - } - if (len > 0) { - printf("0x"); - } - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (template[2].ulValueLen > len) { - printf("..."); - } - } - if ((oclass == CKO_PRIVATE_KEY || - oclass == CKO_SECRET_KEY) && - pkcs_C_GetAttributeValue(hSession, akey[i], - priv_template, - 2) == CKR_OK) - { - printf(" E:%s", - extract ? "true" - : (never ? "never" : "false")); - } - printf("\n"); - } - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-list.rst b/bin/pkcs11/pkcs11-list.rst deleted file mode 100644 index e010d7ecfd..0000000000 --- a/bin/pkcs11/pkcs11-list.rst +++ /dev/null 
@@ -1,66 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-list: - -pkcs11-list - list PKCS#11 objects ----------------------------------- - -:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN] - -Description -~~~~~~~~~~~ - -``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by -default, all objects. The object class, label, and ID are displayed for -all keys. For private or secret keys, the extractability attribute is -also displayed, as either ``true``, ``false``, or ``never``. - -Options -~~~~~~~ - -``-P`` - This option lists only the public objects. (Note that on some PKCS#11 devices, all - objects are private.) - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -``-i ID`` - This option lists only key objects with the given object ID. - -``-l label`` - This option lists only key objects with the given label. - -``-p PIN`` - This option specifies the ``PIN`` for the device. 
If no ``PIN`` is provided on the command - line, ``pkcs11-list`` prompts for it. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c deleted file mode 100644 index 0db601d31a..0000000000 --- a/bin/pkcs11/pkcs11-tokens.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* pkcs11-tokens [-m module] */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - char *lib_name = NULL; - int c, errflg = 0; - isc_mem_t *mctx = NULL; - pk11_context_t pctx; - - while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 'v': - pk11_verbose_init = true; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n"); - exit(1); - } - - isc_mem_create(&mctx); - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n\n"); - } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - 
- pk11_dump_tokens(); - - if (pctx.handle != NULL) { - pk11_return_session(&pctx); - } - (void)pk11_finalize(); - - isc_mem_destroy(&mctx); - - exit(0); -} diff --git a/bin/pkcs11/pkcs11-tokens.rst b/bin/pkcs11/pkcs11-tokens.rst deleted file mode 100644 index 4cb89a5395..0000000000 --- a/bin/pkcs11/pkcs11-tokens.rst +++ /dev/null @@ -1,53 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-tokens: - -pkcs11-tokens - list PKCS#11 available tokens ---------------------------------------------- - -Synopsis -~~~~~~~~ - -:program:`pkcs11-tokens` [**-m** module] [**-v**] - -Description -~~~~~~~~~~~ - -``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from -the slot/token scan performed at application initialization. - -Options -~~~~~~~ - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-v`` - This option makes the PKCS#11 libisc initialization verbose. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)` diff --git a/bin/plugins/filter-a.c b/bin/plugins/filter-a.c index 4361e975f5..9ee1e9f374 100644 --- a/bin/plugins/filter-a.c 
+++ b/bin/plugins/filter-a.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -20,7 +22,6 @@ #include #include #include -#include #include #include #include @@ -34,7 +35,6 @@ #include #include #include -#include #include #include @@ -77,12 +77,6 @@ typedef struct filter_instance { ns_plugin_t *module; isc_mem_t *mctx; - /* - * Memory pool for use with persistent data. - */ - isc_mempool_t *datapool; - isc_mutex_t plock; - /* * Hash table associating a client object with its persistent data. */ @@ -336,7 +330,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx, void *actx, ns_hooktable_t *hooktable, void **instp) { filter_instance_t *inst = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, ISC_LOG_INFO, @@ -345,7 +339,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, cfg_file, cfg_line, parameters != NULL ? "with" : "no"); inst = isc_mem_get(mctx, sizeof(*inst)); - memset(inst, 0, sizeof(*inst)); + *inst = (filter_instance_t){ 0 }; isc_mem_attach(mctx, &inst->mctx); if (parameters != NULL) { 
@@ -353,25 +347,9 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, cfg_line, mctx, lctx, actx)); } - isc_mempool_create(mctx, sizeof(filter_data_t), &inst->datapool); - CHECK(isc_ht_init(&inst->ht, mctx, 16)); + isc_ht_init(&inst->ht, mctx, 1, ISC_HT_CASE_SENSITIVE); isc_mutex_init(&inst->hlock); - /* - * Fill the mempool with 1K filter_a state objects at - * a time; ideally after a single allocation, the mempool will - * have enough to handle all the simultaneous queries the system - * requires and it won't be necessary to allocate more. - * - * We don't set any limit on the number of free state objects - * so that they'll always be returned to the pool and not - * freed until the pool is destroyed on shutdown. - */ - isc_mempool_setfillcount(inst->datapool, 1024); - isc_mempool_setfreemax(inst->datapool, UINT_MAX); - isc_mutex_init(&inst->plock); - isc_mempool_associatelock(inst->datapool, &inst->plock); - /* * Set hook points in the view's hooktable. */ @@ -380,7 +358,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, *instp = inst; cleanup: - if (result != ISC_R_SUCCESS && inst != NULL) { + if (result != ISC_R_SUCCESS) { plugin_destroy((void **)&inst); } @@ -427,10 +405,6 @@ plugin_destroy(void **instp) { isc_ht_destroy(&inst->ht); isc_mutex_destroy(&inst->hlock); } - if (inst->datapool != NULL) { - isc_mempool_destroy(&inst->datapool); - isc_mutex_destroy(&inst->plock); - } if (inst->a_acl != NULL) { dns_acl_detach(&inst->a_acl); } @@ -512,10 +486,7 @@ client_state_create(const query_ctx_t *qctx, filter_instance_t *inst) { filter_data_t *client_state; isc_result_t result; - client_state = isc_mempool_get(inst->datapool); - if (client_state == NULL) { - return; - } + client_state = isc_mem_get(inst->mctx, sizeof(*client_state)); client_state->mode = NONE; client_state->flags = 0; 
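Review bot: The new `isc_ht_init(&inst->ht, mctx, 1, ISC_HT_CASE_SENSITIVE);` drops both the `CHECK(...)` wrapper and the previous initial size of 16 without saying why, so a reader cannot tell whether the call became infallible or whether an error is now silently ignored before `cleanup:` is reached with `result` still at `ISC_R_SUCCESS`. If `isc_ht_init` now returns void and the table resizes itself, a one-line comment such as `/* start with a minimal table; it grows as client state is added */` would make the size change intentional; if it can still fail, its result has to feed `result` so the `cleanup:` path in the following hunk still runs `plugin_destroy`. plugin_register's body begins and ends outside this hunk.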
@@ -542,7 +513,7 @@ client_state_destroy(const query_ctx_t *qctx, filter_instance_t *inst) { UNLOCK(&inst->hlock); RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_mempool_put(inst->datapool, client_state); + isc_mem_put(inst->mctx, client_state, sizeof(*client_state)); } /*% @@ -648,7 +619,8 @@ process_section(const section_filter_t *filter) { } if (section == DNS_SECTION_ANSWER || - section == DNS_SECTION_AUTHORITY) { + section == DNS_SECTION_AUTHORITY) + { message->flags &= ~DNS_MESSAGEFLAG_AD; } } @@ -698,7 +670,8 @@ filter_prep_response_begin(void *arg, void *cbdata, isc_result_t *resp) { result = ns_client_checkaclsilent(qctx->client, NULL, inst->a_acl, true); if (result == ISC_R_SUCCESS && inst->v4_a != NONE && - is_v4_client(qctx->client)) { + is_v4_client(qctx->client)) + { client_state->mode = inst->v4_a; } else if (result == ISC_R_SUCCESS && inst->v6_a != NONE && is_v6_client(qctx->client)) diff --git a/bin/plugins/filter-a.rst b/bin/plugins/filter-a.rst index 58c4c4ccd0..16b3deea80 100644 --- a/bin/plugins/filter-a.rst +++ b/bin/plugins/filter-a.rst 
@@ -1,26 +1,17 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: filter-a .. _man_filter-a: filter-a.so - filter A in DNS responses when AAAA is present @@ -34,14 +25,14 @@ Synopsis Description ~~~~~~~~~~~ -``filter-a.so`` is a query plugin module for ``named``, enabling -``named`` to omit some IPv4 addresses when responding to clients. +:program:`filter-a.so` is a query plugin module for :iscman:`named`, enabling +:iscman:`named` to omit some IPv4 addresses when responding to clients. For example: :: - plugin query "/usr/local/lib/filter-a.so" { + plugin query "filter-a.so" { filter-a-on-v6 yes; filter-a-on-v4 yes; filter-a { 192.0.2.1; 2001:db8:2::1; }; diff --git a/bin/plugins/filter-aaaa.c b/bin/plugins/filter-aaaa.c index f530b596ad..9830639938 100644 --- a/bin/plugins/filter-aaaa.c 
+++ b/bin/plugins/filter-aaaa.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -20,7 +22,6 @@ #include #include #include -#include #include #include #include @@ -34,7 +35,6 @@ #include #include #include -#include #include #include @@ -77,12 +77,6 @@ typedef struct filter_instance { ns_plugin_t *module; isc_mem_t *mctx; - /* - * Memory pool for use with persistent data. - */ - isc_mempool_t *datapool; - isc_mutex_t plock; - /* * Hash table associating a client object with its persistent data. */ @@ -339,7 +333,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx, void *actx, ns_hooktable_t *hooktable, void **instp) { filter_instance_t *inst = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, ISC_LOG_INFO, @@ -348,7 +342,8 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, cfg_file, cfg_line, parameters != NULL ? "with" : "no"); inst = isc_mem_get(mctx, sizeof(*inst)); - memset(inst, 0, sizeof(*inst)); + *inst = (filter_instance_t){ 0 }; + isc_mem_attach(mctx, &inst->mctx); if (parameters != NULL) { 
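Review bot: `isc_mem_attach(mctx, &inst->mctx)` appears to be newly added in this hunk (it is a context line in the matching filter-a.c change), which is needed now that `client_state_create()` allocates from `inst->mctx`; the counterpart detach in `plugin_destroy()` is not visible in this commit, so please confirm it releases the reference after the last use of `inst` (e.g. via `isc_mem_putanddetach(&inst->mctx, inst, sizeof(*inst))`) rather than freeing `inst` through a context it has already detached. The `cleanup:` path now calls `plugin_destroy()` whenever `result != ISC_R_SUCCESS`, so that function must also tolerate an instance where only `mctx` and `ht` were initialised. plugin_register() starts and ends outside this hunk.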
@@ -356,25 +351,9 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, cfg_line, mctx, lctx, actx)); } - isc_mempool_create(mctx, sizeof(filter_data_t), &inst->datapool); - CHECK(isc_ht_init(&inst->ht, mctx, 16)); + isc_ht_init(&inst->ht, mctx, 1, ISC_HT_CASE_SENSITIVE); isc_mutex_init(&inst->hlock); - /* - * Fill the mempool with 1K filter_aaaa state objects at - * a time; ideally after a single allocation, the mempool will - * have enough to handle all the simultaneous queries the system - * requires and it won't be necessary to allocate more. - * - * We don't set any limit on the number of free state objects - * so that they'll always be returned to the pool and not - * freed until the pool is destroyed on shutdown. - */ - isc_mempool_setfillcount(inst->datapool, 1024); - isc_mempool_setfreemax(inst->datapool, UINT_MAX); - isc_mutex_init(&inst->plock); - isc_mempool_associatelock(inst->datapool, &inst->plock); - /* * Set hook points in the view's hooktable. */ @@ -383,7 +362,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file, *instp = inst; cleanup: - if (result != ISC_R_SUCCESS && inst != NULL) { + if (result != ISC_R_SUCCESS) { plugin_destroy((void **)&inst); } @@ -430,10 +409,6 @@ plugin_destroy(void **instp) { isc_ht_destroy(&inst->ht); isc_mutex_destroy(&inst->hlock); } - if (inst->datapool != NULL) { - isc_mempool_destroy(&inst->datapool); - isc_mutex_destroy(&inst->plock); - } if (inst->aaaa_acl != NULL) { dns_acl_detach(&inst->aaaa_acl); } @@ -515,10 +490,7 @@ client_state_create(const query_ctx_t *qctx, filter_instance_t *inst) { filter_data_t *client_state; isc_result_t result; - client_state = isc_mempool_get(inst->datapool); - if (client_state == NULL) { - return; - } + client_state = isc_mem_get(inst->mctx, sizeof(*client_state)); client_state->mode = NONE; client_state->flags = 0; 
@@ -545,7 +517,7 @@ client_state_destroy(const query_ctx_t *qctx, filter_instance_t *inst) { UNLOCK(&inst->hlock); RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_mempool_put(inst->datapool, client_state); + isc_mem_put(inst->mctx, client_state, sizeof(*client_state)); } /*% @@ -651,7 +623,8 @@ process_section(const section_filter_t *filter) { } if (section == DNS_SECTION_ANSWER || - section == DNS_SECTION_AUTHORITY) { + section == DNS_SECTION_AUTHORITY) + { message->flags &= ~DNS_MESSAGEFLAG_AD; } } diff --git a/bin/plugins/filter-aaaa.rst b/bin/plugins/filter-aaaa.rst index 98d8c1e744..89904da741 100644 --- a/bin/plugins/filter-aaaa.rst +++ b/bin/plugins/filter-aaaa.rst 
@@ -1,26 +1,17 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: filter-aaaa .. _man_filter-aaaa: filter-aaaa.so - filter AAAA in DNS responses when A is present 
@@ -34,18 +25,18 @@ Synopsis Description ~~~~~~~~~~~ -``filter-aaaa.so`` is a query plugin module for ``named``, enabling -``named`` to omit some IPv6 addresses when responding to clients. +:program:`filter-aaaa.so` is a query plugin module for :iscman:`named`, enabling +:iscman:`named` to omit some IPv6 addresses when responding to clients. -Until BIND 9.12, this feature was implemented natively in ``named`` and +Until BIND 9.12, this feature was implemented natively in :iscman:`named` and enabled with the ``filter-aaaa`` ACL and the ``filter-aaaa-on-v4`` and -``filter-aaaa-on-v6`` options. These options are now deprecated in -``named.conf`` but can be passed as parameters to the +``filter-aaaa-on-v6`` options. These options are no longer available in +:iscman:`named.conf` but can be passed as parameters to the ``filter-aaaa.so`` plugin, for example: :: - plugin query "/usr/local/lib/filter-aaaa.so" { + plugin query "filter-aaaa.so" { filter-aaaa-on-v4 yes; filter-aaaa-on-v6 yes; filter-aaaa { 192.0.2.1; 2001:db8:2::1; }; diff --git a/bin/rndc/Makefile.am b/bin/rndc/Makefile.am index a668522bc2..f8f0ac96d5 100644 --- a/bin/rndc/Makefile.am +++ b/bin/rndc/Makefile.am @@ -4,8 +4,7 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ $(LIBISCCFG_CFLAGS) \ - $(LIBISCCC_CFLAGS) \ - $(LIBBIND9_CFLAGS) + $(LIBISCCC_CFLAGS) AM_CPPFLAGS += \ -DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \ @@ -22,5 +21,4 @@ rndc_LDADD = \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) \ $(LIBISCCC_LIBS) \ - $(LIBISCCFG_LIBS) \ - $(LIBBIND9_LIBS) + $(LIBISCCFG_LIBS) diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index 97b182999f..6e8261c784 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c 
@@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -15,54 +17,47 @@ #include #include -#include -#include #include #include #include #include +#include #include +#include #include #include #include #include -#include #include #include -#include +#include #include #include -#include #include #include -#include - #include #include #include #include #include -#include #include #include #include #include -#include - #include "util.h" -#define SERVERADDRS 10 +#define SERVERADDRS 10 +#define RNDC_TIMEOUT 60 * 1000 const char *progname = NULL; bool verbose; static isc_nm_t *netmgr = NULL; -static isc_taskmgr_t *taskmgr = NULL; -static isc_task_t *rndc_task = NULL; +static isc_loopmgr_t *loopmgr = NULL; static const char *admin_conffile = NULL; static const char *admin_keyfile = NULL; @@ -81,23 +76,18 @@ static isccc_region_t secret; static bool failed = false; static bool c_flag = false; static isc_mem_t *rndc_mctx = NULL; -static atomic_uint_fast32_t sends = ATOMIC_VAR_INIT(0); -static atomic_uint_fast32_t recvs = ATOMIC_VAR_INIT(0); -static atomic_uint_fast32_t connects = ATOMIC_VAR_INIT(0); static char *command = NULL; static char *args = NULL; static char program[256]; static uint32_t serial; static bool quiet = false; static bool showresult = false; -static bool shuttingdown = false; -static isc_nmhandle_t *recvdone_handle = NULL; -static isc_nmhandle_t *recvnonce_handle = NULL; +static int32_t timeout = RNDC_TIMEOUT; static void rndc_startconnect(isc_sockaddr_t *addr); -ISC_NORETURN static void +noreturn static void usage(int status); static void 
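Review bot: `#define RNDC_TIMEOUT 60 * 1000` is unparenthesised; it is only used as an initialiser in this commit, but any later `RNDC_TIMEOUT / 2` or `n * RNDC_TIMEOUT` would silently misgroup. The unit is also worth stating, since the new `-t` option takes seconds and multiplies by 1000 before storing into the same `timeout` variable: `#define RNDC_TIMEOUT (60 * 1000) /* milliseconds */`.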
@@ -126,7 +116,7 @@ command is one of the following:\n\ Requires the zone to have a dnssec-policy.\n\ dnstap -reopen\n\ Close, truncate and re-open the DNSTAP output file.\n\ - dnstap -roll count\n\ + dnstap -roll [count]\n\ Close, rename and re-open the DNSTAP output file(s).\n\ dumpdb [-all|-cache|-zones|-adb|-bad|-expired|-fail] [view ...]\n\ Dump cache(s) to the dump file (named_dump.db).\n\ @@ -222,10 +212,6 @@ command is one of the following:\n\ Enable updates to a frozen dynamic zone and reload it.\n\ trace Increment debugging level by one.\n\ trace level Change the debugging level.\n\ - tsig-delete keyname [view]\n\ - Delete a TKEY-negotiated TSIG key.\n\ - tsig-list List all currently active TSIG keys, including both statically\n\ - configured and TKEY-negotiated keys.\n\ validation [ on | off | status ] [view]\n\ Enable / disable DNSSEC validation.\n\ zonestatus zone [class [view]]\n\ @@ -237,7 +223,7 @@ Version: %s\n", exit(status); } -#define CMDLINE_FLAGS "46b:c:hk:Mmp:qrs:Vy:" +#define CMDLINE_FLAGS "46b:c:hk:Mmp:qrs:t:Vy:" static void preparse_args(int argc, char **argv) { @@ -282,7 +268,7 @@ get_addresses(const char *host, in_port_t port) { } } else { count = SERVERADDRS - nserveraddrs; - result = bind9_getaddresses( + result = isc_getaddresses( host, port, &serveraddrs[nserveraddrs], count, &found); nserveraddrs += found; } 
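Review bot: `CMDLINE_FLAGS` gains `t:` but no hunk in this commit touches the `Usage:` line printed by usage(), which lives outside the visible hunks; if it was not updated elsewhere, `rndc -h` will not advertise the `-t timeout` option that rndc.rst now documents. Add `[-t timeout]` beside the other option placeholders in that format string so the built-in help and the man page agree.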
@@ -294,44 +280,26 @@ get_addresses(const char *host, in_port_t port) { } static void -rndc_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) { - isc_nmhandle_t *sendhandle = (isc_nmhandle_t *)arg; - +rndc_senddone(isc_nmhandle_t *handle ISC_ATTR_UNUSED, isc_result_t result, + void *arg ISC_ATTR_UNUSED) { if (result != ISC_R_SUCCESS) { fatal("send failed: %s", isc_result_totext(result)); } - - REQUIRE(sendhandle == handle); - isc_nmhandle_detach(&sendhandle); - - if (atomic_fetch_sub_release(&sends, 1) == 1 && - atomic_load_acquire(&recvs) == 0) - { - shuttingdown = true; - isc_task_shutdown(rndc_task); - isc_app_shutdown(); - } } static void rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) { isccc_ccmsg_t *ccmsg = (isccc_ccmsg_t *)arg; isccc_sexpr_t *response = NULL; - isccc_sexpr_t *data; + isccc_sexpr_t *data = NULL; isccc_region_t source; char *errormsg = NULL; char *textmsg = NULL; + REQUIRE(handle != NULL); REQUIRE(ccmsg != NULL); - if (shuttingdown && (result == ISC_R_EOF || result == ISC_R_CANCELED)) { - atomic_fetch_sub_release(&recvs, 1); - if (handle != NULL) { - REQUIRE(recvdone_handle == handle); - isc_nmhandle_detach(&recvdone_handle); - } - return; - } else if (result == ISC_R_EOF) { + if (result == ISC_R_EOF) { fatal("connection to remote host closed.\n" "* This may indicate that the\n" "* remote server is using an older\n" @@ -340,7 +308,7 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) { "* the clocks are not synchronized,\n" "* the key signing algorithm is incorrect,\n" "* or the key is invalid."); - } else if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) { + } else if (result != ISC_R_SUCCESS) { fatal("recv failed: %s", isc_result_totext(result)); } 
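Review bot: `rndc_recvdone()` now treats every non-success result as fatal, including `ISC_R_CANCELED`, which the old code tolerated while `shuttingdown` was set; the comment removed from main() in this same commit said the ccmsg callback fires one final time when the TCP connection is torn down. If the loop manager still delivers a cancelled or EOF read after `isc_loopmgr_shutdown()`, a command that actually succeeded would exit through `fatal()` with the misleading "older version / clock skew" diagnosis, so this is worth exercising once against a live named. If that final callback can no longer happen, say so on the `result == ISC_R_EOF` test, e.g. `/* the ccmsg is invalidated before shutdown, so no cancelled read reaches this callback */`, adjusted to what the netmgr guarantees. rndc_recvdone() continues past the end of this hunk.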
@@ -387,42 +355,27 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) { isccc_sexpr_free(&response); - REQUIRE(recvdone_handle == handle); - isc_nmhandle_detach(&recvdone_handle); - - if (atomic_load_acquire(&sends) == 0 && - atomic_fetch_sub_release(&recvs, 1) == 1) - { - shuttingdown = true; - isc_task_shutdown(rndc_task); - isc_app_shutdown(); - } + isccc_ccmsg_invalidate(ccmsg); + isc_loopmgr_shutdown(loopmgr); } static void -rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) { +rndc_recvnonce(isc_nmhandle_t *handle ISC_ATTR_UNUSED, isc_result_t result, + void *arg) { isccc_ccmsg_t *ccmsg = (isccc_ccmsg_t *)arg; isccc_sexpr_t *response = NULL; - isc_nmhandle_t *sendhandle = NULL; isccc_sexpr_t *_ctrl = NULL; isccc_region_t source; uint32_t nonce; isccc_sexpr_t *request = NULL; - isccc_time_t now; + isccc_time_t now = isc_stdtime_now(); isc_region_t r; isccc_sexpr_t *data = NULL; isc_buffer_t b; REQUIRE(ccmsg != NULL); - if (shuttingdown && result == ISC_R_EOF) { - atomic_fetch_sub_release(&recvs, 1); - if (handle != NULL) { - REQUIRE(recvnonce_handle == handle); - isc_nmhandle_detach(&recvnonce_handle); - } - return; - } else if (result == ISC_R_EOF) { + if (result == ISC_R_EOF) { fatal("connection to remote host closed.\n" "* This may indicate that the\n" "* remote server is using an older\n" @@ -450,8 +403,6 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) { nonce = 0; } - isc_stdtime_get(&now); - DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial, now, now + 60, &request)); data = isccc_alist_lookup(request, "_data"); 
@@ -484,17 +435,8 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) { r.base = databuf->base; r.length = databuf->used; - isc_nmhandle_attach(handle, &recvdone_handle); - atomic_fetch_add_relaxed(&recvs, 1); isccc_ccmsg_readmessage(ccmsg, rndc_recvdone, ccmsg); - - isc_nmhandle_attach(handle, &sendhandle); - atomic_fetch_add_relaxed(&sends, 1); - isc_nm_send(handle, &r, rndc_senddone, sendhandle); - - REQUIRE(recvnonce_handle == handle); - isc_nmhandle_detach(&recvnonce_handle); - atomic_fetch_sub_release(&recvs, 1); + isccc_ccmsg_sendmessage(ccmsg, &r, rndc_senddone, NULL); isccc_sexpr_free(&response); isccc_sexpr_free(&request); @@ -507,16 +449,13 @@ rndc_connected(isc_nmhandle_t *handle, isc_result_t result, void *arg) { char socktext[ISC_SOCKADDR_FORMATSIZE]; isccc_sexpr_t *request = NULL; isccc_sexpr_t *data = NULL; - isccc_time_t now; + isccc_time_t now = isc_stdtime_now(); isc_region_t r; isc_buffer_t b; - isc_nmhandle_t *connhandle = NULL; - isc_nmhandle_t *sendhandle = NULL; REQUIRE(ccmsg != NULL); if (result != ISC_R_SUCCESS) { - atomic_fetch_sub_release(&connects, 1); isc_sockaddr_format(&serveraddrs[currentaddr], socktext, sizeof(socktext)); if (++currentaddr < nserveraddrs) { @@ -530,9 +469,6 @@ rndc_connected(isc_nmhandle_t *handle, isc_result_t result, void *arg) { isc_result_totext(result)); } - isc_nmhandle_attach(handle, &connhandle); - - isc_stdtime_get(&now); DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial, now, now + 60, &request)); data = isccc_alist_lookup(request, "_data"); 
@@ -556,19 +492,12 @@ rndc_connected(isc_nmhandle_t *handle, isc_result_t result, void *arg) { r.base = databuf->base; r.length = databuf->used; + /* isccc_ccmsg_init() attaches to the handle */ isccc_ccmsg_init(rndc_mctx, handle, ccmsg); isccc_ccmsg_setmaxsize(ccmsg, 1024 * 1024); - isc_nmhandle_attach(handle, &recvnonce_handle); - atomic_fetch_add_relaxed(&recvs, 1); isccc_ccmsg_readmessage(ccmsg, rndc_recvnonce, ccmsg); - - isc_nmhandle_attach(handle, &sendhandle); - atomic_fetch_add_relaxed(&sends, 1); - isc_nm_send(handle, &r, rndc_senddone, sendhandle); - - isc_nmhandle_detach(&connhandle); - atomic_fetch_sub_release(&connects, 1); + isccc_ccmsg_sendmessage(ccmsg, &r, rndc_senddone, NULL); isccc_sexpr_free(&request); } @@ -595,20 +524,16 @@ rndc_startconnect(isc_sockaddr_t *addr) { */ fatal("UNIX domain sockets not currently supported"); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } - atomic_fetch_add_relaxed(&connects, 1); isc_nm_tcpconnect(netmgr, local, addr, rndc_connected, &rndc_ccmsg, - 60000, 0); + timeout); } static void -rndc_start(isc_task_t *task, isc_event_t *event) { - isc_event_free(&event); - - UNUSED(task); +rndc_start(void *arg) { + UNUSED(arg); currentaddr = 0; rndc_startconnect(&serveraddrs[currentaddr]); @@ -691,7 +616,8 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, (void)cfg_map_get(config, "server", &servers); if (servers != NULL) { for (elt = cfg_list_first(servers); elt != NULL; - elt = cfg_list_next(elt)) { + elt = cfg_list_next(elt)) + { const char *name = NULL; server = cfg_listelt_value(elt); name = cfg_obj_asstring( @@ -728,7 +654,8 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, } else { DO("get config key list", cfg_map_get(config, "key", &keys)); for (elt = cfg_list_first(keys); elt != NULL; - elt = cfg_list_next(elt)) { + elt = cfg_list_next(elt)) + { const char *name = NULL; key = cfg_listelt_value(elt); 
@@ -901,7 +828,7 @@ main(int argc, char **argv) { const char *keyname = NULL; struct in_addr in; struct in6_addr in6; - char *p; + char *p = NULL; size_t argslen; int ch; int i; @@ -918,11 +845,6 @@ main(int argc, char **argv) { isc_sockaddr_any(&local4); isc_sockaddr_any6(&local6); - result = isc_app_start(); - if (result != ISC_R_SUCCESS) { - fatal("isc_app_start() failed: %s", isc_result_totext(result)); - } - isc_commandline_errprint = false; preparse_args(argc, argv); @@ -943,11 +865,13 @@ main(int argc, char **argv) { break; case 'b': if (inet_pton(AF_INET, isc_commandline_argument, &in) == - 1) { + 1) + { isc_sockaddr_fromin(&local4, &in, 0); local4set = true; } else if (inet_pton(AF_INET6, isc_commandline_argument, - &in6) == 1) { + &in6) == 1) + { isc_sockaddr_fromin6(&local6, &in6, 0); local6set = true; } @@ -990,6 +914,15 @@ main(int argc, char **argv) { servername = isc_commandline_argument; break; + case 't': + timeout = strtol(isc_commandline_argument, &p, 10); + if (*p != '\0' || timeout < 0 || timeout > 86400) { + fatal("invalid timeout '%s'", + isc_commandline_argument); + } + timeout *= 1000; + break; + case 'V': verbose = true; break; @@ -1004,7 +937,7 @@ main(int argc, char **argv) { program, isc_commandline_option); usage(1); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': usage(0); break; @@ -1030,9 +963,11 @@ main(int argc, char **argv) { serial = isc_random32(); - isc_mem_create(&rndc_mctx); - isc_managers_create(rndc_mctx, 1, 0, 0, &netmgr, &taskmgr, NULL, NULL); - DO("create task", isc_task_create(taskmgr, 0, &rndc_task)); + isc_managers_create(&rndc_mctx, 1, &loopmgr, &netmgr); + isc_loopmgr_setup(loopmgr, rndc_start, NULL); + + isc_nm_settimeouts(netmgr, timeout, timeout, timeout, 0); + isc_log_create(rndc_mctx, &log, &logconfig); isc_log_setcontext(log); isc_log_settag(logconfig, progname); 
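Review bot: The new `-t` parsing in the `case 't':` hunk assigns `strtol()`'s `long` straight into the `int32_t` `timeout` and only then range-checks it, so on LP64 a value such as `4294967296` wraps to 0 before the `timeout > 86400` test and is silently accepted as "no timeout"; an empty argument (`-t ""`) passes too, because `strtol()` returns 0 with `*p == '\0'`. Parse into a `long`, reject `p == isc_commandline_argument`, check the range, and narrow only afterwards — overflow needs no `errno` check because `LONG_MAX`/`LONG_MIN` already fail the 0..86400 test. main() starts and ends outside this hunk.

```c
	case 't': {
		/*
		 * Parse into a long first so the range check cannot be
		 * bypassed by a value that wraps when narrowed to int32_t,
		 * and reject an empty argument, which strtol() accepts.
		 */
		long value = strtol(isc_commandline_argument, &p, 10);
		if (p == isc_commandline_argument || *p != '\0' ||
		    value < 0 || value > 86400)
		{
			fatal("invalid timeout '%s'",
			      isc_commandline_argument);
		}
		timeout = (int32_t)(value * 1000); /* seconds -> ms */
		break;
	}
```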
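Review bot: The `-t` value is applied here to all three netmgr timeouts (`isc_nm_settimeouts(netmgr, timeout, timeout, timeout, 0)`) and, in rndc_startconnect(), as the TCP connect timeout, while the rndc.rst text in this commit describes it only as an idle timeout; either the man page should mention that it also bounds the connection attempt, or the connect call should keep a fixed value. With `-t 0`, documented as "no timeout", the code passes 0 to both calls, and I cannot see from here whether `isc_nm_settimeouts()` and `isc_nm_tcpconnect()` interpret 0 as disabled or as immediate expiry; please confirm against the netmgr and note the outcome next to the call, e.g. `/* 0 disables the timeout, matching the documented -t 0 */`, only if that is what the API does. main() starts and ends outside this hunk.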
@@ -1048,8 +983,6 @@ main(int argc, char **argv) { parse_config(rndc_mctx, log, keyname, &pctx, &config); - isccc_result_register(); - isc_buffer_allocate(rndc_mctx, &databuf, 2048); /* @@ -1080,23 +1013,7 @@ main(int argc, char **argv) { get_addresses(servername, (in_port_t)remoteport); } - DO("post event", isc_app_onrun(rndc_mctx, rndc_task, rndc_start, NULL)); - - result = isc_app_run(); - if (result != ISC_R_SUCCESS) { - fatal("isc_app_run() failed: %s", isc_result_totext(result)); - } - - isc_task_detach(&rndc_task); - isc_managers_destroy(&netmgr, &taskmgr, NULL, NULL); - - /* - * Note: when TCP connections are shut down, there will be a final - * call to the isccc callback routine with &rndc_ccmsg as its - * argument. We therefore need to delay invalidating it until - * after the netmgr is closed down. - */ - isccc_ccmsg_invalidate(&rndc_ccmsg); + isc_loopmgr_run(loopmgr); isc_log_destroy(&log); isc_log_setcontext(NULL); @@ -1112,7 +1029,7 @@ main(int argc, char **argv) { isc_mem_stats(rndc_mctx, stderr); } - isc_mem_destroy(&rndc_mctx); + isc_managers_destroy(&rndc_mctx, &loopmgr, &netmgr); if (failed) { return (1); diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf index 68003315f9..78ee858515 100644 --- a/bin/rndc/rndc.conf +++ b/bin/rndc/rndc.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/rndc/rndc.conf.rst b/bin/rndc/rndc.conf.rst index 9a2bc3fafb..20e6bc97a4 100644 --- a/bin/rndc/rndc.conf.rst +++ b/bin/rndc/rndc.conf.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: rndc.conf +.. program:: rndc.conf .. _man_rndc.conf: rndc.conf - rndc configuration file @@ -34,9 +26,9 @@ Synopsis Description ~~~~~~~~~~~ -``rndc.conf`` is the configuration file for ``rndc``, the BIND 9 name +:program:`rndc.conf` is the configuration file for :iscman:`rndc`, the BIND 9 name server control utility. This file has a similar structure and syntax to -``named.conf``. Statements are enclosed in braces and terminated with a +:iscman:`named.conf`. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported: 
@@ -46,13 +38,13 @@ C++ style: // to end of line Unix style: # to end of line -``rndc.conf`` is much simpler than ``named.conf``. The file uses three +:program:`rndc.conf` is much simpler than :iscman:`named.conf`. The file uses three statements: an options statement, a server statement, and a key statement. The ``options`` statement contains five clauses. The ``default-server`` clause is followed by the name or address of a name server. This host -is used when no name server is given as an argument to ``rndc``. +is used when no name server is given as an argument to :iscman:`rndc`. The ``default-key`` clause is followed by the name of a key, which is identified by a ``key`` statement. If no ``keyid`` is provided on the rndc command line, and no ``key`` clause is found in a matching @@ -77,14 +69,14 @@ IPv4 and IPv6 source address, respectively. The ``key`` statement begins with an identifying string, the name of the key. The statement has two clauses. ``algorithm`` identifies the -authentication algorithm for ``rndc`` to use; currently only HMAC-MD5 +authentication algorithm for :iscman:`rndc` to use; currently only HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default), HMAC-SHA384, and HMAC-SHA512 are supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's authentication key. The base-64 string is enclosed in double quotes. There are two common ways to generate the base-64 string for the secret. -The BIND 9 program ``rndc-confgen`` can be used to generate a random +The BIND 9 program :iscman:`rndc-confgen` can be used to generate a random key, or the ``mmencode`` program, also known as ``mimencode``, can be used to generate a base-64 string from known input. ``mmencode`` does not ship with BIND 9 but is available on many systems. See the Example 
@@ -128,7 +120,7 @@ Example }; -In the above example, ``rndc`` by default uses the server at +In the above example, :iscman:`rndc` by default uses the server at localhost (127.0.0.1) and the key called "samplekey". Commands to the localhost server use the "samplekey" key, which must also be defined in the server's configuration file with the same name and secret. The @@ -136,16 +128,16 @@ key statement indicates that "samplekey" uses the HMAC-SHA256 algorithm and its secret clause contains the base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes. -If ``rndc -s testserver`` is used, then ``rndc`` connects to the server +If :option:`rndc -s testserver ` is used, then :iscman:`rndc` connects to the server on localhost port 5353 using the key "testkey". -To generate a random secret with ``rndc-confgen``: +To generate a random secret with :iscman:`rndc-confgen`: -``rndc-confgen`` +:iscman:`rndc-confgen` -A complete ``rndc.conf`` file, including the randomly generated key, +A complete :program:`rndc.conf` file, including the randomly generated key, is written to the standard output. Commented-out ``key`` and -``controls`` statements for ``named.conf`` are also printed. +``controls`` statements for :iscman:`named.conf` are also printed. To generate a base-64 secret with ``mmencode``: 
@@ -155,12 +147,12 @@ Name Server Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~ The name server must be configured to accept rndc connections and to -recognize the key specified in the ``rndc.conf`` file, using the -controls statement in ``named.conf``. See the sections on the +recognize the key specified in the :program:`rndc.conf` file, using the +controls statement in :iscman:`named.conf`. See the sections on the ``controls`` statement in the BIND 9 Administrator Reference Manual for details. See Also ~~~~~~~~ -:manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, :manpage:`mmencode(1)`, BIND 9 Administrator Reference Manual. +:iscman:`rndc(8) `, :iscman:`rndc-confgen(8) `, :manpage:`mmencode(1)`, BIND 9 Administrator Reference Manual. diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 6221073ae8..db43974a4b 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst 
@@ -1,26 +1,18 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. .. highlight: console +.. iscman:: rndc +.. program:: rndc .. _man_rndc: rndc - name server control utility 
@@ -29,81 +21,97 @@ rndc - name server control utility Synopsis ~~~~~~~~ -:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** key_id] [[**-4**] | [**-6**]] {command} +:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** server_key] [[**-4**] | [**-6**]] {command} Description ~~~~~~~~~~~ -``rndc`` controls the operation of a name server; it supersedes the -``ndc`` utility. If ``rndc`` is +:program:`rndc` controls the operation of a name server. If :program:`rndc` is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. -``rndc`` communicates with the name server over a TCP connection, +:program:`rndc` communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current -versions of ``rndc`` and ``named``, the only supported authentication +versions of :program:`rndc` and :iscman:`named`, the only supported authentication algorithms are HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default), HMAC-SHA384, and HMAC-SHA512. They use a shared secret on each end of the connection, which provides TSIG-style authentication for the command request and the name server's response. -All commands sent over the channel must be signed by a key_id known to +All commands sent over the channel must be signed by a server_key known to the server. -``rndc`` reads a configuration file to determine how to contact the name +:program:`rndc` reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. Options ~~~~~~~ -``-4`` +.. option:: -4 + This option indicates use of IPv4 only. -``-6`` +.. option:: -6 + This option indicates use of IPv6 only. -``-b source-address`` +.. 
option:: -b source-address + This option indicates ``source-address`` as the source address for the connection to the server. Multiple instances are permitted, to allow setting of both the IPv4 and IPv6 source addresses. -``-c config-file`` +.. option:: -c config-file + This option indicates ``config-file`` as the configuration file instead of the default, - ``/etc/rndc.conf``. + |rndc_conf|. + +.. option:: -k key-file -``-k key-file`` This option indicates ``key-file`` as the key file instead of the default, - ``/etc/rndc.key``. The key in ``/etc/rndc.key`` is used to + |rndc_key|. The key in |rndc_key| is used to authenticate commands sent to the server if the config-file does not exist. -``-s server`` +.. option:: -s server + ``server`` is the name or address of the server which matches a server - statement in the configuration file for ``rndc``. If no server is + statement in the configuration file for :program:`rndc`. If no server is supplied on the command line, the host named by the default-server - clause in the options statement of the ``rndc`` configuration file + clause in the options statement of the :program:`rndc` configuration file is used. -``-p port`` +.. option:: -p port + This option instructs BIND 9 to send commands to TCP port ``port`` instead of its default control channel port, 953. -``-q`` +.. option:: -q + This option sets quiet mode, where message text returned by the server is not printed unless there is an error. -``-r`` - This option instructs ``rndc`` to print the result code returned by ``named`` +.. option:: -r + + This option instructs :program:`rndc` to print the result code returned by :iscman:`named` after executing the requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc.). -``-V`` +.. option:: -t timeout + + This option sets the idle timeout period for :program:`rndc` to + ``timeout`` seconds. The default is 60 seconds, and the maximum settable + value is 86400 seconds (1 day). If set to 0, there is no timeout. + +.. 
option:: -V + This option enables verbose logging. -``-y key_id`` - This option indicates use of the key ``key_id`` from the configuration file. For control message validation to succeed, ``key_id`` must be known - by ``named`` with the same algorithm and secret string. If no ``key_id`` is specified, - ``rndc`` first looks for a key clause in the server statement of +.. option:: -y server_key + + This option indicates use of the key ``server_key`` from the configuration file. For control message validation to succeed, ``server_key`` must be known + by :iscman:`named` with the same algorithm and secret string. If no ``server_key`` is specified, + :program:`rndc` first looks for a key clause in the server statement of the server being used, or if no server statement is present for that host, then in the default-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send 
@@ -113,37 +121,39 @@ Options Commands ~~~~~~~~ -A list of commands supported by ``rndc`` can be seen by running ``rndc`` +A list of commands supported by :program:`rndc` can be seen by running :program:`rndc` without arguments. Currently supported commands are: -``addzone`` *zone* [*class* [*view*]] *configuration* +.. option:: addzone zone [class [view]] configuration + This command adds a zone while the server is running. This command requires the ``allow-new-zones`` option to be set to ``yes``. The configuration string specified on the command line is the zone configuration text - that would ordinarily be placed in ``named.conf``. + that would ordinarily be placed in :iscman:`named.conf`. The configuration is saved in a file called ``viewname.nzf`` (or, if - ``named`` is compiled with liblmdb, an LMDB database file called + :iscman:`named` is compiled with liblmdb, an LMDB database file called ``viewname.nzd``). ``viewname`` is the name of the view, unless the view name contains characters that are incompatible with use as a file name, in which case a cryptographic hash of the view name is used - instead. When ``named`` is restarted, the file is loaded into + instead. When :iscman:`named` is restarted, the file is loaded into the view configuration so that zones that were added can persist after a restart. This sample ``addzone`` command adds the zone ``example.com`` to the default view: - ``rndc addzone example.com '{ type master; file "example.com.db"; };'`` + ``rndc addzone example.com '{ type primary; file "example.com.db"; };'`` (Note the brackets around and semi-colon after the zone configuration text.) - See also ``rndc delzone`` and ``rndc modzone``. + See also :option:`rndc delzone` and :option:`rndc modzone`. + +.. option:: delzone [-clean] zone [class [view]] -``delzone`` [**-clean**] *zone* [*class* [*view*]] This command deletes a zone while the server is running. If the ``-clean`` argument is specified, the zone's master file (and 
@@ -154,14 +164,15 @@ Currently supported commands are: If the zone was originally added via ``rndc addzone``, then it is removed permanently. However, if it was originally configured in - ``named.conf``, then that original configuration remains in place; + :iscman:`named.conf`, then that original configuration remains in place; when the server is restarted or reconfigured, the zone is recreated. To remove it permanently, it must also be removed from - ``named.conf``. + :iscman:`named.conf`. - See also ``rndc addzone`` and ``rndc modzone``. + See also :option:`rndc addzone` and :option:`rndc modzone`. + +.. option:: dnssec (-status | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time] published | withdrawn)) zone [class [view]] -``dnssec`` ( **-status** | **-rollover** **-key** id [**-alg** *algorithm*] [**-when** *time*] | **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]] This command allows you to interact with the "dnssec-policy" of a given zone. 
@@ -171,74 +182,95 @@ Currently supported commands are: ``rndc dnssec -rollover`` allows you to schedule key rollover for a specific key (overriding the original key lifetime). - ``rndc dnssec -checkds`` will let ``named`` know that the DS for the given - key has been seen published into or withdrawn from the parent. This is - required in order to complete a KSK rollover. If the ``-key id`` argument - is specified, look for the key with the given identifier, otherwise if there - is only one key acting as a KSK in the zone, assume the DS of that key (if - there are multiple keys with the same tag, use ``-alg algorithm`` to - select the correct algorithm). The time that the DS has been published or - withdrawn is set to now, unless otherwise specified with the argument ``-when time``. - -``dnstap`` ( **-reopen** | **-roll** [*number*] ) - This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows - the output file to be renamed externally, so that ``named`` can - truncate and re-open it. ``rndc dnstap -roll`` causes the output file + ``rndc dnssec -checkds`` informs :iscman:`named` that the DS for + a specified zone's key-signing key has been confirmed to be published + in, or withdrawn from, the parent zone. This is required in order to + complete a KSK rollover. The ``-key id`` and ``-alg algorithm`` arguments + can be used to specify a particular KSK, if necessary; if there is only + one key acting as a KSK for the zone, these arguments can be omitted. + The time of publication or withdrawal for the DS is set to the current + time by default, but can be overridden to a specific time with the + argument ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS + notation. + +.. option:: dnstap (-reopen | -roll [number]) + + This command closes and re-opens DNSTAP output files. + + ``rndc dnstap -reopen`` allows + the output file to be renamed externally, so that :iscman:`named` can + truncate and re-open it. 
+ + ``rndc dnstap -roll`` causes the output file to be rolled automatically, similar to log files. The most recent output file has ".0" appended to its name; the previous most recent output file is moved to ".1", and so on. If ``number`` is specified, then the number of backup log files is limited to that number. -``dumpdb`` [**-all** | **-cache** | **-zones** | **-adb** | **-bad** | **-expired** | **-fail**] [*view ...*] +.. option:: dumpdb [-all | -cache | -zones | -adb | -bad | -expired | -fail] [view ...] + This command dumps the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped. (See the ``dump-file`` option in the BIND 9 Administrator Reference Manual.) -``flush`` +.. option:: fetchlimit [view] + + This command dumps a list of servers that are currently being + rate-limited as a result of ``fetches-per-server`` settings, and + a list of domain names that are currently being rate-limited as + a result of ``fetches-per-zone`` settings. + +.. option:: flush + This command flushes the server's cache. -``flushname`` *name* [*view*] +.. option:: flushname name [view] + This command flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database, bad server cache, and SERVFAIL cache. -``flushtree`` *name* [*view*] +.. option:: flushtree name [view] + This command flushes the given name, and all of its subdomains, from the view's DNS cache, address database, bad server cache, and SERVFAIL cache. -``freeze`` [*zone* [*class* [*view*]]] +.. option:: freeze [zone [class [view]]] + This command suspends updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update, and causes changes in the journal file to be synced into the master file. All dynamic update attempts are refused while the zone is frozen. - See also ``rndc thaw``. 
+ See also :option:`rndc thaw`. + +.. option:: halt [-p] -``halt`` [**-p**] This command stops the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but are rolled forward from the journal files when the server is restarted. If - ``-p`` is specified, ``named``'s process ID is returned. This allows - an external process to determine when ``named`` has completed + ``-p`` is specified, :iscman:`named`'s process ID is returned. This allows + an external process to determine when :iscman:`named` has completed halting. - See also ``rndc stop``. + See also :option:`rndc stop`. + +.. option:: loadkeys [zone [class [view]]] -``loadkeys`` [*zone* [*class* [*view*]]] This command fetches all DNSSEC keys for the given zone from the key directory. If they are within their publication period, they are merged into the - zone's DNSKEY RRset. Unlike ``rndc sign``, however, the zone is not + zone's DNSKEY RRset. Unlike :option:`rndc sign`, however, the zone is not immediately re-signed by the new keys, but is allowed to incrementally re-sign over time. - This command requires that the zone be configured with a ``dnssec-policy``, or - that the ``auto-dnssec`` zone option be set to ``maintain``, and also requires the - zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in - the Administrator Reference Manual for more details.) + This command requires that the zone be configured with a ``dnssec-policy``, and + also requires the zone to be configured to allow dynamic DNS. (See "Dynamic + Update Policies" in the Administrator Reference Manual for more details.) + +.. option:: managed-keys (status | refresh | sync | destroy) [class [view]] -``managed-keys`` (*status* | *refresh* | *sync* | *destroy*) [*class* [*view*]] This command inspects and controls the "managed-keys" database which handles :rfc:`5011` DNSSEC trust anchor maintenance. 
If a view is specified, these commands are applied to that view; otherwise, they are applied to all @@ -264,11 +296,11 @@ Currently supported commands are: Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used. - However, key maintenance operations cease until ``named`` is + However, key maintenance operations cease until :iscman:`named` is restarted or reconfigured, and all existing key maintenance states are deleted. - Running ``rndc reconfig`` or restarting ``named`` immediately + Running :option:`rndc reconfig` or restarting :iscman:`named` immediately after this command causes key maintenance to be reinitialized from scratch, just as if the server were being started for the first time. This is primarily intended for testing, but it may 
@@ -276,47 +308,51 @@ Currently supported commands are: keys in the event of a trust anchor rollover, or as a brute-force repair for key maintenance problems. -``modzone`` *zone* [*class* [*view*]] *configuration* +.. option:: modzone zone [class [view]] configuration + This command modifies the configuration of a zone while the server is running. This command requires the ``allow-new-zones`` option to be set to ``yes``. As with ``addzone``, the configuration string specified on the command line is the zone configuration text that would ordinarily be - placed in ``named.conf``. + placed in :iscman:`named.conf`. - If the zone was originally added via ``rndc addzone``, the + If the zone was originally added via :option:`rndc addzone`, the configuration changes are recorded permanently and are still in effect after the server is restarted or reconfigured. However, if - it was originally configured in ``named.conf``, then that original + it was originally configured in :iscman:`named.conf`, then that original configuration remains in place; when the server is restarted or reconfigured, the zone reverts to its original configuration. To make the changes permanent, it must also be modified in - ``named.conf``. + :iscman:`named.conf`. + + See also :option:`rndc addzone` and :option:`rndc delzone`. - See also ``rndc addzone`` and ``rndc delzone``. +.. option:: notify zone [class [view]] -``notify`` *zone* [*class* [*view*]] This command resends NOTIFY messages for the zone. -``notrace`` +.. option:: notrace + This command sets the server's debugging level to 0. - See also ``rndc trace``. + See also :option:`rndc trace`. + +.. option:: nta [(-class class | -dump | -force | -remove | -lifetime duration)] domain [view] -``nta`` [( **-class** *class* | **-dump** | **-force** | **-remove** | **-lifetime** *duration*)] *domain* [*view*] This command sets a DNSSEC negative trust anchor (NTA) for ``domain``, with a lifetime of ``duration``. 
The default lifetime is configured in - ``named.conf`` via the ``nta-lifetime`` option, and defaults to one + :iscman:`named.conf` via the ``nta-lifetime`` option, and defaults to one hour. The lifetime cannot exceed one week. A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active - NTA (and above any other configured trust anchors), ``named`` + NTA (and above any other configured trust anchors), :iscman:`named` aborts the DNSSEC validation process and treats the data as insecure rather than bogus. This continues until the NTA's lifetime has elapsed. - NTAs persist across restarts of the ``named`` server. The NTAs for a + NTAs persist across restarts of the :iscman:`named` server. The NTAs for a view are saved in a file called ``name.nta``, where ``name`` is the name of the view; if it contains characters that are incompatible with use as a file name, a cryptographic hash is generated from the name of @@ -334,7 +370,7 @@ Currently supported commands are: of existing NTAs is printed. Note that this may include NTAs that are expired but have not yet been cleaned up. - Normally, ``named`` periodically tests to see whether data below + Normally, :iscman:`named` periodically tests to see whether data below an NTA can now be validated (see the ``nta-recheck`` option in the Administrator Reference Manual for details). If data can be validated, then the NTA is regarded as no longer necessary and is 
@@ -353,39 +389,62 @@ Currently supported commands are: view name that begins with a hyphen, use a double-hyphen (--) on the command line to indicate the end of options. -``querylog`` [(*on* | *off*)] +.. option:: querylog [(on | off)] + This command enables or disables query logging. For backward compatibility, this command can also be used without an argument to toggle query logging on and off. Query logging can also be enabled by explicitly directing the ``queries`` ``category`` to a ``channel`` in the ``logging`` section - of ``named.conf``, or by specifying ``querylog yes;`` in the - ``options`` section of ``named.conf``. + of :iscman:`named.conf`, or by specifying ``querylog yes;`` in the + ``options`` section of :iscman:`named.conf`. + +.. option:: reconfig -``reconfig`` This command reloads the configuration file and loads new zones, but does not reload existing zone files even if they have changed. This is faster than a - full ``reload`` when there is a large number of zones, because it + full :option:`rndc reload` when there is a large number of zones, because it avoids the need to examine the modification times of the zone files. -``recursing`` - This command dumps the list of queries ``named`` is currently recursing on, and the - list of domains to which iterative queries are currently being sent. - The second list includes the number of fetches currently active for - the given domain, and how many have been passed or dropped because of - the ``fetches-per-zone`` option. +.. option:: recursing + + This command dumps the list of queries :iscman:`named` is currently + recursing on, and the list of domains to which iterative queries + are currently being sent. + + The first list includes all unique clients that are waiting for + recursion to complete, including the query that is awaiting a + response and the timestamp (seconds since the Unix epoch) of + when named started processing this client query. 
+ + The second list comprises of domains for which there are active + (or recently active) fetches in progress. It reports the number + of active fetches for each domain and the number of queries that + have been passed (allowed) or dropped (spilled) as a result of + the ``fetches-per-zone`` limit. (Note: these counters are not + cumulative over time; whenever the number of active fetches for + a domain drops to zero, the counter for that domain is deleted, + and the next time a fetch is sent to that domain, it is recreated + with the counters set to zero). + +.. option:: refresh zone [class [view]] -``refresh`` *zone* [*class* [*view*]] This command schedules zone maintenance for the given zone. -``reload`` +.. option:: reload + This command reloads the configuration file and zones. -``reload`` *zone* [*class* [*view*]] - This command reloads the given zone. + .. program:: rndc reload + .. option:: zone [class [view]] + + If a zone is specified, this command reloads only the given zone. + +.. program:: rndc + +.. option:: retransfer zone [class [view]] -``retransfer`` *zone* [*class* [*view*]] This command retransfers the given secondary zone from the primary server. If the zone is configured to use ``inline-signing``, the signed @@ -393,12 +452,14 @@ Currently supported commands are: unsigned version is complete, the signed version is regenerated with new signatures. -``scan`` +.. option:: scan + This command scans the list of available network interfaces for changes, without - performing a full ``reconfig`` or waiting for the + performing a full :option:`rndc reconfig` or waiting for the ``interface-interval`` timer. -``secroots`` [**-**] [*view* ...] +.. option:: secroots [-] [view ...] + This command dumps the security roots (i.e., trust anchors configured via ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements [both deprecated], or ``dnssec-validation auto``) and negative trust anchors 
@@ -408,48 +469,48 @@ Currently supported commands are: yet been updated by a successful key refresh query). If the first argument is ``-``, then the output is returned via the - ``rndc`` response channel and printed to the standard output. + :program:`rndc` response channel and printed to the standard output. Otherwise, it is written to the secroots dump file, which defaults to ``named.secroots``, but can be overridden via the ``secroots-file`` - option in ``named.conf``. + option in :iscman:`named.conf`. - See also ``rndc managed-keys``. + See also :option:`rndc managed-keys`. -``serve-stale`` (**on** | **off** | **reset** | **status**) [*class* [*view*]] - This command enables, disables, resets, or reports the current status of the serving - of stale answers as configured in ``named.conf``. +.. option:: serve-stale (on | off | reset | status) [class [view]] - If serving of stale answers is disabled by ``rndc-serve-stale off``, - then it remains disabled even if ``named`` is reloaded or - reconfigured. ``rndc serve-stale reset`` restores the setting as - configured in ``named.conf``. + This command enables, disables, resets, or reports the current status of + the serving of stale answers as configured in :iscman:`named.conf`. - ``rndc serve-stale status`` reports whether serving of stale - answers is currently enabled, disabled by the configuration, or - disabled by ``rndc``. It also reports the values of + If serving of stale answers is disabled by ``rndc-serve-stale off``, then it + remains disabled even if :iscman:`named` is reloaded or reconfigured. ``rndc + serve-stale reset`` restores the setting as configured in :iscman:`named.conf`. + + ``rndc serve-stale status`` reports whether caching and serving of stale + answers is currently enabled or disabled. It also reports the values of ``stale-answer-ttl`` and ``max-stale-ttl``. -``showzone`` *zone* [*class* [*view*]] +.. 
option:: showzone zone [class [view]] + This command prints the configuration of a running zone. - See also ``rndc zonestatus``. + See also :option:`rndc zonestatus`. + +.. option:: sign zone [class [view]] -``sign`` *zone* [*class* [*view*]] This command fetches all DNSSEC keys for the given zone from the key directory (see the ``key-directory`` option in the BIND 9 Administrator Reference Manual). If they are within their publication period, they are merged into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re-signed with the new key set. - This command requires that the zone be configured with a ``dnssec-policy``, or - that the ``auto-dnssec`` zone option be set to ``allow`` or ``maintain``, - and also requires the zone to be configured to allow dynamic DNS. (See - "Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more - details.) + This command requires that the zone be configured with a ``dnssec-policy``, and + also requires the zone to be configured to allow dynamic DNS. (See "Dynamic + Update Policies" in the Administrator Reference Manual for more details.) + + See also :option:`rndc loadkeys`. - See also ``rndc loadkeys``. +.. option:: signing [(-list | -clear keyid/algorithm | -clear all | -nsec3param (parameters | none) | -serial value) zone [class [view]] -``signing`` [(**-list** | **-clear** *keyid/algorithm* | **-clear** *all* | **-nsec3param** ( *parameters* | none ) | **-serial** *value* ) *zone* [*class* [*view*]] This command lists, edits, or removes the DNSSEC signing-state records for the specified zone. The status of ongoing DNSSEC operations, such as signing or generating NSEC3 chains, is stored in the zone in the form 
@@ -476,15 +537,17 @@ Currently supported commands are: depending on whether the opt-out bit in the NSEC3 chain should be set. ``iterations`` defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The ``salt`` is a string - of data expressed in hexadecimal, a hyphen (`-') if no salt is to be - used, or the keyword ``auto``, which causes ``named`` to generate a + of data expressed in hexadecimal, a hyphen (``-``) if no salt is to be + used, or the keyword ``auto``, which causes :iscman:`named` to generate a random 64-bit salt. - So, for example, to create an NSEC3 chain using the SHA-1 hash - algorithm, no opt-out flag, 10 iterations, and a salt value of - "FFFF", use: ``rndc signing -nsec3param 1 0 10 FFFF zone``. To set - the opt-out flag, 15 iterations, and no salt, use: - ``rndc signing -nsec3param 1 1 15 - zone``. + The only recommended configuration is ``rndc signing -nsec3param 1 0 0 - zone``, + i.e. no salt, no additional iterations, no opt-out. + + .. warning:: + Do not use extra iterations, salt, or opt-out unless all their implications + are fully understood. A higher number of iterations causes interoperability + problems and opens servers to CPU-exhausting DoS attacks. ``rndc signing -nsec3param none`` removes an existing NSEC3 chain and replaces it with NSEC. 
@@ -494,31 +557,36 @@ Currently supported commands are: is rejected. The primary use of this parameter is to set the serial number on inline signed zones. -``stats`` +.. option:: stats + This command writes server statistics to the statistics file. (See the ``statistics-file`` option in the BIND 9 Administrator Reference Manual.) -``status`` +.. option:: status + This command displays the status of the server. Note that the number of zones includes the internal ``bind/CH`` zone and the default ``./IN`` hint zone, if there is no explicit root zone configured. -``stop`` **-p** +.. option:: stop -p + This command stops the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated - zones. If ``-p`` is specified, ``named(8)`'s process ID is returned. - This allows an external process to determine when ``named`` has + zones. If ``-p`` is specified, :iscman:`named`'s process ID is returned. + This allows an external process to determine when :iscman:`named` has completed stopping. - See also ``rndc halt``. + See also :option:`rndc halt`. + +.. option:: sync -clean [zone [class [view]]] -``sync`` **-clean** [*zone* [*class* [*view*]]] This command syncs changes in the journal file for a dynamic zone to the master file. If the "-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced. -``tcp-timeouts`` [*initial* *idle* *keepalive* *advertised*] +.. option:: tcp-timeouts [initial idle keepalive advertised] + When called without arguments, this command displays the current values of the ``tcp-initial-timeout``, ``tcp-idle-timeout``, ``tcp-keepalive-timeout``, and ``tcp-advertised-timeout`` options. 
@@ -527,7 +595,8 @@ Currently supported commands are: denial-of-service (DoS) attack. See the descriptions of these options in the BIND 9 Administrator Reference Manual for details of their use. -``thaw`` [*zone* [*class* [*view*]]] +.. option:: thaw [zone [class [view]]] + This command enables updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has 
@@ -537,33 +606,33 @@ Currently supported commands are: changes in the zone. Otherwise, if the zone has changed, any existing journal file is removed. - See also ``rndc freeze``. + See also :option:`rndc freeze`. + +.. option:: trace [level] -``trace`` - This command increments the server's debugging level by one. + If no level is specified, this command increments the server's debugging + level by one. -``trace`` *level* - This command sets the server's debugging level to an explicit value. + .. program:: rndc trace + .. option:: level - See also ``rndc notrace``. + If specified, this command sets the server's debugging level to the + provided value. -``tsig-delete`` *keyname* [*view*] - This command deletes a given TKEY-negotiated key from the server. This does not - apply to statically configured TSIG keys. + See also :option:`rndc notrace`. -``tsig-list`` - This command lists the names of all TSIG keys currently configured for use by - ``named`` in each view. The list includes both statically configured keys and - dynamic TKEY-negotiated keys. +.. program:: rndc + +.. option:: validation (on | off | status) [view ...] -``validation`` (**on** | **off** | **status**) [*view* ...]`` This command enables, disables, or checks the current status of DNSSEC validation. By default, validation is enabled. The cache is flushed when validation is turned on or off to avoid using data that might differ between states. -``zonestatus`` *zone* [*class* [*view*]] +.. option:: zonestatus zone [class [view]] + This command displays the current status of the given zone, including the master file name and any include files from which it was loaded, when it was most recently loaded, the current serial number, the number of nodes, 
@@ -571,10 +640,10 @@ Currently supported commands are: signed, whether it uses automatic DNSSEC key management or inline signing, and the scheduled refresh or expiry times for the zone. - See also ``rndc showzone``. + See also :option:`rndc showzone`. -``rndc`` commands that specify zone names, such as ``reload``, -``retransfer``, or ``zonestatus``, can be ambiguous when applied to zones +:program:`rndc` commands that specify zone names, such as :option:`reload` +:option:`retransfer`, or :option:`zonestatus`, can be ambiguous when applied to zones of type ``redirect``. Redirect zones are always called ``.``, and can be confused with zones of type ``hint`` or with secondary copies of the root zone. To specify a redirect zone, use the special zone name @@ -584,7 +653,7 @@ would specify a zone called "-redirect".) Limitations ~~~~~~~~~~~ -There is currently no way to provide the shared secret for a ``key_id`` +There is currently no way to provide the shared secret for a ``server_key`` without using the configuration file. Several error messages could be clearer. @@ -592,6 +661,6 @@ Several error messages could be clearer. See Also ~~~~~~~~ -:manpage:`rndc.conf(5)`, :manpage:`rndc-confgen(8)`, -:manpage:`named(8)`, :manpage:`named.conf(5)`, :manpage:`ndc(8)`, BIND 9 Administrator +:iscman:`rndc.conf(5) `, :iscman:`rndc-confgen(8) `, +:iscman:`named(8) `, :iscman:`named.conf(5) `, BIND 9 Administrator Reference Manual. diff --git a/bin/rndc/util.c b/bin/rndc/util.c index 70afa2bc09..23b7f3fd57 100644 --- a/bin/rndc/util.c +++ b/bin/rndc/util.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -17,7 +19,7 @@ #include #include -#include +#include extern bool verbose; extern const char *progname; 
@@ -43,5 +45,6 @@ fatal(const char *format, ...) {
 vfprintf(stderr, format, args);
 va_end(args);
 fprintf(stderr, "\n");
+ isc__tls_setfatalmode();
 exit(1);
 }
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
index 3426e70b7e..4ac83e5143 100644
--- a/bin/rndc/util.h
+++ b/bin/rndc/util.h
@@ -1,6 +1,8 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -9,15 +11,13 @@
 * information regarding copyright ownership.
 */
-#ifndef RNDC_UTIL_H
-#define RNDC_UTIL_H 1
+#pragma once
 /*! \file */
 #include
 #include
 #include
-#include
 #define NS_CONTROL_PORT 953
@@ -36,9 +36,7 @@ ISC_LANG_BEGINDECLS
 void
 notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-ISC_NORETURN void
+noreturn void
 fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 ISC_LANG_ENDDECLS
-
-#endif /* RNDC_UTIL_H */
diff --git a/bin/tests/Makefile.am b/bin/tests/Makefile.am
index 5366cc4496..56e81b118a 100644
--- a/bin/tests/Makefile.am
+++ b/bin/tests/Makefile.am
@@ -1,5 +1,7 @@
 include $(top_srcdir)/Makefile.top
+EXTRA_DIST = convert-trs-to-junit.py
+
 SUBDIRS = system
 noinst_PROGRAMS = \
@@ -7,6 +9,9 @@ noinst_PROGRAMS = \
 test_server \
 wire_test
+AM_CFLAGS += \
+ $(TEST_CFLAGS)
+
 test_client_CPPFLAGS = \
 $(AM_CPPFLAGS) \
 $(LIBISC_CFLAGS)
@@ -31,5 +36,3 @@ wire_test_CPPFLAGS = \
 wire_test_LDADD = \
 $(LIBISC_LIBS) \
 $(LIBDNS_LIBS)
-
-EXTRA_DIST = prepare-softhsm2.sh
diff --git a/bin/tests/convert-trs-to-junit.py b/bin/tests/convert-trs-to-junit.py
new file mode 100755
index 0000000000..85b37dd629
--- /dev/null
+++ b/bin/tests/convert-trs-to-junit.py
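Review bot: The new `isc__tls_setfatalmode();` call in fatal() carries no comment saying why rndc's error path must change libisc's TLS state before `exit(1)`, and the double-underscore prefix is the convention libisc uses for library-internal symbols, so an application binary calling it deserves a sentence of justification or a public-named wrapper. A one-line comment such as `/* Put libisc TLS into fatal mode before the abnormal exit(1). */` would at least record the intent, assuming the function does what its name suggests. The declaration presumably comes from the `#include` changed in the previous hunk, whose header name was lost in rendering, so I cannot confirm it is declared here. fatal()'s body begins outside this hunk.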
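Review bot: `noreturn void` on the fatal() declaration relies on the C11 `noreturn` macro from `<stdnoreturn.h>` (or the `_Noreturn` keyword), while the same file's earlier hunk removes one `#include` whose name was lost in rendering; please confirm that the header supplying `noreturn` is still included directly rather than reached transitively, since `ISC_NORETURN` presumably carried that dependency inside libisc's headers. If the whole tree now assumes C11, an explicit `#include <stdnoreturn.h>` in this header keeps the dependency visible to readers of util.h alone.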
@@ -0,0 +1,148 @@ +#!/usr/bin/env python +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# Convert automake .trs files into JUnit format suitable for Gitlab + +import argparse +import os +import sys +from xml.etree import ElementTree +from xml.etree.ElementTree import Element +from xml.etree.ElementTree import SubElement + + +# getting explicit encoding specification right for Python 2/3 would be messy, +# so let's hope for the best +def read_whole_text(filename): + with open(filename) as inf: # pylint: disable-msg=unspecified-encoding + return inf.read().strip() + + +def read_trs_result(filename): + result = None + with open(filename, "r") as trs: # pylint: disable-msg=unspecified-encoding + for line in trs: + items = line.split() + if len(items) < 2: + raise ValueError("unsupported line in trs file", filename, line) + if items[0] != (":test-result:"): + continue + if result is not None: + raise NotImplementedError("double :test-result:", filename) + result = items[1].upper() + + if result is None: + raise ValueError(":test-result: not found", filename) + + return result + + +def find_test_relative_path(source_dir, in_path): + """Return {in_path}.c if it exists, with fallback to {in_path}""" + candidates_relative = [in_path + ".c", in_path] + for relative in candidates_relative: + absolute = os.path.join(source_dir, relative) + if os.path.exists(absolute): + return relative + raise KeyError + + +def err_out(exception): + raise exception + + +def walk_trss(source_dir): + for cur_dir, _dirs, files in os.walk(source_dir, onerror=err_out): + for filename in files: + if not filename.endswith(".trs"): + continue + + filename_prefix = filename[: -len(".trs")] + log_name = filename_prefix + ".log" + full_trs_path = os.path.join(cur_dir, filename) + full_log_path = os.path.join(cur_dir, log_name) + sub_dir = os.path.relpath(cur_dir, source_dir) + test_name = os.path.join(sub_dir, filename_prefix) + + t = { + "name": 
test_name, + "full_log_path": full_log_path, + "rel_log_path": os.path.relpath(full_log_path, source_dir), + } + t["result"] = read_trs_result(full_trs_path) + + # try to find dir/file path for a clickable link + try: + t["rel_file_path"] = find_test_relative_path(source_dir, test_name) + except KeyError: + pass # no existing path found + + yield t + + +def append_testcase(testsuite, t): + # attributes taken from + # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/lib/gitlab/ci/parsers/test/junit.rb + attrs = {"name": t["name"]} + if "rel_file_path" in t: + attrs["file"] = t["rel_file_path"] + + testcase = SubElement(testsuite, "testcase", attrs) + + # Gitlab accepts only [[ATTACHMENT| links for system-out, not raw text + s = SubElement(testcase, "system-out") + s.text = "[[ATTACHMENT|" + t["rel_log_path"] + "]]" + if t["result"].lower() == "pass": + return + + # Gitlab shows output only for failed or skipped tests + if t["result"].lower() == "skip": + err = SubElement(testcase, "skipped") + else: + err = SubElement(testcase, "failure") + err.text = read_whole_text(t["full_log_path"]) + + +def gen_junit(results): + testsuites = Element("testsuites") + testsuite = SubElement(testsuites, "testsuite") + for test in results: + append_testcase(testsuite, test) + return testsuites + + +def check_directory(path): + try: + os.listdir(path) + return path + except OSError as ex: + msg = "Path {} cannot be listed as a directory: {}".format(path, ex) + raise argparse.ArgumentTypeError(msg) + + +def main(): + parser = argparse.ArgumentParser( + description="Recursively search for .trs + .log files and compile " + "them into JUnit XML suitable for Gitlab. Paths in the " + "XML are relative to the specified top directory." 
+ ) + parser.add_argument( + "top_directory", + type=check_directory, + help="root directory where to start scanning for .trs files", + ) + args = parser.parse_args() + junit = gen_junit(walk_trss(args.top_directory)) + + # encode results into file format, on Python 3 it produces bytes + xml = ElementTree.tostring(junit, "utf-8") + # use stdout as a binary file object, Python2/3 compatibility + output = getattr(sys.stdout, "buffer", sys.stdout) + output.write(xml) + + +if __name__ == "__main__": + main() diff --git a/bin/tests/named.conf b/bin/tests/named.conf deleted file mode 100644 index 6a5f6543ff..0000000000 --- a/bin/tests/named.conf +++ /dev/null 
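Review bot: `read_whole_text()` opens each `.log` with the platform default encoding and no error handler, so a single undecodable byte in a failing test's output raises `UnicodeDecodeError` on Python 3 and aborts the whole conversion, losing the JUnit report exactly when a test has failed; the comment above it already admits this is hoped for rather than handled. `with io.open(filename, encoding="utf-8", errors="replace") as inf:` (plus `import io`) works on both interpreter versions the script otherwise accommodates. Separately, `ElementTree.tostring()` escapes `&`, `<` and `>` but does not drop control characters, so terminal escape sequences in a log would be written raw into the `<failure>` text and may leave GitLab unable to parse the XML; stripping characters outside the XML 1.0 set before assigning `err.text` is worth a follow-up. `read_trs_result()` also raises `ValueError` for any line with fewer than two tokens, which a trailing blank line in a `.trs` file would trigger.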
@@ -1,609 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * This is a worthless, nonrunnable example of a named.conf file that has - * every conceivable syntax element in use. We use it to test the parser. - * It could also be used as a conceptual template for users of new features. - */ - -/* - * C-style comments are OK - */ - -// So are C++-style comments - -# So are shell-style comments - -// watch out for ";" -- it's important! - -options { - version "my version string"; - random-device "/dev/random"; - directory "/tmp"; - - port 666; - - sig-validity-interval 33; - -# Obsolete - named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER - - dump-file "named_dump.db"; // _PATH_DUMPFILE - pid-file "/var/run/named.pid"; // _PATH_PIDFILE - statistics-file "named.stats"; // _PATH_STATS - memstatistics-file "named.memstats"; // _PATH_MEMSTATS - - max-cache-ttl 999; - min-cache-ttl 66; - auth-nxdomain yes; // always set AA on NXDOMAIN. - // don't set this to 'no' unless - // you know what you're doing -- older - // servers won't like it. - -# Obsolete - deallocate-on-exit no; - - dialup yes; - -# Obsolete - fake-iquery no; - - fetch-glue yes; - has-old-clients yes; - host-statistics no; - -# Obsolete - multiple-cnames no; // if yes, then a name my have more - // than one CNAME RR. This use - // is non-standard and is not - // recommended, but it is available - // because previous releases supported - // it and it was used by large sites - // for load balancing. - - notify yes; // send NOTIFY messages. 
You can set - // notify on a zone-by-zone - // basis in the "zone" statement - // see (below) - recursion yes; - rfc2308-type1 no; - -# Obsolete - use-id-pool yes; - -# Obsolete - treat-cr-as-space yes; - - also-notify { 10.0.2.3; }; - - // The "forward" option is only meaningful if you've defined - // forwarders. "first" gives the normal BIND - // forwarding behavior, i.e. ask the forwarders first, and if that - // doesn't work then do the full lookup. You can also say - // "forward only;" which is what used to be specified with - // "slave" or "options forward-only". "only" will never attempt - // a full lookup; only the forwarders will be used. - forward first; - forwarders { - 1.2.3.4; - 5.6.7.8; - }; - - check-names master fail; - check-names slave warn; - check-names response ignore; - - allow-query { any; }; - allow-transfer { any; }; - allow-recursion { !any; }; - blackhole { 45/24; }; - keep-response-order { 46/24; }; - - listen-on { - 10/24; - 10.0.0.3; - }; - - listen-on port 53 { any; }; - - listen-on { 5.6.7.8; }; - - listen-on port 1234 { - !1.2.3.4; - 1.2.3/24; - }; - - listen-on-v6 { - 1:1:1:1:1:1:1:1; - }; - - listen-on-v6 port 777 { - 2:2:2:2:2:2:2:2; - }; - - query-source-v6 address 8:7:6:5:4:3:2:1 port *; - query-source port * address 10.0.0.54 ; - - lame-ttl 444; - - max-transfer-time-in 300; - max-transfer-time-out 10; - max-transfer-idle-in 100; - max-transfer-idle-out 11; - - max-retry-time 1234; - min-retry-time 1111; - max-refresh-time 888; - min-refresh-time 777; - - max-ncache-ttl 333; - min-ncache-ttl 22; - min-roots 15; - serial-queries 34; - - transfer-format one-answer; - - transfers-in 10; - transfers-per-ns 2; - transfers-out 0; - - transfer-source 10.0.0.5; - transfer-source-v6 4:3:2:1:5:6:7:8; - - request-ixfr yes; - provide-ixfr yes; - -# Now called 'provide-ixfr' -# maintain-ixfr-base no; // If yes, keep transaction log file for IXFR - - max-ixfr-log-size 20m; - coresize 100; - datasize 101; - files 230; - max-cache-size 1m; - 
stacksize 231; - heartbeat-interval 1001; - interface-interval 1002; - statistics-interval 1003; - - topology { - 10/8; - - !1.2.3/24; - - { 1.2/16; 3/8; }; - - - }; - - sortlist { 10/8; 11/8; }; - - tkey-domain "foo.com"; - tkey-dhkey "xyz" 666 ; - - rrset-order { - class IN type A name "foo" order random; - order cyclic; - }; -}; - -/* - * Control listeners, for "ndc". Every nameserver needs at least one. - */ -controls { - // 'inet' lines without a 'port' defaults to 'port 953' - // 'keys' must be used and the list must have at least one entry - inet * port 52 allow { any; } keys { "key2"; }; - unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named. - inet 10.0.0.1 allow { any; key foo; } keys { "key4";}; - inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; }; - inet 10.0.0.2 allow { none; }; -}; - -zone "master.demo.zone" { - type master; // what used to be called "primary" - database "somedb -option1 -option2 arg1 arg2 arg3"; - file "master.demo.zone"; - check-names fail; - allow-update { none; }; - allow-update-forwarding { 10.0.0.5; !any; }; - allow-transfer { any; }; - allow-query { any; }; - sig-validity-interval 990; - notify explicit; - also-notify { 1.0.0.1; }; // don't notify any nameservers other - // than those on the NS list for this - // zone - forward first; - forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; }; -}; - -zone "slave.demo.zone" { - type slave; // what used to be called "secondary" - file "slave.demo.zone"; - ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file - masters { - 1.2.3.4 port 10 key "foo"; // where to zone transfer from - 5.6.7.8; - 6.7.8.9 key "zippo"; - }; - transfer-source 10.0.0.53; // fixes multihoming problems - check-names warn; - allow-update { none; }; - allow-transfer { any; }; - allow-update-forwarding { any; }; - allow-query { any; }; - max-transfer-time-in 120; // if not set, global option is used. - max-transfer-time-out 1; // if not set, global option is used. 
- max-transfer-idle-in 2; // if not set, global option is used. - max-transfer-idle-out 3; // if not set, global option is used. - also-notify { 1.0.0.2; }; - forward only; - forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; }; -}; - -key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; }; - -view "test-view" in { - key "viewkey" { algorithm "xxx" ; secret "eXl5" ; }; - also-notify { 10.2.2.3; }; - managed-keys { - foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz"; - }; - sig-validity-interval 45; - max-cache-size 100000; - allow-query { 10.0.0.30;}; - match-clients { 10.0.0.1 ; }; - check-names master warn; - check-names slave ignore; - check-names response fail; - auth-nxdomain false; - recursion true; - provide-ixfr false; - request-ixfr true; - fetch-glue true; - notify false; - rfc2308-type1 false; - transfer-source 10.0.0.55; - transfer-source-v6 4:3:8:1:5:6:7:8; - query-source port * address 10.0.0.54 ; - query-source-v6 address 6:6:6:6:6:6:6:6 port *; - max-transfer-time-out 45; - max-transfer-idle-out 55; - min-roots 3; - lame-ttl 477; - max-ncache-ttl 333; - max-cache-ttl 777; - transfer-format many-answers; - max-retry-time 7; - min-retry-time 4; - max-refresh-time 999; - min-refresh-time 111; - - zone "view-zone.com" { - type master; - allow-update-forwarding { 10.0.0.34;}; - file "view-zone-master"; - }; - - server 5.6.7.8 { - keys "viewkey"; - }; - - server 10.9.8.7 { - keys "non-viewkey"; - }; - dialup yes; -}; - - -zone "stub.demo.zone" { - type stub; // stub zones are like slave zones, - // except that only the NS records - // are transferred. - dialup yes; - file "stub.demo.zone"; - masters { - 1.2.3.4 ; // where to zone transfer from - 5.6.7.8 port 999; - }; - check-names warn; - allow-update { none; }; - allow-transfer { any; }; - allow-query { any; }; - - max-retry-time 10; - min-retry-time 11; - max-refresh-time 12; - min-refresh-time 13; - - max-transfer-time-in 120; // if not set, global option is used. 
- pubkey 257 255 1 "a useless key"; - pubkey 257 255 1 "another useless key"; -}; - -zone "." { - type hint; // used to be specified w/ "cache" - file "cache.db"; -// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; -}; - -managed-keys { - "." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; -}; - - -acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0 - // is disallowed; rest are OK -acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed - // by can_query are OK - -zone "disabled-zone.com" { - type master; - file "bar"; - - max-retry-time 100; - min-retry-time 110; - max-refresh-time 120; - min-refresh-time 130; -}; - -zone "non-default-acl.demo.zone" { - type master; - file "foo"; - allow-query { can_query; }; - allow-transfer { can_axfr; }; - allow-update { - 1.2.3.4; - 5.6.7.8; - }; - pubkey 666 665 664 "key of the beast"; - // Errors trapped by parser: - // identity or name not absolute - // 'wildcard' match type and no wildcard character in name - // - // issues: - // - certain rdatatype values (such as "key") are config file keywords and - // must be quoted or a syntax error will occur. - // - - update-policy { - grant root.domain. subdomain host.domain. A MX CNAME; - grant sub.root.domain. wildcard *.host.domain. A; - grant root.domain. name host.domain. a ns md mf cname soa mb mg - mr "null" wks ptr hinfo minfo mx txt rp afsdb x25 - isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx - cert a6 dname opt unspec uri tkey tsig ; - grant foo.bar.com. self foo.bar.com. 
a; - }; -}; - -key sample_key { // for TSIG; supported by parser - algorithm hmac-md5; // but not yet implemented in the - secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server -}; - -key key2 { - algorithm hmac-md5; - secret "ZXJlaCB0ZXJjZXMgcm91eQ=="; -}; - -acl key_acl { key sample_key; }; // a request signed with sample_key - -server 1.2.3.4 { - request-ixfr no; - provide-ixfr no; - bogus no; // if yes, we won't query or listen - // to this server - transfer-format one-answer; // set transfer format for this - // server (see the description of - // 'transfer-format' above) - // if not specified, the global option - // will be used - transfers 0; // not implemented - keys { "sample_key" }; // for TSIG; supported by the parser - // but not yet implemented in the - // rest of the server -}; - -logging { - /* - * All log output goes to one or more "channels"; you can make as - * many of them as you want. - */ - - channel syslog_errors { // this channel will send errors or - syslog user; // or worse to syslog (user facility) - severity error; - }; - - channel stderr_errors { - stderr; - }; - - /* - * Channels have a severity level. Messages at severity levels - * greater than or equal to the channel's level will be logged on - * the channel. In order of decreasing severity, the levels are: - * - * critical a fatal error - * error - * warning - * notice a normal, but significant event - * info an informational message - * debug 1 the least detailed debugging info - * ... - * debug 99 the most detailed debugging info - */ - - /* - * Here are the built-in channels: - * - * channel default_syslog { - * syslog daemon; - * severity info; - * }; - * - * channel default_debug { - * file "named.run"; // note: stderr is used instead - * // of "named.run" if the server - * // is started with the "-f" - * // option. 
- * severity dynamic; // this means log debugging - * // at whatever debugging level - * // the server is at, and don't - * // log anything if not - * // debugging. - * }; - * - * channel null { // this is the bit bucket; - * file "/dev/null"; // any logging to this channel - * // is discarded. - * }; - * - * channel default_stderr { // writes to stderr - * file ""; // this is illustrative only; - * // there's currently no way - * // of saying "stderr" in the - * // configuration language. - * // i.e. don't try this at home. - * severity info; - * }; - * - * default_stderr only works before the server daemonizes (i.e. - * during initial startup) or when it is running in foreground - * mode (-f command line option). - */ - - /* - * There are many categories, so you can send the logs - * you want to see wherever you want, without seeing logs you - * don't want. Right now the categories are - * - * default the catch-all. many things still - * aren't classified into categories, and - * they all end up here. also, if you - * don't specify any channels for a - * category, the default category is used - * instead. - * config high-level configuration file - * processing - * parser low-level configuration file processing - * queries what used to be called "query logging" - * lame-servers messages like "Lame server on ..." 
- * statistics - * panic if the server has to shut itself - * down due to an internal problem, it - * logs the problem here (as well as - * in the problem's native category) - * update dynamic update - * ncache negative caching - * xfer-in zone transfers we're receiving - * xfer-out zone transfers we're sending - * db all database operations - * eventlib debugging info from the event system - * (see below) - * packet dumps of packets received and sent - * (see below) - * notify the NOTIFY protocol - * cname messages like "XX points to a CNAME" - * security approved/unapproved requests - * os operating system problems - * insist consistency check failures - * maintenance periodic maintenance - * load zone loading - * response-checks messages like - * "Malformed response ..." - * "wrong ans. name ..." - * "unrelated additional info ..." - * "invalid RR type ..." - * "bad referral ..." - */ - - category parser { - syslog_errors; // you can log to as many channels - default_syslog; // as you want - }; - - category lame-servers { null; }; // don't log these at all - - channel moderate_debug { - file "foo"; // foo - severity debug 3; // level 3 debugging to file - print-time yes; // timestamp log entries - print-category yes; // print category name - print-severity yes; // print severity level - /* - * Note that debugging must have been turned on either - * on the command line or with a signal to get debugging - * output (non-debugging output will still be written to - * this channel). - */ - }; - - channel another { - file "bar" versions 99 size 10M; - severity info; - }; - - channel third { - file "bar" size 100000 versions unlimited; - severity debug; // use default debug level - }; - - /* - * If you don't want to see "zone XXXX loaded" messages but do - * want to see any problems, you could do the following. 
- */ - channel no_info_messages { - syslog; - severity notice; - }; - - category load { no_info_messages; }; - - /* - * You can also define category "default"; it gets used when no - * "category" statement has been given for a category. - */ - category default { - default_syslog; - moderate_debug; - }; - - /* - * If you don't define category default yourself, the default - * default category will be used. It is - * - * category default { default_syslog; default_debug; }; - */ - - /* - * If you don't define category panic yourself, the default - * panic category will be used. It is - * - * category panic { default_syslog; default_stderr; }; - */ - - /* - * Two categories, 'packet' and 'eventlib', are special. Only one - * channel may be assigned to each of them, and it must be a - * file channel. If you don't define them yourself, they default to - * - * category eventlib { default_debug; }; - * - * category packet { default_debug; }; - */ -}; - -#include "filename"; // can't do within a statement - diff --git a/bin/tests/prepare-softhsm2.sh b/bin/tests/prepare-softhsm2.sh deleted file mode 100755 index acd70bfe90..0000000000 --- a/bin/tests/prepare-softhsm2.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then - SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF") - mkdir -p "${SOFTHSM2_DIR}/tokens" - echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}" - echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}" - echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}" - softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -fi -exit 0 diff --git a/bin/tests/startperf/README b/bin/tests/startperf/README index 0b8185b9b2..2f0afa7198 100644 --- a/bin/tests/startperf/README +++ b/bin/tests/startperf/README @@ -1,3 +1,16 @@ + + These scripts generate a named.conf file with an arbitrary number of small zones, for testing startup performance. diff --git a/bin/tests/startperf/clean.sh b/bin/tests/startperf/clean.sh index be41ffc755..5f7e51a57a 100644 --- a/bin/tests/startperf/clean.sh +++ b/bin/tests/startperf/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
diff --git a/bin/tests/startperf/makenames.pl b/bin/tests/startperf/makenames.pl index 47f9b998f9..ba2c5a82c8 100644 --- a/bin/tests/startperf/makenames.pl +++ b/bin/tests/startperf/makenames.pl @@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -17,7 +19,7 @@ my @chars = split("", "abcdefghijklmnopqrstuvwxyz123456789"); -srand; +srand; for (my $i = 0; $i < @ARGV[0]; $i++) { my $name = ""; for (my $j = 0; $j < $len; $j++) { diff --git a/bin/tests/startperf/mkzonefile.pl b/bin/tests/startperf/mkzonefile.pl index ba4d220fe6..f8965a0433 100644 --- a/bin/tests/startperf/mkzonefile.pl +++ b/bin/tests/startperf/mkzonefile.pl @@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -29,7 +31,7 @@ NS ns ns A 10.53.0.3\n"; -srand; +srand; for (my $i = 0; $i < $nrecords; $i++) { my $name = ""; for (my $j = 0; $j < 8; $j++) { diff --git a/bin/tests/startperf/setup.sh b/bin/tests/startperf/setup.sh index ff93d7942d..66821386d7 100644 --- a/bin/tests/startperf/setup.sh +++ b/bin/tests/startperf/setup.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -71,10 +73,10 @@ EOF $PERL makenames.pl $nzones | while read zonename; do if [ $single_file ]; then - echo "zone $zonename { type master; file \"smallzone.db\"; };" + echo "zone $zonename { type primary; file \"smallzone.db\"; };" else [ -d zones ] || mkdir zones $PERL mkzonefile.pl $zonename $nrecords > zones/$zonename.db - echo "zone $zonename { type master; file \"zones/$zonename.db\"; };" + echo "zone $zonename { type primary; file \"zones/$zonename.db\"; };" fi done diff --git a/bin/tests/startperf/smallzone.db b/bin/tests/startperf/smallzone.db index 20a3b9d4c8..3a26acd578 100644 --- a/bin/tests/startperf/smallzone.db +++ b/bin/tests/startperf/smallzone.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/.gitignore b/bin/tests/system/.gitignore index 525e889ba6..e2daf1cef5 100644 --- a/bin/tests/system/.gitignore +++ b/bin/tests/system/.gitignore @@ -1,4 +1,6 @@ .cache +.hypothesis +.mypy_cache __pycache__ dig.out* rndc.out* 
@@ -7,16 +9,20 @@ named.lock named.pid named.run /feature-test -/test.output.* /makejournal -/systests.output /random.data -parallel.mk /*.log /*.trs /resolve -/run.sh +/legacy.run.sh /run.log /start.sh /stop.sh /ifconfig.sh + +# Ignore file names with underscore in their name except python or shell files. +# This is done to ignore the temporary directories and symlinks created by the +# pytest runner, which contain underscore in their file names. +/*_* +!/*_*.py +!/*_*.sh diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 4ef54205a1..44282372de 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -11,27 +11,36 @@ dist-hook: SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver +if DNSRPS +SUBDIRS += rpz/testlib +endif + AM_CPPFLAGS += \ - $(LIBISC_CFLAGS) + $(LIBISC_CFLAGS) \ + $(LIBDNS_CFLAGS) -LDADD = \ - $(LIBISC_LIBS) +LDADD += \ + $(LIBISC_LIBS) \ + $(LIBDNS_LIBS) if HAVE_PERL -check_PROGRAMS = \ +noinst_PROGRAMS = \ feature-test \ makejournal \ pipelined/pipequeries \ - resolve \ rndc/gencheck \ - rpz/dnsrps \ - tkey/keycreate \ - tkey/keydelete + rpz/dnsrps feature_test_CPPFLAGS = \ $(AM_CPPFLAGS) \ - $(LIBDNS_CFLAGS) + $(LIBDNS_CFLAGS) \ + $(OPENSSL_CFLAGS) + +feature_test_LDADD = \ + $(LDADD) \ + $(LIBDNS_LIBS) \ + $(OPENSSL_LIBS) makejournal_CPPFLAGS = \ $(AM_CPPFLAGS) \ 
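Review bot: The new `/*_*` pattern ignores every top-level entry whose name contains an underscore, and the two negations only rescue `.py` and `.sh` files, so a new `.pl`, `.c`, `.conf` or similar file with an underscore in its name would silently never appear in `git status` and could be left out of a commit. If the pytest runner's scratch directories are the main target, `/*_*/` would limit the rule to directories and make the file-type exceptions unnecessary; the comment also mentions symlinks, which a directory-only pattern would not cover, so it may be worth naming the runner's actual prefix or suffix instead of matching any underscore.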
@@ -49,29 +58,15 @@ pipelined_pipequeries_LDADD = \ $(LDADD) \ $(LIBDNS_LIBS) -resolve_CPPFLAGS = \ +rpz_dnsrps_CPPFLAGS = \ $(AM_CPPFLAGS) \ - $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) \ - $(LIBIRS_CFLAGS) - -resolve_LDADD = $(LIBISC_LIBS) $(LIBIRS_LIBS) $(LIBDNS_LIBS) - -tkey_keycreate_CPPFLAGS = \ - $(AM_CPPFLAGS) \ - $(LIBDNS_CFLAGS) - -tkey_keycreate_LDADD = \ - $(LDADD) \ - $(LIBDNS_LIBS) - -tkey_keydelete_CPPFLAGS = \ - $(AM_CPPFLAGS) \ - $(LIBDNS_CFLAGS) + -DLIBRPZ_LIB_OPEN=\"$(abs_builddir)/rpz/testlib/.libs/libdummyrpz.so\" -tkey_keydelete_LDADD = \ +rpz_dnsrps_LDADD = \ $(LDADD) \ - $(LIBDNS_LIBS) + $(LIBDNS_LIBS) \ + $(DLOPEN_LIBS) TESTS = @@ -84,6 +79,11 @@ TESTS += \ rpzrecurse endif HAVE_PERLMOD_NET_DNS +if HAVE_LIBNGHTTP2 +TESTS += \ + doth +endif + TESTS += \ acl \ additional \ @@ -99,19 +99,17 @@ TESTS += \ checkconf \ checknames \ checkzone \ - cpu \ database \ - dlz \ + dialup \ dlzexternal \ dns64 \ - doth \ - dscp \ dsdigest \ dyndb \ ecdsa \ eddsa \ ednscompliance \ emptyzones \ + enginepkcs11 \ filter-aaaa \ formerr \ geoip2 \ @@ -121,8 +119,10 @@ TESTS += \ inline \ integrity \ hooks \ + host \ journal \ keepalive \ + keyfromlabel \ legacy \ limits \ logfileconfig \ @@ -153,8 +153,8 @@ TESTS += \ staticstub \ stub \ synthfromdnssec \ - tkey \ tools \ + transport-acl \ tsig \ tsiggss \ ttl \ @@ -165,12 +165,6 @@ TESTS += \ xferquota \ zonechecks -# The "stress" test is not run by default since it creates enough -# load on the machine to make it unusable to other users. -# The "dialup", "delzone", and "dupsigs" tests are also not run by -# default because they take a very long time to complete. -# TESTS += delzone dialup dupsigs stress - if HAVE_LMDB TESTS += nzd2nzf endif # HAVE_LMDB @@ -178,13 +172,12 @@ endif # HAVE_LMDB if HAVE_PERLMOD_NET_DNS TESTS += \ - digdelv \ fetchlimit \ - forward \ ixfr \ nsupdate \ resolver \ statistics \ + stress \ upforwd \ zero 
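Review bot: The hunk at `-165` deletes the only explanation of why `stress`, `dialup`, `delzone` and `dupsigs` were excluded from the default run (machine load, very long runtime), while the hunks at `-99` and `-178` add `dialup` and `stress` to the default `TESTS` lists without saying what changed to make that acceptable; a one-line comment stating the reason they are now safe to run by default would preserve that rationale. I cannot tell from the diff whether `delzone` and `dupsigs` remain excluded, so if they do, the comment should say that too. In the `rpz_dnsrps_CPPFLAGS` hunk, `-DLIBRPZ_LIB_OPEN=\"$(abs_builddir)/rpz/testlib/.libs/libdummyrpz.so\"` bakes libtool's `.libs/` layout and the absolute build directory into the test binary, which deserves a comment stating that `rpz/dnsrps` is only meant to run from the build tree.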
@@ -207,30 +200,24 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER endif HAVE_PERLMOD_NET_DNS if HAVE_PYTHON -TESTS += kasp keymgr2kasp tcp pipelined +TESTS += kasp multisigner tcp pipelined -if HAVE_PYMOD_DNS -TESTS += qmin cookie timeouts +if HAVE_PYTEST +TESTS += checkds dispatch rpzextra shutdown timeouts +endif +if HAVE_PYMOD_DNS +TESTS += qmin cookie if HAVE_PERLMOD_NET_DNS -TESTS += dnssec +TESTS += digdelv dnssec forward if HAVE_PERLMOD_NET_DNS_NAMESERVER TESTS += chain endif HAVE_PERLMOD_NET_DNS_NAMESERVER endif HAVE_PERLMOD_NET_DNS - -if HAVE_PYTEST -TESTS += rpzextra shutdown -endif - endif HAVE_PYMOD_DNS endif HAVE_PYTHON -if HAVE_PKCS11 -TESTS += pkcs11 -endif - else !HAVE_PERL check: echo Perl is not available, no tests were ran @@ -245,9 +232,12 @@ LOG_DRIVER_V_1 = --verbose yes LOG_DRIVER = $(srcdir)/custom-test-driver AM_LOG_DRIVER_FLAGS = $(LOG_DRIVER_V) -LOG_COMPILER = $(builddir)/run.sh +LOG_COMPILER = $(builddir)/legacy.run.sh AM_LOG_FLAGS = -r -$(TESTS): run.sh +$(TESTS): legacy.run.sh test-local: check + +clean-local:: + -find $(builddir) -maxdepth 1 -type d -name "*_*" | xargs rm -rf diff --git a/bin/tests/system/README b/bin/tests/system/README index c0970ebd32..6c5bae15c1 100644 --- a/bin/tests/system/README +++ b/bin/tests/system/README @@ -1,6 +1,13 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC") -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. Introduction === 
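Review bot: The new `clean-local` rule pipes `find` into `xargs rm -rf` without `-print0`/`-0`, so a directory name containing whitespace would be split into several `rm` arguments; `-find $(builddir) -maxdepth 1 -type d -name "*_*" -exec rm -rf {} +` avoids that. More importantly, in an in-tree build `$(builddir)` is the source directory, so `make clean` would remove any checked-in directory whose name contains an underscore; that appears to be none today, but the rule should record the assumption, e.g. `# the pytest runner's scratch directories contain '_'; no source directory here does`, or match the runner's naming more precisely.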
@@ -60,18 +67,58 @@ then run ... as root. -Running the System Tests +Running the System Tests with pytest === +The pytest system test runner is currently in development, but it is the +recommended way to run tests. Please report issues to QA. + +Running an Individual Test +--- + +pytest -k + +Note that in comparison to the legacy test runner, some additional tests might +be picked up when specifying just the system test directory name. To check +which tests will be executed, you can use the `--collect-only` option. You +might also be able to find a more specific test name to provide to ensure only +your desired test is executed. See help for `-k` option in `pytest --help` for +more info. + +It is also possible to run a single individual pytest test case. For example, +you can use the name test_sslyze_dot to execute just the test_sslyze_dot() +function from doth/tests_sslyze.py. The entire needed setup and teardown will +be handled by the framework. + +Running All the System Tests +--- + +Issuing plain `pytest` command without any argument will execute all tests +sequenatially. To execute them in parallel, ensure you have pytest-xdist +installed and run: + +pytest -n + + +Running the System Tests Using the Legacy Runner +=== + +!!! WARNING !!! +--- +The legacy way to run system tests is currently being reworked into a pytest +system test runner described in the previous section. The contents of this +section might be out of date and no longer applicable. Please try and use the +pytest runner if possible and report issues and missing features. + Running an Individual Test --- The tests can be run individually using the following command: - sh run.sh [flags] [] + sh legacy.run.sh [flags] [] e.g. - sh run.sh [flags] notify + sh legacy.run.sh [flags] notify Optional flags are: 
@@ -110,13 +157,7 @@ Running All The System Tests --- To run all the system tests, enter the command: - sh runall.sh [-c] [-n] [numproc] - -The optional flag "-c" forces colored output (by default system test output is -not printed in color due to run.sh being piped through "tee"). - -The optional flag "-n" has the same effect as it does for "run.sh" - it causes -the retention of all output files from all tests. + make [-j numproc] test The optional "numproc" argument specifies the maximum number of tests that can run in parallel. The default is 1, which means that all of the tests run @@ -125,16 +166,7 @@ new tests being started as tests finish. Each test will get a unique set of ports, so there is no danger of tests interfering with one another. Parallel running will reduce the total time taken to run the BIND system tests, but will mean that the output from all the tests sent to the screen will be mixed up -with one another. However, the systests.output file produced at the end of the -run (in the bin/tests/system directory) will contain the output from each test -in sequential order. - -Note that it is not possible to pass arguments to tests though the "runall.sh" -script. - -A run of all the system tests can also be initiated via make: - - make [-j numproc] test +with one another. In this case, retention of the output files after a test completes successfully is specified by setting the environment variable SYSTEMTEST_NO_CLEAN to 1 prior 
@@ -146,38 +178,6 @@ while setting environment variable SYSTEMTEST_FORCE_COLOR to 1 forces system test output to be printed in color. -Running Multiple System Test Suites Simultaneously ---- -In some cases it may be desirable to have multiple instances of the system test -suite running simultaneously (e.g. from different terminal windows). To do -this: - -1. Each installation must have its own directory tree. The system tests create -files in the test directories, so separate directory trees are required to -avoid interference between the same test running in the different -installations. - -2. For one of the test suites, the starting port number must be specified by -setting the environment variable STARTPORT before starting the test suite. -Each test suite comprises about 100 tests, each being allocated a set of 100 -ports. The port ranges for each test are allocated sequentially, so each test -suite requires about 10,000 ports to itself. By default, the port allocation -starts at 5,000. So the following set of commands: - - Terminal Window 1: - cd /bin/tests/system - sh runall.sh 4 - - Terminal Window 2: - cd /bin/tests/system - STARTPORT=20000 sh runall.sh 4 - -... will start the test suite for installation-1 using the default base port -of 5,000, so the test suite will use ports 5,000 through 15,000 (or there -abouts). The use of "STARTPORT=20000" to prefix the run of the test suite for -installation-2 will mean the test suite uses ports 20,000 through 30,000 or so. - - Format of Test Output --- All output from the system tests is in the form of lines with the following @@ -187,7 +187,7 @@ structure: e.g. - I:catz:checking that dom1.example is not served by master (1) + I:catz:checking that dom1.example is not served by primary (1) The meanings of the fields are as follows: 
@@ -236,12 +236,12 @@ Re-Running the Tests --- If there is a requirement to re-run a test (or the entire test suite), the files produced by the tests should be deleted first. Normally, these files are -deleted if the test succeeds but are retained on error. The run.sh script -automatically calls a given test's clean.sh script before invoking its setup.sh -script. +deleted if the test succeeds but are retained on error. The legacy.run.sh +script automatically calls a given test's clean.sh script before invoking its +setup.sh script. -Deletion of the files produced by the set of tests (e.g. after the execution -of "runall.sh") can be carried out using the command: +Deletion of the files produced by the set of tests (e.g. after the execution of +make) can be carried out using the command: sh cleanall.sh @@ -278,8 +278,8 @@ tests.sh Runs the actual tests. This file is mandatory. clean.sh Run at the end to clean up temporary files, but only if the test was completed successfully and its running was not inhibited by the - "-n" switch being passed to "run.sh". Otherwise the temporary - files are left in place for inspection. + "-n" switch being passed to "legacy.run.sh". Otherwise the + temporary files are left in place for inspection. ns These subdirectories contain test name servers that can be queried or can interact with each other. The value of N indicates the 
@@ -298,8 +298,8 @@ ans Like ns[X], but these are simple mock name servers implemented in Port Usage --- In order for the tests to run in parallel, each test requires a unique set of -ports. These are specified by the "-p" option passed to "run.sh", which sets -environment variables that the scripts listed above can reference. +ports. These are specified by the "-p" option passed to "legacy.run.sh", which +sets environment variables that the scripts listed above can reference. The convention used in the system tests is that the number passed is the start of a range of 100 ports. The test is free to use the ports as required, @@ -330,7 +330,7 @@ port assignments would be: HIGHPORT = 5299 When running tests in parallel (i.e. giving a value of "numproc" greater than 1 -in the "make" or "runall.sh" commands listed above), it is guaranteed that each +in the "make" command listed above), it is guaranteed that each test will get a set of unique port numbers. @@ -351,10 +351,10 @@ General directory. 2. Arguments can be only passed to the script if the test is being run as a -one-off with "run.sh". In this case, everything on the command line after the -name of the test is passed to each script. For example, the command: +one-off with "legacy.run.sh". In this case, everything on the command line +after the name of the test is passed to each script. For example, the command: - sh run.sh -p 12300 mytest -D xyz + sh legacy.run.sh -p 12300 mytest -D xyz ... will run "mytest" with a port range of 12300 to 12399. Each of the framework scripts provided by the test will be invoked using the remaining @@ -366,7 +366,7 @@ arguments, e.g.: (cd mytest ; sh clean.sh -D xyz) No arguments will be passed to the test scripts if the test is run as part of -a run of the full test suite (e.g. the tests are started with "runall.sh"). +a run of the full test suite (e.g. the tests are started with make). 3. Each script should start with the following lines: 
@@ -441,14 +441,14 @@ This is the main test file and the contents depend on the test. The contents are completely up to the developer, although most test scripts have a form similar to the following for each sub-test: - 1. n=`expr $n + 1` + 1. n=$((n + 1)) 2. echo_i "prime cache nodata.example ($n)" 3. ret=0 4. $DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n 5. grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 6. grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 7. if [ $ret != 0 ]; then echo_i "failed"; fi - 8. status=`expr $status + $ret` + 8. status=$((status + ret)) 1. Increment the test number "n" (initialized to zero at the start of the script). @@ -525,8 +525,8 @@ Ideally, the directory numbers should start at 1 and work upwards. When running a test, the servers are started using "start.sh" (which is nothing more than a wrapper for start.pl). The options for "start.pl" are documented in the header for that file, so will not be repeated here. In summary, when -invoked by "run.sh", start.pl looks for directories named "nsN" or "ansN" in -the test directory and starts the servers it finds there. +invoked by "legacy.run.sh", start.pl looks for directories named "nsN" or +"ansN" in the test directory and starts the servers it finds there. "named" Command-Line Options @@ -546,7 +546,7 @@ By default, start.pl starts a "named" server with the following options: -g Runs the server in the foreground and logs everything to stderr. - -m record,size,mctx + -m record Turns on these memory usage debugging flags. -U 4 Uses four listeners. @@ -623,8 +623,8 @@ the options available are listed in the file's header and will not be repeated here. In summary though, the nameservers for a given test, if left running by -specifying the "-k" flag to "run.sh" when the test is started, can be stopped -by the command: +specifying the "-k" flag to "legacy.run.sh" when the test is started, can be +stopped by the command: sh stop.sh [server] 
@@ -636,13 +636,10 @@ Adding a Test to the System Test Suite --- Once a test has been created, the following files should be edited: -* conf.sh.in The name of the test should be added to the PARALLELDIRS or -SEQUENTIALDIRS variables as appropriate. The former is used for tests that -can run in parallel with other tests, the latter for tests that are unable to -do so. +* conf.sh.common The name of the test should be added to the PARALLEL_COMMON +variable. -* Makefile.in The name of the test should be added to one of the the PARALLEL -or SEQUENTIAL variables. +* Makefile.am The name of the test should be added to the TESTS variable. (It is likely that a future iteration of the system test suite will remove the need to edit multiple files to add a test.) 
@@ -656,30 +653,109 @@ completed. To enable this, set the USE_VALGRIND environment variable to "helgrind" to run the Helgrind tool, or any other value to run the Memcheck tool. To use "helgrind" effectively, build BIND with --disable-atomic. +Developer Notes for pytest runner +=== + +Test discovery and collection +--- +There are two distinct types of system tests. The first is a shell script +tests.sh containing individual test cases executed sequentially and the +success/failure is determined by return code. The second type is a regular +pytest file which contains test functions. + +Dealing with the regular pytest files doesn't require any special consideration +as long as the naming conventions are met. Discovering the tests.sh tests is +more complicated. + +The chosen solution is to add a bit of glue for each system test. For every +tests.sh, there is an accompanying tests_sh_*.py file that contains a test +function which utilizes a custom run_tests_sh fixture to call the tests.sh +script. Other solutions were tried and eventually rejected. While this +introduces a bit of extra glue, it is the most portable, compatible and least +complex solution. + +Module scope +--- +Pytest fixtures can have a scope. The "module" scope is the most important for +our use. A module is a python file which contains test functions. Every system +test directory may contain multiple modules (i.e. tests_*.py files)! + +The server setup/teardown is done for a module. Bundling test cases together +inside a single module may save some resources. However, test cases inside a +single module can't be executed in parallel. + +It is possible to execute different modules defined within a single system test +directory in parallel. This is possible thanks to executing the tests inside a +temporary directory and proper port assignment to ensure there won't be any +conflicts. 
+ +Test logging +--- +Each module has a separate log which will be saved as pytest.log.txt in the +temporary directory in which the test is executed. This log includes messages +for this module setup/teardown as well as any logging from the tests using the +`logger` fixture. Logging level DEBUG and above will be present in this log. + +In general, any log messages using INFO or above will also be printed out +during pytest execution. In CI, the pytest output is also saved to +pytest.out.txt in the bin/tests/system directory. + +Parallel execution +--- +As mentioned in the previous section, test cases inside a single module can't +be executed in parallel. To put it differently, all tests cases inside the same +module must be performed by the same worker/thread. Otherwise, server +setup/teardown fixtures won't be shared and runtime issues due to port +collisions are likely to occur. + +Pytest-xdist is used for executing pytest test cases in parallel using the `-n +N_WORKERS` option. By default, xdist will distribute any test case to any +worker, which would lead to the issue described above. Therefore, conftest.py +enforces equivalent of `--dist loadscope` option which ensures that test cases +within the same (module) scope will be handled by the same worker. Parallelism +is automatically disabled when xdist.scheduler.loadscope library is not +available. + +$ pytest -n auto + +Test selection +--- +It is possible to run just a single pytest test case from any module. Use +standard pytest facility to select the desired test case(s), i.e. pass a +sufficiently unique identifier for `-k` parameter. You can also check which +tests will be executed by using the `--collect-only` flag to debug your `-k` +expression. + +Compatibility with older pytest version +--- +Keep in mind that the pytest runner must work with ancient versions of pytest. +When implementing new features, it is advisable to check feature support in +pytest and pytest-xdist in older distributions first. 
-Maintenance Notes +As a general rule, any changes to the pytest runner need to keep working on all +platforms in CI that use the pytest runner. As of 2023-01-13, the oldest +supported version is whatever is available in EL8. + +We may need to add more compat code eventually to handle breaking upstream +changes. For example, using request.fspath attribute is already deprecatred in +latest pytest. + +Maintenance Notes for legacy runner === This section is aimed at developers maintaining BIND's system test framework. Notes on Parallel Execution --- -Although execution of an individual test is controlled by "run.sh", which -executes the above shell scripts (and starts the relevant servers) for each -test, the running of all tests in the test suite is controlled by the Makefile. -("runall.sh" does little more than invoke "make" on the Makefile.) +Although execution of an individual test is controlled by "legacy.run.sh", +which executes the above shell scripts (and starts the relevant servers) for +each test, the running of all tests in the test suite is controlled by the +Makefile. All system tests are capable of being run in parallel. For this to work, each test needs to use a unique set of ports. To avoid the need to define which tests use which ports (and so risk port clashes as further tests are added), -the ports are assigned when the tests are run. This is achieved by having the -"test" target in the Makefile depend on "parallel.mk". That file is created -when "make check" is run, and contains a target for each test of the form: - - : - @$(SHELL) run.sh -p - -The is unique and the values of for each test are -separated by at least 100 ports. +the ports are determined by "get_ports.sh", a port broker script which keeps +track of ports given to each individual system test. Cleaning Up From Tests 
@@ -692,19 +768,11 @@ stored in the test directory. 2. Files produced by named which may not be cleaned up if named exits abnormally, e.g. core files, PID files etc., are stored in the test directory. -3. A file "test.output." containing the text written to stdout by the -test is written to bin/tests/system/. This file is only produced when the test -is run as part of the entire test suite (e.g. via "runall.sh"). - If the test fails, all these files are retained. But if the test succeeds, they are cleaned up at different times: 1. Files generated by the test itself are cleaned up by the test's own -"clean.sh", which is called from "run.sh". +"clean.sh", which is called from "legacy.run.sh". 2. Files that may not be cleaned up if named exits abnormally can be removed using the "cleanall.sh" script. - -3. "test.output.*" files are deleted when the test suite ends. At this point, -the file "testsummary.sh" is called which concatenates all the "test.output.*" -files into a single "systests.output" file before deleting them. diff --git a/bin/tests/system/acl/clean.sh b/bin/tests/system/acl/clean.sh index a80de95901..c8d26cc54f 100644 --- a/bin/tests/system/acl/clean.sh +++ b/bin/tests/system/acl/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 60f22e1596..cbf461bcf0 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -30,15 +32,16 @@ options { notify yes; ixfr-from-differences yes; check-integrity no; + dnssec-validation no; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in index ada97bcf24..bb03efd75d 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { 
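Review bot: `algorithm @DEFAULT_HMAC@;` replaces the fixed `hmac-sha256`/`hmac-md5` values in the rndc and TSIG key stanzas of named1.conf.in (and of named2–named5.conf.in and the ns3/ns4 named.conf.in further down), but nothing in the templates records where the token is expanded or which values it may take, and acl/tests.sh passes `${DEFAULT_HMAC}` to dig, so the two must stay in agreement. A comment above the first key block such as `/* @DEFAULT_HMAC@ is substituted from conf.sh when the template is copied; keep in sync with tests.sh */` would make that coupling visible — name the real substitution mechanism if it is not copy_setports, which I am inferring from tests.sh. The added `dnssec-validation no;` lines are consistent with test servers that carry no trust anchors and need no further note.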
@@ -30,15 +32,16 @@ options { notify yes; ixfr-from-differences yes; check-integrity no; + dnssec-validation no; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in index 97684e4d9b..b4e20d5ebd 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -30,20 +32,21 @@ options { notify yes; ixfr-from-differences yes; check-integrity no; + dnssec-validation no; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key three { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in index 462b3fad6f..868d46492f 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -30,15 +32,16 @@ options { notify yes; ixfr-from-differences yes; check-integrity no; + dnssec-validation no; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in index 728da58d65..e24080f064 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { 
@@ -30,17 +32,18 @@ options { notify yes; ixfr-from-differences yes; check-integrity no; + dnssec-validation no; allow-query-on { 10.53.0.2; }; blackhole { 10.53.0.8; }; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns3/example.db b/bin/tests/system/acl/ns3/example.db index ae1ceabee9..34fe9e5911 100644 --- a/bin/tests/system/acl/ns3/example.db +++ b/bin/tests/system/acl/ns3/example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/acl/ns3/named.conf.in b/bin/tests/system/acl/ns3/named.conf.in index 760c2bc8ff..31d3526b76 100644 --- a/bin/tests/system/acl/ns3/named.conf.in +++ b/bin/tests/system/acl/ns3/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -21,6 +23,7 @@ options { notify no; allow-new-zones yes; allow-transfer { none; }; + dnssec-validation no; }; controls { @@ -29,5 +32,5 @@ controls { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/acl/ns4/example.db b/bin/tests/system/acl/ns4/example.db index f5e178d5ab..91c8702299 100644 --- a/bin/tests/system/acl/ns4/example.db +++ b/bin/tests/system/acl/ns4/example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/acl/ns4/existing.db b/bin/tests/system/acl/ns4/existing.db index f5e178d5ab..91c8702299 100644 --- a/bin/tests/system/acl/ns4/existing.db +++ b/bin/tests/system/acl/ns4/existing.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/acl/ns4/named.conf.in b/bin/tests/system/acl/ns4/named.conf.in index e4c57463c6..9b769d1849 100644 --- a/bin/tests/system/acl/ns4/named.conf.in 
+++ b/bin/tests/system/acl/ns4/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -21,6 +23,7 @@ options { notify no; allow-new-zones yes; allow-transfer { none; }; + dnssec-validation no; }; controls { @@ -29,7 +32,7 @@ controls { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; zone "existing" { diff --git a/bin/tests/system/acl/setup.sh b/bin/tests/system/acl/setup.sh index bdf3d22df7..7dcd87244b 100644 --- a/bin/tests/system/acl/setup.sh +++ b/bin/tests/system/acl/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index a48f8685fe..5753036026 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh 
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
@@ -19,16 +23,16 @@ t=0
 echo_i "testing basic ACL processing"
 # key "one" should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # any other key should be fine
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 copy_setports ns2/named2.conf.in ns2/named.conf
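Review bot: `set -e` is now in force for the whole of tests.sh, but the `$DIG $DIGOPTS tsigzone. \ @10.53.0.2 ... > dig.out.${t}` invocations in this hunk and in the following ones (`@@ -36,20 +40,20 @@`, `@@ -59,44 +63,44 @@`) are unguarded, so a non-zero dig exit (dig documents exit status 9 for no reply from the server) aborts the script before the `grep ... || { echo_i "test $t failed" ; status=1; }` line can report which sub-test failed, and whatever status reporting follows at the end of the script, outside this hunk, presumably never runs. The `grep ... && { ... }` and `... || { ... }` lists themselves are safe under `set -e`, since only the last command of an AND-OR list is subject to it. If aborting on a dig failure is the intent, a comment next to `set -e` saying so would help; otherwise `$DIG ... > dig.out.${t} || true` keeps the per-test diagnostics.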
@@ -36,20 +40,20 @@ rndc_reload ns2 10.53.0.2
 sleep 5
 # prefix 10/8 should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # any other address should work, as long as it sends key "one"
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 echo_i "testing nested ACL processing"
@@ -59,44 +63,44 @@ rndc_reload ns2 10.53.0.2
 sleep 5
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # but only one or the other should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
 @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; }
 # and other values? right out
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
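Review bot: The unsigned-transfer check near the end of this hunk (the `$DIG ... -b 10.53.0.2 axfr` call with no `-y`) reports `echo_i "test $tt failed"`, but `$tt` is never assigned anywhere in the file, so a failure there is logged as "test  failed" with no test number; since the script enables `set -e` but not `set -u`, nothing catches the typo. It should read `echo_i "test $t failed"` like every surrounding check. The line is unchanged context, so the defect predates this commit, but the commit rewrites the two lines immediately above it.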
@@ -105,63 +109,64 @@ rndc_reload ns2 10.53.0.2
 sleep 5
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # should succeed
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 # should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # should fail
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 echo_i "testing allow-query-on ACL processing"
 copy_setports ns2/named5.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 sleep 5
-t=`expr $t + 1`
+t=$((t + 1))
 $DIG -p ${PORT} +tcp soa example. \
 @10.53.0.2 -b 10.53.0.3 > dig.out.${t}
 grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 echo_i "testing blackhole ACL processing"
-t=`expr $t + 1`
+t=$((t + 1))
 ret=0
 $DIG -p ${PORT} +tcp soa example. \
 @10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
 grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1
 $DIG -p ${PORT} +tcp soa example. \
- @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t}
+ @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} && ret=1
 grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1
 grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1
 $DIG -p ${PORT} soa example. \
 @10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
 grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1
 $DIG -p ${PORT} soa example. \
- @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t}
+ @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} && ret=1
 grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1
-grep "connection timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
+grep "timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
+grep ";; no servers could be reached" dig.out.4.${t} > /dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
+status=$((status + ret))
 # AXFR tests against ns3
@@ -171,26 +176,26 @@ echo_i "calling addzone example.com on ns3"
 $RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
 sleep 1
-t=`expr $t + 1`
+t=$((t + 1))
 ret=0
 echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
 $DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "calling rndc reconfig"
 rndc_reconfig ns3 10.53.0.3
 sleep 1
-t=`expr $t + 1`
+t=$((t + 1))
 ret=0
 echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
 $DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
+status=$((status + ret))
 # AXFR tests against ns4
@@ -200,26 +205,26 @@ echo_i "calling addzone example.com on ns4"
 $RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; '
 sleep 1
-t=`expr $t + 1`
+t=$((t + 1))
 ret=0
 echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
 $DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "calling rndc reconfig"
 rndc_reconfig ns4 10.53.0.4
 sleep 1
-t=`expr $t + 1`
+t=$((t + 1))
 ret=0
 echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
 $DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/acl/tests_sh_acl.py b/bin/tests/system/acl/tests_sh_acl.py
new file mode 100644
index 0000000000..2c98644e01
--- /dev/null
+++ b/bin/tests/system/acl/tests_sh_acl.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_acl(run_tests_sh):
+ run_tests_sh()
diff --git a/bin/tests/system/additional/clean.sh b/bin/tests/system/additional/clean.sh
index 871c6a51ae..c43c36e9cd 100644
--- a/bin/tests/system/additional/clean.sh
+++ b/bin/tests/system/additional/clean.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/additional/ns1/mx.db b/bin/tests/system/additional/ns1/mx.db
index 32a2b87ba7..6305e8bccd 100644
--- a/bin/tests/system/additional/ns1/mx.db
+++ b/bin/tests/system/additional/ns1/mx.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/named.args b/bin/tests/system/additional/ns1/named.args
index 15aa849355..45ac93a7c7 100644
--- a/bin/tests/system/additional/ns1/named.args
+++ b/bin/tests/system/additional/ns1/named.args
@@ -1,2 +1,2 @@
 # this server runs named with only one worker thread
--m record,size,mctx -c named.conf -d 99 -D additional-ns1 -X named.lock -g -n 1 -T maxcachesize=2097152
+-m record -c named.conf -d 99 -D additional-ns1 -X named.lock -g -n 1 -T maxcachesize=2097152
diff --git a/bin/tests/system/additional/ns1/named1.conf.in b/bin/tests/system/additional/ns1/named1.conf.in
index 306e80fa20..d058d1e65c 100644
--- a/bin/tests/system/additional/ns1/named1.conf.in
+++ b/bin/tests/system/additional/ns1/named1.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/named2.conf.in b/bin/tests/system/additional/ns1/named2.conf.in
index 6a341f1b33..56c6d4b70e 100644
--- a/bin/tests/system/additional/ns1/named2.conf.in
+++ b/bin/tests/system/additional/ns1/named2.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/named3.conf.in b/bin/tests/system/additional/ns1/named3.conf.in
index 85d94d5e89..ad453a3fa4 100644
--- a/bin/tests/system/additional/ns1/named3.conf.in
+++ b/bin/tests/system/additional/ns1/named3.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/named4.conf.in b/bin/tests/system/additional/ns1/named4.conf.in
index 2808c438a3..69479b9f4c 100644
--- a/bin/tests/system/additional/ns1/named4.conf.in
+++ b/bin/tests/system/additional/ns1/named4.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/naptr.db b/bin/tests/system/additional/ns1/naptr.db
index d14bec455d..51d3c857eb 100644
--- a/bin/tests/system/additional/ns1/naptr.db
+++ b/bin/tests/system/additional/ns1/naptr.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/naptr2.db b/bin/tests/system/additional/ns1/naptr2.db
index fbdd179756..78ca4ad403 100644
--- a/bin/tests/system/additional/ns1/naptr2.db
+++ b/bin/tests/system/additional/ns1/naptr2.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/nid.db b/bin/tests/system/additional/ns1/nid.db
index 5d5bee8e09..f76b52e832 100644
--- a/bin/tests/system/additional/ns1/nid.db
+++ b/bin/tests/system/additional/ns1/nid.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/root.db b/bin/tests/system/additional/ns1/root.db
index 7db363b2bf..94cfddac24 100644
--- a/bin/tests/system/additional/ns1/root.db
+++ b/bin/tests/system/additional/ns1/root.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/rt.db b/bin/tests/system/additional/ns1/rt.db
index 6958f38fd6..c858f0d9cb 100644
--- a/bin/tests/system/additional/ns1/rt.db
+++ b/bin/tests/system/additional/ns1/rt.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/rt2.db b/bin/tests/system/additional/ns1/rt2.db
index 667eb118a8..b61a19850a 100644
--- a/bin/tests/system/additional/ns1/rt2.db
+++ b/bin/tests/system/additional/ns1/rt2.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns1/srv.db b/bin/tests/system/additional/ns1/srv.db
index bc8d58190b..0aee21a4c1 100644
--- a/bin/tests/system/additional/ns1/srv.db
+++ b/bin/tests/system/additional/ns1/srv.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns2/named.conf.in b/bin/tests/system/additional/ns2/named.conf.in
index 4c41816bbe..ed43ca6627 100644
--- a/bin/tests/system/additional/ns2/named.conf.in
+++ b/bin/tests/system/additional/ns2/named.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -20,6 +22,7 @@ options {
 listen-on-v6 { none; };
 notify no;
 minimal-responses yes;
+ dnssec-validation no;
 };
 zone "." {
diff --git a/bin/tests/system/additional/ns2/root.db b/bin/tests/system/additional/ns2/root.db
index 3241240784..728bdde441 100644
--- a/bin/tests/system/additional/ns2/root.db
+++ b/bin/tests/system/additional/ns2/root.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns3/ex.db b/bin/tests/system/additional/ns3/ex.db
index 409c2dfd48..c893a844f6 100644
--- a/bin/tests/system/additional/ns3/ex.db
+++ b/bin/tests/system/additional/ns3/ex.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns3/ex2.db b/bin/tests/system/additional/ns3/ex2.db
index 30d4ca7c7a..f9039cf22f 100644
--- a/bin/tests/system/additional/ns3/ex2.db
+++ b/bin/tests/system/additional/ns3/ex2.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns3/named.conf.in b/bin/tests/system/additional/ns3/named.conf.in
index de87de56e4..2bd01c945d 100644
--- a/bin/tests/system/additional/ns3/named.conf.in
+++ b/bin/tests/system/additional/ns3/named.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/additional/ns3/root.hint b/bin/tests/system/additional/ns3/root.hint
index 775f78235a..ef6ee6fada 100644
--- a/bin/tests/system/additional/ns3/root.hint
+++ b/bin/tests/system/additional/ns3/root.hint
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/additional/setup.sh b/bin/tests/system/additional/setup.sh
index 685e34ae57..2cbc08d7e9 100644
--- a/bin/tests/system/additional/setup.sh
+++ b/bin/tests/system/additional/setup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
index dedfd018a9..a50004c5c8 100644
--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 DIGOPTS="-p ${PORT}"
@@ -18,7 +22,7 @@ status=0
 n=0
 dotests() {
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with RT, single zone (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -26,7 +30,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with RT, two zones (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
@@ -34,7 +38,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NAPTR, single zone (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
@@ -42,7 +46,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NAPTR, two zones (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
@@ -50,7 +54,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with LP (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -80,7 +84,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NID (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -96,7 +100,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NID + LP (+rec) ($n)"
 ret=0
 $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -114,7 +118,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with RT, single zone (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -122,7 +126,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with RT, two zones (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
@@ -130,7 +134,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NAPTR, single zone (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
@@ -138,7 +142,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NAPTR, two zones (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
@@ -146,7 +150,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with LP (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -176,7 +180,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NID (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -192,7 +196,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NID + LP (+norec) ($n)"
 ret=0
 $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
@@ -210,7 +214,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NS, root zone ($n)"
 ret=0
 $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
@@ -220,7 +224,7 @@ dotests() {
 echo_i "failed"; status=$((status+1))
 fi
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "test with NS, non-root zone ($n)"
 ret=0
 $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -255,7 +259,7 @@ echo_i "testing with 'minimal-responses no;'"
 minimal=no
 dotests
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing with 'minimal-any no;' ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -268,7 +272,7 @@ echo_i "reconfiguring server: minimal-any yes"
 copy_setports ns1/named3.conf.in ns1/named.conf
 rndc_reconfig ns1 10.53.0.1
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over UDP ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -276,7 +280,7 @@ grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over TCP ($n)"
 ret=0
@@ -286,7 +290,7 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over UDP ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -307,7 +311,7 @@ echo_i "testing with 'minimal-responses no-auth-recursive;'"
 minimal=no-auth-recursive
 dotests
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing returning TLSA records with MX query ($n)"
 ret=0
 $DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
@@ -318,7 +322,7 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing returning TLSA records with SRV query ($n)"
 ret=0
 $DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
@@ -333,7 +337,7 @@ echo_i "reconfiguring server: minimal-responses no"
 copy_setports ns1/named2.conf.in ns1/named.conf
 rndc_reconfig ns1 10.53.0.1
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing NS handling in ANY responses (authoritative) ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -343,7 +347,7 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing NS handling in ANY responses (recursive) ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
@@ -353,7 +357,7 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
 ret=0
 $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
@@ -362,7 +366,7 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=$((status+1))
 fi
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
 ret=0
 $DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
diff --git a/bin/tests/system/additional/tests_sh_additional.py b/bin/tests/system/additional/tests_sh_additional.py
new file mode 100644
index 0000000000..cdc38f4d81
--- /dev/null
+++ b/bin/tests/system/additional/tests_sh_additional.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_additional(run_tests_sh):
+ run_tests_sh()
diff --git a/bin/tests/system/addzone/clean.sh b/bin/tests/system/addzone/clean.sh
index d87474aeb3..5e94b5c759 100644
--- a/bin/tests/system/addzone/clean.sh
+++ b/bin/tests/system/addzone/clean.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/addzone/ns1/inlinesec.db b/bin/tests/system/addzone/ns1/inlinesec.db
index 5db7e024e3..eb9d042d6a 100644
--- a/bin/tests/system/addzone/ns1/inlinesec.db
+++ b/bin/tests/system/addzone/ns1/inlinesec.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in
index a3f4256a96..9015e1b9d9 100644
--- a/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -11,7 +13,7 @@
 key rndc_key {
  secret "1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
 };
 controls {
@@ -26,6 +28,7 @@ options {
  allow-query { any; };
  allow-new-zones yes;
  recursion no;
+ dnssec-validation no;
 };
 zone "." {
diff --git a/bin/tests/system/addzone/ns1/redirect.db.1 b/bin/tests/system/addzone/ns1/redirect.db.1
index 7b40db9c33..5dcdd1bba7 100644
--- a/bin/tests/system/addzone/ns1/redirect.db.1
+++ b/bin/tests/system/addzone/ns1/redirect.db.1
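Review bot: `dnssec-validation no;` is added to an options block that already has `recursion no;` without a comment saying why an authoritative-only test server needs validation switched off explicitly; the same bare line is added to ns2/named1.conf.in, ns2/named2.conf.in, ns2/named3.conf.in, ns3/named1.conf.in and ns3/named2.conf.in in later hunks. Presumably it sidesteps the default `dnssec-validation auto;` behaviour (built-in trust anchor handling) on servers that never recurse, so the tests do not depend on it either way; a one-line comment on the first occurrence, e.g. `// authoritative-only server: validation is unused, disable it so no trust anchor is needed`, would spare the next reader from wondering whether the test relies on validation being off. Similarly, `algorithm @DEFAULT_HMAC@;` replacing `hmac-sha256` in the rndc key is presumably substituted by `copy_setports`, which is worth stating near the key block if it is not documented elsewhere in the test framework.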
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns1/redirect.db.2 b/bin/tests/system/addzone/ns1/redirect.db.2
index a4f0d3806c..4dcbdbc012 100644
--- a/bin/tests/system/addzone/ns1/redirect.db.2
+++ b/bin/tests/system/addzone/ns1/redirect.db.2
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/added.db b/bin/tests/system/addzone/ns2/added.db
index 9b54d19204..286e717532 100644
--- a/bin/tests/system/addzone/ns2/added.db
+++ b/bin/tests/system/addzone/ns2/added.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/default.nzf.in b/bin/tests/system/addzone/ns2/default.nzf.in
index 614bddeb43..d9740f5040 100644
--- a/bin/tests/system/addzone/ns2/default.nzf.in
+++ b/bin/tests/system/addzone/ns2/default.nzf.in
@@ -1 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 zone previous.example { type primary; file "previous.db"; };
diff --git a/bin/tests/system/addzone/ns2/hints.db b/bin/tests/system/addzone/ns2/hints.db
index 418ea963fa..e0f186c2f8 100644
--- a/bin/tests/system/addzone/ns2/hints.db
+++ b/bin/tests/system/addzone/ns2/hints.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/inline.db b/bin/tests/system/addzone/ns2/inline.db
index a45d30e0b1..c968104811 100644
--- a/bin/tests/system/addzone/ns2/inline.db
+++ b/bin/tests/system/addzone/ns2/inline.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/named1.conf.in b/bin/tests/system/addzone/ns2/named1.conf.in
index dc1d26fc5d..23be60ef70 100644
--- a/bin/tests/system/addzone/ns2/named1.conf.in
+++ b/bin/tests/system/addzone/ns2/named1.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -17,6 +19,7 @@ options {
  allow-query { any; };
  recursion no;
  allow-new-zones yes;
+ dnssec-validation no;
 };
 include "../../common/rndc.key";
diff --git a/bin/tests/system/addzone/ns2/named2.conf.in b/bin/tests/system/addzone/ns2/named2.conf.in
index 94724d50d9..8b0f23de2c 100644
--- a/bin/tests/system/addzone/ns2/named2.conf.in
+++ b/bin/tests/system/addzone/ns2/named2.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,6 +24,7 @@ options {
  listen-on { 10.53.0.2; 10.53.0.4; };
  listen-on-v6 { none; };
  recursion no;
+ dnssec-validation no;
 };
 view internal {
diff --git a/bin/tests/system/addzone/ns2/named3.conf.in b/bin/tests/system/addzone/ns2/named3.conf.in
index f4d948e267..7078ce989e 100644
--- a/bin/tests/system/addzone/ns2/named3.conf.in
+++ b/bin/tests/system/addzone/ns2/named3.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,6 +24,7 @@ options {
  listen-on-v6 { none; };
  recursion no;
  new-zones-directory "new-zones";
+ dnssec-validation no;
 };
 view internal {
diff --git a/bin/tests/system/addzone/ns2/normal.db b/bin/tests/system/addzone/ns2/normal.db
index 50450928e9..fa05638f32 100644
--- a/bin/tests/system/addzone/ns2/normal.db
+++ b/bin/tests/system/addzone/ns2/normal.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/previous.db b/bin/tests/system/addzone/ns2/previous.db
index 7fe5517618..6d2e495a8d 100644
--- a/bin/tests/system/addzone/ns2/previous.db
+++ b/bin/tests/system/addzone/ns2/previous.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/redirect.db.1 b/bin/tests/system/addzone/ns2/redirect.db.1
index 7b40db9c33..5dcdd1bba7 100644
--- a/bin/tests/system/addzone/ns2/redirect.db.1
+++ b/bin/tests/system/addzone/ns2/redirect.db.1
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns2/redirect.db.2 b/bin/tests/system/addzone/ns2/redirect.db.2
index a4f0d3806c..4dcbdbc012 100644
--- a/bin/tests/system/addzone/ns2/redirect.db.2
+++ b/bin/tests/system/addzone/ns2/redirect.db.2
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns3/e.db b/bin/tests/system/addzone/ns3/e.db
index d5f7ff9c25..7f74f0a8b2 100644
--- a/bin/tests/system/addzone/ns3/e.db
+++ b/bin/tests/system/addzone/ns3/e.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns3/example.db b/bin/tests/system/addzone/ns3/example.db
index 4f150a030a..2bf4f8d1e5 100644
--- a/bin/tests/system/addzone/ns3/example.db
+++ b/bin/tests/system/addzone/ns3/example.db
@@ -1,2 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 @ IN SOA localhost. localhost.localhost. 1 10800 3600 605800 86400
 @ IN NS localhost.
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
index 2ee5e26091..6c512a670c 100644
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -23,6 +25,7 @@ options {
  allow-query { any; };
  recursion no;
  allow-new-zones yes;
+ dnssec-validation no;
 };
 zone "." {
diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in
index 5aa682fb38..6ca25f1a19 100644
--- a/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -23,4 +25,5 @@ options {
  allow-query { any; };
  recursion no;
  allow-new-zones yes;
+ dnssec-validation no;
 };
diff --git a/bin/tests/system/addzone/ns3/redirect.db.1 b/bin/tests/system/addzone/ns3/redirect.db.1
index 6444bad4d4..60a262202f 100644
--- a/bin/tests/system/addzone/ns3/redirect.db.1
+++ b/bin/tests/system/addzone/ns3/redirect.db.1
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/ns3/redirect.db.2 b/bin/tests/system/addzone/ns3/redirect.db.2
index aa98885563..3804fef909 100644
--- a/bin/tests/system/addzone/ns3/redirect.db.2
+++ b/bin/tests/system/addzone/ns3/redirect.db.2
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/addzone/setup.sh b/bin/tests/system/addzone/setup.sh
index ad9fec5a09..b2227c16b2 100644
--- a/bin/tests/system/addzone/setup.sh
+++ b/bin/tests/system/addzone/setup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh
index a3f7c6c603..131da00048 100755
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
@@ -28,9 +32,9 @@ ret=0
 $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 # When LMDB support is compiled in, this tests that migration from
 # NZF to NZD occurs during named startup
@@ -39,16 +43,16 @@ ret=0
 $DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-if [ -n "$NZD" ]; then
+if $FEATURETEST --with-lmdb; then
  echo_i "checking that existing NZF file was renamed after migration ($n)"
  [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 fi
 echo_i "adding new zone ($n)"
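Review bot: `set -e` added at the top of addzone/tests.sh changes how the unguarded commands later in this script behave, and the commit leaves them unguarded: `$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n` (hunk at -105), the `showzone`, `zonestatus -redirect` and `reload -redirect` calls (hunks at -206 and -252), and `$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1` followed by `retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk` (hunk at -327) have no `|| ret=1`, so a non-zero exit now aborts the whole script instead of being recorded in `status` and reported per test. If aborting on the first such failure is the intent under the new pytest runner, a comment such as `# set -e: any unguarded command failure aborts the whole run` next to it would make that explicit; otherwise each of those lines needs `|| ret=1`. The `... && ret=1` lines are unaffected, since a failing left-hand side of `&&` does not trigger `set -e`.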
@@ -60,27 +64,27 @@ _check_adding_new_zone () (
 grep '^a.added.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_adding_new_zone || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 nextpart ns2/named.run >/dev/null
 echo_i "checking addzone errors are logged correctly"
 ret=0
 $RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
 wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 nextpart ns2/named.run >/dev/null
 echo_i "checking modzone errors are logged correctly"
 ret=0
 $RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
 wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "adding a zone that requires quotes ($n)"
 ret=0
@@ -92,9 +96,9 @@ _check_zone_that_requires_quotes() (
 grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_zone_that_requires_quotes || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "adding a zone with a quote in the name ($n)"
 ret=0
@@ -105,48 +109,48 @@ _check_zone_with_a_quote() (
 grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_zone_with_a_quote || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "adding new zone with missing file ($n)"
 ret=0
 $DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1
 grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1
-$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n && ret=1
 grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
 $DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1
 grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1
 digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-if [ -z "$NZD" ]; then
+if ! $FEATURETEST --with-lmdb; then
  echo_i "verifying no comments in NZF file ($n)"
  ret=0
- hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l`
+ hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
  [ $hcount -eq 0 ] || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 fi
 echo_i "checking rndc showzone with previously added zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n
 expected='zone "previous.example" { type primary; file "previous.db"; };'
-[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
-n=`expr $n + 1`
+[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-if [ -n "$NZD" ]; then
+if $FEATURETEST --with-lmdb; then
  echo_i "checking zone is present in NZD ($n)"
  ret=0
  $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 fi
 echo_i "deleting previously added zone ($n)"
@@ -158,30 +162,30 @@ _check_deleting_previously_added_zone() (
 ! grep '^a.previous.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_deleting_previously_added_zone || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 check_nzd2nzf() (
 $NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n && ! grep previous.example nzd2nzf.out.$n > /dev/null
 )
-if [ -n "$NZD" ]; then
+if $FEATURETEST --with-lmdb; then
  echo_i "checking zone was deleted from NZD ($n)"
  retry_quiet 10 check_nzd2nzf || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 fi
-if [ -z "$NZD" ]; then
+if ! $FEATURETEST --with-lmdb; then
  echo_i "checking NZF file now has comment ($n)"
  ret=0
- hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l`
+ hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
  [ $hcount -eq 1 ] || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 fi
 echo_i "deleting newly added zone added.example ($n)"
@@ -193,9 +197,9 @@ _check_deleting_newly_added_zone() (
 ! grep '^a.added.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_deleting_newly_added_zone || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "deleting newly added zone with escaped quote ($n)"
 ret=0
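Review bot: the rewritten `if $FEATURETEST --with-lmdb; then` block that checks the zone was deleted from the NZD does not reset `ret` before `retry_quiet 10 check_nzd2nzf || ret=1`, so it inherits the outcome of the preceding "deleting previously added zone" test and can print "failed" and bump `status` again for a check that passed (the sibling block right below it does start with `ret=0`). Adding `ret=0` after the `echo_i "checking zone was deleted from NZD ($n)"` line brings it in line with the rest of the hunk. The omission predates this commit, but the guard line is being rewritten anyway, and the same pattern appears in the `--with-lmdb` block of the hunk at -39.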
@@ -206,45 +210,45 @@ _check_deleting_newly_added_zone_quote() (
 ! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null
 )
 retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n
 expected='zone "normal.example" { type primary; file "normal.db"; };'
-[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
-n=`expr $n + 1`
+[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n
 expected='zone "finaldot.example." { type primary; file "normal.db"; };'
-[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
-n=`expr $n + 1`
+[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n
 expected='zone "." { type redirect; file "redirect.db"; };'
-[ "`cat rndc.out.ns1.$n`" = "$expected" ] || ret=1
-n=`expr $n + 1`
+[ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n
 grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1
 grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "checking rndc reload with a normally-loaded redirect zone ($n)"
 ret=0
@@ -252,9 +256,9 @@ sleep 1
 cp -f ns1/redirect.db.2 ns1/redirect.db
 $RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n
 retry_quiet 5 check_zonestatus 1 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "delete a normally-loaded zone ($n)"
 ret=0
@@ -268,9 +272,9 @@ _check_delete_normally_loaded_zone() (
 )
 retry_quiet 5 _check_delete_normally_loaded_zone || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "attempting to add primary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
@@ -280,17 +284,17 @@ _check_add_primary_zone_with_inline() (
 grep '^a.inline.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 5 _check_add_primary_zone_with_inline || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "attempting to add primary zone with inline signing and missing file ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n && ret=1
 grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "attempting to add secondary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
@@ -300,9 +304,9 @@ _check_add_secondary_with_inline() (
 grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 5 _check_add_secondary_with_inline || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "attempting to delete secondary zone with inline signing ($n)"
 ret=0
@@ -316,8 +320,8 @@ test ! -f inlinesec.bk.signed ||
 grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || { echo_i "failed to report inlinesec.bk.signed"; ret=1; }
-n=`expr $n + 1`
-status=`expr $status + $ret`
+n=$((n + 1))
+status=$((status + ret))
 echo_i "restoring secondary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
@@ -327,17 +331,17 @@ _check_restoring_secondary_with_inline() (
 grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
 )
 retry_quiet 5 _check_restoring_secondary_with_inline || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "deleting secondary zone with automatic zone file removal ($n)"
 ret=0
 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
 $RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1
 retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk
-n=`expr $n + 1`
-status=`expr $status + $ret`
+n=$((n + 1))
+status=$((status + ret))
 echo_i "modifying zone configuration ($n)"
 ret=0
@@ -347,23 +351,23 @@ grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
 $RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i
 $DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1
 $RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "check that adding a 'stub' zone works ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "check that adding a 'static-stub' zone works ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 echo_i "check that adding a 'primary redirect' zone works ($n)"
 ret=0
@@ -376,9 +380,9 @@ _check_add_primary_redirect() ( grep "serial: 0" zonestatus.out.ns2.$n > /dev/null ) retry_quiet 10 _check_add_primary_redirect || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that reloading a added 'primary redirect' zone works ($n)" ret=0 @@ -386,16 +390,16 @@ sleep 1 cp -f ns2/redirect.db.2 ns2/redirect.db $RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n retry_quiet 10 check_zonestatus 2 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)" ret=0 $RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that deleting a 'primary redirect' zone works ($n)" ret=0 @@ -405,9 +409,9 @@ _check_deleting_primary_redirect() ( grep 'not found' showzone.out.ns2.$n > /dev/null ) retry_quiet 10 _check_deleting_primary_redirect || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that adding a 'secondary redirect' zone works ($n)" ret=0 @@ -420,9 +424,9 @@ _check_adding_secondary_redirect() ( grep "serial: 0" zonestatus.out.ns2.$n > /dev/null ) retry_quiet 10 _check_adding_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that retransfering a added 'secondary redirect' zone works ($n)" ret=0 
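Review bot: The negative check `$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1` only asserts a non-zero exit code; unlike the "hint" and "forward" rejection tests further down, it never greps `rndc.out.ns2.$n` for the refusal message, so any failure at all (including the control channel being unreachable) passes the step. Add a `grep "<message named emits for this case>" rndc.out.ns2.$n > /dev/null || ret=1` with the actual text, which is not visible in this hunk. In the preceding reload step, `$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n` likewise ignores rndc's own exit status and relies solely on the later `check_zonestatus 2` poll.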
@@ -435,9 +439,9 @@ _check_retransfering_secondary_redirect() ( grep "serial: 1" zonestatus.out.ns2.$n > /dev/null ) retry_quiet 10 _check_retransfering_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that deleting a 'secondary redirect' zone works ($n)" ret=0 
@@ -447,41 +451,33 @@ _check_deleting_secondary_redirect() ( grep 'not found' showzone.out.ns2.$n > /dev/null ) retry_quiet 10 _check_deleting_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that zone type 'hint' is properly rejected ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1 grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that zone type 'forward' is properly rejected ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1 grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "check that zone type 'delegation-only' is properly rejected ($n)" -ret=0 -$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that 'in-view' zones are properly rejected ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1 grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "reconfiguring server with multiple views" rm -f ns2/named.conf 
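Review bot: The "delegation-only" rejection test is removed without a replacement, which drops the only check that `addzone` refuses that zone type. If the type has been removed from named entirely (this hunk does not show why the test went away), a negative check is still worth keeping — `$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1` — followed by a grep for whatever configuration error named now reports, so that a stale zone type arriving over the control channel is verifiably rejected rather than assumed to be. The same applies to the remaining "hint", "forward" and "in-view" checks: they all share the `zones not supported by addzone` string, so a change to that message would break all four at once; a single variable holding it would make that easier to maintain.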
@@ -506,27 +502,27 @@ grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -if [ -z "$NZD" ]; then +if ! $FEATURETEST --with-lmdb; then echo_i "checking new NZF file has comment ($n)" ret=0 - hcount=`grep "^# New zone file for view: external" ns2/external.nzf | wc -l` + hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l) [ $hcount -eq 1 ] || ret=1 - n=`expr $n + 1` + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi -if [ -n "$NZD" ]; then +if $FEATURETEST --with-lmdb; then echo_i "verifying added.example in external view created an external.nzd DB ($n)" ret=0 [ -e ns2/external.nzd ] || ret=1 - n=`expr $n + 1` + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)" 
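Review bot: `hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)` can be written as `hcount=$(grep -c "^# New zone file for view: external" ns2/external.nzf)`, which drops the pipe and the platform-dependent leading whitespace that `wc -l` emits on some systems; the `[ $hcount -eq 1 ]` comparison stays as it is. In the LMDB branch, `[ -e ns2/external.nzd ] || ret=1` only proves the database file exists, not that the zone was written to it; the `showzone` check a few steps later is what actually verifies the contents, so a short comment saying so would save a reader from wondering why the check is so weak.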
@@ -540,24 +536,24 @@ _check_rndc_reload_external_view_config() ( grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null ) retry_quiet 10 _check_rndc_reload_external_view_config || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking rndc showzone with newly added zone ($n)" _check_rndc_showzone_newly_added() ( - if [ -z "$NZD" ]; then + if ! $FEATURETEST --with-lmdb; then expected='zone "added.example" in external { type primary; file "added.db"; };' else expected='zone "added.example" { type primary; file "added.db"; };' fi $RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null && - [ "`cat rndc.out.ns2.$n`" = "$expected" ] + [ "$(cat rndc.out.ns2.$n)" = "$expected" ] ) retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "deleting newly added zone ($n)" ret=0 
@@ -568,31 +564,31 @@ _check_deleting_newly_added_zone() ( ! grep '^a.added.example' dig.out.ns2.$n > /dev/null ) retry_quiet 10 _check_deleting_newly_added_zone || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "attempting to add zone to internal view ($n)" ret=0 $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1 -$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n && ret=1 grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "attempting to delete a policy zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 +$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1 grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "adding new zone again to external view ($n)" ret=0 
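Review bot: `$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1` relies on redirection order (stderr to the file first, then stdout onto stderr) to capture both streams; it works, but it reads like a typo next to the `> file 2>&1` form used everywhere else in this file. Writing it as `$RNDCCMD 10.53.0.2 delzone 'policy in internal' > rndc.out.ns2.$n 2>&1 && ret=1` keeps the behaviour and the house style. The "add zone to internal view" step just above captures only stderr (`2> rndc.out.ns2.$n`) before grepping for `permission denied`, which is fine only as long as rndc reports that refusal on stderr; capturing both streams there too would make the step immune to a change in where the message goes.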
@@ -605,9 +601,9 @@ _check_adding_new_zone_again_external() ( grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null ) retry_quiet 10 _check_adding_new_zone_again_external || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "reconfiguring server with multiple views and new-zones-directory" rm -f ns2/named.conf @@ -619,9 +615,9 @@ ret=0 $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "deleting newly added zone from external ($n)" ret=0 @@ -629,9 +625,9 @@ $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "adding new zone to directory view ($n)" ret=0 @@ -649,11 +645,11 @@ grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 $DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1 grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -if [ -n "$NZD" ]; then +if $FEATURETEST --with-lmdb; then echo_i "checking NZD file was created in new-zones-directory ($n)" expect=ns2/new-zones/directory.nzd else 
@@ -663,9 +659,9 @@ fi $RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /' sleep 2 [ -e "$expect" ] || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "deleting newly added zone from directory ($n)" ret=0 @@ -673,17 +669,17 @@ $RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /' $DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "ensure the configuration context is cleaned up correctly ($n)" ret=0 rndc_reconfig ns2 10.53.0.2 $RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check delzone after reconfig failure ($n)" ret=0 @@ -691,9 +687,9 @@ $RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inline copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 $RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) if ! $FEATURETEST --with-lmdb then @@ -704,9 +700,9 @@ then $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1 grep test2.baz ns3/_default.nzf > /dev/null && ret=1 - n=`expr $n + 1` + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi _check_version_bind() ( 
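Review bot: The fixed `sleep 2` followed by `[ -e "$expect" ] || ret=1` after `rndc sync` is a hard-coded wait where the rest of this file polls with `retry_quiet`; on a loaded CI runner the file can appear later and the step fails spuriously, while on a fast one the two seconds are simply wasted. Replacing the two lines with `retry_quiet 10 test -e "$expect" || ret=1` matches the surrounding steps. The `ret=0` for this step and the `else` branch that sets `expect` for the non-LMDB case begin before this hunk, so the step as a whole is only partly visible here.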
@@ -723,8 +719,8 @@ $RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; f $RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -stop_server addzone ns3 -start_server --noclean --restart --port ${PORT} addzone ns3 || ret=1 +stop_server ns3 +start_server --noclean --restart --port ${PORT} ns3 || ret=1 retry_quiet 10 _check_version_bind || ret=1 $DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1 grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 @@ -745,8 +741,8 @@ $DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1 grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py index 4e1e1090ba..bd21d62a90 100755 --- a/bin/tests/system/addzone/tests_rndc_deadlock.py +++ b/bin/tests/system/addzone/tests_rndc_deadlock.py 
@@ -1,13 +1,13 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ import concurrent.futures import os 
@@ -16,65 +16,68 @@ def run_rndc(server, rndc_command): - ''' - Send the specified 'rndc_command' to 'server' with a timeout of 2 seconds - ''' - rndc = os.getenv('RNDC') - port = os.getenv('CONTROLPORT') + """ + Send the specified 'rndc_command' to 'server' with a timeout of 10 seconds + """ + rndc = os.getenv("RNDC") + port = os.getenv("CONTROLPORT") - cmdline = [rndc, '-c', '../common/rndc.conf', '-p', port, '-s', server] + cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server] cmdline.extend(rndc_command) - subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=2) + subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10) def rndc_loop(test_state, domain): - ''' + """ Run "rndc addzone", "rndc modzone", and "rndc delzone" in a tight loop until the test is considered finished, ignoring errors - ''' + """ rndc_commands = [ - ['addzone', domain, - '{ type master; file "example.db"; };'], - ['modzone', domain, - '{ type master; file "example.db"; allow-transfer { any; }; };'], - ['delzone', domain], + ["addzone", domain, '{ type primary; file "example.db"; };'], + [ + "modzone", + domain, + '{ type primary; file "example.db"; allow-transfer { any; }; };', + ], + ["delzone", domain], ] - while not test_state['finished']: + while not test_state["finished"]: for command in rndc_commands: try: - run_rndc('10.53.0.3', command) + run_rndc("10.53.0.3", command) except subprocess.SubprocessError: pass def check_if_server_is_responsive(): - ''' + """ Check if server status can be successfully retrieved using "rndc status" - ''' + """ try: - run_rndc('10.53.0.3', ['status']) + run_rndc("10.53.0.3", ["status"]) return True except subprocess.SubprocessError: return False def test_rndc_deadlock(): - ''' + """ Test whether running "rndc addzone", "rndc modzone", and "rndc delzone" commands concurrently does not trigger a deadlock - ''' - test_state = {'finished': False} + """ + test_state = {"finished": False} # Create 4 worker threads 
running "rndc" commands in a loop. with concurrent.futures.ThreadPoolExecutor() as executor: for i in range(1, 5): - domain = 'example%d' % i + domain = "example%d" % i executor.submit(rndc_loop, test_state, domain) - # Run "rndc status" in 1-second intervals for a maximum of 10 seconds. - # If any "rndc status" command fails, the loop will be interrupted. + # Run "rndc status" 10 times, with 1-second pauses between attempts. + # Each "rndc status" invocation has a timeout of 10 seconds. If any of + # them fails, the loop will be interrupted. server_is_responsive = True attempts = 10 while server_is_responsive and attempts > 0: @@ -83,7 +86,7 @@ def test_rndc_deadlock(): time.sleep(1) # Signal worker threads that the test is finished. - test_state['finished'] = True + test_state["finished"] = True # Check whether all "rndc status" commands succeeded. assert server_is_responsive diff --git a/bin/tests/system/addzone/tests_sh_addzone.py b/bin/tests/system/addzone/tests_sh_addzone.py new file mode 100644 index 0000000000..dca8e7415c --- /dev/null +++ b/bin/tests/system/addzone/tests_sh_addzone.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_addzone(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/allow-query/clean.sh b/bin/tests/system/allow-query/clean.sh index aff72a2047..9914de7469 100644 --- a/bin/tests/system/allow-query/clean.sh +++ b/bin/tests/system/allow-query/clean.sh 
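Review bot: `run_rndc` builds `cmdline` from `os.getenv("RNDC")` and `os.getenv("CONTROLPORT")`, so if either variable is unset the list contains `None` and `subprocess.check_output` raises a TypeError with no hint about which variable is missing; `rndc = os.environ["RNDC"]` and `port = os.environ["CONTROLPORT"]` give a KeyError naming it directly. The 10-second timeout now appears both in the docstring and in the `timeout=10` argument (and again in the comment in `test_rndc_deadlock`); a module-level `RNDC_TIMEOUT = 10` referenced from all three would stop them drifting, which is exactly what had happened with the old "2 seconds" docstring. Worth a comment in `rndc_loop` as well: the bare `except subprocess.SubprocessError: pass` deliberately swallows `TimeoutExpired` too, so a hung server only becomes visible through the `rndc status` probe — that is the intended design, but it reads like an accident without saying so.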
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/allow-query/ns1/named.conf.in b/bin/tests/system/allow-query/ns1/named.conf.in index 70e4d01cc2..dd786e2780 100644 --- a/bin/tests/system/allow-query/ns1/named.conf.in +++ b/bin/tests/system/allow-query/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.1; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; zone "." { diff --git a/bin/tests/system/allow-query/ns1/root.db b/bin/tests/system/allow-query/ns1/root.db index 32c7ea064a..456198e58a 100644 --- a/bin/tests/system/allow-query/ns1/root.db +++ b/bin/tests/system/allow-query/ns1/root.db 
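Review bot: `dnssec-validation no;` is added to the ns1 `options` block without explanation, and in a server that already has `recursion no;` a reader cannot tell from the file why validation needs turning off; the same bare line is then repeated across every ns2 configuration in this change. A one-line comment beside it, e.g. `// isolated test network with no path to the real root; validation is not exercised here`, would record the intent — presumably this avoids the default trust-anchor handling in the test environment, but that is not shown in the hunk and should be confirmed before the comment is worded that way.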
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/allow-query/ns2/generic.db b/bin/tests/system/allow-query/ns2/generic.db index b5d176ae6a..83e66f9462 100644 --- a/bin/tests/system/allow-query/ns2/generic.db +++ b/bin/tests/system/allow-query/ns2/generic.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/allow-query/ns2/named01.conf.in b/bin/tests/system/allow-query/ns2/named01.conf.in index faadc62936..3069010dfb 100644 --- a/bin/tests/system/allow-query/ns2/named01.conf.in +++ b/bin/tests/system/allow-query/ns2/named01.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named02.conf.in b/bin/tests/system/allow-query/ns2/named02.conf.in index 758aa602bb..678c41779c 100644 --- a/bin/tests/system/allow-query/ns2/named02.conf.in +++ b/bin/tests/system/allow-query/ns2/named02.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { any; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named03.conf.in b/bin/tests/system/allow-query/ns2/named03.conf.in index d7d7d4f008..cdc64ff98f 100644 --- a/bin/tests/system/allow-query/ns2/named03.conf.in +++ b/bin/tests/system/allow-query/ns2/named03.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { none; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named04.conf.in b/bin/tests/system/allow-query/ns2/named04.conf.in index 67938b5f4e..05446627d6 100644 --- a/bin/tests/system/allow-query/ns2/named04.conf.in +++ b/bin/tests/system/allow-query/ns2/named04.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { 10.53.0.2; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named05.conf.in b/bin/tests/system/allow-query/ns2/named05.conf.in index 77b16461fb..6f92049f96 100644 --- a/bin/tests/system/allow-query/ns2/named05.conf.in +++ b/bin/tests/system/allow-query/ns2/named05.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { 10.53.0.1; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named06.conf.in b/bin/tests/system/allow-query/ns2/named06.conf.in index 94f1a3fc05..261c75b988 100644 --- a/bin/tests/system/allow-query/ns2/named06.conf.in +++ b/bin/tests/system/allow-query/ns2/named06.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query {! 10.53.0.2; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named07.conf.in b/bin/tests/system/allow-query/ns2/named07.conf.in index 2752bab934..8050fa2204 100644 --- a/bin/tests/system/allow-query/ns2/named07.conf.in +++ b/bin/tests/system/allow-query/ns2/named07.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -18,6 +20,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { accept; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named08.conf.in b/bin/tests/system/allow-query/ns2/named08.conf.in index 316b1bbfbd..ffa4cdc8d6 100644 --- a/bin/tests/system/allow-query/ns2/named08.conf.in +++ b/bin/tests/system/allow-query/ns2/named08.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -18,6 +20,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { accept; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named09.conf.in b/bin/tests/system/allow-query/ns2/named09.conf.in index 211c8bff7b..49166e64fd 100644 --- a/bin/tests/system/allow-query/ns2/named09.conf.in +++ b/bin/tests/system/allow-query/ns2/named09.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -18,6 +20,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query {! accept; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in index 7d43e364bb..a9cb0b21f3 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; @@ -21,6 +23,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { key one; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in index 295251880d..372f4f3655 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in 
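Review bot: Replacing `hmac-md5` with `@DEFAULT_HMAC@` in `key one` is the right direction — HMAC-MD5 should not be the algorithm a fixture reaches for — but the substituted algorithm has to match what the client side of the allow-query tests uses when signing with this key, and that side is not in this hunk; if the test driver still passes `hmac-md5` to `dig -y`, TSIG verification fails and every `allow-query { key one; }` check in named10–named12 turns into a false negative. Confirm the driver uses the same substitution. Since the `1234abcd8765` secret is shared across several of these fixtures, a short comment marking it as a test-only value would also discourage it being copied into a real configuration.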
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -1,21 +1,23 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; @@ -27,6 +29,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { key one; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in index 0c01071987..5dc3e776ea 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; 
@@ -21,6 +23,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query {! key one; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named21.conf.in b/bin/tests/system/allow-query/ns2/named21.conf.in index 5d09497b26..c6204a3b6c 100644 --- a/bin/tests/system/allow-query/ns2/named21.conf.in +++ b/bin/tests/system/allow-query/ns2/named21.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named22.conf.in b/bin/tests/system/allow-query/ns2/named22.conf.in index 8b738992d9..454f24a59c 100644 --- a/bin/tests/system/allow-query/ns2/named22.conf.in +++ b/bin/tests/system/allow-query/ns2/named22.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named23.conf.in b/bin/tests/system/allow-query/ns2/named23.conf.in index 46f9013dfa..f62337bc28 100644 --- a/bin/tests/system/allow-query/ns2/named23.conf.in +++ b/bin/tests/system/allow-query/ns2/named23.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named24.conf.in b/bin/tests/system/allow-query/ns2/named24.conf.in index f4309fe797..1e277a95aa 100644 --- a/bin/tests/system/allow-query/ns2/named24.conf.in +++ b/bin/tests/system/allow-query/ns2/named24.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named25.conf.in b/bin/tests/system/allow-query/ns2/named25.conf.in index 5d1418882d..0548af2488 100644 --- a/bin/tests/system/allow-query/ns2/named25.conf.in +++ b/bin/tests/system/allow-query/ns2/named25.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named26.conf.in b/bin/tests/system/allow-query/ns2/named26.conf.in index 0bbdc4868d..40e5dfd175 100644 --- a/bin/tests/system/allow-query/ns2/named26.conf.in +++ b/bin/tests/system/allow-query/ns2/named26.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named27.conf.in b/bin/tests/system/allow-query/ns2/named27.conf.in index 4f6c9c7f5a..92fa1f8bd1 100644 --- a/bin/tests/system/allow-query/ns2/named27.conf.in +++ b/bin/tests/system/allow-query/ns2/named27.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -17,6 +19,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named28.conf.in b/bin/tests/system/allow-query/ns2/named28.conf.in index 408d49deec..2ecac7ce83 100644 --- a/bin/tests/system/allow-query/ns2/named28.conf.in +++ b/bin/tests/system/allow-query/ns2/named28.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -17,6 +19,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named29.conf.in b/bin/tests/system/allow-query/ns2/named29.conf.in index 8bd63deeb8..9a6c9e5a0e 100644 --- a/bin/tests/system/allow-query/ns2/named29.conf.in +++ b/bin/tests/system/allow-query/ns2/named29.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -17,6 +19,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in index 4c172929ca..975b039a5f 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; @@ -20,6 +22,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in index a2690a4523..c9b11aee82 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -1,21 +1,23 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; @@ -27,6 +29,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { key one; }; + dnssec-validation no; }; include "controls.conf"; 
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in index a0708c8ee3..54a45f22ea 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; @@ -20,6 +22,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named33.conf.in b/bin/tests/system/allow-query/ns2/named33.conf.in index d11956db3b..be31b72051 100644 --- a/bin/tests/system/allow-query/ns2/named33.conf.in +++ b/bin/tests/system/allow-query/ns2/named33.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { none; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named34.conf.in b/bin/tests/system/allow-query/ns2/named34.conf.in index ff16428175..165ff06b05 100644 --- a/bin/tests/system/allow-query/ns2/named34.conf.in +++ b/bin/tests/system/allow-query/ns2/named34.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { any; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in index 687768ea38..2eb9191a37 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -14,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; @@ -29,6 +31,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named53.conf.in b/bin/tests/system/allow-query/ns2/named53.conf.in index 59e1485343..bd0af28420 100644 --- a/bin/tests/system/allow-query/ns2/named53.conf.in +++ b/bin/tests/system/allow-query/ns2/named53.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { none; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named54.conf.in b/bin/tests/system/allow-query/ns2/named54.conf.in index d96c24eed9..a6ca42442d 100644 --- a/bin/tests/system/allow-query/ns2/named54.conf.in +++ b/bin/tests/system/allow-query/ns2/named54.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,6 +18,7 @@ options { listen-on-v6 { none; }; recursion no; allow-query { any; }; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named55.conf.in b/bin/tests/system/allow-query/ns2/named55.conf.in index 8e336b5e7c..6bcba0771c 100644 --- a/bin/tests/system/allow-query/ns2/named55.conf.in +++ b/bin/tests/system/allow-query/ns2/named55.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named56.conf.in b/bin/tests/system/allow-query/ns2/named56.conf.in index 6c82c360ea..d89a5fbabc 100644 --- a/bin/tests/system/allow-query/ns2/named56.conf.in +++ b/bin/tests/system/allow-query/ns2/named56.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns2/named57.conf.in b/bin/tests/system/allow-query/ns2/named57.conf.in index cce8de7f47..bcc3a85dca 100644 --- a/bin/tests/system/allow-query/ns2/named57.conf.in +++ b/bin/tests/system/allow-query/ns2/named57.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,6 +17,7 @@ options { listen-on { 10.53.0.2; }; listen-on-v6 { none; }; recursion no; + dnssec-validation no; }; include "controls.conf"; diff --git a/bin/tests/system/allow-query/ns3/named.args b/bin/tests/system/allow-query/ns3/named.args index 35e99d8dd8..e875a57bc7 100644 --- a/bin/tests/system/allow-query/ns3/named.args +++ b/bin/tests/system/allow-query/ns3/named.args 
@@ -1,2 +1,2 @@ # this server only has 127.0.0.1 in its localhost/localnets ACLs --m record,size,mctx -c named.conf -d 99 -D allow-query-ns3 -X named.lock -g -T maxcachesize=2097152 -T fixedlocal +-m record -c named.conf -d 99 -D allow-query-ns3 -X named.lock -g -T maxcachesize=2097152 -T fixedlocal diff --git a/bin/tests/system/allow-query/ns3/named1.conf.in b/bin/tests/system/allow-query/ns3/named1.conf.in index 93db51303a..74b9885bcc 100644 --- a/bin/tests/system/allow-query/ns3/named1.conf.in +++ b/bin/tests/system/allow-query/ns3/named1.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -20,7 +22,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/allow-query/ns3/named2.conf.in b/bin/tests/system/allow-query/ns3/named2.conf.in index b1ebeda527..c4a4e8fb88 100644 --- a/bin/tests/system/allow-query/ns3/named2.conf.in +++ b/bin/tests/system/allow-query/ns3/named2.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -23,7 +25,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/allow-query/ns3/named3.conf.in b/bin/tests/system/allow-query/ns3/named3.conf.in index 97124c02b1..0e1f7b0211 100644 --- a/bin/tests/system/allow-query/ns3/named3.conf.in +++ b/bin/tests/system/allow-query/ns3/named3.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -23,7 +25,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/allow-query/ns3/named4.conf.in b/bin/tests/system/allow-query/ns3/named4.conf.in index 5f62658fda..36ff9114f3 100644 --- a/bin/tests/system/allow-query/ns3/named4.conf.in +++ b/bin/tests/system/allow-query/ns3/named4.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -23,7 +25,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/allow-query/setup.sh b/bin/tests/system/allow-query/setup.sh index b3f49de9c7..c85676ef8e 100644 --- a/bin/tests/system/allow-query/setup.sh +++ b/bin/tests/system/allow-query/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh index cdc970a121..4455130526 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -50,6 +52,8 @@ # and querying as necessary. # +set -e + . ../conf.sh DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}" @@ -60,17 +64,17 @@ n=0 nextpart ns2/named.run > /dev/null # Test 1 - default, query allowed -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: default - query allowed" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 2 - explicit any, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named02.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -80,10 +84,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 3 - none, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named03.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -91,12 +95,26 @@ echo_i "test $n: none - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +noedns -p ${PORT}" + +echo_i "test $n: none - query refused (no edns)" +ret=0 +$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 4 - address allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named04.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -106,10 +124,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 5 - address not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named05.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
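Review bot: The new "none - query refused (no edns)" test inserted after Test 3 has no `# Test …` heading, and because it increments `n`, every heading from `# Test 4` through `# Test 12` below now names a number one lower than the `$n` that `echo_i` prints, which makes failures hard to match back to the script. Either add a heading such as `# Test 4 - none, query refused (no EDNS)` and renumber the following headings, or note explicitly that the headings no longer track `$n`. `DIGNOEDNS` is also defined in the middle of the test sequence; placing it next to `DIGOPTS` after `. ../conf.sh` would keep the two dig option sets together. The added `nextpart ns2/named.run | grep 'recursion not enabled for view'` check pins the test to the exact wording of a log message that is not visible in this diff, so that dependency is worth a short comment on the line.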
@@ -117,12 +135,13 @@ echo_i "test $n: address not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 6 - address disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named06.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -130,12 +149,13 @@ echo_i "test $n: address disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 7 - acl allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named07.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -145,10 +165,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 8 - acl not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named08.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -156,13 +176,14 @@ echo_i "test $n: acl not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 9 - acl disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named09.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -170,54 +191,57 @@ echo_i "test $n: acl disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 10 - key allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named10.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 11 - key not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named11.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 12 - key disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named12.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" 
ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # The next set of tests check if allow-query works in a view n=20 # Test 21 - views default, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named21.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -227,10 +251,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 22 - views explicit any, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named22.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -240,10 +264,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 23 - views none, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named23.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -251,12 +275,13 @@ echo_i "test $n: views none - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 24 - views address allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named24.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -266,10 +291,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 25 - views address not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named25.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -277,12 +302,13 @@ echo_i "test $n: views address not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 26 - views address disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named26.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -290,12 +316,13 @@ echo_i "test $n: views address disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 27 - views acl allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named27.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -305,10 +332,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 28 - views acl not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named28.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -316,12 +343,13 @@ echo_i "test $n: views acl not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 29 - views acl disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named29.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -329,51 +357,54 @@ echo_i "test $n: views acl disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 30 - views key allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named30.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 31 - views key not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named31.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 32 - views key disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named32.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 echo_i "test 
$n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 33 - views over options, views allow, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named33.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -383,10 +414,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 34 - views over options, views disallow, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named34.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -394,16 +425,17 @@ echo_i "test $n: views over options, views disallow - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Tests for allow-query in the zone statements n=40 # Test 41 - zone default, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named40.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -413,120 +445,127 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 42 - zone explicit any, query allowed -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone explicit any - query allowed" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 43 - zone none, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone none - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 44 - zone address allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone address allowed - query allowed" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 45 - zone address not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone address not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 
(Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 46 - zone address disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone address disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 47 - zone acl allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone acl allowed - query allowed" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 48 - zone acl not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone acl not allowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 49 - zone acl disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone acl disallowed - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 
(Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 50 - zone key allowed, query allowed -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 51 - zone key not allowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 52 - zone key disallowed, query refused -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > 
/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 53 - zones over options, zones allow, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named53.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -536,10 +575,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 54 - zones over options, zones disallow, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named54.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -547,12 +586,13 @@ echo_i "test $n: views over options, views disallow - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 55 - zones over views, zones allow, query allowed -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named55.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -562,10 +602,10 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 56 - zones over views, zones disallow, query refused -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named56.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -573,12 +613,13 @@ echo_i "test $n: zones over views, views disallow - query refused" ret=0 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 57 - zones over views, zones disallow, query refused (allow-query-on) -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns2/named57.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -589,34 +630,40 @@ grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1 grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 58 - allow-recursion default -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: default allow-recursion configuration" ret=0 +nextpart ns3/named.run > /dev/null $DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 59 - allow-query-cache default -n=`expr $n + 1` +n=$((n + 1)) echo_i "test $n: default allow-query-cache configuration" ret=0 $DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . 
> dig.out.ns3.2.$n grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 60 - block recursion-on, allow query-cache-on -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 @@ -630,11 +677,12 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 61 - inheritance of allow-query-cache-on from allow-recursion-on -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 @@ -647,6 +695,7 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 # this should require recursion and should be allowed $DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 
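Review bot: The `$DIG -p ${PORT} @10.53.0.3 ...` invocations in tests 58 and 59 redirect into `dig.out.ns3.*.$n` but carry no `|| ret=1`, unlike the `$DIG $DIGOPTS ... || ret=1` lines earlier in this hunk, so a dig that exits non-zero is only caught indirectly by the following grep on a possibly empty file; `$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n || ret=1` keeps the accounting uniform. The new `nextpart ns3/named.run | grep 'allow-recursion did not match'` check in test 59 greps for the allow-recursion message inside the allow-query-cache test, presumably because the cache ACL defaults to the recursion ACL; a one-line comment saying so, e.g. `# allow-query-cache defaults to allow-recursion, so the same log line is expected`, would save the next reader a lookup. The test 59 block continues past the end of the hunk.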
@@ -654,11 +703,13 @@ grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Test 62 - inheritance of allow-recursion-on from allow-query-cache-on -n=`expr $n + 1` +n=$((n + 1)) copy_setports ns3/named4.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 @@ -671,6 +722,7 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 # this should require recursion and should be allowed $DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 @@ -678,8 +730,10 @@ grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 $DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/allow-query/tests_sh_allowquery.py b/bin/tests/system/allow-query/tests_sh_allowquery.py new file mode 100644 index 0000000000..ce20d79a8e --- /dev/null +++ b/bin/tests/system/allow-query/tests_sh_allowquery.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_allowquery(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl index 8fcabc07ac..bbae89ef57 100644 --- a/bin/tests/system/ans.pl +++ b/bin/tests/system/ans.pl @@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -93,6 +95,8 @@ if (!$mainport) { $mainport = 5300; } my $ctrlport = int($ENV{'EXTRAPORT1'}); if (!$ctrlport) { $ctrlport = 5301; } +my $hmac_algorithm = $ENV{'DEFAULT_HMAC'}; +if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; } # XXX: we should also be able to set the port numbers to listen on. my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr", @@ -172,6 +176,7 @@ sub handleUDP { } else { $tsig = Net::DNS::RR->new( name => $key_name, + algorithm => $hmac_algorithm, type => 'TSIG', key => $key_data); } 
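Review bot: `test_allowquery` has no docstring, and the `run_tests_sh` fixture it delegates to is defined elsewhere, so a reader of this file cannot tell what is actually executed; a one-liner such as `"""Run the legacy tests.sh of the allow-query system test through the shared run_tests_sh fixture."""` would make the indirection explicit. The fixture itself is outside the visible hunks.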
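Review bot: The fallback in `if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; }` only triggers when `DEFAULT_HMAC` is absent from the environment; if the harness exports it as an empty string, the `@@ -172,6 +176,7 @@` hunk in handleUDP passes `algorithm => ''` to `Net::DNS::RR->new`, and signing will presumably fail with a much less obvious error than a missing variable. `if (!defined($hmac_algorithm) || $hmac_algorithm eq '') { $hmac_algorithm = "hmac-sha256"; }` covers both cases. The value has to agree with the `-y "${DEFAULT_HMAC}:one:..."` arguments the shell tests pass to dig, so a comment stating that the default mirrors the one used by the test scripts would help whoever changes either side; where the shell side defines `DEFAULT_HMAC` is not visible here.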
@@ -200,7 +205,7 @@ sub handleUDP { $prev_tsig->mac); } } - + $packet->sign_tsig($tsig); } last; @@ -248,7 +253,7 @@ sub packetlen { } else { ($header, $offset) = Net::DNS::Header->parse(\$data); } - + for (1 .. $header->qdcount) { if ($decode) { ($q, $offset) = @@ -334,7 +339,7 @@ sub handleTCP { ($request, $err) = new Net::DNS::Packet(\$buf, 0); $err and die $err; } - + my @questions = $request->question; my $qname = $questions[0]->qname; my $qtype = $questions[0]->qtype; @@ -382,12 +387,13 @@ sub handleTCP { if (defined($key_name) && defined($key_data)) { my $tsig; # sign the packet - print " Signing the data with " . + print " Signing the data with " . "$key_name/$key_data\n"; if ($Net::DNS::VERSION < 0.69) { $tsig = Net::DNS::RR->new( "$key_name TSIG $key_data"); + $tsig->algorithm = $hmac_algorithm; } elsif ($Net::DNS::VERSION >= 0.81 && $continuation) { } elsif ($Net::DNS::VERSION >= 0.75 && @@ -396,6 +402,7 @@ sub handleTCP { } else { $tsig = Net::DNS::RR->new( name => $key_name, + algorithm => $hmac_algorithm, type => 'TSIG', key => $key_data); } @@ -424,7 +431,7 @@ sub handleTCP { $prev_tsig->mac); } } - + $tsig->sign_func($signer) if defined($signer); $tsig->continuation($continuation) if ($Net::DNS::VERSION >= 0.71 && diff --git a/bin/tests/system/auth/clean.sh b/bin/tests/system/auth/clean.sh index adb9b67e66..5fb37aca02 100644 --- a/bin/tests/system/auth/clean.sh +++ b/bin/tests/system/auth/clean.sh @@ -1,7 +1,11 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
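Review bot: `$tsig->algorithm = $hmac_algorithm;` in the `$Net::DNS::VERSION < 0.69` branch of handleTCP assigns to the result of a method call; unless `algorithm` is an lvalue accessor in those old Net::DNS releases, Perl dies at runtime with "Can't modify non-lvalue subroutine call", so the branch fails on its first signed response. The setter form `$tsig->algorithm($hmac_algorithm);` is the conventional Net::DNS accessor call and mirrors the `algorithm => $hmac_algorithm` argument the newer branch passes to `new`. The corresponding `< 0.69` branch in handleUDP is outside the visible hunks, so it is worth checking that it received the same treatment, and the handleTCP body continues beyond this hunk.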
diff --git a/bin/tests/system/auth/ns1/chaos.db b/bin/tests/system/auth/ns1/chaos.db
index f34e7b9a48..bbd489ab4a 100644
--- a/bin/tests/system/auth/ns1/chaos.db
+++ b/bin/tests/system/auth/ns1/chaos.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
index a61c88229e..67688950ed 100644
--- a/bin/tests/system/auth/ns1/example.com.db
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db
index 66aa33dc5f..29885ca414 100644
--- a/bin/tests/system/auth/ns1/example.net.db
+++ b/bin/tests/system/auth/ns1/example.net.db
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in index 38dbcd2749..9d0a517b68 100644 --- a/bin/tests/system/auth/ns1/named.conf.in +++ b/bin/tests/system/auth/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -19,6 +21,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + dnssec-validation no; }; view main in { diff --git a/bin/tests/system/auth/ns2/named.conf.in b/bin/tests/system/auth/ns2/named.conf.in index f2b8b853fb..9b82c5005b 100644 --- a/bin/tests/system/auth/ns2/named.conf.in +++ b/bin/tests/system/auth/ns2/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -19,6 +21,7 @@ options { listen-on-v6 { none; }; recursion yes; notify no; + dnssec-validation no; }; zone example.net { diff --git a/bin/tests/system/auth/setup.sh b/bin/tests/system/auth/setup.sh index 5c160b922e..6929ec541d 100644 --- a/bin/tests/system/auth/setup.sh +++ b/bin/tests/system/auth/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh index da4fb95e9e..6cd4a272a1 100644 --- a/bin/tests/system/auth/tests.sh +++ b/bin/tests/system/auth/tests.sh 
@@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh DIGOPTS="+tcp -p ${PORT}" @@ -16,7 +20,7 @@ DIGOPTS="+tcp -p ${PORT}" status=0 n=0 -n=`expr $n + 1` +n=$((n + 1)) echo_i "wait for zones to finish transferring to ns2 ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do @@ -30,13 +34,13 @@ do sleep 1 done [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) # # If recursion is unrequested or unavailable, then cross-zone CNAME records # should not be followed. If both requested and available, they should be. # -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" ret=0 $DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 @@ -45,9 +49,9 @@ grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" ret=0 $DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 
@@ -56,9 +60,9 @@ grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" ret=0 $DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 @@ -67,9 +71,9 @@ grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 @@ -78,12 +82,12 @@ grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) # # In-zone CNAME records should always be followed regardless of RD and RA. # -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" ret=0 $DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 
@@ -92,9 +96,9 @@ grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" ret=0 $DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 @@ -103,9 +107,9 @@ grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" ret=0 $DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 @@ -114,9 +118,9 @@ grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 
@@ -125,9 +129,9 @@ grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 @@ -136,9 +140,9 @@ grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 @@ -147,9 +151,9 @@ grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 
@@ -160,9 +164,9 @@ grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$ grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 @@ -173,16 +177,16 @@ grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$ grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that CHAOS addresses are compared correctly ($n)" ret=0 $DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n -lines=`wc -l < dig.out.test$n` +lines=$(wc -l < dig.out.test$n) [ ${lines:-0} -eq 2 ] || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/auth/tests_sh_auth.py b/bin/tests/system/auth/tests_sh_auth.py new file mode 100644 index 0000000000..97233fa27d --- /dev/null +++ b/bin/tests/system/auth/tests_sh_auth.py 
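Review bot: With `set -e` now enabled at the top of this file (earlier hunk), the CHAOS check's `$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n` is the only dig invocation in the script without a `|| ret=1` guard, so a non-zero exit from dig (unreachable server, timeout) aborts the whole script before the `exit status` summary instead of being recorded as a failed test. Every other check in this file follows the `... || ret=1` pattern; this line should too: `$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n || ret=1`. The `[ ${lines:-0} -eq 2 ]` assertion on the next line would then report the failure through `status` as intended.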
@@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_auth(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 7a1101d6dd..02ae2c1ee1 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -1,14 +1,17 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +rm -f ./dsset-* rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk rm -f */core rm -f */example.bk 
@@ -16,56 +19,59 @@ rm -f */named.conf rm -f */named.memstats rm -f */named.run* rm -f */trusted.conf */private.conf -rm -f activate-now-publish-1day.key -rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key -rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* rm -f digcomp.out.test* -rm -f digcomp.out.test* -rm -f missingzsk.key inactivezsk.key +rm -f activate-now-publish-1day.key prepub.key +rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key +rm -f delayksk.key delayzsk.key autoksk.key autozsk.key +rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f nopriv.key vanishing.key del1.key del2.key +rm -rf ns*/inactive rm -f ns*/managed-keys.bind* rm -f ns*/named.lock -rm -f ns*/named.lock -rm -f ns1/root.db +rm -f ns1/root.db ns1/root.db.1 ns1/root.db.2 ns1/root.db.3 +rm -f ns1/signing.out +rm -f ns2/bar.db +rm -f ns2/child.nsec3.example.db +rm -f ns2/child.optout.example.db rm -f ns2/example.db -rm -f ns2/private.secure.example.db ns2/bar.db +rm -f ns2/insecure.secure.example.db +rm -f ns2/optout-with-ent.db +rm -f ns2/private.secure.example.db +rm -f ns2/signing.* rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf +rm -f ns3/*.jbk rm -f ns3/autonsec3.example.db +rm -f ns3/delay.example.db ns3/delay.example.1 ns3/delay.example.2 rm -f ns3/delzsk.example.db rm -f ns3/dname-at-apex-nsec3.example.db -rm -f ns3/inacksk2.example.db -rm -f ns3/inacksk3.example.db rm -f ns3/inaczsk2.example.db -rm -f ns3/inaczsk3.example.db rm -f ns3/jitter.nsec3.example.db rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/kskonly.example.db rm -f ns3/named.ns3.prev +rm -f ns3/noksk.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db -rm -f ns3/nsec.example.db +rm -f ns3/nsec-only.example.db rm -f ns3/nsec3-to-nsec.example.db rm -f ns3/nsec3.example.db rm -f ns3/nsec3.nsec3.example.db rm -f ns3/nsec3.optout.example.db -rm -f ns3/oldsigs.example.db +rm -f ns3/oldsigs.example.db 
ns3/oldsigs.example.db.bak rm -f ns3/optout.example.db rm -f ns3/optout.nsec3.example.db rm -f ns3/optout.optout.example.db rm -f ns3/prepub.example.db -rm -f ns3/prepub.example.db.in rm -f ns3/reconf.example.db rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db -rm -f ns3/secure-to-insecure.example.db -rm -f ns3/secure-to-insecure2.example.db rm -f ns3/secure.example.db rm -f ns3/secure.nsec3.example.db rm -f ns3/secure.optout.example.db rm -f ns3/settime.out.* rm -f ns3/sync.example.db rm -f ns3/ttl*.db -rm -f nsupdate.out +rm -f nsupdate.out.test* rm -f settime.out.* -rm -f signing.out.* +rm -f signing.* rm -f sync.key diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index a218c0521f..bc4836e876 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
@@ -17,20 +19,20 @@ infile=root.db.in (cd ../ns2 && $SHELL keygen.sh ) -cat $infile ../ns2/dsset-example$TP > $zonefile +cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile -zskact=`$KEYGEN -3 -a RSASHA1 -q $zone` -zskvanish=`$KEYGEN -3 -a RSASHA1 -q $zone` -zskdel=`$KEYGEN -3 -a RSASHA1 -q -D now $zone` -zskinact=`$KEYGEN -3 -a RSASHA1 -q -I now $zone` -zskunpub=`$KEYGEN -3 -a RSASHA1 -q -G $zone` -zsksby=`$KEYGEN -3 -a RSASHA1 -q -A none $zone` -zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -A now -P +1d $zone` -zsknopriv=`$KEYGEN -3 -a RSASHA1 -q $zone` +zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskdel=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -D now $zone) +zskinact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -I now $zone) +zskunpub=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -G $zone) +zsksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A none $zone) +zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone) +zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) rm $zsknopriv.private -ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone` -kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone` +ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now -fk $zone) +kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now -fk $zone) keyfile_to_static_ds $ksksby > trusted.conf cp trusted.conf ../ns2/trusted.conf @@ -49,3 +51,5 @@ echo $zsknopriv > ../nopriv.key echo $zsksby > ../standby.key echo $zskactnowpub1d > ../activate-now-publish-1day.key $REVOKE -R $kskrev > ../rev.key + +$SIGNER -S -o . -O full root.db > signing.out 2>&1 diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in index 0c3a4bf6b8..6421482595 100644 --- a/bin/tests/system/autosign/ns1/named.conf.in +++ b/bin/tests/system/autosign/ns1/named.conf.in 
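Review bot: `(cd ../ns2 && $SHELL keygen.sh )` runs the child script through `$SHELL`, so the `-e` on ns2/keygen.sh's `#!/bin/sh -e` line is not honored and a failing `$KEYGEN` or `$DSFROMKEY` there does not stop setup; the next line, `cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile`, would then run with a missing DS set. Passing the flag explicitly, `(cd ../ns2 && $SHELL -e keygen.sh )`, restores fail-fast behaviour for the child. Whether this script's own shebang `-e` is honored depends on how setup.sh calls it, which is not visible here, so an explicit `set -e` after the license header would be safer than relying on the shebang.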
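Review bot: The new `$SIGNER -S -o . -O full root.db > signing.out 2>&1` swallows both stdout and stderr, so if signing fails the only symptom is named later refusing to load `root.db.signed` (which ns1/named.conf.in now points at), far from the cause; the script's only fail-fast mechanism is the shebang `-e`, which is bypassed when it is run as `$SHELL keygen.sh`. Surface the failure where it happens: `$SIGNER -S -o . -O full root.db > signing.out 2>&1 || { cat signing.out; exit 1; }`. A short comment above the line saying that `root.db.signed` is the file named.conf.in loads would also help the next reader connect the two files.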
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -26,7 +28,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -35,11 +37,10 @@ controls { zone "." { type primary; - file "root.db"; + file "root.db.signed"; allow-transfer { any; }; - allow-query { any; }; allow-update { any; }; - auto-dnssec maintain; + allow-query { any; }; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in index 4ed999092c..6715a026b3 100644 --- a/bin/tests/system/autosign/ns1/root.db.in +++ b/bin/tests/system/autosign/ns1/root.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.key b/bin/tests/system/autosign/ns2/Xbar.+005+30676.key deleted file mode 100644 index 7428d5caf7..0000000000 --- a/bin/tests/system/autosign/ns2/Xbar.+005+30676.key +++ /dev/null 
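Review bot: The `zone "."` block drops `auto-dnssec maintain;` and switches to the pre-signed `root.db.signed`, but keeps `allow-update { any; };` and `allow-transfer { any; };`, so the config no longer states who keeps signatures valid after a dynamic update; presumably named re-signs with keys from its key directory, but the `options` block that would show a `key-directory` is outside this hunk. A one-line comment would spare the next reader that archaeology, e.g. `// pre-signed by ns1/keygen.sh (dnssec-signzone); open allow-update/allow-transfer are deliberate for this test fixture`. If updates are intentionally *not* re-signed in this test, the comment should say that instead.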
@@ -1,5 +0,0 @@ -; This is a key-signing key, keyid 30676, for bar. -; Created: Sat Dec 26 03:13:10 2009 -; Publish: Sat Dec 26 03:13:10 2009 -; Activate: Sat Dec 26 03:13:10 2009 -bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU= diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.private b/bin/tests/system/autosign/ns2/Xbar.+005+30676.private deleted file mode 100644 index dcc0fbdf17..0000000000 --- a/bin/tests/system/autosign/ns2/Xbar.+005+30676.private +++ /dev/null 
@@ -1,13 +0,0 @@ -Private-key-format: v1.3 -Algorithm: 5 (RSASHA1) -Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q== -PublicExponent: AQAB -PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q== -Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0= -Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk= -Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE= -Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE= -Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8= -Created: 20091226021310 -Publish: 20091226021310 -Activate: 20091226021310 diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.key b/bin/tests/system/autosign/ns2/Xbar.+005+30804.key deleted file mode 100644 index ab53d8c607..0000000000 
--- a/bin/tests/system/autosign/ns2/Xbar.+005+30804.key +++ /dev/null @@ -1,5 +0,0 @@ -; This is a key-signing key, keyid 30804, for bar. -; Created: Sat Dec 26 03:13:10 2009 -; Publish: Sat Dec 26 03:13:10 2009 -; Activate: Sat Dec 26 03:13:10 2009 -bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU= diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.private b/bin/tests/system/autosign/ns2/Xbar.+005+30804.private deleted file mode 100644 index 79f8d3b4cf..0000000000 --- a/bin/tests/system/autosign/ns2/Xbar.+005+30804.private +++ /dev/null 
@@ -1,13 +0,0 @@ -Private-key-format: v1.3 -Algorithm: 5 (RSASHA1) -Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q== -PublicExponent: AQCB -PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ== -Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0= -Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk= -Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk= -Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk= -Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8= -Created: 20091226021310 -Publish: 20091226021310 -Activate: 20091226021310 diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.key b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key new file mode 100644 index 0000000000..1f4d1f4d45 --- /dev/null 
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 59973, for bar. +; Created: 20220623022335 (Thu Jun 23 12:23:35 2022) +; Publish: 20220623022335 (Thu Jun 23 12:23:35 2022) +; Activate: 20220623022335 (Thu Jun 23 12:23:35 2022) +bar. IN DNSKEY 257 3 13 QT6CpMaV4BT072+NaKLY5H01Mj2r1MOgsxgoiTAq1Fbf6rrkEWpnbktu Dh9Ol9kuzcUrefxDuxNwsXJu3iDPxw== diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.private b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private new file mode 100644 index 0000000000..708d242da3 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private @@ -0,0 +1,6 @@ +Private-key-format: v1.3 +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: joFZ8vCdyqkgMb6rZ0zanrdrzOSCg1GyEJV6tp5F+Bw= +Created: 20220623022335 +Publish: 20220623022335 +Activate: 20220623022335 diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.key b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key new file mode 100644 index 0000000000..0c478408a6 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 60101, for bar. +; Created: 20220623022331 (Thu Jun 23 12:23:31 2022) +; Publish: 20220623022331 (Thu Jun 23 12:23:31 2022) +; Activate: 20220623022331 (Thu Jun 23 12:23:31 2022) +bar. IN DNSKEY 257 3 13 dLGGOAE5uJd53Gci9MdymaRTMwsXVn13j05IfGJoVt9ucpeXpoIKVViX JNVE/uO4eJvkHycdEAvdVUWcslEmMQ== diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.private b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private new file mode 100644 index 0000000000..6ca837002f --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private @@ -0,0 +1,6 @@ +Private-key-format: v1.3 +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: pTTXxZUTzeVBXHMUJxTMxjh9yU4oxDtEhEvpkj+olf0= +Created: 20220623022331 +Publish: 20220623022331 +Activate: 20220623022331 
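Review bot: Nothing documents why exactly these two ECDSAP256SHA256 keys are checked in: 60101 = 59973 + 128, which is the tag key 59973 acquires once the REVOKE flag (0x80) is set, i.e. the collision the "revoke-to-duplicate-key test" in ns2/keygen.sh exercises; that relationship is far less obvious than with the old RSA pair that shared a modulus. A `;` comment in the header of each `.key` file, e.g. `; Revoking this key yields tag 60101, colliding with Xbar.+013+60101 (revoke-to-duplicate-key test)`, would keep the fixture self-explaining, assuming the key loader tolerates extra comment lines (the generated files already carry `;` comments). Committing the matching `.private` files is expected here: they are test-only keys that keygen.sh copies into place.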
diff --git a/bin/tests/system/autosign/ns2/bar.db.in b/bin/tests/system/autosign/ns2/bar.db.in index a78c518b0b..8a9fa987a8 100644 --- a/bin/tests/system/autosign/ns2/bar.db.in +++ b/bin/tests/system/autosign/ns2/bar.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bin/tests/system/autosign/ns2/child.nsec3.example.db deleted file mode 100644 index 8c7db6531c..0000000000 --- a/bin/tests/system/autosign/ns2/child.nsec3.example.db +++ /dev/null @@ -1,18 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db.in b/bin/tests/system/autosign/ns2/child.nsec3.example.db.in new file mode 100644 index 0000000000..8fc3bc837e --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.nsec3.example.db.in 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db b/bin/tests/system/autosign/ns2/child.optout.example.db deleted file mode 100644 index 8c7db6531c..0000000000 --- a/bin/tests/system/autosign/ns2/child.optout.example.db +++ /dev/null @@ -1,18 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2006081400 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) -@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db.in b/bin/tests/system/autosign/ns2/child.optout.example.db.in new file mode 100644 index 0000000000..8fc3bc837e --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.optout.example.db.in 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/dst.example.db.in b/bin/tests/system/autosign/ns2/dst.example.db.in index 769d2b5f06..0039484964 100644 --- a/bin/tests/system/autosign/ns2/dst.example.db.in +++ b/bin/tests/system/autosign/ns2/dst.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in index d519863098..a970074dc8 100644 --- a/bin/tests/system/autosign/ns2/example.db.in +++ b/bin/tests/system/autosign/ns2/example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bin/tests/system/autosign/ns2/insecure.secure.example.db deleted file mode 100644 index 86552149e1..0000000000 --- a/bin/tests/system/autosign/ns2/insecure.secure.example.db +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db.in b/bin/tests/system/autosign/ns2/insecure.secure.example.db.in new file mode 100644 index 0000000000..14971bd7a6 --- /dev/null +++ b/bin/tests/system/autosign/ns2/insecure.secure.example.db.in 
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 265928e510..f9aa3bcdf1 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
@@ -14,41 +16,55 @@ # Have the child generate subdomain keys and pass DS sets to us. ( cd ../ns3 && $SHELL keygen.sh ) -for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \ - dname-at-apex-nsec3 +for subdomain in secure nsec3 optout rsasha256 rsasha512 \ + nsec3-to-nsec oldsigs dname-at-apex-nsec3 do - cp ../ns3/dsset-$subdomain.example$TP . + cp ../ns3/dsset-$subdomain.example. . done # Create keys and pass the DS to the parent. zone=example zonefile="${zone}.db" infile="${zonefile}.in" -cat $infile dsset-*.example$TP > $zonefile +cat $infile dsset-*.example. > $zonefile -kskname=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` -$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null -$DSFROMKEY $kskname.key > dsset-${zone}$TP +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null +$DSFROMKEY $kskname.key > dsset-${zone}. # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" -ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` -$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null keyfile_to_static_ds $ksk > private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > signing.privsec.out 2>&1 # Extract saved keys for the revoke-to-duplicate-key test zone=bar zonefile="${zone}.db" infile="${zonefile}.in" cat $infile > $zonefile -for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \ - Xbar.+005+30804.private +for i in Xbar.+013+59973.key Xbar.+013+59973.private \ + Xbar.+013+60101.key Xbar.+013+60101.private do - cp $i `echo $i | sed s/X/K/` + cp $i $(echo $i | sed s/X/K/) done -$KEYGEN -a RSASHA1 -q $zone > /dev/null -$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP +$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null 
+$DSFROMKEY Kbar.+013+60101.key > dsset-bar. +$SIGNER -S -o bar. -O full $zonefile > signing.bar.out 2>&1 + +# a zone with empty non-terminals. +zone=optout-with-ent +zonefile=optout-with-ent.db +infile=optout-with-ent.db.in +cat $infile > $zonefile +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null + +# Copy zone input files +cp child.nsec3.example.db.in child.nsec3.example.db +cp child.optout.example.db.in child.optout.example.db +cp insecure.secure.example.db.in insecure.secure.example.db diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index 5cdf863a1a..0dad4bde0d 100644 --- a/bin/tests/system/autosign/ns2/named.conf.in +++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
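Review bot: In the new `optout-with-ent` block the `kskname=$(...)` capture is never read afterwards, so either drop the assignment (`$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone > /dev/null`) or use it to emit a DS set the way the `example` block above does. The `bar` zone's `$KEYGEN -a ECDSAP256SHA256` deliberately departs from `${DEFAULT_ALGORITHM}` because it has to match the pre-generated `Xbar.+013+*` key files; a one-line comment saying so would stop someone from "fixing" it later. In the same loop `cp $i $(echo $i | sed s/X/K/)` can be written `cp "$i" "K${i#X}"`, which avoids the subshell and quotes the expansion.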
@@ -27,13 +29,47 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "autosign" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "private" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 2; +}; + +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + +dnssec-policy "optout" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 1 optout yes salt-length 0; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -45,17 +81,17 @@ zone "example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + inline-signing no; + dnssec-policy autosign; + sig-signing-type 65280; }; zone "bar" { type primary; - file "bar.db"; + file "bar.db.signed"; allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; - dnssec-dnskey-kskonly yes; }; zone "private.secure.example" { @@ -64,7 +100,8 @@ zone "private.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + inline-signing no; + dnssec-policy private; }; zone "insecure.secure.example" { 
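Review bot: `zone "bar"` now points at `bar.db.signed` and loses both `auto-dnssec maintain` and `dnssec-dnskey-kskonly yes` without gaining a `dnssec-policy`, so named will serve the file exactly as keygen.sh pre-signs it and will not maintain signatures; with `allow-update { any; };` still present, I would expect an update to that zone to leave stale or unsigned data unless the test no longer updates it. If that is intentional, a comment such as `// statically signed by keygen.sh (dnssec-signzone -O full); named does no key maintenance here` above the zone would make it clear. The four `dnssec-policy` blocks repeat identical `keys { ... }` stanzas and differ only in `nsec3param`; a comment on each naming the scenario it serves (NSEC vs NSEC3 vs opt-out) would help, since the names alone do not explain why `optout` uses `iterations 1` while the others use 0.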
@@ -73,7 +110,8 @@ zone "insecure.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + inline-signing no; + dnssec-policy autosign; }; zone "child.nsec3.example" { @@ -82,7 +120,8 @@ zone "child.nsec3.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + inline-signing no; + dnssec-policy nsec3; }; zone "child.optout.example" { @@ -91,7 +130,18 @@ zone "child.optout.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + inline-signing no; + dnssec-policy optout; +}; + +zone "optout-with-ent" { + type primary; + file "optout-with-ent.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + inline-signing no; + dnssec-policy optout; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/bin/tests/system/autosign/ns2/optout-with-ent.db.in new file mode 100644 index 0000000000..5a3e207f2c --- /dev/null +++ b/bin/tests/system/autosign/ns2/optout-with-ent.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns2.example. . ( + 2010042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +sub1.ent NS . +sub2.ent NS . diff --git a/bin/tests/system/autosign/ns2/private.secure.example.db.in b/bin/tests/system/autosign/ns2/private.secure.example.db.in index 37a77b72f5..29fcddf880 100644 
--- a/bin/tests/system/autosign/ns2/private.secure.example.db.in +++ b/bin/tests/system/autosign/ns2/private.secure.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/autonsec3.example.db.in b/bin/tests/system/autosign/ns3/autonsec3.example.db.in index 0b160d79c2..17964e856d 100644 --- a/bin/tests/system/autosign/ns3/autonsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/autonsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/delay.example.db b/bin/tests/system/autosign/ns3/delay.example.db deleted file mode 100644 index cbfb691d08..0000000000 --- a/bin/tests/system/autosign/ns3/delay.example.db +++ /dev/null 
@@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/delay.example.db.in b/bin/tests/system/autosign/ns3/delay.example.db.in new file mode 100644 index 0000000000..0b11a00b00 --- /dev/null +++ b/bin/tests/system/autosign/ns3/delay.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/delzsk.example.db.in b/bin/tests/system/autosign/ns3/delzsk.example.db.in index 241de31828..14fef543e8 100644 --- a/bin/tests/system/autosign/ns3/delzsk.example.db.in +++ b/bin/tests/system/autosign/ns3/delzsk.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in index c4a378eba1..080d111ce2 100644 --- a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in @@ -1,3 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + $TTL 600 @ SOA ns3.example. . 1 1200 1200 1814400 3600 @ NS ns3.example. diff --git a/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bin/tests/system/autosign/ns3/inacksk2.example.db.in deleted file mode 100644 index 90dcba9daf..0000000000 --- a/bin/tests/system/autosign/ns3/inacksk2.example.db.in +++ /dev/null 
@@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bin/tests/system/autosign/ns3/inacksk3.example.db.in deleted file mode 100644 index 90dcba9daf..0000000000 --- a/bin/tests/system/autosign/ns3/inacksk3.example.db.in +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/inaczsk.example.db.in b/bin/tests/system/autosign/ns3/inaczsk.example.db.in index 90dcba9daf..1376922f0a 100644 --- a/bin/tests/system/autosign/ns3/inaczsk.example.db.in +++ b/bin/tests/system/autosign/ns3/inaczsk.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/inaczsk2.example.db.in b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in index 90dcba9daf..1376922f0a 100644 --- a/bin/tests/system/autosign/ns3/inaczsk2.example.db.in +++ b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in deleted file mode 100644 index 90dcba9daf..0000000000 --- a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in +++ /dev/null 
@@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/insecure.example.db b/bin/tests/system/autosign/ns3/insecure.example.db index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/autosign/ns3/insecure.example.db +++ b/bin/tests/system/autosign/ns3/insecure.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in index aa08c7764d..8a96023454 100644 --- a/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index cc3462a727..fac4fc5811 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
@@ -24,32 +26,34 @@ setup () { zone="$1" zonefile="${zone}.db" infile="${zonefile}.in" - n=`expr ${n:-0} + 1` + n=$((${n:-0} + 1)) } +mkdir inactive + setup secure.example cp $infile $zonefile -ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # NSEC3/NSEC test zone # setup secure.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # NSEC3/NSEC3 test zone # setup nsec3.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # Jitter/NSEC3 test zone @@ -60,7 +64,7 @@ count=1 while [ $count -le 1000 ] do echo "label${count} IN TXT label${count}" >> $zonefile - count=`expr $count + 1` + count=$((count + 1)) done # Don't create keys just yet, because the scenario we want to test # is an unsigned zone that has a NSEC3PARAM record added with 
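Review bot: `mkdir inactive` runs under `#!/bin/sh -e` and aborts the whole script if the directory is left over from a previous run, and nothing in the hunk says what the directory is for; `mkdir -p inactive` plus a comment naming its consumer (presumably a later step parks retired key files there — confirm) would make this robust and self-explanatory. The `$DEFAULT_ALGORITHM` spelling here differs from `${DEFAULT_ALGORITHM}` in ns2/keygen.sh; either is fine, but the two scripts are otherwise parallel, so pick one. The `setup` function whose body is modified here begins before the hunk header.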
@@ -71,92 +75,99 @@ done # setup optout.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # A nsec3 zone (non-optout). # setup nsec3.example -cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +cat $infile dsset-*.${zone}. > $zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # An NSEC3 zone, with NSEC3 parameters set prior to signing # setup autonsec3.example cat $infile > $zonefile -ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out echo $ksk > ../autoksk.key -zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../autozsk.key -$DSFROMKEY $ksk.key > dsset-${zone}$TP +$DSFROMKEY $ksk.key > dsset-${zone}. # # OPTOUT/NSEC test zone # setup secure.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. 
# # OPTOUT/NSEC3 test zone # setup nsec3.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # OPTOUT/OPTOUT test zone # setup optout.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # A optout nsec3 zone. # setup optout.example -cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +cat $infile dsset-*.${zone}. > $zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # A RSASHA256 zone. # setup rsasha256.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA256 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # # A RSASHA512 zone. 
# setup rsasha512.example cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. # -# NSEC-only zone. +# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms. +# None of these algorithms are supported for signing in FIPS mode +# as they are MD5 and SHA1 based. # -setup nsec.example -cp $infile $zonefile -ksk=`$KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) +then + setup nsec-only.example + cp $infile $zonefile + ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out + $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out + $DSFROMKEY $ksk.key > dsset-${zone}. +else + echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" +fi # # Signature refresh test zone. Signatures are set to expire long 
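Review bot: When `testcrypto.sh -q RSASHA1` fails, the `nsec-only.example` zone gets no zone file, keys or DS set, and `setup` is not called, so the `n` counter is not incremented; whatever consumes `n` and whatever named.conf entry references `nsec-only.example` (neither is visible here) must tolerate the missing zone, otherwise named will report a load failure for it — worth confirming or documenting in the skip branch. The skip message could state the consequence, e.g. `echo_i "skip: nsec-only.example - signing with RSASHA1 not supported (zone not created)"`. The `RSASHA256`/`RSASHA512` ZSKs are bumped from `-b 1024` to `-b 2048`, which is the right direction, but the change is unannounced; a short comment that KSK and ZSK now intentionally share the 2048-bit size helps the next reader.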
@@ -168,48 +179,30 @@ count=1 while [ $count -le 1000 ] do echo "label${count} IN TXT label${count}" >> $zonefile - count=`expr $count + 1` + count=$((count + 1)) done -$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out +$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +cp $zonefile.signed $zonefile.bak mv $zonefile.signed $zonefile # # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out -# -# secure-to-insecure transition test zone; used to test removal of -# keys via nsupdate -# -setup secure-to-insecure.example -$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out - -# -# another secure-to-insecure transition test zone; used to test -# removal of keys on schedule. -# -setup secure-to-insecure2.example -ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out -echo $ksk > ../del1.key -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out -echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out - # # Introducing a pre-published key test. 
# setup prepub.example -infile="secure-to-insecure2.example.db.in" -$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out +infile="prepub.example.db.in" +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out +zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2> kg.out) || dumpit kg.out +echo $zsk > ../prepub.key $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # 
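Review bot: `infile="prepub.example.db.in"` after `setup prepub.example` is redundant, because `setup` already sets `infile="${zonefile}.in"`, which for this zone is exactly `prepub.example.db.in`; the old line deliberately pointed at another zone's input, so the replacement can simply be deleted. In the signature-refresh block, `cp $zonefile.signed $zonefile.bak` has no comment saying what the `.bak` copy is for (presumably a later check compares against the original signatures — confirm); a one-liner such as `# keep the original signed zone for later comparison` would help. The added `-x` on `$SIGNER -PS` changes which keys sign the DNSKEY RRset and is likewise undocumented.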
@@ -218,46 +211,59 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used -setup ttl2.example -$KEYGEN -a RSASHA1 -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +setup ttl2.example +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -a RSASHA1 -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -a RSASHA1 -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -a RSASHA1 -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out echo $ksk > ../delayksk.key -zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || 
dumpit kg.out +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../delayzsk.key +cp delay.example.db.in delay.example.db + +# +# A zone with signatures that are already expired, and the private KSK +# is missing. +# +setup noksk.example +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out +echo $ksk > ../noksk-ksk.key +rm -f ${ksk}.private # # A zone with signatures that are already expired, and the private ZSK # is missing. # setup nozsk.example -$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $zsk > ../missingzsk.key +echo $ksk > ../nozsk-ksk.key +echo $zsk > ../nozsk-zsk.key rm -f ${zsk}.private # 
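Review bot: In the new `noksk.example` block, `zsk=$(...)` is captured but never read, unlike the parallel `nozsk.example` block that records both `../nozsk-ksk.key` and `../nozsk-zsk.key`; either add `echo $zsk > ../noksk-zsk.key` for symmetry or generate the ZSK without capturing it. The ordering is correct — `rm -f ${ksk}.private` runs only after `$SIGNER` has produced the expired signatures — but a comment such as `# sign once, then discard the private KSK so named cannot re-sign the DNSKEY RRset` would make the scenario self-explanatory, as the nozsk block's comment does for its case.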
@@ -265,76 +271,48 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $zsk > ../inactivezsk.key
+echo $ksk > ../inaczsk-ksk.key
+echo $zsk > ../inaczsk-zsk.key
 $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
 
 #
-# A zone that is set to 'auto-dnssec maintain' during a reconfig
+# A zone that is set to 'dnssec-policy' during a reconfig
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
 
 #
-# A zone which generates CDS and CDNSEY RRsets automatically
+# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)
 #
 setup sync.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}.
 echo ns3/$ksk > ../sync.key
 
 #
-# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
+# A zone that generates CDS and CDNSKEY automatically
 #
 setup kskonly.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
-
-#
-# A zone that has a published inactive key that is autosigned.
-#
-setup inacksk2.example
-cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}.
 
 #
 # A zone that has a published inactive key that is autosigned.
 #
 setup inaczsk2.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
-
-#
-# A zone that starts with a active KSK + ZSK and a inactive ZSK.
-#
-setup inacksk3.example
-cp $infile $zonefile
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
-
-#
-# A zone that starts with a active KSK + ZSK and a inactive ZSK.
-#
-setup inaczsk3.example
-cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}.
 
 #
 # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
@@ -342,16 +320,19 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup delzsk.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
+cat $zsk.key >> $zonefile
+mv $zsk.key inactive/
+mv $zsk.private inactive/
 echo $zsk > ../delzsk.key
 
 #
-# Check that NSEC3 are correctly signed and returned from below a DNAME
+# Check that NSEC3 are correctly signed and returned from below a DNAME
 #
 setup dname-at-apex-nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}.
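Review bot: The rewritten comment for sync.example keeps the misspelling `CDNSEY` in `+# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)`; since the line is already being changed, it should read `CDNSKEY`. The sync.example and kskonly.example blocks are now identical (same key flags including `-P sync now`, same dsset file), so the only thing that distinguishes them is the policy assigned in ns3/named.conf.in elsewhere in this commit. The "(with an additional CSK)" wording is worth making explicit as coming from that policy rather than from this script, e.g. `# A zone which generates CDS and CDNSKEY RRsets automatically (the "sync" policy adds a CSK to the KSK/ZSK generated here)`.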
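Review bot: The two new `mv $zsk.key inactive/` / `mv $zsk.private inactive/` lines in the delzsk.example block are the only commands in this hunk without a failure check, and nothing in the hunk creates the `inactive/` directory; if it is missing, `mv` fails and the test proceeds with the supposedly inactive key still in the key directory, which defeats the setup. Guard it in the same style as the rest of the file, e.g. `mv $zsk.key $zsk.private inactive/ || { echo "moving inactive ZSK failed" >&2; exit 1; }`, or add `mkdir -p inactive` first if the directory is not created elsewhere. The comment introducing this block starts outside the hunk.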
diff --git a/bin/tests/system/autosign/ns3/kskonly.example.db.in b/bin/tests/system/autosign/ns3/kskonly.example.db.in
index c3dbada717..c6c7f88ea5 100644
--- a/bin/tests/system/autosign/ns3/kskonly.example.db.in
+++ b/bin/tests/system/autosign/ns3/kskonly.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 7c8f74f19a..343c743af3 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -31,13 +33,93 @@ options {
 
 key rndc_key {
 secret "1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
 };
 
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+# The default
+dnssec-policy "autosign" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+# Additional CSK
+dnssec-policy "sync" {
+ keys {
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+# NSEC3
+dnssec-policy "nsec3" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ nsec3param iterations 0 optout no salt-length 0;
+};
+
+# NSEC3 opt-out
+dnssec-policy "optout" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ nsec3param iterations 0 optout yes salt-length 0;
+};
+
+# Jitter
+dnssec-policy "jitter" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ signatures-validity P10D;
+ signatures-validity-dnskey P10D;
+ signatures-refresh P2D;
+};
+
+# Jitter, NSEC3
+dnssec-policy "jitter-nsec3" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ nsec3param iterations 0 optout no salt-length 0;
+
+ signatures-validity P10D;
+ signatures-validity-dnskey P10D;
+ signatures-refresh P2D;
+
+};
+
+# RSASHA256
+dnssec-policy "rsasha256" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ };
+};
+
+# RSASHA512
+dnssec-policy "rsasha512" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm RSASHA512 2048;
+ zsk key-directory lifetime unlimited algorithm RSASHA512 2048;
+ };
+};
+
 zone "." {
 type hint;
 file "../../common/root.hint";
@@ -59,48 +141,54 @@ zone "secure.example" {
 type primary;
 file "secure.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "insecure.example" {
 type primary;
 file "insecure.example.db";
+ dnssec-policy none;
 };
 
 zone "nsec3.example" {
 type primary;
 file "nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "autonsec3.example" {
 type primary;
 file "autonsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "optout.nsec3.example" {
 type primary;
 file "optout.nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy optout;
 };
 
 zone "nsec3.nsec3.example" {
 type primary;
 file "nsec3.nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "jitter.nsec3.example" {
 type primary;
 file "jitter.nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
- sig-validity-interval 10 2;
+ inline-signing no;
+ dnssec-policy jitter-nsec3;
 sig-signing-nodes 1000;
 sig-signing-signatures 100;
 };
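Review bot: The `jitter` and `jitter-nsec3` policies carry no explanation of where `signatures-validity P10D` and `signatures-refresh P2D` come from, yet they are what replaces the removed `sig-validity-interval 10 2;` on jitter.nsec3.example and oldsigs.example later in this commit; a comment such as `# Jitter: P10D validity / P2D refresh mirror the former "sig-validity-interval 10 2"` would keep that mapping reviewable. The `jitter-nsec3` block also has a stray blank line before its closing `};` that none of the other policies have. The one-word headings (`# The default`, `# NSEC3`) would be more useful if they named what the policy is for, e.g. `# Default policy: split KSK/ZSK, NSEC, unlimited key lifetimes`.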
@@ -109,86 +197,79 @@ zone "secure.nsec3.example" {
 type primary;
 file "secure.nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "optout.example" {
 type primary;
 file "optout.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ dnssec-policy optout;
 };
 
 zone "secure.optout.example" {
 type primary;
 file "secure.optout.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy optout;
 };
 
 zone "nsec3.optout.example" {
 type primary;
 file "nsec3.optout.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy optout;
 };
 
 zone "optout.optout.example" {
 type primary;
 file "optout.optout.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy optout;
 };
 
 zone "rsasha256.example" {
 type primary;
 file "rsasha256.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy rsasha256;
 };
 
 zone "rsasha512.example" {
 type primary;
 file "rsasha512.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy rsasha512;
 };
 
-zone "nsec.example" {
+zone "nsec-only.example" {
 type primary;
- file "nsec.example.db";
+ file "nsec-only.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "nsec3-to-nsec.example" {
 type primary;
 file "nsec3-to-nsec.example.db";
 allow-update { any; };
- auto-dnssec maintain;
-};
-
-zone "secure-to-insecure.example" {
- type primary;
- file "secure-to-insecure.example.db";
- allow-update { any; };
- dnssec-secure-to-insecure yes;
-};
-
-zone "secure-to-insecure2.example" {
- type primary;
- file "secure-to-insecure2.example.db";
- allow-update { any; };
- auto-dnssec maintain;
- dnssec-secure-to-insecure yes;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "oldsigs.example" {
 type primary;
 file "oldsigs.example.db";
 allow-update { any; };
- auto-dnssec maintain;
- sig-validity-interval 10 2;
+ inline-signing no;
+ dnssec-policy jitter;
 sig-signing-nodes 1000;
 sig-signing-signatures 100;
 };
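Review bot: `optout.example` is the only zone in this hunk that receives `dnssec-policy optout;` without the `inline-signing no;` that every sibling zone gets, and `kskonly.example` in the next hunk is treated the same way. If the omission is deliberate (to exercise the default `inline-signing` behaviour together with a dnssec-policy), a one-line comment saying so would stop the next reader from "fixing" it; otherwise add `inline-signing no;` above the policy line for consistency with the rest of the file.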
@@ -197,115 +278,108 @@ zone "prepub.example" {
 type primary;
 file "prepub.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "ttl1.example" {
 type primary;
 file "ttl1.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "ttl2.example" {
 type primary;
 file "ttl2.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "ttl3.example" {
 type primary;
 file "ttl3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "ttl4.example" {
 type primary;
 file "ttl4.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "delay.example" {
 type primary;
 file "delay.example.db";
- allow-update { any; };
- auto-dnssec maintain;
 };
 
 zone "nozsk.example" {
 type primary;
 file "nozsk.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "inaczsk.example" {
 type primary;
 file "inaczsk.example.db";
 allow-update { any; };
- auto-dnssec maintain;
-};
-
-zone "sync.example" {
- type primary;
- file "sync.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
-zone "kskonly.example" {
+zone "noksk.example" {
 type primary;
- file "kskonly.example.db";
+ file "noksk.example.db";
 allow-update { any; };
- dnssec-dnskey-kskonly yes;
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
-zone "inacksk2.example" {
+zone "sync.example" {
 type primary;
- file "inacksk2.example.db";
+ file "sync.example.db";
 allow-update { any; };
- dnssec-dnskey-kskonly yes;
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy sync;
 };
 
-zone "inacksk3.example" {
+zone "kskonly.example" {
 type primary;
- file "inacksk3.example.db";
+ file "kskonly.example.db";
 allow-update { any; };
- dnssec-dnskey-kskonly yes;
- auto-dnssec maintain;
+ dnssec-policy autosign;
 };
 
 zone "inaczsk2.example" {
 type primary;
 file "inaczsk2.example.db";
 allow-update { any; };
- auto-dnssec maintain;
-};
-
-zone "inaczsk3.example" {
- type primary;
- file "inaczsk3.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy autosign;
 };
 
 zone "delzsk.example." {
 type primary;
 file "delzsk.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 zone "dname-at-apex-nsec3.example" {
 type primary;
 file "dname-at-apex-nsec3.example.db";
 allow-update { any; };
- auto-dnssec maintain;
+ inline-signing no;
+ dnssec-policy nsec3;
 };
 
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in
new file mode 100644
index 0000000000..1376922f0a
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/noksk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nozsk.example.db.in b/bin/tests/system/autosign/ns3/nozsk.example.db.in
index 90dcba9daf..1376922f0a 100644
--- a/bin/tests/system/autosign/ns3/nozsk.example.db.in
+++ b/bin/tests/system/autosign/ns3/nozsk.example.db.in
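Review bot: `delay.example` loses both `allow-update { any; };` and `auto-dnssec maintain;` without receiving a `dnssec-policy`, so it is now a static, unsigned zone, yet the sign.sh hunk earlier in this commit still generates its KSK/ZSK with `-G` and records them in `../delayksk.key` and `../delayzsk.key`. If the test now only needs the key files and expects the zone to stay unsigned, a comment like `# delay.example: keys are pre-generated by sign.sh; the zone is intentionally not signed by named` would make that explicit; if not, the zone is missing its policy line.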
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/nsec-only.example.db.in b/bin/tests/system/autosign/ns3/nsec-only.example.db.in new file mode 100644 index 0000000000..0b11a00b00 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec-only.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec.example.db.in deleted file mode 100644 index cbfb691d08..0000000000 --- a/bin/tests/system/autosign/ns3/nsec.example.db.in +++ /dev/null 
@@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in +++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.example.db.in index 0b160d79c2..17964e856d 100644 --- a/bin/tests/system/autosign/ns3/nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/nsec3.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in +++ b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bin/tests/system/autosign/ns3/oldsigs.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/oldsigs.example.db.in +++ b/bin/tests/system/autosign/ns3/oldsigs.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/optout.example.db.in b/bin/tests/system/autosign/ns3/optout.example.db.in index 5d5416db2e..fbb05af5bc 100644 --- a/bin/tests/system/autosign/ns3/optout.example.db.in +++ b/bin/tests/system/autosign/ns3/optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/optout.optout.example.db.in b/bin/tests/system/autosign/ns3/optout.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/optout.optout.example.db.in +++ b/bin/tests/system/autosign/ns3/optout.optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/prepub.example.db.in b/bin/tests/system/autosign/ns3/prepub.example.db.in new file mode 100644 index 0000000000..14971bd7a6 --- /dev/null +++ b/bin/tests/system/autosign/ns3/prepub.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns3/rsasha256.example.db.in b/bin/tests/system/autosign/ns3/rsasha256.example.db.in index 862dadba98..f6c4fabdd3 100644 --- a/bin/tests/system/autosign/ns3/rsasha256.example.db.in +++ b/bin/tests/system/autosign/ns3/rsasha256.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/rsasha512.example.db.in b/bin/tests/system/autosign/ns3/rsasha512.example.db.in index 862dadba98..f6c4fabdd3 100644 --- a/bin/tests/system/autosign/ns3/rsasha512.example.db.in +++ b/bin/tests/system/autosign/ns3/rsasha512.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in +++ b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in deleted file mode 100644 index 86552149e1..0000000000 --- a/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2000042407 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns3/secure.example.db.in b/bin/tests/system/autosign/ns3/secure.example.db.in index a3abaefac9..9855ec00b5 100644 --- a/bin/tests/system/autosign/ns3/secure.example.db.in +++ b/bin/tests/system/autosign/ns3/secure.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in +++ b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/secure.optout.example.db.in b/bin/tests/system/autosign/ns3/secure.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/autosign/ns3/secure.optout.example.db.in +++ b/bin/tests/system/autosign/ns3/secure.optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/sync.example.db.in b/bin/tests/system/autosign/ns3/sync.example.db.in index c3dbada717..c6c7f88ea5 100644 --- a/bin/tests/system/autosign/ns3/sync.example.db.in +++ b/bin/tests/system/autosign/ns3/sync.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/ttl1.example.db.in b/bin/tests/system/autosign/ns3/ttl1.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/ttl1.example.db.in +++ b/bin/tests/system/autosign/ns3/ttl1.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/ttl2.example.db.in b/bin/tests/system/autosign/ns3/ttl2.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/ttl2.example.db.in +++ b/bin/tests/system/autosign/ns3/ttl2.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/ttl3.example.db.in b/bin/tests/system/autosign/ns3/ttl3.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/ttl3.example.db.in +++ b/bin/tests/system/autosign/ns3/ttl3.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns3/ttl4.example.db.in b/bin/tests/system/autosign/ns3/ttl4.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/autosign/ns3/ttl4.example.db.in +++ b/bin/tests/system/autosign/ns3/ttl4.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in index de98ac28f6..b46ce91cf0 100644 --- a/bin/tests/system/autosign/ns4/named.conf.in +++ b/bin/tests/system/autosign/ns4/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in index a271401c4e..710dfa8cd6 100644 --- a/bin/tests/system/autosign/ns5/named.conf.in +++ b/bin/tests/system/autosign/ns5/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh index 150d98d49c..e029fdf8aa 100644 --- a/bin/tests/system/autosign/setup.sh +++ b/bin/tests/system/autosign/setup.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index c7bab90f1e..28045bc5c4 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh status=0 @@ -18,9 +22,13 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" # convert private-type records to readable form +# $1 is the zone +# $2 is the server +# $3 is ignored +# $4 is the alternate type showprivate () { echo "-- $@ --" - $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | + $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' | while read record; do $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; 
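Review bot: The new header comment on showprivate says `$3 is ignored`, but that third argument is the expected-result value checkprivate reads as `expected="${3:-0}"` before forwarding the whole list with `showprivate "$@"`, and it is also echoed by the `-- $@ --` banner, so a reader of this function alone is told the wrong thing. I would make the comment say `# $3 is the expected result (used by checkprivate, not here)`. On the unchanged perl line, `@ARGV[0]` is a one-element array slice where the scalar `$ARGV[0]` is meant; it happens to work but is the form perl warns about. The function body continues past the end of this hunk.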
@@ -34,11 +42,15 @@ showprivate () { } # check that signing records are marked as complete +# if $3 is 1 then we are expecting "(incomplete)" +# if $3 is 2 then we are not expecting either "(complete)" or "(incomplete)" +# if $4 is present then that specifies any alternate type to check checkprivate () { _ret=0 expected="${3:-0}" - x=`showprivate "$@"` - echo $x | grep incomplete > /dev/null && _ret=1 + x=$(showprivate "$@") + echo $x | grep "(complete)" > /dev/null || _ret=2 + echo $x | grep "(incomplete)" > /dev/null && _ret=1 if [ $_ret = $expected ]; then return 0 @@ -79,7 +91,7 @@ checkjitter () { _count=0 # Check if we have at least 4 days - # This number has been tuned for `sig-validity-interval 10 2`, as + # This number has been tuned for `signatures-validity 10d; signatures-refresh 2d`, as # 1 signature expiration dates should be spread out across at most 8 (10-2) days # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) 
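Review bot: With the new `_ret=2` branch, `checkprivate ... 2` succeeds whenever `$x` carries neither marker, and that includes the case where the dig inside showprivate fails outright: its exit status is swallowed by the `| cut | while` pipeline, so an unreachable or crashed server produces only the `-- ... --` banner and the check reports success. If expected=2 means "the zone has no signing records", the query itself should still be required to succeed, for example by having showprivate capture the answer first with `$DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 > showprivate.out.$$ || return 1` and then checking that status here with `x=$(showprivate "$@") || return 1`. The two `echo $x | grep` lines would also be safer as `echo "$x"`, since word splitting is not needed there. checkprivate's body continues past the end of this hunk.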
@@ -143,32 +155,31 @@ do # # Wait for the root DNSKEY RRset to be fully signed. # - $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 - grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n.dnskey || ret=1 + grep "ANSWER: 11," dig.out.ns1.test$n.dnskey > /dev/null || ret=1 for z in . do - $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 - grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n.nsec || ret=1 + grep "NS SOA" dig.out.ns1.test$n.nsec > /dev/null || ret=1 done - for z in bar. example. private.secure.example. + for z in bar. example. # skip NSEC3 signed zones do - $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 - grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n.$z || ret=1 + grep "NS SOA" dig.out.ns2.test$n.$z > /dev/null || ret=1 done - for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example + for z in bar. example. inaczsk2.example. noksk.example nozsk.example do - $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 - grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n.$z || ret=1 + grep "NS SOA" dig.out.ns3.test$n.$z > /dev/null || ret=1 done - i=`expr $i + 1` + i=$((i + 1)) if [ $ret = 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 2 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "done"; fi -status=`expr $status + $ret` +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" for z in . 
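Review bot: The `grep "ANSWER: 11,"` on the root DNSKEY query is a bare magic number and the only place this hunk encodes how many keys the root zone is expected to hold; when the key set on ns1 changes, the retry loop will simply exhaust itself and print `failed` with no hint why. A one-line comment such as `# 11 DNSKEYs expected at the root; update if ns1's key set changes` next to it would make the failure self-explaining (I am assuming the count is determined by the ns1 setup, which is outside this file). The zone lists also mix trailing-dot and bare names (`inaczsk2.example. noksk.example nozsk.example`), which dig accepts but which makes the generated `dig.out.ns3.test$n.$z` filenames inconsistent. The enclosing retry loop starts before this hunk.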
@@ -181,7 +192,7 @@ do echo_i zone $z $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example +for z in inaczsk2.example. do echo_i zone $z $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i 
@@ -190,161 +201,9 @@ done # Set logfile offset for wait_for_log usage. nextpartreset ns3/named.run -# -# Check that DNSKEY is initially signed with a KSK and not a ZSK. -# -echo_i "check that zone with active and inactive KSK and active ZSK is properly" -echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" -echo_ic "is initially signed with a KSK and not a ZSK. ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n - -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'` -grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1 - -pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 - -count=`awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 1 || ret=1 - -count=`awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 3 || ret=1 - -awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' -id=`awk "${awk}" dig.out.ns3.test$n` - -$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 - -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -# -# Check that zone is initially signed with a ZSK and not a KSK. -# -echo_i "check that zone with active and inactive ZSK and active KSK is properly" -echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" -echo_ic "is initially signed with a ZSK and not a KSK. 
($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ` -grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1 -grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 -count=`awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 3 || ret=1 -id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n` -$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" -ret=0 -# these commands should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" -ret=0 -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. 
nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "converting zones from nsec to nsec3" -$NSUPDATE > /dev/null 2>&1 < nsupdate.out 2>&1 < dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for nsec3param signing record ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 -grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "resetting nsec3param via rndc signing ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 -for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 - grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=`grep "Pending " signing.out.test$n | wc -l` - [ $num -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 -done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "signing preset nsec3 zone" -zsk=`cat autozsk.key` -ksk=`cat autoksk.key` +zsk=$(cat autozsk.key) +ksk=$(cat autoksk.key) $SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 $SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 
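Review bot: The `|| ret=1` guards on the `$SETTIME -K ns3 ...` and `loadkeys autonsec3.example.` lines at the end of this hunk set a value that is never folded into `$status`: no `n`/`status` accounting follows them, and the next visible check begins with `ret=0`, so a failed key import here surfaces only indirectly through later validation failures. Since `ret` is also not reset before these lines, I would add `ret=0` ahead of the first `$SETTIME` and the usual `n=$((n + 1))`, `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=$((status + ret))` after the loadkeys line. The `(... | sed | cat_i) || ret=1` form additionally reports only cat_i's status, so an rndc error is not caught there either; writing the rndc output to a file before piping it through cat_i would close that gap.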
@@ -352,50 +211,54 @@ $SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 echo_i "waiting for changes to take effect" sleep 3 -echo_i "converting zone from nsec3 to nsec" -$NSUPDATE > /dev/null 2>&1 << END || status=1 -server 10.53.0.3 ${PORT} -zone nsec3-to-nsec.example. -update delete nsec3-to-nsec.example. NSEC3PARAM -send -END - -echo_i "waiting for change to take effect" -sleep 3 +missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)") +echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)" +ret=0 +$JOURNALPRINT ns3/noksk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -echo_i "checking that expired RRSIGs from missing key are not deleted ($n)" +missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") +echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)" ret=0 -missing=$(keyfile_to_key_id "$(cat missingzsk.key)") $JOURNALPRINT ns3/nozsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 -n=`expr $n + 1` + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)" +inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") +echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)" ret=0 -inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)") $JOURNALPRINT ns3/inaczsk.example.db.jnl | 
\ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 -n=`expr $n + 1` + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)" ret=0 -loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 -n=`expr $n + 1` +loglines=$(grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l) +[ "$loglines" -eq 0 ] || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)" +echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)" ret=0 -loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 -n=`expr $n + 1` +loglines=$(grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l) +[ "$loglines" -eq 0 ] || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Send rndc sync command to ns1, ns2 and ns3, to force the dynamically # signed zones to be dumped to their zone files 
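Review bot: The noksk journal check in this hunk passes vacuously when there is nothing to read: `$JOURNALPRINT ns3/noksk.example.db.jnl | awk ...` feeds awk an empty stream if the journal is missing or journalprint fails, `error` stays unset and `exit error` yields 0, so "expired RRSIGs from missing KSK are not deleted" is reported as success although nothing was examined (the two `ok?0:1` checks do fail on empty input, so only this one is affected). A guard such as `test -s ns3/noksk.example.db.jnl || ret=1` before the journalprint would make the check require evidence. The same weakness applies to the two `[ "$loglines" -eq 0 ]` assertions, which cannot distinguish "nothing was logged" from "named.run is absent or the message wording changed"; the previous version at least required one match, so consider pairing each with a positive grep for a line that must be present. I am assuming journalprint emits nothing on stdout for a missing file rather than an error banner.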
@@ -420,18 +283,18 @@ $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || re $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0 $DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" ret=0 @@ -442,9 +305,9 @@ $DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret= digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking direct NSEC3 autosigning succeeded ($n)" ret=0 
@@ -456,85 +319,45 @@ $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" -ret=0 -grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking NSEC3->NSEC conversion succeeded ($n)" -ret=0 -# this command should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1 -# this command should result in an empty file: -no_nsec3param() ( - $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1 - grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1 - return 0 -) -retry_quiet 10 no_nsec3param || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 -digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (no default) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (with default) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)" ret=0 $DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. 
@10.53.0.3 > dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 @@ -542,9 +365,9 @@ $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 @@ -554,9 +377,9 @@ $DIG $DIGOPTS +noauth a.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 @@ -566,9 +389,9 @@ $DIG $DIGOPTS +noauth a.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 
@@ -577,9 +400,9 @@ $DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 @@ -590,9 +413,9 @@ $DIG $DIGOPTS +noauth q.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 @@ -604,9 +427,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA NSEC ($n)" ret=0 @@ -616,9 +439,9 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 
@@ -630,9 +453,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 @@ -644,9 +467,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the insecure.example domain @@ -658,9 +481,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 @@ -672,9 +495,9 @@ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the secure.example domain 
@@ -687,9 +510,9 @@ $DIG $DIGOPTS +noauth a.secure.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 @@ -700,9 +523,9 @@ $DIG $DIGOPTS +noauth a.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 @@ -713,9 +536,9 @@ $DIG $DIGOPTS +noauth a.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 @@ -726,9 +549,9 @@ $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 
@@ -739,9 +562,9 @@ $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 @@ -752,9 +575,9 @@ $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 @@ -765,9 +588,9 @@ $DIG $DIGOPTS +noauth a.secure.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 @@ -778,9 +601,9 @@ $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 
@@ -791,9 +614,9 @@ $DIG $DIGOPTS +noauth a.optout.optout.example. \
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking empty NODATA OPTOUT ($n)"
ret=0
@@ -804,9 +627,9 @@ $DIG $DIGOPTS +noauth empty.optout.example. \
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Check the insecure.secure.example domain (insecurity proof)
@@ -820,9 +643,9 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Check a negative response in insecure.secure.example
@@ -836,18 +659,18 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking security root query ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
@@ -855,9 +678,9 @@ $DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n ||
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking positive validation RSASHA512 NSEC ($n)"
ret=0
@@ -865,9 +688,9 @@ $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n ||
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that positive validation in a privately secure zone works ($n)"
ret=0
@@ -878,9 +701,9 @@ $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that negative validation in a privately secure zone works ($n)"
ret=0
@@ -892,18 +715,18 @@ digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Try validating with a revoked trusted key.
# This should fail.
@@ -913,69 +736,69 @@ ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that revoked key is present ($n)"
ret=0
-id=`cat rev.key`
+id=$(cat rev.key)
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that revoked key self-signs ($n)"
ret=0
-id=`cat rev.key`
+id=$(cat rev.key)
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking for unpublished key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat unpub.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking for activated but unpublished key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that standby key does not sign records ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat standby.key)")
$DIG $DIGOPTS dnskey . 
@10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-echo_i "checking that deactivated key does not sign records ($n)"
+echo_i "checking that deactivated key does not sign records ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat inact.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking insertion of public-only key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat nopriv.key)")
-file="ns1/`cat nopriv.key`.key"
-keydata=`grep DNSKEY $file`
+file="ns1/$(cat nopriv.key).key"
+keydata=$(grep DNSKEY $file)
$NSUPDATE > /dev/null 2>&1 < dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking key deletion ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat del.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking secure-to-insecure transition, nsupdate ($n)"
-ret=0
-$NSUPDATE > /dev/null 2>&1 < dig.out.ns3.test$n || ret=1
- egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
- [ $ret -eq 0 ] && break
- echo_i "waiting ... 
($i)"
- sleep 2
-done
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking secure-to-insecure transition, scheduled ($n)"
-ret=0
-file="ns3/`cat del1.key`.key"
-$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1
-file="ns3/`cat del2.key`.key"
-$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1
-($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9; do
- ret=0
- $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
- egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
- [ $ret -eq 0 ] && break
- echo_i "waiting ... ($i)"
- sleep 2
-done
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
-ret=0
-# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
-$NSUPDATE > nsupdate.out.test$n 2>&1 < /dev/null
-# Trigger zone signing.
-($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
-# Wait until zone has been signed.
-check_if_nsec3param_exists() {
- $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1
- grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1
-}
-retry_quiet 40 check_if_nsec3param_exists || {
- echo_i "error: NSEC3PARAM not present yet"
- ret=1
-}
-$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
-# Check jitter distribution.
-checkjitter dig.out.ns3.2.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
-oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
-oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
-
-$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
-
-($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+oldserial=$(cat dig.out.ns3.test$n | awk '$0 !~ /SOA/ {print $3}')
+oldinception=$(cat dig.out.ns3.test$n | awk '/SOA/ {print $6}' | sort -u)
+id=$(keyfile_to_key_id "$(cat prepub.key)")
+echo_i "prepublish key for ZSK $id"
+($RNDCCMD 10.53.0.3 dnssec -rollover -key $id prepub.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
newserial=$oldserial
try=0
while [ $oldserial -eq $newserial -a $try -lt 42 ]
do
- newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
- awk '$0 !~ /SOA/ {print $3}'`
+ $DIG $DIGOPTS +short soa prepub.example @10.53.0.3 > dig.out.ns3.test$n.2
+ newserial=$(cat dig.out.ns3.test$n.2 | awk '$0 !~ /SOA/ {print $3}')
sleep 1
- try=`expr $try + 1`
+ try=$((try + 1))
done
-newinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
+newinception=$(cat dig.out.ns3.test$n.2 | awk '/SOA/ {print $6}' | sort -u)
#echo "$oldserial : $newserial"
#echo "$oldinception : $newinception"
[ "$oldserial" = "$newserial" ] && ret=1
[ "$oldinception" = "$newinception" ] && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "preparing to test key change corner cases"
-echo_i "removing a private key file"
-file="ns1/`cat vanishing.key`.private"
-rm -f $file
+status=$((status + ret))
echo_i "preparing ZSK roll"
-starttime=`$PERL -e 'print time(), "\n";'`
-oldfile=`cat active.key`
+starttime=$($PERL -e 'print time(), "\n";')
+oldfile=$(cat active.key)
oldid=$(keyfile_to_key_id "$(cat active.key)")
-newfile=`cat standby.key`
+newfile=$(cat standby.key)
newid=$(keyfile_to_key_id "$(cat standby.key)")
-$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1
+$SETTIME -K ns1 -I now -D now+25 $oldfile > settime.out.test$n.1 || ret=1
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1
# note previous zone serial number
-oldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
+oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
-($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+cp ns1/root.db.signed ns1/root.db.1
+$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.1 > signing.root.out$n 2>&1 || ret=1
+($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
sleep 4
echo_i "revoking key to duplicated key ID"
-$SETTIME -R now -K ns2 Kbar.+005+30676.key > settime.out.test$n.3 || ret=1
+$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
-($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+($RNDCCMD 10.53.0.2 freeze bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+cp ns2/bar.db.signed ns2/bar.db
+$SIGNER -S -o bar. -O full -K ns2 ns2/bar.db > signing.bar.out$n 2>&1 || ret=1
+($RNDCCMD 10.53.0.2 thaw bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "waiting for changes to take effect"
sleep 5
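Review bot: The dig inside the serial-polling loop of the rt21045 test (`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 > dig.out.ns3.test$n.2`) carries no `|| ret=1`, so a failed query leaves `newserial` empty, `[ $oldserial -eq $newserial -a $try -lt 42 ]` errors out and ends the loop, and the two string comparisons that follow both differ, so the test passes without ever having observed a serial or inception change. I would append `|| ret=1` to that line and compare quoted values, `while [ "$oldserial" = "$newserial" ] && [ "$try" -lt 42 ]`, so an empty result reads as a failure rather than as progress. Separately, the `|| ret=1` checks under "preparing ZSK roll" (settime, freeze, dnssec-signzone, thaw) are never folded into `status`, because the next check begins with `ret=0`; a failed preparation step only surfaces indirectly through later checks. Not every hunk header in this stretch survived the collapsed layout, so the exact hunk boundary here is uncertain.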
@@ -1127,75 +882,85 @@ echo_i "checking former standby key $newid is now active ($n)"
ret=0
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking former standby key has only signed incrementally ($n)"
ret=0
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking that signing records have been marked as complete ($n)"
ret=0
-checkprivate . 10.53.0.1 || ret=1
-checkprivate bar 10.53.0.2 || ret=1
-checkprivate example 10.53.0.2 || ret=1
-checkprivate private.secure.example 10.53.0.3 || ret=1
+checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
+checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate nsec3.example 10.53.0.3 || ret=1
checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
-checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
-checkprivate nsec.example 10.53.0.3 || ret=1
-checkprivate oldsigs.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+ checkprivate nsec-only.example 10.53.0.3 || ret=1
+fi
+checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate optout.example 10.53.0.3 || ret=1
checkprivate optout.nsec3.example 10.53.0.3 || ret=1
checkprivate optout.optout.example 10.53.0.3 || ret=1
-checkprivate prepub.example 10.53.0.3 1 || ret=1
+checkprivate prepub.example 10.53.0.3 2 || ret=1 # pre-signed
checkprivate 
rsasha256.example 10.53.0.3 || ret=1
checkprivate rsasha512.example 10.53.0.3 || ret=1
checkprivate secure.example 10.53.0.3 || ret=1
checkprivate secure.nsec3.example 10.53.0.3 || ret=1
checkprivate secure.optout.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
checkprivate ttl1.example 10.53.0.3 || ret=1
checkprivate ttl2.example 10.53.0.3 || ret=1
checkprivate ttl3.example 10.53.0.3 || ret=1
checkprivate ttl4.example 10.53.0.3 || ret=1
-n=`expr $n + 1`
-status=`expr $status + $ret`
+n=$((n + 1))
+status=$((status + ret))
-echo_i "forcing full sign"
-($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+echo_i "forcing full sign ($n)"
+ret=0
+($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+cp ns1/root.db.signed ns1/root.db.2
+$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db > signing.root.out$n 2>&1 || ret=1
+($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
echo_i "waiting for change to take effect"
sleep 5
-echo_i "checking former standby key has now signed fully ($n)"
+echo_i "checking former standby key $newid has now signed fully ($n)"
ret=0
$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking SOA serial number has been incremented ($n)"
ret=0
-newserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
+newserial=$($DIG $DIGOPTS +short soa . 
@10.53.0.1 | awk '{print $3}')
[ "$newserial" != "$oldserial" ] || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
+
+echo_i "preparing to test key change corner cases"
+echo_i "removing a private key file"
+file="ns1/$(cat vanishing.key).private"
+rm -f $file
echo_i "checking delayed key publication/activation ($n)"
ret=0
-zsk=`cat delayzsk.key`
-ksk=`cat delayksk.key`
+zsk=$(cat delayzsk.key)
+ksk=$(cat delayksk.key)
# publication and activation times should be unset
$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1
grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1
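Review bot: The new "forcing full sign ($n)" step sets `ret=0`, prints `failed` and advances `n`, but never executes `status=$((status + ret))`, so a failing freeze, dnssec-signzone or thaw there is reported yet does not make the run exit non-zero; add `status=$((status + ret))` right after its `if [ $ret != 0 ]; then echo_i "failed"; fi` line. The same step copies `ns1/root.db.signed` to `ns1/root.db.2` and then signs `ns1/root.db`, the unsigned source, leaving the copy unused, whereas the other two freeze/sign/thaw sequences in this diff sign the copied `.1`/`.3` file. If that is a slip, the last argument should be `ns1/root.db.2`; if re-signing from the unsigned source is intended, a one-line comment saying so would stop the next reader from "fixing" it.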
@@ -1204,38 +969,41 @@ grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
# DNSKEY not expected:
awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking scheduled key publication, not activation ($n)"
ret=0
# Ensure initial zone is loaded.
wait_for_notifies "delay.example" "ns3" || ret=1
-$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1
-$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1
-($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
-echo_i "waiting for changes to take effect"
-sleep 3
-wait_for_notifies "delay.example" "ns3" || ret=1
-
-$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
-# DNSKEY expected:
-awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
-# RRSIG not expected:
-awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
-n=`expr $n + 1`
+$SETTIME -K ns3 -P now -A none $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now -A none $ksk > settime.out.test$n.ksk || ret=1
+cp ns3/delay.example.db ns3/delay.example.1
+# This will create a non valid DNSSEC zone, disable post-sign verification
+$SIGNER -P -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.1 > signing.delay.out.$n 2>&1 || ret=1
+($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1
+check_has_dnskey() {
+ $DIG $DIGOPTS +noall +answer dnskey delay.example. 
@10.53.0.3 > dig.out.ns3.test$n || return 1
+ # DNSKEY expected:
+ awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || return 1
+ # RRSIG not expected:
+ awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && return 1
+ return 0
+}
+retry_quiet 5 check_has_dnskey || ret=1
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking scheduled key activation ($n)"
ret=0
-$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1
-$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
-($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
-echo_i "waiting for changes to take effect"
-sleep 3
-wait_for_log 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
+sleep 1 # ensure file system time stamp of ns3/delay.example.db changes
+$SETTIME -K ns3 -A now $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -A now $ksk > settime.out.test$n.ksk || ret=1
+cp ns3/delay.example.db ns3/delay.example.2
+$SIGNER -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.2 > signing.delay.out.$n 2>&1 || ret=1
+($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1
check_is_signed() {
$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
# DNSKEY expected:
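Review bot: The two added `rndc reload delay.example` invocations omit the `2>&1` that every other `$RNDCCMD` pipeline in this diff uses, so rndc's stderr is neither prefixed with `ns3` nor kept with the test output. Since `|| ret=1` after `( ... | sed | cat_i)` only reflects the exit status of `cat_i` (no pipefail is visible in this file), a refused or failed reload is not caught here at all; the zone file just written with `-P` (post-sign verification disabled) then silently stays unloaded and only `retry_quiet 5 check_has_dnskey` / `check_is_signed` stand between that and a misleading failure. I would write `($RNDCCMD 10.53.0.3 reload delay.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1` in both places, and consider checking `rndc`'s own status where the result matters.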
@@ -1250,101 +1018,65 @@ check_is_signed() { return 0 } retry_quiet 5 check_is_signed || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking former active key was removed ($n)" # # Work out how long we need to sleep. Allow 4 seconds for the records # to be removed. # -now=`$PERL -e 'print time(), "\n";'` -sleep=`expr $starttime + 29 - $now` +now=$($PERL -e 'print time(), "\n";') +sleep=$((starttime + 29 - now)) case $sleep in -*|0);; -*) echo_i "waiting for timer to have activated"; sleep $sleep;; +*) echo_i "waiting $sleep seconds for timer to have activated"; sleep $sleep;; esac ret=0 +($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +cp ns1/root.db.signed ns1/root.db.3 +$SIGNER -v 3 -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.3 > signing.root.out$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "checking private key file removal caused no immediate harm ($n)" +id=$(keyfile_to_key_id "$(cat vanishing.key)") +echo_i "checking private key file $id removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS soa . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. 
' dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-echo_i "checking revoked key with duplicate key ID (failure expected) ($n)"
-lret=0
-id=30676
-$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
-grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
-$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
-n=`expr $n + 1`
-if [ $lret != 0 ]; then echo_i "not yet implemented"; fi
+echo_i "checking revoked key with duplicate key ID ($n)"
+ret=0
+id=59973
+rid=60101
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
+keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
+test $keys -eq 2 || ret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
echo_i "checking key event timers are always set ($n)"
+ret=0
# this is a regression test for a bug in which the next key event could
# be scheduled for the present moment, and then never fire. check for
# visible evidence of this error in the logs:
awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# this confirms that key events are never scheduled more than
-# 'dnssec-loadkeys-interval' minutes in the future, and that the
-# event scheduled is within 10 seconds of expected interval.
-check_interval () { - awk '/next key event/ {print $2 ":" $9}' $1/named.run | - sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' | - awk -F: ' - { - x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); - # abs(x) < 1000 ms treat as 'now' - if (x < 1000 && x > -1000) - x = 0; - # convert to seconds - x = x/1000; - # handle end of day roll over - if (x < 0) - x = x + 24*3600; - # handle log timestamp being a few milliseconds later - if (x != int(x)) - x = int(x + 1); - if (int(x) > int(interval)) - exit (1); - } - END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 - return $? -} - -echo_i "checking automatic key reloading interval ($n)" -ret=0 -check_interval ns1 3600 || ret=1 -check_interval ns2 1800 || ret=1 -check_interval ns3 600 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for key reloading loops ($n)" -ret=0 -# every key event should schedule a successor, so these should be equal -rekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l` -rekey_events=`grep "next key event" ns*/named.run | wc -l` -[ "$rekey_calls" = "$rekey_events" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "forcing full sign with unreadable keys ($n)" ret=0 
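Review bot: In "checking private key file $id removal caused no immediate harm", `id=$(keyfile_to_key_id "$(cat vanishing.key)")` is now assigned twice, once before the `echo_i` and again right after `ret=0`; the second assignment is redundant and should be dropped. In the rewritten duplicate-key-ID check the ids `59973` and `60101` are bare literals, and `59973` also appears in `Kbar.+013+59973.key` earlier in the diff, so regenerating the test keys silently breaks both places without any visible link between them; deriving the id next to the file name, e.g. `id=$(keyfile_to_key_id Kbar.+013+59973)`, or reading a `.key` reference file as the other checks do, would keep them in one spot. The `test $keys -eq 2` line also deserves a one-line comment stating that two DNSKEY records are expected to share key id `60101` (the revoked key and the pre-existing one), since that is the whole point of the check and is not obvious from the code.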
@@ -1352,31 +1084,31 @@ chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-echo_i "test turning on auto-dnssec during reconfig ($n)"
+echo_i "test turning on dnssec-policy during reconfig ($n)"
ret=0
-# first create a zone that doesn't have auto-dnssec
+# first create a zone that doesn't have dnssec-policy
($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
-rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
+rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
[ "$rekey_calls" -eq 0 ] || ret=1
-# ...then we add auto-dnssec and reconfigure
-($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+# ...then we add dnssec-policy and reconfigure
+($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy default; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
rndc_reconfig ns3 10.53.0.3
for i in 0 1 2 3 4 5 6 7 8 9; do
lret=0
- rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
+ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
[ "$rekey_calls" -gt 0 ] || lret=1
if [ "$lret" -eq 0 ]; then break; fi
echo_i "waiting ... ($i)"
sleep 1
done
-n=`expr $n + 1`
+n=$((n + 1))
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "test CDS and CDNSKEY auto generation ($n)"
ret=0
@@ -1384,194 +1116,104 @@ $DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1 grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" +echo_i "test 'csk' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n $DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n -lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" +echo_i "test 'ksk' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n $DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n -lines=`awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n 
| wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l` +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" -$SETTIME -D sync now `cat sync.key` > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 - -echo_i "checking that the CDS and CDNSKEY are deleted ($n)" -ret=0 -ensure_cds_and_cdnskey_are_deleted() { - $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 - $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 -} -retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +# XXXWMM Replace this test with dnssec-policy equivalent once we have +# implemented 'cdnskey "only-during-rollovers";'. 
+#echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" +#$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 +#($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 +# +#echo_i "checking that the CDS and CDNSKEY are deleted ($n)" +#ret=0 +#ensure_cds_and_cdnskey_are_deleted() { +# $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 +# awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 +# $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 +# awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 +#} +#retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 +#n=$((n + 1)) +#if [ $ret != 0 ]; then echo_i "failed"; fi +#status=$((status + ret)) echo_i "check that dnssec-settime -p Dsync works ($n)" ret=0 -$SETTIME -p Dsync `cat sync.key` > settime.out.test$n || ret=1 +$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that dnssec-settime -p Psync works ($n)" ret=0 -$SETTIME -p Psync `cat sync.key` > settime.out.test$n || ret=1 +$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n - -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ` -pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 
- -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ` -pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 - -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n -grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -# -# Check that DNSKEY is now signed with the ZSK. -# -echo_i "check that zone with active and inactive KSK and active ZSK is properly" -echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" -echo_ic "is now signed with the ZSK. ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n - -zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ` -pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 - -count=`awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 1 || ret=1 - -count=`awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 2 || ret=1 - -n=`expr $n + 1` +grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -# -# Check that zone is now signed with the KSK. -# -echo_i "check that zone with active and inactive ZSK and active KSK is properly" -echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" -echo_ic "is now signed with the KSK. 
($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ` -grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 -count=`awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 1 || ret=1 -count=`awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n` -test $count -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 -# Switch the zone over to NSEC3 and wait until the transition is complete. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1 - grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1 - if [ $? -eq 0 ]; then - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1 - grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1 - if [ $? -ne 0 ]; then - _ret=0 - break - fi - fi - sleep 1 -done -if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for NSEC3 chain creation" - ret=1 -fi -# Mark the inactive ZSK as pending removal. -file="ns3/`cat delzsk.key`.key" -$SETTIME -D now-1h $file > settime.out.test$n || ret=1 -# Trigger removal of the inactive ZSK and wait until its completion. -($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 - grep "Signing " signing.out.3.test$n > /dev/null 2>&1 - if [ $? 
-ne 0 ]; then - if [ `grep "Done signing " signing.out.3.test$n | wc -l` -eq 2 ]; then - _ret=0 - break - fi - fi - sleep 1 -done -if [ $_ret -ne 0 ]; then +# Delete the ZSK +file="ns3/inactive/$(cat delzsk.key).key" +$NSUPDATE > nsupdate.out.test$n 2>&1 < dig.out.ns3.test$n || return 1 + grep '; key id = '"$oldid"'$' dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 5 zsk_is_gone || ret=1 +if [ $ret -ne 0 ]; then echo_i "timed out waiting for key removal" - ret=1 fi + # Check whether key removal caused NSEC3 records to be erroneously created for # glue records due to a secure delegation already being signed by the active key # (i.e. a key other than the one being removed but using the same algorithm). @@ -1583,17 +1225,17 @@ fi # $DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1 grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" +echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-policy) ($n)" ret=0 $DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG NSEC3 7 3 600" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` +grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that DNAME is not treated as a delegation when signing ($n)" ret=0 
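Review bot: The CDS/CDNSKEY deletion test is carried forward as a commented-out block under the `XXXWMM` marker rather than removed or skipped; commented-out shell bit-rots silently (nothing will ever exercise the `$SETTIME -D sync now` line), so either drop it and keep only the two-line note, or keep it live behind an explicit `if false; then … fi` so the shell at least parses it. The note itself could carry the tracking reference: `# XXXWMM: re-enable as a dnssec-policy test once 'cdnskey "only-during-rollovers";' exists (see <issue-id placeholder>).`. The `$NSUPDATE` line and the start of the `zsk_is_gone` helper appear garbled in this extraction (a heredoc or redirection is cut), so I could not see where `$oldid` is assigned; if it is only set in removed lines, `grep '; key id = '"$oldid"'$'` degenerates to `; key id = $`, never matches, and the helper reports the key as gone immediately, which would make the "timed out waiting for key removal" path unreachable and the check pass vacuously.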
@@ -1601,24 +1243,97 @@ $DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.tes grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1 $DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking key maintenance events were logged correctly ($n)" ret=0 -pub=`grep "DNSKEY .* is now published" ns1/named.run | wc -l` -[ "$pub" -eq 6 ] || ret=1 -act=`grep "DNSKEY .* is now active" ns1/named.run | wc -l` -[ "$act" -eq 5 ] || ret=1 -rev=`grep "DNSKEY .* is now revoked" ns1/named.run | wc -l` -[ "$rev" -eq 1 ] || ret=1 -inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l` -[ "$inac" -eq 1 ] || ret=1 -del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l` -[ "$del" -eq 1 ] || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +pub=$(grep "DNSKEY .* is now published" ns2/named.run | grep -v "CDNSKEY" | wc -l) +[ "$pub" -eq 10 ] || ret=1 +act=$(grep "DNSKEY .* is now active" ns2/named.run | wc -l) +[ "$act" -eq 10 ] || ret=1 +rev=$(grep "DNSKEY .* is now revoked" ns2/named.run | wc -l) +[ "$rev" -eq 0 ] || ret=1 +inac=$(grep "DNSKEY .* is now inactive" ns2/named.run | wc -l) +[ "$inac" -eq 0 ] || ret=1 +del=$(grep "DNSKEY .* is now deleted" ns2/named.run | wc -l) +[ "$del" -eq 0 ] || ret=1 +pub=$(grep "DNSKEY .* is now published" ns3/named.run | grep -v "CDNSKEY" | wc -l) +act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l) +if $SHELL ../testcrypto.sh -q RSASHA1 +then + # Include two log lines for nsec-only zone. 
+ [ "$pub" -eq 53 ] || ret=1 + [ "$act" -eq 53 ] || ret=1 +else + [ "$pub" -eq 51 ] || ret=1 + [ "$act" -eq 51 ] || ret=1 +fi +rev=$(grep "DNSKEY .* is now revoked" ns3/named.run | wc -l) +[ "$rev" -eq 0 ] || ret=1 +inac=$(grep "DNSKEY .* is now inactive" ns3/named.run | wc -l) +[ "$inac" -eq 0 ] || ret=1 +del=$(grep "DNSKEY .* is now deleted" ns3/named.run | wc -l) +[ "$del" -eq 3 ] || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check removal of ENT NSEC3 records when opt out delegations are removed" +zone=optout-with-ent +hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL + +# check that NSEC3 for ENT is present +echo_i "check ENT NSEC3 is initially present" +ret=0 +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check ENT NSEC3 is still present after removing one of two delegations ($n)" +ret=0 +# remove first delegation of two delegations, NSEC3 for ENT should remain. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub1.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is still present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." 
dig.out.mid.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check ENT NSEC3 is gone after removing the second delegation ($n)" +ret=0 +# remove second delegation of two delegations, NSEC3 for ENT should be deleted. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub2.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is gone +echo_i "check ENT NSEC3 is gone for zone $zone hash $hash" +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/autosign/tests_sh_autosign.py b/bin/tests/system/autosign/tests_sh_autosign.py new file mode 100644 index 0000000000..16dfc29caf --- /dev/null +++ b/bin/tests/system/autosign/tests_sh_autosign.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_autosign(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/builtin/clean.sh b/bin/tests/system/builtin/clean.sh index 16c0da0b42..1ad33dc1aa 100644 --- a/bin/tests/system/builtin/clean.sh +++ b/bin/tests/system/builtin/clean.sh 
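Review bot: In the "still present after removing one of two delegations" step the first `$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n` line is a leftover: its output is never read (the assertions use `dig.out.mid.ns2.test$n`), so it should be deleted. The two `( echo zone … echo send ) | $NSUPDATE` pipelines are unchecked, so a rejected or failed update would not set `ret` and would only surface later as a confusing NSEC3 assertion; write them as `) | $NSUPDATE || ret=1`. The first ENT step's `echo_i "check ENT NSEC3 is initially present"` is also the only one without the `($n)` suffix. The `53`/`51` literals in the key-maintenance log count depend on how many zones ns3 serves; a one-line comment such as `# <number of zones placeholder> zones x (KSK+ZSK), +2 for the nsec-only zone when RSASHA1 is available` would save the next person from recounting.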
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/builtin/ns1/named.conf.in b/bin/tests/system/builtin/ns1/named.conf.in index d181a36cfd..723e6b20c0 100644 --- a/bin/tests/system/builtin/ns1/named.conf.in +++ b/bin/tests/system/builtin/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -25,4 +27,5 @@ options { listen-on-v6 { none; }; recursion yes; notify no; + dnssec-validation no; }; diff --git a/bin/tests/system/builtin/ns2/named.conf.in b/bin/tests/system/builtin/ns2/named.conf.in index e875a92381..38b95f0036 100644 --- a/bin/tests/system/builtin/ns2/named.conf.in +++ b/bin/tests/system/builtin/ns2/named.conf.in 
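Review bot: `dnssec-validation no;` is added to a `recursion yes;` server without a comment explaining why (the same line is added to the ns2 and ns3 `named.conf.in` hunks that follow); presumably it stops these test resolvers from attempting validation against the built-in root trust anchor on an isolated network, but that reasoning is not on the page. A trailing comment such as `dnssec-validation no;  /* test network has no trust anchor; validation is not under test */` (adjust if the real reason differs) keeps the line from being mistaken for a production setting. Since it disables a security control, it is also worth confirming that no check in `builtin/tests.sh` relied on validation behaviour before this change.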
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -26,4 +28,5 @@ options { recursion yes; notify no; server-id hostname; + dnssec-validation no; }; diff --git a/bin/tests/system/builtin/ns3/named.conf.in b/bin/tests/system/builtin/ns3/named.conf.in index 4bce9f7a72..df538dbbc8 100644 --- a/bin/tests/system/builtin/ns3/named.conf.in +++ b/bin/tests/system/builtin/ns3/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -28,4 +30,5 @@ options { hostname "this.is.a.test.of.hostname"; server-id "this.is.a.test.of.server-id"; version "this is a test of version"; + dnssec-validation no; }; diff --git a/bin/tests/system/builtin/setup.sh b/bin/tests/system/builtin/setup.sh index c4670066e3..7ffda5583c 100644 --- a/bin/tests/system/builtin/setup.sh +++ b/bin/tests/system/builtin/setup.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh index 9edc42b409..9151fc30ee 100644 --- a/bin/tests/system/builtin/tests.sh +++ b/bin/tests/system/builtin/tests.sh @@ -1,12 +1,18 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh DIGOPTS="-p ${PORT}" @@ -116,7 +122,7 @@ B.E.F.IP6.ARPA EMPTY.AS112.ARPA HOME.ARPA" -n=`expr $n + 1` +n=$((n + 1)) ret=0 count=0 echo_i "Checking expected empty zones were configured ($n)" @@ -126,15 +132,15 @@ do echo_i "failed (empty zone $zone missing)" ret=1 } - count=`expr $count + 1` + count=$((count + 1)) done -lines=`grep "automatic empty zone: " ns1/named.run | wc -l` +lines=$(grep "automatic empty zone: " ns1/named.run | wc -l) test $count -eq $lines -a $count -eq 99 || { ret=1; echo_i "failed (count mismatch)"; } -if [ $ret != 0 ] ; then status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) echo_i "Checking that reconfiguring empty zones is silent ($n)" $RNDCCMD 10.53.0.1 reconfig ret=0 
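Review bot: Adding `set -e` changes how unguarded commands fail: `$RNDCCMD 10.53.0.1 reconfig` at the end of the `@@ -126` hunk, `rndc_reload ns1 10.53.0.1` in `@@ -143`, and `HOST_NAME=$($FEATURETEST --gethostname)` in `@@ -154` are not followed by `|| ret=1`, so a non-zero exit there now aborts the script before `echo_i "failed"` and the final `exit status:` line, and the per-test diagnostic is lost. The commit does add `|| ret=1` to the `$DIG` lines in `@@ -154`, so the omission on the rndc calls looks accidental; `ret=0` then `$RNDCCMD 10.53.0.1 reconfig || ret=1` (and likewise `rndc_reload ns1 10.53.0.1 || ret=1`) keeps the old reporting, noting that the existing `ret=0` currently follows the rndc call and would reset the flag if left in place. Whether a failing `$FEATURETEST --gethostname` should abort the whole run is a judgement call, but it deserves a one-line comment either way.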
@@ -143,9 +149,9 @@ grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 sleep 1 grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) echo_i "Checking that reloading empty zones is silent ($n)" rndc_reload ns1 10.53.0.1 ret=0 
@@ -154,89 +160,89 @@ grep "received control channel command 'reload'" ns1/named.run > /dev/null || re grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 sleep 1 grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -HOSTNAME=`$FEATURETEST --gethostname` +HOST_NAME=$($FEATURETEST --gethostname) BIND_VERSION_STRING=$($NAMED -V | head -1) BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p') -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that default version works for rndc ($n)" $RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1 -fgrep "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that custom version works for rndc ($n)" $RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1 -fgrep "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that default version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + 
ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that custom version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that default hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "^\"$HOSTNAME\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that custom hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that default server-id is none for query ($n)" -$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n +$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i 
"Checking that server-id hostname works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n -grep "^\"$HOSTNAME\"$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n -grep "^; NSID: .* (\"$HOSTNAME\")$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n || ret=1 +grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n +$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n +$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n || ret=1 grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi echo_i "exit status: $status" [ $status 
-eq 0 ] || exit 1 diff --git a/bin/tests/system/builtin/tests_sh_builtin.py b/bin/tests/system/builtin/tests_sh_builtin.py new file mode 100644 index 0000000000..2246cb4595 --- /dev/null +++ b/bin/tests/system/builtin/tests_sh_builtin.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_builtin(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/cacheclean/clean.sh b/bin/tests/system/cacheclean/clean.sh index 2774699911..b346e65b5b 100644 --- a/bin/tests/system/cacheclean/clean.sh +++ b/bin/tests/system/cacheclean/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/cacheclean/ns1/example.db b/bin/tests/system/cacheclean/ns1/example.db index 0231fbcd31..7262109dc3 100644 --- a/bin/tests/system/cacheclean/ns1/example.db +++ b/bin/tests/system/cacheclean/ns1/example.db 
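Review bot: The version checks were switched from `fgrep` to `grep -F`, but the renamed `$HOST_NAME` is still interpolated into a basic regex in `grep "^\"$HOST_NAME\"$"` (the query check and both `id.server` checks) and in the NSID pattern, so a hostname containing `.` matches any character and one containing `[` or `*` would break the pattern. `grep -Fx "\"$HOST_NAME\""` compares the line literally and matches the `grep -F` style this hunk introduces; the NSID line can use the unanchored `grep -F "(\"$HOST_NAME\")"` since the surrounding `; NSID:` text is fixed. The same literal-match form would also suit the `this.is.a.test.of.hostname` and `this.is.a.test.of.server-id` patterns, which currently rely on `.` matching itself.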
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cacheclean/ns1/expire-test.db b/bin/tests/system/cacheclean/ns1/expire-test.db index 32d708189a..80855430ff 100644 --- a/bin/tests/system/cacheclean/ns1/expire-test.db +++ b/bin/tests/system/cacheclean/ns1/expire-test.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cacheclean/ns1/flushtest.db b/bin/tests/system/cacheclean/ns1/flushtest.db index 72a1096fee..ac6b408c55 100644 --- a/bin/tests/system/cacheclean/ns1/flushtest.db +++ b/bin/tests/system/cacheclean/ns1/flushtest.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cacheclean/ns1/named.args b/bin/tests/system/cacheclean/ns1/named.args index 2ba9a1403d..b7ce00d2b7 100644 --- a/bin/tests/system/cacheclean/ns1/named.args +++ b/bin/tests/system/cacheclean/ns1/named.args @@ -1 +1 @@ --m record,size,mctx -c named.conf -d 1 -D cacheclean-ns1 -X named.lock -g -T maxcachesize=2097152 +-m record -c named.conf -d 1 -D cacheclean-ns1 -X named.lock -g -T maxcachesize=2097152 diff --git a/bin/tests/system/cacheclean/ns1/named.conf.in b/bin/tests/system/cacheclean/ns1/named.conf.in index 2f9234cc72..98d2b281be 100644 --- a/bin/tests/system/cacheclean/ns1/named.conf.in +++ b/bin/tests/system/cacheclean/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cacheclean/ns2/named.args b/bin/tests/system/cacheclean/ns2/named.args index 1bcc5eab28..071016c00b 100644 
--- a/bin/tests/system/cacheclean/ns2/named.args +++ b/bin/tests/system/cacheclean/ns2/named.args @@ -1 +1 @@ --m record,size,mctx -c named.conf -d 3 -D cacheclean-ns2 -X named.lock -g -T maxcachesize=2097152 +-m record -c named.conf -d 3 -D cacheclean-ns2 -X named.lock -g -T maxcachesize=2097152 diff --git a/bin/tests/system/cacheclean/ns2/named.conf.in b/bin/tests/system/cacheclean/ns2/named.conf.in index 520264876b..0b5cd29813 100644 --- a/bin/tests/system/cacheclean/ns2/named.conf.in +++ b/bin/tests/system/cacheclean/ns2/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -25,7 +27,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/cacheclean/setup.sh b/bin/tests/system/cacheclean/setup.sh index 5c160b922e..6929ec541d 100644 --- a/bin/tests/system/cacheclean/setup.sh +++ b/bin/tests/system/cacheclean/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh
index 01c2be1317..a648c95a50 100755
--- a/bin/tests/system/cacheclean/tests.sh
+++ b/bin/tests/system/cacheclean/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 status=0
@@ -64,9 +68,9 @@ clear_cache () {
 }
 in_cache () {
- ttl=`$DIG $DIGOPTS "$@" | awk '{print $2}'`
+ ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
 [ -z "$ttl" ] && {
- ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'`
+ ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
 [ "$ttl" -ge 3599 ] && return 1
 return 0
 }
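Review bot: The new `set -e` in the first hunk changes how the unguarded `$RNDC $RNDCOPTS flushname …` and `$RNDC $RNDCOPTS flushtree example` context lines in the hunks `@@ -131,9 +135,9 @@`, `@@ -141,9 +145,9 @@`, `@@ -153,16 +157,16 @@` and `@@ -187,43 +191,43 @@` behave: a non-zero exit from rndc now aborts the whole script instead of being counted as a per-test failure, while the same commit guards the `$DIG … +expire` calls with `|| ret=1`. For consistency each of those lines should read like `$RNDC $RNDCOPTS flushname top1.flushtest.example || ret=1`, so the `echo_i "failed"` line and the final `echo_i "exit status: $status"` summary still run. The same concern applies to the bare `load_cache`, `clear_cache` and `dump_cache` calls if those helpers can return non-zero; their bodies are outside these hunks, as is the rest of `in_cache` after the second hunk.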
@@ -89,39 +93,39 @@ filter_tree () { ' "$file" } -n=`expr $n + 1` +n=$((n + 1)) echo_i "check correctness of routine cache cleaning ($n)" $DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1 digcomp --lc dig.out.ns2 knowngood.dig.out || status=1 -n=`expr $n + 1` +n=$((n + 1)) echo_i "only one tcp socket was used ($n)" -tcpclients=`awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l` +tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l) test $tcpclients -eq 1 || { status=1; echo_i "failed"; } -n=`expr $n + 1` +n=$((n + 1)) echo_i "reset and check that records are correctly cached initially ($n)" ret=0 load_cache dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | egrep '(TXT|ANY)' | wc -l` +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) [ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing of the full cache ($n)" ret=0 clear_cache dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l` +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l) [ $nrecords -eq 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing of individual nodes (interior node) ($n)" ret=0 clear_cache 
@@ -131,9 +135,9 @@ in_cache txt top1.flushtest.example || ret=1 $RNDC $RNDCOPTS flushname top1.flushtest.example in_cache txt top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing of individual nodes (leaf node, under the interior node) ($n)" ret=0 # leaf node, under the interior node (should still exist) @@ -141,9 +145,9 @@ in_cache txt third2.second1.top1.flushtest.example || ret=1 $RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example in_cache txt third2.second1.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing of individual nodes (another leaf node, with both positive and negative cache entries) ($n)" ret=0 # another leaf node, with both positive and negative cache entries @@ -153,16 +157,16 @@ $RNDC $RNDCOPTS flushname third1.second1.top1.flushtest.example in_cache a third1.second1.top1.flushtest.example && ret=1 in_cache txt third1.second1.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing a nonexistent name ($n)" ret=0 $RNDC $RNDCOPTS flushname fake.flushtest.example || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing of namespaces ($n)" ret=0 clear_cache 
@@ -187,43 +191,43 @@ in_cache txt second1.top2.flushtest.example && ret=1 in_cache txt second2.top2.flushtest.example && ret=1 in_cache txt second3.top2.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushing a nonexistent namespace ($n)" ret=0 $RNDC $RNDCOPTS flushtree fake.flushtest.example || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | egrep '(TXT|ANY)' | wc -l` +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l) [ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check the check that flushname of a partial match works ($n)" ret=0 in_cache txt second2.top1.flushtest.example || ret=1 $RNDC $RNDCOPTS flushtree example in_cache txt second2.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | egrep '(TXT|ANY)' | wc -l` +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) [ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check flushtree clears adb correctly ($n)" ret=0 load_cache 
@@ -232,7 +236,6 @@ mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a sed -n '/plain success\/timeout/,/Unassociated entries/p' \ ns2/named_dump.db.test$n.a > sed.out.$n.a grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1 grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1 $RNDC $RNDCOPTS flushtree flushtest.example || ret=1 dump_cache @@ -240,26 +243,25 @@ mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b sed -n '/plain success\/timeout/,/Unassociated entries/p' \ ns2/named_dump.db.test$n.b > sed.out.$n.b grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1 grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check expire option returned from primary zone ($n)" ret=0 -$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire +$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 grep EXPIRE: dig.out.expire > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check expire option returned from secondary zone ($n)" ret=0 -$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire +$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 grep EXPIRE: dig.out.expire > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/cacheclean/tests_sh_cacheclean.py b/bin/tests/system/cacheclean/tests_sh_cacheclean.py new file mode 100644 index 0000000000..e47157eb32 --- /dev/null 
+++ b/bin/tests/system/cacheclean/tests_sh_cacheclean.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_cacheclean(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/case/clean.sh b/bin/tests/system/case/clean.sh index 136b91b5d0..2c7bf979a6 100644 --- a/bin/tests/system/case/clean.sh +++ b/bin/tests/system/case/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/case/ns1/dynamic.db.in b/bin/tests/system/case/ns1/dynamic.db.in index ee1c464e38..b39b5196b5 100644 --- a/bin/tests/system/case/ns1/dynamic.db.in +++ b/bin/tests/system/case/ns1/dynamic.db.in 
@@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL 300 ; 5 minutes $ORIGIN DyNaMiC. @ IN SOA mname1. . ( diff --git a/bin/tests/system/case/ns1/example.db b/bin/tests/system/case/ns1/example.db index 8aba293683..b58414c2f5 100644 --- a/bin/tests/system/case/ns1/example.db +++ b/bin/tests/system/case/ns1/example.db @@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL 300 ; 5 minutes @ IN SOA mname1. . ( 2000042407 ; serial diff --git a/bin/tests/system/case/ns1/named.conf.in b/bin/tests/system/case/ns1/named.conf.in index c13ac69816..fa0d8084d8 100644 --- a/bin/tests/system/case/ns1/named.conf.in +++ b/bin/tests/system/case/ns1/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -22,6 +24,7 @@ options { ixfr-from-differences yes; check-integrity no; minimal-responses no; + dnssec-validation no; }; zone "example" { diff --git a/bin/tests/system/case/ns2/named.conf.in b/bin/tests/system/case/ns2/named.conf.in index 00dc52625f..fe0b52ca7a 100644 --- a/bin/tests/system/case/ns2/named.conf.in +++ b/bin/tests/system/case/ns2/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -23,6 +25,7 @@ options { check-integrity no; no-case-compress { 10.53.0.2; }; minimal-responses no; + dnssec-validation no; }; zone "example" { diff --git a/bin/tests/system/case/setup.sh b/bin/tests/system/case/setup.sh index 145e66e3ab..c9de4ee81c 100644 --- a/bin/tests/system/case/setup.sh +++ b/bin/tests/system/case/setup.sh 
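Review bot: The `dnssec-validation no;` line added to the `options` block of both ns1/named.conf.in and ns2/named.conf.in carries no comment, and the rest of the options block is outside these hunks, so a reader cannot tell whether validation is switched off because these servers are never expected to resolve or only to keep the test environment free of trust-anchor lookups. A short comment next to the line, e.g. `/* validation disabled: no trust anchors are provisioned in this test setup */` (adjusted to the actual reason), would make the intent explicit; this is a config file, so the note is documentation only.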
@@ -1,7 +1,11 @@
+#!/bin/sh
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/case/tests.sh b/bin/tests/system/case/tests.sh
index 2764a6066a..6b40574b66 100644
--- a/bin/tests/system/case/tests.sh
+++ b/bin/tests/system/case/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
@@ -22,67 +26,67 @@ wait_for_serial() ( status=0 n=0 -n=`expr $n + 1` +n=$((n + 1)) echo_i "waiting for zone transfer to complete ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 do - $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n + $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n || true grep SOA dig.ns2.test$n > /dev/null && break sleep 1 done for i in 1 2 3 4 5 6 7 8 9 do - $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n + $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n || true grep SOA dig.ns2.test$n > /dev/null && break sleep 1 done -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing case preserving responses - no acl ($n)" ret=0 -$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n || ret=1 grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)" ret=0 # check that we preserve zone case for non-matching query (10.53.0.1) -$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n || ret=1 grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 # check that we don't preserve zone case for match (10.53.0.2) -$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS mx example. 
-b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n || ret=1 grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1 grep "mail.example" dig.ns2.test$n > /dev/null || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "change SOA owner case via update ($n)" $NSUPDATE << EOF server 10.53.0.1 ${PORT} 
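Review bot: The `$NSUPDATE << EOF` at the end of this hunk (and again in `@@ -90,31 +94,31 @@`) stays unguarded while the first hunk of this file adds `set -e`, so an nsupdate failure now terminates the script before the `digcomp` check, the `echo_i "failed"` line and the exit-status summary run; the commit guards every `$DIG` in these hunks with `|| ret=1` but not these two calls. Changing the line to `$NSUPDATE << EOF || ret=1` keeps the failure inside the existing per-test accounting. Note also that neither "change … owner case via update" step resets `ret=0` before the update, so a failure carried over from the previous step would be counted twice in `status`; that looks pre-existing rather than introduced here. The heredoc body of each update continues past the hunk boundary.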
@@ -90,31 +94,31 @@ zone dynamic update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600 send EOF -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "wait for zone to transfer ($n)" retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check SOA owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) #update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1 -n=`expr $n + 1` +n=$((n + 1)) echo_i "change A record owner case via update ($n)" $NSUPDATE << EOF server 10.53.0.1 ${PORT} 
@@ -122,26 +126,26 @@ zone dynamic update add Ns1.DyNaMIC. 300 IN A 10.53.0.1 send EOF -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postns1.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) ret=0 echo_i "wait for zone to transfer ($n)" retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check A owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postns1.good || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/case/tests_sh_case.py b/bin/tests/system/case/tests_sh_case.py new file mode 100644 index 0000000000..bbe94d3773 --- /dev/null +++ b/bin/tests/system/case/tests_sh_case.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_case(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/catz/.gitignore b/bin/tests/system/catz/.gitignore index 85e2e07384..aaae88df39 100644 --- a/bin/tests/system/catz/.gitignore +++ b/bin/tests/system/catz/.gitignore 
@@ -10,8 +10,11 @@ /ns2/catalog*.example.db /ns1/*dom*.example.db +/ns3/dom2.example.db /ns3/dom13.example.db /ns3/dom14.example.db +/ns3/dom17.example.db +/ns3/dom18.example.db /ns2/zonedir diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh index 7b90c69770..21dbc752c1 100644 --- a/bin/tests/system/catz/clean.sh +++ b/bin/tests/system/catz/clean.sh @@ -1,7 +1,11 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -9,19 +13,25 @@ rm -f dig.out.* rm -f ns*/*.jnl +rm -f ns*/*.mkeys +rm -f ns*/*.nzd ns*/*.nzd-lock rm -f ns*/*.nzf +rm -f ns*/managed-keys.bind* +rm -f ns*/named.conf rm -f ns*/named.lock rm -f ns*/named.memstats -rm -f ns*/named.conf rm -f ns*/named.run rm -f ns*/named.run.prev rm -f ns1/*dom*example.db +rm -f ns1/tls1.example.db rm -f ns2/__catz__*db +rm -f ns2/catalog-bad*.db rm -f ns2/named.conf.tmp -rm -f ns3/dom13.example.db ns3/dom14.example.db -rm -f nsupdate.out.* +rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db +rm -f ns4/__catz__*db +rm -f ns4/catalog-self.example.db rm -f ns[123]/catalog[1234].example.db -rm -rf ns2/zonedir -rm -f ns*/*.nzd ns*/*.nzd-lock -rm -f ns*/managed-keys.bind* +rm -f ns[14]/catalog-tls.example.db +rm -f nsupdate.out.* rm -f wait_for_message.* +rm -rf ns2/zonedir diff --git a/bin/tests/system/catz/ns1/catalog-bad1.example.db b/bin/tests/system/catz/ns1/catalog-bad1.example.db new file mode 100644 index 0000000000..b8402de301 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad1.example.db 
@@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. diff --git a/bin/tests/system/catz/ns1/catalog-bad2.example.db b/bin/tests/system/catz/ns1/catalog-bad2.example.db new file mode 100644 index 0000000000..06b9121f13 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad2.example.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "99" diff --git a/bin/tests/system/catz/ns1/catalog-bad3.example.db b/bin/tests/system/catz/ns1/catalog-bad3.example.db new file mode 100644 index 0000000000..0116697de3 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad3.example.db 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" +version IN TXT "2" diff --git a/bin/tests/system/catz/ns1/catalog-bad4.example.db b/bin/tests/system/catz/ns1/catalog-bad4.example.db new file mode 100644 index 0000000000..d04bab321c --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad4.example.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN A 10.53.0.1 diff --git a/bin/tests/system/catz/ns1/catalog-bad5.example.db b/bin/tests/system/catz/ns1/catalog-bad5.example.db new file mode 100644 index 0000000000..b014d0a2d2 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad5.example.db 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 CH NS invalid. +version CH TXT "2" diff --git a/bin/tests/system/catz/ns1/catalog.example.db.in b/bin/tests/system/catz/ns1/catalog.example.db.in index dc18bf5b73..6b52947922 100644 --- a/bin/tests/system/catz/ns1/catalog.example.db.in +++ b/bin/tests/system/catz/ns1/catalog.example.db.in @@ -1,12 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. @ 3600 SOA . . 1 86400 3600 86400 3600 @ 3600 IN NS invalid. -version IN TXT "1" +version IN TXT "2" diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 121866910a..7ffec5a809 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -20,46 +22,124 @@ options { notify-source 10.53.0.1; transfer-source 10.53.0.1; port @PORT@; + tls-port @TLSPORT@; allow-new-zones yes; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on port @EXTRAPORT1@ { 10.53.0.1; }; + listen-on tls ephemeral { 10.53.0.1; }; listen-on-v6 { none; }; notify no; + notify-delay 0; recursion no; allow-transfer { any; }; + dnssec-validation no; }; -zone "catalog1.example" { - type primary; - file "catalog1.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; +view "default" { -zone "catalog3.example" { - type primary; - file "catalog3.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; + zone "catalog1.example" { + type primary; + file "catalog1.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; -zone "catalog4.example" { - type primary; - file "catalog4.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; + /* catalog2 is provided by the ns3 primary */ + + zone "catalog3.example" { + type primary; + file "catalog3.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + zone "catalog4.example" { + type primary; + file "catalog4.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + /* catalog5 is missing on purpose */ + + # No "version" property + zone "catalog-bad1.example" { + type primary; + file "catalog-bad1.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + # Unsupported "version" property + zone "catalog-bad2.example" { + type primary; + file "catalog-bad2.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify 
explicit; + }; + + # Two RRs in TXT RRset for the "version" property + zone "catalog-bad3.example" { + type primary; + file "catalog-bad3.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + # Type A "version" property + zone "catalog-bad4.example" { + type primary; + file "catalog-bad4.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + # A catalog zone that requires TLS to be used + zone "catalog-tls.example" { + type primary; + file "catalog-tls.example.db"; + allow-transfer transport tls { key tsig_key; }; + allow-update { any; }; + also-notify { 10.53.0.4; }; + notify explicit; + }; }; -/* catalog5 is missing on purpose */ +view "ch" ch { + + # Non-IN class catalog zone + zone "catalog-bad5.example" ch { + type primary; + file "catalog-bad5.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + +}; key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; +}; + +key next_key. { + secret "LaAnCU+Z"; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/catz/ns2/dom-existing.example.db b/bin/tests/system/catz/ns2/dom-existing.example.db new file mode 100644 index 0000000000..b8402de301 --- /dev/null +++ b/bin/tests/system/catz/ns2/dom-existing.example.db @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. 
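Review bot: Every catalog zone in the new `view "default"` block carries `allow-update { any; };` with no TSIG requirement, and the file says nothing about why; since a catalog zone's contents decide which zones every consuming secondary auto-provisions, that relaxation deserves an explicit marker so it is never copied into a real deployment. I would put `# Test-only: unauthenticated dynamic updates let tests.sh drive the catalog via nsupdate; never do this in production.` above the first zone. The `catalog-tls.example` zone is the one place the hunk shows a tighter policy (`allow-transfer transport tls { key tsig_key; };`), so a one-line comment stating that both TLS transport and the TSIG key are required there would make the contrast deliberate rather than accidental. The `next_key.` key is defined at the end of the file but nothing visible in this hunk references it; presumably a later test uses it for a key change, and `# used by tests.sh to exercise a TSIG key change` would save the reader a search.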
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in deleted file mode 100644 index 30333e6e1b..0000000000 --- a/bin/tests/system/catz/ns2/named.conf.in +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -include "../../common/rndc.key"; - -controls { - inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { fd92:7065:b8e:ffff::2; }; - notify no; - recursion no; - serial-query-rate 100; - catalog-zones { - zone "catalog1.example" - default-masters { 10.53.0.1; } - in-memory no - zone-directory "zonedir"; - zone "catalog2.example" - default-masters { 10.53.0.1 port @EXTRAPORT1@; } - in-memory yes; - zone "catalog3.example" - default-masters { 10.53.0.1; } - zone-directory "nonexistent"; -#T1 zone "catalog4.example" -#T1 default-masters { 10.53.0.1; }; -#T2 zone "catalog5.example" -#T2 default-masters { 10.53.0.1; }; - }; -}; - -zone "catalog1.example" { - type secondary; - file "catalog1.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog2.example" { - type secondary; - file "catalog2.example.db"; - primaries { 10.53.0.3; }; -}; - -zone "catalog3.example" { - type secondary; - file "catalog3.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog4.example" { - type secondary; - file "catalog4.example.db"; - primaries { 10.53.0.1; }; -}; - -key tsig_key. { - secret "LSAnCU+Z"; - algorithm hmac-md5; -}; 
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in new file mode 100644 index 0000000000..2ee9da4d31 --- /dev/null +++ b/bin/tests/system/catz/ns2/named1.conf.in 
@@ -0,0 +1,194 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + notify no; + notify-delay 0; + recursion no; + serial-query-rate 100; + dnssec-validation no; +}; + +/* + * The comment lines starting with "#Tn" markers below are designed to be + * uncommented by "tests.sh" when running the tests to perform some of required + * tests which need ns2 reconfgiuration. 
+ */ + +view "default" { + + catalog-zones { + zone "catalog1.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory no + zone-directory "zonedir"; + zone "catalog2.example" + default-primaries { 10.53.0.1 port @EXTRAPORT1@; } + min-update-interval 1s + in-memory yes; + zone "catalog3.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + zone-directory "nonexistent"; +#T1 zone "catalog4.example" +#T1 min-update-interval 1s +#T1 default-masters { 10.53.0.1; }; +#T2 zone "catalog5.example" +#T2 min-update-interval 1s +#T2 default-primaries { 10.53.0.1; }; + zone "catalog-bad1.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory yes; + zone "catalog-bad2.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory yes; + zone "catalog-bad3.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory yes; + zone "catalog-bad4.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory yes; + }; + + # A faulty dlz configuration to check if named and catz survive a certain class + # of failed configuration attempts (see GL #3060). + # We use "dlz" because the dlz processing code is located in an ideal place in + # the view configuration function for the test to cover the view reverting code. 
+#T3 dlz "bad-dlz" { +#T3 database "dlopen bad-dlz.so example.org"; +#T3 }; + + zone "dom-existing.example" { + type primary; + file "dom-existing.example.db"; + }; + + zone "dom-existing-forward.example" { + type forward; + forward only; + forwarders { 10.53.0.1; }; + }; + + zone "dom-existing-forward-off.example" { + type forward; + forward only; + forwarders { }; + }; + + zone "catalog1.example" { + type secondary; + file "catalog1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog2.example" { + type secondary; + file "catalog2.example.db"; + primaries { 10.53.0.3; }; + }; + + zone "catalog3.example" { + type secondary; + file "catalog3.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog4.example" { + type secondary; + file "catalog4.example.db"; + primaries { 10.53.0.1; }; + }; + + # When the following zone configuration is enabled, "dom3.example" should + # already exist as a member of "catalog1.example", and named should be able + # to deal with that situation (see GL #3911). Make sure that this duplicate + # zone comes after the the "catalog1.example" zone in the configuration file. 
+#T4 zone "dom3.example" { +#T4 type secondary; +#T4 file "dom2.example.db"; +#T4 }; + + # No "version" property + zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; + }; + + # Unsupported "version" property + zone "catalog-bad2.example" { + type secondary; + file "catalog-bad2.example.db"; + primaries { 10.53.0.1; }; + }; + + # Two RRs in TXT RRset for the "version" property + zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; + }; + + # Type A "version" property + zone "catalog-bad4.example" { + type secondary; + file "catalog-bad4.example.db"; + primaries { 10.53.0.1; }; + }; + +}; + +view "ch" ch { + + catalog-zones { + zone "catalog-bad5.example" + default-masters { 10.53.0.1; } + in-memory yes; + }; + + # Non-IN class catalog zone + zone "catalog-bad5.example" ch { + type secondary; + file "catalog-bad5.example.db"; + primaries { 10.53.0.1; }; + }; + +}; + +key tsig_key. { + secret "LSAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; + +key next_key. { + secret "LaAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in new file mode 100644 index 0000000000..5ca4e3e7d6 --- /dev/null +++ b/bin/tests/system/catz/ns2/named2.conf.in 
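Review bot: The block comment explaining the `#Tn` markers has a typo, `reconfgiuration`, which should read `reconfiguration`. The `catalog-zones` statement mixes `default-masters` and `default-primaries` across entries (for example `catalog1.example` versus `catalog2.example`); if that is meant to exercise both spellings of the option, a comment such as `# Both "default-masters" and "default-primaries" are used on purpose to cover the deprecated and current spellings.` would stop a future cleanup from "normalising" it and silently losing coverage. Likewise `zone-directory "nonexistent";` on `catalog3.example` reads like a mistake until one guesses it is a negative test; `# Deliberately missing directory: member zones of catalog3 must fail to be written.` would make the intent explicit. The `catalog-zones` block inside `view "ch"` is presumably there only to trigger the class-IN check that tests.sh later greps for, and saying so next to it would help.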
@@ -0,0 +1,128 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + notify no; + notify-delay 0; + recursion no; + serial-query-rate 100; + dnssec-validation no; +}; + +view "default" { + + # Removed catalog-zone option, otherwise this is + # identical to named1.conf.in + + zone "dom-existing.example" { + type primary; + file "dom-existing.example.db"; + }; + + zone "dom-existing-forward.example" { + type forward; + forward only; + forwarders { 10.53.0.1; }; + }; + + zone "dom-existing-forward-off.example" { + type forward; + forward only; + forwarders { }; + }; + + zone "catalog1.example" { + type secondary; + file "catalog1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog2.example" { + type secondary; + file "catalog2.example.db"; + primaries { 10.53.0.3; }; + }; + + zone "catalog3.example" { + type secondary; + file "catalog3.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog4.example" { + type secondary; + file "catalog4.example.db"; + primaries { 10.53.0.1; }; + }; + + # No "version" property + zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; + }; + + # Unsupported "version" property + zone "catalog-bad2.example" { + type secondary; + file 
"catalog-bad2.example.db"; + primaries { 10.53.0.1; }; + }; + + # Two RRs in TXT RRset for the "version" property + zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; + }; + + # Type A "version" property + zone "catalog-bad4.example" { + type secondary; + file "catalog-bad4.example.db"; + primaries { 10.53.0.1; }; + }; + +}; + +view "ch" ch { + + # Removed catalog-zone option, otherwise this is + # identical to named1.conf.in + + # Non-IN class catalog zone + zone "catalog-bad5.example" ch { + type secondary; + file "catalog-bad5.example.db"; + primaries { 10.53.0.1; }; + }; + +}; + +key tsig_key. { + secret "LSAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; diff --git a/bin/tests/system/catz/ns3/catalog.example.db.in b/bin/tests/system/catz/ns3/catalog.example.db.in new file mode 100644 index 0000000000..eccb4f1004 --- /dev/null +++ b/bin/tests/system/catz/ns3/catalog.example.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 2670950424 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" diff --git a/bin/tests/system/catz/ns3/dom5.example.db b/bin/tests/system/catz/ns3/dom5.example.db index f61860dd80..5779aaf34e 100644 --- a/bin/tests/system/catz/ns3/dom5.example.db +++ b/bin/tests/system/catz/ns3/dom5.example.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/catz/ns3/dom6.example.db b/bin/tests/system/catz/ns3/dom6.example.db index f61860dd80..5779aaf34e 100644 --- a/bin/tests/system/catz/ns3/dom6.example.db +++ b/bin/tests/system/catz/ns3/dom6.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in index 9ec5e0f23f..b1bbc1ea19 100644 --- a/bin/tests/system/catz/ns3/named.conf.in +++ b/bin/tests/system/catz/ns3/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -26,7 +28,9 @@ options { listen-on { 10.53.0.3; }; listen-on-v6 { fd92:7065:b8e:ffff::3; }; notify no; + notify-delay 0; recursion no; + dnssec-validation no; }; zone "catalog2.example" { diff --git a/bin/tests/system/catz/ns4/catalog.example.db.in b/bin/tests/system/catz/ns4/catalog.example.db.in new file mode 100644 index 0000000000..a0bab0dfe2 --- /dev/null +++ b/bin/tests/system/catz/ns4/catalog.example.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in new file mode 100644 index 0000000000..2f43c25e18 --- /dev/null +++ b/bin/tests/system/catz/ns4/named.conf.in 
@@ -0,0 +1,66 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { fd92:7065:b8e:ffff::4; }; + notify no; + notify-delay 0; + recursion no; + serial-query-rate 100; + ixfr-from-differences yes; // GL #3777 + dnssec-validation no; + + catalog-zones { + zone "catalog-tls.example" + min-update-interval 1s + default-primaries { 10.53.0.1 key tsig_key tls ephemeral; }; + zone "catalog-self.example" + min-update-interval 1s + default-primaries { 10.53.0.4; }; + }; +}; + +zone "catalog-tls.example" { + type secondary; + file "catalog-tls.example.db"; + primaries { 10.53.0.1 key tsig_key tls ephemeral; }; +}; + +zone "catalog-self.example" { + type primary; + file "catalog-self.example.db"; + notify explicit; +}; + +key tsig_key. { + secret "LSAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; + +key next_key. { + secret "LaAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh index 78a558913f..eb2e53bd1a 100644 --- a/bin/tests/system/catz/setup.sh +++ b/bin/tests/system/catz/setup.sh 
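Review bot: `default-primaries { 10.53.0.1 key tsig_key tls ephemeral; }` and the matching `primaries` statement use the built-in `ephemeral` TLS configuration on the client side with no `ca-file` or `remote-hostname` visible anywhere in this file, so as far as this configuration shows the transfer is encrypted but the primary's certificate is not authenticated; authenticity of the catalog content rests entirely on the TSIG key. That is fine for a test that only needs to prove the `transport tls` ACL path works, but the file should say so, e.g. `# "tls ephemeral" gives encryption only (no peer certificate check); the TSIG key is what authenticates ns1 here.` The `catalog-self.example` zone is a type-primary zone that is also listed as its own catalog with `default-primaries { 10.53.0.4; }`, and nothing explains that arrangement; presumably it checks catalog processing on a zone served locally rather than transferred, and a one-line comment to that effect (alongside the existing `// GL #3777` hint) would help.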
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -14,12 +16,15 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns2/named1.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf cp -f ns1/catalog.example.db.in ns1/catalog1.example.db -cp -f ns1/catalog.example.db.in ns3/catalog2.example.db +cp -f ns3/catalog.example.db.in ns3/catalog2.example.db cp -f ns1/catalog.example.db.in ns1/catalog3.example.db cp -f ns1/catalog.example.db.in ns1/catalog4.example.db +cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db +cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db mkdir -p ns2/zonedir diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index e3328857f9..fffd17016e 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -1,9 +1,11 @@ #!/bin/sh -x -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
@@ -78,6 +80,53 @@ wait_for_no_zonefile() ( status=0 n=0 + +########################################################################## +n=$((n+1)) +echo_i "checking that catalog-bad1.example (with no version) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record and will not be processed" && +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad2.example (with unsupported version) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad3.example (with two supported version records) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" && +wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" && +wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' version is not set" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad4.example (with only spurious type A version record) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" && +wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 
]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad5.example (non-IN class) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "'catalog-zones' option is only supported for views with class IN" && +wait_for_message ns2/named.run "all zones loaded" || ret=1 +grep -F "catz: dns_catz_zone_add catalog-bad5.example" ns2/named.run && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + ########################################################################## echo_i "Testing adding/removing of domain in catalog zone" n=$((n+1)) @@ -90,9 +139,14 @@ status=$((status+ret)) n=$((n+1)) echo_i "Adding a domain dom1.example. to primary via RNDC ($n)" ret=0 +# enough initial content for IXFR response when TXT record is added below echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db -echo "@ IN NS invalid." >> ns1/dom1.example.db -rndccmd 10.53.0.1 addzone dom1.example. '{type primary; file "dom1.example.db";};' || ret=1 +echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db +echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db +rndccmd 10.53.0.1 addzone dom1.example. in default '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
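Review bot: The `catalog-bad1.example` check can never report a failure: its `wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record and will not be processed" &&` line is followed directly by the `if [ $ret -ne 0 ]` statement, so the `if` compound command becomes the right-hand side of `&&` and `ret` is never set to 1 when the message does not appear. The four sibling checks in the same hunk end their chains with `|| ret=1`; this one should too, i.e. `wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record and will not be processed" || ret=1`. As written, the test silently passes even if a regression makes named accept a catalog zone with no version record, which is exactly the condition it exists to catch.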
@@ -120,7 +174,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -134,7 +188,94 @@ status=$((status+ret)) n=$((n+1)) echo_i "checking that zone-directory is populated ($n)" ret=0 -wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 +wait_for_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "update dom1.example. ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add dom1.example 0 IN TXT added record + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for secondary to be updated ($n)" +ret=0 +wait_for_txt() { + dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "IN.TXT." dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_txt || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that journal was created for cleanup test ($n)" +ret=0 +test -f ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "update catalog zone serial ($n)" +ret=0 +# default minimum update rate is once / 5 seconds +sleep 5 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for catalog zone to transfer ($n)" +ret=0 +wait_for_soa_equal_20() { + dig_with_opts @10.53.0.2 SOA catalog1.example. 
> dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep 'IN.SOA.\. \. 20 ' dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_soa_equal_20 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "update dom1.example. again ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add foo.dom1.example 0 IN TXT added record + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for secondary to be updated again ($n)" +ret=0 +wait_for_txt() { + dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1 + grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "IN.TXT." dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -152,7 +293,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom1.example' deleted" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
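Review bot: The comment `# default minimum update rate is once / 5 seconds` above `sleep 5` does not match the configuration this test runs against: ns2/named1.conf.in in this same change sets `min-update-interval 1s` on `catalog1.example`, so either the sleep can be shortened to match, or the comment should say what the wait is actually for (for example `# give the catalog zone a moment to settle before bumping its serial`) so the next reader does not "fix" it in the wrong direction. Separately, `wait_for_txt` is defined twice in this hunk with different bodies (`dom1.example.` expecting one answer, then `foo.dom1.example.` expecting two); the shell accepts the redefinition, but a single helper taking the name and expected count as arguments, or two distinctly named functions, would avoid a confusing shadowing pattern in a test file that is already long.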
@@ -166,10 +307,13 @@ status=$((status+ret)) n=$((n+1)) echo_i "checking that zone-directory is emptied ($n)" ret=0 -wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 +wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 +wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + ########################################################################## echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" n=$((n+1)) @@ -177,7 +321,18 @@ echo_i "adding domain dom2.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db echo "@ IN NS invalid." >> ns1/dom2.example.db -rndccmd 10.53.0.1 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 +echo "@ IN A 192.0.2.1" >> ns1/dom2.example.db +rndccmd 10.53.0.1 addzone dom2.example. in default '{type primary; file "dom2.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding domain dom2.example. to primary ns3 via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom2.example.db +echo "@ IN NS invalid." >> ns3/dom2.example.db +echo "@ IN A 192.0.2.2" >> ns3/dom2.example.db +rndccmd 10.53.0.3 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
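Review bot: `dom2.example.` is now created on both primaries with deliberately different apex A records (`192.0.2.1` on ns1, `192.0.2.2` on ns3), but the hunk gives no hint why; presumably the distinct addresses let later checks tell which catalog's primary is serving the zone once ownership moves, and a comment such as `# distinct A records so later checks can tell which primary (ns1 or ns3) is serving dom2.example` above the first `echo` would make that readable. Note the ns3 `rndccmd ... addzone` intentionally omits `in default`, consistent with ns3/named.conf.in having no views, whereas the ns1 call needs it; a short comment on that asymmetry would prevent someone "harmonising" the two commands and breaking the ns3 call. The enclosing test script continues outside this hunk.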
@@ -186,7 +341,7 @@ echo_i "adding domain dom4.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db echo "@ IN NS invalid." >> ns1/dom4.example.db -rndccmd 10.53.0.1 addzone dom4.example. '{type primary; file "dom4.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom4.example. in default '{type primary; file "dom4.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -196,6 +351,7 @@ ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." update add b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. update add trash.catalog1.example. 3600 IN A 1.2.3.4 @@ -207,7 +363,6 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 update add blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah" update add version.catalog1.example. 3600 IN A 1.2.3.4 send - END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
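Review bot: The new `update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example."` line introduces a change-of-ownership property into the catalog with no comment, in the middle of an nsupdate batch that otherwise adds deliberately malformed "garbage" records. A reader cannot tell whether this is more garbage or the setup for a later ownership-transfer check; presumably it is the latter, and a comment like `# coo: permit dom2.example to migrate from catalog1 to catalog2 (change of ownership)` would make the distinction explicit. The nsupdate heredoc and the surrounding test step continue outside this hunk.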
@@ -223,12 +378,14 @@ END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" && +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -239,7 +396,6 @@ wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - n=$((n+1)) echo_i "checking that dom3.example. is not served by primary ($n)" ret=0 @@ -252,7 +408,7 @@ echo_i "adding a domain dom3.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db echo "@ IN NS invalid." >> ns1/dom3.example.db -rndccmd 10.53.0.1 addzone dom3.example. '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 +rndccmd 10.53.0.1 addzone dom3.example. in default '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
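Review bot: The expected message `catz: updating catalog zone 'catalog2.example' with serial 2670950425` pins a literal SOA serial that has to match whatever ns3's catalog2 zone data carries at that point, and nothing in the script says where the number comes from, so a later edit to that zone file or to the preceding updates silently breaks this wait. A comment such as `# serial must equal the catalog2.example SOA serial on ns3 after the updates above` would make the coupling visible; if the rest of the message is specific enough for the check, waiting on `catz: updating catalog zone 'catalog2.example'` alone would remove the coupling altogether.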
@@ -266,10 +422,8 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -280,75 +434,76 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# The member zone's PTR RRset must have only one record in it. +# Check that adding a second record to the RRset is caught and such a +# catalog zone is not processed. n=$((n+1)) -echo_i "removing all records from catalog1 zone ($n)" +echo_i "adding domain dom4-reused-label.example. to catalog2 zone, reusing a label ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. - update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. - update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. - update delete trash.catalog1.example. 3600 IN A 1.2.3.4 - update delete trash2.foo.catalog1.example. 3600 IN A 1.2.3.4 - update delete trash3.zones.catalog1.example. 3600 IN NS a.dom2.example. - update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. - update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. - update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30 - update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah" - update delete version.catalog1.example. 3600 IN A 1.2.3.4 + server 10.53.0.3 ${PORT} + update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. 
send - END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "removing all records from catalog2 zone ($n)" +echo_i "waiting for secondary to sync up, and checking that the reused label has been caught ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.3 ${PORT} - update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. - send -END +wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing masters suboption and random labels" +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "adding dom5.example. with a valid masters suboption (IP without TSIG) and a random label ($n)" +echo_i "deleting domain dom4-reused-label.example. from catalog2 zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. - update add masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 + server 10.53.0.3 ${PORT} + update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# Test zone associated state reset. n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "renaming the label of domain dom4.example. 
in catalog2 zone ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. + update add dom4-renamed-label.zones.catalog2.example. 3600 IN PTR dom4.example. + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom5.example. is served by secondary ($n)" +echo_i "waiting for secondary to sync up, and checking that the zone has been reset ($n)" ret=0 -wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 +wait_for_message ns2/named.run "catz: zone 'dom4.example' unique label has changed, reset state" && +wait_for_message ns2/named.run "catz: deleting zone 'dom4.example' from catalog 'catalog2.example' - success" && +wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "removing dom5.example. ($n)" +echo_i "adding domain dom2.example. to catalog2 zone to test change of ownership ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. - update delete masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 + server 10.53.0.3 ${PORT} + update add dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. + update add primaries.dom2-without-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
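Review bot: After the nsupdate that deletes the duplicate `update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example.` record, the script runs `nextpart ns2/named.run >/dev/null` without waiting for the secondary to process the repaired catalog2 zone, so the test never confirms that a catalog marked "broken and will not be processed" recovers once the offending record is gone. The following rename step issues another catalog2 update and implicitly relies on that recovery. Adding `wait_for_message ns2/named.run "<log line emitted when catalog2 is accepted again>" || ret=1` before the `nextpart` would close the gap; the exact text named logs for that case is not visible in this diff, so the placeholder needs to be filled in from the server's log output.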
@@ -357,28 +512,33 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom5.example. is no longer served by secondary ($n)" +echo_i "checking that unpermitted change of ownership did not happen ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 +wait_for_message ns2/named.run "catz_addmodzone_cb: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom2.example. is served by secondary and that it's the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null -########################################################################## -echo_i "Testing masters global option" n=$((n+1)) -echo_i "adding dom6.example. and a valid global masters option (IP without TSIG) ($n)" +echo_i "adding change of ownership permission record for dom2.example. into catalog1 zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add masters.catalog1.example. 3600 IN A 10.53.0.3 - update add masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 - update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
@@ -387,54 +547,72 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom6.example/IN' from " > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog1.example'" && +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom6.example. is served by secondary ($n)" +echo_i "updating catalog2 zone to initiate a zone transfer ($n)" ret=0 -wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. + update delete primaries.dom2-without-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 + update add dom2-with-coo.zones.catalog2.example. 3600 IN PTR dom2.example. + update add primaries.dom2-with-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "removing dom6.example. ($n)" +echo_i "waiting for secondary to sync up and checking that the change of ownership was successful ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete masters.catalog1.example. 3600 IN A 10.53.0.3 - update delete masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 - update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. 
- send -END +wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" && +wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" && +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" && +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "checking that dom2.example. is served by secondary and that it's now the one from ns3 ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1 +wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 +grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "checking that dom6.example. is no longer served by secondary ($n)" +echo_i "removing dom2.example. and its change of ownership permission record from catalog1 zone ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "adding dom6.example. 
and an invalid global masters option (TSIG without IP) ($n)" +echo_i "adding change of ownership permission record for dom2.example. into catalog2 zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update add label1.masters.catalog1.example. 3600 IN TXT "tsig_key" - update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + server 10.53.0.3 ${PORT} + update add coo.dom2-with-coo.zones.catalog2.example. 3600 IN PTR catalog1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
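Review bot: In the step `removing dom2.example. and its change of ownership permission record from catalog1 zone`, the only evidence awaited is `wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1`, and that message names neither the catalog nor the member zone, so an update of either catalog zone satisfies it; the same generic wait opens the next hunk (-443,113) after the coo record is added to catalog2. Since dom2.example. now belongs to catalog2, no delete message is expected here, which is presumably why the generic line was chosen; a comment like `# dom2.example is owned by catalog2 now, so this removal must not log a delete; only the generic iteration message is available` would record that intent. A `wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1` followed by `grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1` right after the wait would turn the implicit "nothing happened" expectation into an explicit check.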
@@ -443,113 +621,120 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom6.example\"" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "removing dom6.example. ($n)" +echo_i "adding back dom2.example. into catalog1 zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update delete label1.masters.catalog1.example. 3600 IN TXT "tsig_key" - update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "checking that the change of ownership did not happen because version '1' catalog2 zone does not support the 'coo' property ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +wait_for_message ns2/named.run "catz_addmodzone_cb: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## n=$((n+1)) -echo_i "Checking that a missing zone directory forces in-memory ($n)" +echo_i "checking that dom2.example. 
is still served by secondary and that it's still the one from ns3 ($n)" ret=0 -grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 +grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing allow-query and allow-transfer ACLs" +nextpart ns2/named.run >/dev/null + +# GL #3060 n=$((n+1)) -echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" +echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db -echo "@ IN NS invalid." >> ns1/dom7.example.db -rndccmd 10.53.0.1 addzone dom7.example. '{type primary; file "dom7.example.db";};' || ret=1 +sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db -echo "@ IN NS invalid." >> ns1/dom8.example.db -rndccmd 10.53.0.1 addzone dom8.example. '{type primary; file "dom8.example.db";};' || ret=1 + +n=$((n+1)) +echo_i "checking again that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom7.example. is now served by primary ($n)" +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 -wait_for_soa @10.53.0.1 dom7.example. 
dig.out.test$n || ret=1 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) nextpart ns2/named.run >/dev/null +# GL #3911 n=$((n+1)) -echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)" +echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. - update add allow-query.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 - send -END +sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# catalog zone update can be deferred +sleep 2 + n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && -wait_for_message ns2/named.run "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 -wait_for_soa @10.53.0.2 dom7.example. 
dig.out.test$n -b 10.53.0.1 || ret=1 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" +echo_i "adding a domain dom-existing.example. to primary via RNDC ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing.example.db +echo "@ IN NS invalid." >> ns1/dom-existing.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom-existing.example.db +rndccmd 10.53.0.1 addzone dom-existing.example. in default '{type primary; file "dom-existing.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" +echo_i "checking that dom-existing.example. is served by primary ($n)" ret=0 -wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 +wait_for_a @10.53.0.1 dom-existing.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" +echo_i "adding domain dom-existing.example. to catalog1 zone to test that existing zones don't get overwritten ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example - update add allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32 - update add allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32 + update add dom-existing.zones.catalog1.example. 3600 IN PTR dom-existing.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
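Review bot: Both failed-reconfiguration steps (the GL #3060 and GL #3911 blocks) run `$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1`, which only asserts that rndc exited non-zero, so an rndc that cannot reach the control channel, or a missing `ns2/named1.conf.in`, also passes and the test cannot tell the intended configuration error from any other failure. Redirecting to `rndc.out.test$n` instead of `/dev/null` and adding `grep "<expected reconfig error text>" rndc.out.test$n > /dev/null || ret=1` would pin the reason (the exact text named reports for the #T3/#T4 configurations is not visible here). The fixed `sleep 2` under `# catalog zone update can be deferred` is a timing assumption as well; if the server logs anything when the deferred update runs, waiting for that message would be more robust than a constant delay. The generated `ns2/named.conf.tmp` is also left behind after each revert, which is harmless but worth an `rm -f`.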
@@ -558,117 +743,269 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && -wait_for_message ns2/named.run "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz_addmodzone_cb: zone 'dom-existing.example' will not be added because it is an explicitly configured zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +echo_i "checking that dom-existing.example. is served by secondary and that it's not the one from the primary ns1 ($n)" ret=0 -wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 +wait_for_a @10.53.0.2 dom-existing.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" +echo_i "adding a domain dom-existing-forward.example. to primary via RNDC ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward.example.db +echo "@ IN NS invalid." >> ns1/dom-existing-forward.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward.example.db +rndccmd 10.53.0.1 addzone dom-existing-forward.example. in default '{type primary; file "dom-existing-forward.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. 
is not AXFR accessible from 10.53.0.1 ($n)" +echo_i "checking that dom-existing-forward.example. is served by primary ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n -grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +wait_for_a @10.53.0.1 dom-existing-forward.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +echo_i "adding domain dom-existing-forward.example. to catalog1 zone to test that existing forward zones don't get overwritten ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add dom-existing-forward.zones.catalog1.example. 3600 IN PTR dom-existing-forward.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz_addmodzone_cb: zone 'dom-existing-forward.example' will not be processed because of the explicitly configured forwarding for that zone" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom-existing-forward.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom-existing-forward.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "deleting global allow-query and allow-domain ACLs ($n)" +echo_i "adding a domain dom-existing-forward-off.example. 
to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward-off.example.db +echo "@ IN NS invalid." >> ns1/dom-existing-forward-off.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward-off.example.db +rndccmd 10.53.0.1 addzone dom-existing-forward-off.example. in default '{type primary; file "dom-existing-forward-off.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom-existing-forward-off.example. is served by primary ($n)" +ret=0 +wait_for_a @10.53.0.1 dom-existing-forward-off.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding domain dom-existing-forward-off.example. to catalog1 zone to test that a zone with turned off forwarding can be used in a catalog zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update delete allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32 - update delete allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32 + update add dom-existing-forward-off.zones.catalog1.example. 3600 IN PTR dom-existing-forward-off.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" && if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +echo_i "checking that dom-existing-forward-off.example. is served by secondary ($n)" ret=0 -wait_for_soa @10.53.0.2 dom8.example. 
dig.out.test$n -b 10.53.0.1 || ret=1 +wait_for_soa @10.53.0.2 dom-existing-forward-off.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" +echo_i "removing all records from catalog1 zone ($n)" ret=0 -wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." + update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. + update delete trash.catalog1.example. 3600 IN A 1.2.3.4 + update delete trash2.foo.catalog1.example. 3600 IN A 1.2.3.4 + update delete trash3.zones.catalog1.example. 3600 IN NS a.dom2.example. + update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30 + update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah" + update delete version.catalog1.example. 3600 IN A 1.2.3.4 + update delete dom-existing.zones.catalog1.example. 3600 IN PTR dom-existing.example. + update delete dom-existing-forward.zones.catalog1.example. 3600 IN PTR dom-existing-forward.example. + update delete dom-existing-forward-off.zones.catalog1.example. 3600 IN PTR dom-existing-forward.example. 
+ send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" +echo_i "removing all records from catalog2 zone ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete dom2-with-coo.zones.catalog2.example. 3600 IN PTR dom2.example. + update delete primaries.dom2-with-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 + update delete coo.dom2-with-coo.zones.catalog2.example. 3600 IN PTR catalog1.example. + update delete dom4-renamed-label.zones.catalog2.example. 3600 IN PTR dom4.example. + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## +echo_i "Testing primaries suboption and random labels" n=$((n+1)) -echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +echo_i "adding dom5.example. with a valid primaries suboption (IP without TSIG) and a random label ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. + update add primaries.ext.somerandomlabel.zones.catalog1.example. 
3600 IN A 10.53.0.3 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom5.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing dom5.example. ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. + update delete primaries.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom5.example' deleted" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom5.example. is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) ########################################################################## -echo_i "Testing TSIG keys for masters set per-domain" +echo_i "Testing primaries global option" n=$((n+1)) -echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" +echo_i "adding dom6.example. and a valid global primaries option (IP without TSIG) ($n)" ret=0 -echo "@ 3600 IN SOA . . 
1 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS invalid." >> ns1/dom9.example.db -rndccmd 10.53.0.1 addzone dom9.example. '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add primaries.ext.catalog1.example. 3600 IN A 10.53.0.3 + update add primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 + update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom9.example. is now served by primary ($n)" +echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom6.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing dom6.example. ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete primaries.ext.catalog1.example. 3600 IN A 10.53.0.3 + update delete primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 + update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. 
+ send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom6.example' deleted" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom6.example. is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "adding domain dom9.example. to catalog1 zone with a valid masters suboption (IP with TSIG) ($n)" +echo_i "adding dom6.example. and an invalid global primaries option (TSIG without IP) ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. - update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 - update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + update add label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key" + update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
@@ -677,26 +1014,70 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom6.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom9.example. is accessible on secondary ($n)" +echo_i "removing dom6.example. ($n)" ret=0 -wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key" + update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "deleting domain dom9.example. from catalog1 zone ($n)" +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +n=$((n+1)) +echo_i "Checking that a missing zone directory forces in-memory ($n)" +ret=0 +grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing allow-query and allow-transfer ACLs" +n=$((n+1)) +echo_i "adding domains dom7.example. 
and dom8.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db +echo "@ IN NS invalid." >> ns1/dom7.example.db +rndccmd 10.53.0.1 addzone dom7.example. in default '{type primary; file "dom7.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db +echo "@ IN NS invalid." >> ns1/dom8.example.db +rndccmd 10.53.0.1 addzone dom8.example. in default '{type primary; file "dom8.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. - update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 - update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. + update add allow-query.ext.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
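Review bot: The allow-query APL added for dom7, `1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0`, is an ordered three-element ACL that readers have to decode by hand before the per-source checks that follow make sense; a comment above the `$NSUPDATE` line (not inside the heredoc, which nsupdate parses) would carry that, e.g. `# allow-query for dom7: permit 10.53.0.1, deny the rest of 10.53.0.0/30 (.2 and .3), permit everyone else`. The two rndc addzone calls for dom7 and dom8 at the top of the section run under a single test number with two status increments, so a failure prints `failed` without saying which zone broke; an `n=$((n+1))` and its own echo_i before the dom8 addzone would keep the numbering one step per check as the rest of the file does.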
@@ -705,26 +1086,748 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && +wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom9.example. is no longer accessible on secondary ($n)" +echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null +n=$((n+1)) +echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example + update add allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 + update add allow-transfer.ext.catalog1.example. 
3600 IN APL 1:10.53.0.2/32 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && +wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 +grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null +n=$((n+1)) +echo_i "deleting global allow-query and allow-domain ACLs ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 + update delete allow-transfer.ext.catalog1.example. 
3600 IN APL 1:10.53.0.2/32 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +########################################################################## +echo_i "Testing TSIG keys for primaries set per-domain" +n=$((n+1)) +echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db +echo "@ IN NS invalid." >> ns1/dom9.example.db +rndccmd 10.53.0.1 addzone dom9.example. 
in default '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom9.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "adding domain dom9.example. to catalog1 zone with a valid primaries suboption (IP with TSIG) ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. + update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 + update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom9.example. is accessible on secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "change TSIG key name on primary ($n)" +ret=0 +rndccmd 10.53.0.1 modzone dom9.example. 
in default '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "update TSIG key name in catalog zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update del label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "update zone contents and reload ($n)" +ret=0 +echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db +echo "@ IN NS ns2" >> ns1/dom9.example.db +echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db +rndccmd 10.53.0.1 reload dom9.example. || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for primary to update zone ($n)" +ret=0 +wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for secondary to update zone ($n)" +ret=0 +wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "deleting domain dom9.example. from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. 
+ update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 + update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom9.example. is no longer accessible on secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "adding domain dom9.example. to catalog1 zone with an invalid primaries suboption (TSIG without IP) ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. + update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom9.example'" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "deleting domain dom9.example. from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 
3600 IN PTR dom9.example. + update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing catalog entries that can't be represented as filenames" +# note: we need 4 backslashes in the shell to get 2 backslashes in DNS +# presentation format, which is 1 backslash on the wire. +for special in \ + this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ + this.zone/domain.has.a.slash.dom10.example \ + this.zone\\\\domain.has.backslash.dom10.example \ + this.zone:domain.has.a.colon.dom.10.example +do + # hashes below are generated by: + # python ${TOP}/contrib/scripts/catzhash.py "${special}" + + case "$special" in + this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) + hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 + db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db + ;; + this.zone/domain.has.a.slash.dom10.example) + hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa + db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db + ;; + this.zone\\\\domain.has.backslash.dom10.example) + hash=91e27e02153d38cf656a9b376d7747fbcd19f985 + db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db + ;; + this.zone:domain.has.a.colon.dom.10.example) + hash=8b7238bf4c34045834c573ba4116557ebb24d33c + 
db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db + ;; + esac + + n=$((n+1)) + echo_i "checking that ${special}. is not served by primary ($n)" + ret=0 + wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "Adding a domain ${special}. to primary via RNDC ($n)" + ret=0 + echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db + echo "@ IN NS invalid." >> ns1/dom10.example.db + rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking that ${special}. is now served by primary ($n)" + ret=0 + wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + nextpart ns2/named.run >/dev/null + + n=$((n+1)) + echo_i "Adding domain ${special}. to catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}. + send +END + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && + wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking that ${special}. is served by secondary ($n)" + ret=0 + wait_for_soa @10.53.0.2 "${special}." 
dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking that zone-directory is populated with a hashed filename ($n)" + ret=0 + wait_for_zonefile "ns2/zonedir/$db" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "removing domain ${special}. from catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete ${hash}.zones.catalog1.example + send +END + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "catz: catz_delzone_cb: zone '${special}' deleted" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking that ${special}. is not served by secondary ($n)" + ret=0 + wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking that zone-directory is emptied ($n)" + ret=0 + wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 + wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +done + +########################################################################## +echo_i "Testing adding a domain and a subdomain of it" +n=$((n+1)) +echo_i "checking that dom11.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db +echo "@ IN NS invalid." >> ns1/dom11.example.db +rndccmd 10.53.0.1 addzone dom11.example. 
in default '{type primary; file "dom11.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom11.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain dom11.example. to catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom11.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)" +ret=0 +wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db +echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db +rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. 
in default '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing domain dom11.example. 
from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom11.example' deleted" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom11.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing domain subdomain.of.dom11.example. from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'subdomain.of.dom11.example' deleted" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing adding a catalog zone at runtime with rndc reconfig" +n=$((n+1)) +echo_i "checking that dom12.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db +echo "@ IN NS invalid." >> ns1/dom12.example.db +rndccmd 10.53.0.1 addzone dom12.example. in default '{type primary; file "dom12.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom12.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain dom12.example. to catalog4 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom12.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom12.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +n=$((n+1)) +echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" +ret=0 +sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && +wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +n=$((n+1)) + +echo_i "checking that dom12.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" +ret=0 +sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom12.example. 
is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing domain dom12.example. from catalog4 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing having a zone in two different catalogs" +n=$((n+1)) +echo_i "checking that dom13.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db +echo "@ IN NS invalid." >> ns1/dom13.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db +rndccmd 10.53.0.1 addzone dom13.example. in default '{type primary; file "dom13.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom13.example. is now served by primary ns1 ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db +echo "@ IN NS invalid." >> ns3/dom13.example.db +echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db +rndccmd 10.53.0.3 addzone dom13.example. 
'{type primary; file "dom13.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom13.example. is now served by primary ns3 ($n)" +ret=0 +wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) + nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "adding domain dom9.example. to catalog1 zone with an invalid masters suboption (TSIG without IP) ($n)" +echo_i "Adding domain dom13.example. to catalog1 zone with ns1 as primary ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. - update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" + update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. + update add primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
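Review bot: The last negative check of the dom11 section queries the wrong name — `wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1` succeeds for any name that was never loaded, so it does not verify that subdomain.of.dom11.example. was actually withdrawn; it should read `wait_for_no_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1`. The ACL checks earlier in the hunk have a related weakness: "not accessible from 10.53.0.2" for dom7 and dom8 relies on wait_for_no_soa, which is equally satisfied when the zone is absent or SERVFAILs, so it cannot tell an applied allow-query ACL from a failed transfer; if wait_for_rcode accepts the trailing `-b` source address the way wait_for_soa does here, `wait_for_rcode REFUSED SOA @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2` would pin the outcome the ACL is meant to produce. Separately, the step label `deleting global allow-query and allow-domain ACLs` should say allow-transfer, matching the record the update deletes.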
@@ -733,18 +1836,28 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom9.example\"" || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+nextpart ns2/named.run >/dev/null
+
 n=$((n+1))
-echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
+echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)"
 ret=0
 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
- server 10.53.0.1 ${PORT}
- update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
- update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+ server 10.53.0.3 ${PORT}
+ update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
+ update add primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
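Review bot: The added `grep "192.0.2.1" dig.out.test$n` check after `wait_for_a` is unanchored and the dots are regex metacharacters, so it would also accept a substring such as 192.0.2.10 or a line where the address is not the answer rdata; it only distinguishes ns1 from ns3 by accident of the chosen addresses. Assuming dig prints the rdata last on the answer line, `grep '[[:space:]]192\.0\.2\.1$' dig.out.test$n > /dev/null || ret=1` pins the exact record. The same pattern is repeated in the hunks at -753, -972 and -1030, so a single fixed form (or a small `check_a` helper beside `wait_for_a`) would cover all of them.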
@@ -753,166 +1866,54 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing catalog entries that can't be represented as filenames" -# note: we need 4 backslashes in the shell to get 2 backslashes in DNS -# presentation format, which is 1 backslash on the wire. -for special in \ - this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ - this.zone/domain.has.a.slash.dom10.example \ - this.zone\\\\domain.has.backslash.dom10.example \ - this.zone:domain.has.a.colon.dom.10.example -do - # hashes below are generated by: - # python ${TOP}/contrib/scripts/catzhash.py "${special}" - - case "$special" in - this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) - hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 - db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db - ;; - this.zone/domain.has.a.slash.dom10.example) - hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa - db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db - ;; - this.zone\\\\domain.has.backslash.dom10.example) - hash=91e27e02153d38cf656a9b376d7747fbcd19f985 - db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db - ;; - this.zone:domain.has.a.colon.dom.10.example) - hash=8b7238bf4c34045834c573ba4116557ebb24d33c - db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db - ;; - esac - - n=$((n+1)) - echo_i "checking that ${special}. 
is not served by primary ($n)" - ret=0 - wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "Adding a domain ${special}. to primary via RNDC ($n)" - ret=0 - echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db - echo "@ IN NS invalid." >> ns1/dom10.example.db - rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is now served by primary ($n)" - ret=0 - wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - nextpart ns2/named.run >/dev/null - - n=$((n+1)) - echo_i "Adding domain ${special}. to catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}. - send -END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && - wait_for_message ns2/named.run "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is served by secondary ($n)" - ret=0 - wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is populated with a hashed filename ($n)" - ret=0 - wait_for_zonefile "ns2/zonedir/$db" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "removing domain ${special}. 
from catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete ${hash}.zones.catalog1.example - send -END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN: shutting down" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is not served by secondary ($n)" - ret=0 - wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +n=$((n+1)) +echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) - n=$((n+1)) - echo_i "checking that zone-directory is emptied ($n)" - ret=0 - wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) -done +nextpart ns2/named.run >/dev/null -########################################################################## -echo_i "Testing adding a domain and a subdomain of it" n=$((n+1)) -echo_i "checking that dom11.example. is not served by primary ($n)" +echo_i "Deleting domain dom13.example. from catalog2 ($n)" ret=0 -wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. + update delete primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 
3600 IN A 10.53.0.3 + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" +echo_i "waiting for secondary to sync up ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db -echo "@ IN NS invalid." >> ns1/dom11.example.db -rndccmd 10.53.0.1 addzone dom11.example. '{type primary; file "dom11.example.db";};' || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom11.example. is now served by primary ($n)" +echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 -wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 +wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null - n=$((n+1)) -echo_i "Adding domain dom11.example. to catalog1 zone ($n)" +echo_i "Deleting domain dom13.example. from catalog1 ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example. + update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. + update delete primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
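Review bot: In the last nsupdate of this hunk the `primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example.` A record is deleted with rdata 10.53.0.2, but it was added earlier in this diff with 10.53.0.1, so the delete matches nothing and the stale A record stays in catalog1.example after the PTR is removed. The following "no longer served by secondary" check passes on the PTR removal alone, so the leftover is invisible to the test. The old code carried the same mismatch on the `masters.` label, so this is inherited rather than new, but it should still read `update delete primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1`.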
@@ -921,49 +1922,52 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "checking that dom11.example. is served by secondary ($n)"
+echo_i "checking that dom13.example. is no longer served by secondary ($n)"
 ret=0
-wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1
+wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+##########################################################################
+echo_i "Testing recreation of a manually deleted zone after a reload"
 n=$((n+1))
-echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)"
+echo_i "checking that dom16.example. is not served by primary ($n)"
 ret=0
-wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1
+wait_for_no_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)"
+echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)"
 ret=0
-echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db
-echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db
-rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db
+echo "@ IN NS invalid." >> ns1/dom16.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db
+rndccmd 10.53.0.1 addzone dom16.example. in default '{type primary; file "dom16.example.db";};' || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)"
+echo_i "checking that dom16.example. is now served by primary ns1 ($n)"
 ret=0
-wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1
+wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 nextpart ns2/named.run >/dev/null
 n=$((n+1))
-echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)"
+echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)"
 ret=0
 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
- update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example.
+ update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example.
+ update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
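Review bot: The dom16 member entry is added with the `masters.efe725d0cf430ffb113b9bcf59266f066a21216b…` custom property while the neighbouring new tests in this diff use `primaries.` or `primaries.ext.`, and elsewhere the commit itself rewrites `masters.` to `primaries.`. If the older spelling is kept here on purpose so that both forms stay exercised, that deserves a one-line comment above the nsupdate, e.g. `# deliberately uses the legacy "masters" property name so both spellings stay covered`; otherwise a reader will "fix" it to `primaries.` and silently lose that coverage. I cannot tell from the hunk which was intended.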
@@ -972,57 +1976,78 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+nextpart ns2/named.run >/dev/null
+
 n=$((n+1))
-echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)"
+echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)"
 ret=0
-wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)"
+ret=0
+rndccmd 10.53.0.2 delzone dom16.example. in default >/dev/null 2>&1 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "removing domain dom11.example. from catalog1 zone ($n)"
+echo_i "checking that dom16.example. is no longer served by secondary ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
- server 10.53.0.1 ${PORT}
- update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example
- send
-END
+wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Reloading secondary ns2 via RNDC ($n)"
+ret=0
+rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1
+wait_for_message ns2/named.run "catz: zone 'dom16.example' was expected to exist but can not be found, will be restored" || ret=1
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
+wait_for_message ns2/named.run "catz: catalog1.example: reload done: success" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "checking that dom11.example. is not served by secondary ($n)"
+echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)"
 ret=0
-wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1
+wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 n=$((n+1))
-echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)"
+echo_i "checking that dom8.example. was not accidentally deleted during the configuration ($n)"
 ret=0
-wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+_wait_for_message ns2/named.run "catz: zone 'dom8.example' was expected to exist but can not be found, will be restored" && ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+nextpart ns2/named.run >/dev/null
+
 n=$((n+1))
-echo_i "removing domain subdomain.of.dom11.example. from catalog1 zone ($n)"
+echo_i "Deleting domain dom16.example. from catalog1 ($n)"
 ret=0
 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
- server 10.53.0.1 ${PORT}
- update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example
- send
+ server 10.53.0.1 ${PORT}
+ update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example.
+ update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1
+ send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
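Review bot: Neither `echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)"` nor `echo_i "Reloading secondary ns2 via RNDC ($n)"` is preceded by `n=$((n+1))`, so each reuses the number of the check before it and a "failed" line from any of the three steps is indistinguishable in the log; every other step in this file bumps `n` first. Add `n=$((n+1))` directly above each of those two `echo_i` lines. The negative dom8 check relies on `_wait_for_message`, which is defined outside this hunk; if it is the single-shot variant rather than a retry loop, a comment such as `# must NOT appear: dom8.example was never removed` on the `&& ret=1` line would make the inverted sense obvious.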
@@ -1030,182 +2055,174 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)" +echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 -wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1 +wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) ########################################################################## -echo_i "Testing adding a catalog zone at runtime with rndc reconfig" +echo_i "Testing having a regular zone and a zone in catalog zone of the same name" n=$((n+1)) -echo_i "checking that dom12.example. is not served by primary ($n)" +echo_i "checking that dom14.example. is not served by primary ($n)" ret=0 -wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 +wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" +echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db -echo "@ IN NS invalid." >> ns1/dom12.example.db -rndccmd 10.53.0.1 addzone dom12.example. '{type primary; file "dom12.example.db";};' || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db +echo "@ IN NS invalid." >> ns1/dom14.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db +rndccmd 10.53.0.1 addzone dom14.example. 
in default '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom12.example. is now served by primary ($n)" +echo_i "checking that dom14.example. is now served by primary ns1 ($n)" ret=0 -wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null - n=$((n+1)) -echo_i "Adding domain dom12.example. to catalog4 zone ($n)" +echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. - send -END +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db +echo "@ IN NS invalid." >> ns3/dom14.example.db +echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db +rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom12.example. is not served by secondary ($n)" +echo_i "checking that dom14.example. is now served by primary ns3 ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" +echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" ret=0 -sed -e "s/^#T1//g" < ns2/named.conf.in > ns2/named.conf.tmp -copy_setports ns2/named.conf.tmp ns2/named.conf -rndccmd 10.53.0.2 reconfig || ret=1 +rndccmd 10.53.0.2 addzone dom14.example. 
in default '{type secondary; primaries {10.53.0.1;};};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && -wait_for_message ns2/named.run "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -n=$((n+1)) -echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)" -ret=0 -wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +nextpart ns2/named.run >/dev/null -echo_i "checking that dom12.example. is served by secondary ($n)" +n=$((n+1)) +echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 -wait_for_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 +wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" +echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -sed -e "s/^#T2//" < ns2/named.conf.in > ns2/named.conf.tmp -copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 && ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. 
+ update add primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" +echo_i "waiting for secondary to sync up ($n)" ret=0 -copy_setports ns2/named.conf.in ns2/named.conf -rndccmd 10.53.0.2 reconfig || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom12.example. is not served by secondary ($n)" +echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 +wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "removing domain dom12.example. from catalog4 zone ($n)" +echo_i "Deleting domain dom14.example. from catalog2 ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. + server 10.53.0.3 ${PORT} + update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. + update delete primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing having a zone in two different catalogs" n=$((n+1)) -echo_i "checking that dom13.example. 
is not served by primary ($n)" +echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_no_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)" +echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db -echo "@ IN NS invalid." >> ns1/dom13.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db -rndccmd 10.53.0.1 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 +wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## +echo_i "Testing changing label for a member zone" n=$((n+1)) -echo_i "checking that dom13.example. is now served by primary ns1 ($n)" +echo_i "checking that dom15.example. is not served by primary ($n)" ret=0 -wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 +wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)" +echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db -echo "@ IN NS invalid." >> ns3/dom13.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db -rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db +echo "@ IN NS invalid." 
>> ns1/dom15.example.db +rndccmd 10.53.0.1 addzone dom15.example. in default '{type primary; file "dom15.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom13.example. is now served by primary ns3 ($n)" +echo_i "checking that dom15.example. is now served by primary ns1 ($n)" ret=0 -wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - nextpart ns2/named.run >/dev/null -n=$((n+1)) -echo_i "Adding domain dom13.example. to catalog1 zone with ns1 as primary ($n)" +echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. - update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1 + update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
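Review bot: The `n=$((n+1))` that used to precede the nsupdate step is removed just before `echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)"`, so that step now reports the same number as the preceding "now served by primary ns1" check and writes `nsupdate.out.test$n` under that shared number. Nothing else in the hunk compensates for it, so this looks like an accidental drop rather than a deliberate renumbering; restore `n=$((n+1))` above that `echo_i`. The rest of the dom14 section follows the file's one-number-per-step convention.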
@@ -1214,28 +2231,28 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
-nextpart ns2/named.run >/dev/null
+sleep 3
 n=$((n+1))
-echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)"
+echo_i "checking that dom15.example. is served by secondary ($n)"
 ret=0
-wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
-grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+nextpart ns2/named.run >/dev/null
+
 n=$((n+1))
-echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)"
+echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)"
 ret=0
 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
- server 10.53.0.3 ${PORT}
- update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
- update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
+ server 10.53.0.1 ${PORT}
+ update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example.
+ update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example.
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
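Review bot: The added `sleep 3` is a bare fixed delay with no explanation of what it is waiting for, placed right after a `wait_for_message` that already synchronises on "new zone merged" and immediately before a `wait_for_soa` that itself retries. A timed sleep is the kind of line that later gets doubled on a slow CI runner or deleted as dead, so either replace it with a `wait_for_message ns2/named.run "<the catz log line that marks dom15 being configured>"` or keep it with a comment, e.g. `# "new zone merged" is logged before the member zone is configured; give catz a moment (TODO: wait on a log line instead)`. I am inferring the ordering from the surrounding waits, so the exact log line to wait on needs confirming against named's catz output.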
@@ -1249,144 +2266,202 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" +echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 -wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null +########################################################################## +echo_i "Testing custom properties version '1' and version '2' syntaxes" +n=$((n+1)) +echo_i "checking that dom17.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) n=$((n+1)) -echo_i "Deleting domain dom13.example. from catalog2 ($n)" +echo_i "checking that dom18.example. is not served by primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.3 ${PORT} - update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. - update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3 - send -END +wait_for_no_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "adding domains dom17.example. and dom18.example. to primary ns1 via RNDC ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom17.example.db +echo "@ IN NS invalid." >> ns1/dom17.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom17.example.db +rndccmd 10.53.0.1 addzone dom17.example. 
in default '{type primary; file "dom17.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom18.example.db +echo "@ IN NS invalid." >> ns1/dom18.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom18.example.db +rndccmd 10.53.0.1 addzone dom18.example. in default '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" +echo_i "checking that dom17.example. is now served by primary ns1 ($n)" ret=0 -wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +wait_for_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Deleting domain dom13.example. from catalog1 ($n)" +echo_i "checking that dom18.example. is now served by primary ns1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 - server 10.53.0.1 ${PORT} - update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. - update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2 - send -END +wait_for_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "waiting for secondary to sync up ($n)" +echo_i "checking that dom17.example. is not served by primary ns3 ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_no_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom13.example. is no longer served by secondary ($n)" +echo_i "checking that dom18.example. 
is not served by primary ns3 ($n)" ret=0 -wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1 +wait_for_no_soa @10.53.0.3 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing having a regular zone and a zone in catalog zone of the same name" n=$((n+1)) -echo_i "checking that dom14.example. is not served by primary ($n)" +echo_i "adding domains dom17.example. and dom18.example. to primary ns3 via RNDC ($n)" ret=0 -wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom17.example.db +echo "@ IN NS invalid." >> ns3/dom17.example.db +echo "@ IN A 192.0.2.2" >> ns3/dom17.example.db +rndccmd 10.53.0.3 addzone dom17.example. '{type primary; file "dom17.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom18.example.db +echo "@ IN NS invalid." >> ns3/dom18.example.db +echo "@ IN A 192.0.2.2" >> ns3/dom18.example.db +rndccmd 10.53.0.3 addzone dom18.example. '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)" +echo_i "checking that dom17.example. is now served by primary ns3 ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db -echo "@ IN NS invalid." >> ns1/dom14.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db -rndccmd 10.53.0.1 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 +wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom14.example. is now served by primary ns1 ($n)" +echo_i "checking that dom18.example. 
is now served by primary ns3 ($n)" ret=0 -wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)" +echo_i "adding domains dom17.example. and dom18.example. to catalog1 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db -echo "@ IN NS invalid." >> ns3/dom14.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db -rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add dom17.zones.catalog1.example. 3600 IN PTR dom17.example. + update add dom18.zones.catalog1.example. 3600 IN PTR dom18.example. + update add primaries.dom17.zones.catalog1.example. 3600 IN A 10.53.0.3 + update add primaries.ext.dom18.zones.catalog1.example. 3600 IN A 10.53.0.3 + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom14.example. is now served by primary ns3 ($n)" +echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_soa @10.53.0.3 dom14.example. 
dig.out.test$n || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" && +wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# The "primaries" custom property for dom17.example. was added using the legacy +# syntax into a version 2 catalog1 zone, so we expect that it was ignored, no +# override of the default setting happened, and dom17.example. was transferred +# from the ns1 primary (the default). +n=$((n+1)) +echo_i "checking that dom17.example. is served by secondary and that it's the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# The "primaries" custom property for dom18.example. was added using a supported +# syntax into a version 2 catalog1 zone, so we expect that it was processed, +# will override the default setting, and dom18.example. was transferred +# from the ns3 primary. +n=$((n+1)) +echo_i "checking that dom18.example. is served by secondary and that it's the one from ns3 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 +grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" +echo_i "deleting domain dom17.example. 
and dom18.example. from catalog1 ($n)" ret=0 -rndccmd 10.53.0.2 addzone dom14.example. '{type secondary; primaries {10.53.0.1;};};' || ret=1 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete dom17.zones.catalog1.example. 3600 IN PTR dom17.example. + update delete dom18.zones.catalog1.example. 3600 IN PTR dom18.example. + update delete primaries.dom17.zones.catalog1.example. 3600 IN A 10.53.0.3 + update delete primaries.ext.dom18.zones.catalog1.example. 3600 IN A 10.53.0.3 + send +END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom17.example' deleted" && +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom18.example' deleted" && if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null +n=$((n+1)) +echo_i "checking that dom17.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)" +echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 -wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)" +echo_i "adding domains dom17.example. and dom18.example. 
to catalog2 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} - update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. - update add masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 + update add dom17.zones.catalog2.example. 3600 IN PTR dom17.example. + update add dom18.zones.catalog2.example. 3600 IN PTR dom18.example. + update add primaries.dom17.zones.catalog2.example. 3600 IN A 10.53.0.3 + update add primaries.ext.dom18.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
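Review bot: Two checks in this hunk do not test what their messages say. The step labelled 'checking that dom18.example. is now served by primary ns3' queries dom17 — `wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1` — which merely repeats the previous step and leaves dom18 on ns3 unverified; it should read `wait_for_soa @10.53.0.3 dom18.example. dig.out.test$n || ret=1`. In the 'waiting for secondary to sync up' step after deleting dom17/dom18 from catalog1, the second `wait_for_message` line ends with `&&` instead of `|| ret=1`, so the `if [ $ret -ne 0 ]` that follows becomes the last operand of the chain and a missing log message never sets ret; it should end `... zone 'dom18.example' deleted" || ret=1`, as the equivalent catalog2 step later in the diff already does.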
@@ -1395,14 +2470,34 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" && +wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" && +wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# The "primaries" custom property for dom17.example. was added using a supported +# syntax into a version 1 catalog1 zone, so we expect that it was processed, +# will override the default setting, and dom17.example. was transferred +# from the ns3 primary. n=$((n+1)) -echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" +echo_i "checking that dom17.example. is served by secondary and that it's the one from ns3 ($n)" ret=0 -wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 +wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 +grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# The "primaries" custom property for dom18.example. was added using the new +# syntax into a version 1 catalog1 zone, so we expect that it was ignored, no +# override of the default setting happened, and dom18.example. was transferred +# from the ns1 primary (the default). +n=$((n+1)) +echo_i "checking that dom18.example. 
is served by secondary and that it's the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1410,12 +2505,14 @@ status=$((status+ret)) nextpart ns2/named.run >/dev/null n=$((n+1)) -echo_i "Deleting domain dom14.example. from catalog2 ($n)" +echo_i "deleting domain dom17.example. and dom18.example. from catalog2 ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} - update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. - update delete masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 + update delete dom17.zones.catalog2.example. 3600 IN PTR dom17.example. + update delete dom18.zones.catalog2.example. 3600 IN PTR dom18.example. + update delete primaries.dom17.zones.catalog2.example. 3600 IN A 10.53.0.3 + update delete primaries.ext.dom18.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
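Review bot: The two explanatory comments added in this hunk say the 'primaries' custom property was added 'into a version 1 catalog1 zone', but the update they describe targets catalog2 — the nsupdate just above uses `dom17.zones.catalog2.example.` and the log messages waited on here name `catalog 'catalog2.example'` — so they appear to have been copied from the catalog1 block without renaming the zone. Changing both to `version 1 catalog2 zone` keeps them consistent with the checks they document; the version number itself is inferred from the 'ignoring' message, so state it as an assumption if the catalog2 zone file is not the authority for it.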
@@ -1424,50 +2521,62 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom17.example' deleted" && +wait_for_message ns2/named.run "catz: catz_delzone_cb: zone 'dom18.example' deleted" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" +echo_i "checking that dom17.example. is not served by secondary ($n)" ret=0 -wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -########################################################################## -echo_i "Testing changing label for a member zone" n=$((n+1)) -echo_i "checking that dom15.example. is not served by primary ($n)" +echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 -wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 +wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## n=$((n+1)) -echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" +echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db -echo "@ IN NS invalid." >> ns1/dom15.example.db -rndccmd 10.53.0.1 addzone dom15.example. 
'{type primary; file "dom15.example.db";};' || ret=1 +copy_setports ns2/named2.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +######################################################################### + +nextpart ns2/named.run >/dev/null + n=$((n+1)) -echo_i "checking that dom15.example. is now served by primary ns1 ($n)" +echo_i "Adding a dom19.example. to primary via RNDC ($n)" ret=0 -wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 +# enough initial content for IXFR response when TXT record is added below +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db +echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db +echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db +rndccmd 10.53.0.1 addzone dom19.example. in default '{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null - -echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)" +n=$((n+1)) +echo_i "add an entry to the restored catalog zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. + update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example. + update add label1.primaries.ext.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 
3600 IN A 10.53.0.1 + update add label1.primaries.ext.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN TXT "tsig_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi 
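Review bot: The 'checking that reconfig can delete and restore catalog zone configuration' step only asserts that the two `rndc reconfig` calls exit 0; nothing verifies that the catalog zone was actually dropped after the first reconfig or that its member zones came back after the second, so a reconfig that silently left everything in place would pass. Between the two `copy_setports`/`reconfig` pairs a `wait_for_no_soa @10.53.0.2 <member zone>`, followed by a `wait_for_soa` after the restore, would make the check meaningful, using a member zone the test already verified on 10.53.0.2 and has not since removed — assuming named2.conf.in omits the catalog zone, which is not visible here. The following dom19 step partially covers the restore, since it adds an entry to the restored catalog and waits for the transfer, but not the deletion.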
@@ -1476,28 +2585,41 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom19.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -sleep 3 +########################################################################## +n=$((n+1)) +echo_i "Adding a domain tls1.example. to primary via RNDC ($n)" +ret=0 +# enough initial content for IXFR response when TXT record is added below +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db +echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db +echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db +rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom15.example. is served by secondary ($n)" +echo_i "checking that tls1.example. is now served by primary ($n)" ret=0 -wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) -nextpart ns2/named.run >/dev/null +nextpart ns4/named.run >/dev/null n=$((n+1)) -echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)" +echo_i "Adding domain tls1.example. 
to catalog-tls zone ($n)" ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} - update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. - update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example. + update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -1506,16 +2628,35 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" && +wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that dom15.example. is served by secondary ($n)" +echo_i "checking that tls1.example. is served by secondary ($n)" ret=0 -wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +# GL #3777 +nextpart ns4/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" +ret=0 +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +rndccmd 10.53.0.4 reload || ret=1 + +n=$((n+1)) +echo_i "Issuing another rndc reload command after 1 second ($n)" +sleep 1 +rndccmd 10.53.0.4 reload || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
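Review bot: In the GL #3777 block, the first numbered step ('Adding domain self.example. to catalog-self zone without updating the serial') increments `n` and logs a test number but has no failure report of its own: `ret` is reset once before the first reload, and only after the second reload is `if [ $ret -ne 0 ]` evaluated, so the two steps share one status line and a failed first reload is reported under the second step's number. Either fold them into one step, or close the first with `if [ $ret -ne 0 ]; then echo_i "failed"; fi`, `status=$((status+ret))` and `ret=0` before the second. The block also checks only the `rndc reload` exit codes; if the point of the regression test is that ns4 keeps running after the second reload, an explicit `wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1` after it would state that directly (tls1.example. was verified on 10.53.0.4 just above).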
diff --git a/bin/tests/system/catz/tests_sh_catz.py b/bin/tests/system/catz/tests_sh_catz.py
new file mode 100644
index 0000000000..eae546fe45
--- /dev/null
+++ b/bin/tests/system/catz/tests_sh_catz.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_catz(run_tests_sh):
+ run_tests_sh()
diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl
index d3f4ec37b1..be5358408f 100644
--- a/bin/tests/system/cds/checkmtime.pl
+++ b/bin/tests/system/cds/checkmtime.pl
@@ -1,9 +1,11 @@
 #!/usr/bin/perl
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl
index 692b840adc..d85fd9125c 100644
--- a/bin/tests/system/cds/checktime.pl
+++ b/bin/tests/system/cds/checktime.pl
@@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -22,4 +24,4 @@ die "missing notbefore time" unless $notbefore; die "missing inception time" unless $inception; my $delta = $inception - $notbefore; -die "bad inception time $delta" unless abs($delta - $target) < 3; +die "bad inception time $delta" unless abs($delta - $target) <= 10; diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh index 51cfc26901..b9743a560d 100644 --- a/bin/tests/system/cds/clean.sh +++ b/bin/tests/system/cds/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl index ec987010a7..9268cc0d0a 100644 --- a/bin/tests/system/cds/mangle.pl +++ b/bin/tests/system/cds/mangle.pl 
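Review bot: The inception-time tolerance in checktime.pl is relaxed from `< 3` to `<= 10` seconds with no comment explaining why, so a later reader cannot tell whether 10 is a measured margin or an arbitrary loosening; a why-comment above the check, e.g. `# allow up to 10 seconds between when the inception time was computed and when the reference time was taken` (the actual reason is not visible here, so confirm it), would answer that. Naming the margin, `my $tolerance = 10;`, would also take the magic number out of the `die` condition. The lines that set `$target`, `$notbefore` and `$inception` are outside the hunk.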
@@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index 4d528eac12..6de5de5acb 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh @@ -1,25 +1,29 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -set -eu +set -e . ../conf.sh +set -u + touch empty Z=cds.test -keyz=`$KEYGEN -q -a RSASHA256 $Z` -key1=`$KEYGEN -q -a RSASHA256 -f KSK $Z` -key2=`$KEYGEN -q -a RSASHA256 -f KSK $Z` +keyz=$($KEYGEN -q -a $DEFAULT_ALGORITHM $Z) +key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z) +key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z) idz=$(keyfile_to_key_id $keyz) id1=$(keyfile_to_key_id $key1) 
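Review bot: In setup.sh, `set -u` is moved from the first line to after `. ../conf.sh`, which presumably means conf.sh references variables that may be unset, but nothing says so; a one-line comment at the new `set -u`, e.g. `# conf.sh is not nounset-clean, so enable -u only after sourcing it`, would keep the next person from moving it back. The key generation now depends on `$DEFAULT_ALGORITHM`, which is not defined in this hunk and is presumably provided by conf.sh; with `set -u` in effect an unset value fails loudly, which is the right behaviour, but it is worth confirming that every environment running this setup provides it.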
@@ -35,16 +39,18 @@ id2=$id2 EOF tac() { - $PERL -e 'print reverse <>' "$@" + $PERL -e 'print reverse <>' } convert() { key=$1 n=$2 $DSFROMKEY -12 $key >DS.$n - grep ' 8 1 ' DS.$n >DS.$n-1 - grep ' 8 2 ' DS.$n >DS.$n-2 + grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 + grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 sed 's/ IN DS / IN CDS /' >CDS.$n + sed 's/ IN DS / IN CDS /' >CDS.$n-1 + sed 's/ IN DS / IN CDS /' >CDS.$n-2 sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n sed 's/ IN DS / 3600 IN DS /' DS.ttl$n sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n @@ -61,9 +67,9 @@ $PERL -we 'utime time, time - 7200, "DS.inplace" or die' mangle="$PERL mangle.pl" -$mangle " IN DS $id1 8 1 " DS.broke1 -$mangle " IN DS $id1 8 2 " DS.broke2 -$mangle " IN DS $id1 8 [12] " DS.broke12 +$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.broke1 +$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.broke2 +$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} [12] " DS.broke12 sed 's/^/update add / $a\ @@ -109,20 +115,24 @@ tac sig.cds.rev1 cat db.null CDNSKEY.2 | sign cdnskey.2 cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2 +cat db.null CDS.1 CDNSKEY.2 | sign cds1.cdnskey2 + +cat db.null CDS.2-1 | sign cds.2.sha1 +cat db.null CDS.2-1 CDNSKEY.2 | sign cds.cdnskey.2.sha1 $mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \ brk.rrsig.cds.zsk $mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \ brk.rrsig.cds.ksk -$mangle " IN CDS $id1 8 1 " out.$n 2> err.$n - echo $? + ("$@" 1> out.$n 2> err.$n; echo $?) || true } testcase() { - n=`expr $n + 1` + n=$((n + 1)) echo_i "$name ($n)" expect=$1 shift - result=`runcmd "$@"` + result=$(runcmd "$@") check_stdout check_stderr if [ "$expect" -ne "$result" ]; then 
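Review bot: `tac()` no longer forwards `"$@"` to the perl one-liner, so it now reads only standard input and silently ignores any file name a caller passes; if every caller pipes into it that is fine, but the function then deserves a comment such as `# reads stdin only; do not pass file arguments`, and any caller still passing a file would now block on stdin instead. The `convert()` change is consistent with the `$DEFAULT_ALGORITHM_NUMBER` substitution used elsewhere in the diff, but the new `CDS.$n-1` and `CDS.$n-2` outputs likewise rely on that variable being set by conf.sh, which is not visible here.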
@@ -40,17 +43,17 @@ testcase() { check_stderr() { if [ -n "${err:=}" ]; then - egrep "$err" err.$n >/dev/null && return 0 + grep -E "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" else [ -s err.$n ] || return 0 fi - echo_d "stderr did not match '$err'" cat err.$n | cat_d fail } check_stdout() { - $DIFF out.$n "${out:-empty}" >/dev/null && return + diff out.$n "${out:-empty}" >/dev/null && return echo_d "stdout did not match '$out'" ( echo "wanted" cat "$out" @@ -117,7 +120,7 @@ $CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr testcase 0 $PERL checktime.pl 3600 xerr name='in-place reads modification time' -testcase 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z +testcase 0 $CDS -a1 -a2 -f sig.cds.1 -i.bak -d DS.inplace $Z name='in-place output correct modification time' testcase 0 $PERL checkmtime.pl 3600 DS.inplace 
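Review bot: Moving `echo_d "stderr did not match '$err'"` into the `if [ -n "${err:=}" ]` branch of `check_stderr` drops the diagnostic for the other case: when no stderr is expected and err.$n is non-empty, the function now dumps err.$n and calls `fail` with no line saying what went wrong. Adding `echo_d "expected empty stderr"` after `[ -s err.$n ] || return 0` in the `else` branch restores a message on both paths. `cat err.$n | cat_d` could also be `cat_d <err.$n` if cat_d reads stdin; its definition is outside the hunk, as is the rest of `check_stdout`, which the hunk cuts after `cat "$out"`.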
@@ -126,29 +129,29 @@ name='in-place backup correct modification time' testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak name='in-place correct output' -testcase 0 $DIFF DS.1 DS.inplace +testcase 0 diff DS.1 DS.inplace name='in-place backup unmodified' -testcase 0 $DIFF DS.1 DS.inplace.bak +testcase 0 diff DS.1 DS.inplace.bak name='one mangled DS' err='found RRSIG by key' out=DS.1 -testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z +testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke1 $Z name='other mangled DS' err='found RRSIG by key' out=DS.1 -testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z +testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke2 $Z name='both mangled DS' err='could not validate child DNSKEY RRset' -testcase 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z +testcase 1 $CDS -v1 -a1 -a2 -s -7200 -f sig.cds.1 -d DS.broke12 $Z name='mangle RRSIG CDS by ZSK' err='found RRSIG by key' out=DS.1 -testcase 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z +testcase 0 $CDS -v1 -a1 -a2 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z name='mangle RRSIG CDS by KSK' err='could not validate child CDS RRset' @@ -156,11 +159,11 @@ testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z name='mangle CDS 1' err='could not validate child DNSKEY RRset with new DS records' -testcase 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z +testcase 1 $CDS -a1 -a2 -s -7200 -f sig.cds-mangled -d DS.1 $Z name='inconsistent digests' err='do not cover each key with the same set of digest types' -testcase 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z +testcase 1 $CDS -a1 -a2 -s -7200 -f sig.bad-digests -d DS.1 $Z name='inconsistent algorithms' err='missing signature for algorithm' 
@@ -168,49 +171,49 @@ testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z name='add DS records' out=DS.both -$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out +$CDS -a1 -a2 -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out # sort to allow for numerical vs lexical order of key tags testcase 0 sort DS.out name='update add' out=UP.add2 -testcase 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.both -d DS.1 $Z name='remove DS records' out=DS.2 -testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z +testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.both $Z name='update del' out=UP.del1 -testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z +testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.both $Z name='swap DS records' out=DS.2 -testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.2 -d DS.1 $Z name='update swap' out=UP.swap -testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.1 $Z name='TTL from -T' out=DS.ttl2 -testcase 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z name='update TTL from -T' out=UP.swapttl -testcase 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z name='update TTL from dsset' out=UP.swapttl -testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z +testcase 0 $CDS -a1 -a2 -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z name='TTL from -T overrides dsset' out=DS.ttlong2 -testcase 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z +testcase 0 $CDS -a1 -a2 -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z name='stable DS record order (changes)' out=DS.1 -testcase 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z +testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.rev1 -d DS.2 $Z name='CDNSKEY default algorithm' out=DS.2-2 
@@ -230,11 +233,28 @@ testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z name='CDNSKEY and CDS' out=DS.2 -testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z +testcase 0 $CDS -a1 -a2 -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z name='prefer CDNSKEY' out=DS.2-2 -testcase 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z +testcase 0 $CDS -D -s -7200 -f sig.cds1.cdnskey2 -d DS.1 $Z + +name='CDS subset default (SHA-256)' +out=DS.2-2 +testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='CDS subset replace SHA1 with SHA2' +out=DS.2-2 +testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z + +name='CDS subset mismatch' +err='do not match any -a digest types' +testcase 1 $CDS -s -7200 -f sig.cds.2.sha1 -d DS.1 $Z + +name='CDS algorithm unavailable, use CDNSKEY' +err='using CDNSKEY instead' +out=DS.2-2 +testcase 0 $CDS -v1 -a SHA256 -s -7200 -f sig.cds.cdnskey.2.sha1 -d DS.1 $Z echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/cds/tests_sh_cds.py b/bin/tests/system/cds/tests_sh_cds.py new file mode 100644 index 0000000000..d00a8ae51c --- /dev/null +++ b/bin/tests/system/cds/tests_sh_cds.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_cds(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/chain/README b/bin/tests/system/chain/README index 26e2d37e44..649142e913 100644 --- a/bin/tests/system/chain/README +++ b/bin/tests/system/chain/README 
@@ -1,6 +1,13 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC") -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. ns1 is the root server. diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl index 31d22d807b..271b2a44b2 100644 --- a/bin/tests/system/chain/ans3/ans.pl +++ b/bin/tests/system/chain/ans3/ans.pl @@ -1,9 +1,11 @@ #!/usr/bin/env perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/chain/ans4/README.anspy b/bin/tests/system/chain/ans4/README.anspy index 6ca2b68930..7cb0bf09e2 100644 --- a/bin/tests/system/chain/ans4/README.anspy +++ b/bin/tests/system/chain/ans4/README.anspy @@ -1,6 +1,13 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC") -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. REQUIREMENTS ans.py requires at least dnspython 1.12.0. 
diff --git a/bin/tests/system/chain/ans4/ans.py b/bin/tests/system/chain/ans4/ans.py index 45d650417f..839067faa5 100755 --- a/bin/tests/system/chain/ans4/ans.py +++ b/bin/tests/system/chain/ans4/ans.py @@ -1,13 +1,13 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ ############################################################################ # ans.py: See README.anspy for details. @@ -69,18 +69,22 @@ ############################################################################ actions = [] rrs = [] + + def ctl_channel(msg): global actions, rrs msg = msg.splitlines().pop(0) - print ('received control message: %s' % msg) + print("received control message: %s" % msg) - msg = msg.split(b'|') + msg = msg.split(b"|") if len(msg) == 0: return - actions = [x.strip() for x in msg[0].split(b',')] - n = functools.reduce(lambda n, act: (n + (2 if act == b'dname' else 1)), [0] + actions) + actions = [x.strip() for x in msg[0].split(b",")] + n = functools.reduce( + lambda n, act: (n + (2 if act == b"dname" else 1)), [0] + actions + ) if len(msg) == 1: rrs = [] 
@@ -89,29 +93,30 @@ def ctl_channel(msg): rrs.append((i, b)) return - rlist = [x.strip() for x in msg[1].split(b',')] + rlist = [x.strip() for x in msg[1].split(b",")] rrs = [] for item in rlist: - if item[0] == b's'[0]: + if item[0] == b"s"[0]: i = int(item[1:].strip()) - 1 if i > n: - print ('invalid index %d' + (i + 1)) + print("invalid index %d" + (i + 1)) continue rrs.append((int(item[1:]) - 1, True)) else: i = int(item) - 1 if i > n: - print ('invalid index %d' % (i + 1)) + print("invalid index %d" % (i + 1)) continue rrs.append((i, False)) + ############################################################################ # Respond to a DNS query. ############################################################################ def create_response(msg): m = dns.message.from_wire(msg) qname = m.question[0].name.to_text() - labels = qname.lower().split('.') + labels = qname.lower().split(".") wantsigs = True if m.ednsflags & dns.flags.DO else False # get qtype 
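Review bot: `print("invalid index %d" + (i + 1))` in the `s`-prefixed branch concatenates a str with an int, so an out-of-range signed index raises TypeError instead of printing the diagnostic, while the parallel branch a few lines below correctly uses `%`. The formatter preserved the defect; the line should read `print("invalid index %d" % (i + 1))`, and `rrs.append((int(item[1:]) - 1, True))` could reuse the already computed `i`. `ctl_channel` starts in the previous hunk.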
@@ -124,27 +129,27 @@ def create_response(msg): # - sld is 'example' # - tld is 'com.' name = labels.pop(0) - domain = '.'.join(labels) + domain = ".".join(labels) sld = labels.pop(0) - tld = '.'.join(labels) + tld = ".".join(labels) - print ('query: ' + qname + '/' + typename) - print ('domain: ' + domain) + print("query: " + qname + "/" + typename) + print("domain: " + domain) # default answers, depending on QTYPE. # currently only A, AAAA, TXT and NS are supported. ttl = 86400 - additionalA = '10.53.0.4' - additionalAAAA = 'fd92:7065:b8e:ffff::4' - if typename == 'A': - final = '10.53.0.4' - elif typename == 'AAAA': - final = 'fd92:7065:b8e:ffff::4' - elif typename == 'TXT': - final = 'Some\ text\ here' - elif typename == 'NS': + additionalA = "10.53.0.4" + additionalAAAA = "fd92:7065:b8e:ffff::4" + if typename == "A": + final = "10.53.0.4" + elif typename == "AAAA": + final = "fd92:7065:b8e:ffff::4" + elif typename == "TXT": + final = "Some\ text\ here" + elif typename == "NS": domain = qname - final = ('ns1.%s' % domain) + final = "ns1.%s" % domain else: final = None @@ -153,9 +158,9 @@ def create_response(msg): delta = timedelta(30) t1 = t - delta t2 = t + delta - inception=t1.strftime('%Y%m%d000000') - expiry=t2.strftime('%Y%m%d000000') - sigdata='OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso=' + inception = t1.strftime("%Y%m%d000000") + expiry = t2.strftime("%Y%m%d000000") + sigdata = "OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso=" # construct answer set. answers = [] 
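Review bot: `final = "Some\ text\ here"` keeps the unrecognised escape `\ `, which newer Python releases report as a SyntaxWarning (older ones as a DeprecationWarning) at compile time; if the backslashes are meant to reach dnspython's text parser literally, a raw string says so and silences the warning: `final = r"Some\ text\ here"`. The other literals in this hunk were only re-quoted by the formatter, so this is the one line whose meaning depends on escape handling. `create_response` starts and ends outside this hunk.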
@@ -165,76 +170,102 @@ def create_response(msg): i = 0 for action in actions: - if name != 'test': + if name != "test": continue - if action == b'xname': - owner = curname + '.' + curdom - newname = 'cname%d' % i + if action == b"xname": + owner = curname + "." + curdom + newname = "cname%d" % i i += 1 - newdom = 'domain%d.%s' % (i, tld) + newdom = "domain%d.%s" % (i, tld) i += 1 - target = newname + '.' + newdom - print ('add external CNAME %s to %s' % (owner, target)) + target = newname + "." + newdom + print("add external CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add external RRISG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add external RRISG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curname = newname curdom = newdom continue - if action == b'cname': - owner = curname + '.' + curdom - newname = 'cname%d' % i - target = newname + '.' + curdom + if action == b"cname": + owner = curname + "." + curdom + newname = "cname%d" % i + target = newname + "." 
+ curdom i += 1 - print ('add CNAME %s to %s' % (owner, target)) + print("add CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add RRSIG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curname = newname continue - if action == b'dname': + if action == b"dname": owner = curdom - newdom = 'domain%d.%s' % (i, tld) + newdom = "domain%d.%s" % (i, tld) i += 1 - print ('add DNAME %s to %s' % (owner, newdom)) + print("add DNAME %s to %s" % (owner, newdom)) answers.append(dns.rrset.from_text(owner, ttl, IN, DNAME, newdom)) - rrsig = 'DNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add RRSIG(DNAME) %s to %s' % (owner, newdom)) + rrsig = "DNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(DNAME) %s to %s" % (owner, newdom)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) - owner = curname + '.' + curdom - target = curname + '.' + newdom - print ('add synthesized CNAME %s to %s' % (owner, target)) + owner = curname + "." + curdom + target = curname + "." 
+ newdom + print("add synthesized CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add synthesized RRSIG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add synthesized RRSIG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curdom = newdom continue # now add the final answer - owner = curname + '.' + curdom + owner = curname + "." + curdom answers.append(dns.rrset.from_text(owner, ttl, IN, rrtype, final)) - rrsig = '%s 5 3 %d %s %s 12345 %s %s' % \ - (typename, ttl, expiry, inception, domain, sigdata) + rrsig = "%s 5 3 %d %s %s 12345 %s %s" % ( + typename, + ttl, + expiry, + inception, + domain, + sigdata, + ) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) # prepare the response and convert to wire format r = dns.message.make_response(m) - if name != 'test': + if name != "test": r.answer.append(answers[-1]) if wantsigs: r.answer.append(sigs[-1]) else: - for (i, sig) in rrs: + for i, sig in rrs: if sig and not wantsigs: continue elif sig: 
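Review bot: The placeholder RRSIG rdata is assembled five times with the same `"%s 5 3 %d %s %s 12345 %s %s"` layout (one per CNAME/DNAME branch plus the final answer), which is what balloons this hunk from 76 to 102 lines under the formatter; a small helper keeps the fixed algorithm, label-count and key-tag fields in one place and records that they are dummies. The log line `"add external RRISG(CNAME) %s to %s"` also carries a typo (RRISG) that the same rewrite could fix. `create_response` starts and ends outside this hunk, and the hunk itself is split across several physical lines here.
```python
def dummy_rrsig(covered, ttl, expiry, inception, signer, sigdata):
    """RRSIG rdata text with fixed placeholder fields (algorithm 5, 3 labels, key tag 12345)."""
    return "%s 5 3 %d %s %s 12345 %s %s" % (covered, ttl, expiry, inception, signer, sigdata)

# … unchanged: action loop up to the xname branch …
            rrsig = dummy_rrsig("CNAME", ttl, expiry, inception, domain, sigdata)
            print("add external RRSIG(CNAME) %s to %s" % (owner, target))
# … unchanged: cname / dname branches call dummy_rrsig the same way …
    rrsig = dummy_rrsig(typename, ttl, expiry, inception, domain, sigdata)
```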
@@ -242,24 +273,29 @@ def create_response(msg): else: r.answer.append(answers[i]) - if typename != 'NS': - r.authority.append(dns.rrset.from_text(domain, ttl, IN, "NS", - ("ns1.%s" % domain))) - r.additional.append(dns.rrset.from_text(('ns1.%s' % domain), 86400, - IN, A, additionalA)) - r.additional.append(dns.rrset.from_text(('ns1.%s' % domain), 86400, - IN, AAAA, additionalAAAA)) + if typename != "NS": + r.authority.append( + dns.rrset.from_text(domain, ttl, IN, "NS", ("ns1.%s" % domain)) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, A, additionalA) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, AAAA, additionalAAAA) + ) r.flags |= dns.flags.AA r.use_edns() return r.to_wire() + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -270,11 +306,15 @@ def sigterm(signum, frame): ip4 = "10.53.0.4" ip6 = "fd92:7065:b8e:ffff::4" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 -try: ctrlport=int(os.environ['EXTRAPORT1']) -except: ctrlport=5300 +try: + ctrlport = int(os.environ["EXTRAPORT1"]) +except: + ctrlport = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) 
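Review bot: In `sigterm`, `running = False` binds a function-local name because there is no `global running` declaration, so it never touches the module-level `running` that the main loop sets; with `sys.exit(0)` on the very next line it is dead code either way. Either drop the assignment or make the intent real with `global running` at the top of the handler. The handler is shown in full here as context lines, so the fix sits inside this hunk.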
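Review bot: The two `except:` clauses that fall back to port 5300 are bare, so they also swallow `KeyboardInterrupt` and `SystemExit` raised while the environment is being read, and they hide a malformed `PORT` value behind the default. Narrowing them to the two failures that can actually occur keeps the fallback and nothing else: `except (KeyError, ValueError):` in both places. The same fallback value 5300 is used for both PORT and EXTRAPORT1, which is presumably fine because one socket is UDP and the other accepts TCP, but a comment saying so would help.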
@@ -296,18 +336,18 @@ def sigterm(signum, frame): signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Control channel on %s port %d" % (ip4, ctrlport)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Control channel on %s port %d" % (ip4, ctrlport)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket, ctrl_socket] @@ -328,7 +368,7 @@ def sigterm(signum, frame): if s == ctrl_socket: # Handle control channel input conn, addr = s.accept() - print ("Control channel connected") + print("Control channel connected") while True: msg = conn.recv(65535) if not msg: @@ -336,8 +376,7 @@ def sigterm(signum, frame): ctl_channel(msg) conn.close() if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6)) + print("Query received on %s" % (ip4 if s == query4_socket else ip6)) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff --git a/bin/tests/system/chain/clean.sh b/bin/tests/system/chain/clean.sh index 2e33290d40..57b05a732d 100755 --- a/bin/tests/system/chain/clean.sh +++ b/bin/tests/system/chain/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
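Review bot: `rsp = create_response(msg[0])` hands every datagram straight to `dns.message.from_wire` and `m.question[0]` with no exception handling visible in this hunk or in `create_response`, so one malformed or question-less packet reaching 10.53.0.4 takes the whole test server down unless an enclosing try block outside the hunk catches it. For a harness that other tests depend on, a parse failure should be logged and skipped rather than fatal. The surrounding select loop starts outside this hunk.
```python
            msg = s.recvfrom(65535)
            try:
                rsp = create_response(msg[0])
            except (dns.exception.DNSException, IndexError) as e:
                print("ignoring malformed query: %s" % e)
                continue
            # … unchanged: send the response …
```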
diff --git a/bin/tests/system/chain/ns1/named.conf.in b/bin/tests/system/chain/ns1/named.conf.in index 668af66eeb..550426126f 100644 --- a/bin/tests/system/chain/ns1/named.conf.in +++ b/bin/tests/system/chain/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns1/root.db b/bin/tests/system/chain/ns1/root.db index c076a77a1e..3469fb526b 100644 --- a/bin/tests/system/chain/ns1/root.db +++ b/bin/tests/system/chain/ns1/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns2/example.db b/bin/tests/system/chain/ns2/example.db index 5f29f86106..c13f2d22d4 100644 --- a/bin/tests/system/chain/ns2/example.db +++ b/bin/tests/system/chain/ns2/example.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns2/generic.db b/bin/tests/system/chain/ns2/generic.db index 566d22265b..9d59378dfd 100644 --- a/bin/tests/system/chain/ns2/generic.db +++ b/bin/tests/system/chain/ns2/generic.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns2/named.conf.in b/bin/tests/system/chain/ns2/named.conf.in index e8882dc666..922d2fa5f9 100644 --- a/bin/tests/system/chain/ns2/named.conf.in +++ b/bin/tests/system/chain/ns2/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -40,6 +42,11 @@ zone "signed-sub2.example" { file "sub.db"; }; +zone "wildcard-secure.example" { + type primary; + file "wildcard-secure.example.db.signed"; +}; + zone "wildcard-nsec.example" { type primary; file "wildcard-nsec.example.db.signed"; diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh index d0aa9bb673..90d1912f3f 100644 --- a/bin/tests/system/chain/ns2/sign.sh +++ b/bin/tests/system/chain/ns2/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
@@ -15,30 +17,38 @@ zone=example. zonefile=example.db signedfile=example.db.signed -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` -zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) +$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null + +zone=wildcard-secure.example. +zonefile=wildcard-secure.db +signedfile=wildcard-secure.example.db.signed + +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) $SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null zone=wildcard-nsec.example. zonefile=wildcard.db signedfile=wildcard-nsec.example.db.signed -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` -zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) $SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null zone=wildcard-nsec3.example. zonefile=wildcard.db signedfile=wildcard-nsec3.example.db.signed -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` -zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) $SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null zone=wildcard-nsec3-optout.example. zonefile=wildcard.db signedfile=wildcard-nsec3-optout.example.db.signed -ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` -zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) $SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null diff --git a/bin/tests/system/chain/ns2/sub.db b/bin/tests/system/chain/ns2/sub.db index 5e65fdf5c8..ad03165ba8 100644 
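Review bot: The `ksk=` and `zsk=` assignments are never read; every `$SIGNER -S ...` call relies on smart-signing key discovery in the working directory rather than on the captured key names, so the new `wildcard-secure.example.` block copies a pattern that shellcheck flags as unused variables. Either pass the names through (`$SIGNER -S -o $zone -f $signedfile $zonefile $ksk $zsk`) so the signed zone depends only on the keys just generated, or drop the captures and redirect `$KEYGEN` output. Note also that KSK and ZSK now share `${DEFAULT_BITS}` where the old script used 2048 and 1024; fine for a test, but worth a comment if intentional.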
--- a/bin/tests/system/chain/ns2/sub.db
+++ b/bin/tests/system/chain/ns2/sub.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/chain/ns2/wildcard-secure.db b/bin/tests/system/chain/ns2/wildcard-secure.db
new file mode 100644
index 0000000000..e39237a3c9
--- /dev/null
+++ b/bin/tests/system/chain/ns2/wildcard-secure.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2021051901 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS localhost.
+
+delegation NS localhost.
+ DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
+
+; CNAME pointing into a child zone
+cname CNAME delegation
+
+; wildcard CNAME pointing at a CNAME pointing into a child zone
+* CNAME cname
diff --git a/bin/tests/system/chain/ns2/wildcard.db b/bin/tests/system/chain/ns2/wildcard.db
index b934acd7f4..cc39e9c012 100644
--- a/bin/tests/system/chain/ns2/wildcard.db
+++ b/bin/tests/system/chain/ns2/wildcard.db
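Review bot: The `DS 12345 13 2 0000…` record under `delegation` is clearly a synthetic placeholder (an all-zero SHA-256 digest can never match a real key), but nothing in the file says so, and a future reader may try to "fix" it or wonder where the child keys are. A comment above it would prevent that, e.g. `; Placeholder DS that never validates: it only makes "delegation" a secure delegation so the parent must return the DS RRset in the AUTHORITY section.` The `NS localhost.` delegation target appears to follow the existing wildcard.db pattern, so it needs no note.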
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in index be34cfd445..86bbf26edc 100644 --- a/bin/tests/system/chain/ns5/named.conf.in +++ b/bin/tests/system/chain/ns5/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns5/sub.db b/bin/tests/system/chain/ns5/sub.db index 9ddb4313ed..df571fbc74 100644 --- a/bin/tests/system/chain/ns5/sub.db +++ b/bin/tests/system/chain/ns5/sub.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in index c314922a7c..32c9b5f569 100644 --- a/bin/tests/system/chain/ns7/named.conf.in +++ b/bin/tests/system/chain/ns7/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -30,7 +32,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/chain/ns7/root.hint b/bin/tests/system/chain/ns7/root.hint index ab755ba29f..4f3f48bd1f 100644 --- a/bin/tests/system/chain/ns7/root.hint +++ b/bin/tests/system/chain/ns7/root.hint 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/chain/setup.sh b/bin/tests/system/chain/setup.sh index f9f4adf524..6f52e6526f 100644 --- a/bin/tests/system/chain/setup.sh +++ b/bin/tests/system/chain/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh index 0b53bfd974..3ad8e31233 100644 --- a/bin/tests/system/chain/tests.sh +++ b/bin/tests/system/chain/tests.sh @@ -1,12 +1,18 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh DIGOPTS="-p ${PORT}" 
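Review bot: Adding `set -e` changes what a failing command means for the rest of tests.sh: any command that is not guarded by `|| ret=1`, `|| true`, a pipeline or a conditional now aborts the whole script instead of being counted in `status`, and later hunks in this diff indeed have to add `|| ret=1` to `$DIG ... > file 2>&1` lines that previously ran bare. Every remaining unguarded invocation, including the body of `sendcmd` defined outside this hunk, should be audited the same way, otherwise a transient failure produces an abrupt exit with no "failed" line. A short comment next to `set -e` noting that every check must stay guarded would make the convention explicit.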
@@ -19,49 +25,49 @@ sendcmd() { status=0 n=0 -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking short DNAME from authoritative ($n)" ret=0 $DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1 grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking short DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1 grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking long DNAME from authoritative ($n)" ret=0 $DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1 grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking long DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1 grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking (too) long DNAME from authoritative ($n)" ret=0 $DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1 grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1 if [ $ret != 0 ]; then 
echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -69,9 +75,9 @@ $DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglon grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -79,7 +85,7 @@ $DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglon grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) find_records() { owner_name="$1" 
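Review bot: The recursive-resolver checks in this hunk query `@10.53.0.7` but write and grep `dig.out.ns4.short`, `dig.out.ns4.long` and `dig.out.ns4.cachedtoolong`, which is confusing when correlating output files with server logs (the authoritative cases use `ns2` consistently). Since this hunk already rewrites every one of these lines for the `$(( ))` conversion, renaming the files to `dig.out.ns7.*` would be a cheap clarity gain. The test sequence continues past the end of this hunk.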
@@ -121,14 +127,45 @@ ensure_no_ds_in_bitmap() { find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' } -n=`expr $n + 1` -echo_i "checking delegation prepared using CNAME chaining, NSEC ($n)" +n=$((n + 1)) +echo_i "checking secure delegation prepared using CNAME chaining ($n)" +ret=0 +# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a +# DS RRset. +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains the expected NS and DS RRsets. +exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 +exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)" +ret=0 +# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an +# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut. +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains the expected NS and DS RRsets. +exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 +exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 +# Check NSEC records in the AUTHORITY section. +no_records_exist_for "wildcard-secure.example." NSEC dig.out.2.$n || ret=1 +exactly_one_record_exists_for "*.wildcard-secure.example." NSEC dig.out.2.$n || ret=1 +no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-secure.example." 
NSEC dig.out.2.$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1 # Check NSEC records in the AUTHORITY section. no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 
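Review bot: The first added test's comment states that the AUTHORITY section "should only contain an NS RRset and a DS RRset", but the checks that follow only assert that one NS and one DS record exist and never assert that no NSEC record was returned, so an unexpected NSEC in the secure, QNAME-exists case would pass unnoticed; the insecure variants later in this hunk do make that assertion. Adding `no_records_exist_for "wildcard-secure.example." NSEC dig.out.2.$n || ret=1` and `no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1` after the DS check would make the test enforce what the comment claims. The helpers `exactly_one_record_exists_for` and `no_records_exist_for` are defined outside this hunk, so their exact matching rules cannot be confirmed here.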
@@ -138,17 +175,19 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2 # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC records are different. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1 # Check NSEC records in the AUTHORITY section. no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 exactly_one_record_exists_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 
@@ -158,18 +197,20 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2 # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1 # Check NSEC records in the AUTHORITY section. no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 @@ -179,7 +220,7 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2 # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Relevant NSEC3 hashes: # 
@@ -201,14 +242,16 @@ status=`expr $status + $ret` # $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3.example. # SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0) -n=`expr $n + 1` -echo_i "checking delegation prepared using CNAME chaining, NSEC3 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 
@@ -218,17 +261,19 @@ no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 
@@ -238,18 +283,20 @@ exactly_one_record_exists_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.e # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 
@@ -259,7 +306,7 @@ no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Relevant NSEC3 hashes: # @@ -284,14 +331,16 @@ status=`expr $status + $ret` # $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3-optout.example. # V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0) -n=`expr $n + 1` -echo_i "checking delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 
@@ -300,17 +349,19 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. exactly_one_record_exists_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 
@@ -319,18 +370,20 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` -echo_i "checking delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)" +n=$((n + 1)) +echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 -# Ensure that the AUTHORITY section contains an NS RRset. +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +# Ensure that the AUTHORITY section contains an NS RRset without an associated +# DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 +no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1 # Check NSEC3 records in the AUTHORITY section. no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 
@@ -339,17 +392,17 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to DNAME from authoritative ($n)" ret=0 $DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to DNAME from recursive" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -360,9 +413,9 @@ grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -371,9 +424,9 @@ grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i 
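Review bot: In the `@@ -339,17 +392,17 @@` hunk the query `$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname` is left without the `|| ret=1` guard that this commit adds to the dig invocations in the delegation tests, so a dig failure is only caught indirectly by the following grep; `$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname || ret=1` would match the rest of the script. The same unguarded pattern recurs in the `@@ -413,27 +466,27 @@` hunk (the c.example and d.example queries) and in the `@@ -553,25 +606,25 @@` hunk holding the CVE-2021-25215 regression checks. In the same hunk, `echo_i "checking CNAME to DNAME from recursive"` is the only check whose message omits the `($n)` suffix, which makes it harder to correlate with the `--- start test$n ---` marker logged just after it; `echo_i "checking CNAME to DNAME from recursive ($n)"` restores the convention. These are context lines, so the change is a consistency follow-up rather than a regression introduced here.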
@@ -383,9 +436,9 @@ grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-d grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME loops are detected ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -393,9 +446,9 @@ $DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to external delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -403,9 +456,9 @@ $DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to internal delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i 
@@ -413,27 +466,27 @@ $DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to signed external delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME to signed internal delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking CNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -472,9 +525,9 @@ $DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1 grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1 grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that only the initial CNAME is cached ($n)" ret=0 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i 
@@ -483,12 +536,12 @@ $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 sleep 1 $DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1 -ttl=`awk '{print $2}' dig.out.2.$n` +ttl=$(awk '{print $2}' dig.out.2.$n) [ "$ttl" -eq 86400 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -511,9 +564,9 @@ grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking external CNAME/DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i @@ -534,18 +587,18 @@ $DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking explicit DNAME query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1 grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME via ANY query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i 
@@ -553,25 +606,25 @@ $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i $DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1 grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Regression test for CVE-2021-25215 (authoritative server). -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME resolution via itself (authoritative) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1 grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Regression test for CVE-2021-25215 (recursive resolver). -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking DNAME resolution via itself (recursive) ($n)" ret=0 $DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1 grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/chain/tests_sh_chain.py b/bin/tests/system/chain/tests_sh_chain.py new file mode 100644 index 0000000000..ca3c05794e --- /dev/null +++ b/bin/tests/system/chain/tests_sh_chain.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_chain(run_tests_sh): + run_tests_sh() 
diff --git a/bin/tests/system/checkconf/altdb.conf b/bin/tests/system/checkconf/altdb.conf index 0ee9680dcb..1d8aded687 100644 --- a/bin/tests/system/checkconf/altdb.conf +++ b/bin/tests/system/checkconf/altdb.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ view override_bind chaos { zone "version.bind" chaos { - type master; + type primary; database "_builtin version"; }; }; diff --git a/bin/tests/system/checkconf/altdlz.conf b/bin/tests/system/checkconf/altdlz.conf index 8633197166..db8eecc4cf 100644 --- a/bin/tests/system/checkconf/altdlz.conf +++ b/bin/tests/system/checkconf/altdlz.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,7 +17,7 @@ dlz external { }; zone "example.com" { - type master; + type primary; dlz external; }; diff --git a/bin/tests/system/checkconf/ancient.conf b/bin/tests/system/checkconf/ancient.conf index 2723eb824e..98189cc0f0 100644 --- a/bin/tests/system/checkconf/ancient.conf 
+++ b/bin/tests/system/checkconf/ancient.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-acl.conf b/bin/tests/system/checkconf/bad-acl.conf index 02d1cc0d10..5095059b48 100644 --- a/bin/tests/system/checkconf/bad-acl.conf +++ b/bin/tests/system/checkconf/bad-acl.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-also-notify.conf b/bin/tests/system/checkconf/bad-also-notify.conf index bf27dab0a6..2ab8896c90 100644 --- a/bin/tests/system/checkconf/bad-also-notify.conf +++ b/bin/tests/system/checkconf/bad-also-notify.conf 
@@ -1,20 +1,22 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ /* - * Missing master in also-notify clause. + * Missing primary in also-notify clause. */ zone dummy { - type master; + type primary; file "xxxx"; also-notify { xxxx; }; }; diff --git a/bin/tests/system/checkconf/bad-catz-zone-dup.conf b/bin/tests/system/checkconf/bad-catz-zone-dup.conf new file mode 100644 index 0000000000..08fae428c1 --- /dev/null +++ b/bin/tests/system/checkconf/bad-catz-zone-dup.conf @@ -0,0 +1,21 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + catalog-zones { zone example.com; zone example.com; }; +}; + +zone example.com { + type primary; + file "example.com"; +}; diff --git a/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf b/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf new file mode 100644 index 0000000000..55a2d7825e --- /dev/null +++ b/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf 
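Review bot: The new fixture bad-catz-zone-dup.conf in this hunk, and bad-catz-zone-primary-dup.conf in the next one, carry no comment stating which misconfiguration named-checkconf is expected to reject, whereas bad-also-notify.conf and the bad-checkdstype*.conf fixtures in this same commit open with a one-line `/* ... */` naming the bad construct. From the file names and contents, the first presumably exercises the same zone being listed twice under `catalog-zones` and the second a single entry carrying both `default-masters` and `default-primaries`; a comment such as `/* Duplicate catalog-zones entry. */` placed after the license block would make the intent explicit and keep it readable after any future rename of the option.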
@@ -0,0 +1,27 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + catalog-zones { + zone "catalog.example" + default-masters { 10.53.0.1; } + default-primaries { 10.53.0.1 port 5304; } + in-memory yes; + }; +}; + +zone "catalog.example" { + type secondary; + file "catalog.example.db"; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/checkconf/bad-catz-zone.conf b/bin/tests/system/checkconf/bad-catz-zone.conf index 429a21456d..6f0677abeb 100644 --- a/bin/tests/system/checkconf/bad-catz-zone.conf +++ b/bin/tests/system/checkconf/bad-catz-zone.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-checkdstype-level.conf b/bin/tests/system/checkconf/bad-checkdstype-level.conf new file mode 100644 index 0000000000..f3bc1ad558 --- /dev/null +++ b/bin/tests/system/checkconf/bad-checkdstype-level.conf 
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * checkds only allowed at zone level
+ */
+
+options {
+ checkds no;
+};
+
+zone dummy {
+ type primary;
+ file "xxxx";
+};
diff --git a/bin/tests/system/checkconf/bad-checkdstype.conf b/bin/tests/system/checkconf/bad-checkdstype.conf
new file mode 100644
index 0000000000..56cd367ad3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checkdstype.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Bad checkds type
+ */
+
+zone dummy {
+ type primary;
+ file "xxxx";
+ checkds foobar;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
index 5ac12cce9c..24e6ef9f33 100644
--- a/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
index b0934fac69..e746e84534 100644
--- a/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
index f60a84dfac..ea83d7ecf5 100644
--- a/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
+++ b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-dnskey-validity.conf b/bin/tests/system/checkconf/bad-dnskey-validity.conf
deleted file mode 100644
index 16beccf527..0000000000
--- a/bin/tests/system/checkconf/bad-dnskey-validity.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 5000; /* maximum value 10 years, this is 14 */
-};
diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf
index 9db164ed28..b6974eb86c 100644
--- a/bin/tests/system/checkconf/bad-dnssec.conf
+++ b/bin/tests/system/checkconf/bad-dnssec.conf
@@ -1,29 +1,27 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
zone not-inline { - type slave; - masters { 127.0.0.1; }; + type secondary; + primaries { 127.0.0.1; }; inline-signing no; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; }; zone inline { - type slave; - masters { 127.0.0.1; }; + type secondary; + primaries { 127.0.0.1; }; inline-signing yes; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; };
diff --git a/bin/tests/system/checkconf/bad-doh-1.conf b/bin/tests/system/checkconf/bad-doh-1.conf
index 1d63d9765a..a10a236877 100644
--- a/bin/tests/system/checkconf/bad-doh-1.conf
+++ b/bin/tests/system/checkconf/bad-doh-1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-doh-2.conf b/bin/tests/system/checkconf/bad-doh-2.conf
index 3f6d991c67..c797eee79d 100644
--- a/bin/tests/system/checkconf/bad-doh-2.conf
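Review bot: With `dnssec-dnskey-kskonly yes;` and `update-check-ksk yes;` removed from both zones, bad-dnssec.conf no longer shows what it is still expected to fail on, so a reader cannot tell whether `dnssec-loadkeys-interval 10;` is the intended rejection or whether the file has quietly become valid configuration that the checkconf test now passes for the wrong reason. If those two options were the statements that made the file "bad", the test list that references this fixture should be re-checked against its expected output. A header comment naming the expected error — presumably `/* dnssec-loadkeys-interval is the statement checkconf must reject here. */`, to be confirmed against the test — would make the intent explicit for the next person who prunes obsolete options from these fixtures.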
+++ b/bin/tests/system/checkconf/bad-doh-2.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-doh-3.conf b/bin/tests/system/checkconf/bad-doh-3.conf
index ff697ef578..7447a01b2e 100644
--- a/bin/tests/system/checkconf/bad-doh-3.conf
+++ b/bin/tests/system/checkconf/bad-doh-3.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-1.conf b/bin/tests/system/checkconf/bad-doh-badpath-1.conf
new file mode 100644
index 0000000000..9a0f449e9d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+ endpoints { "dns-query"; };
+};
+
+options {
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-2.conf b/bin/tests/system/checkconf/bad-doh-badpath-2.conf
new file mode 100644
index 0000000000..e8013ee7cc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+ endpoints { "//"; };
+};
+
+options {
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-3.conf b/bin/tests/system/checkconf/bad-doh-badpath-3.conf
new file mode 100644
index 0000000000..fc5464c78d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-3.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+ endpoints { "/dns-query?dns="; };
+};
+
+options {
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-default.conf b/bin/tests/system/checkconf/bad-doh-default.conf
new file mode 100644
index 0000000000..dce7fe697e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-default.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# 'default' is a built-in configuration intended to be used in
+# 'listen-on' statements
+http default {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
diff --git a/bin/tests/system/checkconf/bad-doh-duplicates.conf b/bin/tests/system/checkconf/bad-doh-duplicates.conf
new file mode 100644
index 0000000000..a598d07369
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-duplicates.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+http local-http-server {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
+
+# duplicated HTTP configuration
+http local-http-server {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ http-port 80;
+ https-port 443;
+ http-listener-clients 100;
+ http-streams-per-connection 100;
+ listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-1.conf b/bin/tests/system/checkconf/bad-dot-1.conf
index 5df1acacc6..436a2699e8 100644
--- a/bin/tests/system/checkconf/bad-dot-1.conf
+++ b/bin/tests/system/checkconf/bad-dot-1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
new file mode 100644
index 0000000000..7d807fdb51
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 99999 { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
new file mode 100644
index 0000000000..cba555786e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport blah { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
new file mode 100644
index 0000000000..e7725922c3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport udp { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
new file mode 100644
index 0000000000..22956d272b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport http { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
new file mode 100644
index 0000000000..dfc779467e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport http-plain { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-badciphers.conf b/bin/tests/system/checkconf/bad-dot-badciphers.conf
new file mode 100644
index 0000000000..42a9f64325
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-badciphers.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+ ciphers "$bad:ciphers";
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-badprotocol.conf b/bin/tests/system/checkconf/bad-dot-badprotocol.conf
new file mode 100644
index 0000000000..f1cc15adda
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-badprotocol.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+ protocols { unknown; TLSv1.2; }; # bad TLS protocol version name
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-duplicatetls.conf b/bin/tests/system/checkconf/bad-dot-duplicatetls.conf
new file mode 100644
index 0000000000..508290f90b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-duplicatetls.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-ephemeral.conf b/bin/tests/system/checkconf/bad-dot-ephemeral.conf
new file mode 100644
index 0000000000..c9581f2142
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-ephemeral.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# ephemeral is reserved for internal use
+tls ephemeral {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on port 853 tls ephemeral { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-nocert.conf b/bin/tests/system/checkconf/bad-dot-nocert.conf
new file mode 100644
index 0000000000..db02e9fd5e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-nocert.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+};
+
+http local-http-server {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ http-port 80;
+ https-port 443;
+ http-listener-clients 100;
+ http-streams-per-connection 100;
+ listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-nokey.conf b/bin/tests/system/checkconf/bad-dot-nokey.conf
new file mode 100644
index 0000000000..1d5c3c55af
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-nokey.conf
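Review bot: bad-dot-nocert.conf pairs its deliberate defect — a `tls local-tls` block with `key-file` but no `cert-file` — with a full http block and seven options statements, two of which are `listen-on` lines that reference the profile. A negative fixture only proves the check it was written for when it contains a single error; if checkconf rejects this file because of any of the surrounding statements, the test still passes and the missing-certificate check is never exercised. Unless those statements are copied from a fixture known to pass, consider reducing the file to the tls block plus one `listen-on port 443 tls local-tls { 10.53.0.1; };` line, with a comment `# cert-file is required when key-file is given`. bad-dot-nokey.conf has the same layout with `cert-file` present and `key-file` missing, and bad-doh-duplicates.conf carries the same options block around its duplicated http definition.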
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ cert-file "cert.pem";
+};
+
+http local-http-server {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ http-port 80;
+ https-port 443;
+ http-listener-clients 100;
+ http-streams-per-connection 100;
+ listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-none.conf b/bin/tests/system/checkconf/bad-dot-none.conf
new file mode 100644
index 0000000000..fa26ab101f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-none.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# none is reserved for internal use
+tls none {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on port 853 tls none { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-primaries.conf b/bin/tests/system/checkconf/bad-dot-primaries.conf
new file mode 100644
index 0000000000..8958cbe956
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-primaries.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls undefined; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf
index 90e5c6bf0e..17f22370e7 100644
--- a/bin/tests/system/checkconf/bad-duplicate-key.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-key.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
index cf10157770..3bbabded18 100644
--- a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
index b7c6f2146f..1d1c6f007f 100644
--- a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
index e7039d623c..1cbc7d4fb8 100644
--- a/bin/tests/system/checkconf/bad-duplicate-root-key.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-duration.conf b/bin/tests/system/checkconf/bad-duration.conf
new file mode 100644
index 0000000000..1fbecc7229
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duration.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "test" {
+ dnskey-ttl xPT1H;
+};
diff --git a/bin/tests/system/checkconf/bad-empty-include.conf b/bin/tests/system/checkconf/bad-empty-include.conf
new file mode 100644
index 0000000000..ef47166944
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-empty-include.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "";
diff --git a/bin/tests/system/checkconf/bad-forwarders-dot-badtls-1.conf b/bin/tests/system/checkconf/bad-forwarders-dot-badtls-1.conf
new file mode 100644
index 0000000000..68c1f144ed
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-forwarders-dot-badtls-1.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls test-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+};
+
+# Bad: trying to use a TLS profile that has not been specified (another-tls).
+zone "example" {
+ type forward;
+ forward only;
+ forwarders port 5300 tls test-tls { 10.53.0.1; 10.53.0.2 port 5301 tls another-tls; };
+};
diff --git a/bin/tests/system/checkconf/bad-forwarders-dot-badtls-2.conf b/bin/tests/system/checkconf/bad-forwarders-dot-badtls-2.conf
new file mode 100644
index 0000000000..d95af2d5e5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-forwarders-dot-badtls-2.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls test-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+};
+
+# Bad: trying to use a TLS profile that has not been specified (another-tls).
+zone "example" {
+ type forward;
+ forward only;
+ forwarders port 5300 tls another-tls { 10.53.0.1; 10.53.0.2 port 5301 tls test-tls; };
+};
diff --git a/bin/tests/system/checkconf/bad-glue-cache-bogus.conf b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
deleted file mode 100644
index be45bbd81c..0000000000
--- a/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- glue-cache bogusvalue;
-};
diff --git a/bin/tests/system/checkconf/bad-hint.conf b/bin/tests/system/checkconf/bad-hint.conf
index a99ddba450..7214a00ed4 100644
--- a/bin/tests/system/checkconf/bad-hint.conf
+++ b/bin/tests/system/checkconf/bad-hint.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-in-view-dup.conf b/bin/tests/system/checkconf/bad-in-view-dup.conf
index dfde12401c..1d8bd17ece 100644
--- a/bin/tests/system/checkconf/bad-in-view-dup.conf
+++ b/bin/tests/system/checkconf/bad-in-view-dup.conf
@@ -1,19 +1,21 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 view a {
- zone x { type master; file "x"; };
+ zone x { type primary; file "x"; };
 };
 
 view b {
- zone x { type master; file "x"; };
+ zone x { type primary; file "x"; };
 zone x { in-view a; };
 };
diff --git a/bin/tests/system/checkconf/bad-inline-options.conf b/bin/tests/system/checkconf/bad-inline-options.conf
index fbbc69c074..f7c62dd6d2 100644
--- a/bin/tests/system/checkconf/bad-inline-options.conf
+++ b/bin/tests/system/checkconf/bad-inline-options.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-inline-secondary.conf b/bin/tests/system/checkconf/bad-inline-secondary.conf
new file mode 100644
index 0000000000..36462161ca
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-secondary.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ /*
+ * An inline-signing secondary should be forced to have a file option
+ */
+
+ zone "." {
+ type secondary;
+ inline-signing yes;
+ primaries { 10.53.0.1; };
+ };
diff --git a/bin/tests/system/checkconf/bad-inline-slave.conf b/bin/tests/system/checkconf/bad-inline-slave.conf
deleted file mode 100644
index ff283b62cd..0000000000
--- a/bin/tests/system/checkconf/bad-inline-slave.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
- /*
- * An inline-signing slave should be forced to have a file option
- */
-
- zone "." {
- type slave;
- inline-signing yes;
- masters { 10.53.0.1; };
- };
\ No newline at end of file
diff --git a/bin/tests/system/checkconf/bad-inline-view.conf b/bin/tests/system/checkconf/bad-inline-view.conf
index 364b884ada..e46bd0b7c6 100644
--- a/bin/tests/system/checkconf/bad-inline-view.conf
+++ b/bin/tests/system/checkconf/bad-inline-view.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-interface-interval.conf b/bin/tests/system/checkconf/bad-interface-interval.conf
index f39a7c0e29..ba8341a8cc 100644
--- a/bin/tests/system/checkconf/bad-interface-interval.conf
+++ b/bin/tests/system/checkconf/bad-interface-interval.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
index e07cc839c9..d7604eb8b1 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
@@ -1,3 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 acl myacl {
 127.1; /* Incomplete dotted IPv4 address / prefix */
 };
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
index ae098be5d5..cb53741a2a 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
@@ -1,3 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 acl myacl {
 127.1/8; /* No-zero bits */
 };
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
index 4d7738c955..98e724a8b5 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
@@ -1,3 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 acl myacl {
 127; /* Non-dotted quad IPv4 address (0.0.0.127) / prefix without length. */
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-define-default.conf b/bin/tests/system/checkconf/bad-kasp-define-default.conf
index 65095c4f8e..73c90efe8a 100644
--- a/bin/tests/system/checkconf/bad-kasp-define-default.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -15,7 +17,7 @@ dnssec-policy "default" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
index 19ae2d56dd..b2d22d3217 100644
--- a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -15,7 +17,7 @@ dnssec-policy "insecure" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-define-none.conf b/bin/tests/system/checkconf/bad-kasp-define-none.conf
index 4fc3781699..cea998887a 100644
--- a/bin/tests/system/checkconf/bad-kasp-define-none.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -15,7 +17,7 @@ dnssec-policy "none" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "none";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-digest-type.conf b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
new file mode 100644
index 0000000000..f1bd4d3029
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-digesttype" {
+ cds-digest-types { foobar; 2; };
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy "baddigesttype";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
new file mode 100644
index 0000000000..bdb8c37a9d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
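Review bot: In bad-kasp-digest-type.conf the zone references `dnssec-policy "baddigesttype";` while the policy is declared as `dnssec-policy "bad-digesttype" {`, so the reference does not resolve to the policy that carries the bogus `cds-digest-types` value; bad-kasp-digest-unsupported.conf in the next hunk has the same mismatch. named-checkconf will presumably still reject both files, but it may do so for the undefined policy name rather than for the digest type, which would leave the `cds-digest-types` validation unexercised by these tests. Changing the zone line to `dnssec-policy "bad-digesttype";` in both files keeps each of them failing only for the condition its name describes.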
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-digesttype" {
+ cds-digest-types { GOST; 2; };
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy "baddigesttype";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-duplicate.conf b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
new file mode 100644
index 0000000000..7f3ade6bf8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy a { };
+dnssec-policy a { };
diff --git a/bin/tests/system/checkconf/bad-kasp-inline-signing.conf b/bin/tests/system/checkconf/bad-kasp-inline-signing.conf
new file mode 100644
index 0000000000..178be5e11e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-inline-signing.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing is a boolean value.
+ */
+dnssec-policy "inline" {
+ inline-signing never-ever;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ dnssec-policy "inline";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key1.conf b/bin/tests/system/checkconf/bad-kasp-key1.conf
index 628788c349..0bf80deff9 100644
--- a/bin/tests/system/checkconf/bad-kasp-key1.conf
+++ b/bin/tests/system/checkconf/bad-kasp-key1.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -16,7 +18,7 @@ dnssec-policy "badalg" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "badalg";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-key2.conf b/bin/tests/system/checkconf/bad-kasp-key2.conf
index b6f513f18d..8e97e2acb6 100644
--- a/bin/tests/system/checkconf/bad-kasp-key2.conf
+++ b/bin/tests/system/checkconf/bad-kasp-key2.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -16,7 +18,7 @@ dnssec-policy "badalg" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "badalg";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-key3.conf b/bin/tests/system/checkconf/bad-kasp-key3.conf
index 5a93301e45..85e4e48b9e 100644
--- a/bin/tests/system/checkconf/bad-kasp-key3.conf
+++ b/bin/tests/system/checkconf/bad-kasp-key3.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -16,7 +18,7 @@ dnssec-policy "badalg" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "badalg";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-key4.conf b/bin/tests/system/checkconf/bad-kasp-key4.conf
index 785b3ca831..ca142a38ff 100644
--- a/bin/tests/system/checkconf/bad-kasp-key4.conf
+++ b/bin/tests/system/checkconf/bad-kasp-key4.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -16,7 +18,7 @@ dnssec-policy "badalg" {
 };
 
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "badalg";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf b/bin/tests/system/checkconf/bad-kasp-keydir1.conf
deleted file mode 100644
index 5be13a1feb..0000000000
--- a/bin/tests/system/checkconf/bad-kasp-keydir1.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key "keyforview1" {
- algorithm "hmac-sha1";
- secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
-};
-
-key "keyforview2" {
- algorithm "hmac-sha1";
- secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
-};
-
-view "example1" {
- match-clients { key "keyforview1"; };
-
- zone "example.net" {
- type primary;
- dnssec-policy "default";
- key-directory ".";
- file "example1.db";
- };
-};
-
-view "example2" {
- match-clients { key "keyforview2"; };
-
- zone "example.net" {
- type primary;
- dnssec-policy "insecure";
- key-directory ".";
- file "example2.db";
- };
-};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
new file mode 100644
index 0000000000..b0deaeae33
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The same zone in different views is using different DNSSEC policies, so it
+ * may not have the same key-directory.
+ */
+
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ key-directory ".";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory ".";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf b/bin/tests/system/checkconf/bad-kasp-keydir2.conf
deleted file mode 100644
index 67161a8436..0000000000
--- a/bin/tests/system/checkconf/bad-kasp-keydir2.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key "keyforview1" {
- algorithm "hmac-sha1";
- secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
-};
-
-key "keyforview2" {
- algorithm "hmac-sha1";
- secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
-};
-
-view "example1" {
- match-clients { key "keyforview1"; };
-
- zone "example.net" {
- type primary;
- dnssec-policy "default";
- file "example1.db";
- };
-};
-
-view "example2" {
- match-clients { key "keyforview2"; };
-
- zone "example.net" {
- type primary;
- dnssec-policy "insecure";
- file "example2.db";
- };
-};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
new file mode 100644
index 0000000000..699c193aaa
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * No key-directory is set, so the default is used.
+ * Should fail because the same zone in different views is using different
+ * DNSSEC policies.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
new file mode 100644
index 0000000000..0dbd7e2265
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone in view "example1" inherits the key directory value from "options",
+ * but in view "example2" sets the key directory to the same value. This should
+ * be detected as an error because the zone is using different DNSSEC policies
+ * and should thus use different key directories.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+options {
+ key-directory "keys";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ /* key-directory inherited from options. */
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory "keys";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
new file mode 100644
index 0000000000..af4a8f907b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone inherits the key-directory from the "view" level. Both views use the
+ * same key-directory, but the zone uses a different DNSSEC policy per view.
+ * This is a configuration error.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
new file mode 100644
index 0000000000..1cca608326
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * In one view, the zone inherits the key-directory from the "view" level, while
+ * in the other it is set explicitly at the "zone" level. In both cases, the
+ * same key-directory is used, but the zone uses a different DNSSEC policy per
+ * view. This is a configuration error.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory "keys";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000000..0b5939478e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ max-zone-ttl 600;
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf b/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf
new file mode 100644
index 0000000000..ff25ecea38
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badnsec3alg" {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+ nsec3param iterations 0 optout 0 salt-length 0;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy "badnsec3alg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
new file mode 100644
index 0000000000..12a26d38cc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
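Review bot: The header comment of bad-kasp-max-zone-ttl.conf, `The dnssec-policy is not defined. Should also be caught if it is inherited.`, is the wording of the policy-undefined tests and does not describe this file: the policy here is `default`, and what the file exercises is `max-zone-ttl 600` on a zone that inherits `dnssec-policy` from `options`. A comment along the lines of `/* max-zone-ttl is set on a zone that inherits dnssec-policy from options. */` would state what the test checks. The later bad-kasp-policy-undefined-inherited*.conf hunks keep the same sentence, where it is accurate.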
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+ dnssec-policy "notdefined";
+
+ zone "example.net" {
+ type primary;
+ file "example.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
new file mode 100644
index 0000000000..48514ac429
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp10.conf b/bin/tests/system/checkconf/bad-kasp10.conf
index 026fb52aaa..8253fae0c2 100644
--- a/bin/tests/system/checkconf/bad-kasp10.conf
+++ b/bin/tests/system/checkconf/bad-kasp10.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // both using the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "none";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp11.conf b/bin/tests/system/checkconf/bad-kasp11.conf
index 6d5f51813e..68177c2d5f 100644
--- a/bin/tests/system/checkconf/bad-kasp11.conf
+++ b/bin/tests/system/checkconf/bad-kasp11.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 allow-update { any; };
 };
diff --git a/bin/tests/system/checkconf/bad-kasp12.conf b/bin/tests/system/checkconf/bad-kasp12.conf
index 3251f61874..0ae8c1e797 100644
--- a/bin/tests/system/checkconf/bad-kasp12.conf
+++ b/bin/tests/system/checkconf/bad-kasp12.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 update-policy {
 grant * self * TXT;
diff --git a/bin/tests/system/checkconf/bad-kasp13.conf b/bin/tests/system/checkconf/bad-kasp13.conf
index 503859ba44..c74a5d7f5d 100644
--- a/bin/tests/system/checkconf/bad-kasp13.conf
+++ b/bin/tests/system/checkconf/bad-kasp13.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 allow-update { any; };
 };
diff --git a/bin/tests/system/checkconf/bad-kasp2.conf b/bin/tests/system/checkconf/bad-kasp2.conf
deleted file mode 100644
index a7b44ab6d0..0000000000
--- a/bin/tests/system/checkconf/bad-kasp2.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "good-kasp.conf";
-
-// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
-// configuration options (auto-dnssec).
-zone "example.net" {
- type master;
- file "example.db";
- dnssec-policy "test";
- auto-dnssec maintain;
- allow-update { any; };
-};
diff --git a/bin/tests/system/checkconf/bad-kasp3.conf b/bin/tests/system/checkconf/bad-kasp3.conf
index 104100dc59..8c6d7b41ac 100644
--- a/bin/tests/system/checkconf/bad-kasp3.conf
+++ b/bin/tests/system/checkconf/bad-kasp3.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -15,7 +17,7 @@ include "good-kasp.conf";
 // dnssec-policy configuration (good-kasp.conf has "test", zone refers to
 // "nosuchpolicy".
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "nosuchpolicy";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp4.conf b/bin/tests/system/checkconf/bad-kasp4.conf
index efb2cbefa8..d35d12f03c 100644
--- a/bin/tests/system/checkconf/bad-kasp4.conf
+++ b/bin/tests/system/checkconf/bad-kasp4.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,7 +18,7 @@ dnssec-policy "badduration" {
 };
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "badduration";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp6.conf b/bin/tests/system/checkconf/bad-kasp6.conf
index 672f4df868..3304038cee 100644
--- a/bin/tests/system/checkconf/bad-kasp6.conf
+++ b/bin/tests/system/checkconf/bad-kasp6.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -12,13 +14,13 @@
 // Two zones with dnssec-policy with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp7.conf b/bin/tests/system/checkconf/bad-kasp7.conf
index b7ba4a9b2e..c5dfbe8e17 100644
--- a/bin/tests/system/checkconf/bad-kasp7.conf
+++ b/bin/tests/system/checkconf/bad-kasp7.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp8.conf b/bin/tests/system/checkconf/bad-kasp8.conf
index af4f1a3d5a..1712fd075f 100644
--- a/bin/tests/system/checkconf/bad-kasp8.conf
+++ b/bin/tests/system/checkconf/bad-kasp8.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // both with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "none";
 };
diff --git a/bin/tests/system/checkconf/bad-kasp9.conf b/bin/tests/system/checkconf/bad-kasp9.conf
index 7fc5370afc..3bb54482ec 100644
--- a/bin/tests/system/checkconf/bad-kasp9.conf
+++ b/bin/tests/system/checkconf/bad-kasp9.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,13 +15,13 @@
 // (transitioning to inseure), both with the same zone file.
 zone "example1.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "default";
 };
 zone "example2.net" {
- type master;
+ type primary;
 file "example.db";
 dnssec-policy "insecure";
 };
diff --git a/bin/tests/system/checkconf/bad-keep-response-order.conf b/bin/tests/system/checkconf/bad-keep-response-order.conf
deleted file mode 100644
index c2c8929ca5..0000000000
--- a/bin/tests/system/checkconf/bad-keep-response-order.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- keep-response-order {
- does_not_exist;
- };
-};
diff --git a/bin/tests/system/checkconf/bad-ksk-without-zsk.conf b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
new file mode 100644
index 0000000000..66e1b7f0c8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy ksk-without-zsk {
+ keys {
+ ksk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy ksk-without-zsk;
+};
diff --git a/bin/tests/system/checkconf/bad-lifetime.conf b/bin/tests/system/checkconf/bad-lifetime.conf
index b5926f0eae..f268076544 100644
--- a/bin/tests/system/checkconf/bad-lifetime.conf
+++ b/bin/tests/system/checkconf/bad-lifetime.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
index 17d2ac5954..5655a16de8 100644
--- a/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
index 99540cae4d..006ca7d03f 100644
--- a/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
index e5e50f7f38..5dd1720341 100644
--- a/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
index 252ab3666c..f1e7b8888c 100644
--- a/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-many.conf b/bin/tests/system/checkconf/bad-many.conf
deleted file mode 100644
index af2b4344fa..0000000000
--- a/bin/tests/system/checkconf/bad-many.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- avoid-v4-udp-ports { 100; }
- avoid-v6-udp-ports { 100; };
- blackhole { 10.0.0.0/8; };
- coresize 1G;
- datasize 100M;
- deallocate-on-exit yes;
- directory ".";
- dump-file "named_dumpdb";
- fake-iquery yes;
- files 1000;
- has-old-clients no;
- heartbeat-interval 30;
- host-statistics yes;
- host-statistics-max 100;
- hostname none;
- interface-interval 30;
- keep-response-order { 10.0.0.10/24; };
- listen-on port 90 { any; };
- listen-on port 100 { 127.0.0.1; };
- listen-on-v6 port 53 { none; };
- match-mapped-addresses yes;
- memstatistics-file "named.memstats";
- multiple-cnames no;
- named-xfer "this is no longer needed";
- pid-file none;
- port 5300;
- querylog yes;
- recursing-file "named.recursing";
- recursive-clients 3000;
- serial-queries 10;
- serial-query-rate 100;
- server-id none;
-};
diff --git a/bin/tests/system/checkconf/bad-master-request-ixfr.conf b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
index 2d3913f71c..770afb38a7 100644
--- a/bin/tests/system/checkconf/bad-master-request-ixfr.conf
+++ b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
@@ -1,20 +1,22 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 /*
- * request-ixfr clause is not allowed in zone of type master.
+ * request-ixfr clause is not allowed in zone of type primary.
  */
 zone dummy {
- type master;
+ type primary;
 request-ixfr no;
 file "xxxx";
 };
diff --git a/bin/tests/system/checkconf/bad-masterfile-format-map.conf b/bin/tests/system/checkconf/bad-masterfile-format-map.conf
new file mode 100644
index 0000000000..634ca14307
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-masterfile-format-map.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format map;
+};
diff --git a/bin/tests/system/checkconf/bad-masters-dup.conf b/bin/tests/system/checkconf/bad-masters-dup.conf
deleted file mode 100644
index 18dc4590da..0000000000
--- a/bin/tests/system/checkconf/bad-masters-dup.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone "example.net" {
- type secondary;
- primaries { 192.168.1.1; };
- masters { 192.168.1.2; };
-};
diff --git a/bin/tests/system/checkconf/bad-maxcachettl.conf b/bin/tests/system/checkconf/bad-maxcachettl.conf
index ab5c2c2c25..47f06431de 100644
--- a/bin/tests/system/checkconf/bad-maxcachettl.conf
+++ b/bin/tests/system/checkconf/bad-maxcachettl.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-1.conf b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
index 7e92adf7ea..ad852c3d0d 100644
--- a/bin/tests/system/checkconf/bad-maxncachettl-1.conf
+++ b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-2.conf b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
index e8eae8f186..ada5c831d3 100644
--- a/bin/tests/system/checkconf/bad-maxncachettl-2.conf
+++ b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-3.conf b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
index f31c133e26..771a0f3e29 100644
--- a/bin/tests/system/checkconf/bad-maxncachettl-3.conf
+++ b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-4.conf b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
index c220ecd7b3..d9cd9394f2 100644
--- a/bin/tests/system/checkconf/bad-maxncachettl-4.conf
+++ b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-maxratio1.conf b/bin/tests/system/checkconf/bad-maxratio1.conf
index f0d06be669..ade4de16e0 100644
--- a/bin/tests/system/checkconf/bad-maxratio1.conf
+++ b/bin/tests/system/checkconf/bad-maxratio1.conf
@@ -1,17 +1,19 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 zone example {
- type master;
- masterfile-format map;
+ type primary;
+ masterfile-format raw;
 file "example.db";
 max-ixfr-ratio 0.9;
 };
diff --git a/bin/tests/system/checkconf/bad-maxratio2.conf b/bin/tests/system/checkconf/bad-maxratio2.conf
index 902c334423..adb63f3950 100644
--- a/bin/tests/system/checkconf/bad-maxratio2.conf
+++ b/bin/tests/system/checkconf/bad-maxratio2.conf
@@ -1,17 +1,19 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 zone example {
- type master;
- masterfile-format map;
+ type primary;
+ masterfile-format raw;
 file "example.db";
 max-ixfr-ratio 0%;
 };
diff --git a/bin/tests/system/checkconf/bad-maxttlmap.conf b/bin/tests/system/checkconf/bad-maxttlmap.conf
deleted file mode 100644
index f404b3e86b..0000000000
--- a/bin/tests/system/checkconf/bad-maxttlmap.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone example {
- type master;
- masterfile-format map;
- file "example.db";
- max-zone-ttl 3600;
-};
diff --git a/bin/tests/system/checkconf/bad-mincachettl.conf b/bin/tests/system/checkconf/bad-mincachettl.conf
index 0a1c188461..cd02c66e7a 100644
--- a/bin/tests/system/checkconf/bad-mincachettl.conf
+++ b/bin/tests/system/checkconf/bad-mincachettl.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-minncachettl.conf b/bin/tests/system/checkconf/bad-minncachettl.conf
index ac2e29b59c..1148bcc9f5 100644
--- a/bin/tests/system/checkconf/bad-minncachettl.conf
+++ b/bin/tests/system/checkconf/bad-minncachettl.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
index 9dabf8897e..1f4c8fe9ba 100644
--- a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
+++ b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,5 +18,5 @@ options {
 zone "." {
 type mirror;
- masters { 127.0.0.1; };
+ primaries { 127.0.0.1; };
 };
diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
index 8d5b28a792..27ad850e04 100644
--- a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
+++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
index e212bed6ac..c9c8b03443 100644
--- a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
+++ b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
index 9b02f0dcb7..f5536ac564 100644
--- a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
+++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-mirror-zonename.conf b/bin/tests/system/checkconf/bad-mirror-zonename.conf
index 3c4663ec69..6fc11c1902 100644
--- a/bin/tests/system/checkconf/bad-mirror-zonename.conf
+++ b/bin/tests/system/checkconf/bad-mirror-zonename.conf
@@ -1,3 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 zone "\0example" {
  type mirror;
  file "example.db";
diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf
index d4e93dcbf6..203bf4dda5 100644
--- a/bin/tests/system/checkconf/bad-noddns.conf
+++ b/bin/tests/system/checkconf/bad-noddns.conf
@@ -1,17 +1,23 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
+dnssec-policy "test" {
+ inline-signing no;
+};
+
 zone example {
- type master;
+ type primary;
  file "example.db";
- auto-dnssec maintain;
+ dnssec-policy test;
  allow-update { none; };
 };
diff --git a/bin/tests/system/checkconf/bad-notify-source-v6.conf b/bin/tests/system/checkconf/bad-notify-source-v6.conf
new file mode 100644
index 0000000000..ef53c96e19
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source.conf b/bin/tests/system/checkconf/bad-notify-source.conf
new file mode 100644
index 0000000000..b950784a98
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source.conf
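Review bot: The bad-noddns.conf fixture never states which condition named-checkconf is expected to reject, and after `auto-dnssec maintain` is replaced by `dnssec-policy test` backed by a policy with `inline-signing no`, the reader has to infer the intent from the file name alone; presumably it is the combination of a non-inline-signing policy with `allow-update { none; };`, but the file should say so. A comment above `zone example {` such as `// expected to fail: dnssec-policy without inline-signing on a zone that allows no dynamic updates` (wording aligned with the error the test asserts on) would pin the expectation. The same gap applies to the new bad-notify-source-v6.conf fixture in this hunk and to the other new bad-*.conf fixtures that follow (notify-source, parental-agents-*, parental-source*, port, primaries-*, random-device, rpz-ede): each encodes one rejected construct but none records the expected error.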
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-options-also-notify.conf b/bin/tests/system/checkconf/bad-options-also-notify.conf
index d5a28c0e3a..889a88fa3a 100644
--- a/bin/tests/system/checkconf/bad-options-also-notify.conf
+++ b/bin/tests/system/checkconf/bad-options-also-notify.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,6 +16,6 @@ options {
 };
 
 zone "example.net" {
- type slave;
- masters { 192.168.1.1; };
+ type secondary;
+ primaries { 192.168.1.1; };
 };
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-options.conf b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
new file mode 100644
index 0000000000..20911552c7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ parental-agents { 192.168.1.2; };
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
new file mode 100644
index 0000000000..47c062a2a7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+ parental-agents { 192.168.1.2; };
+ zone "example.net" {
+ type primary;
+ file "example.net.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
new file mode 100644
index 0000000000..aa65a4d2aa
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+ parental-agents "net" {
+ 192.168.1.2;
+ };
+ zone "example.net" {
+ type primary;
+ file "example.net.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
new file mode 100644
index 0000000000..e2a8389b48
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents "net" { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dup.conf b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
new file mode 100644
index 0000000000..cb5ac4412a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { 192.168.1.1; };
+ parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
new file mode 100644
index 0000000000..7ca88f73e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" {
+ 192.168.1.1;
+};
+
+parental-agents "net" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
new file mode 100644
index 0000000000..f61de06a62
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" { };
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty2.conf b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
new file mode 100644
index 0000000000..93b8f7b751
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-mirror.conf b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
new file mode 100644
index 0000000000..62926e21c5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type mirror;
+ file "root.mirror";
+ parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
new file mode 100644
index 0000000000..98075c437b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "com" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source-v6.conf b/bin/tests/system/checkconf/bad-parental-source-v6.conf
new file mode 100644
index 0000000000..1b053d0186
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source.conf b/bin/tests/system/checkconf/bad-parental-source.conf
new file mode 100644
index 0000000000..9587b3e129
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-port.conf b/bin/tests/system/checkconf/bad-port.conf
new file mode 100644
index 0000000000..9650c8f57b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 99999;
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-dup.conf b/bin/tests/system/checkconf/bad-primaries-dup.conf
new file mode 100644
index 0000000000..ed761c971e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-dup.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type secondary;
+ primaries { 192.168.1.1; };
+ masters { 192.168.1.2; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf
new file mode 100644
index 0000000000..f592293db4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-key.conf
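Review bot: bad-primaries-dup.conf sets both `primaries { 192.168.1.1; };` and `masters { 192.168.1.2; };` on the same zone, and nothing in the file says that the two are the old and new spelling of one option and that naming both is the construct under test; a reader could take it for a typo in the fixture rather than the intended duplicate. A comment on the `masters` line such as `// masters is the legacy spelling of primaries; a zone naming both must be rejected` would make the expectation explicit, with the wording matched to whatever checkconf actually reports. The different addresses on the two lines are worth mentioning in that comment too, since it is presumably the duplication and not the mismatch that triggers the error.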
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4 key a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
new file mode 100644
index 0000000000..464009824d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries "net" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type secondary;
+ primaries { "foo"; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-tls.conf b/bin/tests/system/checkconf/bad-primaries-tls.conf
new file mode 100644
index 0000000000..7858d1d09c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-tls.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4 tls a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-printtime.conf b/bin/tests/system/checkconf/bad-printtime.conf
index 318e453324..80a53cb8e3 100644
--- a/bin/tests/system/checkconf/bad-printtime.conf
+++ b/bin/tests/system/checkconf/bad-printtime.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-random-device.conf b/bin/tests/system/checkconf/bad-random-device.conf
new file mode 100644
index 0000000000..bc1451d8d9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-random-device.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ random-device "/dev/urandom";
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-acl.conf b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
index b344a0ffe3..06543fbb77 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-acl.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
index 6a60a8bfc2..aae353e4a3 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
index bea963956f..b2c60971f8 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
index b94d8db732..b728575c57 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
index 4378e71846..6b5fda51d1 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
index ed05f576b8..95309dbef5 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
index 893640ee7f..ecfb5f84de 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
index 8e2f407953..77c5749776 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
index 585e90e275..0dc4532c21 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
index 21f528cdaf..0ea48364a3 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
index 784f529beb..8187244713 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-slip.conf b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
index c6162952ee..15d270cbca 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-slip.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-rate-limit-window.conf b/bin/tests/system/checkconf/bad-rate-limit-window.conf
index 5a0bcdb4ab..7ded786144 100644
--- a/bin/tests/system/checkconf/bad-rate-limit-window.conf
+++ b/bin/tests/system/checkconf/bad-rate-limit-window.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-root-mixed-key.conf b/bin/tests/system/checkconf/bad-root-mixed-key.conf
index 16e91bf5be..7035066b2a 100644
--- a/bin/tests/system/checkconf/bad-root-mixed-key.conf
+++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-rpz-ede.conf b/bin/tests/system/checkconf/bad-rpz-ede.conf new file mode 100644 index 0000000000..8d78f8df47 --- /dev/null +++ b/bin/tests/system/checkconf/bad-rpz-ede.conf @@ -0,0 +1,23 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "example.com." { + type primary; + file "example.com.zone"; +}; + +options { + response-policy { + zone "example.com." ede unsupported; + }; +}; diff --git a/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf index 92a13bed39..0eb9ef35c0 100644 --- a/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf +++ b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -79,68 +81,68 @@ options { }; }; -zone "max1" { type master; file "rpz.db"; }; -zone "max2" { type master; file "rpz.db"; }; -zone "max3" { type master; file "rpz.db"; }; -zone "max4" { type master; file "rpz.db"; }; -zone "max5" { type master; file "rpz.db"; }; -zone "max6" { type master; file "rpz.db"; }; -zone "max7" { type master; file "rpz.db"; }; -zone "max8" { type master; file "rpz.db"; }; -zone "max9" { type master; file "rpz.db"; }; -zone "max10" { type master; file "rpz.db"; }; -zone "max11" { type master; file "rpz.db"; }; -zone "max12" { type master; file "rpz.db"; }; -zone "max13" { type master; file "rpz.db"; }; -zone "max14" { type master; file "rpz.db"; }; -zone "max15" { type master; file "rpz.db"; }; -zone "max16" { type master; file "rpz.db"; }; -zone "max17" { type master; file "rpz.db"; }; -zone "max18" { type master; file "rpz.db"; }; -zone "max19" { type master; file "rpz.db"; }; -zone "max20" { type master; file "rpz.db"; }; -zone "max21" { type master; file "rpz.db"; }; -zone "max22" { type master; file "rpz.db"; }; -zone "max23" { type master; file "rpz.db"; }; -zone "max24" { type master; file "rpz.db"; }; -zone "max25" { type master; file "rpz.db"; }; -zone "max26" { type master; file "rpz.db"; }; -zone "max27" { type master; file "rpz.db"; }; -zone "max28" { type master; file "rpz.db"; }; -zone "max29" { type master; file "rpz.db"; }; -zone "max30" { type master; file "rpz.db"; }; -zone "max31" { type master; file "rpz.db"; }; -zone "max32" { type master; file "rpz.db"; }; -zone "max33" { type master; file "rpz.db"; }; -zone "max34" { type master; file "rpz.db"; }; -zone "max35" { type master; file "rpz.db"; }; -zone "max36" { type master; file "rpz.db"; }; -zone "max37" { type master; file "rpz.db"; }; -zone "max38" { type master; file "rpz.db"; }; -zone "max39" { type master; file "rpz.db"; }; -zone "max40" { type master; file "rpz.db"; }; -zone "max41" { type master; file "rpz.db"; }; -zone "max42" { type master; file "rpz.db"; 
}; -zone "max43" { type master; file "rpz.db"; }; -zone "max44" { type master; file "rpz.db"; }; -zone "max45" { type master; file "rpz.db"; }; -zone "max46" { type master; file "rpz.db"; }; -zone "max47" { type master; file "rpz.db"; }; -zone "max48" { type master; file "rpz.db"; }; -zone "max49" { type master; file "rpz.db"; }; -zone "max50" { type master; file "rpz.db"; }; -zone "max51" { type master; file "rpz.db"; }; -zone "max52" { type master; file "rpz.db"; }; -zone "max53" { type master; file "rpz.db"; }; -zone "max54" { type master; file "rpz.db"; }; -zone "max55" { type master; file "rpz.db"; }; -zone "max56" { type master; file "rpz.db"; }; -zone "max57" { type master; file "rpz.db"; }; -zone "max58" { type master; file "rpz.db"; }; -zone "max59" { type master; file "rpz.db"; }; -zone "max60" { type master; file "rpz.db"; }; -zone "max61" { type master; file "rpz.db"; }; -zone "max62" { type master; file "rpz.db"; }; -zone "max63" { type master; file "rpz.db"; }; -zone "max64" { type master; file "rpz.db"; }; -zone "max65" { type master; file "rpz.db"; }; +zone "max1" { type primary; file "rpz.db"; }; +zone "max2" { type primary; file "rpz.db"; }; +zone "max3" { type primary; file "rpz.db"; }; +zone "max4" { type primary; file "rpz.db"; }; +zone "max5" { type primary; file "rpz.db"; }; +zone "max6" { type primary; file "rpz.db"; }; +zone "max7" { type primary; file "rpz.db"; }; +zone "max8" { type primary; file "rpz.db"; }; +zone "max9" { type primary; file "rpz.db"; }; +zone "max10" { type primary; file "rpz.db"; }; +zone "max11" { type primary; file "rpz.db"; }; +zone "max12" { type primary; file "rpz.db"; }; +zone "max13" { type primary; file "rpz.db"; }; +zone "max14" { type primary; file "rpz.db"; }; +zone "max15" { type primary; file "rpz.db"; }; +zone "max16" { type primary; file "rpz.db"; }; +zone "max17" { type primary; file "rpz.db"; }; +zone "max18" { type primary; file "rpz.db"; }; +zone "max19" { type primary; file "rpz.db"; }; +zone 
"max20" { type primary; file "rpz.db"; }; +zone "max21" { type primary; file "rpz.db"; }; +zone "max22" { type primary; file "rpz.db"; }; +zone "max23" { type primary; file "rpz.db"; }; +zone "max24" { type primary; file "rpz.db"; }; +zone "max25" { type primary; file "rpz.db"; }; +zone "max26" { type primary; file "rpz.db"; }; +zone "max27" { type primary; file "rpz.db"; }; +zone "max28" { type primary; file "rpz.db"; }; +zone "max29" { type primary; file "rpz.db"; }; +zone "max30" { type primary; file "rpz.db"; }; +zone "max31" { type primary; file "rpz.db"; }; +zone "max32" { type primary; file "rpz.db"; }; +zone "max33" { type primary; file "rpz.db"; }; +zone "max34" { type primary; file "rpz.db"; }; +zone "max35" { type primary; file "rpz.db"; }; +zone "max36" { type primary; file "rpz.db"; }; +zone "max37" { type primary; file "rpz.db"; }; +zone "max38" { type primary; file "rpz.db"; }; +zone "max39" { type primary; file "rpz.db"; }; +zone "max40" { type primary; file "rpz.db"; }; +zone "max41" { type primary; file "rpz.db"; }; +zone "max42" { type primary; file "rpz.db"; }; +zone "max43" { type primary; file "rpz.db"; }; +zone "max44" { type primary; file "rpz.db"; }; +zone "max45" { type primary; file "rpz.db"; }; +zone "max46" { type primary; file "rpz.db"; }; +zone "max47" { type primary; file "rpz.db"; }; +zone "max48" { type primary; file "rpz.db"; }; +zone "max49" { type primary; file "rpz.db"; }; +zone "max50" { type primary; file "rpz.db"; }; +zone "max51" { type primary; file "rpz.db"; }; +zone "max52" { type primary; file "rpz.db"; }; +zone "max53" { type primary; file "rpz.db"; }; +zone "max54" { type primary; file "rpz.db"; }; +zone "max55" { type primary; file "rpz.db"; }; +zone "max56" { type primary; file "rpz.db"; }; +zone "max57" { type primary; file "rpz.db"; }; +zone "max58" { type primary; file "rpz.db"; }; +zone "max59" { type primary; file "rpz.db"; }; +zone "max60" { type primary; file "rpz.db"; }; +zone "max61" { type primary; file 
"rpz.db"; }; +zone "max62" { type primary; file "rpz.db"; }; +zone "max63" { type primary; file "rpz.db"; }; +zone "max64" { type primary; file "rpz.db"; }; +zone "max65" { type primary; file "rpz.db"; }; diff --git a/bin/tests/system/checkconf/bad-rpz-ttl.conf b/bin/tests/system/checkconf/bad-rpz-ttl.conf index af35952982..7b3a6ef27f 100644 --- a/bin/tests/system/checkconf/bad-rpz-ttl.conf +++ b/bin/tests/system/checkconf/bad-rpz-ttl.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com." { - type master; + type primary; file "example.com.zone"; }; diff --git a/bin/tests/system/checkconf/bad-rpz-update.conf b/bin/tests/system/checkconf/bad-rpz-update.conf index 1c06bfd508..a03f179682 100644 --- a/bin/tests/system/checkconf/bad-rpz-update.conf +++ b/bin/tests/system/checkconf/bad-rpz-update.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com." { - type master; + type primary; file "example.com.zone"; }; diff --git a/bin/tests/system/checkconf/bad-rpz-zone.conf b/bin/tests/system/checkconf/bad-rpz-zone.conf index 120c8e4fe4..4aadc61afd 100644 --- a/bin/tests/system/checkconf/bad-rpz-zone.conf +++ b/bin/tests/system/checkconf/bad-rpz-zone.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bin/tests/system/checkconf/bad-sharedwritable1.conf index 38d244a696..3fcb1af5e6 100644 --- a/bin/tests/system/checkconf/bad-sharedwritable1.conf +++ b/bin/tests/system/checkconf/bad-sharedwritable1.conf 
@@ -1,20 +1,22 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone a { - type master; + type primary; file "shared.db"; }; zone b { - type slave; + type secondary; file "shared.db"; - masters { 1.2.3.4; }; + primaries { 1.2.3.4; }; }; diff --git a/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bin/tests/system/checkconf/bad-sharedwritable2.conf index 31c77c417c..e8c940ccb3 100644 --- a/bin/tests/system/checkconf/bad-sharedwritable2.conf +++ b/bin/tests/system/checkconf/bad-sharedwritable2.conf @@ -1,21 +1,23 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone a { - type slave; + type secondary; file "shared.db"; - masters { 1.2.3.4; }; + primaries { 1.2.3.4; }; }; zone b { - type slave; + type secondary; file "shared.db"; - masters { 1.2.3.4; }; + primaries { 1.2.3.4; }; }; diff --git a/bin/tests/system/checkconf/bad-sharedzone1.conf b/bin/tests/system/checkconf/bad-sharedzone1.conf index 3782991fa5..fccffe9f05 100644 
--- a/bin/tests/system/checkconf/bad-sharedzone1.conf +++ b/bin/tests/system/checkconf/bad-sharedzone1.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -14,7 +16,7 @@ view "first" { "none"; }; zone "clone" { - type master; + type primary; file "xxx"; }; }; @@ -24,6 +26,6 @@ view "second" { }; zone "clone" { in-view "first"; - type slave; + type secondary; }; }; diff --git a/bin/tests/system/checkconf/bad-sharedzone2.conf b/bin/tests/system/checkconf/bad-sharedzone2.conf index 91b0472d9a..76032e3c22 100644 --- a/bin/tests/system/checkconf/bad-sharedzone2.conf +++ b/bin/tests/system/checkconf/bad-sharedzone2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -14,7 +16,7 @@ view "first" { "none"; }; zone "clone" { - type master; + type primary; file "xxx"; }; }; @@ -26,6 +28,6 @@ view "second" { in-view "first"; forward only; forwarders { 10.0.0.100; }; - type slave; + type secondary; }; }; 
diff --git a/bin/tests/system/checkconf/bad-sharedzone3.conf b/bin/tests/system/checkconf/bad-sharedzone3.conf index e174ab1165..07e92bde4e 100644 --- a/bin/tests/system/checkconf/bad-sharedzone3.conf +++ b/bin/tests/system/checkconf/bad-sharedzone3.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -17,7 +19,7 @@ view first { view second { zone shared.example { - type master; + type primary; file "shared.example.db"; }; }; diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf deleted file mode 100644 index 3934e15390..0000000000 --- a/bin/tests/system/checkconf/bad-sig-validity.conf +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - sig-validity-interval 5000; -}; diff --git a/bin/tests/system/checkconf/bad-static-initial-1.conf b/bin/tests/system/checkconf/bad-static-initial-1.conf index a21495774a..91a5c10234 100644 --- a/bin/tests/system/checkconf/bad-static-initial-1.conf +++ b/bin/tests/system/checkconf/bad-static-initial-1.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-static-initial-2.conf b/bin/tests/system/checkconf/bad-static-initial-2.conf index 42ae422925..3b4754d7fd 100644 --- a/bin/tests/system/checkconf/bad-static-initial-2.conf +++ b/bin/tests/system/checkconf/bad-static-initial-2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-static-initial-3.conf b/bin/tests/system/checkconf/bad-static-initial-3.conf index 8e85f8fa42..c396d9c212 100644 --- a/bin/tests/system/checkconf/bad-static-initial-3.conf +++ b/bin/tests/system/checkconf/bad-static-initial-3.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-static-initial-4.conf b/bin/tests/system/checkconf/bad-static-initial-4.conf index d2c499cdf3..2170d52217 100644 --- a/bin/tests/system/checkconf/bad-static-initial-4.conf +++ b/bin/tests/system/checkconf/bad-static-initial-4.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/bad-stub-masters-dialup.conf b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf index 750daf886f..a30236ca1e 100644 --- a/bin/tests/system/checkconf/bad-stub-masters-dialup.conf +++ b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + controls { /* empty */ }; options { query-source address 10.53.0.2; @@ -19,5 +32,5 @@ zone "example." { dialup notify; notify no; file "example.bk"; - // masters { 10.53.0.1; }; + // primaries { 10.53.0.1; }; }; diff --git a/bin/tests/system/checkconf/bad-transfer-source-v6.conf b/bin/tests/system/checkconf/bad-transfer-source-v6.conf new file mode 100644 index 0000000000..da182ff35c --- /dev/null +++ b/bin/tests/system/checkconf/bad-transfer-source-v6.conf @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port 5300; +}; + +zone example { + type secondary; + primaries { 1.2.3.4; }; + transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300; +}; diff --git a/bin/tests/system/checkconf/bad-transfer-source.conf b/bin/tests/system/checkconf/bad-transfer-source.conf new file mode 100644 index 0000000000..315c4109a6 --- /dev/null +++ b/bin/tests/system/checkconf/bad-transfer-source.conf 
@@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port 5300; +}; + +zone example { + type secondary; + primaries { 1.2.3.4; }; + transfer-source 10.53.0.1 port 5300; +}; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf deleted file mode 100644 index 21be03e9d2..0000000000 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ /dev/null @@ -1,17 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* Bad secret */ -key "badtsig" { - algorithm hmac-md5; - secret "jEdD+BPKg=="; -}; - diff --git a/bin/tests/system/checkconf/bad-tsig.conf.in b/bin/tests/system/checkconf/bad-tsig.conf.in new file mode 100644 index 0000000000..3e3023c5df --- /dev/null +++ b/bin/tests/system/checkconf/bad-tsig.conf.in 
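Review bot: The new bad-transfer-source.conf never states which error named-checkconf is expected to raise, and the only unusual thing visible in the file is that `transfer-source 10.53.0.1 port 5300` reuses the `port 5300` that named itself listens on, so presumably that clash is the point of the test. A one-line comment above the zone, `/* transfer-source port must not be the same as the listening "port" */`, would make this negative test self-describing and would stop it from silently passing for an unrelated reason if the transfer-source grammar changes later. The same applies to the -v6 twin in the preceding hunk. If the intended rejection is something else (the literal `port` clause on transfer-source being deprecated, for instance), the comment should name that instead.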
@@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* Bad secret */ +key "badtsig" { + algorithm @DEFAULT_HMAC@; + secret "jEdD+BPKg=="; +}; diff --git a/bin/tests/system/checkconf/bad-unpaired-keys.conf b/bin/tests/system/checkconf/bad-unpaired-keys.conf new file mode 100644 index 0000000000..63b6dc2c65 --- /dev/null +++ b/bin/tests/system/checkconf/bad-unpaired-keys.conf @@ -0,0 +1,27 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy unpaired-keys { + keys { + /* zsk without ksk */ + zsk lifetime 30d algorithm 13; + /* ksk without zsk */ + ksk lifetime 30d algorithm 7; + }; +}; + +zone "example" { + type primary; + file "example.db"; + dnssec-policy unpaired-keys; +}; diff --git a/bin/tests/system/checkconf/bad-update-policy1.conf b/bin/tests/system/checkconf/bad-update-policy1.conf index 13e21db605..fa1330c718 100644 --- a/bin/tests/system/checkconf/bad-update-policy1.conf +++ b/bin/tests/system/checkconf/bad-update-policy1.conf 
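Review bot: `/* Bad secret */` does not say what is bad about `"jEdD+BPKg=="`, and as far as I can tell the failure the test relies on is that the string is not valid base64 (eleven characters, not a multiple of four, with trailing padding), so the comment should spell that out: `/* Bad secret: not valid base64 (length is not a multiple of 4) */`. Switching the algorithm to `@DEFAULT_HMAC@` is the right call for builds without hmac-md5, but it makes the test depend on the .in substitution step; if the placeholder were ever left unexpanded, checkconf would reject the algorithm token instead and the test would pass for the wrong reason, so it is worth confirming that the test runs against the generated bad-tsig.conf and not the template.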
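Review bot: The KSK in `ksk lifetime 30d algorithm 7;` uses RSASHA1-NSEC3-SHA1, which is unavailable in FIPS mode and under the default OpenSSL 3 policy on several distributions, so on such a build the policy may be rejected for an unsupported algorithm rather than for the KSK/ZSK pairing mismatch the file is named for, and the negative test would pass for the wrong reason. Choosing an algorithm that is always available, `ksk lifetime 30d algorithm 8;`, keeps the two keys unpaired while leaving checkconf only one reason to fail. The `/* zsk without ksk */` and `/* ksk without zsk */` comments are helpful; a line at the top stating the expected error (each algorithm needs both a KSK and a ZSK, or a CSK) would complete them.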
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * self TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy10.conf b/bin/tests/system/checkconf/bad-update-policy10.conf index 8c9a4adebf..39ac656d80 100644 --- a/bin/tests/system/checkconf/bad-update-policy10.conf +++ b/bin/tests/system/checkconf/bad-update-policy10.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * krb5-selfsub TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy11.conf b/bin/tests/system/checkconf/bad-update-policy11.conf index 6f81c31017..d148b588d1 100644 --- a/bin/tests/system/checkconf/bad-update-policy11.conf +++ b/bin/tests/system/checkconf/bad-update-policy11.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * ms-selfsub TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy12.conf b/bin/tests/system/checkconf/bad-update-policy12.conf index c636f1bf65..dc79db393a 100644 --- a/bin/tests/system/checkconf/bad-update-policy12.conf +++ b/bin/tests/system/checkconf/bad-update-policy12.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * external TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy13.conf b/bin/tests/system/checkconf/bad-update-policy13.conf index 4fb16f204a..694c73b48c 100644 --- a/bin/tests/system/checkconf/bad-update-policy13.conf +++ b/bin/tests/system/checkconf/bad-update-policy13.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant a-key-name name TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy14.conf b/bin/tests/system/checkconf/bad-update-policy14.conf index 1498180d45..af02ef240b 100644 --- a/bin/tests/system/checkconf/bad-update-policy14.conf +++ b/bin/tests/system/checkconf/bad-update-policy14.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant a-key-name subdomain TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy15.conf b/bin/tests/system/checkconf/bad-update-policy15.conf index 7591b0b36c..f8f7d1356f 100644 --- a/bin/tests/system/checkconf/bad-update-policy15.conf +++ b/bin/tests/system/checkconf/bad-update-policy15.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant a-key-name wildcard TXT; diff --git a/bin/tests/system/checkconf/bad-update-policy16.conf b/bin/tests/system/checkconf/bad-update-policy16.conf index 6870e65e62..747c381c42 100644 --- a/bin/tests/system/checkconf/bad-update-policy16.conf +++ b/bin/tests/system/checkconf/bad-update-policy16.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * tcp-self . "ptr(10 )"; diff --git a/bin/tests/system/checkconf/bad-update-policy17.conf b/bin/tests/system/checkconf/bad-update-policy17.conf new file mode 100644 index 0000000000..a2955f27c4 --- /dev/null +++ b/bin/tests/system/checkconf/bad-update-policy17.conf 
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant realm krb5-subdomain-self-rhs PTR;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy18.conf b/bin/tests/system/checkconf/bad-update-policy18.conf
new file mode 100644
index 0000000000..090f621578
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy18.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant realm krb5-subdomain-self-rhs SRV;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy19.conf b/bin/tests/system/checkconf/bad-update-policy19.conf
new file mode 100644
index 0000000000..b8c636bc92
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy19.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant realm ms-subdomain-self-rhs PTR;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy2.conf b/bin/tests/system/checkconf/bad-update-policy2.conf
index 987e0967c3..0d5adf61a1 100644
--- a/bin/tests/system/checkconf/bad-update-policy2.conf
+++ b/bin/tests/system/checkconf/bad-update-policy2.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * selfsub TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy20.conf b/bin/tests/system/checkconf/bad-update-policy20.conf
new file mode 100644
index 0000000000..9775e2ced0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy20.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant realm ms-subdomain-self-rhs SRV;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy3.conf b/bin/tests/system/checkconf/bad-update-policy3.conf
index ff0811f947..4583ede941 100644
--- a/bin/tests/system/checkconf/bad-update-policy3.conf
+++ b/bin/tests/system/checkconf/bad-update-policy3.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * selfwild TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy4.conf b/bin/tests/system/checkconf/bad-update-policy4.conf
index 396f69b81e..52a074d195 100644
--- a/bin/tests/system/checkconf/bad-update-policy4.conf
+++ b/bin/tests/system/checkconf/bad-update-policy4.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * ms-self TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy5.conf b/bin/tests/system/checkconf/bad-update-policy5.conf
index 718dad5346..38a6d4f19a 100644
--- a/bin/tests/system/checkconf/bad-update-policy5.conf
+++ b/bin/tests/system/checkconf/bad-update-policy5.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * krb5-self TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy6.conf b/bin/tests/system/checkconf/bad-update-policy6.conf
index 992e384a50..acca627438 100644
--- a/bin/tests/system/checkconf/bad-update-policy6.conf
+++ b/bin/tests/system/checkconf/bad-update-policy6.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * ms-subdomain TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy7.conf b/bin/tests/system/checkconf/bad-update-policy7.conf
index 3bd2185aeb..95541d41dc 100644
--- a/bin/tests/system/checkconf/bad-update-policy7.conf
+++ b/bin/tests/system/checkconf/bad-update-policy7.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * krb5-subdomain TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy8.conf b/bin/tests/system/checkconf/bad-update-policy8.conf
index c88b0e2519..d0534c46e1 100644
--- a/bin/tests/system/checkconf/bad-update-policy8.conf
+++ b/bin/tests/system/checkconf/bad-update-policy8.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * tcp-self TXT;
diff --git a/bin/tests/system/checkconf/bad-update-policy9.conf b/bin/tests/system/checkconf/bad-update-policy9.conf
index 382f899fec..96d201c36a 100644
--- a/bin/tests/system/checkconf/bad-update-policy9.conf
+++ b/bin/tests/system/checkconf/bad-update-policy9.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * 6to4-self TXT;
diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf
index 295b393329..bd6f547999 100644
--- a/bin/tests/system/checkconf/bad-validation-auto-key.conf
+++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/bad-view-also-notify.conf b/bin/tests/system/checkconf/bad-view-also-notify.conf
index 418fa47a8f..071a621ee7 100644
--- a/bin/tests/system/checkconf/bad-view-also-notify.conf
+++ b/bin/tests/system/checkconf/bad-view-also-notify.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -12,7 +14,7 @@
 view example {
 also-notify { missing; };
 zone "example.net" {
- type slave;
- masters { 192.168.1.1; };
+ type secondary;
+ primaries { 192.168.1.1; };
 };
 };
diff --git a/bin/tests/system/checkconf/bad-zsk-without-ksk.conf b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
new file mode 100644
index 0000000000..31b031cdc8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy zsk-without-ksk {
+ keys {
+ zsk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy zsk-without-ksk;
+};
diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf
index 684e8c6ee0..04880b6f00 100644
--- a/bin/tests/system/checkconf/check-dup-records-fail.conf
+++ b/bin/tests/system/checkconf/check-dup-records-fail.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 
 zone "check-dup-records" {
- type master;
+ type primary;
 file "check-dup-records.db";
 check-dup-records fail;
 };
diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db
index 3d148e5d39..558686c3c3 100644
--- a/bin/tests/system/checkconf/check-dup-records.db
+++ b/bin/tests/system/checkconf/check-dup-records.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-missing-zone.conf b/bin/tests/system/checkconf/check-missing-zone.conf
index f43d3e2575..daf2cf7155 100644
--- a/bin/tests/system/checkconf/check-missing-zone.conf
+++ b/bin/tests/system/checkconf/check-missing-zone.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -11,14 +13,14 @@
 
 view missing {
 zone missing.example {
- type master;
+ type primary;
 file "missing.example.db";
 };
 };
 
 view good {
 zone shared.example {
- type master;
+ type primary;
 file "shared.example.db";
 };
 };
diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf
index acdb67addc..1dd018dc03 100644
--- a/bin/tests/system/checkconf/check-mixed-keys.conf
+++ b/bin/tests/system/checkconf/check-mixed-keys.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf
index 71292c8881..ac52ec0c98 100644
--- a/bin/tests/system/checkconf/check-mx-cname-fail.conf
+++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 
 zone "check-mx-cname" {
- type master;
+ type primary;
 file "check-mx-cname.db";
 check-mx-cname fail;
 };
diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db
index 321c38e107..dc30f0881d 100644
--- a/bin/tests/system/checkconf/check-mx-cname.db
+++ b/bin/tests/system/checkconf/check-mx-cname.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf
index 2eb8ad676b..aa7a6663a5 100644
--- a/bin/tests/system/checkconf/check-mx-fail.conf
+++ b/bin/tests/system/checkconf/check-mx-fail.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 
 zone "check-mx" {
- type master;
+ type primary;
 file "check-mx.db";
 check-mx fail;
 };
diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db
index 28331b4a19..dced6449f0 100644
--- a/bin/tests/system/checkconf/check-mx.db
+++ b/bin/tests/system/checkconf/check-mx.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf
index 9c0ac26eae..86be82d5c3 100644
--- a/bin/tests/system/checkconf/check-names-fail.conf
+++ b/bin/tests/system/checkconf/check-names-fail.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 
 zone "check-names" {
- type master;
+ type primary;
 file "check-names.db";
 check-names fail;
 };
diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db
index 7763647fbc..0274ec96ac 100644
--- a/bin/tests/system/checkconf/check-names.db
+++ b/bin/tests/system/checkconf/check-names.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf
index d499ca7544..d422635139 100644
--- a/bin/tests/system/checkconf/check-root-ksk-2010.conf
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf
index 2cdcc327b7..72f6fb4df8 100644
--- a/bin/tests/system/checkconf/check-root-ksk-2017.conf
+++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf
index 408e832ce1..88c308f2a3 100644
--- a/bin/tests/system/checkconf/check-root-ksk-both.conf
+++ b/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-static-ds.conf b/bin/tests/system/checkconf/check-root-static-ds.conf
index 9f4f055260..eb37b855a1 100644
--- a/bin/tests/system/checkconf/check-root-static-ds.conf
+++ b/bin/tests/system/checkconf/check-root-static-ds.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf
index 4f3bf5bdc7..7be5304c33 100644
--- a/bin/tests/system/checkconf/check-root-static-key.conf
+++ b/bin/tests/system/checkconf/check-root-static-key.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-root-trusted-key.conf b/bin/tests/system/checkconf/check-root-trusted-key.conf
index ebefd9c977..65261a8677 100644
--- a/bin/tests/system/checkconf/check-root-trusted-key.conf
+++ b/bin/tests/system/checkconf/check-root-trusted-key.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf
index e84630729a..3897bf8253 100644
--- a/bin/tests/system/checkconf/check-srv-cname-fail.conf
+++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 
 zone "check-srv-cname" {
- type master;
+ type primary;
 file "check-srv-cname.db";
 check-srv-cname fail;
 };
diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db
index 8bc71bdbe7..0671ab18a1 100644
--- a/bin/tests/system/checkconf/check-srv-cname.db
+++ b/bin/tests/system/checkconf/check-srv-cname.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/check-wildcard-no.conf b/bin/tests/system/checkconf/check-wildcard-no.conf
new file mode 100644
index 0000000000..beb641a9bd
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard-no.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+ type primary;
+ file "check-wildcard.db";
+ check-wildcard no;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.conf b/bin/tests/system/checkconf/check-wildcard.conf
new file mode 100644
index 0000000000..263f8b4a65
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+ type primary;
+ file "check-wildcard.db";
+ check-wildcard yes;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.db b/bin/tests/system/checkconf/check-wildcard.db
new file mode 100644
index 0000000000..1db5af00e3
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+; an interior wildcard name
+foo.* TXT The owner name contains an interior wildcard
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
index aed6231e46..088c2f4731 100644
--- a/bin/tests/system/checkconf/clean.sh
+++ b/bin/tests/system/checkconf/clean.sh
@@ -1,17 +1,27 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f good.conf.in good.conf.out badzero.conf *.out -rm -f good-kasp.conf.in -rm -rf test.keydir +rm -f bad-kasp-keydir1.conf +rm -f bad-kasp-keydir2.conf +rm -f bad-kasp-keydir3.conf +rm -f bad-kasp-keydir4.conf +rm -f bad-kasp-keydir5.conf +rm -f bad-tsig.conf rm -f checkconf.out* rm -f diff.out* +rm -f good-kasp.conf.in +rm -f good-server-christmas-tree.conf +rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out +rm -rf keys rm -f ns*/named.lock +rm -rf test.keydir diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index d4f30a0b0c..15d719d6a4 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf 
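Review bot: The rewritten removal list is one name per `rm -f` line in alphabetical order except for `rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out`, which bundles four explicit names with a glob in the middle of the sorted run. Splitting that line into one `rm -f` per name and keeping the `*.out` glob on its own line would make future additions and diffs of this script easier to read. The rest of the hunk is the license-header update.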
@@ -1,16 +1,33 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ +server 1.2.3.4 { + query-source 10.10.10.10 port 5353; +}; + options { dnssec-validation yes; + max-zone-ttl 600; + + dialup yes; + heartbeat-interval 60; + + use-v4-udp-ports { range 1024 65535; }; + use-v6-udp-ports { range 1024 65535; }; + avoid-v4-udp-ports { range 1 1023; }; + avoid-v6-udp-ports { range 1 1023; }; + + dnssec-must-be-secure mustbesecure.example yes; }; trusted-keys { @@ -34,3 +51,9 @@ managed-keys { RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU="; }; + +zone example.com { + type primary; + file "maxttl-bad.db"; + max-zone-ttl 120; +}; diff --git a/bin/tests/system/checkconf/dlz-bad.conf b/bin/tests/system/checkconf/dlz-bad.conf index 2ba89b19d3..7332112036 100644 --- a/bin/tests/system/checkconf/dlz-bad.conf +++ b/bin/tests/system/checkconf/dlz-bad.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
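Review bot: The statements added to the `server`, `options` and `zone` blocks of deprecated.conf carry no comment saying which deprecation message each is expected to provoke, so a reader cannot tell, for example, whether the zone-level `max-zone-ttl 120;` or the `file "maxttl-bad.db";` reference is the thing under test (the option looks like the intent — confirm against the expected checkconf output). A one-line comment above each group, such as `/* expect deprecation warnings for query-source ... port, dialup/heartbeat-interval, the use-*/avoid-* port ranges and dnssec-must-be-secure */`, would document that. The second hunk's `trusted-keys`/`managed-keys` context begins outside the visible hunk.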
@@ -18,8 +20,8 @@ dlz two { search no; }; -zone master { - type master; +zone primary { + type primary; database "none"; dlz two; }; diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1 deleted file mode 100644 index edef76fde7..0000000000 --- a/bin/tests/system/checkconf/dnssec.1 +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -view view1 { - match-clients { any; }; - dnssec-validation yes; -}; - -view view2 { - match-clients { none; }; - dnssec-validation auto; -}; - -view view3 { - match-clients { none; }; - auto-dnssec maintain; -}; diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2 deleted file mode 100644 index 56c4a52fe6..0000000000 --- a/bin/tests/system/checkconf/dnssec.2 +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -view view1 { - match-clients { any; }; -}; - -view view2 { - match-clients { none; }; -}; - -view view3 { - match-clients { none; }; - dnssec-validation auto; -}; - -view view4 { - match-clients { none; }; -}; - -view view5 { - match-clients { none; }; - auto-dnssec off; -}; diff --git a/bin/tests/system/checkconf/good-acl.conf b/bin/tests/system/checkconf/good-acl.conf index 532189916a..be32923292 100644 
--- a/bin/tests/system/checkconf/good-acl.conf +++ b/bin/tests/system/checkconf/good-acl.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf index 0c2aeb8ddb..5bc9232978 100644 --- a/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf +++ b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding.conf b/bin/tests/system/checkconf/good-allow-update-forwarding.conf index 08203e1cf8..d7e89be0e5 100644 --- a/bin/tests/system/checkconf/good-allow-update-forwarding.conf +++ b/bin/tests/system/checkconf/good-allow-update-forwarding.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-allow-update-view.conf b/bin/tests/system/checkconf/good-allow-update-view.conf index a893b9a2c5..da799a201e 100644 --- a/bin/tests/system/checkconf/good-allow-update-view.conf +++ b/bin/tests/system/checkconf/good-allow-update-view.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-allow-update.conf b/bin/tests/system/checkconf/good-allow-update.conf index 67f41d6aa0..6b7a67ef09 100644 --- a/bin/tests/system/checkconf/good-allow-update.conf +++ b/bin/tests/system/checkconf/good-allow-update.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-class.conf b/bin/tests/system/checkconf/good-class.conf index 1839fe231b..2f8c321cb7 100644 --- a/bin/tests/system/checkconf/good-class.conf +++ b/bin/tests/system/checkconf/good-class.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf deleted file mode 100644 index 2a69951faa..0000000000 --- a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnskey-sig-validity 3660; /* maximum value 10 years */ -}; diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf deleted file mode 100644 index 3f8967044b..0000000000 --- a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnskey-sig-validity 0; /* 0 is disabled */ -}; diff --git a/bin/tests/system/checkconf/good-doh-1.conf b/bin/tests/system/checkconf/good-doh-1.conf index 8f983778b1..0c642ecba0 100644 --- a/bin/tests/system/checkconf/good-doh-1.conf +++ b/bin/tests/system/checkconf/good-doh-1.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -16,12 +18,16 @@ tls local-tls { http local-http-server { endpoints { "/dns-query"; }; + listener-clients 100; + streams-per-connection 100; }; options { listen-on { 10.53.0.1; }; http-port 80; https-port 443; + http-listener-clients 100; + http-streams-per-connection 100; listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; }; listen-on port 8080 tls none http local-http-server { 10.53.0.1; }; }; diff --git a/bin/tests/system/checkconf/good-doh-2.conf b/bin/tests/system/checkconf/good-doh-2.conf index 52f2be3e9f..1bbe9e08cc 100644 --- a/bin/tests/system/checkconf/good-doh-2.conf +++ b/bin/tests/system/checkconf/good-doh-2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-doh-3.conf b/bin/tests/system/checkconf/good-doh-3.conf index c570e6c447..cd410b9074 100644 --- a/bin/tests/system/checkconf/good-doh-3.conf 
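Review bot: In good-doh-1.conf the `listener-clients 100;`/`streams-per-connection 100;` added inside `http local-http-server` and the `http-listener-clients 100;`/`http-streams-per-connection 100;` added under `options` use the same value, so the fixture cannot show which level wins when both are set. If the per-server settings are meant to override the global ones (the reading the names suggest — confirm), giving them distinct values or adding `// per-http-block values are expected to take precedence over the global http-* options` would make the intent visible. As a syntax-acceptance fixture the current form is fine.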
+++ b/bin/tests/system/checkconf/good-doh-3.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-doh-4.conf b/bin/tests/system/checkconf/good-doh-4.conf new file mode 100644 index 0000000000..d191347254 --- /dev/null +++ b/bin/tests/system/checkconf/good-doh-4.conf @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +tls local-tls { + key-file "key.pem"; + cert-file "cert.pem"; +}; + +# Use the default values only - just to make sure that we could +# override only values which we need and there is no required ones. +http empty-http-server { +}; + +options { + listen-on { 10.53.0.1; }; + http-port 80; + https-port 443; + http-listener-clients 100; + listen-on port 443 tls local-tls http empty-http-server { 10.53.0.1; }; + listen-on port 8080 tls none http empty-http-server { 10.53.0.1; }; +}; diff --git a/bin/tests/system/checkconf/good-doh-tlsopts.conf b/bin/tests/system/checkconf/good-doh-tlsopts.conf new file mode 100644 index 0000000000..7ba4bdb598 --- /dev/null 
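Review bot: The comment above `http empty-http-server` in good-doh-4.conf has a grammar slip (`there is no required ones`) and uses `#` while the header in the same file uses `/* */`; named.conf accepts both, so this is wording only. Suggested text: `# Use only the default values - to check that we can override just the values we need and that none of them are required.`.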
+++ b/bin/tests/system/checkconf/good-doh-tlsopts.conf
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ protocols { TLSv1.2; };
+ key-file "key.pem";
+ cert-file "cert.pem";
+ dhparam-file "dhparam.pem";
+ ciphers "HIGH:!aNULL:!MD5:!RC4";
+ prefer-server-ciphers yes;
+ session-tickets no;
+};
+
+http local-http-server {
+ endpoints { "/dns-query"; };
+ listener-clients 100;
+ streams-per-connection 100;
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ http-port 80;
+ https-port 443;
+ http-listener-clients 100;
+ http-streams-per-connection 100;
+ listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-1.conf b/bin/tests/system/checkconf/good-dot-1.conf
index 2a1729752d..d94616a839 100644
--- a/bin/tests/system/checkconf/good-dot-1.conf
+++ b/bin/tests/system/checkconf/good-dot-1.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
diff --git a/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf b/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
new file mode 100644
index 0000000000..74c7969c7e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport tls { any; };
+};
+
+zone "example2" {
+ type primary;
+ file "example2.db";
+ allow-transfer port 44344 transport tcp { any; };
+};
+
+zone "example3" {
+ type primary;
+ file "example3.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example4" {
+ type primary;
+ file "example4.db";
+ allow-transfer transport tcp { any; };
+};
+
+
+zone "example5" {
+ type primary;
+ file "example5.db";
+ allow-transfer port 53 { any; };
+};
+
+zone "example6" {
+ type primary;
+ file "example6.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
new file mode 100644
index 0000000000..d541d1508a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
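Review bot: There is a stray double blank line before `zone "example5"` (two consecutive empty `+` lines) in good-dot-allow-transfer-encrypted.conf, where every other zone is separated by one; dropping one keeps the file uniform. A short header comment naming the matrix the six zones cover would also make clear that `example5`/`example6` are the controls, e.g. `// allow-transfer with each combination of the port and transport modifiers; example5 and example6 carry no transport restriction.`.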
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# In some cases a "tls" statement may omit key-file and cert-file.
+tls local-tls {
+ protocols {TLSv1.2;};
+ remote-hostname "fqdn.example.com";
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
new file mode 100644
index 0000000000..2b33cf30b9
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls ephemeral; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries.conf b/bin/tests/system/checkconf/good-dot-primaries.conf
new file mode 100644
index 0000000000..592a94cd29
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries.conf
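Review bot: The comment `# In some cases a "tls" statement may omit key-file and cert-file.` in good-dot-doh-tls-nokeycert.conf does not say which cases, and the `remote-hostname` option is the only hint that this profile is meant for the client side (a `tls` referenced from `primaries`/`forwarders` rather than `listen-on`) — confirm that is the intended reading. If so, `# A client-side "tls" profile (one referenced from primaries or forwarders, not from listen-on) may omit key-file and cert-file.` would document the case being exercised.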
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls local-tls; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-tlsopts.conf b/bin/tests/system/checkconf/good-dot-tlsopts.conf
new file mode 100644
index 0000000000..fc7e248254
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-tlsopts.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ protocols { TLSv1.2; };
+ key-file "key.pem";
+ cert-file "cert.pem";
+ dhparam-file "dhparam.pem";
+ ciphers "HIGH:!aNULL:!MD5:!RC4";
+ prefer-server-ciphers yes;
+ session-tickets no;
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-1.conf b/bin/tests/system/checkconf/good-ds-key-1.conf
index c222c60abe..de7de848e0 100644
--- a/bin/tests/system/checkconf/good-ds-key-1.conf
+++ b/bin/tests/system/checkconf/good-ds-key-1.conf
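Review bot: `prefer-server-ciphers no;` in good-dot-primaries.conf sits in a `tls local-tls` profile that is only referenced from `primaries { 10.53.0.1 tls local-tls; }`, i.e. in a client role, where a server-side cipher-preference setting has nothing to act on; the same applies to `prefer-server-ciphers yes;` in `tls test-tls` of good-forwarders-dot.conf (L1535), which is only used from `forwarders`. If the purpose is to confirm the option is accepted in a client-side profile, a comment such as `// prefer-server-ciphers is accepted here even though this profile is only used for outgoing connections` would record that; otherwise dropping the line avoids implying it affects outgoing connections. Note also that in OpenSSL cipher-list syntax `!SHA256`/`!SHA384` exclude the suites that use those digests as the MAC, not the AEAD suites — if that subtlety is intended, it is worth a comment.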
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-ds-key-2.conf b/bin/tests/system/checkconf/good-ds-key-2.conf index 87adbb9439..060fb2f2d6 100644 --- a/bin/tests/system/checkconf/good-ds-key-2.conf +++ b/bin/tests/system/checkconf/good-ds-key-2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf index ee738c70fb..2f91247e1d 100644 --- a/bin/tests/system/checkconf/good-dup-managed-key.conf +++ b/bin/tests/system/checkconf/good-dup-managed-key.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf index fc344ba4e9..46089c46d3 100644 --- a/bin/tests/system/checkconf/good-dup-trusted-key.conf +++ b/bin/tests/system/checkconf/good-dup-trusted-key.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-forwarders-dot.conf b/bin/tests/system/checkconf/good-forwarders-dot.conf new file mode 100644 index 0000000000..0d9bfa329c --- /dev/null +++ b/bin/tests/system/checkconf/good-forwarders-dot.conf 
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls test-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+};
+
+tls another-tls {
+ protocols { TLSv1.2; };
+ session-tickets no;
+};
+
+zone "example" {
+ type forward;
+ forward only;
+ forwarders port 5300 tls test-tls { 10.53.0.1; 10.53.0.2 port 5301 tls another-tls; };
+};
diff --git a/bin/tests/system/checkconf/good-glue-cache.conf b/bin/tests/system/checkconf/good-glue-cache.conf
deleted file mode 100644
index f5e9f79ac3..0000000000
--- a/bin/tests/system/checkconf/good-glue-cache.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- glue-cache yes;
-};
diff --git a/bin/tests/system/checkconf/good-initial-ds.conf b/bin/tests/system/checkconf/good-initial-ds.conf
index 01c25a364c..b54a2b390d 100644
--- a/bin/tests/system/checkconf/good-initial-ds.conf
+++ b/bin/tests/system/checkconf/good-initial-ds.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-interface-interval.conf b/bin/tests/system/checkconf/good-interface-interval.conf index 16aee1d69f..60c50b37e8 100644 --- a/bin/tests/system/checkconf/good-interface-interval.conf +++ b/bin/tests/system/checkconf/good-interface-interval.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 2aa3091a8a..fb3fceab0a 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,7 +17,12 @@ /* cut here */ dnssec-policy "test" { + cdnskey yes; + cds-digest-types { + "sha-256"; + }; dnskey-ttl 3600; + inline-signing yes; keys { ksk key-directory lifetime P1Y algorithm ecdsa256; zsk lifetime P30D algorithm 13; @@ -36,26 +43,29 @@ options { dnssec-policy "default"; }; zone "example1" { - type master; + type primary; file "example1.db"; }; zone "example2" { - type master; + type primary; file "example2.db"; + allow-update { + "any"; + }; dnssec-policy "test"; }; zone "example3" { - type master; + type primary; file "example3.db"; dnssec-policy "default"; }; zone "dnssec-policy-none-shared-zonefile1" { - type master; + type primary; file "shared.db"; dnssec-policy "none"; }; zone "dnssec-policy-none-shared-zonefile2" { - type master; + type primary; file "shared.db"; dnssec-policy "none"; }; diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf new file mode 100644 index 0000000000..07deb28993 --- /dev/null +++ b/bin/tests/system/checkconf/good-key-directory.conf 
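Review bot: `allow-update { "any"; };` added to `zone "example2"` in good-kasp.conf quotes the builtin ACL name, whereas the other fixtures in this diff write it bare (`allow-transfer { any; };` in good-dot-primaries.conf). If the quoted form is deliberate — exercising allow-update together with `dnssec-policy "test"`, or the quoted-ACL-name path — a comment would help; otherwise `allow-update { any; };` keeps the fixtures consistent.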
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P90D algorithm ecdsa256;
+ };
+
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+ key-directory "global/keys";
+};
+
+view "localhost" {
+ match-clients { 127.0.0.1; ::1; };
+ zone "example.com" IN {
+ type primary;
+ file "localhost/example.com.zone";
+ dnssec-policy "localhost";
+ };
+};
+
+view "external" {
+ match-clients { 0/0; };
+ key-directory "external/keys";
+ zone "example.com" IN {
+ type primary;
+ file "external/example.com.zone";
+ dnssec-policy "internet";
+ };
+};
+
+view "internal" {
+ match-clients { ::/0; };
+ key-directory "internal/keys";
+ zone "example.com" IN {
+ type primary;
+ file "internal/example.com.zone";
+ dnssec-policy "intranet";
+ };
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-raw.conf b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
new file mode 100644
index 0000000000..b6f3cbfefe
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
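Review bot: The view names in good-key-directory.conf do not match their `match-clients` selectors — `"external"` matches `0/0` (all IPv4) and `"internal"` matches `::/0` (all IPv6) — which reads as arbitrary unless the point is merely to have three distinct views. A header comment stating what the fixture checks would settle that, e.g. `// Three views serve the same zone name with different key-directory values; the "localhost" view sets none of its own and falls back to the global "global/keys".` (the fallback is my reading of the config — confirm against the checkconf expectation). As a minor style point, the `nsec3param` line in the `"internet"` policy is separated from `keys` by a blank line while the other two policies are not.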
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format raw;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-text.conf b/bin/tests/system/checkconf/good-masterfile-format-text.conf
new file mode 100644
index 0000000000..8138058677
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-text.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format text;
+};
diff --git a/bin/tests/system/checkconf/good-masters-and-primaries.conf b/bin/tests/system/checkconf/good-masters-and-primaries.conf
index 156c63c3f5..d84657fce5 100644
--- a/bin/tests/system/checkconf/good-masters-and-primaries.conf
+++ b/bin/tests/system/checkconf/good-masters-and-primaries.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-maxcachettl.conf b/bin/tests/system/checkconf/good-maxcachettl.conf
index 2ebef0afd3..58f6901487 100644
--- a/bin/tests/system/checkconf/good-maxcachettl.conf
+++ b/bin/tests/system/checkconf/good-maxcachettl.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-maxncachettl.conf b/bin/tests/system/checkconf/good-maxncachettl.conf
index 198f3bd568..80dc75362c 100644
--- a/bin/tests/system/checkconf/good-maxncachettl.conf
+++ b/bin/tests/system/checkconf/good-maxncachettl.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-maxratio1.conf b/bin/tests/system/checkconf/good-maxratio1.conf
index 80ff113f21..4161a24b50 100644
--- a/bin/tests/system/checkconf/good-maxratio1.conf
+++ b/bin/tests/system/checkconf/good-maxratio1.conf
@@ -1,17 +1,19 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone example {
- type master;
- masterfile-format map;
+ type primary;
+ masterfile-format raw;
 file "example.db";
 max-ixfr-ratio 50%;
 };
diff --git a/bin/tests/system/checkconf/good-maxratio2.conf b/bin/tests/system/checkconf/good-maxratio2.conf
index e057dfe6e1..0ef2f3c838 100644
--- a/bin/tests/system/checkconf/good-maxratio2.conf
+++ b/bin/tests/system/checkconf/good-maxratio2.conf
@@ -1,17 +1,19 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone example {
- type master;
- masterfile-format map;
+ type primary;
+ masterfile-format raw;
 file "example.db";
 max-ixfr-ratio unlimited;
 };
diff --git a/bin/tests/system/checkconf/good-mincachettl.conf b/bin/tests/system/checkconf/good-mincachettl.conf
index 7afb8d005d..b619a73846 100644
--- a/bin/tests/system/checkconf/good-mincachettl.conf
+++ b/bin/tests/system/checkconf/good-mincachettl.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-minncachettl.conf b/bin/tests/system/checkconf/good-minncachettl.conf
index 6bfc663f73..3e4101b4f8 100644
--- a/bin/tests/system/checkconf/good-minncachettl.conf
+++ b/bin/tests/system/checkconf/good-minncachettl.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
index 241a77ca0c..09bbf94a0d 100644
--- a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
+++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
index 1b7a1cdd6f..9723b7abaf 100644
--- a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
+++ b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-nested.conf b/bin/tests/system/checkconf/good-nested.conf
index 4523b40108..12a027c095 100644
--- a/bin/tests/system/checkconf/good-nested.conf
+++ b/bin/tests/system/checkconf/good-nested.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-notify-source-v6.conf b/bin/tests/system/checkconf/good-notify-source-v6.conf
new file mode 100644
index 0000000000..797f966c4f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source.conf b/bin/tests/system/checkconf/good-notify-source.conf
new file mode 100644
index 0000000000..6b97314149
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-options-also-notify.conf b/bin/tests/system/checkconf/good-options-also-notify.conf
index fcb01638d9..e10403db57 100644
--- a/bin/tests/system/checkconf/good-options-also-notify.conf
+++ b/bin/tests/system/checkconf/good-options-also-notify.conf
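Review bot: `primaries { 1.2.3.4; };` in both new fixtures on this line names a real, globally routed address rather than the 10.53.0.0/24 test range that `notify-source 10.53.0.1;` in good-notify-source.conf already uses; checkconf only parses the file, so no traffic results, but fixtures of this kind tend to be copied into running-server tests. Using an address from that same test range (a constructed example: `primaries { 10.53.0.2; };`) or an RFC 5737 documentation address would be consistent and safe to copy. The same literal appears in good-parental-source-v6.conf, good-parental-source.conf, good-transfer-source-v6.conf and good-transfer-source.conf.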
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
@@ -14,7 +16,7 @@ options {
 };
 zone "example.net" {
- type slave;
+ type secondary;
 notify no;
- masters { 192.168.1.1; };
+ primaries { 192.168.1.1; };
 };
diff --git a/bin/tests/system/checkconf/good-parental-source-v6.conf b/bin/tests/system/checkconf/good-parental-source-v6.conf
new file mode 100644
index 0000000000..fe998f101c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source.conf b/bin/tests/system/checkconf/good-parental-source.conf
new file mode 100644
index 0000000000..e45856a9ef
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-printtime.conf b/bin/tests/system/checkconf/good-printtime.conf
index deff1d878a..06bb7beece 100644
--- a/bin/tests/system/checkconf/good-printtime.conf
+++ b/bin/tests/system/checkconf/good-printtime.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-response-dot.conf b/bin/tests/system/checkconf/good-response-dot.conf
index 68e511f9be..f21daeb193 100644
--- a/bin/tests/system/checkconf/good-response-dot.conf
+++ b/bin/tests/system/checkconf/good-response-dot.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com." {
- type master;
+ type primary;
 file "example.com.zone";
 };
diff --git a/bin/tests/system/checkconf/good-rpz-ede-none.conf b/bin/tests/system/checkconf/good-rpz-ede-none.conf
new file mode 100644
index 0000000000..c0ffab91e2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type primary;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." ede none;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ede.conf b/bin/tests/system/checkconf/good-rpz-ede.conf
new file mode 100644
index 0000000000..616f9ee63e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type primary;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." ede filtered;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ttl.conf b/bin/tests/system/checkconf/good-rpz-ttl.conf
index 96d09a9b85..26d41bbea3 100644
--- a/bin/tests/system/checkconf/good-rpz-ttl.conf
+++ b/bin/tests/system/checkconf/good-rpz-ttl.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com." {
- type master;
+ type primary;
 file "example.com.zone";
 };
diff --git a/bin/tests/system/checkconf/good-rpz-update.conf b/bin/tests/system/checkconf/good-rpz-update.conf
index 188b559f48..34b3ec5cdb 100644
--- a/bin/tests/system/checkconf/good-rpz-update.conf
+++ b/bin/tests/system/checkconf/good-rpz-update.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com." {
- type master;
+ type primary;
 file "example.com.zone";
 };
diff --git a/bin/tests/system/checkconf/good-rrset-order-none.conf b/bin/tests/system/checkconf/good-rrset-order-none.conf
index afd0ab660b..f0818ca630 100644
--- a/bin/tests/system/checkconf/good-rrset-order-none.conf
+++ b/bin/tests/system/checkconf/good-rrset-order-none.conf
@@ -1,3 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
 options {
 rrset-order {
 order none;
diff --git a/bin/tests/system/checkconf/good-server-christmas-tree.conf.in b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
new file mode 100644
index 0000000000..f619913bee
--- /dev/null
+++ b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key example {
+ algorithm hmac-sha256;
+ secret "aaaaaaaaaaaaaaaaaaaaaaaa";
+};
+
+server 0.0.0.0 {
+ bogus no;
+ edns no;
+ edns-udp-size 512;
+ edns-version 0;
+ keys example;
+ max-udp-size 512;
+ notify-source 0.0.0.0;
+ padding 512;
+ provide-ixfr no;
+ query-source 0.0.0.0;
+ request-expire no;
+ request-ixfr no;
+ request-nsid no;
+ require-cookie no;
+ send-cookie no;
+ tcp-keepalive no;
+ tcp-only no;
+ transfer-format one-answer;
+ transfer-source 0.0.0.0;
+ transfers 1;
+};
+
+server :: {
+ bogus no;
+ edns no;
+ edns-udp-size 512;
+ edns-version 0;
+ keys example;
+ max-udp-size 512;
+ notify-source-v6 ::;
+ padding 512;
+ provide-ixfr no;
+ query-source-v6 ::;
+ request-expire no;
+ request-ixfr no;
+ request-nsid no;
+ require-cookie no;
+ send-cookie no;
+ tcp-keepalive no;
+ tcp-only no;
+ transfer-format one-answer;
+ transfer-source-v6 ::;
+ transfers 1;
+};
diff --git a/bin/tests/system/checkconf/good-sig-signing-type.conf b/bin/tests/system/checkconf/good-sig-signing-type.conf
new file mode 100644
index 0000000000..dda1b73303
--- /dev/null
+++ b/bin/tests/system/checkconf/good-sig-signing-type.conf
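Review bot: `secret "aaaaaaaaaaaaaaaaaaaaaaaa";` in `key example` is an obviously synthetic TSIG secret, and both `server 0.0.0.0 { ... keys example; ... }` and `server :: { ... }` attach it to every IPv4 and IPv6 peer, which is fine for a parse-only fixture but reads like a live configuration. A header comment such as `// checkconf fixture: sets every server-clause option once; the key is a placeholder, not a usable secret.` would make that explicit. The file also carries a `.conf.in` suffix although no substitution placeholder is visible in its content; if nothing is templated, confirm the `.in` generation step is actually needed.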
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type primary;
+ file "example.db";
+ sig-signing-type 65280;
+};
diff --git a/bin/tests/system/checkconf/good-static-ds.conf b/bin/tests/system/checkconf/good-static-ds.conf
index dcb59d4ed1..be7412ac60 100644
--- a/bin/tests/system/checkconf/good-static-ds.conf
+++ b/bin/tests/system/checkconf/good-static-ds.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/good-transfer-source-v6.conf b/bin/tests/system/checkconf/good-transfer-source-v6.conf
new file mode 100644
index 0000000000..0527b85395
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source.conf b/bin/tests/system/checkconf/good-transfer-source.conf
new file mode 100644
index 0000000000..df23d1cb53
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-update-policy1.conf b/bin/tests/system/checkconf/good-update-policy1.conf
index 8d345186bc..b312590d37 100644
--- a/bin/tests/system/checkconf/good-update-policy1.conf
+++ b/bin/tests/system/checkconf/good-update-policy1.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * self * TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy10.conf b/bin/tests/system/checkconf/good-update-policy10.conf
index 60bea6b56f..360583496c 100644
--- a/bin/tests/system/checkconf/good-update-policy10.conf
+++ b/bin/tests/system/checkconf/good-update-policy10.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * krb5-subdomain . TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy11.conf b/bin/tests/system/checkconf/good-update-policy11.conf
index ba6f396f5b..92be3400d0 100644
--- a/bin/tests/system/checkconf/good-update-policy11.conf
+++ b/bin/tests/system/checkconf/good-update-policy11.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * tcp-self . TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy12.conf b/bin/tests/system/checkconf/good-update-policy12.conf
index 09bd926a4c..b76e5831ba 100644
--- a/bin/tests/system/checkconf/good-update-policy12.conf
+++ b/bin/tests/system/checkconf/good-update-policy12.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * 6to4-self . TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy13.conf b/bin/tests/system/checkconf/good-update-policy13.conf
index e67e01f319..e0030e8503 100644
--- a/bin/tests/system/checkconf/good-update-policy13.conf
+++ b/bin/tests/system/checkconf/good-update-policy13.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * tcp-self . ptr(1);
diff --git a/bin/tests/system/checkconf/good-update-policy2.conf b/bin/tests/system/checkconf/good-update-policy2.conf
index 5b453e7307..9af4d8a152 100644
--- a/bin/tests/system/checkconf/good-update-policy2.conf
+++ b/bin/tests/system/checkconf/good-update-policy2.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * self . TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy3.conf b/bin/tests/system/checkconf/good-update-policy3.conf
index 3f4cef24ab..2d4f8ee6c6 100644
--- a/bin/tests/system/checkconf/good-update-policy3.conf
+++ b/bin/tests/system/checkconf/good-update-policy3.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * selfsub . TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy4.conf b/bin/tests/system/checkconf/good-update-policy4.conf
index a3ef5343a3..480ec5e5ed 100644
--- a/bin/tests/system/checkconf/good-update-policy4.conf
+++ b/bin/tests/system/checkconf/good-update-policy4.conf
@@ -1,16 +1,18 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 zone "example.com" {
- type master;
+ type primary;
 file "example.com.db";
 update-policy {
 grant * selfsub * TXT;
diff --git a/bin/tests/system/checkconf/good-update-policy5.conf b/bin/tests/system/checkconf/good-update-policy5.conf
index 1f70f0c2f6..561918874e 100644
--- a/bin/tests/system/checkconf/good-update-policy5.conf
+++ b/bin/tests/system/checkconf/good-update-policy5.conf
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * selfwild * TXT; diff --git a/bin/tests/system/checkconf/good-update-policy6.conf b/bin/tests/system/checkconf/good-update-policy6.conf index ac43c48dda..7e9d8c0abd 100644 --- a/bin/tests/system/checkconf/good-update-policy6.conf +++ b/bin/tests/system/checkconf/good-update-policy6.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * selfwild . TXT; diff --git a/bin/tests/system/checkconf/good-update-policy7.conf b/bin/tests/system/checkconf/good-update-policy7.conf index 96431a3e49..8b0b821812 100644 --- a/bin/tests/system/checkconf/good-update-policy7.conf +++ b/bin/tests/system/checkconf/good-update-policy7.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * krb5-self . TXT; diff --git a/bin/tests/system/checkconf/good-update-policy8.conf b/bin/tests/system/checkconf/good-update-policy8.conf index cd33559dda..b00e8c4786 100644 --- a/bin/tests/system/checkconf/good-update-policy8.conf +++ b/bin/tests/system/checkconf/good-update-policy8.conf @@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * ms-self . TXT; diff --git a/bin/tests/system/checkconf/good-update-policy9.conf b/bin/tests/system/checkconf/good-update-policy9.conf index dcb5b461d9..491e07c3f3 100644 --- a/bin/tests/system/checkconf/good-update-policy9.conf +++ b/bin/tests/system/checkconf/good-update-policy9.conf 
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone "example.com" { - type master; + type primary; file "example.com.db"; update-policy { grant * ms-subdomain . TXT; diff --git a/bin/tests/system/checkconf/good-view-also-notify.conf b/bin/tests/system/checkconf/good-view-also-notify.conf index b8a46e9857..54d90ba53f 100644 --- a/bin/tests/system/checkconf/good-view-also-notify.conf +++ b/bin/tests/system/checkconf/good-view-also-notify.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -12,8 +14,8 @@ view example { also-notify { missing; }; zone "example.net" { - type slave; + type secondary; notify no; - masters { 192.168.1.1; }; + primaries { 192.168.1.1; }; }; }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf deleted file mode 100644 index 6b950996cc..0000000000 --- a/bin/tests/system/checkconf/good.conf +++ /dev/null 
@@ -1,261 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * This is just a random selection of configuration options. - */ - -/* cut here */ -dnssec-policy "test" { - dnskey-ttl 3600; - keys { - ksk key-directory lifetime P1Y algorithm 13 256; - zsk key-directory lifetime P30D algorithm 13; - csk key-directory lifetime P30D algorithm 8 2048; - }; - max-zone-ttl 86400; - nsec3param ; - parent-ds-ttl 7200; - parent-propagation-delay PT1H; - publish-safety PT3600S; - purge-keys P90D; - retire-safety PT3600S; - signatures-refresh P3D; - signatures-validity P2W; - signatures-validity-dnskey P14D; - zone-propagation-delay PT5M; -}; -options { - avoid-v4-udp-ports { - 100; - }; - avoid-v6-udp-ports { - 100; - }; - blackhole { - 10.0.0.0/8; - }; - coresize 1073741824; - datasize 104857600; - directory "."; - dscp 41; - dump-file "named_dumpdb"; - files 1000; - heartbeat-interval 30; - hostname none; - interface-interval 30; - keep-response-order { - 10.0.10.0/24; - }; - listen-on port 90 { - "any"; - }; - listen-on port 100 dscp 33 { - 127.0.0.1/32; - }; - listen-on-v6 port 53 dscp 57 { - "none"; - }; - match-mapped-addresses yes; - memstatistics-file "named.memstats"; - pid-file none; - port 5300; - querylog yes; - recursing-file "named.recursing"; - recursive-clients 3000; - serial-query-rate 100; - server-id none; - check-names primary warn; - check-names secondary ignore; - max-cache-size 20000000000000; - nta-lifetime 604800; - nta-recheck 604800; - validate-except { - "corp"; - }; - dnssec-policy "test"; - max-ixfr-ratio 90%; - transfer-source 0.0.0.0 dscp 63; - zone-statistics none; -}; -view "first" { - 
match-clients { - "none"; - }; - zone "example1" { - type master; - file "xxx"; - update-policy local; - max-ixfr-ratio 20%; - notify-source 10.10.10.10 port 53 dscp 55; - }; - zone "clone" { - type master; - file "yyy"; - max-ixfr-ratio unlimited; - }; - dnssec-validation auto; - zone-statistics terse; -}; -view "second" { - match-clients { - "any"; - }; - zone "example1" { - type master; - file "zzz"; - update-policy local; - zone-statistics yes; - }; - zone "example2" { - type static-stub; - forward only; - forwarders { - 10.53.0.4; - }; - zone-statistics no; - }; - zone "example3" { - type static-stub; - server-addresses { - 1.2.3.4; - }; - }; - zone "clone" { - in-view "first"; - }; - zone "." { - type redirect; - masters { - 1.2.3.4; - }; - }; - dnssec-validation auto; - zone-statistics full; -}; -view "third" { - match-clients { - "none"; - }; - zone "clone" { - in-view "first"; - forward only; - forwarders { - 10.0.0.100; - }; - }; - zone "dnssec" { - type master; - file "file"; - allow-update { - "any"; - }; - auto-dnssec maintain; - }; - zone "p" { - type primary; - file "pfile"; - }; - zone "s" { - type secondary; - masters { - 1.2.3.4; - }; - notify primary-only; - }; -}; -view "fourth" { - zone "dnssec-test" { - type master; - file "dnssec-test.db"; - dnssec-policy "test"; - }; - zone "dnssec-default" { - type master; - file "dnssec-default.db"; - dnssec-policy "default"; - }; - zone "dnssec-inherit" { - type master; - file "dnssec-inherit.db"; - }; - zone "dnssec-none" { - type master; - file "dnssec-none.db"; - dnssec-policy "none"; - }; - zone "dnssec-view1" { - type master; - file "dnssec-view41.db"; - dnssec-policy "test"; - }; - zone "dnssec-view2" { - type master; - file "dnssec-view42.db"; - }; - zone "dnssec-view3" { - type master; - file "dnssec-view43.db"; - dnssec-policy "none"; - key-directory "keys"; - }; - zone "dnssec-view4" { - type master; - file "dnssec-view44.db"; - dnssec-policy "none"; - }; - dnssec-policy "default"; - 
key-directory "."; -}; -view "fifth" { - zone "dnssec-view1" { - type master; - file "dnssec-view51.db"; - dnssec-policy "test"; - }; - zone "dnssec-view2" { - type master; - file "dnssec-view52.db"; - dnssec-policy "test"; - key-directory "keys"; - }; - zone "dnssec-view3" { - type master; - file "dnssec-view53.db"; - dnssec-policy "default"; - key-directory "keys"; - }; - zone "dnssec-view4" { - type master; - file "dnssec-view54.db"; - dnssec-policy "none"; - }; - key-directory "."; -}; -view "chaos" chaos { - zone "hostname.bind" chaos { - type master; - database "_builtin hostname"; - }; -}; -dyndb "name" "library.so" { - this; - \}; - is a { - "test" { \{ of; the; }; - } bracketed; - "text \""; - system; -}; -key "mykey" { - algorithm "hmac-md5"; - secret "qwertyuiopasdfgh"; -}; diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in new file mode 100644 index 0000000000..7d1f6b8576 --- /dev/null +++ b/bin/tests/system/checkconf/good.conf.in 
@@ -0,0 +1,277 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * This is just a random selection of configuration options. + */ + +/* cut here */ +dnssec-policy "test" { + cdnskey yes; + cds-digest-types { + "sha-256"; + }; + dnskey-ttl 3600; + keys { + ksk key-directory lifetime P1Y algorithm 13 256; + zsk key-directory lifetime P30D algorithm 13; + csk key-directory lifetime P30D algorithm 8 2048; + }; + max-zone-ttl 86400; + nsec3param ; + parent-ds-ttl 7200; + parent-propagation-delay PT1H; + publish-safety PT3600S; + purge-keys P90D; + retire-safety PT3600S; + signatures-refresh P3D; + signatures-validity P2W; + signatures-validity-dnskey P14D; + zone-propagation-delay PT5M; +}; +options { + avoid-v4-udp-ports { + 100; + }; + avoid-v6-udp-ports { + 100; + }; + blackhole { + 10.0.0.0/8; + }; + directory "."; + dump-file "named_dumpdb"; + heartbeat-interval 30; + hostname none; + interface-interval 30; + listen-on port 90 { + "any"; + }; + listen-on port 100 { + 127.0.0.1/32; + }; + listen-on-v6 port 53 { + "none"; + }; + match-mapped-addresses yes; + memstatistics-file "named.memstats"; + pid-file none; + port 5300; + querylog yes; + recursing-file "named.recursing"; + recursive-clients 3000; + serial-query-rate 100; + server-id none; + update-quota 200; + check-names primary warn; + check-names secondary ignore; + max-cache-size 20000000000000; + nta-lifetime 604800; + nta-recheck 604800; + validate-except { + "corp"; + }; + dnssec-policy "test"; + max-ixfr-ratio 90%; + transfer-source 0.0.0.0; + zone-statistics none; +}; +parental-agents "parents" port 5353 source 
10.10.10.10 port 5354 source-v6 2001:db8::10 port 5355 { + 10.10.10.11; + 2001:db8::11; +}; +view "first" { + match-clients { + "none"; + }; + zone "example1" { + type primary; + file "xxx"; + update-policy local; + max-ixfr-ratio 20%; + notify-source 10.10.10.10 port 53; + }; + zone "clone" { + type primary; + file "yyy"; + max-ixfr-ratio unlimited; + }; + dnssec-validation auto; + zone-statistics terse; +}; +view "second" { + match-clients { + "any"; + }; + zone "example1" { + type primary; + file "zzz"; + update-policy local; + zone-statistics yes; + }; + zone "example2" { + type static-stub; + forward only; + forwarders tls "ephemeral" { + 10.53.0.4 port 8053 tls "ephemeral"; + }; + zone-statistics no; + }; + zone "example3" { + type static-stub; + server-addresses { + 1.2.3.4; + }; + }; + zone "clone" { + in-view "first"; + }; + zone "." { + type redirect; + primaries { + 1.2.3.4; + }; + }; + dnssec-validation auto; + zone-statistics full; +}; +view "third" { + match-clients { + "none"; + }; + zone "clone" { + in-view "first"; + forward only; + forwarders { + 10.0.0.100; + }; + }; + zone "dnssec" { + type primary; + file "file"; + allow-update { + "any"; + }; + dnssec-policy "default"; + }; + zone "p" { + type primary; + file "pfile"; + }; + zone "s" { + type secondary; + file "sfile"; + primaries { + 1.2.3.4; + }; + notify primary-only; + }; +}; +view "fourth" { + zone "dnssec-test" { + type primary; + checkds explicit; + file "dnssec-test.db"; + parental-agents { + 1.2.3.4; + 1.2.3.5; + }; + dnssec-policy "test"; + parental-source 10.10.10.10 port 53; + }; + zone "dnssec-default" { + type primary; + file "dnssec-default.db"; + parental-agents { + "parents"; + }; + dnssec-policy "default"; + }; + zone "dnssec-inherit" { + type primary; + checkds no; + file "dnssec-inherit.db"; + }; + zone "dnssec-none" { + type primary; + file "dnssec-none.db"; + dnssec-policy "none"; + }; + zone "dnssec-view1" { + type primary; + checkds yes; + file "dnssec-view41.db"; + 
dnssec-policy "test"; + }; + zone "dnssec-view2" { + type primary; + file "dnssec-view42.db"; + }; + zone "dnssec-view3" { + type primary; + file "dnssec-view43.db"; + dnssec-policy "none"; + key-directory "keys"; + }; + zone "dnssec-view4" { + type primary; + file "dnssec-view44.db"; + dnssec-policy "none"; + }; + dnssec-policy "default"; + key-directory "."; +}; +view "fifth" { + zone "dnssec-view1" { + type primary; + file "dnssec-view51.db"; + dnssec-policy "test"; + }; + zone "dnssec-view2" { + type primary; + file "dnssec-view52.db"; + dnssec-policy "test"; + key-directory "keys"; + }; + zone "dnssec-view3" { + type primary; + file "dnssec-view53.db"; + dnssec-policy "default"; + key-directory "keys"; + }; + zone "dnssec-view4" { + type primary; + file "dnssec-view54.db"; + dnssec-policy "none"; + }; + key-directory "."; +}; +view "chaos" chaos { + zone "hostname.bind" chaos { + type primary; + database "_builtin hostname"; + }; +}; +dyndb "name" "library.so" { + this; + \}; + is a { + "test" { \{ of; the; }; + } bracketed; + "text \""; + system; +}; +key "mykey" { + algorithm "@DEFAULT_HMAC@"; + secret "qwertyuiopasdfgh"; +}; diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist index 08a5665afd..a5fbfdae18 100644 --- a/bin/tests/system/checkconf/good.zonelist +++ b/bin/tests/system/checkconf/good.zonelist 
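Review bot: The `@DEFAULT_HMAC@` token in `key "mykey"` at the end of good.conf.in is only valid after template substitution, and nothing in the file says so, so anyone running named-checkconf on the `.in` file directly gets a parse error from a fixture named "good". I'd add a comment next to the `/* cut here */` marker or the key block, e.g. `/* Template: @DEFAULT_HMAC@ is replaced by the test setup before named-checkconf runs. */` (which script performs the substitution is not visible in this diff, so name it once known). It is also worth stating in that comment that the fixed `secret` value is a syntax-check placeholder, so the block is not mistaken for a usable key definition.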
@@ -1,24 +1,24 @@
-example1 IN first master
-clone IN first master
-example1 IN second master
+example1 IN first primary
+clone IN first primary
+example1 IN second primary
 example2 IN second static-stub
 example3 IN second static-stub
 clone IN second in-view first
 . IN second redirect
 clone IN third in-view first
-dnssec IN third master
+dnssec IN third primary
 p IN third primary
 s IN third secondary
-dnssec-test IN fourth master
-dnssec-default IN fourth master
-dnssec-inherit IN fourth master
-dnssec-none IN fourth master
-dnssec-view1 IN fourth master
-dnssec-view2 IN fourth master
-dnssec-view3 IN fourth master
-dnssec-view4 IN fourth master
-dnssec-view1 IN fifth master
-dnssec-view2 IN fifth master
-dnssec-view3 IN fifth master
-dnssec-view4 IN fifth master
-hostname.bind chaos chaos master
+dnssec-test IN fourth primary
+dnssec-default IN fourth primary
+dnssec-inherit IN fourth primary
+dnssec-none IN fourth primary
+dnssec-view1 IN fourth primary
+dnssec-view2 IN fourth primary
+dnssec-view3 IN fourth primary
+dnssec-view4 IN fourth primary
+dnssec-view1 IN fifth primary
+dnssec-view2 IN fifth primary
+dnssec-view3 IN fifth primary
+dnssec-view4 IN fifth primary
+hostname.bind chaos chaos primary
diff --git a/bin/tests/system/checkconf/hint-nofile.conf b/bin/tests/system/checkconf/hint-nofile.conf
index f0ef89fb14..1d1dee2e87 100644
--- a/bin/tests/system/checkconf/hint-nofile.conf
+++ b/bin/tests/system/checkconf/hint-nofile.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/in-view-good.conf b/bin/tests/system/checkconf/in-view-good.conf index 3161c38131..e5e860dc71 100644 --- a/bin/tests/system/checkconf/in-view-good.conf +++ b/bin/tests/system/checkconf/in-view-good.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ view internal { zone shared.example { - type master; + type primary; file "shared.example.db"; }; }; diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf index 011bea91be..4662e5a900 100644 --- a/bin/tests/system/checkconf/inline-bad.conf +++ b/bin/tests/system/checkconf/inline-bad.conf 
@@ -1,25 +1,27 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ acl "transferees" {}; -masters "stealthMasters" {127.0.0.1;}; -masters "publicSlaves" {127.0.0.1;}; +primaries "stealthPrimaries" {127.0.0.1;}; +primaries "publicSecondaries" {127.0.0.1;}; zone "example.net" { - type slave; + type secondary; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing yes; - masters { stealthMasters; }; + primaries { stealthPrimaries; }; notify explicit; - also-notify { publicSlaves; }; + also-notify { publicSecondaries; }; allow-transfer { localhost; transferees; }; }; diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf index 8e3115b19c..88c403c2db 100644 --- a/bin/tests/system/checkconf/inline-good.conf +++ b/bin/tests/system/checkconf/inline-good.conf 
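Review bot: After `auto-dnssec maintain` becomes `dnssec-policy default`, inline-bad.conf still does not say what makes it "bad"; compared with inline-good.conf in the next hunk the only difference is the missing `file` statement on a secondary zone with `inline-signing yes`, so that is presumably the checkconf error the fixture expects. A comment above the zone, e.g. `// Expected to fail: a secondary zone with inline-signing needs a "file" statement.` (confirm against the actual checkconf message), would make the fixture self-describing. inline-no.conf two hunks down deserves the same one-line comment, since it is not obvious whether it exercises `inline-signing no` together with `dnssec-policy` or, again, the absent `file`. Minor style point: `dnssec-policy default;` is unquoted here while good.conf.in and the kasp fixtures write `"default"`; both forms presumably parse, but one spelling is easier to grep for.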
@@ -1,26 +1,28 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ acl "transferees" {}; -masters "stealthMasters" {127.0.0.1;}; -masters "publicSlaves" {127.0.0.1;}; +primaries "stealthPrimaries" {127.0.0.1;}; +primaries "publicSecondaries" {127.0.0.1;}; zone "example.net" { - type slave; + type secondary; file "/var/cache/bind/example.net.db"; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing yes; - masters { stealthMasters; }; + primaries { stealthPrimaries; }; notify explicit; - also-notify { publicSlaves; }; + also-notify { publicSecondaries; }; allow-transfer { localhost; transferees; }; }; diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf index c441fa9c9a..af7c14130f 100644 --- a/bin/tests/system/checkconf/inline-no.conf +++ b/bin/tests/system/checkconf/inline-no.conf 
@@ -1,25 +1,27 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ acl "transferees" {}; -masters "stealthMasters" {127.0.0.1;}; -masters "publicSlaves" {127.0.0.1;}; +primaries "stealthPrimaries" {127.0.0.1;}; +primaries "publicSecondaries" {127.0.0.1;}; zone "example.net" { - type slave; + type secondary; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing no; - masters { stealthMasters; }; + primaries { stealthPrimaries; }; notify explicit; - also-notify { publicSlaves; }; + also-notify { publicSecondaries; }; allow-transfer { localhost; transferees; }; }; diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf index a3eae44f73..6e2f8c7606 100644 --- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf +++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -12,16 +14,8 @@ include "good-kasp.conf"; zone "nsec3.net" { - type master; + type primary; file "nsec3.db"; dnssec-policy "test"; - auto-dnssec maintain; - dnskey-sig-validity 3600; - dnssec-dnskey-kskonly yes; - dnssec-secure-to-insecure yes; - dnssec-update-mode maintain; inline-signing no; - sig-validity-interval 3600; - update-check-ksk yes; }; - diff --git a/bin/tests/system/checkconf/kasp-bad-keylen.conf b/bin/tests/system/checkconf/kasp-bad-keylen.conf index ec52436fe8..385de8c58a 100644 --- a/bin/tests/system/checkconf/kasp-bad-keylen.conf +++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
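Review bot: With the seven removed statements gone from zone "nsec3.net" in kasp-and-other-dnssec-options.conf, the only "other DNSSEC option" left beside `dnssec-policy "test"` is `inline-signing no;`, and the file no longer says which combination checkconf is expected to reject or warn about, so the fixture's name now promises more than it tests. I'd add inside the zone a comment such as `// dnssec-policy together with inline-signing no; expected checkconf result: <fail|warn>` with the placeholder filled in from the test expectation. The deleted options were presumably removed because the parser no longer accepts them (not visible from this hunk); if the test previously asserted that mixing them with dnssec-policy is an error, that assertion is lost here and should be covered elsewhere.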
@@ -11,12 +13,12 @@ dnssec-policy "bad-keylen" {
 keys {
- csk lifetime P10Y algorithm rsasha1 511;
+ csk lifetime P10Y algorithm rsasha256 511;
 };
 };
 zone "example.net" {
- type master;
+ type primary;
 file "example.db";
- dnssec-policy "badkeylen";
+ dnssec-policy "bad-keylen";
 };
diff --git a/bin/tests/system/checkconf/kasp-bad-lifetime.conf b/bin/tests/system/checkconf/kasp-bad-lifetime.conf
new file mode 100644
index 0000000000..225b38690c
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-lifetime.conf
@@ -0,0 +1,91 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "bad-lifetime-ksk" { + /* + * The KSK lifetime is too short. + * The ZSK lifetime is good enough but should trigger a warning. + */ + keys { + ksk lifetime PT3H algorithm 13; + zsk lifetime P8DT2H1S algorithm 13; + }; + + dnskey-ttl PT1H; + publish-safety PT1H; + retire-safety PT1H; + zone-propagation-delay PT1H; + max-zone-ttl P1D; + signatures-validity P10D; + signatures-refresh P3D; + parent-ds-ttl PT1H; + parent-propagation-delay PT5M; +}; + +dnssec-policy "bad-lifetime-zsk" { + /* + * The ZSK lifetime is too short. + * The KSK lifetime is good enough but should trigger a warning. + */ + keys { + ksk lifetime PT3H1S algorithm 13; + zsk lifetime P8DT2H algorithm 13; + }; + + dnskey-ttl PT1H; + publish-safety PT1H; + retire-safety PT1H; + zone-propagation-delay PT1H; + max-zone-ttl P1D; + signatures-validity P10D; + signatures-refresh P3D; + parent-ds-ttl PT1H; + parent-propagation-delay PT5M; +}; + +dnssec-policy "bad-lifetime-csk" { + /* + * The CSK lifetime is too short. 
+ */ + keys { + csk lifetime PT3H algorithm 13; + }; + + dnskey-ttl PT1H; + publish-safety PT1H; + retire-safety PT1H; + zone-propagation-delay PT1H; + max-zone-ttl P1D; + signatures-validity P10D; + signatures-refresh P3D; + parent-ds-ttl PT1H; + parent-propagation-delay PT5M; +}; + +zone "bad-lifetime-ksk.example.net" { + type primary; + file "bad-lifetime-ksk.example.db"; + dnssec-policy "bad-lifetime-ksk"; +}; + +zone "bad-lifetime-zsk.example.net" { + type primary; + file "bad-lifetime-zsk.example.db"; + dnssec-policy "bad-lifetime-zsk"; +}; + +zone "bad-lifetime-csk.example.net" { + type primary; + file "bad-lifetime-csk.example.db"; + dnssec-policy "bad-lifetime-csk"; +}; diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf index 515d79f2bd..8691b6c9c3 100644 --- a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -17,7 +19,7 @@ dnssec-policy "bad-salt" { }; zone "example.net" { - type master; + type primary; file "example.db"; dnssec-policy "bad-salt"; }; diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf new file mode 100644 index 0000000000..e54df3b360 --- /dev/null +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf 
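Review bot: The comments in kasp-bad-lifetime.conf say each lifetime is "too short" but not relative to what, so a reader cannot see why `ksk lifetime PT3H` is expected to fail while `PT3H1S` only warns, or why `zsk lifetime P8DT2H` fails while `P8DT2H1S` warns. The thresholds are presumably derived from the timing values listed under each `keys` block (dnskey-ttl, the safety intervals, propagation delays, parent-ds-ttl), so anyone editing those values would change the expected outcome without noticing. I'd extend each policy comment with the computed minimum, e.g. `* Minimum KSK lifetime for the timings below is <computed value>; PT3H is under it, PT3H1S is the first value that passes.`, filling in the value from the checker's formula. The "bad-lifetime-csk" policy needs the same line for its single key.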
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "rsasha256" { + keys { + csk lifetime P10Y algorithm rsasha256 2048; + }; + nsec3param iterations 150; +}; + +dnssec-policy "rsasha256-bad" { + keys { + csk lifetime P10Y algorithm rsasha256 2048; + }; + nsec3param iterations 151; +}; + +dnssec-policy "rsasha512" { + keys { + csk lifetime P10Y algorithm rsasha512 4096; + }; + nsec3param iterations 150; +}; + +dnssec-policy "rsasha512-bad" { + keys { + csk lifetime P10Y algorithm rsasha512 4096; + }; + nsec3param iterations 151; +}; + +zone "example.net" { + type primary; + file "example.db"; + dnssec-policy "default"; + inline-signing yes; +}; diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf index 5d6e72695c..8dc710f29c 100644 --- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
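Review bot: Nothing in kasp-bad-nsec3-iter-fips.conf explains how it differs from kasp-bad-nsec3-iter.conf or why a FIPS build needs its own copy; the line numbers in the sibling hunk (`@@ -52,7 +54,7 @@ dnssec-policy "rsasha512-bad"`) suggest the non-FIPS file carries additional policies, presumably for algorithms unavailable under FIPS, which this variant omits. A header comment after the license block, e.g. `/* FIPS variant of kasp-bad-nsec3-iter.conf: only policies whose algorithms are allowed in FIPS mode are kept; the 150/151 iteration pairs sit on either side of the nsec3param iterations limit. */`, would keep the two fixtures in step. The single zone uses `dnssec-policy "default"` and `inline-signing yes;`, so the four policies are apparently validated as declarations only; a one-line comment saying that is intentional would stop a future reader "fixing" it by attaching a policy to the zone.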
@@ -52,7 +54,7 @@ dnssec-policy "rsasha512-bad" { }; zone "example.net" { - type master; + type primary; file "example.db"; dnssec-policy "default"; }; diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf index 7701d3b4dd..708e5809fe 100644 --- a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -14,7 +16,7 @@ dnssec-policy "bad-salt" { }; zone "example.net" { - type master; + type primary; file "example.db"; dnssec-policy "bad-salt"; }; diff --git a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf new file mode 100644 index 0000000000..dd907dddd2 --- /dev/null +++ b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "bad-sigrefresh" { + keys { + csk lifetime unlimited algorithm 13; + }; + + signatures-validity P10D; + signatures-validity-dnskey P20D; + signatures-refresh P9DT1S; +}; + +dnssec-policy "bad-sigrefresh-dnskey" { + keys { + csk lifetime unlimited algorithm 13; + }; + + signatures-validity P20D; + signatures-validity-dnskey P10D; + signatures-refresh P9DT1S; +}; + +zone "sigrefresh.example.net" { + type primary; + file "sigrefresh.example.db"; + dnssec-policy "bad-sigrefresh"; +}; + +zone "dnskey.example.net" { + type primary; + file "dnskey.example.db"; + dnssec-policy "bad-sigrefresh-dnskey"; +}; diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf index b2680bd74d..fae3e4120d 100644 --- a/bin/tests/system/checkconf/kasp-ignore-keylen.conf +++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -17,7 +19,7 @@ dnssec-policy "warn-length" { }; zone "example.net" { - type master; + type primary; file "example.db"; dnssec-policy "warn-length"; }; diff --git a/bin/tests/system/checkconf/kasp-warning.conf b/bin/tests/system/checkconf/kasp-warning.conf new file mode 100644 index 0000000000..4c05b5ad02 --- /dev/null +++ b/bin/tests/system/checkconf/kasp-warning.conf @@ -0,0 +1,59 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "warn1" { + keys { + // This policy has keys in the same algorithm with the same + // role, this should trigger a warning. + ksk lifetime unlimited algorithm ecdsa256; + zsk lifetime unlimited algorithm ecdsa256; + zsk lifetime unlimited algorithm ecdsa256; + ksk lifetime unlimited algorithm ecdsa256; + }; +}; + +dnssec-policy "warn2" { + keys { + // This policy has keys in the same algorithm with the same + // role, this should trigger a warning. + csk lifetime unlimited algorithm rsasha256; + ksk lifetime unlimited algorithm rsasha256; + zsk lifetime unlimited algorithm rsasha256; + }; +}; + +dnssec-policy "warn3" { + keys { + // This policy has a key with a very short lifetime. + csk lifetime PT2591999S algorithm rsasha256; + }; +}; + +zone "warn1.example.net" { + type primary; + file "warn1.example.db"; + dnssec-policy "warn1"; +}; + +zone "warn2.example.net" { + type primary; + file "warn2.example.db"; + dnssec-policy "warn2"; +}; + +zone "warn3.example.net" { + type primary; + file "warn3.example.db"; + dnssec-policy "warn3"; +}; + 
diff --git a/bin/tests/system/checkconf/lmdb-mapsize-largest.conf b/bin/tests/system/checkconf/lmdb-mapsize-largest.conf index a01fbc494a..a55b835435 100644 --- a/bin/tests/system/checkconf/lmdb-mapsize-largest.conf +++ b/bin/tests/system/checkconf/lmdb-mapsize-largest.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf b/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf index 797395f83e..447870679b 100644 --- a/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf +++ b/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/max-cache-size-good.conf b/bin/tests/system/checkconf/max-cache-size-good.conf index ff9dc8fc9e..bb1277587b 100644 --- a/bin/tests/system/checkconf/max-cache-size-good.conf +++ b/bin/tests/system/checkconf/max-cache-size-good.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/max-ttl.conf b/bin/tests/system/checkconf/max-ttl.conf index 074bc2cbbd..b91a5fdcb3 100644 --- a/bin/tests/system/checkconf/max-ttl.conf +++ b/bin/tests/system/checkconf/max-ttl.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,18 +17,18 @@ options { }; zone "maxttl1.example" { - type master; + type primary; file "maxttl-bad.db"; }; zone "maxttl2.example" { - type master; + type primary; file "maxttl-bad.db"; max-zone-ttl 300; }; zone "maxttl3.example" { - type master; + type primary; file "maxttl-bad.db"; max-zone-ttl 120; }; diff --git a/bin/tests/system/checkconf/maxttl-bad.conf b/bin/tests/system/checkconf/maxttl-bad.conf index ac4ca6548b..66bbebd296 100644 --- a/bin/tests/system/checkconf/maxttl-bad.conf +++ b/bin/tests/system/checkconf/maxttl-bad.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -15,7 +17,7 @@ options { }; zone "maxttl.example" { - type master; + type primary; file "maxttl-bad.db"; }; diff --git a/bin/tests/system/checkconf/maxttl-bad.db b/bin/tests/system/checkconf/maxttl-bad.db index 9c8aa7e19e..978f0ecf19 100644 --- a/bin/tests/system/checkconf/maxttl-bad.db +++ b/bin/tests/system/checkconf/maxttl-bad.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/maxttl.db b/bin/tests/system/checkconf/maxttl.db index 21536b484f..3ad695ea98 100644 --- a/bin/tests/system/checkconf/maxttl.db +++ b/bin/tests/system/checkconf/maxttl.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/notify.conf b/bin/tests/system/checkconf/notify.conf index 60c4f15dda..297811886f 100644 --- a/bin/tests/system/checkconf/notify.conf +++ b/bin/tests/system/checkconf/notify.conf @@ -1,27 +1,29 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ view one { - notify master-only; + notify primary-only; - # also-notify inconsistent with master-only notify option - zone "slave" { - type slave; - masters { 1.2.3.4; }; + # also-notify inconsistent with primary-only notify option + zone "secondary" { + type secondary; + primaries { 1.2.3.4; }; also-notify { 5.6.7.8; }; }; # OK - zone "master" { - type master; + zone "primary" { + type primary; file "filename"; also-notify { 5.6.7.8; }; }; 
@@ -31,15 +33,15 @@ view two { notify no; # also-notify inconsistent with notify option at the view level - zone "slave" { - type slave; - masters { 1.2.3.4; }; + zone "secondary" { + type secondary; + primaries { 1.2.3.4; }; also-notify { 5.6.7.8; }; }; # OK - zone "master" { - type master; + zone "primary" { + type primary; file "filename"; notify yes; also-notify { 5.6.7.8; }; @@ -48,16 +50,16 @@ view two { view three { # also-notify inconsistent with notify option at the zone level - zone "slave" { - type slave; - masters { 1.2.3.4; }; + zone "secondary" { + type secondary; + primaries { 1.2.3.4; }; notify no; also-notify { 5.6.7.8; }; }; # OK - zone "master" { - type master; + zone "primary" { + type primary; file "filename"; also-notify { 5.6.7.8; }; }; @@ -67,15 +69,15 @@ view four { also-notify { 5.6.7.8; }; # OK - zone "slave" { - type slave; - masters { 1.2.3.4; }; - notify master-only; + zone "secondary" { + type secondary; + primaries { 1.2.3.4; }; + notify primary-only; }; # OK - zone "master" { - type master; + zone "primary" { + type primary; file "filename"; notify no; }; diff --git a/bin/tests/system/checkconf/portrange-good.conf b/bin/tests/system/checkconf/portrange-good.conf index e02097f138..c4eb582599 100644 --- a/bin/tests/system/checkconf/portrange-good.conf +++ b/bin/tests/system/checkconf/portrange-good.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
diff --git a/bin/tests/system/checkconf/range.conf b/bin/tests/system/checkconf/range.conf index a7f94d9f50..c254f5c998 100644 --- a/bin/tests/system/checkconf/range.conf +++ b/bin/tests/system/checkconf/range.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,13 +13,4 @@ options { port 999999; - dscp 222; - listen-on port 100 dscp 444 { - 127.0.0.1/32; - }; -}; - -zone "example" { - type master; - file "example.db"; }; diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf index 2e58140c2a..3ff6b0d0e2 100644 --- a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf +++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf index 92fe8dcf8c..9e0669c5c9 100644 --- a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf +++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/setup.sh b/bin/tests/system/checkconf/setup.sh new file mode 100644 index 0000000000..77707226c9 --- /dev/null +++ b/bin/tests/system/checkconf/setup.sh 
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports bad-kasp-keydir1.conf.in bad-kasp-keydir1.conf
+copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf
+copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
+copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
+copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
+copy_setports bad-tsig.conf.in bad-tsig.conf
+copy_setports good.conf.in good.conf
+cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
diff --git a/bin/tests/system/checkconf/shared.example.db b/bin/tests/system/checkconf/shared.example.db
index 7b40db9c33..5dcdd1bba7 100644
--- a/bin/tests/system/checkconf/shared.example.db
+++ b/bin/tests/system/checkconf/shared.example.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 23d2c430f9..464879c975 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
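Review bot: setup.sh has no `set -e` after the shebang, so a `copy_setports` that fails (for instance because a `.conf.in` source is missing) is ignored and the run continues; tests.sh then globs `bad-*.conf` and `good-*.conf`, so a fixture that was never generated simply drops out of the loop and the suite still passes. Unless `../conf.sh` already enables errexit, which is not visible here, add `set -e` directly below the license header, matching the `set -e` the same commit adds to tests.sh. The same applies to the final `cp -f` line.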
@@ -1,56 +1,62 @@
+#!/bin/sh
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+set -e
+
 . ../conf.sh
 status=0
 n=0
-mkdir keys
+mkdir -p keys
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that named-checkconf handles a known good config ($n)"
 ret=0
 $CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that named-checkconf prints a known good config ($n)"
 ret=0
-awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
-[ -s good.conf.in ] || ret=1
-$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
-cmp good.conf.in good.conf.out || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw
+[ -s good.conf.raw ] || ret=1
+$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+cmp good.conf.raw good.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
-n=`expr $n + 1`
+n=$((n + 1))
 echo_i "checking that named-checkconf -x removes secrets ($n)"
 ret=0
 # ensure there is a secret and that it is not the check string.
-grep 'secret "' good.conf.in > /dev/null || ret=1
-grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
-$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+grep 'secret "' good.conf.raw > /dev/null || ret=1
+grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1
+$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
 grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
 for bad in bad-*.conf
 do
- n=`expr $n + 1`
+ n=$((n + 1))
 echo_i "checking that named-checkconf detects error in $bad ($n)"
 ret=0
- $CHECKCONF $bad > checkconf.out$n 2>&1
- if [ $? != 1 ]; then ret=1; fi
+ { $CHECKCONF $bad > checkconf.out$n 2>&1; rc=$?; } || true
+ if [ $rc -ne 1 ]; then ret=1; fi
 grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
 case $bad in
 bad-update-policy[123].conf)
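Review bot: The `-x removes secrets` check only asserts that the placeholder `secret "????????????????"` appears somewhere in good.conf.out; it never asserts that no unredacted `secret` value survived, so if good.conf carries several secrets and `-x` misses one, the test still passes. Add a negative check after the existing positive grep, `grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' > /dev/null 2>&1 && ret=1`, so any remaining literal secret fails the check. Note also that `$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1` and the `-x` run do not redirect stderr, so warnings printed there are not captured in checkconf.out$n for later inspection; the other invocations in this file use `2>&1`.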
@@ -61,115 +67,118 @@ do pat="name field not set to placeholder value" grep "$pat" < checkconf.out$n > /dev/null || ret=1 ;; - bad-update-policy[67].conf|bad-update-policy1[2345].conf) + bad-update-policy[67].conf|bad-update-policy1[2345789].conf|bad-update-policy20.conf) pat="missing name field type '.*' found" grep "$pat" < checkconf.out$n > /dev/null || ret=1 ;; esac - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done for good in good-*.conf do - n=`expr $n + 1` + n=$((n + 1)) echo_i "checking that named-checkconf detects no error in $good ($n)" ret=0 - $CHECKCONF $good > checkconf.out$n 2>&1 - if [ $? != 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` + if ! $FEATURETEST --with-libnghttp2 + then + case $good in + good-doh-*.conf) continue;; + good-dot-*.conf) continue;; + esac + fi + { $CHECKCONF $good > checkconf.out$n 2>&1; rc=$?; } || true + if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi + status=$((status + ret)) done for lmdb in lmdb-*.conf do - n=`expr $n + 1` + n=$((n + 1)) ret=0 - $FEATURETEST --with-lmdb - if [ $? -eq 0 ]; then + if $FEATURETEST --with-lmdb; then echo_i "checking that named-checkconf detects no error in $lmdb ($n)" - $CHECKCONF $lmdb > checkconf.out$n 2>&1 - if [ $? != 0 ]; then echo_i "failed"; ret=1; fi + { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true + if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi else echo_i "checking that named-checkconf detects error in $lmdb ($n)" - $CHECKCONF $lmdb > checkconf.out$n 2>&1 - if [ $? 
== 0 ]; then echo_i "failed"; ret=1; fi + { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true + if [ $rc -eq 0 ]; then echo_i "failed"; ret=1; fi fi - status=`expr $status + $ret` + status=$((status + ret)) done -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that ancient options report a fatal error ($n)" ret=0 $CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 grep "no longer exists" ancient.out > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z catches missing hint file ($n)" ret=0 $CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf catches range errors ($n)" ret=0 $CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" ret=0 $CHECKCONF notify.conf > checkconf.out$n 2>&1 -warnings=`grep "'notify' is disabled" < checkconf.out$n | wc -l` +warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l) [ $warnings -eq 3 ] || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` -echo_i "checking named-checkconf dnssec warnings ($n)" -ret=0 -# dnssec.1: auto-dnssec warning -$CHECKCONF dnssec.1 > checkconf.out$n.2 2>&1 -grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1 -# dnssec.2: should have no warnings -$CHECKCONF dnssec.2 > 
checkconf.out$n.3 2>&1 -grep '.*' < checkconf.out$n.3 > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 $CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "option 'max-zone-ttl' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) # set -i to ignore deprecate warnings $CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking named-checkconf servestale warnings ($n)" ret=0 $CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or 
higher" < checkconf.out$n.1 > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) ret=0 $CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "range checking fields that do not allow zero ($n)" ret=0 for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do @@ -178,15 +187,15 @@ options { $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1 - [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; } + { $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1; rc=$?; } || true + [ $rc -eq 1 ] || { echo_i "options $field failed" ; ret=1; } cat > badzero.conf << EOF view dummy { $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1 - [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; } + { $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1; rc=$?; } || true + [ $rc -eq 1 ] || { echo_i "view $field failed" ; ret=1; } cat > badzero.conf << EOF options { $field 0; @@ -194,8 +203,8 @@ options { view dummy { }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1 - [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } + { $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1; rc=$?; } || true + [ $rc -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } cat > badzero.conf << EOF zone dummy { type secondary; 
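Review bot: In the `good-*.conf` loop the new libnghttp2 skip is evaluated after `echo_i "checking that named-checkconf detects no error in $good ($n)"`, so the log shows a numbered check that never ran and is indistinguishable from one that passed; move the `$FEATURETEST --with-libnghttp2` block above the `echo_i`, or change the two arms to `good-doh-*.conf) echo_i "skipped"; continue;;` and the same for `good-dot-*.conf`. The `good-dot-*.conf` arm keys DoT configs on libnghttp2, which is the HTTP/2 library; if DoT only needs TLS support this skips them more often than necessary, so confirm which feature gate applies. Separately, with the `set -e` added at the top of this file, the invocations in this hunk that carry neither `|| true` nor `&& ret=1` (`$CHECKCONF notify.conf`, both `$CHECKCONF deprecated.conf` runs and both servestale runs) abort the whole script on any unexpected non-zero exit instead of recording a failed check; wrapping them in the `{ ...; rc=$?; } || true` form this commit uses for the loops keeps the per-check accounting. The `-i` block that follows the deprecate checks also reuses `ret` without resetting it to 0, so a failure above is counted into `status` twice.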
@@ -203,355 +212,415 @@ zone dummy { $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1 - [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } + { $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1; rc=$?; } || true + [ $rc -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 -l=`grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l` -[ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 -l=`grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l` +$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1 +l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 -l=`grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l` -[ $l -eq 1 ] || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check file + inline-signing for secondary zones ($n)" -$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.1 | wc -l` +$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 && ret=1 +l=$(grep "missing 'file' entry" < checkconf.out$n.1 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.2 | wc -l` +$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 || ret=1 +l=$(grep "missing 'file' entry" < checkconf.out$n.2 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 -l=`grep "missing 'file' 
entry" < checkconf.out$n.3 | wc -l` +$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "missing 'file' entry" < checkconf.out$n.3 | wc -l) [ $l -eq 1 ] || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking named-checkconf DLZ warnings ($n)" ret=0 -$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 +$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 && ret=1 grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking for missing key directory warning ($n)" ret=0 rm -rf test.keydir $CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 -l=`grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l` +l=$(grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l) [ $l -eq 1 ] || ret=1 touch test.keydir $CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1 -l=`grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l` +l=$(grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 rm -f test.keydir mkdir test.keydir $CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1 -l=`grep "key-directory" < checkconf.out$n.3 | wc -l` +l=$(grep "key-directory" < checkconf.out$n.3 | wc -l) [ $l -eq 0 ] || ret=1 rm -rf test.keydir -if [ $ret != 0 ]; then echo_i "failed"; fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl.conf > check.out 2>&1 +$CHECKCONF -z max-ttl.conf > check.out 2>&1 && ret=1 grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > 
/dev/null 2>&1 || ret=1 grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" ret=0 $CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" ret=0 $CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" ret=0 $CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" ret=0 $CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" ret=0 $CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking 
that named-checkconf -z passes on view with IN class ($n)" ret=0 $CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" ret=0 $CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-names fails as configured ($n)" ret=0 $CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 $CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-dup-records fails as configured ($n)" ret=0 $CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi 
-status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 $CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-mx-cname fails as configured ($n)" ret=0 $CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that check-srv-cname fails as configured ($n)" ret=0 $CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that named-checkconf -p properly print a port range ($n)" ret=0 $CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that 
named-checkconf -z handles in-view ($n)" ret=0 $CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" ret=0 $CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that named-checkconf prints max-cache-size correctly ($n)" ret=0 $CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that named-checkconf -l prints out the zone list ($n)" ret=0 $CHECKCONF -l good.conf | +grep -v "is deprecated" | grep -v "is not implemented" | +grep -v "is not recommended" | grep -v "no longer exists" | grep -v "is obsolete" > checkconf.out$n || ret=1 diff good.zonelist checkconf.out$n > diff.out$n || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" ret=0 $CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 grep "key without the updated" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi 
-status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ret=0 $CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ret=0 $CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that a static root key generates a warning ($n)" ret=0 $CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1 grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that a static root DS trust anchor generates a warning ($n)" ret=0 $CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1 grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that a trusted-keys entry for root generates a warning ($n)" ret=0 $CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1 grep "trusted-keys entry for the root zone WILL FAIL" 
checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking named-checkconf kasp errors ($n)" ret=0 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 
'update-policy'" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1 +if ! ($SHELL ../testcrypto.sh -q RSASHA1); then + conf=kasp-bad-nsec3-iter-fips.conf + expect=2 +else + conf=kasp-bad-nsec3-iter.conf + expect=3 +fi +$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1 lines=$(wc -l < "checkconf.out$n") -if [ $lines != 3 ]; then ret=1; fi -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $lines -ne $expect ]; then ret=1; fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" ret=0 $CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +if ! 
($SHELL ../testcrypto.sh -q RSASHA1); then + grep "dnssec-policy: algorithm rsasha1 not supported" < checkconf.out$n > /dev/null || ret=1 +else + grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 +fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "checking named-checkconf kasp key errors ($n)" ret=0 $CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking named-checkconf kasp signatures refresh errors ($n)" +ret=0 +$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1 +lines=$(wc -l < "checkconf.out$n") +if [ $lines -ne 2 ]; then ret=1; fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) +echo_i "checking named-checkconf kasp key lifetime errors ($n)" +ret=0 +$CHECKCONF kasp-bad-lifetime.conf > checkconf.out$n 2>&1 && ret=1 +lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" < checkconf.out$n | wc -l) || ret=1 +if [ $lines -ne 3 ]; then ret=1; fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "checking named-checkconf kasp predefined key length ($n)" ret=0 $CHECKCONF 
kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1 grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking named-checkconf kasp warns about weird policies ($n)" +ret=0 +$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 +grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1 +lines=$(wc -l < "checkconf.out$n") +if [ $lines -ne 5 ]; then ret=1; fi +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 $CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking that named-checkconf prints a known good kasp config ($n)" ret=0 awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in [ -s good-kasp.conf.in ] || ret=1 $CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1 cmp good-kasp.conf.in good-kasp.conf.out || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then echo_i "failed"; fi 
+status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" ret=0 $CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1 grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that *-source options with specified port generate warnings ($n)" +ret=0 +$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" +ret=0 +$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +status=$((status + ret)) -rmdir keys +n=$((n + 1)) +echo_i "check that 'check-wildcard yes;' warns as configured ($n)" +ret=0 +$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkconf/tests_sh_checkconf.py b/bin/tests/system/checkconf/tests_sh_checkconf.py new file mode 100644 index 0000000000..3a348ba2f8 --- /dev/null +++ b/bin/tests/system/checkconf/tests_sh_checkconf.py 
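Review bot: In the new "kasp warns about weird policies" check the grep for `dnssec-policy: algorithm 8 has multiple keys with ZSK role` is issued twice and nothing asserts the algorithm 8 KSK warning, so only the `lines -ne 5` count stands in for it; the second copy presumably should read `grep "dnssec-policy: algorithm 8 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1`. The "missing key directory warning" check still ends with `if [ $ret -ne 0 ]; then echo_i "failed"; fi` and never runs `status=$((status + ret))` before the next `ret=0`, so a regression there is printed but cannot fail the script. The two check-wildcard checks at the end keep `if [ $ret != 0 ]` while every other check in this hunk was converted to `-ne`; for consistency use `if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi` in both.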
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_checkconf(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/checkconf/view-class-any1.conf b/bin/tests/system/checkconf/view-class-any1.conf
index 9832ce02aa..8b39456692 100644
--- a/bin/tests/system/checkconf/view-class-any1.conf
+++ b/bin/tests/system/checkconf/view-class-any1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/view-class-any2.conf b/bin/tests/system/checkconf/view-class-any2.conf
index 03f08030df..049ccf6cb9 100644
--- a/bin/tests/system/checkconf/view-class-any2.conf
+++ b/bin/tests/system/checkconf/view-class-any2.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/view-class-in1.conf b/bin/tests/system/checkconf/view-class-in1.conf
index 794f9e00de..1d203e6253 100644
--- a/bin/tests/system/checkconf/view-class-in1.conf
+++ b/bin/tests/system/checkconf/view-class-in1.conf
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/checkconf/view-class-in2.conf b/bin/tests/system/checkconf/view-class-in2.conf
index c519b1a66b..38b356e706 100644
--- a/bin/tests/system/checkconf/view-class-in2.conf
+++ b/bin/tests/system/checkconf/view-class-in2.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checkconf/warn-keydir.conf b/bin/tests/system/checkconf/warn-keydir.conf index 502a4f3d30..960007149b 100644 --- a/bin/tests/system/checkconf/warn-keydir.conf +++ b/bin/tests/system/checkconf/warn-keydir.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -17,7 +19,7 @@ options { }; zone dummy { - type master; + type primary; file "xxxx"; key-directory "test.keydir"; }; diff --git a/bin/tests/system/checkconf/warn-maxratio1.conf b/bin/tests/system/checkconf/warn-maxratio1.conf index 519dcc484c..eedf2633a7 100644 --- a/bin/tests/system/checkconf/warn-maxratio1.conf +++ b/bin/tests/system/checkconf/warn-maxratio1.conf 
@@ -1,17 +1,19 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ zone example { - type master; - masterfile-format map; + type primary; + masterfile-format raw; file "example.db"; max-ixfr-ratio 101%; }; diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/warn-notify-source.conf new file mode 100644 index 0000000000..4d840ccce9 --- /dev/null +++ b/bin/tests/system/checkconf/warn-notify-source.conf @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port 5300; +}; + +zone example { + type secondary; + primaries { 1.2.3.4; }; + notify-source 10.53.0.1 port 100; +}; diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/warn-parental-source.conf new file mode 100644 index 0000000000..2bbb34bcf3 --- /dev/null +++ b/bin/tests/system/checkconf/warn-parental-source.conf 
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/warn-transfer-source.conf
new file mode 100644
index 0000000000..eb31041ec4
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkds/README b/bin/tests/system/checkds/README
new file mode 100644
index 0000000000..ec38140355
--- /dev/null
+++ b/bin/tests/system/checkds/README
@@ -0,0 +1,98 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +The test setup for the checkds tests. + +These servers are parent servers: +- ns1 is the root server. + +- ns2 is a primary authoritative server that serves the parent zone for zones + configured in ns9. +- ns4 is the secondary server for ns2. +- ns8 is the secondary server for ns2 that is not part of the NS RRset, + used for testing explicit parental-agents. + +- ns5 is a primary authoritative server that serves the parent zone for zones + configured in ns9, but this one does not publish DS records (to test cases + where the DS is missing and the DS needs to be withdrawn). +- ns7 is the secondary server for ns5. +- ns10 is the secondary server for ns5 that is not part of the NS RRset, + used for testing explicit parental-agents. + +- ns6 is an authoritative server for a different zone, to test badly configured + parental agents. + +- ns3 is a resolver that can be configured as a parental agent. + +- Finally, ns9 is the authoritative server for the various DNSSEC enabled test + domains. + +We need multiple test cases for testing the "checkds" functionality. Basically, +the behavior of "checkds" is of importance in three cases: + +1. Enabling DNSSEC +2. KSK rollover +3. Going insecure + +All these three cases involve publishing DS records into the parent, and +withdrawing them. The named instance is responsible for checking that the +relevant DS records are published or removed from the parent zone. Therefor, +it needs to know what the parental agents are (the servers that it can send +the DS queries to). 
+ +Then there are two ways of retrieving parental agents, either through explicit +configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In +the latter case, the parental agents are retrieved by querying for the parent NS +RRset. + +The third value is "checkds no;", which disables the feature. + +Depending on the DS publication status, the DS state of the key needs to be +updated. In case of DS publication, the "DSPublish" state should be set, only +if all parental agents have the relevant DS published. In case of DS withdrawal, +the "DSRemoved" state should be set, only if none of the parental agents have +the relevant DS in their zone. + +Regardless of how parental agents are retrieved, we identify the following test +cases: + +1. Enabling DNSSEC + +1.1. - With one parental agent +1.1.1. - DS is correctly published in the parent: DSPublish +1.1.2. - DS is not (yet) published in the parent: !DSPublish +1.1.3. - The parental agent is badly configured: !DSPublish +1.1.4. - DS is published, but has bogus signature: !DSPublish + +1.2. - With multiple parental agents +1.2.1. - DS is correctly published in all parents: DSPublish +1.2.2. - DS is not (yet) published in some parents: !DSPublish +1.2.3. - One parental agent is badly configured: !DSPublish +1.2.4. - DS is completely published, bogus signature: !DSPublish + +2. Going insecure + +2.1. - With one parental agent +2.1.1. - DS is correctly withdrawn from the parent: DSRemoved +2.1.2. - DS is (still) published in the parent: !DSRemoved +2.1.3. - The parental agent is badly configured: !DSRemoved +2.1.4. - DS is withdrawn, but has bogus signature: !DSRemoved + +2.2. - With multiple parental agents +2.2.1. - DS is correctly withdrawn from all parents: DSRemoved +2.2.2. - DS is not (yet) withdrawn from some parents: !DSRemoved +2.2.3. - One parental agent is badly configured: !DSRemoved +2.2.4. 
- DS is removed completely, bogus signature: !DSRemoved + +We deliberately don't test the "KSK Rollover" case in this system test as this +can be considered as the same as "Enabling DNSSEC" for one key and +"Going insecure" for another case. In other words, it is covered by the two +other scenarios (although we might still add the test cases in the future). diff --git a/bin/tests/system/checkds/clean.sh b/bin/tests/system/checkds/clean.sh new file mode 100644 index 0000000000..ec51f996dd --- /dev/null +++ b/bin/tests/system/checkds/clean.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f dig.out* +rm -f ns*/named.conf ns*/named.memstats ns*/named.run* +rm -f ns*/*.jnl ns*/*.jbk +rm -f ns*/K*.private ns*/K*.key ns*/K*.state +rm -f ns*/*.keyname +rm -f ns*/dsset-* +rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile +rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* +rm -f ns*/managed-keys.bind* +rm -f ns*/trusted.conf +rm -f ns*/*.mkeys +rm -f ns*/zones +rm -f ./*.out diff --git a/bin/tests/system/checkds/ns1/named.conf.in b/bin/tests/system/checkds/ns1/named.conf.in new file mode 100644 index 0000000000..5b1c9fe7ca --- /dev/null +++ b/bin/tests/system/checkds/ns1/named.conf.in 
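Review bot: `ns*/*.jnl ns*/*.jbk` is listed twice in clean.sh (once on its own `rm -f` line and again on the `ns*/*.db` line), so one of the two can go. Nothing in this script removes `ns*/session.key`, which ns3's `session-keyfile "session.key"` will create once that resolver runs, so it is left behind between runs unless the harness removes it elsewhere; `rm -f ns*/session.key` next to the `ns*/trusted.conf` line would cover it. `rm -f ns*/zones` will also abort the script under `set -e` if `zones` turns out to be a directory rather than a file; I cannot tell from here which it is.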
@@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; diff --git a/bin/tests/system/checkds/ns1/root.db.in b/bin/tests/system/checkds/ns1/root.db.in new file mode 100644 index 0000000000..89e1b936e6 --- /dev/null +++ b/bin/tests/system/checkds/ns1/root.db.in 
@@ -0,0 +1,68 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +ns2. NS ns2.ns2. +ns2.ns2. A 10.53.0.2 + +ns2-4. NS ns2.ns2-4. +ns2-4. NS ns4.ns2-4. +ns2.ns2-4. A 10.53.0.2 +ns4.ns2-4. A 10.53.0.4 + +ns2-4-5. NS ns2.ns2-4-5. +ns2-4-5. NS ns4.ns2-4-5. +ns2-4-5. NS ns5.ns2-4-5. +ns2.ns2-4-5. A 10.53.0.2 +ns4.ns2-4-5. A 10.53.0.4 +ns5.ns2-4-5. A 10.53.0.5 + +ns2-4-6. NS ns2.ns2-4-6. +ns2-4-6. NS ns4.ns2-4-6. +ns2-4-6. NS ns6.ns2-4-6. +ns2.ns2-4-6. A 10.53.0.2 +ns4.ns2-4-6. A 10.53.0.4 +ns6.ns2-4-6. A 10.53.0.6 + +ns2-5-7. NS ns2.ns2-5-7. +ns2-5-7. NS ns5.ns2-5-7. +ns2-5-7. NS ns7.ns2-5-7. +ns2.ns2-5-7. A 10.53.0.2 +ns5.ns2-5-7. A 10.53.0.5 +ns7.ns2-5-7. A 10.53.0.7 + +ns5. NS ns5.ns5. +ns5.ns5. A 10.53.0.5 + +ns5-6-7. NS ns5.ns5-6-7. +ns5-6-7. NS ns6.ns5-6-7. +ns5-6-7. NS ns7.ns5-6-7. +ns5.ns5-6-7. A 10.53.0.5 +ns6.ns5-6-7. A 10.53.0.6 +ns7.ns5-6-7. A 10.53.0.7 + +ns5-7. NS ns5.ns5-7. +ns5-7. NS ns7.ns5-7. +ns5.ns5-7. A 10.53.0.5 +ns7.ns5-7. A 10.53.0.7 + +ns6. NS ns6.ns6. +ns6.ns6. A 10.53.0.6 diff --git a/bin/tests/system/checkds/ns1/setup.sh b/bin/tests/system/checkds/ns1/setup.sh new file mode 100644 index 0000000000..26bc14c36c --- /dev/null +++ b/bin/tests/system/checkds/ns1/setup.sh 
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/setup.sh"
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns9/trusted.conf
diff --git a/bin/tests/system/checkds/ns10/named.conf.in b/bin/tests/system/checkds/ns10/named.conf.in
new file mode 100644
index 0000000000..ef2ec416e0
--- /dev/null
+++ b/bin/tests/system/checkds/ns10/named.conf.in
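Review bot: `"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1` discards the signer's diagnostics, so when `set -e` stops the script on a signing failure nothing is left behind to explain it; ns2/setup.sh in this same commit keeps that output in `signer.out.$zone`, and clean.sh already removes `ns*/signer.out.*`, so `> signer.out.root 2>&1` (or any name matching that glob) would be both consistent and debuggable. The `-e` in the shebang duplicates the explicit `set -e` a few lines below; keeping only the explicit one, as the harness may invoke the script via `sh`, is the safer choice.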
@@ -0,0 +1,90 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS10 + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.10; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "ns2" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns2.db"; +}; + +zone "ns2-4" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns2-5-7.db"; +}; + +zone "ns5" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns5-7.db"; +}; + +zone "ns6" { + type secondary; + primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; }; + file "ns6.db"; +}; 
diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in
new file mode 100644
index 0000000000..5d0b0d4408
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/named.conf.in
@@ -0,0 +1,122 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "ns2" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns2.db"; +}; + +zone "ns2-4" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns2-5-7.db"; +}; + +zone "ns5" 
{ + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns5-7.db"; +}; + +zone "ns6" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; }; + also-notify { 10.53.0.4; 10.53.0.8; }; + dnssec-policy default; + file "ns6.db"; +}; diff --git a/bin/tests/system/checkds/ns2/ns2-4-5.db.in b/bin/tests/system/checkds/ns2/ns2-4-5.db.in new file mode 100644 index 0000000000..3a8b69432e --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-4-5.db.in @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns5 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 
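Review bot: under `$ORIGIN explicit.dspublish.ns2-4-5.` and `$ORIGIN yes.dspublish.ns2-4-5.` the glue address records are spelled `ns9.imcomplete` while the NS targets are `ns9.incomplete`, so the delegation to `incomplete` has no matching A record and a resolver following it has nowhere to send the query. Assuming the missing glue is not what this case is meant to exercise (the README describes "incomplete" as DS not yet published in some parents, not as a broken delegation), both lines should read `ns9.incomplete A 10.53.0.9`. The byte-identical ns5/ns2-4-5.db.in later in this commit carries the same typo.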
diff --git a/bin/tests/system/checkds/ns2/ns2-4-6.db.in b/bin/tests/system/checkds/ns2/ns2-4-6.db.in new file mode 100644 index 0000000000..b29fabc982 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-4-6.db.in @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns6 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-4.db.in b/bin/tests/system/checkds/ns2/ns2-4.db.in new file mode 100644 index 0000000000..d5761a52fe --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-4.db.in 
@@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 + +$ORIGIN explicit.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-5-7.db.in b/bin/tests/system/checkds/ns2/ns2-5-7.db.in new file mode 100644 index 0000000000..b1fe39c6a5 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2-5-7.db.in 
@@ -0,0 +1,34 @@ + ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns5 + NS ns7 +ns2 A 10.53.0.2 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2.db.in b/bin/tests/system/checkds/ns2/ns2.db.in new file mode 100644 index 0000000000..5d59a06b66 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns2.db.in 
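Review bot: the first line of ns2-5-7.db.in is ` ; Copyright ...` with a space before the `;`, whereas every other zone file in this commit starts its license header at column 0. The zone parser does not care, since the rest of the line is a comment, but the header no longer matches the shared text that license-header checks look for; drop the leading space. The copy at ns5/ns2-5-7.db.in further down has the same leading space.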
@@ -0,0 +1,49 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +no-ent NS ns9.no-ent +ns9.no-ent A 10.53.0.9 + +$ORIGIN explicit.dspublish.ns2. +good NS ns9.good +reference NS ns9.reference +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.reference A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-6-7.db.in b/bin/tests/system/checkds/ns2/ns5-6-7.db.in new file mode 100644 index 0000000000..6be4649886 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5-6-7.db.in 
@@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns6 + NS ns7 +ns5 A 10.53.0.5 +ns6 A 10.53.0.6 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-7.db.in b/bin/tests/system/checkds/ns2/ns5-7.db.in new file mode 100644 index 0000000000..14e19858d8 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5-7.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns7 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 
diff --git a/bin/tests/system/checkds/ns2/ns5.db.in b/bin/tests/system/checkds/ns2/ns5.db.in new file mode 100644 index 0000000000..640af0f78e --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns5.db.in @@ -0,0 +1,49 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +no-ent NS ns9.no-ent +ns9.no-ent A 10.53.0.9 + +$ORIGIN explicit.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN yes.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN no.dsremoved.ns5. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns6.db.in b/bin/tests/system/checkds/ns2/ns6.db.in new file mode 100644 index 0000000000..59e28543e0 --- /dev/null +++ b/bin/tests/system/checkds/ns2/ns6.db.in 
@@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh new file mode 100644 index 0000000000..a549e3a2ca --- /dev/null +++ b/bin/tests/system/checkds/ns2/setup.sh 
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
+do
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
+
+ # The signing key is copied from ns5.
+ CSK=$(cat "${zn}.keyname")
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+ cp "dsset-${zn}." ../ns1/
+done
diff --git a/bin/tests/system/checkds/ns3/named.conf.in b/bin/tests/system/checkds/ns3/named.conf.in
new file mode 100644
index 0000000000..54bfc99898
--- /dev/null
+++ b/bin/tests/system/checkds/ns3/named.conf.in
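Review bot: ns2/setup.sh relies on the `-e` in its `#!/bin/sh -e` shebang alone, which is ignored if the harness invokes the script as `sh setup.sh` rather than executing it directly; a failing `$SIGNER` (whose output goes into `signer.out.$zone`) or a missing `${zn}.keyname` then does not stop the loop and the script still exits 0 as long as the final `cp` succeeds. ns1/setup.sh in this commit adds an explicit `set -e` right after sourcing conf.sh, and the same line belongs here. The `private_type_record` and `$SIGNER` invocations also leave `$zone`, `$DEFAULT_ALGORITHM_NUMBER`, `$zonefile` and `$infile` unquoted while the neighbouring lines quote everything, so quoting them would be consistent. The comment `# The signing key is copied from ns5.` refers to `${zn}.keyname`, which is produced outside this hunk (presumably by ns5's setup script), so naming that script in the comment would help the next reader.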
@@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + session-keyfile "session.key"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/checkds/ns4/named.conf.in b/bin/tests/system/checkds/ns4/named.conf.in new file mode 100644 index 0000000000..75bd470b85 --- /dev/null +++ b/bin/tests/system/checkds/ns4/named.conf.in 
@@ -0,0 +1,90 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "ns2" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns2.db"; +}; + +zone "ns2-4" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns2-5-7.db"; +}; + +zone "ns5" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns5-7.db"; +}; + +zone "ns6" { + type secondary; + primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; }; + file "ns6.db"; +}; 
diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in
new file mode 100644
index 0000000000..01a2d11f94
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/named.conf.in
@@ -0,0 +1,122 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "ns2" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns2.db"; +}; + +zone "ns2-4" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns2-5-7.db"; +}; + 
+zone "ns5" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns5-7.db"; +}; + +zone "ns6" { + type primary; + allow-update { any; }; + allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; }; + also-notify { 10.53.0.7; 10.53.0.10; }; + dnssec-policy default; + file "ns6.db"; +}; diff --git a/bin/tests/system/checkds/ns5/ns2-4-5.db.in b/bin/tests/system/checkds/ns5/ns2-4-5.db.in new file mode 100644 index 0000000000..3a8b69432e --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-4-5.db.in @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns5 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 + +$ORIGIN explicit.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 
diff --git a/bin/tests/system/checkds/ns5/ns2-4-6.db.in b/bin/tests/system/checkds/ns5/ns2-4-6.db.in new file mode 100644 index 0000000000..b29fabc982 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-4-6.db.in @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 + NS ns6 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4.db.in b/bin/tests/system/checkds/ns5/ns2-4.db.in new file mode 100644 index 0000000000..d5761a52fe --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-4.db.in 
@@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns4 +ns2 A 10.53.0.2 +ns4 A 10.53.0.4 + +$ORIGIN explicit.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-5-7.db.in b/bin/tests/system/checkds/ns5/ns2-5-7.db.in new file mode 100644 index 0000000000..b1fe39c6a5 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2-5-7.db.in 
@@ -0,0 +1,34 @@ + ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 + NS ns5 + NS ns7 +ns2 A 10.53.0.2 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2.db.in b/bin/tests/system/checkds/ns5/ns2.db.in new file mode 100644 index 0000000000..5d59a06b66 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns2.db.in 
@@ -0,0 +1,49 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +no-ent NS ns9.no-ent +ns9.no-ent A 10.53.0.9 + +$ORIGIN explicit.dspublish.ns2. +good NS ns9.good +reference NS ns9.reference +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.reference A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5-6-7.db.in b/bin/tests/system/checkds/ns5/ns5-6-7.db.in new file mode 100644 index 0000000000..6be4649886 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5-6-7.db.in 
@@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns6 + NS ns7 +ns5 A 10.53.0.5 +ns6 A 10.53.0.6 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5-7.db.in b/bin/tests/system/checkds/ns5/ns5-7.db.in new file mode 100644 index 0000000000..14e19858d8 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5-7.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 + NS ns7 +ns5 A 10.53.0.5 +ns7 A 10.53.0.7 + +$ORIGIN explicit.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 + +$ORIGIN no.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 
diff --git a/bin/tests/system/checkds/ns5/ns5.db.in b/bin/tests/system/checkds/ns5/ns5.db.in new file mode 100644 index 0000000000..640af0f78e --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns5.db.in @@ -0,0 +1,49 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +no-ent NS ns9.no-ent +ns9.no-ent A 10.53.0.9 + +$ORIGIN explicit.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN yes.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 + +$ORIGIN no.dsremoved.ns5. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns6.db.in b/bin/tests/system/checkds/ns5/ns6.db.in new file mode 100644 index 0000000000..59e28543e0 --- /dev/null +++ b/bin/tests/system/checkds/ns5/ns6.db.in 
@@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.example. hostmaster.example. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +$ORIGIN explicit.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN explicit.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh new file mode 100644 index 0000000000..d2466f51e5 --- /dev/null +++ b/bin/tests/system/checkds/ns5/setup.sh 
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns5/setup.sh"
+
+for zn in \
+ ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+ ns5 ns5-6-7 ns5-7 ns6
+do
+ zone="${zn}"
+ infile="${zn}.db.infile"
+ zonefile="${zn}.db"
+
+ CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+ cat "${zn}.db.in" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ $SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+ # Copy key to ns2, the other primary.
+ echo "${CSK}" > "../ns2/${zn}.keyname"
+ cp "${CSK}.key" ../ns2/
+ cp "${CSK}.private" ../ns2/
+done
diff --git a/bin/tests/system/checkds/ns6/named.conf.in b/bin/tests/system/checkds/ns6/named.conf.in
new file mode 100644
index 0000000000..cc226fbd95
--- /dev/null
+++ b/bin/tests/system/checkds/ns6/named.conf.in
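Review bot: The `-e` on the shebang line is not in effect the way this script is run — checkds/setup.sh in this commit invokes it as `$SHELL setup.sh`, which ignores the interpreter options in the shebang, so a failing `$KEYGEN` or `$SIGNER` would not stop the setup; add `set -e` right after `. ../../conf.sh`, as checkds/setup.sh itself does. The same applies to ns9/setup.sh in this commit. Quoting is also inconsistent within the loop: `$zone`, `$zonefile` and `$infile` are unquoted on the `$KEYGEN` and `$SIGNER` lines while `"$infile"` and `"$CSK"` are quoted elsewhere; the zone names here are fixed so it is not a functional bug, but `-o "$zone" -O full -f "$zonefile" "$infile"` matches the rest of the script and keeps shellcheck quiet.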
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "foo" {
+ type primary;
+ file "foo.db";
+};
diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in
new file mode 100644
index 0000000000..f3e562b697
--- /dev/null
+++ b/bin/tests/system/checkds/ns7/named.conf.in
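Review bot: The header comment `// NS2` is wrong for this file — every address in it is 10.53.0.6 and the sibling files in this commit say `// NS7` and `// NS8`; change it to `// NS6`. It would also help to say why this server is authoritative only for `zone "foo"`: ns9/named.conf.in lists `10.53.0.6 port @PORT@; // bad` as the misconfigured parental agent, so presumably the point is that ns6 serves none of the test parent zones; a comment such as `// Deliberately not authoritative for any test zone: plays the badly configured parental agent.` would make that intent explicit (confirm that this is the intent).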
@@ -0,0 +1,90 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS7 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "ns2" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns2.db"; +}; + +zone "ns2-4" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns2-5-7.db"; +}; + +zone "ns5" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns5-7.db"; +}; + +zone "ns6" { + type secondary; + primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; }; + file "ns6.db"; +}; 
diff --git a/bin/tests/system/checkds/ns8/named.conf.in b/bin/tests/system/checkds/ns8/named.conf.in new file mode 100644 index 0000000000..69e75eecd3 --- /dev/null +++ b/bin/tests/system/checkds/ns8/named.conf.in 
@@ -0,0 +1,90 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS8 + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "ns2" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns2.db"; +}; + +zone "ns2-4" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns2-4.db"; +}; + +zone "ns2-4-5" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns2-4-5.db"; +}; + +zone "ns2-4-6" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns2-4-6.db"; +}; + +zone "ns2-5-7" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns2-5-7.db"; +}; + +zone "ns5" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns5.db"; +}; + +zone "ns5-6-7" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns5-6-7.db"; +}; + +zone "ns5-7" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns5-7.db"; +}; + +zone "ns6" { + type secondary; + primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; }; + file "ns6.db"; +}; 
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in new file mode 100644 index 0000000000..54dea08527 --- /dev/null +++ b/bin/tests/system/checkds/ns9/named.conf.in 
@@ -0,0 +1,395 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS9 + +include "trusted.conf"; + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +parental-agents "ns8" port @PORT@ { + 10.53.0.8; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +/* + * 1. Enabling DNSSEC + * 1.1 - With one parental agent + * 1.1.1. - DS is correctly published in the parent. + */ +zone "good.explicit.dspublish.ns2" { + type primary; + file "good.explicit.dspublish.ns2.db"; + dnssec-policy "default"; + parental-agents { 10.53.0.8 port @PORT@; }; +}; + +/* Same as above, but now with a reference to parental-agents. */ +zone "reference.explicit.dspublish.ns2" { + type primary; + file "reference.explicit.dspublish.ns2.db"; + dnssec-policy "default"; + parental-agents { "ns8"; }; +}; + +/* Same as above, but now with resolver parental agent configured. */ +zone "resolver.explicit.dspublish.ns2" { + type primary; + file "resolver.explicit.dspublish.ns2.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.3 port @PORT@; + }; +}; + +/* Same as above, but now with auto parental agents. 
*/ +zone "good.yes.dspublish.ns2" { + type primary; + file "good.yes.dspublish.ns2.db"; + dnssec-policy "default"; +}; + +/* Same as above, but with checkds disabled. */ +zone "good.no.dspublish.ns2" { + type primary; + file "good.no.dspublish.ns2.db"; + dnssec-policy "default"; + checkds no; +}; + +/* Same as auto parental agents, but now without empty non-terminals. */ +zone "no-ent.ns2" { + type primary; + file "no-ent.ns2.db"; + dnssec-policy "default"; +}; + +/* + * 1. Enabling DNSSEC + * 1.1 - With one parental agent + * 1.1.2. - DS is not (yet) published in the parent. + */ +zone "not-yet.explicit.dspublish.ns5" { + type primary; + file "not-yet.explicit.dspublish.ns5.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.5 port @PORT@; // missing + }; +}; + +zone "not-yet.yes.dspublish.ns5" { + type primary; + file "not-yet.yes.dspublish.ns5.db"; + dnssec-policy "default"; +}; + +/* + * 1. Enabling DNSSEC + * 1.1 - With one parental agent + * 1.1.3. - The parental agent is badly configured. + */ +zone "bad.explicit.dspublish.ns6" { + type primary; + file "bad.explicit.dspublish.ns6.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.6 port @PORT@; // bad + }; +}; + +zone "bad.yes.dspublish.ns6" { + type primary; + file "bad.yes.dspublish.ns6.db"; + dnssec-policy "default"; +}; + +/* + * 1. Enabling DNSSEC + * 1.1 - With one parental agent + * 1.1.4. - DS is published, but has bogus signature + */ +// TODO + +/* + * 1. Enabling DNSSEC + * 1.2 - With multiple parental agent + * 1.2.1. - DS is correctly published in all parents. 
+ */ +zone "good.explicit.dspublish.ns2-4" { + type primary; + file "good.explicit.dspublish.ns2-4.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.8 port @PORT@; + 10.53.0.4 port @PORT@; + }; +}; + +zone "good.yes.dspublish.ns2-4" { + type primary; + file "good.yes.dspublish.ns2-4.db"; + dnssec-policy "default"; +}; + +zone "good.no.dspublish.ns2-4" { + type primary; + file "good.no.dspublish.ns2-4.db"; + dnssec-policy "default"; + checkds no; +}; + +/* + * 1. Enabling DNSSEC + * 1.2 - With multiple parental agent + * 1.2.2. - DS is not (yet) published in some parents. + */ +zone "incomplete.explicit.dspublish.ns2-4-5" { + type primary; + file "incomplete.explicit.dspublish.ns2-4-5.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.8 port @PORT@; + 10.53.0.4 port @PORT@; + 10.53.0.5 port @PORT@; // missing + }; +}; + +zone "incomplete.yes.dspublish.ns2-4-5" { + type primary; + file "incomplete.yes.dspublish.ns2-4-5.db"; + dnssec-policy "default"; +}; + +/* + * 1. Enabling DNSSEC + * 1.2 - With multiple parental agent + * 1.2.3. - DS is not (yet) published in some parents. + */ +zone "bad.explicit.dspublish.ns2-4-6" { + type primary; + file "bad.explicit.dspublish.ns2-4-6.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.8 port @PORT@; + 10.53.0.4 port @PORT@; + 10.53.0.6 port @PORT@; // bad + }; +}; + +zone "bad.yes.dspublish.ns2-4-6" { + type primary; + file "bad.yes.dspublish.ns2-4-6.db"; + dnssec-policy "default"; +}; + +/* + * 1. Enabling DNSSEC + * 1.2 - With multiple parental agent + * 1.2.4. - DS is completely published, bogus signature. + */ +// TODO + +// TODO: Other test cases: +// - check with TSIG +// - check with TLS + +/* + * 2. Going insecure + * 2.1 - With one parental agent + * 2.1.1. - DS is correctly withdrawn from the parent. 
+ */ +zone "good.explicit.dsremoved.ns5" { + type primary; + file "good.explicit.dsremoved.ns5.db"; + dnssec-policy "insecure"; + parental-agents { 10.53.0.10 port @PORT@; }; +}; + +zone "resolver.explicit.dsremoved.ns5" { + type primary; + file "resolver.explicit.dsremoved.ns5.db"; + dnssec-policy "default"; + parental-agents { + 10.53.0.3 port @PORT@; + }; +}; + +zone "good.yes.dsremoved.ns5" { + type primary; + file "good.yes.dsremoved.ns5.db"; + dnssec-policy "insecure"; +}; + +zone "good.no.dsremoved.ns5" { + type primary; + file "good.no.dsremoved.ns5.db"; + dnssec-policy "insecure"; + checkds no; +}; + +zone "no-ent.ns5" { + type primary; + file "no-ent.ns5.db"; + dnssec-policy "default"; +}; + +/* + * 2. Going insecure + * 2.1 - With one parental agent + * 2.1.2. - DS is (still) published in the parent. + */ +zone "still-there.explicit.dsremoved.ns2" { + type primary; + file "still-there.explicit.dsremoved.ns2.db"; + dnssec-policy "insecure"; + parental-agents { + 10.53.0.2 port @PORT@; // still published + }; +}; + +zone "still-there.yes.dsremoved.ns2" { + type primary; + file "still-there.yes.dsremoved.ns2.db"; + dnssec-policy "insecure"; +}; + +/* + * 2. Going insecure + * 2.1 - With one parental agent + * 2.1.3. - The parental agent is badly configured. + */ +zone "bad.explicit.dsremoved.ns6" { + type primary; + file "bad.explicit.dsremoved.ns6.db"; + dnssec-policy "insecure"; + parental-agents { + 10.53.0.6 port @PORT@; // bad + }; +}; + +zone "bad.yes.dsremoved.ns6" { + type primary; + file "bad.yes.dsremoved.ns6.db"; + dnssec-policy "insecure"; +}; + +/* + * 2. Going insecure + * 2.1 - With one parental agent + * 2.1.4. - DS is withdrawn, but has bogus signature. + */ +// TODO + +/* + * 2. Going insecure + * 2.2. - With multiple parental agents + * 2.2.1. - DS is correctly withdrawn from all parents. 
+ */ +zone "good.explicit.dsremoved.ns5-7" { + type primary; + file "good.explicit.dsremoved.ns5-7.db"; + dnssec-policy "insecure"; + parental-agents { + 10.53.0.10 port @PORT@; + 10.53.0.7 port @PORT@; + }; +}; + +zone "good.yes.dsremoved.ns5-7" { + type primary; + file "good.yes.dsremoved.ns5-7.db"; + dnssec-policy "insecure"; +}; + +zone "good.no.dsremoved.ns5-7" { + type primary; + file "good.no.dsremoved.ns5-7.db"; + dnssec-policy "insecure"; + checkds no; +}; + +/* + * 2. Going insecure + * 2.2. - With multiple parental agents + * 2.2.2. - DS is not (yet) withdrawn from some parents. + */ +zone "incomplete.explicit.dsremoved.ns2-5-7" { + type primary; + file "incomplete.explicit.dsremoved.ns2-5-7.db"; + dnssec-policy "insecure"; + parental-agents { + 10.53.0.2 port @PORT@; // still published + 10.53.0.10 port @PORT@; + 10.53.0.7 port @PORT@; + }; +}; + +zone "incomplete.yes.dsremoved.ns2-5-7" { + type primary; + file "incomplete.yes.dsremoved.ns2-5-7.db"; + dnssec-policy "insecure"; +}; + +/* + * 2. Going insecure + * 2.2. - With multiple parental agents + * 2.2.3. - One parental agent is badly configured. + */ +zone "bad.explicit.dsremoved.ns5-6-7" { + type primary; + file "bad.explicit.dsremoved.ns5-6-7.db"; + dnssec-policy "insecure"; + parental-agents { + 10.53.0.10 port @PORT@; + 10.53.0.7 port @PORT@; + 10.53.0.6 port @PORT@; // bad + }; +}; + +zone "bad.yes.dsremoved.ns5-6-7" { + type primary; + file "bad.yes.dsremoved.ns5-6-7.db"; + dnssec-policy "insecure"; +}; + +/* + * 2. Going insecure + * 2.2. - With multiple parental agents + * 2.2.4. - DS is removed completely, bogus signature + */ +// TODO diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh new file mode 100644 index 0000000000..d3ea25dee9 --- /dev/null +++ b/bin/tests/system/checkds/ns9/setup.sh 
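Review bot: The comment heading for test case 1.2.3 (above `zone "bad.explicit.dspublish.ns2-4-6"`) repeats the 1.2.2 text, `1.2.3. - DS is not (yet) published in some parents.`, although the zones under it exercise a badly configured agent (`10.53.0.6 port @PORT@; // bad`); the corresponding heading in section 2 reads `2.2.3. - One parental agent is badly configured.`, so use `1.2.3. - One parental agent is badly configured.` here. Separately, `resolver.explicit.dsremoved.ns5` and `no-ent.ns5` are the only zones in the "Going insecure" section that keep `dnssec-policy "default"` rather than `"insecure"`, while ns9/setup.sh in this commit signs both with `sign_dsremoved`; if that is deliberate, a one-line comment saying why would stop it from reading as a copy-paste slip.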
@@ -0,0 +1,98 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns9/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ echo "$zone" >> zones
+}
+
+sign_dspublish() {
+ cp template.db.in "$zonefile"
+ keytimes="-P $T -P sync $T -A $T"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ cp "dsset-${zone}." ../ns2/
+}
+
+sign_dsremoved() {
+ cp template.db.in "$zonefile"
+ keytimes="-P $Y -P sync $Y -A $Y"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+ cat "$zonefile" "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ cp "dsset-${zone}." ../ns2/
+}
+
+# Short environment variable names for key states and times.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+T="now-30d"
+Y="now-1y"
+
+# DS Publication.
+for checkds in explicit yes no
+do
+ for zn in \
+ good.${checkds}.dspublish.ns2 \
+ reference.${checkds}.dspublish.ns2 \
+ resolver.${checkds}.dspublish.ns2 \
+ not-yet.${checkds}.dspublish.ns5 \
+ bad.${checkds}.dspublish.ns6 \
+ good.${checkds}.dspublish.ns2-4 \
+ incomplete.${checkds}.dspublish.ns2-4-5 \
+ bad.${checkds}.dspublish.ns2-4-6
+ do
+ setup "${zn}"
+ sign_dspublish
+ done
+done
+
+# DS Withdrawal.
+for checkds in explicit yes no
+do
+ for zn in \
+ good.${checkds}.dsremoved.ns5 \
+ resolver.${checkds}.dsremoved.ns5 \
+ still-there.${checkds}.dsremoved.ns2 \
+ bad.${checkds}.dsremoved.ns6 \
+ good.${checkds}.dsremoved.ns5-7 \
+ incomplete.${checkds}.dsremoved.ns2-5-7 \
+ bad.${checkds}.dsremoved.ns5-6-7
+ do
+ setup "${zn}"
+ sign_dsremoved
+ done
+done
+
+setup "no-ent.ns2"
+sign_dspublish
+
+setup "no-ent.ns5"
+sign_dsremoved
diff --git a/bin/tests/system/checkds/ns9/template.db.in b/bin/tests/system/checkds/ns9/template.db.in
new file mode 100644
index 0000000000..cf0601502e
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns9
+ns9 A 10.53.0.9
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh
new file mode 100644
index 0000000000..828b2e6ace
--- /dev/null
+++ b/bin/tests/system/checkds/setup.sh
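Review bot: `sign_dspublish` and `sign_dsremoved` are the same nine lines apart from the key time (`$T` vs `$Y`), the `-g` goal state (`$O` vs `$H`) and the `-d` DS state (`$R` vs `$U`); one helper taking those three values keeps the `$KEYGEN`/`$SETTIME`/`$SIGNER` steps in a single place so a later option change cannot drift between the two paths. Both functions also rely on `$zone`, `$zonefile` and `$infile` having been set by the preceding `setup` call, which deserves a comment on `setup()` such as `# Sets the globals zone, zonefile and infile that the sign_* functions below use.`. The H/R/O/U/T/Y variables are assigned after the functions are defined, which works because they are expanded only at call time, but a reader may trip on it. The quoting of `$zone`, `$infile` and `$zonefile` in the `cp` and `$SIGNER` lines could follow the quoted `"$zonefile"` and `"$infile"` used elsewhere in the same function.
```sh
# Sign $zone from the template: $1 = key time, $2 = -g goal state, $3 = -d DS state.
# Relies on zone, zonefile and infile having been set by setup().
sign_zone() {
  keytime="$1"
  goal="$2"
  dsstate="$3"
  cp template.db.in "$zonefile"
  keytimes="-P $keytime -P sync $keytime -A $keytime"
  CSK=$($KEYGEN -k default $keytimes "$zone" 2> "keygen.out.$zone")
  $SETTIME -s -g "$goal" -k $O $T -r $O $T -z $O $T -d "$dsstate" $T "$CSK" > "settime.out.$zone" 2>&1
  # … unchanged: cat / private_type_record / cp / $SIGNER / dsset copy …
}

sign_dspublish() { sign_zone "$T" "$O" "$R"; }
sign_dsremoved() { sign_zone "$Y" "$H" "$U"; }
```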
@@ -0,0 +1,48 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+# Setup zones
+(
+ cd ns9
+ $SHELL setup.sh
+)
+(
+ cd ns5
+ $SHELL setup.sh
+)
+(
+ cd ns2
+ $SHELL setup.sh
+)
+(
+ cd ns1
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py
new file mode 100755
index 0000000000..99c91c6168
--- /dev/null
+++ b/bin/tests/system/checkds/tests_checkds.py
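Review bot: The order of the four `( cd nsN; $SHELL setup.sh )` blocks is load-bearing but undocumented: ns9/setup.sh copies `dsset-${zone}.` into `../ns2/` and ns5/setup.sh writes `${zn}.keyname` plus the key files into `../ns2/`, so both must run before ns2's setup, and presumably ns1's setup depends on ns2 in turn. Replace the bare `# Setup zones` with `# Setup zones. Order matters: ns9 and ns5 drop DS sets and keys into ns2/, which ns2/setup.sh consumes.`. The explicit `set -e` duplicates the shebang's `-e` when the script is run directly, but it is the one that survives being run as `$SHELL setup.sh`, so keep it and consider dropping `-e` from the shebang for clarity. The ten `copy_setports` lines could be `for n in 1 2 3 4 5 6 7 8 9 10; do copy_setports "ns$n/named.conf.in" "ns$n/named.conf"; done`, which also makes it obvious that every ns directory is covered.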
@@ -0,0 +1,674 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import mmap +import os +import subprocess +import sys +import time + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import dns.exception +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdataclass +import dns.rdatatype +import dns.resolver + + +pytestmark = pytest.mark.skipif( + sys.version_info < (3, 7), reason="Python >= 3.7 required [GL #3001]" +) + + +def has_signed_apex_nsec(zone, response): + has_nsec = False + has_rrsig = False + + ttl = 300 + nextname = "a." + labelcount = zone.count(".") # zone is specified as FQDN + types = "NS SOA RRSIG NSEC DNSKEY" + match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types) + sig = "{0} {1} IN RRSIG NSEC 13 {2} 300".format(zone, ttl, labelcount) + + for rr in response.answer: + if match in rr.to_text(): + has_nsec = True + if sig in rr.to_text(): + has_rrsig = True + + if not has_nsec: + print("error: missing apex NSEC record in response") + if not has_rrsig: + print("error: missing NSEC signature in response") + + return has_nsec and has_rrsig + + +def do_query(server, qname, qtype, tcp=False): + query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True) + try: + if tcp: + response = dns.query.tcp( + query, server.nameservers[0], timeout=3, port=server.port + ) + else: + response = dns.query.udp( + query, server.nameservers[0], timeout=3, port=server.port + ) + except dns.exception.Timeout: + print( + "error: query timeout for query {} {} to {}".format( + qname, qtype, 
server.nameservers[0] + ) + ) + return None + + return response + + +def verify_zone(zone, transfer): + verify = os.getenv("VERIFY") + assert verify is not None + + filename = "{}out".format(zone) + with open(filename, "w", encoding="utf-8") as file: + for rr in transfer.answer: + file.write(rr.to_text()) + file.write("\n") + + # dnssec-verify command with default arguments. + verify_cmd = [verify, "-z", "-o", zone, filename] + + verifier = subprocess.run(verify_cmd, capture_output=True, check=True) + + if verifier.returncode != 0: + print("error: dnssec-verify {} failed".format(zone)) + sys.stderr.buffer.write(verifier.stderr) + + return verifier.returncode == 0 + + +def read_statefile(server, zone): + addr = server.nameservers[0] + count = 0 + keyid = 0 + state = {} + + response = do_query(server, zone, "DS", tcp=True) + if not isinstance(response, dns.message.Message): + print("error: no response for {} DS from {}".format(zone, addr)) + return {} + + if response.rcode() == dns.rcode.NOERROR: + # fetch key id from response. + for rr in response.answer: + if rr.match( + dns.name.from_text(zone), + dns.rdataclass.IN, + dns.rdatatype.DS, + dns.rdatatype.NONE, + ): + if count == 0: + keyid = list(dict(rr.items).items())[0][0].key_tag + count += 1 + + if count != 1: + print( + "error: expected a single DS in response for {} from {}," + "got {}".format(zone, addr, count) + ) + return {} + else: + print( + "error: {} response for {} DNSKEY from {}".format( + dns.rcode.to_text(response.rcode()), zone, addr + ) + ) + return {} + + filename = "ns9/K{}+013+{:05d}.state".format(zone, keyid) + print("read state file {}".format(filename)) + + try: + with open(filename, "r", encoding="utf-8") as file: + for line in file: + if line.startswith(";"): + continue + key, val = line.strip().split(":", 1) + state[key.strip()] = val.strip() + + except FileNotFoundError: + # file may not be written just yet. 
+ return {} + + return state + + +def zone_check(server, zone): + addr = server.nameservers[0] + fqdn = "{}.".format(zone) + + # wait until zone is fully signed. + signed = False + for _ in range(10): + response = do_query(server, fqdn, "NSEC") + if not isinstance(response, dns.message.Message): + print("error: no response for {} NSEC from {}".format(fqdn, addr)) + elif response.rcode() == dns.rcode.NOERROR: + signed = has_signed_apex_nsec(fqdn, response) + else: + print( + "error: {} response for {} NSEC from {}".format( + dns.rcode.to_text(response.rcode()), fqdn, addr + ) + ) + + if signed: + break + + time.sleep(1) + + assert signed + + # check if zone if DNSSEC valid. + verified = False + transfer = do_query(server, fqdn, "AXFR", tcp=True) + if not isinstance(transfer, dns.message.Message): + print("error: no response for {} AXFR from {}".format(fqdn, addr)) + elif transfer.rcode() == dns.rcode.NOERROR: + verified = verify_zone(fqdn, transfer) + else: + print( + "error: {} response for {} AXFR from {}".format( + dns.rcode.to_text(transfer.rcode()), fqdn, addr + ) + ) + + assert verified + + +def keystate_check(server, zone, key): + fqdn = "{}.".format(zone) + val = 0 + deny = False + + search = key + if key.startswith("!"): + deny = True + search = key[1:] + + for _ in range(10): + state = read_statefile(server, fqdn) + try: + val = state[search] + except KeyError: + pass + + if not deny and val != 0: + break + if deny and val == 0: + break + + time.sleep(1) + + if deny: + assert val == 0 + else: + assert val != 0 + + +def rekey(zone): + rndc = os.getenv("RNDC") + assert rndc is not None + + port = os.getenv("CONTROLPORT") + assert port is not None + + # rndc loadkeys. 
+ rndc_cmd = [ + rndc, + "-c", + "../common/rndc.conf", + "-p", + port, + "-s", + "10.53.0.9", + "loadkeys", + zone, + ] + controller = subprocess.run(rndc_cmd, capture_output=True, check=True) + + if controller.returncode != 0: + print("error: rndc loadkeys {} failed".format(zone)) + sys.stderr.buffer.write(controller.stderr) + + assert controller.returncode == 0 + + +def wait_for_log(filename, zone, log): + found = False + + for _ in range(10): + print("read log file {}".format(filename)) + + try: + with open(filename, "r", encoding="utf-8") as file: + s = mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ) + if s.find(bytes(log, "ascii")) != -1: + found = True + except FileNotFoundError: + print("file not found {}".format(filename)) + + if found: + break + + print("rekey") + rekey(zone) + + print("sleep") + time.sleep(1) + + assert found + + +def checkds_dspublished(named_port, checkds, addr): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # + # 1.1.1: DS is correctly published in parent. + # parental-agents: ns2 + # + + # The simple case. + zone = "good.{}.dspublish.ns2".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from {}".format(zone, addr), + ) + keystate_check(parent, zone, "DSPublish") + + # + # 1.1.2: DS is not published in parent. + # parental-agents: ns5 + # + zone = "not-yet.{}.dspublish.ns5".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.5".format(zone), + ) + keystate_check(parent, zone, "!DSPublish") + + # + # 1.1.3: The parental agent is badly configured. 
+ # parental-agents: ns6 + # + zone = "bad.{}.dspublish.ns6".format(checkds) + zone_check(server, zone) + if checkds == "explicit": + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: bad DS response from 10.53.0.6".format(zone), + ) + elif checkds == "yes": + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: error during parental-agents processing".format( + zone + ), + ) + keystate_check(parent, zone, "!DSPublish") + + # + # 1.1.4: DS is published, but has bogus signature. + # + # TBD + + # + # 1.2.1: DS is correctly published in all parents. + # parental-agents: ns2, ns4 + # + zone = "good.{}.dspublish.ns2-4".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.4".format(zone), + ) + keystate_check(parent, zone, "DSPublish") + + # + # 1.2.2: DS is not published in some parents. + # parental-agents: ns2, ns4, ns5 + # + zone = "incomplete.{}.dspublish.ns2-4-5".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.4".format(zone), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.5".format(zone), + ) + keystate_check(parent, zone, "!DSPublish") + + # + # 1.2.3: One parental agent is badly configured. 
+ # parental-agents: ns2, ns4, ns6 + # + zone = "bad.{}.dspublish.ns2-4-6".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.4".format(zone), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: bad DS response from 10.53.0.6".format(zone), + ) + keystate_check(parent, zone, "!DSPublish") + + # + # 1.2.4: DS is completely published, bogus signature. + # + # TBD + + # TBD: Check with TSIG + # TBD: Check with TLS + + +def checkds_dswithdrawn(named_port, checkds, addr): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # + # 2.1.1: DS correctly withdrawn from the parent. + # parental-agents: ns5 + # + + # The simple case. + zone = "good.{}.dsremoved.ns5".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from {}".format(zone, addr), + ) + keystate_check(parent, zone, "DSRemoved") + + # + # 2.1.2: DS is published in the parent. + # parental-agents: ns2 + # + zone = "still-there.{}.dsremoved.ns2".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.2".format(zone), + ) + keystate_check(parent, zone, "!DSRemoved") + + # + # 2.1.3: The parental agent is badly configured. 
+ # parental-agents: ns6 + # + zone = "bad.{}.dsremoved.ns6".format(checkds) + zone_check(server, zone) + if checkds == "explicit": + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: bad DS response from 10.53.0.6".format(zone), + ) + elif checkds == "yes": + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: error during parental-agents processing".format( + zone + ), + ) + keystate_check(parent, zone, "!DSRemoved") + + # + # 2.1.4: DS is withdrawn, but has bogus signature. + # + # TBD + + # + # 2.2.1: DS is correctly withdrawn from all parents. + # parental-agents: ns5, ns7 + # + zone = "good.{}.dsremoved.ns5-7".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.7".format(zone), + ) + keystate_check(parent, zone, "DSRemoved") + + # + # 2.2.2: DS is not withdrawn from some parents. + # parental-agents: ns2, ns5, ns7 + # + zone = "incomplete.{}.dsremoved.ns2-5-7".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.2".format(zone), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.7".format(zone), + ) + keystate_check(parent, zone, "!DSRemoved") + + # + # 2.2.3: One parental agent is badly configured. 
+ # parental-agents: ns5, ns6, ns7 + # + zone = "bad.{}.dsremoved.ns5-6-7".format(checkds) + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from {}".format(zone, addr), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.7".format(zone), + ) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: bad DS response from 10.53.0.6".format(zone), + ) + keystate_check(parent, zone, "!DSRemoved") + + # + # 2.2.4:: DS is removed completely, bogus signature. + # + # TBD + + +def test_checkds_reference(named_port): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # Using a reference to parental-agents. + zone = "reference.explicit.dspublish.ns2" + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.8".format(zone), + ) + keystate_check(parent, zone, "DSPublish") + + +def test_checkds_resolver(named_port): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # Using a resolver as parental-agent (ns3). + zone = "resolver.explicit.dspublish.ns2" + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.3".format(zone), + ) + keystate_check(parent, zone, "DSPublish") + + # Using a resolver as parental-agent (ns3). 
+ zone = "resolver.explicit.dsremoved.ns5" + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: empty DS response from 10.53.0.3".format(zone), + ) + keystate_check(parent, zone, "DSRemoved") + + +def test_checkds_no_ent(named_port): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + zone = "no-ent.ns2" + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.2".format(zone), + ) + keystate_check(parent, zone, "DSPublish") + + zone = "no-ent.ns5" + zone_check(server, zone) + wait_for_log( + "ns9/named.run", + zone, + "zone {}/IN (signed): checkds: DS response from 10.53.0.5".format(zone), + ) + keystate_check(parent, zone, "DSRemoved") + + +def test_checkds_dspublished(named_port): + checkds_dspublished(named_port, "explicit", "10.53.0.8") + checkds_dspublished(named_port, "yes", "10.53.0.2") + + +def test_checkds_dswithdrawn(named_port): + checkds_dswithdrawn(named_port, "explicit", "10.53.0.10") + checkds_dswithdrawn(named_port, "yes", "10.53.0.5") + + +def test_checkds_no(named_port): + # We create resolver instances that will be used to send queries. 
+ server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + zone_check(server, "good.no.dspublish.ns2") + keystate_check(parent, "good.no.dspublish.ns2", "!DSPublish") + + zone_check(server, "good.no.dspublish.ns2-4") + keystate_check(parent, "good.no.dspublish.ns2-4", "!DSPublish") + + zone_check(server, "good.no.dsremoved.ns5") + keystate_check(parent, "good.no.dsremoved.ns5", "!DSRemoved") + + zone_check(server, "good.no.dsremoved.ns5-7") + keystate_check(parent, "good.no.dsremoved.ns5-7", "!DSRemoved") diff --git a/bin/tests/system/checknames/clean.sh b/bin/tests/system/checknames/clean.sh index 1f439b08db..fcbd504469 100644 --- a/bin/tests/system/checknames/clean.sh +++ b/bin/tests/system/checknames/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -17,6 +19,8 @@ rm -f ns1/*.update.db rm -f ns1/*.update.db.jnl rm -f ns4/*.update.db rm -f ns4/*.update.db.jnl +rm -f ns5/*.update.db +rm -f ns5/*.update.db.jnl rm -f */named.memstats rm -f */named.run rm -f ns*/named.lock diff --git a/bin/tests/system/checknames/ns1/fail.example.db.in b/bin/tests/system/checknames/ns1/fail.example.db.in index a984471212..c4c06c3681 100644 --- a/bin/tests/system/checknames/ns1/fail.example.db.in +++ b/bin/tests/system/checknames/ns1/fail.example.db.in 
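Review bot: In `verify_zone` and `rekey`, `subprocess.run(..., capture_output=True, check=True)` raises `CalledProcessError` on a non-zero exit, so the `if verifier.returncode != 0:` and `if controller.returncode != 0:` branches that print the failure and write the captured stderr can never run, and a failing `dnssec-verify` or `rndc loadkeys` shows up only as a bare traceback with its stderr lost. Using `check=False` lets the existing diagnostic branches and the following `assert`/`return` do their job: `verifier = subprocess.run(verify_cmd, capture_output=True, check=False)` and `controller = subprocess.run(rndc_cmd, capture_output=True, check=False)`. Separately, `wait_for_log` maps the log with `mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ)`, which raises `ValueError` on a zero-length file rather than the `FileNotFoundError` the loop catches; probably harmless for `named.run`, but worth either catching `ValueError` in the same `except` or a short comment stating the file is assumed non-empty.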
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/fail.update.db.in b/bin/tests/system/checknames/ns1/fail.update.db.in index 218f6bc35b..a360cfd5d3 100644 --- a/bin/tests/system/checknames/ns1/fail.update.db.in +++ b/bin/tests/system/checknames/ns1/fail.update.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/ignore.example.db.in b/bin/tests/system/checknames/ns1/ignore.example.db.in index 050041e2eb..148fa6ab68 100644 --- a/bin/tests/system/checknames/ns1/ignore.example.db.in +++ b/bin/tests/system/checknames/ns1/ignore.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/ignore.update.db.in b/bin/tests/system/checknames/ns1/ignore.update.db.in index f7864ab322..0925cef3b8 100644 --- a/bin/tests/system/checknames/ns1/ignore.update.db.in +++ b/bin/tests/system/checknames/ns1/ignore.update.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/named.conf.in b/bin/tests/system/checknames/ns1/named.conf.in index 11ddbc2f26..a6a3a663f4 100644 --- a/bin/tests/system/checknames/ns1/named.conf.in +++ b/bin/tests/system/checknames/ns1/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/root.db b/bin/tests/system/checknames/ns1/root.db index 1a0d44bdc5..bc026a54d1 100644 --- a/bin/tests/system/checknames/ns1/root.db +++ b/bin/tests/system/checknames/ns1/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/warn.example.db.in b/bin/tests/system/checknames/ns1/warn.example.db.in index bc4d1c08fc..7b636fdca1 100644 --- a/bin/tests/system/checknames/ns1/warn.example.db.in +++ b/bin/tests/system/checknames/ns1/warn.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns1/warn.update.db.in b/bin/tests/system/checknames/ns1/warn.update.db.in index 1bf280a907..9a9af979a9 100644 --- a/bin/tests/system/checknames/ns1/warn.update.db.in +++ b/bin/tests/system/checknames/ns1/warn.update.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns2/named.conf.in b/bin/tests/system/checknames/ns2/named.conf.in index 84699440c8..3ba62e1a8d 100644 --- a/bin/tests/system/checknames/ns2/named.conf.in +++ b/bin/tests/system/checknames/ns2/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns2/root.hints b/bin/tests/system/checknames/ns2/root.hints index 962d33d9d0..5e89d74e6c 100644 --- a/bin/tests/system/checknames/ns2/root.hints +++ b/bin/tests/system/checknames/ns2/root.hints @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns3/named.conf.in b/bin/tests/system/checknames/ns3/named.conf.in index 00c6836d50..7c0cacb5ae 100644 --- a/bin/tests/system/checknames/ns3/named.conf.in +++ b/bin/tests/system/checknames/ns3/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns3/root.hints b/bin/tests/system/checknames/ns3/root.hints index 962d33d9d0..5e89d74e6c 100644 --- a/bin/tests/system/checknames/ns3/root.hints +++ b/bin/tests/system/checknames/ns3/root.hints @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checknames/ns4/master-ignore.update.db.in b/bin/tests/system/checknames/ns4/master-ignore.update.db.in deleted file mode 100644 index f7864ab322..0000000000 --- a/bin/tests/system/checknames/ns4/master-ignore.update.db.in +++ /dev/null 
@@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -@ SOA ns1.ignore.update. hostmaster.ignore.update. ( - 1 3600 1200 604800 3600 ) - NS ns1.ignore.update. -ns1.ignore.update. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns4/named.conf.in b/bin/tests/system/checknames/ns4/named.conf.in index 9043dbd381..f0cb87093b 100644 --- a/bin/tests/system/checknames/ns4/named.conf.in +++ b/bin/tests/system/checknames/ns4/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -20,6 +22,7 @@ options { recursion yes; dnssec-validation yes; check-names primary ignore; + check-names secondary ignore; notify yes; }; @@ -28,8 +31,14 @@ zone "." { file "root.hints"; }; -zone "master-ignore.update" { +zone "primary-ignore.update" { type primary; - file "master-ignore.update.db"; + file "primary-ignore.update.db"; allow-update { any; }; }; + +zone "master-ignore.update" { + type secondary; + primaries { 10.53.0.5; }; + file "secondary-ignore.update.db"; +}; 
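Review bot: The new secondary zone stores its copy as `secondary-ignore.update.db`, while ns5 (added in the same change) names its secondary copy of `primary-ignore.update` after the zone, `primary-ignore.update.db`; picking one convention for the pair would make the mirrored setup easier to follow. Nothing in the hunk records why ns4 and ns5 are each other's secondary, and a one-line comment on the zone, e.g. `// secondary copy of ns5's zone; exercises "check-names secondary ignore"`, would capture the intent (inferred from the option added in the hunk above — please confirm).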
diff --git a/bin/tests/system/checknames/ns4/primary-ignore.update.db.in b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in
new file mode 100644
index 0000000000..b343cb1ed3
--- /dev/null
+++ b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA ns4 hostmaster.ignore.update. (
+ 1 3600 1200 604800 3600 )
+ NS ns4
+ NS ns5
+ns4 A 10.53.0.4
+ns5 A 10.53.0.5
diff --git a/bin/tests/system/checknames/ns4/root.hints b/bin/tests/system/checknames/ns4/root.hints
index 962d33d9d0..5e89d74e6c 100644
--- a/bin/tests/system/checknames/ns4/root.hints
+++ b/bin/tests/system/checknames/ns4/root.hints
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checknames/ns5/master-ignore.update.db.in b/bin/tests/system/checknames/ns5/master-ignore.update.db.in
new file mode 100644
index 0000000000..1057248842
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/master-ignore.update.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA ns5. hostmaster.ignore.update. (
+	1 3600 1200 604800 3600 )
+	NS ns4
+	NS ns5
+ns4 A 10.53.0.4
+ns5 A 10.53.0.5
diff --git a/bin/tests/system/checknames/ns5/named.conf.in b/bin/tests/system/checknames/ns5/named.conf.in
new file mode 100644
index 0000000000..1797aa1eb2
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	check-names master ignore;
+	check-names slave ignore;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+zone "master-ignore.update" {
+	type primary;
+	file "master-ignore.update.db";
+	allow-update { any; };
+};
+
+zone "primary-ignore.update" {
+	type secondary;
+	primaries { 10.53.0.4; };
+	file "primary-ignore.update.db";
+};
diff --git a/bin/tests/system/checknames/ns5/root.hints b/bin/tests/system/checknames/ns5/root.hints
new file mode 100644
index 0000000000..5e89d74e6c
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/root.hints
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. NS ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/setup.sh b/bin/tests/system/checknames/setup.sh
index ce5a04d237..d80e746223 100644
--- a/bin/tests/system/checknames/setup.sh
+++ b/bin/tests/system/checknames/setup.sh
@@ -1,7 +1,11 @@
+#!/bin/sh
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
@@ -15,6 +19,7 @@ copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
 
 cp ns1/ignore.example.db.in ns1/ignore.example.db
 cp ns1/warn.example.db.in ns1/warn.example.db
@@ -24,4 +29,6 @@ cp ns1/ignore.update.db.in ns1/ignore.update.db
 cp ns1/warn.update.db.in ns1/warn.update.db
 cp ns1/fail.update.db.in ns1/fail.update.db
 
-cp ns4/master-ignore.update.db.in ns4/master-ignore.update.db
+cp ns4/primary-ignore.update.db.in ns4/primary-ignore.update.db
+
+cp ns5/master-ignore.update.db.in ns5/master-ignore.update.db
diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh
index 9b48da3147..47ba8013fe 100644
--- a/bin/tests/system/checknames/tests.sh
+++ b/bin/tests/system/checknames/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 . ../conf.sh
 
 status=0
@@ -16,6 +20,12 @@ n=1
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
 
+wait_for_record () {
+	$DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1
+	grep NOERROR "$4" > /dev/null || return 1
+	return 0
+}
+
 # Entry should exist.
 echo_i "check for failure from on zone load for 'check-names fail;' ($n)"
 ret=0
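Review bot: `wait_for_record` in the second hunk carries no comment describing its four positional arguments or that it is written to be driven by a retry helper, so a reader has to locate the `retry_quiet 35 wait_for_record …` call sites further down to see why it returns non-zero instead of recording a failure. I would put `# wait_for_record NAME @SERVER TYPE OUTFILE: run one dig query into OUTFILE and succeed only when the reply status is NOERROR (meant to be polled via retry_quiet until the record is visible)` above the function. The trailing `return 0` is redundant after the two `|| return 1` guards and can be dropped, though that is only style. Note also that the `set -e` added in the first hunk makes any unguarded non-zero command abort the whole script, so every new check in this file must keep its `|| ret=1` / `&& ret=1` form rather than being run bare.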
@@ -23,24 +33,24 @@ $DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
 grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
 grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 # Entry should exist.
 echo_i "check for warnings from on zone load for 'check-names warn;' ($n)"
 ret=0
 grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 # Entry should not exist.
 echo_i "check for warnings from on zone load for 'check-names ignore;' ($n)"
 ret=1
 grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 # Entry should exist
 echo_i "check that 'check-names response warn;' works ($n)"
@@ -50,8 +60,8 @@ $DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n ||
 digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
 grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 # Entry should exist
 echo_i "check that 'check-names response (owner) fails;' works ($n)"
@@ -62,8 +72,8 @@ grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
 grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
 grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 # Entry should exist
 echo_i "check that 'check-names response (rdata) fails;' works ($n)"
@@ -74,8 +84,8 @@ grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
 grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
 grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 echo_i "check that updates to 'check-names fail;' are rejected ($n)"
 ret=0
@@ -91,8 +101,8 @@ $DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
 grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
 grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)"
 ret=0
@@ -106,8 +116,8 @@ $DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
 grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
 grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)"
 ret=0
@@ -123,8 +133,8 @@ if [ $not != 0 ]; then ret=1; fi
 $DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
 grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
 
 echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
 ret=0
@@ -132,16 +142,51 @@ not=1
 $NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1
 check-names off
 server 10.53.0.4 ${PORT}
-update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
+update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1
 send
 END
-grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
+grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0
 if [ $not != 0 ]; then ret=1; fi
-$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
 grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-n=`expr $n + 1`
+status=$((status + ret))
+n=$((n + 1))
+
+echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1
+check-names off
+server 10.53.0.5 ${PORT}
+update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1
+grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
+
+echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)"
+ret=0
+# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary)
+# and the zone is still loading when we get to this point.
+retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1
+grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n + 1))
+
+echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
+ret=0
+retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1
+grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checknames/tests_sh_checknames.py b/bin/tests/system/checknames/tests_sh_checknames.py
new file mode 100644
index 0000000000..e0e035b439
--- /dev/null
+++ b/bin/tests/system/checknames/tests_sh_checknames.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_checknames(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/checkzone/clean.sh b/bin/tests/system/checkzone/clean.sh
index 6cc28c57ea..cb189a306e 100644
--- a/bin/tests/system/checkzone/clean.sh
+++ b/bin/tests/system/checkzone/clean.sh
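Review bot: The last new test in this hunk reuses the label `check that updates to 'check-names master ignore;' succeed and are not logged`, which is already the label of the ns5 direct-update test earlier in the same hunk; this one waits for `xxx_xxx.primary-ignore.update` on 10.53.0.5, where ns5 is a secondary for that zone configured with `check-names slave ignore;`, so the line should read `echo_i "check that updates to 'check-names slave ignore;' succeed and are not logged ($n)"` to keep the numbered results distinguishable. The four new blocks also alternate between `$((status+ret))`/`$((n+1))` and the `$((status + ret))`/`$((n + 1))` spacing used in the rest of the file; one form should be used throughout. The transfer-delay comment explains only the ns4 wait, while the ns5 wait right after it depends on the reverse transfer and has no comment; a one-liner such as `# same transfer delay in the other direction (ns4 primary, ns5 secondary)` would make that symmetric.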
@@ -1,12 +1,17 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f test.* good1.db.map good1.db.raw named-compilezone +rm -f test.* good1.db.raw named-compilezone rm -f ns*/named.lock +rm -f zones/bad-tsig.db rm -f zones/zone1_*.txt diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh index 317ee4650d..4518c5669f 100644 --- a/bin/tests/system/checkzone/setup.sh +++ b/bin/tests/system/checkzone/setup.sh @@ -1,7 +1,11 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -13,5 +17,5 @@ ln -s $CHECKZONE named-compilezone ./named-compilezone -D -F raw -o good1.db.raw example \ zones/good1.db > /dev/null 2>&1 -./named-compilezone -D -F map -o good1.db.map example \ - zones/good1.db > /dev/null 2>&1 + +copy_setports zones/bad-tsig.db.in zones/bad-tsig.db diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index 8bab669a50..169e411c9e 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh 
@@ -1,12 +1,18 @@
+#!/bin/sh
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 . ../conf.sh
 
 status=0
@@ -27,9 +33,9 @@ do
 	$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
 	;;
 	esac
-	n=`expr $n + 1`
+	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=`expr $status + $ret`
+	status=$((status+ret))
 done
 
 for db in zones/bad*.db
@@ -37,7 +43,7 @@ do
 	echo_i "checking $db ($n)"
 	ret=0 v=0
 	case $db in
-	zones/bad-dns-sd-reverse.db)
+	zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db)
 		$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$?
 		;;
 	*)
@@ -45,9 +51,9 @@ do
 		;;
 	esac
 	test $v = 1 || ret=1
-	n=`expr $n + 1`
+	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=`expr $status + $ret`
+	status=$((status+ret))
 done
 
 echo_i "checking with journal file ($n)"
@@ -55,16 +61,16 @@ ret=0
 $CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
 $CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
-jlines=`$JOURNALPRINT test.orig.db.jnl | wc -l`
+jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
 [ $jlines = 3 ] || ret=1
 $CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
 cmp -s test.changed.db test.out1.db || ret=1
 mv -f test.orig.db.jnl test.journal
 $CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
 cmp -s test.changed.db test.out2.db || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with spf warnings ($n)"
 ret=0
@@ -76,65 +82,57 @@ grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
 grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
 grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
 grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with max ttl (text) ($n)"
 ret=0
 $CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
 $CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with max ttl (raw) ($n)"
 ret=0
 $CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
 $CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking with max ttl (map) ($n)"
-ret=0
-$CHECKZONE -f map -l 300 example good1.db.map > test.out1.$n 2>&1 && ret=1
-$CHECKZONE -f map -l 600 example good1.db.map > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
 ret=0
 $CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
 ret=0
 $CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
 ret=0
 $CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that raw zone with bad class is handled ($n)"
 ret=0
 $CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
 grep "failed: bad class" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
 ret=0
@@ -161,47 +159,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 $CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 $CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "checking that named-compilezone works when reading input from stdin ($n)" ret=0 # Step 1: take raw input from stdin and convert it to text/relative format. # Last argument "-" is optional, but it says more explicitly that we're reading from stdin. cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \ -o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1 -status=`expr $status + $ret` +status=$((status+ret)) ret=0 # Step 2: take raw input from file and convert it to text format. 
./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \ zone1.com zones/zone1.db > /dev/null || ret=1 -status=`expr $status + $ret` +status=$((status+ret)) ret=0 # Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file. -$DIFF zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1 -status=`expr $status + $ret` +diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +n=$((n+1)) +ret=0 +echo_i "checking integer overflow is prevented in \$GENERATE ($n)" +$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1 +lines=$(grep -c CNAME test.out.$n) +echo $lines +[ "$lines" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/tests_sh_checkzone.py b/bin/tests/system/checkzone/tests_sh_checkzone.py new file mode 100644 index 0000000000..87613cbb26 --- /dev/null +++ b/bin/tests/system/checkzone/tests_sh_checkzone.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_checkzone(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb1.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb1.db new file mode 100644 index 0000000000..539db80d49 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb1.db 
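Review bot: `lines=$(grep -c CNAME test.out.$n)` in the new \$GENERATE overflow check will, under the `set -e` this commit adds at the top of the file, terminate the script outright when no CNAME is present (grep -c exits 1 on a zero count), so the failing case dies before the "failed" message and the exit-status summary instead of being counted in `$status`; use `lines=$(grep -c CNAME test.out.$n || true)` so the `[ "$lines" -eq 1 ] || ret=1` line does the judging. The bare `echo $lines` directly after it looks like leftover debugging output and should be removed, or turned into `echo_i "$lines CNAME records generated"` if the count is worth keeping in the log. The `n=$((n+1))` / `ret=0` pair is also placed after the `status` update for the stdin test, ahead of the `echo_i` that names the new test, which inverts the ordering every other block in this file uses.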
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no alpn specified +_dns SVCB 1 ns dohpath=/{?dns} diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb2.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb2.db new file mode 100644 index 0000000000..43cfb6bff2 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb2.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no dohpath +_dns SVCB 1 ns alpn=http/1.1 diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb3.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb3.db new file mode 100644 index 0000000000..8323af525d --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb3.db 
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no dohpath +_dns SVCB 1 ns alpn=h2 diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb4.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb4.db new file mode 100644 index 0000000000..389f1a317f --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb4.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no dohpath +_dns SVCB 1 ns alpn=h3 diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb5.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb5.db new file mode 100644 index 0000000000..50265a34a2 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb5.db 
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no dohpath +_443._dns SVCB 1 ns alpn=h1\\,h2 diff --git a/bin/tests/system/checkzone/zones/bad-_dns-svcb6.db b/bin/tests/system/checkzone/zones/bad-_dns-svcb6.db new file mode 100644 index 0000000000..7a563dfa52 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-_dns-svcb6.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; no dohpath +_443._dns SVCB 1 ns alpn=x1\\,h2 diff --git a/bin/tests/system/checkzone/zones/bad-caa-rr.db b/bin/tests/system/checkzone/zones/bad-caa-rr.db index 9d22cd3327..fb7b8618da 100644 Binary files a/bin/tests/system/checkzone/zones/bad-caa-rr.db and b/bin/tests/system/checkzone/zones/bad-caa-rr.db differ diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db index e3c0ded019..d109423759 100644 --- a/bin/tests/system/checkzone/zones/bad-cdnskey.db +++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db 
@@ -1,4 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + example. 0 SOA . . 0 0 0 0 0 example. 0 NS . example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= -example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= +example. 0 CDNSKEY 257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db index 9cd48a164f..2ce4a0d0da 100644 --- a/bin/tests/system/checkzone/zones/bad-cds.db +++ b/bin/tests/system/checkzone/zones/bad-cds.db 
@@ -1,6 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + example. 0 SOA . . 0 0 0 0 0 example. 0 NS . example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= -; Actual CDS -; example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C -example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B +example. 0 CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B diff --git a/bin/tests/system/checkzone/zones/bad-dhcid.db b/bin/tests/system/checkzone/zones/bad-dhcid.db index 74381086d4..df36eb7d91 100644 --- a/bin/tests/system/checkzone/zones/bad-dhcid.db +++ b/bin/tests/system/checkzone/zones/bad-dhcid.db @@ -1,2 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + @ 3600 DHCID @ 3600 DHCID 
diff --git a/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db index 9635a7ab1e..c766c8f0de 100644 --- a/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db +++ b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/bad-ds-2.db b/bin/tests/system/checkzone/zones/bad-ds-2.db new file mode 100644 index 0000000000..09d29f72d5 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-ds-2.db 
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+foo.example. 0 DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
diff --git a/bin/tests/system/checkzone/zones/bad-ds.db b/bin/tests/system/checkzone/zones/bad-ds.db
index 723843a995..9363cb0ae0 100644
--- a/bin/tests/system/checkzone/zones/bad-ds.db
+++ b/bin/tests/system/checkzone/zones/bad-ds.db
@@ -1,3 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/bad-eid.db b/bin/tests/system/checkzone/zones/bad-eid.db
index 65a44fd83e..ba568ef09f 100644
--- a/bin/tests/system/checkzone/zones/bad-eid.db
+++ b/bin/tests/system/checkzone/zones/bad-eid.db
@@ -1,2 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 @ EID
 @ EID
diff --git a/bin/tests/system/checkzone/zones/bad-generate-garbage.db b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
new file mode 100644
index 0000000000..0d66e753b6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,dgarbagegarbage}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
new file mode 100644
index 0000000000..314583e71a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1000
diff --git a/bin/tests/system/checkzone/zones/bad-generate-range.db b/bin/tests/system/checkzone/zones/bad-generate-range.db
new file mode 100644
index 0000000000..62a9e15684
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-range.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1 host$ TXT foo${2147483647}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-tkey.db b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
index f86f15c793..8c05e51dfc 100644
--- a/bin/tests/system/checkzone/zones/bad-generate-tkey.db
+++ b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-nimloc.db b/bin/tests/system/checkzone/zones/bad-nimloc.db
index fa059416d9..56d04c627b 100644
--- a/bin/tests/system/checkzone/zones/bad-nimloc.db
+++ b/bin/tests/system/checkzone/zones/bad-nimloc.db
@@ -1,2 +1,10 @@
-@ 3600 NIMLOC
-@ 3600 NIMLOC
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
\ No newline at end of file
diff --git a/bin/tests/system/checkzone/zones/bad-nsap-empty.db b/bin/tests/system/checkzone/zones/bad-nsap-empty.db
index 3ed2451a8a..fb8fdd04db 100644
--- a/bin/tests/system/checkzone/zones/bad-nsap-empty.db
+++ b/bin/tests/system/checkzone/zones/bad-nsap-empty.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
index f8c82f5a07..d287648ec6 100644
--- a/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
+++ b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
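Review bot: The bad-nimloc.db hunk removes both `@ 3600 NIMLOC` records and leaves the file holding nothing but the license header, so the fixture no longer contains the malformed NIMLOC data its name promises and a checkzone run against it would be exercising an empty comment-only file instead. The sibling hunks for bad-dhcid.db and bad-eid.db keep their records as context, which suggests the records were dropped by accident while the header was inserted; the new file also ends with `\ No newline at end of file`. Restore the two `@ 3600 NIMLOC` lines after the header, with a trailing newline, so the fixture keeps testing what it tested before.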
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-nsec3-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
index 77d8ead2ab..8212bc4588 100644
--- a/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
+++ b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
index 3f9bbb6a9c..bf3c5abc46 100644
--- a/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
+++ b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db
new file mode 100644
index 0000000000..368f0ca309
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+svcb SVCB 0 . mandatory=alpn
diff --git a/bin/tests/system/checkzone/zones/bad-svcb-servername.db b/bin/tests/system/checkzone/zones/bad-svcb-servername.db
new file mode 100644
index 0000000000..61751a02c3
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb-servername.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+svcb SVCB 1 _underscore.example. port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE="
diff --git a/bin/tests/system/checkzone/zones/bad-svcb.db b/bin/tests/system/checkzone/zones/bad-svcb.db
new file mode 100644
index 0000000000..ad710bf0cc
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+svcb SVCB 0 . unknown=wha
diff --git a/bin/tests/system/checkzone/zones/bad-tkey.db b/bin/tests/system/checkzone/zones/bad-tkey.db
index 00f25db9a8..a030074985 100644
--- a/bin/tests/system/checkzone/zones/bad-tkey.db
+++ b/bin/tests/system/checkzone/zones/bad-tkey.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db b/bin/tests/system/checkzone/zones/bad-tsig.db
deleted file mode 100644
index 76af2e9a2b..0000000000
--- a/bin/tests/system/checkzone/zones/bad-tsig.db
+++ /dev/null
@@ -1,15 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 600
-@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
- NS ns
-ns A 192.0.2.1
-
-tsig TSIG hmac-sha1. 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db.in b/bin/tests/system/checkzone/zones/bad-tsig.db.in
new file mode 100644
index 0000000000..daef06c394
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-tsig.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+tsig TSIG @DEFAULT_HMAC@ 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
diff --git a/bin/tests/system/checkzone/zones/bad-unspec.db b/bin/tests/system/checkzone/zones/bad-unspec.db
index 2352ff95f0..e5abefea21 100644
--- a/bin/tests/system/checkzone/zones/bad-unspec.db
+++ b/bin/tests/system/checkzone/zones/bad-unspec.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad1.db b/bin/tests/system/checkzone/zones/bad1.db
index c17ab0cdf8..05ab829644 100644
Binary files a/bin/tests/system/checkzone/zones/bad1.db and b/bin/tests/system/checkzone/zones/bad1.db differ
diff --git a/bin/tests/system/checkzone/zones/bad2.db b/bin/tests/system/checkzone/zones/bad2.db
index e6afacdd4a..38e82e6956 100644
--- a/bin/tests/system/checkzone/zones/bad2.db
+++ b/bin/tests/system/checkzone/zones/bad2.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad3.db b/bin/tests/system/checkzone/zones/bad3.db
index 44e45e5102..1391afe7f0 100644
--- a/bin/tests/system/checkzone/zones/bad3.db
+++ b/bin/tests/system/checkzone/zones/bad3.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/bad4.db b/bin/tests/system/checkzone/zones/bad4.db
index 4e6ec79b18..99def7a70c 100644
--- a/bin/tests/system/checkzone/zones/bad4.db
+++ b/bin/tests/system/checkzone/zones/bad4.db
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/badttl.db b/bin/tests/system/checkzone/zones/badttl.db index 43fb41a3ca..95cd422bb0 100644 --- a/bin/tests/system/checkzone/zones/badttl.db +++ b/bin/tests/system/checkzone/zones/badttl.db @@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL @ SOA ns hostmaster 2011012708 3600 1200 604800 1200 NS ns diff --git a/bin/tests/system/checkzone/zones/crashzone.db b/bin/tests/system/checkzone/zones/crashzone.db index c6bd4e948d..2a62e2a09d 100644 --- a/bin/tests/system/checkzone/zones/crashzone.db +++ b/bin/tests/system/checkzone/zones/crashzone.db 
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
index d26f51b5d6..78c1029171 100644
--- a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
+++ b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/generate-overflow.db b/bin/tests/system/checkzone/zones/generate-overflow.db
new file mode 100644
index 0000000000..c16b517481
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/generate-overflow.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 19-28/2147483645 $ CNAME x
diff --git a/bin/tests/system/checkzone/zones/good-cdnskey.db b/bin/tests/system/checkzone/zones/good-cdnskey.db
index 7ab4b3f4eb..7892f13c16 100644
--- a/bin/tests/system/checkzone/zones/good-cdnskey.db
+++ b/bin/tests/system/checkzone/zones/good-cdnskey.db
@@ -1,3 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/good-cds-unsigned.db b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
index affb60039f..9b1737db48 100644
--- a/bin/tests/system/checkzone/zones/good-cds-unsigned.db
+++ b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
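Review bot: generate-overflow.db is the only new fixture in this series without a `good-` or `bad-` prefix, so unlike bad-generate-range.db or good-generate-modifier.db its name does not say whether checkzone is expected to accept or reject the `$GENERATE 19-28/2147483645 $ CNAME x` directive. The step value is close to the `int` limit that bad-generate-range.db's comment mentions, which suggests a rejection case, but that is inference. Either rename it to match the convention or add a one-line comment above the directive, e.g. `; expected: rejected, the step 2147483645 cannot be applied within the range`, stating the intended outcome.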
@@ -1,3 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 CDS 0 0 0 00
diff --git a/bin/tests/system/checkzone/zones/good-cds.db b/bin/tests/system/checkzone/zones/good-cds.db
index dcd5f3997d..9200657d32 100644
--- a/bin/tests/system/checkzone/zones/good-cds.db
+++ b/bin/tests/system/checkzone/zones/good-cds.db
@@ -1,3 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
 example. 0 SOA . . 0 0 0 0 0
 example. 0 NS .
 example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
index 566ce5b3e9..fffd27b834 100644
--- a/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
+++ b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-gc-msdcs.db b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
index cf9bc74585..defd550fc0 100644
--- a/bin/tests/system/checkzone/zones/good-gc-msdcs.db
+++ b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-generate-modifier.db b/bin/tests/system/checkzone/zones/good-generate-modifier.db
new file mode 100644
index 0000000000..3c811d60e0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-generate-modifier.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,d}
+$GENERATE 8-9 host$ A 1.2.3.${1,0}
+$GENERATE 10-11 host$ A 1.2.3.${1}
+$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}
diff --git a/bin/tests/system/checkzone/zones/good-nsap.db b/bin/tests/system/checkzone/zones/good-nsap.db
index c7bc655a1c..8ad9ee050a 100644
--- a/bin/tests/system/checkzone/zones/good-nsap.db
+++ b/bin/tests/system/checkzone/zones/good-nsap.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
index 4b4d4e4c57..5bd378ca4e 100644
--- a/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
+++ b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
index caa78561aa..80fc4a6ff9 100644
--- a/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
index bdc8c6b335..38913b9b77 100644
--- a/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-spf-exception.db b/bin/tests/system/checkzone/zones/good-spf-exception.db
index 1de8cec52b..212bfbc642 100644
--- a/bin/tests/system/checkzone/zones/good-spf-exception.db
+++ b/bin/tests/system/checkzone/zones/good-spf-exception.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/checkzone/zones/good-svcb.db b/bin/tests/system/checkzone/zones/good-svcb.db
new file mode 100644
index 0000000000..df868f3d4e
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-svcb.db
@@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +svcb0 SVCB 0 example.net. +svcb1 SVCB 1 . port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE=" +svcb2 SVCB 2 . no-default-alpn alpn=alpn +svcb3 SVCB 3 . ipv4hint="10.10.10.10" +svcb4 SVCB 4 . ipv6hint="feed:a::bee" +svcb5 SVCB 5 . key9999="something" +svcb6 SVCB 6 . mandatory=port,alpn port=60 alpn=h3 +svcb7 SVCB 7 . mandatory=port,alpn port=60 alpn=h1,h3 +svcb8 SVCB 8 . mandatory=port,alpn port=60 alpn="h1\\,h2,h3" +svcb9 SVCB 0 44._svbc.example.net. +svcb10 SVCB 7 . alpn="h2,h3" dohpath=/{?dns} diff --git a/bin/tests/system/checkzone/zones/good1.db b/bin/tests/system/checkzone/zones/good1.db index f77f3ec226..59eaa54be4 100644 --- a/bin/tests/system/checkzone/zones/good1.db +++ b/bin/tests/system/checkzone/zones/good1.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/inherit.db b/bin/tests/system/checkzone/zones/inherit.db index 61c9d2a497..e075d416dc 100644 
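Review bot: The owner target in `svcb9 SVCB 0 44._svbc.example.net.` looks like a typo for `_svcb`; named-checkzone accepts any label, but in a fixture named after the record type the misspelt label misleads anyone grepping for `_svcb` later. Either correct it or mark it as deliberate with a comment such as `; svcb9: AliasMode target with an arbitrary underscore label` above the record.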
--- a/bin/tests/system/checkzone/zones/inherit.db +++ b/bin/tests/system/checkzone/zones/inherit.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db index 4083210eb5..db26217c1f 100644 --- a/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db +++ b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bin/tests/system/checkzone/zones/ns-address-below-dname.db index 7e65e577ae..e15ad5cbd2 100644 --- a/bin/tests/system/checkzone/zones/ns-address-below-dname.db +++ b/bin/tests/system/checkzone/zones/ns-address-below-dname.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/spf.db b/bin/tests/system/checkzone/zones/spf.db index 6c0e7e5512..9527b1bd1c 100644 --- a/bin/tests/system/checkzone/zones/spf.db +++ b/bin/tests/system/checkzone/zones/spf.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/test1.db b/bin/tests/system/checkzone/zones/test1.db index bb75d3ce82..55669d764d 100644 --- a/bin/tests/system/checkzone/zones/test1.db +++ b/bin/tests/system/checkzone/zones/test1.db 
@@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL 600 @ SOA ns hostmaster 2012010901 3600 1200 604800 1200 NS ns diff --git a/bin/tests/system/checkzone/zones/test2.db b/bin/tests/system/checkzone/zones/test2.db index cee52ca6c5..0cb1184d5f 100644 --- a/bin/tests/system/checkzone/zones/test2.db +++ b/bin/tests/system/checkzone/zones/test2.db @@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL 600 @ SOA ns hostmaster 2012010902 3600 1200 604800 1200 NS ns diff --git a/bin/tests/system/checkzone/zones/warn.inherit.origin.db b/bin/tests/system/checkzone/zones/warn.inherit.origin.db index 5057cd9536..a348a8f5a4 100644 --- a/bin/tests/system/checkzone/zones/warn.inherit.origin.db +++ b/bin/tests/system/checkzone/zones/warn.inherit.origin.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/warn.inherited.owner.db b/bin/tests/system/checkzone/zones/warn.inherited.owner.db index 0879149f6d..dbbd9d1078 100644 --- a/bin/tests/system/checkzone/zones/warn.inherited.owner.db +++ b/bin/tests/system/checkzone/zones/warn.inherited.owner.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/checkzone/zones/zone1.db b/bin/tests/system/checkzone/zones/zone1.db index df9a018b36..c2f395d4b5 100644 --- a/bin/tests/system/checkzone/zones/zone1.db +++ b/bin/tests/system/checkzone/zones/zone1.db 
@@ -1,3 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + zone1.com. 86400 IN SOA dns1.zone1.com. hostmaster.zone1.com. 2001062501 21600 3600 604800 86400 zone1.com. 86400 IN NS dns1.zone1.com. zone1.com. 86400 IN NS dns2.zone1.com. diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh index 755a65075b..1bbf28a97d 100644 --- a/bin/tests/system/ckdnsrps.sh +++ b/bin/tests/system/ckdnsrps.sh @@ -1,9 +1,11 @@ -#! /bin/sh -# +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -12,9 +14,9 @@ set -e # Say on stdout whether to test DNSRPS -# and create dnsrps.conf and dnsrps-slave.conf -# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf -# and differ from dnsrpz.conf which is used by dnsrpzd. +# and creates dnsrps.conf +# Note that dnsrps.conf is included in named.conf +# and differs from dnsrpz.conf which is used by dnsrpzd. . ../conf.sh 
@@ -24,19 +26,17 @@ DNSRPS_CMD=../rpz/dnsrps
 AS_NS=
 TEST_DNSRPS=
 MCONF=dnsrps.conf
-SCONF=dnsrps-slave.conf
-USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]"
+USAGE="$0: [-xAD] [-M dnsrps.conf]"
 while getopts "xADM:S:" c; do
 case $c in
 x) set -x; DEBUG=-x;;
 A) AS_NS=yes;;
 D) TEST_DNSRPS=yes;;
 M) MCONF="$OPTARG";;
- S) SCONF="$OPTARG";;
 *) echo "$USAGE" 1>&2; exit 1;;
 esac
 done
-shift `expr $OPTIND - 1 || true`
+shift $(expr $OPTIND - 1 || true)
 if [ "$#" -ne 0 ]; then
 echo "$USAGE" 1>&2
 exit 1
@@ -44,11 +44,9 @@ fi
 # erase any existing conf files
 cat /dev/null > $MCONF
-cat /dev/null > $SCONF
 add_conf () {
 echo "$*" >>$MCONF
- echo "$*" >>$SCONF
 }
 if ! $FEATURETEST --enable-dnsrps; then
@@ -67,7 +65,7 @@ else
 add_conf "## testing with DNSRPS"
 fi
-if [ ! -x $DNSRPS_CMD ]; then
+if [ ! -x "$DNSRPS_CMD" ]; then
 add_conf "## make $DNSRPS_CMD to test DNSRPS"
 add_conf '#skip'
 exit 0
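Review bot: The getopts string `"xADM:S:"` still declares `-S` as taking an argument even though the `S)` case and the `-S` text in USAGE were removed, so `-S file` now swallows `file` and then lands in the `*)` usage branch, while a bare `-S` produces a getopts "requires an argument" message instead of the usage line. Drop the option from the string: `while getopts "xADM:" c; do`. The rest of the script continues in the following hunks.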
@@ -80,86 +78,6 @@ else exit 0 fi -CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf - dnsrpzd-sock ../dnsrpzd.sock - dnsrpzd-rpzf ../dnsrpzd.rpzf - dnsrpzd-args '-dddd -L stdout' - log-level 3" - -MASTER="$CMN" -if [ -n "$AS_NS" ]; then - MASTER="$MASTER - qname-as-ns yes - ip-as-ns yes" -fi - -# write dnsrps settings for master resolver -cat <>$MCONF -$MASTER }; -EOF - -# write dnsrps settings for resolvers that should not start dnsrpzd -cat <>$SCONF -$CMN - dnsrpzd '' }; # do not start dnsrpzd -EOF - - -# DNSRPS is available. -# The test should fail if the license is bad. -add_conf "dnsrps-enable yes;" - -# Use alt-dnsrpzd-license.conf if it exists -CUR_L=dnsrpzd-license-cur.conf -ALT_L=alt-dnsrpzd-license.conf -# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist -[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf -if [ -s $ALT_L ]; then - SRC_L=$ALT_L - USE_ALT= -else - SRC_L=../rpz/dnsrpzd-license.conf - USE_ALT="## consider installing alt-dnsrpzd-license.conf" -fi -cp $SRC_L $CUR_L - -# parse $CUR_L for the license zone name, master IP addresses, and optional -# transfer-source IP addresses -eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ - -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ - -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ - -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - $CUR_L` -if [ -z "$NAME" ]; then - add_conf "## no DNSRPS tests; no license domain name in $SRC_L" - add_conf '#fail' - exit 0 -fi -if [ -z "$IPV4" ]; then - IPV4=license1.fastrpz.com - TS4= -fi -if [ -z "$IPV6" ]; then - IPV6=license1.fastrpz.com - TS6= -fi - -# This TSIG key is common and NOT a secret -KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' - -# Try IPv4 and then 
IPv6 to deal with IPv6 tunnel and connectivity problems -if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 -fi -if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 -fi - -add_conf "## DNSRPS lacks a valid license via $SRC_L" -[ -z "$USE_ALT" ] || add_conf "$USE_ALT" -add_conf '#fail' +add_conf 'dnsrps-options { log-level 3 };' +add_conf 'dnsrps-enable yes;' +add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";' diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh index e04eb333f3..5fafffd203 100644 --- a/bin/tests/system/cleanall.sh +++ b/bin/tests/system/cleanall.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -29,6 +31,5 @@ rm -f ../random.data for d in $SUBDIRS do test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh ) - rm -f test.output.$d test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null done diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh deleted file mode 100644 index bbd98c45c2..0000000000 --- a/bin/tests/system/cleanpkcs11.sh +++ /dev/null 
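Review bot: `add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'` hard-codes a relative, libtool-layout-specific path, so the generated dnsrps.conf only works when named is started from the test's own directory and the rpz test library has already been built; nothing in this hunk checks that the file exists, and the earlier `-x "$DNSRPS_CMD"` test no longer covers it. Consider building the path from the exported tree root, `add_conf "dnsrps-library \"$TOP_BUILDDIR/bin/tests/system/rpz/testlib/.libs/libdummyrpz.so\";"` (conf.sh, sourced above, exports TOP_BUILDDIR), or at least add `# relative to the test directory; built by the rpz test` above the line so the cwd assumption is visible. This hunk runs to the end of the file.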
@@ -1,14 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ./conf.sh - -[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1 diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf deleted file mode 100644 index 8cd709cb65..0000000000 --- a/bin/tests/system/common/controls.conf +++ /dev/null @@ -1,20 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; -}; - diff --git a/bin/tests/system/common/controls.conf.in b/bin/tests/system/common/controls.conf.in index 69581151d0..1db9286eba 100644 --- a/bin/tests/system/common/controls.conf.in +++ b/bin/tests/system/common/controls.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf index 8fe0bc3b4f..b887ec3eda 100644 --- a/bin/tests/system/common/rndc.conf +++ b/bin/tests/system/common/rndc.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key index b9def8ec5d..3ef41c30f5 100644 --- a/bin/tests/system/common/rndc.key +++ b/bin/tests/system/common/rndc.key 
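Review bot: `algorithm @DEFAULT_HMAC@;` makes the server-side control key follow DEFAULT_HMAC, but the client side in common/rndc.conf and common/rndc.key apparently stays a fixed literal (the new comment in conf.sh.common asks maintainers to update those two files by hand), so changing DEFAULT_HMAC without touching them would make every rndc call fail with a key/algorithm mismatch. Either template those two files the same way or add a comment above the line: `// must match the algorithm in common/rndc.conf and common/rndc.key (DEFAULT_HMAC in conf.sh.common)`.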
@@ -3,7 +3,7 @@ * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/common/root.hint index 418ea963fa..e0f186c2f8 100644 --- a/bin/tests/system/common/root.hint +++ b/bin/tests/system/common/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index cd0838a893..53065625eb 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -2,6 +2,8 @@ # # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. 
@@ -24,18 +26,6 @@ export LANG=C # # Common lists of system tests to run. # -# The "stress" test is not run by default since it creates enough -# load on the machine to make it unusable to other users. -# The "dialup", "delzone", and "dupsigs" tests are also not run by -# default because they take a very long time to complete. -# -# The following tests are hard-coded to use ports 5300 and 9953. For -# this reason, these must be run sequentially. -# -# Sequential tests that only run on unix/linux should be added to -# SEQUENTIAL_UNIX in conf.sh.in -# -SEQUENTIAL_COMMON="" # # These tests can use ports assigned by the caller (other than 5300 @@ -49,7 +39,9 @@ SEQUENTIAL_COMMON="" # rpzrecurse are scheduled first, in order to get more benefit from # parallelism. # -PARALLEL_COMMON="rpzrecurse serve-stale +PARALLEL_COMMON=" +rpzrecurse +serve-stale acl additional addzone @@ -68,7 +60,6 @@ database digdelv dlz dns64 -dscp dsdigest ecdsa eddsa 
@@ -138,25 +129,25 @@ zonechecks" # Set up color-coded test output # if [ ${SYSTEMTEST_FORCE_COLOR:-0} -eq 1 ] || test -t 1 && type tput > /dev/null 2>&1 && tput setaf 7 > /dev/null 2>&1 ; then - COLOR_END=`tput setaf 4` # blue - COLOR_FAIL=`tput setaf 1` # red - COLOR_INFO=`tput bold` # bold - COLOR_NONE=`tput sgr0` - COLOR_PASS=`tput setaf 2` # green - COLOR_START=`tput setaf 4` # blue - COLOR_WARN=`tput setaf 3` # yellow + export COLOR_END=$(tput setaf 4) # blue + export COLOR_FAIL=$(tput setaf 1) # red + export COLOR_INFO=$(tput bold) # bold + export COLOR_NONE=$(tput sgr0) + export COLOR_PASS=$(tput setaf 2) # green + export COLOR_START=$(tput setaf 4) # blue + export COLOR_WARN=$(tput setaf 3) # yellow else # set to empty strings so printf succeeds - COLOR_END='' - COLOR_FAIL='' - COLOR_INFO='' - COLOR_NONE='' - COLOR_PASS='' - COLOR_START='' - COLOR_WARN='' + export COLOR_END='' + export COLOR_FAIL='' + export COLOR_INFO='' + export COLOR_NONE='' + export COLOR_PASS='' + export COLOR_START='' + export COLOR_WARN='' fi -SYSTESTDIR="`basename $PWD`" +export SYSTESTDIR="$(basename $PWD)" if type printf > /dev/null 2>&1 then @@ -179,19 +170,19 @@ then printf "${COLOR_END}%s${COLOR_NONE}\n" "$*" } echo_i() { - printf '%s\n' "$*" | while read -r __LINE ; do + printf '%s\n' "$*" | while IFS= read -r __LINE ; do echoinfo "I:$SYSTESTDIR:$__LINE" done } echo_ic() { - printf '%s\n' "$*" | while read -r __LINE ; do + printf '%s\n' "$*" | while IFS= read -r __LINE ; do echoinfo "I:$SYSTESTDIR: $__LINE" done } echo_d() { - printf '%s\n' "$*" | while read -r __LINE ; do + printf '%s\n' "$*" | while IFS= read -r __LINE ; do echoinfo "D:$SYSTESTDIR:$__LINE" done } 
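Review bot: `export SYSTESTDIR="$(basename $PWD)"` leaves `$PWD` unquoted inside the command substitution, so a checkout path containing whitespace is split into several basename arguments and the value becomes wrong or empty; quote it: `export SYSTESTDIR="$(basename "$PWD")"`. The switch to `IFS= read -r` in the echo helpers is the right fix for leading blanks being stripped from logged lines. The `if ... tput` block that sets the COLOR_* variables begins inside the hunk, so no other branch is affected.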
@@ -216,49 +207,48 @@ else } echo_i() { - echo "$@" | while read -r __LINE ; do + echo "$@" | while IFS= read -r __LINE ; do echoinfo "I:$SYSTESTDIR:$__LINE" done } echo_ic() { - echo "$@" | while read -r __LINE ; do + echo "$@" | while IFS= read -r __LINE ; do echoinfo "I:$SYSTESTDIR: $__LINE" done } echo_d() { - echo "$@" | while read -r __LINE ; do + echo "$@" | while IFS= read -r __LINE ; do echoinfo "D:$SYSTESTDIR:$__LINE" done } fi cat_i() { - while read -r __LINE ; do + while IFS= read -r __LINE ; do echoinfo "I:$SYSTESTDIR:$__LINE" done } cat_d() { - while read -r __LINE ; do + while IFS= read -r __LINE ; do echoinfo "D:$SYSTESTDIR:$__LINE" done } digcomp() { - output=`$PERL $TOP_SRCDIR/bin/tests/system/digcomp.pl "$@"` - result=$? + { output=$($PERL $TOP_SRCDIR/bin/tests/system/digcomp.pl "$@"); result=$?; } || true [ -n "$output" ] && { echo "digcomp failed:"; echo "$output"; } | cat_i return $result } start_server() { - $PERL "$TOP_SRCDIR/bin/tests/system/start.pl" "$@" + $PERL "$TOP_SRCDIR/bin/tests/system/start.pl" "$SYSTESTDIR" "$@" } stop_server() { - $PERL "$TOP_SRCDIR/bin/tests/system/stop.pl" "$@" + $PERL "$TOP_SRCDIR/bin/tests/system/stop.pl" "$SYSTESTDIR" "$@" } send() { 
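Review bot: The new `{ output=$(...); result=$?; } || true` in digcomp is correct but reads as an accident without an explanation, since the group exists only so a `set -e` caller is not aborted by a nonzero exit from digcomp.pl before `$?` is captured; add `# grouped with || true so set -e cannot abort before we record digcomp.pl's status` above it. start_server and stop_server now pass `"$SYSTESTDIR"` as the first argument; a one-line comment noting that start.pl/stop.pl expect the test directory first would save the next reader a trip to those scripts, whose signatures are not visible here.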
@@ -269,24 +259,37 @@ send() { # Useful variables in test scripts # +# The following script sets the following algorithm-related variables. These +# are selected randomly at runtime from a list of supported algorithms. The +# randomization is deterministic and remains stable for a period of time for a +# given platform. +# # Default algorithm for testing. -DEFAULT_ALGORITHM=ECDSAP256SHA256 -DEFAULT_ALGORITHM_NUMBER=13 -DEFAULT_BITS=256 - -# This is an alternative algorithm for test cases that require more than -# one algorithm (for example algorithm rollover). Must be different from +# DEFAULT_ALGORITHM +# DEFAULT_ALGORITHM_NUMBER +# DEFAULT_BITS +# +# This is an alternative algorithm for test cases that require more than one +# algorithm (for example algorithm rollover). Must be different from # DEFAULT_ALGORITHM. -ALTERNATIVE_ALGORITHM=RSASHA256 -ALTERNATIVE_ALGORITHM_NUMBER=8 -ALTERNATIVE_BITS=1280 +# ALTERNATIVE_ALGORITHM +# ALTERNATIVE_ALGORITHM_NUMBER +# ALTERNATIVE_BITS +# +# This is an algorithm that is used for tests against the "disable-algorithms" +# configuration option. Must be different from above algorithms. +# DISABLED_ALGORITHM +# DISABLED_ALGORITHM_NUMBER +# DISABLED_BITS +# +# There are multiple algoritms sets to choose from (see get_algorithms.py). To +# override the default choice, set the ALGORITHM_SET env var (see mkeys system +# test for example). +eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")" -# This is an algorithm that is used for tests against the -# "disable-algorithms" configuration option. Must be different from above -# algorithms. -DISABLED_ALGORITHM=ECDSAP384SHA384 -DISABLED_ALGORITHM_NUMBER=14 -DISABLED_BITS=384 +# Default HMAC algorithm. +# also update common/rndc.conf and common/rndc.key when updating DEFAULT_HMAC +export DEFAULT_HMAC=hmac-sha256 # # Useful functions in test scripts 
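Review bot: `eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")"` has no failure check: if `$PYTHON` is unusable or the script exits nonzero, the substitution yields an empty string, `eval ""` succeeds, and DEFAULT_ALGORITHM, ALTERNATIVE_ALGORITHM and DISABLED_ALGORITHM stay unset, so the test runs with empty tokens in its templates instead of failing here. Capture and check first: `_algs=$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py") || { echo "get_algorithms.py failed" >&2; exit 1; }` followed by `eval "$_algs"`. Also `algoritms` in the new comment should read `algorithms`.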
@@ -397,6 +400,22 @@ keyfile_to_key_id() {
 echo "$1" | sed "s/.*+0\{0,4\}//"
 }
+# private_type_record: write a private type record recording the state of the
+# signing process
+#
+# For a given zone ($1), algorithm number ($2) and key file ($3), print the
+# private type record with default type value of 65534, indicating that the
+# signing process for this key is completed.
+private_type_record() {
+ _zone=$1
+ _algorithm=$2
+ _keyfile=$3
+
+ _id=$(keyfile_to_key_id "$_keyfile")
+
+ printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
+}
+
 # nextpart*() - functions for reading files incrementally
 #
 # These functions aim to facilitate looking for (or waiting for)
@@ -450,25 +469,25 @@ nextpartreset() {
 # nextpartread: read everything that's been appended to a file since the
 # last time nextpart() was called and print it to stdout, print the
-# total number of lines read from that file so far to stderr
+# total number of lines read from that file so far to file descriptor 3
 nextpartread() {
 [ -f $1.prev ] || nextpartreset $1
- prev=`cat $1.prev`
+ prev=$(cat $1.prev)
 awk "NR > $prev "'{ print }
- END { print NR > "/dev/stderr" }' $1
+ END { print NR > "/dev/stderr" }' $1 2>&3
 }
 # nextpart: read everything that's been appended to a file since the
 # last time nextpart() was called
 nextpart() {
- nextpartread $1 2> $1.prev.tmp
+ nextpartread $1 3> $1.prev.tmp
 mv $1.prev.tmp $1.prev
 }
 # nextpartpeek: read everything that's been appended to a file since the
 # last time nextpart() was called
 nextpartpeek() {
- nextpartread $1 2> /dev/null
+ nextpartread $1 3> /dev/null
 }
 # _search_log: look for message $1 in file $2 with nextpart().
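Review bot: `END { print NR > "/dev/stderr" }' $1 2>&3` still routes all of awk's stderr to fd 3, so any awk diagnostic (for instance when `$1` vanishes between the `-f` test and the read) is written into `$1.prev` alongside the count, and the next `NR > $prev` expression is built from a non-numeric value. Send only the count to fd 3 and leave awk's stderr where it is: `END { print NR | "cat 1>&3" }' $1` (the shell spawned for the pipe inherits fd 3 from nextpart's `3>` redirection). The nextpart/nextpartpeek changes then need no adjustment.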
@@ -478,6 +497,13 @@ _search_log() (
 nextpart "$file" | grep -F -e "$msg" > /dev/null
 )
+# _search_log_re: same as _search_log but the message is an grep -E regex
+_search_log_re() (
+ msg="$1"
+ file="$2"
+ nextpart "$file" | grep -E -e "$msg" > /dev/null
+)
+
 # _search_log_peek: look for message $1 in file $2 with nextpartpeek().
 _search_log_peek() (
 msg="$1"
@@ -495,7 +521,17 @@ wait_for_log() (
 msg="$2"
 file="$3"
 retry_quiet "$timeout" _search_log "$msg" "$file" && return 0
- echo_i "exceeded time limit waiting for '$msg' in $file"
+ echo_i "exceeded time limit waiting for literal '$msg' in $file"
+ return 1
+)
+
+# wait_for_log_re: same as wait_for_log, but the message is an grep -E regex
+wait_for_log_re() (
+ timeout="$1"
+ msg="$2"
+ file="$3"
+ retry_quiet "$timeout" _search_log_re "$msg" "$file" && return 0
+ echo_i "exceeded time limit waiting for regex '$msg' in $file"
 return 1
 )
@@ -506,7 +542,7 @@ wait_for_log_peek() (
 msg="$2"
 file="$3"
 retry_quiet "$timeout" _search_log_peek "$msg" "$file" && return 0
- echo_i "exceeded time limit waiting for '$msg' in $file"
+ echo_i "exceeded time limit waiting for literal '$msg' in $file"
 return 1
 )
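Review bot: Both new comments read `an grep -E regex`; make it `a grep -E regex`, and state what changes for callers compared with the `-F` variants, e.g. `# _search_log_re: like _search_log, but $1 is a grep -E pattern; escape . ( ) + | etc. when they are meant literally` (and the same wording on wait_for_log_re). Because _search_log uses `grep -F`, a message string copied from a wait_for_log call into wait_for_log_re silently changes meaning, which is exactly the case the comment should warn about.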
@@ -560,23 +596,28 @@ _repeat() ( return 0 ) +_times() { + awk "BEGIN{ for(i = 1; i <= $1; i++) print i}"; +} + rndc_reload() { - echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'$1' /'`" + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' # reloading single zone is synchronous, if we're reloading whole server # we need to wait for reload to finish if [ -z "$3" ]; then - for __try in 0 1 2 3 4 5 6 7 8 9; do - $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break - sleep 1 - done + for _ in $(_times 10); do + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break + sleep 1 + done fi } rndc_reconfig() { - echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/'$1' /'`" - for __try in 0 1 2 3 4 5 6 7 8 9; do - $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break - sleep 1 + seconds=${3:-10} + $RNDC -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' + for _ in $(_times "$seconds"); do + "$RNDC" -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" status | grep "reload/reconfig in progress" > /dev/null || break + sleep 1 done } @@ -637,8 +678,8 @@ get_dig_xfer_stats() { # them to a format used by some system tests. get_named_xfer_stats() { LOGFILE="$1" - PEER="`echo $2 | sed 's/\./\\\\./g'`" - ZONE="`echo $3 | sed 's/\./\\\\./g'`" + PEER="$(echo $2 | sed 's/\./\\./g')" + ZONE="$(echo $3 | sed 's/\./\\./g')" MESSAGE="$4" grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \ sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) messages.*/messages=\1/p" | tail -1 
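Review bot: `_times` splices its argument straight into the awk program text (`i <= $1`), so a non-integer or empty `seconds` in rndc_reconfig becomes an awk syntax error rather than a clear failure; pass it as a variable instead: `awk -v n="$1" 'BEGIN { for (i = 1; i <= n; i++) print i }'`. In rndc_reconfig the status call quotes `"$RNDC"` while the reconfig call two lines above does not; make the two consistent. rndc_reload keeps a fixed 10-iteration wait because its `$3` is the zone name, which is fine, but a short comment saying so would stop someone adding a fourth positional later.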
@@ -652,16 +693,19 @@ get_named_xfer_stats() {
 #
 # Convenience function to copy a configuration file, replacing the tokens
 # QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
-# environment variables. (These values are set by "run.sh", which calls the
+# environment variables. (These values are set by test runner, which calls the
 # scripts invoking this function.)
 #
 # Usage:
 # copy_setports infile outfile
 #
 copy_setports() {
- sed -e "s/@PORT@/${PORT}/g" \
+ dir=$(echo "$TMPDIR" | sed 's/\//\\\//g')
+
+ sed -e "s/@TMPDIR@/${dir}/g" \
+ -e "s/@PORT@/${PORT}/g" \
 -e "s/@TLSPORT@/${TLSPORT}/g" \
- -e "s/@HTTPPORT@/${HTTPPORT}/g" \
+ -e "s/@HTTPPORT@/${HTTPPORT}/g" \
 -e "s/@HTTPSPORT@/${HTTPSPORT}/g" \
 -e "s/@EXTRAPORT1@/${EXTRAPORT1}/g" \
 -e "s/@EXTRAPORT2@/${EXTRAPORT2}/g" \
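Review bot: `dir=$(echo "$TMPDIR" | sed 's/\//\\\//g')` escapes only `/`, so a TMPDIR containing `&` or a backslash still corrupts the sed replacement (`&` expands to the matched token), and `echo` of a value starting with `-` or containing backslashes is not portable across /bin/sh implementations. Use `dir=$(printf '%s\n' "$TMPDIR" | sed 's/[\/&\\]/\\&/g')`. `dir` is also a bare global that leaks into every script sourcing this file; `_tmpdir` would follow the convention the new private_type_record uses for function-private names.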
@@ -678,53 +722,33 @@ copy_setports() { -e "s/@ALTERNATIVE_ALGORITHM@/${ALTERNATIVE_ALGORITHM}/g" \ -e "s/@ALTERNATIVE_ALGORITHM_NUMBER@/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \ -e "s/@ALTERNATIVE_BITS@/${ALTERNATIVE_BITS}/g" \ + -e "s/@DEFAULT_HMAC@/${DEFAULT_HMAC}/g" \ -e "s/@DISABLED_ALGORITHM@/${DISABLED_ALGORITHM}/g" \ -e "s/@DISABLED_ALGORITHM_NUMBER@/${DISABLED_ALGORITHM_NUMBER}/g" \ -e "s/@DISABLED_BITS@/${DISABLED_BITS}/g" \ $1 > $2 } -# -# Export command paths -# -export ARPANAME -export BIGKEY -export CDS -export CHECKZONE -export CYGWIN -export DESCRIPTION -export DIG -export FEATURETEST -export FSTRM_CAPTURE -export GENCHECK -export JOURNALPRINT -export KEYCREATE -export KEYDELETE -export KEYFRLAB -export KEYGEN -export KEYSETTOOL -export KEYSIGNER -export KRB5_CONFIG -export KRB5_KTNAME -export MAKEJOURNAL -export MDIG -export NAMED -export NSEC3HASH -export NSLOOKUP -export NSUPDATE -export NZD2NZF -export PERL -export PIPEQUERIES -export PK11DEL -export PK11GEN -export PK11LIST -export PSSUSPEND -export PYTHON -export RESOLVE -export RNDC -export RRCHECKER -export SIGNER -export SUBDIRS -export TMPDIR -export TSIGKEYGEN -export WIRETEST +# parse_openssl_config - Parse OpenSSL configuration for HSM settings +# +# Will set SOFTHSM2_MODULE, OPENSSL_ENGINE and ENGINE_ARG based on openssl configuration. +parse_openssl_config() { + ENGINE_ARG="" + [ -f "$OPENSSL_CONF" ] || return 0 + while IFS="=" read key val; do + # trim variables + key="${key## }" + key="${key%% }" + val="${val## }" + val="${val%% }" + case "$key" in + "engine_id") + OPENSSL_ENGINE="$val" + ENGINE_ARG="-E $OPENSSL_ENGINE" + ;; + "MODULE_PATH"|"pkcs11-module-path") + SOFTHSM2_MODULE="$val" + ;; + esac + done < "$OPENSSL_CONF" +} diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 699edba607..44fe4cd308 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in 
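Review bot: parse_openssl_config reads with `read key val` (no `-r`), so a backslash in a module path is interpreted, and the trim lines `key="${key## }"` remove exactly one space per side (the pattern is a single space; `##` cannot repeat it), so `engine_id   = pkcs11` or a tab-indented key never matches the `case`. Read with `-r` and strip any run of blanks, as below. The match is also section-blind, so a `MODULE_PATH` under an unrelated `[section]` would win; if that matters, track the current section in the loop. OPENSSL_ENGINE and SOFTHSM2_MODULE are assigned but not exported here, which is only correct if every caller sources this file rather than running it — worth a comment on the function.
```shell
parse_openssl_config() {
    ENGINE_ARG=""
    [ -f "$OPENSSL_CONF" ] || return 0
    while IFS="=" read -r key val; do
        # strip any number of leading/trailing blanks (spaces or tabs)
        key=$(printf '%s' "$key" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//')
        val=$(printf '%s' "$val" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//')
        # … unchanged: case "$key" dispatch …
    done < "$OPENSSL_CONF"
}
```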
@@ -2,6 +2,8 @@
 #
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -15,133 +17,104 @@ # # Find the top of the BIND9 tree. -TOP_BUILDDIR=@abs_top_builddir@ -TOP_SRCDIR=@abs_top_srcdir@ +export TOP_BUILDDIR=@abs_top_builddir@ +export TOP_SRCDIR=@abs_top_srcdir@ # Provide TMPDIR variable for tests that need it. -TMPDIR=${TMPDIR:-/tmp} - -# This is not the windows build. -CYGWIN="" +export TMPDIR=${TMPDIR:-/tmp} + +export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname +export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds +export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf +export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone +if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 + export DELV=$TOP_BUILDDIR/bin/delv/delv +else + export DELV=: +fi +export DIG=$TOP_BUILDDIR/bin/dig/dig +export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read +export DSFROMKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-dsfromkey +export FEATURETEST=$TOP_BUILDDIR/bin/tests/system/feature-test +export FSTRM_CAPTURE=@FSTRM_CAPTURE@ +export HOST=$TOP_BUILDDIR/bin/dig/host +export IMPORTKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-importkey +export JOURNALPRINT=$TOP_BUILDDIR/bin/tools/named-journalprint +export KEYFRLAB=$TOP_BUILDDIR/bin/dnssec/dnssec-keyfromlabel +export KEYGEN=$TOP_BUILDDIR/bin/dnssec/dnssec-keygen +export MDIG=$TOP_BUILDDIR/bin/tools/mdig +export NAMED=$TOP_BUILDDIR/bin/named/named +export NSEC3HASH=$TOP_BUILDDIR/bin/tools/nsec3hash +export NSLOOKUP=$TOP_BUILDDIR/bin/dig/nslookup +export NSUPDATE=$TOP_BUILDDIR/bin/nsupdate/nsupdate +export NZD2NZF=$TOP_BUILDDIR/bin/tools/named-nzd2nzf +export REVOKE=$TOP_BUILDDIR/bin/dnssec/dnssec-revoke +export RNDC=$TOP_BUILDDIR/bin/rndc/rndc +export RNDCCONFGEN=$TOP_BUILDDIR/bin/confgen/rndc-confgen +export RRCHECKER=$TOP_BUILDDIR/bin/tools/named-rrchecker +export SETTIME=$TOP_BUILDDIR/bin/dnssec/dnssec-settime +export SIGNER=$TOP_BUILDDIR/bin/dnssec/dnssec-signzone +export TSIGKEYGEN=$TOP_BUILDDIR/bin/confgen/tsig-keygen +export VERIFY=$TOP_BUILDDIR/bin/dnssec/dnssec-verify +export 
WIRETEST=$TOP_BUILDDIR/bin/tests/wire_test + +export BIGKEY=$TOP_BUILDDIR/bin/tests/system/rsabigexponent/bigkey +export GENCHECK=$TOP_BUILDDIR/bin/tests/system/rndc/gencheck +export MAKEJOURNAL=$TOP_BUILDDIR/bin/tests/system/makejournal +export PIPEQUERIES=$TOP_BUILDDIR/bin/tests/system/pipelined/pipequeries -# Load common values -. $TOP_SRCDIR/bin/tests/system/conf.sh.common +# we don't want a KRB5_CONFIG setting breaking the tests +export KRB5_CONFIG=/dev/null +# use local keytab instead of default /etc/krb5.keytab +export KRB5_KTNAME=dns.keytab -ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname -CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds -CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf -CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone -DELV=$TOP_BUILDDIR/bin/delv/delv -DIG=$TOP_BUILDDIR/bin/dig/dig -DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read -DSFROMKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-dsfromkey -FEATURETEST=$TOP_BUILDDIR/bin/tests/system/feature-test -FSTRM_CAPTURE=@FSTRM_CAPTURE@ -HOST=$TOP_BUILDDIR/bin/dig/host -IMPORTKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-importkey -JOURNALPRINT=$TOP_BUILDDIR/bin/tools/named-journalprint -KEYFRLAB=$TOP_BUILDDIR/bin/dnssec/dnssec-keyfromlabel -KEYGEN=$TOP_BUILDDIR/bin/dnssec/dnssec-keygen -MDIG=$TOP_BUILDDIR/bin/tools/mdig -NAMED=$TOP_BUILDDIR/bin/named/named -NSEC3HASH=$TOP_BUILDDIR/bin/tools/nsec3hash -NSLOOKUP=$TOP_BUILDDIR/bin/dig/nslookup -NSUPDATE=$TOP_BUILDDIR/bin/nsupdate/nsupdate -NZD2NZF=$TOP_BUILDDIR/bin/tools/named-nzd2nzf -PK11DEL="$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" -PK11GEN="$TOP_BUILDDIR/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" -PK11LIST="$TOP_BUILDDIR/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" -RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve -REVOKE=$TOP_BUILDDIR/bin/dnssec/dnssec-revoke -RNDC=$TOP_BUILDDIR/bin/rndc/rndc -RNDCCONFGEN=$TOP_BUILDDIR/bin/confgen/rndc-confgen -RRCHECKER=$TOP_BUILDDIR/bin/tools/named-rrchecker 
-SETTIME=$TOP_BUILDDIR/bin/dnssec/dnssec-settime -SIGNER=$TOP_BUILDDIR/bin/dnssec/dnssec-signzone -TSIGKEYGEN=$TOP_BUILDDIR/bin/confgen/tsig-keygen -VERIFY=$TOP_BUILDDIR/bin/dnssec/dnssec-verify -WIRETEST=$TOP_BUILDDIR/bin/tests/wire_test +# +# Programs detected by configure +# Variables will be empty if no program was found by configure +# +export SHELL=@SHELL@ +export CURL=@CURL@ +export NC=@NC@ +export XMLLINT=@XMLLINT@ +export XSLTPROC=@XSLTPROC@ +export PYTEST=@PYTEST@ -BIGKEY=$TOP_BUILDDIR/bin/tests/system/rsabigexponent/bigkey -GENCHECK=$TOP_BUILDDIR/bin/tests/system/rndc/gencheck -KEYCREATE=$TOP_BUILDDIR/bin/tests/system/tkey/keycreate -KEYDELETE=$TOP_BUILDDIR/bin/tests/system/tkey/keydelete -MAKEJOURNAL=$TOP_BUILDDIR/bin/tests/system/makejournal -PIPEQUERIES=$TOP_BUILDDIR/bin/tests/system/pipelined/pipequeries +# +# Interpreters for system tests detected by configure +# +export PERL=$(command -v "@PERL@" || true) +if ! test -x "$PERL"; then + echo "Perl interpreter is required for system tests." + exit 77 +fi +export PYTHON=$(command -v "@PYTHON@" || true) +if ! test -x "$PYTHON"; then + echo "Python interpreter is required for system tests." + exit 77 +fi -# we don't want a KRB5_CONFIG setting breaking the tests -KRB5_CONFIG=/dev/null -# use local keytab instead of default /etc/krb5.keytab -KRB5_KTNAME=dns.keytab +# Load common values +. $TOP_SRCDIR/bin/tests/system/conf.sh.common # # Construct the lists of tests to run # -SEQUENTIAL_UNIX="@PKCS11_TEST@" -SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX" - -PARALLEL_UNIX="@DNSTAP@ -chain +PARALLEL_UNIX="chain +checkds cookie dlzexternal dnssec dyndb +enginepkcs11 filter-aaaa kasp -keymgr2kasp +keyfromlabel legacy logfileconfig +multisigner nzd2nzf pipelined qmin shutdown tcp" -PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_UNIX" - -SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS" - - -# Things that are different on Windows -KILL=kill -DIFF=diff -DOS2UNIX=true -# There's no trailing period on Windows -TP=. 
- -# Use the CONFIG_SHELL detected by configure for tests -SHELL=@SHELL@ - -# CURL will be empty if no program was found by configure -CURL=@CURL@ - -# XMLLINT will be empty if no program was found by configure -XMLLINT=@XMLLINT@ - -# XSLTPROC will be empty if no program was found by configure -XSLTPROC=@XSLTPROC@ - -# PERL will be an empty string if no perl interpreter was found. -PERL=$(command -v "@PERL@") - -# Windows process management leave empty -PSSUSPEND= - -PYTHON=$(command -v "@PYTHON@" || true) -PYTEST=@PYTEST@ - -# -# Determine if we support various optional features. -# -LIBXML2_LIBS="@LIBXML2_LIBS@" -HAVEXMLSTATS=${LIBXML2_LIBS:+1} -JSON_C_LIBS="@JSON_C_LIBS@" -HAVEJSONSTATS=${JSON_C_LIBS:+1} -MAXMINDDB_LIBS="@MAXMINDDB_LIBS@" -HAVEGEOIP2=${MAXMINDDB_LIBS:+1} -ZLIB_LIBS="@ZLIB_LIBS@" -HAVEZLIB=${ZLIB_LIBS:+1} -LMDB_LIBS="@LMDB_LIBS@" -NZD=${LMDB_LIBS:+1} -CRYPTO=@CRYPTO@ - -export HAVEXMLSTATS HAVEJSONSTATS +SUBDIRS="$PARALLEL_COMMON $PARALLEL_UNIX" diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py new file mode 100644 index 0000000000..0be546b810 --- /dev/null +++ b/bin/tests/system/conftest.py 
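Review bot: The new interpreter checks call `exit 77` from a file that is meant to be sourced (`. ./conf.sh`), which terminates the sourcing shell rather than returning to it; in conftest.py's `get_env_bytes(". ./conf.sh && env")` this presumably surfaces as a CalledProcessError with code 77 and an error log line, not as a skip. A comment above the checks, `# exit 77 = "skipped" for automake-style runners; note this also exits a shell that sources us`, would make that contract explicit. `. $TOP_SRCDIR/bin/tests/system/conf.sh.common` is unquoted while the neighbouring `"$PERL"` and `"$PYTHON"` tests are quoted; `. "$TOP_SRCDIR/bin/tests/system/conf.sh.common"` keeps the style consistent. The `export DELV=:` TSAN workaround turns every delv invocation into a no-op that succeeds, so a one-line note next to the GL#4119 reference saying that tests which inspect delv output cannot fail under TSAN would help readers.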
@@ -0,0 +1,638 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import logging +import os +import pytest + + +# ======================= LEGACY=COMPATIBLE FIXTURES ========================= +# The following fixtures are designed to work with both pytest system test +# runner and the legacy system test framework. +# +# FUTURE: Rewrite the individual port fixtures to re-use the `ports` fixture. + + +@pytest.fixture(scope="module") +def named_port(): + return int(os.environ.get("PORT", default=5300)) + + +@pytest.fixture(scope="module") +def named_tlsport(): + return int(os.environ.get("TLSPORT", default=8853)) + + +@pytest.fixture(scope="module") +def named_httpsport(): + return int(os.environ.get("HTTPSPORT", default=4443)) + + +@pytest.fixture(scope="module") +def control_port(): + return int(os.environ.get("CONTROLPORT", default=9953)) + + +if os.getenv("LEGACY_TEST_RUNNER", "0") != "0": + + @pytest.fixture + def logger(request): + """Logging facility specific to a particular test.""" + return logging.getLogger(request.node.name) + +else: + # ======================= PYTEST SYSTEM TEST RUNNER ========================== + # From this point onward, any setting, fixtures or functions only apply to the + # new pytest runner. Ideally, these would be in a separate file. However, due + # to how pytest works and how it's used by the legacy runner, the best approach + # is to have everything in this file to avoid duplication and set the + # LEGACY_TEST_RUNNER if pytest is executed from the legacy framework. 
+ # + # FUTURE: Once legacy runner is no longer supported, remove the env var and + # don't branch the code. + + from functools import partial + from pathlib import Path + import re + import shutil + import subprocess + import tempfile + import time + from typing import Any, Dict, List, Optional + + # Silence warnings caused by passing a pytest fixture to another fixture. + # pylint: disable=redefined-outer-name + + # ----------------- Older pytest / xdist compatibility ------------------- + # As of 2023-01-11, the minimal supported pytest / xdist versions are + # determined by what is available in EL8/EPEL8: + # - pytest 3.4.2 + # - pytest-xdist 1.24.1 + _pytest_ver = pytest.__version__.split(".") + _pytest_major_ver = int(_pytest_ver[0]) + if _pytest_major_ver < 7: + # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0 + # for older versions, use regular dictionary with string keys instead + FIXTURE_OK = "fixture_ok" # type: Any + else: + FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member + + # ----------------------- Globals definition ----------------------------- + + LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s" + XDIST_WORKER = os.environ.get("PYTEST_XDIST_WORKER", "") + FILE_DIR = os.path.abspath(Path(__file__).parent) + ENV_RE = re.compile(b"([^=]+)=(.*)") + PORT_MIN = 5001 + PORT_MAX = 32767 + PORTS_PER_TEST = 20 + PRIORITY_TESTS = [ + # Tests that are scheduled first. Speeds up parallel execution. 
+ "rpz/", + "rpzrecurse/", + "serve-stale/", + "timeouts/", + "upforwd/", + ] + PRIORITY_TESTS_RE = re.compile("|".join(PRIORITY_TESTS)) + CONFTEST_LOGGER = logging.getLogger("conftest") + SYSTEM_TEST_DIR_GIT_PATH = "bin/tests/system" + SYSTEM_TEST_NAME_RE = re.compile(f"{SYSTEM_TEST_DIR_GIT_PATH}" + r"/([^/]+)") + SYMLINK_REPLACEMENT_RE = re.compile(r"/tests(_sh(?=_))?(.*)\.py") + + # ---------------------- Module initialization --------------------------- + + def init_pytest_conftest_logger(conftest_logger): + """ + This initializes the conftest logger which is used for pytest setup + and configuration before tests are executed -- aka any logging in this + file that is _not_ module-specific. + """ + conftest_logger.setLevel(logging.DEBUG) + file_handler = logging.FileHandler("pytest.conftest.log.txt") + file_handler.setLevel(logging.DEBUG) + file_handler.setFormatter(logging.Formatter(LOG_FORMAT)) + conftest_logger.addHandler(file_handler) + + init_pytest_conftest_logger(CONFTEST_LOGGER) + + def avoid_duplicated_logs(): + """ + Remove direct root logger output to file descriptors. + This default is causing duplicates because all our messages go through + regular logging as well and are thus displayed twice. 
+ """ + todel = [] + for handler in logging.root.handlers: + if handler.__class__ == logging.StreamHandler: + # Beware: As for pytest 7.2.2, LiveLogging and LogCapture + # handlers inherit from logging.StreamHandler + todel.append(handler) + for handler in todel: + logging.root.handlers.remove(handler) + + def parse_env(env_bytes): + """Parse the POSIX env format into Python dictionary.""" + out = {} + for line in env_bytes.splitlines(): + match = ENV_RE.match(line) + if match: + # EL8+ workaround for https://access.redhat.com/solutions/6994985 + # FUTURE: can be removed when we no longer need to parse env vars + if match.groups()[0] in [b"which_declare", b"BASH_FUNC_which%%"]: + continue + out[match.groups()[0]] = match.groups()[1] + return out + + def get_env_bytes(cmd): + try: + proc = subprocess.run( + [cmd], + shell=True, + check=True, + cwd=FILE_DIR, + stdout=subprocess.PIPE, + ) + except subprocess.CalledProcessError as exc: + CONFTEST_LOGGER.error("failed to get shell env: %s", exc) + raise exc + env_bytes = proc.stdout + return parse_env(env_bytes) + + # Read common environment variables for running tests from conf.sh. + # FUTURE: Remove conf.sh entirely and define all variables in pytest only. + CONF_ENV = get_env_bytes(". ./conf.sh && env") + os.environb.update(CONF_ENV) + CONFTEST_LOGGER.debug( + "variables in env: %s", ", ".join([str(key) for key in CONF_ENV]) + ) + + # --------------------------- pytest hooks ------------------------------- + + def pytest_addoption(parser): + parser.addoption( + "--noclean", + action="store_true", + default=False, + help="don't remove the temporary test directories with artifacts", + ) + + def pytest_configure(config): + # Ensure this hook only runs on the main pytest instance if xdist is + # used to spawn other workers. 
+ if not XDIST_WORKER: + if config.pluginmanager.has_plugin("xdist") and config.option.numprocesses: + # system tests depend on module scope for setup & teardown + # enforce use "loadscope" scheduler or disable paralelism + try: + import xdist.scheduler.loadscope # pylint: disable=unused-import + except ImportError: + CONFTEST_LOGGER.debug( + "xdist is too old and does not have " + "scheduler.loadscope, disabling parallelism" + ) + config.option.dist = "no" + else: + config.option.dist = "loadscope" + + def pytest_ignore_collect(path): + # System tests are executed in temporary directories inside + # bin/tests/system. These temporary directories contain all files + # needed for the system tests - including tests_*.py files. Make sure to + # ignore these during test collection phase. Otherwise, test artifacts + # from previous runs could mess with the runner. Also ignore the + # convenience symlinks to those test directories. In both of those + # cases, the system test name (directory) contains an underscore, which + # is otherwise and invalid character for a system test name. 
+ match = SYSTEM_TEST_NAME_RE.search(str(path)) + if match is None: + CONFTEST_LOGGER.warning("unexpected test path: %s (ignored)", path) + return True + system_test_name = match.groups()[0] + return "_" in system_test_name + + def pytest_collection_modifyitems(items): + """Schedule long-running tests first to get more benefit from parallelism.""" + priority = [] + other = [] + for item in items: + if PRIORITY_TESTS_RE.search(item.nodeid): + priority.append(item) + else: + other.append(item) + items[:] = priority + other + + class NodeResult: + def __init__(self, report=None): + self.outcome = None + self.messages = [] + if report is not None: + self.update(report) + + def update(self, report): + if self.outcome is None or report.outcome != "passed": + self.outcome = report.outcome + if report.longreprtext: + self.messages.append(report.longreprtext) + + @pytest.hookimpl(tryfirst=True, hookwrapper=True) + def pytest_runtest_makereport(item): + """Hook that is used to expose test results to session (for use in fixtures).""" + # execute all other hooks to obtain the report object + outcome = yield + report = outcome.get_result() + + # Set the test outcome in session, so we can access it from module-level + # fixture using nodeid. Note that this hook is called three times: for + # setup, call and teardown. We only care about the overall result so we + # merge the results together and preserve the information whether a test + # passed. + test_results = {} + try: + test_results = getattr(item.session, "test_results") + except AttributeError: + setattr(item.session, "test_results", test_results) + node_result = test_results.setdefault(item.nodeid, NodeResult()) + node_result.update(report) + + # --------------------------- Fixtures ----------------------------------- + + @pytest.fixture(scope="session") + def modules(): + """Sorted list of all modules. 
Used to determine port distribution.""" + mods = [] + for dirpath, _dirs, files in os.walk(os.getcwd()): + for file in files: + if file.startswith("tests_") and file.endswith(".py"): + mod = f"{dirpath}/{file}" + mods.append(mod) + return sorted(mods) + + @pytest.fixture(scope="session") + def module_base_ports(modules): + """ + Dictionary containing assigned base port for every module. + + Note that this is a session-wide fixture. The port numbers are + deterministically assigned before any testing starts. This fixture MUST + return the same value when called again during the same test session. + When running tests in parallel, this is exactly what happens - every + worker thread will call this fixture to determine test ports. + """ + port_min = PORT_MIN + port_max = PORT_MAX - len(modules) * PORTS_PER_TEST + if port_max < port_min: + raise RuntimeError( + "not enough ports to assign unique port set to each module" + ) + + # Rotate the base port value over time to detect possible test issues + # with using random ports. This introduces a very slight race condition + # risk. If this value changes between pytest invocation and spawning + # worker threads, multiple tests may have same port values assigned. If + # these tests are then executed simultaneously, the test results will + # be misleading. 
+ base_port = int(time.time() // 3600) % (port_max - port_min) + port_min + + return {mod: base_port + i * PORTS_PER_TEST for i, mod in enumerate(modules)} + + @pytest.fixture(scope="module") + def base_port(request, module_base_ports): + """Start of the port range assigned to a particular test module.""" + port = module_base_ports[request.fspath] + return port + + @pytest.fixture(scope="module") + def ports(base_port): + """Dictionary containing port names and their assigned values.""" + return { + "PORT": str(base_port), + "TLSPORT": str(base_port + 1), + "HTTPPORT": str(base_port + 2), + "HTTPSPORT": str(base_port + 3), + "EXTRAPORT1": str(base_port + 4), + "EXTRAPORT2": str(base_port + 5), + "EXTRAPORT3": str(base_port + 6), + "EXTRAPORT4": str(base_port + 7), + "EXTRAPORT5": str(base_port + 8), + "EXTRAPORT6": str(base_port + 9), + "EXTRAPORT7": str(base_port + 10), + "EXTRAPORT8": str(base_port + 11), + "CONTROLPORT": str(base_port + 12), + } + + @pytest.fixture(scope="module") + def env(ports): + """Dictionary containing environment variables for the test.""" + env = os.environ.copy() + env.update(ports) + env["builddir"] = f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + env["srcdir"] = f"{env['TOP_SRCDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + return env + + @pytest.fixture(scope="module") + def system_test_name(request): + """Name of the system test directory.""" + path = Path(request.fspath) + return path.parent.name + + @pytest.fixture(scope="module") + def mlogger(system_test_name): + """Logging facility specific to this test module.""" + avoid_duplicated_logs() + return logging.getLogger(system_test_name) + + @pytest.fixture + def logger(request, system_test_name): + """Logging facility specific to a particular test.""" + return logging.getLogger(f"{system_test_name}.{request.node.name}") + + @pytest.fixture(scope="module") + def system_test_dir( + request, env, system_test_name, mlogger + ): # pylint: disable=too-many-statements,too-many-locals + """ + 
Temporary directory for executing the test. + + This fixture is responsible for creating (and potentially removing) a + copy of the system test directory which is used as a temporary + directory for the test execution. + + FUTURE: This removes the need to have clean.sh scripts. + """ + + def get_test_result(): + """Aggregate test results from all individual tests from this module + into a single result: failed > skipped > passed.""" + try: + all_test_results = request.session.test_results + except AttributeError: + # This may happen if pytest execution is interrupted and + # pytest_runtest_makereport() is never called. + mlogger.debug("can't obtain test results, test run was interrupted") + return "error" + test_results = { + node.nodeid: all_test_results[node.nodeid] + for node in request.node.collect() + if node.nodeid in all_test_results + } + assert len(test_results) + messages = [] + for node, result in test_results.items(): + mlogger.debug("%s %s", result.outcome.upper(), node) + messages.extend(result.messages) + for message in messages: + mlogger.debug("\n" + message) + failed = any(res.outcome == "failed" for res in test_results.values()) + skipped = any(res.outcome == "skipped" for res in test_results.values()) + if failed: + return "failed" + if skipped: + return "skipped" + assert all(res.outcome == "passed" for res in test_results.values()) + return "passed" + + def unlink(path): + try: + path.unlink() # missing_ok=True isn't available on Python 3.6 + except FileNotFoundError: + pass + + # Create a temporary directory with a copy of the original system test dir contents + system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}") + testdir = Path( + tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root) + ) + shutil.rmtree(testdir) + shutil.copytree(system_test_root / system_test_name, testdir) + + # Create a convenience symlink with a stable and predictable name + module_name = SYMLINK_REPLACEMENT_RE.sub(r"\2", 
request.node.name) + symlink_dst = system_test_root / module_name + unlink(symlink_dst) + symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root)) + + # Configure logger to write to a file inside the temporary test directory + mlogger.handlers.clear() + mlogger.setLevel(logging.DEBUG) + handler = logging.FileHandler(testdir / "pytest.log.txt", mode="w") + formatter = logging.Formatter(LOG_FORMAT) + handler.setFormatter(formatter) + mlogger.addHandler(handler) + + # System tests are meant to be executed from their directory - switch to it. + old_cwd = os.getcwd() + os.chdir(testdir) + mlogger.debug("switching to tmpdir: %s", testdir) + try: + yield testdir # other fixtures / tests will execute here + finally: + os.chdir(old_cwd) + mlogger.debug("changed workdir to: %s", old_cwd) + + result = get_test_result() + + # Clean temporary dir unless it should be kept + keep = False + if request.config.getoption("--noclean"): + mlogger.debug( + "--noclean requested, keeping temporary directory %s", testdir + ) + keep = True + elif result == "failed": + mlogger.debug( + "test failure detected, keeping temporary directory %s", testdir + ) + keep = True + elif not request.node.stash[FIXTURE_OK]: + mlogger.debug( + "test setup/teardown issue detected, keeping temporary directory %s", + testdir, + ) + keep = True + + if keep: + mlogger.info( + "test artifacts in: %s", symlink_dst.relative_to(system_test_root) + ) + else: + mlogger.debug("deleting temporary directory") + handler.flush() + handler.close() + shutil.rmtree(testdir) + unlink(symlink_dst) + + def _run_script( # pylint: disable=too-many-arguments + env, + mlogger, + system_test_dir: Path, + interpreter: str, + script: str, + args: Optional[List[str]] = None, + ): + """Helper function for the shell / perl script invocations (through fixtures below).""" + if args is None: + args = [] + path = Path(script) + if not path.is_absolute(): + # make sure relative paths are always relative to system_dir + path = 
system_test_dir.parent / path + script = str(path) + cwd = os.getcwd() + if not path.exists(): + raise FileNotFoundError(f"script {script} not found in {cwd}") + mlogger.debug("running script: %s %s %s", interpreter, script, " ".join(args)) + mlogger.debug(" workdir: %s", cwd) + returncode = 1 + + cmd = [interpreter, script] + args + with subprocess.Popen( + cmd, + env=env, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + bufsize=1, + universal_newlines=True, + errors="backslashreplace", + ) as proc: + if proc.stdout: + for line in proc.stdout: + mlogger.info(" %s", line.rstrip("\n")) + proc.communicate() + returncode = proc.returncode + if returncode: + raise subprocess.CalledProcessError(returncode, cmd) + mlogger.debug(" exited with %d", returncode) + + @pytest.fixture(scope="module") + def shell(env, system_test_dir, mlogger): + """Function to call a shell script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["SHELL"]) + + @pytest.fixture(scope="module") + def perl(env, system_test_dir, mlogger): + """Function to call a perl script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["PERL"]) + + @pytest.fixture(scope="module") + def run_tests_sh(system_test_dir, shell): + """Utility function to execute tests.sh as a python test.""" + + def run_tests(): + shell(f"{system_test_dir}/tests.sh") + + return run_tests + + @pytest.fixture(scope="module", autouse=True) + def system_test( # pylint: disable=too-many-arguments,too-many-statements + request, + env: Dict[str, str], + mlogger, + system_test_dir, + shell, + perl, + ): + """ + Driver of the test setup/teardown process. Used automatically for every test module. + + This is the most important one-fixture-to-rule-them-all. Note the + autouse=True which causes this fixture to be loaded by every test + module without the need to explicitly specify it. 
+ + When this fixture is used, it utilizes other fixtures, such as + system_test_dir, which handles the creation of the temporary test + directory. + + Afterwards, it checks the test environment and takes care of starting + the servers. When everything is ready, that's when the actual tests are + executed. Once that is done, this fixture stops the servers and checks + for any artifacts indicating an issue (e.g. coredumps). + + Finally, when this fixture reaches an end (or encounters an exception, + which may be caused by fail/skip invocations), any fixtures which is + used by this one are finalized - e.g. system_test_dir performs final + checks and cleans up the temporary test directory. + """ + + def check_net_interfaces(): + try: + perl("testsock.pl", ["-p", env["PORT"]]) + except subprocess.CalledProcessError as exc: + mlogger.error("testsock.pl: exited with code %d", exc.returncode) + pytest.skip("Network interface aliases not set up.") + + def check_prerequisites(): + try: + shell(f"{system_test_dir}/prereq.sh") + except FileNotFoundError: + pass # prereq.sh is optional + except subprocess.CalledProcessError: + pytest.skip("Prerequisites missing.") + + def setup_test(): + try: + shell(f"{system_test_dir}/setup.sh") + except FileNotFoundError: + pass # setup.sh is optional + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to run test setup") + pytest.fail(f"setup.sh exited with {exc.returncode}") + + def start_servers(): + try: + perl("start.pl", ["--port", env["PORT"], system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to start servers") + pytest.fail(f"start.pl exited with {exc.returncode}") + + def stop_servers(): + try: + perl("stop.pl", [system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to stop servers") + get_core_dumps() + pytest.fail(f"stop.pl exited with {exc.returncode}") + + def get_core_dumps(): + try: + shell("get_core_dumps.sh", 
[system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Found core dumps or sanitizer reports") + pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}") + + os.environ.update(env) # Ensure pytests have the same env vars as shell tests. + mlogger.info(f"test started: {request.node.name}") + port = int(env["PORT"]) + mlogger.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1) + + if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0 + request.node.stash = {} # use regular dict instead of pytest.Stash + request.node.stash[FIXTURE_OK] = True + + # Perform checks which may skip this test. + check_net_interfaces() + check_prerequisites() + + # Store the fact that this fixture hasn't successfully finished yet. + # This is checked before temporary directory teardown to decide whether + # it's okay to remove the directory. + request.node.stash[FIXTURE_OK] = False + + setup_test() + try: + start_servers() + mlogger.debug("executing test(s)") + yield + finally: + mlogger.debug("test(s) finished") + stop_servers() + get_core_dumps() + request.node.stash[FIXTURE_OK] = True diff --git a/bin/tests/system/cookie/ans9/ans.py b/bin/tests/system/cookie/ans9/ans.py index b454fc8c91..5813475ece 100644 --- a/bin/tests/system/cookie/ans9/ans.py +++ b/bin/tests/system/cookie/ans9/ans.py 
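Review bot: `module_base_ports` raises ZeroDivisionError instead of its own RuntimeError when `port_max == port_min`: the guard is `if port_max < port_min`, so the equal case reaches `% (port_max - port_min)`; change it to `if port_max <= port_min:`. `parse_env` assumes one `KEY=VALUE` per line, so an exported value that contains a newline followed by text with `=` yields spurious entries (the `which_declare` / `BASH_FUNC_which%%` skip handles one known instance); where the platform's env supports it, `env -0` with NUL-separated parsing avoids the whole class of problem. In `system_test_dir`, `shutil.rmtree(testdir)` immediately after `tempfile.mkdtemp` discards the only directory created atomically and `copytree` recreates the name, so a comment such as `# copytree needs a non-existent target (no dirs_exist_ok on Python 3.6)` would explain why a freshly created directory is removed on the next line.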
@@ -1,13 +1,13 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ from __future__ import print_function import os @@ -35,28 +35,27 @@ from dns.rdatatype import * from dns.tsig import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + # DNS 2.0 keyring specifies the algorithm try: - keyring = dns.tsigkeyring.from_text({ "foo" : { - "hmac-sha256", - "aaaaaaaaaaaa" - } , - "fake" : { - "hmac-sha256", - "aaaaaaaaaaaa" - } - }) + keyring = dns.tsigkeyring.from_text( + { + "foo": {os.getenv("DEFAULT_HMAC", "hmac-sha256"), "aaaaaaaaaaaa"}, + "fake": {os.getenv("DEFAULT_HMAC", "hmac-sha256"), "aaaaaaaaaaaa"}, + } + ) except: - keyring = dns.tsigkeyring.from_text({ "foo" : "aaaaaaaaaaaa", - "fake" : "aaaaaaaaaaaa" }) + keyring = dns.tsigkeyring.from_text({"foo": "aaaaaaaaaaaa", "fake": "aaaaaaaaaaaa"}) dopass2 = False + ############################################################################ # # This server will serve valid and spoofed answers. A spoofed answer will @@ -81,7 +80,7 @@ def create_response(msg, tcp, first, ns10): m = dns.message.from_wire(msg, keyring=keyring) qname = m.question[0].name.to_text() lqname = qname.lower() - labels = lqname.split('.') + labels = lqname.split(".") rrtype = m.question[0].rdtype typename = dns.rdatatype.to_text(rrtype) 
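Review bot: The keyring entries in the `dns.tsigkeyring.from_text` call (second hunk on this line, @@ -35,28) are set literals, `{os.getenv("DEFAULT_HMAC", "hmac-sha256"), "aaaaaaaaaaaa"}`, not `(algorithm, secret)` tuples; unpacking a two-element set gives an order that depends on per-process string hashing, so some runs presumably hand the secret in as the algorithm and fall through the bare `except:` to the fallback keyring with no algorithm at all. Writing `"foo": (os.getenv("DEFAULT_HMAC", "hmac-sha256"), "aaaaaaaaaaaa"),` (and likewise for `"fake"`) makes the algorithm selection deterministic. `logquery` still does `f.write("%s %s\n", type, qname)`, which passes two arguments to write and raises TypeError on the first call; `f.write("%s %s\n" % (type, qname))` looks like what was intended.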
@@ -113,27 +112,31 @@ def create_response(msg, tcp, first, ns10): # Add a server cookie to the response if labels[0] != "nocookie": for o in m.options: - if o.otype == 10: # Use 10 instead of COOKIE - if first and labels[0] == "withtsig" and not tcp: - r.use_tsig(keyring = keyring, - keyname = dns.name.from_text("fake"), - algorithm = HMAC_SHA256) - elif labels[0] != "tcponly" or tcp: - cookie = o - if len(o.data) == 8: - cookie.data = o.data + o.data - else: - cookie.data = o.data - r.use_edns(options=[cookie]) + if o.otype == 10: # Use 10 instead of COOKIE + if first and labels[0] == "withtsig" and not tcp: + r.use_tsig( + keyring=keyring, + keyname=dns.name.from_text("fake"), + algorithm=HMAC_SHA256, + ) + elif labels[0] != "tcponly" or tcp: + cookie = o + if len(o.data) == 8: + cookie.data = o.data + o.data + else: + cookie.data = o.data + r.use_edns(options=[cookie]) r.flags |= dns.flags.AA return r + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # 
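Review bot: `sigterm` assigns `running = False` without a `global running` declaration, so the assignment binds a function-local name and the module-level flag is untouched; the line is dead because `sys.exit(0)` follows, so either drop it or add `global running` above it. `cookie = o` followed by `cookie.data = ...` mutates the option object taken from the parsed request `m` rather than a copy; that works here because `m` is discarded afterwards, but a comment, `# reuses (and modifies) the request's COOKIE option in place`, would stop a reader from taking `cookie` for a fresh object.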
@@ -146,19 +149,25 @@ def sigterm(signum, frame): ip6_addr1 = "fd92:7065:b8e:ffff::9" ip6_addr2 = "fd92:7065:b8e:ffff::10" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_udp1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query4_udp1.bind((ip4_addr1, port)) query4_tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +query4_tcp1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query4_tcp1.bind((ip4_addr1, port)) query4_tcp1.listen(1) query4_tcp1.settimeout(1) query4_udp2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_udp2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query4_udp2.bind((ip4_addr2, port)) query4_tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +query4_tcp2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query4_tcp2.bind((ip4_addr2, port)) query4_tcp2.listen(1) query4_tcp2.settimeout(1) @@ -170,15 +179,19 @@ def sigterm(signum, frame): query6_tcp2 = None try: query6_udp1 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + query6_udp1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query6_udp1.bind((ip6_addr1, port)) query6_tcp1 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + query6_tcp1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query6_tcp1.bind((ip6_addr1, port)) query6_tcp1.listen(1) query6_tcp1.settimeout(1) query6_udp2 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + query6_udp2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query6_udp2.bind((ip6_addr2, port)) query6_tcp2 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + query6_tcp2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) query6_tcp2.bind((ip6_addr2, port)) query6_tcp2.listen(1) query6_tcp2.settimeout(1) 
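Review bot: SO_REUSEADDR is now set on the UDP sockets as well as the TCP listeners; on Linux that lets a second UDP socket bind the very same address:port, so a stale copy of this server left over from an earlier run no longer fails at bind() and the two would silently share or race for queries. The TCP listeners are where the option is useful (restart despite TIME_WAIT), so consider leaving the UDP binds strict, and in any case state the intent once, e.g. `# SO_REUSEADDR: let the test restart promptly after a previous run's TIME_WAIT`. The reflowed port lookup keeps a bare `except:`; `except (KeyError, ValueError):` is what the fallback to 5300 actually means and does not hide unrelated errors.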
@@ -195,24 +208,32 @@ def sigterm(signum, frame): signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Using DNS version %s" % dns.version.version) -print ("Listening on %s port %d" % (ip4_addr1, port)) -print ("Listening on %s port %d" % (ip4_addr2, port)) +print("Using DNS version %s" % dns.version.version) +print("Listening on %s port %d" % (ip4_addr1, port)) +print("Listening on %s port %d" % (ip4_addr2, port)) if havev6: - print ("Listening on %s port %d" % (ip6_addr1, port)) - print ("Listening on %s port %d" % (ip6_addr2, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6_addr1, port)) + print("Listening on %s port %d" % (ip6_addr2, port)) +print("Ctrl-c to quit") if havev6: - input = [query4_udp1, query6_udp1, query4_tcp1, query6_tcp1, - query4_udp2, query6_udp2, query4_tcp2, query6_tcp2] + input = [ + query4_udp1, + query6_udp1, + query4_tcp1, + query6_tcp1, + query4_udp2, + query6_udp2, + query4_tcp2, + query6_tcp2, + ] else: input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2] @@ -228,14 +249,19 @@ def sigterm(signum, frame): for s in inputready: ns10 = False - if s == query4_udp1 or s == query6_udp1 or \ - s == query4_udp2 or s == query6_udp2: + if s == query4_udp1 or s == query6_udp1 or s == query4_udp2 or s == query6_udp2: if s == query4_udp1 or s == query6_udp1: - print ("UDP Query received on %s" % - (ip4_addr1 if s == query4_udp1 else ip6_addr1), end=" ") + print( + "UDP Query received on %s" + % (ip4_addr1 if s == query4_udp1 else ip6_addr1), + end=" ", + ) if s == query4_udp2 or s == query6_udp2: - print ("UDP Query received on %s" % - (ip4_addr2 if s == query4_udp2 else ip6_addr2), end=" ") + print( + "UDP Query received on %s" + % (ip4_addr2 if s == query4_udp2 else ip6_addr2), + end=" ", + ) ns10 = True # Handle incoming queries msg = s.recvfrom(65535) 
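Review bot: The pid file is written with an explicit `open`/`close` pair that leaks the handle if `print` raises; the idiomatic form is two lines, `with open("ans.pid", "w") as f:` / `print(pid, file=f)`, with `pid = os.getpid()` kept above it. The reformatted list assignment also keeps the name `input`, which shadows the builtin for the rest of the module; `listeners` (or `inputs`) would read better and avoids surprise if anyone later calls `input()` in this script.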
@@ -244,31 +270,36 @@ def sigterm(signum, frame): print(dns.rcode.to_text(rsp.rcode())) s.sendto(rsp.to_wire(), msg[1]) if dopass2: - print ("Sending second UDP response without TSIG", end=" ") + print("Sending second UDP response without TSIG", end=" ") rsp = create_response(msg[0], False, False, ns10) s.sendto(rsp.to_wire(), msg[1]) print(dns.rcode.to_text(rsp.rcode())) - if s == query4_tcp1 or s == query6_tcp1 or \ - s == query4_tcp2 or s == query6_tcp2: + if s == query4_tcp1 or s == query6_tcp1 or s == query4_tcp2 or s == query6_tcp2: try: (cs, _) = s.accept() if s == query4_tcp1 or s == query6_tcp1: - print ("TCP Query received on %s" % - (ip4_addr1 if s == query4_tcp1 else ip6_addr1), end=" ") + print( + "TCP Query received on %s" + % (ip4_addr1 if s == query4_tcp1 else ip6_addr1), + end=" ", + ) if s == query4_tcp2 or s == query6_tcp2: - print ("TCP Query received on %s" % - (ip4_addr2 if s == query4_tcp2 else ip6_addr2), end=" ") + print( + "TCP Query received on %s" + % (ip4_addr2 if s == query4_tcp2 else ip6_addr2), + end=" ", + ) ns10 = True # get TCP message length buf = cs.recv(2) - length = struct.unpack('>H', buf[:2])[0] + length = struct.unpack(">H", buf[:2])[0] # grep DNS message msg = cs.recv(length) rsp = create_response(msg, True, True, ns10) print(dns.rcode.to_text(rsp.rcode())) wire = rsp.to_wire() - cs.send(struct.pack('>H', len(wire))) + cs.send(struct.pack(">H", len(wire))) cs.send(wire) cs.close() except s.timeout: diff --git a/bin/tests/system/cookie/bad-cookie-badaes.conf b/bin/tests/system/cookie/bad-cookie-badaes.conf index 6c8e42cabd..7d8cfe3b83 100644 --- a/bin/tests/system/cookie/bad-cookie-badaes.conf +++ b/bin/tests/system/cookie/bad-cookie-badaes.conf 
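Review bot: The TCP path assumes every recv/send is complete: `cs.recv(2)` may return a single byte (then `struct.unpack(">H", buf[:2])` raises struct.error), `cs.recv(length)` may return a partial message that dns.message.from_wire then rejects, and `cs.send(...)` may write only part of the length prefix or of `wire`. A small read-exactly helper above the main loop and `sendall` fix all three, as sketched below. The `except s.timeout:` that closes the hunk also looks wrong: `s.timeout` on a socket object is the timeout value (a float), not the `socket.timeout` exception, so if that is what it resolves to, any error inside the try turns into `TypeError: catching classes that do not inherit from BaseException` and the server exits; `except socket.timeout:` (or `except OSError:`) is the intended form. The handler body continues outside the hunk.
```python
def recv_exact(sock, nbytes):
    # Accumulate until nbytes arrive; an empty chunk means the peer closed.
    data = b""
    while len(data) < nbytes:
        chunk = sock.recv(nbytes - len(data))
        if not chunk:
            raise EOFError("connection closed mid-message")
        data += chunk
    return data

# … unchanged: accept() and the "TCP Query received" prints …
length = struct.unpack(">H", recv_exact(cs, 2))[0]
msg = recv_exact(cs, length)
# … unchanged: create_response and rcode print …
wire = rsp.to_wire()
cs.sendall(struct.pack(">H", len(wire)) + wire)
```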
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/bad-cookie-badhex.conf b/bin/tests/system/cookie/bad-cookie-badhex.conf index 318425f96a..43c11adae2 100644 --- a/bin/tests/system/cookie/bad-cookie-badhex.conf +++ b/bin/tests/system/cookie/bad-cookie-badhex.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/bad-cookie-badsiphash24.conf b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf index 392cb04473..25ff78f045 100644 --- a/bin/tests/system/cookie/bad-cookie-badsiphash24.conf +++ b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/bad-cookie-toolong.conf b/bin/tests/system/cookie/bad-cookie-toolong.conf index 3171b3c567..5ea67b9f2f 100644 --- a/bin/tests/system/cookie/bad-cookie-toolong.conf +++ b/bin/tests/system/cookie/bad-cookie-toolong.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/clean.sh b/bin/tests/system/cookie/clean.sh index a9130d709d..d0675aa4fb 100644 --- a/bin/tests/system/cookie/clean.sh +++ b/bin/tests/system/cookie/clean.sh 
@@ -1,7 +1,11 @@ +#!/bin/sh + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/cookie/good-cookie-aes.conf b/bin/tests/system/cookie/good-cookie-aes.conf index efb56a67a4..97a6f67896 100644 --- a/bin/tests/system/cookie/good-cookie-aes.conf +++ b/bin/tests/system/cookie/good-cookie-aes.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/good-cookie-siphash24.conf b/bin/tests/system/cookie/good-cookie-siphash24.conf index 2e2f628543..c937d71277 100644 --- a/bin/tests/system/cookie/good-cookie-siphash24.conf +++ b/bin/tests/system/cookie/good-cookie-siphash24.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns1/example.db b/bin/tests/system/cookie/ns1/example.db index fae6856e80..75a6d3c96a 100644 --- a/bin/tests/system/cookie/ns1/example.db +++ b/bin/tests/system/cookie/ns1/example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in index d26ea7463e..20ebca30c0 100644 --- a/bin/tests/system/cookie/ns1/named.conf.in +++ b/bin/tests/system/cookie/ns1/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,12 +13,12 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; key foo { secret "aaaaaaaaaaaa"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; server 10.53.0.10 { @@ -28,9 +30,9 @@ controls { }; options { - query-source address 10.53.0.1 dscp 1; - notify-source 10.53.0.1 dscp 2; - transfer-source 10.53.0.1 dscp 3; + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; diff --git a/bin/tests/system/cookie/ns1/root.hint b/bin/tests/system/cookie/ns1/root.hint index 64769b9fe6..993227deb6 100644 --- a/bin/tests/system/cookie/ns1/root.hint +++ b/bin/tests/system/cookie/ns1/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. 
diff --git a/bin/tests/system/cookie/ns2/named.conf.in b/bin/tests/system/cookie/ns2/named.conf.in index e1073f92b6..cd74d8adca 100644 --- a/bin/tests/system/cookie/ns2/named.conf.in +++ b/bin/tests/system/cookie/ns2/named.conf.in @@ -1,18 +1,20 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ options { - query-source address 10.53.0.2 dscp 1; - notify-source 10.53.0.2 dscp 2; - transfer-source 10.53.0.2 dscp 3; + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; diff --git a/bin/tests/system/cookie/ns2/root.db b/bin/tests/system/cookie/ns2/root.db index d0cea9acd9..533ab88ee8 100644 --- a/bin/tests/system/cookie/ns2/root.db +++ b/bin/tests/system/cookie/ns2/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns3/named.conf.in b/bin/tests/system/cookie/ns3/named.conf.in index abb688e0e3..090d528ba3 100644 
--- a/bin/tests/system/cookie/ns3/named.conf.in +++ b/bin/tests/system/cookie/ns3/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -19,9 +21,9 @@ controls { }; options { - query-source address 10.53.0.3 dscp 1; - notify-source 10.53.0.3 dscp 2; - transfer-source 10.53.0.3 dscp 3; + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; diff --git a/bin/tests/system/cookie/ns3/root.hint b/bin/tests/system/cookie/ns3/root.hint index 64769b9fe6..993227deb6 100644 --- a/bin/tests/system/cookie/ns3/root.hint +++ b/bin/tests/system/cookie/ns3/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. 
diff --git a/bin/tests/system/cookie/ns4/named.conf.in b/bin/tests/system/cookie/ns4/named.conf.in index 7ed0760f17..c49b87ec10 100644 --- a/bin/tests/system/cookie/ns4/named.conf.in +++ b/bin/tests/system/cookie/ns4/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/cookie/ns4/root.hint b/bin/tests/system/cookie/ns4/root.hint index 64769b9fe6..993227deb6 100644 --- a/bin/tests/system/cookie/ns4/root.hint +++ b/bin/tests/system/cookie/ns4/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns5/named.conf.in b/bin/tests/system/cookie/ns5/named.conf.in index 7dd681b7f3..87210adbf8 100644 --- a/bin/tests/system/cookie/ns5/named.conf.in +++ b/bin/tests/system/cookie/ns5/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/cookie/ns5/root.hint b/bin/tests/system/cookie/ns5/root.hint index 64769b9fe6..993227deb6 100644 --- a/bin/tests/system/cookie/ns5/root.hint +++ b/bin/tests/system/cookie/ns5/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns6/named.conf.in b/bin/tests/system/cookie/ns6/named.conf.in index 2cfd462d22..158d8988c5 100644 --- a/bin/tests/system/cookie/ns6/named.conf.in +++ b/bin/tests/system/cookie/ns6/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/cookie/ns6/root.hint b/bin/tests/system/cookie/ns6/root.hint index 64769b9fe6..993227deb6 100644 --- a/bin/tests/system/cookie/ns6/root.hint +++ b/bin/tests/system/cookie/ns6/root.hint @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns7/from-no-cookie-server.example.db b/bin/tests/system/cookie/ns7/from-no-cookie-server.example.db new file mode 100644 index 0000000000..8e466a6921 --- /dev/null +++ b/bin/tests/system/cookie/ns7/from-no-cookie-server.example.db 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ SOA ns7 hostmaster.isc.org. 1 600 600 1200 600 +@ NS ns7 +ns7 A 10.53.0.7 diff --git a/bin/tests/system/cookie/ns7/named.conf.in b/bin/tests/system/cookie/ns7/named.conf.in index 62ced15bb2..9426d233cb 100644 --- a/bin/tests/system/cookie/ns7/named.conf.in +++ b/bin/tests/system/cookie/ns7/named.conf.in @@ -1,18 +1,20 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ options { - query-source address 10.53.0.7 dscp 1; - notify-source 10.53.0.7 dscp 2; - transfer-source 10.53.0.7 dscp 3; + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.7; }; @@ -21,9 +23,15 @@ options { answer-cookie no; send-cookie yes; nocookie-udp-size 512; + dnssec-validation no; }; zone "." { type primary; file "root.db"; }; + +zone "from-no-cookie-server.example" { + type primary; + file "from-no-cookie-server.example.db"; +}; diff --git a/bin/tests/system/cookie/ns7/root.db b/bin/tests/system/cookie/ns7/root.db index 96410eeffd..39a63da9bb 100644 
--- a/bin/tests/system/cookie/ns7/root.db +++ b/bin/tests/system/cookie/ns7/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/cookie/ns8/example.db b/bin/tests/system/cookie/ns8/example.db index 0693de0629..443d5db417 100644 --- a/bin/tests/system/cookie/ns8/example.db +++ b/bin/tests/system/cookie/ns8/example.db @@ -1,11 +1,15 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -@ 3600 SOA . . 0 0 0 0 0 -@ 3600 NS . +@ 3600 SOA . . 0 0 0 0 0 +@ 3600 NS . +from-no-cookie-server 3600 NS ns7.from-no-cookie-server +ns7.from-no-cookie-server 3600 A 10.53.0.7 diff --git a/bin/tests/system/cookie/ns8/named.conf.in b/bin/tests/system/cookie/ns8/named.conf.in index c90a2b95dd..693f06a81e 100644 --- a/bin/tests/system/cookie/ns8/named.conf.in +++ b/bin/tests/system/cookie/ns8/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -11,7 +13,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -31,6 +33,8 @@ options { require-server-cookie yes; }; +server 10.53.0.7 { require-cookie yes; }; + zone "example" { type primary; file "example.db"; diff --git a/bin/tests/system/cookie/setup.sh b/bin/tests/system/cookie/setup.sh index 8ed3fe8671..88c7518dd0 100644 --- a/bin/tests/system/cookie/setup.sh +++ b/bin/tests/system/cookie/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh index 021b3d7566..570b7351ff 100755 --- a/bin/tests/system/cookie/tests.sh +++ b/bin/tests/system/cookie/tests.sh 
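Review bot: The new `server 10.53.0.7 { require-cookie yes; };` stanza has no comment explaining why ns8 demands cookies from a server that, earlier in this diff, is configured with `answer-cookie no` (ns7); a reader of this fixture alone cannot tell whether the mismatch is deliberate. A one-line comment in the config, such as `// ns7 never returns a COOKIE; exercise the require-cookie handling of such servers`, would make the intent of the new zone delegation in ns8/example.db and this stanza self-explanatory.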
@@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh DIGOPTS="-p ${PORT}" @@ -20,7 +24,7 @@ n=0 getcookie() { awk '$2 == "COOKIE:" { print $3; - }' < $1 | tr -d '\r' + }' < $1 } fullcookie() { 
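Review bot: getcookie() drops the `| tr -d '\r'` filter without the commit saying why; if it was guarding against carriage returns in dig output on some platform, `cookie=$(getcookie dig.out.test$n.l)` later in the script would now pass the CR through `+cookie=$cookie`, and if it was dead code a short comment saying so would stop it being reintroduced. While touching the function, the redirection should quote its argument: `}' < "$1"`.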
@@ -35,172 +39,229 @@ havetc() { for bad in bad*.conf do - n=`expr $n + 1` + n=$((n + 1)) echo_i "checking that named-checkconf detects error in $bad ($n)" ret=0 $CHECKCONF $bad > /dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) done for good in good*.conf do - n=`expr $n + 1` + n=$((n + 1)) echo_i "checking that named-checkconf detects accepts $good ($n)" ret=0 $CHECKCONF $good > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) done -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n +$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 grep COOKIE: dig.out.test$n > /dev/null && ret=1 grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n +$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 grep COOKIE: dig.out.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking COOKIE token is returned to empty COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 grep COOKIE: dig.out.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.test$n > 
/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking COOKIE is not returned when answer-cookie is false ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n +oldcookie=b71d3138bb984fc50100000064a65cffbbf02482dfb99ba5 +$DIG $DIGOPTS +cookie=$oldcookie version.bind txt ch @10.53.0.7 > dig.out.test$n || ret=1 grep COOKIE: dig.out.test$n > /dev/null && ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking response size without COOKIE ($n)" ret=0 -$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking response size without valid COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking response size with COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l -cookie=`getcookie dig.out.test$n.l` -$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l || ret=1 +cookie=$(getcookie dig.out.test$n.l) +$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 havetc dig.out.test$n && 
ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking response size with COOKIE recursive ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 havetc dig.out.test$n && ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking COOKIE is learnt for TCP retry ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n || ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 3 ]; then ret=1; fi -checkfull=`getcookie dig.out.test$n | fullcookie` +checkfull=$(getcookie dig.out.test$n | fullcookie) if [ $checkfull != 1 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking for COOKIE value in adb ($n)" ret=0 rndc_dumpdb ns1 grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking require-server-cookie default (no) ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n -grep BADCOOKIE dig.out.test$n > /dev/null && ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n || ret=1 +grep "status: BADCOOKIE" dig.out.test$n > /dev/null && ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 
]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "checking require-server-cookie yes ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1 grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) +echo_i "checking +qr +showbadcookie ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) +badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) +server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) +good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l) +linecount=$(getcookie dig.out.test$n | wc -l) +if [ $noerror != 3 ]; then ret=1; fi +if [ $badcookie != 1 ]; then ret=1; fi +if [ $server != 3 ]; then ret=1; fi +if [ $good != 2 ]; then ret=1; fi +if [ $linecount != 4 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n + 1)) + +echo_i "checking +showbadcookie ($n)" +ret=0 +$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) +badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) +server=$(grep "COOKIE: ................................................" 
dig.out.test$n | wc -l) +good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l) +linecount=$(getcookie dig.out.test$n | wc -l) +if [ $noerror != 1 ]; then ret=1; fi +if [ $badcookie != 1 ]; then ret=1; fi +if [ $server != 2 ]; then ret=1; fi +if [ $good != 2 ]; then ret=1; fi +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "checking require-server-cookie yes with rate-limit ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n +$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n || ret=1 grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking 'server { require-cookie yes; };' triggers TCP when cookie not returned ($n)" +ret=0 +nextpart ns8/named.run > /dev/null +$DIG $DIGOPTS +cookie soa from-no-cookie-server.example @10.53.0.8 > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +wait_for_log_peek 3 "missing required cookie from 10.53.0.7#" ns8/named.run || ret=1 +wait_for_log_peek 3 "connected from" ns8/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "send undersized cookie ($n)" ret=0 $DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1 grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "send oversized for named 
cookie ($n)" ret=0 $DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1 grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "send oversized for named cookie with server requiring a good cookie ($n)" ret=0 $DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1 grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) + +echo_i "check that BADCOOKIE is returned for a bad server COOKIE ($n)" +ret=0 +badcookie=$(echo $cookie | sed 's/[a-f0-9]/0/g') +$DIG $DIGOPTS +qr +cookie=$badcookie +nobadcookie soa example @10.53.0.1 > dig.out.test$n || ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 +grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1 +linecount=`getcookie dig.out.test$n | wc -l` +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) # # Test shared cookie-secret support. 
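Review bot: The new `check that BADCOOKIE is returned for a bad server COOKIE ($n)` test near the end of the hunk does not bump `n` first — it runs under the same number as the preceding oversized-cookie test, so its `dig.out.test$n` overwrites that test's output and both are reported under one number; add `n=$((n + 1))` before the `echo_i`. It also keeps the backtick form of the `linecount=` assignment that the rest of the hunk converts to `linecount=$(getcookie dig.out.test$n | wc -l)`. In the answer-cookie test, the fixed `oldcookie=b71d3138…` value is a canned, apparently stale cookie; a comment such as `# canned stale cookie: 10.53.0.7 has answer-cookie no, so no COOKIE may come back whatever we send` would explain why `+cookie` is no longer used there. The hunk starts and ends inside this view.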
@@ -219,116 +280,116 @@ status=`expr $status + $ret` # Force local address so that the client's address is the same to all servers. # -n=`expr $n + 1` +n=$((n + 1)) echo_i "get NS4 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns4cookie=`getcookie dig.out.test$n` +ns4cookie=$(getcookie dig.out.test$n) test -n "$ns4cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "get NS5 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns5cookie=`getcookie dig.out.test$n` +ns5cookie=$(getcookie dig.out.test$n) test -n "$ns5cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "get NS6 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns6cookie=`getcookie dig.out.test$n` +ns6cookie=$(getcookie dig.out.test$n) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS4 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.5 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS5 cookie on NS4 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.4 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "test NS6 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1 grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ 
(good)" #UDP -$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 +$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 || ret=1 grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 || ret=1 grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 +$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 || ret=1 grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 +$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 || ret=1 grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1 
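Review bot: In the `check that test server is correctly configured` block at the end of the hunk, the TSIG assertions after the `tcponly.tld` and `nocookie.tld` queries grep `dig.out.test$n.1` instead of `.2` and `.3`, so the absence of a TSIG pseudosection in those two answers is never actually checked; they should read `grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.2 > /dev/null && ret=1` and the same with `.3`. These are unchanged context lines, so the slip predates this commit, but the hunk already touches every `$DIG` line around them and is the natural place to fix it. The ns6 cookie fetch earlier in the hunk also lacks the `test -n "$ns6cookie" || ret=1` guard that ns4 and ns5 have, so an empty cookie would only surface later as a confusing NOERROR/BADCOOKIE mismatch.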
@@ -336,7 +397,7 @@ grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
 grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
 
 #TCP
-$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5
+$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 || ret=1
 grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
 grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
 grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
@@ -365,35 +426,35 @@ grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1 grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that spoofed response is dropped when we have a server cookie ($n)" ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 rndc_dumpdb ns1 grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 || ret=1 wait_for_log 5 "$msg" ns1/named.run || ret=1 grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)" ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 rndc_dumpdb ns1 grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 
@@ -405,20 +466,20 @@ grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -n=`expr $n + 1` +n=$((n + 1)) echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)" ret=0 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 rndc_dumpdb ns1 grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 || ret=1 grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 @@ -426,7 +487,7 @@ nextpart ns1/named.run > named.run.test$n count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) if $PYTHON -c ' import dns.version, sys; 
@@ -434,27 +495,27 @@ if dns.version.MAJOR > 1: sys.exit(0); if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0); sys.exit(1)' then - n=`expr $n + 1` + n=$((n + 1)) echo_i "check that TSIG test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ (good)" - key=hmac-sha256:foo:aaaaaaaaaaaa + key="${DEFAULT_HMAC}:foo:aaaaaaaaaaaa" #UDP - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 || ret=1 grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 || ret=1 grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 || ret=1 grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 
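Review bot: `key="${DEFAULT_HMAC}:foo:aaaaaaaaaaaa"` ties the TSIG algorithm to a conf.sh variable, but the answer server at 10.53.0.10 that verifies and signs these queries is not in this hunk, so nothing here shows it picks up the same setting; if it still hard-codes hmac-sha256, every `-y $key` query in this block fails as soon as `DEFAULT_HMAC` is changed. I would add `# must match the algorithm the 10.53.0.10 TSIG test server is configured with` above the assignment, or have both sides read the algorithm from the same place. As in the non-TSIG block, the `grep 'TSIG.*NOERROR' dig.out.test$n.1` after the `.2` and `.3` queries re-checks the first answer instead of those files (unchanged context lines, pre-existing). The enclosing `if $PYTHON -c …; then` block starts before this hunk.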
@@ -462,21 +523,21 @@ then grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 #TCP - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 || ret=1 grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 || ret=1 grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 || ret=1 grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 @@ -484,9 +545,9 @@ then grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) - n=`expr $n + 1` + n=$((n + 1)) echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)" ret=0 pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl' @@ -505,7 +566,7 @@ then count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi echo_i "exit status: $status" 
diff --git a/bin/tests/system/cookie/tests_sh_cookie.py b/bin/tests/system/cookie/tests_sh_cookie.py new file mode 100644 index 0000000000..2f1d029925 --- /dev/null +++ b/bin/tests/system/cookie/tests_sh_cookie.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_cookie(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/cpu/clean.sh b/bin/tests/system/cpu/clean.sh deleted file mode 100644 index 0a6c10bb75..0000000000 --- a/bin/tests/system/cpu/clean.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -rm -f ps.out -rm -f ns1/named.conf ns1/managed-keys.* ns1/named.run ns1/named.memstats diff --git a/bin/tests/system/cpu/ns1/named.conf.in b/bin/tests/system/cpu/ns1/named.conf.in deleted file mode 100644 index d152b2709d..0000000000 --- a/bin/tests/system/cpu/ns1/named.conf.in +++ /dev/null 
@@ -1,18 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; -}; diff --git a/bin/tests/system/cpu/prereq.sh b/bin/tests/system/cpu/prereq.sh deleted file mode 100644 index e9cae418d9..0000000000 --- a/bin/tests/system/cpu/prereq.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -# shellcheck source=conf.sh -. ../conf.sh - -case $(uname) in - Linux*) - ;; - *) - echo_i "cpu test only runs on Linux" - exit 255 - ;; -esac - -# TASKSET will be an empty string if no taskset program was found. -TASKSET=$(command -v "taskset" || true) -if ! test -x "$TASKSET" ; then - exit 255 -fi - -if ! $TASKSET fff0 true > /dev/null 2>&1; then - echo_i "taskset failed" - exit 255 -fi diff --git a/bin/tests/system/cpu/setup.sh b/bin/tests/system/cpu/setup.sh deleted file mode 100644 index 5d4286829d..0000000000 --- a/bin/tests/system/cpu/setup.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -# shellcheck source=conf.sh -. ../conf.sh - -set -e - -$SHELL clean.sh - -copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/cpu/tests.sh b/bin/tests/system/cpu/tests.sh deleted file mode 100644 index 54cdb0abfc..0000000000 --- a/bin/tests/system/cpu/tests.sh +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -# shellcheck source=conf.sh -. ../conf.sh - -status=0 -n=0 - -n=$((n+1)) -echo_i "stop server ($n)" -ret=0 -$PERL ../stop.pl cpu ns1 || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -n=$((n+1)) -echo_i "start server with taskset ($n)" -ret=0 -start_server --noclean --taskset fff0 --restart --port "${PORT}" cpu ns1 || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -n=$((n+1)) -echo_i "check ps output ($n)" -ret=0 -ps -T -o pid,psr,time,comm -e > ps.out -pid=$(cat ns1/named.pid) -echo_i "pid=$pid" -psr=$(awk -v pid="$pid" '$1 == pid && $4 == "isc-net-0000" {print $2}' < ps.out) -echo_i "psr=$psr" -# The next available cpu relative to the existing affinity mask is 4. -test "$psr" -eq 4 || ret=1 -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/custom-test-driver b/bin/tests/system/custom-test-driver index e0371202c9..7499aa0bc0 100755 --- a/bin/tests/system/custom-test-driver +++ b/bin/tests/system/custom-test-driver 
@@ -1,10 +1,13 @@ -#! /bin/sh +#!/bin/sh + # test-driver - basic testsuite driver script. -scriptversion=2020-05-12.10; # UTC +scriptversion=2021-09-20.08; # UTC # Copyright (C) 2011-2020 Free Software Foundation, Inc. # +# SPDX-License-Identifier: GPL-2.0-or-later WITH LicenseRef-Automake-exception-2.0 +# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) diff --git a/bin/tests/system/database/clean.sh b/bin/tests/system/database/clean.sh index 1fe28f3ce2..f86404c1b2 100644 --- a/bin/tests/system/database/clean.sh +++ b/bin/tests/system/database/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/database/ns1/named1.conf.in b/bin/tests/system/database/ns1/named1.conf.in index 4d60860340..5fa7ce5ce4 100644 --- a/bin/tests/system/database/ns1/named1.conf.in +++ b/bin/tests/system/database/ns1/named1.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -13,7 +15,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/database/ns1/named2.conf.in b/bin/tests/system/database/ns1/named2.conf.in index 3393548e81..80cfab28b8 100644 --- a/bin/tests/system/database/ns1/named2.conf.in +++ b/bin/tests/system/database/ns1/named2.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -13,7 +15,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/database/setup.sh b/bin/tests/system/database/setup.sh index 0c15866125..f3f0088a23 100644 --- a/bin/tests/system/database/setup.sh +++ b/bin/tests/system/database/setup.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/database/tests.sh b/bin/tests/system/database/tests.sh index f39dbf3500..408b094be0 100644 --- a/bin/tests/system/database/tests.sh +++ b/bin/tests/system/database/tests.sh @@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh status=0 @@ -25,9 +29,9 @@ echo_i "checking pre reload zone ($n)" ret=0 $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) copy_setports ns1/named2.conf.in ns1/named.conf $RNDCCMD reload 2>&1 >/dev/null 
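Review bot: With `set -e` now enabled at the top of this script, a non-zero exit from `$RNDCCMD reload 2>&1 >/dev/null` at the end of this hunk aborts the run before the post-reload check, with no `echo_i "failed"` and no exit-status line in the log. The retry loop that follows (next hunk) appears to reset `ret=0` on every iteration, so a trailing `|| ret=1` would not surface it either; fail explicitly instead: `$RNDCCMD reload 2>&1 >/dev/null || { echo_i "rndc reload failed"; exit 1; }`. The `2>&1 >/dev/null` ordering keeps rndc's stderr on stdout, which looks deliberate so errors reach the test log, but a one-line comment such as `# keep rndc stderr visible in the log, discard its stdout` would stop the next reader "fixing" it.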
@@ -41,12 +45,12 @@ do ret=0 $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 - try=`expr $try + 1` + try=$((try + 1)) test $ret -eq 0 && break done -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/database/tests_sh_database.py b/bin/tests/system/database/tests_sh_database.py new file mode 100644 index 0000000000..b48469e3fb --- /dev/null +++ b/bin/tests/system/database/tests_sh_database.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_database(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/delzone/clean.sh b/bin/tests/system/delzone/clean.sh deleted file mode 100644 index f9fbe9405c..0000000000 --- a/bin/tests/system/delzone/clean.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -rm -f dig.out.* -rm -f rndc.out* -rm -f */named.memstats -rm -f ns2/*.nzf -rm -f ns2/*.nzd ns2/*nzd-lock -rm -f ns2/core* -rm -f ns2/inline.db.jbk -rm -f ns2/inline.db.signed -rm -f ns2/inlinesec.bk* -rm -f ns*/named.lock -rm -f ns2/nzf-* -rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/delzone/ns1/inlinesec.db b/bin/tests/system/delzone/ns1/inlinesec.db deleted file mode 100644 index 5db7e024e3..0000000000 --- a/bin/tests/system/delzone/ns1/inlinesec.db +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$ORIGIN inlinesec.example. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2 -ns2 A 10.53.0.2 - MX 10 mail - -a A 10.0.0.1 -mail A 10.0.0.2 diff --git a/bin/tests/system/delzone/ns1/named.conf b/bin/tests/system/delzone/ns1/named.conf deleted file mode 100644 index 8cbe61d0b4..0000000000 --- a/bin/tests/system/delzone/ns1/named.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - allow-query { any; }; - recursion no; - dnssec-validation no; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; - -zone "inlinesec.example" { - type primary; - file "inlinesec.db"; -}; diff --git a/bin/tests/system/delzone/ns2/added.db b/bin/tests/system/delzone/ns2/added.db deleted file mode 100644 index 9b54d19204..0000000000 --- a/bin/tests/system/delzone/ns2/added.db +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -;$ORIGIN added.example. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2 -ns2 A 10.53.0.2 - MX 10 mail - -a A 10.0.0.1 -mail A 10.0.0.2 diff --git a/bin/tests/system/delzone/ns2/named.args b/bin/tests/system/delzone/ns2/named.args deleted file mode 100644 index be9241ed54..0000000000 --- a/bin/tests/system/delzone/ns2/named.args +++ /dev/null @@ -1 +0,0 @@ --D delzone-ns2 -X named.lock -m record,size,mctx -c named.conf -g -U 4 -T maxcachesize=2097152 
diff --git a/bin/tests/system/delzone/ns2/named.conf b/bin/tests/system/delzone/ns2/named.conf deleted file mode 100644 index 708754c384..0000000000 --- a/bin/tests/system/delzone/ns2/named.conf +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - allow-query { any; }; - recursion no; - dnssec-validation no; - allow-new-zones yes; -}; - -include "../../common/controls.conf"; - -zone "." { - type hint; - file "../../common/root.hint"; -}; - -zone "normal.example" { - type master; - file "normal.db"; -}; diff --git a/bin/tests/system/delzone/ns2/normal.db b/bin/tests/system/delzone/ns2/normal.db deleted file mode 100644 index 50450928e9..0000000000 --- a/bin/tests/system/delzone/ns2/normal.db +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$ORIGIN normal.example. -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns2 -ns2 A 10.53.0.2 - MX 10 mail - -a A 10.0.0.1 -mail A 10.0.0.2 diff --git a/bin/tests/system/delzone/setup.sh b/bin/tests/system/delzone/setup.sh deleted file mode 100644 index 9e800d29e4..0000000000 
--- a/bin/tests/system/delzone/setup.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -$SHELL clean.sh diff --git a/bin/tests/system/delzone/tests.sh b/bin/tests/system/delzone/tests.sh deleted file mode 100755 index 73b098ca33..0000000000 --- a/bin/tests/system/delzone/tests.sh +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p 5300" -status=0 -n=0 - -echo_i "checking normally loaded zone ($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -if [ -x "$PYTHON" ]; then -echo_i "adding and deleting 20000 new zones ($n)" -ret=0 - time ( - echo_i "adding" - $PYTHON << EOF -import sys -sys.path.insert(0, '../../../../bin/python') -from isc import rndc -r = rndc(('10.53.0.2', 9953), 'hmac-sha256', '1234abcd8765') -for i in range(20000): - res = r.call('addzone z%d.example { type master; file "added.db"; };' % i) - if 'text' in res: - print ('I:n2:' + res['text']) -EOF - ) - time ( - echo_i "deleting" - $PYTHON << EOF -import sys -sys.path.insert(0, '../../../../bin/python') -from isc import rndc -r = rndc(('10.53.0.2', 9953), 'hmac-sha256', '1234abcd8765') -for i in range(20000): - res = r.call('delzone z%d.example' % i) - if 'text' in res: - print ('I:n2:' + res['text']) -EOF - ) - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -fi - -echo_i "exit status: $status" -exit $status diff --git a/bin/tests/system/dialup/clean.sh b/bin/tests/system/dialup/clean.sh index 0ec62d5bce..9318255bfa 100644 --- a/bin/tests/system/dialup/clean.sh +++ b/bin/tests/system/dialup/clean.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -12,3 +14,5 @@ rm -f ns2/example.bk rm -f ns3/example.bk rm -f */named.memstats */named.run +rm -f ns*/named.conf +rm -f ns*/named.lock diff --git a/bin/tests/system/dialup/ns1/example.db b/bin/tests/system/dialup/ns1/example.db index e1f203ee64..3ce33f9acb 100644 --- a/bin/tests/system/dialup/ns1/example.db +++ b/bin/tests/system/dialup/ns1/example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dialup/ns1/named.conf b/bin/tests/system/dialup/ns1/named.conf deleted file mode 100644 index 9811b7f432..0000000000 --- a/bin/tests/system/dialup/ns1/named.conf +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - heartbeat-interval 2; - recursion no; - dnssec-validation no; -}; - -zone "." { - type master; - file "root.db"; -}; - -zone "example." { - type master; - notify explicit; - also-notify { 10.53.0.2; }; - dialup yes; - file "example.db"; -}; diff --git a/bin/tests/system/dialup/ns1/named.conf.in b/bin/tests/system/dialup/ns1/named.conf.in new file mode 100644 index 0000000000..4b8302bcfa --- /dev/null +++ b/bin/tests/system/dialup/ns1/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "example." { + type primary; + notify explicit; + also-notify { 10.53.0.2; }; + dialup yes; + file "example.db"; +}; diff --git a/bin/tests/system/dialup/ns1/root.db b/bin/tests/system/dialup/ns1/root.db index 7baffd2bf3..882da96696 100644 --- a/bin/tests/system/dialup/ns1/root.db +++ b/bin/tests/system/dialup/ns1/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dialup/ns2/hint.db b/bin/tests/system/dialup/ns2/hint.db index ffb6dcff3d..0198f2578a 100644 --- a/bin/tests/system/dialup/ns2/hint.db +++ b/bin/tests/system/dialup/ns2/hint.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dialup/ns2/named.conf b/bin/tests/system/dialup/ns2/named.conf deleted file mode 100644 index fdf06029e7..0000000000 --- a/bin/tests/system/dialup/ns2/named.conf +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - heartbeat-interval 2; - recursion no; - dnssec-validation no; -}; - -zone "." { - type hint; - file "hint.db"; -}; - -zone "example." { - type slave; - dialup passive; - notify no; - file "example.bk"; - masters { 10.53.0.1; }; -}; diff --git a/bin/tests/system/dialup/ns2/named.conf.in b/bin/tests/system/dialup/ns2/named.conf.in new file mode 100644 index 0000000000..382f5ce9a4 --- /dev/null +++ b/bin/tests/system/dialup/ns2/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type hint; + file "hint.db"; +}; + +zone "example." { + type secondary; + dialup passive; + notify no; + file "example.bk"; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/dialup/ns3/hint.db b/bin/tests/system/dialup/ns3/hint.db index ffb6dcff3d..0198f2578a 100644 --- a/bin/tests/system/dialup/ns3/hint.db +++ b/bin/tests/system/dialup/ns3/hint.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dialup/ns3/named.conf b/bin/tests/system/dialup/ns3/named.conf deleted file mode 100644 index 864b026b0c..0000000000 --- a/bin/tests/system/dialup/ns3/named.conf +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - heartbeat-interval 2; - recursion no; - dnssec-validation no; -}; - -zone "." { - type hint; - file "hint.db"; -}; - -zone "example." { - type slave; - dialup refresh; - notify no; - file "example.bk"; - masters { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dialup/ns3/named.conf.in b/bin/tests/system/dialup/ns3/named.conf.in new file mode 100644 index 0000000000..054a65893c --- /dev/null +++ b/bin/tests/system/dialup/ns3/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type hint; + file "hint.db"; +}; + +zone "example." { + type secondary; + dialup refresh; + notify no; + file "example.bk"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dialup/setup.sh b/bin/tests/system/dialup/setup.sh new file mode 100644 index 0000000000..dad3589a35 --- /dev/null +++ b/bin/tests/system/dialup/setup.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh index 8c150cdeeb..b68c71e049 100644 --- a/bin/tests/system/dialup/tests.sh +++ b/bin/tests/system/dialup/tests.sh 
@@ -1,21 +1,25 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh status=0 rm -f dig.out.* -DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p 5300" +DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}" # Check the example. domain @@ -28,7 +32,7 @@ do $DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1 if grep SERVFAIL dig.out.ns2.test > /dev/null then - try=`expr $try + 1` + try=$((try + 1)) sleep 1 else digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 @@ -37,7 +41,7 @@ do done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking that second zone transfer worked" ret=0 @@ -47,7 +51,7 @@ do $DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1 if grep SERVFAIL dig.out.ns3.test > /dev/null then - try=`expr $try + 1` + try=$((try + 1)) sleep 1 else digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 @@ -56,7 +60,7 @@ do done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dialup/tests_sh_dialup.py b/bin/tests/system/dialup/tests_sh_dialup.py new file mode 100644 index 0000000000..fa28e86dcf --- /dev/null +++ b/bin/tests/system/dialup/tests_sh_dialup.py 
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_dialup(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/digcomp.pl b/bin/tests/system/digcomp.pl
index 228caf4173..8024dea5e3 100644
--- a/bin/tests/system/digcomp.pl
+++ b/bin/tests/system/digcomp.pl
@@ -1,9 +1,11 @@
 #!/usr/bin/perl
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme
index e69de29bb2..8b13789179 100644
--- a/bin/tests/system/digdelv/ans4/startme
+++ b/bin/tests/system/digdelv/ans4/startme
@@ -0,0 +1 @@
+
diff --git a/bin/tests/system/digdelv/ans5/ans.pl b/bin/tests/system/digdelv/ans5/ans.pl
index 83754e7db8..63964060d7 100644
--- a/bin/tests/system/digdelv/ans5/ans.pl
+++ b/bin/tests/system/digdelv/ans5/ans.pl
@@ -1,9 +1,11 @@ #!/usr/bin/perl -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/digdelv/ans6/ans.pl b/bin/tests/system/digdelv/ans6/ans.pl index 5505b22535..39d02b2c69 100755 --- a/bin/tests/system/digdelv/ans6/ans.pl +++ b/bin/tests/system/digdelv/ans6/ans.pl @@ -1,9 +1,11 @@ #!/usr/bin/perl -w -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/digdelv/ans7/ans.pl b/bin/tests/system/digdelv/ans7/ans.pl index 0c62043c82..a7aa60eb9d 100755 --- a/bin/tests/system/digdelv/ans7/ans.pl +++ b/bin/tests/system/digdelv/ans7/ans.pl @@ -1,9 +1,11 @@ #!/usr/bin/perl -w -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
diff --git a/bin/tests/system/digdelv/ans8/ans.py b/bin/tests/system/digdelv/ans8/ans.py
new file mode 100644
index 0000000000..3e18edc1cc
--- /dev/null
+++ b/bin/tests/system/digdelv/ans8/ans.py
@@ -0,0 +1,202 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +import struct + +import dns, dns.message +from dns.rcode import * + +modes = [ + b"silent", # Do not respond + b"close", # UDP: same as silent; TCP: also close the connection + b"servfail", # Always respond with SERVFAIL + b"unstable", # Constantly switch between "silent" and "servfail" +] +mode = modes[0] +n = 0 + + +def ctrl_channel(msg): + global modes, mode, n + + msg = msg.splitlines().pop(0) + print("Received control message: %s" % msg) + + if msg in modes: + mode = msg + n = 0 + print("New mode: %s" % str(mode)) + + +def create_servfail(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(SERVFAIL) + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +ip4 = "10.53.0.8" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +try: + ctrlport = int(os.environ["EXTRAPORT1"]) +except: + ctrlport = 5300 + +query4_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_udp.bind((ip4, port)) + +query4_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +query4_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +query4_tcp.bind((ip4, port)) 
+query4_tcp.listen(100) + +ctrl4_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +ctrl4_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +ctrl4_tcp.bind((ip4, ctrlport)) +ctrl4_tcp.listen(100) + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, ctrlport)) +print("Ctrl-c to quit") + +input = [query4_udp, query4_tcp, ctrl4_tcp] + +hung_conns = [] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_udp: + n = n + 1 + print("UDP query received on %s" % ip4, end=" ") + msg = s.recvfrom(65535) + if ( + mode == b"silent" + or mode == b"close" + or (mode == b"unstable" and n % 2 == 1) + ): + # Do not respond. + print("NO RESPONSE (%s)" % str(mode)) + continue + elif mode == b"servfail" or (mode == b"unstable" and n % 2 == 0): + rsp = create_servfail(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE (can not create a response)") + else: + raise (Exception("unsupported mode: %s" % mode)) + elif s == query4_tcp: + n = n + 1 + print("TCP query received on %s" % ip4, end=" ") + conn = None + try: + if mode == b"silent" or (mode == b"unstable" and n % 2 == 1): + conn, addr = s.accept() + # Do not respond and hang the connection. + print("NO RESPONSE (%s)" % str(mode)) + hung_conns.append(conn) + continue + elif mode == b"close": + conn, addr = s.accept() + # Do not respond and close the connection. 
+ print("NO RESPONSE (%s)" % str(mode)) + conn.close() + continue + elif mode == b"servfail" or (mode == b"unstable" and n % 2 == 0): + conn, addr = s.accept() + # get TCP message length + msg = conn.recv(2) + if len(msg) != 2: + print("NO RESPONSE (can not read the message length)") + conn.close() + continue + length = struct.unpack(">H", msg[:2])[0] + msg = conn.recv(length) + if len(msg) != length: + print("NO RESPONSE (can not read the message)") + conn.close() + continue + rsp = create_servfail(msg) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + wire = rsp.to_wire() + conn.send(struct.pack(">H", len(wire))) + conn.send(wire) + else: + print("NO RESPONSE (can not create a response)") + else: + raise (Exception("unsupported mode: %s" % mode)) + except socket.error as e: + print("NO RESPONSE (error: %s)" % str(e)) + if conn: + conn.close() + elif s == ctrl4_tcp: + print("Control channel connected") + conn = None + try: + # Handle control channel input + conn, addr = s.accept() + msg = conn.recv(1024) + if msg: + ctrl_channel(msg) + conn.close() + except s.timeout: + pass + if conn: + conn.close() + + if not running: + break diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh index 5eeca086b3..70797f0b93 100644 --- a/bin/tests/system/digdelv/clean.sh +++ b/bin/tests/system/digdelv/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional 
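Review bot: `except s.timeout:` in the control-channel branch names the listening socket's `timeout` attribute (None unless `settimeout()` was called), not an exception class, so any `accept()`/`recv()` failure there raises `TypeError` from the except clause itself instead of being handled; use `except socket.timeout:` (or `except socket.error as e:` as the query branches already do) and keep the `conn.close()` cleanup. The `ctrlport` fallback is also 5300, identical to the `port` fallback, so with `EXTRAPORT1` unset the control socket binds to the same `ip4:port` as `query4_tcp` and the second `bind()` fails; the bare `except:` around `int(os.environ[...])` also hides a malformed value, so narrowing it to `except (KeyError, ValueError):` and picking a distinct default would make that failure mode obvious. In the TCP servfail path `conn.recv(2)` / `conn.recv(length)` assume a full read and `conn.send()` a full write; over TCP both can return short, so a small read-until-length loop plus `conn.sendall()` would avoid spurious "can not read the message" outcomes. The `running = False` in `sigterm` only assigns a local and has no effect, since `sys.exit(0)` follows anyway.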
@@ -11,10 +13,12 @@ set -e -rm -f ./*/anchor.* +rm -f ./anchor.* ./*/anchor.* rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run +rm -f ./ans*/ans.run +rm -f ./ans*/query.log rm -f ./delv.out.test* rm -f ./dig.out.*test* rm -f ./dig.out.mm.* @@ -24,7 +28,11 @@ rm -f ./dig.out.nn.* rm -f ./host.out.test* rm -f ./ns*/managed-keys.bind* rm -f ./ns*/named.lock -rm -f ./ns2/dsset-example. -rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata +rm -f ./ns*/K* ./ns*/keyid ./ns*/keydata +rm -f ./ns1/root.db +rm -f ./ns*/dsset-* +rm -f ./ns2/example.db +rm -f ./ns2/example.tld.db rm -f ./nslookup.out.test* +rm -f ./nsupdate.out.test* rm -f ./yamlget.out.* diff --git a/bin/tests/system/digdelv/ns1/named.conf.in b/bin/tests/system/digdelv/ns1/named.conf.in index ff1317892e..df552bd021 100644 --- a/bin/tests/system/digdelv/ns1/named.conf.in +++ b/bin/tests/system/digdelv/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db deleted file mode 100644 index 76ed2a0310..0000000000 --- a/bin/tests/system/digdelv/ns1/root.db +++ /dev/null 
@@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 -a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1 - -example. NS ns2.example. -ns2.example. A 10.53.0.2 -ns2.example. AAAA fd92:7065:b8e:ffff::2 diff --git a/bin/tests/system/digdelv/ns1/root.db.in b/bin/tests/system/digdelv/ns1/root.db.in new file mode 100644 index 0000000000..b43cc40390 --- /dev/null +++ b/bin/tests/system/digdelv/ns1/root.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 +a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 +ns2.example. AAAA fd92:7065:b8e:ffff::2 diff --git a/bin/tests/system/digdelv/ns1/sign.sh b/bin/tests/system/digdelv/ns1/sign.sh new file mode 100644 index 0000000000..2651c191c1 --- /dev/null +++ b/bin/tests/system/digdelv/ns1/sign.sh 
@@ -0,0 +1,31 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +set -e + +(cd ../ns2 && $SHELL sign.sh ) + +cp "../ns2/dsset-example." . + +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone .) + +cp root.db.in root.db + +"$SIGNER" -Sgz -f root.db -o . root.db.in > /dev/null 2>&1 + +keyfile_to_key_id "$ksk" > keyid +grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata +keyfile_to_initial_keys "$ksk" > anchor.dnskey diff --git a/bin/tests/system/digdelv/ns2/example.db.in b/bin/tests/system/digdelv/ns2/example.db.in index d69a7cb4b2..c711049e98 100644 --- a/bin/tests/system/digdelv/ns2/example.db.in +++ b/bin/tests/system/digdelv/ns2/example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in index 6a90c358de..6a6c2b9fb7 100644 --- a/bin/tests/system/digdelv/ns2/named.conf.in +++ b/bin/tests/system/digdelv/ns2/named.conf.in 
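Review bot: The signer's output is thrown away by `> /dev/null 2>&1` on the `"$SIGNER" -Sgz -f root.db -o . root.db.in` line, so when signing fails the `set -e` abort gives no indication of why; redirecting to a log file instead (for example `> signer.out 2>&1`, with that file added to clean.sh) keeps the diagnostic without changing the exit behaviour. The preceding `cp root.db.in root.db` looks redundant, since `-f root.db` makes the signer write that file itself — if it is there to leave an unsigned zone in place should signing fail, a one-line comment saying so would help. `#!/bin/sh -e` and the later `set -e` duplicate each other; only the `set -e` form takes effect when setup.sh runs the script as `$SHELL sign.sh`, so the shebang flag can go.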
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -30,3 +32,8 @@ zone "example" { type primary; file "example.db"; }; + +zone "example.tld" { + type primary; + file "example.tld.db"; +}; diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh index f6310e95c3..782b7a1a24 100644 --- a/bin/tests/system/digdelv/ns2/sign.sh +++ b/bin/tests/system/digdelv/ns2/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -25,3 +27,6 @@ grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds + +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld.) +"$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in > /dev/null 2>&1 diff --git a/bin/tests/system/digdelv/ns3/named.conf.in b/bin/tests/system/digdelv/ns3/named.conf.in index 5017085f70..66bb74891f 100644 --- a/bin/tests/system/digdelv/ns3/named.conf.in +++ b/bin/tests/system/digdelv/ns3/named.conf.in 
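Review bot: In the ns2/sign.sh hunk the added `ksk=$("$KEYGEN" ... -n zone example.tld.)` assignment is never read — the following `"$SIGNER" -Sz ...` presumably picks the key up from the directory via smart signing, and no `keyfile_to_*` call exports it the way the lines above do for example. Either drop the assignment (`"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld. > /dev/null`) or add the matching `keyfile_to_*` exports if the example.tld key is meant to be available to the tests. Reusing the name `ksk` also silently overwrites the handle for the example. key, which will surprise anyone adding lines below it later. Signer output is again discarded with `> /dev/null 2>&1`, so a signing failure leaves no diagnostic.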
@@ -1,16 +1,18 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ options { - query-source address 10.53.0.3 dscp 1; + query-source address 10.53.0.3; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; diff --git a/bin/tests/system/digdelv/setup.sh b/bin/tests/system/digdelv/setup.sh index aa966a40d5..92dd6bf3b2 100644 --- a/bin/tests/system/digdelv/setup.sh +++ b/bin/tests/system/digdelv/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -18,4 +20,4 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -cd ns2 && $SHELL sign.sh +cd ns1 && $SHELL sign.sh diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh index a30577139a..dbcb0c4449 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh 
@@ -1,19 +1,21 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + # shellcheck source=conf.sh . ../conf.sh -set -e - status=0 n=0 @@ -40,19 +42,18 @@ check_ttl_range() { case "$pos" in "3") - awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file + { awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true ;; *) - awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file + { awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true ;; esac - result=$? [ $result -eq 0 ] || echo_i "ttl check failed" return $result } -# using delv insecure mode as not testing dnssec here +# use delv insecure mode by default, as we're mostly not testing dnssec delv_with_opts() { "$DELV" +noroot -p "$PORT" "$@" } 
@@ -101,6 +102,24 @@ if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then fi +if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then + + n=$((n+1)) + echo_i "check nsupdate handles UPDATE response to QUERY ($n)" + ret=0 + res=0 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$? +server 10.53.0.7 ${PORT} +add x.example.com 300 in a 1.2.3.4 +send +EOF + test $res -eq 1 || ret=1 + grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +fi + if [ -x "$DIG" ] ; then if [ $checkupdate -eq 1 ] ; then @@ -369,24 +388,11 @@ if [ -x "$DIG" ] ; then fi n=$((n+1)) - echo_i "checking dig @IPv4addr -6 +mapped A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null && [ "$(uname -s)" != "OpenBSD" ] - then - ret=0 - dig_with_opts +tcp @10.53.0.2 -6 +mapped A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - else - echo_i "IPv6 or IPv4-to-IPv6 mapping unavailable; skipping" - fi - - n=$((n+1)) - echo_i "checking dig +tcp @IPv4addr -6 +nomapped A a.example ($n)" + echo_i "checking dig +tcp @IPv4addr -6 A a.example ($n)" if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null then ret=0 - dig_with_opts +tcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +tcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -395,11 +401,11 @@ if [ -x "$DIG" ] ; then fi n=$((n+1)) - echo_i "checking dig +notcp @IPv4addr -6 +nomapped A a.example ($n)" + echo_i "checking dig +notcp @IPv4addr -6 A a.example ($n)" if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null then ret=0 - dig_with_opts +notcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +notcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -535,17 +541,6 @@ if [ -x "$DIG" ] ; then if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - n=$((n+1)) - echo_i "checking dig +dscp ($n)" - ret=0 - dig_with_opts @10.53.0.3 +dscp=32 a a.example > /dev/null 2>&1 || ret=1 - dig_with_opts @10.53.0.3 +dscp=-1 a a.example > /dev/null 2>&1 && ret=1 - dig_with_opts @10.53.0.3 +dscp=64 a a.example > /dev/null 2>&1 && ret=1 - #TODO add a check to make sure dig is actually setting the dscp on the query - #we might have to add better logging to named for this - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - n=$((n+1)) echo_i "checking dig +ednsopt with option number ($n)" ret=0 @@ -569,7 +564,7 @@ if [ -x "$DIG" ] ; then ret=0 dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1 pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -668,7 +663,7 @@ if [ -x "$DIG" ] ; then # First defined EDE code, additional text "foo". dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 0 (Other): (foo)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -677,7 +672,7 @@ if [ -x "$DIG" ] ; then # Last defined EDE code, no additional text. dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 24 (Invalid Data)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -686,7 +681,7 @@ if [ -x "$DIG" ] ; then # First undefined EDE code, additional text "foo". dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 25: (foo)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -695,7 +690,7 @@ if [ -x "$DIG" ] ; then # EDE payload is too short dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1 pat='^; EDE:$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -704,7 +699,7 @@ if [ -x "$DIG" ] ; then # EDE payload is too short dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 00 (".")$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -792,7 +787,7 @@ if [ -x "$DIG" ] ; then ret=0 dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1 pat='^;-m\..*IN.*A$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -803,7 +798,7 @@ if [ -x "$DIG" ] ; then echo "no_response no_response" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -813,7 +808,7 @@ if [ -x "$DIG" ] ; then echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -823,7 +818,7 @@ if [ -x "$DIG" ] ; then echo "no_response partial_axfr" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -833,7 +828,7 @@ if [ -x "$DIG" ] ; then echo "partial_axfr no_response" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -843,7 +838,7 @@ if [ -x "$DIG" ] ; then echo "no_response complete_axfr" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -853,7 +848,7 @@ if [ -x "$DIG" ] ; then echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -863,7 +858,7 @@ if [ -x "$DIG" ] ; then echo "no_response no_response" | sendcmd 10.53.0.5 dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -872,7 +867,7 @@ if [ -x "$DIG" ] ; then ret=0 dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -906,7 +901,7 @@ if [ -x "$DIG" ] ; then ret=0 dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + grep "$pat" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -950,8 +945,8 @@ if [ -x "$DIG" ] ; then echo_i "check that dig +bufsize restores default bufsize ($n)" ret=0 dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1 - lines=`grep "EDNS:.* udp:" dig.out.test$n | wc -l` - lines1232=`grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l` + lines=$(grep "EDNS:.* udp:" dig.out.test$n | wc -l) + lines1232=$(grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l) test $lines -eq 2 || ret=1 test $lines1232 -eq 2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi 
@@ -991,6 +986,116 @@ if [ -x "$DIG" ] ; then if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) + # See [GL #3020] for more information + n=$((n+1)) + echo_i "check that dig handles UDP timeout followed by a SERVFAIL correctly ($n)" + # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) + echo "unstable" | sendcmd 10.53.0.8 + ret=0 + dig_with_opts +timeout=1 +nofail @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig handles TCP timeout followed by a SERVFAIL correctly ($n)" + # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) + echo "unstable" | sendcmd 10.53.0.8 + ret=0 + dig_with_opts +timeout=1 +nofail +tcp @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after a UDP socket network unreachable error ($n)" + ret=0 + dig_with_opts @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after a TCP socket network unreachable error ($n)" + ret=0 + dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i 
"failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after a UDP socket read error ($n)" + ret=0 + dig_with_opts @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after a TCP socket read error ($n)" + # Ask ans8 to be in "close" mode, which closes the connection after accepting it + echo "close" | sendcmd 10.53.0.8 + ret=0 + dig_with_opts +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + # Note that we combine TCP socket "connection error" and "timeout" cases in + # one, because it is not trivial to simulate the timeout case in a system test + # in Linux without a firewall, but the code which handles error cases during + # the connection establishment time does not differentiate between timeout and + # other types of errors (unlike during reading), so this one check should be + # sufficient for both cases. 
+ n=$((n+1)) + echo_i "check that dig tries the next server after a TCP socket connection error/timeout ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after UDP socket read timeouts ($n)" + # Ask ans8 to be in "silent" mode + echo "silent" | sendcmd 10.53.0.8 + ret=0 + dig_with_opts +timeout=1 @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that dig tries the next server after TCP socket read timeouts ($n)" + # Ask ans8 to be in "silent" mode + echo "silent" | sendcmd 10.53.0.8 + ret=0 + dig_with_opts +timeout=1 +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + # See [GL #3248] for more information + n=$((n+1)) + echo_i "check that dig correctly refuses to use a server with a IPv4 mapped IPv6 address after failing with a regular IP address ($n)" + ret=0 + dig_with_opts @10.53.0.8 @::ffff:10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F ";; Skipping mapped address" dig.out.test$n > /dev/null || ret=1 + grep -F ";; No acceptable nameservers" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + # See [GL #3244] for more information + n=$((n+1)) + echo_i "check that dig handles printing query information with +qr and +y when multiple queries are involved (including a failed query) ($n)" + ret=0 + 
dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + grep -F "IN A 10.0.0.1" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else echo_i "$DIG is needed, so skipping these dig tests" fi @@ -1276,7 +1381,7 @@ if [ -x "$DELV" ] ; then n=$((n+1)) echo_i "check delv +yaml output ($n)" ret=0 - delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n 2>&1 || ret=1 + delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1 $PYTHON yamlget.py delv.out.test$n status > yamlget.out.test$n 2>&1 || ret=1 read -r value < yamlget.out.test$n [ "$value" = "success" ] || ret=1 
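Review bot: The `@10.53.0.8 @::ffff:10.53.0.8` check (the GL #3248 case) only exercises the mapped-address fallback if the first query to 10.53.0.8 fails, which relies on ans8 still being in `silent` mode from the preceding "TCP socket read timeouts" check; nothing in this check sets the mode, so reordering or running a subset of the checks changes what it tests. Adding `echo "silent" | sendcmd 10.53.0.8` before its `ret=0`, as the neighbouring checks do, makes the precondition explicit. Separately, the "TCP socket connection error/timeout" count omits `-e "host unreachable"` from the grep list that the two "network unreachable" checks use; if that is intentional, a short comment would stop the next reader from "fixing" it, and the same comment could say that `-eq 3` is tied to dig's default retry count. The enclosing `if [ -x "$DIG" ]` block starts outside the hunk.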
@@ -1290,6 +1395,55 @@ if [ -x "$DELV" ] ; then if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) fi + + n=$((n+1)) + echo_i "check that delv handles REFUSED when chasing DS records ($n)" + delv_with_opts @10.53.0.2 +root xxx.example.tld A > delv.out.test$n 2>&1 || ret=1 + grep ";; resolution failed: broken trust chain" delv.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check NS output from delv +ns ($n)" + delv_with_opts -i +ns +nortrace +nostrace +nomtrace +novtrace +hint=../common/root.hint ns example > delv.out.test$n || ret=1 + lines=$(awk '$1 == "example." && $4 == "NS" {print}' delv.out.test$n | wc -l) + [ $lines -eq 2 ] || ret=1 + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +ns (no validation) ($n)" + ret=0 + delv_with_opts -i +ns +hint=../common/root.hint a a.example > delv.out.test$n || ret=1 + grep -q '; authoritative' delv.out.test$n || ret=1 + grep -q '_.example' delv.out.test$n && ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +ns +qmin (no validation) ($n)" + ret=0 + delv_with_opts -i +ns +qmin +hint=../common/root.hint a a.example > delv.out.test$n || ret=1 + grep -q '; authoritative' delv.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +ns (with validation) ($n)" + ret=0 + delv_with_opts -a ns1/anchor.dnskey +root +ns +hint=../common/root.hint a a.example > delv.out.test$n || ret=1 + grep -q '; fully validated' delv.out.test$n || ret=1 + grep -q '_.example' delv.out.test$n && ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +ns +qmin (with validation) ($n)" + ret=0 + delv_with_opts -a ns1/anchor.dnskey +root +ns +qmin +hint=../common/root.hint a a.example > delv.out.test$n || ret=1 + grep -q '; fully validated' 
delv.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + else echo_i "$DELV is needed, so skipping these delv tests" fi diff --git a/bin/tests/system/digdelv/tests_sh_digdelv.py b/bin/tests/system/digdelv/tests_sh_digdelv.py new file mode 100644 index 0000000000..2973c26a9f --- /dev/null +++ b/bin/tests/system/digdelv/tests_sh_digdelv.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_digdelv(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/digdelv/yamlget.py b/bin/tests/system/digdelv/yamlget.py index 60b14cb2d4..afa582dd9c 100644 --- a/bin/tests/system/digdelv/yamlget.py +++ b/bin/tests/system/digdelv/yamlget.py 
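Review bot: The first two added checks, "delv handles REFUSED when chasing DS records" and "check NS output from delv +ns", never reset `ret=0` before their `|| ret=1` lines, so a failure left in `ret` by the preceding check is counted into `status` a second time here and a genuine failure in these checks cannot be told apart from it; the `+ns` check also lacks the `if [ $ret -ne 0 ]; then echo_i "failed"; fi` line, so its failures would bump `status` without any message. Add `ret=0` after each of the two `echo_i` lines, and the missing failed message before the `+ns` check's `status=$((status+ret))`. The enclosing `if [ -x "$DELV" ]` block starts outside the hunk.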
@@ -1,25 +1,24 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ import sys try: import yaml -# flake8: noqa: E722 # pylint: disable=bare-except except: print("No python yaml module, skipping") sys.exit(1) -with open(sys.argv[1], "r") as f: +with open(sys.argv[1], "r", encoding="utf-8") as f: for item in yaml.safe_load_all(f): for key in sys.argv[2:]: try: diff --git a/bin/tests/system/dispatch/ans3/ans.py b/bin/tests/system/dispatch/ans3/ans.py new file mode 100644 index 0000000000..4e4ebacb0b --- /dev/null +++ b/bin/tests/system/dispatch/ans3/ans.py 
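Review bot: The bare `except:` around `import yaml` survives the cleanup that removed the `flake8: noqa` line, and it still swallows SystemExit and KeyboardInterrupt along with the import failure it is meant to detect. `except ImportError:` is the precise form and lets the `# pylint: disable=bare-except` line go as well. Since tests.sh treats the `sys.exit(1)` as a failed check rather than a skip, a comment on that line saying the "skipping" message is informational only would avoid confusion when reading the captured output.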
@@ -0,0 +1,99 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import select
+import signal
+import socket
+import sys
+import time
+
+import dns.flags
+import dns.message
+
+
+def port():
+ env_port = os.getenv("PORT")
+ if env_port is None:
+ env_port = 5300
+ else:
+ env_port = int(env_port)
+
+ return env_port
+
+
+def udp_listen(port):
+ udp = socket.socket(type=socket.SOCK_DGRAM)
+ udp.bind(("10.53.0.3", port))
+
+ return udp
+
+
+def tcp_listen(port):
+ tcp = socket.socket(type=socket.SOCK_STREAM)
+ tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ tcp.bind(("10.53.0.3", port))
+ tcp.listen(100)
+
+ return tcp
+
+
+def udp_tc_once(udp):
+ qrybytes, clientaddr = udp.recvfrom(65535)
+ qry = dns.message.from_wire(qrybytes)
+ answ = dns.message.make_response(qry)
+ answ.flags |= dns.flags.TC
+ answbytes = answ.to_wire()
+ udp.sendto(answbytes, clientaddr)
+
+
+def tcp_once(tcp):
+ csock, _clientaddr = tcp.accept()
+ time.sleep(5)
+ csock.close()
+
+
+def sigterm(signum, frame):
+ os.remove("ans.pid")
+ sys.exit(0)
+
+
+def write_pid():
+ with open("ans.pid", "w") as f:
+ pid = os.getpid()
+ f.write("{}".format(pid))
+
+
+signal.signal(signal.SIGTERM, sigterm)
+write_pid()
+
+udp = udp_listen(port())
+tcp = tcp_listen(port())
+
+input = [udp, tcp]
+
+while True:
+ try:
+ inputready, outputready, exceptready = select.select(input, [], [])
+ except select.error:
+ break
+ except socket.error:
+ break
+ except KeyboardInterrupt:
+ break
+
+ for s in inputready:
+ if s == udp:
+ udp_tc_once(udp)
+ if s == tcp:
+ tcp_once(tcp)
+
+sigterm(signal.SIGTERM, 0)
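Review bot: `udp_tc_once` hands every received datagram straight to `dns.message.from_wire` with no guard, and the main loop only catches `select.error`, `socket.error` and `KeyboardInterrupt`, so a truncated or malformed packet on 10.53.0.3 should raise a `dns.exception.DNSException` that unwinds the whole helper; because the `sigterm()` cleanup at the bottom is then never reached, `ans.pid` is left behind for the next run. Wrapping the `from_wire` call in a `try`/`except dns.exception.DNSException:` that simply returns (and adding `import dns.exception`) keeps the helper serving until it is terminated. As a point of style, the socket list is named `input`, which shadows the builtin; `sockets` or `readers` would avoid that.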
diff --git a/bin/tests/system/dispatch/clean.sh b/bin/tests/system/dispatch/clean.sh new file mode 100644 index 0000000000..608ec5ccf4 --- /dev/null +++ b/bin/tests/system/dispatch/clean.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/named.run ns*/named.conf ns*/named.pid ns*/managed-keys.bind* +rm -f ans*/ans.run ans*/ans.pid +rm -f ns*/named.memstats diff --git a/bin/tests/system/dispatch/ns1/named.conf.in b/bin/tests/system/dispatch/ns1/named.conf.in new file mode 100644 index 0000000000..d3337a5db4 --- /dev/null +++ b/bin/tests/system/dispatch/ns1/named.conf.in 
@@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + port @PORT@; + pid-file "named.pid"; + + listen-on { 10.53.0.1; }; + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + + listen-on-v6 { fd92:7065:b8e:ffff::1; }; + query-source-v6 address fd92:7065:b8e:ffff::1; + notify-source-v6 fd92:7065:b8e:ffff::1; + transfer-source-v6 fd92:7065:b8e:ffff::1; + + recursion no; + servfail-ttl 0; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/dispatch/ns1/root.db b/bin/tests/system/dispatch/ns1/root.db new file mode 100644 index 0000000000..b6b73675fd --- /dev/null +++ b/bin/tests/system/dispatch/ns1/root.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 300 SOA . . 0 0 0 0 0 +. 300 NS ns.nil. +ns.nil. 300 A 10.53.0.1 +example. 300 NS ns.example. +ns.example. 300 A 10.53.0.2 
diff --git a/bin/tests/system/dispatch/ns2/example.db b/bin/tests/system/dispatch/ns2/example.db new file mode 100644 index 0000000000..f60a47e37a --- /dev/null +++ b/bin/tests/system/dispatch/ns2/example.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 86400 IN SOA ns.example. root.example. 43 10800 900 604800 86400 +example. 86400 IN NS ns.example. +ns.example. A 10.53.0.2 + +ns.sub.example. A 10.53.0.3 +sub.example. NS ns.sub.example. diff --git a/bin/tests/system/dispatch/ns2/named.conf.in b/bin/tests/system/dispatch/ns2/named.conf.in new file mode 100644 index 0000000000..50f2c34494 --- /dev/null +++ b/bin/tests/system/dispatch/ns2/named.conf.in 
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + port @PORT@; + pid-file "named.pid"; + + listen-on { 10.53.0.2; }; + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + query-source-v6 address fd92:7065:b8e:ffff::2; + notify-source-v6 fd92:7065:b8e:ffff::2; + transfer-source-v6 fd92:7065:b8e:ffff::2; + + recursion yes; + servfail-ttl 0; + dnssec-validation no; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; diff --git a/bin/tests/system/dispatch/setup.sh b/bin/tests/system/dispatch/setup.sh new file mode 100644 index 0000000000..6929ec541d --- /dev/null +++ b/bin/tests/system/dispatch/setup.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf 
diff --git a/bin/tests/system/dispatch/tests_connreset.py b/bin/tests/system/dispatch/tests_connreset.py
new file mode 100644
index 0000000000..f74bfd719a
--- /dev/null
+++ b/bin/tests/system/dispatch/tests_connreset.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.query
+import dns.rcode
+
+
+def test_connreset(named_port):
+ msg = dns.message.make_query(
+ "sub.example.", "A", want_dnssec=True, use_edns=0, payload=1232
+ )
+ ans = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port)
+ assert ans.rcode() == dns.rcode.SERVFAIL
diff --git a/bin/tests/system/ditch.pl b/bin/tests/system/ditch.pl
index 5a62a524b4..e2082503d7 100644
--- a/bin/tests/system/ditch.pl
+++ b/bin/tests/system/ditch.pl
@@ -1,9 +1,11 @@
 #!/usr/bin/perl
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/dlz/.gitignore b/bin/tests/system/dlz/.gitignore
deleted file mode 100644
index eee491d3c6..0000000000
--- a/bin/tests/system/dlz/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-prereq.sh
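Review bot: `test_connreset` asserts SERVFAIL without saying why that is the expected answer; nothing in this file shows that the outcome depends on the ans3 helper in the same commit, which answers the UDP query for sub.example. with TC set and then accepts the TCP retry and closes it after a 5 s sleep. A docstring on the test such as `"""ans3 forces TCP via TC, then resets the TCP connection; named must answer SERVFAIL rather than hang."""` would let a reader judge the `timeout=10` margin against that 5 s sleep, which looks tight if the resolver retries. The `#!/usr/bin/python3` line is also misleading on a pytest module that is collected rather than executed and can be dropped.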
diff --git a/bin/tests/system/dlz/clean.sh b/bin/tests/system/dlz/clean.sh deleted file mode 100644 index 9e70fbb004..0000000000 --- a/bin/tests/system/dlz/clean.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -rm -f ns*/named.conf -rm -f dig.out.* -rm -f */named.memstats -rm -f */named.run -rm -f ns*/named.lock -rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= deleted file mode 100644 index 50d2ad0c40..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "DNAME 10 example.net.". diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= deleted file mode 100644 index 5faa45cefc..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "NS 10 example.com.". 
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= deleted file mode 100644 index ee74e03ede..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 None None None None" which is a malformed SOA record. diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= deleted file mode 100644 index 50d2ad0c40..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "DNAME 10 example.net.". diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= deleted file mode 100644 index 5faa45cefc..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "NS 10 example.com.". 
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= deleted file mode 100644 index 2f63999a56..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file is not read by the filesystem driver. -This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 0 0 0 10". diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 b/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 deleted file mode 100644 index 8a07d4faee..0000000000 --- a/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 +++ /dev/null @@ -1,6 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. - -The contents of this file are not read by the filesystem driver. -The presence of this file allows 10.53.0.1 to transfer this zone. diff --git a/bin/tests/system/dlz/ns1/named.conf.in b/bin/tests/system/dlz/ns1/named.conf.in deleted file mode 100644 index 273ff02c79..0000000000 --- a/bin/tests/system/dlz/ns1/named.conf.in +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; -}; - -dlz fszone { - database "filesystem dns-root/ dns.d xfr.d 0 ="; -}; diff --git a/bin/tests/system/dlz/prereq.sh b/bin/tests/system/dlz/prereq.sh deleted file mode 100644 index 7d8a3463df..0000000000 --- a/bin/tests/system/dlz/prereq.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -if ! $FEATURETEST --with-dlz-filesystem; then - echo_i "DLZ filesystem driver not supported" - exit 255 -fi -exit 0 diff --git a/bin/tests/system/dlz/setup.sh b/bin/tests/system/dlz/setup.sh deleted file mode 100644 index 7e31a69049..0000000000 --- a/bin/tests/system/dlz/setup.sh +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -$SHELL clean.sh -copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/dlz/tests.sh b/bin/tests/system/dlz/tests.sh deleted file mode 100644 index 4e75b0dba8..0000000000 --- a/bin/tests/system/dlz/tests.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -status=0 -n=0 - -rm -f dig.out.* - -DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" - -# Check the example.com. domain - -echo_i "checking DNAME at apex works ($n)" -ret=0 -$DIG $DIGOPTS +norec foo.example.com. \ - @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking DLZ IXFR=2010062899 (less than serial) ($n)" -ret=0 -$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking DLZ IXFR=2010062900 (equal serial) ($n)" -ret=0 -$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 -grep "example.com..*10.IN.NS.example.com." 
dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking DLZ IXFR=2010062901 (greater than serial) ($n)" -ret=0 -$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 -grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking DLZ with a malformed SOA record" -ret=0 -$DIG $DIGOPTS broken.com type600 @10.53.0.1 > dig.out.ns1.test$n -grep status: dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dlzexternal/clean.sh b/bin/tests/system/dlzexternal/clean.sh index 65b4725a8a..2bbf75b214 100644 --- a/bin/tests/system/dlzexternal/clean.sh +++ b/bin/tests/system/dlzexternal/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dlzexternal/driver/Makefile.am b/bin/tests/system/dlzexternal/driver/Makefile.am index a8211d1fb1..0028edb573 100644 --- a/bin/tests/system/dlzexternal/driver/Makefile.am +++ b/bin/tests/system/dlzexternal/driver/Makefile.am 
@@ -4,7 +4,7 @@ AM_CPPFLAGS += \ $(LIBISC_CFLAGS) \ $(LIBDNS_CFLAGS) -check_LTLIBRARIES = dlzexternal.la +noinst_LTLIBRARIES = dlzexternal.la dlzexternal_la_SOURCES = \ driver.c \ diff --git a/bin/tests/system/dlzexternal/driver/driver.c b/bin/tests/system/dlzexternal/driver/driver.c index 3a98a32f5b..20edfd03e4 100644 --- a/bin/tests/system/dlzexternal/driver/driver.c +++ b/bin/tests/system/dlzexternal/driver/driver.c @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. @@ -255,10 +257,9 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata, struct dlz_example_data *state; const char *helper_name; va_list ap; - char soa_data[1024]; - const char *extra; + char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")]; isc_result_t result; - int n; + size_t n; UNUSED(dlzname); @@ -292,19 +293,19 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata, sprintf(state->zone_name, "%s.", argv[1]); } + /* + * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr. + */ if (strcmp(state->zone_name, ".") == 0) { - extra = ".root"; + n = strlcpy(soa_data, + "@ hostmaster.root 123 900 600 86400 3600", + sizeof(soa_data)); } else { - extra = "."; + n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600", + sizeof(soa_data)); } - n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600", - state->zone_name, extra, state->zone_name); - - if (n < 0) { - CHECK(ISC_R_FAILURE); - } - if ((unsigned)n >= sizeof(soa_data)) { + if (n >= sizeof(soa_data)) { CHECK(ISC_R_NOSPACE); } 
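Review bot: In the `@@ -292` hunk `soa_data` is now sized to exactly the longer of the two literals, so `n >= sizeof(soa_data)` cannot be true for either `strlcpy` call; keeping the guard is fine, but the new comment above it (`Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr`) reads as though this check were the trigger. A clarifying line such as `/* Both literals fit; the size check only guards future edits. */` next to the guard would prevent that misreading. The rest of dlz_create lies outside the hunk.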
@@ -479,8 +480,7 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, * If the DLZ only operates on 'live' data, then version * wouldn't necessarily be needed. */ - if (clientinfo != NULL && clientinfo->version >= DNS_CLIENTINFO_VERSION) - { + if (clientinfo != NULL && clientinfo->version >= 2) { dbversion = clientinfo->dbversion; if (dbversion != NULL && *(bool *)dbversion) { loginfo("dlz_example: lookup against live transaction"); @@ -488,6 +488,7 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, } if (strcmp(name, "source-addr") == 0) { + char ecsbuf[DNS_ECS_FORMATSIZE] = "not supported"; strncpy(buf, "unknown", sizeof(buf)); if (methods != NULL && methods->sourceip != NULL && (methods->version - methods->age <= @@ -497,6 +498,17 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, methods->sourceip(clientinfo, &src); fmt_address(src, buf, sizeof(buf)); } + if (clientinfo != NULL && clientinfo->version >= 3) { + if (clientinfo->ecs.addr.family != AF_UNSPEC) { + dns_ecs_format(&clientinfo->ecs, ecsbuf, + sizeof(ecsbuf)); + } else { + snprintf(ecsbuf, sizeof(ecsbuf), "%s", + "not present"); + } + } + i = strlen(buf); + snprintf(buf + i, sizeof(buf) - i - 1, " ECS %s", ecsbuf); loginfo("dlz_example: lookup connection from %s", buf); @@ -508,7 +520,8 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, } if (strcmp(name, "too-long") == 0 || - strcmp(zone, "bigcname.domain") == 0) { + strcmp(zone, "bigcname.domain") == 0) + { for (i = 0; i < 511; i++) { buf[i] = 'x'; } @@ -530,7 +543,8 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, } if (strcmp(name, "long.name.is.not.there") == 0 && - strcmp(zone, ".") == 0) { + strcmp(zone, ".") == 0) + { result = state->putrr(lookup, "A", 0, "100.100.100.3"); found = true; if (result != ISC_R_SUCCESS) { diff --git a/bin/tests/system/dlzexternal/driver/driver.h b/bin/tests/system/dlzexternal/driver/driver.h index 3dc3cb1175..2c1a594a29 100644 
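Review bot: In the `@@ -497` hunk the ECS suffix is appended with `snprintf(buf + i, sizeof(buf) - i - 1, " ECS %s", ecsbuf);`, which is only well-defined while `i` (declared outside the hunk) is strictly below `sizeof(buf)`; that holds today because `buf` contains either "unknown" or a formatted address, but the extra `- 1` is redundant since snprintf already reserves the terminator, and `snprintf(buf + i, sizeof(buf) - i, " ECS %s", ecsbuf);` leaves one fewer thing to verify. The `@@ -479` hunk replaces `DNS_CLIENTINFO_VERSION` with the bare literal `2`, and this hunk adds `>= 3`; a one-line comment at each, e.g. `/* version 3 added the ecs field */` (inferred from the field used), would explain the numbers to the next reader.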
--- a/bin/tests/system/dlzexternal/driver/driver.h +++ b/bin/tests/system/dlzexternal/driver/driver.h @@ -1,6 +1,8 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in index 1fa0d45809..f8b36e9620 100644 --- a/bin/tests/system/dlzexternal/ns1/named.conf.in +++ b/bin/tests/system/dlzexternal/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -21,11 +23,12 @@ options { allow-transfer { !10.53.0.1; any; }; recursion no; notify yes; + dnssec-validation no; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; include "ddns.key"; @@ -46,6 +49,11 @@ dlz "example three" { database "dlopen ../driver/.libs/dlzexternal.so example.org"; }; +dlz "example four" { + // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr. + database "dlopen ../driver/.libs/dlzexternal.so 123456789.123456789.123456789.123456789.123456789.example.foo"; +}; + dlz "unsearched1" { database "dlopen ../driver/.libs/dlzexternal.so other.nil"; search no; 
diff --git a/bin/tests/system/dlzexternal/ns1/root.db b/bin/tests/system/dlzexternal/ns1/root.db index 45a6b04c59..6cbe5798ca 100644 --- a/bin/tests/system/dlzexternal/ns1/root.db +++ b/bin/tests/system/dlzexternal/ns1/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dlzexternal/prereq.sh b/bin/tests/system/dlzexternal/prereq.sh index 4e1817215a..066a74eb09 100644 --- a/bin/tests/system/dlzexternal/prereq.sh +++ b/bin/tests/system/dlzexternal/prereq.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh index ffa6e337bd..dda16df058 100644 --- a/bin/tests/system/dlzexternal/setup.sh +++ b/bin/tests/system/dlzexternal/setup.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh index 39af1bba17..a86ea7e9ca 100644 --- a/bin/tests/system/dlzexternal/tests.sh +++ b/bin/tests/system/dlzexternal/tests.sh @@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh status=0 @@ -18,7 +22,7 @@ DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie" RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=`expr $n + 1` + n=$((n + 1)) echo_i "${1} (${n})" ret=0 } @@ -43,8 +47,8 @@ EOF return 1 } - out=`$DIG $DIGOPTS -t $type -q $host | egrep "^$host"` - lines=`echo "$out" | grep "$digout" | wc -l` + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host") + lines=$(echo "$out" | grep "$digout" | wc -l) [ $lines -eq 1 ] || { [ "$should_fail" ] || \ echo_i "dig output incorrect for $host $type $cmd: $out" 
@@ -54,22 +58,22 @@ EOF } test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) test_update testdc3.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1 -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing nxrrset" -$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n +$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n || ret=1 grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing prerequisites are checked correctly" cat > ns1/update.txt << EOF @@ -79,17 +83,17 @@ update add testdc3.example.nil 86500 in a 10.53.0.12 send EOF $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1 -out=`$DIG $DIGOPTS +short a testdc3.example.nil` +out=$($DIG $DIGOPTS +short a testdc3.example.nil) [ "$out" = "10.53.0.12" ] && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing passing client info into DLZ driver" -out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'` -addr=`eval echo "$out" | cut -f1 -d'#'` +out=$($DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;') +addr=$(eval echo "$out" | cut -f1 -d'#') [ "$addr" = "10.53.0.1" ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing DLZ driver is cleaned up on reload" rndc_reload ns1 10.53.0.1 
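Review bot: With `set -e` now enabled at the top of this script (the `@@ -1,14 +1,18 @@` hunk), the bare assignments `out=$($DIG $DIGOPTS +short a testdc3.example.nil)` and `out=$($DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;')` in the `@@ -79` hunk carry the substitution's exit status, so a failing dig — or a `grep -v` that selects nothing — aborts the whole run instead of recording `ret=1` the way the `$DIG ... > dig.out.$n || ret=1` lines now do. Appending `|| ret=1` to those two assignments keeps the failure counting consistent. The following `addr=$(eval echo "$out" | cut -f1 -d'#')` also passes text returned by the server through `eval`; if the eval exists only to strip the TXT quoting, `tr -d '"'` does that without evaluating the response as shell.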
@@ -100,95 +104,95 @@ for i in 0 1 2 3 4 5 6 7 8 9; do sleep 1 done [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing multiple DLZ drivers" test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing AXFR from DLZ drivers" -$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n -lines=`cat dig.out.example.ns1.test$n | wc -l` +$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1 +lines=$(cat dig.out.example.ns1.test$n | wc -l) [ ${lines:-0} -eq 4 ] || ret=1 -$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n -lines=`cat dig.out.alternate.ns1.test$n | wc -l` +$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1 +lines=$(cat dig.out.alternate.ns1.test$n | wc -l) [ ${lines:-0} -eq 5 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing AXFR denied from DLZ drivers" -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1 grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1 grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing AXFR denied based on view ACL" # 10.53.0.1 should be disallowed -$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 +$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 || ret=1 
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1 # 10.53.0.2 should be allowed -$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 +$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 || ret=1 grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing unsearched/unregistered DLZ zone is not found" -$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n +$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n || ret=1 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n +$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1 grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n +$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1 grep "3600.IN.NS.zone.nil." 
dig.out.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing correct behavior with findzone returning ISC_R_NOMORE" $DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database -lines=`grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -lines=`grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing findzone can return different results per client" $DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database -lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 $DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1 # we should find several logged lookups this time -lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -gt 2 ] || ret=1 -lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l) [ $lines -gt 2 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` 
+status=$((status + ret)) newtest "testing zone returning oversized data" $DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1 grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "testing zone returning oversized data at zone origin" $DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1 grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$((status + ret)) newtest "checking redirected lookup for nonexistent name" $DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1 
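Review bot: The "AXFR denied" checks for example.nil and alternate.nil, and the view-ACL check for 10.53.0.1, only assert that dig printed `; Transfer failed`, which a transfer that was cut off after delivering some records would print as well; since the output is `+noall +answer`, any non-comment line is a leaked RR, so the denial tests should also assert the answer is empty, e.g. `grep -v '^;' dig.out.example.ns1.test$n > /dev/null && ret=1` (and likewise for the other two files). Separately, the "testing unsearched/registered DLZ zone is found" block appears twice back to back with identical commands; the second copy looks like a paste duplicate and inflates the test count without adding coverage.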
@@ -196,24 +200,32 @@ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) newtest "checking no redirected lookup for nonexistent type" $DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1 grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) newtest "checking redirected lookup for a long nonexistent name" $DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1 grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1 grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 -lookups=`grep "lookup #.*\.not\.there" ns1/named.run | wc -l` +lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l) [ "$lookups" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) + +newtest "checking ECS data is passed to driver in clientinfo" +$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1 +grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1 +grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dlzexternal/tests_sh_dlzexternal.py b/bin/tests/system/dlzexternal/tests_sh_dlzexternal.py new file mode 100644 index 0000000000..1c0f7e5a29 --- /dev/null 
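Review bot: In the new ECS check, `grep "192.0.0.0/16/0"` is an unanchored regex in which every `.` matches any character; since the expected value is a literal, `grep -F "192.0.0.0/16/0"` states the intent and cannot be satisfied by a near miss. The negative case only checks for `not.*present`; because the point of the test is that client-supplied ECS data reaches the driver only when sent, it is worth also asserting that no remnant of the previous query's subnet shows up in the no-ECS reply, e.g. `grep "192.0" dig.out.ns1.test$n.2 > /dev/null && ret=1`, which would catch clientinfo being carried over between queries.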
+++ b/bin/tests/system/dlzexternal/tests_sh_dlzexternal.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_dlzexternal(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/dns64/clean.sh b/bin/tests/system/dns64/clean.sh index 3bfa5166ed..b773e2d70f 100644 --- a/bin/tests/system/dns64/clean.sh +++ b/bin/tests/system/dns64/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dns64/conf/bad1.conf b/bin/tests/system/dns64/conf/bad1.conf index 3f749175fd..a4b7e7f027 100644 --- a/bin/tests/system/dns64/conf/bad1.conf +++ b/bin/tests/system/dns64/conf/bad1.conf 
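Review bot: test_dlzexternal has no docstring, and nothing in this file says what `run_tests_sh` is or where it comes from (it is presumably a pytest fixture defined in a shared conftest). A one-liner keeps the wrapper self-explanatory for anyone landing here from a junit report: `"""Run the legacy dlzexternal/tests.sh shell suite via the run_tests_sh fixture."""`.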
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad10.conf b/bin/tests/system/dns64/conf/bad10.conf index efd5d20ae3..21855f69b4 100644 --- a/bin/tests/system/dns64/conf/bad10.conf +++ b/bin/tests/system/dns64/conf/bad10.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:0100:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad11.conf b/bin/tests/system/dns64/conf/bad11.conf index 0e420a5322..c3bdd92fed 100644 --- a/bin/tests/system/dns64/conf/bad11.conf +++ b/bin/tests/system/dns64/conf/bad11.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad12.conf b/bin/tests/system/dns64/conf/bad12.conf index 539b184c54..6ffe7209f2 100644 --- a/bin/tests/system/dns64/conf/bad12.conf +++ b/bin/tests/system/dns64/conf/bad12.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad13.conf b/bin/tests/system/dns64/conf/bad13.conf index 3728ecfc70..dc6c06474f 100644 --- a/bin/tests/system/dns64/conf/bad13.conf +++ b/bin/tests/system/dns64/conf/bad13.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad14.conf b/bin/tests/system/dns64/conf/bad14.conf index c2ac4f9d98..985101abf5 100644 --- a/bin/tests/system/dns64/conf/bad14.conf +++ b/bin/tests/system/dns64/conf/bad14.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad15.conf b/bin/tests/system/dns64/conf/bad15.conf index 357ae80684..0931a55bca 100644 --- a/bin/tests/system/dns64/conf/bad15.conf +++ b/bin/tests/system/dns64/conf/bad15.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad16.conf b/bin/tests/system/dns64/conf/bad16.conf index 5e17457f16..3a8b962b90 100644 --- a/bin/tests/system/dns64/conf/bad16.conf +++ b/bin/tests/system/dns64/conf/bad16.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad17.conf b/bin/tests/system/dns64/conf/bad17.conf index 71966d2758..6c9079b452 100644 --- a/bin/tests/system/dns64/conf/bad17.conf +++ b/bin/tests/system/dns64/conf/bad17.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf index 82fac1ad4e..566e177503 100644 --- a/bin/tests/system/dns64/conf/bad18.conf +++ b/bin/tests/system/dns64/conf/bad18.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf index 79290c116d..8a9fb76184 100644 --- a/bin/tests/system/dns64/conf/bad19.conf +++ b/bin/tests/system/dns64/conf/bad19.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */ }; diff --git a/bin/tests/system/dns64/conf/bad2.conf b/bin/tests/system/dns64/conf/bad2.conf index 79bc04f319..d27599853c 100644 --- a/bin/tests/system/dns64/conf/bad2.conf +++ b/bin/tests/system/dns64/conf/bad2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad3.conf b/bin/tests/system/dns64/conf/bad3.conf index 76f160693a..24971b3dd6 100644 --- a/bin/tests/system/dns64/conf/bad3.conf +++ b/bin/tests/system/dns64/conf/bad3.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad4.conf b/bin/tests/system/dns64/conf/bad4.conf index fbf60d1b81..bc73ca5cf3 100644 --- a/bin/tests/system/dns64/conf/bad4.conf +++ b/bin/tests/system/dns64/conf/bad4.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad5.conf b/bin/tests/system/dns64/conf/bad5.conf index fbf60d1b81..bc73ca5cf3 100644 --- a/bin/tests/system/dns64/conf/bad5.conf +++ b/bin/tests/system/dns64/conf/bad5.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad6.conf b/bin/tests/system/dns64/conf/bad6.conf index c29bb3e8ed..1d85ab941a 100644 --- a/bin/tests/system/dns64/conf/bad6.conf +++ b/bin/tests/system/dns64/conf/bad6.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad7.conf b/bin/tests/system/dns64/conf/bad7.conf index 06919f99b9..afbf437d56 100644 --- a/bin/tests/system/dns64/conf/bad7.conf +++ b/bin/tests/system/dns64/conf/bad7.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad8.conf b/bin/tests/system/dns64/conf/bad8.conf index 794ad7e4a3..9aa423f695 100644 --- a/bin/tests/system/dns64/conf/bad8.conf +++ b/bin/tests/system/dns64/conf/bad8.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/bad9.conf b/bin/tests/system/dns64/conf/bad9.conf index af4b6d912f..b74204c004 100644 --- a/bin/tests/system/dns64/conf/bad9.conf +++ b/bin/tests/system/dns64/conf/bad9.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/good1.conf b/bin/tests/system/dns64/conf/good1.conf index 8013b94b69..d84733e201 100644 --- a/bin/tests/system/dns64/conf/good1.conf +++ b/bin/tests/system/dns64/conf/good1.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/good2.conf b/bin/tests/system/dns64/conf/good2.conf index 4bd4780a58..41b57304ac 100644 --- a/bin/tests/system/dns64/conf/good2.conf +++ b/bin/tests/system/dns64/conf/good2.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/good3.conf b/bin/tests/system/dns64/conf/good3.conf index aa07886dcb..450b2e0eb8 100644 --- a/bin/tests/system/dns64/conf/good3.conf +++ b/bin/tests/system/dns64/conf/good3.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/good4.conf b/bin/tests/system/dns64/conf/good4.conf index 7ba43076cd..2c57f23656 100644 --- a/bin/tests/system/dns64/conf/good4.conf +++ b/bin/tests/system/dns64/conf/good4.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/conf/good5.conf b/bin/tests/system/dns64/conf/good5.conf index 8a558ba310..f6027a42cc 100644 --- a/bin/tests/system/dns64/conf/good5.conf +++ b/bin/tests/system/dns64/conf/good5.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dns64/ns1/example.db b/bin/tests/system/dns64/ns1/example.db index d91fccede6..8253f1dfa0 100644 --- a/bin/tests/system/dns64/ns1/example.db +++ b/bin/tests/system/dns64/ns1/example.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dns64/ns1/ipv4only.arpa.db b/bin/tests/system/dns64/ns1/ipv4only.arpa.db index 92257ad079..9e0726ded0 100644 --- a/bin/tests/system/dns64/ns1/ipv4only.arpa.db +++ b/bin/tests/system/dns64/ns1/ipv4only.arpa.db @@ -1,3 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + ipv4only.arpa. 3600 IN SOA . . 2018112766 7200 3600 604800 3600 ipv4only.arpa. 3600 IN NS . ipv4only.arpa. 3600 IN A 192.0.0.170 diff --git a/bin/tests/system/dns64/ns1/named.conf1.in b/bin/tests/system/dns64/ns1/named.conf1.in index f2c3a2c473..aaf7aab096 100644 --- a/bin/tests/system/dns64/ns1/named.conf1.in +++ b/bin/tests/system/dns64/ns1/named.conf1.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -56,6 +58,6 @@ zone "signed" { }; zone "ipv4only.arpa" { - type master; + type primary; file "ipv4only.arpa.db"; }; diff --git a/bin/tests/system/dns64/ns1/named.conf2.in b/bin/tests/system/dns64/ns1/named.conf2.in index 5b5b0b455c..f3fc40f645 100644 --- a/bin/tests/system/dns64/ns1/named.conf2.in +++ b/bin/tests/system/dns64/ns1/named.conf2.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -59,6 +61,6 @@ zone "signed" { }; zone "ipv4only.arpa" { - type master; + type primary; file "ipv4only.arpa.db"; }; diff --git a/bin/tests/system/dns64/ns1/named.conf3.in b/bin/tests/system/dns64/ns1/named.conf3.in index 2b4212cd0d..cb6237b0e7 100644 --- a/bin/tests/system/dns64/ns1/named.conf3.in +++ b/bin/tests/system/dns64/ns1/named.conf3.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -48,6 +50,6 @@ zone "signed" { }; zone "ipv4only.arpa" { - type master; + type primary; file "ipv4only.arpa.db"; }; diff --git a/bin/tests/system/dns64/ns1/root.db b/bin/tests/system/dns64/ns1/root.db index 532063c05c..0e3bbeeb8a 100644 --- a/bin/tests/system/dns64/ns1/root.db +++ b/bin/tests/system/dns64/ns1/root.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh index 7e2a38873a..348ca8af53 100644 --- a/bin/tests/system/dns64/ns1/sign.sh +++ b/bin/tests/system/dns64/ns1/sign.sh 
@@ -1,9 +1,11 @@
 #!/bin/sh -e
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
@@ -15,8 +17,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
 
-key1=`$KEYGEN -q -a rsasha256 $zone`
-key2=`$KEYGEN -q -a rsasha256 -fk $zone`
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
 
 cat $infile $key1.key $key2.key > $zonefile
 
diff --git a/bin/tests/system/dns64/ns2/named.conf.in b/bin/tests/system/dns64/ns2/named.conf.in
index 47f937f978..be92d1a045 100644
--- a/bin/tests/system/dns64/ns2/named.conf.in
+++ b/bin/tests/system/dns64/ns2/named.conf.in
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/dns64/ns2/rpz.db b/bin/tests/system/dns64/ns2/rpz.db
index d08a83b38b..014cbf0e16 100644
--- a/bin/tests/system/dns64/ns2/rpz.db
+++ b/bin/tests/system/dns64/ns2/rpz.db
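Review bot: The two new key1/key2 lines in the sign.sh `@@ -15,8` hunk expand `$KEYGEN`, `$DEFAULT_ALGORITHM` and `$zone` unquoted, so an unset or empty DEFAULT_ALGORITHM (presumably supplied by the sourced test configuration, which is outside this hunk) makes `-a` consume the zone name and the run dies on a keygen usage error instead of a message naming the real cause. A guard ahead of the first substitution, `: "${DEFAULT_ALGORITHM:?DEFAULT_ALGORITHM is not set}"`, fails with a clear diagnostic, and quoting the expansions, `key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")`, keeps word splitting out of the command line. The `-e` in the shebang does already abort the script when the substitution fails, so this is about diagnosability rather than a silent miss.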
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dns64/setup.sh b/bin/tests/system/dns64/setup.sh
index 1ab143111c..6771f3f2b2 100644
--- a/bin/tests/system/dns64/setup.sh
+++ b/bin/tests/system/dns64/setup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh -e
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
index bf0ca7a51f..4ee42dce4c 100644
--- a/bin/tests/system/dns64/tests.sh
+++ b/bin/tests/system/dns64/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 . ../conf.sh
 
 status=0
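Review bot: The new `set -e` in the tests.sh header hunk deserves a comment, because the script deliberately keeps running past failing commands through `|| ret=1` and `&& ret=1`, and a reader will wonder which failures still abort the run; a line such as `# Abort on unexpected errors; expected failures are recorded with "|| ret=1" / "&& ret=1" and do not stop the run.` above it would settle that. The `&& ret=1` form only survives `set -e` because the failing command is not the last one in the AND-OR list, so that invariant is worth naming in the same comment. setup.sh and sign.sh in this commit still rely on `#!/bin/sh -e`, which is lost if the runner starts them as `sh setup.sh`; if that is how they are invoked, an in-body `set -e` there as well would make the three scripts consistent.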
@@ -23,9 +27,9 @@ do
 echo_i "checking that $conf is accepted ($n)"
 ret=0
 $CHECKCONF "$conf" || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 done
 
 for conf in conf/bad*.conf
@@ -33,9 +37,9 @@ do
 echo_i "checking that $conf is rejected ($n)"
 ret=0
 $CHECKCONF "$conf" >/dev/null && ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
 done
 
 # Check the example. domain
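Review bot: The bookkeeping triple `n=$((n + 1))`, the failure echo and `status=$((status + ret))` is rewritten verbatim at the end of both loops in this hunk and at the end of every check in each later tests.sh hunk of this commit (the dig checks from `@@ -45,45` onward), which makes this the moment to fold it into one helper so a future change to the counting or reporting is made once. A `finish_check` function defined in the script's head (outside this hunk) and called in place of the three lines preserves behaviour exactly, since `n`, `ret` and `status` are plain globals, and the `if [ $ret != 0 ]` test gains quoting for free inside it.
```shell
# Close out check $n: report a failure, fold it into $status and
# advance to the next check number.  Relies on the globals n/ret/status.
finish_check() {
	n=$((n + 1))
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}

	# … unchanged: echo_i / ret=0 / $CHECKCONF "$conf" || ret=1 …
	finish_check
done
```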
@@ -45,45 +49,45 @@ ret=0 $DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA lookup works ($n)" ret=0 $DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works ($n)" ret=0 $DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works ($n)" ret=0 $DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)" ret=0 $DIG $DIGOPTS a-and-mapped.example. 
@10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)" ret=0 @@ -92,27 +96,27 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1 grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1 grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking default exclude acl works with AAAA only ($n)" ret=0 $DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking default exclude acl A only lookup works ($n)" ret=0 $DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works ($n)" ret=0 
@@ -120,9 +124,9 @@ $DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > di grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)" ret=0 @@ -130,9 +134,9 @@ $DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > d grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)" ret=0 
@@ -140,125 +144,125 @@ $DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AAAA only lookup works ($n)" ret=0 $DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A only lookup works ($n)" ret=0 $DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A and AAAA lookup works ($n)" ret=0 $DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-mapped A lookup works ($n)" ret=0 $DIG $DIGOPTS a-not-mapped.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NODATA AAAA lookup works ($n)" ret=0 $DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-existent AAAA lookup works ($n)" ret=0 $DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-excluded-only.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A only via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-a-only.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup works ($n)" ret=0 @@ -266,9 +270,9 @@ $DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup works ($n)" ret=0 
@@ -276,18 +280,18 @@ $DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2. grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup works ($n)" ret=0 $DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the example. domain recursive only 
@@ -296,36 +300,36 @@ ret=0 $DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)" ret=0 
@@ -333,9 +337,9 @@ $DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > di grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)" ret=0 @@ -343,9 +347,9 @@ $DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > d grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)" ret=0 
@@ -353,89 +357,89 @@ $DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AAAA only lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A only lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A and AAAA lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-mapped A lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS a-not-mapped.example. 
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NODATA AAAA lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-existent AAAA lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-excluded-only.example. 
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)" ret=0 
@@ -443,36 +447,36 @@ $DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig. grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A only via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)" ret=0 
@@ -480,9 +484,9 @@ $DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)" ret=0 @@ -490,18 +494,18 @@ $DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2. grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)" ret=0 $DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # Check the example. domain recursive only w/o recursion @@ -510,9 +514,9 @@ ret=0 $DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)" ret=0 
@@ -520,9 +524,9 @@ $DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.o grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)" ret=0 @@ -530,18 +534,18 @@ $DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig. grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)" ret=0 @@ -550,9 +554,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)" ret=0 
@@ -561,9 +565,9 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)" ret=0 
@@ -572,71 +576,71 @@ grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AAAA only lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A only lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking A and AAAA lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-mapped A lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec a-not-mapped.example. 
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 $DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 
@@ -644,9 +648,9 @@ $DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)"
ret=0
@@ -654,9 +658,9 @@ $DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)"
ret=0
@@ -664,18 +668,18 @@ $DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)"
ret=0
$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)"
ret=0
@@ -683,18 +687,18 @@ $DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.ou
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME a-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)"
ret=0
$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)"
ret=0
@@ -702,9 +706,9 @@ $DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)"
ret=0
@@ -712,18 +716,18 @@ $DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.o
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)"
ret=0
$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Check the example. domain from non client
@@ -732,152 +736,152 @@ ret=0
$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS aaaa-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS mx-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-bad-a.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-a-and-aaaa.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)"
ret=0
@@ -885,9 +889,9 @@ $DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)"
ret=0
@@ -895,18 +899,18 @@ $DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)"
ret=0
$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Check the signed. domain
@@ -915,152 +919,152 @@ ret=0
$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS aaaa-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS mx-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-bad-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-a-and-aaaa.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)"
ret=0
@@ -1068,9 +1072,9 @@ $DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)"
ret=0
@@ -1078,18 +1082,18 @@ $DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.t
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)"
ret=0
$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
# Check the signed. domain
echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)"
@@ -1097,134 +1101,134 @@ ret=0
$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec aaaa-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec mx-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
@@ -1232,18 +1236,18 @@ $DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.ou
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
@@ -1251,9 +1255,9 @@ $DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
@@ -1261,43 +1265,43 @@ $DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.o
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
echo_i "checking reverse mapping ($n)"
ret=0
$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
-list=`$DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort`
+list=$($DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort)
for a in $list
do
ret=0
echo_i "checking reverse mapping of $a ($n)"
$DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA."
dig.out.ns2.test$n > /dev/null || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status + ret))
done
-rev=`$ARPANAME 2001:aaaa::10.0.0.1`
+rev=$($ARPANAME 2001:aaaa::10.0.0.1)
regex='..\(.*.IP6.ARPA\)'
-rev=`expr "${rev}" : "${regex}"`
-fin=`expr "${rev}" : "............${regex}"`
+rev=$(expr "${rev}" : "${regex}")
+fin=$(expr "${rev}" : "............${regex}")
while test "${rev}" != "${fin}"
do
ret=0
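Review bot: The converted `list=$($DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort)` is the only dig invocation in these hunks with no `|| ret=1`, and because the pipeline's exit status is sort's, a failed or empty dig answer leaves `$list` empty, `for a in $list` runs zero times, and the per-address reverse-mapping checks pass vacuously. The same applies to `rev=$($ARPANAME 2001:aaaa::10.0.0.1)`: if `$ARPANAME` fails, both `rev` and `fin` come out of the two `expr` lines as empty strings, `while test "${rev}" != "${fin}"` is false on the first evaluation, and the PTR loop (whose body continues in the next hunk) is skipped without any failure being recorded. Since the commit is already touching both assignments, I would add a guard after each, e.g. `test -n "$list" || { echo_i "failed: no AAAA answers for a-only.example"; status=$((status + 1)); }` and `test -n "$rev" || { echo_i "failed: $ARPANAME produced no name"; status=$((status + 1)); }`, so an outage in the setup surfaces as a test failure rather than a silent skip.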
@@ -1305,107 +1309,107 @@ do
 $DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
- n=`expr $n + 1`
+ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
- rev=`expr "${rev}" : "${regex}"`
+ status=$((status + ret))
+ rev=$(expr "${rev}" : "${regex}")
 done
 
 echo_i "checking dns64-server and dns64-contact ($n)"
 ret=0
 $DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL less than 600 from zone ($n)"
 ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL more than 600 from zone ($n)"
 ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL less than minimum from zone ($n)"
 ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL limited to minimum from zone ($n)"
 ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL less than 600 via cache ($n)"
 ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL more than 600 via cache ($n)"
 ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL less than minimum via cache ($n)"
 ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking TTL limited to minimum via cache ($n)"
 ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking synthesis of AAAA from RPZ-remapped A ($n)"
 ret=0
 $DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking 'dig +dns64prefix' ($n)"
 $DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1
 test $(wc -l < dig.out.ns1.test$n) -eq 1 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 copy_setports ns1/named.conf2.in ns1/named.conf
 rndc_reload ns1 10.53.0.1
@@ -1415,9 +1419,9 @@ $DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1
 grep '2001:aaaa::/64' dig.out.ns1.test$n > /dev/null || ret=1
 test $(wc -l < dig.out.ns1.test$n) -eq 2 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 copy_setports ns1/named.conf3.in ns1/named.conf
 rndc_reload ns1 10.53.0.1
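Review bot: The `status=$((status + ret))` that closes the `checking 'dig +dns64prefix'` block sums a `ret` this block never resets — unlike every other check in the hunk there is no `ret=0` after its `echo_i` line, so a failure in the preceding RPZ check is counted a second time and the block's own result is entangled with it. The same omission is visible in the `@@ -1425,18 +1429,18 @@` hunk (`with no prefixes`), where `$DIG` follows the `echo_i` line directly. Adding `ret=0` after each of those two `echo_i` lines matches the pattern the rest of the file uses. The `expr` to `$(( ))` conversion itself is fine.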
@@ -1425,18 +1429,18 @@ rndc_reload ns1 10.53.0.1
 echo_i "checking 'dig +dns64prefix' with no prefixes ($n)"
 $DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1
 test $(wc -l < dig.out.ns1.test$n) -eq 0 || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking synthesis of AAAA from builtin ipv4only.arpa ($n)"
 ret=0
 $DIG $DIGOPTS aaaa ipv4only.arpa -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:aa' dig.out.ns2.test$n >/dev/null || ret=1
 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:ab' dig.out.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking reverse of dns64 mapped ipv4only.arpa addresses returns ipv4only.arpa ($n)"
 ret=0
@@ -1444,9 +1448,9 @@ $DIG $DIGOPTS ptr -x 2001:96::192.0.0.170 -b 10.53.0.7 @10.53.0.2 > dig.out.170.
 $DIG $DIGOPTS ptr -x 2001:96::192.0.0.171 -b 10.53.0.7 @10.53.0.2 > dig.out.171.ns2.test$n || ret=1
 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.170.ns2.test$n >/dev/null || ret=1
 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.171.ns2.test$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dns64/tests_sh_dns64.py b/bin/tests/system/dns64/tests_sh_dns64.py
new file mode 100644
index 0000000000..7eb152c7f4
--- /dev/null
+++ b/bin/tests/system/dns64/tests_sh_dns64.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_dns64(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
index 11a0db6589..fcaa3b6c80 100644
--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
@@ -1,6 +1,13 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
 
 The test setup for the DNSSEC tests has a secure root.
 
diff --git a/bin/tests/system/dnssec/ans10/ans.py b/bin/tests/system/dnssec/ans10/ans.py
index 93e2deb7ae..dbe49e5e5a 100644
--- a/bin/tests/system/dnssec/ans10/ans.py
+++ b/bin/tests/system/dnssec/ans10/ans.py
@@ -1,13 +1,13 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ from __future__ import print_function import os @@ -25,11 +25,13 @@ from dns.rcode import * from dns.name import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + ############################################################################ # Respond to a DNS query. # SOA gets a unsigned response. @@ -54,10 +56,16 @@ def create_response(msg): now = datetime.today() expire = now + timedelta(days=30) inception = now - timedelta(days=1) - rrsig = "A 13 2 60 " + expire.strftime("%Y%m%d%H%M%S") + " " + \ - inception.strftime("%Y%m%d%H%M%S") + " 12345 " + qname + \ - " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + \ - "y2Qs7y5VCjSMOGn85bnaMoAc7w==" + rrsig = ( + "A 13 2 60 " + + expire.strftime("%Y%m%d%H%M%S") + + " " + + inception.strftime("%Y%m%d%H%M%S") + + " 12345 " + + qname + + " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + + "y2Qs7y5VCjSMOGn85bnaMoAc7w==" + ) r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig)) elif rrtype == NS: 
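Review bot: `f.write("%s %s\n", type, qname)` in `logquery` passes the format arguments to `write()` instead of applying the `%` operator, so `write()` receives three arguments and raises `TypeError` on the first query that is logged; the black reformat in this hunk preserved the bug unchanged. The line should read `f.write("%s %s\n" % (type, qname))`. The parameter name `type` also shadows the builtin, so renaming it (for example to `qtype`) while touching the line would be a cheap improvement.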
@@ -69,12 +77,14 @@ def create_response(msg): r.flags |= dns.flags.AA return r + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -85,8 +95,10 @@ def sigterm(signum, frame): ip4 = "10.53.0.10" ip6 = "fd92:7065:b8e:ffff::10" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) @@ -102,17 +114,17 @@ def sigterm(signum, frame): havev6 = False signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket] @@ -131,8 +143,9 @@ def sigterm(signum, frame): for s in inputready: if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6), end=" ") + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index adcb52f7d2..c245688c79 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh 
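Review bot: The bare `except:` that the reformat splits onto its own line in the `PORT` block catches every exception, including `SystemExit` and `KeyboardInterrupt`, and turns a malformed `PORT` value into a silent fallback to 5300, which makes a misconfigured harness hard to diagnose. Narrowing it to the two failures the `try` body can actually raise keeps the default-port behaviour: `except (KeyError, ValueError):`.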
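Review bot: The pid-file block still uses `f = open("ans.pid", "w")` followed by a manual `f.close()`, while `logquery` earlier in this file already uses a `with` statement; if the `print` raises, the handle is leaked and the file may be left empty. `with open("ans.pid", "w") as f:` with `print(pid, file=f)` inside it is equivalent and consistent with the rest of the file.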
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
@@ -11,7 +13,7 @@
 
 set -e
 
-rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
+rm -f ./K* ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
 rm -f ./*/example.bk
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
@@ -19,40 +21,39 @@ rm -f ./*/named.run ./*/named.run.prev
 rm -f ./*/named.secroots
 rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
 rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
-rm -f ./Kexample.* ./Kkeygen* ./keygen*.err
+rm -f ./Kexample.* ./Kkeygen* ./keygen*.err*
 rm -f ./ans10/query.log ./ans10/ans.run
 rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
-rm -f ./ns2/too-many-iterations.db
 rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
 rm -f ./named.secroots.test*
-rm -f ./nosign.before
 rm -f ./ns*/*.nta
-rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys*
+rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
 rm -f ./ns*/named.lock
 rm -f ./ns1/managed.key.id
 rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
 rm -f ./ns1/trusted.keys
 rm -f ./ns2/algroll.db
 rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
-rm -f ./ns2/cdnskey-kskonly.secure.db
-rm -f ./ns2/cdnskey-kskonly.secure.id
 rm -f ./ns2/cdnskey-update.secure.db
+rm -f ./ns2/cdnskey-update.secure.id
 rm -f ./ns2/cdnskey-x.secure.db
 rm -f ./ns2/cdnskey.secure.db
 rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
-rm -f ./ns2/cds-kskonly.secure.db
-rm -f ./ns2/cds-kskonly.secure.id
 rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
+rm -f ./ns2/cds-update.secure.id
 rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
 rm -f ./ns2/in-addr.arpa.db
 rm -f ./ns2/nsec3chain-test.db
+rm -f ./ns2/settime.out.*
 rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/too-many-iterations.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/NSEC ./ns3/NSEC3
 rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
 rm -f ./ns3/badds.example.db
 rm -f ./ns3/dname-at-apex-nsec3.example.db
@@ -66,7 +67,7 @@ rm -f ./ns3/dnskey-unsupported.example.db
 rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
 rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
-rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
+rm -f ./ns3/expiring.example.db
 rm -f ./ns3/future.example.db ./ns3/trusted-future.key
 rm -f ./ns3/inline.example.db.signed
 rm -f ./ns3/kskonly.example.db
@@ -79,8 +80,9 @@ rm -f ./ns3/occluded.example.db
 rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
 rm -f ./ns3/optout.nsec3.example.db
 rm -f ./ns3/optout.optout.example.db
-rm -f ./ns3/publish-inactive.example.db
 rm -f ./ns3/revkey.example.db
+rm -f ./ns3/rsasha1-1024.example.tmp
+rm -f ./ns3/rsasha1.example.tmp
 rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
 rm -f ./ns3/secure.below-cname.example.db
 rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
@@ -94,7 +96,6 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
 rm -f ./ns3/ttlpatch.example.db.patched
 rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
 rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
-rm -f ./ns4/managed-keys.bind*
 rm -f ./ns4/named_dump.db*
 rm -f ./ns6/optout-tld.db
 rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk
@@ -107,9 +108,12 @@ rm -f ./signer/*.signed.post*
 rm -f ./signer/*.signed.pre*
 rm -f ./signer/example.db.after ./signer/example.db.before
 rm -f ./signer/example.db.changed
+rm -f ./signer/general/*.jnl
 rm -f ./signer/general/dsset*
 rm -f ./signer/general/signed.zone
+rm -f ./signer/general/signer.err.*
 rm -f ./signer/general/signer.out.*
 rm -f ./signer/nsec3param.out
+rm -f ./signer/signer.err.*
 rm -f ./signer/signer.out.*
 rm -f ./signing.out*
diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl
index 23a40f4b6d..a06c563e3c 100644
--- a/bin/tests/system/dnssec/dnssec_update_test.pl
+++ b/bin/tests/system/dnssec/dnssec_update_test.pl
@@ -1,9 +1,11 @@
 #!/usr/bin/perl
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.in
index 6f20491689..bd1ccc4081 100644
--- a/bin/tests/system/dnssec/ns1/named.conf.in
+++ b/bin/tests/system/dnssec/ns1/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 9c1296e899..526e36c38c 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index e59e534c51..21c6d71b7d 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -1,9 +1,11 @@
 #!/bin/sh -e
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
@@ -24,19 +26,19 @@ zonefile=root.db
 
 echo_i "ns1/sign.sh"
 
-cp "../ns2/dsset-example$TP" .
-cp "../ns2/dsset-in-addr.arpa$TP" .
-cp "../ns2/dsset-too-many-iterations$TP" .
+cp "../ns2/dsset-example." .
+cp "../ns2/dsset-in-addr.arpa." .
+cp "../ns2/dsset-too-many-iterations." .
 
-grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
-cp "../ns6/dsset-optout-tld$TP" .
+grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll."
+cp "../ns6/dsset-optout-tld." .
 
 ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
-"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
 
 # Configure the resolving server with a staitc key.
 keyfile_to_static_ds "$ksk" > trusted.conf
diff --git a/bin/tests/system/dnssec/ns2/algroll.db.in b/bin/tests/system/dnssec/ns2/algroll.db.in
index 73c0d6bda8..6f66fc9191 100644
--- a/bin/tests/system/dnssec/ns2/algroll.db.in
+++ b/bin/tests/system/dnssec/ns2/algroll.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/dnssec/ns2/badparam.db.in
index 091e4ea24f..b18d1863d5 100644
--- a/bin/tests/system/dnssec/ns2/badparam.db.in
+++ b/bin/tests/system/dnssec/ns2/badparam.db.in
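Review bot: Dropping `-P` from the `"$SIGNER"` invocation re-enables dnssec-signzone's post-sign verification, but the command's output is still discarded with `> /dev/null 2>&1`, so under this file's `#!/bin/sh -e` a verification failure now aborts ns1 setup with no diagnostic at all. Redirecting to a log file inside the test directory (for example `> signer.out 2>&1`, with the file added to clean.sh) keeps the failure and makes it visible in the collected artifacts; the other `sign.sh` scripts touched by this series seem to be moving in that direction given the new `signer.err.*` entries in clean.sh, but that is inferred from the cleanup list only. The hard-coded trailing `.` that replaces `$TP` is applied consistently across all five dsset lines. While here, the context comment `# Configure the resolving server with a staitc key.` has a typo (`static`).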
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in deleted file mode 100644 index e42cb4a29e..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in +++ /dev/null 
@@ -1,12 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in deleted file mode 100644 index e42cb4a29e..0000000000 --- a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in +++ /dev/null 
@@ -1,12 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in index e42cb4a29e..aa3aaabfaf 100644 --- a/bin/tests/system/dnssec/ns2/cds.secure.db.in +++ b/bin/tests/system/dnssec/ns2/cds.secure.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db index 8c7db6531c..8fc3bc837e 100644 --- a/bin/tests/system/dnssec/ns2/child.nsec3.example.db +++ b/bin/tests/system/dnssec/ns2/child.nsec3.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db index 8c7db6531c..8fc3bc837e 100644 --- a/bin/tests/system/dnssec/ns2/child.optout.example.db +++ b/bin/tests/system/dnssec/ns2/child.optout.example.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/dnssec/ns2/corp.db index 70c96299c2..b2912bc6e3 100644 --- a/bin/tests/system/dnssec/ns2/corp.db +++ b/bin/tests/system/dnssec/ns2/corp.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in index 769d2b5f06..0039484964 100644 --- a/bin/tests/system/dnssec/ns2/dst.example.db.in +++ b/bin/tests/system/dnssec/ns2/dst.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 2545faf6b9..015be5fd1d 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. @@ -53,6 +55,10 @@ ns3.secure A 10.53.0.3 insecure NS ns.insecure ns.insecure A 10.53.0.3 +; A second insecure subdomain +insecure2 NS ns.insecure2 +ns.insecure2 A 10.53.0.3 + ; A secure subdomain we're going to inject bogus data into bogus NS ns.bogus ns.bogus A 10.53.0.3 @@ -162,4 +168,10 @@ ns.managed-future A 10.53.0.3 revkey NS ns.revkey ns.revkey A 10.53.0.3 +rsasha1 NS ns.rsasha1 +ns.rsasha1 A 10.53.0.3 + +rsasha1-1024 NS ns.rsasha1-1024 +ns.rsasha1-1024 A 10.53.0.3 + dname-at-apex-nsec3 NS ns3 
diff --git a/bin/tests/system/dnssec/ns2/hours-vs-days.db.in b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
index 2545faf6b9..5ec88013c9 100644
--- a/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
+++ b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
index 0884ad0c14..874b915682 100644
--- a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
+++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
index 78f3325788..62862f5305 100644
--- a/bin/tests/system/dnssec/ns2/insecure.secure.example.db
+++ b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/key.db.in b/bin/tests/system/dnssec/ns2/key.db.in
index 4a91fff2a3..2ff5df4178 100644
--- a/bin/tests/system/dnssec/ns2/key.db.in
+++ b/bin/tests/system/dnssec/ns2/key.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 3928ec03ad..92cc03d8fc 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -28,13 +30,42 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "dnssec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "kskonly" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 10d; + signatures-validity-dnskey 40d; +}; + +dnssec-policy "not-enough-hours-in-day" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + /* validity 500 days, resign in 449 days */ + signatures-validity-dnskey 500d; + signatures-validity 500d; + signatures-refresh 449d; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -121,17 +152,10 @@ zone "cds-update.secure" { allow-update { any; }; }; -zone "cds-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cds-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cds-auto.secure" { type primary; file "cds-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; 
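Review bot: The comment on the new `not-enough-hours-in-day` policy, `/* validity 500 days, resign in 449 days */`, does not describe what `signatures-refresh 449d` does: in dnssec-policy the refresh value is the time remaining before expiry at which a signature is regenerated, so with `signatures-validity 500d` re-signing happens roughly 51 days after signing, not 449. Suggest `/* validity 500 days; refresh when 449 days remain, i.e. re-sign ~51 days after signing */` so the next reader does not have to work that out. The `kskonly` policy also deserves a one-line comment, because nothing in it says "kskonly" — its keys block is identical to policy `dnssec`, and the KSK-only-signs-the-key-RRsets behaviour comes from dnssec-policy itself if I read the semantics correctly; something like `/* dnssec-policy limits the KSK to the DNSKEY/CDS/CDNSKEY RRsets; replaces dnssec-dnskey-kskonly + update-check-ksk */` would preserve the intent of the options this commit removes. The zone hunks `@@ -151,29 +175,17 @@` and `@@ -183,16 +195,14 @@` below reference these same policies and inherit the same gap.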
@@ -151,29 +175,17 @@ zone "cdnskey-update.secure" { allow-update { any; }; }; -zone "cdnskey-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cdnskey-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cdnskey-auto.secure" { type primary; file "cdnskey-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; zone "updatecheck-kskonly.secure" { type primary; - auto-dnssec maintain; - key-directory "."; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; - sig-validity-interval 10; - dnskey-sig-validity 40; file "updatecheck-kskonly.secure.db.signed"; + dnssec-policy kskonly; allow-update { any; }; }; @@ -183,16 +195,14 @@ zone "corp" { }; zone "hours-vs-days" { - type master; + type primary; file "hours-vs-days.db.signed"; - auto-dnssec maintain; - /* validity 500 days, resign in 499 days */ - sig-validity-interval 500 499; + dnssec-policy not-enough-hours-in-day; allow-update { any; }; }; zone "too-many-iterations" { - type master; + type primary; file "too-many-iterations.db.signed"; }; diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in index 98b43a017b..94042ae40a 100644 --- a/bin/tests/system/dnssec/ns2/private.secure.example.db.in +++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. 
diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db index b8b477ea84..78e9326fd8 100644 --- a/bin/tests/system/dnssec/ns2/rfc2335.example.db +++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db @@ -1,3 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + ; File written on Fri Apr 30 12:19:15 2004 ; dnssec_signzone version 9.2.4rc3 rfc2335.example. 300 IN SOA mname1. . ( diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index af2717825f..70203db01c 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -22,8 +24,8 @@ echo_i "ns2/sign.sh" # Get the DS records for the "trusted." and "managed." zones. for subdomain in secure unsupported disabled enabled do - cp "../ns3/dsset-$subdomain.managed$TP" . - cp "../ns3/dsset-$subdomain.trusted$TP" . + cp "../ns3/dsset-$subdomain.managed." . + cp "../ns3/dsset-$subdomain.trusted." . done # Sign the "trusted." and "managed." zones. 
@@ -36,7 +38,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,7 +49,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # The "example." zone. zone=example. @@ -61,9 +63,9 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \ ttlpatch split-dnssec split-smart expired expiring upper lower \ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded + dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 do - cp "../ns3/dsset-$subdomain.example$TP" . + cp "../ns3/dsset-$subdomain.example." . done # Sign the "example." zone. @@ -72,7 +74,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -81,7 +83,6 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 "$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | -tr -d '\r' | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { 
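Review bot: Dropping `-P` from the `$SIGNER` invocations turns post-sign verification back on (if I recall -P's meaning correctly), but every call still ends in `> /dev/null 2>&1`, so when verification fails `sh -e` aborts the script with no indication of which zone or why. Suggest keeping the diagnostic per zone, e.g. `"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > "signer.out.$zone" 2>&1`, matching how the `$SETTIME` lines added later in this file already capture `settime.out.$zone.ksk`. The same pattern applies to every other `-P` removal in this file, from hunk `@@ -36,7 +38,7 @@` here through `@@ -267,7 +260,7 @@`.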
@@ -134,7 +135,7 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # Sign the badparam secure file @@ -147,7 +148,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" @@ -162,7 +163,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -180,7 +181,7 @@ keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new 
@@ -204,7 +205,7 @@ done >> "$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in @@ -213,7 +214,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") "$DSFROMKEY" -C "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in @@ -223,7 +224,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") "$DSFROMKEY" -C "$key2.key" > "$key2.cds" cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in 
@@ -231,16 +232,8 @@ zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cds-kskonly.secure -infile=cds-kskonly.secure.db.in -zonefile=cds-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +keyfile_to_key_id "$key1" > cds-update.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in @@ -257,7 +250,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in @@ -267,7 +260,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in 
@@ -275,16 +268,8 @@ zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cdnskey-kskonly.secure -infile=cdnskey-kskonly.secure.db.in -zonefile=cdnskey-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +keyfile_to_key_id "$key1" > cdnskey-update.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in @@ -304,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id keyfile_to_key_id "$key2" > $zone.zsk.id echo "${key1}" > $zone.ksk.key echo "${key2}" > $zone.zsk.key -# Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" -# Don't sign, let auto-dnssec maintain do it. +# Make sure dnssec-policy adds CDS and CDNSKEY records +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1 +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1 +# Don't sign, let dnssec-policy maintain do it. +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" mv $zonefile "$zonefile.signed" zone=hours-vs-days diff --git a/bin/tests/system/dnssec/ns2/single-nsec3.db.in b/bin/tests/system/dnssec/ns2/single-nsec3.db.in index 6fe1dd0a55..b2e3c1384a 100644 --- a/bin/tests/system/dnssec/ns2/single-nsec3.db.in 
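Review bot: The two new `$SETTIME` lines in hunk `@@ -304,11 +289,11 @@` leave `$SETTIME`, `$key1`, `$key2` and the redirect targets unquoted, which is inconsistent with the `"$SIGNER"`/`"$key1.key"` quoting used on the surrounding lines of this script. Suggest `"$SETTIME" -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now "$key1" > "settime.out.$zone.ksk" 2>&1` and `"$SETTIME" -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now "$key2" > "settime.out.$zone.zsk" 2>&1`. The accompanying comment `# Don't sign, let dnssec-policy maintain do it.` still carries the old `auto-dnssec maintain` wording; `# Don't sign, let dnssec-policy do it.` reads correctly.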
+++ b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in
index e42cb4a29e..aa3aaabfaf 100644
--- a/bin/tests/system/dnssec/ns2/template.secure.db.in
+++ b/bin/tests/system/dnssec/ns2/template.secure.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
index e6f502fe69..1527e07c6e 100644
--- a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
+++ b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
index 0e0e5e09e5..a7792fd3b8 100644
--- a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
+++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
index 0e0e5e09e5..a7792fd3b8 100644
--- a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
+++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in
index 8d49000ec1..0feb441cdd 100644
--- a/bin/tests/system/dnssec/ns3/bogus.example.db.in
+++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
index c538b735df..e758cdd5a3 100644
--- a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -1,3 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + $TTL 600 @ SOA ns3.example. . 1 1200 1200 1814400 3600 @ NS ns3.example. diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in index e1475c533f..f37dd750ce 100644 --- a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in +++ b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in @@ -1,13 +1,14 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. - $TTL 300 ; 5 minutes @ IN SOA mname1. . ( 2000042407 ; serial diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in index c9e7c2b3da..f37dd750ce 100644 --- a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in +++ b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in 
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
index c9e7c2b3da..f37dd750ce 100644
--- a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
index c9e7c2b3da..f37dd750ce 100644
--- a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
index c7dab83089..babf54c2a5 100644
--- a/bin/tests/system/dnssec/ns3/dynamic.example.db.in
+++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in
index af312f2a16..b7706d3c9f 100644
--- a/bin/tests/system/dnssec/ns3/expired.example.db.in
+++ b/bin/tests/system/dnssec/ns3/expired.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in
index 4d8db53010..8acf7b121e 100644
--- a/bin/tests/system/dnssec/ns3/expiring.example.db.in
+++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in
index ddda25d2fd..20c19c5216 100644
--- a/bin/tests/system/dnssec/ns3/future.example.db.in
+++ b/bin/tests/system/dnssec/ns3/future.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/generic.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in
index dd1778e21a..5cc3ecc1bb 100644
--- a/bin/tests/system/dnssec/ns3/generic.example.db.in
+++ b/bin/tests/system/dnssec/ns3/generic.example.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db
index 86552149e1..14971bd7a6 100644
--- a/bin/tests/system/dnssec/ns3/inline.example.db
+++ b/bin/tests/system/dnssec/ns3/inline.example.db
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db +++ b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db index 98777d674f..76e3f47f21 100644 --- a/bin/tests/system/dnssec/ns3/insecure.example.db +++ b/bin/tests/system/dnssec/ns3/insecure.example.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db +++ b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/insecure.optout.example.db +++ b/bin/tests/system/dnssec/ns3/insecure.optout.example.db 
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db
new file mode 100644
index 0000000000..76e3f47f21
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure2.example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x DNSKEY 258 3 5 Cg==
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/key.db.in b/bin/tests/system/dnssec/ns3/key.db.in
index 3847e2ea10..0165e3f8c6 100644
--- a/bin/tests/system/dnssec/ns3/key.db.in
+++ b/bin/tests/system/dnssec/ns3/key.db.in
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in index cbfb691d08..0b11a00b00 100644 --- a/bin/tests/system/dnssec/ns3/kskonly.example.db.in +++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in index 7a3879fa78..a04793e312 100644 --- a/bin/tests/system/dnssec/ns3/lower.example.db.in +++ b/bin/tests/system/dnssec/ns3/lower.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in index ddda25d2fd..20c19c5216 100644 --- a/bin/tests/system/dnssec/ns3/managed-future.example.db.in +++ b/bin/tests/system/dnssec/ns3/managed-future.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in index c9e7c2b3da..f37dd750ce 100644 --- a/bin/tests/system/dnssec/ns3/multiple.example.db.in +++ b/bin/tests/system/dnssec/ns3/multiple.example.db.in 
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 233db0cc91..ee4b766d9f 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -28,13 +30,49 @@ options {
 
 key rndc_key {
 	secret "1234abcd8765";
-	algorithm hmac-sha256;
+	algorithm @DEFAULT_HMAC@;
 };
 
 controls {
 	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+dnssec-policy "dnssec" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "nsec3" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "autonsec" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+	};
+};
+
+dnssec-policy "autonsec3" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+	};
+
+	nsec3param iterations 0 optout no salt-length 0;
+};
+
 zone "." {
 	type hint;
 	file "../../common/root.hint";
@@ -76,6 +114,12 @@ zone "insecure.example" {
 	allow-update { any; };
 };
 
+zone "insecure2.example" {
+	type primary;
+	file "insecure2.example.db";
+	allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 	type primary;
 	file "insecure.nsec3.example.db";
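Review bot: The new `insecure2.example` stanza is a verbatim copy of `insecure.example`, including the unauthenticated `allow-update { any; };`, and the file it loads is byte-identical to insecure.example.db (both index lines earlier in this diff point at blob 76e3f47f21), so nothing in the config says why a second copy exists or which test owns it. I would add a comment above the stanza, hedged because the intent has to be confirmed against the test script: `// insecure2.example: copy of insecure.example so one test can apply dynamic updates without disturbing the other`. Since this file is a template that gets copied around, a one-line caveat on the first `allow-update { any; }` that these open ACLs are only safe because ns3 listens on the isolated 10.53.0.0/24 test network would stop the pattern being lifted into a real configuration. The `nsec3param iterations 0 optout no salt-length 0` choice in the new policies matches current guidance and needs no change. The file continues beyond both hunks.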
@@ -201,20 +245,21 @@ zone "expired.example" {
 
 zone "update-nsec3.example" {
 	type primary;
+	dnssec-policy nsec3;
 	allow-update { any; };
 	file "update-nsec3.example.db.signed";
 };
 
 zone "auto-nsec.example" {
 	type primary;
-	auto-dnssec maintain;
+	dnssec-policy autonsec;
 	allow-update { !0.0.0.0; };
 	file "auto-nsec.example.db.signed";
 };
 
 zone "auto-nsec3.example" {
 	type primary;
-	auto-dnssec maintain;
+	dnssec-policy autonsec3;
 	allow-update { !0.0.0.0; };
 	file "auto-nsec3.example.db.signed";
 };
@@ -256,13 +301,6 @@ zone "expiring.example" {
 	file "expiring.example.db.signed";
 };
 
-zone "nosign.example" {
-	type primary;
-	allow-update { any; };
-	dnssec-update-mode no-resign;
-	file "nosign.example.db.signed";
-};
-
 zone "upper.example" {
 	type primary;
 	file "upper.example.db.signed";
@@ -277,14 +315,7 @@ zone "inline.example" {
 	type primary;
 	file "inline.example.db";
 	inline-signing yes;
-	auto-dnssec maintain;
-};
-
-zone "publish-inactive.example" {
-	type primary;
-	file "publish-inactive.example.db";
-	auto-dnssec maintain;
-	update-policy local;
+	dnssec-policy dnssec;
 };
 
 zone "future.example" {
@@ -369,6 +400,38 @@ zone "too-many-iterations" {
 	file "too-many-iterations.bk";
 };
 
+zone "rsasha1.example" {
+	type primary;
+	file "rsasha1.example.db";
+};
+
+zone "rsasha1-1024.example" {
+	type primary;
+	file "rsasha1-1024.example.db";
+};
+
+dnssec-policy "siginterval1" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	signatures-validity 1d;
+	signatures-refresh 21h;
+	signatures-validity-dnskey 90d;
+};
+
+dnssec-policy "siginterval2" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	signatures-validity 35d;
+	signatures-refresh 28d;
+	signatures-validity-dnskey 90d;
+};
+
 include "siginterval.conf";
 include "trusted.conf";
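Review bot: The `rsasha1.example` and `rsasha1-1024.example` stanzas in the last hunk load pre-signed files whose RRSIG and DNSKEY records (shown later in this diff) carry algorithm 5, i.e. RSASHA1, and the name plus the visibly shorter key material of the `-1024` zone suggest a 1024-bit key; the config gives no hint that exercising a deprecated algorithm is the point, so a later cleanup could easily attach a `dnssec-policy` or re-sign the fixture and silently change what the test covers. I would put a comment above the pair: `// Pre-signed with RSASHA1 (algorithm 5) on purpose: these zones exercise validator handling of a deprecated algorithm. Do not add a dnssec-policy or re-sign.` Builds whose crypto backend refuses SHA-1 signatures (some FIPS-mode or hardened distributions, as far as I can tell) will presumably need a skip guard in the test script, which is outside this diff, and the comment should name that dependency too. This hunk opens in the middle of the `too-many-iterations` zone block, whose start is outside the hunk.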
diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in index f066e3c836..2be8a2833a 100644 --- a/bin/tests/system/dnssec/ns3/nosign.example.db.in +++ b/bin/tests/system/dnssec/ns3/nosign.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in index c9e7c2b3da..f37dd750ce 100644 --- a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in +++ b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in index 8761ebb017..55b38776da 100644 --- a/bin/tests/system/dnssec/ns3/nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in +++ b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/occluded.example.db.in b/bin/tests/system/dnssec/ns3/occluded.example.db.in index 77a1cfb63d..ee9c900540 100644 --- a/bin/tests/system/dnssec/ns3/occluded.example.db.in +++ b/bin/tests/system/dnssec/ns3/occluded.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in index c9e7c2b3da..f37dd750ce 100644 --- a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in +++ b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in index ddda25d2fd..20c19c5216 100644 --- a/bin/tests/system/dnssec/ns3/optout.example.db.in +++ b/bin/tests/system/dnssec/ns3/optout.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in +++ b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in +++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db new file mode 100644 index 0000000000..d51672c03c --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db 
@@ -0,0 +1,63 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; File written on Tue Jan 11 18:07:57 2022 +; dnssec_signzone version 9.17.21 +rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8= +; resign=20900129082204 +rsasha1-1024.example. 300 IN NS ns.rsasha1-1024.example. +rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8= +; resign=20900129082204 +rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY +rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc= +; resign=20900129082204 +rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR +rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30= +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk= +; resign=20900129082204 +z.rsasha1-1024.example. 300 IN A 10.0.0.26 +z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c= +; resign=20900129082204 +z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC +z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME= +; resign=20900129082204 +b.rsasha1-1024.example. 300 IN A 10.0.0.2 +b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk= +; resign=20900129082204 +b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC +b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU= +; resign=20900129082204 +a.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo= +; resign=20900129082204 +a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC +a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0= +; resign=20900129082204 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN A 10.0.0.27 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg= +; resign=20900129082204 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN NSEC ns.rsasha1-1024.example. A RRSIG NSEC +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ= +; resign=20900129082204 +d.rsasha1-1024.example. 300 IN A 10.0.0.4 +d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. 
XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo= +; resign=20900129082204 +d.rsasha1-1024.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC +d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU= +; resign=20900129082204 +ns.rsasha1-1024.example. 300 IN A 10.53.0.3 +ns.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps= +; resign=20900129082204 +ns.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC +ns.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk= +; resign=20900129082204 diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in new file mode 100644 index 0000000000..b2e7e21e20 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in 
@@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db b/bin/tests/system/dnssec/ns3/rsasha1.example.db new file mode 100644 index 0000000000..2d16e503d4 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha1.example.db 
@@ -0,0 +1,63 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; File written on Tue Jan 4 17:29:34 2022 +; dnssec_signzone version 9.17.20 +rsasha1.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1.example. 300 IN RRSIG SOA 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. wg8k4y/Cs/+u2QfUnBURhD4isSFTzCofpdhMzVJEUfBqu1DBVO+FECQ4 U80NCg9iksxm7xsWAZiQx6Rzvh1rUqEA7OhCy7XiPuz+jR1TYHXJhRMu t9gu7aCdTkcXYCMtppd49/2vT+WPKB98QIKD6wgl4LFFhwbUCoXavin4 babUiJrJeAnuxmIeD5HtM5a+++p0F8QemdP5FkX3WCRBHNFGnoVYJjc7 PZ+L8ZpKElah47XzJwAYWDr34TwqU9llCOcXlXYKBqDKO9fEtJJ1hyk9 Sf4fGOdzZD9Pj4Zz83UlHumeZPfIC1N0xVBYvGPu8LU41WZ4BgZfKSoS UIpbPQ== +; resign=20900122074341 +rsasha1.example. 300 IN NS ns.rsasha1.example. +rsasha1.example. 300 IN RRSIG NS 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. VqOKkNo7CRH2uquL/46cIVoIPvFYT2WrpwpG6ienlJoLF/mZn0ReoMaK G29R8Q0tklalk14CGShiD409lXDRynyHgmLGIFjkXMd6aNRQOdD1O+7C wEhAj4/FEz+qpk/xRGMslxCCF1P7DxpX5ZPI9DuPVVvTRk4131CALaFQ EPblDzEgd7JeoO0tKnPjpzXLdr86NDeDVZXonimjEhQNrvrrurQ5/u2F x7jVmovN47Z06+XCbleC2ag8ZazNkYfU8GlFvkozZMGZtnpja1/SllNJ ZdURisd3JFMw/xsZd1v2MspKYcZePTfzyk/keXSJ0AlO7TA1X2sjiFOo 1fhSnQ== +; resign=20900122074341 +rsasha1.example. 300 IN NSEC a.rsasha1.example. NS SOA RRSIG NSEC DNSKEY +rsasha1.example. 300 IN RRSIG NSEC 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. 
U7SEGuJ95CKk6+sWNCNHfPuvjJ2KChhutImWmSTc9lgb3uSfptzwbYnP UZ3xG0IqkayRJhBSizLb5kntvBZbcz4pEWZ+o7ZJdiBHcCARj82OJaLF d147VB3XJa6rIi+o/Zm8SIbxU7gugqRds7KfSTxAIjHzLpCcu12hlgfc Qso1LYiVeU5GVnmfuNJQL7QvS3BQuTylTI1+HQpiY6W8Bzev/TcbhoDJ Ywp4hvgF4VGCvrO2glSO4VycLjluawKSlrNaLbAtWIYYUSPbvtktM8tQ GBqOij4l7eMCTGRCoExWEnr+CzWAauoemhLDh27Bq6VNjD5iIvjzt3Ym uGDQUg== +; resign=20900122074341 +rsasha1.example. 300 IN DNSKEY 256 3 5 AwEAAe31msH3kL5cIQ6C1vTnB8GvbFDm0t/j5XWnLonaKDSUoHtKLlRq pBPuwlORRUZxRSs7VDAaKE0YGky/YklSCqvo8gBD4dkNjWD/6XGkmtEq DOL8XCz1KO+djs7WLCuCyGIkG282+sntuZJj4IMd+ZDW1urCwaP94t3u W9N+PgrSacK9Ff1bwLR9KIgkRFpJ+JxPeaFYnVEyB4ZaZ8DgPWYNJ+aC awL0nATybC8asPeCGvft3lSS99z55IMfkpjF1rwHIVybqhiukRighazQ ljjVQdlXj3YxFgD0fpscJ6yN0QXdseagxiT4PahnwaHYHUhgGm+HB1zA pA49L9dg2RE= +rsasha1.example. 300 IN DNSKEY 257 3 5 AwEAAcQdnpcda8XlNxllEGbWy9EGkD5TtHEbxThaB9c6ZNQPTf3gJw0A LpIZ787sepWND7vPcq6Qb/xZEmC6ER5OfaYbDznUh8q5NaaTbSwv0tng gE8KPwtvlgH+4eUmOcEkGrfR9G6J9S8JTT5bUWKTUbprxE65/8xcY33S cEeOpi34DLR9GLNvPLTSLuWQcYrq1YZFHbivQ45oFD9PvWPJWOoAN68N T28e0ZV8QHuXqW0IEheeW+AEemywupdaxun6Cvvolfz2EMYFnYX8YycE 0qUoDC4W9w3xB4nOllWQfJzgQkSTr/I4XCgepFunBeuAHZhCoQHPt9fK IfPUYxQzaa8= +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 30286 rsasha1.example. tODh3LiRuG/ao3ZtJSLBPCy74pkfHXMPRUgFP7MhNR3X6gq75daTVHLi ApTesgAXPAbHI404ps/8M2Z84dkMKBhRDdp1e9OwR8IB4Iw0IOGp2rV7 oZSYNzgnlwRfQ2G75G3xbCjiQhY0H+7IlSiys3sAaI67plvI3nDC3C/r zyDKiY90pK31e+q72SSK+1t/MlsRm0nAYHyUZGLuBMoXYHwonLImeH9Q jwy+cXLwhzOfPfm97ailNifEk38+P+H+Yq35Cp1ezpMzxAi67AcY83sR XB7RVRCf/4uUErh5rYcl6EcnHFh1xA9oSHsaPQbd39PO2fNanyvdPH+p b0ey0A== +rsasha1.example. 300 IN RRSIG DNSKEY 5 2 300 20900122074341 20220104052934 9662 rsasha1.example. 
Ksyrf1lseBMSQGyPWrSve/X09Nb1CWB//Yvjw9HAEBwna9wseI6cH6mi B1G2JyFmTFzxGgVmf0wB+oec2w7nt5/uUJbyVfLQvCs9RXBGEpKAwhVf GKIwcSF1VTyVfx+PYPHvCpeN01Qm3C/5pJ28dkT65Hry2a7f39kk/8YZ 4zVM1nYaTsBUQdQWvR5UlSm0S3SUMBc2MIEUGUFBhtBJ10W8VkIfNzma ONjMHthu8vLAfwuBYX8zzJIVB31XvnxZDa4LSM4PesyPZ+KVR27o5dlL gQS62u3PWJDgEhUNFIa8A+5kDENC24p7DSfG+Aipe3upefBpBAW3VEdN A/nwQQ== +; resign=20900122074341 +b.rsasha1.example. 300 IN A 10.0.0.2 +b.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ivXu+xAyZThIsY2T1c1wczdeeIG/37z+nO9sbUOzcUyf4+T9lX+6rU0D gxQTxHVdcsw3ge/C+dU2qcrs3EHHW4JcpT1yZMbXcyo+w5ocj5oHGYD2 L3iKLCEZrzdkIwmY4GXNyTznk0X5GKuaP7P6PeNrwWEBficB6xLSiLm7 tsswVcc4XyHa+zKBbxevIt2bKvRUfruyztgENZXJ5125Kx1Ee70Hwvgw bNc2J7lqpJw5c5O8yUaXq5gsxcaLBuONbQ4ANL5PtFQJJY7B5GhqlRTy gVrThJsoZj66pfa8gK92yn8uRG6sFpAbtPrTMQaReiExOhCUdBZRBmA+ RWUTKQ== +; resign=20900122074341 +b.rsasha1.example. 300 IN NSEC d.rsasha1.example. A RRSIG NSEC +b.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. hHtS5Bev1RkOJhsz4QnWJzzn/BBRLJil1l1RCbX+nbVbPE93l/2aDi12 jgctWKIfAiVfdFn93uno11+7Lq+bJaiMvaozJ+f7XWMAPsITOlKGNtiw l9kqZJExugH3q0RC1W0xxnb6HlIbwYGn6refUexaZKjgBsUg302pY7bh 6z4WuPakuxAqsaI6KLxLAlm7CWmdXvpFMCc1dnIVDplxOAvEINTrEesY sffjfmRbP3YAXC6/xvu0WVlikgklJjjiRqdeiSqPLGlnb79OAF5whHSL nYvWscX00/f+SOiniFoAFH2KeSb7VdJ2jvpTaqWjrYxxvwuZMsKNzwRI 4pnH/w== +; resign=20900122074341 +a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN A 10.0.0.27 +a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG A 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. 
BQT+sZ6SJUbGDJ0eG6WBM19+UoBGZEie96E7EXaeS4It3M+EaMkIWIGD hp0MwiC0yW8u0zWjlA57t3yRpVhvCic8kl4SPs5tOmDXyy5RRJ7YOHNx 3PCuAbkoTfoLt5ReVtGcs5LTz+lmPUKZw/dwols5x8v1PIC2O/Ud6Yep TE9Qeymj1/C3GxxLVPLxXQhirkhT6LfMmFH6fNwec6U7bVRyMo3twcvK TDxkEZu5qA0+6bSrLC/xdyZYE38RQOlicmmGfYAIkDWKDdDXYbfBeJq6 zP8aFvdqOckDBvXQcnP9Cq+IvQX1noO90ePYf5AzNxAEQFJ4S1LUm/0q mQqNLA== +; resign=20900122074341 +a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN NSEC ns.rsasha1.example. A RRSIG NSEC +a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. 300 IN RRSIG NSEC 5 13 300 20900122074341 20220104052934 30286 rsasha1.example. jvJup/Pg4BpAjh+eLMKEYFkpK/iOVt3QggGL7CRMxzxkYYMJNPwXqdAt 5MovIAFjFKBQm0RDe8/tqav/zdOZrDTyRZ2Zsh9qOp7hlOhy4oqQF+4n Wqg3x8v9gSgrzSAsiJAhb3fbbfdAb3Esc1R0Ec/RcLYEUXiD1eLTG0cB qtVmX3McwXTmu0OGpn0Dsg8CTSuQnrvo24bvsah5SEL1/NVkPtEE7KDT Q8orR7LNM0EeIL1CHxT5dqCAo5MvUm9L8GL/YIOZgtifD/uL23T0ej4j 0JYN7EYoDyFT0fyGeBoS2jkCZTsQZivfnkE5J4Ch1nAU5bUmSeX1eZHK nvce9Q== +; resign=20900122074341 +d.rsasha1.example. 300 IN A 10.0.0.4 +d.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 1mZnG0HsIygSfEue9vMlqWpIQ59EmrktvFrGBzNUEDQDjsoGHv+syMFi A8BtRPkrHZzGaYTqy4L8ZL6V5vZPN1icETNVebx7teBTNFIwlvubdKoQ Zg/37W8gW6U1PN4khQlfX7W5XMFifF4qfCfI3XhkPgKacVaucHQhvGth ZzgCbhCQBVMooRb+v+nzknin0qpIWm7pVPh94BaajxQJ0mNwVQ8hjdJP jy16PH4z/aQ6oPjPKMbnMwTQOdWVUKsZtEkBGcAjJWLFmUJYpR5PPdRB /VsEtjexNKZtDwn0/QUIqUi4GcSp0ISTDBTNDjImJhWVJUoFh6S6zuRW tPYZGA== +; resign=20900122074341 +d.rsasha1.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1.example. A RRSIG NSEC +d.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 
oWJRAhXbXUA84Nc56NyMocBq93bn3k4uGeqv+XL2L5l6yjxQYxKzjqq1 O5m72K6GiIjoIeun5TxJlEI7/o1EivTxdGYVP4Fsb//Wrv422QcHwS27 xNsFhLMFQglBCOaZzj1v3G2nXRRjP8x81ysg048THlhH5Jm7cW3aUmuS P6kXebWVwIc2nywLHVr/U4dCT2sHOk2gkUuaj8p6rMLVYwj/5dBRijVl Wm131ZeimetxrrRVxXtOfof7W4pqx3bpYRqb/Exdh035Hen+QesxRYTA zcxY7CywJY59afc9/abQBWGkPLfF7rgfJjPIc3MpJlP4SPf0SV4bTNUU nptZ/A== +; resign=20900122074341 +ns.rsasha1.example. 300 IN A 10.53.0.3 +ns.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. ONQph6nkFWSS6dqe/agbVnbjwTtA8ZZATpTCqoRJp2QoEgIjZ/0Yh7Fl Axz4PnpMYsEoie0IZ0/g+xTH7nXYphZzzzgedK8WK0vdTW3Pspyoiek/ tWjiGshqq1atHgi+jjRiuhnEvkaX0UDipMCQvI7oFHMOJxmnwZBCNWMc kBu9vbqtr/+HM4y+jGywg5l2XVkmHC5RZv1CoYc5PhfvV4zMI2RCb/Km i5eNCrUZefRfAq4fK9M67Jh/WnfRWfnHZKZN3O0yiRdnKOh2tOQP3X46 fIuNldCeg1PPnkbs4R+ekqJYhpEydNuWKEoKw2ZgeIrmbcRqepD6y3SZ UP/TAw== +; resign=20900122074341 +ns.rsasha1.example. 300 IN NSEC z.rsasha1.example. A RRSIG NSEC +ns.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. s7P7k9FDJrO1JhUVjgVUDQXNXfNOJrYVt44OoD45e7w4Q7QkyeZe+6z1 Arj9tW1bI9nIVNo63DT51bsJmj4vPf4SuJgHO05ElkLFSvHn17qMdw8Q Kpx8MQa7plAISqzl9hJip0exMuV+1IHujO9VGE42CxKl0q6l2b/x3+Il afx47bcEePkdhHXyhOSdrtxFTayzjMd/7uSy6p1jFSEVrheejQ/r44t3 9uxEc4EYfiP+HVfnjJ178j2Xa4dZyi3ljhJjaH5oleiy5c2Y5kXRIuXH OcIQ2axO7LT/yupRcBPlo7ulwI9iEVd2Q2gueMqaJ9YEWlcoOSFu1H75 7IRAbA== +; resign=20900122074341 +z.rsasha1.example. 300 IN A 10.0.0.26 +z.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. nuqG+ILECKKCQockETu4yLRKZzv9qjXJpfD0/yw5Cw7nSrZFvAjpkQR2 f+xmzbcxP4xiYqs1I+nz8cnHs6NNkJA8vcmk9dnzRu78X0x8MFFV0Yha jQKK/cSzhEhys7GMYv3Jz6lKfmFOAoq1et9PaQT6w8zQD8Q5vBzKrvZm pg+QzZvvgToZfj4e5J7nrhnyOVo7Jec5l/aBCGJbgRMDxjyyC0ufOjnm POvsTZk+wM3+wuN6zYwDpproPiH/6vC/yPlDHeh6kDt971dMsdvRv+kS KAzPyN8rweptJ/HRprb9x6zcAJOrK0T1sJ+EhMbYMgC/py6aAn+T7G5D FGY1tg== +; resign=20900122074341 +z.rsasha1.example. 300 IN NSEC rsasha1.example. 
A RRSIG NSEC +z.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. Wj5DkrGppeMFn8bWLUMfFPCzDAO2HeabbEIMaAHBH/g0hdn+2PPkQc8D D6WCSc4q5gyGNRSXj2Kik2TojD9n/5WuwDAA3W2AOso+4d616lSy9pyj x+e4WZ6y6tAYRRIGIVTdDEOxrZ8KspclWk7H6OAAPIYvgZeYjox21qXN BknpIifVoaYUoxi3e81k25erm/Xww4uU2SMQgvq3sBrs0YGANembfxas BRVmSmBykpugHgS1/Fl19Hp40y/JTBzqOLrHgPgHO4aH89dgta0WlMhb 8uCUOjHNjcR+KO3KUpKDZkH8IuJHWWFd0TabdV0KBhpInQh6Yorhpjg7 qNBbgA== +; resign=20900122074341 +a.rsasha1.example. 300 IN A 10.0.0.1 +a.rsasha1.example. 300 IN RRSIG A 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. eJyAqMArSagK54kSFvJxE5qYXFSDYxj6Vt8l4gi58BQigO7p5v0BUWcS icToRx3a9+rSdhnBuGbOWGNlrKFfCKrLmqYrlI9GFSAFLAFj7DETSKDJ X5dQ0KnpyGL3SneQsDWAvAof0y9B17dnBHQMSjeVqqQLjYEnq3ZIdT3c b6emCGMhcbfIAOYWt7t9nk/J2tsTsdoKtTCHP1SHjn5sE++BPXOce49X gFnNMD+pOcoLH8Z07RcTQ8IeNIa9hO8UaypyicaHQ2F0JtsiL1pqREXf QsBeLC12Gbi0rxJX3gdj0LXsmSerVl6BgaNjPTp3840WKrW3nTG/8Lre bxgkow== +; resign=20900122074341 +a.rsasha1.example. 300 IN NSEC b.rsasha1.example. A RRSIG NSEC +a.rsasha1.example. 300 IN RRSIG NSEC 5 3 300 20900122074341 20220104052934 30286 rsasha1.example. 6fZ5/GXrFAc9lEspMNlPa40F8O/tGq1oaSZXVstwLH124TNWxRK+i8eT H77Kq80vZkDus8rkLr4fiLP3ApXVBffCRHZWecGrYaPGDbQXALQEktld NhmLr9Nf30Jq7KvVV9Qf4daPC7ZwkB8EsikJxjpQ/paHlU/Pua7ZonnH /x9HHRJBLWb/PPQWEc++8SSjA79+HZVbB8rBwXyxHO1tFBCbBpK/JNwu KpRqNp/mwxPpSaJGZIuhHlzfbLsS4WoXjdG+fob4RqsPPwrf/uAAzKM2 dHVuqZ1erH3ryb4JdRo+MhqD0+vC/7+eNccEXraBsE5xGw4M62Se37WC kyQDQA== +; resign=20900122074341 diff --git a/bin/tests/system/dnssec/ns3/rsasha1.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in new file mode 100644 index 0000000000..b2e7e21e20 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha1.example.db.in 
@@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in index 862dadba98..f6c4fabdd3 100644 --- a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in index 862dadba98..f6c4fabdd3 100644 --- a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in +++ b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index 27f2b2401c..ec39308e9a 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in index 3f10748395..15fe621fd0 100644 --- a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in index 703a306346..ec6603a91f 100644 --- a/bin/tests/system/dnssec/ns3/siginterval.example.db.in +++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf index 83753efd60..1d82f680d1 100644 --- a/bin/tests/system/dnssec/ns3/siginterval1.conf +++ b/bin/tests/system/dnssec/ns3/siginterval1.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -12,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 1 23; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval1; file "siginterval.example.db"; }; diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf index d2bd0d59c6..fa9c6267fe 100644 --- a/bin/tests/system/dnssec/ns3/siginterval2.conf +++ b/bin/tests/system/dnssec/ns3/siginterval2.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -12,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 35 28; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval2; file "siginterval.example.db"; }; 
diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
new file mode 100644
index 0000000000..59d152926f
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -ef
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# RSASHA1 is validate only in FIPS mode so we need to have a pre-signed
+# version of the zone to test with in FIPS mode. This requires a non
+# FIPS build which supports RSASHA1 to be used to generate it.
+
+. ../../conf.sh
+
+zone=rsasha1-1024.example
+k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
+k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
+cat $zone.db.in $k1.key $k2.key > $zone.tmp
+# use maximum expirey period (-e 2^31-1-3600)
+# use output format full for easy extraction of KSK (-O full)
+"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
+rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh
new file mode 100644
index 0000000000..3c35fa07f9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign-rsasha1.sh
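Review bot: The header comment has two typos that make the rationale harder to read: `# RSASHA1 is validate only in FIPS mode` should be `# RSASHA1 is validate-only in FIPS mode`, and `# use maximum expirey period (-e 2^31-1-3600)` should say `expiry`. Apart from `-b 1024` the script is byte-for-byte the same as sign-rsasha1.sh (both consume the identical `.db.in`, index b2e7e21e20), so a single script taking the key size as an optional argument (`bits=${1:-}` and `${bits:+-b $bits}` on the two `"$KEYGEN"` calls) would keep the two regeneration procedures from drifting. Since the generated zone and its DS are what gets committed, it would also help to state next to the final `rm -f` that the private keys are deliberately discarded, so the checked-in zone can only be replaced by re-running the whole script on a non-FIPS build, never re-signed in place.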
@@ -0,0 +1,27 @@
+#!/bin/sh -ef
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# RSASHA1 is validate only in FIPS mode so we need to have a pre-signed
+# version of the zone to test with in FIPS mode. This requires a non
+# FIPS build which supports RSASHA1 to be used to generate it.
+
+. ../../conf.sh
+
+zone=rsasha1.example
+k1=$("$KEYGEN" -a rsasha1 $zone)
+k2=$("$KEYGEN" -a rsasha1 -f KSK $zone)
+cat $zone.db.in $k1.key $k2.key > $zone.tmp
+# use maximum expirey period (-e 2^31-1-3600)
+# use output format full for easy extraction of KSK (-O full)
+"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp
+rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index c32e462a11..89fbe25b7f 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -1,9 +1,11 @@
 #!/bin/sh -e
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
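Review bot: The signer invocation `"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp` is missing the `-e` that its own comment (`-e 2^31-1-3600`) and the sibling sign-rsasha1-1024.sh both use, so `+2147480047` is handed to dnssec-signzone as a positional argument instead of as the expiration time and the command will either fail or not produce the zone described; it should read `"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp`. The committed rsasha1.example.db carries 2090 expiration times, so it was presumably generated with the correct option and this script as written would not reproduce it. The same two comment typos as in the 1024-bit script (`validate only` → `validate-only`, `expirey` → `expiry`) apply here.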
@@ -49,7 +51,7 @@ do keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed # Make trusted-keys and managed keys conf sections for ns8. @@ -86,7 +88,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null zone=bogus.example. infile=bogus.example.db.in @@ -96,7 +98,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,7 +109,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -o "$zone" "$zonefile" > /dev/null zone=keyless.example. infile=generic.example.db.in 
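Review bot: The `-P` → `-z` substitution on the `"$SIGNER"` lines is never explained, and the two options are unrelated (`-P` disables post-sign verification, `-z` ignores the KSK flag when deciding what signs what), so on its own the hunk reads like an accidental flag swap. Presumably the intent is to stop suppressing verification and to let the blocks that concatenate a single `$keyname.key` (or only the KSK `keyname4`) pass it without a separate KSK/ZSK pair — please confirm and record it once near the first call, e.g. `# -z: these zones carry one key; sign everything with it so post-sign verification (no longer disabled by -P) accepts the zone`. The dynamic.example call drops `-P` without adding `-z`, which fits that reading because it has a distinct KSK (`keyname2 ... -f KSK`), but a one-line comment there would make the asymmetry visibly deliberate rather than an omission.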
@@ -117,14 +119,14 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null -# Change the signer field of the a.b.keyless.example SIG A -# to point to a provably nonexistent KEY record. +# Change the signer field of the a.b.keyless.example RRSIG A +# to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" <"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../NXT/;' > "$zonefile.signed" + if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" rm -f "$zonefiletmp" # @@ -138,7 +140,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null # # NSEC3/NSEC3 test zone @@ -151,7 +153,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -164,7 +166,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout). @@ -177,7 +179,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC test zone 
@@ -190,7 +192,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -203,7 +205,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/OPTOUT test zone @@ -216,7 +218,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone. @@ -229,7 +231,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,7 +244,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,7 +257,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null # # A zone that is signed with an unknown DNSKEY algorithm. 
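Review bot: The `-U` → `-PU` change on the two unknown-NSEC3-hash zones keeps `-P` (skip post-sign verification) while every neighbouring hunk removes it, and nothing in the hunk says why. Presumably verification cannot succeed for a hash algorithm the verifier does not implement — confirm — and that deserves a comment so the next cleanup does not strip it too: `# -P: post-sign verification cannot handle the unknown NSEC3 hash algorithm (-U)`. Writing the options as `-P -U` instead of the bundled `-PU` would also keep the retained `-P` visible to anyone grepping for it.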
@@ -269,11 +271,11 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed -DSFILE="dsset-${zone}${TP}" +DSFILE="dsset-${zone}." $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" # @@ -288,11 +290,11 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed -DSFILE="dsset-${zone}${TP}" +DSFILE="dsset-${zone}." $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" # @@ -308,7 +310,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). 
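Review bot: `DSFILE="dsset-${zone}."` hard-codes a trailing dot after `$zone`, whereas the `${TP}` it replaces existed precisely to cope with zone names that already end in one; the `zone=` assignment for each of these three blocks is outside the hunk, and elsewhere in this file zones are written with the dot (`zone=bogus.example.`, and `dsset-bogus.example.` is the matching file name), so if these are too the result is `dsset-...example..`. Either confirm the assignments have no trailing dot, or make the name robust regardless: `DSFILE="dsset-${zone%.}."`. The same replacement appears in the -322 hunk and in the `dsset-delegation.${zone}.` lines of the final hunk.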
@@ -322,11 +324,11 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed -DSFILE="dsset-${zone}${TP}" +DSFILE="dsset-${zone}." $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" # 
@@ -340,17 +342,18 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null -mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC +"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 +"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 +"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null +cat NSEC NSEC3 >> "$zonefile".signed # # A RSASHA256 zone. @@ -416,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC signed zone that will have auto-dnssec enabled and +# A NSEC signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec.example. 
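Review bot: The intermediate files `NSEC` and `NSEC3` written by the awk filters are left behind after `cat NSEC NSEC3 >> "$zonefile".signed`, and their bare, zone-independent names would be silently overwritten if the pattern is reused for another zone. Add `rm -f NSEC NSEC3` after the `cat` (and make sure the test's clean-up list knows them, which is outside this diff), or name them after the zone, e.g. `"$zonefile".nsec` and `"$zonefile".nsec3`. A short comment above the block stating what it appears to build — one signed file holding the NSEC chain plus the `-`, AAAA, BBBB, CCCC and DDDD NSEC3 chains, which is why the first awk uses `>` and the later ones `>>` — would spare the next reader from reverse-engineering the redirections.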
@@ -425,13 +428,13 @@ zonefile=auto-nsec.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # -# A NSEC3 signed zone that will have auto-dnssec enabled and +# A NSEC3 signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec3.example. @@ -440,8 +443,8 @@ zonefile=auto-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 
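Review bot: In the auto-nsec3.example block the new `ALTERNATIVE_ALGORITHM` key generation drops the `-3` that the adjacent `DEFAULT_ALGORITHM` calls keep (`"$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" ...` versus `"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" ...`). For algorithms that have a separate NSEC3 variant that flag changes the algorithm number, so unless `ALTERNATIVE_ALGORITHM` is guaranteed to be one where `-3` is a no-op (not visible from this diff), the nsec3 block should use `"$KEYGEN" -q -3 -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null` and the same for the ZSK line. Discarding the output with `> /dev/null` is fine because these key names are intentionally never concatenated into the zone, but a comment at the call site such as `# generated on disk only; deliberately not included in the signed zone` would make that explicit.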
@@ -542,23 +545,6 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone" cp "$infile" "$zonefile" "$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null -# -# Zone with signatures about to expire, and dynamic, but configured -# not to resign with 'auto-resign no;' -# -zone="nosign.example." -infile="nosign.example.db.in" -zonefile="nosign.example.db" -signedfile="nosign.example.db.signed" -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null -# preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before - # # An inline signing zone # @@ -567,21 +553,7 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone" zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # -# publish a new key while deactivating another key at the same time. -# -zone=publish-inactive.example -infile=publish-inactive.example.db.in -zonefile=publish-inactive.example.db -now=$(date -u +%Y%m%d%H%M%S) -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null - -# -# A zone which will change its sig-validity-interval +# A zone which will change its signatures-validity # zone=siginterval.example infile=siginterval.example.db.in 
@@ -603,7 +575,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP +sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example. # # A zone with future signatures. @@ -656,7 +628,7 @@ cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC zone with occuded data at the delegation +# A NSEC zone with occluded data at the delegation # zone=occluded.example infile=occluded.example.db.in @@ -664,8 +636,25 @@ zonefile=occluded.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") -keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") -$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone") +$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ - "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" + "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# Pre-signed zone for FIPS validation of RSASHA1 signed zones +# See sign-rsasha1.sh for how to regenerate rsasha1.example.db +# with non-FIPS compliant instance. +# +# We only need to generate the dsset. +# +zone=rsasha1.example +zonefile=rsasha1.example.db +awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" | +$DSFROMKEY -f - "$zone" > "dsset-${zone}." + +zone=rsasha1-1024.example +zonefile=rsasha1-1024.example.db +awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" | +$DSFROMKEY -f - "$zone" > "dsset-${zone}." 
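Review bot: The two new `awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" | $DSFROMKEY -f - "$zone" > "dsset-${zone}."` pipelines in `@@ -664,8 +636,25 @@` take their exit status from `$DSFROMKEY` alone, so if the pre-signed `rsasha1.example.db` or `rsasha1-1024.example.db` is missing, awk's error does not stop an `sh -e` script and the result depends on how dsfromkey treats empty input. A guard before each pipeline, `test -f "$zonefile" || { echo "missing $zonefile" >&2; exit 1; }`, makes the failure explicit. The field test also assumes each DNSKEY line carries an explicit TTL so that the type is field 4 and the flags field 5; since the db files are maintained outside this script (per the comment pointing at sign-rsasha1.sh), that assumption belongs in the comment above. Whether this sign.sh runs under `sh -e` like the ns5–ns7 scripts is not visible in this chunk.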
diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in index 8761ebb017..55b38776da 100644 --- a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in +++ b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in index 8761ebb017..55b38776da 100644 --- a/bin/tests/system/dnssec/ns3/split-smart.example.db.in +++ b/bin/tests/system/dnssec/ns3/split-smart.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in index 86552149e1..14971bd7a6 100644 --- a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in +++ b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in index 0e0e5e09e5..a7792fd3b8 100644 --- a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in +++ b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in index 703a306346..ec6603a91f 100644 --- a/bin/tests/system/dnssec/ns3/upper.example.db.in +++ b/bin/tests/system/dnssec/ns3/upper.example.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns4/managed-keys.bind.in b/bin/tests/system/dnssec/ns4/managed-keys.bind.in new file mode 100644 index 0000000000..570669df3c --- /dev/null +++ b/bin/tests/system/dnssec/ns4/managed-keys.bind.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 0 ; 0 seconds +@ IN SOA . . ( + 2 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 0 ; minimum (0 seconds) + ) + KEYDATA 20221028094934 19700101000000 19700101000000 0 0 0 ; placeholder diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index 9559a00c01..280217e50b 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -12,9 +14,9 @@ // NS4 options { - query-source address 10.53.0.4 dscp 1; - notify-source 10.53.0.4 dscp 2; - transfer-source 10.53.0.4 dscp 3; + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.4; }; @@ -39,7 +41,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index f1ec362032..b01979bb52 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. 
@@ -12,10 +14,9 @@ // NS4 options { - query-source address 10.53.0.4 dscp 4; - notify-source 10.53.0.4 dscp 5; - transfer-source 10.53.0.4 dscp 6; - dscp 16; + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.4; }; @@ -28,7 +29,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index 097ed33de4..3a64e9d27a 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -28,7 +30,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 6e5b40a830..5d3bf3f0c7 100644 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -23,7 +25,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { @@ -32,7 +34,7 @@ controls { key auth { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in index 7ab0eb6946..b9d0ba8025 100644 --- a/bin/tests/system/dnssec/ns4/named5.conf.in +++ b/bin/tests/system/dnssec/ns4/named5.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -20,11 +22,12 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; bindkeys-file "managed.conf"; + dnssec-validation no; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { 
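Review bot: The `dnssec-validation no;` added to named5.conf.in in `@@ -20,11 +22,12 @@` sits directly under `bindkeys-file "managed.conf";`, and as far as I recall bindkeys-file is consulted only when validation is `auto`, so with validation switched off that line becomes inert and the purpose of this configuration is no longer evident from the file. If disabling validation here is deliberate for the scenario named5 exercises, a one-line comment such as `// validation deliberately disabled for this scenario` next to the option would stop the next reader from treating it as a mistake. If it is not deliberate, `auto` is what makes the bindkeys-file line take effect.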
@@ -33,5 +36,5 @@ controls { key auth { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in index 62d43b5ff7..ccb3de919c 100644 --- a/bin/tests/system/dnssec/ns5/named1.conf.in +++ b/bin/tests/system/dnssec/ns5/named1.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -25,7 +27,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named2.conf.in index de10865599..6d0474b9d5 100644 --- a/bin/tests/system/dnssec/ns5/named2.conf.in +++ b/bin/tests/system/dnssec/ns5/named2.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -13,7 +15,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { 
@@ -29,6 +31,7 @@ options { listen-on { 10.53.0.5; 127.0.0.1; }; listen-on-v6 { none; }; recursion yes; + dnssec-validation yes; }; view root { diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index a4e910acfc..df0b208d2f 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args index 65b7dbcc93..4b96405caa 100644 --- a/bin/tests/system/dnssec/ns6/named.args +++ b/bin/tests/system/dnssec/ns6/named.args @@ -1 +1 @@ --m record,size,mctx -c named.conf -d 99 -D dnssec-ns6 -X named.lock -g -T maxcachesize=2097152 -T nonearest -T tat=1 +-m record -c named.conf -d 99 -D dnssec-ns6 -X named.lock -g -T maxcachesize=2097152 -T nonearest -T tat=1 diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in index fa74b6043b..4bdc79c5f7 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.in 
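Review bot: `dnssec-validation yes;` added in `@@ -29,6 +31,7 @@` of ns5/named2.conf.in enables validation only against explicitly configured trust anchors; unlike `auto` it does not load the built-in root anchor, and no anchors are visible in the hunk's context. If the `view root` block that follows, or an included file, supplies them, a comment such as `// validation relies on the trust anchors configured in the views below` beside the option would make that dependency explicit. If nothing in the file configures anchors, the line validates nothing and either `auto` or a `trust-anchors` block is needed.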
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns6/optout-tld.db.in b/bin/tests/system/dnssec/ns6/optout-tld.db.in index b90c9eaef9..b2aa3934d8 100644 --- a/bin/tests/system/dnssec/ns6/optout-tld.db.in +++ b/bin/tests/system/dnssec/ns6/optout-tld.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 4eb2fa5b71..6102e52917 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -24,4 +26,4 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in index 70d71f6eff..55cbec9ee9 100644 --- a/bin/tests/system/dnssec/ns7/named.conf.in +++ b/bin/tests/system/dnssec/ns7/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa index b8aab6c39b..caefbbba46 100644 --- a/bin/tests/system/dnssec/ns7/named.nosoa +++ b/bin/tests/system/dnssec/ns7/named.nosoa 
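Review bot: Replacing `-P` with `-z` in the last hunk of ns6/sign.sh (`@@ -24,4 +26,4 @@`) changes more than which keys are selected: `-P` disabled dnssec-signzone's post-sign verification, so the new command now verifies the signed zone, whereas `-z` only makes the signer ignore the KSK flag when deciding what to sign. Because the line still ends in `> /dev/null 2>&1` and the script runs under `#!/bin/sh -e`, a verification failure would abort setup with no diagnostic at all; dropping the stderr redirect, `"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null`, keeps the signer's error text visible, which is how the equivalent `-P` to `-z` swaps in the ns3 sign.sh hunks above are written.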
@@ -1,5 +1,12 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC") -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. Add -T nosoa. diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db index e8949475c7..d3c98783ea 100644 --- a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db +++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh index 296434413d..551b2173fc 100644 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ b/bin/tests/system/dnssec/ns7/sign.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns7/split-rrsig.db.in index 14300c3b08..48c2f878c2 100644 --- a/bin/tests/system/dnssec/ns7/split-rrsig.db.in +++ b/bin/tests/system/dnssec/ns7/split-rrsig.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in index 4cf0753e96..d0278caeb9 100644 --- a/bin/tests/system/dnssec/ns8/named.conf.in +++ b/bin/tests/system/dnssec/ns8/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -28,7 +30,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.in index 1933c76700..06530a08c1 100644 --- a/bin/tests/system/dnssec/ns9/named.conf.in +++ b/bin/tests/system/dnssec/ns9/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -27,7 +29,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/dnssec/ntadiff.pl index 041e7bcafc..ca80eac9b8 100755 --- a/bin/tests/system/dnssec/ntadiff.pl +++ b/bin/tests/system/dnssec/ntadiff.pl 
@@ -1,9 +1,11 @@ #!/usr/bin/perl -w -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 35b9b29ac4..6aa0cd0a0f 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dnssec/signer/example.db.in b/bin/tests/system/dnssec/signer/example.db.in index dbf60c1d59..3ab6aa2fc5 100644 --- a/bin/tests/system/dnssec/signer/example.db.in +++ b/bin/tests/system/dnssec/signer/example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. 
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key deleted file mode 100644 index e4bdce2c17..0000000000 --- a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key +++ /dev/null @@ -1 +0,0 @@ -example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private deleted file mode 100644 index db928c5b4b..0000000000 --- a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk= -PublicExponent: AQAB -PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE= -Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ== -Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ== -Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ== -Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ== -Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow== diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key new file mode 100644 index 0000000000..104face02c --- /dev/null 
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 19857, for example.com. +; Created: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022) +example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private new file mode 100644 index 0000000000..91171b032b --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw== +PublicExponent: AQAB +PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ== +Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk= +Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM= +Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE= +Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k= +Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI= +Created: 20220902075244 +Publish: 20220902075244 +Activate: 20220902075244 
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key deleted file mode 100644 index 6f4fec8c4b..0000000000 --- a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key +++ /dev/null @@ -1 +0,0 @@ -example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private deleted file mode 100644 index 2d299d0e2e..0000000000 --- a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM= -PublicExponent: AQAB -PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE= -Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q== -Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw== -Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ== -Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw== -Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw== diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key new file mode 100644 index 0000000000..717d65f256 --- /dev/null 
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 45884, for example.com. +; Created: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022) +example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private new file mode 100644 index 0000000000..891c6c3831 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w== +PublicExponent: AQAB +PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ== +Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc= +Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0= +Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys= +Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE= +Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc= +Created: 20220902075336 +Publish: 20220902075336 +Activate: 20220902075336 
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key new file mode 100644 index 0000000000..47003a44c2 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 18240, for example.com. +; Created: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021) +example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private new file mode 100644 index 0000000000..f16b62708a --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw== +PublicExponent: AQAB +PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ== +Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0= +Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8= +Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE= +Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98= +Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0= +Created: 20211221062121 +Publish: 20211221062121 +Activate: 20211221062121 
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key new file mode 100644 index 0000000000..37bd259f6b --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 28633, for example.com. +; Created: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021) +example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private new file mode 100644 index 0000000000..6d7f72e48b --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw== +PublicExponent: AQAB +PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ== +Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98= +Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0= +Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0= +Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0= +Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro= +Created: 20211221062130 +Publish: 20211221062130 +Activate: 20211221062130 diff --git a/bin/tests/system/dnssec/signer/general/bogus-ksk.key b/bin/tests/system/dnssec/signer/general/bogus-ksk.key index af4640baeb..e4685741ff 100644 
--- a/bin/tests/system/dnssec/signer/general/bogus-ksk.key +++ b/bin/tests/system/dnssec/signer/general/bogus-ksk.key @@ -1,6 +1,6 @@ ; ; This is a bogus key. It will not have a .private file. ; -; This will be key id 7091 +; This will be key id 23221 ; -example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz +example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc= diff --git a/bin/tests/system/dnssec/signer/general/bogus-zsk.key b/bin/tests/system/dnssec/signer/general/bogus-zsk.key index 2e53d5c52a..aa45938426 100644 --- a/bin/tests/system/dnssec/signer/general/bogus-zsk.key +++ b/bin/tests/system/dnssec/signer/general/bogus-zsk.key @@ -1,6 +1,6 @@ ; ; This is a bogus key. It will not have a .private file. ; -; This will be key id 7092 +; This will be key id 48930 ; -example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz +example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s= 
diff --git a/bin/tests/system/dnssec/signer/general/test1.zone b/bin/tests/system/dnssec/signer/general/test1.zone
index 8c11a0e734..98c9f0233c 100644
--- a/bin/tests/system/dnssec/signer/general/test1.zone
+++ b/bin/tests/system/dnssec/signer/general/test1.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,5 +15,5 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+07065.key
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test10.zone b/bin/tests/system/dnssec/signer/general/test10.zone
new file mode 100644
index 0000000000..10a8bc97e1
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test10.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00100000 1200 3600 604800 300
+extra.example.com. IN A 1.2.3.4
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssec/signer/general/test11.zone b/bin/tests/system/dnssec/signer/general/test11.zone
new file mode 100644
index 0000000000..538305fc14
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test11.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
diff --git a/bin/tests/system/dnssec/signer/general/test2.zone b/bin/tests/system/dnssec/signer/general/test2.zone
index b603931a52..97c0d3d8dc 100644
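Review bot: The header comment of test11.zone is a verbatim copy of test10.zone's and does not say why this zone stays on algorithm 5 (RSASHA1) keys, `Kexample.com.+005+19857.key` and `Kexample.com.+005+45884.key`, while every other fixture in this directory is moved to algorithm 10 (RSASHA512) in the same commit. Someone auditing the fixtures for deprecated algorithms would reasonably read the two remaining RSASHA1 key pairs as an oversight rather than a deliberate case. If the intent is to keep one RSASHA1 signing case under test, say so where the keys are included, e.g. `; Keys are deliberately RSASHA1 (algorithm 5): this zone covers signing with a deprecated algorithm. Do not regenerate them with another algorithm.`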
--- a/bin/tests/system/dnssec/signer/general/test2.zone
+++ b/bin/tests/system/dnssec/signer/general/test2.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,4 +15,4 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+07065.key
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssec/signer/general/test3.zone b/bin/tests/system/dnssec/signer/general/test3.zone
index 70f2a869f1..bf9bc66c56 100644
--- a/bin/tests/system/dnssec/signer/general/test3.zone
+++ b/bin/tests/system/dnssec/signer/general/test3.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,4 +15,4 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test4.zone b/bin/tests/system/dnssec/signer/general/test4.zone
index fb5b6c446f..9f05de50fb 100644
--- a/bin/tests/system/dnssec/signer/general/test4.zone
+++ b/bin/tests/system/dnssec/signer/general/test4.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,6 +15,6 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+07065.key
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
 $include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test5.zone b/bin/tests/system/dnssec/signer/general/test5.zone
index 7f33e271ff..d61504fbf9 100644
--- a/bin/tests/system/dnssec/signer/general/test5.zone
+++ b/bin/tests/system/dnssec/signer/general/test5.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -12,6 +14,6 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+07065.key
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
 $include bogus-ksk.key
diff --git a/bin/tests/system/dnssec/signer/general/test6.zone b/bin/tests/system/dnssec/signer/general/test6.zone
index aad2838680..fcfb1ec260 100644
--- a/bin/tests/system/dnssec/signer/general/test6.zone
+++ b/bin/tests/system/dnssec/signer/general/test6.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,7 +15,7 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+07065.key
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
 $include bogus-ksk.key
 $include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test7.zone b/bin/tests/system/dnssec/signer/general/test7.zone
index acf443d9de..e52c535527 100644
--- a/bin/tests/system/dnssec/signer/general/test7.zone
+++ b/bin/tests/system/dnssec/signer/general/test7.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/signer/general/test8.zone b/bin/tests/system/dnssec/signer/general/test8.zone
index abfc58f818..893d32da10 100644
--- a/bin/tests/system/dnssec/signer/general/test8.zone
+++ b/bin/tests/system/dnssec/signer/general/test8.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -13,5 +15,5 @@
 ;
 $TTL 3600
 example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
-$include Kexample.com.+005+23362.key
+$include Kexample.com.+010+28633.key
 $include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test9.zone b/bin/tests/system/dnssec/signer/general/test9.zone
index 5cfac09189..14c47d040c 100644
--- a/bin/tests/system/dnssec/signer/general/test9.zone
+++ b/bin/tests/system/dnssec/signer/general/test9.zone
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/signer/prepub.db.in b/bin/tests/system/dnssec/signer/prepub.db.in
new file mode 100644
index 0000000000..946aac1bf5
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/prepub.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/signer/remove.db.in b/bin/tests/system/dnssec/signer/remove.db.in
index 8e0fccdd66..5629a426ae 100644
--- a/bin/tests/system/dnssec/signer/remove.db.in
+++ b/bin/tests/system/dnssec/signer/remove.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/signer/remove2.db.in b/bin/tests/system/dnssec/signer/remove2.db.in
index aa1d2f55af..b2962b9ff1 100644
--- a/bin/tests/system/dnssec/signer/remove2.db.in
+++ b/bin/tests/system/dnssec/signer/remove2.db.in
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9e50a0edf1..f3e579d1fd 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1,19 +1,21 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 # shellcheck source=conf.sh
 . ../conf.sh
 
-set -e
-
 status=0
 n=1
 
@@ -81,8 +83,7 @@ israw0 () {
 < "$1" $PERL -e 'binmode STDIN;
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
-exit 1 if ($style != 2 || $version != 0);'
-return $?
+exit 1 if ($style != 2 || $version != 0);' || return $?
 }
 
 # check that a zone file is raw format, version 1
@@ -91,8 +92,7 @@ israw1 () {
 < "$1" $PERL -e 'binmode STDIN;
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
-exit 1 if ($style != 2 || $version != 1);'
-return $?
+exit 1 if ($style != 2 || $version != 1);' || return $?
 }
 
 # strip NS and RRSIG NS from input
@@ -107,13 +107,11 @@ stripns () {
 # Ensure there is not a blank line before "Secure roots:".
 #
 check_secroots_layout () {
-tr -d '\r' < "$1" | \
 awk '$0 == "" { if (empty) exit(1); empty=1; next }
 /Start view/ { if (!empty) exit(1) }
 /Secure roots:/ { if (empty) exit(1) }
 /Negative trust anchors:/ { if (!empty) exit(1) }
-{ empty=0 }'
-return $?
+{ empty=0 }' $1 || return $?
 }
 
 # Check that for a query against a validating resolver where the
@@ -196,7 +194,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive validation NSEC using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1
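Review bot: In check_secroots_layout the file argument is now handed to awk unquoted, `{ empty=0 }' $1 || return $?`, so it is subject to word splitting and globbing; the same commit quotes `"${DELV}"` in every other hunk, and this line should match: `{ empty=0 }' "$1" || return $?`. Removing the `tr -d '\r' < "$1" |` stage also changes what the check accepts: a file with CRLF line endings no longer satisfies `$0 == ""` on its blank lines (each is a lone carriage return), so the layout check would now fail on such input rather than normalise it. If dropping CR handling is intentional, a one-line comment above the function saying that input is expected to have LF line endings would save the next reader a trip through the history. Indentation of these lines is not recoverable from the rendered hunk, so the exact layout could not be confirmed here.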
@@ -228,7 +226,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive validation NSEC3 using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1
@@ -253,7 +251,7 @@ status=$((status+ret))
 
 SP="[[:space:]]+"
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive validation OPTOUT using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1
@@ -279,7 +277,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1
@@ -321,7 +319,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
@@ -347,7 +345,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
 delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
@@ -369,7 +367,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
 delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1
@@ -392,7 +390,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
 delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1
@@ -416,7 +414,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
 delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1
@@ -438,7 +436,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
 delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1
@@ -462,7 +460,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
 delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1
@@ -486,7 +484,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
 delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1
@@ -507,7 +505,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-if [ -x ${DELV} ] ; then
+if [ -x "${DELV}" ] ; then
 ret=0
 echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
 delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1
@@ -527,7 +525,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -551,7 +549,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -575,7 +573,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 @@ -597,7 +595,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 @@ -619,7 +617,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 @@ -643,7 +641,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 
@@ -667,7 +665,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -691,7 +689,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 @@ -888,7 +886,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking failed validation using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 @@ -933,11 +931,11 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking that validation fails when key record is missing using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1 + grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -952,7 +950,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 
@@ -1099,6 +1097,38 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Should work with FIPS mode as we are only validating +echo_i "checking positive validation RSASHA1 NSEC ($n)" +ret=0 +if $FEATURETEST --rsasha1 +then + dig_with_opts +noauth a.rsasha1.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + dig_with_opts +noauth a.rsasha1.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +else + echo_i "skip: RSASHA1 not supported by OS" +fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Should work with FIPS mode as we are only validating +echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)" +ret=0 +if $FEATURETEST --rsasha1 +then + dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +else + echo_i "skip: RSASHA1 not supported by OS" +fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 
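Review bot: The comment `# Should work with FIPS mode as we are only validating` above both new RSASHA1 checks states the conclusion but not the reason; expand it along the lines of `# FIPS providers refuse to generate SHA-1 signatures but still verify them, so a validate-only check must pass (or be skipped) under FIPS too` — confirm that this matches the provider in use. The two blocks are identical apart from the zone name and the label, so a small loop over `a.rsasha1.example.`/`a.rsasha1-1024.example.` would keep them from drifting apart. `$FEATURETEST --rsasha1` is reported as "RSASHA1 not supported by OS" for any non-zero exit, including the helper being absent, which is acceptable for a skip but worth knowing when reading CI logs.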
@@ -1393,6 +1423,44 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" +ret=0 +if $FEATURETEST --fips-provider +then + ( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -F -f signed.zone -o example.com. test1.zone > signer.out.$n + test -f signed.zone + ) || ret=1 +else + echo_i "skipped no FIPS provider available" +fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" +ret=0 +if ! $FEATURETEST --fips-provider +then + echo_i "skipped no FIPS provider available" +elif ! $SHELL ../testcrypto.sh -q RSASHA1 +then + echo_i "skipped: RSASHA1 is not supported" +else + ( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1 + grep -F -e "fatal: No signing keys specified or found" \ + -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null + ) || ret=1 +fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 ( @@ -1405,6 +1473,20 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_ic "check that dnssec-signzone -J loads journal files ($n)" +ret=0 +( +cd signer/general || exit 0 +rm -f signed.zone +$MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl +$SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone > signer.out.$n +grep -q extra signed.zone +) || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + + echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" ret=0 ( 
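Review bot: In the new `dnssec-signzone -J` check, `cd signer/general || exit 0` makes the subshell succeed when the directory is missing, so the test reports success without running the signer; the two `-F` checks in the `@@ -1393` hunk use `cd signer/general || exit 1`, and this one should too. Inside the same subshell `$MAKEJOURNAL` and `$SIGNER` are not status-checked, so only the final `grep -q extra signed.zone` decides the outcome; removing `signed.zone` first limits the damage, but `$MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl || exit 1` would make a journal-creation failure visible instead of surfacing as a missing `extra` record. The second `-F` check hard-codes the key tag in `dnskey 'example.com/RSASHA1/19857'`; that is fine as long as test11.zone ships a fixed key, which the hunk does not show.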
@@ -1417,6 +1499,91 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +get_default_algorithm_key_ids_from_sigs() { + zone=$1 + + awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + NF < 8 { next } + $(NF-5) != "RRSIG" { next } + $(NF-3) != alg { next } + $NF != "(" { next } + { + getline; + print $3; + } + ' signer/$zone.db.signed | sort -u +} + +# Test dnssec-signzone ZSK prepublish smooth rollover. +echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)" +ret=0 +zone=prepub +# Generate keys. +ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM -n zone "$zone") +zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone") +zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone") +zskid1=$(keyfile_to_key_id "$zsk1") +zskid2=$(keyfile_to_key_id "$zsk2") +( +cd signer || exit 1 +# Set times such that the current set of keys are introduced 60 days ago and +# start signing now. The successor key is prepublished now and will be active +# next day. +$SETTIME -P now-60d -A now $ksk > /dev/null +$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null +$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null +$SETTIME -P now -A now+1d $zsk2.key > /dev/null +# Sign the zone with initial keys and prepublish successor. The zone signatures +# are valid for 30 days and the DNSKEY signature is valid for 60 days. +cp -f $zone.db.in $zone.db +$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null +echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" +status=$((status+ret)) + +echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" +ret=0 +zone=prepub +( +cd signer || exit 1 +# Roll the ZSK. 
The predecessor is inactive from now on and the successor is +# activated. The zone signatures are valid for 30 days and the DNSKEY +# signature is valid for 60 days. Because of the predecessor/successor +# relationship, the signatures of the predecessor are retained and no new +# signatures with the successor should be generated. +$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null +$SETTIME -A now $zsk2 > /dev/null +$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" +ret=0 +zone=prepub +( +cd signer || exit 1 +# After some time the signatures should be replaced. When signing, set the +# interval to 30 days plus one second, meaning all predecessor signatures +# are within the refresh interval and should be replaced with successor +# signatures. +$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null +$SETTIME -A now-20d $zsk2 > /dev/null +$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null +) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" ret=0 zone=example 
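Review bot: `get_default_algorithm_key_ids_from_sigs` assigns `zone=$1` without any scoping, so every call overwrites the script-level `zone` variable; each caller in this hunk passes the value `zone` already holds, so nothing breaks today, but a future call with a different zone name would silently retarget the surrounding test. If the script avoids `local` for portability, use a function-specific name such as `sigzone=$1` (and `signer/$sigzone.db.signed`) or read `$1` directly, and quote the awk argument as `-v alg="$DEFAULT_ALGORITHM_NUMBER"`. Note also that this replacement drops the `tr -d '\r'` that `get_rsasha1_key_ids_from_sigs` applied (removed in the `@@ -1458` hunk); presumably harmless on the CI runners, but a short comment would record that the change was deliberate.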
@@ -1458,26 +1625,11 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -get_rsasha1_key_ids_from_sigs() { - tr -d '\r' < signer/example.db.signed | \ - awk ' - NF < 8 { next } - $(NF-5) != "RRSIG" { next } - $(NF-3) != "5" { next } - $NF != "(" { next } - { - getline; - print $3; - } - ' | \ - sort -u -} - echo_i "checking that we can sign a zone with out-of-zone records ($n)" ret=0 zone=example -key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) -key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db @@ -1490,8 +1642,8 @@ status=$((status+ret)) echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" ret=0 zone=example -key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) -key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db @@ -1515,8 +1667,8 @@ status=$((status+ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 zone=example -key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) -key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example3.db 
@@ -1541,8 +1693,8 @@ status=$((status+ret)) echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" ret=0 zone=example -key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) -key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) +key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db @@ -1550,7 +1702,7 @@ $SIGNER -o example -f example.db.before example.db > /dev/null sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed $SIGNER -o example -f example.db.after example.db.changed > /dev/null ) -grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1558,10 +1710,10 @@ status=$((status+ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 zone=example -key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) -key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) +key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) +key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid2=$(keyfile_to_key_id "$key2") -key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) +key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid3=$(keyfile_to_key_id "$key3") ( cd signer || exit 1 
@@ -1573,8 +1725,8 @@ cat example.db.in "$key1.key" "$key3.key" > example.db echo "\$INCLUDE \"example.db.signed\"" >> example.db $SIGNER -D -o example example.db > /dev/null ) || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1585,8 +1737,8 @@ ret=0 cd signer || exit 1 $SIGNER -RD -o example example.db > /dev/null ) || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1603,8 +1755,8 @@ echo "\$INCLUDE \"example.db.signed\"" >> example.db $SETTIME -I now "$key2" > /dev/null 2>&1 $SIGNER -SD -o example example.db > /dev/null ) || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -1615,8 +1767,8 @@ ret=0 cd signer || exit 1 $SIGNER -SDQ -o example example.db > /dev/null ) || ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 -get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1719,8 +1871,12 @@ $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null $SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null ) || ret=1 -awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 -awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 
@@ -1753,6 +1909,140 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_i "checking dnssec-signzone -G ($n)" +ret=0 +( +cd signer || exit 1 +$SETTIME -P ds now -P sync now "$key1" > /dev/null +$SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (default) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (empty) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (no CDS) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db > /dev/null +) || ret=1 +test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1 +test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (bad argument) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2> signer.err.$n && ret=1 +grep "digest must specify cds:algorithm ('foobar')" signer.err.$n > /dev/null || ret=1 +) +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (bad digest - name) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2> signer.err.$n && ret=1 +grep "bad digest 'cds:foobar'" signer.err.$n > /dev/null || ret=1 
+) +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (bad digest - number) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2> signer.err.$n && ret=1 +grep "bad digest 'cds:256': out of range" signer.err.$n > /dev/null || ret=1 +) +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2> signer.err.$n && ret=1 +grep "unsupported digest 'cds:gost'" signer.err.$n > /dev/null || ret=1 +) +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)" +ret=0 +( +cd signer || exit 1 +$SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2> signer.err.$n && ret=1 +grep "unsupported digest 'cds:200'" signer.err.$n > /dev/null || ret=1 +) +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "checking validated data are not cached longer than originalttl ($n)" ret=0 dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 @@ -1772,7 +2062,7 @@ keyid=$(cat ns1/managed.key.id) rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true) +linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 linecount=$(< named.secroots.test$n wc -l) [ "$linecount" -eq 10 ] || ret=1 
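Review bot: The five negative `dnssec-signzone -G` checks (bad argument, bad digest name and number, unsupported digest name and number) can never fail: `ret=1` is assigned inside the `( cd signer || exit 1; ... )` subshell, the parent's `ret` stays 0, and the closing `)` carries no `|| ret=1`, so the subshell's exit status — that of `grep ... || ret=1`, which is always 0 — is discarded. Change each block to `$SIGNER ... 2> signer.err.$n && exit 1`, `grep "..." signer.err.$n > /dev/null || exit 1` and `) || ret=1`, which is the pattern the positive `-G` checks earlier in the same hunk already use. A quick way to confirm the defect is to point one of the greps at a string that cannot occur and observe that the check still reports success.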
@@ -2078,7 +2368,7 @@ status=$((status+ret)) ret=0 echo_i "killing ns4 with SIGTERM" -$KILL -TERM "$(cat ns4/named.pid)" +kill -TERM "$(cat ns4/named.pid)" rm -f ns4/named.pid # @@ -2090,7 +2380,7 @@ echo_i "waiting till 14s have passed since NTAs were added before restarting ns4 $PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - start_server --noclean --restart --port "$PORT" dnssec ns4 + start_server --noclean --restart --port "$PORT" ns4 then echo_i "restarted server ns4" else @@ -2140,7 +2430,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 echo_i "killing ns4 with SIGTERM" -$KILL -TERM "$(cat ns4/named.pid)" +kill -TERM "$(cat ns4/named.pid)" rm -f ns4/named.pid echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" @@ -2156,7 +2446,7 @@ echo "secure.example. regular $future" > ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" dnssec ns4 + start_server --noclean --restart --port "$PORT" ns4 then echo_i "restarted server ns4" else @@ -2198,7 +2488,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 echo_i "killing ns4 with SIGTERM" -$KILL -TERM "$(cat ns4/named.pid)" +kill -TERM "$(cat ns4/named.pid)" rm -f named.pid echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" @@ -2212,7 +2502,7 @@ echo "secure.example. forced $future" > ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" dnssec ns4 + start_server --noclean --restart --port "$PORT" ns4 then echo_i "restarted server ns4" else 
@@ -2246,7 +2536,7 @@ n=$((n+1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" -$KILL -TERM "$(cat ns4/named.pid)" +kill -TERM "$(cat ns4/named.pid)" rm -f ns4/named.pid echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" @@ -2260,7 +2550,7 @@ echo "secure.example. forced $future" > ns4/_default.nta added=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" dnssec ns4 + start_server --noclean --restart --port "$PORT" ns4 then echo_i "restarted server ns4" else @@ -2353,8 +2643,8 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null then echo_i "running DNSSEC update test" ret=0 - output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) - test "$?" -eq 0 || ret=1 + { output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.); rc=$?; } || true + test "$rc" -eq 0 || ret=1 echo "$output" | cat_i [ $ret -eq 1 ] && status=1 else @@ -2371,7 +2661,10 @@ status=$((status+ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. +# Also setup a placeholder managed-keys zone to check if named can process it +# correctly. echo_i "switching to automatic root key configuration" +cp ns4/managed-keys.bind.in ns4/managed-keys.bind copy_setports ns4/named2.conf.in ns4/named.conf rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i sleep 5 @@ -2470,8 +2763,7 @@ status=$((status+ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 -kskname=$($KEYGEN -q -3 -a RSASHA1 -fk update-nsec3.example) +kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) ( echo zone update-nsec3.example echo server 10.53.0.3 "$PORT" 
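Review bot: The `{ output=$(...); rc=$?; } || true` group in the `@@ -2353` hunk deserves a why-comment, because its purpose — capturing the exit status of dnssec_update_test.pl without letting a non-zero exit abort the script, presumably under an errexit setting configured outside this view — is not obvious from the line; e.g. `# grouped with || true so a failing update test is recorded in rc rather than aborting the run`. The adjacent context line `[ $ret -eq 1 ] && status=1` overwrites `status` instead of accumulating it, so earlier failures are lost; that is pre-existing, but `status=$((status+ret))` would match the rest of the file. In the `@@ -2470` hunk, dropping `cd ns3 || exit 1` means the KSK for update-nsec3.example is now generated in the test's working directory rather than in ns3/; if named on ns3 needs that private key file (the rest of the subshell lies outside the hunk), it will no longer find it, so a comment stating that the key is intentionally kept away from the server would remove the doubt.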
@@ -2482,12 +2774,12 @@ echo send dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NSEC3 1 0 0 - .*" dig.out.ns4.test$n > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 @@ -2497,7 +2789,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 @@ -2510,7 +2802,6 @@ status=$((status+ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 checkprivate dynamic.example 10.53.0.3 || ret=1 -checkprivate update-nsec3.example 10.53.0.3 || ret=1 checkprivate auto-nsec3.example 10.53.0.3 || ret=1 checkprivate expiring.example 10.53.0.3 || ret=1 checkprivate auto-nsec.example 10.53.0.3 || ret=1 
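Review bot: The new `grep "NSEC3 1 0 0 - .*"` drops the `TYPE65534` requirement, so the check no longer confirms that the signing-state private RR appears in the apex NSEC3 bitmap; that is consistent with `checkprivate update-nsec3.example` being removed in the `@@ -2510` hunk, but a short comment such as `# the private-type record is not expected here any more; only the NSEC3 parameters are checked` would make the relaxation read as intentional rather than accidental. The trailing ` .*` in the pattern is a no-op and can be dropped. Pinning `1 0 0 -` (zero iterations, no salt) matches the current NSEC3 parameter guidance in RFC 9276, which is worth stating in the same comment.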
@@ -2550,148 +2841,13 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 
|| ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "FFFF" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "FFFF" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "-" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "-" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "-" ] && break - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" != "-" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" -ret=0 -oldsalt=$salt -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break - echo_i "sleeping ...." 
- sleep 1 -done; -[ "$salt" != "$oldsalt" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "check rndc signing -list output ($n)" ret=0 -{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1 -grep -q "No signing records found" signing.out || { - ret=1 - sed 's/^/ns3 /' signing.out | cat_i -} -{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 -grep -q "Done signing with key .*/NSEC3RSASHA1" signing.out || { +{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out.dynamic.example; } 2>&1 +grep -q "No signing records found" signing.out.dynamic.example || { ret=1 - sed 's/^/ns3 /' signing.out | cat_i -} -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "clear signing records ($n)" -{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1 -check_no_signing_record_found() { - { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 - grep -q "No signing records found" signing.out || { - sed 's/^/ns3 /' signing.out | cat_i - return 1 - } - return 0 + sed 's/^/ns3 /' signing.out.dynamic.example | cat_i } -retry_quiet 5 check_no_signing_record_found || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -2758,40 +2914,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
-ret=0
-(
-echo zone nsec3chain-test
-echo server 10.53.0.2 "$PORT"
-echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
-echo send
-) | $NSUPDATE
-for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
-do
- dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
- if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
- then
- break;
- fi
- echo_i "sleeping ...."
- sleep 3
-done
-grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
-if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi
-dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
-s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n)
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
- s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
- test "$s2" = "$s3" && break
- sleep 1
-done
-digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
 dig_with_opts dnskey algroll. @10.53.0.2 | \
@@ -2808,8 +2930,8 @@ awk '{
 for (i=1;i<7;i++) printf("%s ", $i);
 for (i=7;i<=NF;i++) printf("%s", $i);
 printf("\n");
-}' < ns1/dsset-algroll$TP > canonical2.$n || ret=1
-$DIFF -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
+}' < ns1/dsset-algroll. > canonical2.$n || ret=1
+diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -2818,7 +2940,7 @@ status=$((status+ret))
 # includes it anyway to avoid confusion (RT #21731)
 echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
 ret=0
-key=$($KEYGEN -a RSASHA1 -q example.) || ret=1
+key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1
 mv "$key.key" "$key"
 $DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1
 grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
@@ -2826,53 +2948,23 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
 ret=0
-dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
-# there must be a signature here
-[ -s dig.out.ns3.test$n ] || ret=1
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing new records are signed with 'no-resign' ($n)"
-ret=0
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add new.nosign.example 300 in txt "hi there"
-echo send
-) | $NSUPDATE
-sleep 1
-dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
-grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
-ret=0
-dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
- grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
-# the NS RRSIG should not be changed
-$DIFF nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-echo_i "testing updates fail with no private key ($n)"
+echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
 ret=0
-rm -f ns3/Knosign.example.*.private
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add fail.nosign.example 300 in txt "reject me"
-echo send
-) | $NSUPDATE > /dev/null 2>&1 && ret=1
-dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
-[ -s dig.out.ns3.test$n ] && ret=1
+dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
+# there must be a signature here
+[ -s dig.out.ns3.test$n ] || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -2880,7 +2972,7 @@ status=$((status+ret))
 echo_i "testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
- > dig.out.ns4.test$n 2>&1
+ > dig.out.ns4.test$n 2>&1 || ret=1
 grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
 grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n+1))
@@ -2890,7 +2982,7 @@ status=$((status+ret))
 echo_i "testing that we lower case signer name ($n)"
 ret=0
 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \
- > dig.out.ns4.test$n 2>&1
+ > dig.out.ns4.test$n 2>&1 || ret=1
 grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
 grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n+1))
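Review bot: The new revoked-key test never folds its result into the exit status: on the new side the line after `test "$ret" -eq 0 || echo_i "failed"` is no longer `status=$((status+ret))` (that line is removed and not re-added), so the next test's `ret=0` discards a failure of the `$DSFROMKEY -f` checks and the script still exits 0; add `status=$((status+ret))` back after that `test` line. The three `grep "DNSKEY.256 3 13"` patterns also hard-code algorithm 13 while the rest of this patch switches key generation to `$DEFAULT_ALGORITHM`; if revkey.example is built from the default algorithm, `grep "DNSKEY.256 3 $DEFAULT_ALGORITHM_NUMBER"` (as the dname-at-apex check already does) keeps this test from silently breaking when the default changes.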
@@ -3148,26 +3240,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
-ret=0
-cnt=0
-while :
-do
-dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
-keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
-test "$keys" -gt 2 && break
-cnt=$((cnt+1))
-test "$cnt" -gt 120 && break
-sleep 1
-done
-test "$keys" -gt 2 || ret=1
-sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
-n=$((n+1))
-test "$sigs" -eq 2 || ret=1
-if test "$ret" -ne 0 ; then echo_i "failed"; fi
-status=$((status+ret))
-
-echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
+echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
 ret=0
 before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
 cp ns3/siginterval2.conf ns3/siginterval.conf
@@ -3184,17 +3257,17 @@ if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi
 status=$((status+ret))
 if [ -x "$PYTHON" ]; then
- echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)"
+ echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)"
 ret=0
 rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
 # convert expiry date to a comma-separated list of integers python can
 # use as input to date(). strip leading 0s in months and days so
 # python3 will recognize them as integers.
- $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n || ret=1
 soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | sed 's/ 0/ /g')
- $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n || ret=1
 dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | sed 's/ 0/ /g')
@@ -3290,16 +3363,10 @@ do
 alg=$((alg+1))
 continue;;
 1|5|7|8|10) # RSA algorithms
- key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true)
+ key1=$($KEYGEN -a "$alg" -b "2048" -n zone "$zone" 2> "keygen-$alg.err" || true)
 ;;
 15|16)
 key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
- # Soft-fail in case HSM doesn't support Edwards curves
- if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
- echo_i "Algorithm $alg not supported by HSM: skipping"
- alg=$((alg+1))
- continue
- fi
 ;;
 *)
 key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
@@ -3329,6 +3396,44 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode
+then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider
+then
+ echo_i "skipped no FIPS provider available"
+elif ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n || true
+ grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
+fi
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode
+then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider
+then
+ echo_i "skipped: cannot switch to FIPS mode"
+elif ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a nsec3rsasha1 example.fips 2> keygen.err$n || true
+ grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
+fi
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n
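Review bot: Both new FIPS tests discard keygen's exit status with `|| true`, so the check passes as soon as the message is printed even if `dnssec-keygen -F` went on and wrote a key pair; `$KEYGEN -F -a rsasha1 example.fips > /dev/null 2> keygen.err$n && ret=1` asserts the failure as well as the message (likewise for nsec3rsasha1), and an `rm -f Kexample.fips.*` in the else branch keeps a rerun from being polluted if a key is ever produced. The skip messages also disagree between the two copies for the same `--fips-provider` condition: `echo_i "skipped no FIPS provider available"` is missing the colon used everywhere else, while the second test says `skipped: cannot switch to FIPS mode`; one wording should be used in both.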
@@ -3359,31 +3464,11 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)"
+echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)"
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "check that a lone non matching CDS record is rejected ($n)"
-ret=0
-(
-echo zone cds-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cds-update.secure CDS
-dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
-grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
-$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
-sed "s/^/update add /"
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
+test "$lines" -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
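Review bot: The rewritten title keeps the "by with" slip from the old line; `echo_i "check that CDS records are signed using KSK with dnssec-policy ($n)"`. The same hunk drops the only check that a lone CDS record not matching any DNSKEY is answered with `update failed: REFUSED` and leaves no CDS behind; if that rejection is still expected for dnssec-policy zones, the negative test should be kept and pointed at the policy-managed zone rather than deleted, since nothing else visible in this patch covers it.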
@@ -3400,14 +3485,15 @@ echo send
 dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
-lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
+echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)"
 ret=0
+keyid=$(cat ns2/cds-update.secure.id)
 (
 echo zone cds-update.secure
 echo server 10.53.0.2 "$PORT"
@@ -3421,30 +3507,6 @@ echo send
 ) | $NSUPDATE
 dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "check that CDS records are signed only using KSK when added by"
-echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
-ret=0
-keyid=$(cat ns2/cds-kskonly.secure.id)
-(
-echo zone cds-kskonly.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cds-kskonly.secure CDS
-echo send
-dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
-grep "DNSKEY.257" |
-$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
-sed "s/^/update add /"
-echo send
-) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
@@ -3454,25 +3516,24 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that CDS deletion records are signed only using KSK when added by"
-echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)"
 ret=0
-keyid=$(cat ns2/cds-kskonly.secure.id)
+keyid=$(cat ns2/cds-update.secure.id)
 (
-echo zone cds-kskonly.secure
+echo zone cds-update.secure
 echo server 10.53.0.2 "$PORT"
-echo update delete cds-kskonly.secure CDS
-echo update add cds-kskonly.secure 0 CDS 0 0 0 00
+echo update delete cds-update.secure CDS
+echo update add cds-update.secure 0 CDS 0 0 0 00
 echo send
 ) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
-lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3509,7 +3570,7 @@ echo send
 ) | $NSUPDATE
 dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
+test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 4 || ret=1
 n=$((n+1))
@@ -3558,7 +3619,7 @@ echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
+test "$lines" -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -3601,25 +3662,6 @@ status=$((status+ret))
 # precedes the supported one in the DNSKEY RRset, and verify the result still
 # validates succesfully.
-echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
-ret=0
-(
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-echo send
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check that a CDNSKEY deletion record is accepted ($n)"
 ret=0
 (
@@ -3632,7 +3674,7 @@ echo send
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
-lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
+lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3649,8 +3691,9 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
+echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)"
 ret=0
+keyid=$(cat ns2/cdnskey-update.secure.id)
 (
 echo zone cdnskey-update.secure
 echo server 10.53.0.2 "$PORT"
@@ -3661,27 +3704,6 @@ echo send
 ) | $NSUPDATE
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
-lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "check that CDNSKEY records are signed only using KSK when added by"
-echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
-ret=0
-keyid=$(cat ns2/cdnskey-kskonly.secure.id)
-(
-echo zone cdnskey-kskonly.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-kskonly.secure CDNSKEY
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
-echo send
-) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
@@ -3691,29 +3713,8 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
-echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
-ret=0
-keyid=$(cat ns2/cdnskey-kskonly.secure.id)
-(
-echo zone cdnskey-kskonly.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-kskonly.secure CDNSKEY
-echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
-echo send
-) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
-lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
-lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
-test "${lines:-10}" -eq 1 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+echo_i "status: $status"
+exit $status
 echo_i "checking initialization with a revoked managed key ($n)"
 ret=0
@@ -3740,7 +3741,7 @@ echo send
 ) | $NSUPDATE
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 2 || ret=1
+test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 2 || ret=1
 n=$((n+1))
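Review bot: The added `echo_i "status: $status"` / `exit $status` land in the middle of the script, directly above the context line `echo_i "checking initialization with a revoked managed key ($n)"`, so everything after it becomes unreachable: that revoked-managed-key check, the trust-anchor-telemetry restart, the updatecheck-kskonly ZSK rolls and the GL #3279 negative-DS-cache test this same patch adds at the end, while the script's real `echo_i "exit status: $status"` footer never runs. If these two lines are a debugging leftover they should be dropped; if ending the run here is intended, the dead tail should be deleted rather than kept and edited further in later hunks of this patch, which is the part I cannot tell from the diff alone.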
@@ -3752,8 +3753,8 @@ ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
 cd signer || exit 1
-$KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null
-$KEYGEN -q -a RSASHA1 -33 remove > /dev/null
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null
+$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null
 echo > remove.db.signed
 $SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
 )
@@ -3838,9 +3839,9 @@ ret=0
 dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
-$PERL ../stop.pl dnssec ns1 || ret=1
+stop_server ns1 || ret=1
 nextpart ns1/named.run > /dev/null
-start_server --noclean --restart --port ${PORT} dnssec ns1 || ret=1
+start_server --noclean --restart --port ${PORT} ns1 || ret=1
 n=$(($n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -3862,7 +3863,7 @@ status=$((status+ret))
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
 ret=0
 dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "RRSIG.NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -4050,10 +4051,10 @@ status=$((status+ret))
 # Save some useful information
 zone="updatecheck-kskonly.secure"
-KSK=`cat ns2/${zone}.ksk.key`
-ZSK=`cat ns2/${zone}.zsk.key`
-KSK_ID=`cat ns2/${zone}.ksk.id`
-ZSK_ID=`cat ns2/${zone}.zsk.id`
+KSK=$(cat ns2/${zone}.ksk.key)
+ZSK=$(cat ns2/${zone}.zsk.key)
+KSK_ID=$(cat ns2/${zone}.ksk.id)
+ZSK_ID=$(cat ns2/${zone}.zsk.id)
 SECTIONS="+answer +noauthority +noadditional"
 echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
@@ -4069,7 +4070,7 @@ get_keys_which_signed() {
 # Basic checks to make sure everything is fine before the KSK is made offline.
 for qtype in "DNSKEY" "CDNSKEY" "CDS"
 do
- echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with KSK only ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4081,7 +4082,7 @@ do
 status=$((status+ret))
 done
-echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
+echo_i "checking SOA RRset is signed with ZSK only ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
 lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
@@ -4095,11 +4096,10 @@ status=$((status+ret))
 # Roll the ZSK.
 zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
 keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
-ZSK_ID2=`cat ns2/$zone.zsk.id2`
-
-echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
+ZSK_ID2=$(cat ns2/$zone.zsk.id2)
 ret=0
-dnssec_loadkeys_on 2 $zone || ret=1
+echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)"
+rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -4108,7 +4108,7 @@ status=$((status+ret))
 echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
 ret=0
 $SETTIME -I now -K ns2 $ZSK > /dev/null
-$SETTIME -A now -K ns2 $zsk2 > /dev/null
+$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 > /dev/null
 dnssec_loadkeys_on 2 $zone || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
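Review bot: In the `-4095,11` hunk the prepublish step can no longer fail: `ret=0` is set, but the replaced `dnssec_loadkeys_on 2 $zone || ret=1` gave way to `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i`, whose status is that of `cat_i`, so a rejected rndc command still reaches `test "$ret" -eq 0` as a pass. Capture first and check the real exit status: `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone > rndc.out.test$n 2>&1 || ret=1` followed by `sed 's/^/ns2 /' rndc.out.test$n | cat_i`.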
@@ -4131,7 +4131,7 @@ echo send
 # Redo the tests now that the zone is updated and the KSK is offline.
 for qtype in "DNSKEY" "CDNSKEY" "CDS"
 do
- echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4146,7 +4146,7 @@ done
 for qtype in "SOA" "TXT"
 do
- echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4167,14 +4167,14 @@ mv ns2/$KSK.private.bak ns2/$KSK.private
 # Roll the ZSK again.
 zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
 keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
-ZSK_ID3=`cat ns2/$zone.zsk.id3`
+ZSK_ID3=$(cat ns2/$zone.zsk.id3)
 # Schedule the new ZSK (ZSK3) to become active.
 echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
-$SETTIME -D now -K ns2 $ZSK > /dev/null
+$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK > /dev/null
 $SETTIME -I +3600 -K ns2 $zsk2 > /dev/null
 $SETTIME -A +3600 -K ns2 $zsk3 > /dev/null
-dnssec_loadkeys_on 2 $zone || ret=1
+rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
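Review bot: The second rollover in the `-4167,14` hunk has the same blind spot as the first: `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i` replaces a line that set `ret=1` on failure with a pipeline whose exit status comes from `cat_i`, so the following `test "$ret" -eq 0` cannot catch a rejected command; redirect to `rndc.out.test$n` with `|| ret=1` and pipe the file through `cat_i` afterwards. No `ret=0` is visible between the previous step and this `test`, so whatever `ret` the preceding `mv`/settime sequence left is what gets reported here — worth confirming against the lines above the hunk.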
@@ -4196,7 +4196,7 @@ echo send
 # Redo the tests now that the ZSK roll has deleted the old key.
 for qtype in "DNSKEY" "CDNSKEY" "CDS"
 do
- echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4212,7 +4212,7 @@ done
 for qtype in "SOA" "TXT"
 do
- echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4228,8 +4228,9 @@ done
 # Make the new ZSK (ZSK3) active.
 echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
-$SETTIME -I +1 -K ns2 $zsk2 > /dev/null
-$SETTIME -A +1 -K ns2 $zsk3 > /dev/null
+$SETTIME -I now -K ns2 $zsk2 > /dev/null
+$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 > /dev/null
+
 dnssec_loadkeys_on 2 $zone || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -4263,7 +4264,7 @@ status=$((status+ret))
 # Redo the tests one more time.
 for qtype in "DNSKEY" "CDNSKEY" "CDS"
 do
- echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4279,7 +4280,7 @@ done
 for qtype in "SOA" "TXT"
 do
- echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)"
+ echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)"
 ret=0
 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
@@ -4302,9 +4303,9 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "checking sig-validity-interval second field hours vs days ($n)"
+echo_i "checking signatures-validity second field hours vs days ($n)"
 ret=0
-# zone configured with 'sig-validity-interval 500 499;'
+# zone configured with 'signatures-validity 500 499;'
 # 499 days in the future w/ a 20 minute runtime to now allowance
 min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
 dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n
@@ -4382,5 +4383,23 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check that a query against a validating resolver succeeds when there is
+# a negative cache entry with trust level "pending" for the DS. Prime
+# with a +cd DS query to produce the negative cache entry, then send a
+# query that uses that entry as part of the validation process. [GL #3279]
+echo_i "check that pending negative DS cache entry validates ($n)"
+ret=0
+dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1
+grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
new file mode 100644
index 0000000000..65c3d4341f
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_dnssec(run_tests_sh):
+ run_tests_sh()
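Review bot: The GL #3279 regression test only exercises the "pending" negative-cache path if the `+cd` DS query is the first time ns4 sees insecure2.example's DS; it runs at the very end of a long script, so any earlier validated lookup under insecure2.example would leave a fully trusted entry in the cache and the second query would pass for the wrong reason. Either flush that name on ns4 before priming (something like `rndccmd 10.53.0.4 flushname insecure2.example`, if ns4 is rndc-reachable like ns3 is elsewhere in this script) or record in the comment why the name is guaranteed to be cold here. The `grep "ANSWER: 0, AUTHORITY: 4, "` assertion also pins the exact authority-section size of the priming response, which ties the test to the zone's current NSEC/RRSIG layout; checking for `status: NOERROR` plus an empty answer section is enough for what the comment says the step establishes.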
diff --git a/bin/tests/system/dnstap/README b/bin/tests/system/dnstap/README
index 5ff797b613..856fe482f3 100644
--- a/bin/tests/system/dnstap/README
+++ b/bin/tests/system/dnstap/README
@@ -1,6 +1,13 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
 The "large-answer.fstrm" file was generated by configuring a named instance
 compiled with --enable-dnstap and --enable-fixed-rrset with the following
diff --git a/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
index dafa894852..fd673d6df7 100644
--- a/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
+++ b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
@@ -1,9 +1,11 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
+ * SPDX-License-Identifier: MPL-2.0
+ *
 * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
index 4f90895dc2..cdab66b791 100644
--- a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
+++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf index 14cfa3e897..c5444e9a6c 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf index aac8dd929f..05ab1d97b6 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf index 9bca0c11d6..398b1abdf1 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf index d04a1b07a3..d6c4120579 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf index 35f8cf7b62..787f656275 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf index a82c42cf23..ae713d3aec 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf index 264dce8967..643e2b84e9 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf index a250f50ec8..853713fe76 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf index ea6852a151..7940c89f54 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf index e602bfc20c..9cfa9e3538 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf index acd1d7ea62..be6a640c65 100644 --- a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf +++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf index 4864fb0def..853da36d0c 100644 --- a/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf +++ b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + view "view" { dnstap { client; auth; }; }; diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf index 822e4e6b19..b5565e2065 100644 --- a/bin/tests/system/dnstap/bad-missing-dnstap-output.conf +++ b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dnstap { client; auth; }; recursion yes; diff --git a/bin/tests/system/dnstap/bad-size-version.conf b/bin/tests/system/dnstap/bad-size-version.conf index 41d32ef154..8e31528cf7 100644 --- a/bin/tests/system/dnstap/bad-size-version.conf +++ b/bin/tests/system/dnstap/bad-size-version.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/clean.sh b/bin/tests/system/dnstap/clean.sh index 424568657e..b9e476f661 100644 --- a/bin/tests/system/dnstap/clean.sh +++ b/bin/tests/system/dnstap/clean.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -15,9 +17,8 @@ rm -f */named.run rm -f */named.run.prev rm -f */named.stats rm -f dig.out* -rm -f dnstap.out dnstap.hex -rm -f dnstap.out.save -rm -f fstrm_capture.out +rm -f dnstap.* +rm -f fstrm_capture.out.* rm -f ns*/dnstap.out rm -f ns*/dnstap.out.save rm -f ns*/dnstap.out.save.? diff --git a/bin/tests/system/dnstap/good-dnstap-in-options.conf b/bin/tests/system/dnstap/good-dnstap-in-options.conf index f7d55f7bf0..17feb5eb58 100644 --- a/bin/tests/system/dnstap/good-dnstap-in-options.conf +++ b/bin/tests/system/dnstap/good-dnstap-in-options.conf 
@@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dnstap-output unix "/var/run/named/dnstap.sock"; dnstap-identity hostname; diff --git a/bin/tests/system/dnstap/good-dnstap-in-view.conf b/bin/tests/system/dnstap/good-dnstap-in-view.conf index 61a446b2db..2c17f6c5e4 100644 --- a/bin/tests/system/dnstap/good-dnstap-in-view.conf +++ b/bin/tests/system/dnstap/good-dnstap-in-view.conf @@ -1,3 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + options { dnstap-output unix "/var/run/named/dnstap.sock"; dnstap-identity hostname; diff --git a/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf index 5e63a59606..d52526227b 100644 --- a/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf +++ b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf index abaaa73c4a..c550647203 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf index dbc9364e6b..dd9abf0ced 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf index 1c3b5ef5ce..d01b8f880c 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf index e18ec38f74..2619dc01d8 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf index 05ad706dfb..a81ff7cb63 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf index ef735a67d7..7b394ebb6d 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf index 9f93bb6848..87bf028d60 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf index fe6462b022..116d3ae8b7 100644 --- a/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf +++ b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-size-unlimited.conf b/bin/tests/system/dnstap/good-size-unlimited.conf index c37a0b8ffc..8cb971298f 100644 --- a/bin/tests/system/dnstap/good-size-unlimited.conf +++ b/bin/tests/system/dnstap/good-size-unlimited.conf @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/good-size-version.conf b/bin/tests/system/dnstap/good-size-version.conf index b3e127bb0d..ca1fba3594 100644 --- a/bin/tests/system/dnstap/good-size-version.conf +++ b/bin/tests/system/dnstap/good-size-version.conf 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/ns1/named.conf.in b/bin/tests/system/dnstap/ns1/named.conf.in index 4e58a855a4..7f3fb296d7 100644 --- a/bin/tests/system/dnstap/ns1/named.conf.in +++ b/bin/tests/system/dnstap/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -32,7 +34,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnstap/ns1/root.db b/bin/tests/system/dnstap/ns1/root.db index dab5cea7f7..17780d13f0 100644 --- a/bin/tests/system/dnstap/ns1/root.db +++ b/bin/tests/system/dnstap/ns1/root.db 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/ns2/example.db.in b/bin/tests/system/dnstap/ns2/example.db.in index 4073dc2682..7f88dec354 100644 --- a/bin/tests/system/dnstap/ns2/example.db.in +++ b/bin/tests/system/dnstap/ns2/example.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dnstap/ns2/named.conf.in b/bin/tests/system/dnstap/ns2/named.conf.in index 9ea4629182..badc2257bb 100644 --- a/bin/tests/system/dnstap/ns2/named.conf.in +++ b/bin/tests/system/dnstap/ns2/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -32,7 +34,7 @@ options { key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnstap/ns3/named.args b/bin/tests/system/dnstap/ns3/named.args index fb42af211a..7937dee5fb 100644 --- a/bin/tests/system/dnstap/ns3/named.args +++ b/bin/tests/system/dnstap/ns3/named.args @@ -1,2 +1,2 @@ # Using "-n 1" allows GL #1795 to be reliably reproduced --D dnstap-ns3 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -n 1 -T maxcachesize=2097152 +-D dnstap-ns3 -X named.lock -m record -c named.conf -d 99 -g -U 4 -n 1 -T maxcachesize=2097152 diff --git a/bin/tests/system/dnstap/ns3/named.conf.in b/bin/tests/system/dnstap/ns3/named.conf.in index e1920cadd0..a5ee2ede8b 100644 --- a/bin/tests/system/dnstap/ns3/named.conf.in +++ b/bin/tests/system/dnstap/ns3/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -35,7 +37,7 @@ server 10.53.0.1 { tcp-only yes; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnstap/ns4/named.conf.in b/bin/tests/system/dnstap/ns4/named.conf.in index 2b572f7b9d..e2a9207d1f 100644 --- a/bin/tests/system/dnstap/ns4/named.conf.in +++ b/bin/tests/system/dnstap/ns4/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. @@ -34,7 +36,7 @@ server 10.53.0.1 { tcp-only yes; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-sha256; + algorithm @DEFAULT_HMAC@; }; controls { diff --git a/bin/tests/system/dnstap/prereq.sh b/bin/tests/system/dnstap/prereq.sh new file mode 100644 index 0000000000..f0748f3bf3 --- /dev/null +++ b/bin/tests/system/dnstap/prereq.sh 
@@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +$FEATURETEST --enable-dnstap || { + echo_i "This test requires dnstap support." >&2 + exit 255 +} +exit 0 diff --git a/bin/tests/system/dnstap/setup.sh b/bin/tests/system/dnstap/setup.sh index 2590a5f75d..90a257e391 100644 --- a/bin/tests/system/dnstap/setup.sh +++ b/bin/tests/system/dnstap/setup.sh @@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh index ceaf30df5f..c5d4f0aa55 100644 --- a/bin/tests/system/dnstap/tests.sh +++ b/bin/tests/system/dnstap/tests.sh 
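Review bot: `. ../conf.sh` has its exit status ignored, so if sourcing fails `$FEATURETEST` is empty, the line expands to the bare word `--enable-dnstap`, which is not found, and the script reports "This test requires dnstap support." for what is actually a broken test environment. Checking the source step, `. ../conf.sh || exit 1`, keeps the diagnostic honest. Quoting the command, `"$FEATURETEST" --enable-dnstap || {`, would also avoid word-splitting if the path ever contains spaces.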
@@ -1,14 +1,18 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + . ../conf.sh DIGOPTS="+short -p ${PORT}" @@ -27,7 +31,7 @@ dnstap_data_ready() { min_size_expected=$3 kill -HUP $fstrm_capture_pid - file_size=`wc -c < "$capture_file" | tr -d ' '` + file_size=$(wc -c < "$capture_file" | tr -d ' ') if [ $file_size -lt $min_size_expected ]; then return 1 fi @@ -38,18 +42,18 @@ for bad in bad-*.conf do ret=0 echo_i "checking that named-checkconf detects error in $bad" - $CHECKCONF $bad > /dev/null 2>&1 - if [ $? != 1 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` + { $CHECKCONF $bad > /dev/null 2>&1; rc=$?; } || true + if [ $rc != 1 ]; then echo_i "failed"; ret=1; fi + status=$((status + ret)) done for good in good-*.conf do ret=0 echo_i "checking that named-checkconf detects no error in $good" - $CHECKCONF $good > /dev/null 2>&1 - if [ $? != 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` + { $CHECKCONF $good > /dev/null 2>&1; rc=$?; } || true + if [ $rc != 0 ]; then echo_i "failed"; ret=1; fi + status=$((status + ret)) done echo_i "wait for servers to finish loading" 
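Review bot: In `dnstap_data_ready`, the rewritten `file_size=$(wc -c < "$capture_file" | tr -d ' ')` leaves `file_size` empty when `$capture_file` does not exist yet (the pipeline's status is `tr`'s, so the newly added `set -e` does not catch the failed redirection), and the unquoted `[ $file_size -lt $min_size_expected ]` then errors out instead of returning 1, so the function presumably falls through to its success path. Quote the operands and treat an empty size as "not ready": `[ -n "$file_size" ] && [ "$file_size" -ge "$min_size_expected" ] || return 1`. The function's opening lines are outside the hunk. The `{ $CHECKCONF ...; rc=$?; } || true` idiom in the two loops is the right way to capture a non-zero status under `set -e`.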
@@ -59,14 +63,18 @@ wait_for_log 20 "all zones loaded" ns2/named.run || ret=1 wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 wait_for_log 20 "all zones loaded" ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # both the 'a.example/A' lookup and the './NS' lookup to ns1 # need to complete before reopening/rolling for the counts to # be correct. -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out +echo_i "prime cache" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || true wait_for_log 20 "(.): reset client" ns1/named.run || true +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) # check three different dnstap reopen/roll methods: # ns1: dnstap-reopen; ns2: dnstap -reopen; ns3: dnstap -roll @@ -74,17 +82,26 @@ mv ns1/dnstap.out ns1/dnstap.out.save mv ns2/dnstap.out ns2/dnstap.out.save if [ -n "$FSTRM_CAPTURE" ] ; then + ret=0 + echo_i "starting fstrm_capture" $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out 2>&1 & + -w dnstap.out > fstrm_capture.out.1 2>&1 & fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi +echo_i "reopen/roll capture streams" +ret=0 $RNDCCMD -s 10.53.0.1 dnstap-reopen | sed 's/^/ns1 /' | cat_i $RNDCCMD -s 10.53.0.2 dnstap -reopen | sed 's/^/ns2 /' | cat_i $RNDCCMD -s 10.53.0.3 dnstap -roll | sed 's/^/ns3 /' | cat_i $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out +echo_i "send test traffic" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || ret=1 # send an UPDATE to ns2 $NSUPDATE <<- EOF 
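Review bot: The `ret` bookkeeping added around "prime cache" and "reopen/roll capture streams" cannot record a failure: under "prime cache" both commands end in `|| true`, so `ret` stays 0 and the `status` accumulation is dead code, and under "reopen/roll" the four `$RNDCCMD ... | sed | cat_i` pipelines report only `cat_i`'s status while `ret` is reset again by "send test traffic" before it is ever added to `status`. Either drop the dead accounting or make the rndc steps checkable, e.g. `$RNDCCMD -s 10.53.0.1 dnstap-reopen > rndc.out.ns1 2>&1 || ret=1` followed by `sed 's/^/ns1 /' rndc.out.ns1 | cat_i`, with the usual `if [ $ret != 0 ] ...; status=$((status + ret))` pair after the four calls. Note also that with `set -e` now active the unchecked `$NSUPDATE <<- EOF` at the end of the hunk (the heredoc continues outside it) aborts the whole script on failure rather than counting one failed check.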
@@ -107,39 +124,39 @@ sleep 1 echo_i "checking initial message counts" -udp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l` -tcp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l` -aq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l` -ar1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l` -cq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l` -cr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l` -rq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l` -rr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l` -uq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l` -ur1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l` - -udp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l` -tcp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "TCP " | wc -l` -aq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l` -ar2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l` -cq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l` -cr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l` -rq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l` -rr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l` -uq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l` -ur2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l` +udp1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l) +tcp1=$($DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l) +aq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l) +ar1=$($DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l) +cq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l) +cr1=$($DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l) +rq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l) +rr1=$($DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l) +uq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l) +ur1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l) + +udp2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l) +tcp2=$($DNSTAPREAD ns2/dnstap.out.save 
| grep "TCP " | wc -l) +aq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l) +ar2=$($DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l) +cq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l) +cr2=$($DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l) +rq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l) +rr2=$($DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l) +uq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l) +ur2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l) mv ns3/dnstap.out.0 ns3/dnstap.out.save -udp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l` -tcp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l` -aq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l` -ar3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l` -cq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l` -cr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l` -rq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l` -rr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l` -uq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l` -ur3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l` +udp3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l) +tcp3=$($DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l) +aq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l) +ar3=$($DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l) +cq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l) +cr3=$($DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l) +rq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l) +rr3=$($DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l) +uq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l) +ur3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 @@ -156,7 +173,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TCP message counts" ret=0 
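Review bot: The thirty `udp1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l)` assignments in this hunk run `dnstap-read` ten times per capture file and repeat the same block for ns2 and ns3; the pattern recurs at `@@ -309,42 +326,42 @@`, `@@ -554,19 +577,24 @@` and `@@ -654,31 +682,41 @@`. A helper such as `count_frames() { $DNSTAPREAD "$1" | grep "$2 " | wc -l; }` used as `udp1=$(count_frames ns1/dnstap.out.save UDP)` would shrink each block and give one place to adjust the pattern. Keep the `| wc -l` form rather than `grep -c`: under the newly added `set -e`, `grep -c` exiting 1 on zero matches would make the assignment abort the script instead of yielding a 0 count.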
@@ -173,7 +190,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 @@ -190,7 +207,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 @@ -207,7 +224,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 @@ -224,7 +241,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 @@ -241,7 +258,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 @@ -258,7 +275,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 @@ -275,7 +292,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 @@ -292,7 +309,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 
@@ -309,42 +326,42 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking reopened message counts" -udp1=`$DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l` -tcp1=`$DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l` -aq1=`$DNSTAPREAD ns1/dnstap.out | grep "AQ " | wc -l` -ar1=`$DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l` -cq1=`$DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l` -cr1=`$DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l` -rq1=`$DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l` -rr1=`$DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l` -uq1=`$DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l` -ur1=`$DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l` - -udp2=`$DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l` -tcp2=`$DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l` -aq2=`$DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l` -ar2=`$DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l` -cq2=`$DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l` -cr2=`$DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l` -rq2=`$DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l` -rr2=`$DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l` -uq2=`$DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l` -ur2=`$DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l` - -udp3=`$DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l` -tcp3=`$DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l` -aq3=`$DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l` -ar3=`$DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l` -cq3=`$DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l` -cr3=`$DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l` -rq3=`$DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l` -rr3=`$DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l` -uq3=`$DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l` -ur3=`$DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l` +udp1=$($DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l) +tcp1=$($DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l) +aq1=$($DNSTAPREAD ns1/dnstap.out | grep 
"AQ " | wc -l) +ar1=$($DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l) +cq1=$($DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l) +cr1=$($DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l) +rq1=$($DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l) +rr1=$($DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l) +uq1=$($DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l) +ur1=$($DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l) + +udp2=$($DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l) +tcp2=$($DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l) +aq2=$($DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l) +ar2=$($DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l) +cq2=$($DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l) +cr2=$($DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l) +rq2=$($DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l) +rr2=$($DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l) +uq2=$($DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l) +ur2=$($DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l) + +udp3=$($DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l) +tcp3=$($DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l) +aq3=$($DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l) +ar3=$($DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l) +cq3=$($DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l) +cr3=$($DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l) +rq3=$($DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l) +rr3=$($DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l) +uq3=$($DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l) +ur3=$($DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 @@ -361,7 +378,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking TCP message counts" ret=0 @@ -378,7 +395,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 
@@ -395,7 +412,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 @@ -412,7 +429,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 @@ -429,7 +446,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 @@ -446,7 +463,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 @@ -463,7 +480,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 @@ -480,7 +497,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 @@ -497,7 +514,7 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 @@ -514,7 +531,13 @@ ret=0 ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) + +echo_i "checking whether destination UDP port is logged for client queries" +ret=0 +$DNSTAPREAD ns3/dnstap.out.save | grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) HAS_PYYAML=0 if [ -x "$PYTHON" ] ; then 
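Review bot: In the new "destination UDP port" check the address in `grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP"` is an ERE, so each `.` matches any character; escape them: `grep -Eq "CQ [0-9:.]+ -> 10\.53\.0\.3:${PORT} UDP"`. The `-q` with `|| ret=1` form is correct under `set -e`. A one-line comment naming which earlier query is expected to produce this CQ frame would help, since ns3's `dnstap.out.save` was captured many steps above.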
@@ -528,23 +551,23 @@ if [ $HAS_PYYAML -ne 0 ] ; then $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1 } | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi echo_i "checking dnstap-read hex output" ret=0 -hex=`$DNSTAPREAD -x ns3/dnstap.out | tail -1` +hex=$($DNSTAPREAD -x ns3/dnstap.out | tail -1) echo $hex | $WIRETEST > dnstap.hex grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1 grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) if [ -n "$FSTRM_CAPTURE" ] ; then $DIG $DIGOPTS @10.53.0.4 a.example > dig.out # send an UPDATE to ns4 - $NSUPDATE <<- EOF > nsupdate.out 2>&1 + $NSUPDATE <<- EOF > nsupdate.out 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 
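Review bot: `ret` is not reset to 0 when the `if [ -n "$FSTRM_CAPTURE" ]` block starts, so a failure recorded by the preceding "dnstap-read hex output" check is counted a second time at the "checking unix socket message counts" step in the next hunk (`@@ -554,19 +577,24 @@`); the same missing reset precedes `echo_i "restarting fstrm_capture"` in `@@ -654,31 +682,41 @@`. Add `ret=0` as the first statement inside the `if`, and again before the restart. The new `$NSUPDATE <<- EOF > nsupdate.out 2>&1 && ret=1` marks a successful update as a failure; if the update to ns4 is expected to be refused, a comment should say so, otherwise this presumably should read `|| ret=1` (the heredoc continues outside the hunk).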
@@ -554,19 +577,24 @@ EOF echo_i "checking unix socket message counts" sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 470 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) kill $fstrm_capture_pid wait - udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` - tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` - aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` - ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` - cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` - cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` - rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` - rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` - uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` - ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 @@ -575,7 +603,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking TCP message counts" ret=0 @@ -584,7 +612,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 
@@ -593,7 +621,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 @@ -602,7 +630,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 @@ -611,7 +639,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 @@ -620,7 +648,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 @@ -629,7 +657,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 @@ -645,7 +673,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 
@@ -654,31 +682,41 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) mv dnstap.out dnstap.out.save + echo_i "restarting fstrm_capture" $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out 2>&1 & + -w dnstap.out > fstrm_capture.out.2 2>&1 & fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { + echo_i "failed" + ret=1 + } $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i $DIG $DIGOPTS @10.53.0.4 a.example > dig.out echo_i "checking reopened unix socket message counts" sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) kill $fstrm_capture_pid wait - udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` - tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` - aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` - ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` - cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` - cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` - rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` - rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` - uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` - ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | 
wc -l) echo_i "checking UDP message counts" ret=0 @@ -687,7 +725,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking TCP message counts" ret=0 @@ -696,7 +734,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 @@ -705,7 +743,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 @@ -714,7 +752,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 @@ -723,7 +761,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 @@ -732,7 +770,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 @@ -741,7 +779,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 @@ -757,7 +795,7 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 
@@ -766,40 +804,54 @@ EOF ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi echo_i "checking large packet printing" ret=0 # Expect one occurrence of "opcode: QUERY" below "reponse_message_data" and # another one below "response_message". -lines=`$DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY"` +lines=$($DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY") [ $lines -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) -test_dnstap_roll() ( +_test_dnstap_roll() ( ip="$1" ns="$2" n="$3" + $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i && files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) && - test "$files" -le "${n}" && test "$files" -ge "1" + test "$files" -eq "${n}" && test "$files" -ge "1" || return 1 ) -echo_i "checking 'rndc -roll ' (no versions)" -ret=0 -start_server --noclean --restart --port "${PORT}" dnstap ns3 -_repeat 5 test_dnstap_roll 10.53.0.3 ns3 3 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo_i "checking 'rndc -roll ' (versions)" -ret=0 -start_server --noclean --restart --port "${PORT}" dnstap ns2 -_repeat 5 test_dnstap_roll 10.53.0.2 ns2 3 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +test_dnstap_roll() { + echo_i "checking 'rndc -roll $4' ($1)" + ret=0 + + try=0 + while test $try -lt 12 + do + touch "$3/dnstap.out.$try" + try=$((try + 1)) + done + + _repeat 10 _test_dnstap_roll $2 $3 $4 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +start_server --noclean --restart --port "${PORT}" ns3 +test_dnstap_roll "no versions" 10.53.0.3 ns3 6 +test_dnstap_roll "no versions" 10.53.0.3 ns3 3 +test_dnstap_roll "no versions" 10.53.0.3 ns3 1 + +start_server --noclean --restart --port "${PORT}" ns2 +test_dnstap_roll "versions" 10.53.0.2 ns2 6 +test_dnstap_roll "versions" 10.53.0.2 ns2 3 
+test_dnstap_roll "versions" 10.53.0.2 ns2 1 echo_i "exit status: $status" [ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnstap/tests_dnstap.py b/bin/tests/system/dnstap/tests_dnstap.py new file mode 100644 index 0000000000..ca687b0fc2 --- /dev/null +++ b/bin/tests/system/dnstap/tests_dnstap.py 
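Review bot: `lines=$($DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY")` now runs under `set -e`, and `grep -c` exits 1 when it finds nothing, so a zero count aborts the script before `[ $lines -eq 2 ] || ret=1` can report "failed"; append `|| true` inside the substitution: `lines=$($DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY" || true)`. In `test_dnstap_roll` twelve seed files `dnstap.out.0` through `dnstap.out.11` are touched, but `_test_dnstap_roll` counts with `find "$ns" -name "dnstap.out.[0-9]"`, which never sees `.10` and `.11`; if those two are meant to be rolled away this is fine, but a comment stating that would keep the assertion from looking accidentally blind. In `_test_dnstap_roll` the `test "$files" -ge "1"` after `test "$files" -eq "${n}"` is redundant for every `n` used here.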
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+import subprocess
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.resolver
+
+
+def run_rndc(server, rndc_command):
+    """
+    Send the specified 'rndc_command' to 'server' with a timeout of 10 seconds
+    """
+    rndc = os.getenv("RNDC")
+    port = os.getenv("CONTROLPORT")
+
+    cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server]
+    cmdline.extend(rndc_command)
+
+    subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10)
+
+
+def test_dnstap_dispatch_socket_addresses(named_port):
+    # Prepare for querying ns3.
+    resolver = dns.resolver.Resolver()
+    resolver.nameservers = ["10.53.0.3"]
+    resolver.port = named_port
+
+    # Send some query to ns3 so that it records something in its dnstap file.
+    ans = resolver.resolve("mail.example.", "A")
+    assert ans[0].address == "10.0.0.2"
+
+    # Before continuing, roll dnstap file to ensure it is flushed to disk.
+    run_rndc("10.53.0.3", ["dnstap", "-roll", "1"])
+
+    # Move the dnstap file aside so that it is retained for troubleshooting.
+    os.rename(os.path.join("ns3", "dnstap.out.0"), "dnstap.out.resolver_addresses")
+
+    # Read the contents of the dnstap file using dnstap-read.
+    output = subprocess.check_output(
+        [os.getenv("DNSTAPREAD"), "dnstap.out.resolver_addresses"], encoding="utf-8"
+    )
+
+    # Check whether all frames contain the expected addresses.
+    #
+    # Expected dnstap-read output format:
+    #
+    # 22-Jun-2022 12:09:06.168 RR 10.53.0.3:0 -> 10.53.0.1:7523 TCP ...
+    # 22-Jun-2022 12:09:06.168 RR 10.53.0.3:0 <- 10.53.0.1:7523 TCP ...
+    # 22-Jun-2022 12:09:06.168 RQ 10.53.0.3:56306 -> 10.53.0.2:7523 UDP ...
+    # 22-Jun-2022 12:09:06.168 RQ 10.53.0.3:56306 <- 10.53.0.2:7523 UDP ...
+    #
+    bad_frames = []
+    inspected_frames = 0
+    addr_regex = r"^10\.53\.0\.[0-9]+:[0-9]{1,5}$"
+    for line in output.splitlines():
+        _, _, frame_type, addr1, _, addr2, _ = line.split(" ", 6)
+        # Only inspect RESOLVER_QUERY and RESOLVER_RESPONSE frames.
+        if frame_type not in ("RQ", "RR"):
+            continue
+        inspected_frames += 1
+        if not re.match(addr_regex, addr1) or not re.match(addr_regex, addr2):
+            bad_frames.append(line)
+
+    assert (
+        len(bad_frames) == 0
+    ), "{} out of {} inspected frames contain unexpected addresses:\n\n{}".format(
+        len(bad_frames), inspected_frames, "\n".join(bad_frames)
+    )
diff --git a/bin/tests/system/dnstap/tests_sh_dnstap.py b/bin/tests/system/dnstap/tests_sh_dnstap.py
new file mode 100644
index 0000000000..8094f0d6c8
--- /dev/null
+++ b/bin/tests/system/dnstap/tests_sh_dnstap.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_dnstap(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/dnstap/ydump.py b/bin/tests/system/dnstap/ydump.py
index 05ebe72c03..ab7e3c9ada 100644
--- a/bin/tests/system/dnstap/ydump.py
+++ b/bin/tests/system/dnstap/ydump.py
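Review bot: The tuple unpacking `_, _, frame_type, addr1, _, addr2, _ = line.split(" ", 6)` raises `ValueError` on any dnstap-read line with fewer than seven space-separated fields (a blank trailing line, a truncated frame), which turns a malformed capture into a crash that does not say which line was at fault; split first and treat short lines as bad frames. `run_rndc` builds its command from `os.getenv("RNDC")` and `os.getenv("CONTROLPORT")`, which are `None` when the harness did not export them, and `subprocess` then fails with a `TypeError` on the argument list; an `assert rndc and port, "RNDC/CONTROLPORT not set"` gives a clearer failure. `re.match` with `^...$` works, but `re.fullmatch(addr_regex, addr1)` states the intent directly. The test function has no docstring; one line such as `"""Check that RQ/RR frames from ns3 carry 10.53.0.x source and destination addresses."""` would do.
```python
    for line in output.splitlines():
        fields = line.split(" ", 6)
        if len(fields) < 7:
            bad_frames.append(line)
            continue
        _, _, frame_type, addr1, _, addr2, _ = fields
        # … unchanged: RQ/RR filter and address checks …
```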
@@ -1,13 +1,13 @@ -############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -############################################################################ import sys @@ -22,7 +22,7 @@ DNSTAP_READ = sys.argv[1] DATAFILE = sys.argv[2] -ARGS = [DNSTAP_READ, '-y', DATAFILE] +ARGS = [DNSTAP_READ, "-y", DATAFILE] with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f: for y in yaml.load_all(f.stdout, Loader=yaml.SafeLoader): diff --git a/bin/tests/system/doth/.gitignore b/bin/tests/system/doth/.gitignore new file mode 100644 index 0000000000..c33e4785f1 --- /dev/null +++ b/bin/tests/system/doth/.gitignore @@ -0,0 +1,9 @@ +gnutls-cli.* +headers.* +ns*/example.db +ns*/named.conf +# temporary files generated by "openssl ca" +/CA/*.old +# there is little point in keeping the certificate requests +# for the issued certificates +/CA/certs/*.csr diff --git a/bin/tests/system/doth/CA/CA.cfg b/bin/tests/system/doth/CA/CA.cfg new file mode 100644 index 0000000000..dcdff1f136 --- /dev/null +++ b/bin/tests/system/doth/CA/CA.cfg 
@@ -0,0 +1,121 @@
+## How To
+# To issue a certificate:
+#
+# 1. Generate the next certificate serial (if the file does not exist):
+# xxd -l 8 -u -ps /dev/urandom > ./serial
+# 2. Create the new certificate request (e.g. for foo.example.com):
+# openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
+# -addext "subjectAltName=DNS:foo.example.com,IP:X.X.X.X" \
+# -newkey rsa -keyout ./certs/foo.example.com.key \
+# -out ./certs/foo.example.com.csr
+#
+# The above will generate request for an RSA-based certificate. One
+# can issue an ECDSA-based certificate by replacing "-newkey rsa" with
+# "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1".
+#
+# 3. Issue the certificate:
+# openssl ca -config ./CA.cfg -in ./certs/foo.example.com.csr \
+# -out ./certs/foo.example.com.pem
+#
+# To cleanup the internal database from expired certificates:
+#
+# 1. openssl ca -config ./CA.cfg -updatedb
+#
+# To revoke a certificate:
+#
+# 1. Revoke the certificate via file (e.g. for foo.example.com):
+# openssl ca -config ./CA.cfg -revoke ./certs/foo.example.com.pem
+# 2. Optionally remove the certificate file if you do not need it anymore:
+# rm ./certs/foo.example.com.pem
+# 3. Generate the certificate revocation list file: CRL (e.g. revoked.crl):
+# openssl ca -config ./CA.cfg -gencrl > ./revoked.crl
+#
+# The key for CA was generated like follows
+# openssl genrsa -out ./CA.key 3072
+# openssl req -x509 -new -key ./CA.key -days 10950 -out ./CA.pem
+#
+# See also:
+#
+# - https://jamielinux.com/docs/openssl-certificate-authority/index.html
+# - https://www.openssl.org/docs/man1.1.1/man1/ca.html
+# - https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
+# - https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
+# - https://security.stackexchange.com/a/190646 - for ECDSA certificates
+# - https://gist.github.com/Soarez/9688998
+# - https://habr.com/ru/post/192446/ - Beware, your screen might "go Cyrillic"!
+
+# certificate authority configuration
+[ca]
+default_ca = CA_default # The default ca section
+
+[CA_default]
+dir = .
+new_certs_dir = $dir/newcerts # new certs dir (must be created)
+certificate = $dir/CA.pem # The CA cert
+private_key = $dir/private/CA.key # CA private key
+
+serial = $dir/serial # serial number file for the next certificate
+ # Update before issuing it:
+ # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt # (must be created manually: touch ./index.txt)
+
+default_days = 10950 # how long to certify for
+
+#default_crl_days = 30 # the number of days before the
+default_crl_days = 10950 # next CRL is due. That is the
+ # days from now to place in the
+ # CRL nextUpdate field. If CRL
+ # is expired, certificate
+ # verifications will fail even
+ # for otherwise valid
+ # certificates. Clients might
+ # cache the CRL, so the expiry
+ # period should normally be
+ # relatively short (default:
+ # 30) for production CAs.
+
+default_md = sha256 # digest to use
+
+policy = policy_default # default policy
+email_in_dn = no # Don't add the email into cert DN
+
+name_opt = ca_default # Subject name display option
+cert_opt = ca_default # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy # copy extensions from request
+
+[policy_default]
+countryName = optional
+stateOrProvinceName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits = 3072 # for RSA only
+distinguished_name = req_default
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md = sha256
+# do not encrypt the private key file
+encrypt_key = no
+
+[req_default]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (e.g., city)
+0.organizationName = Organization Name (e.g., company)
+organizationalUnitName = Organizational Unit Name (e.g. department)
+commonName = Common Name (e.g. server FQDN or YOUR name)
+emailAddress = Email Address
+# defaults
+countryName_default = UA
+stateOrProvinceName_default = Kharkiv Oblast
+localityName_default = Kharkiv
+0.organizationName_default = ISC
+organizationalUnitName_default = Software Engeneering (BIND 9)
diff --git a/bin/tests/system/doth/CA/CA.pem b/bin/tests/system/doth/CA/CA.pem
new file mode 100644
index 0000000000..1f725dbb8a
--- /dev/null
+++ b/bin/tests/system/doth/CA/CA.pem
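Review bot: The "How To" header generates the CA key as `openssl genrsa -out ./CA.key 3072`, but `[CA_default]` reads `private_key = $dir/private/CA.key`; following the instructions as written leaves `openssl ca` unable to find the key, so one of the two paths should change (the comment is the safer one to fix: `# openssl genrsa -out ./private/CA.key 3072`). `copy_extensions = copy` is needed for the SAN, as the comment says, but it also copies any other extension a request carries (basicConstraints, keyUsage), which is acceptable only because requests here are generated locally; a note such as `# safe only for locally generated CSRs` records that assumption. `# See .` under `[req_default]` has lost its reference, likely an angle-bracketed URL dropped during rendering; confirm it survives in the repository. `organizationalUnitName_default = Software Engeneering (BIND 9)` has a typo ("Engineering") that would end up in the DN of any certificate issued with the defaults.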
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G
+A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0
+aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1
+NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh
+cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l
+dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j
+b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo
+Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI
+B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF
+ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5
+3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee
+wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia
+eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX
+z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ
+ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD
+VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y
+SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB
+AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc
+TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig
+TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod
+CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz
+qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO
+70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS
+wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE
+rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2
+8Q==
+-----END CERTIFICATE-----
diff --git a/bin/tests/system/doth/CA/README b/bin/tests/system/doth/CA/README
new file mode 100644
index 0000000000..13069ca2f8
--- /dev/null
+++ b/bin/tests/system/doth/CA/README
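Review bot: CA.pem carries only Subject Key Identifier, Authority Key Identifier and a critical Basic Constraints CA:TRUE (the three extensions decode from the `o1MwUTAd...` tail of the DER), with no Key Usage extension, which RFC 5280 §4.2.1.3 says conforming CAs must include with keyCertSign on a certificate used to verify other certificates. OpenSSL's default path validation tolerates the omission, so the system tests should still pass, but a peer built on a stricter TLS stack, or OpenSSL with strict X.509 checking enabled, may reject the chain for a reason unrelated to what the test is exercising. When the root is next regenerated, add `keyUsage = critical, keyCertSign, cRLSign` to the CA extension section next to the existing basicConstraints, and record in README that this is a test-only root valid until 2052 whose private key is not part of the tree.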
@@ -0,0 +1,2 @@
+Please take a look at the contents of the CA.cfg file for further
+instructions and configurations options.
diff --git a/bin/tests/system/doth/CA/certs/srv01.client01.example.com.key b/bin/tests/system/doth/CA/certs/srv01.client01.example.com.key
new file mode 100644
index 0000000000..9da02ddb1b
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.client01.example.com.key
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCq9Z95YLiCPSevj5Xm
+lB/ijFFlZb8AT2bHUyL1fmivBm8JfjSa/j3pZePAF7rltyChZANiAARek2p62nXM
+ZAjk+PkvK4U27uHf+s1MYPFEtRZ7+QPPoAhnb64no5WKaB5jq88uIGJS54w+Hu/e
+DWlkZbbk3/4aSPhodYSDEfuBWQ7Blkh/JNoR3azLCsUJeCQxOt835rM=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv01.client01.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.client01.example.com.pem
new file mode 100644
index 0000000000..0b4c115d1c
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.client01.example.com.pem
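Review bot: The private key for srv01.client01.example.com is committed unencrypted (CA.cfg sets `encrypt_key = no`), so anyone with a checkout can present that client identity to a server that trusts CA.pem; that is normal for fixtures, but nothing in the tree says so, and the README hunk just above only points the reader at CA.cfg. Suggest the README also state: `The keys and certificates under certs/ are test fixtures only. They are public, must never be deployed, and a fresh CA should be generated rather than reusing them elsewhere.` If the harness ever copies these files into a place where named enforces key-file permissions, the 0644 mode they get from git would need to be tightened there as well; I cannot tell from this hunk whether it does.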
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207431 (0x6bb3183cdef52007) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 10 17:44:20 2022 GMT + Not After : Feb 3 17:44:20 2052 GMT + Subject: CN=srv01.client01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:5e:93:6a:7a:da:75:cc:64:08:e4:f8:f9:2f:2b: + 85:36:ee:e1:df:fa:cd:4c:60:f1:44:b5:16:7b:f9: + 03:cf:a0:08:67:6f:ae:27:a3:95:8a:68:1e:63:ab: + cf:2e:20:62:52:e7:8c:3e:1e:ef:de:0d:69:64:65: + b6:e4:df:fe:1a:48:f8:68:75:84:83:11:fb:81:59: + 0e:c1:96:48:7f:24:da:11:dd:ac:cb:0a:c5:09:78: + 24:31:3a:df:37:e6:b3 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client01.example.com + Signature Algorithm: sha256WithRSAEncryption + 82:bd:eb:8f:4e:a5:d2:46:c7:d8:70:3c:34:1d:58:43:1b:81: + 16:5d:c2:b0:76:4b:a9:f2:10:14:23:e4:ef:dc:59:03:b6:7f: + b0:40:34:e5:d0:82:4b:95:a6:07:9a:45:51:94:cf:08:c2:4e: + c9:44:d5:f3:b6:ed:f2:a0:01:94:ad:e0:0e:0f:ab:85:6f:35: + 4b:07:c8:97:25:fb:69:ff:a1:99:bc:ec:70:6c:51:b5:32:95: + e9:c9:45:cf:45:e2:c5:5e:b1:59:a2:e1:f2:83:c8:87:68:c4: + 60:e2:db:50:6c:18:64:1b:9a:9a:cc:7c:e7:fd:d9:f2:b7:d1: + de:1d:ec:29:c9:58:db:7b:9a:a1:06:9a:ce:36:a0:45:10:dc: + 7d:81:24:21:34:30:4c:71:f9:fc:96:37:d6:cf:0d:9d:11:12: + c7:62:bc:19:5b:79:e5:e0:37:e8:17:36:4b:13:af:fa:2c:2e: + 36:d9:be:53:e1:c3:f9:bc:94:a6:7a:97:14:99:36:f9:14:38: + 11:20:3a:2a:9d:fd:64:63:d0:a2:8f:f0:99:a9:02:ca:57:48: + d2:7d:65:44:b6:85:a0:38:ec:e8:19:7e:c2:48:e3:1d:22:53: + cf:3b:d4:0a:98:e1:72:62:ec:8b:01:3f:5a:ea:26:2c:8c:16: + c3:80:5a:c2:5d:40:c5:65:1c:e2:9a:e3:d6:65:16:ee:dc:17: + 30:d8:26:87:92:d0:ef:c7:72:07:99:86:05:9e:49:35:41:33: + b9:bb:cb:1b:25:50:70:85:e3:0f:c7:b9:b2:37:00:1b:87:a2: + 
47:97:34:5b:cd:dc:66:22:e5:de:25:ec:57:fe:37:75:2c:03: + 10:f4:d4:a7:cc:f5:4b:0b:ff:eb:d3:a6:78:2e:cd:8f:65:51: + a7:8c:ef:83:67:ec:94:13:c2:1f:74:74:55:7c:a3:0b:b7:2f: + 80:5a:62:04:1d:a2:c0:c1:de:b2:7d:31:3b:a1:fa:f7:40:a7: + bd:12:25:95:5b:8b +-----BEGIN CERTIFICATE----- +MIIDITCCAYmgAwIBAgIIa7MYPN71IAcwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIxMDE3NDQyMFoYDzIwNTIwMjAz +MTc0NDIwWjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLmNvbTB2 +MBAGByqGSM49AgEGBSuBBAAiA2IABF6TanradcxkCOT4+S8rhTbu4d/6zUxg8US1 +Fnv5A8+gCGdvriejlYpoHmOrzy4gYlLnjD4e794NaWRltuTf/hpI+Gh1hIMR+4FZ +DsGWSH8k2hHdrMsKxQl4JDE63zfms6MpMCcwJQYDVR0RBB4wHIIac3J2MDEuY2xp +ZW50MDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggGBAIK9649OpdJGx9hw +PDQdWEMbgRZdwrB2S6nyEBQj5O/cWQO2f7BANOXQgkuVpgeaRVGUzwjCTslE1fO2 +7fKgAZSt4A4Pq4VvNUsHyJcl+2n/oZm87HBsUbUylenJRc9F4sVesVmi4fKDyIdo +xGDi21BsGGQbmprMfOf92fK30d4d7CnJWNt7mqEGms42oEUQ3H2BJCE0MExx+fyW +N9bPDZ0REsdivBlbeeXgN+gXNksTr/osLjbZvlPhw/m8lKZ6lxSZNvkUOBEgOiqd +/WRj0KKP8JmpAspXSNJ9ZUS2haA47OgZfsJI4x0iU8871AqY4XJi7IsBP1rqJiyM +FsOAWsJdQMVlHOKa49ZlFu7cFzDYJoeS0O/HcgeZhgWeSTVBM7m7yxslUHCF4w/H +ubI3ABuHokeXNFvN3GYi5d4l7Ff+N3UsAxD01KfM9UsL/+vTpnguzY9lUaeM74Nn +7JQTwh90dFV8owu3L4BaYgQdosDB3rJ9MTuh+vdAp70SJZVbiw== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.key b/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.key new file mode 100644 index 0000000000..91cb6cafe9 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.key 
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD1/sp/yNsAc9Z6TPhm
+0xT0ZhSf/9XJD6daSpdUDJ/nEJKa+sBXDWJHuXrbNRqUK2qhZANiAATmRfpXEmxZ
+ECOLelx2M+s7Qfq3HJCzLzMtRXvj5baloqKkFPRQnbDGOLrpRWWkZbkQMi+Tm9XY
+z7QpW9xOyOymn1h2JPTF0UhVUutdsIWThe4+uMSxzQhZlRL/e5vuark=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.pem
new file mode 100644
index 0000000000..1b43bbd293
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.client02-ns2.example.com.pem
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207432 (0x6bb3183cdef52008) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 11 13:21:12 2022 GMT + Not After : Feb 4 13:21:12 2052 GMT + Subject: CN=srv01.client02-ns2.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:e6:45:fa:57:12:6c:59:10:23:8b:7a:5c:76:33: + eb:3b:41:fa:b7:1c:90:b3:2f:33:2d:45:7b:e3:e5: + b6:a5:a2:a2:a4:14:f4:50:9d:b0:c6:38:ba:e9:45: + 65:a4:65:b9:10:32:2f:93:9b:d5:d8:cf:b4:29:5b: + dc:4e:c8:ec:a6:9f:58:76:24:f4:c5:d1:48:55:52: + eb:5d:b0:85:93:85:ee:3e:b8:c4:b1:cd:08:59:95: + 12:ff:7b:9b:ee:6a:b9 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client02-ns2.example.com + Signature Algorithm: sha256WithRSAEncryption + 43:ec:0f:62:17:f6:f4:90:3b:7c:36:21:f2:18:94:a6:42:51: + 1e:1d:2a:43:8f:05:b7:8d:3c:ca:f0:20:2f:65:4b:be:48:ad: + 6a:0a:cc:2d:1f:d6:27:1d:af:4a:36:86:ed:0d:03:75:c5:71: + ec:58:9b:ec:f9:0f:e4:83:ef:6f:91:da:20:73:47:ac:e7:c7: + 8b:22:b2:d1:6e:a0:b0:d6:1c:4c:70:1e:74:08:1d:7f:61:06: + e5:be:f3:e8:c4:15:60:e2:b0:02:9b:f0:13:af:76:5b:a8:c7: + 91:2c:10:5f:0d:32:89:51:5a:7f:17:1b:7c:c6:46:97:ee:e7: + bb:8a:48:38:a2:52:d4:ff:3b:1c:ec:4a:a9:8c:a5:23:3a:04: + bb:d7:b8:ad:5b:69:7f:1d:be:ca:96:e0:eb:56:05:43:ee:c8: + ff:2c:48:03:00:c6:c2:ac:fc:4e:15:47:86:c5:33:ed:70:f6: + 98:bc:0b:07:b9:5b:1a:ec:fd:3c:bf:26:61:68:fc:db:02:55: + 07:ae:76:0e:be:ff:c5:b8:56:fb:52:54:a4:b1:2d:64:b4:1d: + 55:02:4f:da:06:bd:26:e4:22:d2:94:1f:7e:29:c4:97:10:d1: + 75:7d:41:53:be:46:52:70:b1:d9:ff:bb:9f:96:19:e3:a0:ba: + d0:4a:5a:8d:da:22:73:89:f0:4c:e6:18:80:53:be:bd:64:56: + 6a:c9:58:71:40:66:9e:4a:3e:31:3b:74:9e:6e:6a:f5:65:ca: + 93:06:52:00:74:65:a0:3a:eb:2e:56:56:d2:a5:4b:0e:85:17: + 
25:78:cb:f3:f9:53:7b:85:f9:82:15:87:bc:36:70:b5:69:64: + 48:11:79:b9:2c:2e:cc:09:fd:0f:b0:b7:cd:97:3b:c7:0f:49: + 1a:fc:15:49:d6:1c:a9:dc:14:ff:44:d2:be:5a:36:00:66:0c: + d5:b8:bf:16:9e:60:27:79:c0:f5:b4:ff:2f:af:8c:b2:49:75: + 61:44:05:1a:e8:cd +-----BEGIN CERTIFICATE----- +MIIDKTCCAZGgAwIBAgIIa7MYPN71IAgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIxMTEzMjExMloYDzIwNTIwMjA0 +MTMyMTEyWjApMScwJQYDVQQDDB5zcnYwMS5jbGllbnQwMi1uczIuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATmRfpXEmxZECOLelx2M+s7Qfq3HJCz +LzMtRXvj5baloqKkFPRQnbDGOLrpRWWkZbkQMi+Tm9XYz7QpW9xOyOymn1h2JPTF +0UhVUutdsIWThe4+uMSxzQhZlRL/e5vuarmjLTArMCkGA1UdEQQiMCCCHnNydjAx +LmNsaWVudDAyLW5zMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAYEAQ+wP +Yhf29JA7fDYh8hiUpkJRHh0qQ48Ft408yvAgL2VLvkitagrMLR/WJx2vSjaG7Q0D +dcVx7Fib7PkP5IPvb5HaIHNHrOfHiyKy0W6gsNYcTHAedAgdf2EG5b7z6MQVYOKw +ApvwE692W6jHkSwQXw0yiVFafxcbfMZGl+7nu4pIOKJS1P87HOxKqYylIzoEu9e4 +rVtpfx2+ypbg61YFQ+7I/yxIAwDGwqz8ThVHhsUz7XD2mLwLB7lbGuz9PL8mYWj8 +2wJVB652Dr7/xbhW+1JUpLEtZLQdVQJP2ga9JuQi0pQffinElxDRdX1BU75GUnCx +2f+7n5YZ46C60Epajdoic4nwTOYYgFO+vWRWaslYcUBmnko+MTt0nm5q9WXKkwZS +AHRloDrrLlZW0qVLDoUXJXjL8/lTe4X5ghWHvDZwtWlkSBF5uSwuzAn9D7C3zZc7 +xw9JGvwVSdYcqdwU/0TSvlo2AGYM1bi/Fp5gJ3nA9bT/L6+Mskl1YUQFGujN +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.key b/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.key new file mode 100644 index 0000000000..5d3d283d09 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.key 
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCQvnl9FD/mrb+KQaC8
+VMhKW2sxrYFHhZnUYBc3Luz/X3vECNVqLVc5asLu+NrkioyhZANiAAQ4mpvCaoKm
+0VCKeHrRvmG+1LbT1qICl6RIUMDFHdgtIxklbpECHWnCd9bxqE9Kmh08aVqJQQry
+4GRXGw6e359MezxC3CHILJWrs0xfVsRw7oqk5EbEnpj1yHuyc9dFk/A=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.pem
new file mode 100644
index 0000000000..99e4a71e33
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.client03-ns2-expired.example.com.pem
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207433 (0x6bb3183cdef52009) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Aug 14 05:00:00 2012 GMT + Not After : Aug 14 06:00:00 2012 GMT + Subject: CN=srv01.client03-ns2-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:38:9a:9b:c2:6a:82:a6:d1:50:8a:78:7a:d1:be: + 61:be:d4:b6:d3:d6:a2:02:97:a4:48:50:c0:c5:1d: + d8:2d:23:19:25:6e:91:02:1d:69:c2:77:d6:f1:a8: + 4f:4a:9a:1d:3c:69:5a:89:41:0a:f2:e0:64:57:1b: + 0e:9e:df:9f:4c:7b:3c:42:dc:21:c8:2c:95:ab:b3: + 4c:5f:56:c4:70:ee:8a:a4:e4:46:c4:9e:98:f5:c8: + 7b:b2:73:d7:45:93:f0 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client03-ns2-expired.example.com + Signature Algorithm: sha256WithRSAEncryption + 38:12:1f:5f:26:b6:8e:9b:3f:77:89:5a:b8:e8:46:78:c3:d6: + f0:0c:67:5f:d5:a3:9c:f6:f2:0a:ae:9c:87:74:9f:a3:5b:8a: + 27:58:47:e5:78:1a:e9:db:b5:cc:28:a7:f8:18:e3:e7:20:43: + cf:82:06:5d:a1:d0:82:ab:15:be:86:46:1e:e6:4d:ad:78:a4: + 16:6c:99:41:3d:29:21:c8:6b:9d:3d:4a:cd:93:37:1f:1c:88: + c7:ae:b6:7c:73:42:57:57:32:9d:e8:c6:e2:3e:da:12:57:3e: + c8:56:4a:bb:d4:01:fc:8e:30:8d:19:fe:61:3d:5e:02:64:65: + a2:46:b3:6e:ea:f9:cb:4e:f0:b9:f6:bc:6b:38:10:19:d0:93: + f8:f7:d9:4c:d2:87:2c:7f:dc:f5:00:c6:29:dd:00:5e:d2:f4: + df:52:fb:7a:5a:ad:98:36:77:72:1f:01:ed:48:91:48:16:2d: + 35:a5:15:21:98:ff:7e:5d:a1:45:c9:5f:9d:c2:3e:e5:98:e2: + ee:ce:4d:18:76:3d:8a:0a:64:9b:f1:19:9d:b6:82:af:1b:15: + d3:48:69:f1:9b:67:76:1b:41:8e:1d:69:d5:31:64:95:01:41: + 73:c1:a9:29:53:6b:f3:29:ad:e0:96:52:8e:3e:8d:c1:8e:d8: + b5:0c:94:5f:a2:6c:3c:0f:3e:5b:10:af:21:00:74:d0:b7:30: + 6c:44:fb:3d:09:46:8d:1d:e6:c2:e4:0a:5b:f4:eb:e1:71:c7: + d5:36:13:90:05:fe:65:16:61:24:b5:41:f2:10:bd:2c:c3:34: + 
69:15:25:d1:32:f2:b3:d7:da:23:1b:e9:5b:33:63:43:c8:dc: + 68:f2:31:b5:93:0e:64:ea:9a:45:36:9f:96:44:38:1e:4e:d8: + 45:ba:37:68:06:4d:da:d4:16:d3:3e:77:86:4e:8d:58:d6:06: + a8:60:11:4d:d9:81:f3:85:2b:ee:58:50:6e:ea:2b:f7:84:00: + 9c:ec:a1:90:d4:94 +-----BEGIN CERTIFICATE----- +MIIDNzCCAZ+gAwIBAgIIa7MYPN71IAkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTEyMDgxNDA1MDAwMFoXDTEyMDgxNDA2 +MDAwMFowMTEvMC0GA1UEAwwmc3J2MDEuY2xpZW50MDMtbnMyLWV4cGlyZWQuZXhh +bXBsZS5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ4mpvCaoKm0VCKeHrRvmG+ +1LbT1qICl6RIUMDFHdgtIxklbpECHWnCd9bxqE9Kmh08aVqJQQry4GRXGw6e359M +ezxC3CHILJWrs0xfVsRw7oqk5EbEnpj1yHuyc9dFk/CjNTAzMDEGA1UdEQQqMCiC +JnNydjAxLmNsaWVudDAzLW5zMi1leHBpcmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3 +DQEBCwUAA4IBgQA4Eh9fJraOmz93iVq46EZ4w9bwDGdf1aOc9vIKrpyHdJ+jW4on +WEfleBrp27XMKKf4GOPnIEPPggZdodCCqxW+hkYe5k2teKQWbJlBPSkhyGudPUrN +kzcfHIjHrrZ8c0JXVzKd6MbiPtoSVz7IVkq71AH8jjCNGf5hPV4CZGWiRrNu6vnL +TvC59rxrOBAZ0JP499lM0ocsf9z1AMYp3QBe0vTfUvt6Wq2YNndyHwHtSJFIFi01 +pRUhmP9+XaFFyV+dwj7lmOLuzk0Ydj2KCmSb8RmdtoKvGxXTSGnxm2d2G0GOHWnV +MWSVAUFzwakpU2vzKa3gllKOPo3Bjti1DJRfomw8Dz5bEK8hAHTQtzBsRPs9CUaN +HebC5Apb9OvhccfVNhOQBf5lFmEktUHyEL0swzRpFSXRMvKz19ojG+lbM2NDyNxo +8jG1kw5k6ppFNp+WRDgeTthFujdoBk3a1BbTPneGTo1Y1gaoYBFN2YHzhSvuWFBu +6iv3hACc7KGQ1JQ= +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.key b/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.key new file mode 100644 index 0000000000..a4194bd684 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.key 
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB/BdYjkgkVy4gTuXX3
+20DWo80uWsQkKDwMeOoaQ2cYy5Cm2AdTALDdBihGKRfACPqhZANiAAQSoXsPefIp
+9Y9qBtAogxRDjxlMKZE2MA8GplbnV5tYLJ78nKNO9uNvkEDVCf2Ulo4UaHRv6Ken
+q4w1lvLWj12XXdG5IlvvMRWh4ettb6+xL4Dlpak48m/5ZRRwp6Ws4Ro=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.pem
new file mode 100644
index 0000000000..8671dd3a77
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.crt01.example.com.pem
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207425 (0x6bb3183cdef52001) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:18:52 2022 GMT + Not After : Feb 1 17:18:52 2052 GMT + Subject: CN=srv01.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:12:a1:7b:0f:79:f2:29:f5:8f:6a:06:d0:28:83: + 14:43:8f:19:4c:29:91:36:30:0f:06:a6:56:e7:57: + 9b:58:2c:9e:fc:9c:a3:4e:f6:e3:6f:90:40:d5:09: + fd:94:96:8e:14:68:74:6f:e8:a7:a7:ab:8c:35:96: + f2:d6:8f:5d:97:5d:d1:b9:22:5b:ef:31:15:a1:e1: + eb:6d:6f:af:b1:2f:80:e5:a5:a9:38:f2:6f:f9:65: + 14:70:a7:a5:ac:e1:1a + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt01.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 79:0f:08:ab:18:cc:f9:7a:bd:47:21:99:a1:a3:76:04:7f:d7: + 08:33:91:49:3d:2d:fc:8d:ff:c5:c1:8d:b8:70:05:65:32:cd: + e2:26:21:49:19:66:a2:94:4f:42:7d:83:3c:4f:ed:c1:87:89: + 5b:73:2c:64:64:67:29:f5:73:83:23:72:b7:a8:2e:d6:9a:de: + 13:0c:ba:35:d3:38:b1:c4:51:7d:81:fc:25:ca:a6:d9:d2:fa: + bb:6d:1f:a4:61:90:50:2d:8a:ed:70:1a:eb:56:2f:fc:7b:f3: + 76:df:68:8d:e8:a4:7d:82:b9:5c:c6:cb:d8:06:f7:78:dc:a7: + 94:35:d4:83:98:28:51:36:1c:73:47:e4:5b:32:d2:cd:de:1c: + 44:f6:de:37:8a:46:d0:14:8d:71:e5:10:22:b1:f9:73:f7:1b: + 4f:82:e1:a1:00:73:18:17:71:a2:bf:a2:0c:59:aa:43:58:46: + 82:f8:38:c4:5a:5a:9f:13:d7:a9:54:1f:58:9b:5d:52:16:d3: + a0:ba:6b:aa:cf:68:3a:d1:12:9c:94:ac:78:6b:7e:bc:69:6c: + 75:07:5d:fb:68:cd:e8:8d:bb:8c:b0:7c:6c:9e:f6:a5:7c:32: + 74:ef:c5:b1:1f:1d:ec:7b:2f:79:c0:3b:52:60:9b:48:89:09: + b4:46:34:69:d3:7b:1b:15:ef:0c:dd:64:1d:58:fe:a7:0b:b1: + 9d:28:1f:1e:9e:3c:c0:b1:a6:38:ab:9d:54:24:0e:75:6c:9e: + 
90:13:b9:39:dc:43:fe:37:e3:14:0f:78:7e:2b:56:a2:d2:60: + 51:57:88:3b:4c:cf:24:67:36:77:21:bb:c8:07:eb:48:f7:b0: + 1e:e4:99:61:84:15:bb:61:3a:21:55:df:31:43:67:73:8f:6b: + e9:04:83:be:2d:8b:94:39:89:cf:40:d5:04:f7:6b:c9:c6:8c: + 6e:36:0f:5d:7a:9b:57:86:36:76:2c:75:35:47:50:ed:9a:84: + 7e:37:83:b5:21:a2 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAEwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3MTg1MloYDzIwNTIwMjAx +MTcxODUyWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABBKhew958in1j2oG0CiDFEOPGUwpkTYwDwamVudX +m1gsnvyco07242+QQNUJ/ZSWjhRodG/op6erjDWW8taPXZdd0bkiW+8xFaHh621v +r7EvgOWlqTjyb/llFHCnpazhGqM+MDwwOgYDVR0RBDMwMYIXc3J2MDEuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAGHEP2ScGULjv//AAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggGBAHkPCKsYzPl6vUchmaGjdgR/1wgzkUk9LfyN/8XBjbhwBWUyzeImIUkZ +ZqKUT0J9gzxP7cGHiVtzLGRkZyn1c4MjcreoLtaa3hMMujXTOLHEUX2B/CXKptnS ++rttH6RhkFAtiu1wGutWL/x783bfaI3opH2CuVzGy9gG93jcp5Q11IOYKFE2HHNH +5Fsy0s3eHET23jeKRtAUjXHlECKx+XP3G0+C4aEAcxgXcaK/ogxZqkNYRoL4OMRa +Wp8T16lUH1ibXVIW06C6a6rPaDrREpyUrHhrfrxpbHUHXftozeiNu4ywfGye9qV8 +MnTvxbEfHex7L3nAO1Jgm0iJCbRGNGnTexsV7wzdZB1Y/qcLsZ0oHx6ePMCxpjir +nVQkDnVsnpATuTncQ/434xQPeH4rVqLSYFFXiDtMzyRnNnchu8gH60j3sB7kmWGE +FbthOiFV3zFDZ3OPa+kEg74ti5Q5ic9A1QT3a8nGjG42D116m1eGNnYsdTVHUO2a +hH43g7Uhog== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.key b/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.key new file mode 100644 index 0000000000..db770c1dbc --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.key 
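Review bot: srv01.crt01.example.com carries a single extension, the Subject Alternative Name listed under `X509v3 extensions:`; there is no Basic Constraints CA:FALSE, no Key Usage and no Extended Key Usage serverAuth, and the other leaf certificates in this commit show the same shape. Default OpenSSL verification does not require these on an end-entity certificate, so the tests should be unaffected, but a peer that applies purpose or EKU checks may treat the certificate differently from one issued by a conventional CA. Since CA.cfg uses `copy_extensions = copy`, the extensions come from the CSR, so when these fixtures are regenerated request them there, e.g. `openssl req -new ... -addext 'basicConstraints=CA:FALSE' -addext 'keyUsage=digitalSignature' -addext 'extendedKeyUsage=serverAuth'` (clientAuth for the srv01.client* certificates). The same `copy_extensions = copy` setting would also copy a CSR that asks for CA:TRUE; putting `basicConstraints = critical, CA:FALSE` in the signing extension section, which takes precedence over the request, closes that for a test CA at no cost.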
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC3sc7RaI9GyH5Z1e0D
+WcccNjr43zpavmMqA8bcS9dBBjkiEdvGH47r3EIXTjp0f46hZANiAASjLTP9kpDc
+A+82+aSokPFHab7ojmUI2uWzgmMcr5o3tHV8zkb7GRe8kHJPdLZFOfeWs0SFHK1q
+26R2hu6OJz33YXjf4QSK65GLAWe2aTJUUBxWhtov7+Q9lLr3WwIUtRM=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.pem
new file mode 100644
index 0000000000..65f0f9ff18
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.crt02-no-san.example.com.pem
@@ -0,0 +1,64 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 7760573232607207426 (0x6bb3183cdef52002) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:21:43 2022 GMT + Not After : Feb 1 17:21:43 2052 GMT + Subject: CN=srv01.crt02-no-san.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:a3:2d:33:fd:92:90:dc:03:ef:36:f9:a4:a8:90: + f1:47:69:be:e8:8e:65:08:da:e5:b3:82:63:1c:af: + 9a:37:b4:75:7c:ce:46:fb:19:17:bc:90:72:4f:74: + b6:45:39:f7:96:b3:44:85:1c:ad:6a:db:a4:76:86: + ee:8e:27:3d:f7:61:78:df:e1:04:8a:eb:91:8b:01: + 67:b6:69:32:54:50:1c:56:86:da:2f:ef:e4:3d:94: + ba:f7:5b:02:14:b5:13 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + Signature Algorithm: sha256WithRSAEncryption + 07:20:2a:a6:7a:52:52:ba:1e:b7:79:cf:e6:11:9c:ca:3f:43: + 2b:f3:d7:2e:74:74:57:81:a1:aa:e6:68:c9:fd:d1:a8:a6:5b: + a2:ff:ea:f7:f0:b7:46:dc:a0:5a:64:5f:ce:e7:0f:76:63:14: + 6d:c2:51:4b:30:ea:51:7e:4a:1b:d3:b2:f8:c2:3d:3f:c1:bf: + ad:db:4d:f8:28:31:e7:75:ae:84:37:90:00:e5:0b:6b:dc:23: + 98:69:d5:ef:ce:e2:0d:e7:19:f1:31:01:1f:2a:6c:23:a3:94: + 62:7a:bf:b3:b0:13:d0:62:fc:a5:a6:0d:52:bb:f4:31:ff:f3: + ce:3a:74:66:30:7f:29:04:8d:34:90:7a:9b:8f:da:82:2e:5c: + 81:dd:af:fa:3a:a1:4e:bb:0a:4c:62:01:40:39:67:9c:29:27: + 6e:2f:76:81:2d:33:68:ee:ee:ed:00:7f:12:7a:af:43:00:7b: + 2d:34:8a:26:9a:66:1c:e5:96:17:7c:f8:6d:1e:8c:17:39:ce: + 4f:0b:9e:40:72:e1:5e:33:3f:9e:84:b5:07:f5:ab:58:d7:37: + ed:d0:29:ad:ce:02:0d:fa:6f:96:a9:0e:6c:6e:32:d2:dc:11: + 23:a3:4a:60:54:b4:98:31:db:8f:4b:4c:58:64:39:4f:ff:27: + d0:02:e5:cc:b2:17:e8:46:dc:aa:cb:dc:3d:ed:14:52:ec:6d: + a6:cd:04:2f:fd:54:16:6c:7e:63:34:17:f1:1d:b8:37:dd:20: + 6c:f6:21:19:6f:bb:62:dd:bc:6c:41:34:ad:b1:90:eb:2a:e0: + 63:ea:70:60:6a:02:e8:fe:46:51:b1:9d:3c:54:54:73:25:b7: + 41:d1:4c:34:aa:88:48:b8:01:21:ae:d8:d3:06:38:05:65:78: + 
e7:38:f0:f6:e6:2e:61:c0:42:5e:3b:09:59:eb:09:48:4d:55: + 7c:af:f4:de:c1:09:a0:b4:60:f7:9e:a2:d5:46:fc:05:61:69: + e0:c1:2d:26:dc:42 +-----BEGIN CERTIFICATE----- +MIIC9TCCAV0CCGuzGDze9SACMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAlVB +MRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJraXYxJDAi +BgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UEAwwTY2Eu +dGVzdC5leGFtcGxlLmNvbTAgFw0yMjAyMDgxNzIxNDNaGA8yMDUyMDIwMTE3MjE0 +M1owKTEnMCUGA1UEAwwec3J2MDEuY3J0MDItbm8tc2FuLmV4YW1wbGUuY29tMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEoy0z/ZKQ3APvNvmkqJDxR2m+6I5lCNrls4Jj +HK+aN7R1fM5G+xkXvJByT3S2RTn3lrNEhRytatukdobujic992F43+EEiuuRiwFn +tmkyVFAcVobaL+/kPZS691sCFLUTMA0GCSqGSIb3DQEBCwUAA4IBgQAHICqmelJS +uh63ec/mEZzKP0Mr89cudHRXgaGq5mjJ/dGoplui/+r38LdG3KBaZF/O5w92YxRt +wlFLMOpRfkob07L4wj0/wb+t2034KDHnda6EN5AA5Qtr3COYadXvzuIN5xnxMQEf +Kmwjo5Rier+zsBPQYvylpg1Su/Qx//POOnRmMH8pBI00kHqbj9qCLlyB3a/6OqFO +uwpMYgFAOWecKSduL3aBLTNo7u7tAH8Seq9DAHstNIommmYc5ZYXfPhtHowXOc5P +C55AcuFeMz+ehLUH9atY1zft0CmtzgIN+m+WqQ5sbjLS3BEjo0pgVLSYMduPS0xY +ZDlP/yfQAuXMshfoRtyqy9w97RRS7G2mzQQv/VQWbH5jNBfxHbg33SBs9iEZb7ti +3bxsQTStsZDrKuBj6nBgagLo/kZRsZ08VFRzJbdB0Uw0qohIuAEhrtjTBjgFZXjn +OPD25i5hwEJeOwlZ6wlITVV8r/TewQmgtGD3nqLVRvwFYWngwS0m3EI= +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.key b/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.key new file mode 100644 index 0000000000..caef1f0a89 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAtAQNSdzyxR3sm6gyx +2Ob3SNCsYvdsE6+gobSUJWYbdus0CCFBIN6Qpms9oc0hAgqhZANiAAQf1Xurc7Jw +Ff0zJgJcdhaADHB9V4N1rDy3SgJGNcEbwXq9vvIEmn9pg39UmhsQYtdwve8mkFFQ +EHdWtxovRF6RRjbhLqRMZy5iqH8aFRBEaIsY6s+4lgm/tTrR7xCPn7s= +-----END PRIVATE KEY----- 
diff --git a/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.pem b/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.pem
new file mode 100644
index 0000000000..4befde4237
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv01.crt03-expired.example.com.pem
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207430 (0x6bb3183cdef52006) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Aug 15 08:00:00 2012 GMT + Not After : Aug 15 09:00:00 2012 GMT + Subject: CN=srv01.crt03-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:1f:d5:7b:ab:73:b2:70:15:fd:33:26:02:5c:76: + 16:80:0c:70:7d:57:83:75:ac:3c:b7:4a:02:46:35: + c1:1b:c1:7a:bd:be:f2:04:9a:7f:69:83:7f:54:9a: + 1b:10:62:d7:70:bd:ef:26:90:51:50:10:77:56:b7: + 1a:2f:44:5e:91:46:36:e1:2e:a4:4c:67:2e:62:a8: + 7f:1a:15:10:44:68:8b:18:ea:cf:b8:96:09:bf:b5: + 3a:d1:ef:10:8f:9f:bb + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt03-expired.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 25:35:08:f6:e7:f0:83:81:be:65:31:1b:78:a8:04:84:fe:6a: + 2a:1a:5d:c1:73:20:88:08:11:d8:27:be:a5:8e:3c:df:e2:a6: + 19:c5:41:40:ea:01:91:85:99:8d:17:4e:4d:9a:3c:03:f9:78: + 4c:8a:20:41:5e:96:d6:64:83:2f:b2:fe:e7:77:09:f9:91:bd: + 22:1a:57:8b:f6:24:bc:7b:48:2b:2e:14:b7:32:bd:46:91:99: + 5e:21:9a:d3:15:a7:27:e1:c0:3a:c7:f5:f9:94:3f:6d:14:7e: + 0b:02:bf:05:d9:ac:10:8a:7e:b0:37:36:cd:cb:4a:b4:e1:01: + c7:04:8d:83:f3:c6:79:ff:ff:6c:f0:a4:bf:3c:12:61:ea:15: + ac:30:62:26:e3:c3:4e:7d:5c:68:d8:88:de:35:8d:44:75:8c: + a8:c1:0d:07:67:b5:d0:42:43:41:1f:39:a0:47:35:46:d7:0f: + 89:aa:e8:d3:86:45:9a:fb:33:01:06:23:64:53:24:48:5b:69: + fa:cf:d9:81:fb:5e:7e:7b:82:65:56:c6:46:65:5c:e1:4f:f2: + 3c:09:3c:28:5f:c9:e3:a5:24:e3:7b:aa:b5:b1:8a:6a:b2:02: + 32:5f:24:05:f1:67:c8:54:17:0c:cd:ca:3d:e4:44:3e:23:3a: + 7c:63:b6:f9:61:3a:21:e7:8f:27:ad:c3:26:86:39:49:6c:41: + 40:7f:1d:48:69:8d:db:6f:42:e4:09:fe:24:62:bd:8e:2e:54: + 
25:f0:14:c2:d8:43:95:09:2e:5f:72:4f:43:b5:9a:8b:bb:8c: + 44:c6:77:c9:05:fb:1a:9f:d7:b6:a6:42:d9:5c:3d:a5:09:0f: + 9e:e0:c7:06:32:f1:ff:c9:53:5e:42:d4:2a:33:ad:06:ea:ec: + b0:26:d3:3c:ef:65:af:15:8e:7b:20:49:ad:f1:56:ef:17:6b: + fc:f4:d8:7c:82:9f:30:19:d0:bc:9c:79:e2:dc:9d:a7:f9:6b: + 6f:65:ae:21:a0:94 +-----BEGIN CERTIFICATE----- +MIIDQTCCAamgAwIBAgIIa7MYPN71IAYwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTEyMDgxNTA4MDAwMFoXDTEyMDgxNTA5 +MDAwMFowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDMtZXhwaXJlZC5leGFtcGxlLmNv +bTB2MBAGByqGSM49AgEGBSuBBAAiA2IABB/Ve6tzsnAV/TMmAlx2FoAMcH1Xg3Ws +PLdKAkY1wRvBer2+8gSaf2mDf1SaGxBi13C97yaQUVAQd1a3Gi9EXpFGNuEupExn +LmKofxoVEERoixjqz7iWCb+1OtHvEI+fu6NGMEQwQgYDVR0RBDswOYIfc3J2MDEu +Y3J0MDMtZXhwaXJlZC5leGFtcGxlLmNvbYcECjUAAYcQ/ZJwZQuO//8AAAAAAAAA +ATANBgkqhkiG9w0BAQsFAAOCAYEAJTUI9ufwg4G+ZTEbeKgEhP5qKhpdwXMgiAgR +2Ce+pY483+KmGcVBQOoBkYWZjRdOTZo8A/l4TIogQV6W1mSDL7L+53cJ+ZG9IhpX +i/YkvHtIKy4UtzK9RpGZXiGa0xWnJ+HAOsf1+ZQ/bRR+CwK/BdmsEIp+sDc2zctK +tOEBxwSNg/PGef//bPCkvzwSYeoVrDBiJuPDTn1caNiI3jWNRHWMqMENB2e10EJD +QR85oEc1RtcPiaro04ZFmvszAQYjZFMkSFtp+s/ZgftefnuCZVbGRmVc4U/yPAk8 +KF/J46Uk43uqtbGKarICMl8kBfFnyFQXDM3KPeREPiM6fGO2+WE6IeePJ63DJoY5 +SWxBQH8dSGmN229C5An+JGK9ji5UJfAUwthDlQkuX3JPQ7Wai7uMRMZ3yQX7Gp/X +tqZC2Vw9pQkPnuDHBjLx/8lTXkLUKjOtBurssCbTPO9lrxWOeyBJrfFW7xdr/PTY +fIKfMBnQvJx54tydp/lrb2WuIaCU +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.key b/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.key new file mode 100644 index 0000000000..cf495c1c95 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.key 
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC/rdGBnhOuZ8hc7fUO
+6v0LO2xd2LMjTS0TCb0pVwsccYN/f6OxWJtu0uGSt0DaN6ihZANiAARD1PvMuIhg
+lRaqKtAxlss+qFzkdqzBv807ZYW7LMv6w0g8g8gI7txZFZciuEIXjHUJ+T62nPLF
+2122impDSAqi3RPCNuRzs2RUebv41H5I9AW+DHdjAf5PMLCqYrzy7fk=
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem b/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem
new file mode 100644
index 0000000000..d061c2c754
--- /dev/null
+++ b/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207427 (0x6bb3183cdef52003) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:57:59 2022 GMT + Not After : Feb 1 17:57:59 2052 GMT + Subject: CN=srv02.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:43:d4:fb:cc:b8:88:60:95:16:aa:2a:d0:31:96: + cb:3e:a8:5c:e4:76:ac:c1:bf:cd:3b:65:85:bb:2c: + cb:fa:c3:48:3c:83:c8:08:ee:dc:59:15:97:22:b8: + 42:17:8c:75:09:f9:3e:b6:9c:f2:c5:db:5d:b6:8a: + 6a:43:48:0a:a2:dd:13:c2:36:e4:73:b3:64:54:79: + bb:f8:d4:7e:48:f4:05:be:0c:77:63:01:fe:4f:30: + b0:aa:62:bc:f2:ed:f9 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.com, IP Address:10.53.0.2, IP Address:FD92:7065:B8E:FFFF:0:0:0:2 + Signature Algorithm: sha256WithRSAEncryption + 89:ba:ae:4f:f8:3e:da:48:1f:5c:8f:ff:ee:d8:42:b0:0b:9b: + f1:b5:e2:90:c9:76:40:09:77:a3:31:d5:73:8f:eb:7d:69:94: + 1c:2b:10:31:da:d4:0c:29:e7:80:4e:61:53:ba:15:9d:e1:e8: + 0c:0d:19:77:2b:a8:74:46:e3:03:ae:ab:96:ea:af:80:c3:18: + e0:93:8e:e9:58:0e:79:47:98:a4:06:95:6b:8f:2c:d1:f7:29: + b1:98:85:e8:a4:9c:45:52:ad:c8:60:20:dc:3a:6a:40:78:15: + d1:b4:d0:c3:c5:f3:ac:fe:ec:d3:94:ef:66:0b:d7:8c:46:f3: + 62:30:c4:c2:78:65:de:40:4e:d8:26:84:8e:18:a7:71:f2:b7: + 65:d8:d0:c2:c8:e6:a0:fb:ea:01:de:2f:03:8a:50:3d:f6:6c: + 0b:ef:ce:f5:25:1f:80:54:3e:c2:6d:2c:d3:2b:bd:23:b7:3b: + 82:6b:91:7f:ea:ff:e6:11:37:d3:f0:d4:db:9f:32:ac:12:cc: + ec:25:25:81:58:16:18:90:73:c3:ad:7c:09:a7:08:99:16:ce: + e8:6c:4b:9a:e6:09:96:11:c2:f1:cf:19:43:a6:a6:81:f2:57: + 21:fa:b1:91:58:39:76:17:89:32:4c:4b:df:fa:59:03:b2:32: + b4:b3:95:89:af:f4:5e:94:b1:df:e9:bf:21:73:14:06:5d:08: + 1e:0f:d2:84:14:44:20:91:19:72:b9:38:0b:3c:2e:4f:ea:3a: + 
9b:ef:93:61:e7:36:82:df:49:e2:d7:45:ea:87:45:1d:74:36: + 18:f4:aa:30:d5:65:da:1f:c7:98:61:ab:64:2a:49:98:64:a1: + 8c:33:3a:a5:97:4a:69:a6:9d:6f:00:b9:6b:81:8d:09:0f:98: + 63:0f:85:ae:e4:21:70:a3:da:5a:27:eb:df:6d:82:ac:bb:48: + 6b:01:4e:36:95:5a:d3:f0:b9:30:43:72:87:af:41:7a:30:13: + f2:92:15:f1:69:e7 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAMwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTc1OVoYDzIwNTIwMjAx +MTc1NzU5WjAiMSAwHgYDVQQDDBdzcnYwMi5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABEPU+8y4iGCVFqoq0DGWyz6oXOR2rMG/zTtlhbss +y/rDSDyDyAju3FkVlyK4QheMdQn5Prac8sXbXbaKakNICqLdE8I25HOzZFR5u/jU +fkj0Bb4Md2MB/k8wsKpivPLt+aM+MDwwOgYDVR0RBDMwMYIXc3J2MDIuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAKHEP2ScGULjv//AAAAAAAAAAIwDQYJKoZIhvcNAQEL +BQADggGBAIm6rk/4PtpIH1yP/+7YQrALm/G14pDJdkAJd6Mx1XOP631plBwrEDHa +1Awp54BOYVO6FZ3h6AwNGXcrqHRG4wOuq5bqr4DDGOCTjulYDnlHmKQGlWuPLNH3 +KbGYheiknEVSrchgINw6akB4FdG00MPF86z+7NOU72YL14xG82IwxMJ4Zd5ATtgm +hI4Yp3Hyt2XY0MLI5qD76gHeLwOKUD32bAvvzvUlH4BUPsJtLNMrvSO3O4JrkX/q +/+YRN9Pw1NufMqwSzOwlJYFYFhiQc8OtfAmnCJkWzuhsS5rmCZYRwvHPGUOmpoHy +VyH6sZFYOXYXiTJMS9/6WQOyMrSzlYmv9F6Usd/pvyFzFAZdCB4P0oQURCCRGXK5 +OAs8Lk/qOpvvk2HnNoLfSeLXReqHRR10Nhj0qjDVZdofx5hhq2QqSZhkoYwzOqWX +SmmmnW8AuWuBjQkPmGMPha7kIXCj2lon699tgqy7SGsBTjaVWtPwuTBDcoevQXow +E/KSFfFp5w== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.key b/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.key new file mode 100644 index 0000000000..72f8a40122 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.key 
@@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBMJxQaJB76ywjBuhZI +LUz05LQuwmDBAFeZFqe10HG+r0cZvVw4Cr5M7jr2RVLqKRChZANiAARF27kbN2W/ +saGKWjkAjUoVO0OauC//qH2Zg6ic3LbCqp/4UaEOLpcPkBMiTIvx/zxr65EpfUzf +fAXdrepKTK0K1m+OUbCIWEKILBbURx24j7NODRLfTBT2JyA/lJojgUg= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.pem b/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.pem new file mode 100644 index 0000000000..39b48eeb40 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv03.crt01.example.com.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207428 (0x6bb3183cdef52004) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:58:15 2022 GMT + Not After : Feb 1 17:58:15 2052 GMT + Subject: CN=srv03.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:45:db:b9:1b:37:65:bf:b1:a1:8a:5a:39:00:8d: + 4a:15:3b:43:9a:b8:2f:ff:a8:7d:99:83:a8:9c:dc: + b6:c2:aa:9f:f8:51:a1:0e:2e:97:0f:90:13:22:4c: + 8b:f1:ff:3c:6b:eb:91:29:7d:4c:df:7c:05:dd:ad: + ea:4a:4c:ad:0a:d6:6f:8e:51:b0:88:58:42:88:2c: + 16:d4:47:1d:b8:8f:b3:4e:0d:12:df:4c:14:f6:27: + 20:3f:94:9a:23:81:48 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01.example.com, IP Address:10.53.0.3, IP Address:FD92:7065:B8E:FFFF:0:0:0:3 + Signature Algorithm: sha256WithRSAEncryption + 8f:96:88:82:94:76:8e:97:b6:75:8b:e9:2b:4f:f3:8f:14:5c: + 50:00:ca:67:96:9e:2e:bd:53:25:25:40:6d:c5:56:e6:1a:f6: + cb:fb:58:fc:b3:56:9d:fc:0b:e2:8e:99:7e:e8:e6:ad:b6:e7: + e6:3e:8a:59:ef:3e:76:a4:ed:7b:58:fd:a3:4b:aa:4e:11:e1: + 57:bf:b1:23:a5:a1:00:f8:95:07:c8:7d:ee:ac:a7:c8:24:ee: + cf:e8:c5:a4:9f:96:27:c9:47:c1:7d:11:de:66:d0:6d:d1:8d: + e7:8f:a0:0f:46:d9:2e:70:f3:9f:ac:6a:b0:3f:5a:dc:70:d4: + b9:a5:f3:ff:5c:21:50:5d:c2:a2:46:26:25:2a:2f:8a:aa:7a: + fd:76:31:5f:e0:25:a3:ee:df:36:f0:ab:05:a1:5d:0d:3c:6b: + 2c:1d:d5:c5:73:9c:a0:57:1f:c4:26:e6:dc:a1:7c:25:08:21: + 61:28:e2:b3:f5:51:83:20:73:14:19:8f:47:79:69:bc:2b:22: + f2:17:62:1d:83:f7:4f:a9:c4:51:68:e0:a9:d7:9f:17:6a:d2: + fd:f7:04:ce:a4:f5:8e:eb:31:b4:bf:c6:2d:da:0c:70:6e:0c: + a5:75:21:54:3c:f6:3d:36:b8:8a:d8:b6:7b:77:7e:54:1d:9f: + 91:8f:02:a6:d1:2c:a7:30:d1:cc:e6:d9:6b:76:80:15:4b:ba: + fd:55:20:cc:b2:99:85:57:60:11:97:c5:e7:28:50:a6:17:af: + 
d2:bd:1b:7e:06:48:7f:63:dc:70:f8:3f:22:9f:41:a1:66:f5: + a7:81:99:cb:07:0e:8a:9a:bb:12:f6:c0:fe:59:0c:00:37:15: + b2:9d:f0:f9:93:d1:1a:b6:f8:0a:6b:bd:9e:92:32:45:f5:a2: + 44:f0:45:8d:1a:d0:10:b2:db:98:c4:c7:5e:c1:e8:f3:94:33: + 6c:06:f5:1a:cc:51:23:72:ae:37:2f:57:d4:f8:ac:1f:25:b4: + d3:bf:99:9b:ac:fc +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAQwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTgxNVoYDzIwNTIwMjAx +MTc1ODE1WjAiMSAwHgYDVQQDDBdzcnYwMy5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABEXbuRs3Zb+xoYpaOQCNShU7Q5q4L/+ofZmDqJzc +tsKqn/hRoQ4ulw+QEyJMi/H/PGvrkSl9TN98Bd2t6kpMrQrWb45RsIhYQogsFtRH +HbiPs04NEt9MFPYnID+UmiOBSKM+MDwwOgYDVR0RBDMwMYIXc3J2MDMuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAOHEP2ScGULjv//AAAAAAAAAAMwDQYJKoZIhvcNAQEL +BQADggGBAI+WiIKUdo6XtnWL6StP848UXFAAymeWni69UyUlQG3FVuYa9sv7WPyz +Vp38C+KOmX7o5q225+Y+ilnvPnak7XtY/aNLqk4R4Ve/sSOloQD4lQfIfe6sp8gk +7s/oxaSflifJR8F9Ed5m0G3RjeePoA9G2S5w85+sarA/Wtxw1Lml8/9cIVBdwqJG +JiUqL4qqev12MV/gJaPu3zbwqwWhXQ08aywd1cVznKBXH8Qm5tyhfCUIIWEo4rP1 +UYMgcxQZj0d5abwrIvIXYh2D90+pxFFo4KnXnxdq0v33BM6k9Y7rMbS/xi3aDHBu +DKV1IVQ89j02uIrYtnt3flQdn5GPAqbRLKcw0czm2Wt2gBVLuv1VIMyymYVXYBGX +xecoUKYXr9K9G34GSH9j3HD4PyKfQaFm9aeBmcsHDoqauxL2wP5ZDAA3FbKd8PmT +0Rq2+AprvZ6SMkX1okTwRY0a0BCy25jEx17B6POUM2wG9RrMUSNyrjcvV9T4rB8l +tNO/mZus/A== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.key b/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.key new file mode 100644 index 0000000000..5356fc14cc --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.key 
@@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDq5a0oiMxJiOdwaSmk +U2NPPJXOWPZVWpIGxB0kczGcCS6Xq0VinNqLe5YI9M1YwXehZANiAASeQ9fMKeGO +SzWhj7ePMA9Ws1t/wGKbIyFwsSvnc/nqOAFmS1JDMc8QaRW/awjzaQc/mbu4cNA7 +iSId8iVCWj5VkcP8tL7HLYZRFMSr/nxUNGfHXtuGhMxm61SvnX3czhg= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.pem b/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.pem new file mode 100644 index 0000000000..b4e2d22a88 --- /dev/null +++ b/bin/tests/system/doth/CA/certs/srv04.crt01.example.com.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207429 (0x6bb3183cdef52005) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:59:14 2022 GMT + Not After : Feb 1 17:59:14 2052 GMT + Subject: CN=srv04.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:9e:43:d7:cc:29:e1:8e:4b:35:a1:8f:b7:8f:30: + 0f:56:b3:5b:7f:c0:62:9b:23:21:70:b1:2b:e7:73: + f9:ea:38:01:66:4b:52:43:31:cf:10:69:15:bf:6b: + 08:f3:69:07:3f:99:bb:b8:70:d0:3b:89:22:1d:f2: + 25:42:5a:3e:55:91:c3:fc:b4:be:c7:2d:86:51:14: + c4:ab:fe:7c:54:34:67:c7:5e:db:86:84:cc:66:eb: + 54:af:9d:7d:dc:ce:18 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv04.crt01.example.com, IP Address:10.53.0.4, IP Address:FD92:7065:B8E:FFFF:0:0:0:4 + Signature Algorithm: sha256WithRSAEncryption + 48:b5:38:59:79:e6:51:a6:ea:80:d7:d1:3c:29:03:70:31:e4: + 43:b4:e3:09:e7:e1:37:8c:d0:0f:2a:19:7a:f2:5a:6d:76:cd: + 17:7a:66:1c:3e:74:56:24:b8:29:06:55:b2:1c:af:9a:42:05: + 93:a4:70:cb:a5:68:85:ab:71:53:da:d9:29:a3:f4:2a:1e:df: + 0c:ec:7d:52:55:fa:9b:e6:a0:18:d5:4c:da:e6:d2:60:da:bc: + 09:5b:13:53:6d:c7:d2:30:b9:a8:a5:02:7f:a3:66:28:34:93: + de:55:a0:de:b5:c8:dc:43:7b:b9:03:06:1f:ce:8c:5f:82:d8: + af:40:56:ce:f8:b9:d4:73:1c:ae:c9:cb:1d:0f:a2:52:71:9b: + 8b:05:f4:d6:0b:1e:a8:db:0f:29:a0:43:b5:2f:56:09:d8:68: + 58:9c:e5:6a:df:38:91:56:9d:44:e5:d2:ca:9a:b1:41:a1:01: + 0c:68:a0:f5:0a:f7:98:4f:d5:a0:6f:99:59:a0:e0:cb:49:57: + 26:20:09:5a:fa:c2:75:40:f6:1b:6a:ac:55:47:50:8d:38:81: + 61:79:44:e7:d5:d1:b3:c7:3b:db:ec:44:59:ef:e1:82:31:a3: + 38:4c:de:40:11:31:52:8b:bb:1c:af:be:ce:c5:2b:f5:0d:c0: + 60:13:fb:7e:da:22:41:d4:85:5e:4d:ba:db:f8:f7:26:61:32: + 26:fe:fe:9e:37:a3:cc:25:3b:3c:c8:b5:a7:a5:5c:d9:4d:8f: + 
a8:f2:86:98:79:b3:00:08:0f:f2:c9:1f:c6:3f:07:ad:e4:a7: + 8d:86:3d:15:fa:5b:1a:0f:96:67:b6:0a:78:0a:bb:6e:05:a6: + 54:29:48:b4:f9:48:0d:7f:f0:13:65:32:2f:c5:ee:ab:b8:e8: + 0d:b2:f9:c9:96:d2:cf:51:a2:64:3c:58:0f:65:6f:c6:99:93: + 76:2c:42:08:d9:f3:f3:13:cd:41:b6:67:8f:1d:9a:2f:da:93: + 3d:26:4c:9a:11:c1 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAUwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTkxNFoYDzIwNTIwMjAx +MTc1OTE0WjAiMSAwHgYDVQQDDBdzcnYwNC5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABJ5D18wp4Y5LNaGPt48wD1azW3/AYpsjIXCxK+dz ++eo4AWZLUkMxzxBpFb9rCPNpBz+Zu7hw0DuJIh3yJUJaPlWRw/y0vscthlEUxKv+ +fFQ0Z8de24aEzGbrVK+dfdzOGKM+MDwwOgYDVR0RBDMwMYIXc3J2MDQuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AASHEP2ScGULjv//AAAAAAAAAAQwDQYJKoZIhvcNAQEL +BQADggGBAEi1OFl55lGm6oDX0TwpA3Ax5EO04wnn4TeM0A8qGXryWm12zRd6Zhw+ +dFYkuCkGVbIcr5pCBZOkcMulaIWrcVPa2Smj9Coe3wzsfVJV+pvmoBjVTNrm0mDa +vAlbE1Ntx9IwuailAn+jZig0k95VoN61yNxDe7kDBh/OjF+C2K9AVs74udRzHK7J +yx0PolJxm4sF9NYLHqjbDymgQ7UvVgnYaFic5WrfOJFWnUTl0sqasUGhAQxooPUK +95hP1aBvmVmg4MtJVyYgCVr6wnVA9htqrFVHUI04gWF5ROfV0bPHO9vsRFnv4YIx +ozhM3kARMVKLuxyvvs7FK/UNwGAT+37aIkHUhV5Nutv49yZhMib+/p43o8wlOzzI +taelXNlNj6jyhph5swAID/LJH8Y/B63kp42GPRX6WxoPlme2CngKu24FplQpSLT5 +SA1/8BNlMi/F7qu46A2y+cmW0s9RomQ8WA9lb8aZk3YsQgjZ8/MTzUG2Z48dmi/a +kz0mTJoRwQ== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/index.txt b/bin/tests/system/doth/CA/index.txt new file mode 100644 index 0000000000..230127d72b --- /dev/null +++ b/bin/tests/system/doth/CA/index.txt 
@@ -0,0 +1,9 @@ +V 20520201171852Z 6BB3183CDEF52001 unknown /CN=srv01.crt01.example.com +V 20520201172143Z 6BB3183CDEF52002 unknown /CN=srv01.crt02-no-san.example.com +V 20520201175759Z 6BB3183CDEF52003 unknown /CN=srv02.crt01.example.com +V 20520201175815Z 6BB3183CDEF52004 unknown /CN=srv03.crt01.example.com +V 20520201175914Z 6BB3183CDEF52005 unknown /CN=srv04.crt01.example.com +V 120815090000Z 6BB3183CDEF52006 unknown /CN=srv01.crt03-expired.example.com +V 20520203174420Z 6BB3183CDEF52007 unknown /CN=srv01.client01.example.com +V 20520204132112Z 6BB3183CDEF52008 unknown /CN=srv01.client02-ns2.example.com +V 120814060000Z 6BB3183CDEF52009 unknown /CN=srv01.client03-ns2-expired.example.com diff --git a/bin/tests/system/doth/CA/index.txt.attr b/bin/tests/system/doth/CA/index.txt.attr new file mode 100644 index 0000000000..8f7e63a347 --- /dev/null +++ b/bin/tests/system/doth/CA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52001.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52001.pem new file mode 100644 index 0000000000..8671dd3a77 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52001.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207425 (0x6bb3183cdef52001) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:18:52 2022 GMT + Not After : Feb 1 17:18:52 2052 GMT + Subject: CN=srv01.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:12:a1:7b:0f:79:f2:29:f5:8f:6a:06:d0:28:83: + 14:43:8f:19:4c:29:91:36:30:0f:06:a6:56:e7:57: + 9b:58:2c:9e:fc:9c:a3:4e:f6:e3:6f:90:40:d5:09: + fd:94:96:8e:14:68:74:6f:e8:a7:a7:ab:8c:35:96: + f2:d6:8f:5d:97:5d:d1:b9:22:5b:ef:31:15:a1:e1: + eb:6d:6f:af:b1:2f:80:e5:a5:a9:38:f2:6f:f9:65: + 14:70:a7:a5:ac:e1:1a + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt01.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 79:0f:08:ab:18:cc:f9:7a:bd:47:21:99:a1:a3:76:04:7f:d7: + 08:33:91:49:3d:2d:fc:8d:ff:c5:c1:8d:b8:70:05:65:32:cd: + e2:26:21:49:19:66:a2:94:4f:42:7d:83:3c:4f:ed:c1:87:89: + 5b:73:2c:64:64:67:29:f5:73:83:23:72:b7:a8:2e:d6:9a:de: + 13:0c:ba:35:d3:38:b1:c4:51:7d:81:fc:25:ca:a6:d9:d2:fa: + bb:6d:1f:a4:61:90:50:2d:8a:ed:70:1a:eb:56:2f:fc:7b:f3: + 76:df:68:8d:e8:a4:7d:82:b9:5c:c6:cb:d8:06:f7:78:dc:a7: + 94:35:d4:83:98:28:51:36:1c:73:47:e4:5b:32:d2:cd:de:1c: + 44:f6:de:37:8a:46:d0:14:8d:71:e5:10:22:b1:f9:73:f7:1b: + 4f:82:e1:a1:00:73:18:17:71:a2:bf:a2:0c:59:aa:43:58:46: + 82:f8:38:c4:5a:5a:9f:13:d7:a9:54:1f:58:9b:5d:52:16:d3: + a0:ba:6b:aa:cf:68:3a:d1:12:9c:94:ac:78:6b:7e:bc:69:6c: + 75:07:5d:fb:68:cd:e8:8d:bb:8c:b0:7c:6c:9e:f6:a5:7c:32: + 74:ef:c5:b1:1f:1d:ec:7b:2f:79:c0:3b:52:60:9b:48:89:09: + b4:46:34:69:d3:7b:1b:15:ef:0c:dd:64:1d:58:fe:a7:0b:b1: + 9d:28:1f:1e:9e:3c:c0:b1:a6:38:ab:9d:54:24:0e:75:6c:9e: + 
90:13:b9:39:dc:43:fe:37:e3:14:0f:78:7e:2b:56:a2:d2:60: + 51:57:88:3b:4c:cf:24:67:36:77:21:bb:c8:07:eb:48:f7:b0: + 1e:e4:99:61:84:15:bb:61:3a:21:55:df:31:43:67:73:8f:6b: + e9:04:83:be:2d:8b:94:39:89:cf:40:d5:04:f7:6b:c9:c6:8c: + 6e:36:0f:5d:7a:9b:57:86:36:76:2c:75:35:47:50:ed:9a:84: + 7e:37:83:b5:21:a2 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAEwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3MTg1MloYDzIwNTIwMjAx +MTcxODUyWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABBKhew958in1j2oG0CiDFEOPGUwpkTYwDwamVudX +m1gsnvyco07242+QQNUJ/ZSWjhRodG/op6erjDWW8taPXZdd0bkiW+8xFaHh621v +r7EvgOWlqTjyb/llFHCnpazhGqM+MDwwOgYDVR0RBDMwMYIXc3J2MDEuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAGHEP2ScGULjv//AAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggGBAHkPCKsYzPl6vUchmaGjdgR/1wgzkUk9LfyN/8XBjbhwBWUyzeImIUkZ +ZqKUT0J9gzxP7cGHiVtzLGRkZyn1c4MjcreoLtaa3hMMujXTOLHEUX2B/CXKptnS ++rttH6RhkFAtiu1wGutWL/x783bfaI3opH2CuVzGy9gG93jcp5Q11IOYKFE2HHNH +5Fsy0s3eHET23jeKRtAUjXHlECKx+XP3G0+C4aEAcxgXcaK/ogxZqkNYRoL4OMRa +Wp8T16lUH1ibXVIW06C6a6rPaDrREpyUrHhrfrxpbHUHXftozeiNu4ywfGye9qV8 +MnTvxbEfHex7L3nAO1Jgm0iJCbRGNGnTexsV7wzdZB1Y/qcLsZ0oHx6ePMCxpjir +nVQkDnVsnpATuTncQ/434xQPeH4rVqLSYFFXiDtMzyRnNnchu8gH60j3sB7kmWGE +FbthOiFV3zFDZ3OPa+kEg74ti5Q5ic9A1QT3a8nGjG42D116m1eGNnYsdTVHUO2a +hH43g7Uhog== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52002.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52002.pem new file mode 100644 index 0000000000..65f0f9ff18 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52002.pem 
@@ -0,0 +1,64 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 7760573232607207426 (0x6bb3183cdef52002) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:21:43 2022 GMT + Not After : Feb 1 17:21:43 2052 GMT + Subject: CN=srv01.crt02-no-san.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:a3:2d:33:fd:92:90:dc:03:ef:36:f9:a4:a8:90: + f1:47:69:be:e8:8e:65:08:da:e5:b3:82:63:1c:af: + 9a:37:b4:75:7c:ce:46:fb:19:17:bc:90:72:4f:74: + b6:45:39:f7:96:b3:44:85:1c:ad:6a:db:a4:76:86: + ee:8e:27:3d:f7:61:78:df:e1:04:8a:eb:91:8b:01: + 67:b6:69:32:54:50:1c:56:86:da:2f:ef:e4:3d:94: + ba:f7:5b:02:14:b5:13 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + Signature Algorithm: sha256WithRSAEncryption + 07:20:2a:a6:7a:52:52:ba:1e:b7:79:cf:e6:11:9c:ca:3f:43: + 2b:f3:d7:2e:74:74:57:81:a1:aa:e6:68:c9:fd:d1:a8:a6:5b: + a2:ff:ea:f7:f0:b7:46:dc:a0:5a:64:5f:ce:e7:0f:76:63:14: + 6d:c2:51:4b:30:ea:51:7e:4a:1b:d3:b2:f8:c2:3d:3f:c1:bf: + ad:db:4d:f8:28:31:e7:75:ae:84:37:90:00:e5:0b:6b:dc:23: + 98:69:d5:ef:ce:e2:0d:e7:19:f1:31:01:1f:2a:6c:23:a3:94: + 62:7a:bf:b3:b0:13:d0:62:fc:a5:a6:0d:52:bb:f4:31:ff:f3: + ce:3a:74:66:30:7f:29:04:8d:34:90:7a:9b:8f:da:82:2e:5c: + 81:dd:af:fa:3a:a1:4e:bb:0a:4c:62:01:40:39:67:9c:29:27: + 6e:2f:76:81:2d:33:68:ee:ee:ed:00:7f:12:7a:af:43:00:7b: + 2d:34:8a:26:9a:66:1c:e5:96:17:7c:f8:6d:1e:8c:17:39:ce: + 4f:0b:9e:40:72:e1:5e:33:3f:9e:84:b5:07:f5:ab:58:d7:37: + ed:d0:29:ad:ce:02:0d:fa:6f:96:a9:0e:6c:6e:32:d2:dc:11: + 23:a3:4a:60:54:b4:98:31:db:8f:4b:4c:58:64:39:4f:ff:27: + d0:02:e5:cc:b2:17:e8:46:dc:aa:cb:dc:3d:ed:14:52:ec:6d: + a6:cd:04:2f:fd:54:16:6c:7e:63:34:17:f1:1d:b8:37:dd:20: + 6c:f6:21:19:6f:bb:62:dd:bc:6c:41:34:ad:b1:90:eb:2a:e0: + 63:ea:70:60:6a:02:e8:fe:46:51:b1:9d:3c:54:54:73:25:b7: + 41:d1:4c:34:aa:88:48:b8:01:21:ae:d8:d3:06:38:05:65:78: + 
e7:38:f0:f6:e6:2e:61:c0:42:5e:3b:09:59:eb:09:48:4d:55: + 7c:af:f4:de:c1:09:a0:b4:60:f7:9e:a2:d5:46:fc:05:61:69: + e0:c1:2d:26:dc:42 +-----BEGIN CERTIFICATE----- +MIIC9TCCAV0CCGuzGDze9SACMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAlVB +MRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJraXYxJDAi +BgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UEAwwTY2Eu +dGVzdC5leGFtcGxlLmNvbTAgFw0yMjAyMDgxNzIxNDNaGA8yMDUyMDIwMTE3MjE0 +M1owKTEnMCUGA1UEAwwec3J2MDEuY3J0MDItbm8tc2FuLmV4YW1wbGUuY29tMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEoy0z/ZKQ3APvNvmkqJDxR2m+6I5lCNrls4Jj +HK+aN7R1fM5G+xkXvJByT3S2RTn3lrNEhRytatukdobujic992F43+EEiuuRiwFn +tmkyVFAcVobaL+/kPZS691sCFLUTMA0GCSqGSIb3DQEBCwUAA4IBgQAHICqmelJS +uh63ec/mEZzKP0Mr89cudHRXgaGq5mjJ/dGoplui/+r38LdG3KBaZF/O5w92YxRt +wlFLMOpRfkob07L4wj0/wb+t2034KDHnda6EN5AA5Qtr3COYadXvzuIN5xnxMQEf +Kmwjo5Rier+zsBPQYvylpg1Su/Qx//POOnRmMH8pBI00kHqbj9qCLlyB3a/6OqFO +uwpMYgFAOWecKSduL3aBLTNo7u7tAH8Seq9DAHstNIommmYc5ZYXfPhtHowXOc5P +C55AcuFeMz+ehLUH9atY1zft0CmtzgIN+m+WqQ5sbjLS3BEjo0pgVLSYMduPS0xY +ZDlP/yfQAuXMshfoRtyqy9w97RRS7G2mzQQv/VQWbH5jNBfxHbg33SBs9iEZb7ti +3bxsQTStsZDrKuBj6nBgagLo/kZRsZ08VFRzJbdB0Uw0qohIuAEhrtjTBjgFZXjn +OPD25i5hwEJeOwlZ6wlITVV8r/TewQmgtGD3nqLVRvwFYWngwS0m3EI= +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52003.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52003.pem new file mode 100644 index 0000000000..d061c2c754 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52003.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207427 (0x6bb3183cdef52003) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:57:59 2022 GMT + Not After : Feb 1 17:57:59 2052 GMT + Subject: CN=srv02.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:43:d4:fb:cc:b8:88:60:95:16:aa:2a:d0:31:96: + cb:3e:a8:5c:e4:76:ac:c1:bf:cd:3b:65:85:bb:2c: + cb:fa:c3:48:3c:83:c8:08:ee:dc:59:15:97:22:b8: + 42:17:8c:75:09:f9:3e:b6:9c:f2:c5:db:5d:b6:8a: + 6a:43:48:0a:a2:dd:13:c2:36:e4:73:b3:64:54:79: + bb:f8:d4:7e:48:f4:05:be:0c:77:63:01:fe:4f:30: + b0:aa:62:bc:f2:ed:f9 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.com, IP Address:10.53.0.2, IP Address:FD92:7065:B8E:FFFF:0:0:0:2 + Signature Algorithm: sha256WithRSAEncryption + 89:ba:ae:4f:f8:3e:da:48:1f:5c:8f:ff:ee:d8:42:b0:0b:9b: + f1:b5:e2:90:c9:76:40:09:77:a3:31:d5:73:8f:eb:7d:69:94: + 1c:2b:10:31:da:d4:0c:29:e7:80:4e:61:53:ba:15:9d:e1:e8: + 0c:0d:19:77:2b:a8:74:46:e3:03:ae:ab:96:ea:af:80:c3:18: + e0:93:8e:e9:58:0e:79:47:98:a4:06:95:6b:8f:2c:d1:f7:29: + b1:98:85:e8:a4:9c:45:52:ad:c8:60:20:dc:3a:6a:40:78:15: + d1:b4:d0:c3:c5:f3:ac:fe:ec:d3:94:ef:66:0b:d7:8c:46:f3: + 62:30:c4:c2:78:65:de:40:4e:d8:26:84:8e:18:a7:71:f2:b7: + 65:d8:d0:c2:c8:e6:a0:fb:ea:01:de:2f:03:8a:50:3d:f6:6c: + 0b:ef:ce:f5:25:1f:80:54:3e:c2:6d:2c:d3:2b:bd:23:b7:3b: + 82:6b:91:7f:ea:ff:e6:11:37:d3:f0:d4:db:9f:32:ac:12:cc: + ec:25:25:81:58:16:18:90:73:c3:ad:7c:09:a7:08:99:16:ce: + e8:6c:4b:9a:e6:09:96:11:c2:f1:cf:19:43:a6:a6:81:f2:57: + 21:fa:b1:91:58:39:76:17:89:32:4c:4b:df:fa:59:03:b2:32: + b4:b3:95:89:af:f4:5e:94:b1:df:e9:bf:21:73:14:06:5d:08: + 1e:0f:d2:84:14:44:20:91:19:72:b9:38:0b:3c:2e:4f:ea:3a: + 
9b:ef:93:61:e7:36:82:df:49:e2:d7:45:ea:87:45:1d:74:36: + 18:f4:aa:30:d5:65:da:1f:c7:98:61:ab:64:2a:49:98:64:a1: + 8c:33:3a:a5:97:4a:69:a6:9d:6f:00:b9:6b:81:8d:09:0f:98: + 63:0f:85:ae:e4:21:70:a3:da:5a:27:eb:df:6d:82:ac:bb:48: + 6b:01:4e:36:95:5a:d3:f0:b9:30:43:72:87:af:41:7a:30:13: + f2:92:15:f1:69:e7 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAMwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTc1OVoYDzIwNTIwMjAx +MTc1NzU5WjAiMSAwHgYDVQQDDBdzcnYwMi5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABEPU+8y4iGCVFqoq0DGWyz6oXOR2rMG/zTtlhbss +y/rDSDyDyAju3FkVlyK4QheMdQn5Prac8sXbXbaKakNICqLdE8I25HOzZFR5u/jU +fkj0Bb4Md2MB/k8wsKpivPLt+aM+MDwwOgYDVR0RBDMwMYIXc3J2MDIuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAKHEP2ScGULjv//AAAAAAAAAAIwDQYJKoZIhvcNAQEL +BQADggGBAIm6rk/4PtpIH1yP/+7YQrALm/G14pDJdkAJd6Mx1XOP631plBwrEDHa +1Awp54BOYVO6FZ3h6AwNGXcrqHRG4wOuq5bqr4DDGOCTjulYDnlHmKQGlWuPLNH3 +KbGYheiknEVSrchgINw6akB4FdG00MPF86z+7NOU72YL14xG82IwxMJ4Zd5ATtgm +hI4Yp3Hyt2XY0MLI5qD76gHeLwOKUD32bAvvzvUlH4BUPsJtLNMrvSO3O4JrkX/q +/+YRN9Pw1NufMqwSzOwlJYFYFhiQc8OtfAmnCJkWzuhsS5rmCZYRwvHPGUOmpoHy +VyH6sZFYOXYXiTJMS9/6WQOyMrSzlYmv9F6Usd/pvyFzFAZdCB4P0oQURCCRGXK5 +OAs8Lk/qOpvvk2HnNoLfSeLXReqHRR10Nhj0qjDVZdofx5hhq2QqSZhkoYwzOqWX +SmmmnW8AuWuBjQkPmGMPha7kIXCj2lon699tgqy7SGsBTjaVWtPwuTBDcoevQXow +E/KSFfFp5w== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52004.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52004.pem new file mode 100644 index 0000000000..39b48eeb40 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52004.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207428 (0x6bb3183cdef52004) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:58:15 2022 GMT + Not After : Feb 1 17:58:15 2052 GMT + Subject: CN=srv03.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:45:db:b9:1b:37:65:bf:b1:a1:8a:5a:39:00:8d: + 4a:15:3b:43:9a:b8:2f:ff:a8:7d:99:83:a8:9c:dc: + b6:c2:aa:9f:f8:51:a1:0e:2e:97:0f:90:13:22:4c: + 8b:f1:ff:3c:6b:eb:91:29:7d:4c:df:7c:05:dd:ad: + ea:4a:4c:ad:0a:d6:6f:8e:51:b0:88:58:42:88:2c: + 16:d4:47:1d:b8:8f:b3:4e:0d:12:df:4c:14:f6:27: + 20:3f:94:9a:23:81:48 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01.example.com, IP Address:10.53.0.3, IP Address:FD92:7065:B8E:FFFF:0:0:0:3 + Signature Algorithm: sha256WithRSAEncryption + 8f:96:88:82:94:76:8e:97:b6:75:8b:e9:2b:4f:f3:8f:14:5c: + 50:00:ca:67:96:9e:2e:bd:53:25:25:40:6d:c5:56:e6:1a:f6: + cb:fb:58:fc:b3:56:9d:fc:0b:e2:8e:99:7e:e8:e6:ad:b6:e7: + e6:3e:8a:59:ef:3e:76:a4:ed:7b:58:fd:a3:4b:aa:4e:11:e1: + 57:bf:b1:23:a5:a1:00:f8:95:07:c8:7d:ee:ac:a7:c8:24:ee: + cf:e8:c5:a4:9f:96:27:c9:47:c1:7d:11:de:66:d0:6d:d1:8d: + e7:8f:a0:0f:46:d9:2e:70:f3:9f:ac:6a:b0:3f:5a:dc:70:d4: + b9:a5:f3:ff:5c:21:50:5d:c2:a2:46:26:25:2a:2f:8a:aa:7a: + fd:76:31:5f:e0:25:a3:ee:df:36:f0:ab:05:a1:5d:0d:3c:6b: + 2c:1d:d5:c5:73:9c:a0:57:1f:c4:26:e6:dc:a1:7c:25:08:21: + 61:28:e2:b3:f5:51:83:20:73:14:19:8f:47:79:69:bc:2b:22: + f2:17:62:1d:83:f7:4f:a9:c4:51:68:e0:a9:d7:9f:17:6a:d2: + fd:f7:04:ce:a4:f5:8e:eb:31:b4:bf:c6:2d:da:0c:70:6e:0c: + a5:75:21:54:3c:f6:3d:36:b8:8a:d8:b6:7b:77:7e:54:1d:9f: + 91:8f:02:a6:d1:2c:a7:30:d1:cc:e6:d9:6b:76:80:15:4b:ba: + fd:55:20:cc:b2:99:85:57:60:11:97:c5:e7:28:50:a6:17:af: + 
d2:bd:1b:7e:06:48:7f:63:dc:70:f8:3f:22:9f:41:a1:66:f5: + a7:81:99:cb:07:0e:8a:9a:bb:12:f6:c0:fe:59:0c:00:37:15: + b2:9d:f0:f9:93:d1:1a:b6:f8:0a:6b:bd:9e:92:32:45:f5:a2: + 44:f0:45:8d:1a:d0:10:b2:db:98:c4:c7:5e:c1:e8:f3:94:33: + 6c:06:f5:1a:cc:51:23:72:ae:37:2f:57:d4:f8:ac:1f:25:b4: + d3:bf:99:9b:ac:fc +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAQwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTgxNVoYDzIwNTIwMjAx +MTc1ODE1WjAiMSAwHgYDVQQDDBdzcnYwMy5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABEXbuRs3Zb+xoYpaOQCNShU7Q5q4L/+ofZmDqJzc +tsKqn/hRoQ4ulw+QEyJMi/H/PGvrkSl9TN98Bd2t6kpMrQrWb45RsIhYQogsFtRH +HbiPs04NEt9MFPYnID+UmiOBSKM+MDwwOgYDVR0RBDMwMYIXc3J2MDMuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AAOHEP2ScGULjv//AAAAAAAAAAMwDQYJKoZIhvcNAQEL +BQADggGBAI+WiIKUdo6XtnWL6StP848UXFAAymeWni69UyUlQG3FVuYa9sv7WPyz +Vp38C+KOmX7o5q225+Y+ilnvPnak7XtY/aNLqk4R4Ve/sSOloQD4lQfIfe6sp8gk +7s/oxaSflifJR8F9Ed5m0G3RjeePoA9G2S5w85+sarA/Wtxw1Lml8/9cIVBdwqJG +JiUqL4qqev12MV/gJaPu3zbwqwWhXQ08aywd1cVznKBXH8Qm5tyhfCUIIWEo4rP1 +UYMgcxQZj0d5abwrIvIXYh2D90+pxFFo4KnXnxdq0v33BM6k9Y7rMbS/xi3aDHBu +DKV1IVQ89j02uIrYtnt3flQdn5GPAqbRLKcw0czm2Wt2gBVLuv1VIMyymYVXYBGX +xecoUKYXr9K9G34GSH9j3HD4PyKfQaFm9aeBmcsHDoqauxL2wP5ZDAA3FbKd8PmT +0Rq2+AprvZ6SMkX1okTwRY0a0BCy25jEx17B6POUM2wG9RrMUSNyrjcvV9T4rB8l +tNO/mZus/A== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52005.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52005.pem new file mode 100644 index 0000000000..b4e2d22a88 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52005.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207429 (0x6bb3183cdef52005) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 8 17:59:14 2022 GMT + Not After : Feb 1 17:59:14 2052 GMT + Subject: CN=srv04.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:9e:43:d7:cc:29:e1:8e:4b:35:a1:8f:b7:8f:30: + 0f:56:b3:5b:7f:c0:62:9b:23:21:70:b1:2b:e7:73: + f9:ea:38:01:66:4b:52:43:31:cf:10:69:15:bf:6b: + 08:f3:69:07:3f:99:bb:b8:70:d0:3b:89:22:1d:f2: + 25:42:5a:3e:55:91:c3:fc:b4:be:c7:2d:86:51:14: + c4:ab:fe:7c:54:34:67:c7:5e:db:86:84:cc:66:eb: + 54:af:9d:7d:dc:ce:18 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv04.crt01.example.com, IP Address:10.53.0.4, IP Address:FD92:7065:B8E:FFFF:0:0:0:4 + Signature Algorithm: sha256WithRSAEncryption + 48:b5:38:59:79:e6:51:a6:ea:80:d7:d1:3c:29:03:70:31:e4: + 43:b4:e3:09:e7:e1:37:8c:d0:0f:2a:19:7a:f2:5a:6d:76:cd: + 17:7a:66:1c:3e:74:56:24:b8:29:06:55:b2:1c:af:9a:42:05: + 93:a4:70:cb:a5:68:85:ab:71:53:da:d9:29:a3:f4:2a:1e:df: + 0c:ec:7d:52:55:fa:9b:e6:a0:18:d5:4c:da:e6:d2:60:da:bc: + 09:5b:13:53:6d:c7:d2:30:b9:a8:a5:02:7f:a3:66:28:34:93: + de:55:a0:de:b5:c8:dc:43:7b:b9:03:06:1f:ce:8c:5f:82:d8: + af:40:56:ce:f8:b9:d4:73:1c:ae:c9:cb:1d:0f:a2:52:71:9b: + 8b:05:f4:d6:0b:1e:a8:db:0f:29:a0:43:b5:2f:56:09:d8:68: + 58:9c:e5:6a:df:38:91:56:9d:44:e5:d2:ca:9a:b1:41:a1:01: + 0c:68:a0:f5:0a:f7:98:4f:d5:a0:6f:99:59:a0:e0:cb:49:57: + 26:20:09:5a:fa:c2:75:40:f6:1b:6a:ac:55:47:50:8d:38:81: + 61:79:44:e7:d5:d1:b3:c7:3b:db:ec:44:59:ef:e1:82:31:a3: + 38:4c:de:40:11:31:52:8b:bb:1c:af:be:ce:c5:2b:f5:0d:c0: + 60:13:fb:7e:da:22:41:d4:85:5e:4d:ba:db:f8:f7:26:61:32: + 26:fe:fe:9e:37:a3:cc:25:3b:3c:c8:b5:a7:a5:5c:d9:4d:8f: + 
a8:f2:86:98:79:b3:00:08:0f:f2:c9:1f:c6:3f:07:ad:e4:a7: + 8d:86:3d:15:fa:5b:1a:0f:96:67:b6:0a:78:0a:bb:6e:05:a6: + 54:29:48:b4:f9:48:0d:7f:f0:13:65:32:2f:c5:ee:ab:b8:e8: + 0d:b2:f9:c9:96:d2:cf:51:a2:64:3c:58:0f:65:6f:c6:99:93: + 76:2c:42:08:d9:f3:f3:13:cd:41:b6:67:8f:1d:9a:2f:da:93: + 3d:26:4c:9a:11:c1 +-----BEGIN CERTIFICATE----- +MIIDMzCCAZugAwIBAgIIa7MYPN71IAUwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTkxNFoYDzIwNTIwMjAx +MTc1OTE0WjAiMSAwHgYDVQQDDBdzcnYwNC5jcnQwMS5leGFtcGxlLmNvbTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABJ5D18wp4Y5LNaGPt48wD1azW3/AYpsjIXCxK+dz ++eo4AWZLUkMxzxBpFb9rCPNpBz+Zu7hw0DuJIh3yJUJaPlWRw/y0vscthlEUxKv+ +fFQ0Z8de24aEzGbrVK+dfdzOGKM+MDwwOgYDVR0RBDMwMYIXc3J2MDQuY3J0MDEu +ZXhhbXBsZS5jb22HBAo1AASHEP2ScGULjv//AAAAAAAAAAQwDQYJKoZIhvcNAQEL +BQADggGBAEi1OFl55lGm6oDX0TwpA3Ax5EO04wnn4TeM0A8qGXryWm12zRd6Zhw+ +dFYkuCkGVbIcr5pCBZOkcMulaIWrcVPa2Smj9Coe3wzsfVJV+pvmoBjVTNrm0mDa +vAlbE1Ntx9IwuailAn+jZig0k95VoN61yNxDe7kDBh/OjF+C2K9AVs74udRzHK7J +yx0PolJxm4sF9NYLHqjbDymgQ7UvVgnYaFic5WrfOJFWnUTl0sqasUGhAQxooPUK +95hP1aBvmVmg4MtJVyYgCVr6wnVA9htqrFVHUI04gWF5ROfV0bPHO9vsRFnv4YIx +ozhM3kARMVKLuxyvvs7FK/UNwGAT+37aIkHUhV5Nutv49yZhMib+/p43o8wlOzzI +taelXNlNj6jyhph5swAID/LJH8Y/B63kp42GPRX6WxoPlme2CngKu24FplQpSLT5 +SA1/8BNlMi/F7qu46A2y+cmW0s9RomQ8WA9lb8aZk3YsQgjZ8/MTzUG2Z48dmi/a +kz0mTJoRwQ== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52006.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52006.pem new file mode 100644 index 0000000000..4befde4237 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52006.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207430 (0x6bb3183cdef52006) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Aug 15 08:00:00 2012 GMT + Not After : Aug 15 09:00:00 2012 GMT + Subject: CN=srv01.crt03-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:1f:d5:7b:ab:73:b2:70:15:fd:33:26:02:5c:76: + 16:80:0c:70:7d:57:83:75:ac:3c:b7:4a:02:46:35: + c1:1b:c1:7a:bd:be:f2:04:9a:7f:69:83:7f:54:9a: + 1b:10:62:d7:70:bd:ef:26:90:51:50:10:77:56:b7: + 1a:2f:44:5e:91:46:36:e1:2e:a4:4c:67:2e:62:a8: + 7f:1a:15:10:44:68:8b:18:ea:cf:b8:96:09:bf:b5: + 3a:d1:ef:10:8f:9f:bb + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt03-expired.example.com, IP Address:10.53.0.1, IP Address:FD92:7065:B8E:FFFF:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 25:35:08:f6:e7:f0:83:81:be:65:31:1b:78:a8:04:84:fe:6a: + 2a:1a:5d:c1:73:20:88:08:11:d8:27:be:a5:8e:3c:df:e2:a6: + 19:c5:41:40:ea:01:91:85:99:8d:17:4e:4d:9a:3c:03:f9:78: + 4c:8a:20:41:5e:96:d6:64:83:2f:b2:fe:e7:77:09:f9:91:bd: + 22:1a:57:8b:f6:24:bc:7b:48:2b:2e:14:b7:32:bd:46:91:99: + 5e:21:9a:d3:15:a7:27:e1:c0:3a:c7:f5:f9:94:3f:6d:14:7e: + 0b:02:bf:05:d9:ac:10:8a:7e:b0:37:36:cd:cb:4a:b4:e1:01: + c7:04:8d:83:f3:c6:79:ff:ff:6c:f0:a4:bf:3c:12:61:ea:15: + ac:30:62:26:e3:c3:4e:7d:5c:68:d8:88:de:35:8d:44:75:8c: + a8:c1:0d:07:67:b5:d0:42:43:41:1f:39:a0:47:35:46:d7:0f: + 89:aa:e8:d3:86:45:9a:fb:33:01:06:23:64:53:24:48:5b:69: + fa:cf:d9:81:fb:5e:7e:7b:82:65:56:c6:46:65:5c:e1:4f:f2: + 3c:09:3c:28:5f:c9:e3:a5:24:e3:7b:aa:b5:b1:8a:6a:b2:02: + 32:5f:24:05:f1:67:c8:54:17:0c:cd:ca:3d:e4:44:3e:23:3a: + 7c:63:b6:f9:61:3a:21:e7:8f:27:ad:c3:26:86:39:49:6c:41: + 40:7f:1d:48:69:8d:db:6f:42:e4:09:fe:24:62:bd:8e:2e:54: + 
25:f0:14:c2:d8:43:95:09:2e:5f:72:4f:43:b5:9a:8b:bb:8c: + 44:c6:77:c9:05:fb:1a:9f:d7:b6:a6:42:d9:5c:3d:a5:09:0f: + 9e:e0:c7:06:32:f1:ff:c9:53:5e:42:d4:2a:33:ad:06:ea:ec: + b0:26:d3:3c:ef:65:af:15:8e:7b:20:49:ad:f1:56:ef:17:6b: + fc:f4:d8:7c:82:9f:30:19:d0:bc:9c:79:e2:dc:9d:a7:f9:6b: + 6f:65:ae:21:a0:94 +-----BEGIN CERTIFICATE----- +MIIDQTCCAamgAwIBAgIIa7MYPN71IAYwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTEyMDgxNTA4MDAwMFoXDTEyMDgxNTA5 +MDAwMFowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDMtZXhwaXJlZC5leGFtcGxlLmNv +bTB2MBAGByqGSM49AgEGBSuBBAAiA2IABB/Ve6tzsnAV/TMmAlx2FoAMcH1Xg3Ws +PLdKAkY1wRvBer2+8gSaf2mDf1SaGxBi13C97yaQUVAQd1a3Gi9EXpFGNuEupExn +LmKofxoVEERoixjqz7iWCb+1OtHvEI+fu6NGMEQwQgYDVR0RBDswOYIfc3J2MDEu +Y3J0MDMtZXhwaXJlZC5leGFtcGxlLmNvbYcECjUAAYcQ/ZJwZQuO//8AAAAAAAAA +ATANBgkqhkiG9w0BAQsFAAOCAYEAJTUI9ufwg4G+ZTEbeKgEhP5qKhpdwXMgiAgR +2Ce+pY483+KmGcVBQOoBkYWZjRdOTZo8A/l4TIogQV6W1mSDL7L+53cJ+ZG9IhpX +i/YkvHtIKy4UtzK9RpGZXiGa0xWnJ+HAOsf1+ZQ/bRR+CwK/BdmsEIp+sDc2zctK +tOEBxwSNg/PGef//bPCkvzwSYeoVrDBiJuPDTn1caNiI3jWNRHWMqMENB2e10EJD +QR85oEc1RtcPiaro04ZFmvszAQYjZFMkSFtp+s/ZgftefnuCZVbGRmVc4U/yPAk8 +KF/J46Uk43uqtbGKarICMl8kBfFnyFQXDM3KPeREPiM6fGO2+WE6IeePJ63DJoY5 +SWxBQH8dSGmN229C5An+JGK9ji5UJfAUwthDlQkuX3JPQ7Wai7uMRMZ3yQX7Gp/X +tqZC2Vw9pQkPnuDHBjLx/8lTXkLUKjOtBurssCbTPO9lrxWOeyBJrfFW7xdr/PTY +fIKfMBnQvJx54tydp/lrb2WuIaCU +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52007.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52007.pem new file mode 100644 index 0000000000..0b4c115d1c --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52007.pem 
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207431 (0x6bb3183cdef52007) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 10 17:44:20 2022 GMT + Not After : Feb 3 17:44:20 2052 GMT + Subject: CN=srv01.client01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:5e:93:6a:7a:da:75:cc:64:08:e4:f8:f9:2f:2b: + 85:36:ee:e1:df:fa:cd:4c:60:f1:44:b5:16:7b:f9: + 03:cf:a0:08:67:6f:ae:27:a3:95:8a:68:1e:63:ab: + cf:2e:20:62:52:e7:8c:3e:1e:ef:de:0d:69:64:65: + b6:e4:df:fe:1a:48:f8:68:75:84:83:11:fb:81:59: + 0e:c1:96:48:7f:24:da:11:dd:ac:cb:0a:c5:09:78: + 24:31:3a:df:37:e6:b3 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client01.example.com + Signature Algorithm: sha256WithRSAEncryption + 82:bd:eb:8f:4e:a5:d2:46:c7:d8:70:3c:34:1d:58:43:1b:81: + 16:5d:c2:b0:76:4b:a9:f2:10:14:23:e4:ef:dc:59:03:b6:7f: + b0:40:34:e5:d0:82:4b:95:a6:07:9a:45:51:94:cf:08:c2:4e: + c9:44:d5:f3:b6:ed:f2:a0:01:94:ad:e0:0e:0f:ab:85:6f:35: + 4b:07:c8:97:25:fb:69:ff:a1:99:bc:ec:70:6c:51:b5:32:95: + e9:c9:45:cf:45:e2:c5:5e:b1:59:a2:e1:f2:83:c8:87:68:c4: + 60:e2:db:50:6c:18:64:1b:9a:9a:cc:7c:e7:fd:d9:f2:b7:d1: + de:1d:ec:29:c9:58:db:7b:9a:a1:06:9a:ce:36:a0:45:10:dc: + 7d:81:24:21:34:30:4c:71:f9:fc:96:37:d6:cf:0d:9d:11:12: + c7:62:bc:19:5b:79:e5:e0:37:e8:17:36:4b:13:af:fa:2c:2e: + 36:d9:be:53:e1:c3:f9:bc:94:a6:7a:97:14:99:36:f9:14:38: + 11:20:3a:2a:9d:fd:64:63:d0:a2:8f:f0:99:a9:02:ca:57:48: + d2:7d:65:44:b6:85:a0:38:ec:e8:19:7e:c2:48:e3:1d:22:53: + cf:3b:d4:0a:98:e1:72:62:ec:8b:01:3f:5a:ea:26:2c:8c:16: + c3:80:5a:c2:5d:40:c5:65:1c:e2:9a:e3:d6:65:16:ee:dc:17: + 30:d8:26:87:92:d0:ef:c7:72:07:99:86:05:9e:49:35:41:33: + b9:bb:cb:1b:25:50:70:85:e3:0f:c7:b9:b2:37:00:1b:87:a2: + 
47:97:34:5b:cd:dc:66:22:e5:de:25:ec:57:fe:37:75:2c:03: + 10:f4:d4:a7:cc:f5:4b:0b:ff:eb:d3:a6:78:2e:cd:8f:65:51: + a7:8c:ef:83:67:ec:94:13:c2:1f:74:74:55:7c:a3:0b:b7:2f: + 80:5a:62:04:1d:a2:c0:c1:de:b2:7d:31:3b:a1:fa:f7:40:a7: + bd:12:25:95:5b:8b +-----BEGIN CERTIFICATE----- +MIIDITCCAYmgAwIBAgIIa7MYPN71IAcwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIxMDE3NDQyMFoYDzIwNTIwMjAz +MTc0NDIwWjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLmNvbTB2 +MBAGByqGSM49AgEGBSuBBAAiA2IABF6TanradcxkCOT4+S8rhTbu4d/6zUxg8US1 +Fnv5A8+gCGdvriejlYpoHmOrzy4gYlLnjD4e794NaWRltuTf/hpI+Gh1hIMR+4FZ +DsGWSH8k2hHdrMsKxQl4JDE63zfms6MpMCcwJQYDVR0RBB4wHIIac3J2MDEuY2xp +ZW50MDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggGBAIK9649OpdJGx9hw +PDQdWEMbgRZdwrB2S6nyEBQj5O/cWQO2f7BANOXQgkuVpgeaRVGUzwjCTslE1fO2 +7fKgAZSt4A4Pq4VvNUsHyJcl+2n/oZm87HBsUbUylenJRc9F4sVesVmi4fKDyIdo +xGDi21BsGGQbmprMfOf92fK30d4d7CnJWNt7mqEGms42oEUQ3H2BJCE0MExx+fyW +N9bPDZ0REsdivBlbeeXgN+gXNksTr/osLjbZvlPhw/m8lKZ6lxSZNvkUOBEgOiqd +/WRj0KKP8JmpAspXSNJ9ZUS2haA47OgZfsJI4x0iU8871AqY4XJi7IsBP1rqJiyM +FsOAWsJdQMVlHOKa49ZlFu7cFzDYJoeS0O/HcgeZhgWeSTVBM7m7yxslUHCF4w/H +ubI3ABuHokeXNFvN3GYi5d4l7Ff+N3UsAxD01KfM9UsL/+vTpnguzY9lUaeM74Nn +7JQTwh90dFV8owu3L4BaYgQdosDB3rJ9MTuh+vdAp70SJZVbiw== +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52008.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52008.pem new file mode 100644 index 0000000000..1b43bbd293 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52008.pem 
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207432 (0x6bb3183cdef52008) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Feb 11 13:21:12 2022 GMT + Not After : Feb 4 13:21:12 2052 GMT + Subject: CN=srv01.client02-ns2.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:e6:45:fa:57:12:6c:59:10:23:8b:7a:5c:76:33: + eb:3b:41:fa:b7:1c:90:b3:2f:33:2d:45:7b:e3:e5: + b6:a5:a2:a2:a4:14:f4:50:9d:b0:c6:38:ba:e9:45: + 65:a4:65:b9:10:32:2f:93:9b:d5:d8:cf:b4:29:5b: + dc:4e:c8:ec:a6:9f:58:76:24:f4:c5:d1:48:55:52: + eb:5d:b0:85:93:85:ee:3e:b8:c4:b1:cd:08:59:95: + 12:ff:7b:9b:ee:6a:b9 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client02-ns2.example.com + Signature Algorithm: sha256WithRSAEncryption + 43:ec:0f:62:17:f6:f4:90:3b:7c:36:21:f2:18:94:a6:42:51: + 1e:1d:2a:43:8f:05:b7:8d:3c:ca:f0:20:2f:65:4b:be:48:ad: + 6a:0a:cc:2d:1f:d6:27:1d:af:4a:36:86:ed:0d:03:75:c5:71: + ec:58:9b:ec:f9:0f:e4:83:ef:6f:91:da:20:73:47:ac:e7:c7: + 8b:22:b2:d1:6e:a0:b0:d6:1c:4c:70:1e:74:08:1d:7f:61:06: + e5:be:f3:e8:c4:15:60:e2:b0:02:9b:f0:13:af:76:5b:a8:c7: + 91:2c:10:5f:0d:32:89:51:5a:7f:17:1b:7c:c6:46:97:ee:e7: + bb:8a:48:38:a2:52:d4:ff:3b:1c:ec:4a:a9:8c:a5:23:3a:04: + bb:d7:b8:ad:5b:69:7f:1d:be:ca:96:e0:eb:56:05:43:ee:c8: + ff:2c:48:03:00:c6:c2:ac:fc:4e:15:47:86:c5:33:ed:70:f6: + 98:bc:0b:07:b9:5b:1a:ec:fd:3c:bf:26:61:68:fc:db:02:55: + 07:ae:76:0e:be:ff:c5:b8:56:fb:52:54:a4:b1:2d:64:b4:1d: + 55:02:4f:da:06:bd:26:e4:22:d2:94:1f:7e:29:c4:97:10:d1: + 75:7d:41:53:be:46:52:70:b1:d9:ff:bb:9f:96:19:e3:a0:ba: + d0:4a:5a:8d:da:22:73:89:f0:4c:e6:18:80:53:be:bd:64:56: + 6a:c9:58:71:40:66:9e:4a:3e:31:3b:74:9e:6e:6a:f5:65:ca: + 93:06:52:00:74:65:a0:3a:eb:2e:56:56:d2:a5:4b:0e:85:17: + 
25:78:cb:f3:f9:53:7b:85:f9:82:15:87:bc:36:70:b5:69:64: + 48:11:79:b9:2c:2e:cc:09:fd:0f:b0:b7:cd:97:3b:c7:0f:49: + 1a:fc:15:49:d6:1c:a9:dc:14:ff:44:d2:be:5a:36:00:66:0c: + d5:b8:bf:16:9e:60:27:79:c0:f5:b4:ff:2f:af:8c:b2:49:75: + 61:44:05:1a:e8:cd +-----BEGIN CERTIFICATE----- +MIIDKTCCAZGgAwIBAgIIa7MYPN71IAgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIxMTEzMjExMloYDzIwNTIwMjA0 +MTMyMTEyWjApMScwJQYDVQQDDB5zcnYwMS5jbGllbnQwMi1uczIuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATmRfpXEmxZECOLelx2M+s7Qfq3HJCz +LzMtRXvj5baloqKkFPRQnbDGOLrpRWWkZbkQMi+Tm9XYz7QpW9xOyOymn1h2JPTF +0UhVUutdsIWThe4+uMSxzQhZlRL/e5vuarmjLTArMCkGA1UdEQQiMCCCHnNydjAx +LmNsaWVudDAyLW5zMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAYEAQ+wP +Yhf29JA7fDYh8hiUpkJRHh0qQ48Ft408yvAgL2VLvkitagrMLR/WJx2vSjaG7Q0D +dcVx7Fib7PkP5IPvb5HaIHNHrOfHiyKy0W6gsNYcTHAedAgdf2EG5b7z6MQVYOKw +ApvwE692W6jHkSwQXw0yiVFafxcbfMZGl+7nu4pIOKJS1P87HOxKqYylIzoEu9e4 +rVtpfx2+ypbg61YFQ+7I/yxIAwDGwqz8ThVHhsUz7XD2mLwLB7lbGuz9PL8mYWj8 +2wJVB652Dr7/xbhW+1JUpLEtZLQdVQJP2ga9JuQi0pQffinElxDRdX1BU75GUnCx +2f+7n5YZ46C60Epajdoic4nwTOYYgFO+vWRWaslYcUBmnko+MTt0nm5q9WXKkwZS +AHRloDrrLlZW0qVLDoUXJXjL8/lTe4X5ghWHvDZwtWlkSBF5uSwuzAn9D7C3zZc7 +xw9JGvwVSdYcqdwU/0TSvlo2AGYM1bi/Fp5gJ3nA9bT/L6+Mskl1YUQFGujN +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52009.pem b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52009.pem new file mode 100644 index 0000000000..99e4a71e33 --- /dev/null +++ b/bin/tests/system/doth/CA/newcerts/6BB3183CDEF52009.pem 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7760573232607207433 (0x6bb3183cdef52009) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Aug 14 05:00:00 2012 GMT + Not After : Aug 14 06:00:00 2012 GMT + Subject: CN=srv01.client03-ns2-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:38:9a:9b:c2:6a:82:a6:d1:50:8a:78:7a:d1:be: + 61:be:d4:b6:d3:d6:a2:02:97:a4:48:50:c0:c5:1d: + d8:2d:23:19:25:6e:91:02:1d:69:c2:77:d6:f1:a8: + 4f:4a:9a:1d:3c:69:5a:89:41:0a:f2:e0:64:57:1b: + 0e:9e:df:9f:4c:7b:3c:42:dc:21:c8:2c:95:ab:b3: + 4c:5f:56:c4:70:ee:8a:a4:e4:46:c4:9e:98:f5:c8: + 7b:b2:73:d7:45:93:f0 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client03-ns2-expired.example.com + Signature Algorithm: sha256WithRSAEncryption + 38:12:1f:5f:26:b6:8e:9b:3f:77:89:5a:b8:e8:46:78:c3:d6: + f0:0c:67:5f:d5:a3:9c:f6:f2:0a:ae:9c:87:74:9f:a3:5b:8a: + 27:58:47:e5:78:1a:e9:db:b5:cc:28:a7:f8:18:e3:e7:20:43: + cf:82:06:5d:a1:d0:82:ab:15:be:86:46:1e:e6:4d:ad:78:a4: + 16:6c:99:41:3d:29:21:c8:6b:9d:3d:4a:cd:93:37:1f:1c:88: + c7:ae:b6:7c:73:42:57:57:32:9d:e8:c6:e2:3e:da:12:57:3e: + c8:56:4a:bb:d4:01:fc:8e:30:8d:19:fe:61:3d:5e:02:64:65: + a2:46:b3:6e:ea:f9:cb:4e:f0:b9:f6:bc:6b:38:10:19:d0:93: + f8:f7:d9:4c:d2:87:2c:7f:dc:f5:00:c6:29:dd:00:5e:d2:f4: + df:52:fb:7a:5a:ad:98:36:77:72:1f:01:ed:48:91:48:16:2d: + 35:a5:15:21:98:ff:7e:5d:a1:45:c9:5f:9d:c2:3e:e5:98:e2: + ee:ce:4d:18:76:3d:8a:0a:64:9b:f1:19:9d:b6:82:af:1b:15: + d3:48:69:f1:9b:67:76:1b:41:8e:1d:69:d5:31:64:95:01:41: + 73:c1:a9:29:53:6b:f3:29:ad:e0:96:52:8e:3e:8d:c1:8e:d8: + b5:0c:94:5f:a2:6c:3c:0f:3e:5b:10:af:21:00:74:d0:b7:30: + 6c:44:fb:3d:09:46:8d:1d:e6:c2:e4:0a:5b:f4:eb:e1:71:c7: + d5:36:13:90:05:fe:65:16:61:24:b5:41:f2:10:bd:2c:c3:34: + 
69:15:25:d1:32:f2:b3:d7:da:23:1b:e9:5b:33:63:43:c8:dc: + 68:f2:31:b5:93:0e:64:ea:9a:45:36:9f:96:44:38:1e:4e:d8: + 45:ba:37:68:06:4d:da:d4:16:d3:3e:77:86:4e:8d:58:d6:06: + a8:60:11:4d:d9:81:f3:85:2b:ee:58:50:6e:ea:2b:f7:84:00: + 9c:ec:a1:90:d4:94 +-----BEGIN CERTIFICATE----- +MIIDNzCCAZ+gAwIBAgIIa7MYPN71IAkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTEyMDgxNDA1MDAwMFoXDTEyMDgxNDA2 +MDAwMFowMTEvMC0GA1UEAwwmc3J2MDEuY2xpZW50MDMtbnMyLWV4cGlyZWQuZXhh +bXBsZS5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ4mpvCaoKm0VCKeHrRvmG+ +1LbT1qICl6RIUMDFHdgtIxklbpECHWnCd9bxqE9Kmh08aVqJQQry4GRXGw6e359M +ezxC3CHILJWrs0xfVsRw7oqk5EbEnpj1yHuyc9dFk/CjNTAzMDEGA1UdEQQqMCiC +JnNydjAxLmNsaWVudDAzLW5zMi1leHBpcmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3 +DQEBCwUAA4IBgQA4Eh9fJraOmz93iVq46EZ4w9bwDGdf1aOc9vIKrpyHdJ+jW4on +WEfleBrp27XMKKf4GOPnIEPPggZdodCCqxW+hkYe5k2teKQWbJlBPSkhyGudPUrN +kzcfHIjHrrZ8c0JXVzKd6MbiPtoSVz7IVkq71AH8jjCNGf5hPV4CZGWiRrNu6vnL +TvC59rxrOBAZ0JP499lM0ocsf9z1AMYp3QBe0vTfUvt6Wq2YNndyHwHtSJFIFi01 +pRUhmP9+XaFFyV+dwj7lmOLuzk0Ydj2KCmSb8RmdtoKvGxXTSGnxm2d2G0GOHWnV +MWSVAUFzwakpU2vzKa3gllKOPo3Bjti1DJRfomw8Dz5bEK8hAHTQtzBsRPs9CUaN +HebC5Apb9OvhccfVNhOQBf5lFmEktUHyEL0swzRpFSXRMvKz19ojG+lbM2NDyNxo +8jG1kw5k6ppFNp+WRDgeTthFujdoBk3a1BbTPneGTo1Y1gaoYBFN2YHzhSvuWFBu +6iv3hACc7KGQ1JQ= +-----END CERTIFICATE----- diff --git a/bin/tests/system/doth/CA/private/CA.key b/bin/tests/system/doth/CA/private/CA.key new file mode 100644 index 0000000000..2d5419d89a --- /dev/null +++ b/bin/tests/system/doth/CA/private/CA.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC +aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D +lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm +PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy +VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy +nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH +EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp +Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL +wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc +bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI +r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC +GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9 +DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x +E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB +wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8 +V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC +SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke +s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx +HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx +r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp +tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk +AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx +LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa +IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn +RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf +ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv +NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao +ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev +dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr 
+q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj +bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw +HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3 +nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9 +r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c +j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn +HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd +B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw== +-----END RSA PRIVATE KEY----- diff --git a/bin/tests/system/doth/CA/serial b/bin/tests/system/doth/CA/serial new file mode 100644 index 0000000000..a20b06826d --- /dev/null +++ b/bin/tests/system/doth/CA/serial @@ -0,0 +1 @@ +6BB3183CDEF5200A diff --git a/bin/tests/system/doth/README.curl b/bin/tests/system/doth/README.curl new file mode 100644 index 0000000000..475f20f53a --- /dev/null +++ b/bin/tests/system/doth/README.curl @@ -0,0 +1,38 @@ + + +DoH query values that can be passed on the command line for testing +with curl can be obtained by encoding binary DNS messages into +base64url, with trailing '='s removed. + +For example: + +$ perl bin/tests/system/fromhex.pl << EOF | base64url + # Transaction ID + 0001 + # Standard query + 0000 + # Questions: 1, Additional: 0 + 0001 0000 0000 0000 + # QNAME: example + 07 6578616d706c65 00 + # Type: SOA + 0006 + Class: IN + 0001 +EOF + +This produces the string "AAEAAAABAAAAAAAAB2V4YW1wbGUAAAbFrMonAAE=". With +the trailing '=' removed, this can then be passed to curl: + +curl "https:///dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAbFrMonAAE" diff --git a/bin/tests/system/doth/clean.sh b/bin/tests/system/doth/clean.sh index 3f86885245..c81c6a1bdc 100644 --- a/bin/tests/system/doth/clean.sh +++ b/bin/tests/system/doth/clean.sh 
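Review bot: The CA private key is committed in cleartext (a PKCS#1 `BEGIN RSA PRIVATE KEY` block with no `Proc-Type: 4,ENCRYPTED` header) as a plain 100644 file, and nothing in the tree marks it as a test fixture. That is the usual choice for a self-contained system test, but the issuer name `ca.test.example.com`, the 2052 expiry on the client certificates in `newcerts/`, and the 10.53.0.1 / FD92:7065:B8E:FFFF::1 IP SANs make these credentials look real to secret scanners and to anyone who copies the directory. Add a short `doth/CA/README` stating that this key and every certificate it issued are test-only, must never be installed in a system trust store, and are expected to be regenerated rather than rotated; if the project runs a secret scanner, allowlist this path there as well. A one-line comment above the PEM block would also work, since PEM readers skip text before the `-----BEGIN` line, but a README is easier to find.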
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -18,4 +20,7 @@ rm -f ./*/named.memstats rm -f ./*/named.run rm -f ./*/named.run.prev rm -f ./dig.out.* -rm -f ./*/example.db +rm -f ./gnutls-cli.* +rm -f ./sslyze.log.* +rm -f ./*/example*.db +rm -rf ./headers.* diff --git a/bin/tests/system/doth/conftest.py b/bin/tests/system/doth/conftest.py new file mode 100644 index 0000000000..813be146f4 --- /dev/null +++ b/bin/tests/system/doth/conftest.py 
@@ -0,0 +1,47 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import shutil
+import subprocess
+
+import pytest
+
+
+@pytest.fixture
+def gnutls_cli_executable():
+ # Ensure gnutls-cli is available.
+ executable = shutil.which("gnutls-cli")
+ if not executable:
+ pytest.skip("gnutls-cli not found in PATH")
+
+ # Ensure gnutls-cli supports the --logfile command-line option.
+ output = subprocess.run(
+ [executable, "--logfile=/dev/null"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT,
+ check=False,
+ ).stdout
+ if b"illegal option" in output:
+ pytest.skip("gnutls-cli does not support the --logfile option")
+
+ return executable
+
+
+@pytest.fixture
+def sslyze_executable():
+ # Check whether sslyze is available.
+ executable = shutil.which("sslyze")
+ if not executable:
+ pytest.skip("sslyze not found in PATH")
+
+ return executable
diff --git a/bin/tests/system/doth/dhparam3072.pem b/bin/tests/system/doth/dhparam3072.pem
new file mode 100644
index 0000000000..9c2e0aa42b
--- /dev/null
+++ b/bin/tests/system/doth/dhparam3072.pem
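Review bot: The probe in gnutls_cli_executable runs gnutls-cli with inherited stdin and no timeout, so a build that accepts the option and then waits for a hostname or for input would hang the whole pytest session instead of skipping; pass `stdin=subprocess.DEVNULL` and `timeout=10` to `subprocess.run` and turn `subprocess.TimeoutExpired` into a `pytest.skip`. The support check also keys only on the substring `illegal option`, so a gnutls-cli whose parser rejects `--logfile` with different wording (GNU getopt prints `unrecognized option`) would be returned as usable and the dependent tests would fail later rather than skip; matching on both wordings, or on a non-zero return code combined with `--logfile` being absent from `--help` output, would be more robust — I have not verified which wording current releases use. The `#!/usr/bin/python3` shebang is unnecessary on a conftest.py that pytest imports and the file is not executable.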
@@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K +3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab +EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os +O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H +0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR +JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp +eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ +vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX +GKz9+uk5eS6jAgEC +-----END DH PARAMETERS----- diff --git a/bin/tests/system/doth/example.axfr.good b/bin/tests/system/doth/example.axfr.good index 2d610c6634..539e58bfef 100644 --- a/bin/tests/system/doth/example.axfr.good +++ b/bin/tests/system/doth/example.axfr.good 
@@ -23,6 +23,2506 @@ atma02.example. 3600 IN ATMA +61200000000 atma03.example. 3600 IN ATMA 1234567890abcdef atma04.example. 3600 IN ATMA fedcba0987654321 avc.example. 3600 IN AVC "foo:bar" +biganswer.example. 3600 IN A 10.10.1.1 +biganswer.example. 3600 IN A 10.10.1.2 +biganswer.example. 3600 IN A 10.10.1.3 +biganswer.example. 3600 IN A 10.10.1.4 +biganswer.example. 3600 IN A 10.10.1.5 +biganswer.example. 3600 IN A 10.10.1.6 +biganswer.example. 3600 IN A 10.10.1.7 +biganswer.example. 3600 IN A 10.10.1.8 +biganswer.example. 3600 IN A 10.10.1.9 +biganswer.example. 3600 IN A 10.10.1.10 +biganswer.example. 3600 IN A 10.10.1.11 +biganswer.example. 3600 IN A 10.10.1.12 +biganswer.example. 3600 IN A 10.10.1.13 +biganswer.example. 3600 IN A 10.10.1.14 +biganswer.example. 3600 IN A 10.10.1.15 +biganswer.example. 3600 IN A 10.10.1.16 +biganswer.example. 3600 IN A 10.10.1.17 +biganswer.example. 3600 IN A 10.10.1.18 +biganswer.example. 3600 IN A 10.10.1.19 +biganswer.example. 3600 IN A 10.10.1.20 +biganswer.example. 3600 IN A 10.10.1.21 +biganswer.example. 3600 IN A 10.10.1.22 +biganswer.example. 3600 IN A 10.10.1.23 +biganswer.example. 3600 IN A 10.10.1.24 +biganswer.example. 3600 IN A 10.10.1.25 +biganswer.example. 3600 IN A 10.10.1.26 +biganswer.example. 3600 IN A 10.10.1.27 +biganswer.example. 3600 IN A 10.10.1.28 +biganswer.example. 3600 IN A 10.10.1.29 +biganswer.example. 3600 IN A 10.10.1.30 +biganswer.example. 3600 IN A 10.10.1.31 +biganswer.example. 3600 IN A 10.10.1.32 +biganswer.example. 3600 IN A 10.10.1.33 +biganswer.example. 3600 IN A 10.10.1.34 +biganswer.example. 3600 IN A 10.10.1.35 +biganswer.example. 3600 IN A 10.10.1.36 +biganswer.example. 3600 IN A 10.10.1.37 +biganswer.example. 3600 IN A 10.10.1.38 +biganswer.example. 3600 IN A 10.10.1.39 +biganswer.example. 3600 IN A 10.10.1.40 +biganswer.example. 3600 IN A 10.10.1.41 +biganswer.example. 3600 IN A 10.10.1.42 +biganswer.example. 3600 IN A 10.10.1.43 +biganswer.example. 
3600 IN A 10.10.1.44 +biganswer.example. 3600 IN A 10.10.1.45 +biganswer.example. 3600 IN A 10.10.1.46 +biganswer.example. 3600 IN A 10.10.1.47 +biganswer.example. 3600 IN A 10.10.1.48 +biganswer.example. 3600 IN A 10.10.1.49 +biganswer.example. 3600 IN A 10.10.1.50 +biganswer.example. 3600 IN A 10.10.2.1 +biganswer.example. 3600 IN A 10.10.2.2 +biganswer.example. 3600 IN A 10.10.2.3 +biganswer.example. 3600 IN A 10.10.2.4 +biganswer.example. 3600 IN A 10.10.2.5 +biganswer.example. 3600 IN A 10.10.2.6 +biganswer.example. 3600 IN A 10.10.2.7 +biganswer.example. 3600 IN A 10.10.2.8 +biganswer.example. 3600 IN A 10.10.2.9 +biganswer.example. 3600 IN A 10.10.2.10 +biganswer.example. 3600 IN A 10.10.2.11 +biganswer.example. 3600 IN A 10.10.2.12 +biganswer.example. 3600 IN A 10.10.2.13 +biganswer.example. 3600 IN A 10.10.2.14 +biganswer.example. 3600 IN A 10.10.2.15 +biganswer.example. 3600 IN A 10.10.2.16 +biganswer.example. 3600 IN A 10.10.2.17 +biganswer.example. 3600 IN A 10.10.2.18 +biganswer.example. 3600 IN A 10.10.2.19 +biganswer.example. 3600 IN A 10.10.2.20 +biganswer.example. 3600 IN A 10.10.2.21 +biganswer.example. 3600 IN A 10.10.2.22 +biganswer.example. 3600 IN A 10.10.2.23 +biganswer.example. 3600 IN A 10.10.2.24 +biganswer.example. 3600 IN A 10.10.2.25 +biganswer.example. 3600 IN A 10.10.2.26 +biganswer.example. 3600 IN A 10.10.2.27 +biganswer.example. 3600 IN A 10.10.2.28 +biganswer.example. 3600 IN A 10.10.2.29 +biganswer.example. 3600 IN A 10.10.2.30 +biganswer.example. 3600 IN A 10.10.2.31 +biganswer.example. 3600 IN A 10.10.2.32 +biganswer.example. 3600 IN A 10.10.2.33 +biganswer.example. 3600 IN A 10.10.2.34 +biganswer.example. 3600 IN A 10.10.2.35 +biganswer.example. 3600 IN A 10.10.2.36 +biganswer.example. 3600 IN A 10.10.2.37 +biganswer.example. 3600 IN A 10.10.2.38 +biganswer.example. 3600 IN A 10.10.2.39 +biganswer.example. 3600 IN A 10.10.2.40 +biganswer.example. 3600 IN A 10.10.2.41 +biganswer.example. 3600 IN A 10.10.2.42 +biganswer.example. 
3600 IN A 10.10.2.43 +biganswer.example. 3600 IN A 10.10.2.44 +biganswer.example. 3600 IN A 10.10.2.45 +biganswer.example. 3600 IN A 10.10.2.46 +biganswer.example. 3600 IN A 10.10.2.47 +biganswer.example. 3600 IN A 10.10.2.48 +biganswer.example. 3600 IN A 10.10.2.49 +biganswer.example. 3600 IN A 10.10.2.50 +biganswer.example. 3600 IN A 10.10.3.1 +biganswer.example. 3600 IN A 10.10.3.2 +biganswer.example. 3600 IN A 10.10.3.3 +biganswer.example. 3600 IN A 10.10.3.4 +biganswer.example. 3600 IN A 10.10.3.5 +biganswer.example. 3600 IN A 10.10.3.6 +biganswer.example. 3600 IN A 10.10.3.7 +biganswer.example. 3600 IN A 10.10.3.8 +biganswer.example. 3600 IN A 10.10.3.9 +biganswer.example. 3600 IN A 10.10.3.10 +biganswer.example. 3600 IN A 10.10.3.11 +biganswer.example. 3600 IN A 10.10.3.12 +biganswer.example. 3600 IN A 10.10.3.13 +biganswer.example. 3600 IN A 10.10.3.14 +biganswer.example. 3600 IN A 10.10.3.15 +biganswer.example. 3600 IN A 10.10.3.16 +biganswer.example. 3600 IN A 10.10.3.17 +biganswer.example. 3600 IN A 10.10.3.18 +biganswer.example. 3600 IN A 10.10.3.19 +biganswer.example. 3600 IN A 10.10.3.20 +biganswer.example. 3600 IN A 10.10.3.21 +biganswer.example. 3600 IN A 10.10.3.22 +biganswer.example. 3600 IN A 10.10.3.23 +biganswer.example. 3600 IN A 10.10.3.24 +biganswer.example. 3600 IN A 10.10.3.25 +biganswer.example. 3600 IN A 10.10.3.26 +biganswer.example. 3600 IN A 10.10.3.27 +biganswer.example. 3600 IN A 10.10.3.28 +biganswer.example. 3600 IN A 10.10.3.29 +biganswer.example. 3600 IN A 10.10.3.30 +biganswer.example. 3600 IN A 10.10.3.31 +biganswer.example. 3600 IN A 10.10.3.32 +biganswer.example. 3600 IN A 10.10.3.33 +biganswer.example. 3600 IN A 10.10.3.34 +biganswer.example. 3600 IN A 10.10.3.35 +biganswer.example. 3600 IN A 10.10.3.36 +biganswer.example. 3600 IN A 10.10.3.37 +biganswer.example. 3600 IN A 10.10.3.38 +biganswer.example. 3600 IN A 10.10.3.39 +biganswer.example. 3600 IN A 10.10.3.40 +biganswer.example. 3600 IN A 10.10.3.41 +biganswer.example. 
3600 IN A 10.10.3.42 +biganswer.example. 3600 IN A 10.10.3.43 +biganswer.example. 3600 IN A 10.10.3.44 +biganswer.example. 3600 IN A 10.10.3.45 +biganswer.example. 3600 IN A 10.10.3.46 +biganswer.example. 3600 IN A 10.10.3.47 +biganswer.example. 3600 IN A 10.10.3.48 +biganswer.example. 3600 IN A 10.10.3.49 +biganswer.example. 3600 IN A 10.10.3.50 +biganswer.example. 3600 IN A 10.10.4.1 +biganswer.example. 3600 IN A 10.10.4.2 +biganswer.example. 3600 IN A 10.10.4.3 +biganswer.example. 3600 IN A 10.10.4.4 +biganswer.example. 3600 IN A 10.10.4.5 +biganswer.example. 3600 IN A 10.10.4.6 +biganswer.example. 3600 IN A 10.10.4.7 +biganswer.example. 3600 IN A 10.10.4.8 +biganswer.example. 3600 IN A 10.10.4.9 +biganswer.example. 3600 IN A 10.10.4.10 +biganswer.example. 3600 IN A 10.10.4.11 +biganswer.example. 3600 IN A 10.10.4.12 +biganswer.example. 3600 IN A 10.10.4.13 +biganswer.example. 3600 IN A 10.10.4.14 +biganswer.example. 3600 IN A 10.10.4.15 +biganswer.example. 3600 IN A 10.10.4.16 +biganswer.example. 3600 IN A 10.10.4.17 +biganswer.example. 3600 IN A 10.10.4.18 +biganswer.example. 3600 IN A 10.10.4.19 +biganswer.example. 3600 IN A 10.10.4.20 +biganswer.example. 3600 IN A 10.10.4.21 +biganswer.example. 3600 IN A 10.10.4.22 +biganswer.example. 3600 IN A 10.10.4.23 +biganswer.example. 3600 IN A 10.10.4.24 +biganswer.example. 3600 IN A 10.10.4.25 +biganswer.example. 3600 IN A 10.10.4.26 +biganswer.example. 3600 IN A 10.10.4.27 +biganswer.example. 3600 IN A 10.10.4.28 +biganswer.example. 3600 IN A 10.10.4.29 +biganswer.example. 3600 IN A 10.10.4.30 +biganswer.example. 3600 IN A 10.10.4.31 +biganswer.example. 3600 IN A 10.10.4.32 +biganswer.example. 3600 IN A 10.10.4.33 +biganswer.example. 3600 IN A 10.10.4.34 +biganswer.example. 3600 IN A 10.10.4.35 +biganswer.example. 3600 IN A 10.10.4.36 +biganswer.example. 3600 IN A 10.10.4.37 +biganswer.example. 3600 IN A 10.10.4.38 +biganswer.example. 3600 IN A 10.10.4.39 +biganswer.example. 3600 IN A 10.10.4.40 +biganswer.example. 
3600 IN A 10.10.4.41 +biganswer.example. 3600 IN A 10.10.4.42 +biganswer.example. 3600 IN A 10.10.4.43 +biganswer.example. 3600 IN A 10.10.4.44 +biganswer.example. 3600 IN A 10.10.4.45 +biganswer.example. 3600 IN A 10.10.4.46 +biganswer.example. 3600 IN A 10.10.4.47 +biganswer.example. 3600 IN A 10.10.4.48 +biganswer.example. 3600 IN A 10.10.4.49 +biganswer.example. 3600 IN A 10.10.4.50 +biganswer.example. 3600 IN A 10.10.5.1 +biganswer.example. 3600 IN A 10.10.5.2 +biganswer.example. 3600 IN A 10.10.5.3 +biganswer.example. 3600 IN A 10.10.5.4 +biganswer.example. 3600 IN A 10.10.5.5 +biganswer.example. 3600 IN A 10.10.5.6 +biganswer.example. 3600 IN A 10.10.5.7 +biganswer.example. 3600 IN A 10.10.5.8 +biganswer.example. 3600 IN A 10.10.5.9 +biganswer.example. 3600 IN A 10.10.5.10 +biganswer.example. 3600 IN A 10.10.5.11 +biganswer.example. 3600 IN A 10.10.5.12 +biganswer.example. 3600 IN A 10.10.5.13 +biganswer.example. 3600 IN A 10.10.5.14 +biganswer.example. 3600 IN A 10.10.5.15 +biganswer.example. 3600 IN A 10.10.5.16 +biganswer.example. 3600 IN A 10.10.5.17 +biganswer.example. 3600 IN A 10.10.5.18 +biganswer.example. 3600 IN A 10.10.5.19 +biganswer.example. 3600 IN A 10.10.5.20 +biganswer.example. 3600 IN A 10.10.5.21 +biganswer.example. 3600 IN A 10.10.5.22 +biganswer.example. 3600 IN A 10.10.5.23 +biganswer.example. 3600 IN A 10.10.5.24 +biganswer.example. 3600 IN A 10.10.5.25 +biganswer.example. 3600 IN A 10.10.5.26 +biganswer.example. 3600 IN A 10.10.5.27 +biganswer.example. 3600 IN A 10.10.5.28 +biganswer.example. 3600 IN A 10.10.5.29 +biganswer.example. 3600 IN A 10.10.5.30 +biganswer.example. 3600 IN A 10.10.5.31 +biganswer.example. 3600 IN A 10.10.5.32 +biganswer.example. 3600 IN A 10.10.5.33 +biganswer.example. 3600 IN A 10.10.5.34 +biganswer.example. 3600 IN A 10.10.5.35 +biganswer.example. 3600 IN A 10.10.5.36 +biganswer.example. 3600 IN A 10.10.5.37 +biganswer.example. 3600 IN A 10.10.5.38 +biganswer.example. 3600 IN A 10.10.5.39 +biganswer.example. 
3600 IN A 10.10.5.40 +biganswer.example. 3600 IN A 10.10.5.41 +biganswer.example. 3600 IN A 10.10.5.42 +biganswer.example. 3600 IN A 10.10.5.43 +biganswer.example. 3600 IN A 10.10.5.44 +biganswer.example. 3600 IN A 10.10.5.45 +biganswer.example. 3600 IN A 10.10.5.46 +biganswer.example. 3600 IN A 10.10.5.47 +biganswer.example. 3600 IN A 10.10.5.48 +biganswer.example. 3600 IN A 10.10.5.49 +biganswer.example. 3600 IN A 10.10.5.50 +biganswer.example. 3600 IN A 10.10.6.1 +biganswer.example. 3600 IN A 10.10.6.2 +biganswer.example. 3600 IN A 10.10.6.3 +biganswer.example. 3600 IN A 10.10.6.4 +biganswer.example. 3600 IN A 10.10.6.5 +biganswer.example. 3600 IN A 10.10.6.6 +biganswer.example. 3600 IN A 10.10.6.7 +biganswer.example. 3600 IN A 10.10.6.8 +biganswer.example. 3600 IN A 10.10.6.9 +biganswer.example. 3600 IN A 10.10.6.10 +biganswer.example. 3600 IN A 10.10.6.11 +biganswer.example. 3600 IN A 10.10.6.12 +biganswer.example. 3600 IN A 10.10.6.13 +biganswer.example. 3600 IN A 10.10.6.14 +biganswer.example. 3600 IN A 10.10.6.15 +biganswer.example. 3600 IN A 10.10.6.16 +biganswer.example. 3600 IN A 10.10.6.17 +biganswer.example. 3600 IN A 10.10.6.18 +biganswer.example. 3600 IN A 10.10.6.19 +biganswer.example. 3600 IN A 10.10.6.20 +biganswer.example. 3600 IN A 10.10.6.21 +biganswer.example. 3600 IN A 10.10.6.22 +biganswer.example. 3600 IN A 10.10.6.23 +biganswer.example. 3600 IN A 10.10.6.24 +biganswer.example. 3600 IN A 10.10.6.25 +biganswer.example. 3600 IN A 10.10.6.26 +biganswer.example. 3600 IN A 10.10.6.27 +biganswer.example. 3600 IN A 10.10.6.28 +biganswer.example. 3600 IN A 10.10.6.29 +biganswer.example. 3600 IN A 10.10.6.30 +biganswer.example. 3600 IN A 10.10.6.31 +biganswer.example. 3600 IN A 10.10.6.32 +biganswer.example. 3600 IN A 10.10.6.33 +biganswer.example. 3600 IN A 10.10.6.34 +biganswer.example. 3600 IN A 10.10.6.35 +biganswer.example. 3600 IN A 10.10.6.36 +biganswer.example. 3600 IN A 10.10.6.37 +biganswer.example. 3600 IN A 10.10.6.38 +biganswer.example. 
3600 IN A 10.10.6.39 +biganswer.example. 3600 IN A 10.10.6.40 +biganswer.example. 3600 IN A 10.10.6.41 +biganswer.example. 3600 IN A 10.10.6.42 +biganswer.example. 3600 IN A 10.10.6.43 +biganswer.example. 3600 IN A 10.10.6.44 +biganswer.example. 3600 IN A 10.10.6.45 +biganswer.example. 3600 IN A 10.10.6.46 +biganswer.example. 3600 IN A 10.10.6.47 +biganswer.example. 3600 IN A 10.10.6.48 +biganswer.example. 3600 IN A 10.10.6.49 +biganswer.example. 3600 IN A 10.10.6.50 +biganswer.example. 3600 IN A 10.10.7.1 +biganswer.example. 3600 IN A 10.10.7.2 +biganswer.example. 3600 IN A 10.10.7.3 +biganswer.example. 3600 IN A 10.10.7.4 +biganswer.example. 3600 IN A 10.10.7.5 +biganswer.example. 3600 IN A 10.10.7.6 +biganswer.example. 3600 IN A 10.10.7.7 +biganswer.example. 3600 IN A 10.10.7.8 +biganswer.example. 3600 IN A 10.10.7.9 +biganswer.example. 3600 IN A 10.10.7.10 +biganswer.example. 3600 IN A 10.10.7.11 +biganswer.example. 3600 IN A 10.10.7.12 +biganswer.example. 3600 IN A 10.10.7.13 +biganswer.example. 3600 IN A 10.10.7.14 +biganswer.example. 3600 IN A 10.10.7.15 +biganswer.example. 3600 IN A 10.10.7.16 +biganswer.example. 3600 IN A 10.10.7.17 +biganswer.example. 3600 IN A 10.10.7.18 +biganswer.example. 3600 IN A 10.10.7.19 +biganswer.example. 3600 IN A 10.10.7.20 +biganswer.example. 3600 IN A 10.10.7.21 +biganswer.example. 3600 IN A 10.10.7.22 +biganswer.example. 3600 IN A 10.10.7.23 +biganswer.example. 3600 IN A 10.10.7.24 +biganswer.example. 3600 IN A 10.10.7.25 +biganswer.example. 3600 IN A 10.10.7.26 +biganswer.example. 3600 IN A 10.10.7.27 +biganswer.example. 3600 IN A 10.10.7.28 +biganswer.example. 3600 IN A 10.10.7.29 +biganswer.example. 3600 IN A 10.10.7.30 +biganswer.example. 3600 IN A 10.10.7.31 +biganswer.example. 3600 IN A 10.10.7.32 +biganswer.example. 3600 IN A 10.10.7.33 +biganswer.example. 3600 IN A 10.10.7.34 +biganswer.example. 3600 IN A 10.10.7.35 +biganswer.example. 3600 IN A 10.10.7.36 +biganswer.example. 3600 IN A 10.10.7.37 +biganswer.example. 
3600 IN A 10.10.7.38 +biganswer.example. 3600 IN A 10.10.7.39 +biganswer.example. 3600 IN A 10.10.7.40 +biganswer.example. 3600 IN A 10.10.7.41 +biganswer.example. 3600 IN A 10.10.7.42 +biganswer.example. 3600 IN A 10.10.7.43 +biganswer.example. 3600 IN A 10.10.7.44 +biganswer.example. 3600 IN A 10.10.7.45 +biganswer.example. 3600 IN A 10.10.7.46 +biganswer.example. 3600 IN A 10.10.7.47 +biganswer.example. 3600 IN A 10.10.7.48 +biganswer.example. 3600 IN A 10.10.7.49 +biganswer.example. 3600 IN A 10.10.7.50 +biganswer.example. 3600 IN A 10.10.8.1 +biganswer.example. 3600 IN A 10.10.8.2 +biganswer.example. 3600 IN A 10.10.8.3 +biganswer.example. 3600 IN A 10.10.8.4 +biganswer.example. 3600 IN A 10.10.8.5 +biganswer.example. 3600 IN A 10.10.8.6 +biganswer.example. 3600 IN A 10.10.8.7 +biganswer.example. 3600 IN A 10.10.8.8 +biganswer.example. 3600 IN A 10.10.8.9 +biganswer.example. 3600 IN A 10.10.8.10 +biganswer.example. 3600 IN A 10.10.8.11 +biganswer.example. 3600 IN A 10.10.8.12 +biganswer.example. 3600 IN A 10.10.8.13 +biganswer.example. 3600 IN A 10.10.8.14 +biganswer.example. 3600 IN A 10.10.8.15 +biganswer.example. 3600 IN A 10.10.8.16 +biganswer.example. 3600 IN A 10.10.8.17 +biganswer.example. 3600 IN A 10.10.8.18 +biganswer.example. 3600 IN A 10.10.8.19 +biganswer.example. 3600 IN A 10.10.8.20 +biganswer.example. 3600 IN A 10.10.8.21 +biganswer.example. 3600 IN A 10.10.8.22 +biganswer.example. 3600 IN A 10.10.8.23 +biganswer.example. 3600 IN A 10.10.8.24 +biganswer.example. 3600 IN A 10.10.8.25 +biganswer.example. 3600 IN A 10.10.8.26 +biganswer.example. 3600 IN A 10.10.8.27 +biganswer.example. 3600 IN A 10.10.8.28 +biganswer.example. 3600 IN A 10.10.8.29 +biganswer.example. 3600 IN A 10.10.8.30 +biganswer.example. 3600 IN A 10.10.8.31 +biganswer.example. 3600 IN A 10.10.8.32 +biganswer.example. 3600 IN A 10.10.8.33 +biganswer.example. 3600 IN A 10.10.8.34 +biganswer.example. 3600 IN A 10.10.8.35 +biganswer.example. 3600 IN A 10.10.8.36 +biganswer.example. 
3600 IN A 10.10.8.37 +biganswer.example. 3600 IN A 10.10.8.38 +biganswer.example. 3600 IN A 10.10.8.39 +biganswer.example. 3600 IN A 10.10.8.40 +biganswer.example. 3600 IN A 10.10.8.41 +biganswer.example. 3600 IN A 10.10.8.42 +biganswer.example. 3600 IN A 10.10.8.43 +biganswer.example. 3600 IN A 10.10.8.44 +biganswer.example. 3600 IN A 10.10.8.45 +biganswer.example. 3600 IN A 10.10.8.46 +biganswer.example. 3600 IN A 10.10.8.47 +biganswer.example. 3600 IN A 10.10.8.48 +biganswer.example. 3600 IN A 10.10.8.49 +biganswer.example. 3600 IN A 10.10.8.50 +biganswer.example. 3600 IN A 10.10.9.1 +biganswer.example. 3600 IN A 10.10.9.2 +biganswer.example. 3600 IN A 10.10.9.3 +biganswer.example. 3600 IN A 10.10.9.4 +biganswer.example. 3600 IN A 10.10.9.5 +biganswer.example. 3600 IN A 10.10.9.6 +biganswer.example. 3600 IN A 10.10.9.7 +biganswer.example. 3600 IN A 10.10.9.8 +biganswer.example. 3600 IN A 10.10.9.9 +biganswer.example. 3600 IN A 10.10.9.10 +biganswer.example. 3600 IN A 10.10.9.11 +biganswer.example. 3600 IN A 10.10.9.12 +biganswer.example. 3600 IN A 10.10.9.13 +biganswer.example. 3600 IN A 10.10.9.14 +biganswer.example. 3600 IN A 10.10.9.15 +biganswer.example. 3600 IN A 10.10.9.16 +biganswer.example. 3600 IN A 10.10.9.17 +biganswer.example. 3600 IN A 10.10.9.18 +biganswer.example. 3600 IN A 10.10.9.19 +biganswer.example. 3600 IN A 10.10.9.20 +biganswer.example. 3600 IN A 10.10.9.21 +biganswer.example. 3600 IN A 10.10.9.22 +biganswer.example. 3600 IN A 10.10.9.23 +biganswer.example. 3600 IN A 10.10.9.24 +biganswer.example. 3600 IN A 10.10.9.25 +biganswer.example. 3600 IN A 10.10.9.26 +biganswer.example. 3600 IN A 10.10.9.27 +biganswer.example. 3600 IN A 10.10.9.28 +biganswer.example. 3600 IN A 10.10.9.29 +biganswer.example. 3600 IN A 10.10.9.30 +biganswer.example. 3600 IN A 10.10.9.31 +biganswer.example. 3600 IN A 10.10.9.32 +biganswer.example. 3600 IN A 10.10.9.33 +biganswer.example. 3600 IN A 10.10.9.34 +biganswer.example. 3600 IN A 10.10.9.35 +biganswer.example. 
3600 IN A 10.10.9.36 +biganswer.example. 3600 IN A 10.10.9.37 +biganswer.example. 3600 IN A 10.10.9.38 +biganswer.example. 3600 IN A 10.10.9.39 +biganswer.example. 3600 IN A 10.10.9.40 +biganswer.example. 3600 IN A 10.10.9.41 +biganswer.example. 3600 IN A 10.10.9.42 +biganswer.example. 3600 IN A 10.10.9.43 +biganswer.example. 3600 IN A 10.10.9.44 +biganswer.example. 3600 IN A 10.10.9.45 +biganswer.example. 3600 IN A 10.10.9.46 +biganswer.example. 3600 IN A 10.10.9.47 +biganswer.example. 3600 IN A 10.10.9.48 +biganswer.example. 3600 IN A 10.10.9.49 +biganswer.example. 3600 IN A 10.10.9.50 +biganswer.example. 3600 IN A 10.10.10.1 +biganswer.example. 3600 IN A 10.10.10.2 +biganswer.example. 3600 IN A 10.10.10.3 +biganswer.example. 3600 IN A 10.10.10.4 +biganswer.example. 3600 IN A 10.10.10.5 +biganswer.example. 3600 IN A 10.10.10.6 +biganswer.example. 3600 IN A 10.10.10.7 +biganswer.example. 3600 IN A 10.10.10.8 +biganswer.example. 3600 IN A 10.10.10.9 +biganswer.example. 3600 IN A 10.10.10.10 +biganswer.example. 3600 IN A 10.10.10.11 +biganswer.example. 3600 IN A 10.10.10.12 +biganswer.example. 3600 IN A 10.10.10.13 +biganswer.example. 3600 IN A 10.10.10.14 +biganswer.example. 3600 IN A 10.10.10.15 +biganswer.example. 3600 IN A 10.10.10.16 +biganswer.example. 3600 IN A 10.10.10.17 +biganswer.example. 3600 IN A 10.10.10.18 +biganswer.example. 3600 IN A 10.10.10.19 +biganswer.example. 3600 IN A 10.10.10.20 +biganswer.example. 3600 IN A 10.10.10.21 +biganswer.example. 3600 IN A 10.10.10.22 +biganswer.example. 3600 IN A 10.10.10.23 +biganswer.example. 3600 IN A 10.10.10.24 +biganswer.example. 3600 IN A 10.10.10.25 +biganswer.example. 3600 IN A 10.10.10.26 +biganswer.example. 3600 IN A 10.10.10.27 +biganswer.example. 3600 IN A 10.10.10.28 +biganswer.example. 3600 IN A 10.10.10.29 +biganswer.example. 3600 IN A 10.10.10.30 +biganswer.example. 3600 IN A 10.10.10.31 +biganswer.example. 3600 IN A 10.10.10.32 +biganswer.example. 3600 IN A 10.10.10.33 +biganswer.example. 
3600 IN A 10.10.10.34 +biganswer.example. 3600 IN A 10.10.10.35 +biganswer.example. 3600 IN A 10.10.10.36 +biganswer.example. 3600 IN A 10.10.10.37 +biganswer.example. 3600 IN A 10.10.10.38 +biganswer.example. 3600 IN A 10.10.10.39 +biganswer.example. 3600 IN A 10.10.10.40 +biganswer.example. 3600 IN A 10.10.10.41 +biganswer.example. 3600 IN A 10.10.10.42 +biganswer.example. 3600 IN A 10.10.10.43 +biganswer.example. 3600 IN A 10.10.10.44 +biganswer.example. 3600 IN A 10.10.10.45 +biganswer.example. 3600 IN A 10.10.10.46 +biganswer.example. 3600 IN A 10.10.10.47 +biganswer.example. 3600 IN A 10.10.10.48 +biganswer.example. 3600 IN A 10.10.10.49 +biganswer.example. 3600 IN A 10.10.10.50 +biganswer.example. 3600 IN A 10.10.11.1 +biganswer.example. 3600 IN A 10.10.11.2 +biganswer.example. 3600 IN A 10.10.11.3 +biganswer.example. 3600 IN A 10.10.11.4 +biganswer.example. 3600 IN A 10.10.11.5 +biganswer.example. 3600 IN A 10.10.11.6 +biganswer.example. 3600 IN A 10.10.11.7 +biganswer.example. 3600 IN A 10.10.11.8 +biganswer.example. 3600 IN A 10.10.11.9 +biganswer.example. 3600 IN A 10.10.11.10 +biganswer.example. 3600 IN A 10.10.11.11 +biganswer.example. 3600 IN A 10.10.11.12 +biganswer.example. 3600 IN A 10.10.11.13 +biganswer.example. 3600 IN A 10.10.11.14 +biganswer.example. 3600 IN A 10.10.11.15 +biganswer.example. 3600 IN A 10.10.11.16 +biganswer.example. 3600 IN A 10.10.11.17 +biganswer.example. 3600 IN A 10.10.11.18 +biganswer.example. 3600 IN A 10.10.11.19 +biganswer.example. 3600 IN A 10.10.11.20 +biganswer.example. 3600 IN A 10.10.11.21 +biganswer.example. 3600 IN A 10.10.11.22 +biganswer.example. 3600 IN A 10.10.11.23 +biganswer.example. 3600 IN A 10.10.11.24 +biganswer.example. 3600 IN A 10.10.11.25 +biganswer.example. 3600 IN A 10.10.11.26 +biganswer.example. 3600 IN A 10.10.11.27 +biganswer.example. 3600 IN A 10.10.11.28 +biganswer.example. 3600 IN A 10.10.11.29 +biganswer.example. 3600 IN A 10.10.11.30 +biganswer.example. 
3600 IN A 10.10.11.31 +biganswer.example. 3600 IN A 10.10.11.32 +biganswer.example. 3600 IN A 10.10.11.33 +biganswer.example. 3600 IN A 10.10.11.34 +biganswer.example. 3600 IN A 10.10.11.35 +biganswer.example. 3600 IN A 10.10.11.36 +biganswer.example. 3600 IN A 10.10.11.37 +biganswer.example. 3600 IN A 10.10.11.38 +biganswer.example. 3600 IN A 10.10.11.39 +biganswer.example. 3600 IN A 10.10.11.40 +biganswer.example. 3600 IN A 10.10.11.41 +biganswer.example. 3600 IN A 10.10.11.42 +biganswer.example. 3600 IN A 10.10.11.43 +biganswer.example. 3600 IN A 10.10.11.44 +biganswer.example. 3600 IN A 10.10.11.45 +biganswer.example. 3600 IN A 10.10.11.46 +biganswer.example. 3600 IN A 10.10.11.47 +biganswer.example. 3600 IN A 10.10.11.48 +biganswer.example. 3600 IN A 10.10.11.49 +biganswer.example. 3600 IN A 10.10.11.50 +biganswer.example. 3600 IN A 10.10.12.1 +biganswer.example. 3600 IN A 10.10.12.2 +biganswer.example. 3600 IN A 10.10.12.3 +biganswer.example. 3600 IN A 10.10.12.4 +biganswer.example. 3600 IN A 10.10.12.5 +biganswer.example. 3600 IN A 10.10.12.6 +biganswer.example. 3600 IN A 10.10.12.7 +biganswer.example. 3600 IN A 10.10.12.8 +biganswer.example. 3600 IN A 10.10.12.9 +biganswer.example. 3600 IN A 10.10.12.10 +biganswer.example. 3600 IN A 10.10.12.11 +biganswer.example. 3600 IN A 10.10.12.12 +biganswer.example. 3600 IN A 10.10.12.13 +biganswer.example. 3600 IN A 10.10.12.14 +biganswer.example. 3600 IN A 10.10.12.15 +biganswer.example. 3600 IN A 10.10.12.16 +biganswer.example. 3600 IN A 10.10.12.17 +biganswer.example. 3600 IN A 10.10.12.18 +biganswer.example. 3600 IN A 10.10.12.19 +biganswer.example. 3600 IN A 10.10.12.20 +biganswer.example. 3600 IN A 10.10.12.21 +biganswer.example. 3600 IN A 10.10.12.22 +biganswer.example. 3600 IN A 10.10.12.23 +biganswer.example. 3600 IN A 10.10.12.24 +biganswer.example. 3600 IN A 10.10.12.25 +biganswer.example. 3600 IN A 10.10.12.26 +biganswer.example. 3600 IN A 10.10.12.27 +biganswer.example. 
3600 IN A 10.10.12.28 +biganswer.example. 3600 IN A 10.10.12.29 +biganswer.example. 3600 IN A 10.10.12.30 +biganswer.example. 3600 IN A 10.10.12.31 +biganswer.example. 3600 IN A 10.10.12.32 +biganswer.example. 3600 IN A 10.10.12.33 +biganswer.example. 3600 IN A 10.10.12.34 +biganswer.example. 3600 IN A 10.10.12.35 +biganswer.example. 3600 IN A 10.10.12.36 +biganswer.example. 3600 IN A 10.10.12.37 +biganswer.example. 3600 IN A 10.10.12.38 +biganswer.example. 3600 IN A 10.10.12.39 +biganswer.example. 3600 IN A 10.10.12.40 +biganswer.example. 3600 IN A 10.10.12.41 +biganswer.example. 3600 IN A 10.10.12.42 +biganswer.example. 3600 IN A 10.10.12.43 +biganswer.example. 3600 IN A 10.10.12.44 +biganswer.example. 3600 IN A 10.10.12.45 +biganswer.example. 3600 IN A 10.10.12.46 +biganswer.example. 3600 IN A 10.10.12.47 +biganswer.example. 3600 IN A 10.10.12.48 +biganswer.example. 3600 IN A 10.10.12.49 +biganswer.example. 3600 IN A 10.10.12.50 +biganswer.example. 3600 IN A 10.10.13.1 +biganswer.example. 3600 IN A 10.10.13.2 +biganswer.example. 3600 IN A 10.10.13.3 +biganswer.example. 3600 IN A 10.10.13.4 +biganswer.example. 3600 IN A 10.10.13.5 +biganswer.example. 3600 IN A 10.10.13.6 +biganswer.example. 3600 IN A 10.10.13.7 +biganswer.example. 3600 IN A 10.10.13.8 +biganswer.example. 3600 IN A 10.10.13.9 +biganswer.example. 3600 IN A 10.10.13.10 +biganswer.example. 3600 IN A 10.10.13.11 +biganswer.example. 3600 IN A 10.10.13.12 +biganswer.example. 3600 IN A 10.10.13.13 +biganswer.example. 3600 IN A 10.10.13.14 +biganswer.example. 3600 IN A 10.10.13.15 +biganswer.example. 3600 IN A 10.10.13.16 +biganswer.example. 3600 IN A 10.10.13.17 +biganswer.example. 3600 IN A 10.10.13.18 +biganswer.example. 3600 IN A 10.10.13.19 +biganswer.example. 3600 IN A 10.10.13.20 +biganswer.example. 3600 IN A 10.10.13.21 +biganswer.example. 3600 IN A 10.10.13.22 +biganswer.example. 3600 IN A 10.10.13.23 +biganswer.example. 3600 IN A 10.10.13.24 +biganswer.example. 
3600 IN A 10.10.13.25 +biganswer.example. 3600 IN A 10.10.13.26 +biganswer.example. 3600 IN A 10.10.13.27 +biganswer.example. 3600 IN A 10.10.13.28 +biganswer.example. 3600 IN A 10.10.13.29 +biganswer.example. 3600 IN A 10.10.13.30 +biganswer.example. 3600 IN A 10.10.13.31 +biganswer.example. 3600 IN A 10.10.13.32 +biganswer.example. 3600 IN A 10.10.13.33 +biganswer.example. 3600 IN A 10.10.13.34 +biganswer.example. 3600 IN A 10.10.13.35 +biganswer.example. 3600 IN A 10.10.13.36 +biganswer.example. 3600 IN A 10.10.13.37 +biganswer.example. 3600 IN A 10.10.13.38 +biganswer.example. 3600 IN A 10.10.13.39 +biganswer.example. 3600 IN A 10.10.13.40 +biganswer.example. 3600 IN A 10.10.13.41 +biganswer.example. 3600 IN A 10.10.13.42 +biganswer.example. 3600 IN A 10.10.13.43 +biganswer.example. 3600 IN A 10.10.13.44 +biganswer.example. 3600 IN A 10.10.13.45 +biganswer.example. 3600 IN A 10.10.13.46 +biganswer.example. 3600 IN A 10.10.13.47 +biganswer.example. 3600 IN A 10.10.13.48 +biganswer.example. 3600 IN A 10.10.13.49 +biganswer.example. 3600 IN A 10.10.13.50 +biganswer.example. 3600 IN A 10.10.14.1 +biganswer.example. 3600 IN A 10.10.14.2 +biganswer.example. 3600 IN A 10.10.14.3 +biganswer.example. 3600 IN A 10.10.14.4 +biganswer.example. 3600 IN A 10.10.14.5 +biganswer.example. 3600 IN A 10.10.14.6 +biganswer.example. 3600 IN A 10.10.14.7 +biganswer.example. 3600 IN A 10.10.14.8 +biganswer.example. 3600 IN A 10.10.14.9 +biganswer.example. 3600 IN A 10.10.14.10 +biganswer.example. 3600 IN A 10.10.14.11 +biganswer.example. 3600 IN A 10.10.14.12 +biganswer.example. 3600 IN A 10.10.14.13 +biganswer.example. 3600 IN A 10.10.14.14 +biganswer.example. 3600 IN A 10.10.14.15 +biganswer.example. 3600 IN A 10.10.14.16 +biganswer.example. 3600 IN A 10.10.14.17 +biganswer.example. 3600 IN A 10.10.14.18 +biganswer.example. 3600 IN A 10.10.14.19 +biganswer.example. 3600 IN A 10.10.14.20 +biganswer.example. 3600 IN A 10.10.14.21 +biganswer.example. 
3600 IN A 10.10.14.22 +biganswer.example. 3600 IN A 10.10.14.23 +biganswer.example. 3600 IN A 10.10.14.24 +biganswer.example. 3600 IN A 10.10.14.25 +biganswer.example. 3600 IN A 10.10.14.26 +biganswer.example. 3600 IN A 10.10.14.27 +biganswer.example. 3600 IN A 10.10.14.28 +biganswer.example. 3600 IN A 10.10.14.29 +biganswer.example. 3600 IN A 10.10.14.30 +biganswer.example. 3600 IN A 10.10.14.31 +biganswer.example. 3600 IN A 10.10.14.32 +biganswer.example. 3600 IN A 10.10.14.33 +biganswer.example. 3600 IN A 10.10.14.34 +biganswer.example. 3600 IN A 10.10.14.35 +biganswer.example. 3600 IN A 10.10.14.36 +biganswer.example. 3600 IN A 10.10.14.37 +biganswer.example. 3600 IN A 10.10.14.38 +biganswer.example. 3600 IN A 10.10.14.39 +biganswer.example. 3600 IN A 10.10.14.40 +biganswer.example. 3600 IN A 10.10.14.41 +biganswer.example. 3600 IN A 10.10.14.42 +biganswer.example. 3600 IN A 10.10.14.43 +biganswer.example. 3600 IN A 10.10.14.44 +biganswer.example. 3600 IN A 10.10.14.45 +biganswer.example. 3600 IN A 10.10.14.46 +biganswer.example. 3600 IN A 10.10.14.47 +biganswer.example. 3600 IN A 10.10.14.48 +biganswer.example. 3600 IN A 10.10.14.49 +biganswer.example. 3600 IN A 10.10.14.50 +biganswer.example. 3600 IN A 10.10.15.1 +biganswer.example. 3600 IN A 10.10.15.2 +biganswer.example. 3600 IN A 10.10.15.3 +biganswer.example. 3600 IN A 10.10.15.4 +biganswer.example. 3600 IN A 10.10.15.5 +biganswer.example. 3600 IN A 10.10.15.6 +biganswer.example. 3600 IN A 10.10.15.7 +biganswer.example. 3600 IN A 10.10.15.8 +biganswer.example. 3600 IN A 10.10.15.9 +biganswer.example. 3600 IN A 10.10.15.10 +biganswer.example. 3600 IN A 10.10.15.11 +biganswer.example. 3600 IN A 10.10.15.12 +biganswer.example. 3600 IN A 10.10.15.13 +biganswer.example. 3600 IN A 10.10.15.14 +biganswer.example. 3600 IN A 10.10.15.15 +biganswer.example. 3600 IN A 10.10.15.16 +biganswer.example. 3600 IN A 10.10.15.17 +biganswer.example. 3600 IN A 10.10.15.18 +biganswer.example. 
3600 IN A 10.10.15.19 +biganswer.example. 3600 IN A 10.10.15.20 +biganswer.example. 3600 IN A 10.10.15.21 +biganswer.example. 3600 IN A 10.10.15.22 +biganswer.example. 3600 IN A 10.10.15.23 +biganswer.example. 3600 IN A 10.10.15.24 +biganswer.example. 3600 IN A 10.10.15.25 +biganswer.example. 3600 IN A 10.10.15.26 +biganswer.example. 3600 IN A 10.10.15.27 +biganswer.example. 3600 IN A 10.10.15.28 +biganswer.example. 3600 IN A 10.10.15.29 +biganswer.example. 3600 IN A 10.10.15.30 +biganswer.example. 3600 IN A 10.10.15.31 +biganswer.example. 3600 IN A 10.10.15.32 +biganswer.example. 3600 IN A 10.10.15.33 +biganswer.example. 3600 IN A 10.10.15.34 +biganswer.example. 3600 IN A 10.10.15.35 +biganswer.example. 3600 IN A 10.10.15.36 +biganswer.example. 3600 IN A 10.10.15.37 +biganswer.example. 3600 IN A 10.10.15.38 +biganswer.example. 3600 IN A 10.10.15.39 +biganswer.example. 3600 IN A 10.10.15.40 +biganswer.example. 3600 IN A 10.10.15.41 +biganswer.example. 3600 IN A 10.10.15.42 +biganswer.example. 3600 IN A 10.10.15.43 +biganswer.example. 3600 IN A 10.10.15.44 +biganswer.example. 3600 IN A 10.10.15.45 +biganswer.example. 3600 IN A 10.10.15.46 +biganswer.example. 3600 IN A 10.10.15.47 +biganswer.example. 3600 IN A 10.10.15.48 +biganswer.example. 3600 IN A 10.10.15.49 +biganswer.example. 3600 IN A 10.10.15.50 +biganswer.example. 3600 IN A 10.10.16.1 +biganswer.example. 3600 IN A 10.10.16.2 +biganswer.example. 3600 IN A 10.10.16.3 +biganswer.example. 3600 IN A 10.10.16.4 +biganswer.example. 3600 IN A 10.10.16.5 +biganswer.example. 3600 IN A 10.10.16.6 +biganswer.example. 3600 IN A 10.10.16.7 +biganswer.example. 3600 IN A 10.10.16.8 +biganswer.example. 3600 IN A 10.10.16.9 +biganswer.example. 3600 IN A 10.10.16.10 +biganswer.example. 3600 IN A 10.10.16.11 +biganswer.example. 3600 IN A 10.10.16.12 +biganswer.example. 3600 IN A 10.10.16.13 +biganswer.example. 3600 IN A 10.10.16.14 +biganswer.example. 3600 IN A 10.10.16.15 +biganswer.example. 
3600 IN A 10.10.16.16 +biganswer.example. 3600 IN A 10.10.16.17 +biganswer.example. 3600 IN A 10.10.16.18 +biganswer.example. 3600 IN A 10.10.16.19 +biganswer.example. 3600 IN A 10.10.16.20 +biganswer.example. 3600 IN A 10.10.16.21 +biganswer.example. 3600 IN A 10.10.16.22 +biganswer.example. 3600 IN A 10.10.16.23 +biganswer.example. 3600 IN A 10.10.16.24 +biganswer.example. 3600 IN A 10.10.16.25 +biganswer.example. 3600 IN A 10.10.16.26 +biganswer.example. 3600 IN A 10.10.16.27 +biganswer.example. 3600 IN A 10.10.16.28 +biganswer.example. 3600 IN A 10.10.16.29 +biganswer.example. 3600 IN A 10.10.16.30 +biganswer.example. 3600 IN A 10.10.16.31 +biganswer.example. 3600 IN A 10.10.16.32 +biganswer.example. 3600 IN A 10.10.16.33 +biganswer.example. 3600 IN A 10.10.16.34 +biganswer.example. 3600 IN A 10.10.16.35 +biganswer.example. 3600 IN A 10.10.16.36 +biganswer.example. 3600 IN A 10.10.16.37 +biganswer.example. 3600 IN A 10.10.16.38 +biganswer.example. 3600 IN A 10.10.16.39 +biganswer.example. 3600 IN A 10.10.16.40 +biganswer.example. 3600 IN A 10.10.16.41 +biganswer.example. 3600 IN A 10.10.16.42 +biganswer.example. 3600 IN A 10.10.16.43 +biganswer.example. 3600 IN A 10.10.16.44 +biganswer.example. 3600 IN A 10.10.16.45 +biganswer.example. 3600 IN A 10.10.16.46 +biganswer.example. 3600 IN A 10.10.16.47 +biganswer.example. 3600 IN A 10.10.16.48 +biganswer.example. 3600 IN A 10.10.16.49 +biganswer.example. 3600 IN A 10.10.16.50 +biganswer.example. 3600 IN A 10.10.17.1 +biganswer.example. 3600 IN A 10.10.17.2 +biganswer.example. 3600 IN A 10.10.17.3 +biganswer.example. 3600 IN A 10.10.17.4 +biganswer.example. 3600 IN A 10.10.17.5 +biganswer.example. 3600 IN A 10.10.17.6 +biganswer.example. 3600 IN A 10.10.17.7 +biganswer.example. 3600 IN A 10.10.17.8 +biganswer.example. 3600 IN A 10.10.17.9 +biganswer.example. 3600 IN A 10.10.17.10 +biganswer.example. 3600 IN A 10.10.17.11 +biganswer.example. 3600 IN A 10.10.17.12 +biganswer.example. 
3600 IN A 10.10.17.13 +biganswer.example. 3600 IN A 10.10.17.14 +biganswer.example. 3600 IN A 10.10.17.15 +biganswer.example. 3600 IN A 10.10.17.16 +biganswer.example. 3600 IN A 10.10.17.17 +biganswer.example. 3600 IN A 10.10.17.18 +biganswer.example. 3600 IN A 10.10.17.19 +biganswer.example. 3600 IN A 10.10.17.20 +biganswer.example. 3600 IN A 10.10.17.21 +biganswer.example. 3600 IN A 10.10.17.22 +biganswer.example. 3600 IN A 10.10.17.23 +biganswer.example. 3600 IN A 10.10.17.24 +biganswer.example. 3600 IN A 10.10.17.25 +biganswer.example. 3600 IN A 10.10.17.26 +biganswer.example. 3600 IN A 10.10.17.27 +biganswer.example. 3600 IN A 10.10.17.28 +biganswer.example. 3600 IN A 10.10.17.29 +biganswer.example. 3600 IN A 10.10.17.30 +biganswer.example. 3600 IN A 10.10.17.31 +biganswer.example. 3600 IN A 10.10.17.32 +biganswer.example. 3600 IN A 10.10.17.33 +biganswer.example. 3600 IN A 10.10.17.34 +biganswer.example. 3600 IN A 10.10.17.35 +biganswer.example. 3600 IN A 10.10.17.36 +biganswer.example. 3600 IN A 10.10.17.37 +biganswer.example. 3600 IN A 10.10.17.38 +biganswer.example. 3600 IN A 10.10.17.39 +biganswer.example. 3600 IN A 10.10.17.40 +biganswer.example. 3600 IN A 10.10.17.41 +biganswer.example. 3600 IN A 10.10.17.42 +biganswer.example. 3600 IN A 10.10.17.43 +biganswer.example. 3600 IN A 10.10.17.44 +biganswer.example. 3600 IN A 10.10.17.45 +biganswer.example. 3600 IN A 10.10.17.46 +biganswer.example. 3600 IN A 10.10.17.47 +biganswer.example. 3600 IN A 10.10.17.48 +biganswer.example. 3600 IN A 10.10.17.49 +biganswer.example. 3600 IN A 10.10.17.50 +biganswer.example. 3600 IN A 10.10.18.1 +biganswer.example. 3600 IN A 10.10.18.2 +biganswer.example. 3600 IN A 10.10.18.3 +biganswer.example. 3600 IN A 10.10.18.4 +biganswer.example. 3600 IN A 10.10.18.5 +biganswer.example. 3600 IN A 10.10.18.6 +biganswer.example. 3600 IN A 10.10.18.7 +biganswer.example. 3600 IN A 10.10.18.8 +biganswer.example. 3600 IN A 10.10.18.9 +biganswer.example. 
3600 IN A 10.10.18.10 +biganswer.example. 3600 IN A 10.10.18.11 +biganswer.example. 3600 IN A 10.10.18.12 +biganswer.example. 3600 IN A 10.10.18.13 +biganswer.example. 3600 IN A 10.10.18.14 +biganswer.example. 3600 IN A 10.10.18.15 +biganswer.example. 3600 IN A 10.10.18.16 +biganswer.example. 3600 IN A 10.10.18.17 +biganswer.example. 3600 IN A 10.10.18.18 +biganswer.example. 3600 IN A 10.10.18.19 +biganswer.example. 3600 IN A 10.10.18.20 +biganswer.example. 3600 IN A 10.10.18.21 +biganswer.example. 3600 IN A 10.10.18.22 +biganswer.example. 3600 IN A 10.10.18.23 +biganswer.example. 3600 IN A 10.10.18.24 +biganswer.example. 3600 IN A 10.10.18.25 +biganswer.example. 3600 IN A 10.10.18.26 +biganswer.example. 3600 IN A 10.10.18.27 +biganswer.example. 3600 IN A 10.10.18.28 +biganswer.example. 3600 IN A 10.10.18.29 +biganswer.example. 3600 IN A 10.10.18.30 +biganswer.example. 3600 IN A 10.10.18.31 +biganswer.example. 3600 IN A 10.10.18.32 +biganswer.example. 3600 IN A 10.10.18.33 +biganswer.example. 3600 IN A 10.10.18.34 +biganswer.example. 3600 IN A 10.10.18.35 +biganswer.example. 3600 IN A 10.10.18.36 +biganswer.example. 3600 IN A 10.10.18.37 +biganswer.example. 3600 IN A 10.10.18.38 +biganswer.example. 3600 IN A 10.10.18.39 +biganswer.example. 3600 IN A 10.10.18.40 +biganswer.example. 3600 IN A 10.10.18.41 +biganswer.example. 3600 IN A 10.10.18.42 +biganswer.example. 3600 IN A 10.10.18.43 +biganswer.example. 3600 IN A 10.10.18.44 +biganswer.example. 3600 IN A 10.10.18.45 +biganswer.example. 3600 IN A 10.10.18.46 +biganswer.example. 3600 IN A 10.10.18.47 +biganswer.example. 3600 IN A 10.10.18.48 +biganswer.example. 3600 IN A 10.10.18.49 +biganswer.example. 3600 IN A 10.10.18.50 +biganswer.example. 3600 IN A 10.10.19.1 +biganswer.example. 3600 IN A 10.10.19.2 +biganswer.example. 3600 IN A 10.10.19.3 +biganswer.example. 3600 IN A 10.10.19.4 +biganswer.example. 3600 IN A 10.10.19.5 +biganswer.example. 3600 IN A 10.10.19.6 +biganswer.example. 
3600 IN A 10.10.19.7 +biganswer.example. 3600 IN A 10.10.19.8 +biganswer.example. 3600 IN A 10.10.19.9 +biganswer.example. 3600 IN A 10.10.19.10 +biganswer.example. 3600 IN A 10.10.19.11 +biganswer.example. 3600 IN A 10.10.19.12 +biganswer.example. 3600 IN A 10.10.19.13 +biganswer.example. 3600 IN A 10.10.19.14 +biganswer.example. 3600 IN A 10.10.19.15 +biganswer.example. 3600 IN A 10.10.19.16 +biganswer.example. 3600 IN A 10.10.19.17 +biganswer.example. 3600 IN A 10.10.19.18 +biganswer.example. 3600 IN A 10.10.19.19 +biganswer.example. 3600 IN A 10.10.19.20 +biganswer.example. 3600 IN A 10.10.19.21 +biganswer.example. 3600 IN A 10.10.19.22 +biganswer.example. 3600 IN A 10.10.19.23 +biganswer.example. 3600 IN A 10.10.19.24 +biganswer.example. 3600 IN A 10.10.19.25 +biganswer.example. 3600 IN A 10.10.19.26 +biganswer.example. 3600 IN A 10.10.19.27 +biganswer.example. 3600 IN A 10.10.19.28 +biganswer.example. 3600 IN A 10.10.19.29 +biganswer.example. 3600 IN A 10.10.19.30 +biganswer.example. 3600 IN A 10.10.19.31 +biganswer.example. 3600 IN A 10.10.19.32 +biganswer.example. 3600 IN A 10.10.19.33 +biganswer.example. 3600 IN A 10.10.19.34 +biganswer.example. 3600 IN A 10.10.19.35 +biganswer.example. 3600 IN A 10.10.19.36 +biganswer.example. 3600 IN A 10.10.19.37 +biganswer.example. 3600 IN A 10.10.19.38 +biganswer.example. 3600 IN A 10.10.19.39 +biganswer.example. 3600 IN A 10.10.19.40 +biganswer.example. 3600 IN A 10.10.19.41 +biganswer.example. 3600 IN A 10.10.19.42 +biganswer.example. 3600 IN A 10.10.19.43 +biganswer.example. 3600 IN A 10.10.19.44 +biganswer.example. 3600 IN A 10.10.19.45 +biganswer.example. 3600 IN A 10.10.19.46 +biganswer.example. 3600 IN A 10.10.19.47 +biganswer.example. 3600 IN A 10.10.19.48 +biganswer.example. 3600 IN A 10.10.19.49 +biganswer.example. 3600 IN A 10.10.19.50 +biganswer.example. 3600 IN A 10.10.20.1 +biganswer.example. 3600 IN A 10.10.20.2 +biganswer.example. 3600 IN A 10.10.20.3 +biganswer.example. 
3600 IN A 10.10.20.4 +biganswer.example. 3600 IN A 10.10.20.5 +biganswer.example. 3600 IN A 10.10.20.6 +biganswer.example. 3600 IN A 10.10.20.7 +biganswer.example. 3600 IN A 10.10.20.8 +biganswer.example. 3600 IN A 10.10.20.9 +biganswer.example. 3600 IN A 10.10.20.10 +biganswer.example. 3600 IN A 10.10.20.11 +biganswer.example. 3600 IN A 10.10.20.12 +biganswer.example. 3600 IN A 10.10.20.13 +biganswer.example. 3600 IN A 10.10.20.14 +biganswer.example. 3600 IN A 10.10.20.15 +biganswer.example. 3600 IN A 10.10.20.16 +biganswer.example. 3600 IN A 10.10.20.17 +biganswer.example. 3600 IN A 10.10.20.18 +biganswer.example. 3600 IN A 10.10.20.19 +biganswer.example. 3600 IN A 10.10.20.20 +biganswer.example. 3600 IN A 10.10.20.21 +biganswer.example. 3600 IN A 10.10.20.22 +biganswer.example. 3600 IN A 10.10.20.23 +biganswer.example. 3600 IN A 10.10.20.24 +biganswer.example. 3600 IN A 10.10.20.25 +biganswer.example. 3600 IN A 10.10.20.26 +biganswer.example. 3600 IN A 10.10.20.27 +biganswer.example. 3600 IN A 10.10.20.28 +biganswer.example. 3600 IN A 10.10.20.29 +biganswer.example. 3600 IN A 10.10.20.30 +biganswer.example. 3600 IN A 10.10.20.31 +biganswer.example. 3600 IN A 10.10.20.32 +biganswer.example. 3600 IN A 10.10.20.33 +biganswer.example. 3600 IN A 10.10.20.34 +biganswer.example. 3600 IN A 10.10.20.35 +biganswer.example. 3600 IN A 10.10.20.36 +biganswer.example. 3600 IN A 10.10.20.37 +biganswer.example. 3600 IN A 10.10.20.38 +biganswer.example. 3600 IN A 10.10.20.39 +biganswer.example. 3600 IN A 10.10.20.40 +biganswer.example. 3600 IN A 10.10.20.41 +biganswer.example. 3600 IN A 10.10.20.42 +biganswer.example. 3600 IN A 10.10.20.43 +biganswer.example. 3600 IN A 10.10.20.44 +biganswer.example. 3600 IN A 10.10.20.45 +biganswer.example. 3600 IN A 10.10.20.46 +biganswer.example. 3600 IN A 10.10.20.47 +biganswer.example. 3600 IN A 10.10.20.48 +biganswer.example. 3600 IN A 10.10.20.49 +biganswer.example. 3600 IN A 10.10.20.50 +biganswer.example. 
3600 IN A 10.10.21.1 +biganswer.example. 3600 IN A 10.10.21.2 +biganswer.example. 3600 IN A 10.10.21.3 +biganswer.example. 3600 IN A 10.10.21.4 +biganswer.example. 3600 IN A 10.10.21.5 +biganswer.example. 3600 IN A 10.10.21.6 +biganswer.example. 3600 IN A 10.10.21.7 +biganswer.example. 3600 IN A 10.10.21.8 +biganswer.example. 3600 IN A 10.10.21.9 +biganswer.example. 3600 IN A 10.10.21.10 +biganswer.example. 3600 IN A 10.10.21.11 +biganswer.example. 3600 IN A 10.10.21.12 +biganswer.example. 3600 IN A 10.10.21.13 +biganswer.example. 3600 IN A 10.10.21.14 +biganswer.example. 3600 IN A 10.10.21.15 +biganswer.example. 3600 IN A 10.10.21.16 +biganswer.example. 3600 IN A 10.10.21.17 +biganswer.example. 3600 IN A 10.10.21.18 +biganswer.example. 3600 IN A 10.10.21.19 +biganswer.example. 3600 IN A 10.10.21.20 +biganswer.example. 3600 IN A 10.10.21.21 +biganswer.example. 3600 IN A 10.10.21.22 +biganswer.example. 3600 IN A 10.10.21.23 +biganswer.example. 3600 IN A 10.10.21.24 +biganswer.example. 3600 IN A 10.10.21.25 +biganswer.example. 3600 IN A 10.10.21.26 +biganswer.example. 3600 IN A 10.10.21.27 +biganswer.example. 3600 IN A 10.10.21.28 +biganswer.example. 3600 IN A 10.10.21.29 +biganswer.example. 3600 IN A 10.10.21.30 +biganswer.example. 3600 IN A 10.10.21.31 +biganswer.example. 3600 IN A 10.10.21.32 +biganswer.example. 3600 IN A 10.10.21.33 +biganswer.example. 3600 IN A 10.10.21.34 +biganswer.example. 3600 IN A 10.10.21.35 +biganswer.example. 3600 IN A 10.10.21.36 +biganswer.example. 3600 IN A 10.10.21.37 +biganswer.example. 3600 IN A 10.10.21.38 +biganswer.example. 3600 IN A 10.10.21.39 +biganswer.example. 3600 IN A 10.10.21.40 +biganswer.example. 3600 IN A 10.10.21.41 +biganswer.example. 3600 IN A 10.10.21.42 +biganswer.example. 3600 IN A 10.10.21.43 +biganswer.example. 3600 IN A 10.10.21.44 +biganswer.example. 3600 IN A 10.10.21.45 +biganswer.example. 3600 IN A 10.10.21.46 +biganswer.example. 3600 IN A 10.10.21.47 +biganswer.example. 
3600 IN A 10.10.21.48 +biganswer.example. 3600 IN A 10.10.21.49 +biganswer.example. 3600 IN A 10.10.21.50 +biganswer.example. 3600 IN A 10.10.22.1 +biganswer.example. 3600 IN A 10.10.22.2 +biganswer.example. 3600 IN A 10.10.22.3 +biganswer.example. 3600 IN A 10.10.22.4 +biganswer.example. 3600 IN A 10.10.22.5 +biganswer.example. 3600 IN A 10.10.22.6 +biganswer.example. 3600 IN A 10.10.22.7 +biganswer.example. 3600 IN A 10.10.22.8 +biganswer.example. 3600 IN A 10.10.22.9 +biganswer.example. 3600 IN A 10.10.22.10 +biganswer.example. 3600 IN A 10.10.22.11 +biganswer.example. 3600 IN A 10.10.22.12 +biganswer.example. 3600 IN A 10.10.22.13 +biganswer.example. 3600 IN A 10.10.22.14 +biganswer.example. 3600 IN A 10.10.22.15 +biganswer.example. 3600 IN A 10.10.22.16 +biganswer.example. 3600 IN A 10.10.22.17 +biganswer.example. 3600 IN A 10.10.22.18 +biganswer.example. 3600 IN A 10.10.22.19 +biganswer.example. 3600 IN A 10.10.22.20 +biganswer.example. 3600 IN A 10.10.22.21 +biganswer.example. 3600 IN A 10.10.22.22 +biganswer.example. 3600 IN A 10.10.22.23 +biganswer.example. 3600 IN A 10.10.22.24 +biganswer.example. 3600 IN A 10.10.22.25 +biganswer.example. 3600 IN A 10.10.22.26 +biganswer.example. 3600 IN A 10.10.22.27 +biganswer.example. 3600 IN A 10.10.22.28 +biganswer.example. 3600 IN A 10.10.22.29 +biganswer.example. 3600 IN A 10.10.22.30 +biganswer.example. 3600 IN A 10.10.22.31 +biganswer.example. 3600 IN A 10.10.22.32 +biganswer.example. 3600 IN A 10.10.22.33 +biganswer.example. 3600 IN A 10.10.22.34 +biganswer.example. 3600 IN A 10.10.22.35 +biganswer.example. 3600 IN A 10.10.22.36 +biganswer.example. 3600 IN A 10.10.22.37 +biganswer.example. 3600 IN A 10.10.22.38 +biganswer.example. 3600 IN A 10.10.22.39 +biganswer.example. 3600 IN A 10.10.22.40 +biganswer.example. 3600 IN A 10.10.22.41 +biganswer.example. 3600 IN A 10.10.22.42 +biganswer.example. 3600 IN A 10.10.22.43 +biganswer.example. 3600 IN A 10.10.22.44 +biganswer.example. 
3600 IN A 10.10.22.45 +biganswer.example. 3600 IN A 10.10.22.46 +biganswer.example. 3600 IN A 10.10.22.47 +biganswer.example. 3600 IN A 10.10.22.48 +biganswer.example. 3600 IN A 10.10.22.49 +biganswer.example. 3600 IN A 10.10.22.50 +biganswer.example. 3600 IN A 10.10.23.1 +biganswer.example. 3600 IN A 10.10.23.2 +biganswer.example. 3600 IN A 10.10.23.3 +biganswer.example. 3600 IN A 10.10.23.4 +biganswer.example. 3600 IN A 10.10.23.5 +biganswer.example. 3600 IN A 10.10.23.6 +biganswer.example. 3600 IN A 10.10.23.7 +biganswer.example. 3600 IN A 10.10.23.8 +biganswer.example. 3600 IN A 10.10.23.9 +biganswer.example. 3600 IN A 10.10.23.10 +biganswer.example. 3600 IN A 10.10.23.11 +biganswer.example. 3600 IN A 10.10.23.12 +biganswer.example. 3600 IN A 10.10.23.13 +biganswer.example. 3600 IN A 10.10.23.14 +biganswer.example. 3600 IN A 10.10.23.15 +biganswer.example. 3600 IN A 10.10.23.16 +biganswer.example. 3600 IN A 10.10.23.17 +biganswer.example. 3600 IN A 10.10.23.18 +biganswer.example. 3600 IN A 10.10.23.19 +biganswer.example. 3600 IN A 10.10.23.20 +biganswer.example. 3600 IN A 10.10.23.21 +biganswer.example. 3600 IN A 10.10.23.22 +biganswer.example. 3600 IN A 10.10.23.23 +biganswer.example. 3600 IN A 10.10.23.24 +biganswer.example. 3600 IN A 10.10.23.25 +biganswer.example. 3600 IN A 10.10.23.26 +biganswer.example. 3600 IN A 10.10.23.27 +biganswer.example. 3600 IN A 10.10.23.28 +biganswer.example. 3600 IN A 10.10.23.29 +biganswer.example. 3600 IN A 10.10.23.30 +biganswer.example. 3600 IN A 10.10.23.31 +biganswer.example. 3600 IN A 10.10.23.32 +biganswer.example. 3600 IN A 10.10.23.33 +biganswer.example. 3600 IN A 10.10.23.34 +biganswer.example. 3600 IN A 10.10.23.35 +biganswer.example. 3600 IN A 10.10.23.36 +biganswer.example. 3600 IN A 10.10.23.37 +biganswer.example. 3600 IN A 10.10.23.38 +biganswer.example. 3600 IN A 10.10.23.39 +biganswer.example. 3600 IN A 10.10.23.40 +biganswer.example. 3600 IN A 10.10.23.41 +biganswer.example. 
3600 IN A 10.10.23.42 +biganswer.example. 3600 IN A 10.10.23.43 +biganswer.example. 3600 IN A 10.10.23.44 +biganswer.example. 3600 IN A 10.10.23.45 +biganswer.example. 3600 IN A 10.10.23.46 +biganswer.example. 3600 IN A 10.10.23.47 +biganswer.example. 3600 IN A 10.10.23.48 +biganswer.example. 3600 IN A 10.10.23.49 +biganswer.example. 3600 IN A 10.10.23.50 +biganswer.example. 3600 IN A 10.10.24.1 +biganswer.example. 3600 IN A 10.10.24.2 +biganswer.example. 3600 IN A 10.10.24.3 +biganswer.example. 3600 IN A 10.10.24.4 +biganswer.example. 3600 IN A 10.10.24.5 +biganswer.example. 3600 IN A 10.10.24.6 +biganswer.example. 3600 IN A 10.10.24.7 +biganswer.example. 3600 IN A 10.10.24.8 +biganswer.example. 3600 IN A 10.10.24.9 +biganswer.example. 3600 IN A 10.10.24.10 +biganswer.example. 3600 IN A 10.10.24.11 +biganswer.example. 3600 IN A 10.10.24.12 +biganswer.example. 3600 IN A 10.10.24.13 +biganswer.example. 3600 IN A 10.10.24.14 +biganswer.example. 3600 IN A 10.10.24.15 +biganswer.example. 3600 IN A 10.10.24.16 +biganswer.example. 3600 IN A 10.10.24.17 +biganswer.example. 3600 IN A 10.10.24.18 +biganswer.example. 3600 IN A 10.10.24.19 +biganswer.example. 3600 IN A 10.10.24.20 +biganswer.example. 3600 IN A 10.10.24.21 +biganswer.example. 3600 IN A 10.10.24.22 +biganswer.example. 3600 IN A 10.10.24.23 +biganswer.example. 3600 IN A 10.10.24.24 +biganswer.example. 3600 IN A 10.10.24.25 +biganswer.example. 3600 IN A 10.10.24.26 +biganswer.example. 3600 IN A 10.10.24.27 +biganswer.example. 3600 IN A 10.10.24.28 +biganswer.example. 3600 IN A 10.10.24.29 +biganswer.example. 3600 IN A 10.10.24.30 +biganswer.example. 3600 IN A 10.10.24.31 +biganswer.example. 3600 IN A 10.10.24.32 +biganswer.example. 3600 IN A 10.10.24.33 +biganswer.example. 3600 IN A 10.10.24.34 +biganswer.example. 3600 IN A 10.10.24.35 +biganswer.example. 3600 IN A 10.10.24.36 +biganswer.example. 3600 IN A 10.10.24.37 +biganswer.example. 3600 IN A 10.10.24.38 +biganswer.example. 
3600 IN A 10.10.24.39 +biganswer.example. 3600 IN A 10.10.24.40 +biganswer.example. 3600 IN A 10.10.24.41 +biganswer.example. 3600 IN A 10.10.24.42 +biganswer.example. 3600 IN A 10.10.24.43 +biganswer.example. 3600 IN A 10.10.24.44 +biganswer.example. 3600 IN A 10.10.24.45 +biganswer.example. 3600 IN A 10.10.24.46 +biganswer.example. 3600 IN A 10.10.24.47 +biganswer.example. 3600 IN A 10.10.24.48 +biganswer.example. 3600 IN A 10.10.24.49 +biganswer.example. 3600 IN A 10.10.24.50 +biganswer.example. 3600 IN A 10.10.25.1 +biganswer.example. 3600 IN A 10.10.25.2 +biganswer.example. 3600 IN A 10.10.25.3 +biganswer.example. 3600 IN A 10.10.25.4 +biganswer.example. 3600 IN A 10.10.25.5 +biganswer.example. 3600 IN A 10.10.25.6 +biganswer.example. 3600 IN A 10.10.25.7 +biganswer.example. 3600 IN A 10.10.25.8 +biganswer.example. 3600 IN A 10.10.25.9 +biganswer.example. 3600 IN A 10.10.25.10 +biganswer.example. 3600 IN A 10.10.25.11 +biganswer.example. 3600 IN A 10.10.25.12 +biganswer.example. 3600 IN A 10.10.25.13 +biganswer.example. 3600 IN A 10.10.25.14 +biganswer.example. 3600 IN A 10.10.25.15 +biganswer.example. 3600 IN A 10.10.25.16 +biganswer.example. 3600 IN A 10.10.25.17 +biganswer.example. 3600 IN A 10.10.25.18 +biganswer.example. 3600 IN A 10.10.25.19 +biganswer.example. 3600 IN A 10.10.25.20 +biganswer.example. 3600 IN A 10.10.25.21 +biganswer.example. 3600 IN A 10.10.25.22 +biganswer.example. 3600 IN A 10.10.25.23 +biganswer.example. 3600 IN A 10.10.25.24 +biganswer.example. 3600 IN A 10.10.25.25 +biganswer.example. 3600 IN A 10.10.25.26 +biganswer.example. 3600 IN A 10.10.25.27 +biganswer.example. 3600 IN A 10.10.25.28 +biganswer.example. 3600 IN A 10.10.25.29 +biganswer.example. 3600 IN A 10.10.25.30 +biganswer.example. 3600 IN A 10.10.25.31 +biganswer.example. 3600 IN A 10.10.25.32 +biganswer.example. 3600 IN A 10.10.25.33 +biganswer.example. 3600 IN A 10.10.25.34 +biganswer.example. 3600 IN A 10.10.25.35 +biganswer.example. 
3600 IN A 10.10.25.36 +biganswer.example. 3600 IN A 10.10.25.37 +biganswer.example. 3600 IN A 10.10.25.38 +biganswer.example. 3600 IN A 10.10.25.39 +biganswer.example. 3600 IN A 10.10.25.40 +biganswer.example. 3600 IN A 10.10.25.41 +biganswer.example. 3600 IN A 10.10.25.42 +biganswer.example. 3600 IN A 10.10.25.43 +biganswer.example. 3600 IN A 10.10.25.44 +biganswer.example. 3600 IN A 10.10.25.45 +biganswer.example. 3600 IN A 10.10.25.46 +biganswer.example. 3600 IN A 10.10.25.47 +biganswer.example. 3600 IN A 10.10.25.48 +biganswer.example. 3600 IN A 10.10.25.49 +biganswer.example. 3600 IN A 10.10.25.50 +biganswer.example. 3600 IN A 10.10.26.1 +biganswer.example. 3600 IN A 10.10.26.2 +biganswer.example. 3600 IN A 10.10.26.3 +biganswer.example. 3600 IN A 10.10.26.4 +biganswer.example. 3600 IN A 10.10.26.5 +biganswer.example. 3600 IN A 10.10.26.6 +biganswer.example. 3600 IN A 10.10.26.7 +biganswer.example. 3600 IN A 10.10.26.8 +biganswer.example. 3600 IN A 10.10.26.9 +biganswer.example. 3600 IN A 10.10.26.10 +biganswer.example. 3600 IN A 10.10.26.11 +biganswer.example. 3600 IN A 10.10.26.12 +biganswer.example. 3600 IN A 10.10.26.13 +biganswer.example. 3600 IN A 10.10.26.14 +biganswer.example. 3600 IN A 10.10.26.15 +biganswer.example. 3600 IN A 10.10.26.16 +biganswer.example. 3600 IN A 10.10.26.17 +biganswer.example. 3600 IN A 10.10.26.18 +biganswer.example. 3600 IN A 10.10.26.19 +biganswer.example. 3600 IN A 10.10.26.20 +biganswer.example. 3600 IN A 10.10.26.21 +biganswer.example. 3600 IN A 10.10.26.22 +biganswer.example. 3600 IN A 10.10.26.23 +biganswer.example. 3600 IN A 10.10.26.24 +biganswer.example. 3600 IN A 10.10.26.25 +biganswer.example. 3600 IN A 10.10.26.26 +biganswer.example. 3600 IN A 10.10.26.27 +biganswer.example. 3600 IN A 10.10.26.28 +biganswer.example. 3600 IN A 10.10.26.29 +biganswer.example. 3600 IN A 10.10.26.30 +biganswer.example. 3600 IN A 10.10.26.31 +biganswer.example. 3600 IN A 10.10.26.32 +biganswer.example. 
3600 IN A 10.10.26.33 +biganswer.example. 3600 IN A 10.10.26.34 +biganswer.example. 3600 IN A 10.10.26.35 +biganswer.example. 3600 IN A 10.10.26.36 +biganswer.example. 3600 IN A 10.10.26.37 +biganswer.example. 3600 IN A 10.10.26.38 +biganswer.example. 3600 IN A 10.10.26.39 +biganswer.example. 3600 IN A 10.10.26.40 +biganswer.example. 3600 IN A 10.10.26.41 +biganswer.example. 3600 IN A 10.10.26.42 +biganswer.example. 3600 IN A 10.10.26.43 +biganswer.example. 3600 IN A 10.10.26.44 +biganswer.example. 3600 IN A 10.10.26.45 +biganswer.example. 3600 IN A 10.10.26.46 +biganswer.example. 3600 IN A 10.10.26.47 +biganswer.example. 3600 IN A 10.10.26.48 +biganswer.example. 3600 IN A 10.10.26.49 +biganswer.example. 3600 IN A 10.10.26.50 +biganswer.example. 3600 IN A 10.10.27.1 +biganswer.example. 3600 IN A 10.10.27.2 +biganswer.example. 3600 IN A 10.10.27.3 +biganswer.example. 3600 IN A 10.10.27.4 +biganswer.example. 3600 IN A 10.10.27.5 +biganswer.example. 3600 IN A 10.10.27.6 +biganswer.example. 3600 IN A 10.10.27.7 +biganswer.example. 3600 IN A 10.10.27.8 +biganswer.example. 3600 IN A 10.10.27.9 +biganswer.example. 3600 IN A 10.10.27.10 +biganswer.example. 3600 IN A 10.10.27.11 +biganswer.example. 3600 IN A 10.10.27.12 +biganswer.example. 3600 IN A 10.10.27.13 +biganswer.example. 3600 IN A 10.10.27.14 +biganswer.example. 3600 IN A 10.10.27.15 +biganswer.example. 3600 IN A 10.10.27.16 +biganswer.example. 3600 IN A 10.10.27.17 +biganswer.example. 3600 IN A 10.10.27.18 +biganswer.example. 3600 IN A 10.10.27.19 +biganswer.example. 3600 IN A 10.10.27.20 +biganswer.example. 3600 IN A 10.10.27.21 +biganswer.example. 3600 IN A 10.10.27.22 +biganswer.example. 3600 IN A 10.10.27.23 +biganswer.example. 3600 IN A 10.10.27.24 +biganswer.example. 3600 IN A 10.10.27.25 +biganswer.example. 3600 IN A 10.10.27.26 +biganswer.example. 3600 IN A 10.10.27.27 +biganswer.example. 3600 IN A 10.10.27.28 +biganswer.example. 3600 IN A 10.10.27.29 +biganswer.example. 
3600 IN A 10.10.27.30 +biganswer.example. 3600 IN A 10.10.27.31 +biganswer.example. 3600 IN A 10.10.27.32 +biganswer.example. 3600 IN A 10.10.27.33 +biganswer.example. 3600 IN A 10.10.27.34 +biganswer.example. 3600 IN A 10.10.27.35 +biganswer.example. 3600 IN A 10.10.27.36 +biganswer.example. 3600 IN A 10.10.27.37 +biganswer.example. 3600 IN A 10.10.27.38 +biganswer.example. 3600 IN A 10.10.27.39 +biganswer.example. 3600 IN A 10.10.27.40 +biganswer.example. 3600 IN A 10.10.27.41 +biganswer.example. 3600 IN A 10.10.27.42 +biganswer.example. 3600 IN A 10.10.27.43 +biganswer.example. 3600 IN A 10.10.27.44 +biganswer.example. 3600 IN A 10.10.27.45 +biganswer.example. 3600 IN A 10.10.27.46 +biganswer.example. 3600 IN A 10.10.27.47 +biganswer.example. 3600 IN A 10.10.27.48 +biganswer.example. 3600 IN A 10.10.27.49 +biganswer.example. 3600 IN A 10.10.27.50 +biganswer.example. 3600 IN A 10.10.28.1 +biganswer.example. 3600 IN A 10.10.28.2 +biganswer.example. 3600 IN A 10.10.28.3 +biganswer.example. 3600 IN A 10.10.28.4 +biganswer.example. 3600 IN A 10.10.28.5 +biganswer.example. 3600 IN A 10.10.28.6 +biganswer.example. 3600 IN A 10.10.28.7 +biganswer.example. 3600 IN A 10.10.28.8 +biganswer.example. 3600 IN A 10.10.28.9 +biganswer.example. 3600 IN A 10.10.28.10 +biganswer.example. 3600 IN A 10.10.28.11 +biganswer.example. 3600 IN A 10.10.28.12 +biganswer.example. 3600 IN A 10.10.28.13 +biganswer.example. 3600 IN A 10.10.28.14 +biganswer.example. 3600 IN A 10.10.28.15 +biganswer.example. 3600 IN A 10.10.28.16 +biganswer.example. 3600 IN A 10.10.28.17 +biganswer.example. 3600 IN A 10.10.28.18 +biganswer.example. 3600 IN A 10.10.28.19 +biganswer.example. 3600 IN A 10.10.28.20 +biganswer.example. 3600 IN A 10.10.28.21 +biganswer.example. 3600 IN A 10.10.28.22 +biganswer.example. 3600 IN A 10.10.28.23 +biganswer.example. 3600 IN A 10.10.28.24 +biganswer.example. 3600 IN A 10.10.28.25 +biganswer.example. 3600 IN A 10.10.28.26 +biganswer.example. 
3600 IN A 10.10.28.27 +biganswer.example. 3600 IN A 10.10.28.28 +biganswer.example. 3600 IN A 10.10.28.29 +biganswer.example. 3600 IN A 10.10.28.30 +biganswer.example. 3600 IN A 10.10.28.31 +biganswer.example. 3600 IN A 10.10.28.32 +biganswer.example. 3600 IN A 10.10.28.33 +biganswer.example. 3600 IN A 10.10.28.34 +biganswer.example. 3600 IN A 10.10.28.35 +biganswer.example. 3600 IN A 10.10.28.36 +biganswer.example. 3600 IN A 10.10.28.37 +biganswer.example. 3600 IN A 10.10.28.38 +biganswer.example. 3600 IN A 10.10.28.39 +biganswer.example. 3600 IN A 10.10.28.40 +biganswer.example. 3600 IN A 10.10.28.41 +biganswer.example. 3600 IN A 10.10.28.42 +biganswer.example. 3600 IN A 10.10.28.43 +biganswer.example. 3600 IN A 10.10.28.44 +biganswer.example. 3600 IN A 10.10.28.45 +biganswer.example. 3600 IN A 10.10.28.46 +biganswer.example. 3600 IN A 10.10.28.47 +biganswer.example. 3600 IN A 10.10.28.48 +biganswer.example. 3600 IN A 10.10.28.49 +biganswer.example. 3600 IN A 10.10.28.50 +biganswer.example. 3600 IN A 10.10.29.1 +biganswer.example. 3600 IN A 10.10.29.2 +biganswer.example. 3600 IN A 10.10.29.3 +biganswer.example. 3600 IN A 10.10.29.4 +biganswer.example. 3600 IN A 10.10.29.5 +biganswer.example. 3600 IN A 10.10.29.6 +biganswer.example. 3600 IN A 10.10.29.7 +biganswer.example. 3600 IN A 10.10.29.8 +biganswer.example. 3600 IN A 10.10.29.9 +biganswer.example. 3600 IN A 10.10.29.10 +biganswer.example. 3600 IN A 10.10.29.11 +biganswer.example. 3600 IN A 10.10.29.12 +biganswer.example. 3600 IN A 10.10.29.13 +biganswer.example. 3600 IN A 10.10.29.14 +biganswer.example. 3600 IN A 10.10.29.15 +biganswer.example. 3600 IN A 10.10.29.16 +biganswer.example. 3600 IN A 10.10.29.17 +biganswer.example. 3600 IN A 10.10.29.18 +biganswer.example. 3600 IN A 10.10.29.19 +biganswer.example. 3600 IN A 10.10.29.20 +biganswer.example. 3600 IN A 10.10.29.21 +biganswer.example. 3600 IN A 10.10.29.22 +biganswer.example. 3600 IN A 10.10.29.23 +biganswer.example. 
3600 IN A 10.10.29.24 +biganswer.example. 3600 IN A 10.10.29.25 +biganswer.example. 3600 IN A 10.10.29.26 +biganswer.example. 3600 IN A 10.10.29.27 +biganswer.example. 3600 IN A 10.10.29.28 +biganswer.example. 3600 IN A 10.10.29.29 +biganswer.example. 3600 IN A 10.10.29.30 +biganswer.example. 3600 IN A 10.10.29.31 +biganswer.example. 3600 IN A 10.10.29.32 +biganswer.example. 3600 IN A 10.10.29.33 +biganswer.example. 3600 IN A 10.10.29.34 +biganswer.example. 3600 IN A 10.10.29.35 +biganswer.example. 3600 IN A 10.10.29.36 +biganswer.example. 3600 IN A 10.10.29.37 +biganswer.example. 3600 IN A 10.10.29.38 +biganswer.example. 3600 IN A 10.10.29.39 +biganswer.example. 3600 IN A 10.10.29.40 +biganswer.example. 3600 IN A 10.10.29.41 +biganswer.example. 3600 IN A 10.10.29.42 +biganswer.example. 3600 IN A 10.10.29.43 +biganswer.example. 3600 IN A 10.10.29.44 +biganswer.example. 3600 IN A 10.10.29.45 +biganswer.example. 3600 IN A 10.10.29.46 +biganswer.example. 3600 IN A 10.10.29.47 +biganswer.example. 3600 IN A 10.10.29.48 +biganswer.example. 3600 IN A 10.10.29.49 +biganswer.example. 3600 IN A 10.10.29.50 +biganswer.example. 3600 IN A 10.10.30.1 +biganswer.example. 3600 IN A 10.10.30.2 +biganswer.example. 3600 IN A 10.10.30.3 +biganswer.example. 3600 IN A 10.10.30.4 +biganswer.example. 3600 IN A 10.10.30.5 +biganswer.example. 3600 IN A 10.10.30.6 +biganswer.example. 3600 IN A 10.10.30.7 +biganswer.example. 3600 IN A 10.10.30.8 +biganswer.example. 3600 IN A 10.10.30.9 +biganswer.example. 3600 IN A 10.10.30.10 +biganswer.example. 3600 IN A 10.10.30.11 +biganswer.example. 3600 IN A 10.10.30.12 +biganswer.example. 3600 IN A 10.10.30.13 +biganswer.example. 3600 IN A 10.10.30.14 +biganswer.example. 3600 IN A 10.10.30.15 +biganswer.example. 3600 IN A 10.10.30.16 +biganswer.example. 3600 IN A 10.10.30.17 +biganswer.example. 3600 IN A 10.10.30.18 +biganswer.example. 3600 IN A 10.10.30.19 +biganswer.example. 3600 IN A 10.10.30.20 +biganswer.example. 
3600 IN A 10.10.30.21 +biganswer.example. 3600 IN A 10.10.30.22 +biganswer.example. 3600 IN A 10.10.30.23 +biganswer.example. 3600 IN A 10.10.30.24 +biganswer.example. 3600 IN A 10.10.30.25 +biganswer.example. 3600 IN A 10.10.30.26 +biganswer.example. 3600 IN A 10.10.30.27 +biganswer.example. 3600 IN A 10.10.30.28 +biganswer.example. 3600 IN A 10.10.30.29 +biganswer.example. 3600 IN A 10.10.30.30 +biganswer.example. 3600 IN A 10.10.30.31 +biganswer.example. 3600 IN A 10.10.30.32 +biganswer.example. 3600 IN A 10.10.30.33 +biganswer.example. 3600 IN A 10.10.30.34 +biganswer.example. 3600 IN A 10.10.30.35 +biganswer.example. 3600 IN A 10.10.30.36 +biganswer.example. 3600 IN A 10.10.30.37 +biganswer.example. 3600 IN A 10.10.30.38 +biganswer.example. 3600 IN A 10.10.30.39 +biganswer.example. 3600 IN A 10.10.30.40 +biganswer.example. 3600 IN A 10.10.30.41 +biganswer.example. 3600 IN A 10.10.30.42 +biganswer.example. 3600 IN A 10.10.30.43 +biganswer.example. 3600 IN A 10.10.30.44 +biganswer.example. 3600 IN A 10.10.30.45 +biganswer.example. 3600 IN A 10.10.30.46 +biganswer.example. 3600 IN A 10.10.30.47 +biganswer.example. 3600 IN A 10.10.30.48 +biganswer.example. 3600 IN A 10.10.30.49 +biganswer.example. 3600 IN A 10.10.30.50 +biganswer.example. 3600 IN A 10.10.31.1 +biganswer.example. 3600 IN A 10.10.31.2 +biganswer.example. 3600 IN A 10.10.31.3 +biganswer.example. 3600 IN A 10.10.31.4 +biganswer.example. 3600 IN A 10.10.31.5 +biganswer.example. 3600 IN A 10.10.31.6 +biganswer.example. 3600 IN A 10.10.31.7 +biganswer.example. 3600 IN A 10.10.31.8 +biganswer.example. 3600 IN A 10.10.31.9 +biganswer.example. 3600 IN A 10.10.31.10 +biganswer.example. 3600 IN A 10.10.31.11 +biganswer.example. 3600 IN A 10.10.31.12 +biganswer.example. 3600 IN A 10.10.31.13 +biganswer.example. 3600 IN A 10.10.31.14 +biganswer.example. 3600 IN A 10.10.31.15 +biganswer.example. 3600 IN A 10.10.31.16 +biganswer.example. 3600 IN A 10.10.31.17 +biganswer.example. 
3600 IN A 10.10.31.18 +biganswer.example. 3600 IN A 10.10.31.19 +biganswer.example. 3600 IN A 10.10.31.20 +biganswer.example. 3600 IN A 10.10.31.21 +biganswer.example. 3600 IN A 10.10.31.22 +biganswer.example. 3600 IN A 10.10.31.23 +biganswer.example. 3600 IN A 10.10.31.24 +biganswer.example. 3600 IN A 10.10.31.25 +biganswer.example. 3600 IN A 10.10.31.26 +biganswer.example. 3600 IN A 10.10.31.27 +biganswer.example. 3600 IN A 10.10.31.28 +biganswer.example. 3600 IN A 10.10.31.29 +biganswer.example. 3600 IN A 10.10.31.30 +biganswer.example. 3600 IN A 10.10.31.31 +biganswer.example. 3600 IN A 10.10.31.32 +biganswer.example. 3600 IN A 10.10.31.33 +biganswer.example. 3600 IN A 10.10.31.34 +biganswer.example. 3600 IN A 10.10.31.35 +biganswer.example. 3600 IN A 10.10.31.36 +biganswer.example. 3600 IN A 10.10.31.37 +biganswer.example. 3600 IN A 10.10.31.38 +biganswer.example. 3600 IN A 10.10.31.39 +biganswer.example. 3600 IN A 10.10.31.40 +biganswer.example. 3600 IN A 10.10.31.41 +biganswer.example. 3600 IN A 10.10.31.42 +biganswer.example. 3600 IN A 10.10.31.43 +biganswer.example. 3600 IN A 10.10.31.44 +biganswer.example. 3600 IN A 10.10.31.45 +biganswer.example. 3600 IN A 10.10.31.46 +biganswer.example. 3600 IN A 10.10.31.47 +biganswer.example. 3600 IN A 10.10.31.48 +biganswer.example. 3600 IN A 10.10.31.49 +biganswer.example. 3600 IN A 10.10.31.50 +biganswer.example. 3600 IN A 10.10.32.1 +biganswer.example. 3600 IN A 10.10.32.2 +biganswer.example. 3600 IN A 10.10.32.3 +biganswer.example. 3600 IN A 10.10.32.4 +biganswer.example. 3600 IN A 10.10.32.5 +biganswer.example. 3600 IN A 10.10.32.6 +biganswer.example. 3600 IN A 10.10.32.7 +biganswer.example. 3600 IN A 10.10.32.8 +biganswer.example. 3600 IN A 10.10.32.9 +biganswer.example. 3600 IN A 10.10.32.10 +biganswer.example. 3600 IN A 10.10.32.11 +biganswer.example. 3600 IN A 10.10.32.12 +biganswer.example. 3600 IN A 10.10.32.13 +biganswer.example. 3600 IN A 10.10.32.14 +biganswer.example. 
3600 IN A 10.10.32.15 +biganswer.example. 3600 IN A 10.10.32.16 +biganswer.example. 3600 IN A 10.10.32.17 +biganswer.example. 3600 IN A 10.10.32.18 +biganswer.example. 3600 IN A 10.10.32.19 +biganswer.example. 3600 IN A 10.10.32.20 +biganswer.example. 3600 IN A 10.10.32.21 +biganswer.example. 3600 IN A 10.10.32.22 +biganswer.example. 3600 IN A 10.10.32.23 +biganswer.example. 3600 IN A 10.10.32.24 +biganswer.example. 3600 IN A 10.10.32.25 +biganswer.example. 3600 IN A 10.10.32.26 +biganswer.example. 3600 IN A 10.10.32.27 +biganswer.example. 3600 IN A 10.10.32.28 +biganswer.example. 3600 IN A 10.10.32.29 +biganswer.example. 3600 IN A 10.10.32.30 +biganswer.example. 3600 IN A 10.10.32.31 +biganswer.example. 3600 IN A 10.10.32.32 +biganswer.example. 3600 IN A 10.10.32.33 +biganswer.example. 3600 IN A 10.10.32.34 +biganswer.example. 3600 IN A 10.10.32.35 +biganswer.example. 3600 IN A 10.10.32.36 +biganswer.example. 3600 IN A 10.10.32.37 +biganswer.example. 3600 IN A 10.10.32.38 +biganswer.example. 3600 IN A 10.10.32.39 +biganswer.example. 3600 IN A 10.10.32.40 +biganswer.example. 3600 IN A 10.10.32.41 +biganswer.example. 3600 IN A 10.10.32.42 +biganswer.example. 3600 IN A 10.10.32.43 +biganswer.example. 3600 IN A 10.10.32.44 +biganswer.example. 3600 IN A 10.10.32.45 +biganswer.example. 3600 IN A 10.10.32.46 +biganswer.example. 3600 IN A 10.10.32.47 +biganswer.example. 3600 IN A 10.10.32.48 +biganswer.example. 3600 IN A 10.10.32.49 +biganswer.example. 3600 IN A 10.10.32.50 +biganswer.example. 3600 IN A 10.10.33.1 +biganswer.example. 3600 IN A 10.10.33.2 +biganswer.example. 3600 IN A 10.10.33.3 +biganswer.example. 3600 IN A 10.10.33.4 +biganswer.example. 3600 IN A 10.10.33.5 +biganswer.example. 3600 IN A 10.10.33.6 +biganswer.example. 3600 IN A 10.10.33.7 +biganswer.example. 3600 IN A 10.10.33.8 +biganswer.example. 3600 IN A 10.10.33.9 +biganswer.example. 3600 IN A 10.10.33.10 +biganswer.example. 3600 IN A 10.10.33.11 +biganswer.example. 
3600 IN A 10.10.33.12 +biganswer.example. 3600 IN A 10.10.33.13 +biganswer.example. 3600 IN A 10.10.33.14 +biganswer.example. 3600 IN A 10.10.33.15 +biganswer.example. 3600 IN A 10.10.33.16 +biganswer.example. 3600 IN A 10.10.33.17 +biganswer.example. 3600 IN A 10.10.33.18 +biganswer.example. 3600 IN A 10.10.33.19 +biganswer.example. 3600 IN A 10.10.33.20 +biganswer.example. 3600 IN A 10.10.33.21 +biganswer.example. 3600 IN A 10.10.33.22 +biganswer.example. 3600 IN A 10.10.33.23 +biganswer.example. 3600 IN A 10.10.33.24 +biganswer.example. 3600 IN A 10.10.33.25 +biganswer.example. 3600 IN A 10.10.33.26 +biganswer.example. 3600 IN A 10.10.33.27 +biganswer.example. 3600 IN A 10.10.33.28 +biganswer.example. 3600 IN A 10.10.33.29 +biganswer.example. 3600 IN A 10.10.33.30 +biganswer.example. 3600 IN A 10.10.33.31 +biganswer.example. 3600 IN A 10.10.33.32 +biganswer.example. 3600 IN A 10.10.33.33 +biganswer.example. 3600 IN A 10.10.33.34 +biganswer.example. 3600 IN A 10.10.33.35 +biganswer.example. 3600 IN A 10.10.33.36 +biganswer.example. 3600 IN A 10.10.33.37 +biganswer.example. 3600 IN A 10.10.33.38 +biganswer.example. 3600 IN A 10.10.33.39 +biganswer.example. 3600 IN A 10.10.33.40 +biganswer.example. 3600 IN A 10.10.33.41 +biganswer.example. 3600 IN A 10.10.33.42 +biganswer.example. 3600 IN A 10.10.33.43 +biganswer.example. 3600 IN A 10.10.33.44 +biganswer.example. 3600 IN A 10.10.33.45 +biganswer.example. 3600 IN A 10.10.33.46 +biganswer.example. 3600 IN A 10.10.33.47 +biganswer.example. 3600 IN A 10.10.33.48 +biganswer.example. 3600 IN A 10.10.33.49 +biganswer.example. 3600 IN A 10.10.33.50 +biganswer.example. 3600 IN A 10.10.34.1 +biganswer.example. 3600 IN A 10.10.34.2 +biganswer.example. 3600 IN A 10.10.34.3 +biganswer.example. 3600 IN A 10.10.34.4 +biganswer.example. 3600 IN A 10.10.34.5 +biganswer.example. 3600 IN A 10.10.34.6 +biganswer.example. 3600 IN A 10.10.34.7 +biganswer.example. 3600 IN A 10.10.34.8 +biganswer.example. 
3600 IN A 10.10.34.9 +biganswer.example. 3600 IN A 10.10.34.10 +biganswer.example. 3600 IN A 10.10.34.11 +biganswer.example. 3600 IN A 10.10.34.12 +biganswer.example. 3600 IN A 10.10.34.13 +biganswer.example. 3600 IN A 10.10.34.14 +biganswer.example. 3600 IN A 10.10.34.15 +biganswer.example. 3600 IN A 10.10.34.16 +biganswer.example. 3600 IN A 10.10.34.17 +biganswer.example. 3600 IN A 10.10.34.18 +biganswer.example. 3600 IN A 10.10.34.19 +biganswer.example. 3600 IN A 10.10.34.20 +biganswer.example. 3600 IN A 10.10.34.21 +biganswer.example. 3600 IN A 10.10.34.22 +biganswer.example. 3600 IN A 10.10.34.23 +biganswer.example. 3600 IN A 10.10.34.24 +biganswer.example. 3600 IN A 10.10.34.25 +biganswer.example. 3600 IN A 10.10.34.26 +biganswer.example. 3600 IN A 10.10.34.27 +biganswer.example. 3600 IN A 10.10.34.28 +biganswer.example. 3600 IN A 10.10.34.29 +biganswer.example. 3600 IN A 10.10.34.30 +biganswer.example. 3600 IN A 10.10.34.31 +biganswer.example. 3600 IN A 10.10.34.32 +biganswer.example. 3600 IN A 10.10.34.33 +biganswer.example. 3600 IN A 10.10.34.34 +biganswer.example. 3600 IN A 10.10.34.35 +biganswer.example. 3600 IN A 10.10.34.36 +biganswer.example. 3600 IN A 10.10.34.37 +biganswer.example. 3600 IN A 10.10.34.38 +biganswer.example. 3600 IN A 10.10.34.39 +biganswer.example. 3600 IN A 10.10.34.40 +biganswer.example. 3600 IN A 10.10.34.41 +biganswer.example. 3600 IN A 10.10.34.42 +biganswer.example. 3600 IN A 10.10.34.43 +biganswer.example. 3600 IN A 10.10.34.44 +biganswer.example. 3600 IN A 10.10.34.45 +biganswer.example. 3600 IN A 10.10.34.46 +biganswer.example. 3600 IN A 10.10.34.47 +biganswer.example. 3600 IN A 10.10.34.48 +biganswer.example. 3600 IN A 10.10.34.49 +biganswer.example. 3600 IN A 10.10.34.50 +biganswer.example. 3600 IN A 10.10.35.1 +biganswer.example. 3600 IN A 10.10.35.2 +biganswer.example. 3600 IN A 10.10.35.3 +biganswer.example. 3600 IN A 10.10.35.4 +biganswer.example. 3600 IN A 10.10.35.5 +biganswer.example. 
3600 IN A 10.10.35.6 +biganswer.example. 3600 IN A 10.10.35.7 +biganswer.example. 3600 IN A 10.10.35.8 +biganswer.example. 3600 IN A 10.10.35.9 +biganswer.example. 3600 IN A 10.10.35.10 +biganswer.example. 3600 IN A 10.10.35.11 +biganswer.example. 3600 IN A 10.10.35.12 +biganswer.example. 3600 IN A 10.10.35.13 +biganswer.example. 3600 IN A 10.10.35.14 +biganswer.example. 3600 IN A 10.10.35.15 +biganswer.example. 3600 IN A 10.10.35.16 +biganswer.example. 3600 IN A 10.10.35.17 +biganswer.example. 3600 IN A 10.10.35.18 +biganswer.example. 3600 IN A 10.10.35.19 +biganswer.example. 3600 IN A 10.10.35.20 +biganswer.example. 3600 IN A 10.10.35.21 +biganswer.example. 3600 IN A 10.10.35.22 +biganswer.example. 3600 IN A 10.10.35.23 +biganswer.example. 3600 IN A 10.10.35.24 +biganswer.example. 3600 IN A 10.10.35.25 +biganswer.example. 3600 IN A 10.10.35.26 +biganswer.example. 3600 IN A 10.10.35.27 +biganswer.example. 3600 IN A 10.10.35.28 +biganswer.example. 3600 IN A 10.10.35.29 +biganswer.example. 3600 IN A 10.10.35.30 +biganswer.example. 3600 IN A 10.10.35.31 +biganswer.example. 3600 IN A 10.10.35.32 +biganswer.example. 3600 IN A 10.10.35.33 +biganswer.example. 3600 IN A 10.10.35.34 +biganswer.example. 3600 IN A 10.10.35.35 +biganswer.example. 3600 IN A 10.10.35.36 +biganswer.example. 3600 IN A 10.10.35.37 +biganswer.example. 3600 IN A 10.10.35.38 +biganswer.example. 3600 IN A 10.10.35.39 +biganswer.example. 3600 IN A 10.10.35.40 +biganswer.example. 3600 IN A 10.10.35.41 +biganswer.example. 3600 IN A 10.10.35.42 +biganswer.example. 3600 IN A 10.10.35.43 +biganswer.example. 3600 IN A 10.10.35.44 +biganswer.example. 3600 IN A 10.10.35.45 +biganswer.example. 3600 IN A 10.10.35.46 +biganswer.example. 3600 IN A 10.10.35.47 +biganswer.example. 3600 IN A 10.10.35.48 +biganswer.example. 3600 IN A 10.10.35.49 +biganswer.example. 3600 IN A 10.10.35.50 +biganswer.example. 3600 IN A 10.10.36.1 +biganswer.example. 3600 IN A 10.10.36.2 +biganswer.example. 
3600 IN A 10.10.36.3 +biganswer.example. 3600 IN A 10.10.36.4 +biganswer.example. 3600 IN A 10.10.36.5 +biganswer.example. 3600 IN A 10.10.36.6 +biganswer.example. 3600 IN A 10.10.36.7 +biganswer.example. 3600 IN A 10.10.36.8 +biganswer.example. 3600 IN A 10.10.36.9 +biganswer.example. 3600 IN A 10.10.36.10 +biganswer.example. 3600 IN A 10.10.36.11 +biganswer.example. 3600 IN A 10.10.36.12 +biganswer.example. 3600 IN A 10.10.36.13 +biganswer.example. 3600 IN A 10.10.36.14 +biganswer.example. 3600 IN A 10.10.36.15 +biganswer.example. 3600 IN A 10.10.36.16 +biganswer.example. 3600 IN A 10.10.36.17 +biganswer.example. 3600 IN A 10.10.36.18 +biganswer.example. 3600 IN A 10.10.36.19 +biganswer.example. 3600 IN A 10.10.36.20 +biganswer.example. 3600 IN A 10.10.36.21 +biganswer.example. 3600 IN A 10.10.36.22 +biganswer.example. 3600 IN A 10.10.36.23 +biganswer.example. 3600 IN A 10.10.36.24 +biganswer.example. 3600 IN A 10.10.36.25 +biganswer.example. 3600 IN A 10.10.36.26 +biganswer.example. 3600 IN A 10.10.36.27 +biganswer.example. 3600 IN A 10.10.36.28 +biganswer.example. 3600 IN A 10.10.36.29 +biganswer.example. 3600 IN A 10.10.36.30 +biganswer.example. 3600 IN A 10.10.36.31 +biganswer.example. 3600 IN A 10.10.36.32 +biganswer.example. 3600 IN A 10.10.36.33 +biganswer.example. 3600 IN A 10.10.36.34 +biganswer.example. 3600 IN A 10.10.36.35 +biganswer.example. 3600 IN A 10.10.36.36 +biganswer.example. 3600 IN A 10.10.36.37 +biganswer.example. 3600 IN A 10.10.36.38 +biganswer.example. 3600 IN A 10.10.36.39 +biganswer.example. 3600 IN A 10.10.36.40 +biganswer.example. 3600 IN A 10.10.36.41 +biganswer.example. 3600 IN A 10.10.36.42 +biganswer.example. 3600 IN A 10.10.36.43 +biganswer.example. 3600 IN A 10.10.36.44 +biganswer.example. 3600 IN A 10.10.36.45 +biganswer.example. 3600 IN A 10.10.36.46 +biganswer.example. 3600 IN A 10.10.36.47 +biganswer.example. 3600 IN A 10.10.36.48 +biganswer.example. 3600 IN A 10.10.36.49 +biganswer.example. 
3600 IN A 10.10.36.50 +biganswer.example. 3600 IN A 10.10.37.1 +biganswer.example. 3600 IN A 10.10.37.2 +biganswer.example. 3600 IN A 10.10.37.3 +biganswer.example. 3600 IN A 10.10.37.4 +biganswer.example. 3600 IN A 10.10.37.5 +biganswer.example. 3600 IN A 10.10.37.6 +biganswer.example. 3600 IN A 10.10.37.7 +biganswer.example. 3600 IN A 10.10.37.8 +biganswer.example. 3600 IN A 10.10.37.9 +biganswer.example. 3600 IN A 10.10.37.10 +biganswer.example. 3600 IN A 10.10.37.11 +biganswer.example. 3600 IN A 10.10.37.12 +biganswer.example. 3600 IN A 10.10.37.13 +biganswer.example. 3600 IN A 10.10.37.14 +biganswer.example. 3600 IN A 10.10.37.15 +biganswer.example. 3600 IN A 10.10.37.16 +biganswer.example. 3600 IN A 10.10.37.17 +biganswer.example. 3600 IN A 10.10.37.18 +biganswer.example. 3600 IN A 10.10.37.19 +biganswer.example. 3600 IN A 10.10.37.20 +biganswer.example. 3600 IN A 10.10.37.21 +biganswer.example. 3600 IN A 10.10.37.22 +biganswer.example. 3600 IN A 10.10.37.23 +biganswer.example. 3600 IN A 10.10.37.24 +biganswer.example. 3600 IN A 10.10.37.25 +biganswer.example. 3600 IN A 10.10.37.26 +biganswer.example. 3600 IN A 10.10.37.27 +biganswer.example. 3600 IN A 10.10.37.28 +biganswer.example. 3600 IN A 10.10.37.29 +biganswer.example. 3600 IN A 10.10.37.30 +biganswer.example. 3600 IN A 10.10.37.31 +biganswer.example. 3600 IN A 10.10.37.32 +biganswer.example. 3600 IN A 10.10.37.33 +biganswer.example. 3600 IN A 10.10.37.34 +biganswer.example. 3600 IN A 10.10.37.35 +biganswer.example. 3600 IN A 10.10.37.36 +biganswer.example. 3600 IN A 10.10.37.37 +biganswer.example. 3600 IN A 10.10.37.38 +biganswer.example. 3600 IN A 10.10.37.39 +biganswer.example. 3600 IN A 10.10.37.40 +biganswer.example. 3600 IN A 10.10.37.41 +biganswer.example. 3600 IN A 10.10.37.42 +biganswer.example. 3600 IN A 10.10.37.43 +biganswer.example. 3600 IN A 10.10.37.44 +biganswer.example. 3600 IN A 10.10.37.45 +biganswer.example. 3600 IN A 10.10.37.46 +biganswer.example. 
3600 IN A 10.10.37.47 +biganswer.example. 3600 IN A 10.10.37.48 +biganswer.example. 3600 IN A 10.10.37.49 +biganswer.example. 3600 IN A 10.10.37.50 +biganswer.example. 3600 IN A 10.10.38.1 +biganswer.example. 3600 IN A 10.10.38.2 +biganswer.example. 3600 IN A 10.10.38.3 +biganswer.example. 3600 IN A 10.10.38.4 +biganswer.example. 3600 IN A 10.10.38.5 +biganswer.example. 3600 IN A 10.10.38.6 +biganswer.example. 3600 IN A 10.10.38.7 +biganswer.example. 3600 IN A 10.10.38.8 +biganswer.example. 3600 IN A 10.10.38.9 +biganswer.example. 3600 IN A 10.10.38.10 +biganswer.example. 3600 IN A 10.10.38.11 +biganswer.example. 3600 IN A 10.10.38.12 +biganswer.example. 3600 IN A 10.10.38.13 +biganswer.example. 3600 IN A 10.10.38.14 +biganswer.example. 3600 IN A 10.10.38.15 +biganswer.example. 3600 IN A 10.10.38.16 +biganswer.example. 3600 IN A 10.10.38.17 +biganswer.example. 3600 IN A 10.10.38.18 +biganswer.example. 3600 IN A 10.10.38.19 +biganswer.example. 3600 IN A 10.10.38.20 +biganswer.example. 3600 IN A 10.10.38.21 +biganswer.example. 3600 IN A 10.10.38.22 +biganswer.example. 3600 IN A 10.10.38.23 +biganswer.example. 3600 IN A 10.10.38.24 +biganswer.example. 3600 IN A 10.10.38.25 +biganswer.example. 3600 IN A 10.10.38.26 +biganswer.example. 3600 IN A 10.10.38.27 +biganswer.example. 3600 IN A 10.10.38.28 +biganswer.example. 3600 IN A 10.10.38.29 +biganswer.example. 3600 IN A 10.10.38.30 +biganswer.example. 3600 IN A 10.10.38.31 +biganswer.example. 3600 IN A 10.10.38.32 +biganswer.example. 3600 IN A 10.10.38.33 +biganswer.example. 3600 IN A 10.10.38.34 +biganswer.example. 3600 IN A 10.10.38.35 +biganswer.example. 3600 IN A 10.10.38.36 +biganswer.example. 3600 IN A 10.10.38.37 +biganswer.example. 3600 IN A 10.10.38.38 +biganswer.example. 3600 IN A 10.10.38.39 +biganswer.example. 3600 IN A 10.10.38.40 +biganswer.example. 3600 IN A 10.10.38.41 +biganswer.example. 3600 IN A 10.10.38.42 +biganswer.example. 3600 IN A 10.10.38.43 +biganswer.example. 
3600 IN A 10.10.38.44 +biganswer.example. 3600 IN A 10.10.38.45 +biganswer.example. 3600 IN A 10.10.38.46 +biganswer.example. 3600 IN A 10.10.38.47 +biganswer.example. 3600 IN A 10.10.38.48 +biganswer.example. 3600 IN A 10.10.38.49 +biganswer.example. 3600 IN A 10.10.38.50 +biganswer.example. 3600 IN A 10.10.39.1 +biganswer.example. 3600 IN A 10.10.39.2 +biganswer.example. 3600 IN A 10.10.39.3 +biganswer.example. 3600 IN A 10.10.39.4 +biganswer.example. 3600 IN A 10.10.39.5 +biganswer.example. 3600 IN A 10.10.39.6 +biganswer.example. 3600 IN A 10.10.39.7 +biganswer.example. 3600 IN A 10.10.39.8 +biganswer.example. 3600 IN A 10.10.39.9 +biganswer.example. 3600 IN A 10.10.39.10 +biganswer.example. 3600 IN A 10.10.39.11 +biganswer.example. 3600 IN A 10.10.39.12 +biganswer.example. 3600 IN A 10.10.39.13 +biganswer.example. 3600 IN A 10.10.39.14 +biganswer.example. 3600 IN A 10.10.39.15 +biganswer.example. 3600 IN A 10.10.39.16 +biganswer.example. 3600 IN A 10.10.39.17 +biganswer.example. 3600 IN A 10.10.39.18 +biganswer.example. 3600 IN A 10.10.39.19 +biganswer.example. 3600 IN A 10.10.39.20 +biganswer.example. 3600 IN A 10.10.39.21 +biganswer.example. 3600 IN A 10.10.39.22 +biganswer.example. 3600 IN A 10.10.39.23 +biganswer.example. 3600 IN A 10.10.39.24 +biganswer.example. 3600 IN A 10.10.39.25 +biganswer.example. 3600 IN A 10.10.39.26 +biganswer.example. 3600 IN A 10.10.39.27 +biganswer.example. 3600 IN A 10.10.39.28 +biganswer.example. 3600 IN A 10.10.39.29 +biganswer.example. 3600 IN A 10.10.39.30 +biganswer.example. 3600 IN A 10.10.39.31 +biganswer.example. 3600 IN A 10.10.39.32 +biganswer.example. 3600 IN A 10.10.39.33 +biganswer.example. 3600 IN A 10.10.39.34 +biganswer.example. 3600 IN A 10.10.39.35 +biganswer.example. 3600 IN A 10.10.39.36 +biganswer.example. 3600 IN A 10.10.39.37 +biganswer.example. 3600 IN A 10.10.39.38 +biganswer.example. 3600 IN A 10.10.39.39 +biganswer.example. 3600 IN A 10.10.39.40 +biganswer.example. 
3600 IN A 10.10.39.41 +biganswer.example. 3600 IN A 10.10.39.42 +biganswer.example. 3600 IN A 10.10.39.43 +biganswer.example. 3600 IN A 10.10.39.44 +biganswer.example. 3600 IN A 10.10.39.45 +biganswer.example. 3600 IN A 10.10.39.46 +biganswer.example. 3600 IN A 10.10.39.47 +biganswer.example. 3600 IN A 10.10.39.48 +biganswer.example. 3600 IN A 10.10.39.49 +biganswer.example. 3600 IN A 10.10.39.50 +biganswer.example. 3600 IN A 10.10.40.1 +biganswer.example. 3600 IN A 10.10.40.2 +biganswer.example. 3600 IN A 10.10.40.3 +biganswer.example. 3600 IN A 10.10.40.4 +biganswer.example. 3600 IN A 10.10.40.5 +biganswer.example. 3600 IN A 10.10.40.6 +biganswer.example. 3600 IN A 10.10.40.7 +biganswer.example. 3600 IN A 10.10.40.8 +biganswer.example. 3600 IN A 10.10.40.9 +biganswer.example. 3600 IN A 10.10.40.10 +biganswer.example. 3600 IN A 10.10.40.11 +biganswer.example. 3600 IN A 10.10.40.12 +biganswer.example. 3600 IN A 10.10.40.13 +biganswer.example. 3600 IN A 10.10.40.14 +biganswer.example. 3600 IN A 10.10.40.15 +biganswer.example. 3600 IN A 10.10.40.16 +biganswer.example. 3600 IN A 10.10.40.17 +biganswer.example. 3600 IN A 10.10.40.18 +biganswer.example. 3600 IN A 10.10.40.19 +biganswer.example. 3600 IN A 10.10.40.20 +biganswer.example. 3600 IN A 10.10.40.21 +biganswer.example. 3600 IN A 10.10.40.22 +biganswer.example. 3600 IN A 10.10.40.23 +biganswer.example. 3600 IN A 10.10.40.24 +biganswer.example. 3600 IN A 10.10.40.25 +biganswer.example. 3600 IN A 10.10.40.26 +biganswer.example. 3600 IN A 10.10.40.27 +biganswer.example. 3600 IN A 10.10.40.28 +biganswer.example. 3600 IN A 10.10.40.29 +biganswer.example. 3600 IN A 10.10.40.30 +biganswer.example. 3600 IN A 10.10.40.31 +biganswer.example. 3600 IN A 10.10.40.32 +biganswer.example. 3600 IN A 10.10.40.33 +biganswer.example. 3600 IN A 10.10.40.34 +biganswer.example. 3600 IN A 10.10.40.35 +biganswer.example. 3600 IN A 10.10.40.36 +biganswer.example. 3600 IN A 10.10.40.37 +biganswer.example. 
3600 IN A 10.10.40.38 +biganswer.example. 3600 IN A 10.10.40.39 +biganswer.example. 3600 IN A 10.10.40.40 +biganswer.example. 3600 IN A 10.10.40.41 +biganswer.example. 3600 IN A 10.10.40.42 +biganswer.example. 3600 IN A 10.10.40.43 +biganswer.example. 3600 IN A 10.10.40.44 +biganswer.example. 3600 IN A 10.10.40.45 +biganswer.example. 3600 IN A 10.10.40.46 +biganswer.example. 3600 IN A 10.10.40.47 +biganswer.example. 3600 IN A 10.10.40.48 +biganswer.example. 3600 IN A 10.10.40.49 +biganswer.example. 3600 IN A 10.10.40.50 +biganswer.example. 3600 IN A 10.10.41.1 +biganswer.example. 3600 IN A 10.10.41.2 +biganswer.example. 3600 IN A 10.10.41.3 +biganswer.example. 3600 IN A 10.10.41.4 +biganswer.example. 3600 IN A 10.10.41.5 +biganswer.example. 3600 IN A 10.10.41.6 +biganswer.example. 3600 IN A 10.10.41.7 +biganswer.example. 3600 IN A 10.10.41.8 +biganswer.example. 3600 IN A 10.10.41.9 +biganswer.example. 3600 IN A 10.10.41.10 +biganswer.example. 3600 IN A 10.10.41.11 +biganswer.example. 3600 IN A 10.10.41.12 +biganswer.example. 3600 IN A 10.10.41.13 +biganswer.example. 3600 IN A 10.10.41.14 +biganswer.example. 3600 IN A 10.10.41.15 +biganswer.example. 3600 IN A 10.10.41.16 +biganswer.example. 3600 IN A 10.10.41.17 +biganswer.example. 3600 IN A 10.10.41.18 +biganswer.example. 3600 IN A 10.10.41.19 +biganswer.example. 3600 IN A 10.10.41.20 +biganswer.example. 3600 IN A 10.10.41.21 +biganswer.example. 3600 IN A 10.10.41.22 +biganswer.example. 3600 IN A 10.10.41.23 +biganswer.example. 3600 IN A 10.10.41.24 +biganswer.example. 3600 IN A 10.10.41.25 +biganswer.example. 3600 IN A 10.10.41.26 +biganswer.example. 3600 IN A 10.10.41.27 +biganswer.example. 3600 IN A 10.10.41.28 +biganswer.example. 3600 IN A 10.10.41.29 +biganswer.example. 3600 IN A 10.10.41.30 +biganswer.example. 3600 IN A 10.10.41.31 +biganswer.example. 3600 IN A 10.10.41.32 +biganswer.example. 3600 IN A 10.10.41.33 +biganswer.example. 3600 IN A 10.10.41.34 +biganswer.example. 
3600 IN A 10.10.41.35 +biganswer.example. 3600 IN A 10.10.41.36 +biganswer.example. 3600 IN A 10.10.41.37 +biganswer.example. 3600 IN A 10.10.41.38 +biganswer.example. 3600 IN A 10.10.41.39 +biganswer.example. 3600 IN A 10.10.41.40 +biganswer.example. 3600 IN A 10.10.41.41 +biganswer.example. 3600 IN A 10.10.41.42 +biganswer.example. 3600 IN A 10.10.41.43 +biganswer.example. 3600 IN A 10.10.41.44 +biganswer.example. 3600 IN A 10.10.41.45 +biganswer.example. 3600 IN A 10.10.41.46 +biganswer.example. 3600 IN A 10.10.41.47 +biganswer.example. 3600 IN A 10.10.41.48 +biganswer.example. 3600 IN A 10.10.41.49 +biganswer.example. 3600 IN A 10.10.41.50 +biganswer.example. 3600 IN A 10.10.42.1 +biganswer.example. 3600 IN A 10.10.42.2 +biganswer.example. 3600 IN A 10.10.42.3 +biganswer.example. 3600 IN A 10.10.42.4 +biganswer.example. 3600 IN A 10.10.42.5 +biganswer.example. 3600 IN A 10.10.42.6 +biganswer.example. 3600 IN A 10.10.42.7 +biganswer.example. 3600 IN A 10.10.42.8 +biganswer.example. 3600 IN A 10.10.42.9 +biganswer.example. 3600 IN A 10.10.42.10 +biganswer.example. 3600 IN A 10.10.42.11 +biganswer.example. 3600 IN A 10.10.42.12 +biganswer.example. 3600 IN A 10.10.42.13 +biganswer.example. 3600 IN A 10.10.42.14 +biganswer.example. 3600 IN A 10.10.42.15 +biganswer.example. 3600 IN A 10.10.42.16 +biganswer.example. 3600 IN A 10.10.42.17 +biganswer.example. 3600 IN A 10.10.42.18 +biganswer.example. 3600 IN A 10.10.42.19 +biganswer.example. 3600 IN A 10.10.42.20 +biganswer.example. 3600 IN A 10.10.42.21 +biganswer.example. 3600 IN A 10.10.42.22 +biganswer.example. 3600 IN A 10.10.42.23 +biganswer.example. 3600 IN A 10.10.42.24 +biganswer.example. 3600 IN A 10.10.42.25 +biganswer.example. 3600 IN A 10.10.42.26 +biganswer.example. 3600 IN A 10.10.42.27 +biganswer.example. 3600 IN A 10.10.42.28 +biganswer.example. 3600 IN A 10.10.42.29 +biganswer.example. 3600 IN A 10.10.42.30 +biganswer.example. 3600 IN A 10.10.42.31 +biganswer.example. 
3600 IN A 10.10.42.32 +biganswer.example. 3600 IN A 10.10.42.33 +biganswer.example. 3600 IN A 10.10.42.34 +biganswer.example. 3600 IN A 10.10.42.35 +biganswer.example. 3600 IN A 10.10.42.36 +biganswer.example. 3600 IN A 10.10.42.37 +biganswer.example. 3600 IN A 10.10.42.38 +biganswer.example. 3600 IN A 10.10.42.39 +biganswer.example. 3600 IN A 10.10.42.40 +biganswer.example. 3600 IN A 10.10.42.41 +biganswer.example. 3600 IN A 10.10.42.42 +biganswer.example. 3600 IN A 10.10.42.43 +biganswer.example. 3600 IN A 10.10.42.44 +biganswer.example. 3600 IN A 10.10.42.45 +biganswer.example. 3600 IN A 10.10.42.46 +biganswer.example. 3600 IN A 10.10.42.47 +biganswer.example. 3600 IN A 10.10.42.48 +biganswer.example. 3600 IN A 10.10.42.49 +biganswer.example. 3600 IN A 10.10.42.50 +biganswer.example. 3600 IN A 10.10.43.1 +biganswer.example. 3600 IN A 10.10.43.2 +biganswer.example. 3600 IN A 10.10.43.3 +biganswer.example. 3600 IN A 10.10.43.4 +biganswer.example. 3600 IN A 10.10.43.5 +biganswer.example. 3600 IN A 10.10.43.6 +biganswer.example. 3600 IN A 10.10.43.7 +biganswer.example. 3600 IN A 10.10.43.8 +biganswer.example. 3600 IN A 10.10.43.9 +biganswer.example. 3600 IN A 10.10.43.10 +biganswer.example. 3600 IN A 10.10.43.11 +biganswer.example. 3600 IN A 10.10.43.12 +biganswer.example. 3600 IN A 10.10.43.13 +biganswer.example. 3600 IN A 10.10.43.14 +biganswer.example. 3600 IN A 10.10.43.15 +biganswer.example. 3600 IN A 10.10.43.16 +biganswer.example. 3600 IN A 10.10.43.17 +biganswer.example. 3600 IN A 10.10.43.18 +biganswer.example. 3600 IN A 10.10.43.19 +biganswer.example. 3600 IN A 10.10.43.20 +biganswer.example. 3600 IN A 10.10.43.21 +biganswer.example. 3600 IN A 10.10.43.22 +biganswer.example. 3600 IN A 10.10.43.23 +biganswer.example. 3600 IN A 10.10.43.24 +biganswer.example. 3600 IN A 10.10.43.25 +biganswer.example. 3600 IN A 10.10.43.26 +biganswer.example. 3600 IN A 10.10.43.27 +biganswer.example. 3600 IN A 10.10.43.28 +biganswer.example. 
3600 IN A 10.10.43.29 +biganswer.example. 3600 IN A 10.10.43.30 +biganswer.example. 3600 IN A 10.10.43.31 +biganswer.example. 3600 IN A 10.10.43.32 +biganswer.example. 3600 IN A 10.10.43.33 +biganswer.example. 3600 IN A 10.10.43.34 +biganswer.example. 3600 IN A 10.10.43.35 +biganswer.example. 3600 IN A 10.10.43.36 +biganswer.example. 3600 IN A 10.10.43.37 +biganswer.example. 3600 IN A 10.10.43.38 +biganswer.example. 3600 IN A 10.10.43.39 +biganswer.example. 3600 IN A 10.10.43.40 +biganswer.example. 3600 IN A 10.10.43.41 +biganswer.example. 3600 IN A 10.10.43.42 +biganswer.example. 3600 IN A 10.10.43.43 +biganswer.example. 3600 IN A 10.10.43.44 +biganswer.example. 3600 IN A 10.10.43.45 +biganswer.example. 3600 IN A 10.10.43.46 +biganswer.example. 3600 IN A 10.10.43.47 +biganswer.example. 3600 IN A 10.10.43.48 +biganswer.example. 3600 IN A 10.10.43.49 +biganswer.example. 3600 IN A 10.10.43.50 +biganswer.example. 3600 IN A 10.10.44.1 +biganswer.example. 3600 IN A 10.10.44.2 +biganswer.example. 3600 IN A 10.10.44.3 +biganswer.example. 3600 IN A 10.10.44.4 +biganswer.example. 3600 IN A 10.10.44.5 +biganswer.example. 3600 IN A 10.10.44.6 +biganswer.example. 3600 IN A 10.10.44.7 +biganswer.example. 3600 IN A 10.10.44.8 +biganswer.example. 3600 IN A 10.10.44.9 +biganswer.example. 3600 IN A 10.10.44.10 +biganswer.example. 3600 IN A 10.10.44.11 +biganswer.example. 3600 IN A 10.10.44.12 +biganswer.example. 3600 IN A 10.10.44.13 +biganswer.example. 3600 IN A 10.10.44.14 +biganswer.example. 3600 IN A 10.10.44.15 +biganswer.example. 3600 IN A 10.10.44.16 +biganswer.example. 3600 IN A 10.10.44.17 +biganswer.example. 3600 IN A 10.10.44.18 +biganswer.example. 3600 IN A 10.10.44.19 +biganswer.example. 3600 IN A 10.10.44.20 +biganswer.example. 3600 IN A 10.10.44.21 +biganswer.example. 3600 IN A 10.10.44.22 +biganswer.example. 3600 IN A 10.10.44.23 +biganswer.example. 3600 IN A 10.10.44.24 +biganswer.example. 3600 IN A 10.10.44.25 +biganswer.example. 
3600 IN A 10.10.44.26 +biganswer.example. 3600 IN A 10.10.44.27 +biganswer.example. 3600 IN A 10.10.44.28 +biganswer.example. 3600 IN A 10.10.44.29 +biganswer.example. 3600 IN A 10.10.44.30 +biganswer.example. 3600 IN A 10.10.44.31 +biganswer.example. 3600 IN A 10.10.44.32 +biganswer.example. 3600 IN A 10.10.44.33 +biganswer.example. 3600 IN A 10.10.44.34 +biganswer.example. 3600 IN A 10.10.44.35 +biganswer.example. 3600 IN A 10.10.44.36 +biganswer.example. 3600 IN A 10.10.44.37 +biganswer.example. 3600 IN A 10.10.44.38 +biganswer.example. 3600 IN A 10.10.44.39 +biganswer.example. 3600 IN A 10.10.44.40 +biganswer.example. 3600 IN A 10.10.44.41 +biganswer.example. 3600 IN A 10.10.44.42 +biganswer.example. 3600 IN A 10.10.44.43 +biganswer.example. 3600 IN A 10.10.44.44 +biganswer.example. 3600 IN A 10.10.44.45 +biganswer.example. 3600 IN A 10.10.44.46 +biganswer.example. 3600 IN A 10.10.44.47 +biganswer.example. 3600 IN A 10.10.44.48 +biganswer.example. 3600 IN A 10.10.44.49 +biganswer.example. 3600 IN A 10.10.44.50 +biganswer.example. 3600 IN A 10.10.45.1 +biganswer.example. 3600 IN A 10.10.45.2 +biganswer.example. 3600 IN A 10.10.45.3 +biganswer.example. 3600 IN A 10.10.45.4 +biganswer.example. 3600 IN A 10.10.45.5 +biganswer.example. 3600 IN A 10.10.45.6 +biganswer.example. 3600 IN A 10.10.45.7 +biganswer.example. 3600 IN A 10.10.45.8 +biganswer.example. 3600 IN A 10.10.45.9 +biganswer.example. 3600 IN A 10.10.45.10 +biganswer.example. 3600 IN A 10.10.45.11 +biganswer.example. 3600 IN A 10.10.45.12 +biganswer.example. 3600 IN A 10.10.45.13 +biganswer.example. 3600 IN A 10.10.45.14 +biganswer.example. 3600 IN A 10.10.45.15 +biganswer.example. 3600 IN A 10.10.45.16 +biganswer.example. 3600 IN A 10.10.45.17 +biganswer.example. 3600 IN A 10.10.45.18 +biganswer.example. 3600 IN A 10.10.45.19 +biganswer.example. 3600 IN A 10.10.45.20 +biganswer.example. 3600 IN A 10.10.45.21 +biganswer.example. 3600 IN A 10.10.45.22 +biganswer.example. 
3600 IN A 10.10.45.23 +biganswer.example. 3600 IN A 10.10.45.24 +biganswer.example. 3600 IN A 10.10.45.25 +biganswer.example. 3600 IN A 10.10.45.26 +biganswer.example. 3600 IN A 10.10.45.27 +biganswer.example. 3600 IN A 10.10.45.28 +biganswer.example. 3600 IN A 10.10.45.29 +biganswer.example. 3600 IN A 10.10.45.30 +biganswer.example. 3600 IN A 10.10.45.31 +biganswer.example. 3600 IN A 10.10.45.32 +biganswer.example. 3600 IN A 10.10.45.33 +biganswer.example. 3600 IN A 10.10.45.34 +biganswer.example. 3600 IN A 10.10.45.35 +biganswer.example. 3600 IN A 10.10.45.36 +biganswer.example. 3600 IN A 10.10.45.37 +biganswer.example. 3600 IN A 10.10.45.38 +biganswer.example. 3600 IN A 10.10.45.39 +biganswer.example. 3600 IN A 10.10.45.40 +biganswer.example. 3600 IN A 10.10.45.41 +biganswer.example. 3600 IN A 10.10.45.42 +biganswer.example. 3600 IN A 10.10.45.43 +biganswer.example. 3600 IN A 10.10.45.44 +biganswer.example. 3600 IN A 10.10.45.45 +biganswer.example. 3600 IN A 10.10.45.46 +biganswer.example. 3600 IN A 10.10.45.47 +biganswer.example. 3600 IN A 10.10.45.48 +biganswer.example. 3600 IN A 10.10.45.49 +biganswer.example. 3600 IN A 10.10.45.50 +biganswer.example. 3600 IN A 10.10.46.1 +biganswer.example. 3600 IN A 10.10.46.2 +biganswer.example. 3600 IN A 10.10.46.3 +biganswer.example. 3600 IN A 10.10.46.4 +biganswer.example. 3600 IN A 10.10.46.5 +biganswer.example. 3600 IN A 10.10.46.6 +biganswer.example. 3600 IN A 10.10.46.7 +biganswer.example. 3600 IN A 10.10.46.8 +biganswer.example. 3600 IN A 10.10.46.9 +biganswer.example. 3600 IN A 10.10.46.10 +biganswer.example. 3600 IN A 10.10.46.11 +biganswer.example. 3600 IN A 10.10.46.12 +biganswer.example. 3600 IN A 10.10.46.13 +biganswer.example. 3600 IN A 10.10.46.14 +biganswer.example. 3600 IN A 10.10.46.15 +biganswer.example. 3600 IN A 10.10.46.16 +biganswer.example. 3600 IN A 10.10.46.17 +biganswer.example. 3600 IN A 10.10.46.18 +biganswer.example. 3600 IN A 10.10.46.19 +biganswer.example. 
3600 IN A 10.10.46.20 +biganswer.example. 3600 IN A 10.10.46.21 +biganswer.example. 3600 IN A 10.10.46.22 +biganswer.example. 3600 IN A 10.10.46.23 +biganswer.example. 3600 IN A 10.10.46.24 +biganswer.example. 3600 IN A 10.10.46.25 +biganswer.example. 3600 IN A 10.10.46.26 +biganswer.example. 3600 IN A 10.10.46.27 +biganswer.example. 3600 IN A 10.10.46.28 +biganswer.example. 3600 IN A 10.10.46.29 +biganswer.example. 3600 IN A 10.10.46.30 +biganswer.example. 3600 IN A 10.10.46.31 +biganswer.example. 3600 IN A 10.10.46.32 +biganswer.example. 3600 IN A 10.10.46.33 +biganswer.example. 3600 IN A 10.10.46.34 +biganswer.example. 3600 IN A 10.10.46.35 +biganswer.example. 3600 IN A 10.10.46.36 +biganswer.example. 3600 IN A 10.10.46.37 +biganswer.example. 3600 IN A 10.10.46.38 +biganswer.example. 3600 IN A 10.10.46.39 +biganswer.example. 3600 IN A 10.10.46.40 +biganswer.example. 3600 IN A 10.10.46.41 +biganswer.example. 3600 IN A 10.10.46.42 +biganswer.example. 3600 IN A 10.10.46.43 +biganswer.example. 3600 IN A 10.10.46.44 +biganswer.example. 3600 IN A 10.10.46.45 +biganswer.example. 3600 IN A 10.10.46.46 +biganswer.example. 3600 IN A 10.10.46.47 +biganswer.example. 3600 IN A 10.10.46.48 +biganswer.example. 3600 IN A 10.10.46.49 +biganswer.example. 3600 IN A 10.10.46.50 +biganswer.example. 3600 IN A 10.10.47.1 +biganswer.example. 3600 IN A 10.10.47.2 +biganswer.example. 3600 IN A 10.10.47.3 +biganswer.example. 3600 IN A 10.10.47.4 +biganswer.example. 3600 IN A 10.10.47.5 +biganswer.example. 3600 IN A 10.10.47.6 +biganswer.example. 3600 IN A 10.10.47.7 +biganswer.example. 3600 IN A 10.10.47.8 +biganswer.example. 3600 IN A 10.10.47.9 +biganswer.example. 3600 IN A 10.10.47.10 +biganswer.example. 3600 IN A 10.10.47.11 +biganswer.example. 3600 IN A 10.10.47.12 +biganswer.example. 3600 IN A 10.10.47.13 +biganswer.example. 3600 IN A 10.10.47.14 +biganswer.example. 3600 IN A 10.10.47.15 +biganswer.example. 3600 IN A 10.10.47.16 +biganswer.example. 
3600 IN A 10.10.47.17 +biganswer.example. 3600 IN A 10.10.47.18 +biganswer.example. 3600 IN A 10.10.47.19 +biganswer.example. 3600 IN A 10.10.47.20 +biganswer.example. 3600 IN A 10.10.47.21 +biganswer.example. 3600 IN A 10.10.47.22 +biganswer.example. 3600 IN A 10.10.47.23 +biganswer.example. 3600 IN A 10.10.47.24 +biganswer.example. 3600 IN A 10.10.47.25 +biganswer.example. 3600 IN A 10.10.47.26 +biganswer.example. 3600 IN A 10.10.47.27 +biganswer.example. 3600 IN A 10.10.47.28 +biganswer.example. 3600 IN A 10.10.47.29 +biganswer.example. 3600 IN A 10.10.47.30 +biganswer.example. 3600 IN A 10.10.47.31 +biganswer.example. 3600 IN A 10.10.47.32 +biganswer.example. 3600 IN A 10.10.47.33 +biganswer.example. 3600 IN A 10.10.47.34 +biganswer.example. 3600 IN A 10.10.47.35 +biganswer.example. 3600 IN A 10.10.47.36 +biganswer.example. 3600 IN A 10.10.47.37 +biganswer.example. 3600 IN A 10.10.47.38 +biganswer.example. 3600 IN A 10.10.47.39 +biganswer.example. 3600 IN A 10.10.47.40 +biganswer.example. 3600 IN A 10.10.47.41 +biganswer.example. 3600 IN A 10.10.47.42 +biganswer.example. 3600 IN A 10.10.47.43 +biganswer.example. 3600 IN A 10.10.47.44 +biganswer.example. 3600 IN A 10.10.47.45 +biganswer.example. 3600 IN A 10.10.47.46 +biganswer.example. 3600 IN A 10.10.47.47 +biganswer.example. 3600 IN A 10.10.47.48 +biganswer.example. 3600 IN A 10.10.47.49 +biganswer.example. 3600 IN A 10.10.47.50 +biganswer.example. 3600 IN A 10.10.48.1 +biganswer.example. 3600 IN A 10.10.48.2 +biganswer.example. 3600 IN A 10.10.48.3 +biganswer.example. 3600 IN A 10.10.48.4 +biganswer.example. 3600 IN A 10.10.48.5 +biganswer.example. 3600 IN A 10.10.48.6 +biganswer.example. 3600 IN A 10.10.48.7 +biganswer.example. 3600 IN A 10.10.48.8 +biganswer.example. 3600 IN A 10.10.48.9 +biganswer.example. 3600 IN A 10.10.48.10 +biganswer.example. 3600 IN A 10.10.48.11 +biganswer.example. 3600 IN A 10.10.48.12 +biganswer.example. 3600 IN A 10.10.48.13 +biganswer.example. 
3600 IN A 10.10.48.14 +biganswer.example. 3600 IN A 10.10.48.15 +biganswer.example. 3600 IN A 10.10.48.16 +biganswer.example. 3600 IN A 10.10.48.17 +biganswer.example. 3600 IN A 10.10.48.18 +biganswer.example. 3600 IN A 10.10.48.19 +biganswer.example. 3600 IN A 10.10.48.20 +biganswer.example. 3600 IN A 10.10.48.21 +biganswer.example. 3600 IN A 10.10.48.22 +biganswer.example. 3600 IN A 10.10.48.23 +biganswer.example. 3600 IN A 10.10.48.24 +biganswer.example. 3600 IN A 10.10.48.25 +biganswer.example. 3600 IN A 10.10.48.26 +biganswer.example. 3600 IN A 10.10.48.27 +biganswer.example. 3600 IN A 10.10.48.28 +biganswer.example. 3600 IN A 10.10.48.29 +biganswer.example. 3600 IN A 10.10.48.30 +biganswer.example. 3600 IN A 10.10.48.31 +biganswer.example. 3600 IN A 10.10.48.32 +biganswer.example. 3600 IN A 10.10.48.33 +biganswer.example. 3600 IN A 10.10.48.34 +biganswer.example. 3600 IN A 10.10.48.35 +biganswer.example. 3600 IN A 10.10.48.36 +biganswer.example. 3600 IN A 10.10.48.37 +biganswer.example. 3600 IN A 10.10.48.38 +biganswer.example. 3600 IN A 10.10.48.39 +biganswer.example. 3600 IN A 10.10.48.40 +biganswer.example. 3600 IN A 10.10.48.41 +biganswer.example. 3600 IN A 10.10.48.42 +biganswer.example. 3600 IN A 10.10.48.43 +biganswer.example. 3600 IN A 10.10.48.44 +biganswer.example. 3600 IN A 10.10.48.45 +biganswer.example. 3600 IN A 10.10.48.46 +biganswer.example. 3600 IN A 10.10.48.47 +biganswer.example. 3600 IN A 10.10.48.48 +biganswer.example. 3600 IN A 10.10.48.49 +biganswer.example. 3600 IN A 10.10.48.50 +biganswer.example. 3600 IN A 10.10.49.1 +biganswer.example. 3600 IN A 10.10.49.2 +biganswer.example. 3600 IN A 10.10.49.3 +biganswer.example. 3600 IN A 10.10.49.4 +biganswer.example. 3600 IN A 10.10.49.5 +biganswer.example. 3600 IN A 10.10.49.6 +biganswer.example. 3600 IN A 10.10.49.7 +biganswer.example. 3600 IN A 10.10.49.8 +biganswer.example. 3600 IN A 10.10.49.9 +biganswer.example. 3600 IN A 10.10.49.10 +biganswer.example. 
3600 IN A 10.10.49.11 +biganswer.example. 3600 IN A 10.10.49.12 +biganswer.example. 3600 IN A 10.10.49.13 +biganswer.example. 3600 IN A 10.10.49.14 +biganswer.example. 3600 IN A 10.10.49.15 +biganswer.example. 3600 IN A 10.10.49.16 +biganswer.example. 3600 IN A 10.10.49.17 +biganswer.example. 3600 IN A 10.10.49.18 +biganswer.example. 3600 IN A 10.10.49.19 +biganswer.example. 3600 IN A 10.10.49.20 +biganswer.example. 3600 IN A 10.10.49.21 +biganswer.example. 3600 IN A 10.10.49.22 +biganswer.example. 3600 IN A 10.10.49.23 +biganswer.example. 3600 IN A 10.10.49.24 +biganswer.example. 3600 IN A 10.10.49.25 +biganswer.example. 3600 IN A 10.10.49.26 +biganswer.example. 3600 IN A 10.10.49.27 +biganswer.example. 3600 IN A 10.10.49.28 +biganswer.example. 3600 IN A 10.10.49.29 +biganswer.example. 3600 IN A 10.10.49.30 +biganswer.example. 3600 IN A 10.10.49.31 +biganswer.example. 3600 IN A 10.10.49.32 +biganswer.example. 3600 IN A 10.10.49.33 +biganswer.example. 3600 IN A 10.10.49.34 +biganswer.example. 3600 IN A 10.10.49.35 +biganswer.example. 3600 IN A 10.10.49.36 +biganswer.example. 3600 IN A 10.10.49.37 +biganswer.example. 3600 IN A 10.10.49.38 +biganswer.example. 3600 IN A 10.10.49.39 +biganswer.example. 3600 IN A 10.10.49.40 +biganswer.example. 3600 IN A 10.10.49.41 +biganswer.example. 3600 IN A 10.10.49.42 +biganswer.example. 3600 IN A 10.10.49.43 +biganswer.example. 3600 IN A 10.10.49.44 +biganswer.example. 3600 IN A 10.10.49.45 +biganswer.example. 3600 IN A 10.10.49.46 +biganswer.example. 3600 IN A 10.10.49.47 +biganswer.example. 3600 IN A 10.10.49.48 +biganswer.example. 3600 IN A 10.10.49.49 +biganswer.example. 3600 IN A 10.10.49.50 +biganswer.example. 3600 IN A 10.10.50.1 +biganswer.example. 3600 IN A 10.10.50.2 +biganswer.example. 3600 IN A 10.10.50.3 +biganswer.example. 3600 IN A 10.10.50.4 +biganswer.example. 3600 IN A 10.10.50.5 +biganswer.example. 3600 IN A 10.10.50.6 +biganswer.example. 3600 IN A 10.10.50.7 +biganswer.example. 
3600 IN A 10.10.50.8 +biganswer.example. 3600 IN A 10.10.50.9 +biganswer.example. 3600 IN A 10.10.50.10 +biganswer.example. 3600 IN A 10.10.50.11 +biganswer.example. 3600 IN A 10.10.50.12 +biganswer.example. 3600 IN A 10.10.50.13 +biganswer.example. 3600 IN A 10.10.50.14 +biganswer.example. 3600 IN A 10.10.50.15 +biganswer.example. 3600 IN A 10.10.50.16 +biganswer.example. 3600 IN A 10.10.50.17 +biganswer.example. 3600 IN A 10.10.50.18 +biganswer.example. 3600 IN A 10.10.50.19 +biganswer.example. 3600 IN A 10.10.50.20 +biganswer.example. 3600 IN A 10.10.50.21 +biganswer.example. 3600 IN A 10.10.50.22 +biganswer.example. 3600 IN A 10.10.50.23 +biganswer.example. 3600 IN A 10.10.50.24 +biganswer.example. 3600 IN A 10.10.50.25 +biganswer.example. 3600 IN A 10.10.50.26 +biganswer.example. 3600 IN A 10.10.50.27 +biganswer.example. 3600 IN A 10.10.50.28 +biganswer.example. 3600 IN A 10.10.50.29 +biganswer.example. 3600 IN A 10.10.50.30 +biganswer.example. 3600 IN A 10.10.50.31 +biganswer.example. 3600 IN A 10.10.50.32 +biganswer.example. 3600 IN A 10.10.50.33 +biganswer.example. 3600 IN A 10.10.50.34 +biganswer.example. 3600 IN A 10.10.50.35 +biganswer.example. 3600 IN A 10.10.50.36 +biganswer.example. 3600 IN A 10.10.50.37 +biganswer.example. 3600 IN A 10.10.50.38 +biganswer.example. 3600 IN A 10.10.50.39 +biganswer.example. 3600 IN A 10.10.50.40 +biganswer.example. 3600 IN A 10.10.50.41 +biganswer.example. 3600 IN A 10.10.50.42 +biganswer.example. 3600 IN A 10.10.50.43 +biganswer.example. 3600 IN A 10.10.50.44 +biganswer.example. 3600 IN A 10.10.50.45 +biganswer.example. 3600 IN A 10.10.50.46 +biganswer.example. 3600 IN A 10.10.50.47 +biganswer.example. 3600 IN A 10.10.50.48 +biganswer.example. 3600 IN A 10.10.50.49 +biganswer.example. 3600 IN A 10.10.50.50 caa01.example. 3600 IN CAA 0 issue "ca.example.net; policy=ev" caa02.example. 3600 IN CAA 128 tbs "Unknown" caa03.example. 3600 IN CAA 128 tbs "" 
@@ -58,6 +2558,8 @@ hinfo01.example. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4"
 hinfo02.example. 3600 IN HINFO "PC" "NetBSD"
 hip1.example. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
 hip2.example. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+https0.example. 3600 IN HTTPS 0 example.net.
+https1.example. 3600 IN HTTPS 1 . port=60
 ipseckey01.example. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
 ipseckey02.example. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
 ipseckey03.example. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
@@ -134,6 +2636,8 @@ srv01.example. 3600 IN SRV 0 0 0 .
 srv02.example. 3600 IN SRV 65535 65535 65535 old-slow-box.example.
 sshfp01.example. 3600 IN SSHFP 4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
 sshfp02.example. 3600 IN SSHFP 1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
+svcb0.example. 3600 IN SVCB 0 example.net.
+svcb1.example. 3600 IN SVCB 1 . port=60
 ta.example. 3600 IN TA 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
 talink0.example. 3600 IN TALINK . talink1.example.
 talink1.example. 3600 IN TALINK talink0.example. talink2.example.
diff --git a/bin/tests/system/doth/example8.axfr.good b/bin/tests/system/doth/example8.axfr.good
new file mode 100644
index 0000000000..3eb511ce7a
--- /dev/null
+++ b/bin/tests/system/doth/example8.axfr.good
@@ -0,0 +1,2676 @@ +example8. 86400 IN SOA ns2.example8. hostmaster.example8. 1397051952 5 5 1814400 3600 +example8. 3600 IN NS ns2.example8. +a01.example8. 3600 IN A 0.0.0.0 +a02.example8. 3600 IN A 255.255.255.255 +a601.example8. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +a601.example8. 3600 IN A6 64 ::ffff:ffff:ffff:ffff foo. +a601.example8. 3600 IN A6 127 ::1 foo. +a601.example8. 3600 IN A6 128 . +aaaa01.example8. 3600 IN AAAA ::1 +aaaa02.example8. 3600 IN AAAA fd92:7065:b8e:ffff::5 +afsdb01.example8. 3600 IN AFSDB 0 hostname.example8. +afsdb02.example8. 3600 IN AFSDB 65535 . +amtrelay01.example8. 3600 IN AMTRELAY 0 0 0 +amtrelay02.example8. 3600 IN AMTRELAY 0 1 0 +amtrelay03.example8. 3600 IN AMTRELAY 0 0 1 0.0.0.0 +amtrelay04.example8. 3600 IN AMTRELAY 0 0 2 :: +amtrelay05.example8. 3600 IN AMTRELAY 0 0 3 example.net. +amtrelay06.example8. 3600 IN AMTRELAY \# 2 0004 +apl01.example8. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.0/24 +apl02.example8. 3600 IN APL +atma01.example8. 3600 IN ATMA +61200000000 +atma02.example8. 3600 IN ATMA +61200000000 +atma03.example8. 3600 IN ATMA 1234567890abcdef +atma04.example8. 3600 IN ATMA fedcba0987654321 +avc.example8. 3600 IN AVC "foo:bar" +biganswer.example8. 3600 IN A 10.10.1.1 +biganswer.example8. 3600 IN A 10.10.1.2 +biganswer.example8. 3600 IN A 10.10.1.3 +biganswer.example8. 3600 IN A 10.10.1.4 +biganswer.example8. 3600 IN A 10.10.1.5 +biganswer.example8. 3600 IN A 10.10.1.6 +biganswer.example8. 3600 IN A 10.10.1.7 +biganswer.example8. 3600 IN A 10.10.1.8 +biganswer.example8. 3600 IN A 10.10.1.9 +biganswer.example8. 3600 IN A 10.10.1.10 +biganswer.example8. 3600 IN A 10.10.1.11 +biganswer.example8. 3600 IN A 10.10.1.12 +biganswer.example8. 3600 IN A 10.10.1.13 +biganswer.example8. 3600 IN A 10.10.1.14 +biganswer.example8. 3600 IN A 10.10.1.15 +biganswer.example8. 3600 IN A 10.10.1.16 +biganswer.example8. 3600 IN A 10.10.1.17 +biganswer.example8. 3600 IN A 10.10.1.18 +biganswer.example8. 
3600 IN A 10.10.1.19 +biganswer.example8. 3600 IN A 10.10.1.20 +biganswer.example8. 3600 IN A 10.10.1.21 +biganswer.example8. 3600 IN A 10.10.1.22 +biganswer.example8. 3600 IN A 10.10.1.23 +biganswer.example8. 3600 IN A 10.10.1.24 +biganswer.example8. 3600 IN A 10.10.1.25 +biganswer.example8. 3600 IN A 10.10.1.26 +biganswer.example8. 3600 IN A 10.10.1.27 +biganswer.example8. 3600 IN A 10.10.1.28 +biganswer.example8. 3600 IN A 10.10.1.29 +biganswer.example8. 3600 IN A 10.10.1.30 +biganswer.example8. 3600 IN A 10.10.1.31 +biganswer.example8. 3600 IN A 10.10.1.32 +biganswer.example8. 3600 IN A 10.10.1.33 +biganswer.example8. 3600 IN A 10.10.1.34 +biganswer.example8. 3600 IN A 10.10.1.35 +biganswer.example8. 3600 IN A 10.10.1.36 +biganswer.example8. 3600 IN A 10.10.1.37 +biganswer.example8. 3600 IN A 10.10.1.38 +biganswer.example8. 3600 IN A 10.10.1.39 +biganswer.example8. 3600 IN A 10.10.1.40 +biganswer.example8. 3600 IN A 10.10.1.41 +biganswer.example8. 3600 IN A 10.10.1.42 +biganswer.example8. 3600 IN A 10.10.1.43 +biganswer.example8. 3600 IN A 10.10.1.44 +biganswer.example8. 3600 IN A 10.10.1.45 +biganswer.example8. 3600 IN A 10.10.1.46 +biganswer.example8. 3600 IN A 10.10.1.47 +biganswer.example8. 3600 IN A 10.10.1.48 +biganswer.example8. 3600 IN A 10.10.1.49 +biganswer.example8. 3600 IN A 10.10.1.50 +biganswer.example8. 3600 IN A 10.10.2.1 +biganswer.example8. 3600 IN A 10.10.2.2 +biganswer.example8. 3600 IN A 10.10.2.3 +biganswer.example8. 3600 IN A 10.10.2.4 +biganswer.example8. 3600 IN A 10.10.2.5 +biganswer.example8. 3600 IN A 10.10.2.6 +biganswer.example8. 3600 IN A 10.10.2.7 +biganswer.example8. 3600 IN A 10.10.2.8 +biganswer.example8. 3600 IN A 10.10.2.9 +biganswer.example8. 3600 IN A 10.10.2.10 +biganswer.example8. 3600 IN A 10.10.2.11 +biganswer.example8. 3600 IN A 10.10.2.12 +biganswer.example8. 3600 IN A 10.10.2.13 +biganswer.example8. 3600 IN A 10.10.2.14 +biganswer.example8. 3600 IN A 10.10.2.15 +biganswer.example8. 
3600 IN A 10.10.2.16 +biganswer.example8. 3600 IN A 10.10.2.17 +biganswer.example8. 3600 IN A 10.10.2.18 +biganswer.example8. 3600 IN A 10.10.2.19 +biganswer.example8. 3600 IN A 10.10.2.20 +biganswer.example8. 3600 IN A 10.10.2.21 +biganswer.example8. 3600 IN A 10.10.2.22 +biganswer.example8. 3600 IN A 10.10.2.23 +biganswer.example8. 3600 IN A 10.10.2.24 +biganswer.example8. 3600 IN A 10.10.2.25 +biganswer.example8. 3600 IN A 10.10.2.26 +biganswer.example8. 3600 IN A 10.10.2.27 +biganswer.example8. 3600 IN A 10.10.2.28 +biganswer.example8. 3600 IN A 10.10.2.29 +biganswer.example8. 3600 IN A 10.10.2.30 +biganswer.example8. 3600 IN A 10.10.2.31 +biganswer.example8. 3600 IN A 10.10.2.32 +biganswer.example8. 3600 IN A 10.10.2.33 +biganswer.example8. 3600 IN A 10.10.2.34 +biganswer.example8. 3600 IN A 10.10.2.35 +biganswer.example8. 3600 IN A 10.10.2.36 +biganswer.example8. 3600 IN A 10.10.2.37 +biganswer.example8. 3600 IN A 10.10.2.38 +biganswer.example8. 3600 IN A 10.10.2.39 +biganswer.example8. 3600 IN A 10.10.2.40 +biganswer.example8. 3600 IN A 10.10.2.41 +biganswer.example8. 3600 IN A 10.10.2.42 +biganswer.example8. 3600 IN A 10.10.2.43 +biganswer.example8. 3600 IN A 10.10.2.44 +biganswer.example8. 3600 IN A 10.10.2.45 +biganswer.example8. 3600 IN A 10.10.2.46 +biganswer.example8. 3600 IN A 10.10.2.47 +biganswer.example8. 3600 IN A 10.10.2.48 +biganswer.example8. 3600 IN A 10.10.2.49 +biganswer.example8. 3600 IN A 10.10.2.50 +biganswer.example8. 3600 IN A 10.10.3.1 +biganswer.example8. 3600 IN A 10.10.3.2 +biganswer.example8. 3600 IN A 10.10.3.3 +biganswer.example8. 3600 IN A 10.10.3.4 +biganswer.example8. 3600 IN A 10.10.3.5 +biganswer.example8. 3600 IN A 10.10.3.6 +biganswer.example8. 3600 IN A 10.10.3.7 +biganswer.example8. 3600 IN A 10.10.3.8 +biganswer.example8. 3600 IN A 10.10.3.9 +biganswer.example8. 3600 IN A 10.10.3.10 +biganswer.example8. 3600 IN A 10.10.3.11 +biganswer.example8. 3600 IN A 10.10.3.12 +biganswer.example8. 
3600 IN A 10.10.3.13 +biganswer.example8. 3600 IN A 10.10.3.14 +biganswer.example8. 3600 IN A 10.10.3.15 +biganswer.example8. 3600 IN A 10.10.3.16 +biganswer.example8. 3600 IN A 10.10.3.17 +biganswer.example8. 3600 IN A 10.10.3.18 +biganswer.example8. 3600 IN A 10.10.3.19 +biganswer.example8. 3600 IN A 10.10.3.20 +biganswer.example8. 3600 IN A 10.10.3.21 +biganswer.example8. 3600 IN A 10.10.3.22 +biganswer.example8. 3600 IN A 10.10.3.23 +biganswer.example8. 3600 IN A 10.10.3.24 +biganswer.example8. 3600 IN A 10.10.3.25 +biganswer.example8. 3600 IN A 10.10.3.26 +biganswer.example8. 3600 IN A 10.10.3.27 +biganswer.example8. 3600 IN A 10.10.3.28 +biganswer.example8. 3600 IN A 10.10.3.29 +biganswer.example8. 3600 IN A 10.10.3.30 +biganswer.example8. 3600 IN A 10.10.3.31 +biganswer.example8. 3600 IN A 10.10.3.32 +biganswer.example8. 3600 IN A 10.10.3.33 +biganswer.example8. 3600 IN A 10.10.3.34 +biganswer.example8. 3600 IN A 10.10.3.35 +biganswer.example8. 3600 IN A 10.10.3.36 +biganswer.example8. 3600 IN A 10.10.3.37 +biganswer.example8. 3600 IN A 10.10.3.38 +biganswer.example8. 3600 IN A 10.10.3.39 +biganswer.example8. 3600 IN A 10.10.3.40 +biganswer.example8. 3600 IN A 10.10.3.41 +biganswer.example8. 3600 IN A 10.10.3.42 +biganswer.example8. 3600 IN A 10.10.3.43 +biganswer.example8. 3600 IN A 10.10.3.44 +biganswer.example8. 3600 IN A 10.10.3.45 +biganswer.example8. 3600 IN A 10.10.3.46 +biganswer.example8. 3600 IN A 10.10.3.47 +biganswer.example8. 3600 IN A 10.10.3.48 +biganswer.example8. 3600 IN A 10.10.3.49 +biganswer.example8. 3600 IN A 10.10.3.50 +biganswer.example8. 3600 IN A 10.10.4.1 +biganswer.example8. 3600 IN A 10.10.4.2 +biganswer.example8. 3600 IN A 10.10.4.3 +biganswer.example8. 3600 IN A 10.10.4.4 +biganswer.example8. 3600 IN A 10.10.4.5 +biganswer.example8. 3600 IN A 10.10.4.6 +biganswer.example8. 3600 IN A 10.10.4.7 +biganswer.example8. 3600 IN A 10.10.4.8 +biganswer.example8. 3600 IN A 10.10.4.9 +biganswer.example8. 
3600 IN A 10.10.4.10 +biganswer.example8. 3600 IN A 10.10.4.11 +biganswer.example8. 3600 IN A 10.10.4.12 +biganswer.example8. 3600 IN A 10.10.4.13 +biganswer.example8. 3600 IN A 10.10.4.14 +biganswer.example8. 3600 IN A 10.10.4.15 +biganswer.example8. 3600 IN A 10.10.4.16 +biganswer.example8. 3600 IN A 10.10.4.17 +biganswer.example8. 3600 IN A 10.10.4.18 +biganswer.example8. 3600 IN A 10.10.4.19 +biganswer.example8. 3600 IN A 10.10.4.20 +biganswer.example8. 3600 IN A 10.10.4.21 +biganswer.example8. 3600 IN A 10.10.4.22 +biganswer.example8. 3600 IN A 10.10.4.23 +biganswer.example8. 3600 IN A 10.10.4.24 +biganswer.example8. 3600 IN A 10.10.4.25 +biganswer.example8. 3600 IN A 10.10.4.26 +biganswer.example8. 3600 IN A 10.10.4.27 +biganswer.example8. 3600 IN A 10.10.4.28 +biganswer.example8. 3600 IN A 10.10.4.29 +biganswer.example8. 3600 IN A 10.10.4.30 +biganswer.example8. 3600 IN A 10.10.4.31 +biganswer.example8. 3600 IN A 10.10.4.32 +biganswer.example8. 3600 IN A 10.10.4.33 +biganswer.example8. 3600 IN A 10.10.4.34 +biganswer.example8. 3600 IN A 10.10.4.35 +biganswer.example8. 3600 IN A 10.10.4.36 +biganswer.example8. 3600 IN A 10.10.4.37 +biganswer.example8. 3600 IN A 10.10.4.38 +biganswer.example8. 3600 IN A 10.10.4.39 +biganswer.example8. 3600 IN A 10.10.4.40 +biganswer.example8. 3600 IN A 10.10.4.41 +biganswer.example8. 3600 IN A 10.10.4.42 +biganswer.example8. 3600 IN A 10.10.4.43 +biganswer.example8. 3600 IN A 10.10.4.44 +biganswer.example8. 3600 IN A 10.10.4.45 +biganswer.example8. 3600 IN A 10.10.4.46 +biganswer.example8. 3600 IN A 10.10.4.47 +biganswer.example8. 3600 IN A 10.10.4.48 +biganswer.example8. 3600 IN A 10.10.4.49 +biganswer.example8. 3600 IN A 10.10.4.50 +biganswer.example8. 3600 IN A 10.10.5.1 +biganswer.example8. 3600 IN A 10.10.5.2 +biganswer.example8. 3600 IN A 10.10.5.3 +biganswer.example8. 3600 IN A 10.10.5.4 +biganswer.example8. 3600 IN A 10.10.5.5 +biganswer.example8. 3600 IN A 10.10.5.6 +biganswer.example8. 
3600 IN A 10.10.5.7 +biganswer.example8. 3600 IN A 10.10.5.8 +biganswer.example8. 3600 IN A 10.10.5.9 +biganswer.example8. 3600 IN A 10.10.5.10 +biganswer.example8. 3600 IN A 10.10.5.11 +biganswer.example8. 3600 IN A 10.10.5.12 +biganswer.example8. 3600 IN A 10.10.5.13 +biganswer.example8. 3600 IN A 10.10.5.14 +biganswer.example8. 3600 IN A 10.10.5.15 +biganswer.example8. 3600 IN A 10.10.5.16 +biganswer.example8. 3600 IN A 10.10.5.17 +biganswer.example8. 3600 IN A 10.10.5.18 +biganswer.example8. 3600 IN A 10.10.5.19 +biganswer.example8. 3600 IN A 10.10.5.20 +biganswer.example8. 3600 IN A 10.10.5.21 +biganswer.example8. 3600 IN A 10.10.5.22 +biganswer.example8. 3600 IN A 10.10.5.23 +biganswer.example8. 3600 IN A 10.10.5.24 +biganswer.example8. 3600 IN A 10.10.5.25 +biganswer.example8. 3600 IN A 10.10.5.26 +biganswer.example8. 3600 IN A 10.10.5.27 +biganswer.example8. 3600 IN A 10.10.5.28 +biganswer.example8. 3600 IN A 10.10.5.29 +biganswer.example8. 3600 IN A 10.10.5.30 +biganswer.example8. 3600 IN A 10.10.5.31 +biganswer.example8. 3600 IN A 10.10.5.32 +biganswer.example8. 3600 IN A 10.10.5.33 +biganswer.example8. 3600 IN A 10.10.5.34 +biganswer.example8. 3600 IN A 10.10.5.35 +biganswer.example8. 3600 IN A 10.10.5.36 +biganswer.example8. 3600 IN A 10.10.5.37 +biganswer.example8. 3600 IN A 10.10.5.38 +biganswer.example8. 3600 IN A 10.10.5.39 +biganswer.example8. 3600 IN A 10.10.5.40 +biganswer.example8. 3600 IN A 10.10.5.41 +biganswer.example8. 3600 IN A 10.10.5.42 +biganswer.example8. 3600 IN A 10.10.5.43 +biganswer.example8. 3600 IN A 10.10.5.44 +biganswer.example8. 3600 IN A 10.10.5.45 +biganswer.example8. 3600 IN A 10.10.5.46 +biganswer.example8. 3600 IN A 10.10.5.47 +biganswer.example8. 3600 IN A 10.10.5.48 +biganswer.example8. 3600 IN A 10.10.5.49 +biganswer.example8. 3600 IN A 10.10.5.50 +biganswer.example8. 3600 IN A 10.10.6.1 +biganswer.example8. 3600 IN A 10.10.6.2 +biganswer.example8. 3600 IN A 10.10.6.3 +biganswer.example8. 
3600 IN A 10.10.6.4 +biganswer.example8. 3600 IN A 10.10.6.5 +biganswer.example8. 3600 IN A 10.10.6.6 +biganswer.example8. 3600 IN A 10.10.6.7 +biganswer.example8. 3600 IN A 10.10.6.8 +biganswer.example8. 3600 IN A 10.10.6.9 +biganswer.example8. 3600 IN A 10.10.6.10 +biganswer.example8. 3600 IN A 10.10.6.11 +biganswer.example8. 3600 IN A 10.10.6.12 +biganswer.example8. 3600 IN A 10.10.6.13 +biganswer.example8. 3600 IN A 10.10.6.14 +biganswer.example8. 3600 IN A 10.10.6.15 +biganswer.example8. 3600 IN A 10.10.6.16 +biganswer.example8. 3600 IN A 10.10.6.17 +biganswer.example8. 3600 IN A 10.10.6.18 +biganswer.example8. 3600 IN A 10.10.6.19 +biganswer.example8. 3600 IN A 10.10.6.20 +biganswer.example8. 3600 IN A 10.10.6.21 +biganswer.example8. 3600 IN A 10.10.6.22 +biganswer.example8. 3600 IN A 10.10.6.23 +biganswer.example8. 3600 IN A 10.10.6.24 +biganswer.example8. 3600 IN A 10.10.6.25 +biganswer.example8. 3600 IN A 10.10.6.26 +biganswer.example8. 3600 IN A 10.10.6.27 +biganswer.example8. 3600 IN A 10.10.6.28 +biganswer.example8. 3600 IN A 10.10.6.29 +biganswer.example8. 3600 IN A 10.10.6.30 +biganswer.example8. 3600 IN A 10.10.6.31 +biganswer.example8. 3600 IN A 10.10.6.32 +biganswer.example8. 3600 IN A 10.10.6.33 +biganswer.example8. 3600 IN A 10.10.6.34 +biganswer.example8. 3600 IN A 10.10.6.35 +biganswer.example8. 3600 IN A 10.10.6.36 +biganswer.example8. 3600 IN A 10.10.6.37 +biganswer.example8. 3600 IN A 10.10.6.38 +biganswer.example8. 3600 IN A 10.10.6.39 +biganswer.example8. 3600 IN A 10.10.6.40 +biganswer.example8. 3600 IN A 10.10.6.41 +biganswer.example8. 3600 IN A 10.10.6.42 +biganswer.example8. 3600 IN A 10.10.6.43 +biganswer.example8. 3600 IN A 10.10.6.44 +biganswer.example8. 3600 IN A 10.10.6.45 +biganswer.example8. 3600 IN A 10.10.6.46 +biganswer.example8. 3600 IN A 10.10.6.47 +biganswer.example8. 3600 IN A 10.10.6.48 +biganswer.example8. 3600 IN A 10.10.6.49 +biganswer.example8. 3600 IN A 10.10.6.50 +biganswer.example8. 
3600 IN A 10.10.7.1 +biganswer.example8. 3600 IN A 10.10.7.2 +biganswer.example8. 3600 IN A 10.10.7.3 +biganswer.example8. 3600 IN A 10.10.7.4 +biganswer.example8. 3600 IN A 10.10.7.5 +biganswer.example8. 3600 IN A 10.10.7.6 +biganswer.example8. 3600 IN A 10.10.7.7 +biganswer.example8. 3600 IN A 10.10.7.8 +biganswer.example8. 3600 IN A 10.10.7.9 +biganswer.example8. 3600 IN A 10.10.7.10 +biganswer.example8. 3600 IN A 10.10.7.11 +biganswer.example8. 3600 IN A 10.10.7.12 +biganswer.example8. 3600 IN A 10.10.7.13 +biganswer.example8. 3600 IN A 10.10.7.14 +biganswer.example8. 3600 IN A 10.10.7.15 +biganswer.example8. 3600 IN A 10.10.7.16 +biganswer.example8. 3600 IN A 10.10.7.17 +biganswer.example8. 3600 IN A 10.10.7.18 +biganswer.example8. 3600 IN A 10.10.7.19 +biganswer.example8. 3600 IN A 10.10.7.20 +biganswer.example8. 3600 IN A 10.10.7.21 +biganswer.example8. 3600 IN A 10.10.7.22 +biganswer.example8. 3600 IN A 10.10.7.23 +biganswer.example8. 3600 IN A 10.10.7.24 +biganswer.example8. 3600 IN A 10.10.7.25 +biganswer.example8. 3600 IN A 10.10.7.26 +biganswer.example8. 3600 IN A 10.10.7.27 +biganswer.example8. 3600 IN A 10.10.7.28 +biganswer.example8. 3600 IN A 10.10.7.29 +biganswer.example8. 3600 IN A 10.10.7.30 +biganswer.example8. 3600 IN A 10.10.7.31 +biganswer.example8. 3600 IN A 10.10.7.32 +biganswer.example8. 3600 IN A 10.10.7.33 +biganswer.example8. 3600 IN A 10.10.7.34 +biganswer.example8. 3600 IN A 10.10.7.35 +biganswer.example8. 3600 IN A 10.10.7.36 +biganswer.example8. 3600 IN A 10.10.7.37 +biganswer.example8. 3600 IN A 10.10.7.38 +biganswer.example8. 3600 IN A 10.10.7.39 +biganswer.example8. 3600 IN A 10.10.7.40 +biganswer.example8. 3600 IN A 10.10.7.41 +biganswer.example8. 3600 IN A 10.10.7.42 +biganswer.example8. 3600 IN A 10.10.7.43 +biganswer.example8. 3600 IN A 10.10.7.44 +biganswer.example8. 3600 IN A 10.10.7.45 +biganswer.example8. 3600 IN A 10.10.7.46 +biganswer.example8. 3600 IN A 10.10.7.47 +biganswer.example8. 
3600 IN A 10.10.7.48 +biganswer.example8. 3600 IN A 10.10.7.49 +biganswer.example8. 3600 IN A 10.10.7.50 +biganswer.example8. 3600 IN A 10.10.8.1 +biganswer.example8. 3600 IN A 10.10.8.2 +biganswer.example8. 3600 IN A 10.10.8.3 +biganswer.example8. 3600 IN A 10.10.8.4 +biganswer.example8. 3600 IN A 10.10.8.5 +biganswer.example8. 3600 IN A 10.10.8.6 +biganswer.example8. 3600 IN A 10.10.8.7 +biganswer.example8. 3600 IN A 10.10.8.8 +biganswer.example8. 3600 IN A 10.10.8.9 +biganswer.example8. 3600 IN A 10.10.8.10 +biganswer.example8. 3600 IN A 10.10.8.11 +biganswer.example8. 3600 IN A 10.10.8.12 +biganswer.example8. 3600 IN A 10.10.8.13 +biganswer.example8. 3600 IN A 10.10.8.14 +biganswer.example8. 3600 IN A 10.10.8.15 +biganswer.example8. 3600 IN A 10.10.8.16 +biganswer.example8. 3600 IN A 10.10.8.17 +biganswer.example8. 3600 IN A 10.10.8.18 +biganswer.example8. 3600 IN A 10.10.8.19 +biganswer.example8. 3600 IN A 10.10.8.20 +biganswer.example8. 3600 IN A 10.10.8.21 +biganswer.example8. 3600 IN A 10.10.8.22 +biganswer.example8. 3600 IN A 10.10.8.23 +biganswer.example8. 3600 IN A 10.10.8.24 +biganswer.example8. 3600 IN A 10.10.8.25 +biganswer.example8. 3600 IN A 10.10.8.26 +biganswer.example8. 3600 IN A 10.10.8.27 +biganswer.example8. 3600 IN A 10.10.8.28 +biganswer.example8. 3600 IN A 10.10.8.29 +biganswer.example8. 3600 IN A 10.10.8.30 +biganswer.example8. 3600 IN A 10.10.8.31 +biganswer.example8. 3600 IN A 10.10.8.32 +biganswer.example8. 3600 IN A 10.10.8.33 +biganswer.example8. 3600 IN A 10.10.8.34 +biganswer.example8. 3600 IN A 10.10.8.35 +biganswer.example8. 3600 IN A 10.10.8.36 +biganswer.example8. 3600 IN A 10.10.8.37 +biganswer.example8. 3600 IN A 10.10.8.38 +biganswer.example8. 3600 IN A 10.10.8.39 +biganswer.example8. 3600 IN A 10.10.8.40 +biganswer.example8. 3600 IN A 10.10.8.41 +biganswer.example8. 3600 IN A 10.10.8.42 +biganswer.example8. 3600 IN A 10.10.8.43 +biganswer.example8. 3600 IN A 10.10.8.44 +biganswer.example8. 
3600 IN A 10.10.8.45 +biganswer.example8. 3600 IN A 10.10.8.46 +biganswer.example8. 3600 IN A 10.10.8.47 +biganswer.example8. 3600 IN A 10.10.8.48 +biganswer.example8. 3600 IN A 10.10.8.49 +biganswer.example8. 3600 IN A 10.10.8.50 +biganswer.example8. 3600 IN A 10.10.9.1 +biganswer.example8. 3600 IN A 10.10.9.2 +biganswer.example8. 3600 IN A 10.10.9.3 +biganswer.example8. 3600 IN A 10.10.9.4 +biganswer.example8. 3600 IN A 10.10.9.5 +biganswer.example8. 3600 IN A 10.10.9.6 +biganswer.example8. 3600 IN A 10.10.9.7 +biganswer.example8. 3600 IN A 10.10.9.8 +biganswer.example8. 3600 IN A 10.10.9.9 +biganswer.example8. 3600 IN A 10.10.9.10 +biganswer.example8. 3600 IN A 10.10.9.11 +biganswer.example8. 3600 IN A 10.10.9.12 +biganswer.example8. 3600 IN A 10.10.9.13 +biganswer.example8. 3600 IN A 10.10.9.14 +biganswer.example8. 3600 IN A 10.10.9.15 +biganswer.example8. 3600 IN A 10.10.9.16 +biganswer.example8. 3600 IN A 10.10.9.17 +biganswer.example8. 3600 IN A 10.10.9.18 +biganswer.example8. 3600 IN A 10.10.9.19 +biganswer.example8. 3600 IN A 10.10.9.20 +biganswer.example8. 3600 IN A 10.10.9.21 +biganswer.example8. 3600 IN A 10.10.9.22 +biganswer.example8. 3600 IN A 10.10.9.23 +biganswer.example8. 3600 IN A 10.10.9.24 +biganswer.example8. 3600 IN A 10.10.9.25 +biganswer.example8. 3600 IN A 10.10.9.26 +biganswer.example8. 3600 IN A 10.10.9.27 +biganswer.example8. 3600 IN A 10.10.9.28 +biganswer.example8. 3600 IN A 10.10.9.29 +biganswer.example8. 3600 IN A 10.10.9.30 +biganswer.example8. 3600 IN A 10.10.9.31 +biganswer.example8. 3600 IN A 10.10.9.32 +biganswer.example8. 3600 IN A 10.10.9.33 +biganswer.example8. 3600 IN A 10.10.9.34 +biganswer.example8. 3600 IN A 10.10.9.35 +biganswer.example8. 3600 IN A 10.10.9.36 +biganswer.example8. 3600 IN A 10.10.9.37 +biganswer.example8. 3600 IN A 10.10.9.38 +biganswer.example8. 3600 IN A 10.10.9.39 +biganswer.example8. 3600 IN A 10.10.9.40 +biganswer.example8. 3600 IN A 10.10.9.41 +biganswer.example8. 
3600 IN A 10.10.9.42 +biganswer.example8. 3600 IN A 10.10.9.43 +biganswer.example8. 3600 IN A 10.10.9.44 +biganswer.example8. 3600 IN A 10.10.9.45 +biganswer.example8. 3600 IN A 10.10.9.46 +biganswer.example8. 3600 IN A 10.10.9.47 +biganswer.example8. 3600 IN A 10.10.9.48 +biganswer.example8. 3600 IN A 10.10.9.49 +biganswer.example8. 3600 IN A 10.10.9.50 +biganswer.example8. 3600 IN A 10.10.10.1 +biganswer.example8. 3600 IN A 10.10.10.2 +biganswer.example8. 3600 IN A 10.10.10.3 +biganswer.example8. 3600 IN A 10.10.10.4 +biganswer.example8. 3600 IN A 10.10.10.5 +biganswer.example8. 3600 IN A 10.10.10.6 +biganswer.example8. 3600 IN A 10.10.10.7 +biganswer.example8. 3600 IN A 10.10.10.8 +biganswer.example8. 3600 IN A 10.10.10.9 +biganswer.example8. 3600 IN A 10.10.10.10 +biganswer.example8. 3600 IN A 10.10.10.11 +biganswer.example8. 3600 IN A 10.10.10.12 +biganswer.example8. 3600 IN A 10.10.10.13 +biganswer.example8. 3600 IN A 10.10.10.14 +biganswer.example8. 3600 IN A 10.10.10.15 +biganswer.example8. 3600 IN A 10.10.10.16 +biganswer.example8. 3600 IN A 10.10.10.17 +biganswer.example8. 3600 IN A 10.10.10.18 +biganswer.example8. 3600 IN A 10.10.10.19 +biganswer.example8. 3600 IN A 10.10.10.20 +biganswer.example8. 3600 IN A 10.10.10.21 +biganswer.example8. 3600 IN A 10.10.10.22 +biganswer.example8. 3600 IN A 10.10.10.23 +biganswer.example8. 3600 IN A 10.10.10.24 +biganswer.example8. 3600 IN A 10.10.10.25 +biganswer.example8. 3600 IN A 10.10.10.26 +biganswer.example8. 3600 IN A 10.10.10.27 +biganswer.example8. 3600 IN A 10.10.10.28 +biganswer.example8. 3600 IN A 10.10.10.29 +biganswer.example8. 3600 IN A 10.10.10.30 +biganswer.example8. 3600 IN A 10.10.10.31 +biganswer.example8. 3600 IN A 10.10.10.32 +biganswer.example8. 3600 IN A 10.10.10.33 +biganswer.example8. 3600 IN A 10.10.10.34 +biganswer.example8. 3600 IN A 10.10.10.35 +biganswer.example8. 3600 IN A 10.10.10.36 +biganswer.example8. 3600 IN A 10.10.10.37 +biganswer.example8. 
3600 IN A 10.10.10.38 +biganswer.example8. 3600 IN A 10.10.10.39 +biganswer.example8. 3600 IN A 10.10.10.40 +biganswer.example8. 3600 IN A 10.10.10.41 +biganswer.example8. 3600 IN A 10.10.10.42 +biganswer.example8. 3600 IN A 10.10.10.43 +biganswer.example8. 3600 IN A 10.10.10.44 +biganswer.example8. 3600 IN A 10.10.10.45 +biganswer.example8. 3600 IN A 10.10.10.46 +biganswer.example8. 3600 IN A 10.10.10.47 +biganswer.example8. 3600 IN A 10.10.10.48 +biganswer.example8. 3600 IN A 10.10.10.49 +biganswer.example8. 3600 IN A 10.10.10.50 +biganswer.example8. 3600 IN A 10.10.11.1 +biganswer.example8. 3600 IN A 10.10.11.2 +biganswer.example8. 3600 IN A 10.10.11.3 +biganswer.example8. 3600 IN A 10.10.11.4 +biganswer.example8. 3600 IN A 10.10.11.5 +biganswer.example8. 3600 IN A 10.10.11.6 +biganswer.example8. 3600 IN A 10.10.11.7 +biganswer.example8. 3600 IN A 10.10.11.8 +biganswer.example8. 3600 IN A 10.10.11.9 +biganswer.example8. 3600 IN A 10.10.11.10 +biganswer.example8. 3600 IN A 10.10.11.11 +biganswer.example8. 3600 IN A 10.10.11.12 +biganswer.example8. 3600 IN A 10.10.11.13 +biganswer.example8. 3600 IN A 10.10.11.14 +biganswer.example8. 3600 IN A 10.10.11.15 +biganswer.example8. 3600 IN A 10.10.11.16 +biganswer.example8. 3600 IN A 10.10.11.17 +biganswer.example8. 3600 IN A 10.10.11.18 +biganswer.example8. 3600 IN A 10.10.11.19 +biganswer.example8. 3600 IN A 10.10.11.20 +biganswer.example8. 3600 IN A 10.10.11.21 +biganswer.example8. 3600 IN A 10.10.11.22 +biganswer.example8. 3600 IN A 10.10.11.23 +biganswer.example8. 3600 IN A 10.10.11.24 +biganswer.example8. 3600 IN A 10.10.11.25 +biganswer.example8. 3600 IN A 10.10.11.26 +biganswer.example8. 3600 IN A 10.10.11.27 +biganswer.example8. 3600 IN A 10.10.11.28 +biganswer.example8. 3600 IN A 10.10.11.29 +biganswer.example8. 3600 IN A 10.10.11.30 +biganswer.example8. 3600 IN A 10.10.11.31 +biganswer.example8. 3600 IN A 10.10.11.32 +biganswer.example8. 3600 IN A 10.10.11.33 +biganswer.example8. 
3600 IN A 10.10.11.34 +biganswer.example8. 3600 IN A 10.10.11.35 +biganswer.example8. 3600 IN A 10.10.11.36 +biganswer.example8. 3600 IN A 10.10.11.37 +biganswer.example8. 3600 IN A 10.10.11.38 +biganswer.example8. 3600 IN A 10.10.11.39 +biganswer.example8. 3600 IN A 10.10.11.40 +biganswer.example8. 3600 IN A 10.10.11.41 +biganswer.example8. 3600 IN A 10.10.11.42 +biganswer.example8. 3600 IN A 10.10.11.43 +biganswer.example8. 3600 IN A 10.10.11.44 +biganswer.example8. 3600 IN A 10.10.11.45 +biganswer.example8. 3600 IN A 10.10.11.46 +biganswer.example8. 3600 IN A 10.10.11.47 +biganswer.example8. 3600 IN A 10.10.11.48 +biganswer.example8. 3600 IN A 10.10.11.49 +biganswer.example8. 3600 IN A 10.10.11.50 +biganswer.example8. 3600 IN A 10.10.12.1 +biganswer.example8. 3600 IN A 10.10.12.2 +biganswer.example8. 3600 IN A 10.10.12.3 +biganswer.example8. 3600 IN A 10.10.12.4 +biganswer.example8. 3600 IN A 10.10.12.5 +biganswer.example8. 3600 IN A 10.10.12.6 +biganswer.example8. 3600 IN A 10.10.12.7 +biganswer.example8. 3600 IN A 10.10.12.8 +biganswer.example8. 3600 IN A 10.10.12.9 +biganswer.example8. 3600 IN A 10.10.12.10 +biganswer.example8. 3600 IN A 10.10.12.11 +biganswer.example8. 3600 IN A 10.10.12.12 +biganswer.example8. 3600 IN A 10.10.12.13 +biganswer.example8. 3600 IN A 10.10.12.14 +biganswer.example8. 3600 IN A 10.10.12.15 +biganswer.example8. 3600 IN A 10.10.12.16 +biganswer.example8. 3600 IN A 10.10.12.17 +biganswer.example8. 3600 IN A 10.10.12.18 +biganswer.example8. 3600 IN A 10.10.12.19 +biganswer.example8. 3600 IN A 10.10.12.20 +biganswer.example8. 3600 IN A 10.10.12.21 +biganswer.example8. 3600 IN A 10.10.12.22 +biganswer.example8. 3600 IN A 10.10.12.23 +biganswer.example8. 3600 IN A 10.10.12.24 +biganswer.example8. 3600 IN A 10.10.12.25 +biganswer.example8. 3600 IN A 10.10.12.26 +biganswer.example8. 3600 IN A 10.10.12.27 +biganswer.example8. 3600 IN A 10.10.12.28 +biganswer.example8. 3600 IN A 10.10.12.29 +biganswer.example8. 
3600 IN A 10.10.12.30 +biganswer.example8. 3600 IN A 10.10.12.31 +biganswer.example8. 3600 IN A 10.10.12.32 +biganswer.example8. 3600 IN A 10.10.12.33 +biganswer.example8. 3600 IN A 10.10.12.34 +biganswer.example8. 3600 IN A 10.10.12.35 +biganswer.example8. 3600 IN A 10.10.12.36 +biganswer.example8. 3600 IN A 10.10.12.37 +biganswer.example8. 3600 IN A 10.10.12.38 +biganswer.example8. 3600 IN A 10.10.12.39 +biganswer.example8. 3600 IN A 10.10.12.40 +biganswer.example8. 3600 IN A 10.10.12.41 +biganswer.example8. 3600 IN A 10.10.12.42 +biganswer.example8. 3600 IN A 10.10.12.43 +biganswer.example8. 3600 IN A 10.10.12.44 +biganswer.example8. 3600 IN A 10.10.12.45 +biganswer.example8. 3600 IN A 10.10.12.46 +biganswer.example8. 3600 IN A 10.10.12.47 +biganswer.example8. 3600 IN A 10.10.12.48 +biganswer.example8. 3600 IN A 10.10.12.49 +biganswer.example8. 3600 IN A 10.10.12.50 +biganswer.example8. 3600 IN A 10.10.13.1 +biganswer.example8. 3600 IN A 10.10.13.2 +biganswer.example8. 3600 IN A 10.10.13.3 +biganswer.example8. 3600 IN A 10.10.13.4 +biganswer.example8. 3600 IN A 10.10.13.5 +biganswer.example8. 3600 IN A 10.10.13.6 +biganswer.example8. 3600 IN A 10.10.13.7 +biganswer.example8. 3600 IN A 10.10.13.8 +biganswer.example8. 3600 IN A 10.10.13.9 +biganswer.example8. 3600 IN A 10.10.13.10 +biganswer.example8. 3600 IN A 10.10.13.11 +biganswer.example8. 3600 IN A 10.10.13.12 +biganswer.example8. 3600 IN A 10.10.13.13 +biganswer.example8. 3600 IN A 10.10.13.14 +biganswer.example8. 3600 IN A 10.10.13.15 +biganswer.example8. 3600 IN A 10.10.13.16 +biganswer.example8. 3600 IN A 10.10.13.17 +biganswer.example8. 3600 IN A 10.10.13.18 +biganswer.example8. 3600 IN A 10.10.13.19 +biganswer.example8. 3600 IN A 10.10.13.20 +biganswer.example8. 3600 IN A 10.10.13.21 +biganswer.example8. 3600 IN A 10.10.13.22 +biganswer.example8. 3600 IN A 10.10.13.23 +biganswer.example8. 3600 IN A 10.10.13.24 +biganswer.example8. 3600 IN A 10.10.13.25 +biganswer.example8. 
3600 IN A 10.10.13.26 +biganswer.example8. 3600 IN A 10.10.13.27 +biganswer.example8. 3600 IN A 10.10.13.28 +biganswer.example8. 3600 IN A 10.10.13.29 +biganswer.example8. 3600 IN A 10.10.13.30 +biganswer.example8. 3600 IN A 10.10.13.31 +biganswer.example8. 3600 IN A 10.10.13.32 +biganswer.example8. 3600 IN A 10.10.13.33 +biganswer.example8. 3600 IN A 10.10.13.34 +biganswer.example8. 3600 IN A 10.10.13.35 +biganswer.example8. 3600 IN A 10.10.13.36 +biganswer.example8. 3600 IN A 10.10.13.37 +biganswer.example8. 3600 IN A 10.10.13.38 +biganswer.example8. 3600 IN A 10.10.13.39 +biganswer.example8. 3600 IN A 10.10.13.40 +biganswer.example8. 3600 IN A 10.10.13.41 +biganswer.example8. 3600 IN A 10.10.13.42 +biganswer.example8. 3600 IN A 10.10.13.43 +biganswer.example8. 3600 IN A 10.10.13.44 +biganswer.example8. 3600 IN A 10.10.13.45 +biganswer.example8. 3600 IN A 10.10.13.46 +biganswer.example8. 3600 IN A 10.10.13.47 +biganswer.example8. 3600 IN A 10.10.13.48 +biganswer.example8. 3600 IN A 10.10.13.49 +biganswer.example8. 3600 IN A 10.10.13.50 +biganswer.example8. 3600 IN A 10.10.14.1 +biganswer.example8. 3600 IN A 10.10.14.2 +biganswer.example8. 3600 IN A 10.10.14.3 +biganswer.example8. 3600 IN A 10.10.14.4 +biganswer.example8. 3600 IN A 10.10.14.5 +biganswer.example8. 3600 IN A 10.10.14.6 +biganswer.example8. 3600 IN A 10.10.14.7 +biganswer.example8. 3600 IN A 10.10.14.8 +biganswer.example8. 3600 IN A 10.10.14.9 +biganswer.example8. 3600 IN A 10.10.14.10 +biganswer.example8. 3600 IN A 10.10.14.11 +biganswer.example8. 3600 IN A 10.10.14.12 +biganswer.example8. 3600 IN A 10.10.14.13 +biganswer.example8. 3600 IN A 10.10.14.14 +biganswer.example8. 3600 IN A 10.10.14.15 +biganswer.example8. 3600 IN A 10.10.14.16 +biganswer.example8. 3600 IN A 10.10.14.17 +biganswer.example8. 3600 IN A 10.10.14.18 +biganswer.example8. 3600 IN A 10.10.14.19 +biganswer.example8. 3600 IN A 10.10.14.20 +biganswer.example8. 3600 IN A 10.10.14.21 +biganswer.example8. 
3600 IN A 10.10.14.22 +biganswer.example8. 3600 IN A 10.10.14.23 +biganswer.example8. 3600 IN A 10.10.14.24 +biganswer.example8. 3600 IN A 10.10.14.25 +biganswer.example8. 3600 IN A 10.10.14.26 +biganswer.example8. 3600 IN A 10.10.14.27 +biganswer.example8. 3600 IN A 10.10.14.28 +biganswer.example8. 3600 IN A 10.10.14.29 +biganswer.example8. 3600 IN A 10.10.14.30 +biganswer.example8. 3600 IN A 10.10.14.31 +biganswer.example8. 3600 IN A 10.10.14.32 +biganswer.example8. 3600 IN A 10.10.14.33 +biganswer.example8. 3600 IN A 10.10.14.34 +biganswer.example8. 3600 IN A 10.10.14.35 +biganswer.example8. 3600 IN A 10.10.14.36 +biganswer.example8. 3600 IN A 10.10.14.37 +biganswer.example8. 3600 IN A 10.10.14.38 +biganswer.example8. 3600 IN A 10.10.14.39 +biganswer.example8. 3600 IN A 10.10.14.40 +biganswer.example8. 3600 IN A 10.10.14.41 +biganswer.example8. 3600 IN A 10.10.14.42 +biganswer.example8. 3600 IN A 10.10.14.43 +biganswer.example8. 3600 IN A 10.10.14.44 +biganswer.example8. 3600 IN A 10.10.14.45 +biganswer.example8. 3600 IN A 10.10.14.46 +biganswer.example8. 3600 IN A 10.10.14.47 +biganswer.example8. 3600 IN A 10.10.14.48 +biganswer.example8. 3600 IN A 10.10.14.49 +biganswer.example8. 3600 IN A 10.10.14.50 +biganswer.example8. 3600 IN A 10.10.15.1 +biganswer.example8. 3600 IN A 10.10.15.2 +biganswer.example8. 3600 IN A 10.10.15.3 +biganswer.example8. 3600 IN A 10.10.15.4 +biganswer.example8. 3600 IN A 10.10.15.5 +biganswer.example8. 3600 IN A 10.10.15.6 +biganswer.example8. 3600 IN A 10.10.15.7 +biganswer.example8. 3600 IN A 10.10.15.8 +biganswer.example8. 3600 IN A 10.10.15.9 +biganswer.example8. 3600 IN A 10.10.15.10 +biganswer.example8. 3600 IN A 10.10.15.11 +biganswer.example8. 3600 IN A 10.10.15.12 +biganswer.example8. 3600 IN A 10.10.15.13 +biganswer.example8. 3600 IN A 10.10.15.14 +biganswer.example8. 3600 IN A 10.10.15.15 +biganswer.example8. 3600 IN A 10.10.15.16 +biganswer.example8. 3600 IN A 10.10.15.17 +biganswer.example8. 
3600 IN A 10.10.15.18 +biganswer.example8. 3600 IN A 10.10.15.19 +biganswer.example8. 3600 IN A 10.10.15.20 +biganswer.example8. 3600 IN A 10.10.15.21 +biganswer.example8. 3600 IN A 10.10.15.22 +biganswer.example8. 3600 IN A 10.10.15.23 +biganswer.example8. 3600 IN A 10.10.15.24 +biganswer.example8. 3600 IN A 10.10.15.25 +biganswer.example8. 3600 IN A 10.10.15.26 +biganswer.example8. 3600 IN A 10.10.15.27 +biganswer.example8. 3600 IN A 10.10.15.28 +biganswer.example8. 3600 IN A 10.10.15.29 +biganswer.example8. 3600 IN A 10.10.15.30 +biganswer.example8. 3600 IN A 10.10.15.31 +biganswer.example8. 3600 IN A 10.10.15.32 +biganswer.example8. 3600 IN A 10.10.15.33 +biganswer.example8. 3600 IN A 10.10.15.34 +biganswer.example8. 3600 IN A 10.10.15.35 +biganswer.example8. 3600 IN A 10.10.15.36 +biganswer.example8. 3600 IN A 10.10.15.37 +biganswer.example8. 3600 IN A 10.10.15.38 +biganswer.example8. 3600 IN A 10.10.15.39 +biganswer.example8. 3600 IN A 10.10.15.40 +biganswer.example8. 3600 IN A 10.10.15.41 +biganswer.example8. 3600 IN A 10.10.15.42 +biganswer.example8. 3600 IN A 10.10.15.43 +biganswer.example8. 3600 IN A 10.10.15.44 +biganswer.example8. 3600 IN A 10.10.15.45 +biganswer.example8. 3600 IN A 10.10.15.46 +biganswer.example8. 3600 IN A 10.10.15.47 +biganswer.example8. 3600 IN A 10.10.15.48 +biganswer.example8. 3600 IN A 10.10.15.49 +biganswer.example8. 3600 IN A 10.10.15.50 +biganswer.example8. 3600 IN A 10.10.16.1 +biganswer.example8. 3600 IN A 10.10.16.2 +biganswer.example8. 3600 IN A 10.10.16.3 +biganswer.example8. 3600 IN A 10.10.16.4 +biganswer.example8. 3600 IN A 10.10.16.5 +biganswer.example8. 3600 IN A 10.10.16.6 +biganswer.example8. 3600 IN A 10.10.16.7 +biganswer.example8. 3600 IN A 10.10.16.8 +biganswer.example8. 3600 IN A 10.10.16.9 +biganswer.example8. 3600 IN A 10.10.16.10 +biganswer.example8. 3600 IN A 10.10.16.11 +biganswer.example8. 3600 IN A 10.10.16.12 +biganswer.example8. 3600 IN A 10.10.16.13 +biganswer.example8. 
3600 IN A 10.10.16.14 +biganswer.example8. 3600 IN A 10.10.16.15 +biganswer.example8. 3600 IN A 10.10.16.16 +biganswer.example8. 3600 IN A 10.10.16.17 +biganswer.example8. 3600 IN A 10.10.16.18 +biganswer.example8. 3600 IN A 10.10.16.19 +biganswer.example8. 3600 IN A 10.10.16.20 +biganswer.example8. 3600 IN A 10.10.16.21 +biganswer.example8. 3600 IN A 10.10.16.22 +biganswer.example8. 3600 IN A 10.10.16.23 +biganswer.example8. 3600 IN A 10.10.16.24 +biganswer.example8. 3600 IN A 10.10.16.25 +biganswer.example8. 3600 IN A 10.10.16.26 +biganswer.example8. 3600 IN A 10.10.16.27 +biganswer.example8. 3600 IN A 10.10.16.28 +biganswer.example8. 3600 IN A 10.10.16.29 +biganswer.example8. 3600 IN A 10.10.16.30 +biganswer.example8. 3600 IN A 10.10.16.31 +biganswer.example8. 3600 IN A 10.10.16.32 +biganswer.example8. 3600 IN A 10.10.16.33 +biganswer.example8. 3600 IN A 10.10.16.34 +biganswer.example8. 3600 IN A 10.10.16.35 +biganswer.example8. 3600 IN A 10.10.16.36 +biganswer.example8. 3600 IN A 10.10.16.37 +biganswer.example8. 3600 IN A 10.10.16.38 +biganswer.example8. 3600 IN A 10.10.16.39 +biganswer.example8. 3600 IN A 10.10.16.40 +biganswer.example8. 3600 IN A 10.10.16.41 +biganswer.example8. 3600 IN A 10.10.16.42 +biganswer.example8. 3600 IN A 10.10.16.43 +biganswer.example8. 3600 IN A 10.10.16.44 +biganswer.example8. 3600 IN A 10.10.16.45 +biganswer.example8. 3600 IN A 10.10.16.46 +biganswer.example8. 3600 IN A 10.10.16.47 +biganswer.example8. 3600 IN A 10.10.16.48 +biganswer.example8. 3600 IN A 10.10.16.49 +biganswer.example8. 3600 IN A 10.10.16.50 +biganswer.example8. 3600 IN A 10.10.17.1 +biganswer.example8. 3600 IN A 10.10.17.2 +biganswer.example8. 3600 IN A 10.10.17.3 +biganswer.example8. 3600 IN A 10.10.17.4 +biganswer.example8. 3600 IN A 10.10.17.5 +biganswer.example8. 3600 IN A 10.10.17.6 +biganswer.example8. 3600 IN A 10.10.17.7 +biganswer.example8. 3600 IN A 10.10.17.8 +biganswer.example8. 3600 IN A 10.10.17.9 +biganswer.example8. 
3600 IN A 10.10.17.10 +biganswer.example8. 3600 IN A 10.10.17.11 +biganswer.example8. 3600 IN A 10.10.17.12 +biganswer.example8. 3600 IN A 10.10.17.13 +biganswer.example8. 3600 IN A 10.10.17.14 +biganswer.example8. 3600 IN A 10.10.17.15 +biganswer.example8. 3600 IN A 10.10.17.16 +biganswer.example8. 3600 IN A 10.10.17.17 +biganswer.example8. 3600 IN A 10.10.17.18 +biganswer.example8. 3600 IN A 10.10.17.19 +biganswer.example8. 3600 IN A 10.10.17.20 +biganswer.example8. 3600 IN A 10.10.17.21 +biganswer.example8. 3600 IN A 10.10.17.22 +biganswer.example8. 3600 IN A 10.10.17.23 +biganswer.example8. 3600 IN A 10.10.17.24 +biganswer.example8. 3600 IN A 10.10.17.25 +biganswer.example8. 3600 IN A 10.10.17.26 +biganswer.example8. 3600 IN A 10.10.17.27 +biganswer.example8. 3600 IN A 10.10.17.28 +biganswer.example8. 3600 IN A 10.10.17.29 +biganswer.example8. 3600 IN A 10.10.17.30 +biganswer.example8. 3600 IN A 10.10.17.31 +biganswer.example8. 3600 IN A 10.10.17.32 +biganswer.example8. 3600 IN A 10.10.17.33 +biganswer.example8. 3600 IN A 10.10.17.34 +biganswer.example8. 3600 IN A 10.10.17.35 +biganswer.example8. 3600 IN A 10.10.17.36 +biganswer.example8. 3600 IN A 10.10.17.37 +biganswer.example8. 3600 IN A 10.10.17.38 +biganswer.example8. 3600 IN A 10.10.17.39 +biganswer.example8. 3600 IN A 10.10.17.40 +biganswer.example8. 3600 IN A 10.10.17.41 +biganswer.example8. 3600 IN A 10.10.17.42 +biganswer.example8. 3600 IN A 10.10.17.43 +biganswer.example8. 3600 IN A 10.10.17.44 +biganswer.example8. 3600 IN A 10.10.17.45 +biganswer.example8. 3600 IN A 10.10.17.46 +biganswer.example8. 3600 IN A 10.10.17.47 +biganswer.example8. 3600 IN A 10.10.17.48 +biganswer.example8. 3600 IN A 10.10.17.49 +biganswer.example8. 3600 IN A 10.10.17.50 +biganswer.example8. 3600 IN A 10.10.18.1 +biganswer.example8. 3600 IN A 10.10.18.2 +biganswer.example8. 3600 IN A 10.10.18.3 +biganswer.example8. 3600 IN A 10.10.18.4 +biganswer.example8. 3600 IN A 10.10.18.5 +biganswer.example8. 
3600 IN A 10.10.18.6 +biganswer.example8. 3600 IN A 10.10.18.7 +biganswer.example8. 3600 IN A 10.10.18.8 +biganswer.example8. 3600 IN A 10.10.18.9 +biganswer.example8. 3600 IN A 10.10.18.10 +biganswer.example8. 3600 IN A 10.10.18.11 +biganswer.example8. 3600 IN A 10.10.18.12 +biganswer.example8. 3600 IN A 10.10.18.13 +biganswer.example8. 3600 IN A 10.10.18.14 +biganswer.example8. 3600 IN A 10.10.18.15 +biganswer.example8. 3600 IN A 10.10.18.16 +biganswer.example8. 3600 IN A 10.10.18.17 +biganswer.example8. 3600 IN A 10.10.18.18 +biganswer.example8. 3600 IN A 10.10.18.19 +biganswer.example8. 3600 IN A 10.10.18.20 +biganswer.example8. 3600 IN A 10.10.18.21 +biganswer.example8. 3600 IN A 10.10.18.22 +biganswer.example8. 3600 IN A 10.10.18.23 +biganswer.example8. 3600 IN A 10.10.18.24 +biganswer.example8. 3600 IN A 10.10.18.25 +biganswer.example8. 3600 IN A 10.10.18.26 +biganswer.example8. 3600 IN A 10.10.18.27 +biganswer.example8. 3600 IN A 10.10.18.28 +biganswer.example8. 3600 IN A 10.10.18.29 +biganswer.example8. 3600 IN A 10.10.18.30 +biganswer.example8. 3600 IN A 10.10.18.31 +biganswer.example8. 3600 IN A 10.10.18.32 +biganswer.example8. 3600 IN A 10.10.18.33 +biganswer.example8. 3600 IN A 10.10.18.34 +biganswer.example8. 3600 IN A 10.10.18.35 +biganswer.example8. 3600 IN A 10.10.18.36 +biganswer.example8. 3600 IN A 10.10.18.37 +biganswer.example8. 3600 IN A 10.10.18.38 +biganswer.example8. 3600 IN A 10.10.18.39 +biganswer.example8. 3600 IN A 10.10.18.40 +biganswer.example8. 3600 IN A 10.10.18.41 +biganswer.example8. 3600 IN A 10.10.18.42 +biganswer.example8. 3600 IN A 10.10.18.43 +biganswer.example8. 3600 IN A 10.10.18.44 +biganswer.example8. 3600 IN A 10.10.18.45 +biganswer.example8. 3600 IN A 10.10.18.46 +biganswer.example8. 3600 IN A 10.10.18.47 +biganswer.example8. 3600 IN A 10.10.18.48 +biganswer.example8. 3600 IN A 10.10.18.49 +biganswer.example8. 3600 IN A 10.10.18.50 +biganswer.example8. 3600 IN A 10.10.19.1 +biganswer.example8. 
3600 IN A 10.10.19.2 +biganswer.example8. 3600 IN A 10.10.19.3 +biganswer.example8. 3600 IN A 10.10.19.4 +biganswer.example8. 3600 IN A 10.10.19.5 +biganswer.example8. 3600 IN A 10.10.19.6 +biganswer.example8. 3600 IN A 10.10.19.7 +biganswer.example8. 3600 IN A 10.10.19.8 +biganswer.example8. 3600 IN A 10.10.19.9 +biganswer.example8. 3600 IN A 10.10.19.10 +biganswer.example8. 3600 IN A 10.10.19.11 +biganswer.example8. 3600 IN A 10.10.19.12 +biganswer.example8. 3600 IN A 10.10.19.13 +biganswer.example8. 3600 IN A 10.10.19.14 +biganswer.example8. 3600 IN A 10.10.19.15 +biganswer.example8. 3600 IN A 10.10.19.16 +biganswer.example8. 3600 IN A 10.10.19.17 +biganswer.example8. 3600 IN A 10.10.19.18 +biganswer.example8. 3600 IN A 10.10.19.19 +biganswer.example8. 3600 IN A 10.10.19.20 +biganswer.example8. 3600 IN A 10.10.19.21 +biganswer.example8. 3600 IN A 10.10.19.22 +biganswer.example8. 3600 IN A 10.10.19.23 +biganswer.example8. 3600 IN A 10.10.19.24 +biganswer.example8. 3600 IN A 10.10.19.25 +biganswer.example8. 3600 IN A 10.10.19.26 +biganswer.example8. 3600 IN A 10.10.19.27 +biganswer.example8. 3600 IN A 10.10.19.28 +biganswer.example8. 3600 IN A 10.10.19.29 +biganswer.example8. 3600 IN A 10.10.19.30 +biganswer.example8. 3600 IN A 10.10.19.31 +biganswer.example8. 3600 IN A 10.10.19.32 +biganswer.example8. 3600 IN A 10.10.19.33 +biganswer.example8. 3600 IN A 10.10.19.34 +biganswer.example8. 3600 IN A 10.10.19.35 +biganswer.example8. 3600 IN A 10.10.19.36 +biganswer.example8. 3600 IN A 10.10.19.37 +biganswer.example8. 3600 IN A 10.10.19.38 +biganswer.example8. 3600 IN A 10.10.19.39 +biganswer.example8. 3600 IN A 10.10.19.40 +biganswer.example8. 3600 IN A 10.10.19.41 +biganswer.example8. 3600 IN A 10.10.19.42 +biganswer.example8. 3600 IN A 10.10.19.43 +biganswer.example8. 3600 IN A 10.10.19.44 +biganswer.example8. 3600 IN A 10.10.19.45 +biganswer.example8. 3600 IN A 10.10.19.46 +biganswer.example8. 3600 IN A 10.10.19.47 +biganswer.example8. 
3600 IN A 10.10.19.48 +biganswer.example8. 3600 IN A 10.10.19.49 +biganswer.example8. 3600 IN A 10.10.19.50 +biganswer.example8. 3600 IN A 10.10.20.1 +biganswer.example8. 3600 IN A 10.10.20.2 +biganswer.example8. 3600 IN A 10.10.20.3 +biganswer.example8. 3600 IN A 10.10.20.4 +biganswer.example8. 3600 IN A 10.10.20.5 +biganswer.example8. 3600 IN A 10.10.20.6 +biganswer.example8. 3600 IN A 10.10.20.7 +biganswer.example8. 3600 IN A 10.10.20.8 +biganswer.example8. 3600 IN A 10.10.20.9 +biganswer.example8. 3600 IN A 10.10.20.10 +biganswer.example8. 3600 IN A 10.10.20.11 +biganswer.example8. 3600 IN A 10.10.20.12 +biganswer.example8. 3600 IN A 10.10.20.13 +biganswer.example8. 3600 IN A 10.10.20.14 +biganswer.example8. 3600 IN A 10.10.20.15 +biganswer.example8. 3600 IN A 10.10.20.16 +biganswer.example8. 3600 IN A 10.10.20.17 +biganswer.example8. 3600 IN A 10.10.20.18 +biganswer.example8. 3600 IN A 10.10.20.19 +biganswer.example8. 3600 IN A 10.10.20.20 +biganswer.example8. 3600 IN A 10.10.20.21 +biganswer.example8. 3600 IN A 10.10.20.22 +biganswer.example8. 3600 IN A 10.10.20.23 +biganswer.example8. 3600 IN A 10.10.20.24 +biganswer.example8. 3600 IN A 10.10.20.25 +biganswer.example8. 3600 IN A 10.10.20.26 +biganswer.example8. 3600 IN A 10.10.20.27 +biganswer.example8. 3600 IN A 10.10.20.28 +biganswer.example8. 3600 IN A 10.10.20.29 +biganswer.example8. 3600 IN A 10.10.20.30 +biganswer.example8. 3600 IN A 10.10.20.31 +biganswer.example8. 3600 IN A 10.10.20.32 +biganswer.example8. 3600 IN A 10.10.20.33 +biganswer.example8. 3600 IN A 10.10.20.34 +biganswer.example8. 3600 IN A 10.10.20.35 +biganswer.example8. 3600 IN A 10.10.20.36 +biganswer.example8. 3600 IN A 10.10.20.37 +biganswer.example8. 3600 IN A 10.10.20.38 +biganswer.example8. 3600 IN A 10.10.20.39 +biganswer.example8. 3600 IN A 10.10.20.40 +biganswer.example8. 3600 IN A 10.10.20.41 +biganswer.example8. 3600 IN A 10.10.20.42 +biganswer.example8. 3600 IN A 10.10.20.43 +biganswer.example8. 
3600 IN A 10.10.20.44 +biganswer.example8. 3600 IN A 10.10.20.45 +biganswer.example8. 3600 IN A 10.10.20.46 +biganswer.example8. 3600 IN A 10.10.20.47 +biganswer.example8. 3600 IN A 10.10.20.48 +biganswer.example8. 3600 IN A 10.10.20.49 +biganswer.example8. 3600 IN A 10.10.20.50 +biganswer.example8. 3600 IN A 10.10.21.1 +biganswer.example8. 3600 IN A 10.10.21.2 +biganswer.example8. 3600 IN A 10.10.21.3 +biganswer.example8. 3600 IN A 10.10.21.4 +biganswer.example8. 3600 IN A 10.10.21.5 +biganswer.example8. 3600 IN A 10.10.21.6 +biganswer.example8. 3600 IN A 10.10.21.7 +biganswer.example8. 3600 IN A 10.10.21.8 +biganswer.example8. 3600 IN A 10.10.21.9 +biganswer.example8. 3600 IN A 10.10.21.10 +biganswer.example8. 3600 IN A 10.10.21.11 +biganswer.example8. 3600 IN A 10.10.21.12 +biganswer.example8. 3600 IN A 10.10.21.13 +biganswer.example8. 3600 IN A 10.10.21.14 +biganswer.example8. 3600 IN A 10.10.21.15 +biganswer.example8. 3600 IN A 10.10.21.16 +biganswer.example8. 3600 IN A 10.10.21.17 +biganswer.example8. 3600 IN A 10.10.21.18 +biganswer.example8. 3600 IN A 10.10.21.19 +biganswer.example8. 3600 IN A 10.10.21.20 +biganswer.example8. 3600 IN A 10.10.21.21 +biganswer.example8. 3600 IN A 10.10.21.22 +biganswer.example8. 3600 IN A 10.10.21.23 +biganswer.example8. 3600 IN A 10.10.21.24 +biganswer.example8. 3600 IN A 10.10.21.25 +biganswer.example8. 3600 IN A 10.10.21.26 +biganswer.example8. 3600 IN A 10.10.21.27 +biganswer.example8. 3600 IN A 10.10.21.28 +biganswer.example8. 3600 IN A 10.10.21.29 +biganswer.example8. 3600 IN A 10.10.21.30 +biganswer.example8. 3600 IN A 10.10.21.31 +biganswer.example8. 3600 IN A 10.10.21.32 +biganswer.example8. 3600 IN A 10.10.21.33 +biganswer.example8. 3600 IN A 10.10.21.34 +biganswer.example8. 3600 IN A 10.10.21.35 +biganswer.example8. 3600 IN A 10.10.21.36 +biganswer.example8. 3600 IN A 10.10.21.37 +biganswer.example8. 3600 IN A 10.10.21.38 +biganswer.example8. 3600 IN A 10.10.21.39 +biganswer.example8. 
3600 IN A 10.10.21.40 +biganswer.example8. 3600 IN A 10.10.21.41 +biganswer.example8. 3600 IN A 10.10.21.42 +biganswer.example8. 3600 IN A 10.10.21.43 +biganswer.example8. 3600 IN A 10.10.21.44 +biganswer.example8. 3600 IN A 10.10.21.45 +biganswer.example8. 3600 IN A 10.10.21.46 +biganswer.example8. 3600 IN A 10.10.21.47 +biganswer.example8. 3600 IN A 10.10.21.48 +biganswer.example8. 3600 IN A 10.10.21.49 +biganswer.example8. 3600 IN A 10.10.21.50 +biganswer.example8. 3600 IN A 10.10.22.1 +biganswer.example8. 3600 IN A 10.10.22.2 +biganswer.example8. 3600 IN A 10.10.22.3 +biganswer.example8. 3600 IN A 10.10.22.4 +biganswer.example8. 3600 IN A 10.10.22.5 +biganswer.example8. 3600 IN A 10.10.22.6 +biganswer.example8. 3600 IN A 10.10.22.7 +biganswer.example8. 3600 IN A 10.10.22.8 +biganswer.example8. 3600 IN A 10.10.22.9 +biganswer.example8. 3600 IN A 10.10.22.10 +biganswer.example8. 3600 IN A 10.10.22.11 +biganswer.example8. 3600 IN A 10.10.22.12 +biganswer.example8. 3600 IN A 10.10.22.13 +biganswer.example8. 3600 IN A 10.10.22.14 +biganswer.example8. 3600 IN A 10.10.22.15 +biganswer.example8. 3600 IN A 10.10.22.16 +biganswer.example8. 3600 IN A 10.10.22.17 +biganswer.example8. 3600 IN A 10.10.22.18 +biganswer.example8. 3600 IN A 10.10.22.19 +biganswer.example8. 3600 IN A 10.10.22.20 +biganswer.example8. 3600 IN A 10.10.22.21 +biganswer.example8. 3600 IN A 10.10.22.22 +biganswer.example8. 3600 IN A 10.10.22.23 +biganswer.example8. 3600 IN A 10.10.22.24 +biganswer.example8. 3600 IN A 10.10.22.25 +biganswer.example8. 3600 IN A 10.10.22.26 +biganswer.example8. 3600 IN A 10.10.22.27 +biganswer.example8. 3600 IN A 10.10.22.28 +biganswer.example8. 3600 IN A 10.10.22.29 +biganswer.example8. 3600 IN A 10.10.22.30 +biganswer.example8. 3600 IN A 10.10.22.31 +biganswer.example8. 3600 IN A 10.10.22.32 +biganswer.example8. 3600 IN A 10.10.22.33 +biganswer.example8. 3600 IN A 10.10.22.34 +biganswer.example8. 3600 IN A 10.10.22.35 +biganswer.example8. 
3600 IN A 10.10.22.36 +biganswer.example8. 3600 IN A 10.10.22.37 +biganswer.example8. 3600 IN A 10.10.22.38 +biganswer.example8. 3600 IN A 10.10.22.39 +biganswer.example8. 3600 IN A 10.10.22.40 +biganswer.example8. 3600 IN A 10.10.22.41 +biganswer.example8. 3600 IN A 10.10.22.42 +biganswer.example8. 3600 IN A 10.10.22.43 +biganswer.example8. 3600 IN A 10.10.22.44 +biganswer.example8. 3600 IN A 10.10.22.45 +biganswer.example8. 3600 IN A 10.10.22.46 +biganswer.example8. 3600 IN A 10.10.22.47 +biganswer.example8. 3600 IN A 10.10.22.48 +biganswer.example8. 3600 IN A 10.10.22.49 +biganswer.example8. 3600 IN A 10.10.22.50 +biganswer.example8. 3600 IN A 10.10.23.1 +biganswer.example8. 3600 IN A 10.10.23.2 +biganswer.example8. 3600 IN A 10.10.23.3 +biganswer.example8. 3600 IN A 10.10.23.4 +biganswer.example8. 3600 IN A 10.10.23.5 +biganswer.example8. 3600 IN A 10.10.23.6 +biganswer.example8. 3600 IN A 10.10.23.7 +biganswer.example8. 3600 IN A 10.10.23.8 +biganswer.example8. 3600 IN A 10.10.23.9 +biganswer.example8. 3600 IN A 10.10.23.10 +biganswer.example8. 3600 IN A 10.10.23.11 +biganswer.example8. 3600 IN A 10.10.23.12 +biganswer.example8. 3600 IN A 10.10.23.13 +biganswer.example8. 3600 IN A 10.10.23.14 +biganswer.example8. 3600 IN A 10.10.23.15 +biganswer.example8. 3600 IN A 10.10.23.16 +biganswer.example8. 3600 IN A 10.10.23.17 +biganswer.example8. 3600 IN A 10.10.23.18 +biganswer.example8. 3600 IN A 10.10.23.19 +biganswer.example8. 3600 IN A 10.10.23.20 +biganswer.example8. 3600 IN A 10.10.23.21 +biganswer.example8. 3600 IN A 10.10.23.22 +biganswer.example8. 3600 IN A 10.10.23.23 +biganswer.example8. 3600 IN A 10.10.23.24 +biganswer.example8. 3600 IN A 10.10.23.25 +biganswer.example8. 3600 IN A 10.10.23.26 +biganswer.example8. 3600 IN A 10.10.23.27 +biganswer.example8. 3600 IN A 10.10.23.28 +biganswer.example8. 3600 IN A 10.10.23.29 +biganswer.example8. 3600 IN A 10.10.23.30 +biganswer.example8. 3600 IN A 10.10.23.31 +biganswer.example8. 
3600 IN A 10.10.23.32 +biganswer.example8. 3600 IN A 10.10.23.33 +biganswer.example8. 3600 IN A 10.10.23.34 +biganswer.example8. 3600 IN A 10.10.23.35 +biganswer.example8. 3600 IN A 10.10.23.36 +biganswer.example8. 3600 IN A 10.10.23.37 +biganswer.example8. 3600 IN A 10.10.23.38 +biganswer.example8. 3600 IN A 10.10.23.39 +biganswer.example8. 3600 IN A 10.10.23.40 +biganswer.example8. 3600 IN A 10.10.23.41 +biganswer.example8. 3600 IN A 10.10.23.42 +biganswer.example8. 3600 IN A 10.10.23.43 +biganswer.example8. 3600 IN A 10.10.23.44 +biganswer.example8. 3600 IN A 10.10.23.45 +biganswer.example8. 3600 IN A 10.10.23.46 +biganswer.example8. 3600 IN A 10.10.23.47 +biganswer.example8. 3600 IN A 10.10.23.48 +biganswer.example8. 3600 IN A 10.10.23.49 +biganswer.example8. 3600 IN A 10.10.23.50 +biganswer.example8. 3600 IN A 10.10.24.1 +biganswer.example8. 3600 IN A 10.10.24.2 +biganswer.example8. 3600 IN A 10.10.24.3 +biganswer.example8. 3600 IN A 10.10.24.4 +biganswer.example8. 3600 IN A 10.10.24.5 +biganswer.example8. 3600 IN A 10.10.24.6 +biganswer.example8. 3600 IN A 10.10.24.7 +biganswer.example8. 3600 IN A 10.10.24.8 +biganswer.example8. 3600 IN A 10.10.24.9 +biganswer.example8. 3600 IN A 10.10.24.10 +biganswer.example8. 3600 IN A 10.10.24.11 +biganswer.example8. 3600 IN A 10.10.24.12 +biganswer.example8. 3600 IN A 10.10.24.13 +biganswer.example8. 3600 IN A 10.10.24.14 +biganswer.example8. 3600 IN A 10.10.24.15 +biganswer.example8. 3600 IN A 10.10.24.16 +biganswer.example8. 3600 IN A 10.10.24.17 +biganswer.example8. 3600 IN A 10.10.24.18 +biganswer.example8. 3600 IN A 10.10.24.19 +biganswer.example8. 3600 IN A 10.10.24.20 +biganswer.example8. 3600 IN A 10.10.24.21 +biganswer.example8. 3600 IN A 10.10.24.22 +biganswer.example8. 3600 IN A 10.10.24.23 +biganswer.example8. 3600 IN A 10.10.24.24 +biganswer.example8. 3600 IN A 10.10.24.25 +biganswer.example8. 3600 IN A 10.10.24.26 +biganswer.example8. 3600 IN A 10.10.24.27 +biganswer.example8. 
3600 IN A 10.10.24.28 +biganswer.example8. 3600 IN A 10.10.24.29 +biganswer.example8. 3600 IN A 10.10.24.30 +biganswer.example8. 3600 IN A 10.10.24.31 +biganswer.example8. 3600 IN A 10.10.24.32 +biganswer.example8. 3600 IN A 10.10.24.33 +biganswer.example8. 3600 IN A 10.10.24.34 +biganswer.example8. 3600 IN A 10.10.24.35 +biganswer.example8. 3600 IN A 10.10.24.36 +biganswer.example8. 3600 IN A 10.10.24.37 +biganswer.example8. 3600 IN A 10.10.24.38 +biganswer.example8. 3600 IN A 10.10.24.39 +biganswer.example8. 3600 IN A 10.10.24.40 +biganswer.example8. 3600 IN A 10.10.24.41 +biganswer.example8. 3600 IN A 10.10.24.42 +biganswer.example8. 3600 IN A 10.10.24.43 +biganswer.example8. 3600 IN A 10.10.24.44 +biganswer.example8. 3600 IN A 10.10.24.45 +biganswer.example8. 3600 IN A 10.10.24.46 +biganswer.example8. 3600 IN A 10.10.24.47 +biganswer.example8. 3600 IN A 10.10.24.48 +biganswer.example8. 3600 IN A 10.10.24.49 +biganswer.example8. 3600 IN A 10.10.24.50 +biganswer.example8. 3600 IN A 10.10.25.1 +biganswer.example8. 3600 IN A 10.10.25.2 +biganswer.example8. 3600 IN A 10.10.25.3 +biganswer.example8. 3600 IN A 10.10.25.4 +biganswer.example8. 3600 IN A 10.10.25.5 +biganswer.example8. 3600 IN A 10.10.25.6 +biganswer.example8. 3600 IN A 10.10.25.7 +biganswer.example8. 3600 IN A 10.10.25.8 +biganswer.example8. 3600 IN A 10.10.25.9 +biganswer.example8. 3600 IN A 10.10.25.10 +biganswer.example8. 3600 IN A 10.10.25.11 +biganswer.example8. 3600 IN A 10.10.25.12 +biganswer.example8. 3600 IN A 10.10.25.13 +biganswer.example8. 3600 IN A 10.10.25.14 +biganswer.example8. 3600 IN A 10.10.25.15 +biganswer.example8. 3600 IN A 10.10.25.16 +biganswer.example8. 3600 IN A 10.10.25.17 +biganswer.example8. 3600 IN A 10.10.25.18 +biganswer.example8. 3600 IN A 10.10.25.19 +biganswer.example8. 3600 IN A 10.10.25.20 +biganswer.example8. 3600 IN A 10.10.25.21 +biganswer.example8. 3600 IN A 10.10.25.22 +biganswer.example8. 3600 IN A 10.10.25.23 +biganswer.example8. 
3600 IN A 10.10.25.24 +biganswer.example8. 3600 IN A 10.10.25.25 +biganswer.example8. 3600 IN A 10.10.25.26 +biganswer.example8. 3600 IN A 10.10.25.27 +biganswer.example8. 3600 IN A 10.10.25.28 +biganswer.example8. 3600 IN A 10.10.25.29 +biganswer.example8. 3600 IN A 10.10.25.30 +biganswer.example8. 3600 IN A 10.10.25.31 +biganswer.example8. 3600 IN A 10.10.25.32 +biganswer.example8. 3600 IN A 10.10.25.33 +biganswer.example8. 3600 IN A 10.10.25.34 +biganswer.example8. 3600 IN A 10.10.25.35 +biganswer.example8. 3600 IN A 10.10.25.36 +biganswer.example8. 3600 IN A 10.10.25.37 +biganswer.example8. 3600 IN A 10.10.25.38 +biganswer.example8. 3600 IN A 10.10.25.39 +biganswer.example8. 3600 IN A 10.10.25.40 +biganswer.example8. 3600 IN A 10.10.25.41 +biganswer.example8. 3600 IN A 10.10.25.42 +biganswer.example8. 3600 IN A 10.10.25.43 +biganswer.example8. 3600 IN A 10.10.25.44 +biganswer.example8. 3600 IN A 10.10.25.45 +biganswer.example8. 3600 IN A 10.10.25.46 +biganswer.example8. 3600 IN A 10.10.25.47 +biganswer.example8. 3600 IN A 10.10.25.48 +biganswer.example8. 3600 IN A 10.10.25.49 +biganswer.example8. 3600 IN A 10.10.25.50 +biganswer.example8. 3600 IN A 10.10.26.1 +biganswer.example8. 3600 IN A 10.10.26.2 +biganswer.example8. 3600 IN A 10.10.26.3 +biganswer.example8. 3600 IN A 10.10.26.4 +biganswer.example8. 3600 IN A 10.10.26.5 +biganswer.example8. 3600 IN A 10.10.26.6 +biganswer.example8. 3600 IN A 10.10.26.7 +biganswer.example8. 3600 IN A 10.10.26.8 +biganswer.example8. 3600 IN A 10.10.26.9 +biganswer.example8. 3600 IN A 10.10.26.10 +biganswer.example8. 3600 IN A 10.10.26.11 +biganswer.example8. 3600 IN A 10.10.26.12 +biganswer.example8. 3600 IN A 10.10.26.13 +biganswer.example8. 3600 IN A 10.10.26.14 +biganswer.example8. 3600 IN A 10.10.26.15 +biganswer.example8. 3600 IN A 10.10.26.16 +biganswer.example8. 3600 IN A 10.10.26.17 +biganswer.example8. 3600 IN A 10.10.26.18 +biganswer.example8. 3600 IN A 10.10.26.19 +biganswer.example8. 
3600 IN A 10.10.26.20 +biganswer.example8. 3600 IN A 10.10.26.21 +biganswer.example8. 3600 IN A 10.10.26.22 +biganswer.example8. 3600 IN A 10.10.26.23 +biganswer.example8. 3600 IN A 10.10.26.24 +biganswer.example8. 3600 IN A 10.10.26.25 +biganswer.example8. 3600 IN A 10.10.26.26 +biganswer.example8. 3600 IN A 10.10.26.27 +biganswer.example8. 3600 IN A 10.10.26.28 +biganswer.example8. 3600 IN A 10.10.26.29 +biganswer.example8. 3600 IN A 10.10.26.30 +biganswer.example8. 3600 IN A 10.10.26.31 +biganswer.example8. 3600 IN A 10.10.26.32 +biganswer.example8. 3600 IN A 10.10.26.33 +biganswer.example8. 3600 IN A 10.10.26.34 +biganswer.example8. 3600 IN A 10.10.26.35 +biganswer.example8. 3600 IN A 10.10.26.36 +biganswer.example8. 3600 IN A 10.10.26.37 +biganswer.example8. 3600 IN A 10.10.26.38 +biganswer.example8. 3600 IN A 10.10.26.39 +biganswer.example8. 3600 IN A 10.10.26.40 +biganswer.example8. 3600 IN A 10.10.26.41 +biganswer.example8. 3600 IN A 10.10.26.42 +biganswer.example8. 3600 IN A 10.10.26.43 +biganswer.example8. 3600 IN A 10.10.26.44 +biganswer.example8. 3600 IN A 10.10.26.45 +biganswer.example8. 3600 IN A 10.10.26.46 +biganswer.example8. 3600 IN A 10.10.26.47 +biganswer.example8. 3600 IN A 10.10.26.48 +biganswer.example8. 3600 IN A 10.10.26.49 +biganswer.example8. 3600 IN A 10.10.26.50 +biganswer.example8. 3600 IN A 10.10.27.1 +biganswer.example8. 3600 IN A 10.10.27.2 +biganswer.example8. 3600 IN A 10.10.27.3 +biganswer.example8. 3600 IN A 10.10.27.4 +biganswer.example8. 3600 IN A 10.10.27.5 +biganswer.example8. 3600 IN A 10.10.27.6 +biganswer.example8. 3600 IN A 10.10.27.7 +biganswer.example8. 3600 IN A 10.10.27.8 +biganswer.example8. 3600 IN A 10.10.27.9 +biganswer.example8. 3600 IN A 10.10.27.10 +biganswer.example8. 3600 IN A 10.10.27.11 +biganswer.example8. 3600 IN A 10.10.27.12 +biganswer.example8. 3600 IN A 10.10.27.13 +biganswer.example8. 3600 IN A 10.10.27.14 +biganswer.example8. 3600 IN A 10.10.27.15 +biganswer.example8. 
3600 IN A 10.10.27.16 +biganswer.example8. 3600 IN A 10.10.27.17 +biganswer.example8. 3600 IN A 10.10.27.18 +biganswer.example8. 3600 IN A 10.10.27.19 +biganswer.example8. 3600 IN A 10.10.27.20 +biganswer.example8. 3600 IN A 10.10.27.21 +biganswer.example8. 3600 IN A 10.10.27.22 +biganswer.example8. 3600 IN A 10.10.27.23 +biganswer.example8. 3600 IN A 10.10.27.24 +biganswer.example8. 3600 IN A 10.10.27.25 +biganswer.example8. 3600 IN A 10.10.27.26 +biganswer.example8. 3600 IN A 10.10.27.27 +biganswer.example8. 3600 IN A 10.10.27.28 +biganswer.example8. 3600 IN A 10.10.27.29 +biganswer.example8. 3600 IN A 10.10.27.30 +biganswer.example8. 3600 IN A 10.10.27.31 +biganswer.example8. 3600 IN A 10.10.27.32 +biganswer.example8. 3600 IN A 10.10.27.33 +biganswer.example8. 3600 IN A 10.10.27.34 +biganswer.example8. 3600 IN A 10.10.27.35 +biganswer.example8. 3600 IN A 10.10.27.36 +biganswer.example8. 3600 IN A 10.10.27.37 +biganswer.example8. 3600 IN A 10.10.27.38 +biganswer.example8. 3600 IN A 10.10.27.39 +biganswer.example8. 3600 IN A 10.10.27.40 +biganswer.example8. 3600 IN A 10.10.27.41 +biganswer.example8. 3600 IN A 10.10.27.42 +biganswer.example8. 3600 IN A 10.10.27.43 +biganswer.example8. 3600 IN A 10.10.27.44 +biganswer.example8. 3600 IN A 10.10.27.45 +biganswer.example8. 3600 IN A 10.10.27.46 +biganswer.example8. 3600 IN A 10.10.27.47 +biganswer.example8. 3600 IN A 10.10.27.48 +biganswer.example8. 3600 IN A 10.10.27.49 +biganswer.example8. 3600 IN A 10.10.27.50 +biganswer.example8. 3600 IN A 10.10.28.1 +biganswer.example8. 3600 IN A 10.10.28.2 +biganswer.example8. 3600 IN A 10.10.28.3 +biganswer.example8. 3600 IN A 10.10.28.4 +biganswer.example8. 3600 IN A 10.10.28.5 +biganswer.example8. 3600 IN A 10.10.28.6 +biganswer.example8. 3600 IN A 10.10.28.7 +biganswer.example8. 3600 IN A 10.10.28.8 +biganswer.example8. 3600 IN A 10.10.28.9 +biganswer.example8. 3600 IN A 10.10.28.10 +biganswer.example8. 3600 IN A 10.10.28.11 +biganswer.example8. 
3600 IN A 10.10.28.12 +biganswer.example8. 3600 IN A 10.10.28.13 +biganswer.example8. 3600 IN A 10.10.28.14 +biganswer.example8. 3600 IN A 10.10.28.15 +biganswer.example8. 3600 IN A 10.10.28.16 +biganswer.example8. 3600 IN A 10.10.28.17 +biganswer.example8. 3600 IN A 10.10.28.18 +biganswer.example8. 3600 IN A 10.10.28.19 +biganswer.example8. 3600 IN A 10.10.28.20 +biganswer.example8. 3600 IN A 10.10.28.21 +biganswer.example8. 3600 IN A 10.10.28.22 +biganswer.example8. 3600 IN A 10.10.28.23 +biganswer.example8. 3600 IN A 10.10.28.24 +biganswer.example8. 3600 IN A 10.10.28.25 +biganswer.example8. 3600 IN A 10.10.28.26 +biganswer.example8. 3600 IN A 10.10.28.27 +biganswer.example8. 3600 IN A 10.10.28.28 +biganswer.example8. 3600 IN A 10.10.28.29 +biganswer.example8. 3600 IN A 10.10.28.30 +biganswer.example8. 3600 IN A 10.10.28.31 +biganswer.example8. 3600 IN A 10.10.28.32 +biganswer.example8. 3600 IN A 10.10.28.33 +biganswer.example8. 3600 IN A 10.10.28.34 +biganswer.example8. 3600 IN A 10.10.28.35 +biganswer.example8. 3600 IN A 10.10.28.36 +biganswer.example8. 3600 IN A 10.10.28.37 +biganswer.example8. 3600 IN A 10.10.28.38 +biganswer.example8. 3600 IN A 10.10.28.39 +biganswer.example8. 3600 IN A 10.10.28.40 +biganswer.example8. 3600 IN A 10.10.28.41 +biganswer.example8. 3600 IN A 10.10.28.42 +biganswer.example8. 3600 IN A 10.10.28.43 +biganswer.example8. 3600 IN A 10.10.28.44 +biganswer.example8. 3600 IN A 10.10.28.45 +biganswer.example8. 3600 IN A 10.10.28.46 +biganswer.example8. 3600 IN A 10.10.28.47 +biganswer.example8. 3600 IN A 10.10.28.48 +biganswer.example8. 3600 IN A 10.10.28.49 +biganswer.example8. 3600 IN A 10.10.28.50 +biganswer.example8. 3600 IN A 10.10.29.1 +biganswer.example8. 3600 IN A 10.10.29.2 +biganswer.example8. 3600 IN A 10.10.29.3 +biganswer.example8. 3600 IN A 10.10.29.4 +biganswer.example8. 3600 IN A 10.10.29.5 +biganswer.example8. 3600 IN A 10.10.29.6 +biganswer.example8. 3600 IN A 10.10.29.7 +biganswer.example8. 
3600 IN A 10.10.29.8 +biganswer.example8. 3600 IN A 10.10.29.9 +biganswer.example8. 3600 IN A 10.10.29.10 +biganswer.example8. 3600 IN A 10.10.29.11 +biganswer.example8. 3600 IN A 10.10.29.12 +biganswer.example8. 3600 IN A 10.10.29.13 +biganswer.example8. 3600 IN A 10.10.29.14 +biganswer.example8. 3600 IN A 10.10.29.15 +biganswer.example8. 3600 IN A 10.10.29.16 +biganswer.example8. 3600 IN A 10.10.29.17 +biganswer.example8. 3600 IN A 10.10.29.18 +biganswer.example8. 3600 IN A 10.10.29.19 +biganswer.example8. 3600 IN A 10.10.29.20 +biganswer.example8. 3600 IN A 10.10.29.21 +biganswer.example8. 3600 IN A 10.10.29.22 +biganswer.example8. 3600 IN A 10.10.29.23 +biganswer.example8. 3600 IN A 10.10.29.24 +biganswer.example8. 3600 IN A 10.10.29.25 +biganswer.example8. 3600 IN A 10.10.29.26 +biganswer.example8. 3600 IN A 10.10.29.27 +biganswer.example8. 3600 IN A 10.10.29.28 +biganswer.example8. 3600 IN A 10.10.29.29 +biganswer.example8. 3600 IN A 10.10.29.30 +biganswer.example8. 3600 IN A 10.10.29.31 +biganswer.example8. 3600 IN A 10.10.29.32 +biganswer.example8. 3600 IN A 10.10.29.33 +biganswer.example8. 3600 IN A 10.10.29.34 +biganswer.example8. 3600 IN A 10.10.29.35 +biganswer.example8. 3600 IN A 10.10.29.36 +biganswer.example8. 3600 IN A 10.10.29.37 +biganswer.example8. 3600 IN A 10.10.29.38 +biganswer.example8. 3600 IN A 10.10.29.39 +biganswer.example8. 3600 IN A 10.10.29.40 +biganswer.example8. 3600 IN A 10.10.29.41 +biganswer.example8. 3600 IN A 10.10.29.42 +biganswer.example8. 3600 IN A 10.10.29.43 +biganswer.example8. 3600 IN A 10.10.29.44 +biganswer.example8. 3600 IN A 10.10.29.45 +biganswer.example8. 3600 IN A 10.10.29.46 +biganswer.example8. 3600 IN A 10.10.29.47 +biganswer.example8. 3600 IN A 10.10.29.48 +biganswer.example8. 3600 IN A 10.10.29.49 +biganswer.example8. 3600 IN A 10.10.29.50 +biganswer.example8. 3600 IN A 10.10.30.1 +biganswer.example8. 3600 IN A 10.10.30.2 +biganswer.example8. 3600 IN A 10.10.30.3 +biganswer.example8. 
3600 IN A 10.10.30.4 +biganswer.example8. 3600 IN A 10.10.30.5 +biganswer.example8. 3600 IN A 10.10.30.6 +biganswer.example8. 3600 IN A 10.10.30.7 +biganswer.example8. 3600 IN A 10.10.30.8 +biganswer.example8. 3600 IN A 10.10.30.9 +biganswer.example8. 3600 IN A 10.10.30.10 +biganswer.example8. 3600 IN A 10.10.30.11 +biganswer.example8. 3600 IN A 10.10.30.12 +biganswer.example8. 3600 IN A 10.10.30.13 +biganswer.example8. 3600 IN A 10.10.30.14 +biganswer.example8. 3600 IN A 10.10.30.15 +biganswer.example8. 3600 IN A 10.10.30.16 +biganswer.example8. 3600 IN A 10.10.30.17 +biganswer.example8. 3600 IN A 10.10.30.18 +biganswer.example8. 3600 IN A 10.10.30.19 +biganswer.example8. 3600 IN A 10.10.30.20 +biganswer.example8. 3600 IN A 10.10.30.21 +biganswer.example8. 3600 IN A 10.10.30.22 +biganswer.example8. 3600 IN A 10.10.30.23 +biganswer.example8. 3600 IN A 10.10.30.24 +biganswer.example8. 3600 IN A 10.10.30.25 +biganswer.example8. 3600 IN A 10.10.30.26 +biganswer.example8. 3600 IN A 10.10.30.27 +biganswer.example8. 3600 IN A 10.10.30.28 +biganswer.example8. 3600 IN A 10.10.30.29 +biganswer.example8. 3600 IN A 10.10.30.30 +biganswer.example8. 3600 IN A 10.10.30.31 +biganswer.example8. 3600 IN A 10.10.30.32 +biganswer.example8. 3600 IN A 10.10.30.33 +biganswer.example8. 3600 IN A 10.10.30.34 +biganswer.example8. 3600 IN A 10.10.30.35 +biganswer.example8. 3600 IN A 10.10.30.36 +biganswer.example8. 3600 IN A 10.10.30.37 +biganswer.example8. 3600 IN A 10.10.30.38 +biganswer.example8. 3600 IN A 10.10.30.39 +biganswer.example8. 3600 IN A 10.10.30.40 +biganswer.example8. 3600 IN A 10.10.30.41 +biganswer.example8. 3600 IN A 10.10.30.42 +biganswer.example8. 3600 IN A 10.10.30.43 +biganswer.example8. 3600 IN A 10.10.30.44 +biganswer.example8. 3600 IN A 10.10.30.45 +biganswer.example8. 3600 IN A 10.10.30.46 +biganswer.example8. 3600 IN A 10.10.30.47 +biganswer.example8. 3600 IN A 10.10.30.48 +biganswer.example8. 3600 IN A 10.10.30.49 +biganswer.example8. 
3600 IN A 10.10.30.50 +biganswer.example8. 3600 IN A 10.10.31.1 +biganswer.example8. 3600 IN A 10.10.31.2 +biganswer.example8. 3600 IN A 10.10.31.3 +biganswer.example8. 3600 IN A 10.10.31.4 +biganswer.example8. 3600 IN A 10.10.31.5 +biganswer.example8. 3600 IN A 10.10.31.6 +biganswer.example8. 3600 IN A 10.10.31.7 +biganswer.example8. 3600 IN A 10.10.31.8 +biganswer.example8. 3600 IN A 10.10.31.9 +biganswer.example8. 3600 IN A 10.10.31.10 +biganswer.example8. 3600 IN A 10.10.31.11 +biganswer.example8. 3600 IN A 10.10.31.12 +biganswer.example8. 3600 IN A 10.10.31.13 +biganswer.example8. 3600 IN A 10.10.31.14 +biganswer.example8. 3600 IN A 10.10.31.15 +biganswer.example8. 3600 IN A 10.10.31.16 +biganswer.example8. 3600 IN A 10.10.31.17 +biganswer.example8. 3600 IN A 10.10.31.18 +biganswer.example8. 3600 IN A 10.10.31.19 +biganswer.example8. 3600 IN A 10.10.31.20 +biganswer.example8. 3600 IN A 10.10.31.21 +biganswer.example8. 3600 IN A 10.10.31.22 +biganswer.example8. 3600 IN A 10.10.31.23 +biganswer.example8. 3600 IN A 10.10.31.24 +biganswer.example8. 3600 IN A 10.10.31.25 +biganswer.example8. 3600 IN A 10.10.31.26 +biganswer.example8. 3600 IN A 10.10.31.27 +biganswer.example8. 3600 IN A 10.10.31.28 +biganswer.example8. 3600 IN A 10.10.31.29 +biganswer.example8. 3600 IN A 10.10.31.30 +biganswer.example8. 3600 IN A 10.10.31.31 +biganswer.example8. 3600 IN A 10.10.31.32 +biganswer.example8. 3600 IN A 10.10.31.33 +biganswer.example8. 3600 IN A 10.10.31.34 +biganswer.example8. 3600 IN A 10.10.31.35 +biganswer.example8. 3600 IN A 10.10.31.36 +biganswer.example8. 3600 IN A 10.10.31.37 +biganswer.example8. 3600 IN A 10.10.31.38 +biganswer.example8. 3600 IN A 10.10.31.39 +biganswer.example8. 3600 IN A 10.10.31.40 +biganswer.example8. 3600 IN A 10.10.31.41 +biganswer.example8. 3600 IN A 10.10.31.42 +biganswer.example8. 3600 IN A 10.10.31.43 +biganswer.example8. 3600 IN A 10.10.31.44 +biganswer.example8. 3600 IN A 10.10.31.45 +biganswer.example8. 
3600 IN A 10.10.31.46 +biganswer.example8. 3600 IN A 10.10.31.47 +biganswer.example8. 3600 IN A 10.10.31.48 +biganswer.example8. 3600 IN A 10.10.31.49 +biganswer.example8. 3600 IN A 10.10.31.50 +biganswer.example8. 3600 IN A 10.10.32.1 +biganswer.example8. 3600 IN A 10.10.32.2 +biganswer.example8. 3600 IN A 10.10.32.3 +biganswer.example8. 3600 IN A 10.10.32.4 +biganswer.example8. 3600 IN A 10.10.32.5 +biganswer.example8. 3600 IN A 10.10.32.6 +biganswer.example8. 3600 IN A 10.10.32.7 +biganswer.example8. 3600 IN A 10.10.32.8 +biganswer.example8. 3600 IN A 10.10.32.9 +biganswer.example8. 3600 IN A 10.10.32.10 +biganswer.example8. 3600 IN A 10.10.32.11 +biganswer.example8. 3600 IN A 10.10.32.12 +biganswer.example8. 3600 IN A 10.10.32.13 +biganswer.example8. 3600 IN A 10.10.32.14 +biganswer.example8. 3600 IN A 10.10.32.15 +biganswer.example8. 3600 IN A 10.10.32.16 +biganswer.example8. 3600 IN A 10.10.32.17 +biganswer.example8. 3600 IN A 10.10.32.18 +biganswer.example8. 3600 IN A 10.10.32.19 +biganswer.example8. 3600 IN A 10.10.32.20 +biganswer.example8. 3600 IN A 10.10.32.21 +biganswer.example8. 3600 IN A 10.10.32.22 +biganswer.example8. 3600 IN A 10.10.32.23 +biganswer.example8. 3600 IN A 10.10.32.24 +biganswer.example8. 3600 IN A 10.10.32.25 +biganswer.example8. 3600 IN A 10.10.32.26 +biganswer.example8. 3600 IN A 10.10.32.27 +biganswer.example8. 3600 IN A 10.10.32.28 +biganswer.example8. 3600 IN A 10.10.32.29 +biganswer.example8. 3600 IN A 10.10.32.30 +biganswer.example8. 3600 IN A 10.10.32.31 +biganswer.example8. 3600 IN A 10.10.32.32 +biganswer.example8. 3600 IN A 10.10.32.33 +biganswer.example8. 3600 IN A 10.10.32.34 +biganswer.example8. 3600 IN A 10.10.32.35 +biganswer.example8. 3600 IN A 10.10.32.36 +biganswer.example8. 3600 IN A 10.10.32.37 +biganswer.example8. 3600 IN A 10.10.32.38 +biganswer.example8. 3600 IN A 10.10.32.39 +biganswer.example8. 3600 IN A 10.10.32.40 +biganswer.example8. 3600 IN A 10.10.32.41 +biganswer.example8. 
3600 IN A 10.10.32.42 +biganswer.example8. 3600 IN A 10.10.32.43 +biganswer.example8. 3600 IN A 10.10.32.44 +biganswer.example8. 3600 IN A 10.10.32.45 +biganswer.example8. 3600 IN A 10.10.32.46 +biganswer.example8. 3600 IN A 10.10.32.47 +biganswer.example8. 3600 IN A 10.10.32.48 +biganswer.example8. 3600 IN A 10.10.32.49 +biganswer.example8. 3600 IN A 10.10.32.50 +biganswer.example8. 3600 IN A 10.10.33.1 +biganswer.example8. 3600 IN A 10.10.33.2 +biganswer.example8. 3600 IN A 10.10.33.3 +biganswer.example8. 3600 IN A 10.10.33.4 +biganswer.example8. 3600 IN A 10.10.33.5 +biganswer.example8. 3600 IN A 10.10.33.6 +biganswer.example8. 3600 IN A 10.10.33.7 +biganswer.example8. 3600 IN A 10.10.33.8 +biganswer.example8. 3600 IN A 10.10.33.9 +biganswer.example8. 3600 IN A 10.10.33.10 +biganswer.example8. 3600 IN A 10.10.33.11 +biganswer.example8. 3600 IN A 10.10.33.12 +biganswer.example8. 3600 IN A 10.10.33.13 +biganswer.example8. 3600 IN A 10.10.33.14 +biganswer.example8. 3600 IN A 10.10.33.15 +biganswer.example8. 3600 IN A 10.10.33.16 +biganswer.example8. 3600 IN A 10.10.33.17 +biganswer.example8. 3600 IN A 10.10.33.18 +biganswer.example8. 3600 IN A 10.10.33.19 +biganswer.example8. 3600 IN A 10.10.33.20 +biganswer.example8. 3600 IN A 10.10.33.21 +biganswer.example8. 3600 IN A 10.10.33.22 +biganswer.example8. 3600 IN A 10.10.33.23 +biganswer.example8. 3600 IN A 10.10.33.24 +biganswer.example8. 3600 IN A 10.10.33.25 +biganswer.example8. 3600 IN A 10.10.33.26 +biganswer.example8. 3600 IN A 10.10.33.27 +biganswer.example8. 3600 IN A 10.10.33.28 +biganswer.example8. 3600 IN A 10.10.33.29 +biganswer.example8. 3600 IN A 10.10.33.30 +biganswer.example8. 3600 IN A 10.10.33.31 +biganswer.example8. 3600 IN A 10.10.33.32 +biganswer.example8. 3600 IN A 10.10.33.33 +biganswer.example8. 3600 IN A 10.10.33.34 +biganswer.example8. 3600 IN A 10.10.33.35 +biganswer.example8. 3600 IN A 10.10.33.36 +biganswer.example8. 3600 IN A 10.10.33.37 +biganswer.example8. 
3600 IN A 10.10.33.38 +biganswer.example8. 3600 IN A 10.10.33.39 +biganswer.example8. 3600 IN A 10.10.33.40 +biganswer.example8. 3600 IN A 10.10.33.41 +biganswer.example8. 3600 IN A 10.10.33.42 +biganswer.example8. 3600 IN A 10.10.33.43 +biganswer.example8. 3600 IN A 10.10.33.44 +biganswer.example8. 3600 IN A 10.10.33.45 +biganswer.example8. 3600 IN A 10.10.33.46 +biganswer.example8. 3600 IN A 10.10.33.47 +biganswer.example8. 3600 IN A 10.10.33.48 +biganswer.example8. 3600 IN A 10.10.33.49 +biganswer.example8. 3600 IN A 10.10.33.50 +biganswer.example8. 3600 IN A 10.10.34.1 +biganswer.example8. 3600 IN A 10.10.34.2 +biganswer.example8. 3600 IN A 10.10.34.3 +biganswer.example8. 3600 IN A 10.10.34.4 +biganswer.example8. 3600 IN A 10.10.34.5 +biganswer.example8. 3600 IN A 10.10.34.6 +biganswer.example8. 3600 IN A 10.10.34.7 +biganswer.example8. 3600 IN A 10.10.34.8 +biganswer.example8. 3600 IN A 10.10.34.9 +biganswer.example8. 3600 IN A 10.10.34.10 +biganswer.example8. 3600 IN A 10.10.34.11 +biganswer.example8. 3600 IN A 10.10.34.12 +biganswer.example8. 3600 IN A 10.10.34.13 +biganswer.example8. 3600 IN A 10.10.34.14 +biganswer.example8. 3600 IN A 10.10.34.15 +biganswer.example8. 3600 IN A 10.10.34.16 +biganswer.example8. 3600 IN A 10.10.34.17 +biganswer.example8. 3600 IN A 10.10.34.18 +biganswer.example8. 3600 IN A 10.10.34.19 +biganswer.example8. 3600 IN A 10.10.34.20 +biganswer.example8. 3600 IN A 10.10.34.21 +biganswer.example8. 3600 IN A 10.10.34.22 +biganswer.example8. 3600 IN A 10.10.34.23 +biganswer.example8. 3600 IN A 10.10.34.24 +biganswer.example8. 3600 IN A 10.10.34.25 +biganswer.example8. 3600 IN A 10.10.34.26 +biganswer.example8. 3600 IN A 10.10.34.27 +biganswer.example8. 3600 IN A 10.10.34.28 +biganswer.example8. 3600 IN A 10.10.34.29 +biganswer.example8. 3600 IN A 10.10.34.30 +biganswer.example8. 3600 IN A 10.10.34.31 +biganswer.example8. 3600 IN A 10.10.34.32 +biganswer.example8. 3600 IN A 10.10.34.33 +biganswer.example8. 
3600 IN A 10.10.34.34 +biganswer.example8. 3600 IN A 10.10.34.35 +biganswer.example8. 3600 IN A 10.10.34.36 +biganswer.example8. 3600 IN A 10.10.34.37 +biganswer.example8. 3600 IN A 10.10.34.38 +biganswer.example8. 3600 IN A 10.10.34.39 +biganswer.example8. 3600 IN A 10.10.34.40 +biganswer.example8. 3600 IN A 10.10.34.41 +biganswer.example8. 3600 IN A 10.10.34.42 +biganswer.example8. 3600 IN A 10.10.34.43 +biganswer.example8. 3600 IN A 10.10.34.44 +biganswer.example8. 3600 IN A 10.10.34.45 +biganswer.example8. 3600 IN A 10.10.34.46 +biganswer.example8. 3600 IN A 10.10.34.47 +biganswer.example8. 3600 IN A 10.10.34.48 +biganswer.example8. 3600 IN A 10.10.34.49 +biganswer.example8. 3600 IN A 10.10.34.50 +biganswer.example8. 3600 IN A 10.10.35.1 +biganswer.example8. 3600 IN A 10.10.35.2 +biganswer.example8. 3600 IN A 10.10.35.3 +biganswer.example8. 3600 IN A 10.10.35.4 +biganswer.example8. 3600 IN A 10.10.35.5 +biganswer.example8. 3600 IN A 10.10.35.6 +biganswer.example8. 3600 IN A 10.10.35.7 +biganswer.example8. 3600 IN A 10.10.35.8 +biganswer.example8. 3600 IN A 10.10.35.9 +biganswer.example8. 3600 IN A 10.10.35.10 +biganswer.example8. 3600 IN A 10.10.35.11 +biganswer.example8. 3600 IN A 10.10.35.12 +biganswer.example8. 3600 IN A 10.10.35.13 +biganswer.example8. 3600 IN A 10.10.35.14 +biganswer.example8. 3600 IN A 10.10.35.15 +biganswer.example8. 3600 IN A 10.10.35.16 +biganswer.example8. 3600 IN A 10.10.35.17 +biganswer.example8. 3600 IN A 10.10.35.18 +biganswer.example8. 3600 IN A 10.10.35.19 +biganswer.example8. 3600 IN A 10.10.35.20 +biganswer.example8. 3600 IN A 10.10.35.21 +biganswer.example8. 3600 IN A 10.10.35.22 +biganswer.example8. 3600 IN A 10.10.35.23 +biganswer.example8. 3600 IN A 10.10.35.24 +biganswer.example8. 3600 IN A 10.10.35.25 +biganswer.example8. 3600 IN A 10.10.35.26 +biganswer.example8. 3600 IN A 10.10.35.27 +biganswer.example8. 3600 IN A 10.10.35.28 +biganswer.example8. 3600 IN A 10.10.35.29 +biganswer.example8. 
3600 IN A 10.10.35.30 +biganswer.example8. 3600 IN A 10.10.35.31 +biganswer.example8. 3600 IN A 10.10.35.32 +biganswer.example8. 3600 IN A 10.10.35.33 +biganswer.example8. 3600 IN A 10.10.35.34 +biganswer.example8. 3600 IN A 10.10.35.35 +biganswer.example8. 3600 IN A 10.10.35.36 +biganswer.example8. 3600 IN A 10.10.35.37 +biganswer.example8. 3600 IN A 10.10.35.38 +biganswer.example8. 3600 IN A 10.10.35.39 +biganswer.example8. 3600 IN A 10.10.35.40 +biganswer.example8. 3600 IN A 10.10.35.41 +biganswer.example8. 3600 IN A 10.10.35.42 +biganswer.example8. 3600 IN A 10.10.35.43 +biganswer.example8. 3600 IN A 10.10.35.44 +biganswer.example8. 3600 IN A 10.10.35.45 +biganswer.example8. 3600 IN A 10.10.35.46 +biganswer.example8. 3600 IN A 10.10.35.47 +biganswer.example8. 3600 IN A 10.10.35.48 +biganswer.example8. 3600 IN A 10.10.35.49 +biganswer.example8. 3600 IN A 10.10.35.50 +biganswer.example8. 3600 IN A 10.10.36.1 +biganswer.example8. 3600 IN A 10.10.36.2 +biganswer.example8. 3600 IN A 10.10.36.3 +biganswer.example8. 3600 IN A 10.10.36.4 +biganswer.example8. 3600 IN A 10.10.36.5 +biganswer.example8. 3600 IN A 10.10.36.6 +biganswer.example8. 3600 IN A 10.10.36.7 +biganswer.example8. 3600 IN A 10.10.36.8 +biganswer.example8. 3600 IN A 10.10.36.9 +biganswer.example8. 3600 IN A 10.10.36.10 +biganswer.example8. 3600 IN A 10.10.36.11 +biganswer.example8. 3600 IN A 10.10.36.12 +biganswer.example8. 3600 IN A 10.10.36.13 +biganswer.example8. 3600 IN A 10.10.36.14 +biganswer.example8. 3600 IN A 10.10.36.15 +biganswer.example8. 3600 IN A 10.10.36.16 +biganswer.example8. 3600 IN A 10.10.36.17 +biganswer.example8. 3600 IN A 10.10.36.18 +biganswer.example8. 3600 IN A 10.10.36.19 +biganswer.example8. 3600 IN A 10.10.36.20 +biganswer.example8. 3600 IN A 10.10.36.21 +biganswer.example8. 3600 IN A 10.10.36.22 +biganswer.example8. 3600 IN A 10.10.36.23 +biganswer.example8. 3600 IN A 10.10.36.24 +biganswer.example8. 3600 IN A 10.10.36.25 +biganswer.example8. 
3600 IN A 10.10.36.26 +biganswer.example8. 3600 IN A 10.10.36.27 +biganswer.example8. 3600 IN A 10.10.36.28 +biganswer.example8. 3600 IN A 10.10.36.29 +biganswer.example8. 3600 IN A 10.10.36.30 +biganswer.example8. 3600 IN A 10.10.36.31 +biganswer.example8. 3600 IN A 10.10.36.32 +biganswer.example8. 3600 IN A 10.10.36.33 +biganswer.example8. 3600 IN A 10.10.36.34 +biganswer.example8. 3600 IN A 10.10.36.35 +biganswer.example8. 3600 IN A 10.10.36.36 +biganswer.example8. 3600 IN A 10.10.36.37 +biganswer.example8. 3600 IN A 10.10.36.38 +biganswer.example8. 3600 IN A 10.10.36.39 +biganswer.example8. 3600 IN A 10.10.36.40 +biganswer.example8. 3600 IN A 10.10.36.41 +biganswer.example8. 3600 IN A 10.10.36.42 +biganswer.example8. 3600 IN A 10.10.36.43 +biganswer.example8. 3600 IN A 10.10.36.44 +biganswer.example8. 3600 IN A 10.10.36.45 +biganswer.example8. 3600 IN A 10.10.36.46 +biganswer.example8. 3600 IN A 10.10.36.47 +biganswer.example8. 3600 IN A 10.10.36.48 +biganswer.example8. 3600 IN A 10.10.36.49 +biganswer.example8. 3600 IN A 10.10.36.50 +biganswer.example8. 3600 IN A 10.10.37.1 +biganswer.example8. 3600 IN A 10.10.37.2 +biganswer.example8. 3600 IN A 10.10.37.3 +biganswer.example8. 3600 IN A 10.10.37.4 +biganswer.example8. 3600 IN A 10.10.37.5 +biganswer.example8. 3600 IN A 10.10.37.6 +biganswer.example8. 3600 IN A 10.10.37.7 +biganswer.example8. 3600 IN A 10.10.37.8 +biganswer.example8. 3600 IN A 10.10.37.9 +biganswer.example8. 3600 IN A 10.10.37.10 +biganswer.example8. 3600 IN A 10.10.37.11 +biganswer.example8. 3600 IN A 10.10.37.12 +biganswer.example8. 3600 IN A 10.10.37.13 +biganswer.example8. 3600 IN A 10.10.37.14 +biganswer.example8. 3600 IN A 10.10.37.15 +biganswer.example8. 3600 IN A 10.10.37.16 +biganswer.example8. 3600 IN A 10.10.37.17 +biganswer.example8. 3600 IN A 10.10.37.18 +biganswer.example8. 3600 IN A 10.10.37.19 +biganswer.example8. 3600 IN A 10.10.37.20 +biganswer.example8. 3600 IN A 10.10.37.21 +biganswer.example8. 
3600 IN A 10.10.37.22 +biganswer.example8. 3600 IN A 10.10.37.23 +biganswer.example8. 3600 IN A 10.10.37.24 +biganswer.example8. 3600 IN A 10.10.37.25 +biganswer.example8. 3600 IN A 10.10.37.26 +biganswer.example8. 3600 IN A 10.10.37.27 +biganswer.example8. 3600 IN A 10.10.37.28 +biganswer.example8. 3600 IN A 10.10.37.29 +biganswer.example8. 3600 IN A 10.10.37.30 +biganswer.example8. 3600 IN A 10.10.37.31 +biganswer.example8. 3600 IN A 10.10.37.32 +biganswer.example8. 3600 IN A 10.10.37.33 +biganswer.example8. 3600 IN A 10.10.37.34 +biganswer.example8. 3600 IN A 10.10.37.35 +biganswer.example8. 3600 IN A 10.10.37.36 +biganswer.example8. 3600 IN A 10.10.37.37 +biganswer.example8. 3600 IN A 10.10.37.38 +biganswer.example8. 3600 IN A 10.10.37.39 +biganswer.example8. 3600 IN A 10.10.37.40 +biganswer.example8. 3600 IN A 10.10.37.41 +biganswer.example8. 3600 IN A 10.10.37.42 +biganswer.example8. 3600 IN A 10.10.37.43 +biganswer.example8. 3600 IN A 10.10.37.44 +biganswer.example8. 3600 IN A 10.10.37.45 +biganswer.example8. 3600 IN A 10.10.37.46 +biganswer.example8. 3600 IN A 10.10.37.47 +biganswer.example8. 3600 IN A 10.10.37.48 +biganswer.example8. 3600 IN A 10.10.37.49 +biganswer.example8. 3600 IN A 10.10.37.50 +biganswer.example8. 3600 IN A 10.10.38.1 +biganswer.example8. 3600 IN A 10.10.38.2 +biganswer.example8. 3600 IN A 10.10.38.3 +biganswer.example8. 3600 IN A 10.10.38.4 +biganswer.example8. 3600 IN A 10.10.38.5 +biganswer.example8. 3600 IN A 10.10.38.6 +biganswer.example8. 3600 IN A 10.10.38.7 +biganswer.example8. 3600 IN A 10.10.38.8 +biganswer.example8. 3600 IN A 10.10.38.9 +biganswer.example8. 3600 IN A 10.10.38.10 +biganswer.example8. 3600 IN A 10.10.38.11 +biganswer.example8. 3600 IN A 10.10.38.12 +biganswer.example8. 3600 IN A 10.10.38.13 +biganswer.example8. 3600 IN A 10.10.38.14 +biganswer.example8. 3600 IN A 10.10.38.15 +biganswer.example8. 3600 IN A 10.10.38.16 +biganswer.example8. 3600 IN A 10.10.38.17 +biganswer.example8. 
3600 IN A 10.10.38.18 +biganswer.example8. 3600 IN A 10.10.38.19 +biganswer.example8. 3600 IN A 10.10.38.20 +biganswer.example8. 3600 IN A 10.10.38.21 +biganswer.example8. 3600 IN A 10.10.38.22 +biganswer.example8. 3600 IN A 10.10.38.23 +biganswer.example8. 3600 IN A 10.10.38.24 +biganswer.example8. 3600 IN A 10.10.38.25 +biganswer.example8. 3600 IN A 10.10.38.26 +biganswer.example8. 3600 IN A 10.10.38.27 +biganswer.example8. 3600 IN A 10.10.38.28 +biganswer.example8. 3600 IN A 10.10.38.29 +biganswer.example8. 3600 IN A 10.10.38.30 +biganswer.example8. 3600 IN A 10.10.38.31 +biganswer.example8. 3600 IN A 10.10.38.32 +biganswer.example8. 3600 IN A 10.10.38.33 +biganswer.example8. 3600 IN A 10.10.38.34 +biganswer.example8. 3600 IN A 10.10.38.35 +biganswer.example8. 3600 IN A 10.10.38.36 +biganswer.example8. 3600 IN A 10.10.38.37 +biganswer.example8. 3600 IN A 10.10.38.38 +biganswer.example8. 3600 IN A 10.10.38.39 +biganswer.example8. 3600 IN A 10.10.38.40 +biganswer.example8. 3600 IN A 10.10.38.41 +biganswer.example8. 3600 IN A 10.10.38.42 +biganswer.example8. 3600 IN A 10.10.38.43 +biganswer.example8. 3600 IN A 10.10.38.44 +biganswer.example8. 3600 IN A 10.10.38.45 +biganswer.example8. 3600 IN A 10.10.38.46 +biganswer.example8. 3600 IN A 10.10.38.47 +biganswer.example8. 3600 IN A 10.10.38.48 +biganswer.example8. 3600 IN A 10.10.38.49 +biganswer.example8. 3600 IN A 10.10.38.50 +biganswer.example8. 3600 IN A 10.10.39.1 +biganswer.example8. 3600 IN A 10.10.39.2 +biganswer.example8. 3600 IN A 10.10.39.3 +biganswer.example8. 3600 IN A 10.10.39.4 +biganswer.example8. 3600 IN A 10.10.39.5 +biganswer.example8. 3600 IN A 10.10.39.6 +biganswer.example8. 3600 IN A 10.10.39.7 +biganswer.example8. 3600 IN A 10.10.39.8 +biganswer.example8. 3600 IN A 10.10.39.9 +biganswer.example8. 3600 IN A 10.10.39.10 +biganswer.example8. 3600 IN A 10.10.39.11 +biganswer.example8. 3600 IN A 10.10.39.12 +biganswer.example8. 3600 IN A 10.10.39.13 +biganswer.example8. 
3600 IN A 10.10.39.14 +biganswer.example8. 3600 IN A 10.10.39.15 +biganswer.example8. 3600 IN A 10.10.39.16 +biganswer.example8. 3600 IN A 10.10.39.17 +biganswer.example8. 3600 IN A 10.10.39.18 +biganswer.example8. 3600 IN A 10.10.39.19 +biganswer.example8. 3600 IN A 10.10.39.20 +biganswer.example8. 3600 IN A 10.10.39.21 +biganswer.example8. 3600 IN A 10.10.39.22 +biganswer.example8. 3600 IN A 10.10.39.23 +biganswer.example8. 3600 IN A 10.10.39.24 +biganswer.example8. 3600 IN A 10.10.39.25 +biganswer.example8. 3600 IN A 10.10.39.26 +biganswer.example8. 3600 IN A 10.10.39.27 +biganswer.example8. 3600 IN A 10.10.39.28 +biganswer.example8. 3600 IN A 10.10.39.29 +biganswer.example8. 3600 IN A 10.10.39.30 +biganswer.example8. 3600 IN A 10.10.39.31 +biganswer.example8. 3600 IN A 10.10.39.32 +biganswer.example8. 3600 IN A 10.10.39.33 +biganswer.example8. 3600 IN A 10.10.39.34 +biganswer.example8. 3600 IN A 10.10.39.35 +biganswer.example8. 3600 IN A 10.10.39.36 +biganswer.example8. 3600 IN A 10.10.39.37 +biganswer.example8. 3600 IN A 10.10.39.38 +biganswer.example8. 3600 IN A 10.10.39.39 +biganswer.example8. 3600 IN A 10.10.39.40 +biganswer.example8. 3600 IN A 10.10.39.41 +biganswer.example8. 3600 IN A 10.10.39.42 +biganswer.example8. 3600 IN A 10.10.39.43 +biganswer.example8. 3600 IN A 10.10.39.44 +biganswer.example8. 3600 IN A 10.10.39.45 +biganswer.example8. 3600 IN A 10.10.39.46 +biganswer.example8. 3600 IN A 10.10.39.47 +biganswer.example8. 3600 IN A 10.10.39.48 +biganswer.example8. 3600 IN A 10.10.39.49 +biganswer.example8. 3600 IN A 10.10.39.50 +biganswer.example8. 3600 IN A 10.10.40.1 +biganswer.example8. 3600 IN A 10.10.40.2 +biganswer.example8. 3600 IN A 10.10.40.3 +biganswer.example8. 3600 IN A 10.10.40.4 +biganswer.example8. 3600 IN A 10.10.40.5 +biganswer.example8. 3600 IN A 10.10.40.6 +biganswer.example8. 3600 IN A 10.10.40.7 +biganswer.example8. 3600 IN A 10.10.40.8 +biganswer.example8. 3600 IN A 10.10.40.9 +biganswer.example8. 
3600 IN A 10.10.40.10 +biganswer.example8. 3600 IN A 10.10.40.11 +biganswer.example8. 3600 IN A 10.10.40.12 +biganswer.example8. 3600 IN A 10.10.40.13 +biganswer.example8. 3600 IN A 10.10.40.14 +biganswer.example8. 3600 IN A 10.10.40.15 +biganswer.example8. 3600 IN A 10.10.40.16 +biganswer.example8. 3600 IN A 10.10.40.17 +biganswer.example8. 3600 IN A 10.10.40.18 +biganswer.example8. 3600 IN A 10.10.40.19 +biganswer.example8. 3600 IN A 10.10.40.20 +biganswer.example8. 3600 IN A 10.10.40.21 +biganswer.example8. 3600 IN A 10.10.40.22 +biganswer.example8. 3600 IN A 10.10.40.23 +biganswer.example8. 3600 IN A 10.10.40.24 +biganswer.example8. 3600 IN A 10.10.40.25 +biganswer.example8. 3600 IN A 10.10.40.26 +biganswer.example8. 3600 IN A 10.10.40.27 +biganswer.example8. 3600 IN A 10.10.40.28 +biganswer.example8. 3600 IN A 10.10.40.29 +biganswer.example8. 3600 IN A 10.10.40.30 +biganswer.example8. 3600 IN A 10.10.40.31 +biganswer.example8. 3600 IN A 10.10.40.32 +biganswer.example8. 3600 IN A 10.10.40.33 +biganswer.example8. 3600 IN A 10.10.40.34 +biganswer.example8. 3600 IN A 10.10.40.35 +biganswer.example8. 3600 IN A 10.10.40.36 +biganswer.example8. 3600 IN A 10.10.40.37 +biganswer.example8. 3600 IN A 10.10.40.38 +biganswer.example8. 3600 IN A 10.10.40.39 +biganswer.example8. 3600 IN A 10.10.40.40 +biganswer.example8. 3600 IN A 10.10.40.41 +biganswer.example8. 3600 IN A 10.10.40.42 +biganswer.example8. 3600 IN A 10.10.40.43 +biganswer.example8. 3600 IN A 10.10.40.44 +biganswer.example8. 3600 IN A 10.10.40.45 +biganswer.example8. 3600 IN A 10.10.40.46 +biganswer.example8. 3600 IN A 10.10.40.47 +biganswer.example8. 3600 IN A 10.10.40.48 +biganswer.example8. 3600 IN A 10.10.40.49 +biganswer.example8. 3600 IN A 10.10.40.50 +biganswer.example8. 3600 IN A 10.10.41.1 +biganswer.example8. 3600 IN A 10.10.41.2 +biganswer.example8. 3600 IN A 10.10.41.3 +biganswer.example8. 3600 IN A 10.10.41.4 +biganswer.example8. 3600 IN A 10.10.41.5 +biganswer.example8. 
3600 IN A 10.10.41.6 +biganswer.example8. 3600 IN A 10.10.41.7 +biganswer.example8. 3600 IN A 10.10.41.8 +biganswer.example8. 3600 IN A 10.10.41.9 +biganswer.example8. 3600 IN A 10.10.41.10 +biganswer.example8. 3600 IN A 10.10.41.11 +biganswer.example8. 3600 IN A 10.10.41.12 +biganswer.example8. 3600 IN A 10.10.41.13 +biganswer.example8. 3600 IN A 10.10.41.14 +biganswer.example8. 3600 IN A 10.10.41.15 +biganswer.example8. 3600 IN A 10.10.41.16 +biganswer.example8. 3600 IN A 10.10.41.17 +biganswer.example8. 3600 IN A 10.10.41.18 +biganswer.example8. 3600 IN A 10.10.41.19 +biganswer.example8. 3600 IN A 10.10.41.20 +biganswer.example8. 3600 IN A 10.10.41.21 +biganswer.example8. 3600 IN A 10.10.41.22 +biganswer.example8. 3600 IN A 10.10.41.23 +biganswer.example8. 3600 IN A 10.10.41.24 +biganswer.example8. 3600 IN A 10.10.41.25 +biganswer.example8. 3600 IN A 10.10.41.26 +biganswer.example8. 3600 IN A 10.10.41.27 +biganswer.example8. 3600 IN A 10.10.41.28 +biganswer.example8. 3600 IN A 10.10.41.29 +biganswer.example8. 3600 IN A 10.10.41.30 +biganswer.example8. 3600 IN A 10.10.41.31 +biganswer.example8. 3600 IN A 10.10.41.32 +biganswer.example8. 3600 IN A 10.10.41.33 +biganswer.example8. 3600 IN A 10.10.41.34 +biganswer.example8. 3600 IN A 10.10.41.35 +biganswer.example8. 3600 IN A 10.10.41.36 +biganswer.example8. 3600 IN A 10.10.41.37 +biganswer.example8. 3600 IN A 10.10.41.38 +biganswer.example8. 3600 IN A 10.10.41.39 +biganswer.example8. 3600 IN A 10.10.41.40 +biganswer.example8. 3600 IN A 10.10.41.41 +biganswer.example8. 3600 IN A 10.10.41.42 +biganswer.example8. 3600 IN A 10.10.41.43 +biganswer.example8. 3600 IN A 10.10.41.44 +biganswer.example8. 3600 IN A 10.10.41.45 +biganswer.example8. 3600 IN A 10.10.41.46 +biganswer.example8. 3600 IN A 10.10.41.47 +biganswer.example8. 3600 IN A 10.10.41.48 +biganswer.example8. 3600 IN A 10.10.41.49 +biganswer.example8. 3600 IN A 10.10.41.50 +biganswer.example8. 3600 IN A 10.10.42.1 +biganswer.example8. 
3600 IN A 10.10.42.2 +biganswer.example8. 3600 IN A 10.10.42.3 +biganswer.example8. 3600 IN A 10.10.42.4 +biganswer.example8. 3600 IN A 10.10.42.5 +biganswer.example8. 3600 IN A 10.10.42.6 +biganswer.example8. 3600 IN A 10.10.42.7 +biganswer.example8. 3600 IN A 10.10.42.8 +biganswer.example8. 3600 IN A 10.10.42.9 +biganswer.example8. 3600 IN A 10.10.42.10 +biganswer.example8. 3600 IN A 10.10.42.11 +biganswer.example8. 3600 IN A 10.10.42.12 +biganswer.example8. 3600 IN A 10.10.42.13 +biganswer.example8. 3600 IN A 10.10.42.14 +biganswer.example8. 3600 IN A 10.10.42.15 +biganswer.example8. 3600 IN A 10.10.42.16 +biganswer.example8. 3600 IN A 10.10.42.17 +biganswer.example8. 3600 IN A 10.10.42.18 +biganswer.example8. 3600 IN A 10.10.42.19 +biganswer.example8. 3600 IN A 10.10.42.20 +biganswer.example8. 3600 IN A 10.10.42.21 +biganswer.example8. 3600 IN A 10.10.42.22 +biganswer.example8. 3600 IN A 10.10.42.23 +biganswer.example8. 3600 IN A 10.10.42.24 +biganswer.example8. 3600 IN A 10.10.42.25 +biganswer.example8. 3600 IN A 10.10.42.26 +biganswer.example8. 3600 IN A 10.10.42.27 +biganswer.example8. 3600 IN A 10.10.42.28 +biganswer.example8. 3600 IN A 10.10.42.29 +biganswer.example8. 3600 IN A 10.10.42.30 +biganswer.example8. 3600 IN A 10.10.42.31 +biganswer.example8. 3600 IN A 10.10.42.32 +biganswer.example8. 3600 IN A 10.10.42.33 +biganswer.example8. 3600 IN A 10.10.42.34 +biganswer.example8. 3600 IN A 10.10.42.35 +biganswer.example8. 3600 IN A 10.10.42.36 +biganswer.example8. 3600 IN A 10.10.42.37 +biganswer.example8. 3600 IN A 10.10.42.38 +biganswer.example8. 3600 IN A 10.10.42.39 +biganswer.example8. 3600 IN A 10.10.42.40 +biganswer.example8. 3600 IN A 10.10.42.41 +biganswer.example8. 3600 IN A 10.10.42.42 +biganswer.example8. 3600 IN A 10.10.42.43 +biganswer.example8. 3600 IN A 10.10.42.44 +biganswer.example8. 3600 IN A 10.10.42.45 +biganswer.example8. 3600 IN A 10.10.42.46 +biganswer.example8. 3600 IN A 10.10.42.47 +biganswer.example8. 
3600 IN A 10.10.42.48 +biganswer.example8. 3600 IN A 10.10.42.49 +biganswer.example8. 3600 IN A 10.10.42.50 +biganswer.example8. 3600 IN A 10.10.43.1 +biganswer.example8. 3600 IN A 10.10.43.2 +biganswer.example8. 3600 IN A 10.10.43.3 +biganswer.example8. 3600 IN A 10.10.43.4 +biganswer.example8. 3600 IN A 10.10.43.5 +biganswer.example8. 3600 IN A 10.10.43.6 +biganswer.example8. 3600 IN A 10.10.43.7 +biganswer.example8. 3600 IN A 10.10.43.8 +biganswer.example8. 3600 IN A 10.10.43.9 +biganswer.example8. 3600 IN A 10.10.43.10 +biganswer.example8. 3600 IN A 10.10.43.11 +biganswer.example8. 3600 IN A 10.10.43.12 +biganswer.example8. 3600 IN A 10.10.43.13 +biganswer.example8. 3600 IN A 10.10.43.14 +biganswer.example8. 3600 IN A 10.10.43.15 +biganswer.example8. 3600 IN A 10.10.43.16 +biganswer.example8. 3600 IN A 10.10.43.17 +biganswer.example8. 3600 IN A 10.10.43.18 +biganswer.example8. 3600 IN A 10.10.43.19 +biganswer.example8. 3600 IN A 10.10.43.20 +biganswer.example8. 3600 IN A 10.10.43.21 +biganswer.example8. 3600 IN A 10.10.43.22 +biganswer.example8. 3600 IN A 10.10.43.23 +biganswer.example8. 3600 IN A 10.10.43.24 +biganswer.example8. 3600 IN A 10.10.43.25 +biganswer.example8. 3600 IN A 10.10.43.26 +biganswer.example8. 3600 IN A 10.10.43.27 +biganswer.example8. 3600 IN A 10.10.43.28 +biganswer.example8. 3600 IN A 10.10.43.29 +biganswer.example8. 3600 IN A 10.10.43.30 +biganswer.example8. 3600 IN A 10.10.43.31 +biganswer.example8. 3600 IN A 10.10.43.32 +biganswer.example8. 3600 IN A 10.10.43.33 +biganswer.example8. 3600 IN A 10.10.43.34 +biganswer.example8. 3600 IN A 10.10.43.35 +biganswer.example8. 3600 IN A 10.10.43.36 +biganswer.example8. 3600 IN A 10.10.43.37 +biganswer.example8. 3600 IN A 10.10.43.38 +biganswer.example8. 3600 IN A 10.10.43.39 +biganswer.example8. 3600 IN A 10.10.43.40 +biganswer.example8. 3600 IN A 10.10.43.41 +biganswer.example8. 3600 IN A 10.10.43.42 +biganswer.example8. 3600 IN A 10.10.43.43 +biganswer.example8. 
3600 IN A 10.10.43.44 +biganswer.example8. 3600 IN A 10.10.43.45 +biganswer.example8. 3600 IN A 10.10.43.46 +biganswer.example8. 3600 IN A 10.10.43.47 +biganswer.example8. 3600 IN A 10.10.43.48 +biganswer.example8. 3600 IN A 10.10.43.49 +biganswer.example8. 3600 IN A 10.10.43.50 +biganswer.example8. 3600 IN A 10.10.44.1 +biganswer.example8. 3600 IN A 10.10.44.2 +biganswer.example8. 3600 IN A 10.10.44.3 +biganswer.example8. 3600 IN A 10.10.44.4 +biganswer.example8. 3600 IN A 10.10.44.5 +biganswer.example8. 3600 IN A 10.10.44.6 +biganswer.example8. 3600 IN A 10.10.44.7 +biganswer.example8. 3600 IN A 10.10.44.8 +biganswer.example8. 3600 IN A 10.10.44.9 +biganswer.example8. 3600 IN A 10.10.44.10 +biganswer.example8. 3600 IN A 10.10.44.11 +biganswer.example8. 3600 IN A 10.10.44.12 +biganswer.example8. 3600 IN A 10.10.44.13 +biganswer.example8. 3600 IN A 10.10.44.14 +biganswer.example8. 3600 IN A 10.10.44.15 +biganswer.example8. 3600 IN A 10.10.44.16 +biganswer.example8. 3600 IN A 10.10.44.17 +biganswer.example8. 3600 IN A 10.10.44.18 +biganswer.example8. 3600 IN A 10.10.44.19 +biganswer.example8. 3600 IN A 10.10.44.20 +biganswer.example8. 3600 IN A 10.10.44.21 +biganswer.example8. 3600 IN A 10.10.44.22 +biganswer.example8. 3600 IN A 10.10.44.23 +biganswer.example8. 3600 IN A 10.10.44.24 +biganswer.example8. 3600 IN A 10.10.44.25 +biganswer.example8. 3600 IN A 10.10.44.26 +biganswer.example8. 3600 IN A 10.10.44.27 +biganswer.example8. 3600 IN A 10.10.44.28 +biganswer.example8. 3600 IN A 10.10.44.29 +biganswer.example8. 3600 IN A 10.10.44.30 +biganswer.example8. 3600 IN A 10.10.44.31 +biganswer.example8. 3600 IN A 10.10.44.32 +biganswer.example8. 3600 IN A 10.10.44.33 +biganswer.example8. 3600 IN A 10.10.44.34 +biganswer.example8. 3600 IN A 10.10.44.35 +biganswer.example8. 3600 IN A 10.10.44.36 +biganswer.example8. 3600 IN A 10.10.44.37 +biganswer.example8. 3600 IN A 10.10.44.38 +biganswer.example8. 3600 IN A 10.10.44.39 +biganswer.example8. 
3600 IN A 10.10.44.40 +biganswer.example8. 3600 IN A 10.10.44.41 +biganswer.example8. 3600 IN A 10.10.44.42 +biganswer.example8. 3600 IN A 10.10.44.43 +biganswer.example8. 3600 IN A 10.10.44.44 +biganswer.example8. 3600 IN A 10.10.44.45 +biganswer.example8. 3600 IN A 10.10.44.46 +biganswer.example8. 3600 IN A 10.10.44.47 +biganswer.example8. 3600 IN A 10.10.44.48 +biganswer.example8. 3600 IN A 10.10.44.49 +biganswer.example8. 3600 IN A 10.10.44.50 +biganswer.example8. 3600 IN A 10.10.45.1 +biganswer.example8. 3600 IN A 10.10.45.2 +biganswer.example8. 3600 IN A 10.10.45.3 +biganswer.example8. 3600 IN A 10.10.45.4 +biganswer.example8. 3600 IN A 10.10.45.5 +biganswer.example8. 3600 IN A 10.10.45.6 +biganswer.example8. 3600 IN A 10.10.45.7 +biganswer.example8. 3600 IN A 10.10.45.8 +biganswer.example8. 3600 IN A 10.10.45.9 +biganswer.example8. 3600 IN A 10.10.45.10 +biganswer.example8. 3600 IN A 10.10.45.11 +biganswer.example8. 3600 IN A 10.10.45.12 +biganswer.example8. 3600 IN A 10.10.45.13 +biganswer.example8. 3600 IN A 10.10.45.14 +biganswer.example8. 3600 IN A 10.10.45.15 +biganswer.example8. 3600 IN A 10.10.45.16 +biganswer.example8. 3600 IN A 10.10.45.17 +biganswer.example8. 3600 IN A 10.10.45.18 +biganswer.example8. 3600 IN A 10.10.45.19 +biganswer.example8. 3600 IN A 10.10.45.20 +biganswer.example8. 3600 IN A 10.10.45.21 +biganswer.example8. 3600 IN A 10.10.45.22 +biganswer.example8. 3600 IN A 10.10.45.23 +biganswer.example8. 3600 IN A 10.10.45.24 +biganswer.example8. 3600 IN A 10.10.45.25 +biganswer.example8. 3600 IN A 10.10.45.26 +biganswer.example8. 3600 IN A 10.10.45.27 +biganswer.example8. 3600 IN A 10.10.45.28 +biganswer.example8. 3600 IN A 10.10.45.29 +biganswer.example8. 3600 IN A 10.10.45.30 +biganswer.example8. 3600 IN A 10.10.45.31 +biganswer.example8. 3600 IN A 10.10.45.32 +biganswer.example8. 3600 IN A 10.10.45.33 +biganswer.example8. 3600 IN A 10.10.45.34 +biganswer.example8. 3600 IN A 10.10.45.35 +biganswer.example8. 
3600 IN A 10.10.45.36 +biganswer.example8. 3600 IN A 10.10.45.37 +biganswer.example8. 3600 IN A 10.10.45.38 +biganswer.example8. 3600 IN A 10.10.45.39 +biganswer.example8. 3600 IN A 10.10.45.40 +biganswer.example8. 3600 IN A 10.10.45.41 +biganswer.example8. 3600 IN A 10.10.45.42 +biganswer.example8. 3600 IN A 10.10.45.43 +biganswer.example8. 3600 IN A 10.10.45.44 +biganswer.example8. 3600 IN A 10.10.45.45 +biganswer.example8. 3600 IN A 10.10.45.46 +biganswer.example8. 3600 IN A 10.10.45.47 +biganswer.example8. 3600 IN A 10.10.45.48 +biganswer.example8. 3600 IN A 10.10.45.49 +biganswer.example8. 3600 IN A 10.10.45.50 +biganswer.example8. 3600 IN A 10.10.46.1 +biganswer.example8. 3600 IN A 10.10.46.2 +biganswer.example8. 3600 IN A 10.10.46.3 +biganswer.example8. 3600 IN A 10.10.46.4 +biganswer.example8. 3600 IN A 10.10.46.5 +biganswer.example8. 3600 IN A 10.10.46.6 +biganswer.example8. 3600 IN A 10.10.46.7 +biganswer.example8. 3600 IN A 10.10.46.8 +biganswer.example8. 3600 IN A 10.10.46.9 +biganswer.example8. 3600 IN A 10.10.46.10 +biganswer.example8. 3600 IN A 10.10.46.11 +biganswer.example8. 3600 IN A 10.10.46.12 +biganswer.example8. 3600 IN A 10.10.46.13 +biganswer.example8. 3600 IN A 10.10.46.14 +biganswer.example8. 3600 IN A 10.10.46.15 +biganswer.example8. 3600 IN A 10.10.46.16 +biganswer.example8. 3600 IN A 10.10.46.17 +biganswer.example8. 3600 IN A 10.10.46.18 +biganswer.example8. 3600 IN A 10.10.46.19 +biganswer.example8. 3600 IN A 10.10.46.20 +biganswer.example8. 3600 IN A 10.10.46.21 +biganswer.example8. 3600 IN A 10.10.46.22 +biganswer.example8. 3600 IN A 10.10.46.23 +biganswer.example8. 3600 IN A 10.10.46.24 +biganswer.example8. 3600 IN A 10.10.46.25 +biganswer.example8. 3600 IN A 10.10.46.26 +biganswer.example8. 3600 IN A 10.10.46.27 +biganswer.example8. 3600 IN A 10.10.46.28 +biganswer.example8. 3600 IN A 10.10.46.29 +biganswer.example8. 3600 IN A 10.10.46.30 +biganswer.example8. 3600 IN A 10.10.46.31 +biganswer.example8. 
3600 IN A 10.10.46.32 +biganswer.example8. 3600 IN A 10.10.46.33 +biganswer.example8. 3600 IN A 10.10.46.34 +biganswer.example8. 3600 IN A 10.10.46.35 +biganswer.example8. 3600 IN A 10.10.46.36 +biganswer.example8. 3600 IN A 10.10.46.37 +biganswer.example8. 3600 IN A 10.10.46.38 +biganswer.example8. 3600 IN A 10.10.46.39 +biganswer.example8. 3600 IN A 10.10.46.40 +biganswer.example8. 3600 IN A 10.10.46.41 +biganswer.example8. 3600 IN A 10.10.46.42 +biganswer.example8. 3600 IN A 10.10.46.43 +biganswer.example8. 3600 IN A 10.10.46.44 +biganswer.example8. 3600 IN A 10.10.46.45 +biganswer.example8. 3600 IN A 10.10.46.46 +biganswer.example8. 3600 IN A 10.10.46.47 +biganswer.example8. 3600 IN A 10.10.46.48 +biganswer.example8. 3600 IN A 10.10.46.49 +biganswer.example8. 3600 IN A 10.10.46.50 +biganswer.example8. 3600 IN A 10.10.47.1 +biganswer.example8. 3600 IN A 10.10.47.2 +biganswer.example8. 3600 IN A 10.10.47.3 +biganswer.example8. 3600 IN A 10.10.47.4 +biganswer.example8. 3600 IN A 10.10.47.5 +biganswer.example8. 3600 IN A 10.10.47.6 +biganswer.example8. 3600 IN A 10.10.47.7 +biganswer.example8. 3600 IN A 10.10.47.8 +biganswer.example8. 3600 IN A 10.10.47.9 +biganswer.example8. 3600 IN A 10.10.47.10 +biganswer.example8. 3600 IN A 10.10.47.11 +biganswer.example8. 3600 IN A 10.10.47.12 +biganswer.example8. 3600 IN A 10.10.47.13 +biganswer.example8. 3600 IN A 10.10.47.14 +biganswer.example8. 3600 IN A 10.10.47.15 +biganswer.example8. 3600 IN A 10.10.47.16 +biganswer.example8. 3600 IN A 10.10.47.17 +biganswer.example8. 3600 IN A 10.10.47.18 +biganswer.example8. 3600 IN A 10.10.47.19 +biganswer.example8. 3600 IN A 10.10.47.20 +biganswer.example8. 3600 IN A 10.10.47.21 +biganswer.example8. 3600 IN A 10.10.47.22 +biganswer.example8. 3600 IN A 10.10.47.23 +biganswer.example8. 3600 IN A 10.10.47.24 +biganswer.example8. 3600 IN A 10.10.47.25 +biganswer.example8. 3600 IN A 10.10.47.26 +biganswer.example8. 3600 IN A 10.10.47.27 +biganswer.example8. 
3600 IN A 10.10.47.28 +biganswer.example8. 3600 IN A 10.10.47.29 +biganswer.example8. 3600 IN A 10.10.47.30 +biganswer.example8. 3600 IN A 10.10.47.31 +biganswer.example8. 3600 IN A 10.10.47.32 +biganswer.example8. 3600 IN A 10.10.47.33 +biganswer.example8. 3600 IN A 10.10.47.34 +biganswer.example8. 3600 IN A 10.10.47.35 +biganswer.example8. 3600 IN A 10.10.47.36 +biganswer.example8. 3600 IN A 10.10.47.37 +biganswer.example8. 3600 IN A 10.10.47.38 +biganswer.example8. 3600 IN A 10.10.47.39 +biganswer.example8. 3600 IN A 10.10.47.40 +biganswer.example8. 3600 IN A 10.10.47.41 +biganswer.example8. 3600 IN A 10.10.47.42 +biganswer.example8. 3600 IN A 10.10.47.43 +biganswer.example8. 3600 IN A 10.10.47.44 +biganswer.example8. 3600 IN A 10.10.47.45 +biganswer.example8. 3600 IN A 10.10.47.46 +biganswer.example8. 3600 IN A 10.10.47.47 +biganswer.example8. 3600 IN A 10.10.47.48 +biganswer.example8. 3600 IN A 10.10.47.49 +biganswer.example8. 3600 IN A 10.10.47.50 +biganswer.example8. 3600 IN A 10.10.48.1 +biganswer.example8. 3600 IN A 10.10.48.2 +biganswer.example8. 3600 IN A 10.10.48.3 +biganswer.example8. 3600 IN A 10.10.48.4 +biganswer.example8. 3600 IN A 10.10.48.5 +biganswer.example8. 3600 IN A 10.10.48.6 +biganswer.example8. 3600 IN A 10.10.48.7 +biganswer.example8. 3600 IN A 10.10.48.8 +biganswer.example8. 3600 IN A 10.10.48.9 +biganswer.example8. 3600 IN A 10.10.48.10 +biganswer.example8. 3600 IN A 10.10.48.11 +biganswer.example8. 3600 IN A 10.10.48.12 +biganswer.example8. 3600 IN A 10.10.48.13 +biganswer.example8. 3600 IN A 10.10.48.14 +biganswer.example8. 3600 IN A 10.10.48.15 +biganswer.example8. 3600 IN A 10.10.48.16 +biganswer.example8. 3600 IN A 10.10.48.17 +biganswer.example8. 3600 IN A 10.10.48.18 +biganswer.example8. 3600 IN A 10.10.48.19 +biganswer.example8. 3600 IN A 10.10.48.20 +biganswer.example8. 3600 IN A 10.10.48.21 +biganswer.example8. 3600 IN A 10.10.48.22 +biganswer.example8. 3600 IN A 10.10.48.23 +biganswer.example8. 
3600 IN A 10.10.48.24 +biganswer.example8. 3600 IN A 10.10.48.25 +biganswer.example8. 3600 IN A 10.10.48.26 +biganswer.example8. 3600 IN A 10.10.48.27 +biganswer.example8. 3600 IN A 10.10.48.28 +biganswer.example8. 3600 IN A 10.10.48.29 +biganswer.example8. 3600 IN A 10.10.48.30 +biganswer.example8. 3600 IN A 10.10.48.31 +biganswer.example8. 3600 IN A 10.10.48.32 +biganswer.example8. 3600 IN A 10.10.48.33 +biganswer.example8. 3600 IN A 10.10.48.34 +biganswer.example8. 3600 IN A 10.10.48.35 +biganswer.example8. 3600 IN A 10.10.48.36 +biganswer.example8. 3600 IN A 10.10.48.37 +biganswer.example8. 3600 IN A 10.10.48.38 +biganswer.example8. 3600 IN A 10.10.48.39 +biganswer.example8. 3600 IN A 10.10.48.40 +biganswer.example8. 3600 IN A 10.10.48.41 +biganswer.example8. 3600 IN A 10.10.48.42 +biganswer.example8. 3600 IN A 10.10.48.43 +biganswer.example8. 3600 IN A 10.10.48.44 +biganswer.example8. 3600 IN A 10.10.48.45 +biganswer.example8. 3600 IN A 10.10.48.46 +biganswer.example8. 3600 IN A 10.10.48.47 +biganswer.example8. 3600 IN A 10.10.48.48 +biganswer.example8. 3600 IN A 10.10.48.49 +biganswer.example8. 3600 IN A 10.10.48.50 +biganswer.example8. 3600 IN A 10.10.49.1 +biganswer.example8. 3600 IN A 10.10.49.2 +biganswer.example8. 3600 IN A 10.10.49.3 +biganswer.example8. 3600 IN A 10.10.49.4 +biganswer.example8. 3600 IN A 10.10.49.5 +biganswer.example8. 3600 IN A 10.10.49.6 +biganswer.example8. 3600 IN A 10.10.49.7 +biganswer.example8. 3600 IN A 10.10.49.8 +biganswer.example8. 3600 IN A 10.10.49.9 +biganswer.example8. 3600 IN A 10.10.49.10 +biganswer.example8. 3600 IN A 10.10.49.11 +biganswer.example8. 3600 IN A 10.10.49.12 +biganswer.example8. 3600 IN A 10.10.49.13 +biganswer.example8. 3600 IN A 10.10.49.14 +biganswer.example8. 3600 IN A 10.10.49.15 +biganswer.example8. 3600 IN A 10.10.49.16 +biganswer.example8. 3600 IN A 10.10.49.17 +biganswer.example8. 3600 IN A 10.10.49.18 +biganswer.example8. 3600 IN A 10.10.49.19 +biganswer.example8. 
3600 IN A 10.10.49.20 +biganswer.example8. 3600 IN A 10.10.49.21 +biganswer.example8. 3600 IN A 10.10.49.22 +biganswer.example8. 3600 IN A 10.10.49.23 +biganswer.example8. 3600 IN A 10.10.49.24 +biganswer.example8. 3600 IN A 10.10.49.25 +biganswer.example8. 3600 IN A 10.10.49.26 +biganswer.example8. 3600 IN A 10.10.49.27 +biganswer.example8. 3600 IN A 10.10.49.28 +biganswer.example8. 3600 IN A 10.10.49.29 +biganswer.example8. 3600 IN A 10.10.49.30 +biganswer.example8. 3600 IN A 10.10.49.31 +biganswer.example8. 3600 IN A 10.10.49.32 +biganswer.example8. 3600 IN A 10.10.49.33 +biganswer.example8. 3600 IN A 10.10.49.34 +biganswer.example8. 3600 IN A 10.10.49.35 +biganswer.example8. 3600 IN A 10.10.49.36 +biganswer.example8. 3600 IN A 10.10.49.37 +biganswer.example8. 3600 IN A 10.10.49.38 +biganswer.example8. 3600 IN A 10.10.49.39 +biganswer.example8. 3600 IN A 10.10.49.40 +biganswer.example8. 3600 IN A 10.10.49.41 +biganswer.example8. 3600 IN A 10.10.49.42 +biganswer.example8. 3600 IN A 10.10.49.43 +biganswer.example8. 3600 IN A 10.10.49.44 +biganswer.example8. 3600 IN A 10.10.49.45 +biganswer.example8. 3600 IN A 10.10.49.46 +biganswer.example8. 3600 IN A 10.10.49.47 +biganswer.example8. 3600 IN A 10.10.49.48 +biganswer.example8. 3600 IN A 10.10.49.49 +biganswer.example8. 3600 IN A 10.10.49.50 +biganswer.example8. 3600 IN A 10.10.50.1 +biganswer.example8. 3600 IN A 10.10.50.2 +biganswer.example8. 3600 IN A 10.10.50.3 +biganswer.example8. 3600 IN A 10.10.50.4 +biganswer.example8. 3600 IN A 10.10.50.5 +biganswer.example8. 3600 IN A 10.10.50.6 +biganswer.example8. 3600 IN A 10.10.50.7 +biganswer.example8. 3600 IN A 10.10.50.8 +biganswer.example8. 3600 IN A 10.10.50.9 +biganswer.example8. 3600 IN A 10.10.50.10 +biganswer.example8. 3600 IN A 10.10.50.11 +biganswer.example8. 3600 IN A 10.10.50.12 +biganswer.example8. 3600 IN A 10.10.50.13 +biganswer.example8. 3600 IN A 10.10.50.14 +biganswer.example8. 3600 IN A 10.10.50.15 +biganswer.example8. 
3600 IN A 10.10.50.16 +biganswer.example8. 3600 IN A 10.10.50.17 +biganswer.example8. 3600 IN A 10.10.50.18 +biganswer.example8. 3600 IN A 10.10.50.19 +biganswer.example8. 3600 IN A 10.10.50.20 +biganswer.example8. 3600 IN A 10.10.50.21 +biganswer.example8. 3600 IN A 10.10.50.22 +biganswer.example8. 3600 IN A 10.10.50.23 +biganswer.example8. 3600 IN A 10.10.50.24 +biganswer.example8. 3600 IN A 10.10.50.25 +biganswer.example8. 3600 IN A 10.10.50.26 +biganswer.example8. 3600 IN A 10.10.50.27 +biganswer.example8. 3600 IN A 10.10.50.28 +biganswer.example8. 3600 IN A 10.10.50.29 +biganswer.example8. 3600 IN A 10.10.50.30 +biganswer.example8. 3600 IN A 10.10.50.31 +biganswer.example8. 3600 IN A 10.10.50.32 +biganswer.example8. 3600 IN A 10.10.50.33 +biganswer.example8. 3600 IN A 10.10.50.34 +biganswer.example8. 3600 IN A 10.10.50.35 +biganswer.example8. 3600 IN A 10.10.50.36 +biganswer.example8. 3600 IN A 10.10.50.37 +biganswer.example8. 3600 IN A 10.10.50.38 +biganswer.example8. 3600 IN A 10.10.50.39 +biganswer.example8. 3600 IN A 10.10.50.40 +biganswer.example8. 3600 IN A 10.10.50.41 +biganswer.example8. 3600 IN A 10.10.50.42 +biganswer.example8. 3600 IN A 10.10.50.43 +biganswer.example8. 3600 IN A 10.10.50.44 +biganswer.example8. 3600 IN A 10.10.50.45 +biganswer.example8. 3600 IN A 10.10.50.46 +biganswer.example8. 3600 IN A 10.10.50.47 +biganswer.example8. 3600 IN A 10.10.50.48 +biganswer.example8. 3600 IN A 10.10.50.49 +biganswer.example8. 3600 IN A 10.10.50.50 +caa01.example8. 3600 IN CAA 0 issue "ca.example.net; policy=ev" +caa02.example8. 3600 IN CAA 128 tbs "Unknown" +caa03.example8. 3600 IN CAA 128 tbs "" +cdnskey01.example8. 3600 IN CDNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +cds01.example8. 3600 IN CDS 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +cert01.example8. 
3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +cname01.example8. 3600 IN CNAME cname-target. +cname02.example8. 3600 IN CNAME cname-target.example8. +cname03.example8. 3600 IN CNAME . +csync01.example8. 3600 IN CSYNC 0 0 A NS AAAA +csync02.example8. 3600 IN CSYNC 0 0 +dhcid01.example8. 3600 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA= +dhcid02.example8. 3600 IN DHCID AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No= +dhcid03.example8. 3600 IN DHCID AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY= +dlv.example8. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +dname01.example8. 3600 IN DNAME dname-target. +dname02.example8. 3600 IN DNAME dname-target.example8. +dname03.example8. 3600 IN DNAME . +dnskey01.example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +doa01.example8. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 +doa02.example8. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= +ds01.example8. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 +ds01.example8. 3600 IN NS ns42.example8. +ds02.example8. 3600 IN DS 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 +ds02.example8. 3600 IN NS ns43.example8. +eid01.example8. 3600 IN EID 1289AB +eui48.example8. 3600 IN EUI48 01-23-45-67-89-ab +eui64.example8. 3600 IN EUI64 01-23-45-67-89-ab-cd-ef +gid01.example8. 3600 IN GID \# 1 03 +gpos01.example8. 
3600 IN GPOS "-22.6882" "116.8652" "250.0" +gpos02.example8. 3600 IN GPOS "" "" "" +hinfo01.example8. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02.example8. 3600 IN HINFO "PC" "NetBSD" +hip1.example8. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D +hip2.example8. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com. +https0.example8. 3600 IN HTTPS 0 example.net. +https1.example8. 3600 IN HTTPS 1 . port=60 +ipseckey01.example8. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey02.example8. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey03.example8. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey04.example8. 3600 IN IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey05.example8. 3600 IN IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +isdn01.example8. 3600 IN ISDN "isdn-address" +isdn02.example8. 3600 IN ISDN "isdn-address" "subaddress" +isdn03.example8. 3600 IN ISDN "isdn-address" +isdn04.example8. 3600 IN ISDN "isdn-address" "subaddress" +keydata.example8. 3600 IN TYPE65533 \# 0 +keydata.example8. 3600 IN TYPE65533 \# 6 010203040506 +keydata.example8. 3600 IN TYPE65533 \# 18 010203040506010203040506010203040506 +kx01.example8. 3600 IN KX 10 kdc.example8. +kx02.example8. 3600 IN KX 10 . +l32.example8. 3600 IN L32 10 1.2.3.4 +l64.example8. 3600 IN L64 10 14:4fff:ff20:ee64 +loc01.example8. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02.example8. 
3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +lp.example8. 3600 IN LP 10 example.net. +mb01.example8. 3600 IN MG madname.example8. +mb02.example8. 3600 IN MG . +mg01.example8. 3600 IN MG mgmname.example8. +mg02.example8. 3600 IN MG . +minfo01.example8. 3600 IN MINFO rmailbx.example8. emailbx.example8. +minfo02.example8. 3600 IN MINFO . . +mr01.example8. 3600 IN MR mrname.example8. +mr02.example8. 3600 IN MR . +mx01.example8. 3600 IN MX 10 mail.example8. +mx02.example8. 3600 IN MX 10 . +naptr01.example8. 3600 IN NAPTR 0 0 "" "" "" . +naptr02.example8. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nid.example8. 3600 IN NID 10 14:4fff:ff20:ee64 +nimloc01.example8. 3600 IN NIMLOC 1289AB +ninfo01.example8. 3600 IN NINFO "foo" +ninfo02.example8. 3600 IN NINFO "foo" "bar" +ninfo03.example8. 3600 IN NINFO "foo" +ninfo04.example8. 3600 IN NINFO "foo" "bar" +ninfo05.example8. 3600 IN NINFO "foo bar" +ninfo06.example8. 3600 IN NINFO "foo bar" +ninfo07.example8. 3600 IN NINFO "foo bar" +ninfo08.example8. 3600 IN NINFO "foo\010bar" +ninfo09.example8. 3600 IN NINFO "foo\010bar" +ninfo10.example8. 3600 IN NINFO "foo bar" +ninfo11.example8. 3600 IN NINFO "\"foo\"" +ninfo12.example8. 3600 IN NINFO "\"foo\"" +ninfo13.example8. 3600 IN NINFO "foo;" +ninfo14.example8. 3600 IN NINFO "foo;" +ninfo15.example8. 3600 IN NINFO "bar\\;" +ns2.example8. 3600 IN A 10.53.0.2 +nsap-ptr01.example8. 3600 IN NSAP-PTR foo. +nsap-ptr01.example8. 3600 IN NSAP-PTR . +nsap01.example8. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02.example8. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsec01.example8. 3600 IN NSEC a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY +nsec02.example8. 3600 IN NSEC . NSAP-PTR NSEC +nsec03.example8. 3600 IN NSEC . A +nsec04.example8. 3600 IN NSEC . TYPE127 +openpgpkey.example8. 
3600 IN OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +ptr01.example8. 3600 IN PTR example8. +px01.example8. 3600 IN PX 65535 foo. bar. +px02.example8. 3600 IN PX 65535 . . +rkey01.example8. 3600 IN RKEY 0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +rp01.example8. 3600 IN RP mbox-dname.example8. txt-dname.example8. +rp02.example8. 3600 IN RP . . +rrsig01.example8. 3600 IN RRSIG NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +rt01.example8. 3600 IN RT 0 intermediate-host.example8. +rt02.example8. 3600 IN RT 65535 . +sink01.example8. 3600 IN SINK 1 0 0 +sink02.example8. 3600 IN SINK 8 0 2 l4ik +smimea.example8. 3600 IN SMIMEA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +spf01.example8. 3600 IN SPF "v=spf1 -all" +spf02.example8. 3600 IN SPF "v=spf1" " -all" +srv01.example8. 3600 IN SRV 0 0 0 . +srv02.example8. 3600 IN SRV 65535 65535 65535 old-slow-box.example8. +sshfp01.example8. 3600 IN SSHFP 4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83 +sshfp02.example8. 3600 IN SSHFP 1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC +svcb0.example8. 3600 IN SVCB 0 example.net. +svcb1.example8. 3600 IN SVCB 1 . port=60 +ta.example8. 3600 IN TA 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +talink0.example8. 3600 IN TALINK . talink1.example8. +talink1.example8. 3600 IN TALINK talink0.example8. talink2.example8. +talink2.example8. 3600 IN TALINK talink2.example8. . +tlsa.example8. 
3600 IN TLSA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +txt01.example8. 3600 IN TXT "foo" +txt02.example8. 3600 IN TXT "foo" "bar" +txt03.example8. 3600 IN TXT "foo" +txt04.example8. 3600 IN TXT "foo" "bar" +txt05.example8. 3600 IN TXT "foo bar" +txt06.example8. 3600 IN TXT "foo bar" +txt07.example8. 3600 IN TXT "foo bar" +txt08.example8. 3600 IN TXT "foo\010bar" +txt09.example8. 3600 IN TXT "foo\010bar" +txt10.example8. 3600 IN TXT "foo bar" +txt11.example8. 3600 IN TXT "\"foo\"" +txt12.example8. 3600 IN TXT "\"foo\"" +txt13.example8. 3600 IN TXT "foo;" +txt14.example8. 3600 IN TXT "foo;" +txt15.example8. 3600 IN TXT "bar\\;" +uid01.example8. 3600 IN UID \# 1 02 +uinfo01.example8. 3600 IN UINFO \# 1 01 +unspec01.example8. 3600 IN UNSPEC \# 1 04 +uri01.example8. 3600 IN URI 10 20 "https://www.isc.org/" +uri02.example8. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" +uri03.example8. 3600 IN URI 30 40 "" +wks01.example8. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23 +wks02.example8. 3600 IN WKS 10.0.0.1 17 0 1 2 53 +wks03.example8. 3600 IN WKS 10.0.0.2 6 65535 +x2501.example8. 3600 IN X25 "123456789" +zonemd01.example8. 3600 IN ZONEMD 2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB +zonemd02.example8. 3600 IN ZONEMD 2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27 +8f1tmio9avcom2k0frp92lgcumak0cad.example8. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM +kcd3juae64f9c5csl1kif1htaui7un0g.example8. 
3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example8. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
+example8. 86400 IN SOA ns2.example8. hostmaster.example8. 1397051952 5 5 1814400 3600
diff --git a/bin/tests/system/doth/get_openssl_version.py b/bin/tests/system/doth/get_openssl_version.py
new file mode 100755
index 0000000000..f1d6f4bf00
--- /dev/null
+++ b/bin/tests/system/doth/get_openssl_version.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import ssl
+
+version = ssl.OPENSSL_VERSION_INFO
+print(version[0], version[1], version[2])
diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in
index 6438b7bbe0..500675f587 100644
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
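Review bot: `ssl.OPENSSL_VERSION_INFO` reports the OpenSSL the Python interpreter was linked against, which is not necessarily the library `named` was built with; tests.sh feeds this value into the `run_san_tests` gate, so on a host with two OpenSSL installs the SubjectAltName tests can be enabled or skipped for the wrong reason. A comment stating the assumption would make that visible: `# NOTE: this is the OpenSSL Python links against; assumed to match the one named uses`. Separately, the `#!/usr/bin/env python` shebang may resolve to Python 2 on older systems; `python3` is safer, though the script is invoked through `$PYTHON` in tests.sh so the shebang is not exercised there.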
@@ -17,6 +19,53 @@ controls {
 http local {
 endpoints { "/dns-query"; "/alter"; };
+ listener-clients 100;
+};
+
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt01.example.com.key";
+ cert-file "../CA/certs/srv01.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-pfs-aes256 {
+ protocols { TLSv1.2; };
+ ciphers "AES256:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt01.example.com.key";
+ cert-file "../CA/certs/srv01.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-no-subject-alt-name {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt02-no-san.example.com.key";
+ cert-file "../CA/certs/srv01.crt02-no-san.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-expired {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt03-expired.example.com.key";
+ cert-file "../CA/certs/srv01.crt03-expired.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt01.example.com.key";
+ cert-file "../CA/certs/srv01.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
 };
 options {
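Review bot: The same `ciphers` string and the same `key-file`/`cert-file`/`dhparam-file` lines are repeated verbatim across four of the five new `tls` blocks (`tls-forward-secrecy`, `tls-no-subject-alt-name`, `tls-expired`, `tls-forward-secrecy-mutual-tls`), so a future change to the cipher policy has to be made in several places and can drift. A short comment on the first block would help a reader understand the exclusion list, e.g. `// TLS 1.2 only; !SHA1/!SHA256/!SHA384 appear to leave only AEAD suites, rejecting CBC+HMAC`. The `ca-file` line is the only thing distinguishing `tls-forward-secrecy-mutual-tls` from `tls-forward-secrecy`, and it is presumably what makes that listener require and verify a client certificate; a comment `// ca-file on a listener: client certificate is requested and verified (mutual TLS)` would make that explicit.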
@@ -26,25 +75,98 @@ options {
 http-port @HTTPPORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
- listen-on tls ephemeral { 10.53.0.1; }; // DoT
+ listen-on tls tls-forward-secrecy { 10.53.0.1; }; // DoT
+ listen-on-v6 tls tls-forward-secrecy { fd92:7065:b8e:ffff::1;};
 listen-on tls ephemeral http local { 10.53.0.1; }; // DoH
+ listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
 listen-on tls none http local { 10.53.0.1; }; // unencrypted DoH
+ listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
 listen-on-v6 { none; };
+ listen-on port @EXTRAPORT1@ tls tls-pfs-aes256 { 10.53.0.1; }; // DoT
+ listen-on-v6 port @EXTRAPORT1@ tls tls-pfs-aes256 { fd92:7065:b8e:ffff::1;};
+ listen-on port @EXTRAPORT2@ tls tls-no-subject-alt-name { 10.53.0.1; }; // DoT
+ listen-on port @EXTRAPORT3@ tls tls-no-subject-alt-name http local { 10.53.0.1; }; // DoH
+ listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; }; // DoT
+ listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT
+ listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH
 recursion no;
 notify explicit;
 also-notify { 10.53.0.2 port @PORT@; };
 statistics-file "named.stats";
 dnssec-validation yes;
+ tcp-initial-timeout 1200;
+ transfers-in 100;
+ transfers-out 100;
 };
 zone "." {
 type primary;
 file "root.db";
- allow-transfer { any; };
+ allow-transfer port @TLSPORT@ transport tls { any; };
 };
 zone "example" {
 type primary;
 file "example.db";
- allow-transfer { any; };
+ allow-transfer port @TLSPORT@ transport tls { any; };
+};
+
+zone "example2" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT1@ transport tls { any; };
+};
+
+zone "example3" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT3@ transport tls { any; };
+};
+
+zone "example4" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example5" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example6" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example7" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example8" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example9" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT5@ transport tls { any; };
+};
+
+zone "example10" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT5@ transport tls { any; };
+};
+
+zone "example11" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT5@ transport tls { any; };
 };
diff --git a/bin/tests/system/doth/ns1/root.db b/bin/tests/system/doth/ns1/root.db
index 5ace5c3c6f..47a18a1e76 100644
--- a/bin/tests/system/doth/ns1/root.db
+++ b/bin/tests/system/doth/ns1/root.db
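Review bot: Two of the new IPv6 listeners, `listen-on-v6 tls tls-forward-secrecy { fd92:7065:b8e:ffff::1;};` and `listen-on-v6 port @EXTRAPORT1@ tls tls-pfs-aes256 { fd92:7065:b8e:ffff::1;};`, drop the space before the closing brace that every other listen line in the block has, and none of the IPv6 lines carry the `// DoT`/`// DoH` trailing comment their IPv4 counterparts do. Zones example4 through example8 use `allow-transfer transport tls { any; };` with no `port`, while every other zone pins one; if relying on the default tls-port is intended, a one-line comment on example4 saying so would stop a reader from taking it for an omission. With `{ any; }` now gated only by transport, the effective access restriction for example9–11 presumably comes from the client-certificate check in `tls-forward-secrecy-mutual-tls`; a comment next to those zones would make that part of the fixture's security model explicit.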
@@ -1,8 +1,10 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
+; SPDX-License-Identifier: MPL-2.0
+;
 ; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in
index 3cdc952270..3cb20425c7 100644
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,8 +18,9 @@ controls {
 };
 tls local {
- key-file "key.pem";
- cert-file "cert.pem";
+ key-file "../CA/certs/srv02.crt01.example.com.key";
+ cert-file "../CA/certs/srv02.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
 };
 http local {
@@ -35,14 +38,19 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.2; };
 listen-on tls local { 10.53.0.2; }; // DoT
+ listen-on-v6 tls local { fd92:7065:b8e:ffff::2; };
 listen-on tls local http local { 10.53.0.2; }; // DoH
+ listen-on-v6 tls local http local { fd92:7065:b8e:ffff::2; };
 listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
+ listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
 listen-on-v6 { none; };
 recursion no;
 notify no;
 ixfr-from-differences yes;
 check-integrity no;
 dnssec-validation yes;
+ transfers-in 100;
+ transfers-out 100;
 };
 zone "." {
@@ -50,9 +58,126 @@ zone "." {
 file "../../common/root.hint";
 };
+tls tls-example-primary {
+ remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
+ ca-file "../CA/CA.pem";
+};
+
 zone "example" {
 type secondary;
- primaries { 10.53.0.1 tls ephemeral; };
+ primaries { 10.53.0.1 tls tls-example-primary; };
 file "example.db";
 allow-transfer { any; };
 };
+
+# the server's certificate does not contain SubjectAltName, which is required for DoT
+tls tls-example-primary-no-san {
+ remote-hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
+ ca-file "../CA/CA.pem";
+};
+
+zone "example3" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT2@ tls tls-example-primary-no-san; };
+ file "example3.db";
+ allow-transfer { any; };
+};
+
+# As you can see, the "remote-hostname" is missing, but "ca-file" is
+# specified. As the result, the primaries server certificate will be
+# verified using the IP address instead of hostname. That is fine,
+# because the server certificate is issued with IP address in the
+# SubjectAltName section.
+tls tls-example-primary-strict-tls-no-hostname {
+ ca-file "../CA/CA.pem"; // enable Strict TLS
+};
+
+zone "example4" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-example-primary-strict-tls-no-hostname; };
+ file "example4.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-strict-tls-ipv4 {
+ remote-hostname "10.53.0.1"; # the IP is in the server's cert SAN
+ ca-file "../CA/CA.pem"; # enable Strict TLS
+};
+
+zone "example5" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-example-primary-strict-tls-ipv4; };
+ file "example5.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-strict-tls-ipv6 {
+ remote-hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
+ ca-file "../CA/CA.pem"; # enable Strict TLS
+};
+
+zone "example6" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-example-primary-strict-tls-ipv6; };
+ file "example6.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-strict-tls-wrong-host {
+ remote-hostname "not-present.example.com"; # this is not present in the server's cert SAN
+ ca-file "../CA/CA.pem"; # enable Strict TLS
+};
+
+zone "example7" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-example-primary-strict-tls-wrong-host; };
+ file "example7.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-strict-tls-expired {
+ remote-hostname "srv01.crt03-expired.example.com";
+ ca-file "../CA/CA.pem";
+};
+
+zone "example8" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT4@ tls tls-example-primary-strict-tls-expired; };
+ file "example8.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-mutual-tls {
+ remote-hostname "srv01.crt01.example.com";
+ ca-file "../CA/CA.pem";
+ cert-file "../CA/certs/srv01.client02-ns2.example.com.pem";
+ key-file "../CA/certs/srv01.client02-ns2.example.com.key";
+};
+
+zone "example9" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary-mutual-tls; };
+ file "example9.db";
+ allow-transfer { any; };
+};
+
+zone "example10" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary; };
+ file "example10.db";
+ allow-transfer { any; };
+};
+
+tls tls-example-primary-mutual-tls-expired {
+ remote-hostname "srv01.crt01.example.com";
+ ca-file "../CA/CA.pem";
+ cert-file "../CA/certs/srv01.client03-ns2-expired.example.com.pem";
+ key-file "../CA/certs/srv01.client03-ns2-expired.example.com.key";
+};
+
+zone "example11" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary-mutual-tls-expired; };
+ file "example11.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in
new file mode 100644
index 0000000000..74d3957e2d
--- /dev/null
+++ b/bin/tests/system/doth/ns3/named.conf.in
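Review bot: The new blocks mix `#` comments (`# the server's certificate does not contain SubjectAltName...`, `# the IP is in the server's cert SAN`) with the `//` style used by `// enable Strict TLS` and by the rest of this file; both are valid named.conf syntax, but one style per file reads better, and the same `#` style appears in the header comment of the new ns4/named.conf.in. The multi-line comment above `tls-example-primary-strict-tls-no-hostname` is conversational ("As you can see", "As the result"); a tighter version is `// No remote-hostname: with ca-file set, the primary's certificate is verified against the connection's IP address, which the server certificate carries in its SubjectAltName.` The `tls-example-primary-strict-tls-expired` and `tls-example-primary-mutual-tls*` blocks set `ca-file` but lack the `// enable Strict TLS` marker the earlier blocks use; adding it keeps the convention consistent for the reader.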
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../CA/certs/srv03.crt01.example.com.key";
+ cert-file "../CA/certs/srv03.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+http local {
+ endpoints { "/dns-query"; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on tls local { 10.53.0.3; }; // DoT
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+tls tls-v1.2-pfs {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.2-pfs; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+tls tls-pfs-aes-128 {
+ protocols { TLSv1.2; };
+ // AES128 does not match the setting on the server: AES256
+ ciphers "AES128:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example2" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-pfs-aes-128; };
+ file "example2.db";
+ allow-transfer { any; };
+};
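Review bot: `tls tls-v1.2-pfs` and `tls tls-pfs-aes-128` set neither `ca-file` nor `remote-hostname`, so by the convention the other configs in this commit document with `// enable Strict TLS`, transfers from 10.53.0.1 are made without verifying the primary's certificate. That is presumably deliberate, since these blocks exercise cipher negotiation rather than authentication, but a comment such as `// no ca-file: opportunistic TLS, the primary's certificate is not verified` would keep the block from being copied as-is into a non-test configuration; the same applies to `tls tls-v1.2-pfs` in the new ns4/named.conf.in. The cipher string is also repeated verbatim from ns1/named.conf.in, so a cross-reference comment naming the server-side block it is meant to match (`tls-forward-secrecy` for the first, `tls-pfs-aes256` for the deliberately mismatching second) would help when either side is changed.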
diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in
new file mode 100644
index 0000000000..077226a488
--- /dev/null
+++ b/bin/tests/system/doth/ns4/named.conf.in
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# We need a separate instance for the "rndc reconfig" test in order to
+# ensure that it does not use ephemeral keys (these are costly to
+# generate) and creates a minimal amount of TLS contexts, reducing the
+# time needed for startup/reconfiguration. Long
+# startup/reconfiguration was known to cause timeout issues in the CI
+# system, where many tests run in parallel.
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../CA/certs/srv04.crt01.example.com.key";
+ cert-file "../CA/certs/srv04.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+http local {
+ endpoints { "/dns-query"; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on tls local { 10.53.0.4; }; // DoT
+ listen-on tls local http local { 10.53.0.4; }; // DoH
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+tls tls-v1.2-pfs {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.2-pfs; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/doth/prereq.sh b/bin/tests/system/doth/prereq.sh
new file mode 100644
index 0000000000..a9b9a1494d
--- /dev/null
+++ b/bin/tests/system/doth/prereq.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --with-libnghttp2 || {
+ echo_i "This test requires libnghttp2 support." >&2
+ exit 255
+}
+
+$FEATURETEST --have-fips-dh || {
+ echo_i "FIPS mode Diffie-Hellman not working - skipping doth test"
+ exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh
index 29e49c4bbe..c50c31f779 100644
--- a/bin/tests/system/doth/setup.sh
+++ b/bin/tests/system/doth/setup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
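Review bot: The two skip paths in prereq.sh report inconsistently: the libnghttp2 message is sent to stderr with `>&2`, the FIPS DH message is not, so one shows up in a captured-stdout log and the other does not. Make them match, e.g. `echo_i "FIPS mode Diffie-Hellman not working - skipping doth test" >&2`. `$FEATURETEST` is also left unquoted in both invocations, unlike `"$DIG"` and `"$PYTHON"` elsewhere in this commit; `"$FEATURETEST"` is the safer form if the path can ever contain whitespace.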
@@ -13,5 +15,18 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db
+echo '; huge answer' >> ns1/example.db
+x=1
+while [ $x -le 50 ]; do
+ y=1
+ while [ $y -le 50 ]; do
+ printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db
+ y=$((y+1))
+ done
+ x=$((x+1))
+done
+
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/doth/stress_http_quota.py b/bin/tests/system/doth/stress_http_quota.py
new file mode 100755
index 0000000000..12e29c858e
--- /dev/null
+++ b/bin/tests/system/doth/stress_http_quota.py
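Review bot: The inner loop reopens `ns1/example.db` for append on each of the 2,500 `printf` calls; redirecting once at the outer loop is simpler and faster: drop `>> ns1/example.db` from the `printf` line and change the outer loop's closing line to `done >> ns1/example.db`. The bound `50` is repeated in both `while` conditions, and it also determines the `10.10.%d.%d` address range, so hoisting it into a named variable (`n=50`) documents what the generated record count is meant to be. The `echo '; huge answer'` line can stay as the only separate append.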
@@ -0,0 +1,252 @@ +#!/usr/bin/env python + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import sys +import socket +import subprocess +import random +import time + +from functools import reduce +from resource import getrlimit +from resource import setrlimit +from resource import RLIMIT_NOFILE + +MULTIDIG_INSTANCES = 10 +CONNECT_TRIES = 5 + +random.seed() + +# Ensure we have enough file desriptors to work +rlimit_nofile = getrlimit(RLIMIT_NOFILE) +if rlimit_nofile[0] < 1024: + setrlimit(RLIMIT_NOFILE, (1024, rlimit_nofile[1])) + + +# Introduce some random delay +def jitter(): + time.sleep((500 + random.randint(0, 250)) / 1000000.0) + + +# A set of simple procedures to get the test's configuration options +def get_http_port(http_secure=False): + http_port_env = None + if http_secure: + http_port_env = os.getenv("HTTPSPORT") + else: + http_port_env = os.getenv("HTTPPORT") + if http_port_env: + return int(http_port_env) + return 443 + + +def get_http_host(): + bind_host = os.getenv("BINDHOST") + if bind_host: + return bind_host + return "localhost" + + +def get_dig_path(): + dig_path = os.getenv("DIG") + if dig_path: + return dig_path + return "dig" + + +# A simple class which creates the given number of TCP connections to +# the given host in order to stress the BIND's quota facility +class TCPConnector: + def __init__(self, host, port): + self.host = host + self.port = port + self.connections = [] + + def connect_one(self): + tries = CONNECT_TRIES + while tries > 0: + try: + sock = socket.create_connection( + address=(self.host, self.port), timeout=None + ) + 
self.connections.append(sock) + break + except ConnectionResetError: + # some jitter for BSDs + jitter() + continue + except TimeoutError: + jitter() + continue + finally: + tries -= 1 + + # Close an established connection (randomly) + def disconnect_random(self): + pos = random.randint(0, len(self.connections) - 1) + conn = self.connections[pos] + try: + conn.shutdown(socket.SHUT_RDWR) + conn.close() + except OSError: + conn.close() + finally: + self.connections.remove(conn) + + def disconnect_all(self): + while len(self.connections) != 0: + self.disconnect_random() + + +# A simple class which allows running a dig instance under control of +# the process +class SubDIG: + def __init__(self, http_secure=None, extra_args=None): + self.sub_process = None + self.dig_path = get_dig_path() + self.host = get_http_host() + self.port = get_http_port(http_secure=http_secure) + if http_secure: + self.http_secure = True + else: + self.http_secure = False + self.extra_args = extra_args + + # This method constructs a command string + def get_command(self): + command = self.dig_path + " -p " + str(self.port) + " " + command = command + "+noadd +nosea +nostat +noquest +nocmd +time=30 " + if self.http_secure: + command = command + "+https " + else: + command = command + "+http-plain " + command = command + "@" + self.host + " " + if self.extra_args: + command = command + self.extra_args + return command + + def run(self): + # pylint: disable=consider-using-with + with open(os.devnull, "w", encoding="utf-8") as devnull: + self.sub_process = subprocess.Popen( + self.get_command(), shell=True, stdout=devnull + ) + + def wait(self, timeout=None): + res = None + if timeout is None: + return self.sub_process.wait() + try: + res = self.sub_process.wait(timeout=timeout) + except subprocess.TimeoutExpired: + return None + return res + + def alive(self): + return self.sub_process.poll() is None + + +# A simple wrapper class which allows running multiple dig instances +# and examining their 
statuses in one logical operation. +class MultiDIG: + def __init__(self, numdigs, http_secure=None, extra_args=None): + assert int(numdigs) > 0 + digs = [] + for _ in range(1, int(numdigs) + 1): + digs.append(SubDIG(http_secure=http_secure, extra_args=extra_args)) + self.digs = digs + assert len(self.digs) == int(numdigs) + + def run(self): + for p in self.digs: + p.run() + + def wait(self): + return map(lambda p: (p.wait()), self.digs) + + # Wait for the all instances to terminate with expected given + # status. Returns true or false. + def wait_for_result(self, result): + return reduce( + lambda a, b: ((a == result or a is True) and b == result), self.wait() + ) + + def alive(self): + return reduce(lambda a, b: (a and b), map(lambda p: (p.alive()), self.digs)) + + def completed(self): + total = 0 + for p in self.digs: + if not p.alive(): + total += 1 + return total + + +# The test's main logic +def run_test(http_secure=True): + query_args = "SOA ." + # Let's try to make a successful query + subdig = SubDIG(http_secure=http_secure, extra_args=query_args) + subdig.run() + assert subdig.wait() == 0, "DIG was expected to succeed" + # Let's create a lot of TCP connections to the server stress the + # HTTP quota + connector = TCPConnector(get_http_host(), get_http_port(http_secure=http_secure)) + # Let's make queries until the quota kicks in + subdig = SubDIG(http_secure=http_secure, extra_args=query_args) + subdig.run() + while True: + connector.connect_one() + subdig = SubDIG(http_secure=http_secure, extra_args=query_args) + subdig.run() + if subdig.wait(timeout=5) is None: + break + + # At this point quota has kicked in. Additionally, let's create a + # bunch of dig processes all trying to make a query against the + # server with exceeded quota + multidig = MultiDIG( + MULTIDIG_INSTANCES, http_secure=http_secure, extra_args=query_args + ) + multidig.run() + # Wait for the dig instance to complete. 
Not a single instance has + # a chance to complete successfully because of the exceeded quota + assert ( + subdig.wait(timeout=5) is None + ), "The single DIG instance has stopped prematurely" + assert subdig.alive(), "The single DIG instance is expected to be alive" + assert multidig.alive(), ( + "The DIG instances from the set are all expected to " + "be alive, but {} of them have completed" + ).format(multidig.completed()) + # Let's close opened connections (in random order) to let all dig + # processes to complete + connector.disconnect_all() + # Wait for all processes to complete successfully + assert subdig.wait() == 0, "Single DIG instance failed" + assert ( + multidig.wait_for_result(0) is True + ), "One or more of DIG instances returned unexpected results" + + +def main(): + run_test(http_secure=True) + run_test(http_secure=False) + # If we have reached this point we could safely return 0 + # (success). If the test fails because of an assert, the whole + # program will return non-zero exit code and produce the backtrace + return 0 + + +sys.exit(main()) diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index 2bed4e555d..a95bd8c99a 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh 
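Review bot: `MultiDIG.wait_for_result` is wrong for the value it is called with: `reduce(lambda a, b: ((a == result or a is True) and b == result), self.wait())` turns the accumulator into `False` after the first mismatch, but `False == 0` is `True` in Python, so with `result=0` a failing first dig followed by successful ones yields `True` and the final assertion in `run_test` passes; with a single instance `reduce` would also return the raw exit code rather than a bool. `return all(r == result for r in self.wait())` states the intent directly, and `MultiDIG.alive` can take the same form, `return all(p.alive() for p in self.digs)`. Separately, `SubDIG.get_command` builds one string that `run` hands to `Popen(..., shell=True)`; `DIG` and `BINDHOST` come from the environment, so a path containing a space or a shell metacharacter breaks the command, and passing an argv list with `shell=False` avoids both that and the extra shell process.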
@@ -1,31 +1,84 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +set -e + +# shellcheck disable=SC1091 . ../conf.sh +common_dig_options="+noadd +nosea +nostat +noquest +nocmd" +msg_xfrs_not_allowed=";; zone transfers over the established TLS connection are not allowed" +msg_peer_verification_failed=";; TLS peer certificate verification" + +ca_file="./CA/CA.pem" + +if [ -x "$PYTHON" ]; then + OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") + OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) + OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) +fi + +# According to the RFC 8310, Section 8.1, Subject field MUST +# NOT be inspected when verifying a hostname when using +# DoT. Only SubjectAltName must be checked instead. That is +# not the case for HTTPS, though. + +# Unfortunately, some quite old versions of OpenSSL (< 1.1.1) +# might lack the functionality to implement that. It should +# have very little real-world consequences, as most of the +# production-ready certificates issued by real CAs will have +# SubjectAltName set. In such a case, the Subject field is +# ignored. +# +# On the platforms with too old TLS versions, e.g. RedHat 7, we should +# ignore the tests checking the correct handling of absence of +# SubjectAltName. 
+if [ -n "$OPENSSL_VERSION" ]; then + if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then + run_san_tests=1 + elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then + run_san_tests=1 + fi +fi + dig_with_tls_opts() { - "$DIG" +tls +noadd +nosea +nostat +noquest +nocmd -p "${TLSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" } dig_with_https_opts() { - "$DIG" +https +noadd +nosea +nostat +noquest +nocmd -p "${HTTPSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" } dig_with_http_opts() { - "$DIG" +http-plain +noadd +nosea +nostat +noquest +nocmd -p "${HTTPPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" +} + +dig_with_opts() { + # shellcheck disable=SC2086 + "$DIG" $common_dig_options -p "${PORT}" "$@" } wait_for_tls_xfer() ( - dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1 - grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1 + srv_number="$1" + shift + zone_name="$1" + shift + # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces + dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1 + grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1 return 0 ) 
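Review bot: `OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py")` now runs under the newly added `set -e`, so a non-zero exit from the helper aborts the whole test script instead of falling through to the `[ -n "$OPENSSL_VERSION" ]` guard that the following block is built around; appending `|| OPENSSL_VERSION=""` keeps the intended skip-when-unknown behaviour. The version the helper reports presumably comes from the OpenSSL that Python's `ssl` module links, which need not be the library dig and named were built against, so a one-line comment above the `if [ -x "$PYTHON" ]` block stating that assumption would save the next reader the question. The numeric tests `[ $OPENSSL_VERSION_MAJOR -gt 1 ]` and `[ $OPENSSL_VERSION_MINOR -ge 1 ]` also leave the variables unquoted, unlike every other expansion in the hunk.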
@@ -35,20 +88,166 @@ n=0 n=$((n+1)) echo_i "testing XoT server functionality (using dig) ($n)" ret=0 -dig_with_tls_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp example.axfr.good dig.out.ns1.test$n || ret=1 if test $ret != 0 ; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "testing incoming XoT functionality (from secondary) ($n)" +echo_i "testing incoming XoT functionality (from the first secondary) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example; then + digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example.test$n" | cat_i + ret=1 +fi +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status+ret)) + +if [ -n "$run_san_tests" ]; then + n=$((n + 1)) + echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" + ret=0 + if retry_quiet 10 wait_for_tls_xfer 2 example3; then + ret=1 + else + echo_i "timed out waiting for zone transfer" + fi + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via implicit IP) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example4; then + retry_quiet 5 test -f "ns2/example4.db" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example4.test$n" | cat_i + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv4) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example5; then + retry_quiet 5 test -f "ns2/example5.db" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" 
"dig.out.ns2.example5.test$n" | cat_i + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv6) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example6; then + retry_quiet 5 test -f "ns2/example6.db" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example6.test$n" | cat_i + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, wrong hostname, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example7; then + ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, expired certificate, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example8; then + ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example9; then + retry_quiet 5 test -f "ns2/example9.db" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example9.test$n" | cat_i + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, no client cert, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example10; then + ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "testing incoming XoT functionality (from the 
first secondary, MutualTLS, expired client cert, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 2 example11; then + ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "testing incoming XoT functionality (from the second secondary) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 3 example; then + digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 +else + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns3.example.test$n" | cat_i + ret=1 +fi +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 3 example2; then + ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing incoming XoT functionality (from the third secondary) ($n)" ret=0 -if retry_quiet 10 wait_for_tls_xfer; then - grep "^;" "dig.out.ns2.test$n" | cat_i - digcomp example.axfr.good "dig.out.ns2.test$n" || ret=1 +if retry_quiet 10 wait_for_tls_xfer 4 example; then + digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1 else echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns4.example.test$n" | cat_i ret=1 fi if test $ret != 0 ; then echo_i "failed"; fi 
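Review bot: The failure-expected cases (example3, example7, example8, example10, example11 and example2) pass whenever `wait_for_tls_xfer` has not succeeded after ten retries, so a secondary that is merely slow or not yet up passes them for the wrong reason, and the `else` branch then prints `timed out waiting for zone transfer` on what is in fact the expected outcome. Pinning the reason by grepping the secondary's `named.run` for the TLS rejection each case is meant to provoke would make a pass meaningful; the exact log text is not visible in this diff, so I cannot quote it. At minimum the message in those branches should read `echo_i "zone transfer was rejected as expected"` so the log does not look like a timeout.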
@@ -57,7 +256,15 @@ status=$((status+ret)) n=$((n + 1)) echo_i "checking DoT query (ephemeral key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n +dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query via IPv6 (ephemeral key) ($n)" +ret=0 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -65,7 +272,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (static key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n +dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query via IPv6 (static key) ($n)" +ret=0 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
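Review bot: The IPv4/IPv6 pairs added here, and again in the hunks at -73, -97, -105, -113, -137, -145 and -153, repeat the same seven-line `n`/`echo_i`/`ret=0`/dig/`grep`/`status` block with only the address and the `-6` flag changing. The file already shows the alternative in `test_opcodes`, which loops one check over its parameters; a helper such as `check_query WRAPPER SERVER PATTERN "$@"` taking the dig wrapper name, the server address and the expected grep pattern would shrink these hunks to a fraction and make the expected-result lines easy to audit side by side.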
@@ -73,23 +288,85 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT XFR ($n)" ret=0 -dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n +dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# zone transfers are allowed only via TLS +n=$((n+1)) +echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)" +ret=0 +dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# querying zones is still allowed via UDP/TCP +n=$((n + 1)) +echo_i "checking Do53 query ($n)" +ret=0 +dig_with_opts @10.53.0.1 example SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +# In this test we are trying to establish a DoT connection over the +# DoH port. That is intentional, as dig should fail right after +# handshake has happened and before sending any queries, as XFRs, per +# the RFC, could happen only over a connection where "dot" ALPN token +# was negotiated. over DoH it cannot happen, as only "h2" token could +# be selected for a DoH connection. +n=$((n + 1)) +echo_i "checking DoT XFR with wrong ALPN token (h2, failure expected) ($n)" +ret=0 +# shellcheck disable=SC2086 +"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR > dig.out.test$n +grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Let's try to issue an HTTP/2 query over TLS port to check if dig +# will detect ALPN token negotiation problem. 
+n=$((n + 1)) +echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)" +ret=0 +# shellcheck disable=SC2086 +"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n && ret=1 +grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + n=$((n + 1)) echo_i "checking DoH query (POST) ($n)" ret=0 -dig_with_https_opts @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (POST) ($n)" +ret=0 +dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, static key) ($n)" ret=0 -dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n +dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (POST, static key) ($n)" +ret=0 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
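Review bot: The "ALPN is expected to fail" case invokes `"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA` at the top level of the script, where `"$@"` expands to tests.sh's own positional parameters rather than a function's, so anything the harness passes to the script is spliced into dig's command line. Dropping `"$@"` there, or calling `dig_with_https_opts -p "${TLSPORT}" @10.53.0.1 . SOA` as later cases in this file do with an overriding `-p`, keeps the invocation deterministic. In the same hunk the wrong-ALPN XFR case is the only one that checks neither `|| ret=1` nor `&& ret=1` on dig's exit status; if that is deliberate, a comment such as `# exit status is not checked: only the refusal message matters here` would stop the next reader from "fixing" it.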
@@ -97,7 +374,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)" +ret=0 +dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -105,7 +390,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)" +ret=0 +dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 grep "communications error" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -113,23 +406,41 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (POST) (failure expected) ($n)" ret=0 -dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +stat +https-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (GET) ($n)" +ret=0 +dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, static key) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n +dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (GET, static key) ($n)" +ret=0 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -137,7 +448,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)" +ret=0 +dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -145,7 +464,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n +dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)" +ret=0 +dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 grep "communications error" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -153,34 +480,410 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (GET) (failure expected) ($n)" ret=0 -dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (POST) ($n)" ret=0 -dig_with_http_opts @10.53.0.1 . SOA > dig.out.test$n +dig_with_http_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)" +ret=0 +dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (GET) ($n)" ret=0 -dig_with_http_opts +http-plain-get @10.53.0.1 . SOA > dig.out.test$n +dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)" +ret=0 +dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . 
SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH XFR (failure expected) ($n)" ret=0 -dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query for a large answer (POST) ($n)" +ret=0 +dig_with_https_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)" +ret=0 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query for a large answer (GET) ($n)" +ret=0 +dig_with_https_opts +https-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)" +ret=0 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > 
/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query for a large answer (POST) ($n)" +ret=0 +dig_with_http_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)" +ret=0 +dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query for a large answer (GET) ($n)" +ret=0 +dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)" +ret=0 +dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +wait_for_tlsctx_update_ns4 () { + grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run > /dev/null || return 1 + grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run > /dev/null || return 1 + return 0 +} + +n=$((n + 1)) +echo_i "doing rndc reconfig to see that queries keep being served after that ($n)" +ret=0 +rndc_reconfig ns4 10.53.0.4 60 +retry_quiet 15 
wait_for_tlsctx_update_ns4 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query after a reconfiguration ($n)" +ret=0 +dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (POST) after a reconfiguration ($n)" +ret=0 +dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "doing rndc reconfig to see if HTTP endpoints have gotten reconfigured ($n)" +ret=0 +# 'sed -i ...' is not portable. Sigh... +sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" > "ns4/named.conf.sed" +mv -f "ns4/named.conf.sed" "ns4/named.conf" +rndc_reconfig ns4 10.53.0.4 60 +retry_quiet 15 wait_for_tlsctx_update_ns4 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (POST) to verify HTTP endpoint reconfiguration ($n)" +ret=0 +dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query (with TLS verification enabled) ($n)" +ret=0 +dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (with TLS verification enabled, self-signed cert, failure expected) ($n)" +ret=0 +dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . 
SOA > dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query (with TLS verification using the system's CA store, failure expected) ($n)" +ret=0 +dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (with TLS verification using the system's CA store, failure expected) ($n)" +ret=0 +dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# the primary server's certificate contains the IP address in the +# SubjectAltName section +n=$((n + 1)) +echo_i "checking DoT query (with TLS verification, hostname is not specified, IP address is used instead) ($n)" +ret=0 +dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -n "$run_san_tests" ]; then + # SubjectAltName is required for DoT as according to RFC 8310, Subject + # field MUST NOT be inspected when verifying hostname for DoT. + n=$((n + 1)) + echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)" + ret=0 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . 
SOA > dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)" + ret=0 + # shellcheck disable=SC2086 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +# SubjectAltName is not required for HTTPS. Having a properly set +# Common Name in the Subject field is enough. +n=$((n + 1)) +echo_i "checking DoH query (when SubjectAltName is not set) ($n)" +ret=0 +dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query (expired certificate, Opportunistic TLS) ($n)" +ret=0 +dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoT query (expired certificate, Strict TLS, failure expected) ($n)" +ret=0 +dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +n=$((n+1)) +echo_i "testing XoT server functionality (using dig, client certificate required, failure expected) ($n)" +ret=0 +dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. 
-b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1 +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "testing XoT server functionality (using dig, client certificate used) ($n)" +ret=0 +dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +digcomp dig.out.ns1.test$n example8.axfr.good > /dev/null || ret=1 +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (client certificate required, failure expected) ($n)" +ret=0 +dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n && ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking DoH query (client certificate used) ($n)" +ret=0 +# shellcheck disable=SC2086 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# send two requests one after another so that session resumption will happen +n=$((n + 1)) +echo_i "checking DoH query (client certificate used - session resumption when using Mutual TLS) ($n)" +ret=0 +# shellcheck disable=SC2086 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . 
SOA > dig.out.test$n || ret=1
+grep "TLS error" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+test_opcodes() {
+ EXPECT_STATUS="$1"
+ shift
+ for op in "$@";
+ do
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH for opcode $op ($n)"
+ ret=0
+ dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
+ ret=0
+ dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
+ ret=0
+ dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
+ ret=0
+ dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
+ ret=0
+ dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op
($n)"
+ ret=0
+ dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ done
+}
+
+test_opcodes NOERROR 0
+test_opcodes NOTIMP 1 2 3 6 7 8 9 10 11 12 13 14 15
+test_opcodes FORMERR 4 5
+
+n=$((n + 1))
+echo_i "checking server quotas for both encrypted and unencrypted HTTP ($n)"
+ret=0
+if [ -x "$PYTHON" ]; then
+ BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$?
+else
+ echo_i "Python is not available. Skipping the test..."
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# check whether we can use curl for sending test queries.
+if [ -x "${CURL}" ] ; then
+ CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)"
+
+ if [ -n "$CURL_HTTP2" ]; then
+ testcurl=1
+ else
+ echo_i "The available version of CURL does not have HTTP/2 support"
+ fi
+fi
+
+# Note: see README.curl for information on how to generate curl
+# queries.
+if [ -n "$testcurl" ]; then
+ n=$((n + 1))
+ echo_i "checking max-age for positive answer ($n)"
+ ret=0
+ # use curl to query for 'example/SOA'
+ $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" > /dev/null 2>&1 || ret=1
+ grep "cache-control: max-age=86400" headers.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking max-age for negative answer ($n)"
+ ret=0
+ # use curl to query for 'fake.example/TXT'
+ $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" > /dev/null 2>&1 || ret=1
+ grep "cache-control: max-age=3600" headers.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/doth/tests_gnutls.py b/bin/tests/system/doth/tests_gnutls.py
new file mode 100644
index 0000000000..5ddb708fd2
--- /dev/null
+++ b/bin/tests/system/doth/tests_gnutls.py
@@ -0,0 +1,108 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import selectors
+import struct
+import subprocess
+import time
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.exception
+import dns.message
+import dns.name
+import dns.rdataclass
+import dns.rdatatype
+
+
+def test_gnutls_cli_query(gnutls_cli_executable, named_tlsport):
+ # Prepare the example/SOA query which will be sent over TLS.
+ query = dns.message.make_query("example.", dns.rdatatype.SOA)
+ query_wire = query.to_wire()
+ query_with_length = struct.pack(">H", len(query_wire)) + query_wire
+
+ # Run gnutls-cli.
+ gnutls_cli_args = [
+ gnutls_cli_executable,
+ "--no-ca-verification",
+ "-V",
+ "--no-ocsp",
+ "--alpn=dot",
+ "--logfile=gnutls-cli.log",
+ "--port=%d" % named_tlsport,
+ "10.53.0.1",
+ ]
+ with open("gnutls-cli.err", "wb") as gnutls_cli_stderr, subprocess.Popen(
+ gnutls_cli_args,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=gnutls_cli_stderr,
+ bufsize=0,
+ ) as gnutls_cli:
+ # Send the example/SOA query to the standard input of gnutls-cli. Do
+ # not close standard input yet because that causes gnutls-cli to close
+ # the TLS connection immediately, preventing the response from being
+ # read.
+ gnutls_cli.stdin.write(query_with_length)
+ gnutls_cli.stdin.flush()
+
+ # Keep reading data from the standard output of gnutls-cli until a full
+ # DNS message is received or a timeout is exceeded or gnutls-cli exits.
+ # Popen.communicate() cannot be used here because: a) it closes
+ # standard input after sending data to the process (see above why this
+ # is a problem), b) gnutls-cli is not DNS-aware, so it does not exit
+ # upon receiving a DNS response.
+ selector = selectors.DefaultSelector()
+ selector.register(gnutls_cli.stdout, selectors.EVENT_READ)
+ deadline = time.time() + 10
+ gnutls_cli_output = b""
+ response = b""
+ while not response and not gnutls_cli.poll():
+ if not selector.select(timeout=deadline - time.time()):
+ break
+ gnutls_cli_output += gnutls_cli.stdout.read(512)
+ try:
+ # Ignore TCP length, just try to parse a DNS message from
+ # the rest of the data received.
+ response = dns.message.from_wire(gnutls_cli_output[2:])
+ except dns.exception.FormError:
+ continue
+
+ # At this point either a DNS response was received or a timeout fired
+ # or gnutls-cli exited prematurely. Close the standard input of
+ # gnutls-cli. Terminate it if that does not cause it to shut down
+ # gracefully.
+ gnutls_cli.stdin.close()
+ try:
+ gnutls_cli.wait(5)
+ except subprocess.TimeoutExpired:
+ gnutls_cli.kill()
+
+ # Store the response received for diagnostic purposes.
+ with open("gnutls-cli.out.bin", "wb") as response_bin:
+ response_bin.write(gnutls_cli_output)
+ if response:
+ with open("gnutls-cli.out.txt", "w", encoding="utf-8") as response_txt:
+ response_txt.write(response.to_text())
+
+ # Check whether a response was received and whether it is sane.
+ assert response
+ assert query.id == response.id
+ assert len(response.answer) == 1
+ assert response.answer[0].match(
+ dns.name.from_text("example."),
+ dns.rdataclass.IN,
+ dns.rdatatype.SOA,
+ dns.rdatatype.NONE,
+ )
diff --git a/bin/tests/system/doth/tests_sh_doth.py b/bin/tests/system/doth/tests_sh_doth.py
new file mode 100644
index 0000000000..ef87a06acd
--- /dev/null
+++ b/bin/tests/system/doth/tests_sh_doth.py
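Review bot: The read loop in test_gnutls_cli_query, `while not response and not gnutls_cli.poll():`, does not stop when gnutls-cli exits with status 0, because `poll()` then returns 0 and `not 0` is true; with stdout at EOF the selector reports it readable at once, `read(512)` returns `b""`, and `from_wire` keeps raising FormError on the unchanged buffer, so the loop can spin past the deadline rather than fall through to the assertions. The exit check should be `while not response and gnutls_cli.poll() is None:`. Since the 10-second deadline only bounds `select()`, a zero-length read should also end the loop, e.g. `chunk = gnutls_cli.stdout.read(512)` followed by `if not chunk: break` before appending.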
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_doth(run_tests_sh):
+ run_tests_sh()
diff --git a/bin/tests/system/doth/tests_sslyze.py b/bin/tests/system/doth/tests_sslyze.py
new file mode 100644
index 0000000000..2562fe482d
--- /dev/null
+++ b/bin/tests/system/doth/tests_sslyze.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import pathlib
+import subprocess
+
+import pytest
+
+
+def is_pid_alive(pid):
+ try:
+ os.kill(pid, 0)
+ return True
+ except OSError:
+ return False
+
+
+def run_sslyze_in_a_loop(executable, port, log_file_prefix):
+ # Determine the PID of ns1.
+ with open(pathlib.Path("ns1", "named.pid"), encoding="utf-8") as pidfile:
+ pid = int(pidfile.read())
+
+ # Ensure ns1 is alive before starting the loop below to avoid reporting
+ # false positives.
+ if not is_pid_alive(pid):
+ pytest.skip(f"ns1 (PID: {pid}) is not running")
+
+ # Run sslyze on ns1 in a loop with a limit of 30 iterations. Interrupt the
+ # test as soon as ns1 is determined to not be running any more. Log sslyze
+ # output.
+ sslyze_args = [executable, f"10.53.0.1:{port}"]
+ for i in range(0, 30):
+ log_file = f"{log_file_prefix}.ns1.{port}.{i + 1}"
+ with open(log_file, "wb") as sslyze_log:
+ # Run sslyze, logging stdout+stderr. Ignore the exit code since
+ # sslyze is only used for triggering crashes here rather than
+ # actual TLS analysis.
+ subprocess.run(
+ sslyze_args,
+ stdout=sslyze_log,
+ stderr=subprocess.STDOUT,
+ timeout=30,
+ check=False,
+ )
+ # Ensure ns1 is still alive after each sslyze run.
+ assert is_pid_alive(pid), f"ns1 (PID: {pid}) exited prematurely"
+
+
+def test_sslyze_doh(sslyze_executable, named_httpsport):
+ run_sslyze_in_a_loop(sslyze_executable, named_httpsport, "sslyze.log.doh")
+
+
+def test_sslyze_dot(sslyze_executable, named_tlsport):
+ run_sslyze_in_a_loop(sslyze_executable, named_tlsport, "sslyze.log.dot")
diff --git a/bin/tests/system/dscp/clean.sh b/bin/tests/system/dscp/clean.sh
deleted file mode 100644
index 1cdca7d576..0000000000
--- a/bin/tests/system/dscp/clean.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f */root.bk
-rm -f dig.out.10.53.0.?
-rm -f */named.memstats
-rm -f */named.run
-rm -f */named.conf
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dscp/ns1/named.args b/bin/tests/system/dscp/ns1/named.args
deleted file mode 100644
index 0c955c704a..0000000000
--- a/bin/tests/system/dscp/ns1/named.args
+++ /dev/null
@@ -1 +0,0 @@
--m record,size,mctx -c named.conf -d 99 -D dscp-ns1 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns1/named.conf.in b/bin/tests/system/dscp/ns1/named.conf.in
deleted file mode 100644
index 0a5245d7dd..0000000000
--- a/bin/tests/system/dscp/ns1/named.conf.in
+++ /dev/null
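Review bot: `is_pid_alive` in tests_sslyze.py treats every `OSError` from `os.kill(pid, 0)` as "not running", so a `PermissionError` (the process exists but is owned by another user) makes run_sslyze_in_a_loop skip, or assert that ns1 "exited prematurely", while named is actually still up. Narrowing the handler keeps the crash check meaningful: `except ProcessLookupError: return False` for the dead case and `except PermissionError: return True` for a live process that cannot be signalled. The signal-0 probe also cannot distinguish ns1 from an unrelated process that inherited a recycled PID after a crash; whether the harness guarantees `ns1/named.pid` is fresh is not visible in this diff, so a one-line comment at `pid = int(pidfile.read())` stating that assumption would help the next reader.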
@@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 46; - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify yes; -}; - -zone "." { - type primary; - file "root.db"; -}; diff --git a/bin/tests/system/dscp/ns1/root.db b/bin/tests/system/dscp/ns1/root.db deleted file mode 100644 index 3bd582940e..0000000000 --- a/bin/tests/system/dscp/ns1/root.db +++ /dev/null @@ -1,17 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -. SOA ns1.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200 -. NS ns1.nil-servers. -. NS ns2.nil-servers. -ns1.nil-servers. A 10.53.0.1 -ns2.nil-servers. A 10.53.0.2 -xxx.example. A 10.53.0.1 -xxx.tld. A 10.53.0.1 diff --git a/bin/tests/system/dscp/ns2/named.args b/bin/tests/system/dscp/ns2/named.args deleted file mode 100644 index ff501a812c..0000000000 --- a/bin/tests/system/dscp/ns2/named.args +++ /dev/null @@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns2 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 
diff --git a/bin/tests/system/dscp/ns2/named.conf.in b/bin/tests/system/dscp/ns2/named.conf.in deleted file mode 100644 index 94a9e3244a..0000000000 --- a/bin/tests/system/dscp/ns2/named.conf.in +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 46; - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify yes; -}; - -zone "." { - type secondary; - file "root.bk"; - primaries { 10.53.0.1; }; -}; diff --git a/bin/tests/system/dscp/ns3/hint.db b/bin/tests/system/dscp/ns3/hint.db deleted file mode 100644 index 5fe03e71a2..0000000000 --- a/bin/tests/system/dscp/ns3/hint.db +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -. NS ns1.nil-servers. -. NS ns2.nil-servers. -ns1.nil-servers. A 10.53.0.1 -ns2.nil-servers. A 10.53.0.2 diff --git a/bin/tests/system/dscp/ns3/named.args b/bin/tests/system/dscp/ns3/named.args deleted file mode 100644 index 3d1981fb59..0000000000 --- a/bin/tests/system/dscp/ns3/named.args +++ /dev/null 
@@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns3 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns3/named.conf.in b/bin/tests/system/dscp/ns3/named.conf.in deleted file mode 100644 index c775e5180b..0000000000 --- a/bin/tests/system/dscp/ns3/named.conf.in +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 46; - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - notify yes; - recursion yes; - dnssec-validation yes; -}; - -zone "." { - type hint; - file "hint.db"; -}; diff --git a/bin/tests/system/dscp/ns4/named.args b/bin/tests/system/dscp/ns4/named.args deleted file mode 100644 index 277a47b628..0000000000 --- a/bin/tests/system/dscp/ns4/named.args +++ /dev/null @@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns4 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns4/named.conf.in b/bin/tests/system/dscp/ns4/named.conf.in deleted file mode 100644 index 63fd7691ec..0000000000 --- a/bin/tests/system/dscp/ns4/named.conf.in +++ /dev/null 
@@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 47; - query-source dscp 46 address 10.53.0.4; - notify-source 10.53.0.4 dscp 46; - transfer-source 10.53.0.4 dscp 46; - port @PORT@; - pid-file "named.pid"; - listen-on dscp 46 { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify yes; -}; - -zone "." { - type primary; - file "root.db"; -}; diff --git a/bin/tests/system/dscp/ns4/root.db b/bin/tests/system/dscp/ns4/root.db deleted file mode 100644 index d1627dbd4e..0000000000 --- a/bin/tests/system/dscp/ns4/root.db +++ /dev/null @@ -1,17 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -. SOA ns4.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200 -. NS ns4.nil-servers. -. NS ns5.nil-servers. -ns4.nil-servers. A 10.53.0.4 -ns5.nil-servers. A 10.53.0.5 -xxx.example. A 10.53.0.1 -xxx.tld. A 10.53.0.1 diff --git a/bin/tests/system/dscp/ns5/named.args b/bin/tests/system/dscp/ns5/named.args deleted file mode 100644 index c678163f37..0000000000 --- a/bin/tests/system/dscp/ns5/named.args +++ /dev/null @@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns5 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 
diff --git a/bin/tests/system/dscp/ns5/named.conf.in b/bin/tests/system/dscp/ns5/named.conf.in deleted file mode 100644 index 9ffa0a1272..0000000000 --- a/bin/tests/system/dscp/ns5/named.conf.in +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 47; - query-source dscp 46 address 10.53.0.5; - notify-source 10.53.0.5 dscp 46; - transfer-source 10.53.0.5 dscp 46; - alt-transfer-source 10.53.0.5 dscp 46; - port @PORT@; - pid-file "named.pid"; - listen-on dscp 46 { 10.53.0.5; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify yes; -}; - -zone "." { - type secondary; - file "root.bk"; - primaries { 10.53.0.4; }; -}; diff --git a/bin/tests/system/dscp/ns6/hint.db b/bin/tests/system/dscp/ns6/hint.db deleted file mode 100644 index 8c54e3a3dc..0000000000 --- a/bin/tests/system/dscp/ns6/hint.db +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -. NS ns4.nil-servers. -. NS ns5.nil-servers. -ns4.nil-servers. A 10.53.0.4 -ns5.nil-servers. A 10.53.0.5 diff --git a/bin/tests/system/dscp/ns6/named.args b/bin/tests/system/dscp/ns6/named.args deleted file mode 100644 index 283cf22011..0000000000 --- a/bin/tests/system/dscp/ns6/named.args +++ /dev/null 
@@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns6 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns6/named.conf.in b/bin/tests/system/dscp/ns6/named.conf.in deleted file mode 100644 index 1714e2232a..0000000000 --- a/bin/tests/system/dscp/ns6/named.conf.in +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 47; - query-source dscp 46 address 10.53.0.6; - notify-source 10.53.0.6 dscp 46; - transfer-source 10.53.0.6 dscp 46; - port @PORT@; - pid-file "named.pid"; - listen-on dscp 46 { 10.53.0.6; }; - listen-on-v6 { none; }; - notify yes; - recursion yes; - dnssec-validation yes; -}; - -zone "." { - type hint; - file "hint.db"; -}; diff --git a/bin/tests/system/dscp/ns7/named.args b/bin/tests/system/dscp/ns7/named.args deleted file mode 100644 index 4ccf38ea05..0000000000 --- a/bin/tests/system/dscp/ns7/named.args +++ /dev/null @@ -1 +0,0 @@ --m record,size,mctx -c named.conf -d 99 -D dscp-ns7 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns7/named.conf.in b/bin/tests/system/dscp/ns7/named.conf.in deleted file mode 100644 index a7c8bf2021..0000000000 --- a/bin/tests/system/dscp/ns7/named.conf.in +++ /dev/null 
@@ -1,34 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dscp 47; - query-source dscp 46 address 10.53.0.7; - notify-source 10.53.0.7 dscp 47; - transfer-source 10.53.0.7 dscp 47; - alt-transfer-source 10.53.0.7 dscp 47; - port @PORT@; - pid-file "named.pid"; - listen-on dscp 46 { 10.53.0.7; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify yes; -}; - -zone "." { - type secondary; - file "root.bk"; - transfer-source 10.53.0.7 dscp 46; - notify-source 10.53.0.7 dscp 46; - alt-transfer-source 10.53.0.7 dscp 46; - primaries { 10.53.0.4; }; -}; diff --git a/bin/tests/system/dscp/setup.sh b/bin/tests/system/dscp/setup.sh deleted file mode 100644 index 401985d4a5..0000000000 --- a/bin/tests/system/dscp/setup.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf -copy_setports ns4/named.conf.in ns4/named.conf -copy_setports ns5/named.conf.in ns5/named.conf -copy_setports ns6/named.conf.in ns6/named.conf -copy_setports ns7/named.conf.in ns7/named.conf 
diff --git a/bin/tests/system/dscp/tests.sh b/bin/tests/system/dscp/tests.sh deleted file mode 100644 index 2051ecc7ec..0000000000 --- a/bin/tests/system/dscp/tests.sh +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -DIGOPTS="+tcp +noadd +nosea +nostat +noquest -p ${PORT}" - -status=0 - -# -# 10.53.0.1 10.53.0.2 10.53.0.3 have a global dscp setting; -# 10.53.0.4 10.53.0.5 10.53.0.6 have dscp set in option *-source clauses; -# 10.53.0.7 has dscp set in zone *-source clauses; -# -for server in 10.53.0.1 10.53.0.2 10.53.0.3 10.53.0.4 10.53.0.5 \ - 10.53.0.6 10.53.0.7 -do - echo_i "testing root SOA lookup at $server" - for i in 0 1 2 3 4 5 6 7 8 9 - do - ret=0 - $DIG $DIGOPTS @$server soa . > dig.out.$server - grep "status: NOERROR" dig.out.$server > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 - done - test $ret = 0 || { echo_i "failed"; status=`expr $status + $ret`; } -done - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dsdigest/clean.sh b/bin/tests/system/dsdigest/clean.sh index b39bc5851d..172cf1e8fe 100644 --- a/bin/tests/system/dsdigest/clean.sh +++ b/bin/tests/system/dsdigest/clean.sh 
@@ -1,9 +1,11 @@ #!/bin/sh -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional diff --git a/bin/tests/system/dsdigest/ns1/named.conf.in b/bin/tests/system/dsdigest/ns1/named.conf.in index a68caf9d96..da27c58c87 100644 --- a/bin/tests/system/dsdigest/ns1/named.conf.in +++ b/bin/tests/system/dsdigest/ns1/named.conf.in @@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dsdigest/ns1/root.db.in b/bin/tests/system/dsdigest/ns1/root.db.in index 52232798fb..30c61e9279 100644 --- a/bin/tests/system/dsdigest/ns1/root.db.in +++ b/bin/tests/system/dsdigest/ns1/root.db.in 
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh index e02d421ef7..d7efd9a320 100644 --- a/bin/tests/system/dsdigest/ns1/sign.sh +++ b/bin/tests/system/dsdigest/ns1/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -17,11 +19,11 @@ zonefile=root.db (cd ../ns2 && $SHELL sign.sh) -cp ../ns2/dsset-good$TP . -cp ../ns2/dsset-bad$TP . +cp ../ns2/dsset-good. . +cp ../ns2/dsset-bad. . -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 2048 -n zone -f KSK $zone` +key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) cat $infile $key1.key $key2.key > $zonefile diff --git a/bin/tests/system/dsdigest/ns2/bad.db.in b/bin/tests/system/dsdigest/ns2/bad.db.in index ab5ce91b90..c5e8c83354 100644 --- a/bin/tests/system/dsdigest/ns2/bad.db.in +++ b/bin/tests/system/dsdigest/ns2/bad.db.in 
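Review bot: The rewritten dnssec-keygen calls in ns1/sign.sh, `key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)` and the KSK line below it, drop the explicit `-b` key size together with the RSA algorithm, so the key length is now whatever dnssec-keygen picks for `$DEFAULT_ALGORITHM`; the `@@ -18,10 +20,10 @@` hunk in ns2/sign.sh does the same for all four keys. That is harmless while the default is an ECDSA/EdDSA algorithm, but if the default is ever switched back to RSA the test zones silently get the tool's default size. If conf.sh exposes a matching key-size variable alongside `DEFAULT_ALGORITHM`, passing it explicitly, e.g. `key1=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$zone")`, keeps the keys deterministic; conf.sh is not in this diff, so confirm the variable name before adopting it. Quoting the expansions as shown also avoids word splitting under the script's `sh -e`.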
@@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dsdigest/ns2/good.db.in b/bin/tests/system/dsdigest/ns2/good.db.in index ab5ce91b90..c5e8c83354 100644 --- a/bin/tests/system/dsdigest/ns2/good.db.in +++ b/bin/tests/system/dsdigest/ns2/good.db.in @@ -1,8 +1,10 @@ ; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ; +; SPDX-License-Identifier: MPL-2.0 +; ; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. ; ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in index 8485ad75ac..d3fd750279 100644 --- a/bin/tests/system/dsdigest/ns2/named.conf.in +++ b/bin/tests/system/dsdigest/ns2/named.conf.in 
@@ -1,9 +1,11 @@ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * + * SPDX-License-Identifier: MPL-2.0 + * * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh index 7c6c7fd103..5bb4fceed8 100644 --- a/bin/tests/system/dsdigest/ns2/sign.sh +++ b/bin/tests/system/dsdigest/ns2/sign.sh @@ -1,9 +1,11 @@ #!/bin/sh -e -# + # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # +# SPDX-License-Identifier: MPL-2.0 +# # This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this +# License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional @@ -18,10 +20,10 @@ zone2=bad infile2=bad.db.in zonefile2=bad.db -keyname11=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone1` -keyname12=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone1` -keyname21=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone2` -keyname22=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone2` +keyname11=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone1) +keyname12=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone1) +keyname21=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone2) +keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2) cat $infile1 $keyname11.key $keyname12.key >$zonefile1 cat $infile2 $keyname21.key $keyname22.key >$zonefile2 
@@ -29,8 +31,8 @@ cat $infile2 $keyname21.key $keyname22.key >$zonefile2
 $SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
 $SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
 
-DSFILENAME1=dsset-${zone1}${TP}
-DSFILENAME2=dsset-${zone2}${TP}
+DSFILENAME1=dsset-${zone1}.
+DSFILENAME2=dsset-${zone2}.
 
 $DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1
 $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in
index 97bfe26687..a2b105c31b 100644
--- a/bin/tests/system/dsdigest/ns3/named.conf.in
+++ b/bin/tests/system/dsdigest/ns3/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in
index 91f21a6e01..e43763bbc0 100644
--- a/bin/tests/system/dsdigest/ns4/named.conf.in
+++ b/bin/tests/system/dsdigest/ns4/named.conf.in
@@ -1,9 +1,11 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
+ * SPDX-License-Identifier: MPL-2.0
+ *
  * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh
index e3ddbbabfb..44bcc9d0b4 100644
--- a/bin/tests/system/dsdigest/setup.sh
+++ b/bin/tests/system/dsdigest/setup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh -e
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh
index d1cc0e9d1f..3650f4aacd 100644
--- a/bin/tests/system/dsdigest/tests.sh
+++ b/bin/tests/system/dsdigest/tests.sh
@@ -1,14 +1,18 @@
 #!/bin/sh
-#
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
+# SPDX-License-Identifier: MPL-2.0
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
+# License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+set -e
+
 . ../conf.sh
 
 status=0
@@ -25,7 +29,7 @@ $DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1
 grep "status: NOERROR" dig.out.good > /dev/null || ret=1
 grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 # Check the bad. domain
 
@@ -34,7 +38,7 @@ ret=0
 $DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
 grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "checking that validation with no supported digest algorithms results in insecure"
 ret=0
@@ -45,7 +49,7 @@ $DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
 grep "NOERROR" dig.out.insecure > /dev/null || ret=1
 grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status + ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dsdigest/tests_sh_dsdigest.py b/bin/tests/system/dsdigest/tests_sh_dsdigest.py
new file mode 100644
index 0000000000..348d704739
--- /dev/null
+++ b/bin/tests/system/dsdigest/tests_sh_dsdigest.py
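Review bot: The new `set -e` in the first hunk changes the failure model of the whole script: the per-check reporting (`if [ $ret != 0 ]; then echo_i "failed"; fi`, the running `status` total and the final `echo_i "exit status: $status"`) only works because every `$DIG` and `grep` probe is guarded with `|| ret=1` or `&& ret=1`, and any future unguarded probe will now abort the run before those diagnostics are printed. The visible checks are all guarded, so the change is safe as committed, but the invariant is unstated; a comment next to it would make it explicit: `# set -e: every probe below must be guarded (|| ret=1 / && ret=1) so a failing check is reported, not aborted`. Putting the flag in the body rather than the shebang (as sign.sh and setup.sh do) is the more robust of the two forms, since it also applies when the script is run as `sh tests.sh`.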
@@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_dsdigest(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl deleted file mode 100644 index bd5f4c24c1..0000000000 --- a/bin/tests/system/dupsigs/check_journal.pl +++ /dev/null @@ -1,209 +0,0 @@ -#!/usr/bin/env perl -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -use strict; -use warnings; - -sub process_changeset; - -my @changeset; - -while( my $line = <> ) { - chomp $line; - - if( $line =~ /^(?add|del) (?
ID Name ReferencesTotalUse InUseMaxUseMallocedMaxMallocedBlockSize Pools HiWater LoWater - - - - - - - - - -