Commit 0e507dbb authored by Mark Andrews

2039. [func] Redirect on NXDOMAIN support. [RT #23146]

parent 3b46648b
2039. [func] Redirect on NXDOMAIN support. [RT #23146]
2038. [bug] Install <dns/rpz.h>. [RT #23342]
2037. [doc] Update COPYRIGHT to contain all the individual
/*
* Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
* From bind.keys 1.7 2011/01/03 23:45:07 each Exp
* Generated by bindkeys.pl 1.7 2011-01-04 23:47:13 tbox Exp
* From bind.keys 1.7 2011-01-03 23:45:07 each Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.115 2011/02/03 12:18:10 tbox Exp $ */
/* $Id: config.c,v 1.116 2011/02/23 03:08:08 marka Exp $ */
/*! \file */
......@@ -377,6 +377,8 @@ ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
ztype = dns_zone_stub;
else if (strcasecmp(str, "static-stub") == 0)
ztype = dns_zone_staticstub;
else if (strcasecmp(str, "redirect") == 0)
ztype = dns_zone_redirect;
else
INSIST(0);
return (ztype);
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.50 2011/02/03 05:41:52 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.51 2011/02/23 03:08:08 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -563,7 +563,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<title>ZONE</title>
<literallayout>
zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
type ( master | slave | stub | hint |
type ( master | slave | stub | hint | redirect |
forward | delegation-only );
file <replaceable>quoted_string</replaceable>;
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.355 2011/02/18 15:18:30 smann Exp $ */
/* $Id: query.c,v 1.356 2011/02/23 03:08:08 marka Exp $ */
/*! \file */
......@@ -4928,6 +4928,106 @@ dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
return (ISC_FALSE);
}
/*
* Look for the name and type in the redirection zone. If found update
* the arguments as appropriate. Return ISC_TRUE if a update was
* performed.
*
* Only perform the update if the client is in the allow query acl and
* returning the update would not cause a DNSSEC validation failure.
*/
static isc_boolean_t
redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_dbnode_t **nodep, dns_db_t **dbp, dns_rdatatype_t qtype)
{
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_fixedname_t fixed;
dns_name_t *found;
dns_rdataset_t trdataset;
isc_result_t result;
dns_rdatatype_t type;
CTRACE("redirect");
if (client->view->redirect == NULL)
return (ISC_FALSE);
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
dns_rdataset_init(&trdataset);
if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
return (ISC_FALSE);
if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
if (rdataset->trust == dns_trust_secure)
return (ISC_FALSE);
if (rdataset->trust == dns_trust_ultimate &&
(rdataset->type == dns_rdatatype_nsec ||
rdataset->type == dns_rdatatype_nsec3))
return (ISC_FALSE);
if (rdataset->type == 0) {
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
dns_ncache_current(rdataset, found, &trdataset);
type = trdataset.type;
dns_rdataset_disassociate(&trdataset);
if (type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3 ||
type == dns_rdatatype_rrsig)
return (ISC_FALSE);
}
}
}
result = ns_client_checkaclsilent(client, NULL,
dns_zone_getqueryacl(client->view->redirect),
ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
result = dns_zone_getdb(client->view->redirect, &db);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
/*
* Lookup the requested data in the redirect zone.
*/
result = dns_db_find(db, client->query.qname, NULL, qtype, 0,
client->now, &node, found, &trdataset, NULL);
if (result != ISC_R_SUCCESS) {
if (dns_rdataset_isassociated(&trdataset))
dns_rdataset_disassociate(&trdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
dns_db_detach(&db);
return (ISC_FALSE);
}
CTRACE("redirect: found data: done");
dns_name_copy(found, name, NULL);
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(&trdataset)) {
dns_rdataset_clone(&trdataset, rdataset);
dns_rdataset_disassociate(&trdataset);
}
if (*nodep != NULL)
dns_db_detachnode(*dbp, nodep);
dns_db_detach(dbp);
dns_db_attachnode(db, node, nodep);
dns_db_attach(db, dbp);
dns_db_detachnode(db, &node);
dns_db_detach(&db);
client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
NS_QUERYATTR_NOADDITIONAL);
return (ISC_TRUE);
}
/*
* Do the bulk of query processing for the current query of 'client'.
* If 'event' is non-NULL, we are returning from recursion and 'qtype'
......@@ -5844,6 +5944,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
case DNS_R_NXDOMAIN:
INSIST(is_zone);
if (!empty_wild &&
redirect(client, fname, rdataset, &node, &db, type)) {
result = ISC_R_SUCCESS;
break;
}
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NSEC record, we need to save the
......@@ -5904,6 +6009,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
case DNS_R_NCACHENXDOMAIN:
if (redirect(client, fname, rdataset, &node, &db, type)) {
result = ISC_R_SUCCESS;
break;
}
case DNS_R_NCACHENXRRSET:
ncache_nxrrset:
INSIST(!is_zone);
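Review bot: The `case DNS_R_NCACHENXDOMAIN:` in the last hunk now executes `if (redirect(client, fname, rdataset, &node, &db, type)) { result = ISC_R_SUCCESS; break; }` and then drops into `case DNS_R_NCACHENXRRSET:` with no marker; the fall-through was self-evident while the two labels were adjacent, but with code between them it needs an explicit `/* FALLTHROUGH */` after the closing brace so a reader (or a `-Wimplicit-fallthrough` build) does not read it as a missing `break`. In `redirect()` itself `rdataset` is swapped for the redirect zone's data but no signature set is passed in or cleared; the guards at the top (secure zone, `dns_trust_secure`, NSEC/NSEC3/RRSIG in the negative cache) appear to make a live `sigrdataset` unreachable at this point, but that invariant is only implicit, so I would either hand `sigrdataset` in and disassociate it or state the assumption in the header comment. That header comment should also say plainly that a client without the DO bit is redirected regardless of the zone's DNSSEC status, since every guard is conditioned on `WANTDNSSEC(client)`, e.g. `* Clients that do not request DNSSEC (no DO bit) are always eligible for redirection.` The result of `dns_name_copy(found, name, NULL)` is discarded; `name` is presumably backed by a buffer large enough for any DNS name, but BIND usually makes that explicit with `RUNTIME_CHECK(dns_name_copy(found, name, NULL) == ISC_R_SUCCESS);`. query_find's body starts and ends outside these hunks.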
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.603 2011/02/16 19:48:12 each Exp $ */
/* $Id: server.c,v 1.604 2011/02/23 03:08:09 marka Exp $ */
/*! \file */
......@@ -3341,6 +3341,37 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
goto cleanup;
}
/*
* Redirect zones only require minimal configuration.
*/
if (strcasecmp(ztypestr, "redirect") == 0) {
if (view->redirect != NULL) {
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
"redirect zone already exists");
result = ISC_R_EXISTS;
goto cleanup;
}
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
goto cleanup;
if (pview != NULL && pview->redirect != NULL) {
dns_zone_attach(pview->redirect, &zone);
dns_zone_setview(zone, view);
} else {
CHECK(dns_zone_create(&zone, mctx));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setview(zone, view);
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
zone));
dns_zone_setstats(zone, ns_g_server->zonestats);
}
CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
zone));
dns_zone_attach(zone, &view->redirect);
goto cleanup;
}
/*
* Check for duplicates in the new zone table.
*/
......@@ -3366,9 +3397,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
* options (e.g., an existing master zone cannot
* be reused if the options specify a slave zone)
*/
result = dns_viewlist_find(&ns_g_server->viewlist,
view->name, view->rdclass,
&pview);
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
goto cleanup;
if (pview != NULL)
......@@ -3924,6 +3954,9 @@ removed(dns_zone_t *zone, void *uap) {
case dns_zone_stub:
type = "stub";
break;
case dns_zone_redirect:
type = "redirect";
break;
default:
type = "other";
break;
......@@ -5017,6 +5050,8 @@ load_zones(ns_server_t *server, isc_boolean_t stop) {
CHECK(dns_view_load(view, stop));
if (view->managed_keys != NULL)
CHECK(dns_zone_load(view->managed_keys));
if (view->redirect != NULL)
CHECK(dns_zone_load(view->redirect));
}
/*
......@@ -5050,6 +5085,8 @@ load_new_zones(ns_server_t *server, isc_boolean_t stop) {
/* Load managed-keys data */
if (view->managed_keys != NULL)
CHECK(dns_zone_loadnew(view->managed_keys));
if (view->redirect != NULL)
CHECK(dns_zone_loadnew(view->redirect));
}
/*
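Review bot: Nothing in the new `redirect` block of configure_zone restricts the zone to the root origin, yet the checkconf fixture added in this commit with `zone "x" { type redirect; ... }` implies such a restriction exists, presumably in check.c which is not in view; if it is enforced only by named-checkconf, configure_zone should reject it here as well so a hand-edited named.conf cannot install a redirect zone that never matches, e.g. `if (!dns_name_equal(origin, dns_rootname)) { cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, "redirect zone must have a root origin"); result = ISC_R_FAILURE; goto cleanup; }`. The block also jumps to cleanup before the "Check for duplicates in the new zone table" step, so the redirect zone lives only in `view->redirect` and is never entered into the view's zone table; that is worth saying in the comment, since per-zone rndc operations that look a zone up by name will not find it, e.g. `* The zone is held only in view->redirect and is not added to the zone table.` The reuse path at `dns_zone_attach(pview->redirect, &zone)` relies on the cleanup label detaching `pview`, which is outside the hunk.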
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.170 2011/01/06 23:47:00 tbox Exp $ */
/* $Id: zoneconf.c,v 1.171 2011/02/23 03:08:09 marka Exp $ */
/*% */
......@@ -973,7 +973,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
* to primary masters (type "master") and slaves
* acting as masters (type "slave"), but not to stubs.
*/
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub) {
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = ns_config_get(maps, "notify", &obj);
INSIST(result == ISC_R_SUCCESS);
......@@ -1046,7 +1047,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
obj = NULL;
result = ns_config_get(maps, "max-journal-size", &obj);
result = ns_config_get(maps, "max-journal-size", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setjournalsize(zone, -1);
if (cfg_obj_isstring(obj)) {
......@@ -1119,6 +1120,32 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_redirect) {
dns_zone_setnotifytype(zone, dns_notifytype_no);
obj = NULL;
result = ns_config_get(maps, "max-journal-size", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setjournalsize(zone, -1);
if (cfg_obj_isstring(obj)) {
const char *str = cfg_obj_asstring(obj);
INSIST(strcasecmp(str, "unlimited") == 0);
journal_size = ISC_UINT32_MAX / 2;
} else {
isc_resourcevalue_t value;
value = cfg_obj_asuint64(obj);
if (value > ISC_UINT32_MAX / 2) {
cfg_obj_log(obj, ns_g_lctx,
ISC_LOG_ERROR,
"'max-journal-size "
"%" ISC_PRINT_QUADFORMAT "d' "
"is too large",
value);
RETERR(ISC_R_RANGE);
}
journal_size = (isc_uint32_t)value;
}
dns_zone_setjournalsize(zone, journal_size);
}
/*
......@@ -1320,6 +1347,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
switch (ztype) {
case dns_zone_slave:
case dns_zone_stub:
case dns_zone_redirect:
count = 0;
obj = NULL;
result = cfg_map_get(zoptions, "masters", &obj);
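Review bot: The `max-journal-size` handling in the new `ztype == dns_zone_redirect` branch is a verbatim copy of the block a few lines earlier in the same function (the stretch from `result = ns_config_get(maps, "max-journal-size", &obj);` through `dns_zone_setjournalsize(zone, journal_size);`), range check and error message included; two copies are how the two drift apart, so I would pull it into a static helper and call it from both branches, taking the same `maps` array the caller already builds. Adding `dns_zone_redirect` to the `masters` case in the last hunk means a redirect zone accepts a `masters` clause and is treated like a slave for that option; if that is intended the zone documentation should say so, and if not the label should be dropped. ns_zone_configure starts and ends outside these hunks.
```c
/*
 * Apply the 'max-journal-size' option from 'maps' to 'zone'.
 * Returns ISC_R_RANGE when the configured value does not fit.
 */
static isc_result_t
configure_journal_size(const cfg_obj_t **maps, dns_zone_t *zone) {
	const cfg_obj_t *obj = NULL;
	isc_uint32_t journal_size;
	isc_result_t result;

	result = ns_config_get(maps, "max-journal-size", &obj);
	INSIST(result == ISC_R_SUCCESS);
	dns_zone_setjournalsize(zone, -1);
	if (cfg_obj_isstring(obj)) {
		INSIST(strcasecmp(cfg_obj_asstring(obj), "unlimited") == 0);
		journal_size = ISC_UINT32_MAX / 2;
	} else {
		isc_resourcevalue_t value = cfg_obj_asuint64(obj);
		if (value > ISC_UINT32_MAX / 2) {
			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
				    "'max-journal-size %" ISC_PRINT_QUADFORMAT
				    "d' is too large", value);
			return (ISC_R_RANGE);
		}
		journal_size = (isc_uint32_t)value;
	}
	dns_zone_setjournalsize(zone, journal_size);
	return (ISC_R_SUCCESS);
}

/* … unchanged: ns_zone_configure up to the redirect branch … */
	} else if (ztype == dns_zone_redirect) {
		dns_zone_setnotifytype(zone, dns_notifytype_no);
		RETERR(configure_journal_size(maps, zone));
	}
```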
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.60 2011/02/22 04:14:29 marka Exp $
# $Id: conf.sh.in,v 1.61 2011/02/23 03:08:09 marka Exp $
#
# Common configuration data for system tests, to be sourced into
......@@ -55,7 +55,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
database dlv @DLZ_SYSTEM_TEST@ dlzexternal dns64 dnssec forward
glue gost ixfr limits lwresd masterfile masterformat metadata
notify nsupdate pending pkcs11 resolver rpz rrsetorder
notify nsupdate pending pkcs11 redirect resolver rpz rrsetorder
sortlist smartsign staticstub stub tkey tsig tsiggss
unknown upforwd views xfer xferquota zonechecks"
#!/bin/sh
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2011/02/23 03:08:09 marka Exp $
rm -f ns1/K*
rm -f ns1/signed.db*
rm -f ns1/nsec3.db*
rm -f ns1/dsset-signed.
rm -f ns1/dsset-nsec3.
rm -f */named.memstats
rm -f */named.run
rm -f dig.out.* random.data
zone "." {
type hint;
file "hint.db";
};
zone "." {
type redirect;
file "redirect.db";
allow-query { 10.0.1.0; };
forwarders { 1.2.3.4; };
};
zone "." {
type hint;
file "hint.db";
};
zone "." {
type redirect;
file "redirect.db";
allow-query { 10.0.1.0; };
also-notify { 1.2.3.4; };
};
zone "." {
type hint;
file "hint.db";
};
zone "x" {
type redirect;
file "redirect.db";
allow-query { 10.0.1.0; };
};
zone "." {
type hint;
file "hint.db";
};
zone "." {
type redirect;
file "redirect.db";
};
zone "." {
type master;
file "master.db";
};
zone "." {
type redirect;
file "redirect.db";
};
zone "." {
type slave;
file "slave.db";
masters { 1.2.3.4; };
};
zone "." {
type redirect;
file "redirect.db";
};
zone "." {
type hint;
file "hint.db";
};
zone "." {
type redirect;
file "redirect.db";
allow-query { 10.0.1.0; };
};
; Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db,v 1.2 2011/02/23 03:08:10 marka Exp $
$TTL 3600
@ SOA ns1 marka.isc.org. 0 0 0 0 1200
@ NS ns1
ns1 A 10.53.0.1
excluded-good-a AAAA 2001:eeee::1
A 1.2.3.4
excluded-bad-a AAAA 2001:eeee::2
A 10.0.0.1
excluded-only AAAA 2001:eeee::3
partially-excluded-good-a AAAA 2001:eeee::1
AAAA 2001::1
A 1.2.3.4
partially-excluded-bad-a AAAA 2001:eeee::2
AAAA 2001::2
A 10.0.0.1
partially-excluded-only AAAA 2001:eeee::3
AAAA 2001::3
a-only A 1.2.3.5
a-and-aaaa AAAA 2001::1
A 1.2.3.6
aaaa-only AAAA 2001::2
a-not-mapped A 10.0.0.2
mx-only MX 10 ns.example.
cname-excluded-good-a CNAME excluded-good-a
cname-excluded-bad-a CNAME excluded-bad-a
cname-excluded-only CNAME excluded-only
cname-partial-excluded-good-a CNAME partial-excluded-good-a
cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
cname-partial-excluded-only CNAME partial-excluded-only
cname-a-only CNAME a-only
cname-a-and-aaaa CNAME a-and-aaaa
cname-aaaa-only CNAME aaaa-only
cname-a-not-mapped CNAME a-not-mapped
cname-mx-only CNAME mx-only
cname-non-existent CNAME non-existent
ttl-less-than-600 500 A 5.6.7.8
ttl-more-than-600 700 A 5.6.7.8
ttl-less-than-minimum 1100 A 5.6.7.8
ttl-more-than-minimum 1300 A 5.6.7.8
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/02/23 03:08:10 marka Exp $ */
// NS1
controls { /* empty */ };
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
allow-recursion { 10.53.0.1; };
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db";
};
zone "example" {
type master;
file "example.db";
};
zone "signed" {
type master;
file "signed.db.signed";
};
zone "nsec3" {
type master;
file "nsec3.db.signed";
};
zone "." {
type redirect;
file "redirect.db";
allow-query { !10.53.0.2; !10.53.0.4; any; };
};
// include "trusted.conf";
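Review bot: The trailing `// include "trusted.conf";` is dead configuration: with it commented out and no other trust anchor in the file, `dnssec-validation yes;` validates nothing, so any test expecting the DNSSEC guards in `redirect()` to suppress redirection for the `signed` and `nsec3` zones on the cache path is not exercising that path here; either enable the include (if setup.sh generates trusted.conf, which is not visible in this page) or delete the line rather than leaving it commented out. The redirect zone's `allow-query { !10.53.0.2; !10.53.0.4; any; };` looks like the negative ACL case; a one-line comment saying which clients are meant to be excluded and why would keep it from being "simplified" later, e.g. `// 10.53.0.2 and 10.53.0.4 must not be redirected (allow-query test)`.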
; Copyright
;
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
;
; NS records do not need address records in this zone as it is not in the
; normal namespace.
;
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db,v 1.2 2011/02/23 03:08:10 marka Exp $
$TTL 3600
@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example NS ns1.example.
ns1.example. A 10.53.0.1
signed NS ns1.example.
ns1.signed. A 10.53.0.1
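Review bot: The glue record `ns1.signed. A 10.53.0.1` does not match any NS name in this file: `signed` is delegated to `ns1.example.`, which already has an A record two lines up, so the line is either a leftover or the delegation was meant to read `signed NS ns1.signed.`; and the `nsec3` zone that this server's named.conf loads has no delegation from the root at all. Because ns1 is authoritative for all of these zones in the same view, lookups will hit the local zones directly and the test may pass either way, but the fixture should still be a coherent root so that a cache-path test behaves like the real thing.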
#!/bin/sh -e
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR