Commit a3e41e3c authored by Andreas Gustafsson's avatar Andreas Gustafsson

obey the allow-update-forwarding option for both signed and unsigned updates;

fold the upforwd system test README file and nsupdate input files into the tests.sh script;
other minor cleanup of the upforwd test
parent 72a10307
......@@ -137,7 +137,10 @@
543. [doc] The 'port' option is now documented.
542. [func] Add allow-update-forwarding support.
542. [func] Add support for update forwarding as required for
full compliance with RFC2136. It is turned off
by default and can be enabled using the
'allow-update-forwarding' option.
541. [func] Add bogus server support.
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.74 2000/11/22 02:49:57 gson Exp $ */
/* $Id: update.c,v 1.75 2000/12/01 21:37:08 gson Exp $ */
#include <config.h>
......@@ -1889,31 +1889,13 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
if (sigresult != ISC_R_SUCCESS)
FAIL(sigresult);
CHECK(send_update_event(client, zone));
break; /* OK. */
break;
case dns_zone_slave:
if (dns_message_gettsig(client->message, NULL) == NULL) {
dns_acl_t *forwardacl;
/*
* We only REFUSE if policy is explicitly set and
* we fail to match.
*/
forwardacl = dns_zone_getforwardacl(zone);
if (forwardacl == NULL) {
FAILS(DNS_R_NOTIMP,
"unsigned updates not forwarded (noacl)");
} else {
result = ns_client_checkacl(client,
"update-forward",
forwardacl,
ISC_FALSE,
ISC_LOG_INFO);
if (result != ISC_R_SUCCESS)
FAIL(DNS_R_REFUSED);
}
}
CHECK(ns_client_checkacl(client, "update forwarding",
dns_zone_getforwardacl(zone),
ISC_FALSE, ISC_LOG_ERROR));
CHECK(send_forward_event(client, zone));
break; /* OK. */
break;
default:
FAILC(DNS_R_NOTAUTH,
"not authoritative for update zone");
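Review bot: The new slave branch hands `dns_zone_getforwardacl(zone)` straight to ns_client_checkacl, and that pointer is NULL when no allow-update-forwarding option is configured; the removed code handled that case explicitly (NOTIMP so the client moves on to the next server), whereas the new code relies on ns_client_checkacl turning a NULL acl plus the ISC_FALSE default into a denial, which this hunk does not show. If that is indeed the contract, a one-line comment above the CHECK, `/* A NULL acl (no allow-update-forwarding option) is denied via the ISC_FALSE default. */`, would make the dropped NOTIMP behaviour a deliberate choice rather than an accident. The log level for a refusal also moves from ISC_LOG_INFO in the old branch to ISC_LOG_ERROR; since any unauthenticated client can trigger this path, keeping it at `ISC_LOG_INFO` avoids letting remote peers fill the error log at will. ns_update_start begins and ends outside this hunk.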
......
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
$Id: README,v 1.2 2000/11/06 08:33:06 marka Exp $
ns1 stealth master
ns2 slave
ns3 slave
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2000/11/28 19:06:47 gson Exp $ */
/* $Id: named.conf,v 1.4 2000/12/01 21:37:13 gson Exp $ */
options {
query-source address 10.53.0.3;
......@@ -32,6 +32,6 @@ options {
zone "example" {
type slave;
file "example.bk";
allow-update-forwarding { 10.53.0.3; };
allow-update-forwarding { any; };
masters { 10.53.0.1; };
};
......@@ -15,22 +15,26 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.5 2000/11/28 03:21:17 marka Exp $
# $Id: tests.sh,v 1.6 2000/12/01 21:37:10 gson Exp $
# ns1 = stealth master
# ns2 = slave with update forwarding disabled; not currently used
# ns3 = slave with update forwarding enabled
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
echo "I:fetching first copy of zone before update"
echo "I:fetching master copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
echo "I:fetching second copy of zone before update"
echo "I:fetching slave 1 copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
echo "I:fetching third copy of zone before update"
echo "I:fetching slave 2 copy of zone before update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
......@@ -40,20 +44,25 @@ $PERL ../digcomp.pl knowngood.before dig.out.ns2 || status=1
$PERL ../digcomp.pl knowngood.before dig.out.ns3 || status=1
echo "I:updating zone (signed)"
# nsupdate will print a ">" prompt to stdout as it gets each input line.
$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K update.scp > /dev/null
$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || status=1
server 10.53.0.3 5300
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
send
EOF
echo "I:sleeping 15 seconds for server to incorporate changes"
sleep 15
echo "I:fetching first copy of zone after update"
echo "I:fetching master copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
echo "I:fetching second copy of zone after update"
echo "I:fetching slave 1 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
echo "I:fetching third copy of zone after update"
echo "I:fetching slave 2 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
......@@ -63,20 +72,25 @@ $PERL ../digcomp.pl knowngood.after1 dig.out.ns2 || status=1
$PERL ../digcomp.pl knowngood.after1 dig.out.ns3 || status=1
echo "I:updating zone (unsigned)"
# nsupdate will print a ">" prompt to stdout as it gets each input line.
$NSUPDATE update.scp2 > /dev/null
$NSUPDATE -- - <<EOF || status=1
server 10.53.0.3 5300
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
send
EOF
echo "I:sleeping 15 seconds for server to incorporate changes"
sleep 15
echo "I:fetching first copy of zone after update"
echo "I:fetching master copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
echo "I:fetching second copy of zone after update"
echo "I:fetching slave 1 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
echo "I:fetching third copy of zone after update"
echo "I:fetching slave 2 copy of zone after update"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
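Review bot: The comment `# nsupdate will print a ">" prompt to stdout as it gets each input line.` above the new `$NSUPDATE ... -- - <<EOF || status=1` invocation appears to be kept as context (the hunk counts fit that), but the rewritten command no longer redirects stdout to /dev/null, so anything nsupdate prints while consuming the heredoc now lands in the test's output stream. Either restore `> /dev/null` before `<<EOF` or drop the comment, so the text does not describe a redirection that is no longer there; the unsigned update in the following hunk has the same mismatch. The `-y name:secret` form places the TSIG secret on the command line, which is fine for a fixture with a throwaway key but deserves a short comment so the pattern is not copied into a real deployment where process listings would expose it.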
......
server 10.53.0.2 5300
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
server 10.53.0.3 5300
local 10.53.0.3
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
......@@ -2,7 +2,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.59 2000/11/30 21:33:22 gson Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.60 2000/12/01 21:37:15 gson Exp $ -->
<book>
......@@ -3741,14 +3741,21 @@ updates from all hosts.</para></entry>
</row>
<row rowsep = "0">
<entry colname = "1"><para><command>allow-update-forwarding</command></para></entry>
<entry colname = "2"><para>Specifies which hosts are allowed to
<entry colname = "2"><para>Specifies which hosts are allowed to
submit Dynamic DNS updates to slave zones to be forwarded to the
master.
This applies only to unsigned updates.
Signed updates are always forwarded.
If there is no acl defined then the server will return NOTIMPL, causing the
client to skip to the next server. If an acl is defined and there is no
match then the default is to deny update forwarding.</para>
master. The default is <userinput>{ none; }</userinput>, which
means that no update forwarding will be performed. To enable
update forwarding, specify <userinput>allow-update-forwarding { any; };</userinput>.
Specifying values other than <userinput>{ none; }</userinput> or
<userinput>{ any; }</userinput> is usually counterproductive, since
the responsibility for update access control should rest with the
master server, not the slaves.</para>
<para>Note that enabling the update forwarding feature on a slave server
may expose master servers relying on insecure IP address based
access control to attacks; see <xref linkend="dynamic_update_security">
for more details.</para>
</entry>
</row>
<row rowsep = "0">
......@@ -4609,7 +4616,7 @@ the <command>touch</command> utility (to change file access and
modification times) or the <command>chown</command> utility (to
set the user id and/or group id) on files to which you want <acronym>BIND</acronym>
to write.</para></sect2></sect1>
<sect1><title>Dynamic Updates</title>
<sect1 id="dynamic_update_security"><title>Dynamic Updates</title>
<para>Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym>BIND</acronym> the only way to do this was based on the IP
......
......@@ -522,7 +522,6 @@
./bin/tests/system/unknown/ns1/example-in.db ZONE 2000
./bin/tests/system/unknown/ns1/named.conf CONF-C 2000
./bin/tests/system/unknown/tests.sh SH 2000
./bin/tests/system/upforwd/README TXT.BRIEF 2000
./bin/tests/system/upforwd/clean.sh SH 2000
./bin/tests/system/upforwd/knowngood.after1 X 2000
./bin/tests/system/upforwd/knowngood.after2 X 2000
......@@ -537,8 +536,6 @@
./bin/tests/system/upforwd/ns3/named.conf CONF-C 2000
./bin/tests/system/upforwd/setup.sh SH 2000
./bin/tests/system/upforwd/tests.sh SH 2000
./bin/tests/system/upforwd/update.scp X 2000
./bin/tests/system/upforwd/update.scp2 X 2000
./bin/tests/system/views/.cvsignore X 2000
./bin/tests/system/views/clean.sh SH 2000
./bin/tests/system/views/ns1/.cvsignore X 2000
......