Commit bf13e709 authored by Mark Andrews's avatar Mark Andrews

2924. [func] 'rndc secroots' dumps a combined summary of the

                        current managed keys and trusted keys.
                        [RT #20904]
parent 256b56f4
2924. [func] 'rndc secroots' dump a combined summary of the
current managed keys combined with trusted keys.
[RT #20904]
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.110 2010/06/22 23:46:52 tbox Exp $ */
/* $Id: config.c,v 1.111 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -80,6 +80,7 @@ options {\n\
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.36 2009/10/12 20:48:11 each Exp $ */
/* $Id: control.c,v 1.37 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -153,6 +153,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
result = ns_server_dumpsecroots(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.h,v 1.27 2009/10/12 23:48:01 tbox Exp $ */
/* $Id: control.h,v 1.28 2010/06/25 03:24:05 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
......@@ -42,6 +42,7 @@
#define NS_COMMAND_DUMPSTATS "stats"
#define NS_COMMAND_QUERYLOG "querylog"
#define NS_COMMAND_DUMPDB "dumpdb"
#define NS_COMMAND_SECROOTS "secroots"
#define NS_COMMAND_TRACE "trace"
#define NS_COMMAND_NOTRACE "notrace"
#define NS_COMMAND_FLUSH "flush"
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.106 2010/05/14 23:50:39 tbox Exp $ */
/* $Id: server.h,v 1.107 2010/06/25 03:24:05 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
......@@ -54,6 +54,7 @@ struct ns_server {
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
char * secrootsfile; /*%< Secroots file name */
char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */
......@@ -244,6 +245,12 @@ ns_server_dumpstats(ns_server_t *server);
isc_result_t
ns_server_dumpdb(ns_server_t *server, char *args);
/*%
* Dump the current security roots to the secroots file.
*/
isc_result_t
ns_server_dumpsecroots(ns_server_t *server, char *args);
/*%
* Change or increment the server debug level.
*/
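Review bot: The comment on `ns_server_dumpsecroots` does not describe `args`, which (per the implementation added to server.c in this commit) is the raw rndc command text: the command name followed by zero or more view names, each restricting the dump to that view. Suggest expanding the comment to say that, and to state that the function returns ISC_R_UNEXPECTEDEND when the command name is missing and otherwise the result of opening the secroots file and dumping each selected view's keytable.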
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.569 2010/06/22 03:58:36 marka Exp $ */
/* $Id: server.c,v 1.570 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -4352,6 +4352,12 @@ load_configuration(const char *filename, ns_server_t *server,
CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
"strdup");
obj = NULL;
result = ns_config_get(maps, "secroots-file", &obj);
INSIST(result == ISC_R_SUCCESS);
CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
"strdup");
obj = NULL;
result = ns_config_get(maps, "recursing-file", &obj);
INSIST(result == ISC_R_SUCCESS);
......@@ -4763,6 +4769,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
ISC_R_SUCCESS,
"isc_mem_strdup");
server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
......@@ -4833,6 +4844,7 @@ ns_server_destroy(ns_server_t **serverp) {
isc_mem_free(server->mctx, server->statsfile);
isc_mem_free(server->mctx, server->bindkeysfile);
isc_mem_free(server->mctx, server->dumpfile);
isc_mem_free(server->mctx, server->secrootsfile);
isc_mem_free(server->mctx, server->recfile);
if (server->version != NULL)
......@@ -5693,6 +5705,68 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
return (result);
}
isc_result_t
ns_server_dumpsecroots(ns_server_t *server, char *args) {
dns_view_t *view;
dns_keytable_t *secroots = NULL;
isc_result_t result;
char *ptr;
FILE *fp = NULL;
isc_time_t now;
char tbuf[64];
/* Skip the command name. */
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
ptr = next_token(&args, " \t");
CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
"could not open secroots dump file", server->secrootsfile);
TIME_NOW(&now);
isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
fprintf(fp, "%s\n", tbuf);
nextview:
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (ptr != NULL && strcmp(view->name, ptr) != 0)
continue;
if (secroots != NULL)
dns_keytable_detach(&secroots);
result = dns_view_getsecroots(view, &secroots);
if (result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
continue;
}
fprintf(fp, "\n Start view %s\n\n", view->name);
CHECK(dns_keytable_dump(secroots, fp));
}
if (ptr != NULL) {
ptr = next_token(&args, " \t");
if (ptr != NULL)
goto nextview;
}
cleanup:
if (secroots != NULL)
dns_keytable_detach(&secroots);
if (fp != NULL)
(void)isc_stdio_close(fp);
if (result == ISC_R_SUCCESS)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"dumpsecroots complete");
else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"dumpsecroots failed: %s",
dns_result_totext(result));
return (result);
}
isc_result_t
ns_server_dumprecursing(ns_server_t *server) {
FILE *fp = NULL;
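Review bot: After `result = dns_view_getsecroots(view, &secroots);` only ISC_R_NOTFOUND is handled; any other non-success result falls through to the fprintf and to `dns_keytable_dump(secroots, fp)` with `secroots` still NULL, which that function's `REQUIRE(VALID_KEYTABLE(keytable))` turns into an assertion failure that takes named down. Whether dns_view_getsecroots can return anything but success or NOTFOUND is not visible here, but a control-channel command should not depend on it; add `if (result != ISC_R_SUCCESS) goto cleanup;` right after the NOTFOUND branch. Separately, a view name that matches no view (`strcmp(view->name, ptr) != 0` on every iteration) yields an empty dump and still logs "dumpsecroots complete"; a `found` flag set inside the loop and checked after it, returning ISC_R_NOTFOUND, would surface the typo to the rndc operator. The `(void)isc_stdio_close(fp)` in cleanup also discards the only error report for a short or failed write, so when `result` is still success it should take the close's result instead.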
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.c,v 1.127 2009/12/18 07:59:43 each Exp $ */
/* $Id: rndc.c,v 1.128 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -123,6 +123,8 @@ command is one of the following:\n\
querylog Toggle query logging.\n\
dumpdb [-all|-cache|-zones] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
secroots [view ...]\n\
Write security roots to the secroots file.\n\
stop Save pending updates to master files and stop the server.\n\
stop -p Save pending updates to master files and stop the server\n\
reporting process id.\n\
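Review bot: The `secroots` usage line says "to the secroots file" without naming the default, while the `dumpdb` entry just above names its default file (named_dump.db); for consistency write `Write security roots to the secroots file (named.secroots).\n\`. The default is the name server.c installs unless `secroots-file` is configured, so the parenthetical is accurate in the same sense as dumpdb's.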
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.27 2010/06/03 23:51:05 tbox Exp $
# $Id: clean.sh,v 1.28 2010/06/25 03:24:05 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
......@@ -37,4 +37,6 @@ rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
rm -f */named.secroots
rm -f ns1/managed.key.id
rm -f signer/example.db
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
# $Id: sign.sh,v 1.31 2010/06/25 03:24:05 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -53,3 +53,8 @@ cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
#
# Save keyid for managed key id test.
#
keyid=`expr $keyname : 'K.+001+\(.*\)'`
echo "$keyid" > managed.key.id
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.28 2007/06/18 23:47:28 tbox Exp $ */
/* $Id: named.conf,v 1.29 2010/06/25 03:24:05 marka Exp $ */
// NS4
......@@ -36,6 +36,15 @@ options {
dnssec-must-be-secure mustbesecure.example yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.61 2010/06/04 00:04:39 marka Exp $
# $Id: tests.sh,v 1.62 2010/06/25 03:24:05 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -933,6 +933,19 @@ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - IQF9LQTLKKNF
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Test that "rndc secroots" is able to dump trusted keys
echo "I:checking rndc secroots ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
keyid=`cat ns1/managed.key.id`
linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l`
[ "$linecount" -eq 2 ] || ret=1
linecount=`cat ns4/named.secroots | wc -l`
[ "$linecount" -eq 9 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.458 2010/06/22 06:16:34 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.459 2010/06/25 03:24:05 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -1305,6 +1305,19 @@ zone "eng.example.com" {
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>secroots
<optional><replaceable>view ...</replaceable></optional></userinput></term>
<listitem>
<para>
Dump the server's security roots to the secroots
file for the specified views. If no view is
specified, security roots for all
views are dumped.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
......@@ -5365,6 +5378,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</listitem>
</varlistentry>
<varlistentry>
<term><command>secroots-file</command></term>
<listitem>
<para>
The pathname of the file the server dumps
security roots to when instructed to do so with
<command>rndc secroots</command>.
If not specified, the default is <filename>named.secroots</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>session-keyfile</command></term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.h,v 1.22 2010/01/12 23:48:57 tbox Exp $ */
/* $Id: keytable.h,v 1.23 2010/06/25 03:24:05 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
......@@ -410,6 +410,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
*\li Any other result is an error.
*/
isc_result_t
dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
/*%<
* Dump the keytable on fp.
*/
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode);
/*%<
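Review bot: The new `dns_keytable_dump` declaration only says "Dump the keytable on fp", while the neighbouring declarations in this header spell out their requirements and return values, so this one should too. Suggest a comment stating the requirements (`keytable` is a valid keytable and `fp` is open for writing; the table's read lock is held for the duration of the dump) and the returns (`ISC_R_SUCCESS` when every node was visited, otherwise the rbt chain error), and noting that each key is written as one `dst_key_format` line followed by `; managed` or `; trusted`.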
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.c,v 1.39 2009/12/03 15:40:02 each Exp $ */
/* $Id: keytable.c,v 1.40 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -553,6 +553,44 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
return (result);
}
isc_result_t
dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
{
isc_result_t result;
dns_keynode_t *knode;
dns_rbtnode_t *node;
dns_rbtnodechain_t chain;
REQUIRE(VALID_KEYTABLE(keytable));
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
dns_rbtnodechain_init(&chain, keytable->mctx);
result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
goto cleanup;
for (;;) {
char pbuf[DST_KEY_FORMATSIZE];
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
for (knode = node->data; knode != NULL; knode = knode->next) {
dst_key_format(knode->key, pbuf, sizeof(pbuf));
fprintf(fp, "%s ; %s\n", pbuf,
knode->managed ? "managed" : "trusted");
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
break;
}
}
cleanup:
dns_rbtnodechain_invalidate(&chain);
RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
return (result);
}
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode) {
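Review bot: `dns_rbtnodechain_current(&chain, NULL, NULL, &node)` has its result ignored and `node` is never initialised, so if that call ever fails the loop dereferences an indeterminate pointer at `node->data`; initialise `node = NULL` at its declaration and break out (keeping the error in `result`) when the call does not return ISC_R_SUCCESS. I cannot tell from this hunk whether a keynode in the table may carry a NULL `key`; if it can, `dst_key_format(knode->key, ...)` needs an `if (knode->key == NULL) continue;` guard first. The fprintf results are also unchecked, so a dump to a full disk still returns ISC_R_SUCCESS and the caller logs completion; testing `ferror(fp)` before returning would make that failure visible.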
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.118 2010/06/22 03:58:38 marka Exp $ */
/* $Id: namedconf.c,v 1.119 2010/06/25 03:24:05 marka Exp $ */
/*! \file */
......@@ -868,6 +868,7 @@ options_clauses[] = {
{ "random-device", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
{ "secroots-file", &cfg_type_qstring, 0 },
{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
{ "serial-query-rate", &cfg_type_uint32, 0 },
{ "server-id", &cfg_type_serverid, 0 },
......