
Adding upstream version 1:9.20.9.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Daniel Baumann 2025-06-21 13:32:37 +02:00
parent e312db4b53
commit f66ff7eae6
Signed by: daniel.baumann
GPG key ID: BCC918A2ABD66424
4677 changed files with 861298 additions and 0 deletions

AUTHORS (new file, 54 lines)

@ -0,0 +1,54 @@
Mark Andrews
Andreas Gustafsson
Evan Hunt
Brian Wellington
Bob Halley
David Lawrence
Michael Graff
Michael Sawyer
Ondřej Surý
James Brister
Tatuya JINMEI 神明達哉
Francis Dupont
Michał Kępień
Danny Mayer
Mukund Sivaraman
Jeremy C. Reed
William King
Stephen Morris
Witold Kręcicki
Curtis Blackburn
Scott Mann
Rob Austein
Jim Reid
Eric Luce
Olafur Gudmundsson
Stephen Jacob
Damien Neil
Tony Finch
Jakob Schlyter
Petr Menšík
Vernon Schryver
Matt Nelson
Shane Kerr
Paul Ebersman
Ray Bellis
Shawn Routhier
Ben Cottrell
Tomas Hozza
johnd
Bill Parker
李昶
Kevin Chen
Jonathan Casey
Mary Stahl
Mathieu Arnold
David Hankins
Paul Hoffman
Paul Vixie
Brian Conry
Anay Panvalkar
colleen
Robert Edmonds
João Damas
Artem Boldariev (Артем Болдарєв)
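Review bot: the entries `johnd` and `colleen` are bare login handles in a list where every other line is a person's full name; either expand them to full names or add a short comment line at the top stating that handles are acceptable, so the file is consistent and future entries follow one convention.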

CODE_OF_CONDUCT.md (new file, 84 lines)

@ -0,0 +1,84 @@
<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
# BIND 9 Code of Conduct
Like the technical community as a whole, the BIND 9 team and community is made
up of a mixture of professionals and volunteers from all over the world, working
on every aspect of the mission - including mentorship, teaching, and connecting
people.
Diversity is one of our huge strengths, but it can also lead to communication
issues and unhappiness. To that end, we have a few ground rules that we ask
people to adhere to. This code applies equally to the core development team,
open source contributors and those seeking help and guidance.
This isn't an exhaustive list of things that you can't do. Rather, take it in
the spirit in which it's intended - a guide to make it easier to enrich all of
us and the technical communities in which we participate.
This code of conduct applies to all spaces managed by the BIND 9 project or
Internet Systems Consortium. This includes chat, the mailing lists, the issue
tracker, and any other fora created by the project team which the
community uses for communication. In addition, violations of this code outside
these spaces may affect a person's ability to participate within them.
If you believe someone is violating the code of conduct, we ask that you report
it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
our [Reporting Guidelines](https://www.isc.org/conductreporting/).
* **Be friendly and patient.**
* **Be welcoming.** We strive to be a community that welcomes and supports
people of all backgrounds and identities. This includes, but is not limited to
members of any race, ethnicity, culture, national origin, colour, immigration
status, social and economic class, educational level, sex, sexual orientation,
gender identity and expression, age, size, family status, political belief,
religion, and mental and physical ability.
* **Be considerate.** Your work will be used by other people, and you in turn
will depend on the work of others. Any decision you take will affect users and
colleagues, and you should take those consequences into account when making
decisions. Remember that we're a world-wide community, so you might not be
communicating in someone else's primary language.
* **Be respectful.** Not all of us will agree all the time, but disagreement is
no excuse for poor behavior and poor manners. We might all experience some
frustration now and then, but we cannot allow that frustration to turn into a
personal attack. It's important to remember that a community where people feel
uncomfortable or threatened is not a productive one. Members of the BIND 9
community should be respectful when dealing with other members as well as with
people outside the BIND 9 community.
* **Be careful in the words that you choose.** We are a community of
professionals, and we conduct ourselves professionally. Be kind to others. Do
not insult or put down other participants. Harassment and other exclusionary
behavior aren't acceptable. This includes, but is not limited to:
* Violent threats or language directed against another person.
* Discriminatory jokes and language.
* Posting sexually explicit or violent material.
* Posting (or threatening to post) other people's personally identifying
information ("doxing").
* Personal insults, especially those using racist or sexist terms.
* Unwelcome sexual attention.
* Advocating for, or encouraging, any of the above behavior.
* Repeated harassment of others. In general, if someone asks you to stop, then
stop.
* **When we disagree, try to understand why.** Disagreements, both social and
technical, happen all the time and BIND 9 is no exception. It is important
that we resolve disagreements and differing views constructively. Remember
that we're different. The strength of BIND 9 comes from its varied community,
people from a wide range of backgrounds. Different people have different
perspectives on issues. Being unable to understand why someone holds a
viewpoint doesn't mean that they're wrong. Don't forget that it is human to
err and blaming each other doesn't get us anywhere. Instead, focus on helping
to resolve issues and learning from mistakes.
Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
project.
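Review bot: the reporting link `[conduct@isc.org](conduct@isc.org)` has no `mailto:` scheme, so Markdown renderers emit it as a relative link to a path named `conduct@isc.org` instead of opening a mail client; change the target to `mailto:conduct@isc.org`. The rest of the file matches the Django text credited in its last line, so no other changes are needed.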

CONTRIBUTING.md (new file, 194 lines)

@ -0,0 +1,194 @@
<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
## BIND 9 Source Access and Contributor Guidelines
*Nov 26, 2024*
### Contents
1. [Access to source code](#access)
1. [Reporting bugs](#bugs)
1. [Contributing code](#contrib)
### Introduction
Thank you for using BIND 9!
BIND is open source software that implements the Domain Name System (DNS)
protocols for the Internet. It is a reference implementation of those
protocols, but it is also production-grade software, suitable for use in
high-volume and high-reliability applications. It is very
widely used DNS software, providing a robust and stable platform on top of
which organizations can build distributed computing systems with the
knowledge that those systems are fully compliant with published DNS
standards.
BIND is and will always remain free and openly available. It can be
used and modified in any way by anyone.
BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
anyone can see the source, but only ISC employees have commit access.
In the past, the source could only be seen once ISC had published
a release; read access to the source repository was restricted just
as commit access was. That has changed, as ISC now provides a
public git repository of the BIND source tree (see below).
At ISC, we're committed to
building communities that are welcoming and inclusive: environments where people
are encouraged to share ideas, treat each other with respect, and collaborate
towards the best solutions. To reinforce our commitment, ISC
has adopted a slightly modified version of the Django
[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
for the BIND 9 project, as well as for the conduct of our developers throughout
the industry.
### <a name="access"></a>Access to source code
Public BIND releases are always available from the
[ISC FTP site](ftp://ftp.isc.org/isc/bind9).
A public-access git repository is also available at
[https://gitlab.isc.org](https://gitlab.isc.org). This repository
contains all public release branches. Upcoming releases can be viewed in
their current state at any time. Short-lived development branches
contain unreviewed work in progress. Commits which address security
vulnerablilities are withheld until after public disclosure.
You can browse the source online via
[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
To clone the repository, use:
> $ git clone https://gitlab.isc.org/isc-projects/bind9.git
Release branch names are of the form `bind-9.X`, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.20
branch, use:
> $ git checkout bind-9.20
Whenever a branch is ready for publication, a tag is placed of the
form `v9.X.Y`. The 9.20.0 release, for instance, is tagged as `v9.20.0`.
The branch in which the next major release is being developed is called
`main`.
### <a name="bugs"></a>Reporting bugs
Reports of flaws in the BIND package, including software bugs, errors
in the documentation, missing files in the tarball, suggested changes
or requests for new features, etc., can be filed using
[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or
low in priority, but we try at least to acknowledge legitimate
bug reports within a week.
ISC's GitLab system is publicly readable; however, you must have
an account to create a new issue. You can either register locally or
use credentials from an existing account at GitHub, GitLab, Google,
Twitter, or Facebook.
### Reporting possible security issues
See `SECURITY.md`.
### <a name="contrib"></a>Contributing code
BIND is licensed under the
[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
Earlier versions (BIND 9.10 and earlier) were licensed under the
[ISC License](https://www.isc.org/licenses/)
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to relinquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
#### <a name="bind"></a>BIND code
Patches for BIND may be submitted directly via merge requests in
[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source repository for
BIND. Please contact ISC and provide your GitLab username in order to be allowed
to fork the project and submit merge requests.
Patches can also be submitted as diffs against a specific version of
BIND -- preferably the current top of the `main` branch. Diffs may
be generated using either `git format-patch` or `git diff`.
Those wanting to write code for BIND may be interested in the
[developer information](doc/dev/dev.md) page, which includes information
about BIND design and coding practices, including discussion of internal
APIs and overall system architecture.
Every patch submitted is reviewed by ISC engineers following our
[code review process](doc/dev/dev.md#reviews) before it is merged.
It may take considerable time to review patch submissions, especially if
they don't meet ISC style and quality guidelines. If a patch is a good
idea, we can and will do additional work to bring it up to par, but if
we're busy with other work, it may take us a long time to get to it.
To ensure your patch is acted on as promptly as possible, please:
* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
* Run unit and system tests to ensure your change hasn't caused any
functional regressions (these can be checked in the CI pipeline).
* Document your work, both in the patch itself and in the
accompanying email.
* In patches that make non-trivial functional changes, include system
tests if possible; when introducing or substantially altering a
library API, include unit tests. See [Testing](doc/dev/dev.md#testing)
for more information.
##### Changes to `configure`
If you need to make changes to `configure`, you should not edit it
directly; instead, edit `configure.ac`, then run `autoconf`. Similarly,
instead of editing `config.h.in` directly, edit `configure.ac` and run
`autoheader`.
When submitting a patch as a diff, it's fine to omit the `configure`
diffs to save space. Just send the `configure.ac` diffs and we'll
generate the new `configure` during the review process.
##### Documentation
All functional changes should be documented. There are three types
of documentation in the BIND source tree:
* Man pages are kept alongside the source code for the commands
they document, in files ending in `.rst`: for example, the
`named` man page is `bin/named/named.rst`.
* The *BIND 9 Administrator Reference Manual* is in the .rst files in
`doc/arm/`; the HTML version is automatically generated from
the `.rst` files.
* API documentation is in the header file describing the API, in
Doxygen-formatted comments.
Patches to improve existing documentation are also very welcome!
##### Tests
BIND is a large and complex project. We rely heavily on continuous
automated testing and cannot merge new code without adequate test coverage.
Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
for more information.
#### Thanks
Thank you for your interest in contributing to the ongoing development
of BIND 9.
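Review bot: the release download link in `[ISC FTP site](ftp://ftp.isc.org/isc/bind9)` sends readers to an unencrypted, unauthenticated transport for fetching release tarballs, and the section never says how a download is to be verified; point the link at an `https://` URL and add a sentence beside it on checking the checksum or detached signature of the tarball, especially since the `git clone https://gitlab.isc.org/isc-projects/bind9.git` line two paragraphs later already uses HTTPS. Smaller points in the same file: `vulnerablilities` is a typo for `vulnerabilities`, and the two shell commands are set as `>` blockquotes (`> $ git clone https://gitlab.isc.org/isc-projects/bind9.git`, `> $ git checkout bind-9.20`) rather than fenced code blocks, so the `$` prompt renders as quoted prose instead of a command.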

COPYING (new file, 362 lines)

@ -0,0 +1,362 @@
Mozilla Public License, version 2.0
1. Definitions
1.1. "Contributor"
means each individual or legal entity that creates, contributes to the
creation of, or owns Covered Software.
1.2. "Contributor Version"
means the combination of the Contributions of others (if any) used by a
Contributor and that particular Contributor's Contribution.
1.3. "Contribution"
means Covered Software of a particular Contributor.
1.4. "Covered Software"
means Source Code Form to which the initial Contributor has attached the
notice in Exhibit A, the Executable Form of such Source Code Form, and
Modifications of such Source Code Form, in each case including portions
thereof.
1.5. "Incompatible With Secondary Licenses"
means
a. that the initial Contributor has attached the notice described in
Exhibit B to the Covered Software; or
b. that the Covered Software was made available under the terms of
version 1.1 or earlier of the License, but not also under the terms of
a Secondary License.
1.6. "Executable Form"
means any form of the work other than Source Code Form.
1.7. "Larger Work"
means a work that combines Covered Software with other material, in a
separate file or files, that is not Covered Software.
1.8. "License"
means this document.
1.9. "Licensable"
means having the right to grant, to the maximum extent possible, whether
at the time of the initial grant or subsequently, any and all of the
rights conveyed by this License.
1.10. "Modifications"
means any of the following:
a. any file in Source Code Form that results from an addition to,
deletion from, or modification of the contents of Covered Software; or
b. any new file in Source Code Form that contains any Covered Software.
1.11. "Patent Claims" of a Contributor
means any patent claim(s), including without limitation, method,
process, and apparatus claims, in any patent Licensable by such
Contributor that would be infringed, but for the grant of the License,
by the making, using, selling, offering for sale, having made, import,
or transfer of either its Contributions or its Contributor Version.
1.12. "Secondary License"
means either the GNU General Public License, Version 2.0, the GNU Lesser
General Public License, Version 2.1, the GNU Affero General Public
License, Version 3.0, or any later versions of those licenses.
1.13. "Source Code Form"
means the form of the work preferred for making modifications.
1.14. "You" (or "Your")
means an individual or a legal entity exercising rights under this
License. For legal entities, "You" includes any entity that controls, is
controlled by, or is under common control with You. For purposes of this
definition, "control" means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or
otherwise, or (b) ownership of more than fifty percent (50%) of the
outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
a. under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or
as part of a Larger Work; and
b. under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its
Contributions or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:
a. for any code that a Contributor has removed from Covered Software; or
b. for infringements caused by: (i) Your and any other third party's
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
c. under Patent Claims infringed by Covered Software in the absence of
its Contributions.
This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights to
grant the rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the
Executable Form how they can obtain a copy of such Source Code Form by
reasonable means in a timely manner, at a charge no more than the cost
of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this
License, or sublicense it under different terms, provided that the
license for the Executable Form does not attempt to limit or alter the
recipients' rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).
3.4. Notices
You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty, or
limitations of liability) contained within the Source Code Form of the
Covered Software, except that You may alter any license notices to the
extent required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute,
judicial order, or regulation then You must: (a) comply with the terms of
this License to the maximum extent possible; and (b) describe the
limitations and the code they affect. Such description must be placed in a
text file included with all distributions of the Covered Software under
this License. Except to the extent prohibited by statute or regulation,
such description must be sufficiently detailed for a recipient of ordinary
skill to be able to understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if You
fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor
are reinstated (a) provisionally, unless and until such Contributor
explicitly and finally terminates Your grants, and (b) on an ongoing
basis, if such Contributor fails to notify You of the non-compliance by
some reasonable means prior to 60 days after You have come back into
compliance. Moreover, Your grants from a particular Contributor are
reinstated on an ongoing basis if such Contributor notifies You of the
non-compliance by some reasonable means, this is the first time You have
received notice of non-compliance with this License from such
Contributor, and You become compliant prior to 30 days after Your receipt
of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
license agreements (excluding distributors and resellers) which have been
validly granted by You or Your distributors under this License prior to
termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an "as is" basis,
without warranty of any kind, either expressed, implied, or statutory,
including, without limitation, warranties that the Covered Software is free
of defects, merchantable, fit for a particular purpose or non-infringing.
The entire risk as to the quality and performance of the Covered Software
is with You. Should any Covered Software prove defective in any respect,
You (not any Contributor) assume the cost of any necessary servicing,
repair, or correction. This disclaimer of warranty constitutes an essential
part of this License. No use of any Covered Software is authorized under
this License except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any
character including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses, even if such party shall have been
informed of the possibility of such damages. This limitation of liability
shall not apply to liability for death or personal injury resulting from
such party's negligence to the extent applicable law prohibits such
limitation. Some jurisdictions do not allow the exclusion or limitation of
incidental or consequential damages, so this exclusion and limitation may
not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts
of a jurisdiction where the defendant maintains its principal place of
business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions. Nothing
in this Section shall prevent a party's ability to bring cross-claims or
counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides that
the language of a contract shall be construed against the drafter shall not
be used to construe this License against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary
Licenses If You choose to distribute Source Code Form that is
Incompatible With Secondary Licenses under the terms of this version of
the License, the notice described in Exhibit B of this License must be
attached.
Exhibit A - Source Code Form License Notice
This Source Code Form is subject to the
terms of the Mozilla Public License, v.
2.0. If a copy of the MPL was not
distributed with this file, You can
obtain one at
https://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file,
then You may include the notice in a location (such as a LICENSE file in a
relevant directory) where a recipient would be likely to look for such a
notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - "Incompatible With Secondary Licenses" Notice
This Source Code Form is "Incompatible
With Secondary Licenses", as defined by
the Mozilla Public License, v. 2.0.
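Review bot: in section 10.4 the heading and its body are run together: `10.4. Distributing Source Code Form that is Incompatible With Secondary` followed by `Licenses If You choose to distribute Source Code Form that is` puts the end of the heading and the start of the paragraph on one line, unlike 10.1 through 10.3, where each heading stands alone before its paragraph. Since this file is meant to be the verbatim MPL 2.0 text, restore the line break after `Licenses` so the subsection reads like the others and a diff against the upstream license text stays clean.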

COPYRIGHT (new file, 391 lines)

@ -0,0 +1,391 @@
Copyright (C) 1996-2023 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
-----------------------------------------------------------------------------
Portions of this code release fall under one or more of the
following Copyright notices. Please see individual source
files for details.
For binary releases also see: OpenSSL-LICENSE.
Copyright (C) 1996-2001 Nominum, Inc.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 1995-2000 by Network Associates, Inc.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all
copies.
THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
conceived and contributed by Rob Butler.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all
copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 1987, 1990, 1993, 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (C) The Internet Society 2005. This version of
this module is part of RFC 4178; see the RFC itself for
full legal notices.
(The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-----------------------------------------------------------------------------
Copyright (c) 2004 Masarykova universita
(Masaryk University, Brno, Czech Republic)
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may
be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the Institute nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1993 by Digital Equipment Corporation.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies, and that
the name of Digital Equipment Corporation not be used in advertising or
publicity pertaining to distribution of the document or software without
specific, written prior permission.
THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1999-2000 by Nortel Networks Corporation
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 2004 Nominet, Ltd.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 1996, David Mazieres <dm@uun.org>
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (C) 2008-2011 Red Hat, Inc.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 2013-2014, Farsight Security, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 2014 by Farsight Security, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-----------------------------------------------------------------------------
Copyright Joyent, Inc. and other Node contributors. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.

30
ChangeLog Normal file

@ -0,0 +1,30 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _changelog:
Changelog
=========
.. note:: The following list contains detailed information about BIND 9
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.20.9.rst
.. include:: ../changelog/changelog-9.20.8.rst
.. include:: ../changelog/changelog-9.20.7.rst
.. include:: ../changelog/changelog-9.20.6.rst
.. include:: ../changelog/changelog-9.20.5.rst
.. include:: ../changelog/changelog-9.20.4.rst
.. include:: ../changelog/changelog-9.20.3.rst
.. include:: ../changelog/changelog-9.20.2.rst
.. include:: ../changelog/changelog-9.20.1.rst
.. include:: ../changelog/changelog-history.rst

362
LICENSE Normal file

@ -0,0 +1,362 @@
Mozilla Public License, version 2.0
1. Definitions
1.1. "Contributor"
means each individual or legal entity that creates, contributes to the
creation of, or owns Covered Software.
1.2. "Contributor Version"
means the combination of the Contributions of others (if any) used by a
Contributor and that particular Contributor's Contribution.
1.3. "Contribution"
means Covered Software of a particular Contributor.
1.4. "Covered Software"
means Source Code Form to which the initial Contributor has attached the
notice in Exhibit A, the Executable Form of such Source Code Form, and
Modifications of such Source Code Form, in each case including portions
thereof.
1.5. "Incompatible With Secondary Licenses"
means
a. that the initial Contributor has attached the notice described in
Exhibit B to the Covered Software; or
b. that the Covered Software was made available under the terms of
version 1.1 or earlier of the License, but not also under the terms of
a Secondary License.
1.6. "Executable Form"
means any form of the work other than Source Code Form.
1.7. "Larger Work"
means a work that combines Covered Software with other material, in a
separate file or files, that is not Covered Software.
1.8. "License"
means this document.
1.9. "Licensable"
means having the right to grant, to the maximum extent possible, whether
at the time of the initial grant or subsequently, any and all of the
rights conveyed by this License.
1.10. "Modifications"
means any of the following:
a. any file in Source Code Form that results from an addition to,
deletion from, or modification of the contents of Covered Software; or
b. any new file in Source Code Form that contains any Covered Software.
1.11. "Patent Claims" of a Contributor
means any patent claim(s), including without limitation, method,
process, and apparatus claims, in any patent Licensable by such
Contributor that would be infringed, but for the grant of the License,
by the making, using, selling, offering for sale, having made, import,
or transfer of either its Contributions or its Contributor Version.
1.12. "Secondary License"
means either the GNU General Public License, Version 2.0, the GNU Lesser
General Public License, Version 2.1, the GNU Affero General Public
License, Version 3.0, or any later versions of those licenses.
1.13. "Source Code Form"
means the form of the work preferred for making modifications.
1.14. "You" (or "Your")
means an individual or a legal entity exercising rights under this
License. For legal entities, "You" includes any entity that controls, is
controlled by, or is under common control with You. For purposes of this
definition, "control" means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or
otherwise, or (b) ownership of more than fifty percent (50%) of the
outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
a. under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or
as part of a Larger Work; and
b. under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its
Contributions or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:
a. for any code that a Contributor has removed from Covered Software; or
b. for infringements caused by: (i) Your and any other third party's
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
c. under Patent Claims infringed by Covered Software in the absence of
its Contributions.
This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights to
grant the rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the
Executable Form how they can obtain a copy of such Source Code Form by
reasonable means in a timely manner, at a charge no more than the cost
of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this
License, or sublicense it under different terms, provided that the
license for the Executable Form does not attempt to limit or alter the
recipients' rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).
3.4. Notices
You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty, or
limitations of liability) contained within the Source Code Form of the
Covered Software, except that You may alter any license notices to the
extent required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute,
judicial order, or regulation then You must: (a) comply with the terms of
this License to the maximum extent possible; and (b) describe the
limitations and the code they affect. Such description must be placed in a
text file included with all distributions of the Covered Software under
this License. Except to the extent prohibited by statute or regulation,
such description must be sufficiently detailed for a recipient of ordinary
skill to be able to understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if You
fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor
are reinstated (a) provisionally, unless and until such Contributor
explicitly and finally terminates Your grants, and (b) on an ongoing
basis, if such Contributor fails to notify You of the non-compliance by
some reasonable means prior to 60 days after You have come back into
compliance. Moreover, Your grants from a particular Contributor are
reinstated on an ongoing basis if such Contributor notifies You of the
non-compliance by some reasonable means, this is the first time You have
received notice of non-compliance with this License from such
Contributor, and You become compliant prior to 30 days after Your receipt
of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
license agreements (excluding distributors and resellers) which have been
validly granted by You or Your distributors under this License prior to
termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an "as is" basis,
without warranty of any kind, either expressed, implied, or statutory,
including, without limitation, warranties that the Covered Software is free
of defects, merchantable, fit for a particular purpose or non-infringing.
The entire risk as to the quality and performance of the Covered Software
is with You. Should any Covered Software prove defective in any respect,
You (not any Contributor) assume the cost of any necessary servicing,
repair, or correction. This disclaimer of warranty constitutes an essential
part of this License. No use of any Covered Software is authorized under
this License except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any
character including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses, even if such party shall have been
informed of the possibility of such damages. This limitation of liability
shall not apply to liability for death or personal injury resulting from
such party's negligence to the extent applicable law prohibits such
limitation. Some jurisdictions do not allow the exclusion or limitation of
incidental or consequential damages, so this exclusion and limitation may
not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts
of a jurisdiction where the defendant maintains its principal place of
business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions. Nothing
in this Section shall prevent a party's ability to bring cross-claims or
counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides that
the language of a contract shall be construed against the drafter shall not
be used to construe this License against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary
Licenses If You choose to distribute Source Code Form that is
Incompatible With Secondary Licenses under the terms of this version of
the License, the notice described in Exhibit B of this License must be
attached.
Exhibit A - Source Code Form License Notice
This Source Code Form is subject to the
terms of the Mozilla Public License, v.
2.0. If a copy of the MPL was not
distributed with this file, You can
obtain one at
https://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file,
then You may include the notice in a location (such as a LICENSE file in a
relevant directory) where a recipient would be likely to look for such a
notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - "Incompatible With Secondary Licenses" Notice
This Source Code Form is "Incompatible
With Secondary Licenses", as defined by
the Mozilla Public License, v. 2.0.
Makefile.am Normal file
@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
SUBDIRS = . lib doc
# build libtest before fuzz/* and bin/tests
SUBDIRS += tests
# run fuzz tests before system tests
SUBDIRS += fuzz bin
BUILT_SOURCES += bind.keys.h
CLEANFILES += bind.keys.h
bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
.PHONY: doc
EXTRA_DIST = \
bind.keys \
util/bindkeys.pl \
util/dtrace.sh \
contrib \
COPYRIGHT \
LICENSE \
*.md
dist-hook:
find $(distdir) -type f -name .gitignore -delete
git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid
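Review bot: the `dist-hook` pipeline `git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid` returns only `cut`'s exit status, so in a tree that is not a git checkout `git rev-parse` fails, the rule still succeeds, and the tarball ships an empty `srcid` with no error. Capture `git rev-parse --short HEAD` on its own and fail the rule when it returns non-zero, or guard the line with `test -d $(top_srcdir)/.git`, so a missing source id is noticed at `make dist` time rather than later when the id is wanted. The `bind.keys.h` rule deserves a one-line comment as well: it bakes the contents of `bind.keys` into the build, so whatever trust anchors are in that file in the tree being built are the ones `named` is compiled with, which is the thing to verify when auditing a packaged build.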
Makefile.docs Normal file
@ -0,0 +1,59 @@
SPHINX_V = $(SPHINX_V_@AM_V@)
SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
SPHINX_V_0 = -q
SPHINX_V_1 = -n
SPHINX_W = -W
AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
AM_V_SPHINX_0 = @echo " SPHINX $@";
SPHINXBUILDDIR = $(builddir)/_build
LF = \n
RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
export RST_EPILOG = $(RNDC_CONF)$(LF)$(RNDC_KEY)$(LF)$(NAMED_CONF)$(LF)$(BIND_KEYS)$(LF)$(NAMED_PID)$(LF)$(SESSION_KEY)
common_SPHINXOPTS = \
$(SPHINX_W) \
-c $(srcdir) \
-a \
$(SPHINX_V)
ALLSPHINXOPTS = \
$(common_SPHINXOPTS) \
-D rst_epilog="$$(printf "$${RST_EPILOG}")" \
$(SPHINXOPTS) \
$(srcdir)
_ = @
man_RNDC_CONF = .. |rndc_conf| replace:: ``$(_)sysconfdir$(_)/rndc.conf``
man_RNDC_KEY = .. |rndc_key| replace:: ``$(_)sysconfdir$(_)/rndc.key``
man_NAMED_CONF = .. |named_conf| replace:: ``$(_)sysconfdir$(_)/named.conf``
man_BIND_KEYS = .. |bind_keys| replace:: ``$(_)sysconfdir$(_)/bind.keys``
man_NAMED_PID = .. |named_pid| replace:: ``$(_)runstatedir$(_)/named.pid``
man_SESSION_KEY = .. |session_key| replace:: ``$(_)runstatedir$(_)/session.key``
export man_RST_EPILOG = $(man_RNDC_CONF)$(LF)$(man_RNDC_KEY)$(LF)$(man_NAMED_CONF)$(LF)$(man_BIND_KEYS)$(LF)$(man_NAMED_PID)$(LF)$(man_SESSION_KEY)
man_SPHINXOPTS = \
$(common_SPHINXOPTS) \
-D version="@""PACKAGE_VERSION@" \
-D today="@""RELEASE_DATE@" \
-D release="@""PACKAGE_VERSION@" \
-D rst_epilog="$$(printf "$${man_RST_EPILOG}")" \
$(SPHINXOPTS) \
$(srcdir)
AM_V_SED = $(AM_V_SED_@AM_V@)
AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
AM_V_SED_0 = @echo " SED $@";
AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
AM_V_CFG_TEST_0 = @echo " CFG_GEN $@";
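Review bot: `$(BIND_KEYS)` in the `RST_EPILOG` definition is never assigned in this file (only `man_BIND_KEYS` is, in the man-page block below), so it expands to an empty string and the HTML build gets no `|bind_keys|` substitution while the man pages do. Either add `BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys``` next to `NAMED_CONF`, or drop `$(BIND_KEYS)$(LF)` from `RST_EPILOG` if the ARM no longer references it; with `SPHINX_W = -W` in effect, an undefined substitution in any ARM page fails the build instead of warning. A smaller point on the same lines: `printf "$${RST_EPILOG}"` uses the epilog as the printf format string, so a `sysconfdir` or `runstatedir` containing `%` would be mangled; `printf '%b' "$${RST_EPILOG}"` keeps the `\n` expansion from `LF` without that hazard.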
Makefile.dtrace Normal file
@ -0,0 +1,20 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
AM_V_DTRACE = $(AM_V_DTRACE_@AM_V@)
AM_V_DTRACE_ = $(AM_V_DTRACE_@AM_DEFAULT_V@)
AM_V_DTRACE_0 = @echo " DTRACE $@";
BUILT_SOURCES += probes.h
CLEANFILES += probes.h probes.o
probes.h: Makefile probes.d
$(AM_V_DTRACE)$(DTRACE) -s $(srcdir)/probes.d -h -o $@
probes.lo: Makefile probes.d $(DTRACE_DEPS)
$(AM_V_DTRACE)$(LIBTOOL) --mode=compile --tag=CC $(DTRACE) -s $(srcdir)/probes.d -G -o $@ $(DTRACE_OBJS)
if HAVE_DTRACE
if !HOST_MACOS
DTRACE_LIBADD = probes.lo
endif
endif
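Review bot: `CLEANFILES` lists `probes.h` and `probes.o` but not `probes.lo`, which is the file the second rule actually writes (libtool `--mode=compile` produces `probes.lo` alongside the underlying object), so `make clean` leaves a stale `probes.lo` behind for `DTRACE_LIBADD` to pick up on the next build. Add `probes.lo` to `CLEANFILES`. The `if HAVE_DTRACE` / `if !HOST_MACOS` nesting also leaves `DTRACE_LIBADD` undefined on macOS, which is fine as long as consumers only ever reference it as `$(DTRACE_LIBADD)`; a one-line comment saying why macOS is excluded would save the next reader a trip through the history.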
Makefile.in Normal file
File diff suppressed because it is too large
Makefile.tests Normal file
@ -0,0 +1,28 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
unit-local: check
if HAVE_CMOCKA
TESTS = $(check_PROGRAMS)
endif HAVE_CMOCKA
LOG_COMPILER = $(top_builddir)/tests/unit-test-driver.sh
AM_CFLAGS += \
-I$(top_srcdir)/tests/include \
$(TEST_CFLAGS)
AM_CPPFLAGS += \
$(CMOCKA_CFLAGS) \
-DNAMED_PLUGINDIR=\"$(pkglibdir)\" \
-DTESTS_DIR=\"$(abs_srcdir)\"
LDADD += \
$(top_builddir)/tests/libtest/libtest.la \
$(CMOCKA_LIBS)
if HAVE_JEMALLOC
AM_CFLAGS += $(JEMALLOC_CFLAGS)
LDADD += $(JEMALLOC_LIBS)
endif
Makefile.top Normal file
@ -0,0 +1,73 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = \
$(STD_CPPFLAGS) \
-include $(top_builddir)/config.h \
-I$(srcdir)/include
AM_LDFLAGS = \
$(STD_LDFLAGS)
LDADD =
BUILT_SOURCES =
CLEANFILES =
if HOST_MACOS
AM_LDFLAGS += \
-Wl,-flat_namespace
endif HOST_MACOS
if HAVE_JEMALLOC
LIBISC_CFLAGS = $(JEMALLOC_CFLAGS)
LIBISC_LIBS = $(JEMALLOC_LIBS)
else
LIBISC_CFLAGS =
LIBISC_LIBS =
endif
LIBISC_CFLAGS += \
-I$(top_srcdir)/include \
-I$(top_srcdir)/lib/isc/include \
-I$(top_builddir)/lib/isc/include
LIBISC_LIBS += $(top_builddir)/lib/isc/libisc.la
if HAVE_DTRACE
LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
endif
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
if HAVE_DTRACE
LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
endif
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
if HAVE_DTRACE
LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
endif
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
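Review bot: the `HOST_MACOS` block appends `-Wl,-flat_namespace` to `AM_LDFLAGS`, and because this file is included by every Makefile.am in the tree, every macOS link of `named`, the tools and all of the libraries gets a flat namespace rather than only the component that needs it; the line carries no comment saying which component that is. With a flat namespace, symbols are resolved by name across all loaded images instead of against the specific library they were linked from, so a same-named export in another loaded library or plugin can be the one that gets bound, which is exactly the interposition a hardened build normally wants to avoid outside of test mocks. Add a comment naming the reason and, if only one consumer needs it, move the flag into that target's `_LDFLAGS`. Minor: `LIBISCCC_CFLAGS` has a trailing slash on `include/` that none of the other `-I` paths carry.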
NEWS Normal file
@ -0,0 +1,30 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _changelog:
Changelog
=========
.. note:: The following list contains detailed information about BIND 9
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.20.9.rst
.. include:: ../changelog/changelog-9.20.8.rst
.. include:: ../changelog/changelog-9.20.7.rst
.. include:: ../changelog/changelog-9.20.6.rst
.. include:: ../changelog/changelog-9.20.5.rst
.. include:: ../changelog/changelog-9.20.4.rst
.. include:: ../changelog/changelog-9.20.3.rst
.. include:: ../changelog/changelog-9.20.2.rst
.. include:: ../changelog/changelog-9.20.1.rst
.. include:: ../changelog/changelog-history.rst
OPTIONS.md Normal file
@ -0,0 +1,29 @@
<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
Setting the `CPPFLAGS` environment variable before running `configure`
can be used to enable certain compile-time options that are not
explicitly defined in `configure`.
Some of these settings are:
| Setting | Description |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| `-DCHECK_LOCAL=0` | Don't check out-of-zone addresses in `named-checkzone` |
| `-DCHECK_SIBLING=0` | Don't check sibling glue in `named-checkzone` |
| `-DISC_FACILITY=LOG_LOCAL0` | Change the default syslog facility for `named` |
| `-DISC_HEAP_CHECK` | Test heap consistency after every heap operation; used when debugging |
| `-DISC_MEM_DEFAULTFILL=1` | Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier |
| `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult |
| `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` |
| `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports |
| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support |
README.md Normal file
@ -0,0 +1,205 @@
<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
# BIND 9
### Contents
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [Building BIND](#build)
1. [Automated testing](#testing)
1. [Documentation](#doc)
1. [Acknowledgments](#ack)
### <a name="intro"/> Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the Domain Name System (DNS) protocol.
The BIND name server, `named`, can act as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the `dig` and `delv` DNS lookup tools,
`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
administration, and more.
BIND 9 began as a complete rewrite of the BIND architecture that was
used in versions 4 and 8. Internet Systems Consortium
([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
corporation dedicated to providing software and services in support of the
Internet infrastructure, developed BIND 9 and is responsible for its
ongoing maintenance and improvement. BIND is open source software
licensed under the terms of the Mozilla Public License, version 2.0.
For a detailed list of changes made throughout the history of BIND 9, see
the [changelog](doc/arm/changelog.rst).
For up-to-date versions and release notes, see
[https://www.isc.org/download/](https://www.isc.org/download/).
For information about supported platforms, see the
["Supported Platforms"](doc/arm/platforms.rst) section in the BIND 9
Administrator Reference Manual.
### <a name="help"/> Reporting bugs and getting help
To report non-security-sensitive bugs or request new features, you may
open an issue in the BIND 9 project on the
[ISC GitLab server](https://gitlab.isc.org) at
[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
Please note that, unless you explicitly mark the newly created issue as
"confidential," it will be publicly readable. Please do not include any
information in bug reports that you consider to be confidential unless
the issue has been marked as such. In particular, if submitting the
contents of your configuration file in a non-confidential issue, it is
advisable to obscure key secrets; this can be done automatically by
using `named-checkconf -px`.
For information about ISC's Security Vulnerability Disclosure Policy and
information about reporting potential security issues, please see
`SECURITY.md`.
Professional support and training for BIND are available from
ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
for more information.
To join the __BIND Users__ mailing list, or view the archives, visit
[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
If you're planning on making changes to the BIND 9 source code, you
may also want to join the __BIND Workers__ mailing list, at
[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
### <a name="contrib"/> Contributing to BIND
ISC maintains a public git repository for BIND; details can be found
at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
Information for BIND contributors can be found in the following files:
- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
Patches for BIND may be submitted as
[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
on the [ISC GitLab server](https://gitlab.isc.org).
By default, external contributors do not have the ability to fork BIND on the
GitLab server; if you wish to contribute code to BIND, you may request
permission to do so. Thereafter, you can create git branches and directly
submit requests that they be reviewed and merged.
If you prefer, you may also submit code by opening a
[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
including your patch as an attachment, preferably generated by
`git format-patch`.
### <a name="build"/> Building BIND 9
For information about building BIND 9, see the
["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9
Administrator Reference Manual.
### <a name="testing"/> Automated testing
A system test suite can be run with `make check`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with each other). These
IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the `Net::DNS` and/or `IO::Socket::IP` modules,
and are skipped if these are not available. Some tests require Python
and the `dnspython` module and are skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework. To build
them, use `configure --with-cmocka`. Execution of tests is done by the automake
parallel test driver; unit tests are also run by `make check`.
### <a name="doc"/> Documentation
The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
distribution, and in .rst format, in the `doc/arm`
directory. The HTML version is automatically generated and can
be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
The PDF version can be built by running:
cd doc/arm/
sphinx-build -b latex . pdf/
make -C pdf/ all-pdf
The above requires TeX Live in order to work. The PDF will be written to
`doc/arm/pdf/Bv9ARM.pdf`.
Man pages for some of the programs in the BIND 9 distribution
are also included in the BIND ARM.
Frequently (and not-so-frequently) asked questions and their answers
can be found in the ISC Knowledgebase at
[https://kb.isc.org](https://kb.isc.org).
Additional information on various subjects can be found in other
`README` files throughout the source tree.
#### Bug report identifiers
Most notes in the ARM Changelog appendix include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security-sensitive.
To look up a GitLab issue by its number, use the URL
[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
To look up a merge request, use
[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
In rare cases, an issue or merge request number may be followed with the
letter "P". This indicates that the information is in the private ISC
GitLab instance, which is not visible to the public.
### <a name="ack"/> Acknowledgments
* The original development of BIND 9 was underwritten by the
following organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit.
[https://www.OpenSSL.org/](https://www.OpenSSL.org/)
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).
* This product includes software written by Tim Hudson (tjh@cryptsoft.com).
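Review bot: the section anchors use the self-closing form `<a name="intro"/>`, which HTML does not recognise for `<a>`: the trailing slash is ignored and the tag becomes an unclosed opening anchor that wraps the heading text that follows. Markdown renderers usually tolerate it, but `<a name="intro"></a>` is the portable form, and `id=` is preferred over `name=` in HTML5. Also, the contents list says "Building BIND" while the heading it links to reads "Building BIND 9"; the two should match.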
SECURITY.md Normal file
@ -0,0 +1,35 @@
<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
# Security Policy
ISC's Security Vulnerability Disclosure Policy is documented in the
relevant [ISC Knowledgebase article][1].
## Reporting possible security issues
If you think you may be seeing a potential security vulnerability in
BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
please report it immediately by [opening a confidential GitLab issue][2]
(preferred) or emailing bind-security@isc.org.
Please do not discuss undisclosed security vulnerabilities on any public
mailing list. ISC has a long history of handling reported
vulnerabilities promptly and effectively and we respect and acknowledge
responsible reporters.
If you have a crash, you may want to consult the Knowledgebase article
entitled ["What to do if your BIND or DHCP server has crashed"][3].
[1]: https://kb.isc.org/docs/aa-00861
[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
[3]: https://kb.isc.org/docs/aa-00340
aclocal.m4 vendored Normal file
File diff suppressed because it is too large
ar-lib Executable file
@ -0,0 +1,271 @@
#! /bin/sh
# Wrapper for Microsoft lib.exe
me=ar-lib
scriptversion=2019-07-04.01; # UTC
# Copyright (C) 2010-2021 Free Software Foundation, Inc.
# Written by Peter Rosin <peda@lysator.liu.se>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
# func_error message
func_error ()
{
echo "$me: $1" 1>&2
exit 1
}
file_conv=
# func_file_conv build_file
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN* | MSYS*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv in
mingw)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin | msys)
file=`cygpath -m "$file" || echo "$file"`
;;
wine)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_at_file at_file operation archive
# Iterate over all members in AT_FILE performing OPERATION on ARCHIVE
# for each of them.
# When interpreting the content of the @FILE, do NOT use func_file_conv,
# since the user would need to supply preconverted file names to
# binutils ar, at least for MinGW.
func_at_file ()
{
operation=$2
archive=$3
at_file_contents=`cat "$1"`
eval set x "$at_file_contents"
shift
for member
do
$AR -NOLOGO $operation:"$member" "$archive" || exit $?
done
}
case $1 in
'')
func_error "no command. Try '$0 --help' for more information."
;;
-h | --h*)
cat <<EOF
Usage: $me [--help] [--version] PROGRAM ACTION ARCHIVE [MEMBER...]
Members may be specified in a file named with @FILE.
EOF
exit $?
;;
-v | --v*)
echo "$me, version $scriptversion"
exit $?
;;
esac
if test $# -lt 3; then
func_error "you must specify a program, an action and an archive"
fi
AR=$1
shift
while :
do
if test $# -lt 2; then
func_error "you must specify a program, an action and an archive"
fi
case $1 in
-lib | -LIB \
| -ltcg | -LTCG \
| -machine* | -MACHINE* \
| -subsystem* | -SUBSYSTEM* \
| -verbose | -VERBOSE \
| -wx* | -WX* )
AR="$AR $1"
shift
;;
*)
action=$1
shift
break
;;
esac
done
orig_archive=$1
shift
func_file_conv "$orig_archive"
archive=$file
# strip leading dash in $action
action=${action#-}
delete=
extract=
list=
quick=
replace=
index=
create=
while test -n "$action"
do
case $action in
d*) delete=yes ;;
x*) extract=yes ;;
t*) list=yes ;;
q*) quick=yes ;;
r*) replace=yes ;;
s*) index=yes ;;
S*) ;; # the index is always updated implicitly
c*) create=yes ;;
u*) ;; # TODO: don't ignore the update modifier
v*) ;; # TODO: don't ignore the verbose modifier
*)
func_error "unknown action specified"
;;
esac
action=${action#?}
done
case $delete$extract$list$quick$replace,$index in
yes,* | ,yes)
;;
yesyes*)
func_error "more than one action specified"
;;
*)
func_error "no action specified"
;;
esac
if test -n "$delete"; then
if test ! -f "$orig_archive"; then
func_error "archive not found"
fi
for member
do
case $1 in
@*)
func_at_file "${1#@}" -REMOVE "$archive"
;;
*)
func_file_conv "$1"
$AR -NOLOGO -REMOVE:"$file" "$archive" || exit $?
;;
esac
done
elif test -n "$extract"; then
if test ! -f "$orig_archive"; then
func_error "archive not found"
fi
if test $# -gt 0; then
for member
do
case $1 in
@*)
func_at_file "${1#@}" -EXTRACT "$archive"
;;
*)
func_file_conv "$1"
$AR -NOLOGO -EXTRACT:"$file" "$archive" || exit $?
;;
esac
done
else
$AR -NOLOGO -LIST "$archive" | tr -d '\r' | sed -e 's/\\/\\\\/g' \
| while read member
do
$AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $?
done
fi
elif test -n "$quick$replace"; then
if test ! -f "$orig_archive"; then
if test -z "$create"; then
echo "$me: creating $orig_archive"
fi
orig_archive=
else
orig_archive=$archive
fi
for member
do
case $1 in
@*)
func_file_conv "${1#@}"
set x "$@" "@$file"
;;
*)
func_file_conv "$1"
set x "$@" "$file"
;;
esac
shift
shift
done
if test -n "$orig_archive"; then
$AR -NOLOGO -OUT:"$archive" "$orig_archive" "$@" || exit $?
else
$AR -NOLOGO -OUT:"$archive" "$@" || exit $?
fi
elif test -n "$list"; then
if test ! -f "$orig_archive"; then
func_error "archive not found"
fi
$AR -NOLOGO -LIST "$archive" || exit $?
fi
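Review bot: this is automake's vendored `ar-lib` (its header says so, scriptversion 2019-07-04.01), so it should be kept byte-identical to the copy shipped with the automake release that generated the `Makefile.in` files on this page (they say 1.16.5) rather than hand-edited; worth a quick diff against that release to confirm. The one thing a reader should know about it is that `func_at_file` does `eval set x "$at_file_contents"`, which hands the contents of an `@FILE` response file to the shell for evaluation, so quoting, globs and `$(...)` inside such a file are interpreted rather than taken literally. That code path is only reached when `AR` is Microsoft `lib.exe`, so it is a note for readers, not a blocker for this import.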
bin/Makefile.am Normal file
@ -0,0 +1 @@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
bin/Makefile.in Normal file
@ -0,0 +1,741 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
subdir = bin
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
distdir distdir-am
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
sed_rest='s,^[^/]*/*,,'; \
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
sed_butlast='s,/*[^/]*$$,,'; \
while test -n "$$dir1"; do \
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
if test "$$first" != "."; then \
if test "$$first" = ".."; then \
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
else \
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
if test "$$first2" = "$$first"; then \
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
else \
dir2="../$$dir2"; \
fi; \
dir0="$$dir0"/"$$first"; \
fi; \
fi; \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
all: all-recursive
.SUFFIXES:
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done; \
if test "$$dot_seen" = "no"; then \
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
include_option=--etags-include; \
empty_fix=.; \
else \
include_option=--include; \
empty_fix=; \
fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test ! -f $$subdir/TAGS || \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
dir1=$$subdir; dir2="$(top_distdir)"; \
$(am__relativize); \
new_top_distdir=$$reldir; \
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
($(am__cd) $$subdir && \
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$$new_top_distdir" \
distdir="$$new_distdir" \
am__remove_distdir=: \
am__skip_length_check=: \
am__skip_mode_fix=: \
distdir) \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-recursive
all-am: Makefile
installdirs: installdirs-recursive
installdirs-am:
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-recursive
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-recursive
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-recursive
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-tags
doc: doc-recursive
doc-am: doc-local
dvi: dvi-recursive
dvi-am:
html: html-recursive
html-am:
info: info-recursive
info-am:
install-data-am:
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am:
install-html: install-html-recursive
install-html-am:
install-info: install-info-recursive
install-info-am:
install-man:
install-pdf: install-pdf-recursive
install-pdf-am:
install-ps: install-ps-recursive
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-recursive
pdf-am:
ps: ps-recursive
ps-am:
test: test-recursive
test-am: test-local
uninstall-am:
unit: unit-recursive
unit-am: unit-local
.MAKE: $(am__recursive_targets) install-am install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
check-am clean clean-generic clean-libtool cscopelist-am ctags \
ctags-am distclean distclean-generic distclean-libtool \
distclean-tags distdir doc-am doc-local dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am test-am \
test-local uninstall uninstall-am unit-am unit-local
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

32
bin/check/Makefile.am Normal file
@ -0,0 +1,32 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCFG_CFLAGS)
AM_CPPFLAGS += \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
noinst_LTLIBRARIES = libcheck-tool.la
libcheck_tool_la_SOURCES = \
check-tool.h \
check-tool.c
LDADD += \
libcheck-tool.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCFG_LIBS)
bin_PROGRAMS = named-checkconf named-checkzone
install-exec-hook:
ln -f $(DESTDIR)$(bindir)/named-checkzone \
$(DESTDIR)$(bindir)/named-compilezone
uninstall-hook:
-rm -f $(DESTDIR)$(bindir)/named-compilezone
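Review bot: the `install-exec-hook` and `uninstall-hook` rules hard-code the installed names `named-checkzone` and `named-compilezone`, so they break whenever `configure` is given a program-name transform or an executable suffix; the generated `bin/check/Makefile.in` in this same commit exposes both as `transform = $(program_transform_name)` and `named-checkzone$(EXEEXT)`, and `ln -f` creates a hard link, which fails on filesystems that do not support hard links. Suggest applying the suffix and falling back to `$(LN_S)` (also defined in the generated Makefile.in), e.g. `ln -f $(DESTDIR)$(bindir)/named-checkzone$(EXEEXT) $(DESTDIR)$(bindir)/named-compilezone$(EXEEXT) || $(LN_S) named-checkzone$(EXEEXT) $(DESTDIR)$(bindir)/named-compilezone$(EXEEXT)`, and documenting in Makefile.am that the two names share one inode, so replacing one file in place (a packager's post-install strip, for instance) changes the other as well. Style: `\"${sysconfdir}/named.conf\"` uses shell-style braces in a file that otherwise uses `$(...)`; both are valid make syntax, so this is cosmetic.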

886
bin/check/Makefile.in Normal file
@ -0,0 +1,886 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
@HOST_MACOS_TRUE@am__append_1 = \
@HOST_MACOS_TRUE@ -Wl,-flat_namespace
bin_PROGRAMS = named-checkconf$(EXEEXT) named-checkzone$(EXEEXT)
subdir = bin/check
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
LTLIBRARIES = $(noinst_LTLIBRARIES)
libcheck_tool_la_LIBADD =
am_libcheck_tool_la_OBJECTS = check-tool.lo
libcheck_tool_la_OBJECTS = $(am_libcheck_tool_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
named_checkconf_SOURCES = named-checkconf.c
named_checkconf_OBJECTS = named-checkconf.$(OBJEXT)
named_checkconf_LDADD = $(LDADD)
am__DEPENDENCIES_1 =
@HAVE_JEMALLOC_FALSE@am__DEPENDENCIES_2 = \
@HAVE_JEMALLOC_FALSE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
named_checkconf_DEPENDENCIES = libcheck-tool.la $(am__DEPENDENCIES_2) \
$(LIBDNS_LIBS) $(LIBNS_LIBS) $(LIBISCCFG_LIBS)
named_checkzone_SOURCES = named-checkzone.c
named_checkzone_OBJECTS = named-checkzone.$(OBJEXT)
named_checkzone_LDADD = $(LDADD)
named_checkzone_DEPENDENCIES = libcheck-tool.la $(am__DEPENDENCIES_2) \
$(LIBDNS_LIBS) $(LIBNS_LIBS) $(LIBISCCFG_LIBS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/check-tool.Plo \
./$(DEPDIR)/named-checkconf.Po ./$(DEPDIR)/named-checkzone.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo " CC " $@;
am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(libcheck_tool_la_SOURCES) named-checkconf.c \
named-checkzone.c
DIST_SOURCES = $(libcheck_tool_la_SOURCES) named-checkconf.c \
named-checkzone.c
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \
$(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \
-I$(srcdir)/include $(LIBISC_CFLAGS) $(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) $(LIBISCCFG_CFLAGS) \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1)
LDADD = libcheck-tool.la $(LIBISC_LIBS) $(LIBDNS_LIBS) $(LIBNS_LIBS) \
$(LIBISCCFG_LIBS)
BUILT_SOURCES =
CLEANFILES =
@HAVE_JEMALLOC_FALSE@LIBISC_CFLAGS = -I$(top_srcdir)/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_TRUE@LIBISC_CFLAGS = $(JEMALLOC_CFLAGS) \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_FALSE@LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@LIBISC_LIBS = $(JEMALLOC_LIBS) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_DTRACE_TRUE@LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
@HAVE_DTRACE_TRUE@LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
@HAVE_DTRACE_TRUE@LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
noinst_LTLIBRARIES = libcheck-tool.la
libcheck_tool_la_SOURCES = \
check-tool.h \
check-tool.c
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/check/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/check/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.top $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
clean-noinstLTLIBRARIES:
-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
@list='$(noinst_LTLIBRARIES)'; \
locs=`for p in $$list; do echo $$p; done | \
sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
sort -u`; \
test -z "$$locs" || { \
echo rm -f $${locs}; \
rm -f $${locs}; \
}
libcheck-tool.la: $(libcheck_tool_la_OBJECTS) $(libcheck_tool_la_DEPENDENCIES) $(EXTRA_libcheck_tool_la_DEPENDENCIES)
$(AM_V_CCLD)$(LINK) $(libcheck_tool_la_OBJECTS) $(libcheck_tool_la_LIBADD) $(LIBS)
named-checkconf$(EXEEXT): $(named_checkconf_OBJECTS) $(named_checkconf_DEPENDENCIES) $(EXTRA_named_checkconf_DEPENDENCIES)
@rm -f named-checkconf$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(named_checkconf_OBJECTS) $(named_checkconf_LDADD) $(LIBS)
named-checkzone$(EXEEXT): $(named_checkzone_OBJECTS) $(named_checkzone_DEPENDENCIES) $(EXTRA_named_checkzone_DEPENDENCIES)
@rm -f named-checkzone$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(named_checkzone_OBJECTS) $(named_checkzone_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/check-tool.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/named-checkconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/named-checkzone.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
all-am: Makefile $(PROGRAMS) $(LTLIBRARIES)
installdirs:
for dir in "$(DESTDIR)$(bindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
clean-am: clean-binPROGRAMS clean-generic clean-libtool \
clean-noinstLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/check-tool.Plo
-rm -f ./$(DEPDIR)/named-checkconf.Po
-rm -f ./$(DEPDIR)/named-checkzone.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
doc: doc-am
doc-am: doc-local
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-binPROGRAMS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/check-tool.Plo
-rm -f ./$(DEPDIR)/named-checkconf.Po
-rm -f ./$(DEPDIR)/named-checkzone.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
test: test-am
test-am: test-local
uninstall-am: uninstall-binPROGRAMS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
unit: unit-am
unit-am: unit-local
.MAKE: all check install install-am install-exec install-exec-am \
install-strip uninstall-am
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-binPROGRAMS clean-generic clean-libtool \
clean-noinstLTLIBRARIES cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir doc-am doc-local dvi dvi-am html \
html-am info info-am install install-am install-binPROGRAMS \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-exec-hook install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am tags tags-am test-am test-local uninstall \
uninstall-am uninstall-binPROGRAMS uninstall-hook unit-am \
unit-local
.PRECIOUS: Makefile
install-exec-hook:
ln -f $(DESTDIR)$(bindir)/named-checkzone \
$(DESTDIR)$(bindir)/named-compilezone
uninstall-hook:
-rm -f $(DESTDIR)$(bindir)/named-compilezone
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
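Review bot: install-exec-hook creates named-compilezone with `ln -f $(DESTDIR)$(bindir)/named-checkzone $(DESTDIR)$(bindir)/named-compilezone`, using the bare program name, while install-binPROGRAMS installs the binary under the transformed name (`s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/`) and uninstall-binPROGRAMS removes it the same way. With a non-empty $(EXEEXT) or a configure-time --program-prefix/--program-transform-name, the link source does not exist and the hook fails; uninstall-hook likewise removes only the untransformed name. Suggest computing both names through $(transform) and appending $(EXEEXT), the same way the generated rules do, and considering whether a hard link is acceptable on targets where $(bindir) may not support hard links.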
bin/check/check-tool.c Normal file
@ -0,0 +1,693 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <inttypes.h>
#include <netdb.h>
#include <stdbool.h>
#include <stdio.h>
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/symtab.h>
#include <isc/types.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dns/types.h>
#include <dns/zone.h>
#include <isccfg/log.h>
#include <ns/log.h>
#include "check-tool.h"
#ifndef CHECK_SIBLING
#define CHECK_SIBLING 1
#endif /* ifndef CHECK_SIBLING */
#ifndef CHECK_LOCAL
#define CHECK_LOCAL 1
#endif /* ifndef CHECK_LOCAL */
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
#define ERR_IS_CNAME 1
#define ERR_NO_ADDRESSES 2
#define ERR_LOOKUP_FAILURE 3
#define ERR_EXTRA_A 4
#define ERR_EXTRA_AAAA 5
#define ERR_MISSING_GLUE 5
#define ERR_IS_MXCNAME 6
#define ERR_IS_SRVCNAME 7
static const char *dbtype[] = { ZONEDB_DEFAULT };
int debug = 0;
const char *journal = NULL;
bool nomerge = true;
#if CHECK_LOCAL
bool docheckmx = true;
bool dochecksrv = true;
bool docheckns = true;
#else /* if CHECK_LOCAL */
bool docheckmx = false;
bool dochecksrv = false;
bool docheckns = false;
#endif /* if CHECK_LOCAL */
dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF |
DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKINTEGRITY |
#if CHECK_SIBLING
DNS_ZONEOPT_CHECKSIBLING |
#endif /* if CHECK_SIBLING */
DNS_ZONEOPT_CHECKSVCB | DNS_ZONEOPT_CHECKWILDCARD |
DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
/*
* This needs to match the list in bin/named/log.c.
*/
static isc_logcategory_t categories[] = { { "", 0 },
{ "unmatched", 0 },
{ NULL, 0 } };
static isc_symtab_t *symtab = NULL;
static isc_mem_t *sym_mctx;
static void
freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
UNUSED(type);
UNUSED(value);
isc_mem_free(userarg, key);
}
static void
add(char *key, int value) {
isc_result_t result;
isc_symvalue_t symvalue;
if (sym_mctx == NULL) {
isc_mem_create(&sym_mctx);
}
if (symtab == NULL) {
result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
false, &symtab);
if (result != ISC_R_SUCCESS) {
return;
}
}
key = isc_mem_strdup(sym_mctx, key);
symvalue.as_pointer = NULL;
result = isc_symtab_define(symtab, key, value, symvalue,
isc_symexists_reject);
if (result != ISC_R_SUCCESS) {
isc_mem_free(sym_mctx, key);
}
}
static bool
logged(char *key, int value) {
isc_result_t result;
if (symtab == NULL) {
return false;
}
result = isc_symtab_lookup(symtab, key, value, NULL);
if (result == ISC_R_SUCCESS) {
return true;
}
return false;
}
static bool
checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
dns_rdataset_t *a, dns_rdataset_t *aaaa) {
dns_rdataset_t *rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
bool answer = true;
bool match;
const char *type;
void *ptr = NULL;
int result;
REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
a->type == dns_rdatatype_a);
REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
aaaa->type == dns_rdatatype_aaaa);
if (a == NULL || aaaa == NULL) {
return answer;
}
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
{
cur = cur->ai_next;
}
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0 &&
!logged(namebuf, ERR_IS_CNAME))
{
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"is a CNAME '%s' (illegal)",
ownerbuf, namebuf, cur->ai_canonname);
/* XXX950 make fatal for 9.5.0 */
/* answer = false; */
add(namebuf, ERR_IS_CNAME);
}
break;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0 */
return true;
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s", namebuf,
gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return true;
}
/*
* Check that all glue records really exist.
*/
if (!dns_rdataset_isassociated(a)) {
goto checkaaaa;
}
result = dns_rdataset_first(a);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(a, &rdata);
match = false;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
if (cur->ai_family != AF_INET) {
continue;
}
ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
if (memcmp(ptr, rdata.data, rdata.length) == 0) {
match = true;
break;
}
}
if (!match && !logged(namebuf, ERR_EXTRA_A)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' "
"extra GLUE A record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET, rdata.data, addrbuf,
sizeof(addrbuf)));
add(namebuf, ERR_EXTRA_A);
/* XXX950 make fatal for 9.5.0 */
/* answer = false; */
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(a);
}
checkaaaa:
if (!dns_rdataset_isassociated(aaaa)) {
goto checkmissing;
}
result = dns_rdataset_first(aaaa);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(aaaa, &rdata);
match = false;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
if (cur->ai_family != AF_INET6) {
continue;
}
ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
->sin6_addr;
if (memcmp(ptr, rdata.data, rdata.length) == 0) {
match = true;
break;
}
}
if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' "
"extra GLUE AAAA record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET6, rdata.data, addrbuf,
sizeof(addrbuf)));
add(namebuf, ERR_EXTRA_AAAA);
/* XXX950 make fatal for 9.5.0. */
/* answer = false; */
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(aaaa);
}
checkmissing:
/*
* Check that all addresses appear in the glue.
*/
if (!logged(namebuf, ERR_MISSING_GLUE)) {
bool missing_glue = false;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
switch (cur->ai_family) {
case AF_INET:
rdataset = a;
ptr = &((struct sockaddr_in *)(cur->ai_addr))
->sin_addr;
type = "A";
break;
case AF_INET6:
rdataset = aaaa;
ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
->sin6_addr;
type = "AAAA";
break;
default:
continue;
}
match = false;
if (dns_rdataset_isassociated(rdataset)) {
result = dns_rdataset_first(rdataset);
} else {
result = ISC_R_FAILURE;
}
while (result == ISC_R_SUCCESS && !match) {
dns_rdataset_current(rdataset, &rdata);
if (memcmp(ptr, rdata.data, rdata.length) == 0)
{
match = true;
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
}
if (!match) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' "
"missing GLUE %s record (%s)",
ownerbuf, namebuf, type,
inet_ntop(cur->ai_family, ptr,
addrbuf,
sizeof(addrbuf)));
/* XXX950 make fatal for 9.5.0. */
/* answer = false; */
missing_glue = true;
}
}
if (missing_glue) {
add(namebuf, ERR_MISSING_GLUE);
}
}
freeaddrinfo(ai);
return answer;
}
static bool
checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
int level = ISC_LOG_ERROR;
bool answer = true;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
{
cur = cur->ai_next;
}
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0)
{
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) {
level = ISC_LOG_WARNING;
}
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
if (!logged(namebuf, ERR_IS_MXCNAME)) {
dns_zone_log(zone, level,
"%s/MX '%s' (out of zone)"
" is a CNAME '%s' "
"(illegal)",
ownerbuf, namebuf,
cur->ai_canonname);
add(namebuf, ERR_IS_MXCNAME);
}
if (level == ISC_LOG_ERROR) {
answer = false;
}
}
}
freeaddrinfo(ai);
return answer;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/MX '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0. */
return true;
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s", namebuf,
gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return true;
}
}
static bool
checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
int level = ISC_LOG_ERROR;
bool answer = true;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
{
cur = cur->ai_next;
}
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0)
{
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) {
level = ISC_LOG_WARNING;
}
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
if (!logged(namebuf, ERR_IS_SRVCNAME)) {
dns_zone_log(zone, level,
"%s/SRV '%s'"
" (out of zone) is a "
"CNAME '%s' (illegal)",
ownerbuf, namebuf,
cur->ai_canonname);
add(namebuf, ERR_IS_SRVCNAME);
}
if (level == ISC_LOG_ERROR) {
answer = false;
}
}
}
freeaddrinfo(ai);
return answer;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/SRV '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0. */
return true;
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s", namebuf,
gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return true;
}
}
isc_result_t
setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
isc_log_create(mctx, &log, &logconfig);
isc_log_registercategories(log, categories);
isc_log_setcontext(log);
dns_log_init(log);
dns_log_setcontext(log);
cfg_log_init(log);
ns_log_init(log);
destination.file.stream = errout;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
ISC_LOG_DYNAMIC, &destination, 0);
RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
ISC_R_SUCCESS);
*logp = log;
return ISC_R_SUCCESS;
}
/*% load the zone */
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_masterformat_t fileformat, const char *classname,
dns_ttl_t maxttl, dns_zone_t **zonep) {
isc_result_t result;
dns_rdataclass_t rdclass;
isc_textregion_t region;
isc_buffer_t buffer;
dns_fixedname_t fixorigin;
dns_name_t *origin;
dns_zone_t *zone = NULL;
REQUIRE(zonep == NULL || *zonep == NULL);
if (debug) {
fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
zonename, filename, classname);
}
dns_zone_create(&zone, mctx, 0);
dns_zone_settype(zone, dns_zone_primary);
isc_buffer_constinit(&buffer, zonename, strlen(zonename));
isc_buffer_add(&buffer, strlen(zonename));
origin = dns_fixedname_initname(&fixorigin);
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
if (strcmp(filename, "-") == 0) {
CHECK(dns_zone_setstream(zone, stdin, fileformat,
&dns_master_style_default));
} else {
CHECK(dns_zone_setfile(zone, filename, fileformat,
&dns_master_style_default));
}
if (journal != NULL) {
CHECK(dns_zone_setjournal(zone, journal));
}
region.base = UNCONST(classname);
region.length = strlen(classname);
CHECK(dns_rdataclass_fromtext(&rdclass, &region));
dns_zone_setclass(zone, rdclass);
dns_zone_setoption(zone, zone_options, true);
dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
dns_zone_setmaxttl(zone, maxttl);
if (docheckmx) {
dns_zone_setcheckmx(zone, checkmx);
}
if (docheckns) {
dns_zone_setcheckns(zone, checkns);
}
if (dochecksrv) {
dns_zone_setchecksrv(zone, checksrv);
}
CHECK(dns_zone_load(zone, false));
if (zonep != NULL) {
*zonep = zone;
zone = NULL;
}
cleanup:
if (zone != NULL) {
dns_zone_detach(&zone);
}
return result;
}
/*% dump the zone */
isc_result_t
dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
dns_masterformat_t fileformat, const dns_master_style_t *style,
const uint32_t rawversion) {
isc_result_t result;
FILE *output = stdout;
const char *flags;
flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
if (debug) {
if (filename != NULL && strcmp(filename, "-") != 0) {
fprintf(stderr, "dumping \"%s\" to \"%s\"\n", zonename,
filename);
} else {
fprintf(stderr, "dumping \"%s\"\n", zonename);
}
}
if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, flags, &output);
if (result != ISC_R_SUCCESS) {
fprintf(stderr,
"could not open output "
"file \"%s\" for writing\n",
filename);
return ISC_R_FAILURE;
}
}
result = dns_zone_dumptostream(zone, output, fileformat, style,
rawversion);
if (output != stdout) {
(void)isc_stdio_close(output);
}
return result;
}
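Review bot: ERR_EXTRA_AAAA and ERR_MISSING_GLUE are both defined as 5, and the de-duplication symtab is keyed by (name, value) through add()/logged(), so the two conditions share one entry. In checkns(), once `add(namebuf, ERR_EXTRA_AAAA)` has run for a nameserver, `logged(namebuf, ERR_MISSING_GLUE)` returns true and the entire missing-glue check for that name is skipped, so missing A/AAAA glue is never reported; the reverse suppression applies once missing glue has been recorded. Suggest giving ERR_MISSING_GLUE its own value and renumbering ERR_IS_MXCNAME and ERR_IS_SRVCNAME after it. Separately, the three "has no addresses records (A or AAAA)" messages should read "has no address records".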
bin/check/check-tool.h Normal file
@ -0,0 +1,52 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <inttypes.h>
#include <stdbool.h>
#include <isc/lang.h>
#include <isc/stdio.h>
#include <isc/types.h>
#include <dns/masterdump.h>
#include <dns/types.h>
#include <dns/zone.h>
ISC_LANG_BEGINDECLS
isc_result_t
setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_masterformat_t fileformat, const char *classname,
dns_ttl_t maxttl, dns_zone_t **zonep);
isc_result_t
dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
dns_masterformat_t fileformat, const dns_master_style_t *style,
const uint32_t rawversion);
extern int debug;
extern const char *journal;
extern bool nomerge;
extern bool docheckmx;
extern bool docheckns;
extern bool dochecksrv;
extern dns_zoneopt_t zone_options;
ISC_LANG_ENDDECLS
bin/check/named-checkconf.c Normal file
@ -0,0 +1,778 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rootns.h>
#include <dns/zone.h>
#include <isccfg/check.h>
#include <isccfg/grammar.h>
#include <isccfg/namedconf.h>
#include "check-tool.h"
static const char *program = "named-checkconf";
isc_log_t *logc = NULL;
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
/*% usage */
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr,
"usage: %s [-achijlvz] [-p [-x]] [-t directory] "
"[named.conf]\n",
program);
exit(EXIT_SUCCESS);
}
/*% directory callback */
static isc_result_t
directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
isc_result_t result;
const char *directory;
REQUIRE(strcasecmp("directory", clausename) == 0);
UNUSED(arg);
UNUSED(clausename);
/*
* Change directory.
*/
directory = cfg_obj_asstring(obj);
result = isc_dir_chdir(directory);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, logc, ISC_LOG_ERROR,
"change directory to '%s' failed: %s\n", directory,
isc_result_totext(result));
return result;
}
return ISC_R_SUCCESS;
}
static bool
get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
int i;
for (i = 0;; i++) {
if (maps[i] == NULL) {
return false;
}
if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
return true;
}
}
}
static bool
get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
const cfg_listelt_t *element;
const cfg_obj_t *checknames;
const cfg_obj_t *type;
const cfg_obj_t *value;
isc_result_t result;
int i;
for (i = 0;; i++) {
if (maps[i] == NULL) {
return false;
}
checknames = NULL;
result = cfg_map_get(maps[i], "check-names", &checknames);
if (result != ISC_R_SUCCESS) {
continue;
}
if (checknames != NULL && !cfg_obj_islist(checknames)) {
*obj = checknames;
return true;
}
for (element = cfg_list_first(checknames); element != NULL;
element = cfg_list_next(element))
{
value = cfg_listelt_value(element);
type = cfg_tuple_get(value, "type");
if ((strcasecmp(cfg_obj_asstring(type), "primary") !=
0) &&
(strcasecmp(cfg_obj_asstring(type), "master") != 0))
{
continue;
}
*obj = cfg_tuple_get(value, "mode");
return true;
}
}
}
static isc_result_t
configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
isc_result_t result;
dns_db_t *db = NULL;
dns_rdataclass_t rdclass;
isc_textregion_t r;
if (zfile == NULL) {
return ISC_R_FAILURE;
}
r.base = UNCONST(zclass);
r.length = strlen(zclass);
result = dns_rdataclass_fromtext(&rdclass, &r);
if (result != ISC_R_SUCCESS) {
return result;
}
result = dns_rootns_create(mctx, rdclass, zfile, &db);
if (result != ISC_R_SUCCESS) {
return result;
}
dns_db_detach(&db);
return ISC_R_SUCCESS;
}
/*% configure the zone */
static isc_result_t
configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
isc_mem_t *mctx, bool list) {
int i = 0;
isc_result_t result;
const char *zclass;
const char *zname;
const char *zfile = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *primariesobj = NULL;
const cfg_obj_t *inviewobj = NULL;
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *classobj = NULL;
const cfg_obj_t *typeobj = NULL;
const cfg_obj_t *fileobj = NULL;
const cfg_obj_t *dlzobj = NULL;
const cfg_obj_t *dbobj = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *fmtobj = NULL;
dns_masterformat_t masterformat;
dns_ttl_t maxttl = 0;
zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
classobj = cfg_tuple_get(zconfig, "class");
if (!cfg_obj_isstring(classobj)) {
zclass = vclass;
} else {
zclass = cfg_obj_asstring(classobj);
}
zoptions = cfg_tuple_get(zconfig, "options");
maps[i++] = zoptions;
if (vconfig != NULL) {
maps[i++] = cfg_tuple_get(vconfig, "options");
}
if (config != NULL) {
cfg_map_get(config, "options", &obj);
if (obj != NULL) {
maps[i++] = obj;
}
}
maps[i] = NULL;
cfg_map_get(zoptions, "in-view", &inviewobj);
if (inviewobj != NULL && list) {
const char *inview = cfg_obj_asstring(inviewobj);
printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
}
if (inviewobj != NULL) {
return ISC_R_SUCCESS;
}
cfg_map_get(zoptions, "type", &typeobj);
if (typeobj == NULL) {
return ISC_R_FAILURE;
}
if (list) {
const char *ztype = cfg_obj_asstring(typeobj);
printf("%s %s %s %s\n", zname, zclass, view, ztype);
return ISC_R_SUCCESS;
}
/*
* Skip checks when using an alternate data source.
*/
cfg_map_get(zoptions, "database", &dbobj);
if (dbobj != NULL &&
strcmp(ZONEDB_DEFAULT, cfg_obj_asstring(dbobj)) != 0)
{
return ISC_R_SUCCESS;
}
cfg_map_get(zoptions, "dlz", &dlzobj);
if (dlzobj != NULL) {
return ISC_R_SUCCESS;
}
cfg_map_get(zoptions, "file", &fileobj);
if (fileobj != NULL) {
zfile = cfg_obj_asstring(fileobj);
}
/*
* Check hints files for hint zones.
* Skip loading checks for any type other than
* master and redirect
*/
if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
return configure_hint(zfile, zclass, mctx);
} else if ((strcasecmp(cfg_obj_asstring(typeobj), "primary") != 0) &&
(strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
(strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
{
return ISC_R_SUCCESS;
}
/*
* Is the redirect zone configured as a secondary?
*/
if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
cfg_map_get(zoptions, "primaries", &primariesobj);
if (primariesobj == NULL) {
cfg_map_get(zoptions, "masters", &primariesobj);
}
if (primariesobj != NULL) {
return ISC_R_SUCCESS;
}
}
if (zfile == NULL) {
return ISC_R_FAILURE;
}
obj = NULL;
if (get_maps(maps, "check-dup-records", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
}
obj = NULL;
if (get_maps(maps, "check-mx", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
}
obj = NULL;
if (get_maps(maps, "check-integrity", &obj)) {
if (cfg_obj_asboolean(obj)) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
} else {
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
}
} else {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
}
obj = NULL;
if (get_maps(maps, "check-mx-cname", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
}
obj = NULL;
if (get_maps(maps, "check-srv-cname", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
}
obj = NULL;
if (get_maps(maps, "check-sibling", &obj)) {
if (cfg_obj_asboolean(obj)) {
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
} else {
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
}
}
obj = NULL;
if (get_maps(maps, "check-spf", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_CHECKSPF;
}
obj = NULL;
if (get_maps(maps, "check-svcb", &obj)) {
if (cfg_obj_asboolean(obj)) {
zone_options |= DNS_ZONEOPT_CHECKSVCB;
} else {
zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
}
} else {
zone_options |= DNS_ZONEOPT_CHECKSVCB;
}
obj = NULL;
if (get_maps(maps, "check-wildcard", &obj)) {
if (cfg_obj_asboolean(obj)) {
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
} else {
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
}
} else {
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
}
obj = NULL;
if (get_checknames(maps, &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else {
UNREACHABLE();
}
} else {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
}
masterformat = dns_masterformat_text;
fmtobj = NULL;
if (get_maps(maps, "masterfile-format", &fmtobj)) {
const char *masterformatstr = cfg_obj_asstring(fmtobj);
if (strcasecmp(masterformatstr, "text") == 0) {
masterformat = dns_masterformat_text;
} else if (strcasecmp(masterformatstr, "raw") == 0) {
masterformat = dns_masterformat_raw;
} else {
UNREACHABLE();
}
}
obj = NULL;
if (get_maps(maps, "max-zone-ttl", &obj)) {
maxttl = cfg_obj_asduration(obj);
zone_options |= DNS_ZONEOPT_CHECKTTL;
}
result = load_zone(mctx, zname, zfile, masterformat, zclass, maxttl,
NULL);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
isc_result_totext(result));
}
return result;
}
/*% configure a view */
static isc_result_t
configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list) {
const cfg_listelt_t *element;
const cfg_obj_t *voptions;
const cfg_obj_t *zonelist;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
voptions = NULL;
if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
}
zonelist = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "zone", &zonelist);
} else {
(void)cfg_map_get(config, "zone", &zonelist);
}
for (element = cfg_list_first(zonelist); element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
tresult = configure_zone(vclass, view, zconfig, vconfig, config,
mctx, list);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
return result;
}
static isc_result_t
config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
dns_rdataclass_t *classp) {
isc_textregion_t r;
if (!cfg_obj_isstring(classobj)) {
*classp = defclass;
return ISC_R_SUCCESS;
}
r.base = UNCONST(cfg_obj_asstring(classobj));
r.length = strlen(r.base);
return dns_rdataclass_fromtext(classp, &r);
}
/*% load zones from the configuration */
static isc_result_t
load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
bool list_zones) {
const cfg_listelt_t *element;
const cfg_obj_t *views;
const cfg_obj_t *vconfig;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
views = NULL;
(void)cfg_map_get(config, "view", &views);
for (element = cfg_list_first(views); element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *classobj;
dns_rdataclass_t viewclass;
const char *vname;
char buf[sizeof("CLASS65535")];
vconfig = cfg_listelt_value(element);
if (vconfig == NULL) {
continue;
}
classobj = cfg_tuple_get(vconfig, "class");
tresult = config_getclass(classobj, dns_rdataclass_in,
&viewclass);
if (tresult != ISC_R_SUCCESS) {
CHECK(tresult);
}
if (dns_rdataclass_ismeta(viewclass)) {
CHECK(ISC_R_FAILURE);
}
dns_rdataclass_format(viewclass, buf, sizeof(buf));
vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
tresult = configure_view(buf, vname, config, vconfig, mctx,
list_zones);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
if (views == NULL) {
tresult = configure_view("IN", "_default", config, NULL, mctx,
list_zones);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
cleanup:
return result;
}
static void
output(void *closure, const char *text, int textlen) {
if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
isc_result_t *result = closure;
perror("fwrite");
*result = ISC_R_FAILURE;
}
}
/*% The main processing routine */
int
main(int argc, char **argv) {
int c;
cfg_parser_t *parser = NULL;
cfg_obj_t *config = NULL;
const char *conffile = NULL;
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
bool cleanup_dst = false;
bool load_zones = false;
bool list_zones = false;
bool print = false;
bool nodeprecate = false;
unsigned int flags = 0;
unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS;
isc_commandline_errprint = false;
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "acdhijlm:t:pvxz"
while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (c) {
case 'm':
if (strcasecmp(isc_commandline_argument, "record") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
}
if (strcasecmp(isc_commandline_argument, "trace") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
}
if (strcasecmp(isc_commandline_argument, "usage") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
}
break;
default:
break;
}
}
isc_commandline_reset = true;
isc_mem_create(&mctx);
while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
switch (c) {
case 'a':
checkflags &= ~BIND_CHECK_ALGORITHMS;
break;
case 'c':
checkflags &= ~BIND_CHECK_PLUGINS;
break;
case 'd':
debug++;
break;
case 'i':
nodeprecate = true;
break;
case 'j':
nomerge = false;
break;
case 'l':
list_zones = true;
break;
case 'm':
break;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s\n",
isc_result_totext(result));
CHECK(result);
}
break;
case 'p':
print = true;
break;
case 'v':
printf("%s\n", PACKAGE_VERSION);
result = ISC_R_SUCCESS;
goto cleanup;
case 'x':
flags |= CFG_PRINTER_XKEY;
break;
case 'z':
load_zones = true;
docheckmx = false;
docheckns = false;
dochecksrv = false;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
isc_mem_detach(&mctx);
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
CHECK(ISC_R_FAILURE);
}
}
if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
fprintf(stderr, "%s: -x cannot be used without -p\n", program);
CHECK(ISC_R_FAILURE);
}
if (print && list_zones) {
fprintf(stderr, "%s: -l cannot be used with -p\n", program);
CHECK(ISC_R_FAILURE);
}
if (isc_commandline_index + 1 < argc) {
isc_mem_detach(&mctx);
usage();
}
if (argv[isc_commandline_index] != NULL) {
conffile = argv[isc_commandline_index];
}
if (conffile == NULL || conffile[0] == '\0') {
conffile = NAMED_CONFFILE;
}
CHECK(setup_logging(mctx, stdout, &logc));
CHECK(dst_lib_init(mctx, NULL));
cleanup_dst = true;
CHECK(cfg_parser_create(mctx, logc, &parser));
if (nodeprecate) {
cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
}
cfg_parser_setcallback(parser, directory_callback, NULL);
CHECK(cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config));
CHECK(isccfg_check_namedconf(config, checkflags, logc, mctx));
if (load_zones || list_zones) {
CHECK(load_zones_fromconfig(config, mctx, list_zones));
}
if (print) {
cfg_printx(config, flags, output, &result);
}
cleanup:
if (config != NULL) {
cfg_obj_destroy(parser, &config);
}
if (parser != NULL) {
cfg_parser_destroy(&parser);
}
if (cleanup_dst) {
dst_lib_destroy();
}
/*
* Wait for memory reclamation in dns_qp to finish.
*/
rcu_barrier();
if (logc != NULL) {
isc_log_destroy(&logc);
}
if (mctx != NULL) {
isc_mem_destroy(&mctx);
}
return result == ISC_R_SUCCESS ? 0 : 1;
}
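Review bot: in `load_zones_fromconfig` the two view-level failures, `CHECK(tresult)` after `config_getclass` and `CHECK(ISC_R_FAILURE)` for a meta class, jump to `cleanup` without printing anything, so `named-checkconf -z` exits 1 with no diagnostic for a view whose class is unparsable or meta, while zone-level failures in `configure_zone` do print `view/zone/class: result` to stderr; consider fetching `vname` before the class checks and emitting an `fprintf(stderr, ...)` naming the view ahead of each `CHECK`. The `if (tresult != ISC_R_SUCCESS)` wrapper around `CHECK(tresult)` is also redundant, since `CHECK` tests its argument itself (it is used on bare calls such as `CHECK(setup_logging(mctx, stdout, &logc));`).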

@ -0,0 +1,116 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: named-checkconf
.. program:: named-checkconf
.. _man_named-checkconf:
named-checkconf - named configuration file syntax checking tool
---------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkconf` [**-achjlvz**] [**-p** [**-x** ]] [**-t** directory] (unknown)
Description
~~~~~~~~~~~
:program:`named-checkconf` checks the syntax, but not the semantics, of a
:iscman:`named` configuration file. The file, along with all files included by it, is parsed and checked for syntax
errors. If no file is specified,
|named_conf| is read by default.
Note: files that :iscman:`named` reads in separate parser contexts, such as
``rndc.conf`` or ``rndc.key``, are not automatically read by
:program:`named-checkconf`. Configuration errors in these files may cause
:iscman:`named` to fail to run, even if :program:`named-checkconf` was
successful. However, :program:`named-checkconf` can be run on these files
explicitly.
Options
~~~~~~~
.. option:: -a
Don't check the `dnssec-policy`'s DNSSEC key algorithms against
those supported by the crypto provider. This is useful when checking
a `named.conf` intended to be run on another machine with possibly a
different set of supported DNSSEC key algorithms.
.. option:: -h
This option prints the usage summary and exits.
.. option:: -j
When loading a zonefile, this option instructs :iscman:`named` to read the journal if it exists.
.. option:: -l
This option lists all the configured zones. Each line of output contains the zone
name, class (e.g. IN), view, and type (e.g. primary or secondary).
.. option:: -c
This option specifies that only the "core" configuration should be checked. This suppresses the loading of
plugin modules, and causes all parameters to ``plugin`` statements to
be ignored.
.. option:: -i
This option ignores warnings on deprecated options.
.. option:: -p
This option prints out the :iscman:`named.conf` and included files in canonical form if
no errors were detected. See also the :option:`-x` option.
.. option:: -t directory
This option instructs :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
:iscman:`named`.
.. option:: -v
This option prints the version of the :program:`named-checkconf` program and exits.
.. option:: -x
When printing the configuration files in canonical form, this option obscures
shared secrets by replacing them with strings of question marks
(``?``). This allows the contents of :iscman:`named.conf` and related files
to be shared - for example, when submitting bug reports -
without compromising private data. This option cannot be used without
:option:`-p`.
.. option:: -z
This option performs a test load of all zones of type ``primary`` found in :iscman:`named.conf`.
.. option:: filename
This indicates the name of the configuration file to be checked. If not specified,
it defaults to |named_conf|.
Return Values
~~~~~~~~~~~~~
:program:`named-checkconf` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:iscman:`named(8) <named>`, :iscman:`named-checkzone(8) <named-checkzone>`, BIND 9 Administrator Reference Manual.
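Review bot: the `-z` entry ("performs a test load of all zones of type ``primary``") understates what `configure_zone` in the preceding hunk does: it also accepts ``master`` as a synonym, checks ``hint`` zones through `configure_hint`, and test-loads ``redirect`` zones unless they have ``primaries``/``masters`` configured. Suggest wording such as "all zones of type ``primary`` (or ``master``), ``redirect`` and ``hint``". The ``-j`` and ``-t`` entries likewise say they instruct :iscman:`named` to read the journal or chroot, but it is :program:`named-checkconf` itself that does so (`isc_dir_chroot` in `main`); and the option list is not in alphabetical order (``-h``, ``-j``, ``-l`` precede ``-c`` and ``-i``), which makes the page harder to scan.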

bin/check/named-checkzone.c Normal file
@ -0,0 +1,575 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/types.h>
#include <dns/zone.h>
#include "check-tool.h"
static int quiet = 0;
static isc_mem_t *mctx = NULL;
dns_zone_t *zone = NULL;
dns_zonetype_t zonetype = dns_zone_primary;
static int dumpzone = 0;
static const char *output_filename;
static const char *prog_name = NULL;
static const dns_master_style_t *outputstyle = NULL;
static enum { progmode_check, progmode_compile } progmode;
#define ERRRET(result, function) \
do { \
if (result != ISC_R_SUCCESS) { \
if (!quiet) \
fprintf(stderr, "%s() returned %s\n", \
function, isc_result_totext(result)); \
return (result); \
} \
} while (0)
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr,
"usage: %s [-djqvD] [-c class] "
"[-f inputformat] [-F outputformat] [-J filename] "
"[-s (full|relative)] [-t directory] [-w directory] "
"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename [ (filename|-) ]\n",
prog_name,
progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(EXIT_FAILURE);
}
static void
destroy(void) {
if (zone != NULL) {
dns_zone_detach(&zone);
}
}
/*% main processing routine */
int
main(int argc, char **argv) {
int c;
char *origin = NULL;
const char *filename = NULL;
isc_log_t *lctx = NULL;
isc_result_t result;
char classname_in[] = "IN";
char *classname = classname_in;
const char *workdir = NULL;
const char *inputformatstr = NULL;
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
dns_masterrawheader_t header;
uint32_t rawversion = 1, serialnum = 0;
dns_ttl_t maxttl = 0;
bool snset = false;
bool logdump = false;
FILE *errout = stdout;
char *endp;
/*
* Uncomment the following line if memory debugging is needed:
* isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
*/
outputstyle = &dns_master_style_full;
prog_name = strrchr(argv[0], '/');
if (prog_name == NULL) {
prog_name = strrchr(argv[0], '\\');
}
if (prog_name != NULL) {
prog_name++;
} else {
prog_name = argv[0];
}
/*
* Libtool doesn't preserve the program name prior to final
* installation. Remove the libtool prefix ("lt-").
*/
if (strncmp(prog_name, "lt-", 3) == 0) {
prog_name += 3;
}
#define PROGCMP(X) \
(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
if (PROGCMP("named-checkzone")) {
progmode = progmode_check;
} else if (PROGCMP("named-compilezone")) {
progmode = progmode_compile;
} else {
UNREACHABLE();
}
/* When compiling, disable checks by default */
if (progmode == progmode_compile) {
zone_options = 0;
docheckmx = false;
docheckns = false;
dochecksrv = false;
}
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = false;
while ((c = isc_commandline_parse(argc, argv,
"c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:C:"
"DF:M:S:T:W:")) != EOF)
{
switch (c) {
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
debug++;
break;
case 'i':
if (ARGCMP("full")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
DNS_ZONEOPT_CHECKSIBLING;
docheckmx = true;
docheckns = true;
dochecksrv = true;
} else if (ARGCMP("full-sibling")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = true;
docheckns = true;
dochecksrv = true;
} else if (ARGCMP("local")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
docheckmx = false;
docheckns = false;
dochecksrv = false;
} else if (ARGCMP("local-sibling")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = false;
docheckns = false;
dochecksrv = false;
} else if (ARGCMP("none")) {
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = false;
docheckns = false;
dochecksrv = false;
} else {
fprintf(stderr, "invalid argument to -i: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'f':
inputformatstr = isc_commandline_argument;
break;
case 'F':
outputformatstr = isc_commandline_argument;
break;
case 'j':
nomerge = false;
break;
case 'J':
journal = isc_commandline_argument;
nomerge = false;
break;
case 'k':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL);
} else {
fprintf(stderr, "invalid argument to -k: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'L':
snset = true;
endp = NULL;
serialnum = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fprintf(stderr, "source serial number "
"must be numeric");
exit(EXIT_FAILURE);
}
break;
case 'l':
zone_options |= DNS_ZONEOPT_CHECKTTL;
endp = NULL;
maxttl = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fprintf(stderr, "maximum TTL "
"must be numeric");
exit(EXIT_FAILURE);
}
break;
case 'n':
if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS);
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKNS;
zone_options &= ~DNS_ZONEOPT_FATALNS;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS;
} else {
fprintf(stderr, "invalid argument to -n: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'm':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_CHECKMXFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_CHECKMXFAIL);
} else {
fprintf(stderr, "invalid argument to -m: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'o':
output_filename = isc_commandline_argument;
break;
case 'q':
quiet++;
break;
case 'r':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL);
} else {
fprintf(stderr, "invalid argument to -r: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 's':
if (ARGCMP("full")) {
outputstyle = &dns_master_style_full;
} else if (ARGCMP("relative")) {
outputstyle = &dns_master_style_default;
} else {
fprintf(stderr,
"unknown or unsupported style: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s: %s\n",
isc_commandline_argument,
isc_result_totext(result));
exit(EXIT_FAILURE);
}
break;
case 'v':
printf("%s\n", PACKAGE_VERSION);
exit(EXIT_SUCCESS);
case 'w':
workdir = isc_commandline_argument;
break;
case 'C':
if (ARGCMP("check-svcb:fail")) {
zone_options |= DNS_ZONEOPT_CHECKSVCB;
} else if (ARGCMP("check-svcb:ignore")) {
zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
} else {
fprintf(stderr, "invalid argument to -C: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'D':
dumpzone++;
break;
case 'M':
if (ARGCMP("fail")) {
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (ARGCMP("ignore")) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
} else {
fprintf(stderr, "invalid argument to -M: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'S':
if (ARGCMP("fail")) {
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (ARGCMP("ignore")) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
} else {
fprintf(stderr, "invalid argument to -S: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'T':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (ARGCMP("ignore")) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else {
fprintf(stderr, "invalid argument to -T: %s\n",
isc_commandline_argument);
exit(EXIT_FAILURE);
}
break;
case 'W':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
} else if (ARGCMP("ignore")) {
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
}
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
prog_name, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
if (workdir != NULL) {
result = isc_dir_chdir(workdir);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
isc_result_totext(result));
exit(EXIT_FAILURE);
}
}
if (inputformatstr != NULL) {
if (strcasecmp(inputformatstr, "text") == 0) {
inputformat = dns_masterformat_text;
} else if (strcasecmp(inputformatstr, "raw") == 0) {
inputformat = dns_masterformat_raw;
} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
inputformat = dns_masterformat_raw;
fprintf(stderr, "WARNING: input format raw, version "
"ignored\n");
} else {
fprintf(stderr, "unknown file format: %s\n",
inputformatstr);
exit(EXIT_FAILURE);
}
}
if (outputformatstr != NULL) {
if (strcasecmp(outputformatstr, "text") == 0) {
outputformat = dns_masterformat_text;
} else if (strcasecmp(outputformatstr, "raw") == 0) {
outputformat = dns_masterformat_raw;
} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
char *end;
outputformat = dns_masterformat_raw;
rawversion = strtol(outputformatstr + 4, &end, 10);
if (end == outputformatstr + 4 || *end != '\0' ||
rawversion > 1U)
{
fprintf(stderr, "unknown raw format version\n");
exit(EXIT_FAILURE);
}
} else {
fprintf(stderr, "unknown file format: %s\n",
outputformatstr);
exit(EXIT_FAILURE);
}
}
if (progmode == progmode_compile) {
dumpzone = 1; /* always dump */
logdump = !quiet;
if (output_filename == NULL) {
fprintf(stderr, "output file required, but not "
"specified\n");
usage();
}
}
if (output_filename != NULL) {
dumpzone = 1;
}
/*
* If we are printing to stdout then send the informational
* output to stderr.
*/
if (dumpzone &&
(output_filename == NULL || strcmp(output_filename, "-") == 0 ||
strcmp(output_filename, "/dev/fd/1") == 0 ||
strcmp(output_filename, "/dev/stdout") == 0))
{
errout = stderr;
logdump = false;
}
if (argc - isc_commandline_index < 1 ||
argc - isc_commandline_index > 2)
{
usage();
}
isc_mem_create(&mctx);
if (!quiet) {
RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) ==
ISC_R_SUCCESS);
}
origin = argv[isc_commandline_index++];
if (isc_commandline_index == argc) {
/* "-" will be interpreted as stdin */
filename = "-";
} else {
filename = argv[isc_commandline_index];
}
isc_commandline_index++;
result = load_zone(mctx, origin, filename, inputformat, classname,
maxttl, &zone);
if (snset) {
dns_master_initrawheader(&header);
header.flags = DNS_MASTERRAW_SOURCESERIALSET;
header.sourceserial = serialnum;
dns_zone_setrawdata(zone, &header);
}
if (result == ISC_R_SUCCESS && dumpzone) {
if (logdump) {
fprintf(errout, "dump zone to %s...", output_filename);
fflush(errout);
}
result = dump_zone(origin, zone, output_filename, outputformat,
outputstyle, rawversion);
if (logdump) {
fprintf(errout, "done\n");
}
}
if (!quiet && result == ISC_R_SUCCESS) {
fprintf(errout, "OK\n");
}
destroy();
if (lctx != NULL) {
isc_log_destroy(&lctx);
}
isc_mem_destroy(&mctx);
return (result == ISC_R_SUCCESS) ? 0 : 1;
}
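Review bot: the `if (snset)` block after `load_zone` calls `dns_zone_setrawdata(zone, &header)` without checking `result`; `zone` starts out NULL and nothing on this path guarantees `load_zone` attached one before failing, so a bad zone file combined with `-L` passes a NULL zone into the library instead of reporting the load error. Move the block inside the `result == ISC_R_SUCCESS` branch (or guard it with `zone != NULL`). Related, the `-L` and `-l` parsers store `strtol` results into unsigned `serialnum`/`maxttl` with no range or `errno` check, so negative or out-of-range values wrap silently, and both error messages ("source serial number must be numeric", "maximum TTL must be numeric") lack a trailing newline. The usage string also omits `-C`, `-l`, `-L` and `-T`, and `-W` silently ignores an unrecognised mode rather than rejecting it the way the other mode options do.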

@ -0,0 +1,231 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. BEWARE: Do not forget to edit also named-compilezone.rst!
.. iscman:: named-checkzone
.. program:: named-checkzone
.. _man_named-checkzone:
named-checkzone - zone file validation tool
-------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} (unknown)
Description
~~~~~~~~~~~
:program:`named-checkzone` checks the syntax and integrity of a zone file. It
performs the same checks as :iscman:`named` does when loading a zone. This
makes :program:`named-checkzone` useful for checking zone files before
configuring them into a name server.
Options
~~~~~~~
.. option:: -d
This option enables debugging.
.. option:: -h
This option prints the usage summary and exits.
.. option:: -q
This option sets quiet mode, which only sets an exit code to indicate
successful or failed completion.
.. option:: -v
This option prints the version of the :program:`named-checkzone` program and exits.
.. option:: -j
When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string ``.jnl`` appended.
.. option:: -J filename
When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
it exists. This implies :option:`-j`.
.. option:: -c class
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
.. option:: -C mode
This option controls check mode on zone files when loading.
Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
records and ``check-svcb:ignore`` disables these checks. The
default is ``check-svcb:fail``.
.. option:: -i mode
This option performs post-load zone integrity checks. Possible modes are
``full`` (the default), ``full-sibling``, ``local``,
``local-sibling``, and ``none``.
Mode ``full`` checks that MX records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks MX records which refer to in-zone hostnames.
Mode ``full`` checks that SRV records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks SRV records which refer to in-zone hostnames.
Mode ``full`` checks that delegation NS records refer to A or AAAA
records (both in-zone and out-of-zone hostnames). It also checks that
glue address records in the zone match those advertised by the child.
Mode ``local`` only checks NS records which refer to in-zone
hostnames or verifies that some required glue exists, i.e., when the
name server is in a child zone.
Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
checks, but are otherwise the same as ``full`` and ``local``,
respectively.
Mode ``none`` disables the checks.
.. option:: -f format
This option specifies the format of the zone file. Possible formats are
``text`` (the default), and ``raw``.
.. option:: -F format
This option specifies the format of the output file specified. For
:program:`named-checkzone`, this does not have any effect unless it dumps
the zone contents.
Possible formats are ``text`` (the default), which is the standard
textual representation of the zone, and ``raw`` and ``raw=N``, which
store the zone in a binary format for rapid loading by :iscman:`named`.
``raw=N`` specifies the format version of the raw zone file: if ``N`` is
0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
file can only be read by release 9.9.0 or higher. The default is 1.
.. option:: -k mode
This option performs ``check-names`` checks with the specified failure mode.
Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
.. option:: -l ttl
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
.. option:: -L serial
When compiling a zone to ``raw`` format, this option sets the "source
serial" value in the header to the specified serial number. This is
expected to be used primarily for testing purposes.
.. option:: -m mode
This option specifies whether MX records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn`` (the default), and
``ignore``.
.. option:: -M mode
This option checks whether a MX record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
.. option:: -n mode
This option specifies whether NS records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
.. option:: -o filename
This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
the zone output is written to standard output.
.. option:: -r mode
This option checks for records that are treated as different by DNSSEC but are
semantically equal in plain DNS. Possible modes are ``fail``,
``warn`` (the default), and ``ignore``.
.. option:: -s style
This option specifies the style of the dumped zone file. Possible styles are
``full`` (the default) and ``relative``. The ``full`` format is most
suitable for processing automatically by a separate script.
The relative format is more human-readable and is thus
suitable for editing by hand. This does not have any effect unless it dumps
the zone contents. It also does not have any meaning if the output format
is not text.
.. option:: -S mode
This option checks whether an SRV record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
.. option:: -t directory
This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
:iscman:`named`.
.. option:: -T mode
This option checks whether Sender Policy Framework (SPF) records exist and issues a
warning if an SPF-formatted TXT record is not also present. Possible
modes are ``warn`` (the default) and ``ignore``.
.. option:: -w directory
This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
``$INCLUDE`` directives work. This is similar to the directory clause in
:iscman:`named.conf`.
.. option:: -D
This option dumps the zone file in canonical format.
.. option:: -W mode
This option specifies whether to check for non-terminal wildcards. Non-terminal
wildcards are almost always the result of a failure to understand the
wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
(the default) and ``ignore``.
.. option:: zonename
This indicates the domain name of the zone being checked.
.. option:: filename
This is the name of the zone file.
Return Values
~~~~~~~~~~~~~
:program:`named-checkzone` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-compilezone(8) <named-compilezone>`, :rfc:`1035`, BIND 9 Administrator Reference
Manual.
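Review bot: The `-t directory` block says the chroot makes "``include`` directives in the configuration file" resolve as under a similarly chrooted named, but named-checkzone reads a zone file, not a configuration file; the directives the chroot affects are the master-file ``$INCLUDE`` directives already named under `-w directory`, so reword to "so that ``$INCLUDE`` directives in the zone file are processed as if run by a similarly chrooted :iscman:`named`". In the same hunk, `-j` and `-J filename` say the option "tells :iscman:`named` to read the journal", yet it is named-checkzone itself that reads it here; "tells :program:`named-checkzone` to read the journal" matches the wording used for `-v` in the same option list.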


@ -0,0 +1,239 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. BEWARE: Do not forget to edit also named-checkzone.rst!
.. iscman:: named-compilezone
.. program:: named-compilezone
.. _man_named-compilezone:
named-compilezone - zone file converting tool
---------------------------------------------
Synopsis
~~~~~~~~
:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} (unknown)
Description
~~~~~~~~~~~
:program:`named-compilezone` checks the syntax and integrity of a zone file,
and dumps the zone contents to a specified file in a specified format.
Unlike :program:`named-checkzone`, zone contents are not strictly checked
by default. If the output is to be used as an actual zone file to be loaded
by :iscman:`named`, then the check levels should be manually configured to
be at least as strict as those specified in the :iscman:`named` configuration
file.
Running :program:`named-checkzone` on the input prior to compiling will
ensure that the zone compiles with the default requirements of
:iscman:`named`.
Options
~~~~~~~
.. option:: -d
This option enables debugging.
.. option:: -h
This option prints the usage summary and exits.
.. option:: -q
This option sets quiet mode, which only sets an exit code to indicate
successful or failed completion.
.. option:: -v
This option prints the version of the :iscman:`named-checkzone` program and exits.
.. option:: -j
When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string ``.jnl`` appended.
.. option:: -J filename
When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
it exists. This implies :option:`-j`.
.. option:: -c class
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
.. option:: -C mode
This option controls check mode on zone files when loading.
Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
records and ``check-svcb:ignore`` disables these checks. The
default is ``check-svcb:ignore``.
.. option:: -i mode
This option performs post-load zone integrity checks. Possible modes are
``full``, ``full-sibling``, ``local``,
``local-sibling``, and ``none`` (the default).
Mode ``full`` checks that MX records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks MX records which refer to in-zone hostnames.
Mode ``full`` checks that SRV records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks SRV records which refer to in-zone hostnames.
Mode ``full`` checks that delegation NS records refer to A or AAAA
records (both in-zone and out-of-zone hostnames). It also checks that
glue address records in the zone match those advertised by the child.
Mode ``local`` only checks NS records which refer to in-zone
hostnames or verifies that some required glue exists, i.e., when the
name server is in a child zone.
Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
checks, but are otherwise the same as ``full`` and ``local``,
respectively.
Mode ``none`` disables the checks.
.. option:: -f format
This option specifies the format of the zone file. Possible formats are
``text`` (the default), and ``raw``.
.. option:: -F format
This option specifies the format of the output file specified. For
:iscman:`named-checkzone`, this does not have any effect unless it dumps
the zone contents.
Possible formats are ``text`` (the default), which is the standard
textual representation of the zone, and ``raw`` and ``raw=N``, which
store the zone in a binary format for rapid loading by :iscman:`named`.
``raw=N`` specifies the format version of the raw zone file: if ``N`` is
0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
file can only be read by release 9.9.0 or higher. The default is 1.
.. option:: -k mode
This option performs ``check-names`` checks with the specified failure mode.
Possible modes are ``fail``, ``warn``, and ``ignore`` (the default).
.. option:: -l ttl
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
.. option:: -L serial
When compiling a zone to ``raw`` format, this option sets the "source
serial" value in the header to the specified serial number. This is
expected to be used primarily for testing purposes.
.. option:: -m mode
This option specifies whether MX records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn``, and
``ignore`` (the default).
.. option:: -M mode
This option checks whether a MX record refers to a CNAME. Possible modes are
``fail``, ``warn``, and ``ignore`` (the default).
.. option:: -n mode
This option specifies whether NS records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn``, and
``ignore`` (the default).
.. option:: -o filename
This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
the zone output is written to standard output. This is mandatory for :program:`named-compilezone`.
.. option:: -r mode
This option checks for records that are treated as different by DNSSEC but are
semantically equal in plain DNS. Possible modes are ``fail``,
``warn``, and ``ignore`` (the default).
.. option:: -s style
This option specifies the style of the dumped zone file. Possible styles are
``full`` (the default) and ``relative``. The ``full`` format is most
suitable for processing automatically by a separate script.
The relative format is more human-readable and is thus
suitable for editing by hand.
.. option:: -S mode
This option checks whether an SRV record refers to a CNAME. Possible modes are
``fail``, ``warn``, and ``ignore`` (the default).
.. option:: -t directory
This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
:iscman:`named`.
.. option:: -T mode
This option checks whether Sender Policy Framework (SPF) records exist and issues a
warning if an SPF-formatted TXT record is not also present. Possible
modes are ``warn`` and ``ignore`` (the default).
.. option:: -w directory
This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
``$INCLUDE`` directives work. This is similar to the directory clause in
:iscman:`named.conf`.
.. option:: -D
This option dumps the zone file in canonical format. This is always enabled for
:program:`named-compilezone`.
.. option:: -W mode
This option specifies whether to check for non-terminal wildcards. Non-terminal
wildcards are almost always the result of a failure to understand the
wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
and ``ignore`` (the default).
.. option:: zonename
This indicates the domain name of the zone being checked.
.. option:: filename
This is the name of the zone file.
Return Values
~~~~~~~~~~~~~
:program:`named-compilezone` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-checkzone(8) <named-checkzone>`, :rfc:`1035`,
BIND 9 Administrator Reference Manual.
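Review bot: The `-v` entry on this named-compilezone page says it "prints the version of the :iscman:`named-checkzone` program"; the page documents named-compilezone, so it should read :program:`named-compilezone`, as the checkzone page uses :program:`named-checkzone` for the same option. Two more leftovers from the shared text: under `-F format`, "For :iscman:`named-checkzone`, this does not have any effect unless it dumps the zone contents" does not apply here, since `-D` is documented a few lines below as always enabled for named-compilezone, so drop the sentence; and the Synopsis line ends in "{zonename} (unknown)" where the ``{filename}`` positional described under ``.. option:: filename`` belongs. The ``.. BEWARE: Do not forget to edit also named-checkzone.rst!`` comment shows the two files are kept in sync by hand, which is how these drifted; a doc build step that diffs the shared option blocks would catch this.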

30
bin/confgen/Makefile.am Normal file

@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
LDADD += \
libconfgen.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS)
noinst_LTLIBRARIES = libconfgen.la
libconfgen_la_SOURCES = \
include/confgen/os.h \
keygen.c \
keygen.h \
os.c \
util.c \
util.h
sbin_PROGRAMS = tsig-keygen rndc-confgen
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
$(DESTDIR)$(sbindir)/ddns-confgen
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/ddns-confgen
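Review bot: `install-exec-hook` creates `ddns-confgen` as a hard link (`ln -f`) to `tsig-keygen`, so the binary must pick its behaviour from the name it was invoked as, and a second name on the same inode is easy to miss when auditing what the package installs or when packaging tools strip or relocate binaries; if a hard link is intended, a one-line comment saying why would help, otherwise `$(LN_S)` (configure already substitutes `LN_S` in the generated Makefile.in) gives a visible symlink that points back at `tsig-keygen`. Style nit on the `AM_CPPFLAGS` addition: `-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"` uses `${...}` while every other variable in the file uses `$(...)`; make accepts both, but the mixed form reads like a shell expansion, and since the path is baked in at compile time it is worth a comment that changing `sysconfdir` at `make install` time does not change the default key location the binaries use.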

893
bin/confgen/Makefile.in Normal file

@ -0,0 +1,893 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
@HOST_MACOS_TRUE@am__append_1 = \
@HOST_MACOS_TRUE@ -Wl,-flat_namespace
sbin_PROGRAMS = tsig-keygen$(EXEEXT) rndc-confgen$(EXEEXT)
subdir = bin/confgen
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(sbindir)"
PROGRAMS = $(sbin_PROGRAMS)
LTLIBRARIES = $(noinst_LTLIBRARIES)
libconfgen_la_LIBADD =
am_libconfgen_la_OBJECTS = keygen.lo os.lo util.lo
libconfgen_la_OBJECTS = $(am_libconfgen_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
rndc_confgen_SOURCES = rndc-confgen.c
rndc_confgen_OBJECTS = rndc-confgen.$(OBJEXT)
rndc_confgen_LDADD = $(LDADD)
am__DEPENDENCIES_1 =
@HAVE_JEMALLOC_FALSE@am__DEPENDENCIES_2 = \
@HAVE_JEMALLOC_FALSE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
rndc_confgen_DEPENDENCIES = libconfgen.la $(am__DEPENDENCIES_2) \
$(LIBDNS_LIBS)
tsig_keygen_SOURCES = tsig-keygen.c
tsig_keygen_OBJECTS = tsig-keygen.$(OBJEXT)
tsig_keygen_LDADD = $(LDADD)
tsig_keygen_DEPENDENCIES = libconfgen.la $(am__DEPENDENCIES_2) \
$(LIBDNS_LIBS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/keygen.Plo ./$(DEPDIR)/os.Plo \
./$(DEPDIR)/rndc-confgen.Po ./$(DEPDIR)/tsig-keygen.Po \
./$(DEPDIR)/util.Plo
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo " CC " $@;
am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(libconfgen_la_SOURCES) rndc-confgen.c tsig-keygen.c
DIST_SOURCES = $(libconfgen_la_SOURCES) rndc-confgen.c tsig-keygen.c
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \
$(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \
-I$(srcdir)/include $(LIBISC_CFLAGS) $(LIBDNS_CFLAGS) \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1)
LDADD = libconfgen.la $(LIBISC_LIBS) $(LIBDNS_LIBS)
BUILT_SOURCES =
CLEANFILES =
@HAVE_JEMALLOC_FALSE@LIBISC_CFLAGS = -I$(top_srcdir)/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_TRUE@LIBISC_CFLAGS = $(JEMALLOC_CFLAGS) \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_FALSE@LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@LIBISC_LIBS = $(JEMALLOC_LIBS) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_DTRACE_TRUE@LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
@HAVE_DTRACE_TRUE@LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
@HAVE_DTRACE_TRUE@LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
noinst_LTLIBRARIES = libconfgen.la
libconfgen_la_SOURCES = \
include/confgen/os.h \
keygen.c \
keygen.h \
os.c \
util.c \
util.h
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/confgen/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/confgen/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.top $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-sbinPROGRAMS: $(sbin_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
} \
; done
uninstall-sbinPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(sbindir)" && rm -f $$files
clean-sbinPROGRAMS:
@list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
clean-noinstLTLIBRARIES:
-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
@list='$(noinst_LTLIBRARIES)'; \
locs=`for p in $$list; do echo $$p; done | \
sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
sort -u`; \
test -z "$$locs" || { \
echo rm -f $${locs}; \
rm -f $${locs}; \
}
libconfgen.la: $(libconfgen_la_OBJECTS) $(libconfgen_la_DEPENDENCIES) $(EXTRA_libconfgen_la_DEPENDENCIES)
$(AM_V_CCLD)$(LINK) $(libconfgen_la_OBJECTS) $(libconfgen_la_LIBADD) $(LIBS)
rndc-confgen$(EXEEXT): $(rndc_confgen_OBJECTS) $(rndc_confgen_DEPENDENCIES) $(EXTRA_rndc_confgen_DEPENDENCIES)
@rm -f rndc-confgen$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(rndc_confgen_OBJECTS) $(rndc_confgen_LDADD) $(LIBS)
tsig-keygen$(EXEEXT): $(tsig_keygen_OBJECTS) $(tsig_keygen_DEPENDENCIES) $(EXTRA_tsig_keygen_DEPENDENCIES)
@rm -f tsig-keygen$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(tsig_keygen_OBJECTS) $(tsig_keygen_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keygen.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/os.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndc-confgen.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tsig-keygen.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
all-am: Makefile $(PROGRAMS) $(LTLIBRARIES)
installdirs:
for dir in "$(DESTDIR)$(sbindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
clean-sbinPROGRAMS mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/keygen.Plo
-rm -f ./$(DEPDIR)/os.Plo
-rm -f ./$(DEPDIR)/rndc-confgen.Po
-rm -f ./$(DEPDIR)/tsig-keygen.Po
-rm -f ./$(DEPDIR)/util.Plo
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
doc: doc-am
doc-am: doc-local
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-sbinPROGRAMS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/keygen.Plo
-rm -f ./$(DEPDIR)/os.Plo
-rm -f ./$(DEPDIR)/rndc-confgen.Po
-rm -f ./$(DEPDIR)/tsig-keygen.Po
-rm -f ./$(DEPDIR)/util.Plo
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
test: test-am
test-am: test-local
uninstall-am: uninstall-sbinPROGRAMS
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
unit: unit-am
unit-am: unit-local
.MAKE: all check install install-am install-exec install-exec-am \
install-strip uninstall-am
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-generic clean-libtool clean-noinstLTLIBRARIES \
clean-sbinPROGRAMS cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir doc-am doc-local dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-exec-hook install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am tags tags-am test-am test-local uninstall \
uninstall-am uninstall-hook uninstall-sbinPROGRAMS unit-am \
unit-local
.PRECIOUS: Makefile
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
$(DESTDIR)$(sbindir)/ddns-confgen
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/ddns-confgen
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
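Review bot: install-exec-hook links `$(DESTDIR)$(sbindir)/tsig-keygen` to `ddns-confgen` using the untransformed program names, while install-sbinPROGRAMS and uninstall-sbinPROGRAMS run the names through `$(transform)` (see the `sed ... $(transform)` pipeline in uninstall-sbinPROGRAMS). With a non-empty --program-prefix or --program-suffix the binary is installed under a different name, `ln -f` in the hook fails, and uninstall-hook removes nothing; either apply `$(transform)` in both hooks or state that the confgen tools do not support program-name transformation. The hard link is also what keeps the argv[0]-based mode selection in tsig-keygen.c working, so the link name must stay exactly `ddns-confgen`.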


@ -0,0 +1,96 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. BEWARE: Do not forget to edit also tsig-keygen.rst!
.. iscman:: ddns-confgen
.. program:: ddns-confgen
.. _man_ddns-confgen:
ddns-confgen - TSIG key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone]
Description
~~~~~~~~~~~
:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing.
The resulting keys can be used, for example, to secure dynamic DNS updates
to a zone, or for the :iscman:`rndc` command channel.
The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``.
The generated key is accompanied by configuration text and instructions that
can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS,
including an example ``update-policy`` statement.
(This usage is similar to the :iscman:`rndc-confgen` command for setting up
command-channel security.)
Note that :iscman:`named` itself can configure a local DDNS key for use with
:option:`nsupdate -l`; it does this when a zone is configured with
``update-policy local;``. :program:`ddns-confgen` is only needed when a more
elaborate configuration is required: for instance, if :iscman:`nsupdate` is to
be used from a remote system.
Options
~~~~~~~
.. option:: -a algorithm
This option specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
and hmac-sha512. The default is hmac-sha256. Options are
case-insensitive, and the "hmac-" prefix may be omitted.
.. option:: -h
This option prints a short summary of options and arguments.
.. option:: -k keyname
This option specifies the key name of the DDNS authentication key. The
default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is
specified; otherwise, the default is ``ddns-key`` as a separate label
followed by the argument of the option, e.g., ``ddns-key.example.com.``
The key name must have the format of a valid domain name, consisting of
letters, digits, hyphens, and periods.
.. option:: -q
This option enables quiet mode, which prints only the key, with no
explanatory text or usage examples. This is essentially identical to
:iscman:`tsig-keygen`.
.. option:: -s name
This option generates a configuration example to allow dynamic updates
of a single hostname. The example :iscman:`named.conf` text shows how to set
an update policy for the specified name using the "name" nametype. The
default key name is ``ddns-key.name``. Note that the "self" nametype
cannot be used, since the name to be updated may differ from the key
name. This option cannot be used with the :option:`-z` option.
.. option:: -z zone
This option generates a configuration example to allow
dynamic updates of a zone. The example :iscman:`named.conf` text shows how
to set an update policy for the specified zone using the "zonesub"
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the :option:`-s` option.
See Also
~~~~~~~~
:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
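Review bot: two grammar slips in Description: "is an utility" should read "is a utility", and "The key name can specified using :option:`-k` parameter" should read "can be specified using the :option:`-k` option". The :option:`-a` text lists hmac-md5 as an available choice without any caveat, while rndc-confgen.c in this same commit prints a deprecation warning when hmac-md5 is chosen; consider marking it deprecated here and, per the BEWARE comment at the top of the file, in tsig-keygen.rst as well.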


@ -0,0 +1,33 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#pragma once
#include <stdio.h>
#include <isc/lang.h>
ISC_LANG_BEGINDECLS
int
set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.
* Returns:
* 0 success
* -1 insufficient permissions, or 'user' does not exist.
*/
ISC_LANG_ENDDECLS
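Review bot: the parameter is a `FILE *` but is named `fd`, which reads as a file descriptor; `fp` or `stream` would match what set_user() does (`fchown(fileno(fd), ...)` in os.c). The return-value comment is also narrower than the implementation: -1 is returned for any fchown() failure (EPERM, EBADF, EROFS and so on), not only insufficient permissions, and os.c sets errno to EINVAL for an unknown user, so "-1 on failure, with errno set" would be the accurate description.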

177
bin/confgen/keygen.c Normal file

@ -0,0 +1,177 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include "keygen.h"
#include <stdarg.h>
#include <stdlib.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
/*%
* Convert string to algorithm type.
*/
dns_secalg_t
alg_fromtext(const char *name) {
const char *p = name;
if (strncasecmp(p, "hmac-", 5) == 0) {
p = &name[5];
}
if (strcasecmp(p, "md5") == 0) {
return DST_ALG_HMACMD5;
}
if (strcasecmp(p, "sha1") == 0) {
return DST_ALG_HMACSHA1;
}
if (strcasecmp(p, "sha224") == 0) {
return DST_ALG_HMACSHA224;
}
if (strcasecmp(p, "sha256") == 0) {
return DST_ALG_HMACSHA256;
}
if (strcasecmp(p, "sha384") == 0) {
return DST_ALG_HMACSHA384;
}
if (strcasecmp(p, "sha512") == 0) {
return DST_ALG_HMACSHA512;
}
return DST_ALG_UNKNOWN;
}
/*%
* Return default keysize for a given algorithm type.
*/
int
alg_bits(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return 128;
case DST_ALG_HMACSHA1:
return 160;
case DST_ALG_HMACSHA224:
return 224;
case DST_ALG_HMACSHA256:
return 256;
case DST_ALG_HMACSHA384:
return 384;
case DST_ALG_HMACSHA512:
return 512;
default:
return 0;
}
}
/*%
* Generate a key of size 'keysize' and place it in 'key_txtbuffer'
*/
void
generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
isc_buffer_t *key_txtbuffer) {
isc_result_t result = ISC_R_SUCCESS;
isc_buffer_t key_rawbuffer;
isc_region_t key_rawregion;
char key_rawsecret[64];
dst_key_t *key = NULL;
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 512) {
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
}
break;
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
if (keysize < 1 || keysize > 1024) {
fatal("keysize %d out of range (must be 1-1024)\n",
keysize);
}
break;
default:
fatal("unsupported algorithm %d\n", alg);
}
DO("initialize dst library", dst_lib_init(mctx, NULL));
DO("generate key",
dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
dns_rdataclass_in, NULL, mctx, &key, NULL));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret",
isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
if (key != NULL) {
dst_key_free(&key);
}
dst_lib_destroy();
}
/*%
* Write a key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
void
write_key_file(const char *keyfile, const char *user, const char *keyname,
isc_buffer_t *secret, dns_secalg_t alg) {
isc_result_t result;
const char *algname = dst_hmac_algorithm_totext(alg);
FILE *fd = NULL;
DO("create keyfile", isc_file_safecreate(keyfile, &fd));
if (user != NULL) {
if (set_user(fd, user) == -1) {
fatal("unable to set file owner\n");
}
}
fprintf(fd,
"key \"%s\" {\n\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n",
keyname, algname, (int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd)) {
fatal("write to %s failed\n", keyfile);
}
if (fclose(fd)) {
fatal("fclose(%s) failed\n", keyfile);
}
}
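Review bot: the size check in generate_key() admits up to 1024 bits for hmac-sha384 and hmac-sha512, but `key_rawsecret[64]` holds only 512 bits, so a key longer than 512 bits fails at the "dump key to buffer" step rather than in the range check; either make the buffer 128 bytes or cap the check at 512 to match the rndc-confgen usage text ("from 1 through 512"). Two smaller points: the DO() label "bsse64 encode secret" is a typo for "base64", and the raw secret stays on the stack after it has been encoded; wiping `key_rawsecret` with isc_safe_memwipe() before returning would be consistent with the care taken elsewhere (isc_file_safecreate() for the key file).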

41
bin/confgen/keygen.h Normal file

@ -0,0 +1,41 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <isc/buffer.h>
#include <isc/lang.h>
#include <isc/mem.h>
#include <dns/secalg.h>
ISC_LANG_BEGINDECLS
void
generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
isc_buffer_t *key_txtbuffer);
void
write_key_file(const char *keyfile, const char *user, const char *keyname,
isc_buffer_t *secret, dns_secalg_t alg);
const char *
alg_totext(dns_secalg_t alg);
dns_secalg_t
alg_fromtext(const char *name);
int
alg_bits(dns_secalg_t alg);
ISC_LANG_ENDDECLS
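Review bot: `alg_totext()` is declared here but keygen.c provides no definition; both keygen.c and rndc-confgen.c call dst_hmac_algorithm_totext() instead, so the declaration is dead and should be dropped, or implemented if it is meant as the inverse of alg_fromtext(). A one-line comment on alg_bits() saying that 0 means "unknown algorithm" would also help callers, since rndc-confgen.c passes its result straight to generate_key() when -b is not given.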

36
bin/confgen/os.c Normal file

@ -0,0 +1,36 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <confgen/os.h>
int
set_user(FILE *fd, const char *user) {
struct passwd *pw;
pw = getpwnam(user);
if (pw == NULL) {
errno = EINVAL;
return -1;
}
return fchown(fileno(fd), pw->pw_uid, -1);
}
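Review bot: set_user() overwrites errno with EINVAL whenever getpwnam() returns NULL, which folds a genuine lookup failure (an NSS or directory error with errno already set) into "no such user"; only assign EINVAL when errno is still zero so the caller's "unable to set file owner" message can be diagnosed. Leaving the group at `-1` matches the header comment ("set the owner"). `<fcntl.h>` and `<sys/stat.h>` are included but nothing in the file uses them.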

294
bin/confgen/rndc-confgen.c Normal file

@ -0,0 +1,294 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
/**
* rndc-confgen generates configuration files for rndc. It can be used
* as a convenient alternative to writing the rndc.conf file and the
* corresponding controls and key statements in named.conf by hand.
* Alternatively, it can be run with the -a option to set up a
* rndc.key file and avoid the need for a rndc.conf file and a
* controls statement altogether.
*/
#include <stdarg.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "keygen.h"
#include "util.h"
#define DEFAULT_KEYNAME "rndc-key"
#define DEFAULT_SERVER "127.0.0.1"
#define DEFAULT_PORT 953
static char program[256];
const char *progname;
bool verbose = false;
const char *keyfile, *keydef;
noreturn static void
usage(int status);
static void
usage(int status) {
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-A alg: algorithm (default hmac-sha256)\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-q: suppress printing written key path\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
exit(status);
}
int
main(int argc, char **argv) {
bool show_final_mem = false;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *keyname = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg;
const char *algname;
char *p;
int ch;
int port;
int keysize = -1;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
char *user = NULL;
bool keyonly = false;
bool quiet = false;
int len;
keydef = keyfile = RNDC_KEYFILE;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS) {
memmove(program, "rndc-confgen", 13);
}
progname = program;
keyname = DEFAULT_KEYNAME;
alg = DST_ALG_HMACSHA256;
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
isc_commandline_errprint = false;
while ((ch = isc_commandline_parse(argc, argv,
"aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
{
switch (ch) {
case 'a':
keyonly = true;
break;
case 'A':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN) {
fatal("Unsupported algorithm '%s'", algname);
}
break;
case 'b':
keysize = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || keysize < 0) {
fatal("-b requires a non-negative number");
}
break;
case 'c':
keyfile = isc_commandline_argument;
break;
case 'h':
usage(EXIT_SUCCESS);
break;
case 'k':
case 'y': /* Compatible with rndc -y. */
keyname = isc_commandline_argument;
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = true;
break;
case 'p':
port = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || port < 0 || port > 65535) {
fatal("port '%s' out of range",
isc_commandline_argument);
}
break;
case 'q':
quiet = true;
break;
case 'r':
fatal("The -r option has been deprecated.");
break;
case 's':
serveraddr = isc_commandline_argument;
if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
{
fatal("-s should be an IPv4 or IPv6 address");
}
break;
case 't':
chrootdir = isc_commandline_argument;
break;
case 'u':
user = isc_commandline_argument;
break;
case 'V':
verbose = true;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(EXIT_FAILURE);
} else {
usage(EXIT_SUCCESS);
}
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
POST(argv);
if (argc > 0) {
usage(EXIT_FAILURE);
}
if (alg == DST_ALG_HMACMD5) {
fprintf(stderr, "warning: use of hmac-md5 for RNDC keys "
"is deprecated; hmac-sha256 is now "
"recommended.\n");
}
if (keysize < 0) {
keysize = alg_bits(alg);
}
algname = dst_hmac_algorithm_totext(alg);
isc_mem_create(&mctx);
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
keyname, &key_txtbuffer, alg);
if (!quiet) {
printf("wrote key file \"%s\"\n", keyfile);
}
if (chrootdir != NULL) {
char *buf;
len = strlen(chrootdir) + strlen(keyfile) + 2;
buf = isc_mem_get(mctx, len);
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
write_key_file(buf, user, keyname, &key_txtbuffer, alg);
if (!quiet) {
printf("wrote key file \"%s\"\n", buf);
}
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
options {\n\
default-key \"%s\";\n\
default-server %s;\n\
default-port %d;\n\
};\n\
# End of rndc.conf\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
# controls {\n\
# inet %s port %d\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer), keyname,
serveraddr, port, keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer), serveraddr,
port, serveraddr, keyname);
}
if (show_final_mem) {
isc_mem_stats(mctx, stderr);
}
isc_mem_destroy(&mctx);
return 0;
}
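Review bot: the option string "aA:b:c:hk:Mmp:r:s:t:u:Vy" passed to isc_commandline_parse() does not contain 'q', so `case 'q'` is unreachable and `rndc-confgen -a -q` lands in `case '?'` with "invalid argument -q", even though usage() and rndc-confgen.rst both document -q; add 'q' to the string. In the same string 'y' has no ':' suffix while `case 'y'` reads isc_commandline_argument into keyname, so `-y name` does not consume its argument; it should be "y:" like 'k'. Separately, `-c`, `-t` and `-u` are only honoured inside the `if (keyonly)` branch and are silently ignored without -a; a warning in that case would match the "(requires -a)" wording in usage().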


@ -0,0 +1,121 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: rndc-confgen
.. program:: rndc-confgen
.. _man_rndc-confgen:
rndc-confgen - rndc key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
Description
~~~~~~~~~~~
:program:`rndc-confgen` generates configuration files for :iscman:`rndc`. It can be
used as a convenient alternative to writing the :iscman:`rndc.conf` file and
the corresponding ``controls`` and ``key`` statements in :iscman:`named.conf`
by hand. Alternatively, it can be run with the :option:`-a` option to set up a
``rndc.key`` file and avoid the need for a :iscman:`rndc.conf` file and a
``controls`` statement altogether.
Options
~~~~~~~
.. option:: -a
This option sets automatic :iscman:`rndc` configuration, which creates a file
|rndc_key| that is read by both :iscman:`rndc` and :iscman:`named` on startup.
The ``rndc.key`` file defines a default command channel and
authentication key allowing :iscman:`rndc` to communicate with :iscman:`named` on
the local host with no further configuration.
If a more elaborate configuration than that generated by
:option:`rndc-confgen -a` is required, for example if rndc is to be used
remotely, run :program:`rndc-confgen` without the :option:`-a` option
and set up :iscman:`rndc.conf` and :iscman:`named.conf` as directed.
.. option:: -A algorithm
This option specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
hmac-sha512. The default is hmac-sha256.
.. option:: -b keysize
This option specifies the size of the authentication key in bits. The size must be between
1 and 512 bits; the default is the hash size.
.. option:: -c keyfile
This option is used with the :option:`-a` option to specify an alternate location for
``rndc.key``.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`rndc-confgen`.
.. option:: -k keyname
This option specifies the key name of the :iscman:`rndc` authentication key. This must be a
valid domain name. The default is ``rndc-key``.
.. option:: -p port
This option specifies the command channel port where :iscman:`named` listens for
connections from :iscman:`rndc`. The default is 953.
.. option:: -q
This option prevets printing the written path in automatic configuration mode.
.. option:: -s address
This option specifies the IP address where :iscman:`named` listens for command-channel
connections from :iscman:`rndc`. The default is the loopback address
127.0.0.1.
.. option:: -t chrootdir
This option is used with the :option:`-a` option to specify a directory where :iscman:`named`
runs chrooted. An additional copy of the ``rndc.key`` is
written relative to this directory, so that it is found by the
chrooted :iscman:`named`.
.. option:: -u user
This option is used with the :option:`-a` option to set the owner of the generated ``rndc.key`` file.
If :option:`-t` is also specified, only the file in the chroot
area has its owner changed.
Examples
~~~~~~~~
To allow :iscman:`rndc` to be used with no manual configuration, run:
``rndc-confgen -a``
To print a sample :iscman:`rndc.conf` file and the corresponding ``controls`` and
``key`` statements to be manually inserted into :iscman:`named.conf`, run:
:program:`rndc-confgen`
See Also
~~~~~~~~
:iscman:`rndc(8) <rndc>`, :iscman:`rndc.conf(5) <rndc.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
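Review bot: "prevets" in the :option:`-q` description is a typo for "prevents", and the Synopsis line omits **-q** although it is documented under Options. The :option:`-b` text says the size must be between 1 and 512 bits, while generate_key() in keygen.c accepts up to 1024 bits for hmac-sha384 and hmac-sha512; pick one limit and make usage(), this page and the check agree. The :option:`-A` list should also note that hmac-md5 triggers the deprecation warning printed by rndc-confgen.c, and the -q text should say it only takes effect together with :option:`-a`.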

300
bin/confgen/tsig-keygen.c Normal file

@ -0,0 +1,300 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
/**
* tsig-keygen generates TSIG keys that can be used in named configuration
* files for dynamic DNS.
*/
#include <stdarg.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "keygen.h"
#include "util.h"
#define KEYGEN_DEFAULT "tsig-key"
#define CONFGEN_DEFAULT "ddns-key"
static char program[256];
const char *progname;
static enum { progmode_keygen, progmode_confgen } progmode;
bool verbose = false; /* needed by util.c but not used here */
noreturn static void
usage(int status);
static void
usage(int status) {
if (progmode == progmode_confgen) {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-k keyname] [-q] [-s name | -z zone]\n\
-a alg: algorithm (default hmac-sha256)\n\
-k keyname: name of the key as it will be used in named.conf\n\
-s name: domain name to be updated using the created key\n\
-z zone: name of the zone as it will be used in named.conf\n\
-q: quiet mode: print the key, with no explanatory text\n",
progname);
} else {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [keyname]\n\
-a alg: algorithm (default hmac-sha256)\n\n",
progname);
}
exit(status);
}
int
main(int argc, char **argv) {
isc_result_t result = ISC_R_SUCCESS;
bool show_final_mem = false;
bool quiet = false;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
const char *keyname = NULL;
const char *zone = NULL;
const char *self_domain = NULL;
char *keybuf = NULL;
dns_secalg_t alg = DST_ALG_HMACSHA256;
const char *algname;
int keysize = 256;
int len = 0;
int ch;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS) {
memmove(program, "tsig-keygen", 11);
}
progname = program;
/*
* Libtool doesn't preserve the program name prior to final
* installation. Remove the libtool prefix ("lt-").
*/
if (strncmp(progname, "lt-", 3) == 0) {
progname += 3;
}
#define PROGCMP(X) \
(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
if (PROGCMP("tsig-keygen")) {
progmode = progmode_keygen;
quiet = true;
} else if (PROGCMP("ddns-confgen")) {
progmode = progmode_confgen;
} else {
UNREACHABLE();
}
isc_commandline_errprint = false;
while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) !=
-1)
{
switch (ch) {
case 'a':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN) {
fatal("Unsupported algorithm '%s'", algname);
}
keysize = alg_bits(alg);
break;
case 'h':
usage(EXIT_SUCCESS);
case 'k':
case 'y':
if (progmode == progmode_confgen) {
keyname = isc_commandline_argument;
} else {
usage(EXIT_FAILURE);
}
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = true;
break;
case 'q':
if (progmode == progmode_confgen) {
quiet = true;
} else {
usage(EXIT_FAILURE);
}
break;
case 'r':
fatal("The -r option has been deprecated.");
break;
case 's':
if (progmode == progmode_confgen) {
self_domain = isc_commandline_argument;
} else {
usage(EXIT_FAILURE);
}
break;
case 'z':
if (progmode == progmode_confgen) {
zone = isc_commandline_argument;
} else {
usage(EXIT_FAILURE);
}
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(EXIT_FAILURE);
} else {
usage(EXIT_SUCCESS);
}
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
if (progmode == progmode_keygen) {
keyname = argv[isc_commandline_index++];
}
POST(argv);
if (self_domain != NULL && zone != NULL) {
usage(EXIT_FAILURE); /* -s and -z cannot coexist */
}
if (argc > isc_commandline_index) {
usage(EXIT_FAILURE);
}
/* Use canonical algorithm name */
algname = dst_hmac_algorithm_totext(alg);
isc_mem_create(&mctx);
if (keyname == NULL) {
const char *suffix = NULL;
keyname = ((progmode == progmode_keygen) ? KEYGEN_DEFAULT
: CONFGEN_DEFAULT);
if (self_domain != NULL) {
suffix = self_domain;
} else if (zone != NULL) {
suffix = zone;
}
if (suffix != NULL) {
len = strlen(keyname) + strlen(suffix) + 2;
keybuf = isc_mem_get(mctx, len);
snprintf(keybuf, len, "%s.%s", keyname, suffix);
keyname = (const char *)keybuf;
}
}
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, alg, keysize, &key_txtbuffer);
if (!quiet) {
printf("\
# To activate this key, place the following in named.conf, and\n\
# in a separate keyfile on the system or systems from which nsupdate\n\
# will be run:\n");
}
printf("\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n",
keyname, algname, (int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer));
if (!quiet) {
if (self_domain != NULL) {
printf("\n\
# Then, in the \"zone\" statement for the zone containing the\n\
# name \"%s\", place an \"update-policy\" statement\n\
# like this one, adjusted as needed for your preferred permissions:\n\
update-policy {\n\
grant %s name %s ANY;\n\
};\n",
self_domain, keyname, self_domain);
} else if (zone != NULL) {
printf("\n\
# Then, in the \"zone\" definition statement for \"%s\",\n\
# place an \"update-policy\" statement like this one, adjusted as \n\
# needed for your preferred permissions:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
zone, keyname);
} else {
printf("\n\
# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
# update, place an \"update-policy\" statement granting update permission\n\
# to this key. For example, the following statement grants this key\n\
# permission to update any name within the zone:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
keyname);
}
printf("\n\
# After the keyfile has been placed, the following command will\n\
# execute nsupdate using this key:\n\
nsupdate -k <keyfile>\n");
}
if (keybuf != NULL) {
isc_mem_put(mctx, keybuf, len);
}
if (show_final_mem) {
isc_mem_stats(mctx, stderr);
}
isc_mem_destroy(&mctx);
return 0;
}
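Review bot: the fallback `memmove(program, "tsig-keygen", 11)` in the `isc_file_progname()` failure branch copies exactly 11 bytes and no terminating NUL, so `program` is a valid C string only because it is a zero-initialized `static char program[256]`; `snprintf(program, sizeof(program), "%s", "tsig-keygen")` (or `strlcpy`) would make that explicit and survive a later change to a non-static buffer. Two smaller points in the same hunk: the key name, the `-s` name and the `-z` zone come straight from `argv` and are emitted inside `key "%s" {` and `grant %s ...` with no check that they parse as DNS names (`<dns/name.h>` is already included), so a mistyped name only surfaces when `named` rejects the generated configuration; and a binary installed under any name other than `tsig-keygen` or `ddns-confgen` (after the `lt-` and `.exe` handling) hits `UNREACHABLE()` rather than a diagnostic, which is worth a `fatal()` that prints the observed program name.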


@ -0,0 +1,55 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. BEWARE: Do not forget to edit also ddns-confgen.rst!
.. iscman:: tsig-keygen
.. program:: tsig-keygen
.. _man_tsig-keygen:
tsig-keygen - TSIG key generation tool
--------------------------------------
Synopsis
~~~~~~~~
:program:`tsig-keygen` [**-a** algorithm] [**-h**] [name]
Description
~~~~~~~~~~~
:program:`tsig-keygen` is an utility that generates keys for use with TSIG
(Transaction Signatures) as defined in :rfc:`2845`. The resulting keys can be used,
for example, to secure dynamic DNS updates to a zone, or for the :iscman:`rndc`
command channel.
A domain name can be specified on the command line to be used as the name
of the generated key. If no name is specified, the default is ``tsig-key``.
Options
~~~~~~~
.. option:: -a algorithm
This option specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
and hmac-sha512. The default is hmac-sha256. Options are
case-insensitive, and the "hmac-" prefix may be omitted.
.. option:: -h
This option prints a short summary of options and arguments.
See Also
~~~~~~~~
:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
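Review bot: the Description cites :rfc:`2845` for TSIG, but that document has been obsoleted by :rfc:`8945`; the reference should be updated, and the same change applied to ddns-confgen.rst as the "BEWARE" comment at the top of this file reminds. Also in this hunk: "is an utility" should read "is a utility"; the `-a` option lists hmac-md5 alongside the SHA-2 variants without any caveat while the tool itself defaults to hmac-sha256, so one sentence recommending against hmac-md5 for new keys would stop operators choosing it by habit; and the page says nothing about protecting the file that ends up holding the secret, where a note that it should be readable only by the user running :iscman:`nsupdate` (or by :iscman:`named` for the control channel) belongs under Description.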

51
bin/confgen/util.c Normal file

@ -0,0 +1,51 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/tls.h>
#include "util.h"
extern bool verbose;
extern const char *progname;
void
notify(const char *fmt, ...) {
va_list ap;
if (verbose) {
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fprintf(stderr, "\n");
}
}
void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", progname);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
_exit(EXIT_FAILURE);
}
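Review bot: `fatal()` ends with `_exit(EXIT_FAILURE)`, which bypasses `atexit` handlers and stdio flushing; the diagnostic itself is safe because stderr is unbuffered, but anything a caller had already written to stdout with `printf` (such as the generated `key` clause in the confgen program, should `fatal()` ever be reached after it) would be silently lost, and no memory-context statistics would be reported. If the intent is to avoid running destructors from a half-initialized state, a comment saying so would help; otherwise `exit()` is the expected call. Minor: `<isc/tls.h>` is included but nothing in this file uses it.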

42
bin/confgen/util.h Normal file

@ -0,0 +1,42 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <isc/attributes.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#define NS_CONTROL_PORT 953
#undef DO
#define DO(name, function) \
do { \
result = function; \
if (result != ISC_R_SUCCESS) \
fatal("%s: %s", name, isc_result_totext(result)); \
else \
notify("%s", name); \
} while (0)
ISC_LANG_BEGINDECLS
void
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
noreturn void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_LANG_ENDDECLS
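Review bot: the `DO()` macro assigns to a `result` variable that is not a macro parameter and must exist with type `isc_result_t` in the caller's scope, which makes call sites harder to audit than a macro that takes `result` explicitly or a comment stating the dependency. Style: the `if`/`else` inside the macro has no braces, which is at odds with the braced single-statement bodies used throughout the rest of this commit (for example `if (verbose) { ... }` in util.c); `if (...) { fatal(...); } else { notify(...); }` would match.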

23
bin/delv/Makefile.am Normal file

@ -0,0 +1,23 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
-I$(top_builddir)/include \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(OPENSSL_CFLAGS)
AM_CPPFLAGS += \
-DSYSCONFDIR=\"${sysconfdir}\"
bin_PROGRAMS = delv
delv_SOURCES = \
delv.c
delv_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCFG_LIBS)

838
bin/delv/Makefile.in Normal file

@ -0,0 +1,838 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
@HOST_MACOS_TRUE@am__append_1 = \
@HOST_MACOS_TRUE@ -Wl,-flat_namespace
bin_PROGRAMS = delv$(EXEEXT)
subdir = bin/delv
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
am_delv_OBJECTS = delv.$(OBJEXT)
delv_OBJECTS = $(am_delv_OBJECTS)
am__DEPENDENCIES_1 =
@HAVE_JEMALLOC_FALSE@am__DEPENDENCIES_2 = \
@HAVE_JEMALLOC_FALSE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
delv_DEPENDENCIES = $(am__DEPENDENCIES_2) $(LIBDNS_LIBS) $(LIBNS_LIBS) \
$(LIBISCCFG_LIBS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/delv.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo " CC " $@;
am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(delv_SOURCES)
DIST_SOURCES = $(delv_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \
$(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \
-I$(srcdir)/include -I$(top_builddir)/include $(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) $(LIBNS_CFLAGS) $(LIBISCCFG_CFLAGS) \
$(OPENSSL_CFLAGS) -DSYSCONFDIR=\"${sysconfdir}\"
AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1)
LDADD =
BUILT_SOURCES =
CLEANFILES =
@HAVE_JEMALLOC_FALSE@LIBISC_CFLAGS = -I$(top_srcdir)/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_TRUE@LIBISC_CFLAGS = $(JEMALLOC_CFLAGS) \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_FALSE@LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@LIBISC_LIBS = $(JEMALLOC_LIBS) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_DTRACE_TRUE@LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
@HAVE_DTRACE_TRUE@LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
@HAVE_DTRACE_TRUE@LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
delv_SOURCES = \
delv.c
delv_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCFG_LIBS)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/delv/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/delv/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.top $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
delv$(EXEEXT): $(delv_OBJECTS) $(delv_DEPENDENCIES) $(EXTRA_delv_DEPENDENCIES)
@rm -f delv$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(delv_OBJECTS) $(delv_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delv.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
all-am: Makefile $(PROGRAMS)
installdirs:
for dir in "$(DESTDIR)$(bindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/delv.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
doc: doc-am
doc-am: doc-local
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-binPROGRAMS
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/delv.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
test: test-am
test-am: test-local
uninstall-am: uninstall-binPROGRAMS
unit: unit-am
unit-am: unit-local
.MAKE: all check install install-am install-exec install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
ctags ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir doc-am doc-local dvi \
dvi-am html html-am info info-am install install-am \
install-binPROGRAMS install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am tags tags-am test-am test-local uninstall \
uninstall-am uninstall-binPROGRAMS unit-am unit-local
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

2342
bin/delv/delv.c Normal file

File diff suppressed because it is too large

422
bin/delv/delv.rst Normal file

@ -0,0 +1,422 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: delv
.. program:: delv
.. _man_delv:
delv - DNS lookup and validation utility
----------------------------------------
Synopsis
~~~~~~~~
:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
:program:`delv` [**-h**]
:program:`delv` [**-v**]
:program:`delv` [queryopt...] [query...]
Description
~~~~~~~~~~~
:program:`delv` is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as :iscman:`named`.
:program:`delv` sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains,
queries for DNSKEY, and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
By default, responses are validated using the built-in DNSSEC trust anchor
for the root zone ("."). Records returned by :program:`delv` are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because :program:`delv` does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.
Unless it is told to query a specific name server, :program:`delv` tries
each of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, :program:`delv` sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
When no command-line arguments or options are given, :program:`delv`
performs an NS query for "." (the root zone).
Simple Usage
~~~~~~~~~~~~
A typical invocation of :program:`delv` looks like:
::
delv @server name type
where:
.. option:: server
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, :program:`delv` resolves that name before querying that name
server (note, however, that this initial lookup is *not* validated by
DNSSEC).
If no ``server`` argument is provided, :program:`delv` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the :option:`-4` or :option:`-6`
options is in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, :program:`delv`
sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
.. option:: name
is the domain name to be looked up.
.. option:: type
indicates what type of query is required - ANY, A, MX, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, :program:`delv` performs a lookup for an A record.
Options
~~~~~~~
.. option:: -a anchor-file
This option specifies a file from which to read an alternate
DNSSEC root zone trust anchor.
By default, keys that do not match the root zone name (`.`) are
ignored. If an alternate key name is desired, it can be
specified using the :option:`+root` option.
Note: When reading trust anchors, :program:`delv` treats
``trust-anchors``, ``initial-key``, and ``static-key`` identically. That
is, for a managed key, it is the *initial* key that is trusted;
:rfc:`5011` key management is not supported. :program:`delv` does not
consult the managed-keys database maintained by :iscman:`named`. This
means that if the default key built in to :program:`delv` is revoked,
:program:`delv` must be updated to a newer version in order to continue
validating.
.. option:: -b address
This option sets the source IP address of the query to ``address``. This must be
a valid address on one of the host's network interfaces, or ``0.0.0.0``,
or ``::``. An optional source port may be specified by appending
``#<port>``
.. option:: -c class
This option sets the query class for the requested data. Currently, only class
"IN" is supported in :program:`delv` and any other value is ignored.
.. option:: -d level
This option sets the systemwide debug level to ``level``. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
:program:`delv` become more verbose as the debug level increases. See the
:option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for
additional debugging details.
.. option:: -h
This option displays the :program:`delv` help usage output and exits.
.. option:: -i
This option sets insecure mode, which disables internal DNSSEC validation. (Note,
however, that this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it does
not return invalid data; this can cause :program:`delv` to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
:option:`dig +cd`.)
.. option:: -m
This option enables memory usage debugging.
.. option:: -p port#
This option specifies a destination port to use for queries, instead of the
standard DNS port number 53. This option is used with a name
server that has been configured to listen for queries on a
non-standard port number.
.. option:: -q name
This option sets the query name to ``name``. While the query name can be
specified without using the :option:`-q` option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
.. option:: -t type
This option sets the query type to ``type``, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
with :option:`-q`, this is useful to distinguish query-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
The default query type is "A", unless the :option:`-x` option is supplied
to indicate a reverse lookup, in which case it is "PTR".
.. option:: -v
This option prints the :program:`delv` version and exits.
.. option:: -x addr
This option performs a reverse lookup, mapping an address to a name. ``addr``
is an IPv4 address in dotted-decimal notation, or a colon-delimited
IPv6 address. When :option:`-x` is used, there is no need to provide the
``name`` or ``type`` arguments; :program:`delv` automatically performs a
lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
.. option:: -4
This option forces :program:`delv` to only use IPv4.
.. option:: -6
This option forces :program:`delv` to only use IPv6.
Query Options
~~~~~~~~~~~~~
:program:`delv` provides a number of query options which affect the way results
are displayed, and in some cases the way lookups are performed.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. The query options are:
.. option:: +cdflag, +nocdflag
This option controls whether to set the CD (checking disabled) bit in queries
sent by :program:`delv`. This may be useful when troubleshooting DNSSEC
problems from behind a validating resolver. A validating resolver
blocks invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries causes the resolver
to return invalid responses, which :program:`delv` can then validate
internally and report the errors in detail.
.. option:: +class, +noclass
This option controls whether to display the CLASS when printing a record. The
default is to display the CLASS.
.. option:: +hint=FILE, +nohint
This option specifies a filename from which to load root hints;
this will be used to find the root name servers when name server
mode (``delv +ns``) is in use. If the option is not specified,
built-in root hints will be used.
.. option:: +ns, +nons
This option toggles name server mode. When this option is in use,
the ``delv`` process instantiates a full recursive resolver, and uses
that to look up the requested query name and type. Turning on this
option also activates ``+mtrace``, ``+strace`` and ``+rtrace``, so that
every iterative query will be logged, including the full response messages
from each authoritatve server. These logged messages will be written
to ``stdout`` rather than ``stderr`` as usual, so that the full trace
can be captured more easily.
This is intended to be similar to the behavior of ``dig +trace``, but
because it uses the same code as ``named``, it much more accurately
replicates the behavior of a recursive name server with a cold cache
that is processing a recursive query.
.. option:: +qmin[=MODE], +noqmin
When used with ``+ns``, this option enables QNAME minimization mode.
Valid options of MODE are ``relaxed`` and ``strict``. By default,
QNAME minimization is disabled. If ``+qmin`` is specified but MODE
is omitted, then ``relaxed`` mode will be used.
.. option:: +ttl, +nottl
This option controls whether to display the TTL when printing a record. The
default is to display the TTL.
.. option:: +rtrace, +nortrace
This option toggles resolver fetch logging. This reports the name and
type of each query sent by :program:`delv` in the process of carrying
out the resolution and validation process, including the original query
and all subsequent queries to follow CNAMEs and to establish a chain of
trust for DNSSEC validation.
This is equivalent to setting the debug level to 1 in the "resolver"
logging category. Setting the systemwide debug level to 1 using the
:option:`-d` option produces the same output, but affects other
logging categories as well.
.. option:: +mtrace, +nomtrace
This option toggles logging of messages received. This produces
a detailed dump of the responses received by :program:`delv` in the
process of carrying out the resolution and validation process.
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 10 using the :option:`-d` option produces the same
output, but affects other logging categories as well.
.. option:: +strace, +nostrace
This option toggles logging of messages sent. This produces a detailed
dump of the queries sent by :program:`delv` in the process of carrying
out the resolution and validation process. Turning on this option
also activates ``+mtrace``.
This is equivalent to setting the debug level to 11 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 11 using the :option:`-d` option produces the same
output, but affects other logging categories as well.
.. option:: +vtrace, +novtrace
This option toggles validation logging. This shows the internal process of the
validator as it determines whether an answer is validly signed,
unsigned, or invalid.
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
systemwide debug level to 3 using the :option:`-d` option produces the
same output, but affects other logging categories as well.
.. option:: +short, +noshort
This option toggles between verbose and terse answers. The default is to print the answer in a
verbose form.
.. option:: +comments, +nocomments
This option toggles the display of comment lines in the output. The default is to
print comments.
.. option:: +rrcomments, +norrcomments
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
to print per-record comments.
.. option:: +crypto, +nocrypto
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
.. option:: +restarts
When name server mode (``delv +ns``) is in use, this option sets the
maximum number of CNAME queries to follow before terminating resolution.
This prevents ``delv`` from hanging in the event of a CNAME loop.
The default is 11.
.. option:: +maxqueries
This option specifies the maximum number of queries to send to resolve
a name before giving up. The default is 50.
.. option:: +maxtotalqueries
This option specifies the maximum number of queries to send to resolve
a client request before giving up. The default is 200.
.. option:: +trust, +notrust
This option controls whether to display the trust level when printing a record.
The default is to display the trust level.
.. option:: +split[=W], +nosplit
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
.. option:: +all, +noall
This option sets or clears the display options :option:`+comments`,
:option:`+rrcomments`, and :option:`+trust` as a group.
.. option:: +multiline, +nomultiline
This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
verbose multi-line format with human-readable comments. The default
is to print each record on a single line, to facilitate machine
parsing of the :program:`delv` output.
.. option:: +dnssec, +nodnssec
This option indicates whether to display RRSIG records in the :program:`delv` output.
The default is to do so. Note that (unlike in :iscman:`dig`) this does
*not* control whether to request DNSSEC records or to
validate them. DNSSEC records are always requested, and validation
always occurs unless suppressed by the use of :option:`-i` or
:option:`+noroot`.
.. option:: +root[=ROOT], +noroot
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built-in key. If
specifying a different trust anchor, then :option:`-a` must be used to specify a
file containing the key.
.. option:: +tcp, +notcp
This option controls whether to use TCP when sending queries. The default is to
use UDP unless a truncated response has been received.
.. option:: +unknownformat, +nounknownformat
This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
.. option:: +yaml, +noyaml
This option prints response data in YAML format.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:iscman:`dig(1) <dig>`, :iscman:`named(8) <named>`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.
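Review bot: the ``+ns`` paragraph misspells "authoritatve" (should be "authoritative"), and three numeric query options are declared without their value syntax: `.. option:: +restarts`, `.. option:: +maxqueries` and `.. option:: +maxtotalqueries` each describe a number ("The default is 11", "50", "200") but, unlike `+split[=W]` and `+qmin[=MODE]`, show no `=N` on the directive line, so a reader copying the option from the heading gets an incomplete form. Also, `.. highlight: console` has a single colon, which reStructuredText parses as a comment rather than as the highlight directive; it should read `.. highlight:: console`. Minor: the `-b` description stops at "appending ``#<port>``" with no closing punctuation, and the `-c` description says other classes "are ignored" while the synopsis still advertises `[class]` as a positional argument, so it would help to state there that a non-IN class is silently ignored rather than rejected.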

37
bin/dig/Makefile.am Normal file

@ -0,0 +1,37 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIDN2_CFLAGS) \
$(LIBUV_CFLAGS) \
$(OPENSSL_CFLAGS)
LDADD += \
libdighost.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIDN2_LIBS)
noinst_LTLIBRARIES = libdighost.la
libdighost_la_SOURCES = \
dighost.h \
dighost.c
bin_PROGRAMS = dig host nslookup
nslookup_CPPFLAGS = \
$(AM_CPPFLAGS)
nslookup_LDADD = \
$(LDADD)
if HAVE_READLINE
nslookup_CPPFLAGS += \
$(READLINE_CFLAGS)
nslookup_LDADD += \
$(READLINE_LIBS)
endif HAVE_READLINE
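Review bot: AM_CPPFLAGS adds `$(LIBUV_CFLAGS)` and `$(OPENSSL_CFLAGS)`, but LDADD lists no matching `$(LIBUV_LIBS)` or `$(OPENSSL_LIBS)`; if dig, host and nslookup only reach libuv and OpenSSL through `$(LIBISC_LIBS)` this is intentional, but a one-line comment saying so (or the explicit `_LIBS` entries) would keep the compile and link dependencies visibly in step. The HAVE_READLINE block is correct as written: `nslookup_CPPFLAGS` and `nslookup_LDADD` are initialized from `$(AM_CPPFLAGS)` and `$(LDADD)` before the conditional `+=`, which is what automake requires for a per-target append inside a conditional.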

908
bin/dig/Makefile.in Normal file

@ -0,0 +1,908 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
@HOST_MACOS_TRUE@am__append_1 = \
@HOST_MACOS_TRUE@ -Wl,-flat_namespace
bin_PROGRAMS = dig$(EXEEXT) host$(EXEEXT) nslookup$(EXEEXT)
@HAVE_READLINE_TRUE@am__append_2 = \
@HAVE_READLINE_TRUE@ $(READLINE_CFLAGS)
@HAVE_READLINE_TRUE@am__append_3 = \
@HAVE_READLINE_TRUE@ $(READLINE_LIBS)
subdir = bin/dig
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
LTLIBRARIES = $(noinst_LTLIBRARIES)
libdighost_la_LIBADD =
am_libdighost_la_OBJECTS = dighost.lo
libdighost_la_OBJECTS = $(am_libdighost_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
dig_SOURCES = dig.c
dig_OBJECTS = dig.$(OBJEXT)
dig_LDADD = $(LDADD)
am__DEPENDENCIES_1 =
@HAVE_JEMALLOC_FALSE@am__DEPENDENCIES_2 = \
@HAVE_JEMALLOC_FALSE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
dig_DEPENDENCIES = libdighost.la $(am__DEPENDENCIES_2) $(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) $(am__DEPENDENCIES_1)
host_SOURCES = host.c
host_OBJECTS = host.$(OBJEXT)
host_LDADD = $(LDADD)
host_DEPENDENCIES = libdighost.la $(am__DEPENDENCIES_2) $(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) $(am__DEPENDENCIES_1)
nslookup_SOURCES = nslookup.c
nslookup_OBJECTS = nslookup-nslookup.$(OBJEXT)
am__DEPENDENCIES_3 = libdighost.la $(am__DEPENDENCIES_2) \
$(LIBDNS_LIBS) $(LIBISCCFG_LIBS) $(am__DEPENDENCIES_1)
@HAVE_READLINE_TRUE@am__DEPENDENCIES_4 = $(am__DEPENDENCIES_1)
nslookup_DEPENDENCIES = $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_4)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/dig.Po ./$(DEPDIR)/dighost.Plo \
./$(DEPDIR)/host.Po ./$(DEPDIR)/nslookup-nslookup.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo " CC " $@;
am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(libdighost_la_SOURCES) dig.c host.c nslookup.c
DIST_SOURCES = $(libdighost_la_SOURCES) dig.c host.c nslookup.c
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \
$(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \
-I$(srcdir)/include $(LIBISC_CFLAGS) $(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) $(LIBIDN2_CFLAGS) $(LIBUV_CFLAGS) \
$(OPENSSL_CFLAGS)
AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1)
LDADD = libdighost.la $(LIBISC_LIBS) $(LIBDNS_LIBS) $(LIBISCCFG_LIBS) \
$(LIBIDN2_LIBS)
BUILT_SOURCES =
CLEANFILES =
@HAVE_JEMALLOC_FALSE@LIBISC_CFLAGS = -I$(top_srcdir)/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_TRUE@LIBISC_CFLAGS = $(JEMALLOC_CFLAGS) \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_FALSE@LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@LIBISC_LIBS = $(JEMALLOC_LIBS) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_DTRACE_TRUE@LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
@HAVE_DTRACE_TRUE@LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
@HAVE_DTRACE_TRUE@LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
noinst_LTLIBRARIES = libdighost.la
libdighost_la_SOURCES = \
dighost.h \
dighost.c
nslookup_CPPFLAGS = $(AM_CPPFLAGS) $(am__append_2)
nslookup_LDADD = $(LDADD) $(am__append_3)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/dig/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/dig/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.top $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
clean-noinstLTLIBRARIES:
-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
@list='$(noinst_LTLIBRARIES)'; \
locs=`for p in $$list; do echo $$p; done | \
sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
sort -u`; \
test -z "$$locs" || { \
echo rm -f $${locs}; \
rm -f $${locs}; \
}
libdighost.la: $(libdighost_la_OBJECTS) $(libdighost_la_DEPENDENCIES) $(EXTRA_libdighost_la_DEPENDENCIES)
$(AM_V_CCLD)$(LINK) $(libdighost_la_OBJECTS) $(libdighost_la_LIBADD) $(LIBS)
dig$(EXEEXT): $(dig_OBJECTS) $(dig_DEPENDENCIES) $(EXTRA_dig_DEPENDENCIES)
@rm -f dig$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(dig_OBJECTS) $(dig_LDADD) $(LIBS)
host$(EXEEXT): $(host_OBJECTS) $(host_DEPENDENCIES) $(EXTRA_host_DEPENDENCIES)
@rm -f host$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(host_OBJECTS) $(host_LDADD) $(LIBS)
nslookup$(EXEEXT): $(nslookup_OBJECTS) $(nslookup_DEPENDENCIES) $(EXTRA_nslookup_DEPENDENCIES)
@rm -f nslookup$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(nslookup_OBJECTS) $(nslookup_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dig.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dighost.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nslookup-nslookup.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
nslookup-nslookup.o: nslookup.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nslookup_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nslookup-nslookup.o -MD -MP -MF $(DEPDIR)/nslookup-nslookup.Tpo -c -o nslookup-nslookup.o `test -f 'nslookup.c' || echo '$(srcdir)/'`nslookup.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/nslookup-nslookup.Tpo $(DEPDIR)/nslookup-nslookup.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nslookup.c' object='nslookup-nslookup.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nslookup_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nslookup-nslookup.o `test -f 'nslookup.c' || echo '$(srcdir)/'`nslookup.c
nslookup-nslookup.obj: nslookup.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nslookup_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nslookup-nslookup.obj -MD -MP -MF $(DEPDIR)/nslookup-nslookup.Tpo -c -o nslookup-nslookup.obj `if test -f 'nslookup.c'; then $(CYGPATH_W) 'nslookup.c'; else $(CYGPATH_W) '$(srcdir)/nslookup.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/nslookup-nslookup.Tpo $(DEPDIR)/nslookup-nslookup.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nslookup.c' object='nslookup-nslookup.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nslookup_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nslookup-nslookup.obj `if test -f 'nslookup.c'; then $(CYGPATH_W) 'nslookup.c'; else $(CYGPATH_W) '$(srcdir)/nslookup.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
all-am: Makefile $(PROGRAMS) $(LTLIBRARIES)
installdirs:
for dir in "$(DESTDIR)$(bindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
clean-am: clean-binPROGRAMS clean-generic clean-libtool \
clean-noinstLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/dig.Po
-rm -f ./$(DEPDIR)/dighost.Plo
-rm -f ./$(DEPDIR)/host.Po
-rm -f ./$(DEPDIR)/nslookup-nslookup.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
doc: doc-am
doc-am: doc-local
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-binPROGRAMS
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/dig.Po
-rm -f ./$(DEPDIR)/dighost.Plo
-rm -f ./$(DEPDIR)/host.Po
-rm -f ./$(DEPDIR)/nslookup-nslookup.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
test: test-am
test-am: test-local
uninstall-am: uninstall-binPROGRAMS
unit: unit-am
unit-am: unit-local
.MAKE: all check install install-am install-exec install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-binPROGRAMS clean-generic clean-libtool \
clean-noinstLTLIBRARIES cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir doc-am doc-local dvi dvi-am html \
html-am info info-am install install-am install-binPROGRAMS \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am test-am test-local uninstall uninstall-am \
uninstall-binPROGRAMS unit-am unit-local
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
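Review bot: this file is automake output rather than hand-written build logic, so the substantive review target is bin/dig/Makefile.am, not these lines; the rule `$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)` followed by `$(AUTOMAKE) --foreign bin/dig/Makefile` shows that a maintainer-mode build regenerates this file whenever Makefile.am is newer, so the committed copy should be checked to match what that command produces from the committed Makefile.am, or the reviewed file is silently replaced at build time. Note also that every compiler and linker flag for dig, host and nslookup arrives through the `$(STD_CFLAGS)`, `$(STD_CPPFLAGS)` and `$(STD_LDFLAGS)` substitutions in AM_CFLAGS, AM_CPPFLAGS and AM_LDFLAGS (plus the conditional `$(am__append_1)`, `$(am__append_2)` and `$(am__append_3)`), none of which is defined here, so any review of the flags these three binaries are built with has to happen at the configure level.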

3446
bin/dig/dig.c Normal file

File diff suppressed because it is too large

816
bin/dig/dig.rst Normal file

@ -0,0 +1,816 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dig
.. program:: dig
.. _man_dig:
dig - DNS lookup utility
------------------------
Synopsis
~~~~~~~~
:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
:program:`dig` [**-h**]
:program:`dig` [global-queryopt...] [query...]
Description
~~~~~~~~~~~
:program:`dig` is a flexible tool for interrogating DNS name servers. It
performs DNS lookups and displays the answers that are returned from the
name server(s) that were queried. Most DNS administrators use :program:`dig` to
troubleshoot DNS problems because of its flexibility, ease of use, and
clarity of output. Other lookup tools tend to have less functionality
than :program:`dig`.
Although :program:`dig` is normally used with command-line arguments, it also
has a batch mode of operation for reading lookup requests from a file. A
brief summary of its command-line arguments and options is printed when
the :option:`-h` option is given. The BIND 9
implementation of :program:`dig` allows multiple lookups to be issued from the
command line.
Unless it is told to query a specific name server, :program:`dig` tries each
of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, :program:`dig` sends the query to the local host.
When no command-line arguments or options are given, :program:`dig`
performs an NS query for "." (the root).
It is possible to set per-user defaults for :program:`dig` via
``${HOME}/.digrc``. This file is read and any options in it are applied
before the command-line arguments. The :option:`-r` option disables this
feature, for scripts that need predictable behavior.
The IN and CH class names overlap with the IN and CH top-level domain
names. Either use the :option:`-t` and :option:`-c` options to specify the type and
class, use the :option:`-q` to specify the domain name, or use "IN." and
"CH." when looking up these top-level domains.
Simple Usage
~~~~~~~~~~~~
A typical invocation of :program:`dig` looks like:
::
dig @server name type
where:
.. option:: server
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, :program:`dig` resolves that name before querying that name
server.
If no ``server`` argument is provided, :program:`dig` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the :option:`-4` or :option:`-6`
options are in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, :program:`dig`
sends the query to the local host. The reply from the name server
that responds is displayed.
.. option:: name
is the name of the resource record that is to be looked up.
.. option:: type
indicates what type of query is required - ANY, A, MX, SIG, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, :program:`dig` performs a lookup for an A record.
Options
~~~~~~~
.. option:: -4
This option indicates that only IPv4 should be used.
.. option:: -6
This option indicates that only IPv6 should be used.
.. option:: -b address[#port]
This option sets the source IP address of the query. The ``address`` must be a
valid address on one of the host's network interfaces, or "0.0.0.0"
or "::". An optional port may be specified by appending ``#port``.
.. option:: -c class
This option sets the query class. The default ``class`` is IN; other classes are
HS for Hesiod records or CH for Chaosnet records.
.. option:: -f file
This option sets batch mode, in which :program:`dig` reads a list of lookup requests to process from
the given ``file``. Each line in the file should be organized in the
same way it would be presented as a query to :program:`dig` using the
command-line interface.
.. option:: -h
Print a usage summary.
.. option:: -k keyfile
This option tells :program:`dig` to sign queries using TSIG or
SIG(0) using a key read from the given file. Key files can be
generated using :iscman:`tsig-keygen`. When using TSIG authentication
with :program:`dig`, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is
done by providing appropriate ``key`` and ``server`` statements
in :iscman:`named.conf` for TSIG and by looking up the KEY record
in zone data for SIG(0).
.. option:: -m
This option enables memory usage debugging.
.. option:: -p port
This option sends the query to a non-standard port on the server, instead of the
default port 53. This option is used to test a name server that
has been configured to listen for queries on a non-standard port
number.
.. option:: -q name
This option specifies the domain name to query. This is useful to distinguish the ``name``
from other arguments.
.. option:: -r
This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
scripts that need predictable behavior.
.. option:: -t type
This option indicates the resource record type to query, which can be any valid query type. If
it is a resource record type supported in BIND 9, it can be given by
the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
``A``, unless the :option:`-x` option is supplied to indicate a reverse
lookup. A zone transfer can be requested by specifying a type of
AXFR. When an incremental zone transfer (IXFR) is required, set the
``type`` to ``ixfr=N``. The incremental zone transfer contains
all changes made to the zone since the serial number in the zone's
SOA record was ``N``.
All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
the number of the type. If the resource record type is not supported
in BIND 9, the result is displayed as described in :rfc:`3597`.
.. option:: -u
This option indicates that print query times should be provided in microseconds instead of milliseconds.
.. option:: -v
This option prints the version number and exits.
.. option:: -x addr
This option sets simplified reverse lookups, for mapping addresses to names. The
``addr`` is an IPv4 address in dotted-decimal notation, or a
colon-delimited IPv6 address. When the :option:`-x` option is used, there is no
need to provide the ``name``, ``class``, and ``type`` arguments.
:program:`dig` automatically performs a lookup for a name like
``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
and IN respectively. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
.. option:: -y [hmac:]keyname:secret
This option signs queries using TSIG with the given authentication key.
``keyname`` is the name of the key, and ``secret`` is the
base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
``hmac-sha256``.
.. note:: Only the :option:`-k` option should be used, rather than the :option:`-y` option,
because with :option:`-y` the shared secret is supplied as a command-line
argument in clear text. This may be visible in the output from ``ps1`` or
in a history file maintained by the user's shell.
Query Options
~~~~~~~~~~~~~
:program:`dig` provides a number of query options which affect the way in which
lookups are made and the results displayed. Some of these set or reset
flag bits in the query header, some determine which sections of the
answer get printed, and others determine the timeout and retry
strategies.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option; these may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options, like the timeout interval. They have the form
``+keyword=value``. Keywords may be abbreviated, provided the
abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
:option:`+cdflag`. The query options are:
.. option:: +aaflag, +noaaflag
This option is a synonym for :option:`+aaonly`, :option:`+noaaonly`.
.. option:: +aaonly, +noaaonly
This option sets the ``aa`` flag in the query.
.. option:: +additional, +noadditional
This option displays [or does not display] the additional section of a reply. The
default is to display it.
.. option:: +adflag, +noadflag
This option sets [or does not set] the AD (authentic data) bit in the query. This
requests the server to return whether all of the answer and authority
sections have been validated as secure, according to the security
policy of the server. ``AD=1`` indicates that all records have been
validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
indicates that some part of the answer was insecure or not validated.
This bit is set by default.
.. option:: +all, +noall
This option sets or clears all display flags.
.. option:: +answer, +noanswer
This option displays [or does not display] the answer section of a reply. The default
is to display it.
.. option:: +authority, +noauthority
This option displays [or does not display] the authority section of a reply. The
default is to display it.
.. option:: +badcookie, +nobadcookie
This option retries the lookup with a new server cookie if a BADCOOKIE response is
received.
.. option:: +besteffort, +nobesteffort
This option attempts to display the contents of messages which are malformed. The
default is to not display malformed answers.
.. option:: +bufsize[=B]
This option sets the UDP message buffer size advertised using EDNS0 to
``B`` bytes. The maximum and minimum sizes of this buffer are 65535 and
0, respectively. ``+bufsize`` restores the default buffer size.
.. option:: +cd, +cdflag, +nocdflag
This option sets [or does not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.
.. option:: +class, +noclass
This option displays [or does not display] the CLASS when printing the record.
.. option:: +cmd, +nocmd
This option toggles the printing of the initial comment in the output, identifying the
version of :program:`dig` and the query options that have been applied. This option
always has a global effect; it cannot be set globally and then overridden on a
per-lookup basis. The default is to print this comment.
.. option:: +comments, +nocomments
This option toggles the display of some comment lines in the output, with
information about the packet header and OPT pseudosection, and the names of
the response section. The default is to print these comments.
Other types of comments in the output are not affected by this option, but
can be controlled using other command-line switches. These include
:option:`+cmd`, :option:`+question`, :option:`+stats`, and :option:`+rrcomments`.
.. option:: +cookie=####, +nocookie
This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
from a previous response allows the server to identify a previous
client. The default is ``+cookie``.
``+cookie`` is also set when :option:`+trace` is set to better emulate the
default queries from a nameserver.
.. option:: +crypto, +nocrypto
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary for debugging most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
.. option:: +defname, +nodefname
This option, which is deprecated, is treated as a synonym for
:option:`+search`, :option:`+nosearch`.
.. option:: +dns64prefix, +nodns64prefix
Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
.. option:: +dnssec, +do, +nodnssec, +nodo
This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
the OPT record in the additional section of the query.
.. option:: +domain=somename
This option sets the search list to contain the single domain ``somename``, as if
specified in a ``domain`` directive in ``/etc/resolv.conf``, and
enables search list processing as if the :option:`+search` option were
given.
.. option:: +edns[=#], +noedns
This option specifies the EDNS version to query with. Valid values are 0 to 255.
Setting the EDNS version causes an EDNS query to be sent.
``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
default.
.. option:: +ednsflags[=#], +noednsflags
This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
Decimal, hex, and octal encodings are accepted. Setting a named flag
(e.g., DO) is silently ignored. By default, no Z bits are set.
.. option:: +ednsnegotiation, +noednsnegotiation
This option enables/disables EDNS version negotiation. By default, EDNS version
negotiation is enabled.
.. option:: +ednsopt[=code[:value]], +noednsopt
This option specifies the EDNS option with code point ``code`` and an optional payload
of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
option name (for example, ``NSID`` or ``ECS``) or an arbitrary
numeric value. ``+noednsopt`` clears the EDNS options to be sent.
.. option:: +expire, +noexpire
This option sends an EDNS Expire option.
.. option:: +fail, +nofail
This option indicates that :iscman:`named` should try [or not try] the next server if a SERVFAIL is received. The default is
to not try the next server, which is the reverse of normal stub
resolver behavior.
.. option:: +fuzztime[=value], +nofuzztime
This option allows the signing time to be specified when generating
signed messages. If a value is specified it is the seconds since
00:00:00 January 1, 1970 UTC ignoring leap seconds. If no value
is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used.
The default is ``+nofuzztime`` and the current time is used.
.. option:: +header-only, +noheader-only
This option sends a query with a DNS header without a question section. The
default is to add a question section. The query type and query name
are ignored when this is set.
.. option:: +https[=value], +nohttps
This option indicates whether to use DNS over HTTPS (DoH) when querying
name servers. When this option is in use, the port number defaults to 443.
The HTTP POST request mode is used when sending the query.
If ``value`` is specified, it will be used as the HTTP endpoint in the
query URI; the default is ``/dns-query``. So, for example, ``dig
@example.com +https`` will use the URI ``https://example.com/dns-query``.
.. option:: +https-get[=value], +nohttps-get
Similar to :option:`+https`, except that the HTTP GET request mode is used
when sending the query.
.. option:: +https-post[=value], +nohttps-post
Same as :option:`+https`.
.. option:: +http-plain[=value], +nohttp-plain
Similar to :option:`+https`, except that HTTP queries will be sent over a
non-encrypted channel. When this option is in use, the port number
defaults to 80 and the HTTP request mode is POST.
.. option:: +http-plain-get[=value], +nohttp-plain-get
Similar to :option:`+http-plain`, except that the HTTP request mode is GET.
.. option:: +http-plain-post[=value], +nohttp-plain-post
Same as :option:`+http-plain`.
.. option:: +identify, +noidentify
This option shows [or does not show] the IP address and port number that
supplied the answer, when the :option:`+short` option is enabled. If short
form answers are requested, the default is not to show the source
address and port number of the server that provided the answer.
.. option:: +idn, +noidn
Enable or disable IDN processing. By default IDN is enabled for
input query names, and for display when the output is a terminal.
You can also turn off :program:`dig`'s IDN processing by setting
the ``IDN_DISABLE`` environment variable.
.. option:: +ignore, +noignore
This option ignores [or does not ignore] truncation in UDP
responses instead of retrying with TCP. By default, TCP retries are
performed.
.. option:: +keepalive, +nokeepalive
This option sends [or does not send] an EDNS Keepalive option.
.. option:: +keepopen, +nokeepopen
This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
creating a new TCP socket for each lookup. The default is
``+nokeepopen``.
.. option:: +multiline, +nomultiline
This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
with human-readable comments. The default is to print each record on
a single line to facilitate machine parsing of the :program:`dig` output.
.. option:: +ndots=D
This option sets the number of dots (``D``) that must appear in ``name`` for
it to be considered absolute. The default value is that defined using
the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
statement is present. Names with fewer dots are interpreted as
relative names, and are searched for in the domains listed in the
``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
:option:`+search` is set.
.. option:: +nsid, +nonsid
When enabled, this option includes an EDNS name server ID request when sending a query.
.. option:: +nssearch, +nonssearch
When this option is set, :program:`dig` attempts to find the authoritative
name servers for the zone containing the name being looked up, and
display the SOA record that each name server has for the zone.
Addresses of servers that did not respond are also printed.
.. option:: +onesoa, +noonesoa
When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
default is to print both the starting and ending SOA records.
.. option:: +opcode=value, +noopcode
When enabled, this option sets (restores) the DNS message opcode to the specified value. The
default value is QUERY (0).
.. option:: +padding=value
This option pads the size of the query packet using the EDNS Padding option to
blocks of ``value`` bytes. For example, ``+padding=32`` causes a
48-byte query to be padded to 64 bytes. The default block size is 0,
which disables padding; the maximum is 512. Values are ordinarily
expected to be powers of two, such as 128; however, this is not
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
.. option:: +proxy[=src_addr[#src_port]-dst_addr[#dst_port]], +noproxy
When this option is set, :program:`dig` adds PROXYv2 headers to the
queries. When source and destination addresses are specified, the
headers contain them and use the ``PROXY`` command. It means for
the remote peer that the queries were sent on behalf of another
node and that the PROXYv2 header reflects the original connection
endpoints. The default source port is ``0`` and destination port is
`53`.
For encrypted DNS transports, to prevent accidental information
leakage, encryption is applied to the PROXYv2 headers: the headers
are sent right after the handshake process has been completed.
For plain DNS transports, no encryption is applied to the PROXYv2
headers.
If the addressees are omitted, PROXYv2 headers, that use the
``LOCAL`` command set, are added instead. For the remote peer, that
means that the queries were sent on purpose without being relayed,
so the real connection endpoint addresses must be used.
.. option:: +proxy-plain[=src_addr[#src_port]-dst_addr[#dst_port], +noproxy-plain
The same as ``+[no]proxy``, but instructs ``dig`` to send PROXYv2
headers ahead of any encryption, before any handshake messages are
sent. That makes :program:`dig` behave exactly how it is described
in the PROXY protocol specification, but not all software expects
such behaviour.
Please consult the software documentation to find out if you need
this option. (for example, ``dnsdist`` expects encrypted PROXYv2
headers sent over TLS when encryption is used, while ``HAProxy``
and many other software packages expect plain ones).
For plain DNS transports the option is effectively an alias for the
``+[no]proxy`` described above.
.. option:: +qid=value
This option specifies the query ID to use when sending queries.
.. option:: +qr, +noqr
This option toggles the display of the query message as it is sent. By default, the query
is not printed.
.. option:: +question, +noquestion
This option toggles the display of the question section of a query when an answer is
returned. The default is to print the question section as a comment.
.. option:: +raflag, +noraflag
This option sets [or does not set] the RA (Recursion Available) bit in the query. The
default is ``+noraflag``. This bit is ignored by the server for
QUERY.
.. option:: +rdflag, +nordflag
This option is a synonym for :option:`+recurse`, :option:`+norecurse`.
.. option:: +recurse, +norecurse
This option toggles the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means :program:`dig` normally sends
recursive queries. Recursion is automatically disabled when the
:option:`+nssearch` or :option:`+trace` query option is used.
.. option:: +retry=T
This option sets the number of times to retry UDP and TCP queries to server to ``T``
instead of the default, 2. Unlike :option:`+tries`, this does not include
the initial query.
.. option:: +rrcomments, +norrcomments
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
not to print record comments unless multiline mode is active.
.. option:: +search, +nosearch
This option uses [or does not use] the search list defined by the searchlist or domain
directive in ``resolv.conf``, if any. The search list is not used by
default.
``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
:option:`+ndots`, determines whether the name is treated as relative
and hence whether a search is eventually performed.
.. option:: +short, +noshort
This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
form. This option always has a global effect; it cannot be set globally and
then overridden on a per-lookup basis.
.. option:: +showbadcookie, +noshowbadcookie
This option toggles whether to show the message containing the
BADCOOKIE rcode before retrying the request or not. The default
is to not show the messages.
.. option:: +showbadvers, +noshowbadvers
This option toggles whether to show the message containing the
BADVERS rcode before retrying the request or not. The default
is to not show the messages.
.. option:: +showsearch, +noshowsearch
This option performs [or does not perform] a search showing intermediate results.
.. option:: +split=W
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
.. option:: +stats, +nostats
This option toggles the printing of statistics: when the query was made, the size of the
reply, etc. The default behavior is to print the query statistics as a
comment after each lookup.
.. option:: +subnet=addr[/prefix-length], +nosubnet
This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
address or network prefix.
``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
sends an EDNS CLIENT-SUBNET option with an empty address and a source
prefix-length of zero, which signals a resolver that the client's
address information must *not* be used when resolving this query.
.. option:: +tcflag, +notcflag
This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
``+notcflag``. This bit is ignored by the server for QUERY.
.. option:: +tcp, +notcp
This option indicates whether to use TCP when querying name
servers. The default behavior is to use UDP unless a type ``any``
or ``ixfr=N`` query is requested, in which case the default is
TCP. AXFR queries always use TCP. To prevent retry over TCP when
TC=1 is returned from a UDP query, use ``+ignore``.
.. option:: +timeout=T
This option sets the timeout for a query to ``T`` seconds. The default timeout is
5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
.. option:: +tls, +notls
This option indicates whether to use DNS over TLS (DoT) when querying
name servers. When this option is in use, the port number defaults
to 853.
.. option:: +tls-ca[=file-name], +notls-ca
This option enables remote server TLS certificate validation for
DNS transports, relying on TLS. Certificate authorities
certificates are loaded from the specified PEM file
(``file-name``). If the file is not specified, the default
certificates from the global certificates store are used.
.. option:: +tls-certfile=file-name, +tls-keyfile=file-name, +notls-certfile, +notls-keyfile
These options set the state of certificate-based client
authentication for DNS transports, relying on TLS. Both certificate
chain file and private key file are expected to be in PEM format.
Both options must be specified at the same time.
.. option:: +tls-hostname=hostname, +notls-hostname
This option makes :program:`dig` use the provided hostname during remote
server TLS certificate verification. Otherwise, the DNS server name
is used. This option has no effect if :option:`+tls-ca` is not specified.
.. option:: +trace, +notrace
This option toggles tracing of the delegation path from the root name
servers for the name being looked up. Tracing is disabled by default.
When tracing is enabled, :program:`dig` makes iterative queries to
resolve the name being looked up. It follows referrals from the root
servers, showing the answer from each server that was used to resolve
the lookup.
If ``@server`` is also specified, it affects only the initial query for
the root zone name servers.
:option:`+dnssec` is set when :option:`+trace` is set, to better
emulate the default queries from a name server.
Note that the ``delv +ns`` option can also be used for tracing the
resolution of a name from the root (see :iscman:`delv`).
.. option:: +tries=T
This option sets the number of times to try UDP and TCP queries to server to ``T``
instead of the default, 3. If ``T`` is less than or equal to zero,
the number of tries is silently rounded up to 1.
.. option:: +ttlid, +nottlid
This option displays [or does not display] the TTL when printing the record.
.. option:: +ttlunits, +nottlunits
This option displays [or does not display] the TTL in friendly human-readable time
units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
hours, days, and weeks. This implies :option:`+ttlid`.
.. option:: +unknownformat, +nounknownformat
This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
.. option:: +vc, +novc
This option uses [or does not use] TCP when querying name servers. This alternate
syntax to :option:`+tcp` is provided for backwards compatibility. The
``vc`` stands for "virtual circuit."
.. option:: +yaml, +noyaml
When enabled, this option prints the responses (and, if :option:`+qr` is in use, also the
outgoing queries) in a detailed YAML format.
.. option:: +zflag, +nozflag
This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
This flag is off by default.
Multiple Queries
~~~~~~~~~~~~~~~~
The BIND 9 implementation of :program:`dig` supports specifying multiple
queries on the command line (in addition to supporting the :option:`-f` batch
file option). Each of those queries can be supplied with its own set of
flags, options, and query options.
In this case, each ``query`` argument represents an individual query in
the command-line syntax described above. Each consists of any of the
standard options and flags, the name to be looked up, an optional query
type and class, and any query options that should be applied to that
query.
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
on the command line. Any global query options (except :option:`+cmd` and
:option:`+short` options) can be overridden by a query-specific set of
query options. For example:
::
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how :program:`dig` can be used from the command line to make three
lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
and a query for the NS records of ``isc.org``. A global query option of
:option:`+qr` is applied, so that :program:`dig` shows the initial query it made for
each lookup. The final query has a local query option of :option:`+noqr` which
means that :program:`dig` does not print the initial query when it looks up the
NS records for ``isc.org``.
Return Codes
~~~~~~~~~~~~
:program:`dig` return codes are:
``0``
DNS response received, including NXDOMAIN status
``1``
Usage error
``8``
Couldn't open batch file
``9``
No reply from server
``10``
Internal error
Files
~~~~~
``/etc/resolv.conf``
``${HOME}/.digrc``
See Also
~~~~~~~~
:iscman:`delv(1) <delv>`, :iscman:`host(1) <host>`, :iscman:`named(8) <named>`, :iscman:`dnssec-keygen(8) <dnssec-keygen>`, :rfc:`1035`.
Bugs
~~~~
There are probably too many query options.
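Review bot: the option signature on the line `.. option:: +proxy-plain[=src_addr[#src_port]-dst_addr[#dst_port], +noproxy-plain` is missing the closing `]` that the matching `+proxy[=src_addr[#src_port]-dst_addr[#dst_port]]` line has, so the rendered synopsis will show an unbalanced bracket. Two wording nits in the same region: "If the addressees are omitted" in the `+proxy` description should read "addresses", and "Certificate authorities certificates are loaded" under `+tls-ca` reads better as "Certificate authority certificates are loaded".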

4932
bin/dig/dighost.c Normal file

File diff suppressed because it is too large

471
bin/dig/dighost.h Normal file

@ -0,0 +1,471 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <inttypes.h>
#include <stdbool.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/list.h>
#include <isc/loop.h>
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/refcount.h>
#include <isc/sockaddr.h>
#include <isc/time.h>
#include <dns/rdatalist.h>
#include <dst/dst.h>
#ifdef __APPLE__
#include <TargetConditionals.h>
#endif /* ifdef __APPLE__ */
#define MXSERV 20
#define MXNAME (DNS_NAME_MAXTEXT + 1)
#define MXRD 32
/*% Buffer Size */
#define BUFSIZE 512
#define COMMSIZE 0xffff
#ifndef RESOLV_CONF
/*% location of resolve.conf */
#define RESOLV_CONF "/etc/resolv.conf"
#endif /* ifndef RESOLV_CONF */
/*% output buffer */
#define OUTPUTBUF 32767
/*% Max RR Limit */
#define MAXRRLIMIT 0xffffffff
#define MAXTIMEOUT 0xffff
/*% Max number of tries */
#define MAXTRIES 0xffffffff
/*% Max number of dots */
#define MAXNDOTS 0xffff
/*% Max number of ports */
#define MAXPORT 0xffff
/*% Max serial number */
#define MAXSERIAL 0xffffffff
/*% Max query ID */
#define MAXQID 0xffff
/*% Default TCP Timeout */
#define TCP_TIMEOUT 10
/*% Default UDP Timeout */
#define UDP_TIMEOUT 5
#define SERVER_TIMEOUT 1
#define LOOKUP_LIMIT 64
#define DEFAULT_EDNS_VERSION 0
#define DEFAULT_EDNS_BUFSIZE 1232
#define DEFAULT_HTTPS_QUERY "?dns="
/*%
* Lookup_limit is just a limiter, keeping too many lookups from being
* created. It's job is mainly to prevent the program from running away
* in a tight loop of constant lookups. It's value is arbitrary.
*/
ISC_LANG_BEGINDECLS
typedef struct dig_lookup dig_lookup_t;
typedef struct dig_query dig_query_t;
typedef struct dig_server dig_server_t;
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
#define DIG_LOOKUP_MAGIC ISC_MAGIC('D', 'i', 'g', 'l')
#define DIG_VALID_LOOKUP(x) ISC_MAGIC_VALID((x), DIG_LOOKUP_MAGIC)
#define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
/*% The dig_lookup structure */
struct dig_lookup {
unsigned int magic;
isc_refcount_t references;
bool aaonly, adflag, badcookie, besteffort, cdflag, cleared, comments,
dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
expire, fuzzing, header_only, identify, /*%< Append an "on
server <foo>" message
*/
identify_previous_line, /*% Prepend a "Nameserver <foo>:"
message, with newline and tab */
idnin, idnout, ignore, multiline, need_search, new_search,
noclass, nocrypto, nottl, ns_search_only, /*%< dig +nssearch,
host -C */
ns_search_success, nsid, /*% Name Server ID (RFC 5001) */
onesoa, pending, /*%< Pending a successful answer */
print_unknown_format, qr, raflag, recurse, section_additional,
section_answer, section_authority, section_question,
seenbadcookie, sendcookie, servfail_stops,
setqid, /*% use a speciied query ID */
showbadcookie, showbadvers, stats, tcflag, tcp_keepalive,
tcp_mode, tcp_mode_set, tls_mode, /*% connect using TLS */
trace, /*% dig +trace */
trace_root, /*% initial query for either +trace or +nssearch */
ttlunits, use_usec, waiting_connect, zflag;
char textname[MXNAME]; /*% Name we're going to be looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
dns_rdataclass_t rdclass;
bool rdtypeset;
bool rdclassset;
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char *sendspace;
dns_name_t *name;
isc_interval_t interval;
dns_message_t *sendmsg;
dns_name_t *oname;
ISC_LINK(dig_lookup_t) link;
ISC_LIST(dig_query_t) q;
ISC_LIST(dig_query_t) connecting;
dig_query_t *current_query;
dig_serverlist_t my_server_list;
dig_searchlist_t *origin;
dig_query_t *xfr_q;
uint32_t retries;
int nsfound;
int16_t udpsize;
int16_t edns;
int16_t original_edns;
int16_t padding;
uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t *tsigctx;
isc_buffer_t *querysig;
uint32_t msgcounter;
dns_fixedname_t fdomain;
isc_sockaddr_t *ecs_addr;
char *cookie;
dns_ednsopt_t *ednsopts;
unsigned int ednsoptscnt;
unsigned int ednsflags;
dns_opcode_t opcode;
int rrcomments;
uint16_t qid;
struct {
bool http_plain;
bool https_mode;
bool https_get;
char *https_path;
};
struct {
bool tls_ca_set;
char *tls_ca_file;
bool tls_hostname_set;
char *tls_hostname;
bool tls_cert_file_set;
char *tls_cert_file;
bool tls_key_file_set;
char *tls_key_file;
isc_tlsctx_cache_t *tls_ctx_cache;
};
struct {
bool proxy_mode;
bool proxy_plain;
bool proxy_local;
isc_sockaddr_t proxy_src_addr;
isc_sockaddr_t proxy_dst_addr;
};
isc_stdtime_t fuzztime;
};
/*% The dig_query structure */
struct dig_query {
unsigned int magic;
dig_lookup_t *lookup;
bool started;
bool first_soa_rcvd;
bool second_rr_rcvd;
bool first_repeat_rcvd;
bool warn_id;
bool canceled;
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
uint32_t rr_count;
bool ixfr_axfr;
char *servname;
char *userarg;
isc_buffer_t sendbuf;
char *recvspace, *tmpsendspace, lengthspace[4];
isc_refcount_t references;
isc_nmhandle_t *handle;
isc_nmhandle_t *readhandle;
isc_nmhandle_t *sendhandle;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t *timer;
};
struct dig_server {
char servername[MXNAME];
char userarg[MXNAME];
ISC_LINK(dig_server_t) link;
};
struct dig_searchlist {
char origin[MXNAME];
ISC_LINK(dig_searchlist_t) link;
};
typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
/*
* Externals from dighost.c
*/
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
showsearch, yaml;
extern in_port_t port;
extern bool port_set;
extern unsigned int timeout;
extern isc_mem_t *mctx;
extern isc_refcount_t sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t localaddr;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern dst_algorithm_t hmac_alg;
extern unsigned int digestbits;
extern dns_tsigkey_t *tsigkey;
extern bool validated;
extern isc_loopmgr_t *loopmgr;
extern isc_loop_t *mainloop;
extern bool free_now;
extern bool debugging, debugtiming, memdebugging;
extern bool keep_open;
extern char *progname;
extern int tries;
extern int fatalexit;
extern bool verbose;
/*
* Routines in dighost.c.
*/
isc_result_t
get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr);
int
getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
isc_result_t
get_reverse(char *reverse, size_t len, char *value, bool strict);
noreturn void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
noreturn void
digexit(void);
void
cleanup_openssl_refs(void);
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
check_result(isc_result_t result, const char *msg);
bool
setup_lookup(dig_lookup_t *lookup);
void
destroy_lookup(dig_lookup_t *lookup);
void
do_lookup(dig_lookup_t *lookup);
void
start_lookup(void);
void
onrun_callback(void *arg);
void
run_loop(void *arg);
int
dhmain(int argc, char **argv);
void
setup_libs(void);
void
setup_system(bool ipv4only, bool ipv6only);
isc_result_t
parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
isc_result_t
parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
isc_result_t
parse_netprefix(isc_sockaddr_t **sap, const char *value);
void
parse_hmac(const char *algname);
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, bool servers);
dig_lookup_t *
make_empty_lookup(void);
dig_lookup_t *
clone_lookup(dig_lookup_t *lookold, bool servers);
dig_server_t *
make_server(const char *servname, const char *userarg);
void
flush_server_list(void);
void
set_nameserver(char *opt);
void
clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest);
void
cancel_all(void);
void
destroy_libs(void);
void
set_search_domain(char *domain);
/*
* Routines to be defined in dig.c, host.c, and nslookup.c. and
* then assigned to the appropriate function pointer
*/
extern isc_result_t (*dighost_printmessage)(dig_query_t *query,
const isc_buffer_t *msgbuf,
dns_message_t *msg, bool headers);
/*
* Print an error message in the appropriate format.
*/
extern void (*dighost_error)(const char *format, ...);
/*
* Print a warning message in the appropriate format.
*/
extern void (*dighost_warning)(const char *format, ...);
/*
* Print a comment in the appropriate format.
*/
extern void (*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
/*%<
* Print the final result of the lookup.
*/
extern void (*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
dig_query_t *query);
/*%<
* Print a message about where and when the response
* was received from, like the final comment in the
* output of "dig".
*/
extern void (*dighost_trying)(char *frm, dig_lookup_t *lookup);
extern void (*dighost_shutdown)(void);
extern void (*dighost_pre_exit_hook)(void);
void
save_opt(dig_lookup_t *lookup, char *code, char *value);
void
setup_file_key(void);
void
setup_text_key(void);
/*
* Routines exported from dig.c for use by dig for iOS
*/
/*%
* Call once only to set up libraries, parse global
* parameters and initial command line query parameters
*/
void
dig_setup(int argc, char **argv);
/*%
* Call to supply new parameters for the next lookup
*/
void
dig_query_setup(bool, bool, int argc, char **argv);
/*%
* set the main application event cycle running
*/
void
dig_startup(void);
/*%
* Activate/deactivate IDN filtering of output.
*/
void
dig_idnsetup(dig_lookup_t *lookup, bool active);
/*%
* Cleans up the application
*/
void
dig_shutdown(void);
bool
dig_lookup_is_tls(const dig_lookup_t *lookup);
ISC_LANG_ENDDECLS
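Review bot: the prototype `dig_query_setup(bool, bool, int argc, char **argv);` leaves its first two parameters unnamed, so a caller of this exported entry point cannot tell from the header what the two booleans select; name them and describe them in the `/*% Call to supply new parameters for the next lookup */` comment, as the other prototypes in this file do. Comment typos in the same hunk: "It's job" and "It's value" in the `Lookup_limit` comment should be "Its", "use a speciied query ID" should be "specified", and "location of resolve.conf" above `RESOLV_CONF` should say `resolv.conf`.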

932
bin/dig/host.c Normal file

@ -0,0 +1,932 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <inttypes.h>
#include <limits.h>
#include <locale.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/loop.h>
#include <isc/netaddr.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include "dighost.h"
static bool short_form = true, listed_server = false;
static bool default_lookups = true;
static int seen_error = -1;
static bool list_addresses = true;
static bool list_almost_all = false;
static dns_rdatatype_t list_type = dns_rdatatype_a;
static bool printed_server = false;
static bool ipv4only = false, ipv6only = false;
static const char *opcodetext[] = { "QUERY", "IQUERY", "STATUS",
"RESERVED3", "NOTIFY", "UPDATE",
"RESERVED6", "RESERVED7", "RESERVED8",
"RESERVED9", "RESERVED10", "RESERVED11",
"RESERVED12", "RESERVED13", "RESERVED14",
"RESERVED15" };
static const char *rcodetext[] = { "NOERROR", "FORMERR", "SERVFAIL",
"NXDOMAIN", "NOTIMP", "REFUSED",
"YXDOMAIN", "YXRRSET", "NXRRSET",
"NOTAUTH", "NOTZONE", "RESERVED11",
"RESERVED12", "RESERVED13", "RESERVED14",
"RESERVED15", "BADVERS" };
struct rtype {
unsigned int type;
const char *text;
};
struct rtype rtypes[] = { { 1, "has address" },
{ 2, "name server" },
{ 5, "is an alias for" },
{ 11, "has well known services" },
{ 12, "domain name pointer" },
{ 13, "host information" },
{ 15, "mail is handled by" },
{ 16, "descriptive text" },
{ 19, "x25 address" },
{ 20, "ISDN address" },
{ 24, "has signature" },
{ 25, "has key" },
{ 28, "has IPv6 address" },
{ 29, "location" },
{ dns_rdatatype_https, "has HTTP service bindings" },
{ 0, NULL } };
static char *
rcode_totext(dns_rcode_t rcode) {
static char buf[sizeof("?65535")];
union {
const char *consttext;
char *deconsttext;
} totext;
if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
snprintf(buf, sizeof(buf), "?%u", rcode);
totext.deconsttext = buf;
} else {
totext.consttext = rcodetext[rcode];
}
return totext.deconsttext;
}
noreturn static void
show_usage(void);
static void
show_usage(void) {
fprintf(stderr,
"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
"time]\n"
" [-R number] [-m flag] [-p port] hostname "
"[server]\n"
" -a is equivalent to -v -t ANY\n"
" -A is like -a but omits RRSIG, NSEC, NSEC3\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
" -l lists all hosts in a domain, using AXFR\n"
" -m set memory debugging flag (trace|record|usage)\n"
" -N changes the number of dots allowed before root "
"lookup "
"is done\n"
" -p specifies the port on the server to query\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
" -s a SERVFAIL response should stop query\n"
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -U enables UDP mode\n"
" -v enables verbose output\n"
" -V print version number and exit\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n");
exit(EXIT_FAILURE);
}
static void
host_shutdown(void) {
isc_loopmgr_shutdown(loopmgr);
}
static void
received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
isc_time_t now;
int diff;
if (!short_form) {
char fromtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(from, fromtext, sizeof(fromtext));
if (query->lookup->use_usec) {
now = isc_time_now_hires();
} else {
now = isc_time_now();
}
diff = (int)isc_time_microdiff(&now, &query->time_sent);
printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
diff / 1000);
}
}
static void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(lookup);
if (!short_form) {
printf("Trying \"%s\"\n", frm);
}
}
static void
say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
dig_query_t *query) {
isc_buffer_t *b = NULL;
char namestr[DNS_NAME_FORMATSIZE];
isc_region_t r;
isc_result_t result;
unsigned int bufsize = BUFSIZ;
dns_name_format(name, namestr, sizeof(namestr));
retry:
isc_buffer_allocate(mctx, &b, bufsize);
result = dns_rdata_totext(rdata, NULL, b);
if (result == ISC_R_NOSPACE) {
isc_buffer_free(&b);
INSIST(bufsize <= (UINT_MAX / 2));
bufsize *= 2;
goto retry;
}
check_result(result, "dns_rdata_totext");
isc_buffer_usedregion(b, &r);
if (query->lookup->identify_previous_line) {
printf("Nameserver %s:\n\t", query->servname);
}
printf("%s %s %.*s", namestr, msg, (int)r.length, (char *)r.base);
if (query->lookup->identify) {
printf(" on server %s", query->servname);
}
printf("\n");
isc_buffer_free(&b);
}
static isc_result_t
printsection(dns_message_t *msg, dns_section_t sectionid,
const char *section_name, bool headers, dig_query_t *query) {
dns_name_t *name, *print_name;
dns_rdataset_t *rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_buffer_t target;
isc_result_t result, loopresult;
isc_region_t r;
dns_name_t empty_name;
char tbuf[4096] = { 0 };
bool first;
bool no_rdata = (sectionid == DNS_SECTION_QUESTION);
if (headers) {
printf(";; %s SECTION:\n", section_name);
}
dns_name_init(&empty_name, NULL);
result = dns_message_firstname(msg, sectionid);
if (result == ISC_R_NOMORE) {
return ISC_R_SUCCESS;
} else if (result != ISC_R_SUCCESS) {
return result;
}
for (;;) {
name = NULL;
dns_message_currentname(msg, sectionid, &name);
isc_buffer_init(&target, tbuf, sizeof(tbuf));
first = true;
print_name = name;
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
if (query->lookup->rdtype == dns_rdatatype_axfr &&
!((!list_addresses &&
(list_type == dns_rdatatype_any ||
rdataset->type == list_type)) ||
(list_addresses &&
(rdataset->type == dns_rdatatype_a ||
rdataset->type == dns_rdatatype_aaaa ||
rdataset->type == dns_rdatatype_ns ||
rdataset->type == dns_rdatatype_ptr))))
{
continue;
}
if (list_almost_all &&
(rdataset->type == dns_rdatatype_rrsig ||
rdataset->type == dns_rdatatype_nsec ||
rdataset->type == dns_rdatatype_nsec3))
{
continue;
}
if (!short_form) {
result = dns_rdataset_totext(rdataset,
print_name, false,
no_rdata, &target);
if (result != ISC_R_SUCCESS) {
return result;
}
#ifdef USEINITALWS
if (first) {
print_name = &empty_name;
first = false;
}
#else /* ifdef USEINITALWS */
UNUSED(first); /* Shut up compiler. */
#endif /* ifdef USEINITALWS */
} else {
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
struct rtype *t;
const char *rtt;
char typebuf[DNS_RDATATYPE_FORMATSIZE];
char typebuf2[DNS_RDATATYPE_FORMATSIZE +
20];
dns_rdataset_current(rdataset, &rdata);
for (t = rtypes; t->text != NULL; t++) {
if (t->type == rdata.type) {
rtt = t->text;
goto found;
}
}
dns_rdatatype_format(rdata.type,
typebuf,
sizeof(typebuf));
snprintf(typebuf2, sizeof(typebuf2),
"has %s record", typebuf);
rtt = typebuf2;
found:
say_message(print_name, rtt, &rdata,
query);
dns_rdata_reset(&rdata);
loopresult =
dns_rdataset_next(rdataset);
}
}
}
if (!short_form) {
isc_buffer_usedregion(&target, &r);
if (no_rdata) {
printf(";%.*s", (int)r.length, (char *)r.base);
} else {
printf("%.*s", (int)r.length, (char *)r.base);
}
}
result = dns_message_nextname(msg, sectionid);
if (result == ISC_R_NOMORE) {
break;
} else if (result != ISC_R_SUCCESS) {
return result;
}
}
return ISC_R_SUCCESS;
}
static isc_result_t
printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
const dns_name_t *owner, const char *set_name, bool headers) {
isc_buffer_t target;
isc_result_t result;
isc_region_t r;
char tbuf[4096];
UNUSED(msg);
if (headers) {
printf(";; %s SECTION:\n", set_name);
}
isc_buffer_init(&target, tbuf, sizeof(tbuf));
result = dns_rdataset_totext(rdataset, owner, false, false, &target);
if (result != ISC_R_SUCCESS) {
return result;
}
isc_buffer_usedregion(&target, &r);
printf("%.*s", (int)r.length, (char *)r.base);
return ISC_R_SUCCESS;
}
static void
chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
isc_result_t result;
dns_rdataset_t *rdataset;
dns_rdata_cname_t cname;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
&rdataset);
if (result != ISC_R_SUCCESS) {
return;
}
result = dns_rdataset_first(rdataset);
check_result(result, "dns_rdataset_first");
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname);
dns_rdata_freestruct(&cname);
}
}
static isc_result_t
printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
bool headers) {
bool did_flag = false;
dns_rdataset_t *opt, *tsig = NULL;
const dns_name_t *tsigname;
isc_result_t result = ISC_R_SUCCESS;
int force_error;
UNUSED(msgbuf);
UNUSED(headers);
/*
* We get called multiple times.
* Preserve any existing error status.
*/
force_error = (seen_error == 1) ? 1 : 0;
seen_error = 1;
if (listed_server && !printed_server) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
printf("Using domain server:\n");
printf("Name: %s\n", query->userarg);
isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
printf("Address: %s\n", sockstr);
printf("Aliases: \n\n");
printed_server = true;
}
if (msg->rcode != 0) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
if (query->lookup->identify_previous_line) {
printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
query->servname,
(msg->rcode != dns_rcode_nxdomain)
? namestr
: query->lookup->textname,
msg->rcode, rcode_totext(msg->rcode));
} else {
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain)
? namestr
: query->lookup->textname,
msg->rcode, rcode_totext(msg->rcode));
}
return ISC_R_SUCCESS;
}
if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
char namestr[DNS_NAME_FORMATSIZE];
dig_lookup_t *lookup;
dns_fixedname_t fixed;
dns_name_t *name;
/* Add AAAA and MX lookups. */
name = dns_fixedname_initname(&fixed);
dns_name_copy(query->lookup->name, name);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, false);
if (lookup != NULL) {
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_aaaa;
lookup->rdtypeset = true;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
lookup = clone_lookup(query->lookup, false);
if (lookup != NULL) {
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_mx;
lookup->rdtypeset = true;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
lookup = clone_lookup(query->lookup, false);
if (lookup != NULL) {
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_https;
lookup->rdtypeset = true;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
}
if (!short_form) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
opcodetext[msg->opcode], rcode_totext(msg->rcode),
msg->id);
printf(";; flags: ");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
printf("qr");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
printf("%saa", did_flag ? " " : "");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
printf("%stc", did_flag ? " " : "");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
printf("%srd", did_flag ? " " : "");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
printf("%sra", did_flag ? " " : "");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
printf("%sad", did_flag ? " " : "");
did_flag = true;
}
if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
printf("%scd", did_flag ? " " : "");
did_flag = true;
POST(did_flag);
}
printf("; QUERY: %u, ANSWER: %u, "
"AUTHORITY: %u, ADDITIONAL: %u\n",
msg->counts[DNS_SECTION_QUESTION],
msg->counts[DNS_SECTION_ANSWER],
msg->counts[DNS_SECTION_AUTHORITY],
msg->counts[DNS_SECTION_ADDITIONAL]);
opt = dns_message_getopt(msg);
if (opt != NULL) {
printf(";; EDNS: version: %u, udp=%u\n",
(unsigned int)((opt->ttl & 0x00ff0000) >> 16),
(unsigned int)opt->rdclass);
}
tsigname = NULL;
tsig = dns_message_gettsig(msg, &tsigname);
if (tsig != NULL) {
printf(";; PSEUDOSECTIONS: TSIG\n");
}
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) && !short_form)
{
printf("\n");
result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
true, query);
if (result != ISC_R_SUCCESS) {
return result;
}
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
if (!short_form) {
printf("\n");
}
result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
!short_form, query);
if (result != ISC_R_SUCCESS) {
return result;
}
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
!short_form)
{
printf("\n");
result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
true, query);
if (result != ISC_R_SUCCESS) {
return result;
}
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
!short_form)
{
printf("\n");
result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL",
true, query);
if (result != ISC_R_SUCCESS) {
return result;
}
}
if ((tsig != NULL) && !short_form) {
printf("\n");
result = printrdata(msg, tsig, tsigname, "PSEUDOSECTION TSIG",
true);
if (result != ISC_R_SUCCESS) {
return result;
}
}
if (!short_form) {
printf("\n");
}
if (short_form && !default_lookups &&
ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
{
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
dns_rdatatype_format(query->lookup->rdtype, typestr,
sizeof(typestr));
printf("%s has no %s record\n", namestr, typestr);
}
seen_error = force_error;
return result;
}
static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
static void
pre_parse_args(int argc, char **argv) {
int c;
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'm':
memdebugging = true;
if (strcasecmp("trace", isc_commandline_argument) == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
} else if (strcasecmp("record",
isc_commandline_argument) == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
} else if (strcasecmp("usage",
isc_commandline_argument) == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
}
break;
case '4':
if (ipv6only) {
fatal("only one of -4 and -6 allowed");
}
ipv4only = true;
break;
case '6':
if (ipv4only) {
fatal("only one of -4 and -6 allowed");
}
ipv6only = true;
break;
case 'a':
break;
case 'A':
break;
case 'c':
break;
case 'C':
break;
case 'd':
break;
case 'D':
if (debugging) {
debugtiming = true;
}
debugging = true;
break;
case 'i':
break;
case 'l':
break;
case 'n':
break;
case 'N':
break;
case 'p':
break;
case 'r':
break;
case 'R':
break;
case 's':
break;
case 't':
break;
case 'T':
break;
case 'U':
break;
case 'v':
break;
case 'V':
printf("host %s\n", PACKAGE_VERSION);
exit(EXIT_SUCCESS);
break;
case 'w':
break;
case 'W':
break;
default:
show_usage();
}
}
isc_commandline_reset = true;
isc_commandline_index = 1;
}
static void
parse_args(bool is_batchfile, int argc, char **argv) {
char hostname[MXNAME];
dig_lookup_t *lookup;
int c;
char store[MXNAME];
isc_textregion_t tr;
isc_result_t result = ISC_R_SUCCESS;
dns_rdatatype_t rdtype;
dns_rdataclass_t rdclass;
uint32_t serial = 0;
UNUSED(is_batchfile);
lookup = make_empty_lookup();
lookup->servfail_stops = false;
lookup->besteffort = false;
lookup->comments = false;
short_form = !verbose;
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'l':
lookup->tcp_mode = true;
lookup->rdtype = dns_rdatatype_axfr;
lookup->rdtypeset = true;
fatalexit = 3;
break;
case 'v':
case 'd':
short_form = false;
break;
case 'r':
lookup->recurse = false;
break;
case 't':
if (strncasecmp(isc_commandline_argument, "ixfr=", 5) ==
0)
{
rdtype = dns_rdatatype_ixfr;
/* XXXMPA add error checking */
serial = strtoul(isc_commandline_argument + 5,
NULL, 10);
result = ISC_R_SUCCESS;
} else {
tr.base = isc_commandline_argument;
tr.length = strlen(isc_commandline_argument);
result = dns_rdatatype_fromtext(
&rdtype, (isc_textregion_t *)&tr);
}
if (result != ISC_R_SUCCESS) {
fatalexit = 2;
fatal("invalid type: %s\n",
isc_commandline_argument);
}
if (!lookup->rdtypeset ||
lookup->rdtype != dns_rdatatype_axfr)
{
lookup->rdtype = rdtype;
}
lookup->rdtypeset = true;
if (rdtype == dns_rdatatype_axfr) {
/* -l -t any -v */
list_type = dns_rdatatype_any;
short_form = false;
lookup->tcp_mode = true;
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
lookup->tcp_mode = true;
list_type = rdtype;
} else if (rdtype == dns_rdatatype_any) {
if (!lookup->tcp_mode_set) {
lookup->tcp_mode = true;
}
} else {
list_type = rdtype;
}
list_addresses = false;
default_lookups = false;
break;
case 'c':
tr.base = isc_commandline_argument;
tr.length = strlen(isc_commandline_argument);
result = dns_rdataclass_fromtext(
&rdclass, (isc_textregion_t *)&tr);
if (result != ISC_R_SUCCESS) {
fatalexit = 2;
fatal("invalid class: %s\n",
isc_commandline_argument);
} else {
lookup->rdclass = rdclass;
lookup->rdclassset = true;
}
default_lookups = false;
break;
case 'A':
list_almost_all = true;
FALLTHROUGH;
case 'a':
if (!lookup->rdtypeset ||
lookup->rdtype != dns_rdatatype_axfr)
{
lookup->rdtype = dns_rdatatype_any;
}
list_type = dns_rdatatype_any;
list_addresses = false;
lookup->rdtypeset = true;
short_form = false;
default_lookups = false;
break;
case 'i':
/* deprecated */
break;
case 'n':
/* deprecated */
break;
case 'm':
/* Handled by pre_parse_args(). */
break;
case 'w':
/*
* The timer routines are coded such that
* timeout==MAXINT doesn't enable the timer
*/
timeout = INT_MAX;
break;
case 'W':
timeout = atoi(isc_commandline_argument);
if (timeout < 1) {
timeout = 1;
}
break;
case 'R':
tries = atoi(isc_commandline_argument) + 1;
if (tries < 2) {
tries = 2;
}
break;
case 'T':
lookup->tcp_mode = true;
lookup->tcp_mode_set = true;
break;
case 'U':
lookup->tcp_mode = false;
lookup->tcp_mode_set = true;
break;
case 'C':
debug("showing all SOAs");
lookup->rdtype = dns_rdatatype_ns;
lookup->rdtypeset = true;
lookup->rdclass = dns_rdataclass_in;
lookup->rdclassset = true;
lookup->ns_search_only = true;
lookup->trace_root = true;
lookup->identify_previous_line = true;
default_lookups = false;
break;
case 'N':
debug("setting NDOTS to %s", isc_commandline_argument);
ndots = atoi(isc_commandline_argument);
break;
case 'D':
/* Handled by pre_parse_args(). */
break;
case '4':
/* Handled by pre_parse_args(). */
break;
case '6':
/* Handled by pre_parse_args(). */
break;
case 's':
lookup->servfail_stops = true;
break;
case 'p':
port = atoi(isc_commandline_argument);
port_set = true;
break;
}
}
lookup->retries = tries;
if (isc_commandline_index >= argc) {
show_usage();
}
strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname));
if (argc > isc_commandline_index + 1) {
set_nameserver(argv[isc_commandline_index + 1]);
debug("server is %s", argv[isc_commandline_index + 1]);
listed_server = true;
} else {
check_ra = true;
}
lookup->pending = false;
if (get_reverse(store, sizeof(store), hostname, true) == ISC_R_SUCCESS)
{
strlcpy(lookup->textname, store, sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_ptr;
lookup->rdtypeset = true;
default_lookups = false;
} else {
strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
usesearch = true;
}
lookup->new_search = true;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
int
main(int argc, char **argv) {
tries = 2;
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
fatalexit = 1;
/* setup dighost callbacks */
dighost_printmessage = printmessage;
dighost_received = received;
dighost_trying = trying;
dighost_shutdown = host_shutdown;
debug("main()");
progname = argv[0];
pre_parse_args(argc, argv);
setup_libs();
setup_system(ipv4only, ipv6only);
parse_args(false, argc, argv);
if (keyfile[0] != 0) {
setup_file_key();
} else if (keysecret[0] != 0) {
setup_text_key();
}
isc_loopmgr_setup(loopmgr, run_loop, NULL);
isc_loopmgr_run(loopmgr);
cancel_all();
destroy_libs();
return (seen_error == 0) ? 0 : 1;
}
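Review bot: in parse_args(), the -p, -N, -W and -R handlers convert their arguments with atoi() and never reject non-numeric or out-of-range input; `port = atoi(isc_commandline_argument);` accepts values above 65535 and silently turns a non-numeric string into port 0, whereas nslookup.c's set_port() in the same commit goes through `parse_uint(&n, value, 65535, "port")` and only sets the port on success. The -t ixfr= branch still carries the `/* XXXMPA add error checking */` comment and calls strtoul() with a NULL endptr, so trailing garbage after the serial is accepted. Suggest routing the numeric options through parse_uint() with appropriate bounds, calling fatal() on failure as the -t and -c handlers already do for bad type and class names, and resolving or removing the XXX comment.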

193
bin/dig/host.rst Normal file

@ -0,0 +1,193 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: host
.. program:: host
.. _man_host:
host - DNS lookup utility
-------------------------
Synopsis
~~~~~~~~
:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
Description
~~~~~~~~~~~
:program:`host` is a simple utility for performing DNS lookups. It is normally
used to convert names to IP addresses and vice versa. When no arguments
or options are given, :program:`host` prints a short summary of its
command-line arguments and options.
``name`` is the domain name that is to be looked up. It can also be a
dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
case :program:`host` by default performs a reverse lookup for that address.
``server`` is an optional argument which is either the name or IP
address of the name server that :program:`host` should query instead of the
server or servers listed in ``/etc/resolv.conf``.
Options
~~~~~~~
.. option:: -4
This option specifies that only IPv4 should be used for query transport. See also the :option:`-6` option.
.. option:: -6
This option specifies that only IPv6 should be used for query transport. See also the :option:`-4` option.
.. option:: -a
The :option:`-a` ("all") option is normally equivalent to :option:`-v` :option:`-t ANY <-t>`. It
also affects the behavior of the :option:`-l` list zone option.
.. option:: -A
The :option:`-A` ("almost all") option is equivalent to :option:`-a`, except that RRSIG,
NSEC, and NSEC3 records are omitted from the output.
.. option:: -c class
This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
class resource records. The default class is IN (Internet).
.. option:: -C
This option indicates that :iscman:`named` should check consistency, meaning that :program:`host` queries the SOA records for zone
``name`` from all the listed authoritative name servers for that
zone. The list of name servers is defined by the NS records that are
found for the zone.
.. option:: -d
This option prints debugging traces, and is equivalent to the :option:`-v` verbose option.
.. option:: -l
This option tells :iscman:`named` to list the zone, meaning the :program:`host` command performs a zone transfer of zone
``name`` and prints out the NS, PTR, and address records (A/AAAA).
Together, the :option:`-l` :option:`-a` options print all records in the zone.
.. option:: -N ndots
This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
considered absolute. The default value is that defined using the
``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
is present. Names with fewer dots are interpreted as relative names,
and are searched for in the domains listed in the ``search`` or
``domain`` directive in ``/etc/resolv.conf``.
.. option:: -p port
This option specifies the port to query on the server. The default is 53.
.. option:: -r
This option specifies a non-recursive query; setting this option clears the RD (recursion
desired) bit in the query. This means that the name server
receiving the query does not attempt to resolve ``name``. The :option:`-r`
option enables :program:`host` to mimic the behavior of a name server by
making non-recursive queries, and expecting to receive answers to
those queries that can be referrals to other name servers.
.. option:: -R number
This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
the number of retries is silently set to 1. The default value is 1, or
the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
.. option:: -s
This option tells :iscman:`named` *not* to send the query to the next nameserver if any server responds
with a SERVFAIL response, which is the reverse of normal stub
resolver behavior.
.. option:: -t type
This option specifies the query type. The ``type`` argument can be any recognized query type:
CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
When no query type is specified, :program:`host` automatically selects an
appropriate query type. By default, it looks for A, AAAA, MX, and HTTPS
records. If the :option:`-C` option is given, queries are made for SOA
records. If ``name`` is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, :program:`host` queries for PTR records.
If a query type of IXFR is chosen, the starting serial number can be
specified by appending an equals sign (=), followed by the starting serial
number, e.g., :option:`-t IXFR=12345678 <-t>`.
.. option:: -T, -U
This option specifies TCP or UDP. By default, :program:`host` uses UDP when making queries; the
:option:`-T` option makes it use a TCP connection when querying the name
server. TCP is automatically selected for queries that require
it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
to TCP, but can be forced to use UDP initially via :option:`-U`.
.. option:: -m flag
This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
``trace``. The :option:`-m` option can be specified more than once to set
multiple flags.
.. option:: -v
This option sets verbose output, and is equivalent to the :option:`-d` debug option. Verbose output
can also be enabled by setting the ``debug`` option in
``/etc/resolv.conf``.
.. option:: -V
This option prints the version number and exits.
.. option:: -w
This option sets "wait forever": the query timeout is set to the maximum possible. See
also the :option:`-W` option.
.. option:: -W wait
This options sets the length of the wait timeout, indicating that :iscman:`named` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
less than 1, the wait interval is set to 1 second.
By default, :program:`host` waits for 5 seconds for UDP responses and 10
seconds for TCP connections. These defaults can be overridden by the
``timeout`` option in ``/etc/resolv.conf``.
See also the :option:`-w` option.
IDN Support
~~~~~~~~~~~
If :program:`host` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. :program:`host`
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when :program:`host` runs.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:iscman:`dig(1) <dig>`, :iscman:`named(8) <named>`.
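Review bot: the -C, -l, -s and -W descriptions attribute the behaviour to :iscman:`named` ("This option tells :iscman:`named` to list the zone", "indicating that :iscman:`named` should wait for up to ``wait`` seconds for a reply"), but it is :program:`host` that performs the zone transfer, sends the queries and applies the timeout, and the -s text is also misleading as written; suggest replacing :iscman:`named` with :program:`host` in those four entries. Two smaller points: "This options sets the length of the wait timeout" under -W should read "This option sets", and the synopsis lists **-v** twice (inside [**-aACdlnrsTUwv**] and again as a separate [**-v**]).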

979
bin/dig/nslookup.c Normal file

@ -0,0 +1,979 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/async.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/condition.h>
#include <isc/loop.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isc/work.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include "dighost.h"
#include "readline.h"
static char cmdlinebuf[COMMSIZE];
static char *cmdline = NULL;
static bool short_form = true, tcpmode = false, tcpmode_set = false,
identify = false, stats = true, comments = true,
section_question = true, section_answer = true,
section_authority = true, section_additional = true, recurse = true,
aaonly = false, nofail = true, default_lookups = true,
a_noanswer = false;
static bool interactive;
static bool in_use = false;
static char defclass[MXRD] = "IN";
static char deftype[MXRD] = "A";
static int query_error = 1, print_error = 0;
static char domainopt[DNS_NAME_MAXTEXT];
static const char *rcodetext[] = { "NOERROR", "FORMERR", "SERVFAIL",
"NXDOMAIN", "NOTIMP", "REFUSED",
"YXDOMAIN", "YXRRSET", "NXRRSET",
"NOTAUTH", "NOTZONE", "RESERVED11",
"RESERVED12", "RESERVED13", "RESERVED14",
"RESERVED15", "BADVERS" };
static const char *rtypetext[] = {
"rtype_0 = ", /* 0 */
"internet address = ", /* 1 */
"nameserver = ", /* 2 */
"md = ", /* 3 */
"mf = ", /* 4 */
"canonical name = ", /* 5 */
"soa = ", /* 6 */
"mb = ", /* 7 */
"mg = ", /* 8 */
"mr = ", /* 9 */
"rtype_10 = ", /* 10 */
"protocol = ", /* 11 */
"name = ", /* 12 */
"hinfo = ", /* 13 */
"minfo = ", /* 14 */
"mail exchanger = ", /* 15 */
"text = ", /* 16 */
"rp = ", /* 17 */
"afsdb = ", /* 18 */
"x25 address = ", /* 19 */
"isdn address = ", /* 20 */
"rt = ", /* 21 */
"nsap = ", /* 22 */
"nsap_ptr = ", /* 23 */
"signature = ", /* 24 */
"key = ", /* 25 */
"px = ", /* 26 */
"gpos = ", /* 27 */
"has AAAA address ", /* 28 */
"loc = ", /* 29 */
"next = ", /* 30 */
"rtype_31 = ", /* 31 */
"rtype_32 = ", /* 32 */
"service = ", /* 33 */
"rtype_34 = ", /* 34 */
"naptr = ", /* 35 */
"kx = ", /* 36 */
"cert = ", /* 37 */
"v6 address = ", /* 38 */
"dname = ", /* 39 */
"rtype_40 = ", /* 40 */
"optional = " /* 41 */
};
#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
static char *
rcode_totext(dns_rcode_t rcode) {
static char buf[sizeof("?65535")];
union {
const char *consttext;
char *deconsttext;
} totext;
if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
snprintf(buf, sizeof(buf), "?%u", rcode);
totext.deconsttext = buf;
} else {
totext.consttext = rcodetext[rcode];
}
return totext.deconsttext;
}
static void
printsoa(dns_rdata_t *rdata) {
dns_rdata_soa_t soa;
isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
result = dns_rdata_tostruct(rdata, &soa, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
printf("\torigin = %s\n", namebuf);
dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
printf("\tmail addr = %s\n", namebuf);
printf("\tserial = %u\n", soa.serial);
printf("\trefresh = %u\n", soa.refresh);
printf("\tretry = %u\n", soa.retry);
printf("\texpire = %u\n", soa.expire);
printf("\tminimum = %u\n", soa.minimum);
dns_rdata_freestruct(&soa);
}
static void
printaddr(dns_rdata_t *rdata) {
isc_result_t result;
char text[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
isc_buffer_t b;
isc_buffer_init(&b, text, sizeof(text));
result = dns_rdata_totext(rdata, NULL, &b);
check_result(result, "dns_rdata_totext");
printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
(char *)isc_buffer_base(&b));
}
static void
printrdata(dns_rdata_t *rdata) {
isc_result_t result;
isc_buffer_t *b = NULL;
unsigned int size = 1024;
bool done = false;
if (rdata->type < N_KNOWN_RRTYPES) {
printf("%s", rtypetext[rdata->type]);
} else {
printf("rdata_%d = ", rdata->type);
}
while (!done) {
isc_buffer_allocate(mctx, &b, size);
result = dns_rdata_totext(rdata, NULL, b);
if (result == ISC_R_SUCCESS) {
printf("%.*s\n", (int)isc_buffer_usedlength(b),
(char *)isc_buffer_base(b));
done = true;
} else if (result != ISC_R_NOSPACE) {
check_result(result, "dns_rdata_totext");
}
isc_buffer_free(&b);
INSIST(size <= (UINT_MAX / 2));
size *= 2;
}
}
static isc_result_t
printsection(dig_query_t *query, dns_message_t *msg, bool headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
UNUSED(headers);
debug("printsection()");
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE) {
return ISC_R_SUCCESS;
} else if (result != ISC_R_SUCCESS) {
return result;
}
for (;;) {
name = NULL;
dns_message_currentname(msg, section, &name);
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
case dns_rdatatype_aaaa:
if (section != DNS_SECTION_ANSWER) {
goto def_short_section;
}
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("Name:\t%s\n", namebuf);
printaddr(&rdata);
break;
case dns_rdatatype_soa:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\n", namebuf);
printsoa(&rdata);
break;
default:
def_short_section:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\t", namebuf);
printrdata(&rdata);
break;
}
dns_rdata_reset(&rdata);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE) {
break;
} else if (result != ISC_R_SUCCESS) {
return result;
}
}
return ISC_R_SUCCESS;
}
static isc_result_t
detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
debug("detailsection()");
if (headers) {
switch (section) {
case DNS_SECTION_QUESTION:
puts(" QUESTIONS:");
break;
case DNS_SECTION_ANSWER:
puts(" ANSWERS:");
break;
case DNS_SECTION_AUTHORITY:
puts(" AUTHORITY RECORDS:");
break;
case DNS_SECTION_ADDITIONAL:
puts(" ADDITIONAL RECORDS:");
break;
}
}
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE) {
return ISC_R_SUCCESS;
} else if (result != ISC_R_SUCCESS) {
return result;
}
for (;;) {
name = NULL;
dns_message_currentname(msg, section, &name);
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
if (section == DNS_SECTION_QUESTION) {
dns_name_format(name, namebuf, sizeof(namebuf));
printf("\t%s, ", namebuf);
dns_rdatatype_format(rdataset->type, namebuf,
sizeof(namebuf));
printf("type = %s, ", namebuf);
dns_rdataclass_format(rdataset->rdclass,
namebuf, sizeof(namebuf));
printf("class = %s\n", namebuf);
}
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
dns_name_format(name, namebuf, sizeof(namebuf));
printf(" -> %s\n", namebuf);
switch (rdata.type) {
case dns_rdatatype_soa:
printsoa(&rdata);
break;
default:
printf("\t");
printrdata(&rdata);
}
dns_rdata_reset(&rdata);
printf("\tttl = %u\n", rdataset->ttl);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE) {
break;
} else if (result != ISC_R_SUCCESS) {
return result;
}
}
return ISC_R_SUCCESS;
}
static void
received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
UNUSED(bytes);
UNUSED(from);
UNUSED(query);
}
static void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(frm);
UNUSED(lookup);
}
static void
chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
isc_result_t result;
dns_rdataset_t *rdataset;
dns_rdata_cname_t cname;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
&rdataset);
if (result != ISC_R_SUCCESS) {
return;
}
result = dns_rdataset_first(rdataset);
check_result(result, "dns_rdataset_first");
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname);
dns_rdata_freestruct(&cname);
}
}
static isc_result_t
printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
bool headers) {
UNUSED(msgbuf);
/* I've we've gotten this far, we've reached a server. */
query_error = 0;
debug("printmessage()");
if (!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
char servtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(&query->sockaddr, servtext,
sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
puts("");
}
if (!short_form) {
puts("------------");
/* detailheader(query, msg);*/
detailsection(query, msg, true, DNS_SECTION_QUESTION);
detailsection(query, msg, true, DNS_SECTION_ANSWER);
detailsection(query, msg, true, DNS_SECTION_AUTHORITY);
detailsection(query, msg, true, DNS_SECTION_ADDITIONAL);
puts("------------");
}
if (msg->rcode != 0) {
char nametext[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, nametext,
sizeof(nametext));
printf("** server can't find %s: %s\n", nametext,
rcode_totext(msg->rcode));
debug("returning with rcode == 0");
/* the lookup failed */
print_error |= 1;
return ISC_R_SUCCESS;
}
if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
char namestr[DNS_NAME_FORMATSIZE];
dig_lookup_t *lookup;
dns_fixedname_t fixed;
dns_name_t *name;
/* Add AAAA lookup. */
name = dns_fixedname_initname(&fixed);
dns_name_copy(query->lookup->name, name);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, false);
if (lookup != NULL) {
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_aaaa;
lookup->rdtypeset = true;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0 &&
(!default_lookups || query->lookup->rdtype == dns_rdatatype_a))
{
puts("Non-authoritative answer:");
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
printsection(query, msg, headers, DNS_SECTION_ANSWER);
} else {
if (default_lookups && query->lookup->rdtype == dns_rdatatype_a)
{
a_noanswer = true;
} else if (!default_lookups ||
(query->lookup->rdtype == dns_rdatatype_aaaa &&
a_noanswer))
{
printf("*** Can't find %s: No answer\n",
query->lookup->textname);
}
}
if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
(query->lookup->rdtype != dns_rdatatype_a) &&
(query->lookup->rdtype != dns_rdatatype_aaaa))
{
puts("\nAuthoritative answers can be found from:");
printsection(query, msg, headers, DNS_SECTION_AUTHORITY);
printsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
}
return ISC_R_SUCCESS;
}
static void
show_settings(bool full, bool serv_only) {
dig_server_t *srv;
isc_sockaddr_t sockaddr;
dig_searchlist_t *listent;
isc_result_t result;
srv = ISC_LIST_HEAD(server_list);
while (srv != NULL) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
result = get_address(srv->servername, port, &sockaddr);
check_result(result, "get_address");
isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
printf("Default server: %s\nAddress: %s\n", srv->userarg,
sockstr);
if (!full) {
return;
}
srv = ISC_LIST_NEXT(srv, link);
}
if (serv_only) {
return;
}
printf("\nSet options:\n");
printf(" %s\t\t\t%s\t\t%s\n", tcpmode ? "vc" : "novc",
short_form ? "nodebug" : "debug", debugging ? "d2" : "nod2");
printf(" %s\t\t%s\n", usesearch ? "search" : "nosearch",
recurse ? "recurse" : "norecurse");
printf(" timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n", timeout,
tries, port, ndots);
printf(" querytype = %-8s\tclass = %s\n", deftype, defclass);
printf(" srchlist = ");
for (listent = ISC_LIST_HEAD(search_list); listent != NULL;
listent = ISC_LIST_NEXT(listent, link))
{
printf("%s", listent->origin);
if (ISC_LIST_NEXT(listent, link) != NULL) {
printf("/");
}
}
printf("\n");
}
static bool
testtype(char *typetext) {
isc_result_t result;
isc_textregion_t tr;
dns_rdatatype_t rdtype;
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdatatype_fromtext(&rdtype, &tr);
if (result == ISC_R_SUCCESS) {
return true;
} else {
printf("unknown query type: %s\n", typetext);
return false;
}
}
static bool
testclass(char *typetext) {
isc_result_t result;
isc_textregion_t tr;
dns_rdataclass_t rdclass;
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdataclass_fromtext(&rdclass, &tr);
if (result == ISC_R_SUCCESS) {
return true;
} else {
printf("unknown query class: %s\n", typetext);
return false;
}
}
static void
set_port(const char *value) {
uint32_t n;
isc_result_t result = parse_uint(&n, value, 65535, "port");
if (result == ISC_R_SUCCESS) {
port = (uint16_t)n;
port_set = true;
}
}
static void
set_timeout(const char *value) {
uint32_t n;
isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
if (result == ISC_R_SUCCESS) {
timeout = n;
}
}
static void
set_tries(const char *value) {
uint32_t n;
isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
if (result == ISC_R_SUCCESS) {
tries = n;
}
}
static void
set_ndots(const char *value) {
uint32_t n;
isc_result_t result = parse_uint(&n, value, 128, "ndots");
if (result == ISC_R_SUCCESS) {
ndots = n;
}
}
static void
setoption(char *opt) {
size_t l = strlen(opt);
#define CHECKOPT(A, N) \
((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
if (CHECKOPT("all", 3)) {
show_settings(true, false);
} else if (strncasecmp(opt, "class=", 6) == 0) {
if (testclass(&opt[6])) {
strlcpy(defclass, &opt[6], sizeof(defclass));
}
} else if (strncasecmp(opt, "cl=", 3) == 0) {
if (testclass(&opt[3])) {
strlcpy(defclass, &opt[3], sizeof(defclass));
}
} else if (strncasecmp(opt, "type=", 5) == 0) {
if (testtype(&opt[5])) {
strlcpy(deftype, &opt[5], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "ty=", 3) == 0) {
if (testtype(&opt[3])) {
strlcpy(deftype, &opt[3], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "querytype=", 10) == 0) {
if (testtype(&opt[10])) {
strlcpy(deftype, &opt[10], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "query=", 6) == 0) {
if (testtype(&opt[6])) {
strlcpy(deftype, &opt[6], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "qu=", 3) == 0) {
if (testtype(&opt[3])) {
strlcpy(deftype, &opt[3], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "q=", 2) == 0) {
if (testtype(&opt[2])) {
strlcpy(deftype, &opt[2], sizeof(deftype));
default_lookups = false;
}
} else if (strncasecmp(opt, "domain=", 7) == 0) {
strlcpy(domainopt, &opt[7], sizeof(domainopt));
set_search_domain(domainopt);
usesearch = true;
} else if (strncasecmp(opt, "do=", 3) == 0) {
strlcpy(domainopt, &opt[3], sizeof(domainopt));
set_search_domain(domainopt);
usesearch = true;
} else if (strncasecmp(opt, "port=", 5) == 0) {
set_port(&opt[5]);
} else if (strncasecmp(opt, "po=", 3) == 0) {
set_port(&opt[3]);
} else if (strncasecmp(opt, "timeout=", 8) == 0) {
set_timeout(&opt[8]);
} else if (strncasecmp(opt, "t=", 2) == 0) {
set_timeout(&opt[2]);
} else if (CHECKOPT("recurse", 3)) {
recurse = true;
} else if (CHECKOPT("norecurse", 5)) {
recurse = false;
} else if (strncasecmp(opt, "retry=", 6) == 0) {
set_tries(&opt[6]);
} else if (strncasecmp(opt, "ret=", 4) == 0) {
set_tries(&opt[4]);
} else if (CHECKOPT("defname", 3)) {
usesearch = true;
} else if (CHECKOPT("nodefname", 5)) {
usesearch = false;
} else if (CHECKOPT("vc", 2)) {
tcpmode = true;
tcpmode_set = true;
} else if (CHECKOPT("novc", 4)) {
tcpmode = false;
tcpmode_set = true;
} else if (CHECKOPT("debug", 3)) {
short_form = false;
showsearch = true;
} else if (CHECKOPT("nodebug", 5)) {
short_form = true;
showsearch = false;
} else if (CHECKOPT("d2", 2)) {
debugging = true;
} else if (CHECKOPT("nod2", 4)) {
debugging = false;
} else if (CHECKOPT("search", 3)) {
usesearch = true;
} else if (CHECKOPT("nosearch", 5)) {
usesearch = false;
} else if (CHECKOPT("sil", 3)) {
/* deprecation_msg = false; */
} else if (CHECKOPT("fail", 3)) {
nofail = false;
} else if (CHECKOPT("nofail", 5)) {
nofail = true;
} else if (strncasecmp(opt, "ndots=", 6) == 0) {
set_ndots(&opt[6]);
} else {
printf("*** Invalid option: %s\n", opt);
}
}
static void
addlookup(char *opt) {
dig_lookup_t *lookup;
isc_result_t result;
isc_textregion_t tr;
dns_rdatatype_t rdtype;
dns_rdataclass_t rdclass;
char store[MXNAME];
debug("addlookup()");
a_noanswer = false;
tr.base = deftype;
tr.length = strlen(deftype);
result = dns_rdatatype_fromtext(&rdtype, &tr);
if (result != ISC_R_SUCCESS) {
printf("unknown query type: %s\n", deftype);
rdclass = dns_rdatatype_a;
}
tr.base = defclass;
tr.length = strlen(defclass);
result = dns_rdataclass_fromtext(&rdclass, &tr);
if (result != ISC_R_SUCCESS) {
printf("unknown query class: %s\n", defclass);
rdclass = dns_rdataclass_in;
}
lookup = make_empty_lookup();
if (get_reverse(store, sizeof(store), opt, true) == ISC_R_SUCCESS) {
strlcpy(lookup->textname, store, sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_ptr;
lookup->rdtypeset = true;
} else {
strlcpy(lookup->textname, opt, sizeof(lookup->textname));
lookup->rdtype = rdtype;
lookup->rdtypeset = true;
}
lookup->rdclass = rdclass;
lookup->rdclassset = true;
lookup->trace = false;
lookup->trace_root = lookup->trace;
lookup->ns_search_only = false;
lookup->identify = identify;
lookup->recurse = recurse;
lookup->aaonly = aaonly;
lookup->retries = tries;
lookup->setqid = false;
lookup->qid = 0;
lookup->comments = comments;
if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
lookup->tcp_mode = true;
} else {
lookup->tcp_mode = tcpmode;
}
lookup->stats = stats;
lookup->section_question = section_question;
lookup->section_answer = section_answer;
lookup->section_authority = section_authority;
lookup->section_additional = section_additional;
lookup->new_search = true;
lookup->besteffort = false;
if (nofail) {
lookup->servfail_stops = false;
}
ISC_LIST_INIT(lookup->q);
ISC_LINK_INIT(lookup, link);
ISC_LIST_APPEND(lookup_list, lookup, link);
lookup->origin = NULL;
ISC_LIST_INIT(lookup->my_server_list);
debug("looking up %s", lookup->textname);
}
static void
do_next_command(char *input) {
char *ptr, *arg, *last;
if ((ptr = strtok_r(input, " \t\r\n", &last)) == NULL) {
return;
}
arg = strtok_r(NULL, " \t\r\n", &last);
if ((strcasecmp(ptr, "set") == 0) && (arg != NULL)) {
setoption(arg);
} else if ((strcasecmp(ptr, "server") == 0) ||
(strcasecmp(ptr, "lserver") == 0))
{
set_nameserver(arg);
check_ra = false;
show_settings(true, true);
} else if (strcasecmp(ptr, "exit") == 0) {
in_use = false;
} else if (strcasecmp(ptr, "help") == 0 || strcasecmp(ptr, "?") == 0) {
printf("The '%s' command is not yet implemented.\n", ptr);
} else if (strcasecmp(ptr, "finger") == 0 ||
strcasecmp(ptr, "root") == 0 || strcasecmp(ptr, "ls") == 0 ||
strcasecmp(ptr, "view") == 0)
{
printf("The '%s' command is not implemented.\n", ptr);
} else {
addlookup(ptr);
}
}
static void
readline_next_command(void *arg) {
char *ptr = NULL;
UNUSED(arg);
isc_loopmgr_blocking(loopmgr);
ptr = readline("> ");
isc_loopmgr_nonblocking(loopmgr);
if (ptr == NULL) {
return;
}
if (*ptr != 0) {
add_history(ptr);
strlcpy(cmdlinebuf, ptr, COMMSIZE);
cmdline = cmdlinebuf;
}
free(ptr);
}
static void
fgets_next_command(void *arg) {
UNUSED(arg);
cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
}
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " nslookup [-opt ...] # interactive mode "
"using default server\n");
fprintf(stderr, " nslookup [-opt ...] - server # interactive mode "
"using 'server'\n");
fprintf(stderr, " nslookup [-opt ...] host # just look up "
"'host' using default server\n");
fprintf(stderr, " nslookup [-opt ...] host server # just look up "
"'host' using 'server'\n");
exit(EXIT_FAILURE);
}
static void
parse_args(int argc, char **argv) {
bool have_lookup = false;
usesearch = true;
for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
debug("main parsing %s", argv[0]);
if (argv[0][0] == '-') {
if (strncasecmp(argv[0], "-ver", 4) == 0) {
printf("nslookup %s\n", PACKAGE_VERSION);
exit(EXIT_SUCCESS);
} else if (argv[0][1] != 0) {
setoption(&argv[0][1]);
} else {
have_lookup = true;
}
} else {
if (!have_lookup) {
have_lookup = true;
in_use = true;
addlookup(argv[0]);
} else {
if (argv[1] != NULL) {
usage();
}
set_nameserver(argv[0]);
check_ra = false;
}
}
}
}
static void
start_next_command(void);
static void
process_next_command(void *arg ISC_ATTR_UNUSED) {
isc_loop_t *loop = isc_loop_main(loopmgr);
if (cmdline == NULL) {
in_use = false;
} else {
do_next_command(cmdline);
if (ISC_LIST_HEAD(lookup_list) != NULL) {
isc_async_run(loop, run_loop, NULL);
return;
}
}
start_next_command();
}
static void
start_next_command(void) {
isc_loop_t *loop = isc_loop_main(loopmgr);
if (!in_use) {
isc_loopmgr_shutdown(loopmgr);
return;
}
cmdline = NULL;
isc_loopmgr_pause(loopmgr);
if (interactive) {
isc_work_enqueue(loop, readline_next_command,
process_next_command, loop);
} else {
isc_work_enqueue(loop, fgets_next_command, process_next_command,
loop);
}
isc_loopmgr_resume(loopmgr);
}
static void
read_loop(void *arg) {
UNUSED(arg);
start_next_command();
}
int
main(int argc, char **argv) {
interactive = isatty(0);
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
check_ra = true;
/* setup dighost callbacks */
dighost_printmessage = printmessage;
dighost_received = received;
dighost_trying = trying;
dighost_shutdown = start_next_command;
setup_libs();
progname = argv[0];
setup_system(false, false);
parse_args(argc, argv);
if (keyfile[0] != 0) {
setup_file_key();
} else if (keysecret[0] != 0) {
setup_text_key();
}
if (domainopt[0] != '\0') {
set_search_domain(domainopt);
}
if (in_use) {
isc_loopmgr_setup(loopmgr, run_loop, NULL);
} else {
isc_loopmgr_setup(loopmgr, read_loop, NULL);
}
in_use = !in_use;
isc_loopmgr_run(loopmgr);
puts("");
debug("done, and starting to shut down");
cancel_all();
destroy_libs();
return query_error | print_error;
}
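Review bot: in `addlookup()`, the error branch after `dns_rdatatype_fromtext(&rdtype, &tr)` assigns the fallback to the wrong variable: `rdclass = dns_rdatatype_a;` should be `rdtype = dns_rdatatype_a;`. As written, an unparseable `deftype` leaves `rdtype` uninitialized when it is copied into `lookup->rdtype` a few lines later, and the stray `rdclass` value is overwritten anyway by the class parse that follows; the only reason this is hard to hit is that `setoption()` validates new types through `testtype()` before storing them in `deftype`. Two smaller points: the `debug("returning with rcode == 0")` call sits inside the `msg->rcode != 0` branch and so reports the opposite of the condition that reached it, and the `server`/`lserver` branch of `do_next_command()` passes `arg` to `set_nameserver()` without the `arg != NULL` check that the `set` branch applies, so a bare `server` line relies on `set_nameserver()` tolerating NULL.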

208
bin/dig/nslookup.rst Normal file

@ -0,0 +1,208 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: nslookup
.. program:: nslookup
.. _man_nslookup:
nslookup - query Internet name servers interactively
----------------------------------------------------
Synopsis
~~~~~~~~
:program:`nslookup` [-option] [name | -] [server]
Description
~~~~~~~~~~~
:program:`nslookup` is a program to query Internet domain name servers.
:program:`nslookup` has two modes: interactive and non-interactive. Interactive
mode allows the user to query name servers for information about various
hosts and domains or to print a list of hosts in a domain.
Non-interactive mode prints just the name and requested
information for a host or domain.
Arguments
~~~~~~~~~
Interactive mode is entered in the following cases:
a. when no arguments are given (the default name server is used);
b. when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to change the
default query type to host information, with an initial timeout of 10
seconds, type:
::
nslookup -query=hinfo -timeout=10
The ``-version`` option causes :program:`nslookup` to print the version number
and immediately exit.
Interactive Commands
~~~~~~~~~~~~~~~~~~~~
``host [server]``
This command looks up information for :iscman:`host` using the current default server or
using ``server``, if specified. If :iscman:`host` is an Internet address and the
query type is A or PTR, the name of the host is returned. If :iscman:`host` is
a name and does not have a trailing period (``.``), the search list is used
to qualify the name.
To look up a host not in the current domain, append a period to the
name.
``server domain`` | ``lserver domain``
These commands change the default server to ``domain``; ``lserver`` uses the initial
server to look up information about ``domain``, while ``server`` uses the
current default server. If an authoritative answer cannot be found,
the names of servers that might have the answer are returned.
``root``
This command is not implemented.
``finger``
This command is not implemented.
``ls``
This command is not implemented.
``view``
This command is not implemented.
``help``
This command is not implemented.
``?``
This command is not implemented.
``exit``
This command exits the program.
``set keyword[=value]``
This command is used to change state information that affects the
lookups. Valid keywords are:
``all``
This keyword prints the current values of the frequently used options to
``set``. Information about the current default server and host is
also printed.
``class=value``
This keyword changes the query class to one of:
``IN``
the Internet class
``CH``
the Chaos class
``HS``
the Hesiod class
``ANY``
wildcard
The class specifies the protocol group of the information. The default
is ``IN``; the abbreviation for this keyword is ``cl``.
``nodebug``
This keyword turns on or off the display of the full response packet, and any
intermediate response packets, when searching. The default for this keyword is
``nodebug``; the abbreviation for this keyword is ``[no]deb``.
``nod2``
This keyword turns debugging mode on or off. This displays more about what
nslookup is doing. The default is ``nod2``.
``domain=name``
This keyword sets the search list to ``name``.
``nosearch``
If the lookup request contains at least one period, but does not end
with a trailing period, this keyword appends the domain names in the domain
search list to the request until an answer is received. The default is ``search``.
``port=value``
This keyword changes the default TCP/UDP name server port to ``value`` from
its default, port 53. The abbreviation for this keyword is ``po``.
``querytype=value`` | ``type=value``
This keyword changes the type of the information query to ``value``. The
defaults are A and then AAAA; the abbreviations for these keywords are
``q`` and ``ty``.
Please note that it is only possible to specify one query type. Only the default
behavior looks up both when an alternative is not specified.
``norecurse``
This keyword tells the name server to query other servers if it does not have
the information. The default is ``recurse``; the abbreviation for this
keyword is ``[no]rec``.
``ndots=number``
This keyword sets the number of dots (label separators) in a domain that
disables searching. Absolute names always stop searching.
``retry=number``
This keyword sets the number of retries to ``number``.
``timeout=number``
This keyword changes the initial timeout interval to wait for a reply to
``number``, in seconds.
``novc``
This keyword indicates that a virtual circuit should always be used when sending requests to the server.
``novc`` is the default.
``nofail``
This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
a referral (nofail), or terminates the query (fail) on such a response. The
default is ``nofail``.
Return Values
~~~~~~~~~~~~~
:program:`nslookup` returns with an exit status of 1 if any query failed, and 0
otherwise.
IDN Support
~~~~~~~~~~~
If :program:`nslookup` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. :program:`nslookup`
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when :program:`nslookup` runs, or when the standard output is not a tty.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:iscman:`dig(1) <dig>`, :iscman:`host(1) <host>`, :iscman:`named(8) <named>`.
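Review bot: several `set` keyword entries are headed by the negated form but describe the positive option, which reads as a contradiction: `novc` is documented as "a virtual circuit should always be used" and then stated to be the default, `nodebug` is described as turning the display "on or off", and `nod2`, `nosearch`, `norecurse` and `nofail` follow the same pattern. Suggest heading these entries `[no]vc`, `[no]debug`, `[no]d2`, `[no]search`, `[no]recurse` and `[no]fail`, matching the `[no]deb` and `[no]rec` abbreviations the text already uses. Also, `help` and `?` are listed here as "not implemented" while `do_next_command()` in nslookup.c prints "not yet implemented" for them; the two should agree.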

58
bin/dig/readline.h Normal file

@ -0,0 +1,58 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*
* A little wrapper around readline(), add_history() and free() to make using
* the readline code simpler.
*/
#if defined(HAVE_READLINE_LIBEDIT)
#include <editline/readline.h>
#elif defined(HAVE_READLINE_EDITLINE)
#include <editline.h>
#elif defined(HAVE_READLINE_READLINE)
/* Prevent deprecated functions being declared. */
#define _FUNCTION_DEF 1
/* Ensure rl_message() gets prototype. */
#define USE_VARARGS 1
#define PREFER_STDARG 1
#include <readline/history.h>
#include <readline/readline.h>
#endif
#if !defined(HAVE_READLINE_LIBEDIT) && !defined(HAVE_READLINE_EDITLINE) && \
!defined(HAVE_READLINE_READLINE)
#include <stdio.h>
#include <stdlib.h>
#define RL_MAXCMD (128 * 1024)
static inline char *
readline(const char *prompt) {
char *line, *buf = malloc(RL_MAXCMD);
fprintf(stdout, "%s", prompt);
fflush(stdout);
line = fgets(buf, RL_MAXCMD, stdin);
if (line == NULL) {
free(buf);
return NULL;
}
return buf;
}
#define add_history(line)
#endif
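Review bot: the fallback `readline()` does not check the `malloc(RL_MAXCMD)` result before handing `buf` to `fgets()`, so on allocation failure a NULL buffer is passed through. Add `if (buf == NULL) { return NULL; }` directly after the allocation; the caller already treats a NULL return as end of input. A comment is also warranted that, unlike libreadline, this version returns the line with its trailing newline intact (it works today because the `strtok_r()` separators in nslookup.c include `\r\n`, but the difference is easy to trip over in a new caller).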

50
bin/dnssec/Makefile.am Normal file

@ -0,0 +1,50 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBDNS_CFLAGS)
AM_CPPFLAGS += \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
noinst_LTLIBRARIES = libdnssectool.la
LDADD += \
libdnssectool.la \
$(LIBISC_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBDNS_LIBS) \
$(OPENSSL_LIBS)
bin_PROGRAMS = \
dnssec-cds \
dnssec-dsfromkey \
dnssec-importkey \
dnssec-keyfromlabel \
dnssec-keygen \
dnssec-ksr \
dnssec-revoke \
dnssec-settime \
dnssec-signzone \
dnssec-verify
libdnssectool_la_SOURCES = \
dnssectool.h \
dnssectool.c
dnssec_keygen_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(OPENSSL_CFLAGS)
dnssec_keygen_LDADD = \
$(LDADD) \
$(OPENSSL_LIBS)
dnssec_signzone_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(OPENSSL_CFLAGS)
dnssec_signzone_LDADD = \
$(LDADD) \
$(OPENSSL_LIBS)
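Review bot: `$(OPENSSL_LIBS)` is already part of the shared `LDADD`, so listing it again in `dnssec_keygen_LDADD` and `dnssec_signzone_LDADD` (both of which start from `$(LDADD)`) is redundant; either drop it from the global `LDADD` or from the two per-program variables. Likewise the two consecutive `AM_CPPFLAGS +=` blocks could be a single assignment.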

1030
bin/dnssec/Makefile.in Normal file

File diff suppressed because it is too large

1359
bin/dnssec/dnssec-cds.c Normal file

File diff suppressed because it is too large

221
bin/dnssec/dnssec-cds.rst Normal file

@ -0,0 +1,221 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-cds
.. program:: dnssec-cds
.. _man_dnssec-cds:
dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
--------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
Description
~~~~~~~~~~~
The :program:`dnssec-cds` command changes DS records at a delegation point
based on CDS or CDNSKEY records published in the child zone. If both CDS
and CDNSKEY records are present in the child zone, the CDS is preferred.
This enables a child zone to inform its parent of upcoming changes to
its key-signing keys (KSKs); by polling periodically with :program:`dnssec-cds`, the
parent can keep the DS records up-to-date and enable automatic rolling
of KSKs.
Two input files are required. The :option:`-f child-file <-f>` option specifies a
file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
DNSKEY records so that they can be authenticated. The :option:`-d path <-d>` option
specifies the location of a file containing the current DS records. For
example, this could be a ``dsset-`` file generated by
:iscman:`dnssec-signzone`, or the output of :iscman:`dnssec-dsfromkey`, or the
output of a previous run of :program:`dnssec-cds`.
The :program:`dnssec-cds` command uses special DNSSEC validation logic
specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
be validly signed by a key represented in the existing DS records. This
is typically the pre-existing KSK.
For protection against replay attacks, the signatures on the child
records must not be older than they were on a previous run of
:program:`dnssec-cds`. Their age is obtained from the modification time of the
``dsset-`` file, or from the :option:`-s` option.
To protect against breaking the delegation, :program:`dnssec-cds` ensures that
the DNSKEY RRset can be verified by every key algorithm in the new DS
RRset, and that the same set of keys are covered by every DS digest
type.
By default, replacement DS records are written to the standard output;
with the :option:`-i` option the input file is overwritten in place. The
replacement DS records are the same as the existing records, when no
change is required. The output can be empty if the CDS/CDNSKEY records
specify that the child zone wants to be insecure.
.. warning::
Be careful not to delete the DS records when :program:`dnssec-cds` fails!
Alternatively, :option`dnssec-cds -u` writes an :iscman:`nsupdate` script to the
standard output. The :option:`-u` and :option:`-i` options can be used together to
maintain a ``dsset-`` file as well as emit an :iscman:`nsupdate` script.
Options
~~~~~~~
.. option:: -a algorithm
When converting CDS records to DS records, this option specifies
the acceptable digest algorithms. This option can be repeated, so
that multiple digest types are allowed. If none of the CDS records
use an acceptable digest type, :program:`dnssec-cds` will try to use CDNSKEY
records instead; if there are no CDNSKEY records, it reports an error.
When converting CDNSKEY records to DS records, this option specifies the
digest algorithm to use. It can be repeated, so that multiple DS records
are created for each CDNSKEY records.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256 only.
.. option:: -c class
This option specifies the DNS class of the zones.
.. option:: -D
This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
records are present in the child zone. By default CDS records are
preferred.
.. option:: -d path
This specifies the location of the parent DS records. The path can be the name of a file
containing the DS records; if it is a directory, :program:`dnssec-cds`
looks for a ``dsset-`` file for the domain inside the directory.
To protect against replay attacks, child records are rejected if they
were signed earlier than the modification time of the ``dsset-``
file. This can be adjusted with the :option:`-s` option.
.. option:: -f child-file
This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
DNSKEY records and the covering RRSIG records, so that they can be
authenticated.
The examples below describe how to generate this file.
.. option:: -i extension
This option updates the ``dsset-`` file in place, instead of writing DS records to
the standard output.
There must be no space between the :option:`-i` and the extension. If
no extension is provided, the old ``dsset-`` is discarded. If an
extension is present, a backup of the old ``dsset-`` file is kept
with the extension appended to its filename.
To protect against replay attacks, the modification time of the
``dsset-`` file is set to match the signature inception time of the
child records, provided that it is later than the file's current
modification time.
.. option:: -s start-time
This option specifies the date and time after which RRSIG records become
acceptable. This can be either an absolute or a relative time. An
absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
time relative to the ``dsset-`` file is indicated with ``-N``, which is N
seconds before the file modification time. A time relative to the
current time is indicated with ``now+N``.
If no start-time is specified, the modification time of the
``dsset-`` file is used.
.. option:: -T ttl
This option specifies a TTL to be used for new DS records. If not specified, the
default is the TTL of the old DS records. If they had no explicit TTL,
the new DS records also have no explicit TTL.
.. option:: -u
This option writes an :iscman:`nsupdate` script to the standard output, instead of
printing the new DS reords. The output is empty if no change is
needed.
Note: The TTL of new records needs to be specified: it can be done in the
original ``dsset-`` file, with the :option:`-T` option, or using the
:iscman:`nsupdate` ``ttl`` command.
.. option:: -V
This option prints version information.
.. option:: -v level
This option sets the debugging level. Level 1 is intended to be usefully verbose
for general users; higher levels are intended for developers.
``domain``
This indicates the name of the delegation point/child zone apex.
Exit Status
~~~~~~~~~~~
The :program:`dnssec-cds` command exits 0 on success, or non-zero if an error
occurred.
If successful, the DS records may or may not need to be
changed.
Examples
~~~~~~~~
Before running :iscman:`dnssec-signzone`, ensure that the delegations
are up-to-date by running :program:`dnssec-cds` on every ``dsset-`` file.
To fetch the child records required by :program:`dnssec-cds`, invoke
:iscman:`dig` as in the script below. It is acceptable if the :iscman:`dig` fails, since
:program:`dnssec-cds` performs all the necessary checking.
::
for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
When the parent zone is automatically signed by :iscman:`named`,
:program:`dnssec-cds` can be used with :iscman:`nsupdate` to maintain a delegation as follows.
The ``dsset-`` file allows the script to avoid having to fetch and
validate the parent DS records, and it maintains the replay attack
protection time.
::
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
See Also
~~~~~~~~
:iscman:`dig(1) <dig>`, :iscman:`dnssec-settime(8) <dnssec-settime>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, :iscman:`nsupdate(1) <nsupdate>`, BIND 9 Administrator
Reference Manual, :rfc:`7344`.
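Review bot: the role markup in the `-u` paragraph under Description is malformed: `:option`dnssec-cds -u`` is missing the second colon and will render as literal text rather than a link; it should be `:option:`-u`` like the other references in the file. Two typos in the Options section: "printing the new DS reords" should read "records", and "multiple DS records are created for each CDNSKEY records" should read "CDNSKEY record".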


@ -0,0 +1,565 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/callbacks.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-dsfromkey";
static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static uint32_t ttl;
static bool emitttl = false;
static unsigned int split_width = 0;
static isc_result_t
initname(char *setname) {
isc_result_t result;
isc_buffer_t buf;
name = dns_fixedname_initname(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
return result;
}
static void
db_load_from_stream(dns_db_t *db, FILE *fp) {
isc_result_t result;
dns_rdatacallbacks_t callbacks;
dns_rdatacallbacks_init(&callbacks);
result = dns_db_beginload(db, &callbacks);
if (result != ISC_R_SUCCESS) {
fatal("dns_db_beginload failed: %s", isc_result_totext(result));
}
result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
mctx);
if (result != ISC_R_SUCCESS) {
fatal("can't load from input: %s", isc_result_totext(result));
}
result = dns_db_endload(db, &callbacks);
if (result != ISC_R_SUCCESS) {
fatal("dns_db_endload failed: %s", isc_result_totext(result));
}
}
static isc_result_t
loadset(const char *filename, dns_rdataset_t *rdataset) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
char setname[DNS_NAME_FORMATSIZE];
dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
if (result != ISC_R_SUCCESS) {
fatal("can't create database");
}
if (strcmp(filename, "-") == 0) {
db_load_from_stream(db, stdin);
filename = "input";
} else {
result = dns_db_load(db, filename, dns_masterformat_text, 0);
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
fatal("can't load %s: %s", filename,
isc_result_totext(result));
}
}
result = dns_db_findnode(db, name, false, &node);
if (result != ISC_R_SUCCESS) {
fatal("can't find %s node in %s", setname, filename);
}
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
fatal("no DNSKEY RR for %s in %s", setname, filename);
} else if (result != ISC_R_SUCCESS) {
fatal("dns_db_findrdataset");
}
if (node != NULL) {
dns_db_detachnode(db, &node);
}
if (db != NULL) {
dns_db_detach(&db);
}
return result;
}
static isc_result_t
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
isc_result_t result;
char filename[PATH_MAX + 1];
isc_buffer_t buf;
dns_rdataset_init(rdataset);
isc_buffer_init(&buf, filename, sizeof(filename));
if (dirname != NULL) {
/* allow room for a trailing slash */
if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
return ISC_R_NOSPACE;
}
isc_buffer_putstr(&buf, dirname);
if (dirname[strlen(dirname) - 1] != '/') {
isc_buffer_putstr(&buf, "/");
}
}
if (isc_buffer_availablelength(&buf) < 7) {
return ISC_R_NOSPACE;
}
isc_buffer_putstr(&buf, "keyset-");
result = dns_name_tofilenametext(name, false, &buf);
check_result(result, "dns_name_tofilenametext()");
if (isc_buffer_availablelength(&buf) == 0) {
return ISC_R_NOSPACE;
}
isc_buffer_putuint8(&buf, 0);
return loadset(filename, rdataset);
}
static void
loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
dns_rdata_t *rdata) {
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t keyb;
isc_region_t r;
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
&key);
if (result != ISC_R_SUCCESS) {
fatal("can't load %s.key: %s", filename,
isc_result_totext(result));
}
if (verbose > 2) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
result = dst_key_todns(key, &keyb);
if (result != ISC_R_SUCCESS) {
fatal("can't decode key");
}
isc_buffer_usedregion(&keyb, &r);
dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
&r);
rdclass = dst_key_class(key);
name = dns_fixedname_initname(&fixed);
dns_name_copy(dst_key_name(key), name);
dst_key_free(&key);
}
static void
logkey(dns_rdata_t *rdata) {
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
char keystr[DST_KEY_FORMATSIZE];
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
if (result != ISC_R_SUCCESS) {
return;
}
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
dst_key_free(&key);
}
static void
emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
char name_buf[DNS_NAME_MAXWIRE];
char class_buf[10];
isc_buffer_t textb, nameb, classb;
isc_region_t r;
dns_rdata_t ds;
dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
result = dns_rdata_tostruct(rdata, &dnskey, NULL);
if (result != ISC_R_SUCCESS) {
fatal("can't convert DNSKEY");
}
if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
return;
}
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
return;
}
result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
if (result != ISC_R_SUCCESS) {
fatal("can't build record");
}
result = dns_name_totext(name, 0, &nameb);
if (result != ISC_R_SUCCESS) {
fatal("can't print name");
}
result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, split_width,
"", &textb);
if (result != ISC_R_SUCCESS) {
fatal("can't print rdata");
}
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS) {
fatal("can't print class");
}
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
if (emitttl) {
printf("%u ", ttl);
}
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
if (cds) {
printf(" CDS ");
} else {
printf(" DS ");
}
isc_buffer_usedregion(&textb, &r);
printf("%.*s\n", (int)r.length, r.base);
}
static void
emits(bool showall, bool cds, dns_rdata_t *rdata) {
unsigned int i, n;
n = sizeof(dtype) / sizeof(dtype[0]);
for (i = 0; i < n; i++) {
if (dtype[i] != 0) {
emit(dtype[i], showall, cds, rdata);
}
}
}
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, " %s [options] -f zonefile [zonename]\n\n", program);
fprintf(stderr, " %s [options] -s dnsname\n\n", program);
fprintf(stderr, " %s [-h|-V]\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options:\n"
" -1: digest algorithm SHA-1\n"
" -2: digest algorithm SHA-256\n"
" -a algorithm: digest algorithm (SHA-1, SHA-256 or "
"SHA-384)\n"
" -A: include all keys in DS set, not just KSKs (-f "
"only)\n"
" -c class: rdata class for DS set (default IN) (-f "
"or -s only)\n"
" -C: print CDS records\n"
" -f zonefile: read keys from a zone file\n"
" -h: print help information\n"
" -K directory: where to find key or keyset files\n"
" -w split base64 rdata text into chunks\n"
" -s: read keys from keyset-<dnsname> file\n"
" -T: TTL of output records (omitted by default)\n"
" -v level: verbosity\n"
" -V: print version information\n");
fprintf(stderr, "Output: DS or CDS RRs\n");
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv) {
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *endp, *arg1;
int ch;
bool cds = false;
bool usekeyset = false;
bool showall = false;
isc_result_t result;
isc_log_t *log = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata;
dns_rdata_init(&rdata);
if (argc == 1) {
usage();
}
isc_mem_create(&mctx);
isc_commandline_errprint = false;
#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:whV"
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case '1':
add_dtype(DNS_DSDIGEST_SHA1);
break;
case '2':
add_dtype(DNS_DSDIGEST_SHA256);
break;
case 'A':
showall = true;
break;
case 'a':
add_dtype(strtodsdigest(isc_commandline_argument));
break;
case 'C':
cds = true;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
fprintf(stderr,
"%s: the -d option is deprecated; "
"use -K\n",
program);
/* fall through */
case 'K':
dir = isc_commandline_argument;
if (strlen(dir) == 0U) {
fatal("directory must be non-empty string");
}
break;
case 'f':
filename = isc_commandline_argument;
break;
case 'l':
fatal("-l option (DLV lookaside) is obsolete");
break;
case 's':
usekeyset = true;
break;
case 'T':
emitttl = true;
ttl = strtottl(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case 'w':
split_width = UINT_MAX;
break;
case 'F':
/* Reserved for FIPS mode */
FALLTHROUGH;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'V':
/* Does not return. */
version(program);
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL) {
fatal("cannot use both -s and -f");
}
/* When not using -f, -A is implicit */
if (filename == NULL) {
showall = true;
}
/* Default digest type if none specified. */
if (dtype[0] == 0) {
dtype[0] = DNS_DSDIGEST_SHA256;
}
/*
* Use local variable arg1 so that clang can correctly analyse
* reachable paths rather than 'argc < isc_commandline_index + 1'.
*/
arg1 = argv[isc_commandline_index];
if (arg1 == NULL && filename == NULL) {
fatal("the key file name was not specified");
}
if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
if (usekeyset || filename != NULL) {
if (arg1 == NULL) {
/* using file name as the zone name */
namestr = filename;
} else {
namestr = arg1;
}
result = initname(namestr);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize name %s", namestr);
}
if (usekeyset) {
result = loadkeyset(dir, &rdataset);
} else {
INSIST(filename != NULL);
result = loadset(filename, &rdataset);
}
if (result != ISC_R_SUCCESS) {
fatal("could not load DNSKEY set: %s\n",
isc_result_totext(result));
}
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdata_init(&rdata);
dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2) {
logkey(&rdata);
}
emits(showall, cds, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
emits(showall, cds, &rdata);
}
if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
isc_mem_destroy(&mctx);
fflush(stdout);
if (ferror(stdout)) {
fprintf(stderr, "write error\n");
return 1;
} else {
return 0;
}
}
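Review bot: in emit(), `char name_buf[DNS_NAME_MAXWIRE];` is sized for the wire form but is filled by `dns_name_totext(name, 0, &nameb)`, which produces the presentation form; a name whose labels contain escaped octets (`\000`, `\.`) can run well past 255 characters in text, so the call returns ISC_R_NOSPACE and the tool dies with `fatal("can't print name")` on a perfectly valid key. Size the buffer for the text form, as loadset() already does with `char setname[DNS_NAME_FORMATSIZE];`. Minor: `fatal("dns_db_findrdataset");` in loadset() is the one failure path that omits `isc_result_totext(result)`, so the user gets no reason code for it.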


@ -0,0 +1,159 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-dsfromkey
.. program:: dnssec-dsfromkey
.. _man_dnssec-dsfromkey:
dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
Description
~~~~~~~~~~~
The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the :option:`-C` option.
By default, only KSKs are converted (keys with flags = 257). The
:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never
included.
The input keys can be specified in a number of ways:
By default, :program:`dnssec-dsfromkey` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.
With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).
With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
as generated by :iscman:`dnssec-keygen` :option:`-C`.
Options
~~~~~~~
.. option:: -1
This option is an abbreviation for :option:`-a SHA1 <-a>`.
.. option:: -2
This option is an abbreviation for :option:`-a SHA-256 <-a>`.
.. option:: -a algorithm
This option specifies a digest algorithm to use when converting DNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each DNSKEY record.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256.
.. option:: -A
This option indicates that ZSKs are to be included when generating DS records. Without this option, only
keys which have the KSK flag set are converted to DS records and
printed. This option is only useful in :option:`-f` zone file mode.
.. option:: -c class
This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
or :option:`-f` zone file mode.
.. option:: -C
This option generates CDS records rather than DS records.
.. option:: -f file
This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
DNS domain name of a zone whose master file can be read from
``file``. If the zone name is the same as ``file``, then it may be
omitted.
If ``file`` is ``-``, then the zone data is read from the standard
input. This makes it possible to use the output of the :iscman:`dig`
command as input, as in:
``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
.. option:: -h
This option prints usage information.
.. option:: -K directory
This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
.. option:: -s
This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
domain name used to locate a ``keyset-`` file.
.. option:: -T TTL
This option specifies the TTL of the DS records. By default the TTL is omitted.
.. option:: -v level
This option sets the debugging level.
.. option:: -V
This option prints version information.
Example
~~~~~~~
To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
issue the following command:
``dnssec-dsfromkey -2 Kexample.com.+003+26160``
The command returns something similar to:
``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
Files
~~~~~
The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
generated by :iscman:`dnssec-keygen`.
The keyset file name is built from the ``directory``, the string
``keyset-``, and the ``dnsname``.
Caveat
~~~~~~
A keyfile error may return "file not found," even if the file exists.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).
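Review bot: the Options section and the Synopsis lines leave `-w` undocumented even though the tool accepts it: the C source in this commit lists it in `#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:whV"`, prints `" -w split base64 rdata text into chunks\n"` in usage(), and handles it with `split_width = UINT_MAX;`. Add a `.. option:: -w` entry describing the behaviour the usage string names and add the flag to the Synopsis, or remove it from usage() if it is meant to stay hidden.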


@ -0,0 +1,475 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/callbacks.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-importkey";
static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static bool setpub = false, setdel = false;
static bool setttl = false;
static isc_stdtime_t pub = 0, del = 0;
static dns_ttl_t ttl = 0;
static isc_stdtime_t syncadd = 0, syncdel = 0;
static bool setsyncadd = false;
static bool setsyncdel = false;
static isc_result_t
initname(char *setname) {
isc_result_t result;
isc_buffer_t buf;
name = dns_fixedname_initname(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
return result;
}
static void
db_load_from_stream(dns_db_t *db, FILE *fp) {
isc_result_t result;
dns_rdatacallbacks_t callbacks;
dns_rdatacallbacks_init(&callbacks);
result = dns_db_beginload(db, &callbacks);
if (result != ISC_R_SUCCESS) {
fatal("dns_db_beginload failed: %s", isc_result_totext(result));
}
result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
mctx);
if (result != ISC_R_SUCCESS) {
fatal("can't load from input: %s", isc_result_totext(result));
}
result = dns_db_endload(db, &callbacks);
if (result != ISC_R_SUCCESS) {
fatal("dns_db_endload failed: %s", isc_result_totext(result));
}
}
static isc_result_t
loadset(const char *filename, dns_rdataset_t *rdataset) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
char setname[DNS_NAME_FORMATSIZE];
dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
if (result != ISC_R_SUCCESS) {
fatal("can't create database");
}
if (strcmp(filename, "-") == 0) {
db_load_from_stream(db, stdin);
filename = "input";
} else {
result = dns_db_load(db, filename, dns_masterformat_text,
DNS_MASTER_NOTTL);
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
fatal("can't load %s: %s", filename,
isc_result_totext(result));
}
}
result = dns_db_findnode(db, name, false, &node);
if (result != ISC_R_SUCCESS) {
fatal("can't find %s node in %s", setname, filename);
}
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
fatal("no DNSKEY RR for %s in %s", setname, filename);
} else if (result != ISC_R_SUCCESS) {
fatal("dns_db_findrdataset");
}
if (node != NULL) {
dns_db_detachnode(db, &node);
}
if (db != NULL) {
dns_db_detach(&db);
}
return result;
}
static void
loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
dns_rdata_t *rdata) {
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t keyb;
isc_region_t r;
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
&key);
if (result != ISC_R_SUCCESS) {
fatal("invalid keyfile name %s: %s", filename,
isc_result_totext(result));
}
if (verbose > 2) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
result = dst_key_todns(key, &keyb);
if (result != ISC_R_SUCCESS) {
fatal("can't decode key");
}
isc_buffer_usedregion(&keyb, &r);
dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
&r);
rdclass = dst_key_class(key);
name = dns_fixedname_initname(&fixed);
dns_name_copy(dst_key_name(key), name);
dst_key_free(&key);
}
static void
emit(const char *dir, dns_rdata_t *rdata) {
isc_result_t result;
char keystr[DST_KEY_FORMATSIZE];
char pubname[1024];
char priname[1024];
isc_buffer_t buf;
dst_key_t *key = NULL, *tmp = NULL;
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
if (result != ISC_R_SUCCESS) {
fatal("dst_key_fromdns: %s", isc_result_totext(result));
}
isc_buffer_init(&buf, pubname, sizeof(pubname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
isc_buffer_init(&buf, priname, sizeof(priname));
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
result = dst_key_fromfile(
dst_key_name(key), dst_key_id(key), dst_key_alg(key),
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir, mctx, &tmp);
if (result == ISC_R_SUCCESS) {
if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp)) {
fatal("Private key already exists in %s", priname);
}
dst_key_free(&tmp);
}
dst_key_setexternal(key, true);
if (setpub) {
dst_key_settime(key, DST_TIME_PUBLISH, pub);
}
if (setdel) {
dst_key_settime(key, DST_TIME_DELETE, del);
}
if (setsyncadd) {
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
}
if (setsyncdel) {
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
}
if (setttl) {
dst_key_setttl(key, ttl);
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", pubname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", priname);
dst_key_free(&key);
}
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
fprintf(stderr, " %s options -f file [keyname]\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -f file: read key from zone file\n");
fprintf(stderr, " -K <directory>: directory in which to store "
"the key files\n");
fprintf(stderr, " -L ttl: set default key TTL\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, " -h: print usage and exit\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv) {
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *endp;
int ch;
isc_result_t result;
isc_log_t *log = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata;
isc_stdtime_t now = isc_stdtime_now();
dns_rdata_init(&rdata);
if (argc == 1) {
usage();
}
isc_mem_create(&mctx);
isc_commandline_errprint = false;
#define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel) {
fatal("-D sync specified more than "
"once");
}
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel) {
fatal("-D specified more than once");
}
del = strtotime(isc_commandline_argument, now, now,
&setdel);
break;
case 'K':
dir = isc_commandline_argument;
if (strlen(dir) == 0U) {
fatal("directory must be non-empty string");
}
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd) {
fatal("-P sync specified more than "
"once");
}
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub) {
fatal("-P specified more than once");
}
pub = strtotime(isc_commandline_argument, now, now,
&setpub);
break;
case 'f':
filename = isc_commandline_argument;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'V':
/* Does not return. */
version(program);
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
rdclass = strtoclass(classname);
if (argc < isc_commandline_index + 1 && filename == NULL) {
fatal("the key file name was not specified");
}
if (argc > isc_commandline_index + 1) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
if (filename != NULL) {
if (argc < isc_commandline_index + 1) {
/* using filename as zone name */
namestr = filename;
} else {
namestr = argv[isc_commandline_index];
}
result = initname(namestr);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize name %s", namestr);
}
result = loadset(filename, &rdataset);
if (result != ISC_R_SUCCESS) {
fatal("could not load DNSKEY set: %s\n",
isc_result_totext(result));
}
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdata_init(&rdata);
dns_rdataset_current(&rdataset, &rdata);
emit(dir, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE,
&rdata);
emit(dir, &rdata);
}
if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
isc_mem_destroy(&mctx);
fflush(stdout);
if (ferror(stdout)) {
fprintf(stderr, "write error\n");
return 1;
} else {
return 0;
}
}
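Review bot: loadset() loads a zone file and standard input with different master-file options: the file path calls `dns_db_load(db, filename, dns_masterformat_text, DNS_MASTER_NOTTL)` while db_load_from_stream() calls `dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks, mctx)`, so records without a TTL are accepted from a file but rejected when the same data arrives via `-f -`. Pass the same options on both paths. Also, in emit() the second `dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf)` after `isc_buffer_clear(&buf)` rebuilds a name that priname already holds from the earlier call and its result is never used; drop the rebuild and keep only `printf("%s\n", priname);`.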


@ -0,0 +1,142 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-importkey
.. program:: dnssec-importkey
.. _man_dnssec-importkey:
dnssec-importkey - import DNSKEY records from external systems so they can be managed
-------------------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}
:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]
Description
~~~~~~~~~~~
:program:`dnssec-importkey` reads a public DNSKEY record and generates a pair
of .key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file is
generated, or it may be read from any other file or from the standard
input, in which case both .key and .private files are generated.
The newly created .private file does *not* contain private key data, and
cannot be used for signing. However, having a .private file makes it
possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for the
key, which means the public key can be added to and removed from the
DNSKEY RRset on schedule even if the true private key is stored offline.
Options
~~~~~~~
.. option:: -f filename
This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
DNS domain name of a zone master file, which can be read from
``filename``. If the domain name is the same as ``filename``, then it may be
omitted.
If ``filename`` is set to ``"-"``, then the zone data is read from the
standard input.
.. option:: -K directory
This option sets the directory in which the key files are to reside.
.. option:: -L ttl
This option sets the default TTL to use for this key when it is converted into a
DNSKEY RR. This is the TTL used when the key is imported into a zone,
unless there was already a DNSKEY RRset in
place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
removes it from the key.
.. option:: -h
This option emits a usage message and exits.
.. option:: -v level
This option sets the debugging level.
.. option:: -V
This option prints version information.
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
(which is the format used inside key files),
or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
or UNIX epoch time (as printed by ``dnssec-settime -up``),
or the literal ``now``.
The argument can be followed by ``+`` or ``-`` and an offset from the
given time. The literal ``now`` can be omitted before an offset. The
offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
``d``, ``h``, or ``mi``, so that it is computed in years (defined as
365 24-hour days, ignoring leap years), months (defined as 30 24-hour
days), weeks, days, hours, or minutes, respectively. Without a suffix,
the offset is computed in seconds.
To explicitly prevent a date from being set, use ``none``, ``never``,
or ``unset``.
All these formats are case-insensitive.
.. option:: -P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
to sign it.
.. program:: dnssec-importkey -P
.. option:: sync date/offset
This option sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
.. program:: dnssec-importkey
.. option:: -D date/offset
This option sets the date on which the key is to be deleted. After that date, the
key is no longer included in the zone. (However, it may remain in the key
repository.)
.. program:: dnssec-importkey -D
.. option:: sync date/offset
This option sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
.. program:: dnssec-importkey
Files
~~~~~
A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
:iscman:`dnssec-keygen`.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`5011`.
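Review bot: typo in the Files section, `A keyfile can be designed by the key identification` should read "designated", matching the wording of the dnssec-dsfromkey.rst page added in this same commit. The Timing Options paragraph also has a stray full stop mid-sentence, `YYYYMMDD or YYYYMMDDHHMMSS.` followed by `(which is the format used inside key files),`; the period belongs after the closing parenthesis clause, not before it.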


@ -0,0 +1,759 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/secalg.h>
#include <dst/dst.h>
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
const char *program = "dnssec-keyfromlabel";
static uint16_t tag_min = 0, tag_max = 0xffff;
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s -l label [options] name\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
" RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
" ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -L ttl: default key TTL\n");
fprintf(stderr, " -M <min>:<max>: allowed Key ID range\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | "
"OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -P sync date/[+-]offset: set CDS and CDNSKEY "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset: set CDS and CDNSKEY "
"deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" all dates\n");
fprintf(stderr, " -S <key>: generate a successor to an existing "
"key\n");
fprintf(stderr, " -i <interval>: prepublication interval for "
"successor key "
"(default: 30 days)\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv) {
char *algname = NULL, *freeit = NULL;
char *nametype = NULL, *type = NULL;
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
const char *engine = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
bool oldstyle = false;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
isc_buffer_t buf;
isc_log_t *log = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
dns_ttl_t ttl = 0;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, deltime = 0;
int prepub = -1;
bool setpub = false, setact = false;
bool setrev = false, setinact = false;
bool setdel = false, setttl = false;
bool unsetpub = false, unsetact = false;
bool unsetrev = false, unsetinact = false;
bool unsetdel = false;
bool genonly = false;
bool use_nsec3 = false;
bool avoid_collisions = true;
bool exact;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;
bool unsetsyncadd = false, setsyncadd = false;
bool unsetsyncdel = false, setsyncdel = false;
isc_stdtime_t now = isc_stdtime_now();
if (argc == 1) {
usage();
}
isc_mem_create(&mctx);
isc_commandline_errprint = false;
#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:M:n:P:p:R:S:t:v:Vy"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case '3':
use_nsec3 = true;
break;
case 'a':
algname = isc_commandline_argument;
break;
case 'C':
oldstyle = true;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
if (toupper(c) == 'K') {
kskflag = DNS_KEYFLAG_KSK;
} else if (toupper(c) == 'R') {
revflag = DNS_KEYFLAG_REVOKE;
} else {
fatal("unknown flag '%s'",
isc_commandline_argument);
}
break;
case 'K':
directory = isc_commandline_argument;
ret = try_dir(directory);
if (ret != ISC_R_SUCCESS) {
fatal("cannot open directory %s: %s", directory,
isc_result_totext(ret));
}
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
break;
case 'l':
label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'M': {
unsigned long ul;
tag_min = ul = strtoul(isc_commandline_argument, &endp,
10);
if (*endp != ':' || ul > 0xffff) {
fatal("-M range invalid");
}
tag_max = ul = strtoul(endp + 1, &endp, 10);
if (*endp != '\0' || ul > 0xffff || tag_max <= tag_min)
{
fatal("-M range invalid");
}
break;
}
case 'n':
nametype = isc_commandline_argument;
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255) {
fatal("-p must be followed by a number "
"[0..255]");
}
break;
case 't':
type = isc_commandline_argument;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case 'y':
avoid_collisions = false;
break;
case 'G':
genonly = true;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd) {
fatal("-P sync specified more than "
"once");
}
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub) {
fatal("-P specified more than once");
}
publish = strtotime(isc_commandline_argument, now, now,
&setpub);
unsetpub = !setpub;
break;
case 'A':
if (setact || unsetact) {
fatal("-A specified more than once");
}
activate = strtotime(isc_commandline_argument, now, now,
&setact);
unsetact = !setact;
break;
case 'R':
if (setrev || unsetrev) {
fatal("-R specified more than once");
}
revoke = strtotime(isc_commandline_argument, now, now,
&setrev);
unsetrev = !setrev;
break;
case 'I':
if (setinact || unsetinact) {
fatal("-I specified more than once");
}
inactive = strtotime(isc_commandline_argument, now, now,
&setinact);
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel) {
fatal("-D sync specified more than "
"once");
}
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel) {
fatal("-D specified more than once");
}
deltime = strtotime(isc_commandline_argument, now, now,
&setdel);
unsetdel = !setdel;
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case 'F':
/* Reserved for FIPS mode */
FALLTHROUGH;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'V':
/* Does not return. */
version(program);
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
ret = dst_lib_init(mctx, engine);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
setup_logging(mctx, &log);
if (predecessor == NULL) {
if (label == NULL) {
fatal("the key label was not specified");
}
if (argc < isc_commandline_index + 1) {
fatal("the key name was not specified");
}
if (argc > isc_commandline_index + 1) {
fatal("extraneous arguments");
}
name = dns_fixedname_initname(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS) {
fatal("invalid key name %s: %s",
argv[isc_commandline_index],
isc_result_totext(ret));
}
if (strchr(label, ':') == NULL) {
char *l;
int len;
len = strlen(label) + 8;
l = isc_mem_allocate(mctx, len);
snprintf(l, len, "pkcs11:%s", label);
isc_mem_free(mctx, label);
label = l;
}
if (algname == NULL) {
fatal("no algorithm specified");
}
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
if (use_nsec3) {
switch (alg) {
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
break;
default:
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option",
algname);
}
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0) {
flags |= DNS_KEYTYPE_NOAUTH;
} else if (strcasecmp(type, "NOCONF") == 0) {
flags |= DNS_KEYTYPE_NOCONF;
} else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH |
DNS_KEYTYPE_NOCONF);
} else if (strcasecmp(type, "AUTHCONF") == 0) {
/* nothing */
} else {
fatal("invalid type %s", type);
}
}
if (!oldstyle && prepub > 0) {
if (setpub && setact && (activate - prepub) < publish) {
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
}
if (!setpub && !setact) {
setpub = setact = true;
publish = now;
activate = now + prepub;
} else if (setpub && !setact) {
setact = true;
activate = publish + prepub;
} else if (setact && !setpub) {
setpub = true;
publish = activate - prepub;
}
if ((activate - prepub) < now) {
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
}
} else {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t when;
int major, minor;
if (prepub == -1) {
prepub = (30 * 86400);
}
if (algname != NULL) {
fatal("-S and -a cannot be used together");
}
if (nametype != NULL) {
fatal("-S and -n cannot be used together");
}
if (type != NULL) {
fatal("-S and -t cannot be used together");
}
if (setpub || unsetpub) {
fatal("-S and -P cannot be used together");
}
if (setact || unsetact) {
fatal("-S and -A cannot be used together");
}
if (use_nsec3) {
fatal("-S and -3 cannot be used together");
}
if (oldstyle) {
fatal("-S and -C cannot be used together");
}
if (genonly) {
fatal("-S and -G cannot be used together");
}
ret = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &prevkey);
if (ret != ISC_R_SUCCESS) {
fatal("Invalid keyfile %s: %s", predecessor,
isc_result_totext(ret));
}
if (!dst_key_isprivate(prevkey)) {
fatal("%s is not a private key", predecessor);
}
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
fatal("Key %s has incompatible format version %d.%d\n\t"
"It is not possible to generate a successor key.",
keystr, major, minor);
}
ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
if (ret != ISC_R_SUCCESS) {
fatal("Key %s has no activation date.\n\t"
"You must use dnssec-settime -A to set one "
"before generating a successor.",
keystr);
}
ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
if (ret != ISC_R_SUCCESS) {
fatal("Key %s has no inactivation date.\n\t"
"You must use dnssec-settime -I to set one "
"before generating a successor.",
keystr);
}
publish = activate - prepub;
if (publish < now) {
fatal("Key %s becomes inactive\n\t"
"sooner than the prepublication period "
"for the new key ends.\n\t"
"Either change the inactivation date with "
"dnssec-settime -I,\n\t"
"or use the -i option to set a shorter "
"prepublication interval.",
keystr);
}
ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
if (ret != ISC_R_SUCCESS) {
fprintf(stderr,
"%s: WARNING: Key %s has no removal "
"date;\n\t it will remain in the zone "
"indefinitely after rollover.\n\t "
"You can use dnssec-settime -D to "
"change this.\n",
program, keystr);
}
setpub = setact = true;
}
if (nametype == NULL) {
if ((options & DST_TYPE_KEY) != 0) { /* KEY */
fatal("no nametype specified");
}
flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
} else if (strcasecmp(nametype, "zone") == 0) {
flags |= DNS_KEYOWNER_ZONE;
} else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
{
flags |= DNS_KEYOWNER_ENTITY;
} else if (strcasecmp(nametype, "user") == 0) {
/* no owner flags */
} else {
fatal("invalid KEY nametype %s", nametype);
}
} else if (strcasecmp(nametype, "other") != 0) { /* DNSKEY */
fatal("invalid DNSKEY nametype %s", nametype);
}
rdclass = strtoclass(classname);
if (directory == NULL) {
directory = ".";
}
if ((options & DST_TYPE_KEY) != 0) { /* KEY */
flags |= signatory;
} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
flags |= kskflag;
flags |= revflag;
}
if (protocol == -1) {
protocol = DNS_KEYPROTO_DNSSEC;
} else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
{
fatal("invalid DNSKEY protocol: %d", protocol);
}
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
label, NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to get key %s/%s: %s", namestr, algstr,
isc_result_totext(ret));
UNREACHABLE();
exit(EXIT_FAILURE);
}
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default, but
* can be overridden. Creation date is always set to "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact)) {
fatal("cannot use -G together with -P or -A options");
}
if (setpub) {
dst_key_settime(key, DST_TIME_PUBLISH, publish);
} else if (setact) {
dst_key_settime(key, DST_TIME_PUBLISH, activate);
} else if (!genonly && !unsetpub) {
dst_key_settime(key, DST_TIME_PUBLISH, now);
}
if (setact) {
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
} else if (!genonly && !unsetact) {
dst_key_settime(key, DST_TIME_ACTIVATE, now);
}
if (setrev) {
if (kskflag == 0) {
fprintf(stderr,
"%s: warning: Key is "
"not flagged as a KSK, but -R "
"was used. Revoking a ZSK is "
"legal, but undefined.\n",
program);
}
dst_key_settime(key, DST_TIME_REVOKE, revoke);
}
if (setinact) {
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
}
if (setdel) {
dst_key_settime(key, DST_TIME_DELETE, deltime);
}
if (setsyncadd) {
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
}
if (setsyncdel) {
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
}
} else {
if (setpub || setact || setrev || setinact || setdel ||
unsetpub || unsetact || unsetrev || unsetinact ||
unsetdel || genonly || setsyncadd || setsyncdel)
{
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
}
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
*/
dst_key_setprivateformat(key, 1, 2);
}
/* Set default key TTL */
if (setttl) {
dst_key_setttl(key, ttl);
}
/*
* Do not overwrite an existing key. Warn LOUDLY if there
* is a risk of ID collision due to this key or another key
* being revoked.
*/
if (key_collision(key, name, directory, mctx, tag_min, tag_max, &exact))
{
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS) {
fatal("dst_key_buildfilename returned: %s\n",
isc_result_totext(ret));
}
if (exact) {
fatal("%s: %s already exists\n", program, filename);
}
if (avoid_collisions) {
fatal("%s: %s could collide with another key upon "
"revokation\n",
program, filename);
}
fprintf(stderr,
"%s: WARNING: Key %s could collide with "
"another key upon revokation. If you plan "
"to revoke keys, destroy this key and "
"generate a different one.\n",
program, filename);
}
ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
if (ret != ISC_R_SUCCESS) {
fatal("dst_key_buildfilename returned: %s\n",
isc_result_totext(ret));
}
printf("%s\n", filename);
dst_key_free(&key);
if (prevkey != NULL) {
dst_key_free(&prevkey);
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
if (freeit != NULL) {
free(freeit);
}
return 0;
}
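Review bot: `freeit` and `signatory` in main() are declared but never assigned, so `if (freeit != NULL) { free(freeit); }` at the end of main() and `flags |= signatory;` in the KEY branch are dead code; drop both variables, and the unused `#define MAX_RSA 4096` with them, rather than leave the reader looking for the path that sets them. Three smaller points in the same hunk: the successor (-S) branch computes `publish = activate - prepub;` on an unsigned `isc_stdtime_t` without the `prepub > 0` guard the non-successor branch applies, so a negative `prepub` (it is a plain `int` filled from `strtottl()`) moves the publication date after activation and the `publish < now` check does not catch it, so validate `prepub` in both branches; the user-facing messages in the key_collision block misspell "revocation" as "revokation" (`"could collide with another key upon revokation\n"`); and the usage() line `"       (DNSKEY generation defaults to ZONE\n"` is missing its closing parenthesis.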


@ -0,0 +1,301 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-keyfromlabel
.. program:: dnssec-keyfromlabel
.. _man_dnssec-keyfromlabel:
dnssec-keyfromlabel - DNSSEC key generation tool
------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
:program:`dnssec-keyfromlabel` generates a pair of key files that reference a
key object stored in a cryptographic hardware service module (HSM). The
private key file can be used for DNSSEC signing of zone data as if it
were a conventional signing key created by :iscman:`dnssec-keygen`, but the
key material is stored within the HSM and the actual signing takes
place there.
The ``name`` of the key is specified on the command line. This must
match the name of the zone for which the key is being generated.
Options
~~~~~~~
.. option:: -a algorithm
This option selects the cryptographic algorithm. The value of ``algorithm`` must
be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
option, then NSEC3RSASHA1 is used instead.
This option is mandatory except when using the
:option:`-S` option, which copies the algorithm from the predecessory key.
.. versionchanged:: 9.12.0
The default value RSASHA1 for newly generated keys was removed.
.. option:: -3
This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
.. option:: -E engine
This option specifies the cryptographic hardware to use.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -l label
This option specifies the label for a key pair in the crypto hardware.
When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in ``pkcs11:keylabel``.
.. option:: -n nametype
This option specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
(for a key associated with a host (KEY)), USER (for a key associated
with a user (KEY)), or OTHER (DNSKEY). These values are
case-insensitive.
.. option:: -C
This option enables compatibility mode, which generates an old-style key, without any metadata.
By default, :program:`dnssec-keyfromlabel` includes the key's creation
date in the metadata stored with the private key; other dates may
be set there as well, including publication date, activation date, etc. Keys
that include this data may be incompatible with older versions of
BIND; the :option:`-C` option suppresses them.
.. option:: -c class
This option indicates that the DNS record containing the key should have the
specified class. If not specified, class IN is used.
.. option:: -f flag
This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key-Signing Key) and REVOKE.
.. option:: -G
This option generates a key, but does not publish it or sign with it. This option is
incompatible with :option:`-P` and :option:`-A`.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`dnssec-keyfromlabel`.
.. option:: -K directory
This option sets the directory in which the key files are to be written.
.. option:: -k
This option generates KEY records rather than DNSKEY records.
.. option:: -L ttl
This option sets the default TTL to use for this key when it is converted into a
DNSKEY RR. This is the TTL used when the key is imported into a zone,
unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. Setting
the default TTL to ``0`` or ``none`` removes it.
.. option:: -M tag_min:tag_max
This option sets the range of key tag values
that ``dnssec-keyfromlabel`` will accept. If the key tag of the new
key or the key tag of the revoked version of the new key is
outside this range, the new key will be rejected. This is
designed to be used when generating keys in a multi-signer
scenario, where each operator is given a range of key tags to
prevent collisions among different operators. The valid
values for ``tag_min`` and ``tag_max`` are [0..65535]. The
default allows all key tag values to be accepted.
.. option:: -p protocol
This option sets the protocol value for the key. The protocol is a number between
0 and 255. The default is 3 (DNSSEC). Other possible values for this
argument are listed in :rfc:`2535` and its successors.
.. option:: -S key
This option generates a key as an explicit successor to an existing key. The name,
algorithm, size, and type of the key are set to match the
predecessor. The activation date of the new key is set to the
inactivation date of the existing one. The publication date is
set to the activation date minus the prepublication interval, which
defaults to 30 days.
.. option:: -t type
This option indicates the type of the key. ``type`` must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
to the ability to authenticate data, and CONF to the ability to encrypt
data.
.. option:: -v level
This option sets the debugging level.
.. option:: -V
This option prints version information.
.. option:: -y
This option allows DNSSEC key files to be generated even if the key ID would
collide with that of an existing key, in the event of either key
being revoked. (This is only safe to enable if
:rfc:`5011` trust anchor maintenance is not used with either of the keys
involved.)
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
(which is the format used inside key files),
or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
or UNIX epoch time (as printed by ``dnssec-settime -up``),
or the literal ``now``.
The argument can be followed by ``+`` or ``-`` and an offset from the
given time. The literal ``now`` can be omitted before an offset. The
offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
``d``, ``h``, or ``mi``, so that it is computed in years (defined as
365 24-hour days, ignoring leap years), months (defined as 30 24-hour
days), weeks, days, hours, or minutes, respectively. Without a suffix,
the offset is computed in seconds.
To explicitly prevent a date from being set, use ``none``, ``never``,
or ``unset``.
All these formats are case-insensitive.
.. option:: -P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
to sign it. If not set, and if the :option:`-G` option has not been used, the
default is the current date.
.. program:: dnssec-keyfromlabel -P
.. option:: sync date/offset
This option sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
.. program:: dnssec-keyfromlabel
.. option:: -A date/offset
This option sets the date on which the key is to be activated. After that date,
the key is included in the zone and used to sign it. If not set,
and if the :option:`-G` option has not been used, the default is the current date.
.. option:: -R date/offset
This option sets the date on which the key is to be revoked. After that date, the
key is flagged as revoked. It is included in the zone and
is used to sign it.
.. option:: -I date/offset
This option sets the date on which the key is to be retired. After that date, the
key is still included in the zone, but it is not used to
sign it.
.. option:: -D date/offset
This option sets the date on which the key is to be deleted. After that date, the
key is no longer included in the zone. (However, it may remain in the key
repository.)
.. program:: dnssec-keyfromlabel -D
.. option:: sync date/offset
This option sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
.. program:: dnssec-keyfromlabel
.. option:: -i interval
This option sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date is not, the publication date defaults to this much time
before the activation date; conversely, if the publication date is
specified but not the activation date, activation is set to
this much time after publication.
If the key is being created as an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Generated Key Files
~~~~~~~~~~~~~~~~~~~
When :program:`dnssec-keyfromlabel` completes successfully, it prints a string
of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
identification string for the key files it has generated.
- ``nnnn`` is the key name.
- ``aaa`` is the numeric representation of the algorithm.
- ``iiiii`` is the key identifier (or footprint).
:program:`dnssec-keyfromlabel` creates two files, with names based on the
printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
``Knnnn.+aaa+iiiii.private`` contains the private key.
The ``.key`` file contains a DNS KEY record that can be inserted into a
zone file (directly or with an $INCLUDE statement).
The ``.private`` file contains algorithm-specific fields. For obvious
security reasons, this file does not have general read permission.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`4034`, :rfc:`7512`.
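Review bot: the `-3` example "``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm" names the wrong program on a dnssec-keyfromlabel page; it should read ``dnssec-keyfromlabel -3 -a RSASHA1``. Also in this hunk: the Synopsis line omits **-C** and **-h** although both are documented under Options and accepted by the tool's CMDLINE_FLAGS; "copies the algorithm from the predecessory key" should be "predecessor key"; the `-S` entry says the "name, algorithm, size, and type" are copied, but an HSM-backed label has no key size argument here, so drop "size"; the `-p` entry points at RFC 2535 for other protocol values, while the code rejects anything other than 3 for DNSKEY (`fatal("invalid DNSKEY protocol: %d", protocol)`), so say that non-3 values are only accepted together with `-k`; and "The ``.key`` file contains a DNS KEY record" should say DNSKEY (KEY only when `-k` is used).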

1336
bin/dnssec/dnssec-keygen.c Normal file

File diff suppressed because it is too large

@ -0,0 +1,372 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-keygen
.. program:: dnssec-keygen
.. _man_dnssec-keygen:
dnssec-keygen: DNSSEC key generation tool
-----------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
:program:`dnssec-keygen` generates keys for DNSSEC (Secure DNS), as defined in
:rfc:`2535` and :rfc:`4034`.
The ``name`` of the key is specified on the command line. For DNSSEC
keys, this must match the name of the zone for which the key is being
generated.
Options
~~~~~~~
.. option:: -3
This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version is selected; for example,
``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
.. option:: -a algorithm
This option selects the cryptographic algorithm. For DNSSEC keys, the value of
``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
option, NSEC3RSASHA1 is used instead.
This parameter *must* be specified except when using the :option:`-S`
option, which copies the algorithm from the predecessor key.
In prior releases, HMAC algorithms could be generated for use as TSIG
keys, but that feature was removed in BIND 9.13.0. Use
:iscman:`tsig-keygen` to generate TSIG keys.
.. option:: -b keysize
This option specifies the number of bits in the key. The choice of key size
depends on the algorithm used: RSA keys must be between 1024 and 4096
bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic
curve algorithms do not need this parameter.
If the key size is not specified, some algorithms have pre-defined
defaults. For example, RSA keys for use as DNSSEC zone-signing keys
have a default size of 1024 bits; RSA keys for use as key-signing
keys (KSKs, generated with :option:`-f KSK <-f>`) default to 2048 bits.
.. option:: -C
This option enables compatibility mode, which generates an old-style key, without any timing
metadata. By default, :program:`dnssec-keygen` includes the key's
creation date in the metadata stored with the private key; other
dates may be set there as well, including publication date, activation date,
etc. Keys that include this data may be incompatible with older
versions of BIND; the :option:`-C` option suppresses them.
.. option:: -c class
This option indicates that the DNS record containing the key should have the
specified class. If not specified, class IN is used.
.. option:: -d bits
This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, and ED448.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f flag
This option sets the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are ZSK (Zone-Signing Key), KSK (Key-Signing Key)
and REVOKE.
Note that ZSK is not a physical flag in the DNSKEY record, it is merely used
to explicitly tell that you want to create a ZSK. Setting :option:`-f` in
conjunction with :option:`-k` will result in generating keys that only
match the given role set with this option.
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)
mode if the underlying crytographic library supports running in FIPS
mode.
.. option:: -G
This option generates a key, but does not publish it or sign with it. This option is
incompatible with :option:`-P` and :option:`-A`.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`dnssec-keygen`.
.. option:: -K directory
This option sets the directory in which the key files are to be written.
.. option:: -k policy
This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys,
:program:`dnssec-keygen` generates multiple keys. This also
creates a ".state" file to keep track of the key state.
This option creates keys according to the ``dnssec-policy`` configuration, hence
it cannot be used at the same time as many of the other options that
:program:`dnssec-keygen` provides.
.. option:: -L ttl
This option sets the default TTL to use for this key when it is converted into a
DNSKEY RR. This is the TTL used when the key is imported into a zone,
unless there was already a DNSKEY RRset in
place, in which case the existing TTL takes precedence. If this
value is not set and there is no existing DNSKEY RRset, the TTL
defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
is the same as leaving it unset.
.. option:: -l file
This option provides a configuration file that contains a ``dnssec-policy`` statement
(matching the policy set with :option:`-k`).
.. option:: -M tag_min:tag_max
This option sets the range of acceptable key tag values that ``dnssec-keygen``
will produce. If the key tag of the new key or the key tag of
the revoked version of the new key is outside this range,
the new key will be rejected and another new key will be generated.
This is designed to be used when generating keys in a multi-signer
scenario, where each operator is given a range of key tags to
prevent collisions among different operators. The valid values
for ``tag_min`` and ``tag_max`` are [0..65535]. The default allows all
key tag values to be produced. This option is ignored when ``-k policy``
is specified.
.. option:: -n nametype
This option specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
(for a key associated with a host (KEY)), USER (for a key associated
with a user (KEY)), or OTHER (DNSKEY). These values are
case-insensitive. The default is ZONE for DNSKEY generation.
.. option:: -p protocol
This option sets the protocol value for the generated key, for use with
:option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
is 3 (DNSSEC). Other possible values for this argument are listed in
:rfc:`2535` and its successors.
.. option:: -q
This option sets quiet mode, which suppresses unnecessary output, including progress
indication. Without this option, when :program:`dnssec-keygen` is run
interactively to generate an RSA or DSA key pair, it prints a
string of symbols to ``stderr`` indicating the progress of the key
generation. A ``.`` indicates that a random number has been found which
passed an initial sieve test; ``+`` means a number has passed a single
round of the Miller-Rabin primality test; and a space ( ) means that the
number has passed all the tests and is a satisfactory key.
.. option:: -S key
This option creates a new key which is an explicit successor to an existing key.
The name, algorithm, size, and type of the key are set to match
the existing key. The activation date of the new key is set to
the inactivation date of the existing one. The publication date is
set to the activation date minus the prepublication interval,
which defaults to 30 days.
.. option:: -s strength
This option specifies the strength value of the key. The strength is a number
between 0 and 15, and currently has no defined purpose in DNSSEC.
.. option:: -T rrtype
This option specifies the resource record type to use for the key. ``rrtype``
must be either DNSKEY or KEY. The default is DNSKEY when using a
DNSSEC algorithm, but it can be overridden to KEY for use with
SIG(0).
.. option:: -t type
This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type``
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate data, and
CONF to the ability to encrypt data.
.. option:: -V
This option prints version information.
.. option:: -v level
This option sets the debugging level.
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
(which is the format used inside key files),
or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
or UNIX epoch time (as printed by ``dnssec-settime -up``),
or the literal ``now``.
The argument can be followed by ``+`` or ``-`` and an offset from the
given time. The literal ``now`` can be omitted before an offset. The
offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
``d``, ``h``, or ``mi``, so that it is computed in years (defined as
365 24-hour days, ignoring leap years), months (defined as 30 24-hour
days), weeks, days, hours, or minutes, respectively. Without a suffix,
the offset is computed in seconds.
To unset a date, use ``none``, ``never``, or ``unset``.
.. option:: -P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
to sign it. If not set, and if the :option:`-G` option has not been used, the
default is the current date.
.. program:: dnssec-keygen -P
.. option:: sync date/offset
This option sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
.. program:: dnssec-keygen
.. option:: -A date/offset
This option sets the date on which the key is to be activated. After that date,
the key is included in the zone and used to sign it. If not set,
and if the :option:`-G` option has not been used, the default is the current date. If set,
and :option:`-P` is not set, the publication date is set to the
activation date minus the prepublication interval.
.. option:: -R date/offset
This option sets the date on which the key is to be revoked. After that date, the
key is flagged as revoked. It is included in the zone and
is used to sign it.
.. option:: -I date/offset
This option sets the date on which the key is to be retired. After that date, the
key is still included in the zone, but it is not used to
sign it.
.. option:: -D date/offset
This option sets the date on which the key is to be deleted. After that date, the
key is no longer included in the zone. (However, it may remain in the key
repository.)
.. program:: dnssec-keygen -D
.. option:: sync date/offset
This option sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
.. program:: dnssec-keygen
.. option:: -i interval
This option sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date is not, the publication date defaults to this much time
before the activation date; conversely, if the publication date is
specified but not the activation date, activation is set to
this much time after publication.
If the key is being created as an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Generated Keys
~~~~~~~~~~~~~~
When :program:`dnssec-keygen` completes successfully, it prints a string of the
form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
identification string for the key it has generated.
- ``nnnn`` is the key name.
- ``aaa`` is the numeric representation of the algorithm.
- ``iiiii`` is the key identifier (or footprint).
:program:`dnssec-keygen` creates two files, with names based on the printed
string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
``Knnnn.+aaa+iiiii.private`` contains the private key.
The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
signed by :iscman:`named` or :option:`dnssec-signzone -S`, DNSKEY records are
included automatically. In other cases, the ``.key`` file can be
inserted into a zone file manually or with an ``$INCLUDE`` statement.
The ``.private`` file contains algorithm-specific fields. For obvious
security reasons, this file does not have general read permission.
Example
~~~~~~~
To generate an ECDSAP256SHA256 zone-signing key for the zone
``example.com``, issue the command:
``dnssec-keygen -a ECDSAP256SHA256 example.com``
The command prints a string of the form:
``Kexample.com.+013+26160``
In this example, :program:`dnssec-keygen` creates the files
``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
To generate a matching key-signing key, issue the command:
``dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com``
See Also
~~~~~~~~
:iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
:rfc:`2845`, :rfc:`4034`.
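Review bot: the `-d bits` entry names an algorithm "NSEC3RSASA1", which is not a BIND algorithm mnemonic; it should read NSEC3RSASHA1 so that it matches the name a user actually passes to `-a`. Two wording slips in the same option list: under `-F`, "This options turns on FIPS ... if the underlying crytographic library" should be "This option turns on FIPS ... if the underlying cryptographic library", and the `-f flag` sentence "it is merely used to explicitly tell that you want to create a ZSK" reads better as "it is merely used to request that a ZSK be created".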

1483
bin/dnssec/dnssec-ksr.c Normal file

File diff suppressed because it is too large

172
bin/dnssec/dnssec-ksr.rst Normal file

@ -0,0 +1,172 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-ksr
.. program:: dnssec-ksr
.. _man_dnssec-ksr:
dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
--------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-f** file] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-o**] [**-V**] [**-v** level] {command} {zone}
Description
~~~~~~~~~~~
The :program:`dnssec-ksr` can be used to issue several commands that are needed
to generate presigned RRsets for a zone where the private key file of the Key
Signing Key (KSK) is typically offline. This requires Zone Signing Keys
(ZSKs) to be pregenerated, and the DNSKEY, CDNSKEY, and CDS RRsets to be
already signed in advance.
The latter is done by creating Key Signing Requests (KSRs) that can be imported
to the environment where the KSK is available. Once there, this program can
create Signed Key Responses (SKRs) that can be loaded by an authoritative DNS
server.
Options
~~~~~~~
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -e date/offset
This option sets the end date for which keys or SKRs need to be generated
(depending on the command).
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)
mode if the underlying crytographic library supports running in FIPS
mode.
.. option:: -f
This option sets the SKR file to be signed when issuing a ``sign`` command.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`dnssec-ksr`.
.. option:: -i date/offset
This option sets the start date for which keys or SKRs need to be generated
(depending on the command).
.. option:: -K directory
This option sets the directory in which the key files are to be read or
written (depending on the command).
.. option:: -k policy
This option sets the specific ``dnssec-policy`` for which keys need to
be generated, or signed.
.. option:: -l file
This option provides a configuration file that contains a ``dnssec-policy``
statement (matching the policy set with :option:`-k`).
.. option:: -o
Normally when pregenerating keys, ZSKs are created. When this option is
set, create KSKs instead.
.. option:: -V
This option prints version information.
.. option:: -v level
This option sets the debugging level. Level 1 is intended to be usefully
verbose for general users; higher levels are intended for developers.
``command``
The KSR command to be executed. See below for the available commands.
``zone``
The name of the zone for which the KSR command is being executed.
Commands
~~~~~~~~
.. option:: keygen
Pregenerate a number of keys, given a DNSSEC policy and an interval. The
number of generated keys depends on the interval and the key lifetime.
.. option:: request
Create a Key Signing Request (KSR), given a DNSSEC policy and an interval.
This will generate a file with a number of key bundles, where each bundle
contains the currently published ZSKs (according to the timing metadata).
.. option:: sign
Sign a Key Signing Request (KSR), given a DNSSEC policy and an interval,
creating a Signed Key Response (SKR). This will add the corresponding DNSKEY,
CDS, and CDNSKEY records for the KSK that is being used for signing.
Exit Status
~~~~~~~~~~~
The :program:`dnssec-ksr` command exits 0 on success, or non-zero if an error
occurred.
Examples
~~~~~~~~
When you need to generate ZSKs for the zone "example.com" for the next year,
given a ``dnssec-policy`` named "mypolicy":
::
dnssec-ksr -i now -e +1y -k mypolicy -l named.conf keygen example.com
Creating a KSR for the same zone and period can be done with:
::
dnssec-ksr -i now -e +1y -k mypolicy -l named.conf request example.com > ksr.txt
Typically you would now transfer the KSR to the system that has access to
the KSK.
Signing the KSR created above can be done with:
::
dnssec-ksr -i now -e +1y -k kskpolicy -l named.conf -f ksr.txt sign example.com
Make sure that the DNSSEC parameters in ``kskpolicy`` match those
in ``mypolicy``.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`,
:iscman:`dnssec-signzone(8) <dnssec-signzone>`,
BIND 9 Administrator Reference Manual.
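Review bot: the directive `.. option:: -f` has no operand, while the synopsis shows `[**-f** file]`; write it as `.. option:: -f file` so the rendered option list and the cross-reference target agree with the synopsis. The same entry says `-f` "sets the SKR file to be signed when issuing a ``sign`` command", but per the `sign` command description the input is a Key Signing Request and the output is the SKR, and the example `-f ksr.txt sign example.com` confirms that; say "sets the KSR file to be signed". The `-F` paragraph repeats the "This options turns on" / "crytographic" typos seen in dnssec-keygen.rst, and the Description opens with "The :program:`dnssec-ksr` can be used", which is missing a noun ("The :program:`dnssec-ksr` command can be used").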

261
bin/dnssec/dnssec-revoke.c Normal file

@ -0,0 +1,261 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-revoke";
static isc_mem_t *mctx = NULL;
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
fprintf(stderr, " -r: remove old keyfiles after "
"creating revoked version\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp;
int ch;
dst_key_t *key = NULL;
uint32_t flags;
isc_buffer_t buf;
bool force = false;
bool removefile = false;
bool id = false;
if (argc == 1) {
usage();
}
isc_mem_create(&mctx);
isc_commandline_errprint = false;
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = true;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
dir = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'r':
removefile = true;
break;
case 'R':
id = true;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'V':
/* Does not return. */
version(program);
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
{
fatal("The key file name was not specified");
}
if (argc > isc_commandline_index + 1) {
fatal("Extraneous arguments");
}
if (dir != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&dir, &filename);
if (result != ISC_R_SUCCESS) {
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
}
if (strcmp(dir, ".") == 0) {
isc_mem_free(mctx, dir);
dir = NULL;
}
}
result = dst_lib_init(mctx, engine);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
}
result = dst_key_fromnamedfile(
filename, dir, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &key);
if (result != ISC_R_SUCCESS) {
fatal("Invalid keyfile name %s: %s", filename,
isc_result_totext(result));
}
if (id) {
fprintf(stdout, "%u\n", dst_key_rid(key));
goto cleanup;
}
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2) {
fprintf(stderr, "%s: %s\n", program, keystr);
}
if (force) {
set_keyversion(key);
} else {
check_keyversion(key, keystr);
}
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
isc_stdtime_t now = isc_stdtime_now();
if ((flags & DNS_KEYFLAG_KSK) == 0) {
fprintf(stderr,
"%s: warning: Key is not flagged "
"as a KSK. Revoking a ZSK is "
"legal, but undefined.\n",
program);
}
dst_key_settime(key, DST_TIME_REVOKE, now);
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(newname, F_OK) == 0 && !force) {
fatal("Key file %s already exists; "
"use -f to force overwrite",
newname);
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
dir);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
isc_buffer_clear(&buf);
dst_key_buildfilename(key, 0, dir, &buf);
printf("%s\n", newname);
/*
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
if (removefile) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (strcmp(oldname, newname) == 0) {
goto cleanup;
}
(void)unlink(oldname);
isc_buffer_clear(&buf);
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
(void)unlink(oldname);
}
} else {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Key %s is already revoked", keystr);
}
cleanup:
dst_key_free(&key);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
if (dir != NULL) {
isc_mem_free(mctx, dir);
}
isc_mem_destroy(&mctx);
return 0;
}
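Review bot: usage() never lists `-R`, although the option string "E:fK:rRhv:V" accepts it and `case 'R'` sets `id`, after which main() prints `dst_key_rid(key)` and exits; add a line such as `fprintf(stderr, " -R: print the key tag the key will have once revoked, without revoking it\n");` beside the `-r` line. The four `dst_key_buildfilename()` calls discard their result, unlike dnssec-settime.c in this same series, which checks each one and calls fatal(); `newname` and `oldname` are plain stack buffers, so a failed build goes unnoticed and whatever the partial build left is then handed to `access()`, `printf()` and `unlink()`. Also, the same-name guard before the unlink compares `oldname` (built with DST_TYPE_PRIVATE) against `newname`, which was last rebuilt with type 0 for the printed line; if the type-0 form carries no `.private` suffix the `strcmp` can never return 0, so build both names with the same type before comparing.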


@ -0,0 +1,78 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-revoke
.. program:: dnssec-revoke
.. _man_dnssec-revoke:
dnssec-revoke - set the REVOKED bit on a DNSSEC key
---------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
Description
~~~~~~~~~~~
:program:`dnssec-revoke` reads a DNSSEC key file, sets the REVOKED bit on the
key as defined in :rfc:`5011`, and creates a new pair of key files
containing the now-revoked key.
Options
~~~~~~~
.. option:: -h
This option emits a usage message and exits.
.. option:: -K directory
This option sets the directory in which the key files are to reside.
.. option:: -r
This option indicates to remove the original keyset files after writing the new keyset files.
.. option:: -v level
This option sets the debugging level.
.. option:: -V
This option prints version information.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f
This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair,
even if a file already exists matching the algorithm and key ID of
the revoked key.
.. option:: -R
This option prints the key tag of the key with the REVOKE bit set, but does not
revoke the key.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, BIND 9 Administrator Reference Manual, :rfc:`5011`.
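Review bot: the `-f` entry documents only the overwrite behaviour, but in dnssec-revoke.c the same flag also selects `set_keyversion(key)` instead of `check_keyversion(key, keystr)`, i.e. it forces conversion of an old-style key file without timing metadata (the dnssec-settime usage text in this series calls the same thing "force update of old-style keys"); document that second effect here, otherwise the legacy-key case has no documented way through. Smaller points: the synopsis groups two unrelated flags as `[**-hr**]` and lists options in a different order from the Options section, and "This option indicates to remove the original keyset files after writing the new keyset files" is awkward; "This option removes the original key files after the new, revoked key files have been written" is plainer. The page also does not mention that revoking a key without the KSK flag is accepted with a warning on stderr, which the code does.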

964
bin/dnssec/dnssec-settime.c Normal file

@ -0,0 +1,964 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-settime";
static isc_mem_t *mctx = NULL;
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
fprintf(stderr, " -L ttl: set default key TTL\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P ds date/[+-]offset/none: set/unset "
"DS publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
"revocation date\n");
fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D ds date/[+-]offset/none: set/unset "
"DS deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
fprintf(stderr, " -S <key>: generate a successor to an existing "
"key\n");
fprintf(stderr, " -i <interval>: prepublication interval for "
"successor key "
"(default: 30 days)\n");
fprintf(stderr, "Key state options:\n");
fprintf(stderr, " -s: update key state file (default no)\n");
fprintf(stderr, " -g state: set the goal state for this key\n");
fprintf(stderr, " -d state date/[+-]offset: set the DS state\n");
fprintf(stderr, " -k state date/[+-]offset: set the DNSKEY state\n");
fprintf(stderr, " -r state date/[+-]offset: set the RRSIG (KSK) "
"state\n");
fprintf(stderr, " -z state date/[+-]offset: set the RRSIG (ZSK) "
"state\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a "
"particular time value or values\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit(EXIT_FAILURE);
}
static void
printtime(dst_key_t *key, int type, const char *tag, bool epoch, FILE *stream) {
isc_result_t result;
isc_stdtime_t when;
if (tag != NULL) {
fprintf(stream, "%s: ", tag);
}
result = dst_key_gettime(key, type, &when);
if (result == ISC_R_NOTFOUND) {
fprintf(stream, "UNSET\n");
} else if (epoch) {
fprintf(stream, "%d\n", (int)when);
} else {
time_t now = when;
struct tm t, *tm = localtime_r(&now, &t);
unsigned int flen;
char timebuf[80];
if (tm == NULL) {
fprintf(stream, "INVALID\n");
return;
}
flen = strftime(timebuf, sizeof(timebuf),
"%a %b %e %H:%M:%S %Y", tm);
INSIST(flen > 0U && flen < sizeof(timebuf));
fprintf(stream, "%s\n", timebuf);
}
}
static void
writekey(dst_key_t *key, const char *directory, bool write_state) {
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
isc_buffer_t buf;
isc_result_t result;
int options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE;
if (write_state) {
options |= DST_TYPE_STATE;
}
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, options, directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
if (write_state) {
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_STATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build key state filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
}
}
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
const char *filename = NULL;
char *directory = NULL;
char keystr[DST_KEY_FORMATSIZE];
char *endp, *p;
int ch;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
dst_key_t *key = NULL;
dns_name_t *name = NULL;
dns_secalg_t alg = 0;
unsigned int size = 0;
uint16_t flags = 0;
int prepub = -1;
int options;
dns_ttl_t ttl = 0;
isc_stdtime_t dstime = 0, dnskeytime = 0;
isc_stdtime_t krrsigtime = 0, zrrsigtime = 0;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
dst_key_state_t goal = DST_KEY_STATE_NA;
dst_key_state_t ds = DST_KEY_STATE_NA;
dst_key_state_t dnskey = DST_KEY_STATE_NA;
dst_key_state_t krrsig = DST_KEY_STATE_NA;
dst_key_state_t zrrsig = DST_KEY_STATE_NA;
bool setgoal = false, setds = false, setdnskey = false;
bool setkrrsig = false, setzrrsig = false;
bool setdstime = false, setdnskeytime = false;
bool setkrrsigtime = false, setzrrsigtime = false;
bool setpub = false, setact = false;
bool setrev = false, setinact = false;
bool setdel = false, setttl = false;
bool unsetpub = false, unsetact = false;
bool unsetrev = false, unsetinact = false;
bool unsetdel = false;
bool printcreate = false, printpub = false;
bool printact = false, printrev = false;
bool printinact = false, printdel = false;
bool force = false;
bool epoch = false;
bool changed = false;
bool write_state = false;
isc_log_t *log = NULL;
isc_stdtime_t syncadd = 0, syncdel = 0;
bool unsetsyncadd = false, setsyncadd = false;
bool unsetsyncdel = false, setsyncdel = false;
bool printsyncadd = false, printsyncdel = false;
isc_stdtime_t dsadd = 0, dsdel = 0;
bool unsetdsadd = false, setdsadd = false;
bool unsetdsdel = false, setdsdel = false;
bool printdsadd = false, printdsdel = false;
isc_stdtime_t now = isc_stdtime_now();
options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE;
if (argc == 1) {
usage();
}
isc_mem_create(&mctx);
setup_logging(mctx, &log);
isc_commandline_errprint = false;
#define CMDLINE_FLAGS "A:D:d:E:fg:hI:i:K:k:L:P:p:R:r:S:suv:Vz:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'A':
if (setact || unsetact) {
fatal("-A specified more than once");
}
changed = true;
act = strtotime(isc_commandline_argument, now, now,
&setact);
unsetact = !setact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel) {
fatal("-D sync specified more than "
"once");
}
changed = true;
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Dds ? */
if (isoptarg("ds", argv, usage)) {
if (unsetdsdel || setdsdel) {
fatal("-D ds specified more than once");
}
changed = true;
dsdel = strtotime(isc_commandline_argument, now,
now, &setdsdel);
unsetdsdel = !setdsdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel) {
fatal("-D specified more than once");
}
changed = true;
del = strtotime(isc_commandline_argument, now, now,
&setdel);
unsetdel = !setdel;
break;
case 'd':
if (setds) {
fatal("-d specified more than once");
}
ds = strtokeystate(isc_commandline_argument);
setds = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
dstime = strtotime(isc_commandline_argument, now, now,
&setdstime);
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = true;
break;
case 'g':
if (setgoal) {
fatal("-g specified more than once");
}
goal = strtokeystate(isc_commandline_argument);
if (goal != DST_KEY_STATE_NA &&
goal != DST_KEY_STATE_HIDDEN &&
goal != DST_KEY_STATE_OMNIPRESENT)
{
fatal("-g must be either none, hidden, or "
"omnipresent");
}
setgoal = true;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'I':
if (setinact || unsetinact) {
fatal("-I specified more than once");
}
changed = true;
inact = strtotime(isc_commandline_argument, now, now,
&setinact);
unsetinact = !setinact;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
break;
case 'k':
if (setdnskey) {
fatal("-k specified more than once");
}
dnskey = strtokeystate(isc_commandline_argument);
setdnskey = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
dnskeytime = strtotime(isc_commandline_argument, now,
now, &setdnskeytime);
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd) {
fatal("-P sync specified more than "
"once");
}
changed = true;
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
/* -Pds ? */
if (isoptarg("ds", argv, usage)) {
if (unsetdsadd || setdsadd) {
fatal("-P ds specified more than once");
}
changed = true;
dsadd = strtotime(isc_commandline_argument, now,
now, &setdsadd);
unsetdsadd = !setdsadd;
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub) {
fatal("-P specified more than once");
}
changed = true;
pub = strtotime(isc_commandline_argument, now, now,
&setpub);
unsetpub = !setpub;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = true;
printpub = true;
printact = true;
printrev = true;
printinact = true;
printdel = true;
printsyncadd = true;
printsyncdel = true;
printdsadd = true;
printdsdel = true;
break;
}
do {
switch (*p++) {
case 'A':
printact = true;
break;
case 'C':
printcreate = true;
break;
case 'D':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncdel = true;
break;
}
if (!strncmp(p, "ds", 2)) {
p += 2;
printdsdel = true;
break;
}
printdel = true;
break;
case 'I':
printinact = true;
break;
case 'P':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncadd = true;
break;
}
if (!strncmp(p, "ds", 2)) {
p += 2;
printdsadd = true;
break;
}
printpub = true;
break;
case 'R':
printrev = true;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'R':
if (setrev || unsetrev) {
fatal("-R specified more than once");
}
changed = true;
rev = strtotime(isc_commandline_argument, now, now,
&setrev);
unsetrev = !setrev;
break;
case 'r':
if (setkrrsig) {
fatal("-r specified more than once");
}
krrsig = strtokeystate(isc_commandline_argument);
setkrrsig = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
krrsigtime = strtotime(isc_commandline_argument, now,
now, &setkrrsigtime);
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 's':
write_state = true;
break;
case 'u':
epoch = true;
break;
case 'V':
/* Does not return. */
version(program);
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case 'z':
if (setzrrsig) {
fatal("-z specified more than once");
}
zrrsig = strtokeystate(isc_commandline_argument);
setzrrsig = true;
(void)isoptarg(isc_commandline_argument, argv, usage);
zrrsigtime = strtotime(isc_commandline_argument, now,
now, &setzrrsigtime);
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
{
fatal("The key file name was not specified");
}
if (argc > isc_commandline_index + 1) {
fatal("Extraneous arguments");
}
if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) &&
!write_state)
{
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
result = dst_lib_init(mctx, engine);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
}
if (predecessor != NULL) {
int major, minor;
if (prepub == -1) {
prepub = (30 * 86400);
}
if (setpub || unsetpub) {
fatal("-S and -P cannot be used together");
}
if (setact || unsetact) {
fatal("-S and -A cannot be used together");
}
result = dst_key_fromnamedfile(predecessor, directory, options,
mctx, &prevkey);
if (result != ISC_R_SUCCESS) {
fatal("Invalid keyfile %s: %s", filename,
isc_result_totext(result));
}
if (!dst_key_isprivate(prevkey) && !dst_key_isexternal(prevkey))
{
fatal("%s is not a private key", filename);
}
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
size = dst_key_size(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
fatal("Predecessor has incompatible format "
"version %d.%d\n\t",
major, minor);
}
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
if (result != ISC_R_SUCCESS) {
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
}
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
&previnact);
if (result != ISC_R_SUCCESS) {
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
}
pub = previnact - prepub;
act = previnact;
if ((previnact - prepub) < now && prepub != 0) {
fatal("Time until predecessor inactivation is\n\t"
"shorter than the prepublication interval. "
"Either change\n\t"
"predecessor inactivation date, or use the -i "
"option to set\n\t"
"a shorter prepublication interval.");
}
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
if (result != ISC_R_SUCCESS) {
fprintf(stderr,
"%s: warning: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
} else if (prevdel < previnact) {
fprintf(stderr,
"%s: warning: Predecessor is "
"scheduled to be deleted\n\t"
"before it is scheduled to be "
"inactive.\n",
program);
}
changed = setpub = setact = true;
} else {
if (prepub < 0) {
prepub = 0;
}
if (prepub > 0) {
if (setpub && setact && (act - prepub) < pub) {
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
}
if (setpub && !setact) {
setact = true;
act = pub + prepub;
} else if (setact && !setpub) {
setpub = true;
pub = act - prepub;
}
if ((act - prepub) < now) {
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
}
}
if (directory != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&directory, &filename);
if (result != ISC_R_SUCCESS) {
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
}
}
result = dst_key_fromnamedfile(filename, directory, options, mctx,
&key);
if (result != ISC_R_SUCCESS) {
fatal("Invalid keyfile %s: %s", filename,
isc_result_totext(result));
}
if (!dst_key_isprivate(key) && !dst_key_isexternal(key)) {
fatal("%s is not a private key", filename);
}
dst_key_format(key, keystr, sizeof(keystr));
if (predecessor != NULL) {
if (!dns_name_equal(name, dst_key_name(key))) {
fatal("Key name mismatch");
}
if (alg != dst_key_alg(key)) {
fatal("Key algorithm mismatch");
}
if (size != dst_key_size(key)) {
fatal("Key size mismatch");
}
if (flags != dst_key_flags(key)) {
fatal("Key flags mismatch");
}
}
prevdel = previnact = 0;
if ((setdel && setinact && del < inact) ||
(dst_key_gettime(key, DST_TIME_INACTIVE, &previnact) ==
ISC_R_SUCCESS &&
setdel && !setinact && !unsetinact && del < previnact) ||
(dst_key_gettime(key, DST_TIME_DELETE, &prevdel) == ISC_R_SUCCESS &&
setinact && !setdel && !unsetdel && prevdel < inact) ||
(!setdel && !unsetdel && !setinact && !unsetinact && prevdel != 0 &&
prevdel < previnact))
{
fprintf(stderr,
"%s: warning: Key is scheduled to "
"be deleted before it is\n\t"
"scheduled to be inactive.\n",
program);
}
if (force) {
set_keyversion(key);
} else {
check_keyversion(key, keystr);
}
if (verbose > 2) {
fprintf(stderr, "%s: %s\n", program, keystr);
}
/*
* Set time values.
*/
if (setpub) {
dst_key_settime(key, DST_TIME_PUBLISH, pub);
} else if (unsetpub) {
dst_key_unsettime(key, DST_TIME_PUBLISH);
}
if (setact) {
dst_key_settime(key, DST_TIME_ACTIVATE, act);
} else if (unsetact) {
dst_key_unsettime(key, DST_TIME_ACTIVATE);
}
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
fprintf(stderr,
"%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
program, keystr);
}
if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0) {
fprintf(stderr,
"%s: warning: Key %s is not flagged as "
"a KSK, but -R was used. Revoking a "
"ZSK is legal, but undefined.\n",
program, keystr);
}
dst_key_settime(key, DST_TIME_REVOKE, rev);
} else if (unsetrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
fprintf(stderr,
"%s: warning: Key %s is already "
"revoked; removing the revocation date "
"will not affect this.\n",
program, keystr);
}
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setinact) {
dst_key_settime(key, DST_TIME_INACTIVE, inact);
} else if (unsetinact) {
dst_key_unsettime(key, DST_TIME_INACTIVE);
}
if (setdel) {
dst_key_settime(key, DST_TIME_DELETE, del);
} else if (unsetdel) {
dst_key_unsettime(key, DST_TIME_DELETE);
}
if (setsyncadd) {
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
} else if (unsetsyncadd) {
dst_key_unsettime(key, DST_TIME_SYNCPUBLISH);
}
if (setsyncdel) {
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
} else if (unsetsyncdel) {
dst_key_unsettime(key, DST_TIME_SYNCDELETE);
}
if (setdsadd) {
dst_key_settime(key, DST_TIME_DSPUBLISH, dsadd);
} else if (unsetdsadd) {
dst_key_unsettime(key, DST_TIME_DSPUBLISH);
}
if (setdsdel) {
dst_key_settime(key, DST_TIME_DSDELETE, dsdel);
} else if (unsetdsdel) {
dst_key_unsettime(key, DST_TIME_DSDELETE);
}
if (setttl) {
dst_key_setttl(key, ttl);
}
if (predecessor != NULL && prevkey != NULL) {
dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
}
/*
* No metadata changes were made but we're forcing an upgrade
* to the new format anyway: use "-P now -A now" as the default
*/
if (force && !changed) {
dst_key_settime(key, DST_TIME_PUBLISH, now);
dst_key_settime(key, DST_TIME_ACTIVATE, now);
changed = true;
}
/*
* Make sure the key state goals are written.
*/
if (write_state) {
if (setgoal) {
if (goal == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_GOAL);
} else {
dst_key_setstate(key, DST_KEY_GOAL, goal);
}
changed = true;
}
if (setds) {
if (ds == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_DS);
dst_key_unsettime(key, DST_TIME_DS);
} else {
dst_key_setstate(key, DST_KEY_DS, ds);
dst_key_settime(key, DST_TIME_DS, dstime);
}
changed = true;
}
if (setdnskey) {
if (dnskey == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_DNSKEY);
dst_key_unsettime(key, DST_TIME_DNSKEY);
} else {
dst_key_setstate(key, DST_KEY_DNSKEY, dnskey);
dst_key_settime(key, DST_TIME_DNSKEY,
dnskeytime);
}
changed = true;
}
if (setkrrsig) {
if (krrsig == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_KRRSIG);
dst_key_unsettime(key, DST_TIME_KRRSIG);
} else {
dst_key_setstate(key, DST_KEY_KRRSIG, krrsig);
dst_key_settime(key, DST_TIME_KRRSIG,
krrsigtime);
}
changed = true;
}
if (setzrrsig) {
if (zrrsig == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_ZRRSIG);
dst_key_unsettime(key, DST_TIME_ZRRSIG);
} else {
dst_key_setstate(key, DST_KEY_ZRRSIG, zrrsig);
dst_key_settime(key, DST_TIME_ZRRSIG,
zrrsigtime);
}
changed = true;
}
}
if (!changed && setttl) {
changed = true;
}
/*
* Print out time values, if -p was used.
*/
if (printcreate) {
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
}
if (printpub) {
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
}
if (printact) {
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
}
if (printrev) {
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
}
if (printinact) {
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
}
if (printdel) {
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
}
if (printsyncadd) {
printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish", epoch,
stdout);
}
if (printsyncdel) {
printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete", epoch,
stdout);
}
if (printdsadd) {
printtime(key, DST_TIME_DSPUBLISH, "DS Publish", epoch, stdout);
}
if (printdsdel) {
printtime(key, DST_TIME_DSDELETE, "DS Delete", epoch, stdout);
}
if (changed) {
writekey(key, directory, write_state);
if (predecessor != NULL && prevkey != NULL) {
writekey(prevkey, directory, write_state);
}
}
if (prevkey != NULL) {
dst_key_free(&prevkey);
}
dst_key_free(&key);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
cleanup_logging(&log);
isc_mem_free(mctx, directory);
isc_mem_destroy(&mctx);
return 0;
}
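Review bot: the two fatal() calls in the predecessor block (`fatal("Invalid keyfile %s: %s", filename, isc_result_totext(result));` and `fatal("%s is not a private key", filename);`) report `filename`, but `filename` is only assigned from `argv[isc_commandline_index]` in the later `if (directory != NULL)` block, so a bad `-S` argument produces a message that names the wrong file (or whatever `filename` was initialized to) instead of the predecessor key that actually failed to load. Both messages should print `predecessor`, e.g. `fatal("Invalid keyfile %s: %s", predecessor, isc_result_totext(result));`.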


@ -0,0 +1,271 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-settime
.. program:: dnssec-settime
.. _man_dnssec-settime:
dnssec-settime: set the key timing metadata for a DNSSEC key
------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
Description
~~~~~~~~~~~
:program:`dnssec-settime` reads a DNSSEC private key file and sets the key
timing metadata as specified by the :option:`-P`, :option:`-A`, :option:`-R`,
:option:`-I`, and :option:`-D` options. The metadata can then be used by
:iscman:`dnssec-signzone` or other signing software to determine when a key is
to be published, whether it should be used for signing a zone, etc.
If none of these options is set on the command line,
:program:`dnssec-settime` simply prints the key timing metadata already stored
in the key.
When key metadata fields are changed, both files of a key pair
(``Knnnn.+aaa+iiiii.key`` and ``Knnnn.+aaa+iiiii.private``) are
regenerated.
Metadata fields are stored in the private file. A
human-readable description of the metadata is also placed in comments in
the key file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
When working with state files, it is possible to update the timing metadata in
those files as well with :option:`-s`. With this option, it is also possible
to update key states with :option:`-d` (DS), :option:`-k` (DNSKEY), :option:`-r`
(RRSIG of KSK), or :option:`-z` (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
The goal state of the key can also be set with :option:`-g`. This should be either
HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
zone or published.
It is NOT RECOMMENDED to manipulate state files manually, except for testing
purposes.
Options
~~~~~~~
.. option:: -f
This option forces an update of an old-format key with no metadata fields. Without
this option, :program:`dnssec-settime` fails when attempting to update a
legacy key. With this option, the key is recreated in the new
format, but with the original key data retained. The key's creation
date is set to the present time. If no other values are
specified, then the key's publication and activation dates are also
set to the present time.
.. option:: -K directory
This option sets the directory in which the key files are to reside.
.. option:: -L ttl
This option sets the default TTL to use for this key when it is converted into a
DNSKEY RR. This is the TTL used when the key is imported into a zone,
unless there was already a DNSKEY RRset in
place, in which case the existing TTL takes precedence. If this
value is not set and there is no existing DNSKEY RRset, the TTL
defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
removes it from the key.
.. option:: -h
This option emits a usage message and exits.
.. option:: -V
This option prints version information.
.. option:: -v level
This option sets the debugging level.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
(which is the format used inside key files),
or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
or UNIX epoch time (as printed by ``dnssec-settime -up``),
or the literal ``now``.
The argument can be followed by ``+`` or ``-`` and an offset from the
given time. The literal ``now`` can be omitted before an offset. The
offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
``d``, ``h``, or ``mi``, so that it is computed in years (defined as
365 24-hour days, ignoring leap years), months (defined as 30 24-hour
days), weeks, days, hours, or minutes, respectively. Without a suffix,
the offset is computed in seconds.
To unset a date, use ``none``, ``never``, or ``unset``.
All these formats are case-insensitive.
.. option:: -P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
to sign it.
.. program:: dnssec-settime -P
.. option:: ds date/offset
This option sets the date on which DS records that match this key have been
seen in the parent zone.
.. option:: sync date/offset
This option sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
.. program:: dnssec-settime
.. option:: -A date/offset
This option sets the date on which the key is to be activated. After that date,
the key is included in the zone and used to sign it.
.. option:: -R date/offset
This option sets the date on which the key is to be revoked. After that date, the
key is flagged as revoked. It is included in the zone and
is used to sign it.
.. option:: -I date/offset
This option sets the date on which the key is to be retired. After that date, the
key is still included in the zone, but it is not used to
sign it.
.. option:: -D date/offset
This option sets the date on which the key is to be deleted. After that date, the
key is no longer included in the zone. (However, it may remain in the key
repository.)
.. program:: dnssec-settime -D
.. option:: ds date/offset
This option sets the date on which the DS records that match this key have
been seen removed from the parent zone.
.. option:: sync date/offset
This option sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
.. program:: dnssec-settime
.. option:: -S predecessor key
This option selects a key for which the key being modified is an explicit
successor. The name, algorithm, size, and type of the predecessor key
must exactly match those of the key being modified. The activation
date of the successor key is set to the inactivation date of the
predecessor. The publication date is set to the activation date
minus the prepublication interval, which defaults to 30 days.
.. option:: -i interval
This option sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date is not, the publication date defaults to this much time
before the activation date; conversely, if the publication date is
specified but not the activation date, activation is set to
this much time after publication.
If the key is being created as an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Key State Options
~~~~~~~~~~~~~~~~~
To test dnssec-policy it may be necessary to construct keys with artificial
state information; these options are used by the testing framework for that
purpose, but should never be used in production.
Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
.. option:: -s
This option indicates that when setting key timing data, the state file should also be updated.
.. option:: -g state
This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
.. option:: -d state date/offset
This option sets the DS state for this key as of the specified date, offset from the current date.
.. option:: -k state date/offset
This option sets the DNSKEY state for this key as of the specified date, offset from the current date.
.. option:: -r state date/offset
This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date.
.. option:: -z state date/offset
This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date.
Printing Options
~~~~~~~~~~~~~~~~
:program:`dnssec-settime` can also be used to print the timing metadata
associated with a key.
.. option:: -u
This option indicates that times should be printed in Unix epoch format.
.. option:: -p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all
This option prints a specific metadata value or set of metadata values.
The :option:`-p` option may be followed by one or more of the following letters or
strings to indicate which value or values to print: ``C`` for the
creation date, ``P`` for the publication date, ``Pds` for the DS publication
date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the
activation date, ``R`` for the revocation date, ``I`` for the inactivation
date, ``D`` for the deletion date, ``Dds`` for the DS deletion date,
and ``Dsync`` for the CDS and CDNSKEY deletion date. To print all of the
metadata, use ``all``.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`5011`.
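Review bot: in the :option:`-p` description the literal ``Pds` is written with two opening backticks and one closing backtick, which breaks the reStructuredText inline literal and will render the rest of the sentence incorrectly; it should read ``Pds`` like the neighbouring ``Psync`` and ``Dds``. The Synopsis line also omits the ``-u`` and ``-p`` options even though both are documented under Printing Options.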

4179
bin/dnssec/dnssec-signzone.c Normal file

File diff suppressed because it is too large


@ -0,0 +1,459 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-signzone
.. program:: dnssec-signzone
.. _man_dnssec-signzone:
dnssec-signzone - DNSSEC zone signing tool
------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
:program:`dnssec-signzone` signs a zone; it generates NSEC and RRSIG records
and produces a signed version of the zone. The security status of
delegations from the signed zone (that is, whether the child zones are
secure) is determined by the presence or absence of a ``keyset``
file for each child zone.
Options
~~~~~~~
.. option:: -a
This option verifies all generated signatures.
.. option:: -c class
This option specifies the DNS class of the zone.
.. option:: -C
This option sets compatibility mode, in which a ``keyset-zonename`` file is generated in addition
to ``dsset-zonename`` when signing a zone, for use by older versions
of :program:`dnssec-signzone`.
.. option:: -d directory
This option indicates the directory where BIND 9 should look for ``dsset-`` or ``keyset-`` files.
.. option:: -D
This option indicates that only those record types automatically managed by
:program:`dnssec-signzone`, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output.
If smart signing (:option:`-S`) is used, DNSKEY records are also included.
The resulting file can be included in the original zone file with
``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>`
or serial-number updating.
.. option:: -E engine
This option specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)
mode if the underlying crytographic library supports running in FIPS
mode.
.. option:: -g
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
file. Existing DS records are removed.
.. option:: -G sync-records
This option indicates which CDS and CDNSKEY records should be generated. ``sync-records`` is a
comma-separated string with the following allowed items: ``cdnskey``, and ``cds:<digest-type>``,
where ``digest-type`` is an allowed algorithm such as SHA-256 (2), or SHA-384 (4).
Only works in combination with smart signing (``-S``).
.. option:: -J filename
This option tells :program:`dnssec-signzone` to read the journal from the given file
when loading the zone file.
.. option:: -K directory
This option specifies the directory to search for DNSSEC keys. If not
specified, it defaults to the current directory.
.. option:: -k key
This option tells BIND 9 to treat the specified key as a key-signing key, ignoring any key flags. This
option may be specified multiple times.
.. option:: -M maxttl
This option sets the maximum TTL for the signed zone. Any TTL higher than ``maxttl``
in the input zone is reduced to ``maxttl`` in the output. This
provides certainty as to the largest possible TTL in the signed zone,
which is useful to know when rolling keys. The maxttl is the longest
possible time before signatures that have been retrieved by resolvers
expire from resolver caches. Zones that are signed with this
option should be configured to use a matching ``max-zone-ttl`` in
:iscman:`named.conf`. (Note: This option is incompatible with :option:`-D`,
because it modifies non-DNSSEC data in the output zone.)
.. option:: -s start-time
This option specifies the date and time when the generated RRSIG records become
valid. This can be either an absolute or relative time. An absolute
start time is indicated by a number in YYYYMMDDHHMMSS notation;
20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
start time is indicated by ``+N``, which is N seconds from the current
time. If no ``start-time`` is specified, the current time minus 1
hour (to allow for clock skew) is used.
.. option:: -e end-time
This option specifies the date and time when the generated RRSIG records expire. As
with ``start-time``, an absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time is indicated with ``+N``,
which is N seconds from the start time. A time relative to the
current time is indicated with ``now+N``. If no ``end-time`` is
specified, 30 days from the start time is the default.
``end-time`` must be later than ``start-time``.
.. option:: -X extended end-time
This option specifies the date and time when the generated RRSIG records for the
DNSKEY RRset expire. This is to be used in cases when the DNSKEY
signatures need to persist longer than signatures on other records;
e.g., when the private component of the KSK is kept offline and the
KSK signature is to be refreshed manually.
As with ``end-time``, an absolute time is indicated in
YYYYMMDDHHMMSS notation. A time relative to the start time is
indicated with ``+N``, which is N seconds from the start time. A time
relative to the current time is indicated with ``now+N``. If no
``extended end-time`` is specified, the value of ``end-time`` is used
as the default. (``end-time``, in turn, defaults to 30 days from the
start time.) ``extended end-time`` must be later than ``start-time``.
.. option:: -f output-file
This option indicates the name of the output file containing the signed zone. The default
is to append ``.signed`` to the input filename. If ``output-file`` is
set to ``-``, then the signed zone is written to the standard
output, with a default output format of ``full``.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`dnssec-signzone`.
.. option:: -V
This option prints version information.
.. option:: -i interval
This option indicates that, when a previously signed zone is passed as input, records may be
re-signed. The ``interval`` option specifies the cycle interval as an
offset from the current time, in seconds. If a RRSIG record expires
after the cycle interval, it is retained; otherwise, it is considered
to be expiring soon and it is replaced.
The default cycle interval is one quarter of the difference between
the signature end and start times. So if neither ``end-time`` nor
``start-time`` is specified, :program:`dnssec-signzone` generates
signatures that are valid for 30 days, with a cycle interval of 7.5
days. Therefore, if any existing RRSIG records are due to expire in
less than 7.5 days, they are replaced.
Note that the calculation of cycle interval is based upon the validity
period of the replacement signatures that would be generated by
``dnssec-signzone``, not on the valid lifetimes of the input RRSIGs being
considered for pre-expiry replacement.
.. option:: -I input-format
This option sets the format of the input zone file. Possible formats are
``text`` (the default), and ``raw``. This option is primarily
intended to be used for dynamic signed zones, so that the dumped zone
file in a non-text format containing updates can be signed directly.
This option is not useful for non-dynamic zones.
.. option:: -j jitter
When signing a zone with a fixed signature lifetime, all RRSIG
records issued at the time of signing expire simultaneously. If the
zone is incrementally signed, i.e., a previously signed zone is passed
as input to the signer, all expired signatures must be regenerated
at approximately the same time. The ``jitter`` option specifies a jitter
window that is used to randomize the signature expire time, thus
spreading incremental signature regeneration over time.
Signature lifetime jitter also, to some extent, benefits validators and
servers by spreading out cache expiration, i.e., if large numbers of
RRSIGs do not expire at the same time from all caches, there is
less congestion than if all validators need to refetch at around the
same time.
.. option:: -L serial
When writing a signed zone to "raw" format, this option sets the "source
serial" value in the header to the specified ``serial`` number. (This is
expected to be used primarily for testing purposes.)
.. option:: -n ncpus
This option specifies the number of threads to use. By default, one thread is
started for each detected CPU.
.. option:: -N soa-serial-format
This option sets the SOA serial number format of the signed zone. Possible formats are
``keep`` (the default), ``increment``, ``unixtime``, and
``date``.
**keep**
This format indicates that the SOA serial number should not be modified.
**increment**
This format increments the SOA serial number using :rfc:`1982` arithmetic.
**unixtime**
This format sets the SOA serial number to the number of seconds
since the beginning of the Unix epoch, unless the serial
number is already greater than or equal to that value, in
which case it is simply incremented by one.
**date**
This format sets the SOA serial number to today's date, in
YYYYMMDDNN format, unless the serial number is already greater
than or equal to that value, in which case it is simply
incremented by one.
.. option:: -o origin
This option sets the zone origin. If not specified, the name of the zone file is
assumed to be the origin.
.. option:: -O output-format
This option sets the format of the output file containing the signed
zone. Possible formats are ``text`` (the default), which is the standard
textual representation of the zone; ``full``, which is text output in a
format suitable for processing by external scripts; and ``raw`` and
``raw=N``, which store the zone in binary formats for rapid loading by
:iscman:`named`. ``raw=N`` specifies the format version of the raw zone file:
if N is 0, the raw file can be read by any version of :iscman:`named`; if N is
1, the file can be read by release 9.9.0 or higher. The default is 1.
.. option:: -P
This option disables post-sign verification tests.
The post-sign verification tests ensure that for each algorithm in
use there is at least one non-revoked self-signed KSK key, that all
revoked KSK keys are self-signed, and that all records in the zone
are signed by the algorithm. This option skips these tests.
.. option:: -Q
This option removes signatures from keys that are no longer active.
Normally, when a previously signed zone is passed as input to the
signer, and a DNSKEY record has been removed and replaced with a new
one, signatures from the old key that are still within their validity
period are retained. This allows the zone to continue to validate
with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
active. This enables ZSK rollover using the procedure described in
:rfc:`6781#section-4.1.1.1` ("Pre-Publish Zone Signing Key Rollover").
.. option:: -q
This option enables quiet mode, which suppresses unnecessary output. Without this option, when
:program:`dnssec-signzone` is run it prints three pieces of information to standard output: the number of
keys in use; the algorithms used to verify the zone was signed correctly and
other status information; and the filename containing the signed
zone. With the option that output is suppressed, leaving only the filename.
.. option:: -R
This option removes signatures from keys that are no longer published.
This option is similar to :option:`-Q`, except it forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
published. This enables ZSK rollover using the procedure described in
:rfc:`6781#section-4.1.1.2` ("Double Signature Zone Signing Key
Rollover").
.. option:: -S
This option enables smart signing, which instructs :program:`dnssec-signzone` to search the key
repository for keys that match the zone being signed, and to include
them in the zone if appropriate.
When a key is found, its timing metadata is examined to determine how
it should be used, according to the following rules. Each successive
rule takes priority over the prior ones:
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
If the key's publication date is set and is in the past, the key
is published in the zone.
If the key's activation date is set and is in the past, the key is
published (regardless of publication date) and used to sign the
zone.
If the key's revocation date is set and is in the past, and the key
is published, then the key is revoked, and the revoked key is used
to sign the zone.
If either the key's unpublication or deletion date is set and
in the past, the key is NOT published or used to sign the zone,
regardless of any other metadata.
If the key's sync publication date is set and is in the past,
synchronization records (type CDS and/or CDNSKEY) are created.
If the key's sync deletion date is set and is in the past,
synchronization records (type CDS and/or CDNSKEY) are removed.
.. option:: -T ttl
This option specifies a TTL to be used for new DNSKEY records imported into the
zone from the key repository. If not specified, the default is the
TTL value from the zone's SOA record. This option is ignored when
signing without :option:`-S`, since DNSKEY records are not imported from
the key repository in that case. It is also ignored if there are any
pre-existing DNSKEY records at the zone apex, in which case new
records' TTL values are set to match them, or if any of the
imported DNSKEY records had a default TTL value. In the event of a
conflict between TTL values in imported keys, the shortest one is
used.
.. option:: -t
This option prints statistics at completion.
.. option:: -u
This option updates the NSEC/NSEC3 chain when re-signing a previously signed zone.
With this option, a zone signed with NSEC can be switched to NSEC3,
or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with
different parameters. Without this option, :program:`dnssec-signzone`
retains the existing chain when re-signing.
.. option:: -v level
This option sets the debugging level.
.. option:: -x
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
and should omit signatures from zone-signing keys.
.. option:: -z
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
KSK-flagged keys to sign all records, not just the DNSKEY RRset.
.. option:: -3 salt
This option generates an NSEC3 chain with the given hex-encoded salt. A dash
(-) can be used to indicate that no salt is to be used when
generating the NSEC3 chain.
.. note::
``-3 -`` is the recommended configuration. Adding salt provides no practical benefits.
See :rfc:`9276`.
.. option:: -H iterations
This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
is 0.
.. warning::
Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks.
See :rfc:`9276`.
.. option:: -A
This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3
records and should not generate NSEC3 records for insecure delegations.
.. warning::
Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations.
See :rfc:`9276`.
.. option:: -AA
This option turns the OPTOUT flag off for
all records. This is useful when using the :option:`-u` option to modify an
NSEC3 chain which previously had OPTOUT set.
.. option:: zonefile
This option sets the file containing the zone to be signed.
.. option:: key
This option specifies which keys should be used to sign the zone. If no keys are
specified, the zone is examined for DNSKEY records at the
zone apex. If these records are found and there are matching private keys in
the current directory, they are used for signing.
Example
~~~~~~~
The following command signs the ``example.com`` zone with the
ECDSAP256SHA256 key generated by :iscman:`dnssec-keygen`
(Kexample.com.+013+17247). Because the :option:`-S` option is not being used,
the zone's keys must be in the master file (``db.example.com``). This
invocation looks for ``dsset`` files in the current directory, so that
DS records can be imported from them (:option:`-g`).
::
% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+013+17247
db.example.com.signed
%
In the above example, :program:`dnssec-signzone` creates the file
``db.example.com.signed``. This file should be referenced in a zone
statement in the :iscman:`named.conf` file.
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
::
% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`, BIND 9 Administrator Reference Manual, :rfc:`4033`,
:rfc:`6781`.
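Review bot: the smart-signing rules under `-S` are said to apply in priority order ("Each successive rule takes priority over the prior ones"), yet the seven rules that follow are rendered as plain paragraphs with no numbering, so the precedence the sentence relies on is invisible to the reader. An enumerated list (`1.` through `7.`) would make it explicit that, for example, an unpublication or deletion date in the past overrides a past activation date. Minor: the `zonefile` and `key` entries are positional arguments, not options, so "This argument ..." would be more accurate than "This option ...".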

bin/dnssec/dnssec-verify.c Normal file
@ -0,0 +1,346 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
#include <isc/attributes.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/random.h>
#include <isc/result.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/soa.h>
#include <dns/time.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-verify";
static isc_stdtime_t now;
static isc_mem_t *mctx = NULL;
static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_db_t *gdb = NULL; /* The database */
static dns_dbversion_t *gversion = NULL; /* The database version */
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin = NULL; /* The database origin */
static bool ignore_kskflag = false;
static bool keyset_kskonly = false;
static void
report(const char *format, ...) {
if (!quiet) {
char buf[4096];
va_list args;
va_start(args, format);
vsnprintf(buf, sizeof(buf), format, args);
va_end(args);
fprintf(stdout, "%s\n", buf);
}
}
/*%
* Load the zone file from disk
*/
static void
loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
isc_buffer_t b;
int len;
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result;
len = strlen(origin);
isc_buffer_init(&b, origin, len);
isc_buffer_add(&b, len);
name = dns_fixedname_initname(&fname);
result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
fatal("failed converting name '%s' to dns format: %s", origin,
isc_result_totext(result));
}
result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
rdclass, 0, NULL, db);
check_result(result, "dns_db_create()");
result = dns_db_load(*db, file, inputformat, 0);
switch (result) {
case DNS_R_SEENINCLUDE:
case ISC_R_SUCCESS:
break;
case DNS_R_NOTZONETOP:
/*
* Comparing pointers (vs. using strcmp()) is intentional: we
* want to check whether -o was supplied on the command line,
* not whether origin and file contain the same string.
*/
if (origin == file) {
fatal("failed loading zone '%s' from file '%s': "
"use -o to specify a different zone origin",
origin, file);
}
FALLTHROUGH;
default:
fatal("failed loading zone from '%s': %s", file,
isc_result_totext(result));
}
}
noreturn static void
usage(void);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
fprintf(stderr, "\n");
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options: (default value in parenthesis) \n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-q quiet\n");
fprintf(stderr, "\t-V:\tprint version information\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
fprintf(stderr, "\t-I format:\n");
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
exit(EXIT_SUCCESS);
}
int
main(int argc, char *argv[]) {
char *origin = NULL, *file = NULL;
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
const char *engine = NULL;
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
int ch;
#define CMDLINE_FLAGS "c:E:hJ:m:o:I:qv:Vxz"
/*
* Process memory debugging argument first.
*/
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
if (strcasecmp(isc_commandline_argument, "record") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
}
if (strcasecmp(isc_commandline_argument, "trace") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
}
if (strcasecmp(isc_commandline_argument, "usage") == 0)
{
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
}
break;
default:
break;
}
}
isc_commandline_reset = true;
isc_mem_create(&mctx);
isc_commandline_errprint = false;
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'I':
inputformatstr = isc_commandline_argument;
break;
case 'J':
journal = isc_commandline_argument;
break;
case 'm':
break;
case 'o':
origin = isc_commandline_argument;
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("verbose level must be numeric");
}
break;
case 'q':
quiet = true;
break;
case 'x':
keyset_kskonly = true;
break;
case 'z':
ignore_kskflag = true;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
FALLTHROUGH;
case 'h':
/* Does not return. */
usage();
case 'V':
/* Does not return. */
version(program);
default:
fprintf(stderr, "%s: unhandled option -%c\n", program,
isc_commandline_option);
exit(EXIT_FAILURE);
}
}
result = dst_lib_init(mctx, engine);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
now = isc_stdtime_now();
rdclass = strtoclass(classname);
setup_logging(mctx, &log);
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc < 1) {
usage();
}
file = argv[0];
argc -= 1;
argv += 1;
POST(argc);
POST(argv);
if (origin == NULL) {
origin = file;
}
if (inputformatstr != NULL) {
if (strcasecmp(inputformatstr, "text") == 0) {
inputformat = dns_masterformat_text;
} else if (strcasecmp(inputformatstr, "raw") == 0) {
inputformat = dns_masterformat_raw;
} else {
fatal("unknown file format: %s\n", inputformatstr);
}
}
gdb = NULL;
report("Loading zone '%s' from file '%s'\n", origin, file);
loadzone(file, origin, rdclass, &gdb);
if (journal != NULL) {
loadjournal(mctx, gdb, journal);
}
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
gversion = NULL;
result = dns_db_newversion(gdb, &gversion);
check_result(result, "dns_db_newversion()");
result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, NULL, mctx,
ignore_kskflag, keyset_kskonly, report);
dns_db_closeversion(gdb, &gversion, false);
dns_db_detach(&gdb);
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
isc_mem_destroy(&mctx);
return result == ISC_R_SUCCESS ? 0 : 1;
}
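Review bot: every invalid invocation exits with success: `usage()` ends in `exit(EXIT_SUCCESS)`, and it is reached both from the `case '?'` branch (unknown option, via the fallthrough into `case 'h'`) and from the `if (argc < 1)` check after option parsing, so a script that tests the exit status of `dnssec-verify` will treat a mistyped command line as a successfully verified zone. Suggest giving `usage()` an exit-status parameter, or a separate fatal-usage path, so that only `-h` returns 0, consistent with the `return result == ISC_R_SUCCESS ? 0 : 1;` contract at the end of `main()`. Minor: `fatal("unknown file format: %s\n", ...)` and `report("Loading zone '%s' from file '%s'\n", ...)` carry a trailing `\n` although `fatal()` and `report()` each append their own newline, which leaves stray blank lines in the output.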

@ -0,0 +1,112 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-verify
.. program:: dnssec-verify
.. _man_dnssec-verify:
dnssec-verify - DNSSEC zone verification tool
---------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
Description
~~~~~~~~~~~
:program:`dnssec-verify` verifies that a zone is fully signed for each
algorithm found in the DNSKEY RRset for the zone, and that the
NSEC/NSEC3 chains are complete.
Options
~~~~~~~
.. option:: -c class
This option specifies the DNS class of the zone.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -I input-format
This option sets the format of the input zone file. Possible formats are ``text``
(the default) and ``raw``. This option is primarily intended to be used
for dynamic signed zones, so that the dumped zone file in a non-text
format containing updates can be verified independently.
This option is not useful for non-dynamic zones.
.. option:: -J filename
This option tells :program:`dnssec-verify` to read the journal from the given file
when loading the zone file.
.. option:: -o origin
This option indicates the zone origin. If not specified, the name of the zone file is
assumed to be the origin.
.. option:: -v level
This option sets the debugging level.
.. option:: -V
This option prints version information.
.. option:: -q
This option sets quiet mode, which suppresses output. Without this option, when :program:`dnssec-verify`
is run it prints to standard output the number of keys in use, the
algorithms used to verify the zone was signed correctly, and other status
information. With this option, all non-error output is suppressed, and only the exit
code indicates success.
.. option:: -x
This option verifies only that the DNSKEY RRset is signed with key-signing keys.
Without this flag, it is assumed that the DNSKEY RRset is signed
by all active keys. When this flag is set, it is not an error if
the DNSKEY RRset is not signed by zone-signing keys. This corresponds
to the :option:`-x option in dnssec-signzone <dnssec-signzone -x>`.
.. option:: -z
This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is
correctly signed. Without this flag, it is assumed that there is
a non-revoked, self-signed DNSKEY with the KSK flag set for each
algorithm, and that RRsets other than DNSKEY RRset are signed with
a different DNSKEY without the KSK flag set.
With this flag set, BIND 9 only requires that for each algorithm, there
be at least one non-revoked, self-signed DNSKEY, regardless of
the KSK flag state, and that other RRsets be signed by a
non-revoked key for the same algorithm that includes the self-signed
key; the same key may be used for both purposes. This corresponds to
the :option:`-z option in dnssec-signzone <dnssec-signzone -z>`.
.. option:: zonefile
This option indicates the file containing the zone to be signed.
See Also
~~~~~~~~
:iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual, :rfc:`4033`.
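Review bot: the `zonefile` entry reads "the file containing the zone to be signed", which was carried over from the dnssec-signzone page; for this tool it should say "the zone to be verified". Also, the `-q` entry states that "only the exit code indicates success" but the page never documents the exit codes; since `main()` in dnssec-verify.c returns 0 when `dns_zoneverify_dnssec()` succeeds and 1 otherwise, a sentence stating that a zero exit status means the zone verified and a non-zero status means it did not would make `-q` mode usable from scripts.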

bin/dnssec/dnssectool.c Normal file
@ -0,0 +1,702 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
/*%
* DNSSEC Support Routines.
*/
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/base32.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/tls.h>
#include <isc/tm.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/secalg.h>
#include <dns/time.h>
#include "dnssectool.h"
#define KEYSTATES_NVALUES 4
static const char *keystates[KEYSTATES_NVALUES] = {
"hidden",
"rumoured",
"omnipresent",
"unretentive",
};
int verbose = 0;
bool quiet = false;
const char *journal = NULL;
dns_dsdigest_t dtype[8];
static fatalcallback_t *fatalcallback = NULL;
void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: fatal: ", program);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
if (fatalcallback != NULL) {
(*fatalcallback)();
}
_exit(EXIT_FAILURE);
}
void
setfatalcallback(fatalcallback_t *callback) {
fatalcallback = callback;
}
void
check_result(isc_result_t result, const char *message) {
if (result != ISC_R_SUCCESS) {
fatal("%s: %s", message, isc_result_totext(result));
}
}
void
vbprintf(int level, const char *fmt, ...) {
va_list ap;
if (level > verbose) {
return;
}
va_start(ap, fmt);
fprintf(stderr, "%s: ", program);
vfprintf(stderr, fmt, ap);
va_end(ap);
}
void
version(const char *name) {
printf("%s %s\n", name, PACKAGE_VERSION);
exit(EXIT_SUCCESS);
}
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
dns_name_format(&sig->signer, namestr, sizeof(namestr));
dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
}
void
setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
int level;
if (verbose < 0) {
verbose = 0;
}
switch (verbose) {
case 0:
/*
* We want to see warnings about things like out-of-zone
* data in the master file even when not verbose.
*/
level = ISC_LOG_WARNING;
break;
case 1:
level = ISC_LOG_INFO;
break;
default:
level = ISC_LOG_DEBUG(verbose - 2 + 1);
break;
}
isc_log_create(mctx, &log, &logconfig);
isc_log_setcontext(log);
dns_log_init(log);
dns_log_setcontext(log);
isc_log_settag(logconfig, program);
/*
* Set up a channel similar to default_stderr except:
* - the logging level is passed in
* - the program name and logging level are printed
* - no time stamp is printed
*/
destination.file.stream = stderr;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
&destination,
ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
ISC_R_SUCCESS);
*logp = log;
}
void
cleanup_logging(isc_log_t **logp) {
isc_log_t *log;
REQUIRE(logp != NULL);
log = *logp;
*logp = NULL;
if (log == NULL) {
return;
}
isc_log_destroy(&log);
isc_log_setcontext(NULL);
dns_log_setcontext(NULL);
}
static isc_stdtime_t
time_units(isc_stdtime_t offset, char *suffix, const char *str) {
switch (suffix[0]) {
case 'Y':
case 'y':
return offset * (365 * 24 * 3600);
case 'M':
case 'm':
switch (suffix[1]) {
case 'O':
case 'o':
return offset * (30 * 24 * 3600);
case 'I':
case 'i':
return offset * 60;
case '\0':
fatal("'%s' ambiguous: use 'mi' for minutes "
"or 'mo' for months",
str);
default:
fatal("time value %s is invalid", str);
}
UNREACHABLE();
break;
case 'W':
case 'w':
return offset * (7 * 24 * 3600);
case 'D':
case 'd':
return offset * (24 * 3600);
case 'H':
case 'h':
return offset * 3600;
case 'S':
case 's':
case '\0':
return offset;
default:
fatal("time value %s is invalid", str);
}
UNREACHABLE();
return 0; /* silence compiler warning */
}
static bool
isnone(const char *str) {
return (strcasecmp(str, "none") == 0) ||
(strcasecmp(str, "never") == 0) ||
(strcasecmp(str, "unset") == 0);
}
dns_ttl_t
strtottl(const char *str) {
const char *orig = str;
dns_ttl_t ttl;
char *endp;
if (isnone(str)) {
return (dns_ttl_t)0;
}
ttl = strtol(str, &endp, 0);
if (ttl == 0 && endp == str) {
fatal("TTL must be numeric");
}
ttl = time_units(ttl, endp, orig);
return ttl;
}
dst_key_state_t
strtokeystate(const char *str) {
if (isnone(str)) {
return DST_KEY_STATE_NA;
}
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
if (keystates[i] != NULL && strcasecmp(str, keystates[i]) == 0)
{
return (dst_key_state_t)i;
}
}
fatal("unknown key state %s", str);
}
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base, bool *setp) {
int64_t val, offset;
isc_result_t result;
const char *orig = str;
char *endp;
size_t n;
struct tm tm;
if (isnone(str)) {
SET_IF_NOT_NULL(setp, false);
return (isc_stdtime_t)0;
}
SET_IF_NOT_NULL(setp, true);
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') {
return (isc_stdtime_t)0;
}
/*
* We accept times in the following formats:
* now([+-]offset)
* YYYYMMDD([+-]offset)
* YYYYMMDDhhmmss([+-]offset)
* Day Mon DD HH:MM:SS YYYY([+-]offset)
* 1234567890([+-]offset)
* [+-]offset
*/
n = strspn(str, "0123456789");
if ((n == 8u || n == 14u) &&
(str[n] == '\0' || str[n] == '-' || str[n] == '+'))
{
char timestr[15];
strlcpy(timestr, str, sizeof(timestr));
timestr[n] = 0;
if (n == 8u) {
strlcat(timestr, "000000", sizeof(timestr));
}
result = dns_time64_fromtext(timestr, &val);
if (result != ISC_R_SUCCESS) {
fatal("time value %s is invalid: %s", orig,
isc_result_totext(result));
}
base = val;
str += n;
} else if (n == 10u &&
(str[n] == '\0' || str[n] == '-' || str[n] == '+'))
{
base = strtoll(str, &endp, 0);
str += 10;
} else if (strncmp(str, "now", 3) == 0) {
base = now;
str += 3;
} else if (str[0] >= 'A' && str[0] <= 'Z') {
/* parse ctime() format as written by `dnssec-settime -p` */
endp = isc_tm_strptime(str, "%a %b %d %H:%M:%S %Y", &tm);
if (endp != str + 24) {
fatal("time value %s is invalid", orig);
}
base = mktime(&tm);
str += 24;
}
if (str[0] == '\0') {
return (isc_stdtime_t)base;
} else if (str[0] == '+') {
offset = strtol(str + 1, &endp, 0);
offset = time_units((isc_stdtime_t)offset, endp, orig);
val = base + offset;
} else if (str[0] == '-') {
offset = strtol(str + 1, &endp, 0);
offset = time_units((isc_stdtime_t)offset, endp, orig);
val = base - offset;
} else {
fatal("time value %s is invalid", orig);
}
return (isc_stdtime_t)val;
}
dns_rdataclass_t
strtoclass(const char *str) {
isc_textregion_t r;
dns_rdataclass_t rdclass;
isc_result_t result;
if (str == NULL) {
return dns_rdataclass_in;
}
r.base = UNCONST(str);
r.length = strlen(str);
result = dns_rdataclass_fromtext(&rdclass, &r);
if (result != ISC_R_SUCCESS) {
fatal("unknown class %s", str);
}
return rdclass;
}
unsigned int
strtodsdigest(const char *str) {
isc_textregion_t r;
dns_dsdigest_t alg;
isc_result_t result;
r.base = UNCONST(str);
r.length = strlen(str);
result = dns_dsdigest_fromtext(&alg, &r);
if (result != ISC_R_SUCCESS) {
fatal("unknown DS algorithm %s", str);
}
return alg;
}
static int
cmp_dtype(const void *ap, const void *bp) {
int a = *(const uint8_t *)ap;
int b = *(const uint8_t *)bp;
return a - b;
}
void
add_dtype(unsigned int dt) {
unsigned int i, n;
/* ensure there is space for a zero terminator */
n = sizeof(dtype) / sizeof(dtype[0]) - 1;
for (i = 0; i < n; i++) {
if (dtype[i] == dt) {
return;
}
if (dtype[i] == 0) {
dtype[i] = dt;
qsort(dtype, i + 1, 1, cmp_dtype);
return;
}
}
fatal("too many -a digest type arguments");
}
isc_result_t
try_dir(const char *dirname) {
isc_result_t result;
isc_dir_t d;
isc_dir_init(&d);
result = isc_dir_open(&d, dirname);
if (result == ISC_R_SUCCESS) {
isc_dir_close(&d);
}
return result;
}
/*
* Check private key version compatibility.
*/
void
check_keyversion(dst_key_t *key, char *keystr) {
int major, minor;
dst_key_getprivateformat(key, &major, &minor);
INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
fatal("Key %s has incompatible format version %d.%d, "
"use -f to force upgrade to new version.",
keystr, major, minor);
}
if (minor > DST_MINOR_VERSION) {
fatal("Key %s has incompatible format version %d.%d, "
"use -f to force downgrade to current version.",
keystr, major, minor);
}
}
void
set_keyversion(dst_key_t *key) {
int major, minor;
dst_key_getprivateformat(key, &major, &minor);
INSIST(major <= DST_MAJOR_VERSION);
if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION) {
dst_key_setprivateformat(key, DST_MAJOR_VERSION,
DST_MINOR_VERSION);
}
/*
* If the key is from a version older than 1.3, set
* set the creation date
*/
if (major < 1 || (major == 1 && minor <= 2)) {
isc_stdtime_t now = isc_stdtime_now();
dst_key_settime(key, DST_TIME_CREATED, now);
}
}
bool
key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact) {
isc_result_t result;
bool conflict = false;
dns_dnsseckeylist_t matchkeys;
dns_dnsseckey_t *key = NULL;
uint16_t id, oldid;
uint32_t rid, roldid;
dns_secalg_t alg;
isc_stdtime_t now = isc_stdtime_now();
SET_IF_NOT_NULL(exact, false);
id = dst_key_id(dstkey);
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
if (min != max) {
if (id < min || id > max) {
fprintf(stderr, "Key ID %d outside of [%u..%u]\n", id,
min, max);
return true;
}
if (rid < min || rid > max) {
fprintf(stderr,
"Revoked Key ID %d (for tag %d) outside of "
"[%u..%u]\n",
rid, id, min, max);
return true;
}
}
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, NULL, dir, NULL, now, mctx,
&matchkeys);
if (result == ISC_R_NOTFOUND) {
return false;
}
while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
key = ISC_LIST_HEAD(matchkeys);
if (dst_key_alg(key->key) != alg) {
goto next;
}
oldid = dst_key_id(key->key);
roldid = dst_key_rid(key->key);
if (oldid == rid || roldid == id || id == oldid) {
conflict = true;
if (id != oldid) {
if (verbose > 1) {
fprintf(stderr,
"Key ID %d could "
"collide with %d\n",
id, oldid);
}
} else {
if (exact != NULL) {
*exact = true;
}
if (verbose > 1) {
fprintf(stderr, "Key ID %d exists\n",
id);
}
}
}
next:
ISC_LIST_UNLINK(matchkeys, key, link);
dns_dnsseckey_destroy(mctx, &key);
}
/* Finish freeing the list */
while (!ISC_LIST_EMPTY(matchkeys)) {
key = ISC_LIST_HEAD(matchkeys);
ISC_LIST_UNLINK(matchkeys, key, link);
dns_dnsseckey_destroy(mctx, &key);
}
return conflict;
}
bool
isoptarg(const char *arg, char **argv, void (*usage)(void)) {
if (!strcasecmp(isc_commandline_argument, arg)) {
if (argv[isc_commandline_index] == NULL) {
fprintf(stderr, "%s: missing argument -%c %s\n",
program, isc_commandline_option,
isc_commandline_argument);
usage();
}
isc_commandline_argument = argv[isc_commandline_index];
/* skip to next argument */
isc_commandline_index++;
return true;
}
return false;
}
void
loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file) {
dns_journal_t *jnl = NULL;
isc_result_t result;
result = dns_journal_open(mctx, file, DNS_JOURNAL_READ, &jnl);
if (result == ISC_R_NOTFOUND) {
fprintf(stderr, "%s: journal file %s not found\n", program,
file);
goto cleanup;
} else if (result != ISC_R_SUCCESS) {
fatal("unable to open journal %s: %s\n", file,
isc_result_totext(result));
}
if (dns_journal_empty(jnl)) {
dns_journal_destroy(&jnl);
return;
}
result = dns_journal_rollforward(jnl, db, 0);
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_UPTODATE:
break;
case ISC_R_NOTFOUND:
case ISC_R_RANGE:
fatal("journal %s out of sync with zone", file);
default:
fatal("journal %s: %s\n", file, isc_result_totext(result));
}
cleanup:
dns_journal_destroy(&jnl);
}
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp) {
isc_result_t result = ISC_R_NOTFOUND;
const cfg_listelt_t *element;
const cfg_obj_t *kasps = NULL;
dns_kasp_t *kasp = NULL, *kasp_next;
dns_kasplist_t kasplist;
const cfg_obj_t *keystores = NULL;
dns_keystore_t *ks = NULL, *ks_next;
dns_keystorelist_t kslist;
ISC_LIST_INIT(kasplist);
ISC_LIST_INIT(kslist);
(void)cfg_map_get(config, "key-store", &keystores);
for (element = cfg_list_first(keystores); element != NULL;
element = cfg_list_next(element))
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
ks = NULL;
result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
&kslist, NULL);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure key-store '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
isc_result_totext(result));
}
}
/* Default key-directory key store. */
ks = NULL;
(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
INSIST(ks != NULL);
if (keydir != NULL) {
/* '-K keydir' takes priority */
dns_keystore_setdirectory(ks, keydir);
}
dns_keystore_detach(&ks);
(void)cfg_map_get(config, "dnssec-policy", &kasps);
for (element = cfg_list_first(kasps); element != NULL;
element = cfg_list_next(element))
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
kasp = NULL;
if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
name) != 0)
{
continue;
}
result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx,
&kslist, &kasplist, &kasp);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure dnssec-policy '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
isc_result_totext(result));
}
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
break;
}
*kaspp = kasp;
/*
* Cleanup kasp list.
*/
for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
kasp_next = ISC_LIST_NEXT(kasp, link);
ISC_LIST_UNLINK(kasplist, kasp, link);
dns_kasp_detach(&kasp);
}
/*
* Cleanup keystore list.
*/
for (ks = ISC_LIST_HEAD(kslist); ks != NULL; ks = ks_next) {
ks_next = ISC_LIST_NEXT(ks, link);
ISC_LIST_UNLINK(kslist, ks, link);
dns_keystore_detach(&ks);
}
}
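Review bot: in loadjournal(), the ISC_R_NOTFOUND branch jumps to cleanup with jnl still NULL, so `dns_journal_destroy(&jnl);` is invoked on a journal that was never opened; unless dns_journal_destroy() is documented to accept a NULL journal, return directly after the fprintf, the way the dns_journal_empty() path already destroys and returns. The fatal() format strings in that same function are also inconsistent: `"unable to open journal %s: %s\n"` and `"journal %s: %s\n"` end in a newline while `"journal %s out of sync with zone"` does not, and fatal() should own the newline. In isoptarg(), the missing-argument path calls usage() and then falls through to `isc_commandline_argument = argv[isc_commandline_index];`, assigning NULL and returning true, so the function silently depends on usage() never returning even though its type `void (*usage)(void)` promises nothing; either document that contract at the prototype or follow the call with fatal(). Minor, in kasp_from_conf(): the `ks = NULL;` inside the key-store loop is dead, since that iteration passes a literal NULL as the last argument to cfg_keystore_fromconfig().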

123
bin/dnssec/dnssectool.h Normal file

@ -0,0 +1,123 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
#include <inttypes.h>
#include <stdbool.h>
#include <isc/attributes.h>
#include <isc/log.h>
#include <isc/stdtime.h>
#include <dns/kasp.h>
#include <dns/rdatastruct.h>
#include <dst/dst.h>
#include <isccfg/cfg.h>
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
#define MAX_RSA 4096 /* should be long enough... */
#define MAX_DH 4096 /* should be long enough... */
/*! verbosity: set by -v and -q option in each program, defined in dnssectool.c
*/
extern int verbose;
extern bool quiet;
/*! program name, statically initialized in each program */
extern const char *program;
/*! journal file */
extern const char *journal;
/*!
* List of DS digest types used by dnssec-cds and dnssec-dsfromkey,
* defined in dnssectool.c. Filled in by add_dtype() from -a
* arguments, sorted (so that DS records are in a canonical order) and
* terminated by a zero. The size of the array is an arbitrary limit
* which should be greater than the number of known digest types.
*/
extern uint8_t dtype[8];
typedef void(fatalcallback_t)(void);
noreturn void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
setfatalcallback(fatalcallback_t *callback);
void
check_result(isc_result_t result, const char *message);
void
vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
noreturn void
version(const char *program);
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
#define SIG_FORMATSIZE \
(DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
void
setup_logging(isc_mem_t *mctx, isc_log_t **logp);
void
cleanup_logging(isc_log_t **logp);
dns_ttl_t
strtottl(const char *str);
dst_key_state_t
strtokeystate(const char *str);
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base, bool *setp);
dns_rdataclass_t
strtoclass(const char *str);
unsigned int
strtodsdigest(const char *str);
void
add_dtype(unsigned int dt);
isc_result_t
try_dir(const char *dirname);
void
check_keyversion(dst_key_t *key, char *keystr);
void
set_keyversion(dst_key_t *key);
bool
key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact);
bool
isoptarg(const char *arg, char **argv, void (*usage)(void));
void
loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp);
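Review bot: the loadjournal() prototype names its third parameter `journal`, which shadows the file-scope `extern const char *journal;` declared a few lines above in this same header, while the definition in dnssectool.c calls it `file`; rename the parameter to `file` so the declaration matches the definition and -Wshadow stays quiet. The comment on `extern uint8_t dtype[8];` says the size is an arbitrary limit with a zero terminator, which means at most seven digest types fit, yet add_dtype() is declared with no hint that it enforces that bound; a one-line note at the declaration, or a shared define used by both the array size and the check in add_dtype(), would make the invariant visible where callers see it.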

127
bin/named/Makefile.am Normal file

@ -0,0 +1,127 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
-I$(top_builddir)/include \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCC_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(OPENSSL_CFLAGS) \
$(LIBCAP_CFLAGS) \
$(LMDB_CFLAGS) \
$(MAXMINDDB_CFLAGS) \
$(DNSTAP_CFLAGS) \
$(LIBUV_CFLAGS) \
$(LIBSYSTEMD_CFLAGS) \
$(ZLIB_CFLAGS)
if HAVE_JSON_C
AM_CPPFLAGS += \
$(JSON_C_CFLAGS)
endif HAVE_JSON_C
if HAVE_LIBNGHTTP2
AM_CPPFLAGS += \
$(LIBNGHTTP2_CFLAGS)
endif HAVE_LIBNGHTTP2
if HAVE_LIBXML2
AM_CPPFLAGS += \
$(LIBXML2_CFLAGS)
endif HAVE_LIBXML2
AM_CPPFLAGS += \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
sbin_PROGRAMS = named
nodist_named_SOURCES = xsl.c
BUILT_SOURCES += xsl.c
CLEANFILES += xsl.c
EXTRA_DIST = bind9.xsl
xsl.c: bind9.xsl Makefile
(echo 'const char xslmsg[] =' && \
$(SED) -e 's,\",\\\",g' \
-e 's,^,\",' \
-e 's,$$,\\n\",' && \
echo ";") \
< "${srcdir}/bind9.xsl" > $@
named_SOURCES = \
builtin.c \
config.c \
control.c \
controlconf.c \
dlz_dlopen_driver.c \
fuzz.c \
log.c \
logconf.c \
main.c \
os.c \
server.c \
statschannel.c \
tkeyconf.c \
transportconf.c \
tsigconf.c \
zoneconf.c \
include/dlz/dlz_dlopen_driver.h \
include/named/builtin.h \
include/named/config.h \
include/named/control.h \
include/named/fuzz.h \
include/named/geoip.h \
include/named/globals.h \
include/named/log.h \
include/named/logconf.h \
include/named/main.h \
include/named/os.h \
include/named/server.h \
include/named/smf_globals.h \
include/named/statschannel.h \
include/named/tkeyconf.h \
include/named/transportconf.h \
include/named/tsigconf.h \
include/named/types.h \
include/named/zoneconf.h \
xsl_p.h
if HAVE_GEOIP2
AM_CPPFLAGS += \
-DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\"
named_SOURCES += \
geoip.c
endif
named_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCC_LIBS) \
$(LIBISCCFG_LIBS) \
$(OPENSSL_LIBS) \
$(LIBCAP_LIBS) \
$(LMDB_LIBS) \
$(MAXMINDDB_LIBS) \
$(DNSTAP_LIBS) \
$(LIBUV_LIBS) \
$(LIBSYSTEMD_LIBS) \
$(ZLIB_LIBS)
if HAVE_JSON_C
named_LDADD += \
$(JSON_C_LIBS)
endif HAVE_JSON_C
if HAVE_LIBNGHTTP2
named_LDADD += \
$(LIBNGHTTP2_LIBS)
endif HAVE_LIBNGHTTP2
if HAVE_LIBXML2
named_LDADD += \
$(LIBXML2_LIBS)
endif HAVE_LIBXML2
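Review bot: the xsl.c rule escapes only double quotes when it turns bind9.xsl into a C string literal (`$(SED) -e 's,\",\\\",g'`), so a backslash anywhere in the stylesheet would reach the compiler as the start of an escape sequence rather than as a literal backslash; add a backslash-escaping rule ahead of the quote rule (for example `-e 's,\\,\\\\,g'`) so the generated literal is faithful whatever the XSL contains. The rule also redirects straight into `$@`, so an interrupted or failed run leaves a truncated xsl.c that is newer than bind9.xsl and will not be regenerated on the next make; writing to a temporary file and renaming it into place only on success is the usual idiom and avoids that stale-output trap.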

975
bin/named/Makefile.in Normal file

@ -0,0 +1,975 @@
# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
@HOST_MACOS_TRUE@am__append_1 = \
@HOST_MACOS_TRUE@ -Wl,-flat_namespace
@HAVE_JSON_C_TRUE@am__append_2 = \
@HAVE_JSON_C_TRUE@ $(JSON_C_CFLAGS)
@HAVE_LIBNGHTTP2_TRUE@am__append_3 = \
@HAVE_LIBNGHTTP2_TRUE@ $(LIBNGHTTP2_CFLAGS)
@HAVE_LIBXML2_TRUE@am__append_4 = \
@HAVE_LIBXML2_TRUE@ $(LIBXML2_CFLAGS)
sbin_PROGRAMS = named$(EXEEXT)
@HAVE_GEOIP2_TRUE@am__append_5 = \
@HAVE_GEOIP2_TRUE@ -DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\"
@HAVE_GEOIP2_TRUE@am__append_6 = \
@HAVE_GEOIP2_TRUE@ geoip.c
@HAVE_JSON_C_TRUE@am__append_7 = \
@HAVE_JSON_C_TRUE@ $(JSON_C_LIBS)
@HAVE_LIBNGHTTP2_TRUE@am__append_8 = \
@HAVE_LIBNGHTTP2_TRUE@ $(LIBNGHTTP2_LIBS)
@HAVE_LIBXML2_TRUE@am__append_9 = \
@HAVE_LIBXML2_TRUE@ $(LIBXML2_LIBS)
subdir = bin/named
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_check_openssl.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg-modversion.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(sbindir)"
PROGRAMS = $(sbin_PROGRAMS)
am__named_SOURCES_DIST = builtin.c config.c control.c controlconf.c \
dlz_dlopen_driver.c fuzz.c log.c logconf.c main.c os.c \
server.c statschannel.c tkeyconf.c transportconf.c tsigconf.c \
zoneconf.c include/dlz/dlz_dlopen_driver.h \
include/named/builtin.h include/named/config.h \
include/named/control.h include/named/fuzz.h \
include/named/geoip.h include/named/globals.h \
include/named/log.h include/named/logconf.h \
include/named/main.h include/named/os.h include/named/server.h \
include/named/smf_globals.h include/named/statschannel.h \
include/named/tkeyconf.h include/named/transportconf.h \
include/named/tsigconf.h include/named/types.h \
include/named/zoneconf.h xsl_p.h geoip.c
@HAVE_GEOIP2_TRUE@am__objects_1 = geoip.$(OBJEXT)
am_named_OBJECTS = builtin.$(OBJEXT) config.$(OBJEXT) \
control.$(OBJEXT) controlconf.$(OBJEXT) \
dlz_dlopen_driver.$(OBJEXT) fuzz.$(OBJEXT) log.$(OBJEXT) \
logconf.$(OBJEXT) main.$(OBJEXT) os.$(OBJEXT) server.$(OBJEXT) \
statschannel.$(OBJEXT) tkeyconf.$(OBJEXT) \
transportconf.$(OBJEXT) tsigconf.$(OBJEXT) zoneconf.$(OBJEXT) \
$(am__objects_1)
nodist_named_OBJECTS = xsl.$(OBJEXT)
named_OBJECTS = $(am_named_OBJECTS) $(nodist_named_OBJECTS)
am__DEPENDENCIES_1 =
@HAVE_JEMALLOC_FALSE@am__DEPENDENCIES_2 = \
@HAVE_JEMALLOC_FALSE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_JSON_C_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1)
@HAVE_LIBNGHTTP2_TRUE@am__DEPENDENCIES_4 = $(am__DEPENDENCIES_1)
@HAVE_LIBXML2_TRUE@am__DEPENDENCIES_5 = $(am__DEPENDENCIES_1)
named_DEPENDENCIES = $(am__DEPENDENCIES_2) $(LIBDNS_LIBS) \
$(LIBNS_LIBS) $(LIBISCCC_LIBS) $(LIBISCCFG_LIBS) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_3) $(am__DEPENDENCIES_4) \
$(am__DEPENDENCIES_5)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/builtin.Po ./$(DEPDIR)/config.Po \
./$(DEPDIR)/control.Po ./$(DEPDIR)/controlconf.Po \
./$(DEPDIR)/dlz_dlopen_driver.Po ./$(DEPDIR)/fuzz.Po \
./$(DEPDIR)/geoip.Po ./$(DEPDIR)/log.Po ./$(DEPDIR)/logconf.Po \
./$(DEPDIR)/main.Po ./$(DEPDIR)/os.Po ./$(DEPDIR)/server.Po \
./$(DEPDIR)/statschannel.Po ./$(DEPDIR)/tkeyconf.Po \
./$(DEPDIR)/transportconf.Po ./$(DEPDIR)/tsigconf.Po \
./$(DEPDIR)/xsl.Po ./$(DEPDIR)/zoneconf.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo " CC " $@;
am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(named_SOURCES) $(nodist_named_SOURCES)
DIST_SOURCES = $(am__named_SOURCES_DIST)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__extra_recursive_targets = test-recursive unit-recursive \
doc-recursive
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \
$(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
BUILD_EXEEXT = @BUILD_EXEEXT@
BUILD_OBJEXT = @BUILD_OBJEXT@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@
CPP_FOR_BUILD = @CPP_FOR_BUILD@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CURL = @CURL@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DEVELOPER_MODE = @DEVELOPER_MODE@
DLLTOOL = @DLLTOOL@
DLOPEN_LIBS = @DLOPEN_LIBS@
DNSTAP_CFLAGS = @DNSTAP_CFLAGS@
DNSTAP_LIBS = @DNSTAP_LIBS@
DOXYGEN = @DOXYGEN@
DSYMUTIL = @DSYMUTIL@
DTRACE = @DTRACE@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
FSTRM_CAPTURE = @FSTRM_CAPTURE@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@
GREP = @GREP@
GSSAPI_CFLAGS = @GSSAPI_CFLAGS@
GSSAPI_LIBS = @GSSAPI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@
JEMALLOC_LIBS = @JEMALLOC_LIBS@
JEMALLOC_VERSION = @JEMALLOC_VERSION@
JSON_C_CFLAGS = @JSON_C_CFLAGS@
JSON_C_LIBS = @JSON_C_LIBS@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_CONFIG = @KRB5_CONFIG@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDFLAGS = @LDFLAGS@
LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@
LIBCAP_CFLAGS = @LIBCAP_CFLAGS@
LIBCAP_LIBS = @LIBCAP_LIBS@
LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@
LIBIDN2_LIBS = @LIBIDN2_LIBS@
LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@
LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
LIBTOOL = @LIBTOOL@
LIBURCU_CFLAGS = @LIBURCU_CFLAGS@
LIBURCU_LIBS = @LIBURCU_LIBS@
LIBUV_CFLAGS = @LIBUV_CFLAGS@
LIBUV_LIBS = @LIBUV_LIBS@
LIBUV_VERSION = @LIBUV_VERSION@
LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
LIBXML2_LIBS = @LIBXML2_LIBS@
LIPO = @LIPO@
LMDB_CFLAGS = @LMDB_CFLAGS@
LMDB_LIBS = @LMDB_LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@
MKDIR_P = @MKDIR_P@
NC = @NC@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENSSL_VERSION = @OPENSSL_VERSION@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PROTOC_C = @PROTOC_C@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_CXX = @PTHREAD_CXX@
PTHREAD_LIBS = @PTHREAD_LIBS@
PYTEST = @PYTEST@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RCU_VERSION = @RCU_VERSION@
READLINE_CFLAGS = @READLINE_CFLAGS@
READLINE_LIBS = @READLINE_LIBS@
RELEASE_DATE = @RELEASE_DATE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SPHINX_BUILD = @SPHINX_BUILD@
STD_CFLAGS = @STD_CFLAGS@
STD_CPPFLAGS = @STD_CPPFLAGS@
STD_LDFLAGS = @STD_LDFLAGS@
STRIP = @STRIP@
TEST_CFLAGS = @TEST_CFLAGS@
VERSION = @VERSION@
XSLTPROC = @XSLTPROC@
ZLIB_CFLAGS = @ZLIB_CFLAGS@
ZLIB_LIBS = @ZLIB_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \
-I$(srcdir)/include -I$(top_builddir)/include $(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) $(LIBNS_CFLAGS) $(LIBISCCC_CFLAGS) \
$(LIBISCCFG_CFLAGS) $(OPENSSL_CFLAGS) $(LIBCAP_CFLAGS) \
$(LMDB_CFLAGS) $(MAXMINDDB_CFLAGS) $(DNSTAP_CFLAGS) \
$(LIBUV_CFLAGS) $(LIBSYSTEMD_CFLAGS) $(ZLIB_CFLAGS) \
$(am__append_2) $(am__append_3) $(am__append_4) \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" $(am__append_5)
AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1)
LDADD =
BUILT_SOURCES = xsl.c
CLEANFILES = xsl.c
@HAVE_JEMALLOC_FALSE@LIBISC_CFLAGS = -I$(top_srcdir)/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_FALSE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_TRUE@LIBISC_CFLAGS = $(JEMALLOC_CFLAGS) \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_srcdir)/lib/isc/include \
@HAVE_JEMALLOC_TRUE@ -I$(top_builddir)/lib/isc/include
@HAVE_JEMALLOC_FALSE@LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
@HAVE_JEMALLOC_TRUE@LIBISC_LIBS = $(JEMALLOC_LIBS) \
@HAVE_JEMALLOC_TRUE@ $(top_builddir)/lib/isc/libisc.la
@HAVE_DTRACE_TRUE@LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
@HAVE_DTRACE_TRUE@LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
@HAVE_DTRACE_TRUE@LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
nodist_named_SOURCES = xsl.c
EXTRA_DIST = bind9.xsl
named_SOURCES = builtin.c config.c control.c controlconf.c \
dlz_dlopen_driver.c fuzz.c log.c logconf.c main.c os.c \
server.c statschannel.c tkeyconf.c transportconf.c tsigconf.c \
zoneconf.c include/dlz/dlz_dlopen_driver.h \
include/named/builtin.h include/named/config.h \
include/named/control.h include/named/fuzz.h \
include/named/geoip.h include/named/globals.h \
include/named/log.h include/named/logconf.h \
include/named/main.h include/named/os.h include/named/server.h \
include/named/smf_globals.h include/named/statschannel.h \
include/named/tkeyconf.h include/named/transportconf.h \
include/named/tsigconf.h include/named/types.h \
include/named/zoneconf.h xsl_p.h $(am__append_6)
named_LDADD = $(LIBISC_LIBS) $(LIBDNS_LIBS) $(LIBNS_LIBS) \
$(LIBISCCC_LIBS) $(LIBISCCFG_LIBS) $(OPENSSL_LIBS) \
$(LIBCAP_LIBS) $(LMDB_LIBS) $(MAXMINDDB_LIBS) $(DNSTAP_LIBS) \
$(LIBUV_LIBS) $(LIBSYSTEMD_LIBS) $(ZLIB_LIBS) $(am__append_7) \
$(am__append_8) $(am__append_9)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/named/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign bin/named/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.top $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-sbinPROGRAMS: $(sbin_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
} \
; done
uninstall-sbinPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(sbindir)" && rm -f $$files
clean-sbinPROGRAMS:
@list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
named$(EXEEXT): $(named_OBJECTS) $(named_DEPENDENCIES) $(EXTRA_named_DEPENDENCIES)
@rm -f named$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(named_OBJECTS) $(named_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builtin.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/config.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/control.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controlconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dlz_dlopen_driver.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fuzz.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/geoip.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/logconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/os.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/statschannel.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tkeyconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transportconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tsigconf.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xsl.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zoneconf.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
test-local:
unit-local:
doc-local:
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
all-am: Makefile $(PROGRAMS)
installdirs:
for dir in "$(DESTDIR)$(sbindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/builtin.Po
-rm -f ./$(DEPDIR)/config.Po
-rm -f ./$(DEPDIR)/control.Po
-rm -f ./$(DEPDIR)/controlconf.Po
-rm -f ./$(DEPDIR)/dlz_dlopen_driver.Po
-rm -f ./$(DEPDIR)/fuzz.Po
-rm -f ./$(DEPDIR)/geoip.Po
-rm -f ./$(DEPDIR)/log.Po
-rm -f ./$(DEPDIR)/logconf.Po
-rm -f ./$(DEPDIR)/main.Po
-rm -f ./$(DEPDIR)/os.Po
-rm -f ./$(DEPDIR)/server.Po
-rm -f ./$(DEPDIR)/statschannel.Po
-rm -f ./$(DEPDIR)/tkeyconf.Po
-rm -f ./$(DEPDIR)/transportconf.Po
-rm -f ./$(DEPDIR)/tsigconf.Po
-rm -f ./$(DEPDIR)/xsl.Po
-rm -f ./$(DEPDIR)/zoneconf.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
doc: doc-am
doc-am: doc-local
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-sbinPROGRAMS
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/builtin.Po
-rm -f ./$(DEPDIR)/config.Po
-rm -f ./$(DEPDIR)/control.Po
-rm -f ./$(DEPDIR)/controlconf.Po
-rm -f ./$(DEPDIR)/dlz_dlopen_driver.Po
-rm -f ./$(DEPDIR)/fuzz.Po
-rm -f ./$(DEPDIR)/geoip.Po
-rm -f ./$(DEPDIR)/log.Po
-rm -f ./$(DEPDIR)/logconf.Po
-rm -f ./$(DEPDIR)/main.Po
-rm -f ./$(DEPDIR)/os.Po
-rm -f ./$(DEPDIR)/server.Po
-rm -f ./$(DEPDIR)/statschannel.Po
-rm -f ./$(DEPDIR)/tkeyconf.Po
-rm -f ./$(DEPDIR)/transportconf.Po
-rm -f ./$(DEPDIR)/tsigconf.Po
-rm -f ./$(DEPDIR)/xsl.Po
-rm -f ./$(DEPDIR)/zoneconf.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
test: test-am
test-am: test-local
uninstall-am: uninstall-sbinPROGRAMS
unit: unit-am
unit-am: unit-local
.MAKE: all check install install-am install-exec install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-generic clean-libtool clean-sbinPROGRAMS cscopelist-am \
ctags ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir doc-am doc-local dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am tags tags-am test-am test-local uninstall \
uninstall-am uninstall-sbinPROGRAMS unit-am unit-local
.PRECIOUS: Makefile
xsl.c: bind9.xsl Makefile
(echo 'const char xslmsg[] =' && \
$(SED) -e 's,\",\\\",g' \
-e 's,^,\",' \
-e 's,$$,\\n\",' && \
echo ";") \
< "${srcdir}/bind9.xsl" > $@
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
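Review bot: the `xsl.c` rule only escapes double quotes when it wraps each line of bind9.xsl into a C string literal (`-e 's,\",\\\",g'`), so a backslash in the stylesheet would pass through unescaped and be read by the C compiler as an escape sequence; add a first expression that doubles backslashes (`-e 's,\\,\\\\,g'`) ahead of the quote substitution, or document that bind9.xsl must not contain backslashes. The rule also redirects straight into `$@`, so a failing or interrupted `$(SED)` leaves a truncated xsl.c that later runs of make consider up to date; writing to `$@-t` and renaming on success, as the `$(am__depfiles_remade)` rule above does, avoids that.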

1043
bin/named/bind9.xsl Normal file

File diff suppressed because it is too large

1293
bin/named/builtin.c Normal file

File diff suppressed because it is too large Load diff

956
bin/named/config.c Normal file

@ -0,0 +1,956 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <bind.keys.h>
#include <inttypes.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/fixedname.h>
#include <dns/kasp.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/tsig.h>
#include <dns/zone.h>
#include <dst/dst.h>
#include <isccfg/grammar.h>
#include <isccfg/namedconf.h>
#include <named/config.h>
#include <named/globals.h>
/*% default configuration */
static char defaultconf[] = "\
options {\n\
answer-cookie true;\n\
automatic-interface-scan yes;\n\
# blackhole {none;};\n\
cookie-algorithm siphash24;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 1232;\n"
#if defined(HAVE_GEOIP2)
"\
geoip-directory \"" MAXMINDDB_PREFIX "/share/GeoIP\";\n"
#elif defined(HAVE_GEOIP2)
"\
geoip-directory \".\";\n"
#endif /* if defined(HAVE_GEOIP2) */
"\
heartbeat-interval 60;\n\
interface-interval 60;\n\
listen-on {any;};\n\
listen-on-v6 {any;};\n\
match-mapped-addresses no;\n\
max-ixfr-ratio 100%;\n\
max-rsa-exponent-size 0; /* no limit */\n\
max-udp-size 1232;\n\
memstatistics-file \"named.memstats\";\n\
nocookie-udp-size 4096;\n\
notify-rate 20;\n\
nta-lifetime 3600;\n\
nta-recheck 300;\n\
# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n"
#if HAVE_SO_REUSEPORT_LB
"\
reuseport yes;\n"
#else
"\
reuseport no;\n"
#endif
"\
tls-port 853;\n"
#if HAVE_LIBNGHTTP2
"\
http-port 80;\n\
https-port 443;\n\
http-listener-clients 300;\n\
http-streams-per-connection 100;\n"
#endif
"\
prefetch 2 9;\n\
# querylog <boolean>;\n\
recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\
request-nsid false;\n\
resolver-query-timeout 10;\n\
# responselog <boolean>;\n\
rrset-order { order random; };\n\
secroots-file \"named.secroots\";\n\
send-cookie true;\n\
serial-query-rate 20;\n\
server-id none;\n\
session-keyalg hmac-sha256;\n\
# session-keyfile \"" NAMED_LOCALSTATEDIR "/run/named/session.key\";\n\
session-keyname local-ddns;\n\
startup-notify-rate 20;\n\
sig0checks-quota 1;\n\
sig0key-checks-limit 16;\n\
sig0message-checks-limit 2;\n\
statistics-file \"named.stats\";\n\
tcp-advertised-timeout 300;\n\
tcp-clients 150;\n\
tcp-idle-timeout 300;\n\
tcp-initial-timeout 300;\n\
tcp-keepalive-timeout 300;\n\
tcp-listen-queue 10;\n\
tcp-receive-buffer 0;\n\
tcp-send-buffer 0;\n\
# tkey-domain <none>\n\
# tkey-gssapi-credential <none>\n\
transfer-message-size 20480;\n\
transfers-in 10;\n\
transfers-out 10;\n\
transfers-per-ns 2;\n\
trust-anchor-telemetry yes;\n\
udp-receive-buffer 0;\n\
udp-send-buffer 0;\n\
update-quota 100;\n\
\n\
/* view */\n\
allow-new-zones no;\n\
allow-notify {none;};\n\
allow-proxy {none;};\n\
allow-proxy-on {any;};\n\
allow-query-cache { localnets; localhost; };\n\
allow-query-cache-on { any; };\n\
allow-recursion { localnets; localhost; };\n\
allow-recursion-on { any; };\n\
allow-update-forwarding {none;};\n\
auth-nxdomain false;\n\
check-dup-records warn;\n\
check-mx warn;\n\
check-names primary fail;\n\
check-names response ignore;\n\
check-names secondary warn;\n\
check-spf warn;\n\
check-svcb yes;\n\
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef USE_DNSRPS
" dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
#endif /* ifdef USE_DNSRPS */
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif /* ifdef HAVE_DNSTAP */
"\
fetch-quota-params 100 0.1 0.3 0.7;\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
lame-ttl 0;\n"
#ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n"
#endif /* ifdef HAVE_LMDB */
" max-cache-size 90%;\n\
max-cache-ttl 604800; /* 1 week */\n\
max-clients-per-query 100;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\
max-recursion-queries 50;\n\
max-query-count 200;\n\
max-query-restarts 11;\n\
max-stale-ttl 86400; /* 1 day */\n\
message-compression yes;\n\
min-ncache-ttl 0; /* 0 hours */\n\
min-cache-ttl 0; /* 0 seconds */\n\
minimal-any false;\n\
minimal-responses no-auth-recursive;\n\
notify-source *;\n\
notify-source-v6 *;\n\
nsec3-test-zone no;\n\
parental-source *;\n\
parental-source-v6 *;\n\
provide-ixfr true;\n\
qname-minimization relaxed;\n\
query-source address *;\n\
query-source-v6 address *;\n\
recursion true;\n\
request-expire true;\n\
request-ixfr true;\n\
require-server-cookie no;\n\
root-key-sentinel yes;\n\
servfail-ttl 1;\n\
# sortlist <none>\n\
stale-answer-client-timeout off;\n\
stale-answer-enable false;\n\
stale-answer-ttl 30; /* 30 seconds */\n\
stale-cache-enable false;\n\
stale-refresh-time 30; /* 30 seconds */\n\
synth-from-dnssec yes;\n\
# topology <none>\n\
transfer-format many-answers;\n\
resolver-use-dns64 false;\n\
v6-bias 50;\n\
zero-no-soa-ttl-cache no;\n\
\n\
/* zone */\n\
allow-query {any;};\n\
allow-query-on {any;};\n\
allow-transfer {none;};\n\
# also-notify <none>\n\
check-integrity yes;\n\
check-mx-cname warn;\n\
check-sibling yes;\n\
check-srv-cname warn;\n\
check-wildcard yes;\n\
dialup no;\n\
dnssec-loadkeys-interval 60;\n\
# forward <none>\n\
# forwarders <none>\n\
# inline-signing no;\n\
ixfr-from-differences false;\n\
max-journal-size default;\n\
max-records 0;\n\
max-records-per-type 100;\n\
max-refresh-time 2419200; /* 4 weeks */\n\
max-retry-time 1209600; /* 2 weeks */\n\
max-types-per-name 100;\n\
max-transfer-idle-in 60;\n\
max-transfer-idle-out 60;\n\
max-transfer-time-in 120;\n\
max-transfer-time-out 120;\n\
min-refresh-time 300;\n\
min-retry-time 500;\n\
min-transfer-rate-in 10240 5;\n\
multi-master no;\n\
notify yes;\n\
notify-delay 5;\n\
notify-to-soa no;\n\
serial-update-method increment;\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65534;\n\
transfer-source *;\n\
transfer-source-v6 *;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
zero-no-soa-ttl yes;\n\
zone-statistics terse;\n\
};\n\
"
"#\n\
# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
#\n\
view \"_bind\" chaos {\n\
recursion no;\n\
notify no;\n\
allow-new-zones no;\n\
max-cache-size 2M;\n\
\n\
# Prevent use of this zone in DNS amplified reflection DoS attacks\n\
rate-limit {\n\
responses-per-second 3;\n\
slip 0;\n\
min-table-size 10;\n\
};\n\
\n\
zone \"version.bind\" chaos {\n\
type primary;\n\
database \"_builtin version\";\n\
};\n\
\n\
zone \"hostname.bind\" chaos {\n\
type primary;\n\
database \"_builtin hostname\";\n\
};\n\
\n\
zone \"authors.bind\" chaos {\n\
type primary;\n\
database \"_builtin authors\";\n\
};\n\
\n\
zone \"id.server\" chaos {\n\
type primary;\n\
database \"_builtin id\";\n\
};\n\
};\n\
"
"#\n\
# Built-in DNSSEC key and signing policies.\n\
#\n\
dnssec-policy \"default\" {\n\
keys {\n\
csk key-directory lifetime unlimited algorithm 13;\n\
};\n\
\n\
cdnskey yes;\n\
cds-digest-types { 2; };\n\
dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
inline-signing yes;\n\
offline-ksk no;\n\
publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
purge-keys " DNS_KASP_PURGE_KEYS "; \n\
signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
};\n\
\n\
dnssec-policy \"insecure\" {\n\
max-zone-ttl 0; \n\
keys { };\n\
inline-signing yes;\n\
};\n\
\n\
"
"#\n\
# Default trusted key(s), used if \n\
# \"dnssec-validation auto;\" is set and\n\
# " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\
#\n\
# BEGIN TRUST ANCHORS\n"
/* Imported from bind.keys.h: */
TRUST_ANCHORS
"# END TRUST ANCHORS\n\
\n\
remote-servers " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
2801:1b8:10::b; # b.root-servers.net\n\
2001:500:2::c; # c.root-servers.net\n\
2001:500:2f::f; # f.root-servers.net\n\
2001:500:12::d0d; # g.root-servers.net\n\
2001:7fd::1; # k.root-servers.net\n\
2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\
2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\
170.247.170.2; # b.root-servers.net\n\
192.33.4.12; # c.root-servers.net\n\
192.5.5.241; # f.root-servers.net\n\
192.112.36.4; # g.root-servers.net\n\
193.0.14.129; # k.root-servers.net\n\
192.0.47.132; # xfr.cjr.dns.icann.org\n\
192.0.32.132; # xfr.lax.dns.icann.org\n\
};\n\
";
isc_result_t
named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
isc_buffer_t b;
isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
isc_buffer_add(&b, sizeof(defaultconf) - 1);
return cfg_parse_buffer(parser, &b, __FILE__, 0, &cfg_type_namedconf,
CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
CFG_PCTX_NOEXPERIMENTAL,
conf);
}
const char *
named_config_getdefault(void) {
return defaultconf;
}
isc_result_t
named_config_get(cfg_obj_t const *const *maps, const char *name,
const cfg_obj_t **obj) {
int i;
for (i = 0; maps[i] != NULL; i++) {
if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
return ISC_R_SUCCESS;
}
}
return ISC_R_NOTFOUND;
}
isc_result_t
named_checknames_get(const cfg_obj_t **maps, const char *const names[],
const cfg_obj_t **obj) {
const cfg_listelt_t *element;
const cfg_obj_t *checknames;
const cfg_obj_t *type;
const cfg_obj_t *value;
int i;
REQUIRE(maps != NULL);
REQUIRE(names != NULL);
REQUIRE(obj != NULL && *obj == NULL);
for (i = 0; maps[i] != NULL; i++) {
checknames = NULL;
if (cfg_map_get(maps[i], "check-names", &checknames) ==
ISC_R_SUCCESS)
{
/*
* Zone map entry is not a list.
*/
if (checknames != NULL && !cfg_obj_islist(checknames)) {
*obj = checknames;
return ISC_R_SUCCESS;
}
for (element = cfg_list_first(checknames);
element != NULL; element = cfg_list_next(element))
{
value = cfg_listelt_value(element);
type = cfg_tuple_get(value, "type");
for (size_t j = 0; names[j] != NULL; j++) {
if (strcasecmp(cfg_obj_asstring(type),
names[j]) == 0)
{
*obj = cfg_tuple_get(value,
"mode");
return ISC_R_SUCCESS;
}
}
}
}
}
return ISC_R_NOTFOUND;
}
int
named_config_listcount(const cfg_obj_t *list) {
const cfg_listelt_t *e;
int i = 0;
for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e)) {
i++;
}
return i;
}
isc_result_t
named_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
dns_rdataclass_t *classp) {
isc_textregion_t r;
isc_result_t result;
if (!cfg_obj_isstring(classobj)) {
*classp = defclass;
return ISC_R_SUCCESS;
}
r.base = UNCONST(cfg_obj_asstring(classobj));
r.length = strlen(r.base);
result = dns_rdataclass_fromtext(classp, &r);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(classobj, named_g_lctx, ISC_LOG_ERROR,
"unknown class '%s'", r.base);
}
return result;
}
isc_result_t
named_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
dns_rdatatype_t *typep) {
isc_textregion_t r;
isc_result_t result;
if (!cfg_obj_isstring(typeobj)) {
*typep = deftype;
return ISC_R_SUCCESS;
}
r.base = UNCONST(cfg_obj_asstring(typeobj));
r.length = strlen(r.base);
result = dns_rdatatype_fromtext(typep, &r);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(typeobj, named_g_lctx, ISC_LOG_ERROR,
"unknown type '%s'", r.base);
}
return result;
}
dns_zonetype_t
named_config_getzonetype(const cfg_obj_t *zonetypeobj) {
dns_zonetype_t ztype = dns_zone_none;
const char *str;
str = cfg_obj_asstring(zonetypeobj);
if (strcasecmp(str, "primary") == 0 || strcasecmp(str, "master") == 0) {
ztype = dns_zone_primary;
} else if (strcasecmp(str, "secondary") == 0 ||
strcasecmp(str, "slave") == 0)
{
ztype = dns_zone_secondary;
} else if (strcasecmp(str, "mirror") == 0) {
ztype = dns_zone_mirror;
} else if (strcasecmp(str, "stub") == 0) {
ztype = dns_zone_stub;
} else if (strcasecmp(str, "static-stub") == 0) {
ztype = dns_zone_staticstub;
} else if (strcasecmp(str, "redirect") == 0) {
ztype = dns_zone_redirect;
} else {
UNREACHABLE();
}
return ztype;
}
isc_result_t
named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
const char *name, const cfg_obj_t **ret) {
isc_result_t result;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *elt;
REQUIRE(cctx != NULL);
REQUIRE(name != NULL);
REQUIRE(ret != NULL && *ret == NULL);
result = cfg_map_get(cctx, list, &obj);
if (result != ISC_R_SUCCESS) {
return result;
}
elt = cfg_list_first(obj);
while (elt != NULL) {
obj = cfg_listelt_value(elt);
if (strcasecmp(cfg_obj_asstring(cfg_tuple_get(obj, "name")),
name) == 0)
{
*ret = obj;
return ISC_R_SUCCESS;
}
elt = cfg_list_next(elt);
}
return ISC_R_NOTFOUND;
}
static isc_result_t
named_config_getname(isc_mem_t *mctx, const cfg_obj_t *obj,
dns_name_t **namep) {
REQUIRE(namep != NULL && *namep == NULL);
const char *objstr;
isc_result_t result;
isc_buffer_t b;
dns_fixedname_t fname;
if (!cfg_obj_isstring(obj)) {
*namep = NULL;
return ISC_R_SUCCESS;
}
*namep = isc_mem_get(mctx, sizeof(**namep));
dns_name_init(*namep, NULL);
objstr = cfg_obj_asstring(obj);
isc_buffer_constinit(&b, objstr, strlen(objstr));
isc_buffer_add(&b, strlen(objstr));
dns_fixedname_init(&fname);
result = dns_name_fromtext(dns_fixedname_name(&fname), &b, dns_rootname,
0, NULL);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, *namep, sizeof(**namep));
*namep = NULL;
return result;
}
dns_name_dup(dns_fixedname_name(&fname), mctx, *namep);
return ISC_R_SUCCESS;
}
#define grow_array(mctx, array, newlen, oldlen) \
if (newlen >= oldlen) { \
array = isc_mem_creget(mctx, array, oldlen, newlen + 16, \
sizeof(array[0])); \
oldlen = newlen + 16; \
}
#define shrink_array(mctx, array, newlen, oldlen) \
if (newlen < oldlen) { \
array = isc_mem_creget(mctx, array, oldlen, newlen, \
sizeof(array[0])); \
oldlen = newlen; \
}
static const char *remotesnames[4] = { "remote-servers", "parental-agents",
"primaries", "masters" };
isc_result_t
named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
uint32_t addrcount = 0, srccount = 0;
uint32_t keycount = 0, tlscount = 0;
uint32_t listcount = 0, l = 0, i = 0;
uint32_t stackcount = 0, pushed = 0;
isc_result_t result;
const cfg_listelt_t *element;
const cfg_obj_t *addrlist;
const cfg_obj_t *portobj;
const cfg_obj_t *src4obj;
const cfg_obj_t *src6obj;
in_port_t port = (in_port_t)0;
in_port_t def_port;
in_port_t def_tlsport;
isc_sockaddr_t src4;
isc_sockaddr_t src6;
isc_sockaddr_t *addrs = NULL;
isc_sockaddr_t *sources = NULL;
dns_name_t **keys = NULL;
dns_name_t **tlss = NULL;
struct {
const char *name;
in_port_t port;
isc_sockaddr_t *src4s;
isc_sockaddr_t *src6s;
} *lists = NULL;
struct {
const cfg_listelt_t *element;
in_port_t port;
isc_sockaddr_t src4;
isc_sockaddr_t src6;
} *stack = NULL;
REQUIRE(ipkl != NULL);
REQUIRE(ipkl->count == 0);
REQUIRE(ipkl->addrs == NULL);
REQUIRE(ipkl->keys == NULL);
REQUIRE(ipkl->tlss == NULL);
REQUIRE(ipkl->labels == NULL);
REQUIRE(ipkl->allocated == 0);
/*
* Get system defaults.
*/
result = named_config_getport(config, "port", &def_port);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result = named_config_getport(config, "tls-port", &def_tlsport);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
newlist:
addrlist = cfg_tuple_get(list, "addresses");
portobj = cfg_tuple_get(list, "port");
src4obj = cfg_tuple_get(list, "source");
src6obj = cfg_tuple_get(list, "source-v6");
if (cfg_obj_isuint32(portobj)) {
uint32_t val = cfg_obj_asuint32(portobj);
if (val > UINT16_MAX) {
cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
"port '%u' out of range", val);
result = ISC_R_RANGE;
goto cleanup;
}
port = (in_port_t)val;
}
if (src4obj != NULL && cfg_obj_issockaddr(src4obj)) {
src4 = *cfg_obj_assockaddr(src4obj);
} else {
isc_sockaddr_any(&src4);
}
if (src6obj != NULL && cfg_obj_issockaddr(src6obj)) {
src6 = *cfg_obj_assockaddr(src6obj);
} else {
isc_sockaddr_any6(&src6);
}
element = cfg_list_first(addrlist);
resume:
for (; element != NULL; element = cfg_list_next(element)) {
const cfg_obj_t *addr;
const cfg_obj_t *key;
const cfg_obj_t *tls;
addr = cfg_tuple_get(cfg_listelt_value(element),
"remoteselement");
key = cfg_tuple_get(cfg_listelt_value(element), "key");
tls = cfg_tuple_get(cfg_listelt_value(element), "tls");
if (!cfg_obj_issockaddr(addr)) {
const char *listname = cfg_obj_asstring(addr);
isc_result_t tresult;
uint32_t j;
/* Grow lists? */
grow_array(mctx, lists, l, listcount);
/* Seen? */
for (j = 0; j < l; j++) {
if (strcasecmp(lists[j].name, listname) == 0) {
break;
}
}
if (j < l) {
continue;
}
list = NULL;
tresult = ISC_R_NOTFOUND;
for (size_t n = 0; n < ARRAY_SIZE(remotesnames); n++) {
tresult = named_config_getremotesdef(
config, remotesnames[n], listname,
&list);
if (tresult == ISC_R_SUCCESS) {
break;
}
}
if (tresult == ISC_R_NOTFOUND) {
cfg_obj_log(addr, named_g_lctx, ISC_LOG_ERROR,
"remote-servers \"%s\" not found",
listname);
}
if (tresult != ISC_R_SUCCESS) {
result = tresult;
goto cleanup;
}
lists[l++].name = listname;
/* Grow stack? */
grow_array(mctx, stack, pushed, stackcount);
/*
* We want to resume processing this list on the
* next element.
*/
stack[pushed].element = cfg_list_next(element);
stack[pushed].port = port;
stack[pushed].src4 = src4;
stack[pushed].src6 = src6;
pushed++;
goto newlist;
}
grow_array(mctx, addrs, i, addrcount);
grow_array(mctx, keys, i, keycount);
grow_array(mctx, tlss, i, tlscount);
grow_array(mctx, sources, i, srccount);
addrs[i] = *cfg_obj_assockaddr(addr);
result = named_config_getname(mctx, key, &keys[i]);
if (result != ISC_R_SUCCESS) {
i++; /* Increment here so that cleanup on error works.
*/
goto cleanup;
}
result = named_config_getname(mctx, tls, &tlss[i]);
if (result != ISC_R_SUCCESS) {
i++; /* Increment here so that cleanup on error works.
*/
goto cleanup;
}
/* If the port is unset, take it from one of the upper levels */
if (isc_sockaddr_getport(&addrs[i]) == 0) {
in_port_t addr_port = port;
/* If unset, use the default port or tls-port */
if (addr_port == 0) {
if (tlss[i] != NULL) {
addr_port = def_tlsport;
} else {
addr_port = def_port;
}
}
isc_sockaddr_setport(&addrs[i], addr_port);
}
switch (isc_sockaddr_pf(&addrs[i])) {
case PF_INET:
sources[i] = src4;
break;
case PF_INET6:
sources[i] = src6;
break;
default:
i++; /* Increment here so that cleanup on error works.
*/
result = ISC_R_NOTIMPLEMENTED;
goto cleanup;
}
i++;
}
if (pushed != 0) {
pushed--;
element = stack[pushed].element;
port = stack[pushed].port;
src4 = stack[pushed].src4;
src6 = stack[pushed].src6;
goto resume;
}
shrink_array(mctx, addrs, i, addrcount);
shrink_array(mctx, keys, i, keycount);
shrink_array(mctx, tlss, i, tlscount);
shrink_array(mctx, sources, i, srccount);
if (lists != NULL) {
isc_mem_cput(mctx, lists, listcount, sizeof(lists[0]));
}
if (stack != NULL) {
isc_mem_cput(mctx, stack, stackcount, sizeof(stack[0]));
}
INSIST(keycount == addrcount);
INSIST(tlscount == addrcount);
INSIST(srccount == addrcount);
ipkl->addrs = addrs;
ipkl->keys = keys;
ipkl->tlss = tlss;
ipkl->sources = sources;
ipkl->count = addrcount;
ipkl->allocated = addrcount;
return ISC_R_SUCCESS;
cleanup:
if (addrs != NULL) {
isc_mem_cput(mctx, addrs, addrcount, sizeof(addrs[0]));
}
if (keys != NULL) {
for (size_t j = 0; j < i; j++) {
if (keys[j] == NULL) {
continue;
}
if (dns_name_dynamic(keys[j])) {
dns_name_free(keys[j], mctx);
}
isc_mem_put(mctx, keys[j], sizeof(*keys[j]));
}
isc_mem_cput(mctx, keys, keycount, sizeof(keys[0]));
}
if (tlss != NULL) {
for (size_t j = 0; j < i; j++) {
if (tlss[j] == NULL) {
continue;
}
if (dns_name_dynamic(tlss[j])) {
dns_name_free(tlss[j], mctx);
}
isc_mem_put(mctx, tlss[j], sizeof(*tlss[j]));
}
isc_mem_cput(mctx, tlss, tlscount, sizeof(tlss[0]));
}
if (sources != NULL) {
isc_mem_cput(mctx, sources, srccount, sizeof(sources[0]));
}
if (lists != NULL) {
isc_mem_cput(mctx, lists, listcount, sizeof(lists[0]));
}
if (stack != NULL) {
isc_mem_cput(mctx, stack, stackcount, sizeof(stack[0]));
}
return result;
}
isc_result_t
named_config_getport(const cfg_obj_t *config, const char *type,
in_port_t *portp) {
const cfg_obj_t *maps[3];
const cfg_obj_t *options = NULL;
const cfg_obj_t *portobj = NULL;
isc_result_t result;
int i;
(void)cfg_map_get(config, "options", &options);
i = 0;
if (options != NULL) {
maps[i++] = options;
}
maps[i++] = named_g_defaults;
maps[i] = NULL;
result = named_config_get(maps, type, &portobj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
"port '%u' out of range",
cfg_obj_asuint32(portobj));
return ISC_R_RANGE;
}
*portp = (in_port_t)cfg_obj_asuint32(portobj);
return ISC_R_SUCCESS;
}
struct keyalgorithms {
const char *str;
enum {
hmacnone,
hmacmd5,
hmacsha1,
hmacsha224,
hmacsha256,
hmacsha384,
hmacsha512
} hmac;
unsigned int type;
uint16_t size;
} algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
{ NULL, hmacnone, DST_ALG_UNKNOWN, 0 } };
isc_result_t
named_config_getkeyalgorithm(const char *str, unsigned int *typep,
uint16_t *digestbits) {
int i;
size_t len = 0;
uint16_t bits;
isc_result_t result;
for (i = 0; algorithms[i].str != NULL; i++) {
len = strlen(algorithms[i].str);
if (strncasecmp(algorithms[i].str, str, len) == 0 &&
(str[len] == '\0' ||
(algorithms[i].size != 0 && str[len] == '-')))
{
break;
}
}
if (algorithms[i].str == NULL) {
return ISC_R_NOTFOUND;
}
if (str[len] == '-') {
result = isc_parse_uint16(&bits, str + len + 1, 10);
if (result != ISC_R_SUCCESS) {
return result;
}
if (bits > algorithms[i].size) {
return ISC_R_RANGE;
}
} else if (algorithms[i].size == 0) {
bits = 128;
} else {
bits = algorithms[i].size;
}
SET_IF_NOT_NULL(typep, algorithms[i].type);
SET_IF_NOT_NULL(digestbits, bits);
return ISC_R_SUCCESS;
}
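Review bot: the `#elif defined(HAVE_GEOIP2)` branch in `defaultconf` (right after `edns-udp-size 1232;`) tests the same macro as the preceding `#if defined(HAVE_GEOIP2)`, so the `geoip-directory "."` fallback is dead code; either drop it or make it test the condition it was meant for. The port range checks are also inconsistent: `named_config_getipandkeylist` rejects a per-list port with `val > UINT16_MAX`, while `named_config_getport` uses `>= UINT16_MAX` and so reports the valid port 65535 as "out of range"; using `> UINT16_MAX` in both places keeps the two paths in agreement. One more question on the cleanup path: when `named_config_getname(mctx, key, &keys[i])` fails, `i` is incremented before the `goto cleanup`, and the `tlss` loop there reads `tlss[j]` for every `j < i` although `tlss[i]` was never assigned on that path; this is only safe if `isc_mem_creget` zero-fills the new elements, so either state that assumption in a comment or assign `tlss[i] = NULL` before the `goto`.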

310
bin/named/control.c Normal file

@ -0,0 +1,310 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <stdbool.h>
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <isccc/alist.h>
#include <isccc/cc.h>
#include <named/control.h>
#include <named/globals.h>
#include <named/log.h>
#include <named/os.h>
#include <named/server.h>
#ifdef HAVE_LIBSCF
#include <named/smf_globals.h>
#endif /* ifdef HAVE_LIBSCF */
static isc_result_t
getcommand(isc_lex_t *lex, char **cmdp) {
isc_result_t result;
isc_token_t token;
REQUIRE(cmdp != NULL && *cmdp == NULL);
result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF, &token);
if (result != ISC_R_SUCCESS) {
return result;
}
isc_lex_ungettoken(lex, &token);
if (token.type != isc_tokentype_string) {
return ISC_R_FAILURE;
}
*cmdp = token.value.as_textregion.base;
return ISC_R_SUCCESS;
}
static bool
command_compare(const char *str, const char *command) {
return strcasecmp(str, command) == 0;
}
/*%
* This function is called to process the incoming command
* when a control channel message is received.
*/
isc_result_t
named_control_docommand(isccc_sexpr_t *message, bool readonly,
isc_buffer_t **text) {
isccc_sexpr_t *data;
char *cmdline = NULL;
char *command = NULL;
isc_result_t result;
int log_level;
isc_buffer_t src;
isc_lex_t *lex = NULL;
#ifdef HAVE_LIBSCF
named_smf_want_disable = 0;
#endif /* ifdef HAVE_LIBSCF */
data = isccc_alist_lookup(message, "_data");
if (!isccc_alist_alistp(data)) {
/*
* No data section.
*/
return ISC_R_FAILURE;
}
result = isccc_cc_lookupstring(data, "type", &cmdline);
if (result != ISC_R_SUCCESS) {
/*
* We have no idea what this is.
*/
return result;
}
isc_lex_create(named_g_mctx, strlen(cmdline), &lex);
isc_buffer_init(&src, cmdline, strlen(cmdline));
isc_buffer_add(&src, strlen(cmdline));
result = isc_lex_openbuffer(lex, &src);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result = getcommand(lex, &command);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Compare the 'command' parameter against all known control commands.
*/
if ((command_compare(command, NAMED_COMMAND_NULL) &&
strlen(cmdline) == 4) ||
command_compare(command, NAMED_COMMAND_STATUS))
{
log_level = ISC_LOG_DEBUG(1);
} else {
log_level = ISC_LOG_INFO;
}
/*
* If this listener should have read-only access, reject
* restricted commands here. rndc nta is handled specially
* below.
*/
if (readonly && !command_compare(command, NAMED_COMMAND_NTA) &&
!command_compare(command, NAMED_COMMAND_NULL) &&
!command_compare(command, NAMED_COMMAND_STATUS) &&
!command_compare(command, NAMED_COMMAND_SHOWZONE) &&
!command_compare(command, NAMED_COMMAND_TESTGEN) &&
!command_compare(command, NAMED_COMMAND_ZONESTATUS))
{
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_CONTROL, log_level,
"rejecting restricted control channel "
"command '%s'",
cmdline);
result = ISC_R_FAILURE;
goto cleanup;
}
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'", cmdline);
/*
* After the lengthy "halt" and "stop", the commands are
* handled in alphabetical order of the NAMED_COMMAND_ macros.
*/
if (command_compare(command, NAMED_COMMAND_HALT)) {
#ifdef HAVE_LIBSCF
/*
* If we are managed by smf(5), AND in chroot, then
* we cannot connect to the smf repository, so just
* return with an appropriate message back to rndc.
*/
if (named_smf_got_instance == 1 && named_smf_chroot == 1) {
result = named_smf_add_message(text);
goto cleanup;
}
/*
* If we are managed by smf(5) but not in chroot,
* try to disable ourselves the smf way.
*/
if (named_smf_got_instance == 1 && named_smf_chroot == 0) {
named_smf_want_disable = 1;
}
/*
* If named_smf_got_instance = 0, named_smf_chroot is
* not relevant and we fall through to shutdown below.
*/
#endif /* ifdef HAVE_LIBSCF */
/* Do not flush master files */
named_server_flushonshutdown(named_g_server, false);
named_os_shutdownmsg(cmdline, *text);
isc_loopmgr_shutdown(named_g_loopmgr);
result = ISC_R_SHUTTINGDOWN;
} else if (command_compare(command, NAMED_COMMAND_STOP)) {
/*
* "stop" is the same as "halt" except it does
* flush master files.
*/
#ifdef HAVE_LIBSCF
if (named_smf_got_instance == 1 && named_smf_chroot == 1) {
result = named_smf_add_message(text);
goto cleanup;
}
if (named_smf_got_instance == 1 && named_smf_chroot == 0) {
named_smf_want_disable = 1;
}
#endif /* ifdef HAVE_LIBSCF */
named_server_flushonshutdown(named_g_server, true);
named_os_shutdownmsg(cmdline, *text);
isc_loopmgr_shutdown(named_g_loopmgr);
result = ISC_R_SHUTTINGDOWN;
} else if (command_compare(command, NAMED_COMMAND_ADDZONE) ||
command_compare(command, NAMED_COMMAND_MODZONE))
{
result = named_server_changezone(named_g_server, cmdline, text);
} else if (command_compare(command, NAMED_COMMAND_DELZONE)) {
result = named_server_delzone(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_DNSSEC)) {
result = named_server_dnssec(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_DNSTAP) ||
command_compare(command, NAMED_COMMAND_DNSTAPREOPEN))
{
result = named_server_dnstap(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_DUMPDB)) {
result = named_server_dumpdb(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_DUMPSTATS)) {
result = named_server_dumpstats(named_g_server);
} else if (command_compare(command, NAMED_COMMAND_FETCHLIMIT)) {
result = named_server_fetchlimit(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_FLUSH)) {
result = named_server_flushcache(named_g_server, lex);
} else if (command_compare(command, NAMED_COMMAND_FLUSHNAME)) {
result = named_server_flushnode(named_g_server, lex, false);
} else if (command_compare(command, NAMED_COMMAND_FLUSHTREE)) {
result = named_server_flushnode(named_g_server, lex, true);
} else if (command_compare(command, NAMED_COMMAND_FREEZE)) {
result = named_server_freeze(named_g_server, true, lex, text);
} else if (command_compare(command, NAMED_COMMAND_SKR)) {
result = named_server_skr(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_LOADKEYS) ||
command_compare(command, NAMED_COMMAND_SIGN))
{
result = named_server_rekey(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_MEMPROF)) {
result = named_server_togglememprof(lex);
} else if (command_compare(command, NAMED_COMMAND_MKEYS)) {
result = named_server_mkeys(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_NOTIFY)) {
result = named_server_notifycommand(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_NOTRACE)) {
named_g_debuglevel = 0;
isc_log_setdebuglevel(named_g_lctx, named_g_debuglevel);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NAMED_COMMAND_NTA)) {
result = named_server_nta(named_g_server, lex, readonly, text);
} else if (command_compare(command, NAMED_COMMAND_NULL)) {
result = ISC_R_SUCCESS;
} else if (command_compare(command, NAMED_COMMAND_QUERYLOG)) {
result = named_server_setortoggle(named_g_server,
"query logging",
NS_SERVER_LOGQUERIES, lex);
} else if (command_compare(command, NAMED_COMMAND_RECONFIG)) {
result = named_server_reconfigcommand(named_g_server);
} else if (command_compare(command, NAMED_COMMAND_RECURSING)) {
result = named_server_dumprecursing(named_g_server);
} else if (command_compare(command, NAMED_COMMAND_REFRESH)) {
result = named_server_refreshcommand(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_RELOAD)) {
result = named_server_reloadcommand(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_RESETSTATS)) {
result = named_server_resetstatscommand(named_g_server, lex,
text);
} else if (command_compare(command, NAMED_COMMAND_RESPONSELOG)) {
result = named_server_setortoggle(named_g_server,
"response logging",
NS_SERVER_LOGRESPONSES, lex);
} else if (command_compare(command, NAMED_COMMAND_RETRANSFER)) {
result = named_server_retransfercommand(named_g_server, lex,
text);
} else if (command_compare(command, NAMED_COMMAND_SCAN)) {
named_server_scan_interfaces(named_g_server);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NAMED_COMMAND_SECROOTS)) {
result = named_server_dumpsecroots(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_SERVESTALE)) {
result = named_server_servestale(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_SHOWZONE)) {
result = named_server_showzone(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_SIGNING)) {
result = named_server_signing(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_STATUS)) {
result = named_server_status(named_g_server, text);
} else if (command_compare(command, NAMED_COMMAND_SYNC)) {
result = named_server_sync(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_TCPTIMEOUTS)) {
result = named_server_tcptimeouts(lex, text);
} else if (command_compare(command, NAMED_COMMAND_TESTGEN)) {
result = named_server_testgen(lex, text);
} else if (command_compare(command, NAMED_COMMAND_THAW) ||
command_compare(command, NAMED_COMMAND_UNFREEZE))
{
result = named_server_freeze(named_g_server, false, lex, text);
} else if (command_compare(command, NAMED_COMMAND_TRACE)) {
result = named_server_setdebuglevel(named_g_server, lex);
} else if (command_compare(command, NAMED_COMMAND_VALIDATION)) {
result = named_server_validation(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_ZONESTATUS)) {
result = named_server_zonestatus(named_g_server, lex, text);
} else {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
"unknown control channel command '%s'", command);
result = DNS_R_UNKNOWNCOMMAND;
}
cleanup:
if (lex != NULL) {
isc_lex_destroy(&lex);
}
return result;
}
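Review bot: the rejection of a restricted command on a read-only listener (the isc_log_write right after the `readonly &&` allowlist check) is written at `log_level`, which for every command that can reach that branch resolves to ISC_LOG_INFO, the same level as the "received control channel command" line; an authenticated client attempting `reload`, `halt` or `flush` over a read-only channel is a condition operators want to alert on, so log it at ISC_LOG_WARNING, matching the "unknown control channel command" case at the end of the chain. The allowlist itself is default-deny (anything not named there is rejected), which is the right shape; a one-line comment stating that a new NAMED_COMMAND_ macro must be added to that list explicitly if it is safe for read-only listeners would save a future contributor from reconstructing that from the chain of negations. Minor: `strlen(cmdline) == 4` in the log-level selection relies on "null" being four characters; `strlen(NAMED_COMMAND_NULL)` says what is meant.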

1386
bin/named/controlconf.c Normal file

File diff suppressed because it is too large

@ -0,0 +1,550 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/util.h>
#include <isc/uv.h>
#include <dns/dlz_dlopen.h>
#include <dns/log.h>
#include <dlz/dlz_dlopen_driver.h>
#include <named/globals.h>
static dns_sdlzimplementation_t *dlz_dlopen = NULL;
typedef struct dlopen_data {
isc_mem_t *mctx;
char *dl_path;
char *dlzname;
uv_lib_t dl_handle;
void *dbdata;
unsigned int flags;
isc_mutex_t lock;
int version;
bool in_configure;
dlz_dlopen_version_t *dlz_version;
dlz_dlopen_create_t *dlz_create;
dlz_dlopen_findzonedb_t *dlz_findzonedb;
dlz_dlopen_lookup_t *dlz_lookup;
dlz_dlopen_authority_t *dlz_authority;
dlz_dlopen_allnodes_t *dlz_allnodes;
dlz_dlopen_allowzonexfr_t *dlz_allowzonexfr;
dlz_dlopen_newversion_t *dlz_newversion;
dlz_dlopen_closeversion_t *dlz_closeversion;
dlz_dlopen_configure_t *dlz_configure;
dlz_dlopen_ssumatch_t *dlz_ssumatch;
dlz_dlopen_addrdataset_t *dlz_addrdataset;
dlz_dlopen_subrdataset_t *dlz_subrdataset;
dlz_dlopen_delrdataset_t *dlz_delrdataset;
dlz_dlopen_destroy_t *dlz_destroy;
} dlopen_data_t;
/* Modules can choose whether they are lock-safe or not. */
#define MAYBE_LOCK(cd) \
do { \
if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
!cd->in_configure) \
LOCK(&cd->lock); \
} while (0)
#define MAYBE_UNLOCK(cd) \
do { \
if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
!cd->in_configure) \
UNLOCK(&cd->lock); \
} while (0)
/*
* Log a message at the given level.
*/
static void
dlopen_log(int level, const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
ISC_LOG_DEBUG(level), fmt, ap);
va_end(ap);
}
/*
* SDLZ methods
*/
static isc_result_t
dlopen_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
dns_sdlzallnodes_t *allnodes) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_allnodes == NULL) {
return ISC_R_NOPERM;
}
MAYBE_LOCK(cd);
result = cd->dlz_allnodes(zone, cd->dbdata, allnodes);
MAYBE_UNLOCK(cd);
return result;
}
static isc_result_t
dlopen_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
const char *client) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_allowzonexfr == NULL) {
return ISC_R_NOPERM;
}
MAYBE_LOCK(cd);
result = cd->dlz_allowzonexfr(cd->dbdata, name, client);
MAYBE_UNLOCK(cd);
return result;
}
static isc_result_t
dlopen_dlz_authority(const char *zone, void *driverarg, void *dbdata,
dns_sdlzlookup_t *lookup) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_authority == NULL) {
return ISC_R_NOTIMPLEMENTED;
}
MAYBE_LOCK(cd);
result = cd->dlz_authority(zone, cd->dbdata, lookup);
MAYBE_UNLOCK(cd);
return result;
}
static isc_result_t
dlopen_dlz_findzonedb(void *driverarg, void *dbdata, const char *name,
dns_clientinfomethods_t *methods,
dns_clientinfo_t *clientinfo) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
MAYBE_LOCK(cd);
result = cd->dlz_findzonedb(cd->dbdata, name, methods, clientinfo);
MAYBE_UNLOCK(cd);
return result;
}
static isc_result_t
dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
void *dbdata, dns_sdlzlookup_t *lookup,
dns_clientinfomethods_t *methods,
dns_clientinfo_t *clientinfo) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
MAYBE_LOCK(cd);
result = cd->dlz_lookup(zone, name, cd->dbdata, lookup, methods,
clientinfo);
MAYBE_UNLOCK(cd);
return result;
}
/*
* Load a symbol from the library
*/
static void *
dl_load_symbol(dlopen_data_t *cd, const char *symbol, bool mandatory) {
void *ptr = NULL;
int r = uv_dlsym(&cd->dl_handle, symbol, &ptr);
if (r != 0) {
const char *errmsg = uv_dlerror(&cd->dl_handle);
if (errmsg == NULL) {
errmsg = "returned function pointer is NULL";
}
if (mandatory) {
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen: library '%s' is missing "
"required symbol '%s': %s",
cd->dl_path, symbol, errmsg);
}
}
return ptr;
}
static void
dlopen_dlz_destroy(void *driverarg, void *dbdata);
/*
* Called at startup for each dlopen zone in named.conf
*/
static isc_result_t
dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
void *driverarg, void **dbdata) {
dlopen_data_t *cd;
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_FAILURE;
int r;
UNUSED(driverarg);
if (argc < 2) {
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen driver for '%s' needs a path to "
"the shared library",
dlzname);
return ISC_R_FAILURE;
}
isc_mem_create(&mctx);
cd = isc_mem_get(mctx, sizeof(*cd));
*cd = (dlopen_data_t){
.mctx = mctx,
.dl_path = isc_mem_strdup(mctx, argv[1]),
.dlzname = isc_mem_strdup(mctx, dlzname),
};
/* Initialize the lock */
isc_mutex_init(&cd->lock);
r = uv_dlopen(cd->dl_path, &cd->dl_handle);
if (r != 0) {
const char *errmsg = uv_dlerror(&cd->dl_handle);
if (errmsg == NULL) {
errmsg = "unknown error";
}
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen failed to open library '%s': %s",
cd->dl_path, errmsg);
result = ISC_R_FAILURE;
goto failed;
}
/* Find the symbols */
cd->dlz_version =
(dlz_dlopen_version_t *)dl_load_symbol(cd, "dlz_version", true);
cd->dlz_create = (dlz_dlopen_create_t *)dl_load_symbol(cd, "dlz_create",
true);
cd->dlz_lookup = (dlz_dlopen_lookup_t *)dl_load_symbol(cd, "dlz_lookup",
true);
cd->dlz_findzonedb = (dlz_dlopen_findzonedb_t *)dl_load_symbol(
cd, "dlz_findzonedb", true);
if (cd->dlz_create == NULL || cd->dlz_version == NULL ||
cd->dlz_lookup == NULL || cd->dlz_findzonedb == NULL)
{
/* We're missing a required symbol */
result = ISC_R_FAILURE;
goto failed;
}
cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)dl_load_symbol(
cd, "dlz_allowzonexfr", false);
cd->dlz_allnodes = (dlz_dlopen_allnodes_t *)dl_load_symbol(
cd, "dlz_allnodes", (cd->dlz_allowzonexfr != NULL));
cd->dlz_authority = (dlz_dlopen_authority_t *)dl_load_symbol(
cd, "dlz_authority", false);
cd->dlz_newversion = (dlz_dlopen_newversion_t *)dl_load_symbol(
cd, "dlz_newversion", false);
cd->dlz_closeversion = (dlz_dlopen_closeversion_t *)dl_load_symbol(
cd, "dlz_closeversion", (cd->dlz_newversion != NULL));
cd->dlz_configure = (dlz_dlopen_configure_t *)dl_load_symbol(
cd, "dlz_configure", false);
cd->dlz_ssumatch = (dlz_dlopen_ssumatch_t *)dl_load_symbol(
cd, "dlz_ssumatch", false);
cd->dlz_addrdataset = (dlz_dlopen_addrdataset_t *)dl_load_symbol(
cd, "dlz_addrdataset", false);
cd->dlz_subrdataset = (dlz_dlopen_subrdataset_t *)dl_load_symbol(
cd, "dlz_subrdataset", false);
cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)dl_load_symbol(
cd, "dlz_delrdataset", false);
cd->dlz_destroy = (dlz_dlopen_destroy_t *)dl_load_symbol(
cd, "dlz_destroy", false);
/* Check the version of the API is the same */
cd->version = cd->dlz_version(&cd->flags);
if (cd->version < (DLZ_DLOPEN_VERSION - DLZ_DLOPEN_AGE) ||
cd->version > DLZ_DLOPEN_VERSION)
{
dlopen_log(ISC_LOG_ERROR,
"dlz_dlopen: %s: incorrect driver API version %d, "
"requires %d",
cd->dl_path, cd->version, DLZ_DLOPEN_VERSION);
result = ISC_R_FAILURE;
goto failed;
}
/*
* Call the library's create function. Note that this is an
* extended version of dlz create, with the addition of
* named function pointers for helper functions that the
* driver will need. This avoids the need for the backend to
* link the BIND9 libraries
*/
MAYBE_LOCK(cd);
result = cd->dlz_create(dlzname, argc - 1, argv + 1, &cd->dbdata, "log",
dlopen_log, "putrr", dns_sdlz_putrr,
"putnamedrr", dns_sdlz_putnamedrr,
"writeable_zone", dns_dlz_writeablezone, NULL);
MAYBE_UNLOCK(cd);
if (result != ISC_R_SUCCESS) {
goto failed;
}
*dbdata = cd;
return ISC_R_SUCCESS;
failed:
dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
dlopen_dlz_destroy(NULL, cd);
return result;
}
/*
* Called when bind is shutting down
*/
static void
dlopen_dlz_destroy(void *driverarg, void *dbdata) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
UNUSED(driverarg);
if (cd->dlz_destroy && cd->dbdata) {
MAYBE_LOCK(cd);
cd->dlz_destroy(cd->dbdata);
MAYBE_UNLOCK(cd);
}
uv_dlclose(&cd->dl_handle);
isc_mutex_destroy(&cd->lock);
isc_mem_free(cd->mctx, cd->dl_path);
isc_mem_free(cd->mctx, cd->dlzname);
isc_mem_putanddetach(&cd->mctx, cd, sizeof(*cd));
}
/*
* Called to start a transaction
*/
static isc_result_t
dlopen_dlz_newversion(const char *zone, void *driverarg, void *dbdata,
void **versionp) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_newversion == NULL) {
return ISC_R_NOTIMPLEMENTED;
}
MAYBE_LOCK(cd);
result = cd->dlz_newversion(zone, cd->dbdata, versionp);
MAYBE_UNLOCK(cd);
return result;
}
/*
* Called to end a transaction
*/
static void
dlopen_dlz_closeversion(const char *zone, bool commit, void *driverarg,
void *dbdata, void **versionp) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
UNUSED(driverarg);
if (cd->dlz_newversion == NULL) {
*versionp = NULL;
return;
}
MAYBE_LOCK(cd);
cd->dlz_closeversion(zone, commit, cd->dbdata, versionp);
MAYBE_UNLOCK(cd);
}
/*
* Called on startup to configure any writeable zones
*/
static isc_result_t
dlopen_dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *driverarg,
void *dbdata) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_configure == NULL) {
return ISC_R_SUCCESS;
}
MAYBE_LOCK(cd);
cd->in_configure = true;
result = cd->dlz_configure(view, dlzdb, cd->dbdata);
cd->in_configure = false;
MAYBE_UNLOCK(cd);
return result;
}
/*
* Check for authority to change a name.
*/
static bool
dlopen_dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
const char *type, const char *key, uint32_t keydatalen,
unsigned char *keydata, void *driverarg, void *dbdata) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
bool ret;
UNUSED(driverarg);
if (cd->dlz_ssumatch == NULL) {
return false;
}
MAYBE_LOCK(cd);
ret = cd->dlz_ssumatch(signer, name, tcpaddr, type, key, keydatalen,
keydata, cd->dbdata);
MAYBE_UNLOCK(cd);
return ret;
}
/*
* Add an rdataset.
*/
static isc_result_t
dlopen_dlz_addrdataset(const char *name, const char *rdatastr, void *driverarg,
void *dbdata, void *version) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_addrdataset == NULL) {
return ISC_R_NOTIMPLEMENTED;
}
MAYBE_LOCK(cd);
result = cd->dlz_addrdataset(name, rdatastr, cd->dbdata, version);
MAYBE_UNLOCK(cd);
return result;
}
/*
* Subtract an rdataset.
*/
static isc_result_t
dlopen_dlz_subrdataset(const char *name, const char *rdatastr, void *driverarg,
void *dbdata, void *version) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_subrdataset == NULL) {
return ISC_R_NOTIMPLEMENTED;
}
MAYBE_LOCK(cd);
result = cd->dlz_subrdataset(name, rdatastr, cd->dbdata, version);
MAYBE_UNLOCK(cd);
return result;
}
/*
* Delete a rdataset.
*/
static isc_result_t
dlopen_dlz_delrdataset(const char *name, const char *type, void *driverarg,
void *dbdata, void *version) {
dlopen_data_t *cd = (dlopen_data_t *)dbdata;
isc_result_t result;
UNUSED(driverarg);
if (cd->dlz_delrdataset == NULL) {
return ISC_R_NOTIMPLEMENTED;
}
MAYBE_LOCK(cd);
result = cd->dlz_delrdataset(name, type, cd->dbdata, version);
MAYBE_UNLOCK(cd);
return result;
}
static dns_sdlzmethods_t dlz_dlopen_methods = {
dlopen_dlz_create, dlopen_dlz_destroy, dlopen_dlz_findzonedb,
dlopen_dlz_lookup, dlopen_dlz_authority, dlopen_dlz_allnodes,
dlopen_dlz_allowzonexfr, dlopen_dlz_newversion, dlopen_dlz_closeversion,
dlopen_dlz_configure, dlopen_dlz_ssumatch, dlopen_dlz_addrdataset,
dlopen_dlz_subrdataset, dlopen_dlz_delrdataset
};
/*
* Register driver with BIND
*/
isc_result_t
dlz_dlopen_init(isc_mem_t *mctx) {
isc_result_t result;
dlopen_log(2, "Registering DLZ_dlopen driver");
result = dns_sdlzregister("dlopen", &dlz_dlopen_methods, NULL,
DNS_SDLZFLAG_RELATIVEOWNER |
DNS_SDLZFLAG_RELATIVERDATA |
DNS_SDLZFLAG_THREADSAFE,
mctx, &dlz_dlopen);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR("dns_sdlzregister() failed: %s",
isc_result_totext(result));
result = ISC_R_UNEXPECTED;
}
return result;
}
/*
* Unregister the driver
*/
void
dlz_dlopen_clear(void) {
dlopen_log(2, "Unregistering DLZ_dlopen driver");
if (dlz_dlopen != NULL) {
dns_sdlzunregister(&dlz_dlopen);
}
}
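Review bot: missing NULL check on the paired optional symbols in dlopen_dlz_create. `dl_load_symbol(cd, "dlz_closeversion", (cd->dlz_newversion != NULL))` only logs when the symbol is absent; it still returns NULL and nothing after it fails the load, and dlopen_dlz_closeversion guards on `cd->dlz_newversion == NULL` rather than on `cd->dlz_closeversion`, so a module that exports dlz_newversion without dlz_closeversion passes creation and the first transaction close calls a NULL function pointer. Fail creation when a mandatory lookup comes back NULL (add `cd->dlz_closeversion == NULL` to the required-symbol check whenever dlz_newversion is present, or have dl_load_symbol record a mandatory-miss flag that create tests before `goto failed`), and guard dlopen_dlz_closeversion on its own pointer. The dlz_allnodes/dlz_allowzonexfr pair uses the same loading pattern but dlopen_dlz_allnodes checks its own pointer and degrades to ISC_R_NOPERM, so making the two paths consistent is the cleanest fix.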

782
bin/named/fuzz.c Normal file

@ -0,0 +1,782 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <inttypes.h>
#include <stdbool.h>
#include <named/fuzz.h>
#ifdef ENABLE_AFL
#include <arpa/inet.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <isc/condition.h>
#include <isc/loop.h>
#include <isc/mutex.h>
#include <isc/thread.h>
#include <isc/util.h>
#include <dns/log.h>
#include <named/globals.h>
#include <named/log.h>
#include <named/server.h>
/*
* We are using pthreads directly because we might be using it with
* unthreaded version of BIND, where all thread functions are
* mocks. Since AFL for now only works on Linux it's not a problem.
*/
static pthread_cond_t cond;
static pthread_mutex_t mutex;
static bool ready;
/*
* In "client:" mode, this thread reads fuzzed query messages from AFL
* from standard input and sends it to named's listening port (DNS) that
* is passed in the -A client:<address>:<port> option. It can be used to
* test named from the client side.
*/
static void *
fuzz_thread_client(void *arg) {
char *host;
char *port;
struct sockaddr_in servaddr;
int sockfd;
void *buf;
UNUSED(arg);
/*
* Parse named -A argument in the "address:port" syntax. Due to
* the syntax used, this only supports IPv4 addresses.
*/
host = strdup(named_g_fuzz_addr);
RUNTIME_CHECK(host != NULL);
port = strchr(host, ':');
RUNTIME_CHECK(port != NULL);
*port = 0;
++port;
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
RUNTIME_CHECK(inet_pton(AF_INET, host, &servaddr.sin_addr) == 1);
servaddr.sin_port = htons(atoi(port));
free(host);
/*
* Wait for named to start. This is set in run_server() in the
* named thread.
*/
while (!named_g_run_done) {
usleep(10000);
}
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
RUNTIME_CHECK(sockfd != -1);
buf = malloc(65536);
RUNTIME_CHECK(buf != NULL);
/*
* Processing fuzzed packets 100,000 times before shutting down
* the app.
*/
#ifdef __AFL_LOOP
for (int loop = 0; loop < 100000; loop++) {
#else /* ifdef __AFL_LOOP */
{
#endif /* ifdef __AFL_LOOP */
ssize_t length;
ssize_t sent;
length = read(0, buf, 65536);
if (length <= 0) {
usleep(1000000);
goto next;
}
/*
* Ignore packets that are larger than 4096 bytes.
*/
if (length > 4096) {
/*
* AFL_CMIN doesn't support persistent mode, so
* shutdown the server.
*/
if (getenv("AFL_CMIN")) {
free(buf);
close(sockfd);
named_server_flushonshutdown(named_g_server,
false);
isc_loopmgr_shutdown(named_g_loopmgr);
return NULL;
}
raise(SIGSTOP);
goto next;
}
RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
ready = false;
sent = sendto(sockfd, buf, length, 0,
(struct sockaddr *)&servaddr, sizeof(servaddr));
RUNTIME_CHECK(sent == length);
/*
* Read the reply message from named to unclog it. Don't
* bother if there isn't a reply.
*/
(void)recvfrom(sockfd, buf, 65536, MSG_DONTWAIT, NULL, NULL);
while (!ready) {
pthread_cond_wait(&cond, &mutex);
}
RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
next:;
}
free(buf);
close(sockfd);
named_server_flushonshutdown(named_g_server, false);
isc_loopmgr_shutdown(named_g_loopmgr);
return NULL;
}
/*
* In "resolver:" mode, this thread reads fuzzed reply messages from AFL
* from standard input. It also sets up a listener as a remote
* authoritative server and sends a driver query to the client side of
* named(resolver). When named(resolver) connects to this authoritative
* server, this thread writes the fuzzed reply message from AFL to it.
*
* -A resolver:<saddress>:<sport>:<raddress>:<rport>
*
* Here, <saddress>:<sport> is where named(resolver) is listening on.
* <raddress>:<rport> is where the thread is supposed to setup the
* authoritative server. This address should be configured via the root
* zone to be the authoritiative server for aaaaaaaaaa.example.
*
* named(resolver) when being fuzzed will not cache answers.
*/
static void *
fuzz_thread_resolver(void *arg) {
char *sqtype, *shost, *sport, *rhost, *rport;
struct sockaddr_in servaddr, recaddr, recvaddr;
/*
* Query for aaaaaaaaaa.example./A in wire format with RD=1,
* EDNS and DO=1. 0x88, 0x0c at the start is the ID field which
* will be updated for each query.
*/
char respacket[] = { 0x88, 0x0c, 0x01, 0x20, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x0a, 0x61, 0x61, 0x61,
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x07,
0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x29, 0x10,
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00 };
/*
* Response for example./DNSKEY in wire format. Note that RRSIGs
* were generated with this DNSKEY that are used as seeds for
* AFL in the DNSSEC fuzzing job. So the DNSKEY content of this
* message must not change, or the corresponding RRSIGs will
* have to be updated. 0x8d, 0xf6 at the start is the ID field
* which will be made to match the query.
*/
const uint8_t dnskey_wf[] = {
0x8d, 0xf6, 0x84, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00,
0x00, 0x01, 0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
0x00, 0x00, 0x30, 0x00, 0x01, 0xc0, 0x0c, 0x00, 0x30, 0x00,
0x01, 0x00, 0x00, 0x01, 0x2c, 0x01, 0x08, 0x01, 0x00, 0x03,
0x08, 0x03, 0x01, 0x00, 0x01, 0xbd, 0x81, 0xdc, 0x7f, 0x16,
0xd4, 0x81, 0x7c, 0x1f, 0x9f, 0x6a, 0x68, 0xdd, 0xd4, 0xda,
0x48, 0xd9, 0x1c, 0xbd, 0xa6, 0x46, 0x1a, 0xf0, 0xb4, 0xb9,
0xec, 0x3d, 0x6c, 0x0b, 0x57, 0xc7, 0xd6, 0x54, 0x66, 0xe6,
0x6c, 0xd5, 0x90, 0x3a, 0x78, 0x7d, 0x7f, 0x78, 0x80, 0xa2,
0x89, 0x61, 0x6d, 0x8a, 0x2b, 0xcd, 0x0a, 0x77, 0x7a, 0xad,
0xc9, 0x61, 0x53, 0x53, 0x8c, 0x99, 0x72, 0x86, 0x14, 0x74,
0x9c, 0x49, 0x2a, 0x47, 0x23, 0xf7, 0x02, 0x07, 0x73, 0x1c,
0x5c, 0x2e, 0xb4, 0x9a, 0xa4, 0xd7, 0x98, 0x42, 0xc3, 0xd2,
0xfe, 0xbf, 0xf3, 0xb3, 0x6a, 0x52, 0x92, 0xd5, 0xfa, 0x47,
0x00, 0xe3, 0xd9, 0x59, 0x31, 0x95, 0x48, 0x40, 0xfc, 0x06,
0x73, 0x90, 0xc6, 0x73, 0x96, 0xba, 0x29, 0x91, 0xe2, 0xac,
0xa3, 0xa5, 0x6d, 0x91, 0x6d, 0x52, 0xb9, 0x34, 0xba, 0x68,
0x4f, 0xad, 0xf0, 0xc3, 0xf3, 0x1d, 0x6d, 0x61, 0x76, 0xe5,
0x3d, 0xa3, 0x9b, 0x2a, 0x0c, 0x92, 0xb3, 0x78, 0x6b, 0xf1,
0x20, 0xd6, 0x90, 0xb7, 0xac, 0xe2, 0xf8, 0x2b, 0x94, 0x10,
0x79, 0xce, 0xa8, 0x60, 0x42, 0xea, 0x6a, 0x18, 0x2f, 0xc0,
0xd8, 0x05, 0x0a, 0x3b, 0x06, 0x0f, 0x02, 0x7e, 0xff, 0x33,
0x46, 0xee, 0xb6, 0x21, 0x25, 0x90, 0x63, 0x4b, 0x3b, 0x5e,
0xb2, 0x72, 0x3a, 0xcb, 0x91, 0x41, 0xf4, 0x20, 0x50, 0x78,
0x1c, 0x93, 0x95, 0xda, 0xfa, 0xae, 0x85, 0xc5, 0xd7, 0x6b,
0x92, 0x0c, 0x70, 0x6b, 0xe4, 0xb7, 0x29, 0x3a, 0x2e, 0x18,
0x88, 0x82, 0x33, 0x7c, 0xa8, 0xea, 0xb8, 0x31, 0x8f, 0xaf,
0x50, 0xc5, 0x9c, 0x08, 0x56, 0x8f, 0x09, 0x76, 0x4e, 0xdf,
0x97, 0x75, 0x9d, 0x00, 0x52, 0x7f, 0xdb, 0xec, 0x30, 0xcb,
0x1c, 0x4c, 0x2a, 0x21, 0x93, 0xc4, 0x6d, 0x85, 0xa9, 0x40,
0x3b, 0xc0, 0x0c, 0x00, 0x2e, 0x00, 0x01, 0x00, 0x00, 0x01,
0x2c, 0x01, 0x1b, 0x00, 0x30, 0x08, 0x01, 0x00, 0x00, 0x01,
0x2c, 0x67, 0x74, 0x85, 0x80, 0x58, 0xb3, 0xc5, 0x17, 0x36,
0x90, 0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x00,
0x45, 0xac, 0xd3, 0x82, 0x69, 0xf3, 0x10, 0x3a, 0x97, 0x2c,
0x6a, 0xa9, 0x78, 0x99, 0xea, 0xb0, 0xcc, 0xf7, 0xaf, 0x33,
0x51, 0x5b, 0xdf, 0x77, 0x04, 0x18, 0x14, 0x99, 0x61, 0xeb,
0x8d, 0x76, 0x3f, 0xd1, 0x71, 0x14, 0x43, 0x80, 0x53, 0xc2,
0x3b, 0x9f, 0x09, 0x4f, 0xb3, 0x51, 0x04, 0x89, 0x0e, 0xc8,
0x54, 0x12, 0xcd, 0x07, 0x20, 0xbe, 0x94, 0xc2, 0xda, 0x99,
0xdd, 0x1e, 0xf8, 0xb0, 0x84, 0x2e, 0xf9, 0x19, 0x35, 0x36,
0xf5, 0xd0, 0x5d, 0x82, 0x18, 0x74, 0xa0, 0x00, 0xb6, 0x15,
0x57, 0x40, 0x5f, 0x78, 0x2d, 0x27, 0xac, 0xc7, 0x8a, 0x29,
0x55, 0xa9, 0xcd, 0xbc, 0xf7, 0x3e, 0xff, 0xae, 0x1a, 0x5a,
0x1d, 0xac, 0x0d, 0x78, 0x0e, 0x08, 0x33, 0x6c, 0x59, 0x70,
0x40, 0xb9, 0x65, 0xbd, 0x35, 0xbb, 0x9a, 0x70, 0xdc, 0x93,
0x66, 0xb0, 0xef, 0xfe, 0xf0, 0x32, 0xa6, 0xee, 0xb7, 0x03,
0x89, 0xa2, 0x4d, 0xe0, 0xf1, 0x20, 0xdf, 0x39, 0xe8, 0xe3,
0xcc, 0x95, 0xe9, 0x9a, 0xad, 0xbf, 0xbd, 0x7c, 0xf7, 0xd7,
0xde, 0x47, 0x9e, 0xf6, 0x17, 0xbb, 0x84, 0xa9, 0xed, 0xf2,
0x45, 0x61, 0x6d, 0x13, 0x0b, 0x06, 0x29, 0x50, 0xde, 0xfd,
0x42, 0xb0, 0x66, 0x2c, 0x1c, 0x2b, 0x63, 0xcb, 0x4e, 0xb9,
0x31, 0xc4, 0xea, 0xd2, 0x07, 0x3a, 0x08, 0x79, 0x19, 0x4b,
0x4c, 0x50, 0x97, 0x02, 0xd7, 0x26, 0x41, 0x2f, 0xdd, 0x57,
0xaa, 0xb0, 0xa0, 0x21, 0x4e, 0x74, 0xb6, 0x97, 0x4b, 0x8b,
0x09, 0x9c, 0x3d, 0x29, 0xfb, 0x12, 0x27, 0x47, 0x8f, 0xb8,
0xc5, 0x8e, 0x65, 0xcd, 0xca, 0x2f, 0xba, 0xf5, 0x3e, 0xec,
0x56, 0xc3, 0xc9, 0xa1, 0x62, 0x7d, 0xf2, 0x9f, 0x90, 0x16,
0x1d, 0xbf, 0x97, 0x28, 0xe1, 0x92, 0xb1, 0x53, 0xab, 0xc4,
0xe0, 0x99, 0xbb, 0x19, 0x90, 0x7c, 0x00, 0x00, 0x29, 0x10,
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00
};
int sockfd;
int listenfd;
int loop;
uint16_t qtype;
char *buf, *rbuf;
char *nameptr;
unsigned int i;
uint8_t llen;
uint64_t seed;
UNUSED(arg);
/*
* Parse named -A argument in the "qtype:saddress:sport:raddress:rport"
* syntax. Due to the syntax used, this only supports IPv4 addresses.
*/
sqtype = strdup(named_g_fuzz_addr);
RUNTIME_CHECK(sqtype != NULL);
shost = strchr(sqtype, ':');
RUNTIME_CHECK(shost != NULL);
*shost = 0;
shost++;
sport = strchr(shost, ':');
RUNTIME_CHECK(sport != NULL);
*sport = 0;
sport++;
rhost = strchr(sport, ':');
RUNTIME_CHECK(rhost != NULL);
*rhost = 0;
rhost++;
rport = strchr(rhost, ':');
RUNTIME_CHECK(rport != NULL);
*rport = 0;
rport++;
/*
* Patch in the qtype into the question section of respacket.
*/
qtype = atoi(sqtype);
respacket[32] = (qtype >> 8) & 0xff;
respacket[33] = qtype & 0xff;
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
RUNTIME_CHECK(inet_pton(AF_INET, shost, &servaddr.sin_addr) == 1);
servaddr.sin_port = htons(atoi(sport));
memset(&recaddr, 0, sizeof(recaddr));
recaddr.sin_family = AF_INET;
RUNTIME_CHECK(inet_pton(AF_INET, rhost, &recaddr.sin_addr) == 1);
recaddr.sin_port = htons(atoi(rport));
free(sqtype);
/*
* Wait for named to start. This is set in run_server() in the
* named thread.
*/
while (!named_g_run_done) {
usleep(10000);
}
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
RUNTIME_CHECK(sockfd != -1);
listenfd = socket(AF_INET, SOCK_DGRAM, 0);
RUNTIME_CHECK(listenfd != -1);
RUNTIME_CHECK(bind(listenfd, (struct sockaddr *)&recaddr,
sizeof(struct sockaddr_in)) == 0);
buf = malloc(65536);
rbuf = malloc(65536);
RUNTIME_CHECK(buf != NULL);
RUNTIME_CHECK(rbuf != NULL);
seed = 42;
/*
* Processing fuzzed packets 100,000 times before shutting down
* the app.
*/
for (loop = 0; loop < 100000; loop++) {
ssize_t length;
ssize_t sent;
unsigned short id;
socklen_t socklen;
memset(buf, 0, 12);
length = read(0, buf, 65536);
if (length <= 0) {
usleep(1000000);
continue;
}
if (length > 4096) {
if (getenv("AFL_CMIN")) {
free(buf);
free(rbuf);
close(sockfd);
close(listenfd);
named_server_flushonshutdown(named_g_server,
false);
isc_loopmgr_shutdown(named_g_loopmgr);
return NULL;
}
raise(SIGSTOP);
continue;
}
if (length < 12) {
length = 12;
}
RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
ready = false;
/* Use a unique query ID. */
seed = 1664525 * seed + 1013904223;
id = seed & 0xffff;
respacket[0] = (id >> 8) & 0xff;
respacket[1] = id & 0xff;
/*
* Flush any pending data on the authoritative server.
*/
socklen = sizeof(recvaddr);
(void)recvfrom(listenfd, rbuf, 65536, MSG_DONTWAIT,
(struct sockaddr *)&recvaddr, &socklen);
/*
* Send a fixed client query to named(resolver) of
* aaaaaaaaaa.example./A. This is the starting query
* driver.
*/
sent = sendto(sockfd, respacket, sizeof(respacket), 0,
(struct sockaddr *)&servaddr, sizeof(servaddr));
RUNTIME_CHECK(sent == sizeof(respacket));
/*
* named(resolver) will process the query above and send
* an upstream query to the authoritative server. We
* handle that here as the upstream authoritative server
* on listenfd.
*/
socklen = sizeof(recvaddr);
sent = recvfrom(listenfd, rbuf, 65536, 0,
(struct sockaddr *)&recvaddr, &socklen);
RUNTIME_CHECK(sent > 0);
/*
* Copy QID and set QR so that response is always
* accepted by named(resolver).
*/
buf[0] = rbuf[0];
buf[1] = rbuf[1];
buf[2] |= 0x80;
/*
* NOTE: We are not copying the QNAME or setting
* rcode=NOERROR each time. So the resolver may fail the
* client query (driver) / wander due to this. AA flag
* may also not be set based on the contents of the AFL
* fuzzed packet.
*/
/*
* A hack - set QTYPE to the one from query so that we
* can easily share packets between instances. If we
* write over something else we'll get FORMERR anyway.
*/
/* Skip DNS header to get to the name */
nameptr = buf + 12;
/* Skip the name to get to the qtype */
i = 0;
while (((llen = nameptr[i]) != 0) && (i < 255) &&
(((nameptr + i + 1 + llen) - buf) < length))
{
i += 1 + llen;
}
if (i <= 255) {
nameptr += 1 + i;
/* Patch the qtype */
if ((nameptr - buf) < (length - 2)) {
*nameptr++ = (qtype >> 8) & 0xff;
*nameptr++ = qtype & 0xff;
}
/* Patch the qclass */
if ((nameptr - buf) < (length - 2)) {
*nameptr++ = 0;
*nameptr++ = 1;
}
}
/*
* Send the reply to named(resolver).
*/
sent = sendto(listenfd, buf, length, 0,
(struct sockaddr *)&recvaddr, sizeof(recvaddr));
RUNTIME_CHECK(sent == length);
/* We might get additional questions here (e.g. for CNAME). */
for (;;) {
fd_set fds;
struct timeval tv;
int rv;
int max;
FD_ZERO(&fds);
FD_SET(listenfd, &fds);
FD_SET(sockfd, &fds);
tv.tv_sec = 10;
tv.tv_usec = 0;
max = (listenfd > sockfd ? listenfd : sockfd) + 1;
rv = select(max, &fds, NULL, NULL, &tv);
RUNTIME_CHECK(rv > 0);
if (FD_ISSET(sockfd, &fds)) {
/*
* It's the reply from named(resolver)
* to the client(query driver), so we're
* done.
*/
(void)recvfrom(sockfd, buf, 65536, 0, NULL,
NULL);
break;
}
/*
* We've got additional question (eg. due to
* CNAME). Bounce it - setting QR flag and
* NOERROR rcode and sending it back.
*/
length = recvfrom(listenfd, buf, 65536, 0,
(struct sockaddr *)&recvaddr,
&socklen);
/*
* If this is a DNSKEY query, send the DNSKEY,
* otherwise, bounce the query.
*/
/* Skip DNS header to get to the name */
nameptr = buf + 12;
/* Skip the name to get to the qtype */
i = 0;
while (((llen = nameptr[i]) != 0) && (i < 255) &&
(((nameptr + i + 1 + llen) - buf) < length))
{
i += 1 + llen;
}
if (i <= 255) {
nameptr += 1 + i;
/*
* Patch in the DNSKEY reply without
* touching the ID field. Note that we
* don't compare the name in the
* question section in the query, but we
* don't expect to receive any query for
* type DNSKEY but for the name
* "example."
*/
if ((nameptr - buf) < (length - 2)) {
uint8_t hb, lb;
hb = *nameptr++;
lb = *nameptr++;
qtype = (hb << 8) | lb;
if (qtype == 48) {
memmove(buf + 2, dnskey_wf + 2,
sizeof(dnskey_wf) - 2);
length = sizeof(dnskey_wf);
}
}
}
buf[2] |= 0x80;
buf[3] &= 0xF0;
sent = sendto(listenfd, buf, length, 0,
(struct sockaddr *)&recvaddr,
sizeof(recvaddr));
RUNTIME_CHECK(sent == length);
}
while (!ready) {
pthread_cond_wait(&cond, &mutex);
}
RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
}
free(buf);
free(rbuf);
close(sockfd);
close(listenfd);
named_server_flushonshutdown(named_g_server, false);
isc_loopmgr_shutdown(named_g_loopmgr);
#ifdef __AFL_LOOP
/*
* This is here just for the signature, that's how AFL detects
* if it's a 'persistent mode' binary. It has to occur somewhere
* in the file, that's all. < wpk_> AFL checks the binary for
* this signature ("##SIG_AFL_PERSISTENT##") and runs the binary
* in persistent mode if it's present.
*/
__AFL_LOOP(0);
#endif /* ifdef __AFL_LOOP */
return NULL;
}
/*
* In "tcp:", "http:" and "rndc:" modes, this thread reads fuzzed query
* blobs from AFL from standard input and sends it to the corresponding
* TCP listening port of named (port 53 DNS, or the HTTP statistics
* channels listener or the rndc port) that is passed in the -A
* <mode>:<address>:<port> option. It can be used to test named from the
* client side.
*/
static void *
fuzz_thread_tcp(void *arg) {
char *host;
char *port;
struct sockaddr_in servaddr;
int sockfd;
char *buf;
int loop;
UNUSED(arg);
/*
* Parse named -A argument in the "address:port" syntax. Due to
* the syntax used, this only supports IPv4 addresses.
*/
host = strdup(named_g_fuzz_addr);
RUNTIME_CHECK(host != NULL);
port = strchr(host, ':');
RUNTIME_CHECK(port != NULL);
*port = 0;
++port;
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
RUNTIME_CHECK(inet_pton(AF_INET, host, &servaddr.sin_addr) == 1);
servaddr.sin_port = htons(atoi(port));
free(host);
/*
* Wait for named to start. This is set in run_server() in the
* named thread.
*/
while (!named_g_run_done) {
usleep(10000);
}
buf = malloc(65539);
RUNTIME_CHECK(buf != NULL);
/*
* Processing fuzzed packets 100,000 times before shutting down
* the app.
*/
for (loop = 0; loop < 100000; loop++) {
ssize_t length;
ssize_t sent;
int yes;
int r;
if (named_g_fuzz_type == isc_fuzz_tcpclient) {
/*
* To fuzz DNS TCP client we have to put 16-bit
* message length preceding the start of packet.
*/
length = read(0, buf + 2, 65535);
buf[0] = (length >> 8) & 0xff;
buf[1] = length & 0xff;
length += 2;
} else {
/*
* Other types of TCP clients such as HTTP, etc.
*/
length = read(0, buf, 65535);
}
if (length <= 0) {
usleep(1000000);
continue;
}
if (named_g_fuzz_type == isc_fuzz_http) {
/*
* This guarantees that the request will be
* processed.
*/
INSIST(length <= 65535);
buf[length++] = '\r';
buf[length++] = '\n';
buf[length++] = '\r';
buf[length++] = '\n';
}
RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
ready = false;
yes = 1;
sockfd = socket(AF_INET, SOCK_STREAM, 0);
RUNTIME_CHECK(sockfd != -1);
RUNTIME_CHECK(setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes,
sizeof(int)) == 0);
do {
r = connect(sockfd, (struct sockaddr *)&servaddr,
sizeof(servaddr));
if (r != 0) {
usleep(10000);
}
} while (r != 0);
/*
* Send the fuzzed query blob to the target server.
*/
sent = write(sockfd, buf, length);
RUNTIME_CHECK(sent == length);
close(sockfd);
while (!ready) {
pthread_cond_wait(&cond, &mutex);
}
RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
}
free(buf);
close(sockfd);
named_server_flushonshutdown(named_g_server, false);
isc_loopmgr_shutdown(named_g_loopmgr);
return NULL;
}
#endif /* ENABLE_AFL */
/*
* named has finished processing a message and has sent the
* reply. Signal the fuzz thread using the condition variable, to read
* and process the next item from AFL.
*/
void
named_fuzz_notify(void) {
#ifdef ENABLE_AFL
if (getenv("AFL_CMIN")) {
named_server_flushonshutdown(named_g_server, false);
isc_loopmgr_shutdown(named_g_loopmgr);
return;
}
raise(SIGSTOP);
RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
ready = true;
RUNTIME_CHECK(pthread_cond_signal(&cond) == 0);
RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
#endif /* ENABLE_AFL */
}
void
named_fuzz_setup(void) {
#ifdef ENABLE_AFL
if (getenv("__AFL_PERSISTENT") || getenv("AFL_CMIN")) {
pthread_t thread;
void *(fn) = NULL;
switch (named_g_fuzz_type) {
case isc_fuzz_client:
fn = fuzz_thread_client;
break;
case isc_fuzz_http:
case isc_fuzz_tcpclient:
case isc_fuzz_rndc:
fn = fuzz_thread_tcp;
break;
case isc_fuzz_resolver:
fn = fuzz_thread_resolver;
break;
default:
RUNTIME_CHECK(fn != NULL);
}
RUNTIME_CHECK(pthread_mutex_init(&mutex, NULL) == 0);
RUNTIME_CHECK(pthread_cond_init(&cond, NULL) == 0);
RUNTIME_CHECK(pthread_create(&thread, NULL, fn, NULL) == 0);
}
#endif /* ENABLE_AFL */
}
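Review bot: in the inner `for (;;)` loop of fuzz_thread_resolver, `length = recvfrom(listenfd, buf, 65536, 0, ...)` is never checked for -1, unlike the first recvfrom in the same iteration, which is followed by `RUNTIME_CHECK(sent > 0)`. A failed receive leaves `length == -1`, the name-walking loop and the qtype patch are skipped by their bounds checks, and `sendto(listenfd, buf, length, ...)` then fails with -1 as well, so `RUNTIME_CHECK(sent == length)` passes and the error is silently swallowed; add `RUNTIME_CHECK(length > 0);` directly after that recvfrom. In fuzz_thread_tcp, the `if (length <= 0)` test runs after `length += 2` in the isc_fuzz_tcpclient branch, so EOF or a read error on stdin gives a length of 2 or 1 and a bogus two-byte prefix is written to the server instead of sleeping and retrying; test the raw read() result before prepending the length. The `close(sockfd)` after that loop closes a descriptor that the `close(sockfd)` inside the loop already closed, which on a multithreaded process can close a descriptor reused by another thread; drop the trailing close. Finally, in named_fuzz_setup, `void *(fn) = NULL;` declares a plain `void *` and function pointers are then stored in it and handed to pthread_create(); ISO C does not guarantee that conversion, so declare it as `void *(*fn)(void *) = NULL;`.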
146
bin/named/geoip.c Normal file
@ -0,0 +1,146 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#if defined(HAVE_GEOIP2)
#include <maxminddb.h>
#endif /* if defined(HAVE_GEOIP2) */
#include <isc/dir.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/geoip.h>
#include <named/geoip.h>
#include <named/log.h>
static dns_geoip_databases_t geoip_table;
#if defined(HAVE_GEOIP2)
static MMDB_s geoip_country, geoip_city, geoip_as, geoip_isp, geoip_domain;
static MMDB_s *
open_geoip2(const char *dir, const char *dbfile, MMDB_s *mmdb) {
char pathbuf[PATH_MAX];
unsigned int n;
int ret;
n = snprintf(pathbuf, sizeof(pathbuf), "%s/%s", dir, dbfile);
if (n >= sizeof(pathbuf)) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"GeoIP2 database '%s/%s': path too long", dir,
dbfile);
return NULL;
}
ret = MMDB_open(pathbuf, MMDB_MODE_MMAP, mmdb);
if (ret == MMDB_SUCCESS) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"opened GeoIP2 database '%s'", pathbuf);
return mmdb;
}
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
"unable to open GeoIP2 database '%s' (status %d)",
pathbuf, ret);
return NULL;
}
#endif /* HAVE_GEOIP2 */
void
named_geoip_init(void) {
#if defined(HAVE_GEOIP2)
if (named_g_geoip == NULL) {
named_g_geoip = &geoip_table;
}
#else /* if defined(HAVE_GEOIP2) */
return;
#endif /* if defined(HAVE_GEOIP2) */
}
void
named_geoip_load(char *dir) {
#if defined(HAVE_GEOIP2)
REQUIRE(dir != NULL);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"looking for GeoIP2 databases in '%s'", dir);
named_g_geoip->country = open_geoip2(dir, "GeoIP2-Country.mmdb",
&geoip_country);
if (named_g_geoip->country == NULL) {
named_g_geoip->country = open_geoip2(
dir, "GeoLite2-Country.mmdb", &geoip_country);
}
named_g_geoip->city = open_geoip2(dir, "GeoIP2-City.mmdb", &geoip_city);
if (named_g_geoip->city == NULL) {
named_g_geoip->city = open_geoip2(dir, "GeoLite2-City.mmdb",
&geoip_city);
}
named_g_geoip->as = open_geoip2(dir, "GeoIP2-ASN.mmdb", &geoip_as);
if (named_g_geoip->as == NULL) {
named_g_geoip->as = open_geoip2(dir, "GeoLite2-ASN.mmdb",
&geoip_as);
}
named_g_geoip->isp = open_geoip2(dir, "GeoIP2-ISP.mmdb", &geoip_isp);
named_g_geoip->domain = open_geoip2(dir, "GeoIP2-Domain.mmdb",
&geoip_domain);
#else /* if defined(HAVE_GEOIP2) */
UNUSED(dir);
return;
#endif /* if defined(HAVE_GEOIP2) */
}
void
named_geoip_unload(void) {
#ifdef HAVE_GEOIP2
if (named_g_geoip->country != NULL) {
MMDB_close(named_g_geoip->country);
named_g_geoip->country = NULL;
}
if (named_g_geoip->city != NULL) {
MMDB_close(named_g_geoip->city);
named_g_geoip->city = NULL;
}
if (named_g_geoip->as != NULL) {
MMDB_close(named_g_geoip->as);
named_g_geoip->as = NULL;
}
if (named_g_geoip->isp != NULL) {
MMDB_close(named_g_geoip->isp);
named_g_geoip->isp = NULL;
}
if (named_g_geoip->domain != NULL) {
MMDB_close(named_g_geoip->domain);
named_g_geoip->domain = NULL;
}
#endif /* ifdef HAVE_GEOIP2 */
}
void
named_geoip_shutdown(void) {
#ifdef HAVE_GEOIP2
named_geoip_unload();
#endif /* HAVE_GEOIP2 */
}
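Review bot: named_geoip_load() opens into the static `geoip_country`, `geoip_city`, `geoip_as`, `geoip_isp` and `geoip_domain` objects without closing what they may already hold, so if it is ever called a second time (for example from a reconfiguration path) the earlier MMDB_open() mapping is overwritten and leaked; either call named_geoip_unload() at the start of named_geoip_load() or document that it may only run once. In open_geoip2(), `n` is `unsigned int` but snprintf() returns `int`, so a negative return would be reported as "path too long"; use `int n` and test `n < 0 || (size_t)n >= sizeof(pathbuf)`. Two smaller points: `named_geoip_load(char *dir)` never modifies `dir` and should take `const char *dir`, and named_geoip_unload() dereferences `named_g_geoip` without checking that named_geoip_init() ran first; a `REQUIRE(named_g_geoip != NULL)` would make that ordering requirement explicit.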
@ -0,0 +1,20 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
isc_result_t
dlz_dlopen_init(isc_mem_t *mctx);
void
dlz_dlopen_clear(void);
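Review bot: this header is not self-contained: the two prototypes use `isc_result_t` and `isc_mem_t` but nothing is included, so it compiles only when the including .c file has already pulled in `<isc/types.h>`. Add `#include <isc/types.h>` after `#pragma once`, as the builtin.h and config.h headers in this commit do. Both functions also lack the `/*%<` description that the other named/ headers carry; a sentence on what each does and on the required call order (clear before the memory context passed to init is destroyed, if that is the contract) would help.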
@ -0,0 +1,35 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <inttypes.h>
#include <isc/lang.h>
#include <isc/types.h>
#include <dns/clientinfo.h>
#include <dns/types.h>
/***
*** Functions
***/
/* Initialization functions for builtin zone databases */
isc_result_t
named_builtin_init(void);
void
named_builtin_deinit(void);
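Review bot: `<inttypes.h>`, `<isc/lang.h>`, `<dns/clientinfo.h>` and `<dns/types.h>` are not needed by the two declarations here, which only use `isc_result_t` from `<isc/types.h>`; trim them so every file including this header does not also pull in the dns/ headers. The single `/* Initialization functions for builtin zone databases */` comment could be replaced by the per-function `/*%<` form used in control.h and log.h, stating in particular whether named_builtin_deinit() may be called without a prior successful named_builtin_init().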
@ -0,0 +1,69 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <inttypes.h>
#include <dns/types.h>
#include <dns/zone.h>
#include <isccfg/cfg.h>
#define DEFAULT_IANA_ROOT_ZONE_PRIMARIES "_default_iana_root_zone_primaries"
isc_result_t
named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
const char *
named_config_getdefault(void);
isc_result_t
named_config_get(cfg_obj_t const *const *maps, const char *name,
const cfg_obj_t **obj);
isc_result_t
named_checknames_get(const cfg_obj_t **maps, const char *const names[],
const cfg_obj_t **obj);
int
named_config_listcount(const cfg_obj_t *list);
isc_result_t
named_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
dns_rdataclass_t *classp);
isc_result_t
named_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
dns_rdatatype_t *typep);
dns_zonetype_t
named_config_getzonetype(const cfg_obj_t *zonetypeobj);
isc_result_t
named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
const char *name, const cfg_obj_t **ret);
isc_result_t
named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
isc_result_t
named_config_getport(const cfg_obj_t *config, const char *type,
in_port_t *portp);
isc_result_t
named_config_getkeyalgorithm(const char *str, unsigned int *typep,
uint16_t *digestbits);
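Review bot: the `maps` parameter is spelled `cfg_obj_t const *const *maps` in named_config_get() but `const cfg_obj_t **maps` in named_checknames_get(); pick one form (the former is the stricter one) so callers do not need casts for one of the two. Unlike control.h and log.h in this commit, none of the functions here carries a `/*%<` comment; at minimum named_config_get() should document the search order across `maps` and what is stored in `*obj`, and named_config_getipandkeylist() should say who owns and frees the contents of `ipkl` on success and on failure.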
@ -0,0 +1,111 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file
* \brief
* The name server command channel.
*/
#include <stdbool.h>
#include <isccc/types.h>
#include <isccfg/aclconf.h>
#include <named/types.h>
#define NAMED_CONTROL_PORT 953
#define NAMED_COMMAND_ADDZONE "addzone"
#define NAMED_COMMAND_DELZONE "delzone"
#define NAMED_COMMAND_DNSSEC "dnssec"
#define NAMED_COMMAND_DNSTAP "dnstap"
#define NAMED_COMMAND_DNSTAPREOPEN "dnstap-reopen"
#define NAMED_COMMAND_DUMPDB "dumpdb"
#define NAMED_COMMAND_DUMPSTATS "stats"
#define NAMED_COMMAND_FETCHLIMIT "fetchlimit"
#define NAMED_COMMAND_FLUSH "flush"
#define NAMED_COMMAND_FLUSHNAME "flushname"
#define NAMED_COMMAND_FLUSHTREE "flushtree"
#define NAMED_COMMAND_FREEZE "freeze"
#define NAMED_COMMAND_HALT "halt"
#define NAMED_COMMAND_LOADKEYS "loadkeys"
#define NAMED_COMMAND_MEMPROF "memprof"
#define NAMED_COMMAND_MKEYS "managed-keys"
#define NAMED_COMMAND_MODZONE "modzone"
#define NAMED_COMMAND_NOTIFY "notify"
#define NAMED_COMMAND_NOTRACE "notrace"
#define NAMED_COMMAND_NTA "nta"
#define NAMED_COMMAND_NULL "null"
#define NAMED_COMMAND_QUERYLOG "querylog"
#define NAMED_COMMAND_RECONFIG "reconfig"
#define NAMED_COMMAND_RECURSING "recursing"
#define NAMED_COMMAND_REFRESH "refresh"
#define NAMED_COMMAND_RELOAD "reload"
#define NAMED_COMMAND_RESETSTATS "reset-stats"
#define NAMED_COMMAND_RESPONSELOG "responselog"
#define NAMED_COMMAND_RETRANSFER "retransfer"
#define NAMED_COMMAND_SCAN "scan"
#define NAMED_COMMAND_SECROOTS "secroots"
#define NAMED_COMMAND_SERVESTALE "serve-stale"
#define NAMED_COMMAND_SHOWZONE "showzone"
#define NAMED_COMMAND_SIGN "sign"
#define NAMED_COMMAND_SIGNING "signing"
#define NAMED_COMMAND_SKR "skr"
#define NAMED_COMMAND_STATUS "status"
#define NAMED_COMMAND_STOP "stop"
#define NAMED_COMMAND_SYNC "sync"
#define NAMED_COMMAND_TCPTIMEOUTS "tcp-timeouts"
#define NAMED_COMMAND_TESTGEN "testgen"
#define NAMED_COMMAND_THAW "thaw"
#define NAMED_COMMAND_TRACE "trace"
#define NAMED_COMMAND_UNFREEZE "unfreeze"
#define NAMED_COMMAND_VALIDATION "validation"
#define NAMED_COMMAND_ZONESTATUS "zonestatus"
isc_result_t
named_controls_create(named_server_t *server, named_controls_t **ctrlsp);
/*%<
* Create an initial, empty set of command channels for 'server'.
*/
void
named_controls_destroy(named_controls_t **ctrlsp);
/*%<
* Destroy a set of command channels.
*
* Requires:
* Shutdown of the channels has completed.
*/
isc_result_t
named_controls_configure(named_controls_t *controls, const cfg_obj_t *config,
cfg_aclconfctx_t *aclconfctx);
/*%<
* Configure zero or more command channels into 'controls'
* as defined in the configuration parse tree 'config'.
* The channels will evaluate ACLs in the context of
* 'aclconfctx'.
*/
void
named_controls_shutdown(named_controls_t *controls);
/*%<
* Initiate shutdown of all the command channels in 'controls'.
*/
isc_result_t
named_control_docommand(isccc_sexpr_t *message, bool readonly,
isc_buffer_t **text);
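Review bot: named_control_docommand() is the only function in this header without a `/*%<` description, yet it is the entry point for every rndc command and takes a `readonly` flag; the comment should state which commands are refused when `readonly` is true, what is returned in `*text`, and whether the caller must pass an allocated buffer. Minor: the `Requires:` clause on named_controls_destroy() says shutdown of the channels must have completed, but nothing here says how a caller learns that after named_controls_shutdown() returns; a sentence on how completion is signalled would close that gap.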
@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <isc/fuzz.h>
#pragma once
void
named_fuzz_notify(void);
void
named_fuzz_setup(void);
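Review bot: `#pragma once` is placed after `#include <isc/fuzz.h>`; every other header in this commit puts the pragma first, directly below the license block, so move it up for consistency. The include itself is not used by the two prototypes, but globals.h includes `<named/fuzz.h>` and relies on it for `isc_fuzztype_t` and `isc_fuzz_none`; if the include is dropped here, add `#include <isc/fuzz.h>` to globals.h instead of depending on this indirect path.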
@ -0,0 +1,28 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
extern dns_geoip_databases_t *named_g_geoip;
void
named_geoip_init(void);
void
named_geoip_load(char *dir);
void
named_geoip_unload(void);
void
named_geoip_shutdown(void);
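Review bot: `extern dns_geoip_databases_t *named_g_geoip;` uses a type this header never includes; add `#include <dns/geoip.h>` (or `<dns/types.h>`, if the typedef lives there) so the header stands on its own rather than relying on geoip.c including `<dns/geoip.h>` first. The same variable is also declared in globals.h, but there only under `#if defined(HAVE_GEOIP2)`, while here it is unconditional, leaving a non-GeoIP build with an extern declaration of a symbol that is never defined; keep a single declaration. `named_geoip_load(char *dir)` should take `const char *dir`.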
@ -0,0 +1,150 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <stdbool.h>
#include <isc/log.h>
#include <isc/loop.h>
#include <isc/net.h>
#include <isc/netmgr.h>
#include <isc/rwlock.h>
#include <dns/acl.h>
#include <dns/zone.h>
#include <dst/dst.h>
#include <isccfg/aclconf.h>
#include <isccfg/cfg.h>
#include <named/fuzz.h>
#include <named/types.h>
#undef EXTERN
#undef INIT
#ifdef NAMED_MAIN
#define EXTERN
#define INIT(v) = (v)
#else /* ifdef NAMED_MAIN */
#define EXTERN extern
#define INIT(v)
#endif /* ifdef NAMED_MAIN */
#ifndef NAMED_RUN_PID_DIR
#define NAMED_RUN_PID_DIR 1
#endif /* ifndef NAMED_RUN_PID_DIR */
EXTERN isc_mem_t *named_g_mctx INIT(NULL);
EXTERN unsigned int named_g_cpus INIT(0);
EXTERN isc_loop_t *named_g_mainloop INIT(NULL);
EXTERN isc_loopmgr_t *named_g_loopmgr INIT(NULL);
EXTERN bool named_g_loopmgr_running INIT(false);
EXTERN dns_dispatchmgr_t *named_g_dispatchmgr INIT(NULL);
EXTERN unsigned int named_g_cpus_detected INIT(1);
#ifdef ENABLE_AFL
EXTERN bool named_g_run_done INIT(false);
#endif /* ifdef ENABLE_AFL */
/*
* XXXRTH We're going to want multiple timer managers eventually. One
* for really short timers, another for client timers, and one
* for zone timers.
*/
EXTERN isc_nm_t *named_g_netmgr INIT(NULL);
EXTERN cfg_parser_t *named_g_parser INIT(NULL);
EXTERN cfg_parser_t *named_g_addparser INIT(NULL);
EXTERN const char *named_g_version INIT(PACKAGE_VERSION);
EXTERN const char *named_g_product INIT(PACKAGE_NAME);
EXTERN const char *named_g_description INIT(PACKAGE_DESCRIPTION);
EXTERN const char *named_g_srcid INIT(PACKAGE_SRCID);
EXTERN const char *named_g_configargs INIT(PACKAGE_CONFIGARGS);
EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER);
EXTERN in_port_t named_g_port INIT(0);
EXTERN in_port_t named_g_tlsport INIT(0);
EXTERN in_port_t named_g_httpsport INIT(0);
EXTERN in_port_t named_g_httpport INIT(0);
EXTERN in_port_t named_g_http_listener_clients INIT(0);
EXTERN in_port_t named_g_http_streams_per_conn INIT(0);
EXTERN named_server_t *named_g_server INIT(NULL);
/*
* Logging.
*/
EXTERN isc_log_t *named_g_lctx INIT(NULL);
EXTERN isc_logcategory_t *named_g_categories INIT(NULL);
EXTERN isc_logmodule_t *named_g_modules INIT(NULL);
EXTERN unsigned int named_g_debuglevel INIT(0);
/*
* Current configuration information.
*/
EXTERN cfg_obj_t *named_g_config INIT(NULL);
EXTERN const cfg_obj_t *named_g_defaults INIT(NULL);
EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
EXTERN const char *named_g_defaultbindkeys INIT(NULL);
EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
EXTERN bool named_g_conffileset INIT(false);
EXTERN cfg_aclconfctx_t *named_g_aclconfctx INIT(NULL);
/*
* Misc.
*/
EXTERN bool named_g_coreok INIT(true);
EXTERN const char *named_g_chrootdir INIT(NULL);
EXTERN bool named_g_foreground INIT(false);
EXTERN bool named_g_logstderr INIT(false);
EXTERN bool named_g_nosyslog INIT(false);
EXTERN const char *named_g_logfile INIT(NULL);
EXTERN const char *named_g_defaultsessionkeyfile INIT(NAMED_LOCALSTATEDIR
"/run/named/"
"session.key");
#if NAMED_RUN_PID_DIR
EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/"
"named.pid");
#else /* if NAMED_RUN_PID_DIR */
EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/"
"named.pid");
#endif /* if NAMED_RUN_PID_DIR */
EXTERN const char *named_g_username INIT(NULL);
EXTERN const char *named_g_engine INIT(NULL);
EXTERN isc_time_t named_g_boottime;
EXTERN isc_time_t named_g_configtime;
EXTERN bool named_g_memstatistics INIT(false);
EXTERN bool named_g_keepstderr INIT(false);
EXTERN unsigned int named_g_tat_interval INIT(24 * 3600);
EXTERN unsigned int named_g_maxcachesize INIT(0);
#if defined(HAVE_GEOIP2)
EXTERN dns_geoip_databases_t *named_g_geoip INIT(NULL);
#endif /* if defined(HAVE_GEOIP2) */
EXTERN const char *named_g_fuzz_addr INIT(NULL);
EXTERN isc_fuzztype_t named_g_fuzz_type INIT(isc_fuzz_none);
EXTERN dns_acl_t *named_g_mapped INIT(NULL);
#undef EXTERN
#undef INIT
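Review bot: `named_g_http_listener_clients` and `named_g_http_streams_per_conn` are declared `in_port_t`, but they are counts, not port numbers; `unsigned int` (as used for `named_g_cpus`) would state the intent and avoid silently capping the values at 65535. The `XXXRTH` comment about wanting several timer managers sits above `named_g_netmgr`, which is the network manager, so it is stale or misplaced; delete it or move it beside the loop manager declarations. `named_g_geoip` is declared here under `#if defined(HAVE_GEOIP2)` and unconditionally in named/geoip.h; keep one declaration.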
@ -0,0 +1,84 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <isc/log.h>
#include <isc/types.h>
#include <dns/log.h>
#include <named/globals.h> /* Required for named_g_(categories|modules). */
/* Unused slot 0. */
#define NAMED_LOGCATEGORY_UNMATCHED (&named_g_categories[1])
/*
* Backwards compatibility.
*/
#define NAMED_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
#define NAMED_LOGMODULE_MAIN (&named_g_modules[0])
#define NAMED_LOGMODULE_SERVER (&named_g_modules[1])
#define NAMED_LOGMODULE_CONTROL (&named_g_modules[2])
isc_result_t
named_log_init(bool safe);
/*%
* Initialize the logging system and set up an initial default
* logging default configuration that will be used until the
* config file has been read.
*
* If 'safe' is true, use a default configuration that refrains
* from opening files. This is to avoid creating log files
* as root.
*/
void
named_log_setdefaultchannels(isc_logconfig_t *lcfg);
/*%
* Set up logging channels according to the named defaults, which
* may differ from the logging library defaults. Currently,
* this just means setting up default_debug.
*/
void
named_log_setsafechannels(isc_logconfig_t *lcfg);
/*%
* Like named_log_setdefaultchannels(), but omits any logging to files.
*/
void
named_log_setdefaultsslkeylogfile(isc_logconfig_t *lcfg);
/*%
* If the SSLKEYLOGFILE environment variable is set, sets up a default
* logging channel for writing TLS pre-master secrets to the path stored
* in that environment variable (for debugging purposes).
*/
isc_result_t
named_log_setdefaultcategory(isc_logconfig_t *lcfg);
/*%
* Set up "category default" to go to the right places.
*/
isc_result_t
named_log_setunmatchedcategory(isc_logconfig_t *lcfg);
/*%
* Set up "category unmatched" to go to the right places.
*/
void
named_log_shutdown(void);
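Review bot: `named_log_init(bool safe)` uses `bool`, but this header does not include `<stdbool.h>`; it compiles only because one of the included isc/ headers happens to provide it, so include it explicitly as control.h and globals.h do. named_log_shutdown() is the only function here without a `/*%<` comment. For named_log_setdefaultsslkeylogfile(), the description should spell out that the file receives the TLS pre-master secrets in cleartext, which allow captured TLS traffic to be decrypted, so a reader of this header understands why the channel is only set up when SSLKEYLOGFILE is present in the environment and should stay a debugging-only facility.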
Some files were not shown because too many files have changed in this diff