Commit
bf13e709
authored
Jun 25, 2010
by
Mark Andrews
2924. [func] 'rndc secroots' dumps a combined summary of the
current managed keys and trusted keys. [RT #20904]
parent
256b56f4
Changes
15
CHANGES
2924. [func] 'rndc secroots' dump a combined summary of the
current managed keys combined with trusted keys.
[RT #20904]
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
...
...
bin/named/config.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.11
0
2010/06/2
2 23:46:52 tbox
Exp $ */
/* $Id: config.c,v 1.11
1
2010/06/2
5 03:24:05 marka
Exp $ */
/*! \file */
...
...
@@ -80,6 +80,7 @@ options {\n\
bindkeys-file
\"
"
NS_SYSCONFDIR
"/bind.keys
\"
;
\n
\
port 53;
\n
\
recursing-file
\"
named.recursing
\"
;
\n
\
secroots-file
\"
named.secroots
\"
;
\n
\
"
#ifdef PATH_RANDOMDEV
"\
...
...
bin/named/control.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.3
6
20
09/10/12 20:48:11 each
Exp $ */
/* $Id: control.c,v 1.3
7
20
10/06/25 03:24:05 marka
Exp $ */
/*! \file */
...
...
@@ -153,6 +153,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
}
else
if
(
command_compare
(
command
,
NS_COMMAND_DUMPDB
))
{
ns_server_dumpdb
(
ns_g_server
,
command
);
result
=
ISC_R_SUCCESS
;
}
else
if
(
command_compare
(
command
,
NS_COMMAND_SECROOTS
))
{
result
=
ns_server_dumpsecroots
(
ns_g_server
,
command
);
}
else
if
(
command_compare
(
command
,
NS_COMMAND_TRACE
))
{
result
=
ns_server_setdebuglevel
(
ns_g_server
,
command
);
}
else
if
(
command_compare
(
command
,
NS_COMMAND_NOTRACE
))
{
...
...
bin/named/include/named/control.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.h,v 1.2
7
20
09/10/12 23:48:01 tbox
Exp $ */
/* $Id: control.h,v 1.2
8
20
10/06/25 03:24:05 marka
Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
...
...
@@ -42,6 +42,7 @@
#define NS_COMMAND_DUMPSTATS "stats"
#define NS_COMMAND_QUERYLOG "querylog"
#define NS_COMMAND_DUMPDB "dumpdb"
#define NS_COMMAND_SECROOTS "secroots"
#define NS_COMMAND_TRACE "trace"
#define NS_COMMAND_NOTRACE "notrace"
#define NS_COMMAND_FLUSH "flush"
...
...
bin/named/include/named/server.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.10
6
2010/0
5/14 23:50:39 tbox
Exp $ */
/* $Id: server.h,v 1.10
7
2010/0
6/25 03:24:05 marka
Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
...
...
@@ -54,6 +54,7 @@ struct ns_server {
dns_acl_t
*
blackholeacl
;
char
*
statsfile
;
/*%< Statistics file name */
char
*
dumpfile
;
/*%< Dump file name */
char
*
secrootsfile
;
/*%< Secroots file name */
char
*
bindkeysfile
;
/*%< bind.keys file name */
char
*
recfile
;
/*%< Recursive file name */
isc_boolean_t
version_set
;
/*%< User has set version */
...
...
@@ -244,6 +245,12 @@ ns_server_dumpstats(ns_server_t *server);
isc_result_t
ns_server_dumpdb
(
ns_server_t
*
server
,
char
*
args
);
/*%
* Dump the current security roots to the secroots file.
*/
isc_result_t
ns_server_dumpsecroots
(
ns_server_t
*
server
,
char
*
args
);
/*%
* Change or increment the server debug level.
*/
...
...
bin/named/server.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.5
69
2010/06/2
2
03:
58:36
marka Exp $ */
/* $Id: server.c,v 1.5
70
2010/06/2
5
03:
24:05
marka Exp $ */
/*! \file */
...
...
@@ -4352,6 +4352,12 @@ load_configuration(const char *filename, ns_server_t *server,
CHECKM
(
setstring
(
server
,
&
server
->
dumpfile
,
cfg_obj_asstring
(
obj
)),
"strdup"
);
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"secroots-file"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
CHECKM
(
setstring
(
server
,
&
server
->
secrootsfile
,
cfg_obj_asstring
(
obj
)),
"strdup"
);
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"recursing-file"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
...
...
@@ -4763,6 +4769,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL
(
server
->
dumpfile
==
NULL
?
ISC_R_NOMEMORY
:
ISC_R_SUCCESS
,
"isc_mem_strdup"
);
server
->
secrootsfile
=
isc_mem_strdup
(
server
->
mctx
,
"named.secroots"
);
CHECKFATAL
(
server
->
secrootsfile
==
NULL
?
ISC_R_NOMEMORY
:
ISC_R_SUCCESS
,
"isc_mem_strdup"
);
server
->
recfile
=
isc_mem_strdup
(
server
->
mctx
,
"named.recursing"
);
CHECKFATAL
(
server
->
recfile
==
NULL
?
ISC_R_NOMEMORY
:
ISC_R_SUCCESS
,
"isc_mem_strdup"
);
...
...
@@ -4833,6 +4844,7 @@ ns_server_destroy(ns_server_t **serverp) {
isc_mem_free
(
server
->
mctx
,
server
->
statsfile
);
isc_mem_free
(
server
->
mctx
,
server
->
bindkeysfile
);
isc_mem_free
(
server
->
mctx
,
server
->
dumpfile
);
isc_mem_free
(
server
->
mctx
,
server
->
secrootsfile
);
isc_mem_free
(
server
->
mctx
,
server
->
recfile
);
if
(
server
->
version
!=
NULL
)
...
...
@@ -5693,6 +5705,68 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
return
(
result
);
}
isc_result_t
ns_server_dumpsecroots
(
ns_server_t
*
server
,
char
*
args
)
{
dns_view_t
*
view
;
dns_keytable_t
*
secroots
=
NULL
;
isc_result_t
result
;
char
*
ptr
;
FILE
*
fp
=
NULL
;
isc_time_t
now
;
char
tbuf
[
64
];
/* Skip the command name. */
ptr
=
next_token
(
&
args
,
"
\t
"
);
if
(
ptr
==
NULL
)
return
(
ISC_R_UNEXPECTEDEND
);
ptr
=
next_token
(
&
args
,
"
\t
"
);
CHECKMF
(
isc_stdio_open
(
server
->
secrootsfile
,
"w"
,
&
fp
),
"could not open secroots dump file"
,
server
->
secrootsfile
);
TIME_NOW
(
&
now
);
isc_time_formattimestamp
(
&
now
,
tbuf
,
sizeof
(
tbuf
));
fprintf
(
fp
,
"%s
\n
"
,
tbuf
);
nextview:
for
(
view
=
ISC_LIST_HEAD
(
server
->
viewlist
);
view
!=
NULL
;
view
=
ISC_LIST_NEXT
(
view
,
link
))
{
if
(
ptr
!=
NULL
&&
strcmp
(
view
->
name
,
ptr
)
!=
0
)
continue
;
if
(
secroots
!=
NULL
)
dns_keytable_detach
(
&
secroots
);
result
=
dns_view_getsecroots
(
view
,
&
secroots
);
if
(
result
==
ISC_R_NOTFOUND
)
{
result
=
ISC_R_SUCCESS
;
continue
;
}
fprintf
(
fp
,
"
\n
Start view %s
\n\n
"
,
view
->
name
);
CHECK
(
dns_keytable_dump
(
secroots
,
fp
));
}
if
(
ptr
!=
NULL
)
{
ptr
=
next_token
(
&
args
,
"
\t
"
);
if
(
ptr
!=
NULL
)
goto
nextview
;
}
cleanup:
if
(
secroots
!=
NULL
)
dns_keytable_detach
(
&
secroots
);
if
(
fp
!=
NULL
)
(
void
)
isc_stdio_close
(
fp
);
if
(
result
==
ISC_R_SUCCESS
)
isc_log_write
(
ns_g_lctx
,
NS_LOGCATEGORY_GENERAL
,
NS_LOGMODULE_SERVER
,
ISC_LOG_INFO
,
"dumpsecroots complete"
);
else
isc_log_write
(
ns_g_lctx
,
NS_LOGCATEGORY_GENERAL
,
NS_LOGMODULE_SERVER
,
ISC_LOG_ERROR
,
"dumpsecroots failed: %s"
,
dns_result_totext
(
result
));
return
(
result
);
}
isc_result_t
ns_server_dumprecursing
(
ns_server_t
*
server
)
{
FILE
*
fp
=
NULL
;
...
...
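Review bot: `result` in ns_server_dumpsecroots is never assigned when no view passes the name filter: `rndc secroots nosuchview` takes the `continue` at the strcmp check on every iteration, falls through to `cleanup:` and reads an uninitialized `isc_result_t`, so both the log line and the status returned to rndc are undefined. Initialize it at declaration, `isc_result_t result = ISC_R_SUCCESS;`, which makes an unknown view name a silent no-op in the same way an absent keytable already is; if that case should be reported instead, set a distinct result before the loop and clear it on the first matching view. Secondarily, `(void)isc_stdio_close(fp)` discards the close status, so a short write of the dump file is still logged as "dumpsecroots complete"; folding that status into `result` when it is still ISC_R_SUCCESS would surface it. The loop body also treats any result other than ISC_R_NOTFOUND from dns_view_getsecroots as success before calling dns_keytable_dump, which is only safe if that call cannot return anything else — not visible from this hunk, worth a comment either way.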
bin/rndc/rndc.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.c,v 1.12
7
20
09/12/18 07:59:43 each
Exp $ */
/* $Id: rndc.c,v 1.12
8
20
10/06/25 03:24:05 marka
Exp $ */
/*! \file */
...
...
@@ -123,6 +123,8 @@ command is one of the following:\n\
querylog Toggle query logging.
\n
\
dumpdb [-all|-cache|-zones] [view ...]
\n
\
Dump cache(s) to the dump file (named_dump.db).
\n
\
secroots [view ...]
\n
\
Write security roots to the secroots file.
\n
\
stop Save pending updates to master files and stop the server.
\n
\
stop -p Save pending updates to master files and stop the server
\n
\
reporting process id.
\n
\
...
...
bin/tests/system/dnssec/clean.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2
7
2010/06/
03 23:51:05 tbox
Exp $
# $Id: clean.sh,v 1.2
8
2010/06/
25 03:24:05 marka
Exp $
rm
-f
*
/K
*
*
/keyset-
*
*
/dsset-
*
*
/dlvset-
*
*
/signedkey-
*
*
/
*
.signed
*
/trusted.conf
*
/tmp
*
*
/
*
.jnl
*
/
*
.bk
rm
-f
ns1/root.db ns2/example.db ns3/secure.example.db
...
...
@@ -37,4 +37,6 @@ rm -f ns3/optout.nsec3.example.db
rm
-f
ns3/optout.optout.example.db
rm
-f
ns3/secure.nsec3.example.db
rm
-f
ns3/secure.optout.example.db
rm
-f
*
/named.secroots
rm
-f
ns1/managed.key.id
rm
-f
signer/example.db
bin/tests/system/dnssec/ns1/sign.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.3
0
20
09/10
/2
8
0
0
:2
7:10
marka Exp $
# $Id: sign.sh,v 1.3
1
20
10/06
/2
5
0
3
:2
4:05
marka Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -53,3 +53,8 @@ cp trusted.conf ../ns3/trusted.conf
cp
trusted.conf ../ns4/trusted.conf
cp
trusted.conf ../ns6/trusted.conf
cp
trusted.conf ../ns7/trusted.conf
#
# Save keyid for managed key id test.
#
keyid
=
`
expr
$keyname
:
'K.+001+\(.*\)'
`
echo
"
$keyid
"
>
managed.key.id
bin/tests/system/dnssec/ns4/named.conf
...
...
@@ -15,7 +15,7 @@
*
PERFORMANCE
OF
THIS
SOFTWARE
.
*/
/* $
Id
:
named
.
conf
,
v
1
.
2
8
200
7
/
06
/
18
23
:
47
:
28
tbox
Exp
$ */
/* $
Id
:
named
.
conf
,
v
1
.
2
9
20
1
0
/
06
/
25
03
:
24
:
05
marka
Exp
$ */
//
NS4
...
...
@@ -36,6 +36,15 @@ options {
dnssec
-
must
-
be
-
secure
mustbesecure
.
example
yes
;
};
key
rndc_key
{
secret
"1234abcd8765"
;
algorithm
hmac
-
md5
;
};
controls
{
inet
10
.
53
.
0
.
4
port
9953
allow
{
any
; }
keys
{
rndc_key
; };
};
zone
"."
{
type
hint
;
file
"../../common/root.hint"
;
...
...
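Review bot: The new `controls` block pairs `allow { any; }` with the fixed hmac-md5 secret "1234abcd8765" on 10.53.0.4 port 9953, and nothing in the file says this is only tolerable because the 10.53.0.x addresses are presumably local harness aliases. Restricting the ACL to the test network, `allow { 10.53.0.0/24; }`, costs nothing for the test and removes the open listener, and a one-line comment `// test-only control channel: fixed key, do not reuse` keeps the fixture from being copied as a configuration example.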
bin/tests/system/dnssec/tests.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.6
1
2010/06/
04 00:04:39
marka Exp $
# $Id: tests.sh,v 1.6
2
2010/06/
25 03:24:05
marka Exp $
SYSTEMTESTTOP
=
..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -933,6 +933,19 @@ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - IQF9LQTLKKNF
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
# Test that "rndc secroots" is able to dump trusted keys
echo
"I:checking rndc secroots (
$n
)"
ret
=
0
$RNDC
-c
../common/rndc.conf
-s
10.53.0.4
-p
9953 secroots 2>&1 |
sed
's/^/I:ns1 /'
keyid
=
`
cat
ns1/managed.key.id
`
linecount
=
`
grep
"./RSAMD5/
$keyid
; trusted"
ns4/named.secroots |
wc
-l
`
[
"
$linecount
"
-eq
2
]
||
ret
=
1
linecount
=
`
cat
ns4/named.secroots |
wc
-l
`
[
"
$linecount
"
-eq
9
]
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
...
...
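Review bot: The rndc invocation at the top of the new secroots check labels its output with `sed 's/^/I:ns1 /'` although the command is sent to 10.53.0.4, i.e. ns4, whose named.secroots is what the following greps inspect; use `sed 's/^/I:ns4 /'` so a failure is attributed to the right server. The pipeline also hides rndc's exit status (the shell sees sed's), so a refused or rejected control connection only surfaces indirectly as a line-count mismatch; writing the output to a file first, `$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots > rndc.out.test$n 2>&1 || ret=1`, and then prefixing it keeps the two failure modes distinguishable (file name constructed here, follow the script's convention). The `-eq 9` whole-file count pins the exact dump layout (timestamp, blank lines, "Start view" headers), so any formatting change in dns_keytable_dump or ns_server_dumpsecroots will fail this test without a key actually going missing; asserting only on the key lines is more robust.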
doc/arm/Bv9ARM-book.xml
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.45
8
2010/06/2
2
0
6:16:34
marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.45
9
2010/06/2
5
0
3:24:05
marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
...
...
@@ -1305,6 +1305,19 @@ zone "eng.example.com" {
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>secroots
<optional><replaceable>view ...</replaceable></optional></userinput></term>
<listitem>
<para>
Dump the server's security roots to the secroots
file for the specified views. If no view is
specified, security roots for all
views are dumped.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
...
...
@@ -5365,6 +5378,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</listitem>
</varlistentry>
<varlistentry>
<term><command>secroots-file</command></term>
<listitem>
<para>
The pathname of the file the server dumps
security roots to when instructed to do so with
<command>rndc secroots</command>.
If not specified, the default is <filename>named.secroots</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>session-keyfile</command></term>
<listitem>
...
...
lib/dns/include/dns/keytable.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.h,v 1.2
2
2010/0
1/12 23:48:57 tbox
Exp $ */
/* $Id: keytable.h,v 1.2
3
2010/0
6/25 03:24:05 marka
Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
...
...
@@ -410,6 +410,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
*\li Any other result is an error.
*/
isc_result_t
dns_keytable_dump
(
dns_keytable_t
*
keytable
,
FILE
*
fp
);
/*%<
* Dump the keytable on fp.
*/
dst_key_t
*
dns_keynode_key
(
dns_keynode_t
*
keynode
);
/*%<
...
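Review bot: The comment on the new dns_keytable_dump declaration says only `Dump the keytable on fp.`, and this header is where callers learn the contract; state the output format the implementation produces — one line per key node, the dst_key_format() text followed by ` ; managed` or ` ; trusted` — and that the walk is done under the table's read lock, so fp must not be another path into the same keytable. A Requires/Returns pair in the style of the neighbouring declarations (`keytable` is a valid keytable, `fp` is an open stream; ISC_R_SUCCESS after a complete walk, otherwise the chain error) would complete it.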
...
lib/dns/keytable.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.c,v 1.
39
20
09/12/03 15:40:02 each
Exp $ */
/* $Id: keytable.c,v 1.
40
20
10/06/25 03:24:05 marka
Exp $ */
/*! \file */
...
...
@@ -553,6 +553,44 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
return
(
result
);
}
isc_result_t
dns_keytable_dump
(
dns_keytable_t
*
keytable
,
FILE
*
fp
)
{
isc_result_t
result
;
dns_keynode_t
*
knode
;
dns_rbtnode_t
*
node
;
dns_rbtnodechain_t
chain
;
REQUIRE
(
VALID_KEYTABLE
(
keytable
));
RWLOCK
(
&
keytable
->
rwlock
,
isc_rwlocktype_read
);
dns_rbtnodechain_init
(
&
chain
,
keytable
->
mctx
);
result
=
dns_rbtnodechain_first
(
&
chain
,
keytable
->
table
,
NULL
,
NULL
);
if
(
result
!=
ISC_R_SUCCESS
&&
result
!=
DNS_R_NEWORIGIN
)
goto
cleanup
;
for
(;;)
{
char
pbuf
[
DST_KEY_FORMATSIZE
];
dns_rbtnodechain_current
(
&
chain
,
NULL
,
NULL
,
&
node
);
for
(
knode
=
node
->
data
;
knode
!=
NULL
;
knode
=
knode
->
next
)
{
dst_key_format
(
knode
->
key
,
pbuf
,
sizeof
(
pbuf
));
fprintf
(
fp
,
"%s ; %s
\n
"
,
pbuf
,
knode
->
managed
?
"managed"
:
"trusted"
);
}
result
=
dns_rbtnodechain_next
(
&
chain
,
NULL
,
NULL
);
if
(
result
!=
ISC_R_SUCCESS
&&
result
!=
DNS_R_NEWORIGIN
)
{
if
(
result
==
ISC_R_NOMORE
)
result
=
ISC_R_SUCCESS
;
break
;
}
}
cleanup:
dns_rbtnodechain_invalidate
(
&
chain
);
RWUNLOCK
(
&
keytable
->
rwlock
,
isc_rwlocktype_read
);
return
(
result
);
}
dst_key_t
*
dns_keynode_key
(
dns_keynode_t
*
keynode
)
{
...
...
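Review bot: dns_keytable_dump propagates the result of dns_rbtnodechain_first unchanged whenever it is neither ISC_R_SUCCESS nor DNS_R_NEWORIGIN, and as far as I recall the rbt chain API reports an empty tree as ISC_R_NOTFOUND (worth confirming in rbt.c), so a view whose keytable holds no keys makes the caller's `CHECK(dns_keytable_dump(secroots, fp))` abort the whole `rndc secroots` run instead of printing an empty section. Map that case to success before the jump: `if (result == ISC_R_NOTFOUND) result = ISC_R_SUCCESS;` immediately ahead of `goto cleanup;`. The return value of dns_rbtnodechain_current is ignored and the fprintf calls are unchecked, so stream errors are only visible to the caller at close time; a comment saying that this is deliberate would stop the next reader from re-raising it.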
lib/isccfg/namedconf.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.11
8
2010/06/2
2
03:
58:38
marka Exp $ */
/* $Id: namedconf.c,v 1.11
9
2010/06/2
5
03:
24:05
marka Exp $ */
/*! \file */
...
...
@@ -868,6 +868,7 @@ options_clauses[] = {
{
"random-device"
,
&
cfg_type_qstring
,
0
},
{
"recursive-clients"
,
&
cfg_type_uint32
,
0
},
{
"reserved-sockets"
,
&
cfg_type_uint32
,
0
},
{
"secroots-file"
,
&
cfg_type_qstring
,
0
},
{
"serial-queries"
,
&
cfg_type_uint32
,
CFG_CLAUSEFLAG_OBSOLETE
},
{
"serial-query-rate"
,
&
cfg_type_uint32
,
0
},
{
"server-id"
,
&
cfg_type_serverid
,
0
},
...
...