Commit eaac2057 authored by Evan Hunt

option to disable validation under specified names

- added new 'validate-except' option, which configures an NTA with
  expiry of 0xffffffff.  NTAs with that value in the expiry field do not
  expire, are not written out when saving the NTA table and are not
  dumped by rndc secroots
parent 509d71e1
......@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2018-05-29</date>
<date>2018-06-21</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -224,9 +224,9 @@ options {
coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
except-from { <replaceable>quoted_string</replaceable>; ... } ];
deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
<replaceable>quoted_string</replaceable>; ... } ];
except-from { <replaceable>string</replaceable>; ... } ];
deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
directory <replaceable>quoted_string</replaceable>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
......@@ -257,14 +257,12 @@ options {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... };
dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
hostname );
dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
| timestamp ) ];
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
<replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <replaceable>quoted_string</replaceable> | none );
dscp <replaceable>integer</replaceable>;
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
......@@ -362,7 +360,7 @@ options {
preferred-glue <replaceable>string</replaceable>;
prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
provide-ixfr <replaceable>boolean</replaceable>;
qname-minimization ( strict | relaxed | disabled );
qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
......@@ -413,7 +411,7 @@ options {
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
......@@ -463,6 +461,7 @@ options {
use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
v6-bias <replaceable>integer</replaceable>;
validate-except { <replaceable>string</replaceable>; ... };
version ( <replaceable>quoted_string</replaceable> | none );
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
......@@ -574,9 +573,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
cleaning-interval <replaceable>integer</replaceable>;
clients-per-query <replaceable>integer</replaceable>;
deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
except-from { <replaceable>quoted_string</replaceable>; ... } ];
deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
<replaceable>quoted_string</replaceable>; ... } ];
except-from { <replaceable>string</replaceable>; ... } ];
deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
... };
......@@ -610,8 +609,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... };
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
......@@ -689,7 +688,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
preferred-glue <replaceable>string</replaceable>;
prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
provide-ixfr <replaceable>boolean</replaceable>;
qname-minimization ( strict | relaxed | disabled );
qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
......@@ -735,7 +734,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
......@@ -797,6 +796,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>;
v6-bias <replaceable>integer</replaceable>;
validate-except { <replaceable>string</replaceable>; ... };
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
......@@ -878,7 +878,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [
port <replaceable>integer</replaceable> ]; ... };
server-names { <replaceable>quoted_string</replaceable>; ... };
server-names { <replaceable>string</replaceable>; ... };
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
......@@ -982,7 +982,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port
<replaceable>integer</replaceable> ]; ... };
server-names { <replaceable>quoted_string</replaceable>; ... };
server-names { <replaceable>string</replaceable>; ... };
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
......
......@@ -3692,6 +3692,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
unsigned int resolver_param;
dns_ntatable_t *ntatable = NULL;
const char *qminmode = NULL;
REQUIRE(DNS_VIEW_VALID(view));
......@@ -5348,8 +5349,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0,
NULL));
view->redirectzone = name;
} else
} else {
view->redirectzone = NULL;
}
/*
* Exceptions to DNSSEC validation.
*/
obj = NULL;
result = named_config_get(maps, "validate-except", &obj);
if (result == ISC_R_SUCCESS) {
result = dns_view_getntatable(view, &ntatable);
}
if (result == ISC_R_SUCCESS) {
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
dns_fixedname_t fntaname;
dns_name_t *ntaname;
ntaname = dns_fixedname_initname(&fntaname);
obj = cfg_listelt_value(element);
CHECK(dns_name_fromstring(ntaname,
cfg_obj_asstring(obj),
0, NULL));
CHECK(dns_ntatable_add(ntatable, ntaname,
true, 0, 0xffffffffU));
}
}
#ifdef HAVE_DNSTAP
/*
......@@ -5362,35 +5390,51 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
result = ISC_R_SUCCESS;
cleanup:
if (clients != NULL)
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
if (clients != NULL) {
dns_acl_detach(&clients);
if (mapped != NULL)
}
if (mapped != NULL) {
dns_acl_detach(&mapped);
if (excluded != NULL)
}
if (excluded != NULL) {
dns_acl_detach(&excluded);
if (ring != NULL)
}
if (ring != NULL) {
dns_tsigkeyring_detach(&ring);
if (zone != NULL)
}
if (zone != NULL) {
dns_zone_detach(&zone);
if (dispatch4 != NULL)
}
if (dispatch4 != NULL) {
dns_dispatch_detach(&dispatch4);
if (dispatch6 != NULL)
}
if (dispatch6 != NULL) {
dns_dispatch_detach(&dispatch6);
if (resstats != NULL)
}
if (resstats != NULL) {
isc_stats_detach(&resstats);
if (resquerystats != NULL)
}
if (resquerystats != NULL) {
dns_stats_detach(&resquerystats);
if (order != NULL)
}
if (order != NULL) {
dns_order_detach(&order);
if (cmctx != NULL)
}
if (cmctx != NULL) {
isc_mem_detach(&cmctx);
if (hmctx != NULL)
}
if (hmctx != NULL) {
isc_mem_detach(&hmctx);
if (cache != NULL)
}
if (cache != NULL) {
dns_cache_detach(&cache);
if (dctx != NULL)
}
if (dctx != NULL) {
dns_dyndb_destroyctx(&dctx);
}
return (result);
}
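Review bot: In the validate-except block of the second hunk, a failing `dns_view_getntatable(view, &ntatable)` is never reported: `result` is simply left non-success, the `for` loop is skipped, and the view starts with DNSSEC validation still active under names the operator explicitly excepted, with nothing in the log. Since the call's result is checked here, it presumably can fail for some views; in that case the failure should abort view configuration rather than degrade silently, e.g. replace the second `if` with `CHECK(dns_view_getntatable(view, &ntatable));` nested inside the first so that `cleanup` is reached. The literal `0xffffffffU` passed as the lifetime is also the sentinel that lib/dns/ntatable.c compares against in dns_ntatable_totext and dns_ntatable_save; a named constant in the ntatable header (placeholder name: `DNS_NTA_LIFETIME_PERMANENT`) used by both sides would keep the three occurrences from drifting apart. configure_view begins before the first hunk; only its tail and cleanup label are visible here.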
......
......@@ -65,6 +65,9 @@ options {
max-cache-size 20000000000000;
nta-lifetime 604800;
nta-recheck 604800;
validate-except {
"corp";
};
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......
......@@ -6646,6 +6646,24 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>validate-except</command></term>
<listitem>
<para>
Specifies a list of domain names at and beneath which DNSSEC
validation should <emphasis>not</emphasis> be performed,
regardless of the presence of a trust anchor at or above
those names. This may be used, for example, when configuring
a top-level domain intended only for local use, so that the
lack of a secure delegation for that domain in the root zone
will not cause validation failures. (This is similar
to setting a negative trust anchor, except that it is a
permanent configuration, whereas negative trust anchors
expire and are removed after a set period of time.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-accept-expired</command></term>
<listitem>
......
......@@ -63,9 +63,9 @@
<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
<command>deny-answer-addresses</command> { <replaceable>address_match_element</replaceable>; ... } [
<command>except-from</command> { <replaceable>quoted_string</replaceable>; ... } ];
<command>deny-answer-aliases</command> { <replaceable>quoted_string</replaceable>; ... } [ except-from {
<replaceable>quoted_string</replaceable>; ... } ];
<command>except-from</command> { <replaceable>string</replaceable>; ... } ];
<command>deny-answer-aliases</command> { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
} ];
<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
<command>directory</command> <replaceable>quoted_string</replaceable>;
<command>disable-algorithms</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
......@@ -96,14 +96,12 @@
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
<command>dnssec-validation</command> ( yes | no | auto );
<command>dnstap</command> { ( all | auth | client | forwarder |
<command>resolver</command> ) [ ( query | response ) ]; ... };
<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none |
<command>hostname</command> );
<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [
<command>size</command> ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
<command>unlimited</command> | <replaceable>integer</replaceable> ) ] [ suffix ( increment
| timestamp ) ];
<command>dnstap</command> { ( all | auth | client | forwarder | resolver ) [ ( query |
<command>response</command> ) ]; ... };
<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
<replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
<command>increment</command> | timestamp ) ];
<command>dnstap-version</command> ( <replaceable>quoted_string</replaceable> | none );
<command>dscp</command> <replaceable>integer</replaceable>;
<command>dual-stack-servers</command> [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
......@@ -202,7 +200,7 @@
<command>preferred-glue</command> <replaceable>string</replaceable>;
<command>prefetch</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
<command>qname-minimization</command> ( strict | relaxed | disabled );
<command>qname-minimization</command> ( strict | relaxed | disabled | off );
<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
<command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
......@@ -253,7 +251,7 @@
<command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
<command>dnsrps-enable</command> <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
<command>root-delegation-only</command> [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
<command>root-delegation-only</command> [ exclude { <replaceable>string</replaceable>; ... } ];
<command>root-key-sentinel</command> <replaceable>boolean</replaceable>;
<command>rrset-order</command> { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
<replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
......@@ -303,6 +301,7 @@
<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
<command>v6-bias</command> <replaceable>integer</replaceable>;
<command>validate-except</command> { <replaceable>string</replaceable>; ... };
<command>version</command> ( <replaceable>quoted_string</replaceable> | none );
<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
<command>zero-no-soa-ttl-cache</command> <replaceable>boolean</replaceable>;
......
......@@ -19,7 +19,7 @@
<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
<command>max-records</command> <replaceable>integer</replaceable>;
<command>server-addresses</command> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ]; ... };
<command>server-names</command> { <replaceable>quoted_string</replaceable>; ... };
<command>server-names</command> { <replaceable>string</replaceable>; ... };
<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
};
</programlisting>
......@@ -113,9 +113,9 @@ options {
datasize ( default | unlimited | <sizeval> );
deallocate-on-exit <boolean>; // obsolete
deny-answer-addresses { <address_match_element>; ... } [
except-from { <quoted_string>; ... } ];
deny-answer-aliases { <quoted_string>; ... } [ except-from {
<quoted_string>; ... } ];
except-from { <string>; ... } ];
deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
directory <quoted_string>;
disable-algorithms <string> { <string>;
......@@ -146,15 +146,13 @@ options {
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... }; // not configured
dnstap-identity ( <quoted_string> | none |
hostname ); // not configured
dnstap-output ( file | unix ) <quoted_string> [
size ( unlimited | <size> ) ] [ versions (
unlimited | <integer> ) ] [ suffix ( increment
| timestamp ) ]; // not configured
dnstap-version ( <quoted_string> | none ); // not configured
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dnstap-identity ( <quoted_string> | none | hostname );
dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <quoted_string> | none );
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
......@@ -178,14 +176,14 @@ options {
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
fstrm-set-buffer-hint <integer>; // not configured
fstrm-set-flush-timeout <integer>; // not configured
fstrm-set-input-queue-size <integer>; // not configured
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
fstrm-set-buffer-hint <integer>;
fstrm-set-flush-timeout <integer>;
fstrm-set-input-queue-size <integer>;
fstrm-set-output-notify-threshold <integer>;
fstrm-set-output-queue-model ( mpsc | spsc );
fstrm-set-output-queue-size <integer>;
fstrm-set-reopen-interval <ttlval>;
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
......@@ -321,7 +319,7 @@ options {
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
......@@ -380,6 +378,7 @@ options {
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };
v6-bias <integer>;
validate-except { <string>; ... };
version ( <quoted_string> | none );
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
......@@ -478,9 +477,9 @@ view <string> [ <class> ] {
cleaning-interval <integer>;
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [
except-from { <quoted_string>; ... } ];
deny-answer-aliases { <quoted_string>; ... } [ except-from {
<quoted_string>; ... } ];
except-from { <string>; ... } ];
deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
} ];
dialup ( notify | notify-passive | passive | refresh | <boolean> );
disable-algorithms <string> { <string>;
... }; // may occur multiple times
......@@ -514,8 +513,8 @@ view <string> [ <class> ] {
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... }; // not configured
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
......@@ -651,7 +650,7 @@ view <string> [ <class> ] {
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
......@@ -718,6 +717,7 @@ view <string> [ <class> ] {
use-alt-transfer-source <boolean>;
use-queryport-pool <boolean>; // obsolete
v6-bias <integer>;
validate-except { <string>; ... };
zero-no-soa-ttl <boolean>;
zero-no-soa-ttl-cache <boolean>;
zone <string> [ <class> ] {
......@@ -805,7 +805,7 @@ view <string> [ <class> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ) [
port <integer> ]; ... };
server-names { <quoted_string>; ... };
server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
......@@ -910,7 +910,7 @@ zone <string> [ <class> ] {
serial-update-method ( date | increment | unixtime );
server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
<integer> ]; ... };
server-names { <quoted_string>; ... };
server-names { <string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
......
......@@ -6,6 +6,6 @@ zone <string> [ <class> ] {
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
max-records <integer>;
server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
server-names { <quoted_string>; ... };
server-names { <string>; ... };
zone-statistics ( full | terse | none | <boolean> );
};
......@@ -122,9 +122,12 @@ dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name,
uint32_t lifetime);
/*%<
* Add a negative trust anchor to 'ntatable' for name 'name',
* which will expire at time 'now' + 'lifetime'. If 'force' is false,
* then the name will be checked periodically to see if it's bogus;
* if not, then the NTA will be allowed to expire early.
* which will expire at time 'now' + 'lifetime'. If 'force' is true,
* then the NTA will persist for the entire specified lifetime.
* If it is false, then the name will be queried periodically and
* validation will be attempted to see whether it's still bogus;
* if validation is successful, the NTA will be allowed to expire
* early and validation below the NTA will resume.
*
* Notes:
*
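Review bot: The rewritten comment still states that every NTA expires at 'now' + 'lifetime', but this same commit turns a lifetime of 0xffffffffU into a sentinel: lib/dns/ntatable.c skips entries with that expiry in dns_ntatable_totext and dns_ntatable_save, and bin/named/server.c adds validate-except names with exactly that value. A caller reading only this header cannot learn that such an entry is permanent and invisible to the save and secroots output, which matters for anyone auditing where validation is disabled. Add a sentence to the Notes section along the lines of `If 'lifetime' is 0xffffffff the NTA never expires; such entries are omitted by dns_ntatable_save() and dns_ntatable_totext().` The enclosing comment block continues past the end of the hunk.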
......
......@@ -547,69 +547,28 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
dns_name_t *name;
isc_time_t t;
name = dns_fixedname_initname(&fn);
dns_rbt_fullnamefromnode(node, name);
dns_name_format(name, nbuf, sizeof(nbuf));
isc_time_set(&t, n->expiry, 0);
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
first ? "" : "\n", nbuf,
n->expiry <= now ? "expired" : "expiry",
tbuf);
first = false;
result = putstr(buf, obuf);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
break;
}
}
cleanup:
dns_rbtnodechain_invalidate(&chain);
RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
return (result);
}
#if 0
isc_result_t
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
isc_result_t result;
dns_rbtnode_t *node;
dns_rbtnodechain_t chain;
isc_stdtime_t now;
REQUIRE(VALID_NTATABLE(ntatable));
isc_stdtime_get(&now);
RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
dns_rbtnodechain_init(&chain, ntatable->view->mctx);
result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
goto cleanup;
for (;;) {
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
if (node->data != NULL) {
dns_nta_t *n = (dns_nta_t *) node->data;
char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
dns_fixedname_t fn;
dns_name_t *name;
isc_time_t t;
name = dns_fixedname_initname(&fn);
dns_rbt_fullnamefromnode(node, name);
dns_name_format(name, nbuf, sizeof(nbuf));
isc_time_set(&t, n->expiry, 0);
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
fprintf(fp, "%s: %s %s\n", nbuf,
n->expiry <= now ? "expired" : "expiry",
tbuf);
/*
* Skip "validate-except" entries.
*/
if (n->expiry != 0xffffffffU) {
name = dns_fixedname_initname(&fn);
dns_rbt_fullnamefromnode(node, name);
dns_name_format(name, nbuf, sizeof(nbuf));
isc_time_set(&t, n->expiry, 0);
isc_time_formattimestamp(&t, tbuf,
sizeof(tbuf));
snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
first ? "" : "\n", nbuf,
n->expiry <= now
? "expired"
: "expiry",
tbuf);
first = false;
result = putstr(buf, obuf);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
......@@ -624,7 +583,6 @@ dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
return (result);
}
#endif
isc_result_t
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
......@@ -674,35 +632,41 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
for (;;) {
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
if (node->data != NULL) {
isc_buffer_t b;
char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
dns_fixedname_t fn;
dns_name_t *name;
dns_nta_t *n = (dns_nta_t *) node->data;
if (n->expiry > now) {
isc_buffer_t b;
char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
dns_fixedname_t fn;
dns_name_t *name;
name = dns_fixedname_initname(&fn);
dns_rbt_fullnamefromnode(node, name);
/*
* Skip this node if the expiry is already in the
* past, or if this is a "validate-except" entry.
*/
if (n->expiry <= now || n->expiry == 0xffffffffU) {
goto skip;
}
isc_buffer_init(&b, nbuf, sizeof(nbuf));
result = dns_name_totext(name, false, &b);
if (result != ISC_R_SUCCESS)
goto skip;
name = dns_fixedname_initname(&fn);
dns_rbt_fullnamefromnode(node, name);
/* Zero terminate. */
isc_buffer_putuint8(&b, 0);
isc_buffer_init(&b, nbuf, sizeof(nbuf));
result = dns_name_totext(name, false, &b);
if (result != ISC_R_SUCCESS)
goto skip;