Commit 434bfc3d authored by Evan Hunt's avatar Evan Hunt

[master] "in-view" zone option

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]
parent 98009744
3673. [func] New "in-view" zone option allows direct sharing
of zones between views. [RT #32968]
3672. [func] Local address can now be specified when using
dns_client API. [RT #34811]
......@@ -379,8 +379,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
cfg_aclconfctx_t *aclconf, isc_boolean_t added,
isc_boolean_t old_rpz_ok);
dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
isc_boolean_t added, isc_boolean_t old_rpz_ok);
static isc_result_t
add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
......@@ -2255,7 +2255,8 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
* global defaults in 'config' used exclusively.
*/
static isc_result_t
configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
cfg_obj_t *config, cfg_obj_t *vconfig,
ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
isc_mem_t *mctx, cfg_aclconfctx_t *actx,
isc_boolean_t need_hints)
......@@ -2431,7 +2432,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
actx, ISC_FALSE, old_rpz_ok));
viewlist, actx, ISC_FALSE, old_rpz_ok));
}
/*
......@@ -2478,7 +2479,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig,
mctx, view, actx,
mctx, view, NULL, actx,
ISC_TRUE, ISC_FALSE));
}
}
......@@ -4009,8 +4010,8 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
cfg_aclconfctx_t *aclconf, isc_boolean_t added,
isc_boolean_t old_rpz_ok)
dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
isc_boolean_t added, isc_boolean_t old_rpz_ok)
{
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
......@@ -4023,6 +4024,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *forwardtype = NULL;
const cfg_obj_t *only = NULL;
const cfg_obj_t *signing = NULL;
const cfg_obj_t *viewobj = NULL;
isc_result_t result;
isc_result_t tresult;
isc_buffer_t buffer;
......@@ -4067,11 +4069,64 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
goto cleanup;
}
(void)cfg_map_get(zoptions, "in-view", &viewobj);
if (viewobj != NULL) {
const char *inview = cfg_obj_asstring(viewobj);
dns_view_t *otherview = NULL;
if (viewlist == NULL) {
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
"'in-view' option is not permitted in "
"dynamically added zones");
result = ISC_R_FAILURE;
goto cleanup;
}
result = dns_viewlist_find(viewlist, inview, view->rdclass,
&otherview);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
"view '%s' is not yet defined.", inview);
result = ISC_R_FAILURE;
goto cleanup;
}
result = dns_view_findzone(otherview, origin, &zone);
dns_view_detach(&otherview);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
"zone '%s' not defined in view '%s'",
zname, inview);
result = ISC_R_FAILURE;
goto cleanup;
}
CHECK(dns_view_addzone(view, zone));
dns_zone_detach(&zone);
/*
* If the zone contains a 'forwarders' statement, configure
* selective forwarding. Note: this is not inherited from the
* other view.
*/
forwarders = NULL;
result = cfg_map_get(zoptions, "forwarders", &forwarders);
if (result == ISC_R_SUCCESS) {
forwardtype = NULL;
(void)cfg_map_get(zoptions, "forward", &forwardtype);
CHECK(configure_forward(config, view, origin,
forwarders, forwardtype));
}
result = ISC_R_SUCCESS;
goto cleanup;
}
(void)cfg_map_get(zoptions, "type", &typeobj);
if (typeobj == NULL) {
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
"zone '%s' 'type' not specified", zname);
return (ISC_R_FAILURE);
result = ISC_R_FAILURE;
goto cleanup;
}
ztypestr = cfg_obj_asstring(typeobj);
......@@ -4154,7 +4209,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
result = ISC_R_EXISTS;
goto cleanup;
}
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
result = dns_viewlist_find(viewlist, view->name,
view->rdclass, &pview);
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
goto cleanup;
......@@ -5699,7 +5754,7 @@ load_configuration(const char *filename, ns_server_t *server,
view = NULL;
CHECK(find_view(vconfig, &viewlist, &view));
CHECK(configure_view(view, config, vconfig,
CHECK(configure_view(view, &viewlist, config, vconfig,
&cachelist, bindkeys, ns_g_mctx,
ns_g_aclconfctx, ISC_TRUE));
dns_view_freeze(view);
......@@ -5713,7 +5768,7 @@ load_configuration(const char *filename, ns_server_t *server,
if (views == NULL) {
view = NULL;
CHECK(find_view(NULL, &viewlist, &view));
CHECK(configure_view(view, config, NULL,
CHECK(configure_view(view, &viewlist, config, NULL,
&cachelist, bindkeys,
ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
dns_view_freeze(view);
......@@ -5733,7 +5788,7 @@ load_configuration(const char *filename, ns_server_t *server,
cfg_obj_t *vconfig = cfg_listelt_value(element);
CHECK(create_view(vconfig, &builtin_viewlist, &view));
CHECK(configure_view(view, config, vconfig,
CHECK(configure_view(view, &viewlist, config, vconfig,
&cachelist, bindkeys,
ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
dns_view_freeze(view);
......@@ -8616,8 +8671,8 @@ ns_server_add_zone(ns_server_t *server, char *args) {
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_view_thaw(view);
result = configure_zone(cfg->config, parms, vconfig,
server->mctx, view, cfg->actx, ISC_FALSE,
ISC_FALSE);
server->mctx, view, NULL, cfg->actx,
ISC_FALSE, ISC_FALSE);
dns_view_freeze(view);
isc_task_endexclusive(server->task);
if (result != ISC_R_SUCCESS)
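Review bot: The new `if (viewobj != NULL)` branch in configure_zone reads only `in-view`, `forward` and `forwarders` from `zoptions`, so any other statement in the referencing zone clause (`type`, `file`, `allow-query`, `allow-update`, `allow-transfer`, …) is silently ignored: the zone object, including its ACLs, stays the one owned by the view named in `in-view`, which is exactly what the new checkconf fixtures (`type slave;` beside `in-view`) and the ns2 `named2.conf` change (`allow-update { any; };` on the shared zone, referenced from the external view) exercise. An operator who adds an ACL to the clone in the second view therefore gets neither the restriction nor a diagnostic; I would log a warning for any option other than those three before the `forwarders` lookup, and document the rule in the ARM with a comment such as `/* Options other than in-view, forward and forwarders belong to the zone's home view and are ignored here. */`. Separately, when `dns_view_addzone()` fails the `CHECK` jumps to `cleanup` with `zone` still attached; presumably the function's existing cleanup label detaches it, but that label is outside the hunk and should be confirmed. configure_zone's body continues outside the hunk.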
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
view "first" {
match-clients {
"none";
};
zone "clone" {
type master;
file "xxx";
};
};
view "second" {
match-clients {
"any";
};
zone "clone" {
in-view "first";
type slave;
};
};
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
view "first" {
match-clients {
"none";
};
zone "clone" {
type master;
file "xxx";
};
};
view "second" {
match-clients {
"any";
};
zone "clone" {
in-view "first";
forward only;
forwarders { 10.0.0.100; };
type slave;
};
};
......@@ -81,6 +81,10 @@ view "first" {
update-policy local;
notify-source 10.10.10.10 port 53 dscp 55;
};
zone "clone" {
type master;
file "yyy";
};
dnssec-lookaside auto;
dnssec-validation auto;
zone-statistics terse;
......@@ -103,7 +107,22 @@ view "second" {
};
zone-statistics no;
};
zone "clone" {
in-view "first";
};
dnssec-lookaside "." trust-anchor "dlv.isc.org.";
dnssec-validation auto;
zone-statistics full;
};
view "third" {
match-clients {
"none";
};
zone "clone" {
in-view "first";
forward only;
forwarders {
10.0.0.100;
};
};
};
#!/bin/sh
#
# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2005, 2007, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -23,4 +23,5 @@
rm -f ns3/example.bk dig.out.ns?.?
rm -f ns2/named.conf ns2/example.db ns3/named.conf ns3/internal.bk
rm -f */*.jnl
rm -f */named.memstats
; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600
@ IN SOA mname1. . (
2 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ IN NS ns2
ns2 IN A 10.53.0.2
a IN A 10.1.0.1
child IN NS ns3.child
ns3.child IN A 10.53.0.3
......@@ -27,7 +27,7 @@ options {
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
recursion yes;
notify yes;
};
/*
* Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -27,7 +27,7 @@ options {
pid-file "named.pid";
listen-on { 10.53.0.2; 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
recursion yes;
notify yes;
};
......@@ -47,6 +47,12 @@ view "internal" {
file "internal.db";
allow-update { any; };
};
zone "clone" {
type master;
file "clone.db";
allow-update { any; };
};
};
view "external" {
......@@ -61,5 +67,10 @@ view "external" {
type master;
file "example.db";
};
};
zone "clone" {
in-view internal;
forward only;
forwarders { 10.53.0.4; };
};
};
; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA ns3. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns3
@ TXT This is NS3.
ns3 A 10.53.0.3
......@@ -52,4 +52,7 @@ zone "example" {
file "internal.db";
};
zone "child.clone" {
type master;
file "child.clone.db";
};
......@@ -52,3 +52,9 @@ zone "example" {
allow-update { any; };
file "internal.bk";
};
zone "child.clone" {
type master;
file "child.clone.db";
};
; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA ns3. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns3
@ TXT This is NS4.
ns3 A 10.53.0.3
/*
* Copyright (C) 2004, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named1.conf,v 1.19 2007/06/19 23:47:07 tbox Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
directory ".";
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
zone "child.clone" {
type master;
file "child.clone.db";
};
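Review bot: The `controls` block in this new ns4 configuration binds the rndc channel to `inet 10.53.0.3 port 9953`, while every other address in the file (query-source, notify-source, transfer-source, listen-on) is 10.53.0.4, which looks like a copy-and-paste from the ns3 configuration. If ns3 also opens 10.53.0.3:9953 (not visible here), one of the two test servers will fail to bind its control channel at start-up; the intended line is presumably `inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };`. The `rndc_key` secret is a fixture value shared across the harness, which is fine for a test directory but worth a one-line comment saying so.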
#!/bin/sh
#
# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -79,5 +79,47 @@ then
status=1
fi
echo "I:updating cloned zone in internal view"
$NSUPDATE << EOF
server 10.53.0.2 5300
zone clone
update add b.clone. 300 in a 10.1.0.3
send
EOF
echo "I:sleeping to allow update to take effect"
sleep 5
echo "I:verifying update affected both views"
ret=0
one=`$DIG +tcp +short -p 5300 -b 10.53.0.2 @10.53.0.2 b.clone a`
two=`$DIG +tcp +short -p 5300 -b 10.53.0.4 @10.53.0.2 b.clone a`
if [ "$one" != "$two" ]; then
echo "'$one' does not match '$two'"
ret=1
fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:verifying forwarder in cloned zone works"
ret=0
one=`$DIG +tcp +short -p 5300 -b 10.53.0.2 @10.53.0.2 child.clone txt`
two=`$DIG +tcp +short -p 5300 -b 10.53.0.4 @10.53.0.2 child.clone txt`
three=`$DIG +tcp +short -p 5300 @10.53.0.3 child.clone txt`
four=`$DIG +tcp +short -p 5300 @10.53.0.4 child.clone txt`
if [ "$one" = "$two" ]; then
echo "'$one' matches '$two'"
ret=1
fi
if [ "$one" != "$three" ]; then
echo "'$one' does not match '$three'"
ret=1
fi
if [ "$two" != "$four" ]; then
echo "'$two' does not match '$four'"
ret=1
fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
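Review bot: The "verifying update affected both views" check passes vacuously if the preceding nsupdate fails: `one` and `two` are then both empty, `"$one" != "$two"` is false, and `ret` stays 0, while the nsupdate exit status is never examined. Move `ret=0` above the nsupdate and append `|| ret=1` to the `$NSUPDATE << EOF` line, then require an answer before comparing, e.g. `if [ -z "$one" ]; then echo "no answer for b.clone"; ret=1; fi`. The same vacuous-pass shape does not affect the forwarder check, because an empty `one` equal to an empty `two` already sets `ret=1` there.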
......@@ -10792,6 +10792,10 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
type delegation-only;
};
 
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
<optional> in-view <replaceable>string</replaceable> ; </optional>
};
</programlisting>
 
</sect2>
......@@ -11138,8 +11142,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
</para>
</sect3>
<sect3>
 
<sect3>
<title>Zone Options</title>
 
<variablelist>
......@@ -12327,6 +12331,52 @@ example.com. NS ns2.example.net.
checked for each existing record type.
</para>
</sect3>
<sect3>
<title>Multiple views</title>
<para>
When multiple views are in use, a zone may be
referenced by more than one of them. Often, the views
will contain different zones with the same name, allowing
different clients to receive different answers for the same
queries. At times, however, it is desirable for multiple
views to contain identical zones. The
<command>in-view</command> zone option provides an efficient
way to do this: it allows a view to reference a zone that
was defined in a previously configured view. Example:
</para>
<programlisting>
view internal {
match-clients { 10/8; };
zone example.com {
type master;
file "example-external.db";
};
};
view external {
match-clients { any; };
zone example.com {
in-view internal;
};
};
</programlisting>
<para>
An <command>in-view</command> option cannot refer to a view
that is configured later in the configuration file.