778a01b1
Commit
778a01b1
authored
May 14, 2010
by
Mark Andrews
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
parent
44f175a9
Changes
9
CHANGES
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2891. [maint] Update empty-zones list to match
...
...
bin/named/config.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.10
6
20
09/12/04 21:09:32
marka Exp $ */
/* $Id: config.c,v 1.10
7
20
10/05/14 04:48:28
marka Exp $ */
/*! \file */
...
...
@@ -238,18 +238,6 @@ view \"_bind\" chaos {\n\
};
\n
\
};
\n
\
"
"#
\n
\
# The
\"
_meta
\"
view is for zones that are used to store internal
\n
\
# information for named, such as managed keys. The zones are defined
\n
\
# elsewhere.
\n
\
#
\n
\
view
\"
_meta
\"
in {
\n
\
recursion no;
\n
\
notify no;
\n
\
};
\n
\
"
"#
\n
\
# Default trusted key(s) for builtin DLV support
\n
\
# (used if
\"
dnssec-lookaside auto;
\"
is set and
\n
\
...
...
bin/named/include/named/server.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.10
4
20
09/11/28 15:57:37 vjs
Exp $ */
/* $Id: server.h,v 1.10
5
20
10/05/14 04:48:28 marka
Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
...
...
@@ -55,8 +55,6 @@ struct ns_server {
char
*
statsfile
;
/*%< Statistics file name */
char
*
dumpfile
;
/*%< Dump file name */
char
*
bindkeysfile
;
/*%< bind.keys file name */
isc_boolean_t
managedkeys
;
/*%< A managed-keys
statement exists */
char
*
recfile
;
/*%< Recursive file name */
isc_boolean_t
version_set
;
/*%< User has set version */
char
*
version
;
/*%< User-specified version */
...
...
bin/named/named.conf.docbook
...
...
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.4
4
20
09/12/03 23:18:16 each
Exp $ -->
<!-- $Id: named.conf.docbook,v 1.4
5
20
10/05/14 04:48:28 marka
Exp $ -->
<refentry>
<refentryinfo>
<date>
Aug 13, 2004
</date>
...
...
@@ -349,6 +349,7 @@ options {
zone-statistics
<replaceable>
boolean
</replaceable>
;
key-directory
<replaceable>
quoted_string
</replaceable>
;
managed-keys-directory
<replaceable>
quoted_string
</replaceable>
;
auto-dnssec
<constant>
allow
</constant>
|
<constant>
maintain
</constant>
|
<constant>
create
</constant>
|
<constant>
off
</constant>
;
try-tcp-refresh
<replaceable>
boolean
</replaceable>
;
zero-no-soa-ttl
<replaceable>
boolean
</replaceable>
;
...
...
bin/named/server.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.56
5
2010/05/14 0
3:24
:2
4
marka Exp $ */
/* $Id: server.c,v 1.56
6
2010/05/14 0
4:48
:2
8
marka Exp $ */
/*! \file */
...
...
@@ -23,6 +23,7 @@
#include
<stdlib.h>
#include
<unistd.h>
#include
<limits.h>
#include
<isc/app.h>
#include
<isc/base64.h>
...
...
@@ -36,6 +37,7 @@
#include
<isc/portset.h>
#include
<isc/print.h>
#include
<isc/resource.h>
#include
<isc/sha2.h>
#include
<isc/socket.h>
#include
<isc/stat.h>
#include
<isc/stats.h>
...
...
@@ -104,6 +106,10 @@
#include
<stdlib.h>
#endif
#ifndef PATH_MAX
#define PATH_MAX 1024
#endif
/*%
* Check an operation for failure. Assumes that the function
* using it has a 'result' variable and a 'cleanup' label.
...
...
@@ -280,7 +286,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
cfg_aclconfctx_t
*
aclconf
);
static
isc_result_t
add_keydata_zone
(
dns_view_t
*
view
,
isc_mem_t
*
mctx
);
add_keydata_zone
(
dns_view_t
*
view
,
const
char
*
directory
,
isc_mem_t
*
mctx
);
static
void
end_reserved_dispatches
(
ns_server_t
*
server
,
isc_boolean_t
all
);
...
...
@@ -635,13 +641,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
isc_result_t
result
=
ISC_R_SUCCESS
;
const
cfg_obj_t
*
view_keys
=
NULL
;
const
cfg_obj_t
*
global_keys
=
NULL
;
const
cfg_obj_t
*
view_managed_keys
=
NULL
;
const
cfg_obj_t
*
global_managed_keys
=
NULL
;
const
cfg_obj_t
*
builtin_keys
=
NULL
;
const
cfg_obj_t
*
builtin_managed_keys
=
NULL
;
const
cfg_obj_t
*
maps
[
4
];
const
cfg_obj_t
*
voptions
=
NULL
;
const
cfg_obj_t
*
options
=
NULL
;
isc_boolean_t
meta
;
const
cfg_obj_t
*
obj
=
NULL
;
const
char
*
directory
;
int
i
=
0
;
/* We don't need trust anchors for the _bind view */
...
...
@@ -650,14 +658,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
return
(
ISC_R_SUCCESS
);
}
meta
=
ISC_TF
(
strcmp
(
view
->
name
,
"_meta"
)
==
0
&&
view
->
rdclass
==
dns_rdataclass_in
);
if
(
vconfig
!=
NULL
)
{
voptions
=
cfg_tuple_get
(
vconfig
,
"options"
);
if
(
voptions
!=
NULL
)
{
(
void
)
cfg_map_get
(
voptions
,
"trusted-keys"
,
&
view_keys
);
(
void
)
cfg_map_get
(
voptions
,
"managed-keys"
,
&
view_managed_keys
);
maps
[
i
++
]
=
voptions
;
}
}
...
...
@@ -682,10 +689,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
return
(
ISC_R_UNEXPECTED
);
}
if
(
global_managed_keys
!=
NULL
)
ns_g_server
->
managedkeys
=
ISC_TRUE
;
if
(
auto_dlv
)
{
if
(
auto_dlv
&&
view
->
rdclass
==
dns_rdataclass_in
)
{
isc_log_write
(
ns_g_lctx
,
DNS_LOGCATEGORY_SECURITY
,
NS_LOGMODULE_SERVER
,
ISC_LOG_WARNING
,
"using built-in trusted-keys for view %s"
,
...
...
@@ -707,22 +711,30 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
&
builtin_managed_keys
);
}
if
(
builtin_keys
!=
NULL
)
CHECK
(
load_view_keys
(
builtin_keys
,
vconfig
,
view
,
ISC_FALSE
,
mctx
));
if
(
builtin_managed_keys
!=
NULL
)
ns_g_server
->
managedkeys
=
ISC_TRUE
;
CHECK
(
load_view_keys
(
builtin_keys
,
vconfig
,
view
,
ISC_FALSE
,
mctx
));
if
(
meta
)
CHECK
(
load_view_keys
(
builtin_managed_keys
,
vconfig
,
view
,
ISC_TRUE
,
mctx
));
}
CHECK
(
load_view_keys
(
view_keys
,
vconfig
,
view
,
ISC_FALSE
,
mctx
));
CHECK
(
load_view_keys
(
global_keys
,
vconfig
,
view
,
ISC_FALSE
,
mctx
));
if
(
meta
)
CHECK
(
load_view_keys
(
view_managed_keys
,
vconfig
,
view
,
ISC_TRUE
,
mctx
));
if
(
view
->
rdclass
==
dns_rdataclass_in
)
{
CHECK
(
load_view_keys
(
global_keys
,
vconfig
,
view
,
ISC_FALSE
,
mctx
));
CHECK
(
load_view_keys
(
global_managed_keys
,
vconfig
,
view
,
ISC_TRUE
,
mctx
));
ISC_TRUE
,
mctx
));
}
/*
* Add key zone for managed-keys.
*/
obj
=
NULL
;
(
void
)
ns_config_get
(
maps
,
"managed-keys-directory"
,
&
obj
);
directory
=
obj
!=
NULL
?
cfg_obj_asstring
(
obj
)
:
NULL
;
CHECK
(
add_keydata_zone
(
view
,
directory
,
ns_g_mctx
));
cleanup:
return
(
result
);
...
...
@@ -2929,30 +2941,33 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
*/
#define KEYZONE "managed-keys.bind"
#define MKEYS ".mkeys"
static
isc_result_t
add_keydata_zone
(
dns_view_t
*
view
,
isc_mem_t
*
mctx
)
{
add_keydata_zone
(
dns_view_t
*
view
,
const
char
*
directory
,
isc_mem_t
*
mctx
)
{
isc_result_t
result
;
dns_zone_t
*
zone
=
NULL
;
dns_acl_t
*
none
=
NULL
;
dns_name_t
zname
;
if
(
!
ns_g_server
->
managedkeys
)
return
(
ISC_R_SUCCESS
);
char
filename
[
PATH_MAX
];
char
buffer
[
ISC_SHA256_DIGESTSTRINGLENGTH
+
sizeof
(
MKEYS
)];
int
n
;
REQUIRE
(
view
!=
NULL
);
CHECK
(
dns_zone_create
(
&
zone
,
mctx
));
dns_name_init
(
&
zname
,
NULL
);
CHECK
(
dns_name_fromstring
(
&
zname
,
KEYZONE
,
0
,
mctx
));
CHECK
(
dns_zone_setorigin
(
zone
,
&
zname
));
dns_name_free
(
&
zname
,
mctx
);
CHECK
(
dns_zone_setorigin
(
zone
,
dns_rootname
));
CHECK
(
dns_zone_setfile
(
zone
,
KEYZONE
));
if
(
view
->
hints
==
NULL
)
dns_view_sethints
(
view
,
ns_g_server
->
in_roothints
);
isc_sha256_data
(
view
->
name
,
strlen
(
view
->
name
),
buffer
);
strcat
(
buffer
,
MKEYS
);
n
=
snprintf
(
filename
,
sizeof
(
filename
),
"%s%s%s"
,
directory
?
directory
:
""
,
directory
?
"/"
:
""
,
strcmp
(
view
->
name
,
"_default"
)
==
0
?
KEYZONE
:
buffer
);
if
(
n
<
0
||
(
size_t
)
n
>=
sizeof
(
filename
))
{
result
=
(
n
<
0
)
?
ISC_R_FAILURE
:
ISC_R_NOSPACE
;
goto
cleanup
;
}
CHECK
(
dns_zone_setfile
(
zone
,
filename
));
dns_zone_setview
(
zone
,
view
);
dns_zone_settype
(
zone
,
dns_zone_key
);
...
...
@@ -2976,11 +2991,14 @@ add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
dns_zone_setstats
(
zone
,
ns_g_server
->
zonestats
);
CHECK
(
setquerystats
(
zone
,
mctx
,
ISC_FALSE
));
CHECK
(
dns_view_addzone
(
view
,
zone
));
if
(
view
->
managed_keys
!=
NULL
)
dns_zone_detach
(
&
view
->
managed_keys
);
dns_zone_attach
(
zone
,
&
view
->
managed_keys
);
isc_log_write
(
ns_g_lctx
,
NS_LOGCATEGORY_GENERAL
,
NS_LOGMODULE_SERVER
,
ISC_LOG_INFO
,
"set up %s meta-zone"
,
KEYZONE
);
"set up managed keys zone for view %s, file '%s'"
,
view
->
name
,
filename
);
cleanup:
if
(
zone
!=
NULL
)
...
...
@@ -4113,12 +4131,6 @@ load_configuration(const char *filename, ns_server_t *server,
CHECK
(
configure_view
(
view
,
config
,
vconfig
,
&
cachelist
,
bindkeys
,
ns_g_mctx
,
&
aclconfctx
,
ISC_FALSE
));
if
(
!
strcmp
(
view
->
name
,
"_meta"
))
{
result
=
add_keydata_zone
(
view
,
ns_g_mctx
);
RUNTIME_CHECK
(
result
==
ISC_R_SUCCESS
);
}
dns_view_freeze
(
view
);
dns_view_detach
(
&
view
);
view
=
NULL
;
...
...
@@ -4469,6 +4481,8 @@ load_zones(ns_server_t *server, isc_boolean_t stop) {
view
=
ISC_LIST_NEXT
(
view
,
link
))
{
CHECK
(
dns_view_load
(
view
,
stop
));
if
(
view
->
managed_keys
!=
NULL
)
CHECK
(
dns_zone_load
(
view
->
managed_keys
));
}
/*
...
...
@@ -4743,8 +4757,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
ISC_R_SUCCESS
,
"isc_mem_strdup"
);
server
->
managedkeys
=
ISC_FALSE
;
server
->
dumpfile
=
isc_mem_strdup
(
server
->
mctx
,
"named_dump.db"
);
CHECKFATAL
(
server
->
dumpfile
==
NULL
?
ISC_R_NOMEMORY
:
ISC_R_SUCCESS
,
"isc_mem_strdup"
);
...
...
@@ -6415,8 +6427,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
view
=
dns_zone_getview
(
zone
);
if
(
strcmp
(
view
->
name
,
"_default"
)
==
0
||
strcmp
(
view
->
name
,
"_bind"
)
==
0
||
strcmp
(
view
->
name
,
"_meta"
))
strcmp
(
view
->
name
,
"_bind"
)
==
0
)
{
vname
=
""
;
sep
=
""
;
...
...
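Review bot: In add_keydata_zone an empty managed-keys-directory string is treated as a directory: the ternaries `directory ? directory : ""` and `directory ? "/" : ""` test only for NULL, so `managed-keys-directory "";` produces the filename `/managed-keys.bind` at the filesystem root instead of a working-directory-relative file. Test for a non-empty string in both places, e.g. `(directory != NULL && *directory != '\0')`, or reject the empty string where the option is parsed. Separately, the per-view filename hashes view->name only, while configure_view_dnsseckeys above loads the global managed keys only when `view->rdclass == dns_rdataclass_in`; if the configuration allows views of different classes to share a name, two views would write the same .mkeys file, so presumably add_keydata_zone should return early for non-IN views or fold the class into the hashed name. The body of add_keydata_zone continues past the hunk, so I cannot confirm whether a later guard covers either case.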
doc/arm/Bv9ARM-book.xml
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.45
6
2010/0
2/25 04:39:12
marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.45
7
2010/0
5/14 04:48:28
marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
...
...
@@ -4870,6 +4870,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> server-id <replaceable>server_id_string</replaceable>; </optional>
<optional> directory <replaceable>path_name</replaceable>; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
<optional> managed-keys-directory <replaceable>path_name</replaceable>; </optional>
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
<optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
...
...
@@ -5190,6 +5191,19 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</listitem>
</varlistentry>
<varlistentry>
<term><command>managed-keys-directory</command></term>
<listitem>
<para>
The directory used to hold the files used to track managed keys.
By default it is the working directory. It there are no
views then the file <filename>managed-keys.bind</filename>
otherwise a SHA256 hash of the view name is used with
<filename>.mkeys</filename> extension added.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>named-xfer</command></term>
<listitem>
...
...
lib/dns/include/dns/view.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.h,v 1.12
1
2010/05/14 04:
3
8:
5
2 marka Exp $ */
/* $Id: view.h,v 1.12
2
2010/05/14 04:
4
8:2
8
marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
...
...
@@ -175,6 +175,8 @@ struct dns_view {
/* Under owner's locking control. */
ISC_LINK
(
struct
dns_view
)
link
;
dns_viewlist_t
*
viewlist
;
dns_zone_t
*
managed_keys
;
};
#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
...
...
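Review bot: The new `managed_keys` member carries no comment saying what it holds, that it may be NULL, or who owns the reference, and it sits under the `/* Under owner's locking control. */` banner without saying which owner. A one-line comment in the `/*%<` style used elsewhere in this struct would help, e.g. `dns_zone_t *managed_keys; /*%< zone that persists this view's managed keys; NULL until attached, may be NULL */`. Which code attaches and detaches it is not visible from this header, so keep the comment to what the field holds rather than who sets it.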
lib/dns/view.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.c,v 1.16
2
2010/05/14 04:
3
8:
51
marka Exp $ */
/* $Id: view.c,v 1.16
3
2010/05/14 04:
4
8:
28
marka Exp $ */
/*! \file */
...
...
@@ -183,6 +183,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view
->
v4_aaaa
=
dns_v4_aaaa_ok
;
#endif
dns_fixedname_init
(
&
view
->
dlv_fixed
);
view
->
managed_keys
=
NULL
;
#ifdef BIND9
result
=
dns_order_create
(
view
->
mctx
,
&
view
->
order
);
...
...
@@ -361,6 +362,8 @@ destroy(dns_view_t *view) {
dns_stats_detach
(
&
view
->
resquerystats
);
if
(
view
->
secroots_priv
!=
NULL
)
dns_keytable_detach
(
&
view
->
secroots_priv
);
if
(
view
->
managed_keys
!=
NULL
)
dns_zone_detach
(
&
view
->
managed_keys
);
dns_fwdtable_destroy
(
&
view
->
fwdtable
);
dns_aclenv_destroy
(
&
view
->
aclenv
);
DESTROYLOCK
(
&
view
->
lock
);
...
...
@@ -423,6 +426,11 @@ view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
dns_zt_flushanddetach
(
&
view
->
zonetable
);
else
dns_zt_detach
(
&
view
->
zonetable
);
if
(
view
->
managed_keys
!=
NULL
)
{
if
(
view
->
flush
)
dns_zone_flush
(
view
->
managed_keys
);
dns_zone_detach
(
&
view
->
managed_keys
);
}
#endif
done
=
all_done
(
view
);
UNLOCK
(
&
view
->
lock
);
...
...
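Review bot: In view_flushanddetach the result of `dns_zone_flush(view->managed_keys)` is discarded, so a failed write of the managed-keys file at shutdown is invisible at this level and the on-disk trust anchor state may silently fall behind what the resolver was using. If dns_zone_flush does not log failures itself, capture the result and log it before detaching, e.g. `result = dns_zone_flush(view->managed_keys);` followed by a warning naming the view; otherwise at least mark the discard deliberate with a `(void)` cast. The `UNLOCK(&view->lock)` a few lines below suggests this flush also runs while the view lock is held, which is worth confirming is acceptable for a call that may do file I/O.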
lib/dns/zone.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.56
2
2010/05/14 04:
3
8:
51
marka Exp $ */
/* $Id: zone.c,v 1.56
3
2010/05/14 04:
4
8:
28
marka Exp $ */
/*! \file */
...
...
@@ -11087,7 +11087,8 @@ dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
vsnprintf
(
message
,
sizeof
(
message
),
fmt
,
ap
);
va_end
(
ap
);
isc_log_write
(
dns_lctx
,
category
,
DNS_LOGMODULE_ZONE
,
level
,
"zone %s: %s"
,
zone
->
strnamerd
,
message
);
level
,
"%s %s: %s"
,
(
zone
->
type
==
dns_zone_key
)
?
"managed-keys-zone"
:
"zone"
,
zone
->
strnamerd
,
message
);
}
void
...
...
@@ -11102,7 +11103,8 @@ dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
vsnprintf
(
message
,
sizeof
(
message
),
fmt
,
ap
);
va_end
(
ap
);
isc_log_write
(
dns_lctx
,
DNS_LOGCATEGORY_GENERAL
,
DNS_LOGMODULE_ZONE
,
level
,
"zone %s: %s"
,
zone
->
strnamerd
,
message
);
level
,
"%s %s: %s"
,
(
zone
->
type
==
dns_zone_key
)
?
"managed-keys-zone"
:
"zone"
,
zone
->
strnamerd
,
message
);
}
static
void
...
...
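Review bot: The `(zone->type == dns_zone_key) ? "managed-keys-zone" : "zone"` label expression is now duplicated verbatim in dns_zone_logc and dns_zone_log, which were already near-identical apart from the category argument. A small static helper, `static const char *zone_typename(dns_zone_t *zone) { return ((zone->type == dns_zone_key) ? "managed-keys-zone" : "zone"); }`, used by both isc_log_write calls keeps the label in one place for the next zone type that needs its own name. Both functions begin before their hunks, so I cannot see whether such a helper already exists above.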
Michał Kępień
@michal
mentioned in issue
#3349 (closed)
·
May 13, 2022