Commit afaa290b authored by Vernon Schryver's avatar Vernon Schryver

Squashed commit of the following:

commit aea73609ac5d41ed091360e94370798965f28f05
commit eef7f44c57a060b24a426eb8888e16176a0a69b1
commit a88a26d864ad399fa2d40e3b9659b4d26f454ca1
commit 1b90d59568e7e3b65690c6bd075cf4d60b03e454
Merge: 74d8f73 cd029246
commit 74d8f73ed553bb64a305e284905762f7ff0029aa
commit 9a59ef6bbd4befe91e5691e8b85afe1cb7ab0706
commit c63606a53b4f1bb7066b37d3cfe588e9dc21a119
commit 2c392a840c8838455d144ce163bd873bee400c97
commit 0241f53563e6e7bed462a883d98a8931f01e0980
commit 79fe22b5d6f04bdaa3073cf54d41952194e879e1
commit 351b3049625f2edd39729dd85413e961b97d4b3b
commit 7207674fc77c9a10d84c0cb94e36d1c09bb31459
commit 543ad34cf08f901c20b438c9d2f45482cff13d5e
commit fc45b99ce4438627fdcbeb4365695ba0065fa46f
commit c425207f57e0a5157372aa7edbb79b13170563e5
commit ef8c5e23ca284e0ea02f69ce1f356d537c19d93b
commit ba0d4e3aa51efe412cfa1d031651f949442d1802
commit 41c7969c7cb6884b93011f7ace3fd9522efc021e
  and more from CVS

for rt26172

Add
  - optional "recursive-only yes|no" to the response-policy statement
  - optional max-policy-ttl to limit the lies that "recursive-only no"
      can introduce into resolvers' caches
  - test that queries with RD=0 are not rewritten by default
  - performance smoke test

Change encoding of PASSTHRU action to "rpz-passthru".
      (The old encoding is still accepted.)
Fix rt26180  assert botch in zone_findrdataset() in this branch
     as well.

Fix missing signatures on NOERROR results despite RPZ hits
    when there are signatures and the client asks for DNSSEC,
parent 6fcf8750
......@@ -3880,6 +3880,13 @@ rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep,
dns_rdataset_disassociate(*rdatasetp);
}
static void
rpz_match_clear(dns_rpz_st_t *st)
{
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
st->m.version = NULL;
}
static inline isc_result_t
rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp)
......@@ -3899,10 +3906,9 @@ static void
rpz_st_clear(ns_client_t *client) {
dns_rpz_st_t *st = client->query.rpz_st;
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
st->m.version = NULL;
if (st->m.rdataset != NULL)
query_putrdataset(client, &st->m.rdataset);
rpz_match_clear(st);
rpz_clean(NULL, &st->r.db, NULL, NULL);
if (st->r.ns_rdataset != NULL)
......@@ -4058,6 +4064,9 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
rpz != NULL;
rpz = ISC_LIST_NEXT(rpz, link)) {
if (!RECURSIONOK(client) && rpz->recursive_only)
continue;
/*
* Do not check policy zones that cannot replace a policy
* already known to match.
......@@ -4086,9 +4095,8 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
* hit, if any. Note the domain name and quality of the
* best hit.
*/
(void)dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
rdataset, st,
client->query.rpz_st->qname);
dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
rdataset, st, client->query.rpz_st->qname);
rpz_clean(&zone, &db, NULL, NULL);
}
return (ISC_R_SUCCESS);
......@@ -4193,8 +4201,8 @@ rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
*/
static isc_result_t
rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
dns_db_t **dbp, dns_dbversion_t **versionp,
dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
dns_rpz_policy_t *policyp)
{
......@@ -4239,7 +4247,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
if (result != ISC_R_SUCCESS) {
dns_db_detachnode(*dbp, nodep);
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
qnamef, "allrdatasets()", result);
qnamef, "allrdatasets() ", result);
*policyp = DNS_RPZ_POLICY_ERROR;
return (DNS_R_SERVFAIL);
}
......@@ -4256,7 +4264,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
if (result != ISC_R_SUCCESS) {
if (result != ISC_R_NOMORE) {
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
rpz_type, qnamef, "rdatasetiter",
rpz_type, qnamef, "rdatasetiter ",
result);
*policyp = DNS_RPZ_POLICY_ERROR;
return (DNS_R_SERVFAIL);
......@@ -4284,7 +4292,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
if ((*rdatasetp)->type != dns_rdatatype_cname) {
policy = DNS_RPZ_POLICY_RECORD;
} else {
policy = dns_rpz_decode_cname(*rdatasetp, sname);
policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname);
if ((policy == DNS_RPZ_POLICY_RECORD ||
policy == DNS_RPZ_POLICY_WILDCNAME) &&
qtype != dns_rdatatype_cname &&
......@@ -4355,6 +4363,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
rpz != NULL;
rpz = ISC_LIST_NEXT(rpz, link)) {
if (!RECURSIONOK(client) && rpz->recursive_only)
continue;
/*
* Do not check policy zones that cannot replace a policy
* already known to match.
......@@ -4400,11 +4411,11 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
}
/*
* See if the policy record exists.
* See if the policy record exists and get its policy.
*/
result = rpz_find(client, qtype, rpz_qname, qname, rpz_type,
&zone, &db, &version, &node, rdatasetp,
&policy);
result = rpz_find(client, qtype, rpz_qname, qname, rpz,
rpz_type, &zone, &db, &version, &node,
rdatasetp, &policy);
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
......@@ -4440,8 +4451,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
continue;
}
rpz_clean(&st->m.zone, &st->m.db, &st->m.node,
&st->m.rdataset);
rpz_match_clear(st);
st->m.rpz = rpz;
st->m.type = rpz_type;
st->m.prefix = 0;
......@@ -4455,9 +4465,11 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
trdataset = st->m.rdataset;
st->m.rdataset = *rdatasetp;
*rdatasetp = trdataset;
st->m.ttl = st->m.rdataset->ttl;
st->m.ttl = ISC_MIN(st->m.rdataset->ttl,
rpz->max_policy_ttl);
} else {
st->m.ttl = DNS_RPZ_TTL_DEFAULT;
st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT,
rpz->max_policy_ttl);
}
st->m.node = node;
node = NULL;
......@@ -4552,13 +4564,13 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
case DNS_R_BROKENCHAIN:
rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
client->query.qname,
"stop on qresult in rpz_rewrite()",
"stop on qresult in rpz_rewrite() ",
qresult);
return (ISC_R_SUCCESS);
default:
rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
client->query.qname,
"stop on unrecognized qresult in rpz_rewrite()",
"stop on unrecognized qresult in rpz_rewrite() ",
qresult);
return (ISC_R_SUCCESS);
}
......@@ -4737,10 +4749,11 @@ cleanup:
if (st->m.policy == DNS_RPZ_POLICY_MISS ||
st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
st->m.policy == DNS_RPZ_POLICY_ERROR) {
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU)
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
result != DNS_R_DELEGATION)
rpz_log_rewrite(client, "", st->m.policy, st->m.type,
st->qname);
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
st->m.type = DNS_RPZ_TYPE_BAD;
......@@ -4753,6 +4766,64 @@ cleanup:
return (result);
}
/*
* See if response policy zone rewriting is allowed a lack of interest
* by the client in DNSSEC or a lack of signatures.
*/
static isc_boolean_t
rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
{
dns_fixedname_t fixed;
dns_name_t *found;
dns_rdataset_t trdataset;
dns_rdatatype_t type;
if (client->view->rpz_break_dnssec)
return (ISC_TRUE);
/*
* sigrdataset == NULL if and only !WANTDNSSEC(client)
*/
if (sigrdataset == NULL)
return (ISC_TRUE);
if (dns_rdataset_isassociated(sigrdataset))
return (ISC_FALSE);
/*
* We are happy to rewrite nothing.
*/
if (rdataset == NULL || !dns_rdataset_isassociated(rdataset))
return (ISC_TRUE);
/*
* Do not rewrite if there is any sign of signatures.
*/
if (rdataset->type == dns_rdatatype_nsec ||
rdataset->type == dns_rdatatype_nsec3 ||
rdataset->type == dns_rdatatype_rrsig)
return (ISC_FALSE);
/*
* Look for a signature in a negative cache rdataset.
*/
if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0)
return (ISC_TRUE);
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
dns_rdataset_init(&trdataset);
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
dns_ncache_current(rdataset, found, &trdataset);
type = trdataset.type;
dns_rdataset_disassociate(&trdataset);
if (type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3 ||
type == dns_rdatatype_rrsig)
return (ISC_FALSE);
}
return (ISC_TRUE);
}
/*
* Add a CNAME to the query response, including translating foo.evil.com and
* *.evil.com CNAME *.example.com
......@@ -4797,7 +4868,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
* Turn off DNSSEC because the results of a
* response policy zone cannot verify.
*/
client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
return (ISC_R_SUCCESS);
}
......@@ -5727,9 +5799,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
CTRACE("query_find: resume");
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
RECURSIONOK(client) && !RECURSING(client) &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset)) &&
(RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
!RECURSING(client) &&
(client->query.rpz_st == NULL ||
(client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
!dns_name_equal(client->query.qname, dns_rootname)) {
......@@ -5803,10 +5875,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
break;
case DNS_RPZ_POLICY_RECORD:
result = rpz_st->m.result;
if (type == dns_rdatatype_any &&
result != DNS_R_CNAME &&
dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
if (qtype == dns_rdatatype_any &&
result != DNS_R_CNAME) {
/*
* We will add all of the rdatasets of
* the node by iterating, setting the
* TTL then.
*/
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
} else {
/*
* We will add this rdataset.
*/
rdataset->ttl = ISC_MIN(rdataset->ttl,
rpz_st->m.ttl);
}
break;
case DNS_RPZ_POLICY_WILDCNAME:
result = dns_rdataset_first(rdataset);
......@@ -5845,7 +5929,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Turn off DNSSEC because the results of a
* response policy zone cannot verify.
*/
client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
query_putrdataset(client, &sigrdataset);
is_zone = ISC_TRUE;
rpz_log_rewrite(client, "", rpz_st->m.policy,
......@@ -6804,6 +6889,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
noqname = rdataset;
else
noqname = NULL;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL)
rdataset->ttl = ISC_MIN(rdataset->ttl,
rpz_st->m.ttl);
query_addrrset(client,
fname != NULL ? &fname : &tname,
&rdataset, NULL,
......@@ -7096,8 +7185,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
rpz_st = client->query.rpz_st;
if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) {
rpz_clean(&rpz_st->m.zone, &rpz_st->m.db, &rpz_st->m.node,
&rpz_st->m.rdataset);
rpz_match_clear(rpz_st);
rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
}
if (rdataset != NULL)
......
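Review bot: The two added masks `client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | DNS_MESSAGEFLAG_AD);` (in rpz_add_cname and again in the rewrite path of query_find) mix two flag namespaces: `client->attributes` is masked with NS_CLIENTATTR_* bits everywhere else on this page, while DNS_MESSAGEFLAG_AD is a DNS header flag. As written, the statement clears whichever client attribute shares AD's bit value. As far as these hunks show, it leaves the AD bit of the response untouched, so a rewritten answer could still be marked as authenticated. If the intent is that rewritten answers never claim authenticity, keep `client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;` and clear the header flag on the message itself, e.g. `client->message->flags &= ~DNS_MESSAGEFLAG_AD;`, or use the client attribute that requests AD if this tree has one. The code that assembles the response flags is outside these hunks, so confirm there which object finally decides AD.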
......@@ -1440,15 +1440,14 @@ cleanup:
}
static isc_result_t
configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
const cfg_obj_t *rpz_obj, *policy_obj;
configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
{
const cfg_obj_t *rpz_obj, *policy_obj, *obj;
const char *str;
dns_fixedname_t fixed;
dns_name_t *origin;
dns_rpz_zone_t *old, *new;
dns_zone_t *zone = NULL;
isc_result_t result;
unsigned int l1, l2;
new = isc_mem_get(view->mctx, sizeof(*new));
if (new == NULL) {
......@@ -1457,9 +1456,10 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
}
memset(new, 0, sizeof(*new));
dns_name_init(&new->nsdname, NULL);
dns_name_init(&new->origin, NULL);
dns_name_init(&new->nsdname, NULL);
dns_name_init(&new->cname, NULL);
dns_name_init(&new->passthru, NULL);
ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
rpz_obj = cfg_listelt_value(element);
......@@ -1467,15 +1467,31 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
if (cfg_obj_isvoid(policy_obj)) {
new->policy = DNS_RPZ_POLICY_GIVEN;
} else {
str = cfg_obj_asstring(policy_obj);
str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
"policy name"));
new->policy = dns_rpz_str2policy(str);
INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
}
dns_fixedname_init(&fixed);
origin = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "name"));
result = dns_name_fromstring(origin, str, DNS_NAME_DOWNCASE, NULL);
obj = cfg_tuple_get(rpz_obj, "recursive-only");
if (cfg_obj_isvoid(obj)) {
new->recursive_only = recursive_only_def;
} else {
new->recursive_only = cfg_obj_asboolean(obj);
}
if (!new->recursive_only)
view->rpz_recursive_only = ISC_FALSE;
obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(obj)) {
new->max_policy_ttl = cfg_obj_asuint32(obj);
} else {
new->max_policy_ttl = ttl_def;
}
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
......@@ -1483,31 +1499,28 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
}
result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
origin, DNS_NAME_DOWNCASE, view->mctx);
&new->origin, DNS_NAME_DOWNCASE,
view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
/*
* The origin is part of 'nsdname' so we don't need to keep it
* seperately.
*/
l1 = dns_name_countlabels(&new->nsdname);
l2 = dns_name_countlabels(origin);
dns_name_getlabelsequence(&new->nsdname, l1 - l2, l2, &new->origin);
result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
/*
* Are we configured to with the reponse policy zone?
*/
result = dns_view_findzone(view, &new->origin, &zone);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"unknown zone '%s'", str);
goto cleanup;
}
if (dns_zone_gettype(zone) != dns_zone_master &&
dns_zone_gettype(zone) != dns_zone_slave) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
......@@ -1531,8 +1544,9 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
}
if (new->policy == DNS_RPZ_POLICY_CNAME) {
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "cname"));
result = dns_name_fromstring(&new->cname, str, 0, view->mctx);
str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
result = dns_name_fromstring(&new->cname, str,
DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid cname '%s'", str);
......@@ -2877,19 +2891,39 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
* Make the list of response policy zone names for views that
* are used for real lookups and so care about hints.
*/
zonelist = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints) {
obj = NULL;
result = ns_config_get(maps, "response-policy", &obj);
if (result == ISC_R_SUCCESS)
cfg_map_get(obj, "zone", &zonelist);
}
obj = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints &&
ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
const cfg_obj_t *recursive_only_obj;
const cfg_obj_t *break_dnssec_obj, *ttl_obj;
isc_boolean_t recursive_only_def;
dns_ttl_t ttl_def;
recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
if (!cfg_obj_isvoid(recursive_only_obj) &&
!cfg_obj_asboolean(recursive_only_obj))
recursive_only_def = ISC_FALSE;
else
recursive_only_def = ISC_TRUE;
if (zonelist != NULL) {
for (element = cfg_list_first(zonelist);
break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
if (!cfg_obj_isvoid(break_dnssec_obj) &&
cfg_obj_asboolean(break_dnssec_obj))
view->rpz_break_dnssec = ISC_TRUE;
else
view->rpz_break_dnssec = ISC_FALSE;
ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
if (cfg_obj_isuint32(ttl_obj))
ttl_def = cfg_obj_asuint32(ttl_obj);
else
ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
element != NULL;
element = cfg_list_next(element)) {
result = configure_rpz(view, element);
result = configure_rpz(view, element,
recursive_only_def, ttl_def);
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_rpz_set_need(ISC_TRUE);
......
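Review bot: In configure_rpz, the new failure branch after `dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE, DNS_NAME_DOWNCASE, view->mctx)` logs `"invalid zone '%s'"` with `str`, which at that point still holds the configured policy zone name. An operator reading the log is therefore pointed at a zone name that has already parsed successfully. Say what actually failed, for example `"cannot build rpz-passthru name for zone '%s'"`. Separately, `new->origin` is now filled by `dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE, view->mctx)` instead of being a label sequence inside `nsdname`, so the cleanup path presumably has to free it as its own name; that path is outside these hunks and is worth confirming.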
......@@ -17,8 +17,8 @@
# Clean up after rpz tests.
rm -f proto.* dig.out* nsupdate.tmp
rm -f */named.memstats */named.run */named.rpz */session.key
rm -f ns3/bl*.db */*.jnl */*.core */*.pid
rm -f ns2/signed-tld2.db
rm -f ns2/K*.private ns2/K*.key dsset-*
rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns*/*.key ns*/*.private ns2/tld2s.db
rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
rm -f */named.memstats */named.run */named.rpz */session.key
rm -f */*.jnl */*.core */*.pid
......@@ -23,12 +23,9 @@ ns. A 10.53.0.1
; rewrite responses from this zone
tld2. NS ns.tld2.
ns.tld2. A 10.53.0.2
ns2.tld2. A 10.53.0.2
; rewrite responses from this zone unless dnssec requested
signed-tld2. NS ns.signed-tld2.
ns.signed-tld2. A 10.53.0.2
ns2.signed-tld2. A 10.53.0.2
; rewrite responses from this secure zone unless dnssec requested (DO=1)
tld2s. NS ns.tld2.
; requests come from here
tld3. NS ns.tld3.
......@@ -37,4 +34,3 @@ ns.tld3. A 10.53.0.3
; rewrite responses from this zone
tld4. NS ns.tld4.
ns.tld4. A 10.53.0.4
ns2.tld4. A 10.53.0.4
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: base-tld2s.db,v 1.1.2.1 2012/02/24 17:22:37 vjs Exp $
; RPZ rewrite responses from this signed zone
$TTL 120
@ SOA tld2s. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
NS ns
NS . ; check for RT 24985
ns A 10.53.0.2
a0-1 A 192.168.0.1
a0-1-scname CNAME a0-1.tld2.
a3-5 A 192.168.3.5
......@@ -31,6 +31,7 @@ options {
notify no;
};
include "../trusted.conf";
zone "." { type hint; file "hints"; };
zone "tld2." {type master; file "tld2.db";};
......@@ -40,4 +41,5 @@ zone "sub2.tld2." {type master; file "tld2.db";};
zone "subsub.sub2.tld2." {type master; file "tld2.db";};
zone "sub3.tld2." {type master; file "tld2.db";};
zone "subsub.sub3.tld2." {type master; file "tld2.db";};
zone "signed-tld2." {type master; file "signed-tld2.db";};
zone "tld2s." {type master; file "tld2s.db";};
......@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: tld2.db,v 1.4 2011/10/13 01:32:33 vjs Exp $
; $Id: tld2.db,v 1.4.4.2 2012/02/24 17:22:37 vjs Exp $
; RPZ rewrite responses from this zone
......@@ -20,10 +20,8 @@
$TTL 120
@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
NS ns
NS ns2
NS . ; check for RT 24985
ns A 10.53.0.2
ns2 A 10.53.0.2
txt-only TXT "txt-only-tld2"
......@@ -36,6 +34,8 @@ a12-cname CNAME a12
a0-1 A 192.168.0.1
AAAA 2001:2::1
TXT "a0-1 tld2 text"
a0-1-scname CNAME a0-1.tld2s.
a3-1 A 192.168.3.1
AAAA 2001:2:3::1
......@@ -115,3 +115,8 @@ a5-3 A 192.168.5.3
a5-4 A 192.168.5.4
TXT "a5-4 tld2 text"
a6-1 A 192.168.6.1
TXT "a6-1 tld2 text"
a6-2 A 192.168.6.2
TXT "a6-2 tld2 text"
......@@ -12,14 +12,17 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: base.db,v 1.6 2011/10/13 01:32:33 vjs Exp $
; $Id: base.db,v 1.6.4.1 2011/10/15 23:03:38 vjs Exp $
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
$TTL 120
@ SOA blx. hostmaster.ns.blx. ( 1 3600 1200 604800 60 )
NS ns.tld.
NS ns
ns A 10.53.0.3
; Poke the radix tree a little.
......@@ -34,6 +37,6 @@ ns A 10.53.0.3
; regression testing for some old crashes
redirect IN A 127.0.0.1
*.redirect IN A 127.0.0.1
*.credirect IN CNAME google.com.
redirect A 127.0.0.1
*.redirect A 127.0.0.1
*.credirect CNAME google.com.
......@@ -21,8 +21,8 @@ $TTL 120
NS ns
ns A 10.53.0.3
; #18 in test1, crashed new ASSERT() in rbtdb.c
c1 A 172.16.1.1
; #24 in test1, crashed new ASSERT() in rbtdb.c
c1 A 172.16.1.24
; #16 in test2, crashed new ASSERT() in rbtdb.c
c2 A 172.16.1.16