Commit 8f7de3db authored by Evan Hunt's avatar Evan Hunt

Respinning to fix memory leak in dnssec-signzone. (Also adopting doc changes.)

parent 102ccdd2
--- 9.7.0b1 released ---
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
--- 9.7.0b1 released ---
2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
......
#define TRUSTED_KEYS "\
trusted-keys {\n\
# NOTE: This key is current as of September 2009.\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
......@@ -9,7 +9,7 @@ trusted-keys {\n\
#define MANAGED_KEYS "\
managed-keys {\n\
# NOTE: This key is current as of September 2009.\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.42 2009/10/10 01:47:59 each Exp $ -->
<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -132,6 +132,15 @@ trusted-keys {
</literallayout>
</refsect1>
<refsect1>
<title>MANAGED-KEYS</title>
<literallayout>
managed-keys {
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
<refsect1>
<title>CONTROLS</title>
<literallayout>
......@@ -273,6 +282,7 @@ options {
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
......@@ -339,10 +349,17 @@ options {
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
deny-answer-aliases {
<replaceable>namelist</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
......@@ -384,7 +401,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
trusted-keys {
<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
<optional>...</optional>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
......@@ -545,13 +563,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-policy {
update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
tcp-self | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>; ...
};
tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>;
<optional>...</optional>
}</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.40 2009/08/26 21:34:44 jreed Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.41 2009/10/16 02:59:41 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Aug 25, 2009</date>
......@@ -76,7 +76,7 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>nsupdate</command>
is used to submit Dynamic DNS Update requests as defined in RFC2136
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
......@@ -118,8 +118,8 @@
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC2845 or the SIG(0) record described in RFC3535 and
RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
......@@ -136,7 +136,12 @@
record in a zone served by the name server.
<command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
GSS-TSIG uses Kerberos credentials.
</para>
<para>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <option>-g</option> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <option>-o</option> flag.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
......@@ -629,9 +634,9 @@
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
long-standing rule in RFC1034 that a name must not exist as any other
long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsect1>
......@@ -687,27 +692,14 @@
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>RFC2136</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC3007</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2104</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2845</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC1034</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2535</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2931</refentrytitle>
</citerefentry>,
<para>
<citetitle>RFC 2136</citetitle>,
<citetitle>RFC 3007</citetitle>,
<citetitle>RFC 2104</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2931</citetitle>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
......@@ -718,8 +710,8 @@
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
<refsect1>
<title>BUGS</title>
<para>
......
managed-keys {
# NOTE: This key is current as of September 2009.
# NOTE: This key is current as of October 2009.
# If it fails to initialize correctly, it may have expired;
# see https://www.isc.org/solutions/dlv for a replacement.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.436 2009/10/14 12:49:11 jreed Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.437 2009/10/16 02:59:41 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -5509,24 +5509,42 @@ options {
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<command>dnssec-lookaside</command>, and the normal dnssec
<command>dnssec-lookaside</command>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be append to the key name and a DLV record will be
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS record
does) the DNSKEY RRset is deemed to be trusted.
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>auto</userinput>, then built-in default
values for the domain and trust anchor will be
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
</para>
<para>
NOTE: Since the built-in key may expire, it can be
overridden without recompiling <command>named</command>
by placing a new key in the file
<filename>bind.keys</filename>.
<para>
The default DLV key is stored in the file
<filename>bind.keys</filename>, which
<command>named</command> loads at startup if
<command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of that file is
installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded
from <ulink>https://www.isc.org/solutions/dlv</ulink>.
</para>
<para>
(To prevent problems if <filename>bind.keys</filename> is
not found, the current key is also compiled in to
<command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
to be recompiled with a new key when the DLV key expires.)
</para>
<para>
NOTE: Using <filename>bind.keys</filename> to store
locally-configured keys is possible, but not
recommended, as the file will be overwritten whenever
<acronym>BIND</acronym> 9 is re-installed or upgraded.
</para>
</listitem>
</varlistentry>
......
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
* $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
*/
/*! \file */
......@@ -1256,15 +1256,15 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
continue;
goto again;
/* Corrupted .key file? */
if (!dns_name_equal(origin, dst_key_name(pubkey)))
continue;
goto again;
if (public) {
addkey(keylist, &pubkey, savekeys, mctx);
continue;
goto again;
}
result = dst_key_fromfile(dst_key_name(pubkey),
......@@ -1274,20 +1274,20 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
directory, mctx, &privkey);
if (result == ISC_R_FILENOTFOUND) {
addkey(keylist, &pubkey, savekeys, mctx);
continue;
goto again;
}
RETERR(result);
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&pubkey);
dst_key_free(&privkey);
continue;
}
/* This should never happen. */
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto again;
addkey(keylist, &privkey, savekeys, mctx);
dst_key_free(&pubkey);
again:
if (pubkey != NULL)
dst_key_free(&pubkey);
if (privkey != NULL)
dst_key_free(&privkey);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
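Review bot: `RETERR(result);` after the `dst_key_fromfile()` call still jumps past the new `again:` cleanup, so on any read error other than ISC_R_FILENOTFOUND the `pubkey` obtained for this iteration is leaked — the same class of leak the commit sets out to close (assuming RETERR is the usual jump-on-error macro; its definition is outside the hunk). Releasing it before the jump keeps the fix complete: `if (result != ISC_R_SUCCESS)` / `dst_key_free(&pubkey);` inserted immediately before `RETERR(result);`. The `again:` block also relies on `pubkey` and `privkey` being reset to NULL at the top of every iteration and on `addkey()` clearing the pointer it takes ownership of; both are outside the hunk, and if `addkey()` does not clear it, the `goto again` right after each `addkey(keylist, &pubkey, ...)` would free a key the list now owns. The enclosing function dns_dnssec_keylistfromrdataset starts and ends outside the hunk.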
......