Commit 29f699d6 authored by Evan Hunt

Merge branch '105-nta-all' into 'master'

Resolve "[RT#44623] RNDC NTA option to add NTA to all views"

Closes #105

See merge request isc-projects/bind9!658
parents 07f29a08 2f6ba87a
5033. [bug] When adding NTAs to multiple views using "rndc nta",
the text returned via rndc was incorrectly terminated
after the first line, making it look as if only one
NTA had been added. Also, it was not possible to
differentiate between views with the same name but
different classes; this has been corrected with the
addition of a "-class" option. [GL #105]
5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
[GL #511]
......@@ -938,7 +938,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/* We don't need trust anchors for the _bind view */
if (strcmp(view->name, "_bind") == 0 &&
view->rdclass == dns_rdataclass_chaos) {
view->rdclass == dns_rdataclass_chaos)
{
return (ISC_R_SUCCESS);
}
......@@ -14231,6 +14232,7 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
dns_name_t *fname;
dns_ttl_t ntattl;
bool ttlset = false, excl = false;
dns_rdataclass_t rdclass = dns_rdataclass_in;
UNUSED(force);
......@@ -14238,18 +14240,20 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
/* Skip the command name. */
ptr = next_token(lex, text);
if (ptr == NULL)
if (ptr == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
for (;;) {
/* Check for options */
ptr = next_token(lex, text);
if (ptr == NULL)
if (ptr == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
if (argcheck(ptr, "dump"))
if (argcheck(ptr, "dump")) {
dump = true;
else if (argcheck(ptr, "remove")) {
} else if (argcheck(ptr, "remove")) {
ntattl = 0;
ttlset = true;
} else if (argcheck(ptr, "force")) {
......@@ -14279,8 +14283,22 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
ttlset = true;
continue;
} else
} else if (argcheck(ptr, "class")) {
isc_textregion_t tr;
ptr = next_token(lex, text);
if (ptr == NULL) {
msg = "No class specified";
CHECK(ISC_R_UNEXPECTEDEND);
}
tr.base = ptr;
tr.length = strlen(ptr);
CHECK(dns_rdataclass_fromtext(&rdclass, &tr));
continue;
} else {
nametext = ptr;
}
break;
}
......@@ -14293,11 +14311,13 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (ntatable != NULL)
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
result = dns_view_getntatable(view, &ntatable);
if (result == ISC_R_NOTFOUND)
if (result == ISC_R_NOTFOUND) {
continue;
}
CHECK(dns_ntatable_totext(ntatable, text));
}
CHECK(putnull(text));
......@@ -14314,17 +14334,19 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
}
/* Get the NTA name. */
if (nametext == NULL)
if (nametext == NULL) {
nametext = next_token(lex, text);
if (nametext == NULL)
}
if (nametext == NULL) {
return (ISC_R_UNEXPECTEDEND);
}
/* Copy nametext as it'll be overwritten by next_token() */
strlcpy(namebuf, nametext, DNS_NAME_FORMATSIZE);
if (strcmp(namebuf, ".") == 0)
if (strcmp(namebuf, ".") == 0) {
ntaname = dns_rootname;
else {
} else {
isc_buffer_t b;
isc_buffer_init(&b, namebuf, strlen(namebuf));
isc_buffer_add(&b, strlen(namebuf));
......@@ -14344,18 +14366,27 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (viewname != NULL &&
strcmp(view->name, viewname) != 0)
static bool first = true;
if (viewname != NULL && strcmp(view->name, viewname) != 0) {
continue;
}
if (view->nta_lifetime == 0)
if (view->rdclass != rdclass && rdclass != dns_rdataclass_any) {
continue;
}
if (view->nta_lifetime == 0) {
continue;
}
if (!ttlset)
if (!ttlset) {
ntattl = view->nta_lifetime;
}
if (ntatable != NULL)
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
result = dns_view_getntatable(view, &ntatable);
if (result == ISC_R_NOTFOUND) {
......@@ -14378,6 +14409,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
isc_time_set(&t, when, 0);
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
if (!first) {
CHECK(putstr(text, "\n"));
}
first = false;
CHECK(putstr(text, "Negative trust anchor added: "));
CHECK(putstr(text, namebuf));
CHECK(putstr(text, "/"));
......@@ -14392,6 +14428,11 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
} else {
CHECK(dns_ntatable_delete(ntatable, ntaname));
if (!first) {
CHECK(putstr(text, "\n"));
}
first = false;
CHECK(putstr(text, "Negative trust anchor removed: "));
CHECK(putstr(text, namebuf));
CHECK(putstr(text, "/"));
......@@ -14411,20 +14452,21 @@ named_server_nta(named_server_t *server, isc_lex_t *lex,
"for view '%s': %s",
view->name, isc_result_totext(result));
}
CHECK(putnull(text));
}
CHECK(putnull(text));
cleanup:
if (msg != NULL) {
(void) putstr(text, msg);
(void) putnull(text);
}
if (excl)
if (excl) {
isc_task_endexclusive(server->task);
if (ntatable != NULL)
}
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
return (result);
}
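Review bot: The `first` flag that decides whether to emit a separating `\n` before each "Negative trust anchor added/removed" line is declared `static` inside the per-view loop (`static bool first = true;`), so it is initialised once per process and stays `false` after the first successful add or remove; every subsequent `rndc nta` command in the same `named` lifetime will then begin its reply with a blank line. It should be an automatic variable declared just before the `for (view = ISC_LIST_HEAD(...)` loop, `bool first = true;`, so each command starts with a clean separator state. The start of `named_server_nta` is outside these hunks, so I can't see whether this loop runs under the exclusive-task section; regardless, a function-scope static is process-global state and is not the right home for per-request formatting state. A related nit: the new `-class` option silently accepts `any` and matches views of every class via `rdclass != dns_rdataclass_any`, which is worth a one-line comment above that `continue` since the docbook text only describes the IN default.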
......@@ -575,7 +575,7 @@
<varlistentry>
<term><userinput>nta
<optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
<optional>( -class <replaceable>class</replaceable> | -dump | -force | -remove | -lifetime <replaceable>duration</replaceable>)</optional>
<replaceable>domain</replaceable>
<optional><replaceable>view</replaceable></optional>
</userinput></term>
......@@ -623,7 +623,7 @@
is equivalent to <option>-remove</option>.
</para>
<para>
If <option>-dump</option> is used, any other arguments
If the <option>-dump</option> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
......@@ -640,10 +640,15 @@
lifetime, regardless of whether data could be
validated if the NTA were not present.
</para>
<para>
The view class can be specified with <option>-class</option>.
The default is class <userinput>IN</userinput>, which is
the only class for which DNSSEC is currently supported.
</para>
<para>
All of these options can be shortened, i.e., to
<option>-l</option>, <option>-r</option>, <option>-d</option>,
and <option>-f</option>.
<option>-f</option>, and <option>-c</option>.
</para>
</listitem>
</varlistentry>
......
......@@ -12,7 +12,7 @@
rm -f dig.out.*.test*
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run
rm -f ns*/named.run ns*/named.run.prev
rm -f ns2/named.stats
rm -f ns2/nil.db ns2/other.db ns2/static.db ns2/*.jnl
rm -f ns2/session.key
......@@ -25,3 +25,4 @@ rm -f nsupdate.out.*.test*
rm -f python.out.*.test*
rm -f rndc.out.*.test*
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ns*/*.nta
......@@ -14,7 +14,6 @@ options {
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
};
key rndc_key {
......@@ -31,8 +30,17 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view all {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "../../common/root.hint";
};
};
zone "." {
type hint;
file "../../common/root.hint";
view none {
match-clients { none; };
};
......@@ -486,6 +486,22 @@ grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "testing rndc nta -class option ($n)"
ret=0
nextpart ns4/named.run > /dev/null
$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1
nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288
do
n=`expr $n + 1`
......@@ -656,5 +672,14 @@ grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check rndc nta reports adding to multiple views ($n)"
ret=0
$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1
lines=`cat rndc.out.test$n | wc -l`
[ ${lines:-0} -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
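Review bot: The multi-view check runs `rndc nta test.com` against 10.53.0.3 only once and asserts nothing beyond `wc -l` equalling 2, so it cannot catch formatting that depends on earlier invocations; the separator flag in `named_server_nta` is a function-scope `static bool first`, so a second add or remove from the same server would begin with a blank line and produce three lines here. Issue the command a second time in the same test (for example `$RNDCCMD 10.53.0.3 nta -r test.com > rndc.out.2.test$n 2>&1 || ret=1` followed by the same line-count assertion) and also grep that the first line starts with `Negative trust anchor`, which is a stronger check than a bare line count. The `-c fake` case relies on the literal `unknown class` appearing in the rndc output; if that string comes from `isc_result_totext()` rather than from this code, a comment saying so would keep a future message change from silently breaking the test.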
......@@ -465,6 +465,14 @@
instead of using the <command>resolver</command> category.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
</itemizedlist>
</section>
......@@ -497,6 +505,15 @@
to be non-resolvable. [GL #390]
</para>
</listitem>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large