Commit 995c41e8 authored by Evan Hunt

[master] further restrict update-policy local

4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]
parent 7baa39fc
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
4761. [protocol] Add support for DOA. [RT #45612] 4761. [protocol] Add support for DOA. [RT #45612]
4760. [func] Add glue cache statistics counters. [RT #46028] 4760. [func] Add glue cache statistics counters. [RT #46028]
...@@ -127,6 +127,7 @@ static isc_boolean_t noaa = ISC_FALSE; ...@@ -127,6 +127,7 @@ static isc_boolean_t noaa = ISC_FALSE;
static unsigned int delay = 0; static unsigned int delay = 0;
static isc_boolean_t nonearest = ISC_FALSE; static isc_boolean_t nonearest = ISC_FALSE;
static isc_boolean_t notcp = ISC_FALSE; static isc_boolean_t notcp = ISC_FALSE;
static isc_boolean_t fixedlocal = ISC_FALSE;
/* /*
* -4 and -6 * -4 and -6
...@@ -626,14 +627,21 @@ parse_command_line(int argc, char *argv[]) { ...@@ -626,14 +627,21 @@ parse_command_line(int argc, char *argv[]) {
} else if (!strcmp(isc_commandline_argument, "notcp")) } else if (!strcmp(isc_commandline_argument, "notcp"))
notcp = ISC_TRUE; notcp = ISC_TRUE;
else if (!strncmp(isc_commandline_argument, "tat=", 4)) else if (!strncmp(isc_commandline_argument, "tat=", 4))
{
named_g_tat_interval = named_g_tat_interval =
atoi(isc_commandline_argument + 4); atoi(isc_commandline_argument + 4);
else if (!strcmp(isc_commandline_argument, } else if (!strcmp(isc_commandline_argument,
"keepstderr")) "keepstderr"))
{
named_g_keepstderr = ISC_TRUE; named_g_keepstderr = ISC_TRUE;
else } else if (!strcmp(isc_commandline_argument,
"fixedlocal"))
{
fixedlocal = ISC_TRUE;
} else {
fprintf(stderr, "unknown -T flag '%s\n", fprintf(stderr, "unknown -T flag '%s\n",
isc_commandline_argument); isc_commandline_argument);
}
break; break;
case 'U': case 'U':
named_g_udpdisp = parse_int(isc_commandline_argument, named_g_udpdisp = parse_int(isc_commandline_argument,
...@@ -1193,6 +1201,8 @@ setup(void) { ...@@ -1193,6 +1201,8 @@ setup(void) {
ns_server_setoption(sctx, NS_SERVER_NONEAREST, ISC_TRUE); ns_server_setoption(sctx, NS_SERVER_NONEAREST, ISC_TRUE);
if (notcp) if (notcp)
ns_server_setoption(sctx, NS_SERVER_NOTCP, ISC_TRUE); ns_server_setoption(sctx, NS_SERVER_NOTCP, ISC_TRUE);
if (fixedlocal)
ns_server_setoption(sctx, NS_SERVER_FIXEDLOCAL, ISC_TRUE);
if (disable4) if (disable4)
ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE); ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE);
if (disable6) if (disable6)
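Review bot: The new `fixedlocal` flag (declared at L21, parsed at L38, applied at L50) is added with no comment, yet judging from the ns5 fixture in this commit (named.args passes `-T fixedlocal` and the test expects a 10.53.0.1 source on the same host to be refused) it appears to alter which source addresses count as "local" for `update-policy local`; a test hook that changes an access-control decision should say so where it is declared, e.g. `static isc_boolean_t fixedlocal = ISC_FALSE; /* -T fixedlocal: test-only; changes which addresses count as "local" for update-policy local (NS_SERVER_FIXEDLOCAL) */`. The context line `fprintf(stderr, "unknown -T flag '%s\n", ...)` is also missing the closing quote after `%s`; `"unknown -T flag '%s'\n"`. Both parse_command_line() and setup() start and end outside these hunks.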
...@@ -218,7 +218,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, ...@@ -218,7 +218,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
const char *str; const char *str;
isc_boolean_t grant = ISC_FALSE; isc_boolean_t grant = ISC_FALSE;
isc_boolean_t usezone = ISC_FALSE; isc_boolean_t usezone = ISC_FALSE;
unsigned int mtype = DNS_SSUMATCHTYPE_NAME; unsigned int mtype = dns_ssumatchtype_name;
dns_fixedname_t fname, fident; dns_fixedname_t fname, fident;
isc_buffer_t b; isc_buffer_t b;
dns_rdatatype_t *types; dns_rdatatype_t *types;
...@@ -234,34 +234,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, ...@@ -234,34 +234,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype); str = cfg_obj_asstring(matchtype);
if (strcasecmp(str, "name") == 0) if (strcasecmp(str, "name") == 0)
mtype = DNS_SSUMATCHTYPE_NAME; mtype = dns_ssumatchtype_name;
else if (strcasecmp(str, "subdomain") == 0) else if (strcasecmp(str, "subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAIN; mtype = dns_ssumatchtype_subdomain;
else if (strcasecmp(str, "wildcard") == 0) else if (strcasecmp(str, "wildcard") == 0)
mtype = DNS_SSUMATCHTYPE_WILDCARD; mtype = dns_ssumatchtype_wildcard;
else if (strcasecmp(str, "self") == 0) else if (strcasecmp(str, "self") == 0)
mtype = DNS_SSUMATCHTYPE_SELF; mtype = dns_ssumatchtype_self;
else if (strcasecmp(str, "selfsub") == 0) else if (strcasecmp(str, "selfsub") == 0)
mtype = DNS_SSUMATCHTYPE_SELFSUB; mtype = dns_ssumatchtype_selfsub;
else if (strcasecmp(str, "selfwild") == 0) else if (strcasecmp(str, "selfwild") == 0)
mtype = DNS_SSUMATCHTYPE_SELFWILD; mtype = dns_ssumatchtype_selfwild;
else if (strcasecmp(str, "ms-self") == 0) else if (strcasecmp(str, "ms-self") == 0)
mtype = DNS_SSUMATCHTYPE_SELFMS; mtype = dns_ssumatchtype_selfms;
else if (strcasecmp(str, "krb5-self") == 0) else if (strcasecmp(str, "krb5-self") == 0)
mtype = DNS_SSUMATCHTYPE_SELFKRB5; mtype = dns_ssumatchtype_selfkrb5;
else if (strcasecmp(str, "ms-subdomain") == 0) else if (strcasecmp(str, "ms-subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS; mtype = dns_ssumatchtype_subdomainms;
else if (strcasecmp(str, "krb5-subdomain") == 0) else if (strcasecmp(str, "krb5-subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5; mtype = dns_ssumatchtype_subdomainkrb5;
else if (strcasecmp(str, "tcp-self") == 0) else if (strcasecmp(str, "tcp-self") == 0)
mtype = DNS_SSUMATCHTYPE_TCPSELF; mtype = dns_ssumatchtype_tcpself;
else if (strcasecmp(str, "6to4-self") == 0) else if (strcasecmp(str, "6to4-self") == 0)
mtype = DNS_SSUMATCHTYPE_6TO4SELF; mtype = dns_ssumatchtype_6to4self;
else if (strcasecmp(str, "zonesub") == 0) { else if (strcasecmp(str, "zonesub") == 0) {
mtype = DNS_SSUMATCHTYPE_SUBDOMAIN; mtype = dns_ssumatchtype_subdomain;
usezone = ISC_TRUE; usezone = ISC_TRUE;
} else if (strcasecmp(str, "external") == 0) } else if (strcasecmp(str, "external") == 0)
mtype = DNS_SSUMATCHTYPE_EXTERNAL; mtype = dns_ssumatchtype_external;
else else
INSIST(0); INSIST(0);
...@@ -373,7 +373,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, ...@@ -373,7 +373,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
result = dns_ssutable_addrule(table, ISC_TRUE, result = dns_ssutable_addrule(table, ISC_TRUE,
named_g_server->session_keyname, named_g_server->session_keyname,
DNS_SSUMATCHTYPE_SUBDOMAIN, dns_ssumatchtype_local,
dns_zone_getorigin(zone), dns_zone_getorigin(zone),
1, &any); 1, &any);
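Review bot: Switching the session-key rule to `dns_ssumatchtype_local` only restricts anything if the dynamic-update path evaluates the rule with the client's address and ACL environment, i.e. calls the new `dns_ssutable_checkrules2()` with non-NULL `addr` and `env`; that caller is not part of this page, so please confirm it was changed, since through the old `dns_ssutable_checkrules()` a `local` rule has no address to test. It is also not visible here whether `dns_ssumatchtype_local` still confines updates to names under `dns_zone_getorigin(zone)` the way the previous `DNS_SSUMATCHTYPE_SUBDOMAIN` rule did; the ARM text in this commit promises both checks. A comment on the addrule call would pin the intent: `/* session key: names under the zone origin, and only from local addresses */`. configure_zone_ssutable() begins and ends outside these hunks.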
...@@ -11,12 +11,12 @@ ...@@ -11,12 +11,12 @@
# #
rm -f */named.memstats rm -f */named.memstats
rm -f */named.run rm -f */named.run */ans.run
rm -f Kxxx.* rm -f Kxxx.*
rm -f dig.out.* rm -f dig.out.*
rm -f jp.out.ns3.* rm -f jp.out.ns3.*
rm -f ns*/named.lock rm -f ns*/named.lock
rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl rm -f */*.jnl
rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
rm -f ns1/many.test.db rm -f ns1/many.test.db
rm -f ns1/maxjournal.db rm -f ns1/maxjournal.db
...@@ -33,6 +33,7 @@ rm -f ns3/example.db ...@@ -33,6 +33,7 @@ rm -f ns3/example.db
rm -f ns3/many.test.bk rm -f ns3/many.test.bk
rm -f ns3/nsec3param.test.db rm -f ns3/nsec3param.test.db
rm -f ns3/too-big.test.db rm -f ns3/too-big.test.db
rm -f ns5/local.db
rm -f nsupdate.out* rm -f nsupdate.out*
rm -f typelist.out.* rm -f typelist.out.*
rm -f ns1/sample.db rm -f ns1/sample.db
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$ORIGIN .
$TTL 300 ; 5 minutes
local.nil IN SOA ns5.local.nil. hostmaster.local.nil. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
local.nil. NS ns5.local.nil.
ns5.local.nil. A 10.53.0.5
$ORIGIN local.nil.
a A 10.10.10.10
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -U 4 -T fixedlocal
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port 5300;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.5; };
recursion no;
notify yes;
minimal-responses no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
};
zone "local.nil" {
type master;
file "local.db";
update-policy local;
};
...@@ -64,3 +64,5 @@ cp ns2/sample.db.in ns2/sample.db ...@@ -64,3 +64,5 @@ cp ns2/sample.db.in ns2/sample.db
cp -f ns1/maxjournal.db.in ns1/maxjournal.db cp -f ns1/maxjournal.db.in ns1/maxjournal.db
rm -f ns1/maxjournal.db.jnl rm -f ns1/maxjournal.db.jnl
cp -f ns5/local.db.in ns5/local.db
...@@ -464,6 +464,44 @@ then ...@@ -464,6 +464,44 @@ then
echo "I:failed"; status=1 echo "I:failed"; status=1
fi fi
n=`expr $n + 1`
ret=0
echo "I:check that 'update-policy local' works from localhost address ($n)"
$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1
server 10.53.0.5 5300
local 127.0.0.1 5300
update add fromlocal.local.nil. 600 A 1.2.3.4
send
END
grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
$DIG @10.53.0.5 -p 5300 \
+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
fromlocal.local.nil. > dig.out.ns5.$n || ret=1
grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1
if test $ret -ne 0
then
echo "I:failed"; status=1
fi
n=`expr $n + 1`
ret=0
echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
server 10.53.0.5 5300
local 10.53.0.1 5300
update add nonlocal.local.nil. 600 A 4.3.2.1
send
END
grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
$DIG @10.53.0.5 -p 5300 \
+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
nonlocal.local.nil. > dig.out.ns5.$n || ret=1
grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1
if test $ret -ne 0
then
echo "I:failed"; status=1
fi
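Review bot: The two new cases show that the source-address check is enforced, but neither shows that the session key is still required: an unsigned update from 127.0.0.1 must still be REFUSED, otherwise `local` could silently degrade from "signed with the session key AND from a local address" to "from a local address" without any test noticing. A third case modelled on the first, with `-k ns5/session.key` omitted and expecting REFUSED, closes that gap; an IPv6 `::1` source case would also be worth adding where the test hosts support it. Note that the negative case sends from `local 10.53.0.1`, an address configured on the same host, so it only fails because ns5 runs under `-T fixedlocal` (named.args); a comment saying so would help whoever later removes that flag.
```shell
n=`expr $n + 1`
ret=0
echo "I:check that 'update-policy local' refuses an unsigned update from localhost ($n)"
$NSUPDATE -p 5300 > nsupdate.out.$n 2>&1 << END && ret=1
server 10.53.0.5 5300
local 127.0.0.1 5300
update add unsigned.local.nil. 600 A 5.6.7.8
send
END
grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
$DIG @10.53.0.5 -p 5300 \
	+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
	unsigned.local.nil. > dig.out.ns5.$n || ret=1
grep unsigned dig.out.ns5.$n > /dev/null 2>&1 && ret=1
if test $ret -ne 0
then
echo "I:failed"; status=1
fi
```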
n=`expr $n + 1` n=`expr $n + 1`
ret=0 ret=0
echo "I:check that changes to the DNSKEY RRset TTL do not have side effects ($n)" echo "I:check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
...@@ -13016,38 +13016,52 @@ example.com. NS ns2.example.net. ...@@ -13016,38 +13016,52 @@ example.com. NS ns2.example.net.
is present, it is a configuration error for the is present, it is a configuration error for the
<command>allow-update</command> statement to be <command>allow-update</command> statement to be
present. The <command>update-policy</command> statement present. The <command>update-policy</command> statement
only examines the signer of a message; the source (except when set to <literal>local</literal>) only
examines the signer of a message; the source
address is not relevant. address is not relevant.
</para> </para>
<para> <para>
There is a pre-defined <command>update-policy</command> A pre-defined <command>update-policy</command> rule can be
rule which can be switched on with the command switched on with the command
<command>update-policy local;</command>. <command>update-policy local;</command>.
Switching on this rule in a zone causes Switching on this rule in a zone causes
<command>named</command> to generate a TSIG session <command>named</command> to generate a TSIG session key and
key and place it in a file, and to allow that key place it in a file. That key will then be allowed to update
to update the zone. (By default, the file is the zone, if the update request is sent from localhost.
<filename>/var/run/named/session.key</filename>, the key By default, the session key is stored in the file
name is "local-ddns" and the key algorithm is HMAC-SHA256, <filename>/var/run/named/session.key</filename>; the key name
but these values are configurable with the is "local-ddns" and the key algorithm is HMAC-SHA256.
These values are configurable with the
<command>session-keyfile</command>, <command>session-keyfile</command>,
<command>session-keyname</command> and <command>session-keyname</command> and
<command>session-keyalg</command> options, respectively). <command>session-keyalg</command> options, respectively).
</para> </para>
<para> <para>
A client running on the local system, and with appropriate A client on the local system, if it is run with appropriate
permissions, may read that file and use the key to sign update permissions, may read the session key from the key file and
requests. The zone's update policy will be set to allow that use the key to sign update requests. The zone's update
key to change any record within the zone. Assuming the policy will be set to allow that key to change any record
key name is "local-ddns", this policy is equivalent to: within the zone. Assuming the key name is "local-ddns",
this policy is:
</para> </para>
<programlisting>update-policy { grant local-ddns zonesub any; }; <programlisting>update-policy { grant local-ddns zonesub any; };
</programlisting> </programlisting>
<para> <para>
The command <command>nsupdate -l</command> sends update ...with an additional restriction that only clients
requests to localhost, and signs them using the session key. connecting from the local system will be permitted to send
updates.
</para>
<para>
Note that only one session key is generated; all zones
configured to use <command>update-policy local</command>
will accept the same key.
</para>
<para>
The command <command>nsupdate -l</command> implements this
feature, sending requests to localhost and signing them using
the key retrieved from the session key file.
</para> </para>
<para> <para>
...@@ -471,6 +471,15 @@ ...@@ -471,6 +471,15 @@
anchor is now a fatal configuration error. [RT #46155] anchor is now a fatal configuration error. [RT #46155]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Previously, <command>update-policy local;</command> accepted
updates from any source so long as they were signed by the
locally-generated session key. This has been further restricted;
updates are now only accepted from locally configured addresses.
[RT #45492]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The lightweight resolver daemon and library (<command>lwresd</command> The lightweight resolver daemon and library (<command>lwresd</command>
...@@ -6,8 +6,6 @@ ...@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. * file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/ */
/* $Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp $ */
#ifndef DNS_SSU_H #ifndef DNS_SSU_H
#define DNS_SSU_H 1 #define DNS_SSU_H 1
...@@ -15,26 +13,31 @@ ...@@ -15,26 +13,31 @@
#include <isc/lang.h> #include <isc/lang.h>
#include <dns/acl.h>
#include <dns/types.h> #include <dns/types.h>
#include <dst/dst.h> #include <dst/dst.h>
ISC_LANG_BEGINDECLS ISC_LANG_BEGINDECLS
#define DNS_SSUMATCHTYPE_NAME 0 typedef enum {
#define DNS_SSUMATCHTYPE_SUBDOMAIN 1 dns_ssumatchtype_name = 0,
#define DNS_SSUMATCHTYPE_WILDCARD 2 dns_ssumatchtype_subdomain = 1,
#define DNS_SSUMATCHTYPE_SELF 3 dns_ssumatchtype_wildcard = 2,
#define DNS_SSUMATCHTYPE_SELFSUB 4 dns_ssumatchtype_self = 3,
#define DNS_SSUMATCHTYPE_SELFWILD 5 dns_ssumatchtype_selfsub = 4,
#define DNS_SSUMATCHTYPE_SELFKRB5 6 dns_ssumatchtype_selfwild = 5,
#define DNS_SSUMATCHTYPE_SELFMS 7 dns_ssumatchtype_selfkrb5 = 6,
#define DNS_SSUMATCHTYPE_SUBDOMAINMS 8 dns_ssumatchtype_selfms = 7,
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9 dns_ssumatchtype_subdomainms = 8,
#define DNS_SSUMATCHTYPE_TCPSELF 10 dns_ssumatchtype_subdomainkrb5 = 9,
#define DNS_SSUMATCHTYPE_6TO4SELF 11 dns_ssumatchtype_tcpself = 10,
#define DNS_SSUMATCHTYPE_EXTERNAL 12 dns_ssumatchtype_6to4self = 11,
#define DNS_SSUMATCHTYPE_DLZ 13 dns_ssumatchtype_external = 12,
#define DNS_SSUMATCHTYPE_MAX 12 /* max value */ dns_ssumatchtype_local = 13,
dns_ssumatchtype_max = 13, /* max value */
dns_ssumatchtype_dlz = 14 /* intentionally higher than _max */
} dns_ssumatchtype_t;
isc_result_t isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table); dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
...@@ -56,7 +59,7 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, ...@@ -56,7 +59,7 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
dns_dlzdb_t *dlzdatabase); dns_dlzdb_t *dlzdatabase);
/*%< /*%<
* Create an SSU table that contains a dlzdatabase pointer, and a * Create an SSU table that contains a dlzdatabase pointer, and a
* single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU * single rule with matchtype dns_ssumatchtype_dlz. This type of SSU
* table is used by writeable DLZ drivers to offload authorization for * table is used by writeable DLZ drivers to offload authorization for
* updates to the driver. * updates to the driver.
*/ */
...@@ -90,7 +93,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep); ...@@ -90,7 +93,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep);
isc_result_t isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant, dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
const dns_name_t *identity, unsigned int matchtype, const dns_name_t *identity, dns_ssumatchtype_t matchtype,
const dns_name_t *name, unsigned int ntypes, const dns_name_t *name, unsigned int ntypes,
dns_rdatatype_t *types); dns_rdatatype_t *types);
/*%< /*%<
...@@ -123,7 +126,12 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant, ...@@ -123,7 +126,12 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
isc_boolean_t isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
const dns_name_t *name, const isc_netaddr_t *tcpaddr, const dns_name_t *name, const isc_netaddr_t *addr,
dns_rdatatype_t type, const dst_key_t *key);
isc_boolean_t
dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
const dns_name_t *name, const isc_netaddr_t *addr,
isc_boolean_t tcp, const dns_aclenv_t *env,
dns_rdatatype_t type, const dst_key_t *key); dns_rdatatype_t type, const dst_key_t *key);
/*%< /*%<
* Checks that the attempted update of (name, type) is allowed according * Checks that the attempted update of (name, type) is allowed according
...@@ -131,18 +139,26 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, ...@@ -131,18 +139,26 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
* no rules are matched, access is denied. * no rules are matched, access is denied.
* *
* Notes: * Notes:
* 'tcpaddr' should only be set if the request received * In dns_ssutable_checkrules(), 'addr' should only be
* via TCP. This provides a weak assurance that the * set if the request received via TCP. This provides a
* request was not spoofed. 'tcpaddr' is to to validate * weak assurance that the request was not spoofed.
* DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF * 'addr' is to to validate dns_ssumatchtype_tcpself
* rules. * and dns_ssumatchtype_6to4self rules.
* *
* For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to * In dns_ssutable_checkrules2(), 'addr' can also be passed for
* UDP requests and TCP is specified via the 'tcp' parameter.
* In addition to dns_ssumatchtype_tcpself and
* tcp_ssumatchtype_6to4self rules, the address
* also be used to check dns_ssumatchtype_local rules.
* If 'addr' is set then 'env' must also be set so that
* requests from non-localhost addresses can be rejected.
*
* For dns_ssumatchtype_tcpself the addresses are mapped to
* the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. * the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
* RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, * RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
* Section 2.5, "IP6.ARPA Domain". * Section 2.5, "IP6.ARPA Domain".
* *
* For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted * For dns_ssumatchtype_6to4self, IPv4 address are converted
* to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only * to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only
* the top 48 bits of the IPv6 address are mapped to the reverse * the top 48 bits of the IPv6 address are mapped to the reverse
* name. This is independent of whether the most significant 16 * name. This is independent of whether the most significant 16
...@@ -151,8 +167,10 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, ...@@ -151,8 +167,10 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
* Requires: * Requires:
*\li 'table' is a valid SSU table *\li 'table' is a valid SSU table
*\li 'signer' is NULL or a valid absolute name *\li 'signer' is NULL or a valid absolute name
*\li 'tcpaddr' is NULL or a valid network address. *\li 'addr' is NULL or a valid network address.
*\li 'aclenv' is NULL or a valid ACL environment.
*\li 'name' is a valid absolute name *\li 'name' is a valid absolute name
*\li if 'addr' is not NULL, 'env' is not NULL.
*/ */
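Review bot: The new comment block defines the contract for `dns_ssumatchtype_local` and has several slips that will mislead callers: `tcp_ssumatchtype_6to4self` should read `dns_ssumatchtype_6to4self`, "the address also be used" should read "the address can also be used", and the Requires entry names `'aclenv'` while the parameter is `env`. More importantly it never states what the retained `dns_ssutable_checkrules()` (no `env`, no `tcp`) does when the table contains a `dns_ssumatchtype_local` rule, which is exactly the case `update-policy local` now creates; callers need to know whether such a rule is denied or ignored, e.g. `* dns_ssumatchtype_local rules can only be evaluated by dns_ssutable_checkrules2(); through dns_ssutable_checkrules() they never match. -- TODO confirm against ssu.c`. It would also help to say why `dns_ssumatchtype_dlz` sits above `dns_ssumatchtype_max`: presumably so that range checks against `_max` reject it in ordinary rule tables, which the bare "intentionally higher" remark leaves to the reader.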
...@@ -37,13 +37,14 @@ ...@@ -37,13 +37,14 @@
struct dns_ssurule { struct dns_ssurule {
unsigned int magic; unsigned int magic;
isc_boolean_t grant; /*%< is this a grant or a deny? */ isc_boolean_t grant; /*%< is this a grant or a deny? */
unsigned int matchtype; /*%< which type of pattern match? */ dns_ssumatchtype_t matchtype; /*%< which type of pattern match? */
dns_name_t *identity; /*%< the identity to match */ dns_name_t *identity; /*%< the identity to match */
dns_name_t *name; /*%< the name being updated */ dns_name_t *name; /*%< the name being updated */
unsigned int ntypes; /*%< number of data types covered */ unsigned int ntypes; /*%< number of data types covered */
dns_rdatatype_t *types; /*%< the data types. Can include ANY, */ dns_rdatatype_t *types; /*%< the data types. Can include */
/*%< defaults to all but SIG,SOA,NS if NULL */ /* ANY. if NULL, defaults to all */
/* types except SIG, SOA, and NS */
ISC_LINK(dns_ssurule_t) link; ISC_LINK(dns_ssurule_t) link;
}; };
...@@ -150,7 +151,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep) { ...@@ -150,7 +151,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep) {
isc_result_t isc_result_t