1794. [func] Named and named-checkzone can now both check for

non-terminal wildcard records.

1794. [func] Named and named-checkzone can now both check for
non-terminal wildcard records.
508f61f8 · Mark Andrews · c0a1ebb1 · 508f61f8 · 508f61f8 · 508f61f8
Commit 508f61f8 authored Jan 09, 2005 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
 1795.	[placeholder]	rt13396

-1794.	[placeholder]	rt13382
+1794.	[func]		Named and named-checkzone can now both check for
+			non-terminal wildcard records.

 1793.	[placeholder]	rt13378


--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: check-tool.c,v 1.13 2004/11/30 01:08:48 marka Exp $ */
+/* $Id: check-tool.c,v 1.14 2005/01/09 23:39:56 marka Exp $ */

 #include <config.h>

@@ -51,7 +51,8 @@ int debug = 0;
 isc_boolean_t nomerge = ISC_TRUE;
 unsigned int zone_options = DNS_ZONEOPT_CHECKNS | 
 			    DNS_ZONEOPT_MANYERRORS |
-			    DNS_ZONEOPT_CHECKNAMES;
+			    DNS_ZONEOPT_CHECKNAMES |
+			    DNS_ZONEOPT_CHECKWILDCARD;

 /*
 * This needs to match the list in bin/named/log.c.

--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named-checkzone.c,v 1.31 2004/10/25 01:27:53 marka Exp $ */
+/* $Id: named-checkzone.c,v 1.32 2005/01/09 23:39:56 marka Exp $ */

 #include <config.h>

@@ -67,7 +67,7 @@ usage(void) {
 	fprintf(stderr,
 		"usage: named-checkzone [-djqvD] [-c class] [-o output] "
 		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] zonename filename\n");
+		"[-n (ignore|warn|fail)] [-W (ignore|warn)] zonename filename\n");
 	exit(1);
 }

@@ -88,7 +88,7 @@ main(int argc, char **argv) {
 	char *classname = classname_in;
 	const char *workdir = NULL;

-	while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
+	while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:DW:")) != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
@@ -165,6 +165,13 @@ main(int argc, char **argv) {
 			dumpzone++;
 			break;

+		case 'W':
+			if (!strcmp(isc_commandline_argument, "warn"))
+				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+			else if (!strcmp(isc_commandline_argument, "ignore"))
+				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+			break;
+
 		default:
 			usage();
 		}

--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -16,7 +16,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: named-checkzone.docbook,v 1.12 2004/06/03 02:22:35 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.13 2005/01/09 23:39:57 marka Exp $ -->

 <refentry>
  <refentryinfo>
@@ -48,6 +48,7 @@
      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-D</option></arg>
+      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
      <arg choice="req">zonename</arg>
      <arg choice="req">filename</arg>
    </cmdsynopsis>
@@ -178,6 +179,19 @@
 	</listitem>
      </varlistentry>

+      <varlistentry>
+        <term>-W <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	      Specify whether to check for non-terminal wildcards.
+	      Non-terminal wildcards are almost always the result of a
+	      failure to understand the wildcard matching algorithm (RFC 1034).
+	      Possible modes are <command>"warn"</command> (default) and
+	      <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>zonename</term>
 	<listitem>

--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.52 2004/12/21 10:45:15 jinmei Exp $ */
+/* $Id: config.c,v 1.53 2005/01/09 23:39:57 marka Exp $ */

 #include <config.h>

@@ -158,6 +158,7 @@ options {\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
+	check-wildcard yes;\n\
 };\n\
 "


--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: update.c,v 1.118 2004/10/21 01:29:29 marka Exp $ */
+/* $Id: update.c,v 1.119 2005/01/09 23:39:58 marka Exp $ */

 #include <config.h>

@@ -2149,6 +2149,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_ssutable_t *ssutable = NULL;
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
+	unsigned int options;

 	INSIST(event->ev_type == DNS_EVENT_UPDATE);

@@ -2382,6 +2383,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	 * Process the Update Section.
 	 */

+	options = dns_zone_getoptions(zone);
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
@@ -2468,6 +2470,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}
 				soa_serial_changed = ISC_TRUE;
 			}
+			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
+			    dns_name_internalwildcard(name)) {
+				char namestr[DNS_NAME_FORMATSIZE];
+				dns_name_format(name, namestr,
+						sizeof(namestr));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "warning: ownername '%s' contains "
+					   "a non-terminal wildcard", namestr);
+			}

 			if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
 				char namestr[DNS_NAME_FORMATSIZE];

--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zoneconf.c,v 1.114 2004/10/14 00:49:33 marka Exp $ */
+/* $Id: zoneconf.c,v 1.115 2005/01/09 23:39:58 marka Exp $ */

 #include <config.h>

@@ -602,7 +602,13 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 			}
 			RETERR(dns_zone_setkeydirectory(zone, filename));
 		}
-
+		obj = NULL;
+		result = ns_config_get(maps, "check-wildcard", &obj);
+		if (result == ISC_R_SUCCESS)
+			check = cfg_obj_asboolean(obj);
+		else
+			check = ISC_FALSE;
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
 	} else if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  "allow-update-forwarding", ac, zone,

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">

-<!-- File: $Id: Bv9ARM-book.xml,v 1.260 2004/12/21 10:45:16 jinmei Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.261 2005/01/09 23:39:59 marka Exp $ -->

 <book>
 <title>BIND 9 Administrator Reference Manual</title>
@@ -2733,6 +2733,7 @@ statement in the <filename>named.conf</filename> file:</para>
    <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
    <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
    <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
    <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
@@ -3384,6 +3385,16 @@ IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
 </para>
 </listitem></varlistentry>

+<varlistentry><term><command>check-wildcard</command></term>
+<listitem><para>
+This option is used to check for non-terminal wildcards.
+The use of non-terminal wildcards is almost always as a result of a failure
+to understand the wildcard matching algorithm (RFC 1034).  This option
+affects master zones.  The default (<command>yes</command>) is to check
+for non-terminal wildcards and issue a warning.
+</para>
+</listitem></varlistentry>
+
 </variablelist>

 </sect3>
@@ -4686,6 +4697,7 @@ Statement Grammar</title>
    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
    <optional> file <replaceable>string</replaceable> ; </optional>
@@ -4908,6 +4920,11 @@ zones the default is <command>warn</command>.
 </para>
 </listitem></varlistentry>

+<varlistentry><term><command>check-wildcard</command></term>
+<listitem><para>See the description of
+<command>check-wildcard</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
 <varlistentry><term><command>database</command></term>
 <listitem><para>Specify the type of database to be used for storing the
 zone data.  The string following the <command>database</command> keyword

--- a/doc/misc/options
+++ b/doc/misc/options
@@ -126,6 +126,7 @@ options {
        use-alt-transfer-source <boolean>;
        zone-statistics <boolean>;
        key-directory <quoted_string>;
+        check-wildcard <boolean>;
 };

 controls {
@@ -218,6 +219,7 @@ view <string> <optional_class> {
                use-alt-transfer-source <boolean>;
                zone-statistics <boolean>;
                key-directory <quoted_string>;
+                check-wildcard <boolean>;
        };
        server ( <ipv4_address> | <ipv6_address> ) {
                bogus <boolean>;
@@ -312,6 +314,7 @@ view <string> <optional_class> {
        use-alt-transfer-source <boolean>;
        zone-statistics <boolean>;
        key-directory <quoted_string>;
+        check-wildcard <boolean>;
 };

 lwres {
@@ -378,6 +381,7 @@ zone <string> <optional_class> {
        use-alt-transfer-source <boolean>;
        zone-statistics <boolean>;
        key-directory <quoted_string>;
+        check-wildcard <boolean>;
 };

 server ( <ipv4_address> | <ipv6_address> ) {

--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: check.c,v 1.51 2004/11/22 05:03:11 marka Exp $ */
+/* $Id: check.c,v 1.52 2005/01/09 23:40:00 marka Exp $ */

 #include <config.h>

@@ -741,6 +741,7 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
 	{ "update-policy", MASTERZONE },
 	{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
 	{ "key-directory", MASTERZONE },
+	{ "check-wildcard", MASTERZONE },
 	};

 	static optionstable dialups[] = {

--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: master.h,v 1.38 2004/03/05 05:09:43 marka Exp $ */
+/* $Id: master.h,v 1.39 2005/01/09 23:40:03 marka Exp $ */

 #ifndef DNS_MASTER_H
 #define DNS_MASTER_H 1
@@ -45,6 +45,7 @@
 						 * matches as fatal */
 #define DNS_MASTER_CHECKNAMES   0x00000100
 #define DNS_MASTER_CHECKNAMESFAIL 0x00000200
+#define DNS_MASTER_CHECKWILDCARD 0x00000400	/* Check for internal wilcards. */

 ISC_LANG_BEGINDECLS


--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: name.h,v 1.111 2004/09/08 00:26:14 marka Exp $ */
+/* $Id: name.h,v 1.112 2005/01/09 23:40:03 marka Exp $ */

 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -1167,6 +1167,15 @@ dns_name_ismailbox(const dns_name_t *name);
 *	'name' to be valid.
 */

+isc_boolean_t
+dns_name_internalwildcard(const dns_name_t *name);
+/*
+ * Return if 'name' contains a internal wildcard name.
+ *
+ * Requires:
+ *	'name' to be valid.
+ */
+
 ISC_LANG_ENDDECLS

 /***

--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.h,v 1.128 2004/12/21 10:45:19 jinmei Exp $ */
+/* $Id: zone.h,v 1.129 2005/01/09 23:40:03 marka Exp $ */

 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -52,6 +52,7 @@ typedef enum {
 #define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/* use alternate transfer sources */
 #define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/* check-names */
 #define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/* fatal check-name failures */
+#define DNS_ZONEOPT_CHECKWILDCARD 0x00002000U	/* check for internal wildcards */

 #ifndef NOMINUM_PUBLIC
 /*

--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: master.c,v 1.149 2004/05/05 01:32:58 marka Exp $ */
+/* $Id: master.c,v 1.150 2005/01/09 23:40:01 marka Exp $ */

 #include <config.h>

@@ -862,6 +862,23 @@ check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
 	return (result);
 }

+static void
+check_wildcard(dns_incctx_t *ictx, const char *source, unsigned long line,
+	       dns_rdatacallbacks_t *callbacks)
+{
+	dns_name_t *name;
+
+	name = (ictx->glue != NULL) ? ictx->glue : ictx->current;
+	if (dns_name_internalwildcard(name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%lu: warning: ownername "
+				   "'%s' contains an non-terminal wildcard",
+				   source, line, namebuf);
+	}
+}
+
 static isc_result_t
 load(dns_loadctx_t *lctx) {
 	dns_rdataclass_t rdclass;
@@ -1346,6 +1363,14 @@ load(dns_loadctx_t *lctx) {
 					isc_buffer_init(&target, target_mem,
 							target_size);
 				}
+				/*
+				 * Check for internal wildcards.
+				 */
+				if ((lctx->options & DNS_MASTER_CHECKWILDCARD)
+						 != 0)
+					check_wildcard(ictx, source, line,
+						       callbacks);
+
 			}
 			if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
 			    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
@@ -1571,7 +1596,7 @@ load(dns_loadctx_t *lctx) {
 			isc_boolean_t ok;
 			dns_name_t *name;

-			name = (ictx->glue != NULL) ? ictx-> glue :
+			name = (ictx->glue != NULL) ? ictx->glue :
 						      ictx->current;
 			ok = dns_rdata_checkowner(name, lctx->zclass, type,
 						  ISC_TRUE);

--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: name.c,v 1.146 2004/09/01 05:13:05 marka Exp $ */
+/* $Id: name.c,v 1.147 2005/01/09 23:40:01 marka Exp $ */

 #include <config.h>

@@ -385,6 +385,41 @@ dns_name_iswildcard(const dns_name_t *name) {
 	return (ISC_FALSE);
 }

+isc_boolean_t
+dns_name_internalwildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+	unsigned int count;
+	unsigned int label;
+
+	/*
+	 * Does 'name' contain a internal wildcard?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	/*
+	 * Skip first label.
+	 */
+	ndata = name->ndata;
+	count = *ndata++;
+	INSIST(count <= 63);
+	ndata += count;
+	label = 1;
+	/*
+	 * Check all but the last of the remaining labels.
+	 */
+	while (label + 1 < name->labels) {
+		count = *ndata++;
+		INSIST(count <= 63);
+		if (count == 1 && *ndata == '*')
+			return (ISC_TRUE);
+		ndata += count;
+		label++;
+	}
+	return (ISC_FALSE);
+}
+
 static inline unsigned int
 name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
 	unsigned int length;

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.426 2004/12/21 10:45:18 jinmei Exp $ */
+/* $Id: zone.c,v 1.427 2005/01/09 23:40:02 marka Exp $ */

 #include <config.h>

@@ -1148,6 +1148,8 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 		options |= DNS_MASTER_CHECKNAMES;
 	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
 		options |= DNS_MASTER_CHECKNAMESFAIL;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;
 	result = dns_master_loadfileinc(load->zone->masterfile,
 					dns_db_origin(load->db),
 					dns_db_origin(load->db),
@@ -1218,6 +1220,8 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 		options |= DNS_MASTER_CHECKNAMES;
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
 		options |= DNS_MASTER_CHECKNAMESFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;

 	if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
 		load = isc_mem_get(zone->mctx, sizeof(*load));

--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: namedconf.c,v 1.42 2004/12/21 10:45:20 jinmei Exp $ */
+/* $Id: namedconf.c,v 1.43 2005/01/09 23:40:04 marka Exp $ */

 #include <config.h>

@@ -788,6 +788,7 @@ zone_clauses[] = {
 	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
 	{ "zone-statistics", &cfg_type_boolean, 0 },
 	{ "key-directory", &cfg_type_qstring, 0 },
+	{ "check-wildcard", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };