Commit 180319f5 authored by Evan Hunt's avatar Evan Hunt

[master] fix geoip asnum matching

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified.  They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]
parent 9ba4efa4
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980]
......
......@@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip domain one.de; };
match-clients { geoip asnum "AS100001"; };
zone "example" {
type master;
file "example1.db";
......@@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip domain two.com; };
match-clients { geoip asnum "AS100002"; };
zone "example" {
type master;
file "example2.db";
......@@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip domain three.com; };
match-clients { geoip asnum "AS100003"; };
zone "example" {
type master;
file "example3.db";
......@@ -64,7 +64,7 @@ view three {
};
view four {
match-clients { geoip domain four.com; };
match-clients { geoip asnum "AS100004"; };
zone "example" {
type master;
file "example4.db";
......@@ -72,7 +72,7 @@ view four {
};
view five {
match-clients { geoip domain five.es; };
match-clients { geoip asnum "AS100005"; };
zone "example" {
type master;
file "example5.db";
......@@ -80,7 +80,7 @@ view five {
};
view six {
match-clients { geoip domain six.it; };
match-clients { geoip asnum "AS100006"; };
zone "example" {
type master;
file "example6.db";
......@@ -88,7 +88,7 @@ view six {
};
view seven {
match-clients { geoip domain seven.org; };
match-clients { geoip asnum "AS100007"; };
zone "example" {
type master;
file "example7.db";
......
......@@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip netspeed 0; };
match-clients { geoip domain one.de; };
zone "example" {
type master;
file "example1.db";
......@@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip netspeed 1; };
match-clients { geoip domain two.com; };
zone "example" {
type master;
file "example2.db";
......@@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip netspeed 2; };
match-clients { geoip domain three.com; };
zone "example" {
type master;
file "example3.db";
......@@ -64,13 +64,37 @@ view three {
};
view four {
match-clients { geoip netspeed 3; };
match-clients { geoip domain four.com; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { geoip domain five.es; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { geoip domain six.it; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { geoip domain seven.org; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
......
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -18,10 +18,6 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
......@@ -32,7 +28,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
......@@ -43,3 +38,43 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
view one {
match-clients { geoip netspeed 0; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { geoip netspeed 1; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { geoip netspeed 2; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { geoip netspeed 3; };
zone "example" {
type master;
file "example4.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};
......@@ -18,6 +18,10 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
......@@ -28,6 +32,7 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
......@@ -38,75 +43,3 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};
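Review bot: The header comment `// NS2` in this new fixture names the server but not which scenario the file exercises, and since the sibling fixtures in this commit differ only in their `match-clients` lines, a reader following the reload sequence in tests.sh has to diff them to tell them apart; a one-line comment such as `// NS2: one view per geoip country ACL (gAU..gEH); catch-all view "none" must stay last` after `// NS2` would make that explicit. The catch-all `view none { match-clients { any; }; }` depends on its position, because a client is assigned to the first view whose match-clients accepts it, so any geoip view added after it would never be selected; stating that in the comment guards the next edit. The `controls`/`rndc_key` stanza is shared test scaffolding and appears unchanged from the other fixtures.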
......@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP domain database ($n)"
echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
......@@ -215,6 +215,25 @@ cp -f ns2/named11.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP domain database ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)"
ret=0
......@@ -230,7 +249,7 @@ done
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named12.conf ns2/named.conf
cp -f ns2/named13.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
......@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
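Review bot: The new `echo "I:checking GeoIP asnum database - ASNNNN only ($n)"` step only verifies that each bare AS number selects its own view; nothing checks that a bare number does not also match a longer ASN that begins with the same digits, which for a `match-clients` ACL is the case that matters, since an over-broad match would place clients into a view they should not reach. The fixture values AS100001 through AS100007 all begin with AS10000 (constructed from the fixtures in this commit), so a negative step reloading a view with `geoip asnum "AS10000"` and expecting the `none` answer would catch a prefix-only comparison; the matching code itself is not in this commit's visible hunks, and the ARM wording added here ("the leading ASNNNN string can be used") reads as if a prefix were enough, so whether the comparison is whole-token cannot be confirmed from this page. In the added domain-check loop, `j=\`cat dig.out.ns2.test$n.$i | tr -d '"'\`` can drop the pipeline: `j=\`tr -d '"' < dig.out.ns2.test$n.$i\``. The surrounding script continues outside the hunks on both sides.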
......
......@@ -2564,10 +2564,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<command>lwres</command> statement in <filename>named.conf</filename>.
</para>
<para>
The number of client queries that the <command>lwresd</command>
daemon is able to serve can be set using the
<option>lwres-tasks</option> and <option>lwres-clients</option>
statements in the configuration.
The number of client queries that the <command>lwresd</command>
daemon is able to serve can be set using the
<option>lwres-tasks</option> and <option>lwres-clients</option>
statements in the configuration.
</para>
</sect1>
</chapter>
......@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
"isp", "org", "asnum", "domain" and "netspeed".
</para>
<para>
<replaceable>value</replaceable> is the value to searched for
within the database. A string may be quoted if it contains
spaces or other special characters. If this is a "country"
search and the string is two characters long, then it must be a
standard ISO-3166-1 two-letter country code, and if it is three
characters long then it must be an ISO-3166-1 three-letter
country code; otherwise it is the full name of the country.
Similarly, if this is a "region" search and the string is
two characters long, then it must be a standard two-letter state
or province abbreviation; otherwise it is the full name of the
state or province.
<replaceable>value</replaceable> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
an "asnum" search, then the leading "ASNNNN" string can be
used, otherwise the full description must be used (e.g.
"ASNNNN Example Company Name"). If this is a "country"
search and the string is two characters long, then it must
be a standard ISO-3166-1 two-letter country code, and if it
is three characters long then it must be an ISO-3166-1
three-letter country code; otherwise it is the full name
of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
</para>
<para>
The <replaceable>database</replaceable> field indicates which
......@@ -4718,32 +4721,32 @@ badresp:1,adberr:0,findfail:0,valfail:0]
minimum
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
</para>
<para>
The <option>lwres-tasks</option> statement specifies the number
of worker threads the lightweight resolver will dedicate to serving
clients. By default the number is the same as the number of CPUs on
the system; this can be overridden using the <option>-n</option>
command line option when starting the server.
</para>
<para>
The <option>lwres-clients</option> specifies
the number of client objects per thread the lightweight
resolver should create to serve client queries.
By default, if the lightweight resolver runs as a part
of <command>named</command>, 256 client objects are
created for each task; if it runs as <command>lwresd</command>,
1024 client objects are created for each thread. The maximum
value is 32768; higher values will be silently ignored and
the maximum will be used instead.
Note that setting too high a value may overconsume
system resources.
</para>
<para>
The maximum number of client queries that the lightweight
resolver can handle at any one time equals
<option>lwres-tasks</option> times <option>lwres-clients</option>.
</para>
</para>
<para>
The <option>lwres-tasks</option> statement specifies the number
of worker threads the lightweight resolver will dedicate to serving
clients. By default the number is the same as the number of CPUs on
the system; this can be overridden using the <option>-n</option>
command line option when starting the server.
</para>
<para>
The <option>lwres-clients</option> specifies
the number of client objects per thread the lightweight
resolver should create to serve client queries.
By default, if the lightweight resolver runs as a part
of <command>named</command>, 256 client objects are
created for each task; if it runs as <command>lwresd</command>,
1024 client objects are created for each thread. The maximum
value is 32768; higher values will be silently ignored and
the maximum will be used instead.
Note that setting too high a value may overconsume
system resources.
</para>
<para>
The maximum number of client queries that the lightweight
resolver can handle at any one time equals
<option>lwres-tasks</option> times <option>lwres-clients</option>.
</para>
</sect2>
<sect2>
<title><command>masters</command> Statement Grammar</title>
......@@ -5793,7 +5796,7 @@ options {
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
or hours. <option>nta-lifetime</option> defaults to
one hour. It cannot exceed one day.
one hour. It cannot exceed one day.
</para>
</listitem>
</varlistentry>
......@@ -5802,31 +5805,31 @@ options {
<term><command>nta-recheck</command></term>
<listitem>
<para>
Species how often to check whether negative
trust anchors added via <command>rndc nta</command>
are still necessary.
Species how often to check whether negative
trust anchors added via <command>rndc nta</command>
are still necessary.
</para>
<para>
A negative trust anchor is normally used when a
domain has stopped validating due to operator error;
it temporarily disables DNSSEC validation for that
domain. In the interest of ensuring that DNSSEC
validation is turned back on as soon as possible,
<command>named</command> will periodically send a
query to the domain, ignoring negative trust anchors,
to find out whether it can now be validated. If so,
the negative trust anchor is allowed to expire early.
A negative trust anchor is normally used when a
domain has stopped validating due to operator error;
it temporarily disables DNSSEC validation for that
domain. In the interest of ensuring that DNSSEC
validation is turned back on as soon as possible,
<command>named</command> will periodically send a
query to the domain, ignoring negative trust anchors,
to find out whether it can now be validated. If so,
the negative trust anchor is allowed to expire early.
</para>
<para>
Validity checks can be disabled for an individual
NTA by using <command>rndc nta -f</command>, or
for all NTA's by setting <option>nta-recheck</option>
to zero.
Validity checks can be disabled for an individual
NTA by using <command>rndc nta -f</command>, or
for all NTA's by setting <option>nta-recheck</option>
to zero.
</para>
<para>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes.
used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes.
</para>
</listitem>
</varlistentry>
......@@ -9020,24 +9023,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<varlistentry>
<term><command>masterfile-style</command></term>
<listitem>
<para>
Specifies the formatting of zone files during dump
when the <option>masterfile-format</option> is
<constant>text</constant>. (This option is ignored
with any other <option>masterfile-format</option>.)
</para>
<para>
When set to <constant>relative</constant>,
records are printed in a multi-line format with owner
names expressed relative to a shared origin. When set
to <constant>full</constant>, records are printed in
a single-line format with absolute owner names.
The <constant>full</constant> format is most suitable
when a zone file needs to be processed automatically
by a script. The <constant>relative</constant> format
is more human-readable, and is thus suitable when a
zone is to be edited by hand. The default is
<constant>relative</constant>.
<para>
Specifies the formatting of zone files during dump
when the <option>masterfile-format</option> is
<constant>text</constant>. (This option is ignored
with any other <option>masterfile-format</option>.)
</para>
<para>
When set to <constant>relative</constant>,
records are printed in a multi-line format with owner