1. 19 Mar, 2019 3 commits
      Move code handling key loading errors into a common function · b85007e0
      Michał Kępień authored
      Some values returned by dstkey_fromconfig() indicate that key loading
      should be interrupted, others do not.  There are also certain subsequent
      checks to be made after parsing a key from configuration and the results
      of these checks also affect the key loading process.  All of this
      complicates the key loading logic.
      
      In order to make the relevant parts of the code easier to follow, reduce
      the body of the inner for loop in load_view_keys() to a single call to a
      new function, process_key().  Move dstkey_fromconfig() error handling to
      process_key() as well and add comments to clearly describe the effects
      of various key loading errors.
      4d1ed128
      Ignore trust anchors using disabled algorithm · 1d45ad8f
      Matthijs Mekking authored
      More specifically: ignore configured trusted and managed keys that
      match a disabled algorithm.  The behavioral change is that
      associated responses no longer SERVFAIL, but return insecure.
  2. 15 Mar, 2019 2 commits
  3. 14 Mar, 2019 1 commit
  4. 08 Mar, 2019 1 commit
  5. 07 Mar, 2019 1 commit
  6. 06 Mar, 2019 1 commit
      Look for named plugins in ${libdir}/named · 1a9fc624
      Michał Kępień authored
      When the "library" part of a "plugin" configuration stanza does not
      contain at least one path separator, treat it as a filename and assume
      it is a name of a shared object present in the named plugin installation
      directory.  Absolute and relative paths can still be used and will be
      used verbatim.  Get the full path to a plugin before attempting to
      check/register it so that all relevant log messages include the same
      plugin path (apart from the one logged when the full path cannot be
      determined).
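As an added illustration of the lookup rule described in this commit, and not code from BIND or from this change: the C function below resolves a plugin stanza's "library" value the way the message describes, a bare filename from the plugin directory and anything containing a separator verbatim. The PLUGIN_DIR constant and the function names are assumptions made for the example; the real ${libdir}/named is fixed at build time.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for ${libdir}/named; the real value is set at build time. */
#define PLUGIN_DIR "/usr/local/lib/named"

/*
 * Resolve a plugin stanza's "library" string to the path that would be
 * handed to dlopen().  A bare filename (no '/') is taken from PLUGIN_DIR;
 * anything with a separator, absolute or relative, is used verbatim.
 * Returns false for an empty name or when the result would not fit in
 * 'out', so the caller logs and refuses instead of loading a truncated path.
 */
static bool resolve_plugin_path(const char *library, char *out, size_t outlen) {
    int n;

    if (library == NULL || *library == '\0' || outlen == 0)
        return false;
    if (strchr(library, '/') == NULL)
        n = snprintf(out, outlen, "%s/%s", PLUGIN_DIR, library);
    else
        n = snprintf(out, outlen, "%s", library);
    return n >= 0 && (size_t)n < outlen;
}

/* Check helper: does 'library' resolve to exactly 'expected'? */
static bool resolves_to(const char *library, const char *expected) {
    char path[256];
    return resolve_plugin_path(library, path, sizeof(path)) &&
           strcmp(path, expected) == 0;
}

/* Check helper: does the resolved path fit in a buffer of 'outlen' bytes? */
static bool fits_in(const char *library, size_t outlen) {
    char path[256];
    if (outlen > sizeof(path))
        outlen = sizeof(path);
    return resolve_plugin_path(library, path, outlen);
}

int main(void) {
    const char *inputs[] = { "filter-aaaa.so", "./filter-aaaa.so",
                             "/opt/bind/plugins/filter-aaaa.so", "" };
    char path[256];

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        if (resolve_plugin_path(inputs[i], path, sizeof(path)))
            printf("\"%s\" -> %s\n", inputs[i], path);
        else
            printf("\"%s\" -> rejected\n", inputs[i]);
    }
    return 0;
}
```

Resolving a bare name to an absolute path inside the plugin directory before calling dlopen() matters for more than consistent log messages: a bare filename passed straight to dlopen() is searched for along the dynamic loader's library path (LD_LIBRARY_PATH, the run path, the cache and the system directories), so a name like "filter-aaaa.so" could bind to whatever shared object of that name is found first. The truncation check exists for the same reason; a silently shortened path names a different file.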
  7. 18 Feb, 2019 1 commit
  8. 06 Feb, 2019 1 commit
  9. 25 Jan, 2019 1 commit
  10. 24 Jan, 2019 2 commits
  11. 16 Jan, 2019 1 commit
  12. 14 Jan, 2019 1 commit
      Fix a few cosmetic issues with `rndc managed-keys` · 6a3b851f
      Tony Finch authored
      The handling of class and view arguments was broken, because the code
      didn't realise that next_token() would overwrite the class name when
      it parsed the view name. The code was trying to implement a syntax
      like `refresh [[class] view]`, but it was documented to have a syntax
      like `refresh [class [view]]`. The latter is consistent with other rndc
      commands, so that is how I have fixed it.
      
      Before:
      
      $ rndc managed-keys refresh in rec
      rndc: 'managed-keys' failed: unknown class/type
      unknown class 'rec'
      
      After:
      
      $ rndc managed-keys refresh in rec
      refreshing managed keys for 'rec'
      
      There were missing newlines in the output from `rndc managed-keys
      refresh` and `rndc managed-keys destroy`.
      
      Before:
      
      $ rndc managed-keys refresh
      refreshing managed keys for 'rec'refreshing managed keys for 'auth'
      
      After:
      
      $ rndc managed-keys refresh
      refreshing managed keys for 'rec'
      refreshing managed keys for 'auth'
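An added model of the pointer hazard this commit describes, written for this page and not taken from BIND's control code or lexer: next_token() here returns a pointer into one reused buffer, the "buggy" parser keeps that pointer while it fetches the view and so validates the wrong string, and the "fixed" parser copies each token before asking for another, using the `refresh [class [view]]` order the commit settled on. The lexer, the argument structure and the function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed lexer: every token is copied into one buffer, so the pointer
 * returned by next_token() is only valid until the next call. */
typedef struct {
    const char *p;      /* read position in the input line */
    char tokbuf[64];    /* the previous token is lost on each call */
} lexer_t;

static void lexer_init(lexer_t *lex, const char *line) { lex->p = line; }

static const char *next_token(lexer_t *lex) {
    size_t n = 0;
    while (*lex->p != '\0' && isspace((unsigned char)*lex->p)) lex->p++;
    if (*lex->p == '\0') return NULL;
    while (*lex->p != '\0' && !isspace((unsigned char)*lex->p) &&
           n < sizeof(lex->tokbuf) - 1)
        lex->tokbuf[n++] = *lex->p++;
    lex->tokbuf[n] = '\0';
    return lex->tokbuf;
}

typedef struct {
    char cmd[16];
    char rdclass[16];   /* empty means "all classes" */
    char view[64];      /* empty means "all views" */
} mkeys_args_t;

static bool known_class(const char *s) {
    return strcasecmp(s, "in") == 0 || strcasecmp(s, "ch") == 0 ||
           strcasecmp(s, "hs") == 0;
}

/* Before the fix: the class pointer is held while the view is read, so by
 * the time the class is validated, tokbuf already holds the view name. */
static bool parse_mkeys_buggy(const char *line, mkeys_args_t *out) {
    lexer_t lex;
    const char *tok, *classtxt, *viewtxt = NULL;

    memset(out, 0, sizeof(*out));
    lexer_init(&lex, line);
    if ((tok = next_token(&lex)) == NULL) return false;
    snprintf(out->cmd, sizeof(out->cmd), "%s", tok);

    classtxt = next_token(&lex);                        /* points into tokbuf */
    if (classtxt != NULL) viewtxt = next_token(&lex);   /* clobbers tokbuf   */
    if (classtxt != NULL) {
        if (!known_class(classtxt))     /* sees the view: "unknown class 'rec'" */
            return false;
        snprintf(out->rdclass, sizeof(out->rdclass), "%s", classtxt);
    }
    if (viewtxt != NULL) snprintf(out->view, sizeof(out->view), "%s", viewtxt);
    return true;
}

/* After the fix: `refresh [class [view]]`; each token is copied (and the
 * class validated) before the lexer is asked for the next one. */
static bool parse_mkeys_fixed(const char *line, mkeys_args_t *out) {
    lexer_t lex;
    const char *tok;

    memset(out, 0, sizeof(*out));
    lexer_init(&lex, line);
    if ((tok = next_token(&lex)) == NULL) return false;
    snprintf(out->cmd, sizeof(out->cmd), "%s", tok);

    if ((tok = next_token(&lex)) != NULL) {
        if (!known_class(tok)) return false;
        snprintf(out->rdclass, sizeof(out->rdclass), "%s", tok);  /* copy now */
        if ((tok = next_token(&lex)) != NULL)
            snprintf(out->view, sizeof(out->view), "%s", tok);
    }
    return true;
}

/* Check helper: parse 'line' with 'parser' and compare the result. */
static bool parses_to(bool (*parser)(const char *, mkeys_args_t *),
                      const char *line, const char *rdclass, const char *view) {
    mkeys_args_t a;
    return parser(line, &a) && strcmp(a.cmd, "refresh") == 0 &&
           strcmp(a.rdclass, rdclass) == 0 && strcmp(a.view, view) == 0;
}

int main(void) {
    const char *line = "refresh in rec";
    printf("buggy: %s\n", parses_to(parse_mkeys_buggy, line, "in", "rec")
                              ? "class in, view rec" : "unknown class");
    printf("fixed: %s\n", parses_to(parse_mkeys_fixed, line, "in", "rec")
                              ? "class in, view rec" : "unknown class");
    return 0;
}
```

The buggy parser only misbehaves when both optional arguments are present, which is why `rndc managed-keys refresh in` worked while `refresh in rec` did not; the fixed parser also rejects `refresh rec`, since under `[class [view]]` a lone argument must be a class.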
  13. 10 Jan, 2019 1 commit
  14. 19 Dec, 2018 1 commit
  15. 11 Dec, 2018 1 commit
  16. 06 Dec, 2018 13 commits
      add a function for processing a list of configured plugins · 42349687
      Michał Kępień authored
      Add a new libisccfg function, cfg_pluginlist_foreach(), which allows an
      arbitrary callback to be invoked for every "plugin" stanza present in a
      configuration object.  Use this function for both loading plugins and
      checking their configuration in order to reduce duplication of
      configuration processing code present in bin/named/server.c and
      lib/bind9/check.c.
      name change from "hook modules" to "plugins" · fd20f10d
      Evan Hunt authored
      - "hook" is now used only for hook points and hook actions
      - the "hook" statement in named.conf is now "plugin"
      - ns_module and ns_modlist are now ns_plugin and ns_plugins
      - ns_module_load is renamed ns_plugin_register
      - the mandatory functions in plugin modules (hook_register,
        hook_check, hook_version, hook_destroy) have been renamed
      8da0c0e7
      restore filter-aaaa syntax checking · 7a47e4d8
      Evan Hunt authored
      - added functionality to check hook parameters in named-checkconf,
        and restored the checkconf tests that were removed from the
        filter-aaaa test.
      refactor to support multiple module instances · b94945e6
      Evan Hunt authored
      - use a per-view module list instead of global hook_modules
      - create an 'instance' pointer when registering modules, store it in
        the module structure, and use it as action_data when calling
        hook functions - this enables multiple module instances to be set
        up in parallel
      - also some nomenclature changes and cleanup
      use entirely local persistent data in modules · 74683fbc
      Evan Hunt authored
      - eliminate qctx->hookdata and client->hookflags.
      - use a memory pool to allocate data blobs in the filter-aaaa module,
        and associate them with the client address in a hash table
      - instead of detaching the client in query_done(), mark it for deletion
        and then call ns_client_detach() from qctx_destroy(); this ensures
        that it will still exist when the QCTX_DESTROYED hook point is
        reached.
      clear AD flag when altering response messages · 427e9ca3
      Evan Hunt authored
      - the AD flag was not being cleared correctly when filtering
      - enabled dnssec validation in the filter-aaaa test to confirm this
        works correctly now
      enable modules to store data in qctx · 81f58e2e
      Evan Hunt authored
      - added a 'hookdata' array to qctx to store pointers to up to
        16 blobs of data which are allocated by modules as needed.
        each module is assigned an ID number as it's loaded, and this
        is the index into the hook data array. this is to be used for
        holding persistent state between calls to a hook module for a
        specific query.
      - instead of using qctx->filter_aaaa, we now use qctx->hookdata.
        (this was the last piece of filter-aaaa specific code outside the
        module.)
      - added hook points for qctx initialization and destruction. we get
        a filter-aaaa data pointer from the mempool when initializing and
        store it in the qctx->hookdata table; return it to the mempool
        when destroying the qctx.
      - link the view to the qctx so that detaching the client doesn't cause
        hooks to fail
      - added a qctx_destroy() function which must be called after qctx_init;
        this calls the QCTX_DESTROY hook and detaches the view
      - general cleanup and comments
      add a parser to filter-aaaa.so and pass in the parameters · 9911c835
      Evan Hunt authored
      - make some cfg-parsing functions global so they can be run
        from filter-aaaa.so
      - add filter-aaaa options to the hook module's parser
      - mark filter-aaaa options in named.conf as obsolete, remove
        from named and checkconf, and update the filter-aaaa test not to
        use checkconf anymore
      - remove filter-aaaa-related struct members from dns_view
      add hook statement to configuration parser · d2f46443
      Evan Hunt authored
      - allow multiple "hook" statements at global or view level
      - add "optional bracketed text" type for optional parameter list
      - load hook module from specified path rather than hardcoded path
      - add a hooktable pointer (and a callback for freeing it) to the
        view structure
      - change the hooktable functions so they no longer update ns__hook_table
        by default, and modify PROCESS_HOOK so it uses the view hooktable, if
        set, rather than ns__hook_table. (ns__hook_table is retained for
        use by unit tests.)
      - update the filter-aaaa system test to load filter-aaaa.so
      - add a prereq script to check for dlopen support before running
        the filter-aaaa system test
      
      not yet done:
      - configuration parameters are not being passed to the filter-aaaa
        module; the filter-aaaa ACL and filter-aaaa-on-{v4,v6} settings are
        still stored in dns_view
      initial implementation of filter-aaaa.so as a shared object · d3f0f71b
      Evan Hunt authored
      - temporary kluge! in this version, for testing purposes,
        named always searches for a filter-aaaa module at /tmp/filter-aaaa.so.
        this enables the filter-aaaa system test to run even though the
        code to configure hooks in named.conf hasn't been written yet.
      - filter-aaaa-on-v4, filter-aaaa-on-v6 and the filter-aaaa ACL are
        still configured in the view as they were before, not in the hook.
      move several query.c helper functions to client.c and rename · e4f0a98b
      Evan Hunt authored
      - these formerly static helper functions have been moved into client.c
        and made external so that they can be used in hook modules as well as
        internally in libns: query_newrdataset, query_putrdataset,
        query_newnamebuf, query_newname, query_getnamebuf, query_keepname,
        query_releasename, query_newdbversion, query_findversion
      - made query_recurse() and query_done() into public functions
        ns_query_recurse() and ns_query_done() so they can be called from
        modules.
      set up hooks.c to enable setting hook points and loading modules · 70cc3f80
      Evan Hunt authored
      - move hooks.h to public include directory
      - ns_hooktable_init() initializes a hook table. if NULL is passed in, it
        initializes the global hook table
      - ns_hooktable_save() saves a pointer to the current global hook table.
      - ns_hooktable_reset() replaces the global hook table with different
        one
      - ns_hook_add() adds hooks at specified hook points in a hook table (or
        the global hook table if the specified table is NULL)
      - load and unload functions support dlopen() of hook modules (this is
        adapted from dyndb and not yet functional)
      - began adding new hook points to query.c
  17. 03 Dec, 2018 1 commit
      catz: improved log message when a zone is overridden · 16eb3518
      Tony Finch authored
      If you have a catalog zone containing 10.in-addr.arpa and an
      explicitly-configured version which overrides the catz version,
      `named` used to log:
      
      catz: error "success" while trying to add zone "10.in-addr.arpa"
      
      After this patch it logs:
      
      catz: zone "10.in-addr.arpa" is overridden by explicitly configured zone
  18. 22 Nov, 2018 3 commits
  19. 16 Nov, 2018 2 commits
  20. 14 Nov, 2018 1 commit
  21. 08 Nov, 2018 1 commit