Commit e3344054 authored by Mark Andrews's avatar Mark Andrews

2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]

parent b59e6107
2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.h,v 1.42 2010/09/24 08:31:23 tbox Exp $ */
/* $Id: query.h,v 1.43 2010/12/08 02:46:15 marka Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
......@@ -27,6 +27,7 @@
#include <isc/netaddr.h>
#include <dns/types.h>
#include <dns/rdataset.h>
#include <named/types.h>
......@@ -57,6 +58,12 @@ struct ns_query {
isc_bufferlist_t namebufs;
ISC_LIST(ns_dbversion_t) activeversions;
ISC_LIST(ns_dbversion_t) freeversions;
dns_rdataset_t * dns64_aaaa;
dns_rdataset_t * dns64_sigaaaa;
isc_boolean_t * dns64_aaaaok;
unsigned int dns64_aaaaoklen;
unsigned int dns64_options;
unsigned int dns64_ttl;
};
#define NS_QUERYATTR_RECURSIONOK 0x0001
......@@ -73,6 +80,9 @@ struct ns_query {
#define NS_QUERYATTR_NOADDITIONAL 0x0800
#define NS_QUERYATTR_CACHEACLOKVALID 0x1000
#define NS_QUERYATTR_CACHEACLOK 0x2000
#define NS_QUERYATTR_DNS64 0x4000
#define NS_QUERYATTR_DNS64EXCLUDE 0x8000
isc_result_t
ns_query_init(ns_client_t *client);
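Review bot: The six dns64_* members added to struct ns_query and the two NS_QUERYATTR_DNS64* flags carry no comment, so a reader cannot tell what dns64_aaaa and dns64_sigaaaa hold, who owns those rdataset pointers, or what dns64_aaaaoklen counts (presumably the entries of the dns64_aaaaok array, but nothing here says so). I would put a short block comment ahead of the members, e.g. `/* DNS64 state: saved AAAA and RRSIG(AAAA) rdatasets, per-address "ok" flags (dns64_aaaaoklen entries), options and TTL used for synthesis */`, and a one-liner on the flags saying DNS64 is "synthesis active for this query" and DNS64EXCLUDE is "exclude ACL matched" — both of which need confirming against query.c, which is collapsed on this page. The struct's opening line is outside this hunk.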
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.587 2010/12/02 23:22:41 marka Exp $ */
/* $Id: server.c,v 1.588 2010/12/08 02:46:15 marka Exp $ */
/*! \file */
......@@ -63,6 +63,7 @@
#ifdef DLZ
#include <dns/dlz.h>
#endif
#include <dns/dns64.h>
#include <dns/forward.h>
#include <dns/journal.h>
#include <dns/keytable.h>
......@@ -1356,6 +1357,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
isc_boolean_t zero_no_soattl;
cfg_parser_t *newzones_parser = NULL;
cfg_obj_t *nzfconf = NULL;
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
REQUIRE(DNS_VIEW_VALID(view));
......@@ -1618,6 +1620,89 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
INSIST(result == ISC_R_SUCCESS);
zero_no_soattl = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "dns64", &obj);
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
strcmp(view->name, "_meta")) {
const cfg_listelt_t *element;
isc_netaddr_t na, suffix, *sp;
unsigned int prefixlen;
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *map = cfg_listelt_value(element);
dns_dns64_t *dns64 = NULL;
unsigned int dns64options = 0;
cfg_obj_asnetprefix(cfg_map_getname(map), &na,
&prefixlen);
obj = NULL;
(void)cfg_map_get(map, "suffix", &obj);
if (obj != NULL) {
sp = &suffix;
isc_netaddr_fromsockaddr(sp,
cfg_obj_assockaddr(obj));
} else
sp = NULL;
clients = mapped = excluded = NULL;
obj = NULL;
(void)cfg_map_get(map, "clients", &obj);
if (obj != NULL) {
result = cfg_acl_fromconfig(obj, config,
ns_g_lctx, actx,
mctx, 0, &clients);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
obj = NULL;
(void)cfg_map_get(map, "mapped", &obj);
if (obj != NULL) {
result = cfg_acl_fromconfig(obj, config,
ns_g_lctx, actx,
mctx, 0, &mapped);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
obj = NULL;
(void)cfg_map_get(map, "exclude", &obj);
if (obj != NULL) {
result = cfg_acl_fromconfig(obj, config,
ns_g_lctx, actx,
mctx, 0, &excluded);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
obj = NULL;
(void)cfg_map_get(map, "recursive-only", &obj);
if (obj != NULL && cfg_obj_asboolean(obj))
dns64options |= DNS_DNS64_RECURSIVE_ONLY;
obj = NULL;
(void)cfg_map_get(map, "break-dnssec", &obj);
if (obj != NULL && cfg_obj_asboolean(obj))
dns64options |= DNS_DNS64_BREAK_DNSSEC;
result = dns_dns64_create(mctx, &na, prefixlen, sp,
clients, mapped, excluded,
dns64options, &dns64);
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_dns64_append(&view->dns64, dns64);
view->dns64cnt++;
if (clients != NULL)
dns_acl_detach(&clients);
if (mapped != NULL)
dns_acl_detach(&mapped);
if (excluded != NULL)
dns_acl_detach(&excluded);
}
}
obj = NULL;
result = ns_config_get(maps, "dnssec-accept-expired", &obj);
INSIST(result == ISC_R_SUCCESS);
......@@ -2518,6 +2603,12 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
result = ISC_R_SUCCESS;
cleanup:
if (clients != NULL)
dns_acl_detach(&clients);
if (mapped != NULL)
dns_acl_detach(&mapped);
if (excluded != NULL)
dns_acl_detach(&excluded);
if (ring != NULL)
dns_tsigkeyring_destroy(&ring);
if (zone != NULL)
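Review bot: configure_view passes the dns64 prefix from cfg_obj_asnetprefix straight to dns_dns64_create without checking the address family or the prefix length; the only validation in this commit is check_dns64 in check.c, so this loader depends on the checker having run and on dns_dns64_create tolerating an out-of-spec prefix (if it enforces the RFC 6052 lengths with a REQUIRE, a bad prefix that slips through would abort named rather than fail the reload). A local check mirroring check_dns64, shown below, keeps the loader self-contained. Separately, check_dns64's acls table names the option `client` while this code reads `clients`, so named-checkconf never validates the clients ACL, and the ARM synopsis spells the boolean `recursion-only` while this code and doc/misc/options use `recursive-only`. configure_view begins and ends outside this hunk, and check_dns64 is cut off at the bottom of this page.
```c
			cfg_obj_asnetprefix(cfg_map_getname(map), &na,
					    &prefixlen);
			if (na.family != AF_INET6 ||
			    (prefixlen != 32 && prefixlen != 40 &&
			     prefixlen != 48 && prefixlen != 56 &&
			     prefixlen != 64 && prefixlen != 96)) {
				cfg_obj_log(map, ns_g_lctx, ISC_LOG_ERROR,
					    "dns64: prefix must be IPv6 with "
					    "length 32/40/48/56/64/96");
				result = ISC_R_FAILURE;
				goto cleanup;
			}
			/* … unchanged: suffix, acl and option parsing … */
```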
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.53 2010/12/07 02:53:33 marka Exp $
# $Id: conf.sh.in,v 1.54 2010/12/08 02:46:15 marka Exp $
#
# Common configuration data for system tests, to be sourced into
......@@ -53,7 +53,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
dlv @DLZ_SYSTEM_TEST@ dnssec forward glue ixfr limits lwresd
dlv @DLZ_SYSTEM_TEST@ dns64 dnssec forward glue ixfr limits lwresd
masterfile masterformat metadata notify nsupdate pending pkcs11
resolver rrsetorder sortlist smartsign stub tkey unknown upforwd
views xfer xferquota zonechecks"
#!/bin/sh
rm -f ns1/K*
rm -f ns1/signed.db*
rm -f ns1/dsset-signed.
; Copyright
$TTL 3600
@ SOA ns1 marka.isc.org. 0 0 0 0 1200
@ NS ns1
ns1 A 10.53.0.1
excluded-good-a AAAA 2001:eeee::1
A 1.2.3.4
excluded-bad-a AAAA 2001:eeee::2
A 10.0.0.1
excluded-only AAAA 2001:eeee::3
partially-excluded-good-a AAAA 2001:eeee::1
AAAA 2001::1
A 1.2.3.4
partially-excluded-bad-a AAAA 2001:eeee::2
AAAA 2001::2
A 10.0.0.1
partially-excluded-only AAAA 2001:eeee::3
AAAA 2001::3
a-only A 1.2.3.5
a-and-aaaa AAAA 2001::1
A 1.2.3.6
aaaa-only AAAA 2001::2
a-not-mapped A 10.0.0.2
mx-only MX 10 ns.example.
cname-excluded-good-a CNAME excluded-good-a
cname-excluded-bad-a CNAME excluded-bad-a
cname-excluded-only CNAME excluded-only
cname-partial-excluded-good-a CNAME partial-excluded-good-a
cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
cname-partial-excluded-only CNAME partial-excluded-only
cname-a-only CNAME a-only
cname-a-and-aaaa CNAME a-and-aaaa
cname-aaaa-only CNAME aaaa-only
cname-a-not-mapped CNAME a-not-mapped
cname-mx-only CNAME mx-only
cname-non-existent CNAME non-existent
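Review bot: The three `cname-partial-excluded-*` CNAMEs point at `partial-excluded-good-a`, `partial-excluded-bad-a` and `partial-excluded-only`, but the owner names defined earlier in this file are `partially-excluded-good-a`, `partially-excluded-bad-a` and `partially-excluded-only`, so these aliases resolve to NXDOMAIN exactly like `cname-non-existent` and cannot exercise the partially-excluded cases through a CNAME. Unless the mismatch is deliberate, the targets should be `cname-partial-excluded-good-a CNAME partially-excluded-good-a`, `cname-partial-excluded-bad-a CNAME partially-excluded-bad-a` and `cname-partial-excluded-only CNAME partially-excluded-only`. I cannot see tests.sh (collapsed on this page) to tell whether anything queries these names.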
/*
* Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/12/08 02:46:15 marka Exp $ */
// NS1
controls { /* empty */ };
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
allow-recursion { 10.53.0.1; };
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dns64 2001:bbbb::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
recursive-only yes;
};
};
zone "." {
type master;
file "root.db";
};
zone "example" {
type master;
file "example.db";
};
zone "signed" {
type master;
file "signed.db.signed";
};
// include "trusted.conf";
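Review bot: `dnssec-validation yes;` on ns1 is paired with the commented-out `// include "trusted.conf";`, so no trust anchor is configured and validation cannot validate anything here; as far as this page shows, sign.sh does not generate a trusted.conf either. If the intent is only to serve the signed zone for ns2 to resolve, dropping the option or adding a comment such as `// validation intentionally has no trust anchors on ns1` would stop a reader from assuming the dns64/DNSSEC interaction is being exercised on this server.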
; Copyright
$TTL 3600
@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example NS ns1.example.
ns1.example. A 10.53.0.1
signed NS ns1.example.
ns1.signed. A 10.53.0.1
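Review bot: The glue record `ns1.signed. A 10.53.0.1` is never used, because the delegation above it is `signed NS ns1.example.`; either the NS target was meant to be `ns1.signed.` or the stray A record can be dropped. Harmless as written, since `ns1.example.` has its own glue, but it reads like a copy-paste slip that will confuse anyone debugging the delegation.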
#!/bin/sh -e
#
# Copyright (C) 2004, 2006-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2010/12/08 02:46:16 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
zone=signed
infile=example.db
zonefile=signed.db
key1=`$KEYGEN -q -r $RANDFILE $zone`
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/12/08 02:46:16 marka Exp $ */
// NS2
controls { /* empty */ };
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dns64 2001:aaaa::/96 {
clients { 10.53.0.2; };
mapped { !rfc1918; any; };
exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
dns64 64:FF9B::/96 {
clients { 10.53.0.1; };
mapped { !192.228.79.201; !rfc1918; any; };
exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
};
zone "." {
type hint;
file "../../common/root.hint";
};
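Review bot: The first `dns64 2001:aaaa::/96` block does not list its own prefix in `exclude`, whereas the second block and the ARM example in this commit both exclude the DNS64 prefix itself (`exclude { 2001:aaaa::/96; 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };` would be the parallel form). If the asymmetry is intentional, for instance to test a server that does not treat its own synthesized addresses as real AAAA records, a `//` comment saying so would keep the next person from "fixing" it. The `mapped { !192.228.79.201; ... }` entry likewise gives no hint of what that address stands for in the test.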
#!/bin/sh -e
#
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2010/12/08 02:46:15 marka Exp $
../../../tools/genrandom 400 random.data
sh clean.sh
cd ns1 && sh sign.sh
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.465 2010/09/21 19:47:57 ebersman Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.466 2010/12/08 02:46:16 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -5120,6 +5120,14 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
<optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
<optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
<optional> dns64 <replaceable>IPv6-prefix</replaceable> {
<optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
<optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
<optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
<optional> suffix IPv6-address; </optional>
<optional> recursion-only <replaceable>yes_or_no</replaceable>; </optional>
<optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional>
}; </optional>;
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
<optional> max-udp-size <replaceable>number</replaceable>; </optional>
......@@ -5710,6 +5718,63 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>dns64</command></term>
<listitem>
<para>
This directive instructs <command>named</command> to
return mapped IPv4 addresses to AAAA queries when
there are no AAAA records. It is intended to be
used in conjunction with a NAT64. Each
<command>dns64</command> defines one DNS64 prefix.
Multiple DNS64 prefixes can be defined.
</para>
<para>
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
64 and 96 as per RFC 6052.
</para>
<para>
Each <command>dns64</command> supports a optional
<command>clients</command> acl which defines which clients
see this directive. If not defined it defaults to
<userinput>any;</userinput>.
</para>
<para>
Each <command>dns64</command> supports a optional
<command>mapped</command> acl which selects which
IPv4 addresses are to be mapped are in the corresponding
A RRset. If not defined it defaults to
<userinput>any;</userinput>.
</para>
<para>
Each <command>dns64</command> supports a optional
<command>exclude</command> acl which selects which
IPv6 addresses will be ignored for the purposes
of determining if dns64 is to be applied. Any
non matching address will prevent any further
DNS64 processing from occuring for this client.
</para>
<para>
A optional <command>suffix</command> can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to <userinput>::</userinput>. The bits
matching the prefix and mapped IPv4 address
must be zero.
</para>
<programlisting>
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
dns64 64:FF9B::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
</programlisting>
</listitem>
</varlistentry>
</variablelist>
<sect3 id="boolean_options">
......@@ -100,6 +100,14 @@ options {
directory <quoted_string>;
disable-algorithms <string> { <string>; ... };
disable-empty-zone <string>;
dns64 <netprefix> {
break-dnssec <boolean>;
clients { <address_match_element>; ... };
exclude { <address_match_element>; ... };
mapped { <address_match_element>; ... };
recursive-only <boolean>;
suffix <ipv6_address>;
};
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
......@@ -303,6 +311,14 @@ view <string> <optional_class> {
dlz <string> {
database <string>;
};
dns64 <netprefix> {
break-dnssec <boolean>;
clients { <address_match_element>; ... };
exclude { <address_match_element>; ... };
mapped { <address_match_element>; ... };
recursive-only <boolean>;
suffix <ipv6_address>;
};
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.120 2010/08/11 18:14:19 each Exp $ */
/* $Id: check.c,v 1.121 2010/12/08 02:46:16 marka Exp $ */
/*! \file */
......@@ -418,6 +418,106 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
static const unsigned char zeros[16];
static isc_result_t
check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *dns64 = NULL;
const cfg_obj_t *options;
const cfg_listelt_t *element;
const cfg_obj_t *map, *obj;
isc_netaddr_t na, sa;
unsigned int prefixlen;
int nbytes;
int i;
static const char *acls[] = { "client", "exclude", "mapped", NULL};
if (voptions != NULL)
cfg_map_get(voptions, "dns64", &dns64);
if (config != NULL && dns64 == NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "dns64", &dns64);
}
if (dns64 == NULL)
return (ISC_R_SUCCESS);
for (element = cfg_list_first(dns64);
element != NULL;
element = cfg_list_next(element))
{
map = cfg_listelt_value(element);
obj = cfg_map_getname(map);
cfg_obj_asnetprefix(obj, &na, &prefixlen);
if (na.family != AF_INET6) {
cfg_obj_log(map, logctx, ISC_LOG_ERROR,
"dns64 requires a IPv6 prefix");
result = ISC_R_FAILURE;
continue;
}
if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
cfg_obj_log(map, logctx, ISC_LOG_ERROR,
"bad prefix length %u [32/40/48/56/64/96]",
prefixlen);
result = ISC_R_FAILURE;
continue;
}
for (i = 0; acls[i] != NULL; i++) {
obj = NULL;
(void)cfg_map_get(map, acls[i], &obj);
if (obj != NULL) {
dns_acl_t *acl = NULL;
isc_result_t tresult;
tresult = cfg_acl_fromconfig(obj, config,
logctx, actx,
mctx, 0, &acl);
if (acl != NULL)
dns_acl_detach(&acl);
if (tresult != ISC_R_SUCCESS)
result = tresult;
}