--- bind9-9.9.3.dfsg.P2.orig/aclocal.m4
+++ bind9-9.9.3.dfsg.P2/aclocal.m4
@@ -1,5 +1,19 @@
-sinclude(libtool.m4/libtool.m4)dnl
-sinclude(libtool.m4/ltoptions.m4)dnl
-sinclude(libtool.m4/ltsugar.m4)dnl
-sinclude(libtool.m4/ltversion.m4)dnl
-sinclude(libtool.m4/lt~obsolete.m4)dnl
+# generated automatically by aclocal 1.13.3 -*- Autoconf -*-
+
+# Copyright (C) 1996-2013 Free Software Foundation, Inc.
+
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
+m4_include([libtool.m4/libtool.m4])
+m4_include([libtool.m4/ltoptions.m4])
+m4_include([libtool.m4/ltsugar.m4])
+m4_include([libtool.m4/ltversion.m4])
+m4_include([libtool.m4/lt~obsolete.m4])
--- bind9-9.9.3.dfsg.P2.orig/bin/named/client.c
+++ bind9-9.9.3.dfsg.P2/bin/named/client.c
@@ -994,6 +994,11 @@
 } if (result != ISC_R_SUCCESS) goto done;
+ /*
+ * Stop after the question if TC was set for rate limiting.
+ */
+ if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)
+ goto renderend;
 result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, DNS_MESSAGERENDER_PARTIAL | 
@@ -1134,6 +1139,51 @@ #endif /* + * Try to rate limit error responses. + */ + if (client->view != NULL && client->view->rrl != NULL) { + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + dns_rrl_result_t rrl_result; + + INSIST(rcode != dns_rcode_noerror && + rcode != dns_rcode_nxdomain); + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + rrl_result = dns_rrl(client->view, &client->peeraddr, + TCP_CLIENT(client), + dns_rdataclass_in, dns_rdatatype_none, + NULL, result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped errors in the query category + * so that they are not lost in silence. + * Starts of rate-limited bursts are logged in + * NS_LOGCATEGORY_RRL. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_CLIENT, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + /* + * Some error responses cannot be 'slipped', + * so don't try to slip any error responses. + */ + if (!client->view->rrl->log_only) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_ratedropped); + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_dropped); + ns_client_next(client, DNS_R_DROP); + return; + } + } + } + + /* * Message may be an in-progress reply that we had trouble * with, in which case QR will be set. We need to clear QR before * calling dns_message_reply() to avoid triggering an assertion. --- bind9-9.9.3.dfsg.P2.orig/bin/named/config.c +++ bind9-9.9.3.dfsg.P2/bin/named/config.c @@ -144,6 +144,8 @@ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-cache-ttl 604800; /* 1 week */\n\ + min-ncache-ttl 0; /* 0 hours */\n\ + min-cache-ttl 0; /* 0 seconds */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ check-names master fail;\n\ 
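Review bot: In the new rate-limit block every `rrl_result` other than `DNS_RRL_RESULT_OK` is handled as a drop once `log_only` is off, and the comment just above the `log_only` test explains that only indirectly; `dns_nsstatscounter_rateslipped`, which this same patch adds to server.h, is never incremented on this path. A clearer comment on the `if (rrl_result != DNS_RRL_RESULT_OK)` line would be `/* Error responses are never slipped: a slip verdict is treated exactly like a drop here. */`. Note also that `wouldlog` is evaluated before `dns_rrl()` and then gates the `ns_client_log()` call, so when it is false the text written into `log_buf` is discarded, which looks intentional but deserves a word. The enclosing function starts and ends outside this hunk.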
@@ -228,6 +230,13 @@ notify no;\n\ allow-new-zones no;\n\ \n\ + # Prevent use of this zone in DNS amplified reflection DoS attacks\n\ + rate-limit {\n\ + responses-per-second 3;\n\ + slip 0;\n\ + min-table-size 10;\n\ + };\n\ +\n\ zone \"version.bind\" chaos {\n\ type master;\n\ database \"_builtin version\";\n\ --- bind9-9.9.3.dfsg.P2.orig/bin/named/include/named/query.h +++ bind9-9.9.3.dfsg.P2/bin/named/include/named/query.h @@ -85,6 +85,7 @@ #define NS_QUERYATTR_CACHEACLOK 0x2000 #define NS_QUERYATTR_DNS64 0x4000 #define NS_QUERYATTR_DNS64EXCLUDE 0x8000 +#define NS_QUERYATTR_RRL_CHECKED 0x10000 isc_result_t --- bind9-9.9.3.dfsg.P2.orig/bin/named/include/named/server.h +++ bind9-9.9.3.dfsg.P2/bin/named/include/named/server.h @@ -167,7 +167,10 @@ dns_nsstatscounter_rpz_rewrites = 36, - dns_nsstatscounter_max = 37 + dns_nsstatscounter_ratedropped = 37, + dns_nsstatscounter_rateslipped = 38, + + dns_nsstatscounter_max = 39 }; void --- bind9-9.9.3.dfsg.P2.orig/bin/named/main.c +++ bind9-9.9.3.dfsg.P2/bin/named/main.c @@ -643,14 +643,6 @@ ISC_LOG_INFO, "using up to %u sockets", socks); } - result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_entropy_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, @@ -666,10 +658,6 @@ destroy_managers(void) { ns_lwresd_shutdown(); - isc_entropy_detach(&ns_g_entropy); - if (ns_g_fallbackentropy != NULL) - isc_entropy_detach(&ns_g_fallbackentropy); - /* * isc_taskmgr_destroy() will block until all tasks have exited, */ 
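Review bot: The `rate-limit` block added to the built-in CHAOS zones sets `slip 0`, which turns off the truncated-response fallback entirely, so a client whose address is being spoofed sees silent drops rather than a TC hint to retry over TCP; the comment above the block says why rate limiting is on but not why slipping is off. Suggest extending it to `# Prevent use of this zone in DNS amplified reflection DoS attacks;\n\ # slip 0: drop rather than answer with TC, nothing here merits a retry\n\` if that is the intent. With `responses-per-second 3` on zones whose answers are tiny this is a conservative default, but the reasoning should be recorded where the next maintainer will look.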
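Review bot: `isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE)` now runs without the `isc_entropy_create()` that used to precede it in this function, so create_managers() (the function name is inferred from the neighbouring destroy_managers() hunk) silently depends on ns_g_entropy having been created earlier by the new code in setup() in the -770 hunk of this file; nothing left here makes that ordering visible. A short comment before the call, `/* ns_g_entropy is created in setup(), before chroot and before this call. */`, would record the dependency. The matching removal of the `isc_entropy_detach()` calls from destroy_managers() in the -666 hunk relies on the same reordering and would benefit from the mirror comment pointing at where the detach now happens.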
@@ -770,6 +758,21 @@ } #endif + result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("isc_entropy_create() failed: %s", + isc_result_totext(result)); + + /* + * DST may load additional libraries, which must be done before + * chroot + */ + result = dst_lib_init2(ns_g_mctx, ns_g_entropy, + ns_g_engine, ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("dst_lib_init2() failed: %s", + isc_result_totext(result)); + #ifdef ISC_PLATFORM_USETHREADS /* * Check for the number of cpu's before ns_os_chroot(). @@ -936,6 +939,12 @@ ns_builtin_deinit(); + dst_lib_destroy(); + + isc_entropy_detach(&ns_g_entropy); + if (ns_g_fallbackentropy != NULL) + isc_entropy_detach(&ns_g_fallbackentropy); + /* * Add calls to unregister sdb drivers here. */ --- bind9-9.9.3.dfsg.P2.orig/bin/named/query.c +++ bind9-9.9.3.dfsg.P2/bin/named/query.c @@ -193,7 +193,7 @@ #ifdef NEWSTATS /* Do query type statistics * - * We only increment per-type if we're using the authoriative + * We only increment per-type if we're using the authoritative * answer counter, preventing double-counting. */ if (counter == dns_nsstatscounter_authans) { @@ -879,11 +879,11 @@ static void rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled, dns_rpz_policy_t policy, dns_rpz_type_t type, - dns_zone_t *zone, dns_name_t *rpz_qname) + dns_zone_t *p_zone, dns_name_t *p_name) { isc_stats_t *zonestats; char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; + char p_name_buf[DNS_NAME_FORMATSIZE]; /* * Count enabled rewrites in the global counter. @@ -893,8 +893,8 @@ isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_rpz_rewrites); } - if (zone != NULL) { - zonestats = dns_zone_getrequeststats(zone); + if (p_zone != NULL) { + zonestats = dns_zone_getrequeststats(p_zone); if (zonestats != NULL) isc_stats_increment(zonestats, dns_nsstatscounter_rpz_rewrites); 
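Review bot: The comment on the moved block explains only the `dst_lib_init2()` relocation; the `isc_entropy_create()` call that moved with it has no explanation, so a reader of setup() will not see why the entropy context is now created here rather than where the -643 hunk removed it. Suggest `/* The entropy context must exist before dst_lib_init2() below consumes it, so it is created here instead of with the other managers. */` above the `isc_entropy_create()` call. Replacing the old `return (ISC_R_UNEXPECTED)` with `ns_main_earlyfatal()` looks right this early in start-up, although setup()'s signature and the rest of its body are outside the hunk. The teardown order added in the -936 hunk, `dst_lib_destroy()` before the two `isc_entropy_detach()` calls, correctly mirrors the new initialisation order.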
@@ -904,68 +904,73 @@ return; dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); - dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf)); + dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s", disabled ? "disabled " : "", dns_rpz_type2str(type), dns_rpz_policy2str(policy), - qname_buf, rpz_qname_buf); + qname_buf, p_name_buf); } static void -rpz_log_fail(ns_client_t *client, int level, - dns_rpz_type_t rpz_type, dns_name_t *name, - const char *str, isc_result_t result) +rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, + dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; + const char *failed; if (!isc_log_wouldlog(ns_g_lctx, level)) return; /* - * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems. */ - dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1)); - dns_name_format(name, namebuf2, sizeof(namebuf2)); + if (level <= DNS_RPZ_DEBUG_LEVEL1) + failed = "failed: "; + else + failed = ": "; + dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY, level, - "rpz %s rewrite %s via %s %sfailed: %s", + "rpz %s rewrite %s via %s%s%s%s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2, str, isc_result_totext(result)); + qnamebuf, p_namebuf, + str, failed, isc_result_totext(result)); } /* * Get a policy rewrite zone database. 
*/ static isc_result_t -rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname, +rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; dns_dbversion_t *rpz_version = NULL; isc_result_t result; - result = query_getzonedb(client, rpz_qname, dns_rdatatype_any, + result = query_getzonedb(client, p_name, dns_rdatatype_any, DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version); if (result == ISC_R_SUCCESS) { if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) { - dns_name_format(client->query.qname, namebuf1, - sizeof(namebuf1)); - dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2)); + dns_name_format(client->query.qname, qnamebuf, + sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, "try rpz %s rewrite %s via %s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2); + qnamebuf, p_namebuf); } *versionp = rpz_version; return (ISC_R_SUCCESS); } - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname, - "query_getzonedb() ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, + " query_getzonedb()", result); return (result); } @@ -3913,7 +3918,7 @@ dns_rdataset_disassociate(*rdatasetp); } -static void +static inline void rpz_match_clear(dns_rpz_st_t *st) { rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); 
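Review bot: In rpz_log_fail() the new format `"rpz %s rewrite %s via %s%s%s%s"` concatenates `str` and `failed` with no separator, and the callers in this hunk pass strings such as `" query_getzonedb()"` while `failed` is `"failed: "`, so the error-level message comes out as `... via NAME query_getzonedb()failed: not found`; the default arm later in this file passes `""` and yields `... via NAMEfailed: ...`. Changing the assignment to `failed = " failed: ";` fixes both cases, and the `": "` branch already reads correctly (`query_getzonedb(): ...`). The test comment above says bin/tests/system/rpz/tests.sh matches `rpz.*failed`, which this change keeps satisfying.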
@@ -3921,16 +3926,16 @@ } static inline isc_result_t -rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) +rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { REQUIRE(rdatasetp != NULL); - rpz_clean(zonep, dbp, nodep, rdatasetp); if (*rdatasetp == NULL) { *rdatasetp = query_newrdataset(client); if (*rdatasetp == NULL) return (DNS_R_SERVFAIL); + } else if (dns_rdataset_isassociated(*rdatasetp)) { + dns_rdataset_disassociate(*rdatasetp); } return (ISC_R_SUCCESS); } 
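Review bot: rpz_ready() no longer calls rpz_clean() on the zone, db and node, so every caller now owns releasing those itself; the hunk drops the three parameters but adds no comment stating the narrowed contract, and rpz_find_p() compensates by calling `rpz_clean(zonep, dbp, nodep, rdatasetp)` explicitly in its own hunk. Suggest a header comment above the function such as `/* Make *rdatasetp a fresh, unassociated scratch rdataset, allocating one if needed. Unlike the old version this releases no zone, db or node; callers do that. */`. The new `else if (dns_rdataset_isassociated(*rdatasetp))` branch keeps the disassociation that rpz_clean() used to perform on a reused rdataset, as the tail of rpz_clean() visible in the -3913 hunk shows.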
@@ -3959,13 +3964,83 @@ st->m.policy = DNS_RPZ_POLICY_MISS; } +static dns_rpz_zbits_t +rpz_get_zbits(ns_client_t *client, + dns_rdatatype_t ip_type, dns_rpz_type_t rpz_type) +{ + dns_rpz_zones_t *rpzs; + dns_rpz_st_t *st; + dns_rpz_zbits_t zbits; + + rpzs = client->view->rpzs; + + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits = rpzs->have.client_ip; + break; + case DNS_RPZ_TYPE_QNAME: + zbits = rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.ipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.ipv6; + } else { + zbits = rpzs->have.ip; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + zbits = rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.nsipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.nsipv6; + } else { + zbits = rpzs->have.nsip; + } + break; + default: + INSIST(0); + break; + } + + st = client->query.rpz_st; + + /* + * Choose + * the earliest configured policy zone (rpz->num) + * QNAME over IP over NSDNAME over NSIP (rpz_type) + * the smallest name, + * the longest IP address prefix, + * the lexically smallest address. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.type >= rpz_type) { + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); + } else{ + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; + } + } + + /* + * If the client wants recursion, allow only compatible policies. + */ + if (!RECURSIONOK(client)) + zbits &= rpzs->p.no_rd_ok; + + return (zbits); +} + /* - * Get NS, A, or AAAA rrset for response policy zone checks. + * Get an NS, A, or AAAA rrset related to the response for the client + * to check the contents of that rrset for hits by eligible policy zones. 
*/ static isc_result_t -rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_db_t **dbp, dns_dbversion_t *version, +rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, + dns_rpz_type_t rpz_type, dns_db_t **dbp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp, isc_boolean_t resuming) { dns_rpz_st_t *st; @@ -3977,15 +4052,13 @@ dns_clientinfomethods_t cm; dns_clientinfo_t ci; - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - st = client->query.rpz_st; if ((st->state & DNS_RPZ_RECURSING) != 0) { INSIST(st->r.r_type == type); INSIST(dns_name_equal(name, st->r_name)); INSIST(*rdatasetp == NULL || !dns_rdataset_isassociated(*rdatasetp)); + INSIST(*dbp == NULL); st->state &= ~DNS_RPZ_RECURSING; *dbp = st->r.db; st->r.db = NULL; @@ -3995,16 +4068,15 @@ st->r.r_rdataset = NULL; result = st->r.r_result; if (result == DNS_R_DELEGATION) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(1) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " rpz_rrset_find(1)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; result = DNS_R_SERVFAIL; } return (result); } - result = rpz_ready(client, NULL, NULL, NULL, rdatasetp); + result = rpz_ready(client, rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); @@ -4019,9 +4091,8 @@ result = query_getdb(client, name, type, 0, &zone, dbp, &version, &is_zone); if (result != ISC_R_SUCCESS) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(2) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " rpz_rrset_find(2)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; if (zone != NULL) dns_zone_detach(&zone); 
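Review bot: In rpz_get_zbits() the `default: INSIST(0); break;` arm leaves `zbits` uninitialised, so if INSIST is compiled out (isc's assertion macros can be disabled at build time, as far as I recall) execution reaches `zbits &= ...` and `return (zbits)` on an indeterminate value, which is undefined behaviour and a compiler warning; declaring `dns_rpz_zbits_t zbits = 0;` or returning 0 from the default arm removes both. The same pattern appears in rpz_get_p_name() in the -4072 hunk, where `suffix` is left unset on its default arm. Separately, the comment `If the client wants recursion, allow only compatible policies.` is inverted relative to the code under it, which masks with `rpzs->p.no_rd_ok` only when `!RECURSIONOK(client)`; suggest `/* If recursion is not available to this client, keep only the policy zones usable without it. */`. The `} else{` on the mask also wants a space before the brace.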
@@ -4034,6 +4105,8 @@ node = NULL; dns_fixedname_init(&fixed); found = dns_fixedname_name(&fixed); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); 
@@ -4072,177 +4145,97 @@ } /* - * Check the IP address in an A or AAAA rdataset against - * the IP or NSIP response policy rules of a view. + * Compute a policy owner name, p_name, in a policy zone given the needed + * policy type and the trigger name. */ static isc_result_t -rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset, - dns_rpz_type_t rpz_type) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_zone_t *zone; - dns_db_t *db; - dns_rpz_zone_t *rpz; +rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, + dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_name_t *trig_name) +{ + dns_offsets_t prefix_offsets; + dns_name_t prefix, *suffix; + unsigned int first, labels; isc_result_t result; - st = client->query.rpz_st; - if (st->m.rdataset == NULL) { - st->m.rdataset = query_newrdataset(client); - if (st->m.rdataset == NULL) - return (DNS_R_SERVFAIL); - } - zone = NULL; - db = NULL; - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; - - /* - * Do not check policy zones that cannot replace a policy - * already known to match. - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS) { - if (st->m.rpz->num < rpz->num) - break; - if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; - } - - /* - * Find the database for this policy zone to get its radix tree. - */ - version = NULL; - result = rpz_getdb(client, rpz_type, &rpz->origin, - &zone, &db, &version); - if (result != ISC_R_SUCCESS) { - rpz_clean(&zone, &db, NULL, NULL); - continue; - } - /* - * Look for a better (e.g. longer prefix) hit for an IP address - * in this rdataset in this radix tree than than the previous - * hit, if any. Note the domain name and quality of the - * best hit. 
- */ - dns_db_rpz_findips(rpz, rpz_type, zone, db, version, - rdataset, st, client->query.rpz_st->qname); - rpz_clean(&zone, &db, NULL, NULL); - } - return (ISC_R_SUCCESS); -} - -/* - * Look for an A or AAAA rdataset - * and check for IP or NSIP rewrite policy rules. - */ -static isc_result_t -rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_rdatatype_t type, dns_name_t *name, - dns_db_t **dbp, dns_dbversion_t *version, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - isc_result_t result; - - result = rpz_rrset_find(client, rpz_type, name, type, dbp, version, - rdatasetp, resuming); - switch (result) { - case ISC_R_SUCCESS: - case DNS_R_GLUE: - case DNS_R_ZONECUT: - result = rpz_rewrite_ip(client, *rdatasetp, rpz_type); + /* + * The policy owner name consists of a suffix depending on the type + * and policy zone and a prefix that is the longest possible string + * from the trigger name that keesp the resulting policy owner name + * from being too long. + */ + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + suffix = &rpz->client_ip; break; - case DNS_R_EMPTYNAME: - case DNS_R_EMPTYWILD: - case DNS_R_NXDOMAIN: - case DNS_R_NCACHENXDOMAIN: - case DNS_R_NXRRSET: - case DNS_R_NCACHENXRRSET: - case ISC_R_NOTFOUND: - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_QNAME: + suffix = &rpz->origin; break; - case DNS_R_DELEGATION: - case DNS_R_DUPLICATE: - case DNS_R_DROP: + case DNS_RPZ_TYPE_IP: + suffix = &rpz->ip; break; - case DNS_R_CNAME: - case DNS_R_DNAME: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type, - name, "NS address rewrite rrset ", result); - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_NSDNAME: + suffix = &rpz->nsdname; break; - default: - if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - name, "NS address rewrite rrset ", result); - } + case DNS_RPZ_TYPE_NSIP: + suffix = &rpz->nsip; break; + 
default: + INSIST(0); } - return (result); -} -/* - * Look for both A and AAAA rdatasets - * and check for IP or NSIP rewrite policy rules. - * Look only for addresses that will be in the ANSWER section - * when checking for IP rules. - */ -static isc_result_t -rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_db_t *ipdb; - isc_result_t result; - - st = client->query.rpz_st; - version = NULL; - ipdb = NULL; - if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv4) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_a)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a, - name, &ipdb, version, rdatasetp, - resuming); + /* + * Start with relative version of the full trigger name, + * and trim enough allow the addition of the suffix. + */ + dns_name_init(&prefix, prefix_offsets); + labels = dns_name_countlabels(trig_name); + first = 0; + for (;;) { + dns_name_getlabelsequence(trig_name, first, labels-first-1, + &prefix); + result = dns_name_concatenate(&prefix, suffix, p_name, NULL); if (result == ISC_R_SUCCESS) - st->state |= DNS_RPZ_DONE_IPv4; - } else { - result = ISC_R_SUCCESS; - } - if (result == ISC_R_SUCCESS && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv6) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa, - name, &ipdb, version, rdatasetp, - resuming); + return (ISC_R_SUCCESS); + INSIST(result == DNS_R_NAMETOOLONG); + /* + * Trim the trigger name until the combination is not too long. 
+ */ + if (labels-first < 2) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, + rpz_type, " concatentate()", result); + return (ISC_R_FAILURE); + } + /* + * Complain once about trimming the trigger name. + */ + if (first == 0) { + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, + rpz_type, " concatentate()", result); + } + ++first; } - if (ipdb != NULL) - dns_db_detach(&ipdb); - return (result); } /* - * Get the rrset from a response policy zone. + * Look in policy zone rpz for a policy of rpz_type by p_name. + * The self-name (usually the client qname or an NS name) is compared with + * the target of a CNAME policy for the old style passthru encoding. + * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, + * *rdatasetp, and *policyp. + * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. + * The caller must decide if the found policy is most suitable, including + * better than a previously found policy. + * If it is best, the caller records it in client->query.rpz_st->m. */ static isc_result_t -rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, - dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, - dns_rpz_policy_t *policyp) +rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, + dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_rpz_policy_t *policyp) { - dns_rpz_policy_t policy; - dns_fixedname_t fixed; + dns_fixedname_t foundf; dns_name_t *found; isc_result_t result; dns_clientinfomethods_t cm; 
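Review bot: The new log strings in rpz_get_p_name() read `" concatentate()"`, a typo for concatenate carried over from the replaced rpz_rewrite_name() code, and the new comment block has `keesp` and `trim enough allow the addition`; since the test harness matches `rpz.*failed` rather than the call name, the string can safely become `" concatenate()"` in both rpz_log_fail() calls, with the comments reading `keeps` and `trim enough to allow the addition`. The `INSIST(result == DNS_R_NAMETOOLONG)` after a failed `dns_name_concatenate()` means any other failure aborts the process instead of returning ISC_R_FAILURE, consistent with the old loop but worth a one-line comment stating that it is deliberate. The new rpz_find_p() header comment does not say what `*zonep`, `*dbp` and `*nodep` hold when the function returns DNS_R_NXDOMAIN or DNS_R_SERVFAIL; rpz_find_p()'s body continues past this hunk.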
@@ -4250,31 +4243,28 @@ REQUIRE(nodep != NULL); - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - - result = rpz_ready(client, zonep, dbp, nodep, rdatasetp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_ERROR; - return (result); - } - /* - * Try to get either a CNAME or the type of record demanded by the + * Try to find either a CNAME or the type of record demanded by the * request from the policy zone. */ + rpz_clean(zonep, dbp, nodep, rdatasetp); + result = rpz_ready(client, rdatasetp); + if (result != ISC_R_SUCCESS) + return (DNS_R_SERVFAIL); *versionp = NULL; - result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_MISS; + result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); + if (result != ISC_R_SUCCESS) return (DNS_R_NXDOMAIN); - } - - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); - result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0, + dns_fixedname_init(&foundf); + found = dns_fixedname_name(&foundf); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); + result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); + /* + * Choose the best rdataset if we found something. + */ if (result == ISC_R_SUCCESS) { dns_rdatasetiter_t *rdsiter; @@ -4282,10 +4272,8 @@ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, &rdsiter); if (result != ISC_R_SUCCESS) { - dns_db_detachnode(*dbp, nodep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - qnamef, "allrdatasets() ", result); - *policyp = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, + rpz_type, " allrdatasets()", result); return (DNS_R_SERVFAIL); } for (result = dns_rdatasetiter_first(rdsiter); 
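Review bot: With `dns_db_detachnode(*dbp, nodep)` removed from the allrdatasets failure path in the -4282 hunk, and the `dns_db_detach`/`dns_zone_detach` calls dropped from the later switch in this function, rpz_find_p() now returns DNS_R_SERVFAIL with `*zonep`, `*dbp` and possibly `*nodep` still attached, relying on the caller in rpz_rewrite_ip() to release them through `rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp)`; that ownership rule is stated nowhere near the function. Likewise `*policyp` is no longer written on the DNS_R_NXDOMAIN return after `rpz_getdb()` fails, nor on the DNS_R_SERVFAIL returns, where the old code stored DNS_RPZ_POLICY_MISS and DNS_RPZ_POLICY_ERROR, so callers must not read it for those results. Suggest adding to the header comment: `On DNS_R_NXDOMAIN and DNS_R_SERVFAIL *policyp is untouched and any zone, db or node acquired here is left for the caller to release with rpz_clean().` The body of rpz_find_p() continues beyond this hunk.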
@@ -4301,9 +4289,8 @@ if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOMORE) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, qnamef, "rdatasetiter ", - result); - *policyp = DNS_RPZ_POLICY_ERROR; + p_name, rpz_type, + " rdatasetiter", result); return (DNS_R_SERVFAIL); } /* @@ -4318,7 +4305,7 @@ qtype == dns_rdatatype_sig) result = DNS_R_NXRRSET; else - result = dns_db_findext(*dbp, qnamef, *versionp, + result = dns_db_findext(*dbp, p_name, *versionp, qtype, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); 
@@ -4327,162 +4314,476 @@ switch (result) { case ISC_R_SUCCESS: if ((*rdatasetp)->type != dns_rdatatype_cname) { - policy = DNS_RPZ_POLICY_RECORD; + *policyp = DNS_RPZ_POLICY_RECORD; } else { - policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname); - if ((policy == DNS_RPZ_POLICY_RECORD || - policy == DNS_RPZ_POLICY_WILDCNAME) && + *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, + self_name); + if ((*policyp == DNS_RPZ_POLICY_RECORD || + *policyp == DNS_RPZ_POLICY_WILDCNAME) && qtype != dns_rdatatype_cname && qtype != dns_rdatatype_any) - result = DNS_R_CNAME; + return (DNS_R_CNAME); } - break; + return (ISC_R_SUCCESS); case DNS_R_NXRRSET: - policy = DNS_RPZ_POLICY_NODATA; - break; + *policyp = DNS_RPZ_POLICY_NODATA; + return (result); case DNS_R_DNAME: /* * DNAME policy RRs have very few if any uses that are not - * better served with simple wildcards. Making the work would + * better served with simple wildcards. Making them work would * require complications to get the number of labels matched * in the name or the found name to the main DNS_R_DNAME case - * in query_find(). - */ - dns_rdataset_disassociate(*rdatasetp); - dns_db_detachnode(*dbp, nodep); - /* - * Fall through to treat it as a miss. + * in query_find(). The domain also does not appear in the + * summary database at the right level, so this happens only + * with a single policy zone when we have no summary database. + * Treat it as a miss. */ case DNS_R_NXDOMAIN: case DNS_R_EMPTYNAME: - /* - * If we don't get a qname hit, - * see if it is worth looking for other types. 
- */ - (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st); - dns_db_detach(dbp); - dns_zone_detach(zonep); - result = DNS_R_NXDOMAIN; - policy = DNS_RPZ_POLICY_MISS; - break; + return (DNS_R_NXDOMAIN); default: - dns_db_detach(dbp); - dns_zone_detach(zonep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef, + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); return (DNS_R_SERVFAIL); } +} - *policyp = policy; - return (result); +static void +rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, + isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_dbversion_t *version) +{ + dns_rdataset_t *trdataset; + + rpz_match_clear(st); + st->m.rpz = rpz; + st->m.type = rpz_type; + st->m.policy = policy; + dns_name_copy(p_name, st->p_name, NULL); + st->m.prefix = prefix; + st->m.result = result; + st->m.zone = *zonep; + *zonep = NULL; + st->m.db = *dbp; + *dbp = NULL; + st->m.node = *nodep; + *nodep = NULL; + if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { + /* + * Save the replacement rdataset from the policy + * and make the previous replacement rdataset scratch. + */ + trdataset = st->m.rdataset; + st->m.rdataset = *rdatasetp; + *rdatasetp = trdataset; + st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); + } else { + st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); + } + st->m.version = version; } /* - * Build and look for a QNAME or NSDNAME owner name in a response policy zone. + * Check this address in every eligible policy zone. 
*/ static isc_result_t -rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, - dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp) +rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { + dns_rpz_zones_t *rpzs; dns_rpz_st_t *st; dns_rpz_zone_t *rpz; - dns_fixedname_t prefixf, rpz_qnamef; - dns_name_t *prefix, *suffix, *rpz_qname; - dns_zone_t *zone; - dns_db_t *db; - dns_dbversion_t *version; - dns_dbnode_t *node; + dns_rpz_prefix_t prefix; + dns_rpz_num_t rpz_num; + dns_fixedname_t ip_namef, p_namef; + dns_name_t *ip_name, *p_name; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; dns_rpz_policy_t policy; - unsigned int labels; isc_result_t result; - st = client->query.rpz_st; - zone = NULL; - db = NULL; - node = NULL; + dns_fixedname_init(&ip_namef); + ip_name = dns_fixedname_name(&ip_namef); - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + rpzs = client->view->rpzs; + st = client->query.rpz_st; + while (zbits != 0) { + rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, + ip_name, &prefix); + if (rpz_num == DNS_RPZ_INVALID_NUM) + break; + zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); /* - * Do not check policy zones that cannot replace a policy - * already known to match. + * Do not try applying policy zones that cannot replace a + * previously found policy zone. + * Stop looking if the next best choice cannot + * replace what we already have. 
*/ + rpz = rpzs->zones[rpz_num]; if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.rpz->num < rpz->num) break; if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; + (st->m.type < rpz_type || + st->m.prefix > prefix)) + break; } + /* - * Construct the policy's owner name. + * Get the policy for a prefix at least as long + * as the prefix of the entry we had before. */ - dns_fixedname_init(&prefixf); - prefix = dns_fixedname_name(&prefixf); - dns_name_split(qname, 1, prefix, NULL); - if (rpz_type == DNS_RPZ_TYPE_NSDNAME) - suffix = &rpz->nsdname; - else - suffix = &rpz->origin; - dns_fixedname_init(&rpz_qnamef); - rpz_qname = dns_fixedname_name(&rpz_qnamef); - for (;;) { - result = dns_name_concatenate(prefix, suffix, - rpz_qname, NULL); - if (result == ISC_R_SUCCESS) - break; - INSIST(result == DNS_R_NAMETOOLONG); + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, ip_name, qtype, + p_name, rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + p_rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: /* - * Trim the name until it is not too long. + * Continue after a policy record that is missing + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. 
*/ - labels = dns_name_countlabels(prefix); - if (labels < 2) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, suffix, - "concatentate() ", result); - return (ISC_R_SUCCESS); - } - if (labels+1 == dns_name_countlabels(qname)) { - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, - rpz_type, suffix, - "concatentate() ", result); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + default: + /* + * Forget this policy if it is not preferable + * to the previously found policy. + * If this policy is not good, then stop looking + * because none of the later policy zones would work. + * + * With more than one applicable policy, prefer + * the earliest configured policy, + * client-IP over QNAME over IP over NSDNAME over NSIP, + * the longest prefix + * the lexically smallest address. + * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. + * We can compare new and current p_name because + * both are of the same type and in the same zone. + * The tests above eliminate other reasons to + * reject this policy. If this policy can't work, + * then neither can later zones. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + rpz->num == st->m.rpz->num && + (st->m.type == rpz_type && + st->m.prefix == prefix && + 0 > dns_name_rdatacompare(st->p_name, p_name))) + break; + + /* + * Stop checking after saving an enabled hit in this + * policy zone. The radix tree in the policy zone + * ensures that we found the longest match. + */ + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, prefix, result, + &p_zone, &p_db, &p_node, + p_rdatasetp, p_version); + break; } - dns_name_split(prefix, labels - 1, NULL, prefix); + + /* + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. 
+ */ + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + } + } + + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + return (ISC_R_SUCCESS); +} + +/* + * Check the IP addresses in the A or AAAA rrsets for name against + * all eligible rpz_type (IP or NSIP) response policy rewrite rules. + */ +static isc_result_t +rpz_rewrite_ip_rrset(ns_client_t *client, + dns_name_t *name, dns_rdatatype_t qtype, + dns_rpz_type_t rpz_type, dns_rdatatype_t ip_type, + dns_db_t **ip_dbp, dns_dbversion_t *ip_version, + dns_rdataset_t **ip_rdatasetp, + dns_rdataset_t **p_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_zbits_t zbits; + isc_netaddr_t netaddr; + struct in_addr ina; + struct in6_addr in6a; + isc_result_t result; + + zbits = rpz_get_zbits(client, ip_type, rpz_type); + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * Get the A or AAAA rdataset. + */ + result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp, + ip_version, ip_rdatasetp, resuming); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + break; + case DNS_R_EMPTYNAME: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + return (ISC_R_SUCCESS); + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + return (result); + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, + " NS address rewrite rrset", result); + return (ISC_R_SUCCESS); + default: + if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { + client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " NS address rewrite rrset", + result); + } + return (DNS_R_SERVFAIL); + } + + /* + * Check all of the IP addresses in the rdataset. 
+ */ + for (result = dns_rdataset_first(*ip_rdatasetp); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(*ip_rdatasetp)) { + + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(*ip_rdatasetp, &rdata); + switch (rdata.type) { + case dns_rdatatype_a: + INSIST(rdata.length == 4); + memcpy(&ina.s_addr, rdata.data, 4); + isc_netaddr_fromin(&netaddr, &ina); + break; + case dns_rdatatype_aaaa: + INSIST(rdata.length == 16); + memcpy(in6a.s6_addr, rdata.data, 16); + isc_netaddr_fromin6(&netaddr, &in6a); + break; + default: + continue; + } + + result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, + zbits, p_rdatasetp); + if (result != ISC_R_SUCCESS) + return (result); + } + + return (ISC_R_SUCCESS); +} + +/* + * Look for IP addresses in A and AAAA rdatasets + * that trigger all eligible IP or NSIP policy rules. + */ +static isc_result_t +rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rdataset_t **ip_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_st_t *st; + dns_dbversion_t *ip_version; + dns_db_t *ip_db; + dns_rdataset_t *p_rdataset; + isc_result_t result; + + st = client->query.rpz_st; + ip_version = NULL; + ip_db = NULL; + p_rdataset = NULL; + if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && + (qtype == dns_rdatatype_a || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on an IPv4 address that will appear + * in the ANSWER section or if we are checking IP addresses. 
+ */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_a, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + if (result == ISC_R_SUCCESS) + st->state |= DNS_RPZ_DONE_IPv4; + } else { + result = ISC_R_SUCCESS; + } + if (result == ISC_R_SUCCESS && + (qtype == dns_rdatatype_aaaa || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on IPv6 addresses that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_aaaa, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + } + if (ip_db != NULL) + dns_db_detach(&ip_db); + query_putrdataset(client, &p_rdataset); + return (result); +} + +/* + * Try to rewrite a request for a qtype rdataset based on the trigger name + * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). + * Record the results including the replacement rdataset if any + * in client->query.rpz_st. + * *rdatasetp is a scratch rdataset. + */ +static isc_result_t +rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t allowed_zbits, dns_rdataset_t **rdatasetp) +{ + dns_rpz_zone_t *rpz; + dns_rpz_st_t *st; + dns_fixedname_t p_namef; + dns_name_t *p_name; + dns_rpz_zbits_t zbits; + dns_rpz_num_t rpz_num; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + isc_result_t result; + + zbits = rpz_get_zbits(client, qtype, rpz_type); + zbits &= allowed_zbits; + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * If there is only one eligible policy zone, just check it. + * If more than one, then use the summary database to find + * the bit mask of policy zones with policies for this trigger name. 
+ * x&-x is the least significant bit set in x + */ + if (zbits != (zbits & (~zbits + 1))) { + zbits = dns_rpz_find_name(client->view->rpzs, + rpz_type, zbits, trig_name); + if (zbits == 0) + return (ISC_R_SUCCESS); + } + + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + st = client->query.rpz_st; + + /* + * Check the trigger name in every policy zone that the summary data + * says has a hit for the trigger name. + * Most of the time there are no eligible zones and the summary data + * keeps us from getting this far. + * We check the most eligible zone first and so usually check only + * one policy zone. + */ + for (rpz_num = 0; + zbits != 0; + ++rpz_num, zbits >>= 1) { + if ((zbits & 1) == 0) { + INSIST(rpz_num <= client->view->rpzs->p.num_zones); + continue; } /* - * See if the policy record exists and get its policy. + * Do not check policy zones that cannot replace a previously + * found policy. */ - result = rpz_find(client, qtype, rpz_qname, qname, rpz, - rpz_type, &zone, &db, &version, &node, - rdatasetp, &policy); + rpz = client->view->rpzs->zones[rpz_num]; + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.rpz->num < rpz->num) + break; + if (st->m.rpz->num == rpz->num && + st->m.type < rpz_type) + break; + } + + /* + * Get the next policy zone's record for this trigger name. + */ + result = rpz_get_p_name(client, p_name, rpz, rpz_type, + trig_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, trig_name, qtype, p_name, + rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: - break; + /* + * Continue after a missing policy record + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. 
+ */ + continue; case DNS_R_SERVFAIL: - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); default: /* - * We are dealing with names here. * With more than one applicable policy, prefer * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, + * client-IP over QNAME over IP over NSDNAME over NSIP, * and the smallest name. - * Because of the testing above, - * we known st->m.rpz->num >= rpz->num and either + * We known st->m.rpz->num >= rpz->num and either * st->m.rpz->num > rpz->num or st->m.type >= rpz_type */ if (st->m.policy != DNS_RPZ_POLICY_MISS && rpz->num == st->m.rpz->num && (st->m.type < rpz_type || (st->m.type == rpz_type && - 0 >= dns_name_compare(rpz_qname, st->qname)))) + 0 >= dns_name_compare(p_name, st->p_name)))) continue; #if 0 /* @@ -4505,11 +4806,12 @@ * names in TLDs that start with "rpz-" should * ICANN ever allow such TLDs. */ - labels = dns_name_countlabels(qname); + unsigned int labels; + labels = dns_name_countlabels(trig_name); if (labels >= 2) { dns_label_t label; - dns_name_getlabel(qname, labels-2, &label); + dns_name_getlabel(trig_name, labels-2, &label); if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 && strncasecmp((const char *)label.base+1, DNS_RPZ_PREFIX, 
@@ -4517,46 +4819,29 @@ continue; } #endif + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, 0, result, + &p_zone, &p_db, &p_node, + rdatasetp, p_version); + /* + * After a hit, higher numbered policy zones + * are irrelevant + */ + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + return (ISC_R_SUCCESS); + } /* - * Merely log DNS_RPZ_POLICY_DISABLED hits. + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - rpz_log_rewrite(client, ISC_TRUE, policy, - rpz_type, zone, rpz_qname); - continue; - } - - rpz_match_clear(st); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = 0; - st->m.policy = policy; - st->m.result = result; - dns_name_copy(rpz_qname, st->qname, NULL); - if (*rdatasetp != NULL && - dns_rdataset_isassociated(*rdatasetp)) { - dns_rdataset_t *trdataset; - - trdataset = st->m.rdataset; - st->m.rdataset = *rdatasetp; - *rdatasetp = trdataset; - st->m.ttl = ISC_MIN(st->m.rdataset->ttl, - rpz->max_policy_ttl); - } else { - st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, - rpz->max_policy_ttl); - } - st->m.node = node; - node = NULL; - st->m.db = db; - db = NULL; - st->m.version = version; - st->m.zone = zone; - zone = NULL; + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + break; } } - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); return (ISC_R_SUCCESS); } @@ -4569,7 +4854,7 @@ st = client->query.rpz_st; if (str != NULL) - rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname, + rpz_log_fail(client, level, nsname, DNS_RPZ_TYPE_NSIP, str, result); if (st->r.ns_rdataset != NULL && dns_rdataset_isassociated(st->r.ns_rdataset)) @@ -4589,7 +4874,8 @@ dns_rdataset_t *rdataset; dns_fixedname_t nsnamef; dns_name_t *nsname; - isc_boolean_t ck_ip; + int qresult_type; + dns_rpz_zbits_t zbits; isc_result_t result; st = client->query.rpz_st; 
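Review bot: The `rpz_clean(&p_zone, &p_db, &p_node, rdatasetp)` that follows `rpz_save_p()` is only right if rpz_save_p() takes over the zone/db/node references and nulls the locals, the way the removed inline code did with `node = NULL; db = NULL; zone = NULL;`, and nothing in the hunk states that contract. A comment such as `/* rpz_save_p() now owns p_zone/p_db/p_node; rpz_clean() only releases whatever it did not take */` would stop the next maintainer from "fixing" an apparently redundant call. rpz_save_p() is defined outside this chunk, so this assumes it mirrors the code it replaces; rpz_rewrite_name's head also lies outside the hunk.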
@@ -4603,10 +4889,10 @@ st->m.policy = DNS_RPZ_POLICY_MISS; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); - dns_fixedname_init(&st->_qnamef); + dns_fixedname_init(&st->_p_namef); dns_fixedname_init(&st->_r_namef); dns_fixedname_init(&st->_fnamef); - st->qname = dns_fixedname_name(&st->_qnamef); + st->p_name = dns_fixedname_name(&st->_p_namef); st->r_name = dns_fixedname_name(&st->_r_namef); st->fname = dns_fixedname_name(&st->_fnamef); client->query.rpz_st = st; @@ -4619,7 +4905,7 @@ case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: - ck_ip = ISC_TRUE; + qresult_type = 0; break; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: 
@@ -4629,73 +4915,155 @@ case DNS_R_NCACHENXRRSET: case DNS_R_CNAME: case DNS_R_DNAME: - ck_ip = ISC_FALSE; + qresult_type = 1; break; case DNS_R_DELEGATION: case ISC_R_NOTFOUND: - return (ISC_R_SUCCESS); + /* + * If recursion is on, do only tentative rewriting. + * If recursion is off, this the normal and only time we + * can rewrite. + */ + if (RECURSIONOK(client)) + qresult_type = 2; + else + qresult_type = 1; + break; case ISC_R_FAILURE: case ISC_R_TIMEDOUT: case DNS_R_BROKENCHAIN: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME, - client->query.qname, - "stop on qresult in rpz_rewrite() ", - qresult); + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, client->query.qname, + DNS_RPZ_TYPE_QNAME, + " stop on qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); default: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME, - client->query.qname, - "stop on unrecognized qresult in rpz_rewrite() ", + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, client->query.qname, + DNS_RPZ_TYPE_QNAME, + " stop on unrecognized qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); } rdataset = NULL; - if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + + if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) != + (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) { + isc_netaddr_t netaddr; + dns_rpz_zbits_t allowed; + + if (qresult_type == 2) { + /* + * This request needs recursion that has not been done. + * Get bits for the policy zones that do not need + * to wait for the results of recursion. + */ + allowed = client->view->rpzs->have.qname_skip_recurse; + if (allowed == 0) + return (ISC_R_SUCCESS); + } else { + allowed = DNS_RPZ_ALL_ZBITS; + } + /* - * Check rules for the query name if this is the first time - * for the current qname, i.e. we've not been recursing. - * There is a first time for each name in a CNAME chain. + * Check once for triggers for the client IP address. 
*/ - result = rpz_rewrite_name(client, qtype, client->query.qname, - DNS_RPZ_TYPE_QNAME, &rdataset); - if (result != ISC_R_SUCCESS) - goto cleanup; + if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { + zbits = rpz_get_zbits(client, dns_rdatatype_none, + DNS_RPZ_TYPE_CLIENT_IP); + zbits &= allowed; + if (zbits != 0) { + isc_netaddr_fromsockaddr(&netaddr, + &client->peeraddr); + result = rpz_rewrite_ip(client, &netaddr, qtype, + DNS_RPZ_TYPE_CLIENT_IP, + zbits, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + + /* + * Check triggers for the query name if this is the first time + * for the current qname. + * There is a first time for each name in a CNAME chain + */ + if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + result = rpz_rewrite_name(client, client->query.qname, + qtype, DNS_RPZ_TYPE_QNAME, + allowed, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + + /* + * Check IPv4 addresses in A RRs next. + * Reset to the start of the NS names. + */ + st->r.label = dns_name_countlabels(client->query.qname); + st->state &= ~(DNS_RPZ_DONE_QNAME_IP | + DNS_RPZ_DONE_IPv4); - st->r.label = dns_name_countlabels(client->query.qname); + } - st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); - st->state |= DNS_RPZ_DONE_QNAME; + /* + * Quit if this was an attempt to find a qname or + * client-IP trigger before recursion. + * We will be back if no pre-recursion triggers hit. + * For example, consider 2 policy zones, both with qname and + * IP address triggers. If the qname misses the 1st zone, + * then we cannot know whether a hit for the qname in the + * 2nd zone matters until after recursing to get the A RRs and + * testing them in the first zone. + * Do not bother saving the work from this attempt, + * because recusion is so slow. + */ + if (qresult_type == 2) + goto cleanup; + + /* + * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP + * is reset at the end of dealing with each CNAME. 
+ */ + st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME); } /* - * Check known IP addresses for the query name. + * Check known IP addresses for the query name if the database + * lookup resulted in some addresses (qresult_type == 0) + * and if we have not already checked them. * Any recursion required for the query has already happened. * Do not check addresses that will not be in the ANSWER section. */ - if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && - (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) { - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP, - client->query.qname, qtype, - &rdataset, resuming); + if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && qresult_type == 0 && + rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) { + result = rpz_rewrite_ip_rrsets(client, + client->query.qname, qtype, + DNS_RPZ_TYPE_IP, + &rdataset, resuming); if (result != ISC_R_SUCCESS) goto cleanup; - st->state &= ~DNS_RPZ_DONE_IPv4; + /* + * We are finished checking the IP addresses for the qname. + * Start with IPv4 if we will check NS IP addesses. + */ st->state |= DNS_RPZ_DONE_QNAME_IP; + st->state &= ~DNS_RPZ_DONE_IPv4; } /* - * Stop looking for rules if there are none of the other kinds. + * Stop looking for rules if there are none of the other kinds + * that could override what we already have. */ - if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 | - DNS_RPZ_HAVE_NSDNAME)) == 0) { + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) { result = ISC_R_SUCCESS; goto cleanup; } dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); - while (st->r.label > client->view->rpz_min_ns_labels) { + while (st->r.label > client->view->rpzs->p.min_ns_labels) { /* * Get NS rrset for each domain in the current qname. */ 
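Review bot: `qresult_type` is compared against the bare literals 0, 1 and 2 throughout this hunk (`qresult_type == 2` twice, `qresult_type == 0` once) and their meaning can only be recovered from the switch that assigns them. A small enum with constructed names along the lines of `enum { QRESULT_HAVE_RRS, QRESULT_NEGATIVE, QRESULT_NEED_RECURSE }` would make the three states self-describing at every comparison. The new comments also carry typos worth fixing while here: "recusion is so slow" and "NS IP addesses". rpz_rewrite's declarations and its cleanup label are outside this hunk.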
@@ -4709,8 +5077,8 @@ if (st->r.ns_rdataset == NULL || !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; - result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME, - nsname, dns_rdatatype_ns, + result = rpz_rrset_find(client, nsname, dns_rdatatype_ns, + DNS_RPZ_TYPE_NSDNAME, &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) @@ -4744,12 +5112,12 @@ case ISC_R_FAILURE: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_DEBUG_LEVEL3, - "NS db_find() "); + " NS db_find()"); continue; default: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_INFO_LEVEL, - "unrecognized NS db_find() "); + " unrecognized NS db_find()"); continue; } } @@ -4765,8 +5133,8 @@ dns_rdata_reset(&nsrdata); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - DNS_RPZ_TYPE_NSIP, nsname, - "rdata_tostruct() ", result); + nsname, DNS_RPZ_TYPE_NSIP, + " rdata_tostruct()", result); st->m.policy = DNS_RPZ_POLICY_ERROR; goto cleanup; } @@ -4782,11 +5150,11 @@ * Check this NS name if we did not handle it * during a previous recursion. */ - if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 && - (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) { - result = rpz_rewrite_name(client, qtype, - &ns.name, + if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { + result = rpz_rewrite_name(client, &ns.name, + qtype, DNS_RPZ_TYPE_NSDNAME, + DNS_RPZ_ALL_ZBITS, &rdataset); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&ns); @@ -4797,9 +5165,9 @@ /* * Check all IP addresses for this NS name. */ - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP, - &ns.name, dns_rdatatype_any, - &rdataset, resuming); + result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, + DNS_RPZ_TYPE_NSIP, + &rdataset, resuming); dns_rdata_freestruct(&ns); if (result != ISC_R_SUCCESS) goto cleanup; 
@@ -4809,10 +5177,16 @@ } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); st->r.label--; + + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) + break; } /* - * Use the best, if any, hit. + * Use the best hit, if any. */ result = ISC_R_SUCCESS; @@ -4827,7 +5201,7 @@ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && result != DNS_R_DELEGATION) rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { @@ -4846,19 +5220,25 @@ * by the client in DNSSEC or a lack of signatures. */ static isc_boolean_t -rpz_ck_dnssec(ns_client_t *client, isc_result_t result, +rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_fixedname_t fixed; dns_name_t *found; dns_rdataset_t trdataset; dns_rdatatype_t type; + isc_result_t result; - if (client->view->rpz_break_dnssec) + if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) return (ISC_TRUE); + /* - * sigrdataset == NULL if and only !WANTDNSSEC(client) + * We do not know if there are signatures if we have not recursed + * for them. */ + if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) + return (ISC_FALSE); + if (sigrdataset == NULL) return (ISC_TRUE); if (dns_rdataset_isassociated(sigrdataset)) @@ -4938,7 +5318,7 @@ if (result != ISC_R_SUCCESS) return (result); rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); ns_client_qnamereplace(client, fname); /* * Turn off DNSSEC because the results of a 
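Review bot: `client->view->rpzs->p.break_dnssec` dereferences `rpzs` without a check, so rpz_ck_dnssec() now relies on every caller having tested `client->view->rpzs != NULL` first; the one caller visible here (the query_find hunk at -5865) does, but a second caller would crash named. Adding `REQUIRE(client->view->rpzs != NULL);` at the top makes the precondition explicit, the same way configure_rpz_zone() does for `old`. The new early `return (ISC_FALSE)` for `DNS_R_DELEGATION`/`ISC_R_NOTFOUND` also means a client that wants DNSSEC never gets the pre-recursion qname/client-IP check that rpz_rewrite() introduces for `qresult_type == 2`; if that is intended, say so in the comment above it, e.g. `/* ... so DNSSEC-requesting queries are only rewritten after recursion */`.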
@@ -5865,13 +6245,140 @@ resume: CTRACE("query_find: resume"); - if (!ISC_LIST_EMPTY(client->view->rpz_zones) && - (RECURSIONOK(client) || !client->view->rpz_recursive_only) && + /* + * Rate limit these responses to this client. + * Do not delay counting and handling obvious referrals, + * since those won't come here again. + * Delay handling delegations for which we are certain to recurse and + * return here (DNS_R_DELEGATION, not a child of one of our + * own zones, and recursion enabled) + * Don't mess with responses rewritten by RPZ + * Count each response at most once. + */ + if (client->view->rrl != NULL && + ((fname != NULL && dns_name_isabsolute(fname)) || + (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) && + !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) && + (client->query.rpz_st == NULL || + (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&& + (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) { + dns_rdataset_t nc_rdataset; + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + isc_result_t nc_result, resp_result; + dns_rrl_result_t rrl_result; + + client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; + + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + tname = fname; + if (result == DNS_R_NXDOMAIN) { + /* + * Use the database origin name to rate limit NXDOMAIN + */ + if (db != NULL) + tname = dns_db_origin(db); + resp_result = result; + } else if (result == DNS_R_NCACHENXDOMAIN && + rdataset != NULL && + dns_rdataset_isassociated(rdataset) && + (rdataset->attributes & + DNS_RDATASETATTR_NEGATIVE) != 0) { + /* + * Try to use owner name in the negative cache SOA. 
+ */ + dns_fixedname_init(&fixed); + dns_rdataset_init(&nc_rdataset); + for (nc_result = dns_rdataset_first(rdataset); + nc_result == ISC_R_SUCCESS; + nc_result = dns_rdataset_next(rdataset)) { + dns_ncache_current(rdataset, + dns_fixedname_name(&fixed), + &nc_rdataset); + if (nc_rdataset.type == dns_rdatatype_soa) { + dns_rdataset_disassociate(&nc_rdataset); + tname = dns_fixedname_name(&fixed); + break; + } + dns_rdataset_disassociate(&nc_rdataset); + } + resp_result = DNS_R_NXDOMAIN; + } else if (result == DNS_R_NXRRSET || + result == DNS_R_EMPTYNAME) { + resp_result = DNS_R_NXRRSET; + } else if (result == DNS_R_DELEGATION) { + resp_result = result; + } else if (result == ISC_R_NOTFOUND) { + /* + * Handle referral to ".", including when recursion + * is off or not requested and the hints have not + * been loaded or we have "additional-from-cache no". + */ + tname = dns_rootname; + resp_result = DNS_R_DELEGATION; + } else { + resp_result = ISC_R_SUCCESS; + } + rrl_result = dns_rrl(client->view, &client->peeraddr, + ISC_TF((client->attributes + & NS_CLIENTATTR_TCP) != 0), + client->message->rdclass, qtype, tname, + resp_result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped or slipped responses in the query + * category so that requests are not silently lost. + * Starts of rate-limited bursts are logged in + * DNS_LOGCATEGORY_RRL. + * + * Dropped responses are counted with dropped queries + * in QryDropped while slipped responses are counted + * with other truncated responses in RespTruncated. 
+ */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_QUERY, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + if (!client->view->rrl->log_only) { + if (rrl_result == DNS_RRL_RESULT_DROP) { + /* + * These will also be counted in + * dns_nsstatscounter_dropped + */ + inc_stats(client, + dns_nsstatscounter_ratedropped); + QUERY_ERROR(DNS_R_DROP); + } else { + /* + * These will also be counted in + * dns_nsstatscounter_truncatedresp + */ + inc_stats(client, + dns_nsstatscounter_rateslipped); + client->message->flags |= + DNS_MESSAGEFLAG_TC; + if (resp_result == DNS_R_NXDOMAIN) + client->message->rcode = + dns_rcode_nxdomain; + } + goto cleanup; + } + } + } + + if (client->view->rpzs != NULL && + client->view->rpzs->p.num_zones != 0 && + (RECURSIONOK(client) || client->view->rpzs->p.no_rd_ok != 0) && rpz_ck_dnssec(client, result, rdataset, sigrdataset) && !RECURSING(client) && (client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && - !dns_name_equal(client->query.qname, dns_rootname)) { + !dns_name_equal(client->query.qname, dns_rootname)) + { isc_result_t rresult; rresult = rpz_rewrite(client, qtype, result, resuming); 
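Review bot: The rate-limit block is roughly 120 lines of response classification and accounting inlined at the `resume:` label of query_find, whose RPZ handling alone already spans the next several hunks; moving the `result` to `tname`/`resp_result` classification into a static helper (a constructed name such as `query_rrl_classify()`) and the drop/slip handling into another would keep query_find readable and make the NXDOMAIN-origin and negative-cache-SOA cases testable in isolation. A `DNS_R_NCACHENXDOMAIN` result whose rdataset is not associated or lacks `DNS_RDATASETATTR_NEGATIVE` falls through to `resp_result = ISC_R_SUCCESS` and is accounted as an ordinary response rather than an NXDOMAIN; if that combination cannot occur, a comment saying so would help, otherwise it should map to `DNS_R_NXDOMAIN` like the branch above it. Minor: `== 0)&&` is missing the space before `&&`.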
@@ -5909,12 +6416,17 @@ rpz_st->state |= DNS_RPZ_REWRITTEN; if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS && rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && + (rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY || + (client->attributes & NS_CLIENTATTR_TCP) == 0) && rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) { - result = dns_name_copy(client->query.qname, - fname, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - } + /* We got a hit and are going to answer with our + * fiction. Ensure that we answer with the name + * we looked up even if we were stopped short + * in recursion or for a deferral. + */ + rresult = dns_name_copy(client->query.qname, + fname, NULL); + RUNTIME_CHECK(rresult == ISC_R_SUCCESS); rpz_clean(&zone, &db, &node, NULL); if (rpz_st->m.rdataset != NULL) { query_putrdataset(client, &rdataset); @@ -5934,6 +6446,23 @@ rpz_st->m.zone = NULL; switch (rpz_st->m.policy) { + case DNS_RPZ_POLICY_TCP_ONLY: + client->message->flags |= DNS_MESSAGEFLAG_TC; + if (result == DNS_R_NXDOMAIN || + result == DNS_R_NCACHENXDOMAIN) + client->message->rcode = + dns_rcode_nxdomain; + else + result = ISC_R_SUCCESS; + rpz_log_rewrite(client, ISC_FALSE, + rpz_st->m.policy, + rpz_st->m.type, zone, + rpz_st->p_name); + goto cleanup; + case DNS_RPZ_POLICY_DROP: + result = ISC_R_SUCCESS; + QUERY_ERROR(DNS_R_DROP); + break; case DNS_RPZ_POLICY_NXDOMAIN: result = DNS_R_NXDOMAIN; break; @@ -5946,8 +6475,8 @@ result != DNS_R_CNAME) { /* * We will add all of the rdatasets of - * the node by iterating, setting the - * TTL then. + * the node by iterating later, + * and set the TTL then. */ if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); @@ -6002,7 +6531,7 @@ rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, - rpz_st->m.type, zone, rpz_st->qname); + rpz_st->m.type, zone, rpz_st->p_name); } } 
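Review bot: The new `DNS_RPZ_POLICY_TCP_ONLY` clause in the hit condition is easy to misread: a tcp-only hit is honoured only when `(client->attributes & NS_CLIENTATTR_TCP) == 0`, so a client already on TCP skips the rewrite and appears to fall through to the normal answer, which is the point of the policy but is stated nowhere. A comment above the condition, `/* tcp-only hits only truncate UDP answers to force a TCP retry; TCP clients get the normal answer */`, would capture that. The new comment block `/* We got a hit and are going to answer with our` also opens its text on the `/*` line, unlike the surrounding comments in this chunk, which put `/*` and `*/` on lines of their own.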
@@ -7318,12 +7847,14 @@ } if (eresult != ISC_R_SUCCESS && - (!PARTIALANSWER(client) || WANTRECURSION(client))) { + (!PARTIALANSWER(client) || WANTRECURSION(client) + || eresult == DNS_R_DROP)) { if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { /* * This was a duplicate query that we are - * recursing on. Don't send a response now. - * The original query will still cause a response. + * recursing on or the result of rate limiting. + * Don't send a response now for a duplicate query, + * because the original will still cause a response. */ query_next(client, eresult); } else { --- bind9-9.9.3.dfsg.P2.orig/bin/named/server.c +++ bind9-9.9.3.dfsg.P2/bin/named/server.c @@ -373,7 +373,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added); + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok); static isc_result_t add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx); @@ -1082,6 +1083,8 @@ mode = DNS_RDATASETATTR_FIXEDORDER; else if (!strcasecmp(str, "random")) mode = DNS_RDATASETATTR_RANDOMIZE; + else if (!strcasecmp(str, "random_1")) + mode = DNS_RDATASETATTR_RANDOMIZE|DNS_RDATASETATTR_SINGLE; else if (!strcasecmp(str, "cyclic")) mode = 0; else 
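Review bot: The added `|| eresult == DNS_R_DROP` line puts the operator at the start of the continuation line, while the surrounding conditions in this chunk (including `(!PARTIALANSWER(client) || WANTRECURSION(client)` directly above and the multi-line `&&` chains in the rate-limit hunk) end the line with the operator; `(!PARTIALANSWER(client) || WANTRECURSION(client) ||` followed by `eresult == DNS_R_DROP)) {` matches the house style. The revised comment mentions "the result of rate limiting" but its second sentence only explains the duplicate case; a short clause such as "rate-limited responses are dropped deliberately" would close the gap. The enclosing function starts outside this hunk.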
@@ -1549,17 +1552,24 @@ } static isc_result_t -configure_rpz(dns_view_t *view, const cfg_listelt_t *element, - isc_boolean_t recursive_only_def, dns_ttl_t ttl_def) +configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, + isc_boolean_t recursive_only_def, dns_ttl_t ttl_def, + const dns_rpz_zone_t *old, isc_boolean_t *old_rpz_okp) { const cfg_obj_t *rpz_obj, *obj; const char *str; - dns_rpz_zone_t *old, *new; + dns_rpz_zone_t *new; isc_result_t result; + dns_rpz_num_t rpz_num; + + REQUIRE(old != NULL || !*old_rpz_okp); rpz_obj = cfg_listelt_value(element); - new = isc_mem_get(view->mctx, sizeof(*new)); + if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) + return (ISC_R_NOMEMORY); + + new = isc_mem_get(view->rpzs->mctx, sizeof(*new)); if (new == NULL) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "no memory for response policy zones"); 
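Review bot: The new `DNS_RPZ_MAX_ZONES` guard returns `ISC_R_NOMEMORY` without a log line, so an operator who configures one zone too many sees a generic out-of-memory failure with no hint that the zone count is the cause, while the allocation failure immediately below does call `cfg_obj_log(rpz_obj, ...)`. Log it the same way before returning, e.g. `cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "too many response policy zones");`, and consider a result code that names a limit rather than memory exhaustion (libisc's ISC_R_QUOTA) if no caller keys on ISC_R_NOMEMORY. The `REQUIRE(old != NULL || !*old_rpz_okp)` precondition is good; the function's body continues past this hunk.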
@@ -1567,20 +1577,29 @@ } memset(new, 0, sizeof(*new)); + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + isc_mem_put(view->rpzs->mctx, new, sizeof(*new)); + return (result); + } dns_name_init(&new->origin, NULL); + dns_name_init(&new->client_ip, NULL); + dns_name_init(&new->ip, NULL); dns_name_init(&new->nsdname, NULL); + dns_name_init(&new->nsip, NULL); dns_name_init(&new->passthru, NULL); + dns_name_init(&new->drop, NULL); + dns_name_init(&new->tcp_only, NULL); dns_name_init(&new->cname, NULL); - ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link); + new->num = view->rpzs->p.num_zones++; + view->rpzs->zones[new->num] = new; obj = cfg_tuple_get(rpz_obj, "recursive-only"); - if (cfg_obj_isvoid(obj)) { - new->recursive_only = recursive_only_def; + if (cfg_obj_isvoid(obj) ? recursive_only_def : cfg_obj_asboolean(obj)) { + view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(new->num); } else { - new->recursive_only = cfg_obj_asboolean(obj); + view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(new->num); } - if (!new->recursive_only) - view->rpz_recursive_only = ISC_FALSE; obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); if (cfg_obj_isuint32(obj)) { @@ -1588,6 +1607,8 @@ } else { new->max_policy_ttl = ttl_def; } + if (*old_rpz_okp && new->max_policy_ttl != old->max_policy_ttl) + *old_rpz_okp = ISC_FALSE; str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name")); result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone"); 
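Review bot: `new->num = view->rpzs->p.num_zones++; view->rpzs->zones[new->num] = new;` registers the zone in the view before any of its names have been validated, yet the later failure paths of this function (`return (DNS_R_EMPTYLABEL)` and `return (DNS_R_DUPLICATE)` in the next hunk, and each `configure_rpz_name2()` error) return without unregistering it, so a partly initialised zone with a reference count of 1 stays in `zones[]`. If the caller tears down `view->rpzs` on any failure this is harmless but should be said at the registration, e.g. `/* registered before validation; the caller discards the whole rpzs on error */`; otherwise registration belongs after the name checks. Only the `isc_refcount_init()` failure path frees `new` itself, and that runs before registration. configure_rpz_zone's head and tail are outside this hunk.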
@@ -1598,25 +1619,50 @@ "invalid zone name '%s'", str); return (DNS_R_EMPTYLABEL); } - for (old = ISC_LIST_HEAD(view->rpz_zones); - old != new; - old = ISC_LIST_NEXT(old, link)) { - ++new->num; - if (dns_name_equal(&old->origin, &new->origin)) { + for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones-1; ++rpz_num) { + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, + &new->origin)) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "duplicate '%s'", str); result = DNS_R_DUPLICATE; return (result); } } + if (*old_rpz_okp && !dns_name_equal(&old->origin, &new->origin)) + *old_rpz_okp = ISC_FALSE; + + result = configure_rpz_name2(view, rpz_obj, &new->client_ip, + DNS_RPZ_CLIENT_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name2(view, rpz_obj, &new->ip, + DNS_RPZ_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); result = configure_rpz_name2(view, rpz_obj, &new->nsdname, DNS_RPZ_NSDNAME_ZONE, &new->origin); if (result != ISC_R_SUCCESS) return (result); + result = configure_rpz_name2(view, rpz_obj, &new->nsip, + DNS_RPZ_NSIP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + result = configure_rpz_name(view, rpz_obj, &new->passthru, - DNS_RPZ_PASSTHRU_ZONE, "zone"); + DNS_RPZ_PASSTHRU_NAME, "name"); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name(view, rpz_obj, &new->drop, + DNS_RPZ_DROP_NAME, "name"); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name(view, rpz_obj, &new->tcp_only, + DNS_RPZ_TCP_ONLY_NAME, "name"); if (result != ISC_R_SUCCESS) return (result); 
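Review bot: The duplicate-origin loop bound `rpz_num < view->rpzs->p.num_zones-1` excludes `new` only because the previous hunk appended `new` as the last element of `zones[]`; that coupling is invisible here and, if dns_rpz_num_t is unsigned, the expression would wrap should `num_zones` ever be 0. `for (rpz_num = 0; rpz_num < new->num; ++rpz_num)` states the intent directly, since `new->num` is the index of the entry being configured. The `old_rpz_okp` comparisons against `old->origin` are safe because the `REQUIRE` earlier in the function guarantees `old != NULL` whenever `*old_rpz_okp` is true.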
@@ -1635,10 +1681,282 @@ return (result); } } + if (*old_rpz_okp && (new->policy != old->policy || + !dns_name_equal(&old->cname, &new->cname))) + *old_rpz_okp = ISC_FALSE; + + return (ISC_R_SUCCESS); +} + +static isc_result_t +configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj, + isc_boolean_t *old_rpz_okp) +{ + const cfg_listelt_t *zone_element; + const cfg_obj_t *sub_obj; + isc_boolean_t recursive_only_def; + dns_ttl_t ttl_def; + dns_rpz_zones_t *new; + const dns_rpz_zones_t *old; + dns_view_t *pview; + const dns_rpz_zone_t *old_zone; + isc_result_t result; + int i; + + *old_rpz_okp = ISC_FALSE; + + zone_element = cfg_list_first(cfg_tuple_get(rpz_obj, "zone list")); + if (zone_element == NULL) + return (ISC_R_SUCCESS); + + result = dns_rpz_new_zones(&view->rpzs, view->mctx); + if (result != ISC_R_SUCCESS) + return (result); + new = view->rpzs; + + sub_obj = cfg_tuple_get(rpz_obj, "recursive-only"); + if (!cfg_obj_isvoid(sub_obj) && + !cfg_obj_asboolean(sub_obj)) + recursive_only_def = ISC_FALSE; + else + recursive_only_def = ISC_TRUE; + + sub_obj = cfg_tuple_get(rpz_obj, "break-dnssec"); + if (!cfg_obj_isvoid(sub_obj) && + cfg_obj_asboolean(sub_obj)) + new->p.break_dnssec = ISC_TRUE; + else + new->p.break_dnssec = ISC_FALSE; + + sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); + if (cfg_obj_isuint32(sub_obj)) + ttl_def = cfg_obj_asuint32(sub_obj); + else + ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; + + sub_obj = cfg_tuple_get(rpz_obj, "min-ns-dots"); + if (cfg_obj_isuint32(sub_obj)) + new->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1; + else + new->p.min_ns_labels = 2; + + sub_obj = cfg_tuple_get(rpz_obj, "qname-wait-recurse"); + if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) + new->p.qname_wait_recurse = ISC_TRUE; + else + new->p.qname_wait_recurse = ISC_FALSE; + + pview = NULL; + result = dns_viewlist_find(&ns_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result == ISC_R_SUCCESS) { + old = pview->rpzs; + } else { + old = NULL; 
+ } + if (old == NULL) + *old_rpz_okp = ISC_FALSE; + else + *old_rpz_okp = ISC_TRUE; + + for (i = 0; + zone_element != NULL; + ++i, zone_element = cfg_list_next(zone_element)) { + if (*old_rpz_okp && i < old->p.num_zones) { + old_zone = old->zones[i]; + } else { + *old_rpz_okp = ISC_FALSE; + old_zone = NULL; + } + result = configure_rpz_zone(view, zone_element, + recursive_only_def, ttl_def, + old_zone, old_rpz_okp); + if (result != ISC_R_SUCCESS) { + if (pview != NULL) + dns_view_detach(&pview); + return (result); + } + } + + /* + * If this is a reloading and the parameters and list of policy + * zones are unchanged, then use the same policy data. + * Data for individual zones that must be reloaded will be merged. + */ + if (old != NULL && memcmp(&old->p, &new->p, sizeof(new->p)) != 0) + *old_rpz_okp = ISC_FALSE; + if (*old_rpz_okp) { + dns_rpz_detach_rpzs(&view->rpzs); + dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs); + } + if (pview != NULL) + dns_view_detach(&pview); return (ISC_R_SUCCESS); } +#define CHECK_RRL(cond, pat, val1, val2) \ + do { \ + if (!(cond)) { \ + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, \ + pat, val1, val2); \ + result = ISC_R_RANGE; \ + goto cleanup; \ + } \ + } while (0) + +#define CHECK_RRL_RATE(rate, def, max_rate, name) \ + do { \ + obj = NULL; \ + rrl->rate.str = name; \ + result = cfg_map_get(map, name, &obj); \ + if (result == ISC_R_SUCCESS) { \ + rrl->rate.r = cfg_obj_asuint32(obj); \ + CHECK_RRL(rrl->rate.r <= max_rate, \ + name" %d > %d", \ + rrl->rate.r, max_rate); \ + } else { \ + rrl->rate.r = def; \ + } \ + rrl->rate.scaled = rrl->rate.r; \ + } while (0) + +static isc_result_t +configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) { + const cfg_obj_t *obj; + dns_rrl_t *rrl; + isc_result_t result; + int min_entries, i, j; + + /* + * Most DNS servers have few clients, but intentinally open + * recursive and authoritative servers often have many. 
+ * So start with a small number of entries unless told otherwise + * to reduce cold-start costs. + */ + min_entries = 500; + obj = NULL; + result = cfg_map_get(map, "min-table-size", &obj); + if (result == ISC_R_SUCCESS) { + min_entries = cfg_obj_asuint32(obj); + if (min_entries < 1) + min_entries = 1; + } + result = dns_rrl_init(&rrl, view, min_entries); + if (result != ISC_R_SUCCESS) + return (result); + + i = ISC_MAX(20000, min_entries); + obj = NULL; + result = cfg_map_get(map, "max-table-size", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= min_entries, + "max-table-size %d < min-table-size %d", + i, min_entries); + } + rrl->max_entries = i; + + CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE, + "responses-per-second"); + CHECK_RRL_RATE(referrals_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "referrals-per-second"); + CHECK_RRL_RATE(nodata_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nodata-per-second"); + CHECK_RRL_RATE(nxdomains_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nxdomains-per-second"); + CHECK_RRL_RATE(errors_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "errors-per-second"); + + CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, + "all-per-second"); + + CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, + "slip"); + + i = 15; + obj = NULL; + result = cfg_map_get(map, "window", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW, + "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW); + } + rrl->window = i; + + i = 0; + obj = NULL; + result = cfg_map_get(map, "qps-scale", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, ""); + } + rrl->qps_scale = i; + rrl->qps = 1.0; + + i = 24; + obj = NULL; + result = cfg_map_get(map, "ipv4-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); 
+ CHECK_RRL(i >= 8 && i <= 32, + "invalid 'ipv4-prefix-length %d'%s", i, ""); + } + rrl->ipv4_prefixlen = i; + if (i == 32) + rrl->ipv4_mask = 0xffffffff; + else + rrl->ipv4_mask = htonl(0xffffffff << (32-i)); + + i = 56; + obj = NULL; + result = cfg_map_get(map, "ipv6-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX, + "ipv6-prefix-length %d < 16 or > %d", + i, DNS_RRL_MAX_PREFIX); + } + rrl->ipv6_prefixlen = i; + for (j = 0; j < 4; ++j) { + if (i <= 0) { + rrl->ipv6_mask[j] = 0; + } else if (i < 32) { + rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i)); + } else { + rrl->ipv6_mask[j] = 0xffffffff; + } + i -= 32; + } + + obj = NULL; + result = cfg_map_get(map, "exempt-clients", &obj); + if (result == ISC_R_SUCCESS) { + result = cfg_acl_fromconfig(obj, config, ns_g_lctx, + ns_g_aclconfctx, ns_g_mctx, + 0, &rrl->exempt); + CHECK_RRL(result == ISC_R_SUCCESS, + "invalid %s%s", "address match list", ""); + } + + obj = NULL; + result = cfg_map_get(map, "log-only", &obj); + if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj)) + rrl->log_only = ISC_TRUE; + else + rrl->log_only = ISC_FALSE; + + return (ISC_R_SUCCESS); + + cleanup: + dns_rrl_view_destroy(view); + return (result); +} + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. @@ -1705,7 +2023,7 @@ dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL; unsigned int query_timeout, ndisp; struct cfg_context *nzctx; - dns_rpz_zone_t *rpz; + isc_boolean_t old_rpz_ok = ISC_FALSE; REQUIRE(DNS_VIEW_VALID(view)); 
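Review bot: In configure_rrl, `min_entries = cfg_obj_asuint32(obj);` and the later `i = cfg_obj_asuint32(obj);` narrow a 32-bit unsigned config value into `int`; a value above INT_MAX becomes negative, the `min_entries < 1` clamp then silently turns it into 1, and the `max-table-size` check rejects it with a misleading negative `%d` in the log message. Bounding the raw value before narrowing, e.g. `CHECK_RRL(cfg_obj_asuint32(obj) <= INT_MAX, "min-table-size %u > %d", cfg_obj_asuint32(obj), INT_MAX);`, or keeping these in an unsigned type, would make the rejection explicit. Separately, in configure_rpz the `memcmp(&old->p, &new->p, sizeof(new->p))` compares struct padding along with the fields, so unless dns_rpz_new_zones zero-fills the structure a reload may spuriously discard the reusable policy data (the safe direction, but worth a comment). The `exempt-clients` branch overwrites the cfg_acl_fromconfig error with ISC_R_RANGE via CHECK_RRL, losing the real reason, and the comment typo `intentinally` should read `intentionally`.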
@@ -1810,44 +2128,7 @@
 obj = NULL;
 if (view->rdclass == dns_rdataclass_in && need_hints &&
 ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
- const cfg_obj_t *rpz_obj;
- isc_boolean_t recursive_only_def;
- dns_ttl_t ttl_def;
-
- rpz_obj = cfg_tuple_get(obj, "recursive-only");
- if (!cfg_obj_isvoid(rpz_obj) &&
- !cfg_obj_asboolean(rpz_obj))
- recursive_only_def = ISC_FALSE;
- else
- recursive_only_def = ISC_TRUE;
-
- rpz_obj = cfg_tuple_get(obj, "break-dnssec");
- if (!cfg_obj_isvoid(rpz_obj) &&
- cfg_obj_asboolean(rpz_obj))
- view->rpz_break_dnssec = ISC_TRUE;
- else
- view->rpz_break_dnssec = ISC_FALSE;
-
- rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
- if (cfg_obj_isuint32(rpz_obj))
- ttl_def = cfg_obj_asuint32(rpz_obj);
- else
- ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
- rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
- if (cfg_obj_isuint32(rpz_obj))
- view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
- else
- view->rpz_min_ns_labels = 2;
-
- element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
- while (element != NULL) {
- result = configure_rpz(view, element,
- recursive_only_def, ttl_def);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- element = cfg_list_next(element);
- }
+ CHECK(configure_rpz(view, obj, &old_rpz_ok));
 }
 
 /*
@@ -1868,22 +2149,29 @@ { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, - actx, ISC_FALSE)); + actx, ISC_FALSE, old_rpz_ok)); } - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (!rpz->defined) { - char namebuf[DNS_NAME_FORMATSIZE]; + /* + * Check that a master or slave zone was found for each + * zone named in the response policy statement. + */ + if (view->rpzs != NULL) { + dns_rpz_num_t n; - dns_name_format(&rpz->origin, namebuf, sizeof(namebuf)); - cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, - "'%s' is not a master or slave zone", - namebuf); - result = ISC_R_NOTFOUND; - goto cleanup; + for (n = 0; n < view->rpzs->p.num_zones; ++n) + { + if ((view->rpzs->defined & DNS_RPZ_ZBIT(n)) == 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(&view->rpzs->zones[n]->origin, + namebuf, sizeof(namebuf)); + cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, + "'%s' is not a master or slave zone", + namebuf); + result = ISC_R_NOTFOUND; + goto cleanup; + } } } @@ -1909,7 +2197,7 @@ const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, actx, - ISC_TRUE)); + ISC_TRUE, ISC_FALSE)); } } @@ -2144,6 +2432,18 @@ if (view->maxncachettl > 7 * 24 * 3600) view->maxncachettl = 7 * 24 * 3600; + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-ncache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->minncachettl = cfg_obj_asuint32(obj); + if (view->minncachettl > 7 * 24 * 3600) + view->minncachettl = 7 * 24 * 3600; + /* * Configure the view's cache. * 
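Review bot: The new `min-cache-ttl` / `min-ncache-ttl` handling clamps `view->minncachettl` to seven days to mirror the `maxncachettl` clamp just above it, but `view->mincachettl` gets no clamp and neither minimum is checked against its maximum, so a configuration with `min-cache-ttl` larger than `max-cache-ttl` is accepted here and the result depends on how the cache consumes the two fields, which this chunk does not show. If the consumer does not reconcile them, flagging the inversion at this point, e.g. `if (view->mincachettl > view->maxcachettl) cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, "min-cache-ttl exceeds max-cache-ttl");` and the same for the ncache pair, would keep the view's TTL bounds consistent. The enclosing function starts and ends outside this hunk.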
@@ -3043,6 +3343,14 @@ } } + obj = NULL; + result = ns_config_get(maps, "rate-limit", &obj); + if (result == ISC_R_SUCCESS) { + result = configure_rrl(view, config, obj); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + result = ISC_R_SUCCESS; cleanup: @@ -3375,7 +3683,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added) + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ @@ -3396,8 +3705,7 @@ const char *zname; dns_rdataclass_t zclass; const char *ztypestr; - isc_boolean_t is_rpz; - dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; options = NULL; (void)cfg_map_get(config, "options", &options); @@ -3559,18 +3867,15 @@ INSIST(dupzone == NULL); /* - * Note whether this is a response policy zone. + * Note whether this is a response policy zone and which one if so. */ - is_rpz = ISC_FALSE; - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (dns_name_equal(&rpz->origin, origin)) { - is_rpz = ISC_TRUE; - rpz->defined = ISC_TRUE; + for (rpz_num = 0; ; ++rpz_num) { + if (view->rpzs == NULL || rpz_num >= view->rpzs->p.num_zones) { + rpz_num = DNS_RPZ_INVALID_NUM; break; } + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, origin)) + break; } /* @@ -3581,7 +3886,9 @@ * - The zone is compatible with the config * options (e.g., an existing master zone cannot * be reused if the options specify a slave zone) - * - The zone was and is or was not and is not a policy zone + * - The zone was not and is still not a response policy zone + * or the zone is a policy zone with an unchanged number + * and we are using the old policy zone summary data. */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); 
@@ -3595,7 +3902,8 @@ if (zone != NULL && !ns_zone_reusable(zone, zconfig)) dns_zone_detach(&zone); - if (zone != NULL && is_rpz != dns_zone_get_rpz(zone)) + if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) || + (rpz_num != DNS_RPZ_INVALID_NUM && !old_rpz_ok))) dns_zone_detach(&zone); if (zone != NULL) { @@ -3620,8 +3928,8 @@ dns_zone_setstats(zone, ns_g_server->zonestats); } - if (is_rpz) { - result = dns_zone_rpz_enable(zone); + if (rpz_num != DNS_RPZ_INVALID_NUM) { + result = dns_zone_rpz_enable(zone, view->rpzs, rpz_num); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -5730,10 +6038,6 @@ ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); - CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, - ns_g_engine, ISC_ENTROPY_GOODONLY), - "initializing DST"); - server->tkeyctx = NULL; CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), @@ -5880,8 +6184,6 @@ if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); - dst_lib_destroy(); - isc_event_free(&server->reload_event); INSIST(ISC_LIST_EMPTY(server->viewlist)); @@ -7834,7 +8136,8 @@ RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_view_thaw(view); result = configure_zone(cfg->config, parms, vconfig, - server->mctx, view, cfg->actx, ISC_FALSE); + server->mctx, view, cfg->actx, ISC_FALSE, + ISC_FALSE); dns_view_freeze(view); isc_task_endexclusive(server->task); if (result != ISC_R_SUCCESS) --- bind9-9.9.3.dfsg.P2.orig/bin/named/statschannel.c +++ bind9-9.9.3.dfsg.P2/bin/named/statschannel.c 
@@ -206,6 +206,10 @@ SET_NSSTATDESC(updatebadprereq, "updates rejected due to prerequisite failure", "UpdateBadPrereq"); + SET_NSSTATDESC(ratedropped, "responses dropped for rate limits", + "RateDropped"); + SET_NSSTATDESC(rateslipped, "responses truncated for rate limits", + "RateSlipped"); SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites", "RPZRewrites"); INSIST(i == dns_nsstatscounter_max); --- bind9-9.9.3.dfsg.P2.orig/bin/tests/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/named.conf @@ -54,6 +54,7 @@ memstatistics-file "named.memstats"; // _PATH_MEMSTATS max-cache-ttl 999; + min-cache-ttl 666; auth-nxdomain yes; // always set AA on NXDOMAIN. // don't set this to 'no' unless // you know what you're doing -- older @@ -155,6 +156,7 @@ min-refresh-time 777; max-ncache-ttl 333; + min-ncache-ttl 222; min-roots 15; serial-queries 34; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/Makefile.in +++ bind9-9.9.3.dfsg.P2/bin/tests/system/Makefile.in @@ -21,7 +21,7 @@ @BIND9_MAKE_INCLUDES@ -SUBDIRS = dlzexternal filter-aaaa lwresd rpz rsabigexponent tkey tsiggss +SUBDIRS = filter-aaaa lwresd rpz rsabigexponent tkey tsiggss TARGETS = @BIND9_MAKE_RULES@ --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/README +++ bind9-9.9.3.dfsg.P2/bin/tests/system/README @@ -17,6 +17,7 @@ nsupdate/ Dynamic update and IXFR tests resolver/ Regression tests for resolver bugs that have been fixed (not a complete resolver test suite) + rrl/ query rate limiting rpz/ Tests of response policy zone (RPZ) rewriting stub/ Tests of stub zone functionality unknown/ Unknown type and class tests --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/conf.sh.in +++ bind9-9.9.3.dfsg.P2/bin/tests/system/conf.sh.in 
@@ -62,7 +62,7 @@ database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa formerr forward glue gost ixfr inline limits logfileconfig lwresd masterfile masterformat metadata notify nsupdate pending - pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent + pkcs11 redirect resolver rndc rpz rrl rrsetorder rsabigexponent smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown upforwd verify views wildcard xfer xferquota zonechecks" --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/Makefile +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/Makefile 
@@ -0,0 +1,478 @@ +# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + + +srcdir = . + +top_srcdir = ../../../.. + +VERSION=9.10.0pre-alpha + +# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1999-2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: includes.in,v 1.21 2007/06/19 23:47:24 tbox Exp $ + +# Search for machine-generated header files in the build tree, +# and for normal headers in the source tree (${top_srcdir}). 
+# We only need to look in OS-specific subdirectories for the +# latter case, because there are no machine-generated OS-specific +# headers. + +ISC_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isc/include \ + -I${top_srcdir}/lib/isc \ + -I${top_srcdir}/lib/isc/include \ + -I${top_srcdir}/lib/isc/unix/include \ + -I${top_srcdir}/lib/isc/pthreads/include \ + -I${top_srcdir}/lib/isc/x86_32/include + +ISCCC_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isccc/include \ + -I${top_srcdir}/lib/isccc/include + +ISCCFG_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isccfg/include \ + -I${top_srcdir}/lib/isccfg/include + +DNS_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/dns/include \ + -I${top_srcdir}/lib/dns/include + +LWRES_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/lwres/include \ + -I${top_srcdir}/lib/lwres/unix/include \ + -I${top_srcdir}/lib/lwres/include + +BIND9_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/bind9/include \ + -I${top_srcdir}/lib/bind9/include + +TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include + +CINCLUDES = + +CDEFINES = +CWARNINGS = + +DNSLIBS = +ISCLIBS = . + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -liconv -lm + +TARGETS = rpz + +RPZOBJS = rpz.o + +SRCS = rpz.c + +# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +### +### Common Makefile rules for BIND 9. +### + +### +### Paths +### +### Note: paths that vary by Makefile MUST NOT be listed +### here, or they won't get expanded correctly. + +prefix = /usr +exec_prefix = ${prefix} +bindir = ${exec_prefix}/bin +sbindir = ${exec_prefix}/sbin +includedir = ${prefix}/include +libdir = ${exec_prefix}/lib +sysconfdir = /etc/namedb +localstatedir = ${prefix}/var +mandir = ${datarootdir}/man +datarootdir = ${prefix}/share + +DESTDIR = + + + +top_builddir = /usr/home/vjs/isc/work/rpz3 + +### +### All +### +### Makefile may define: +### TARGETS + +all: subdirs ${TARGETS} testdirs + +### +### Subdirectories +### +### Makefile may define: +### SUBDIRS + +ALL_SUBDIRS = ${SUBDIRS} nulldir +ALL_TESTDIRS = ${TESTDIRS} nulldir + +# +# We use a single-colon rule so that additional dependencies of +# subdirectories can be specified after the inclusion of this file. +# The "depend" and "testdirs" targets are treated the same way. 
+# +subdirs: + @for i in ${ALL_SUBDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making all in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \ + fi; \ + done + +# +# Tests are built after the targets instead of before +# +testdirs: + @for i in ${ALL_TESTDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making all in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \ + fi; \ + done + +install:: all + +install clean distclean maintainer-clean doc docclean man manclean:: + @for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making $@ in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \ + fi; \ + done + +### +### C Programs +### +### Makefile must define +### CC +### Makefile may define +### CFLAGS +### LDFLAGS +### CINCLUDES +### CDEFINES +### CWARNINGS +### User may define externally +### EXT_CFLAGS + +CC = gcc -pthread +CFLAGS = -g -I/usr/local/include/libxml2 -I/usr/local/include +LDFLAGS = +STD_CINCLUDES = +STD_CDEFINES = -D_THREAD_SAFE +STD_CWARNINGS = -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing + +BUILD_CC = gcc -pthread +BUILD_CFLAGS = -g -I/usr/local/include/libxml2 -I/usr/local/include +BUILD_CPPFLAGS = +BUILD_LDFLAGS = +BUILD_LIBS = -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -liconv -lm + +.SUFFIXES: +.SUFFIXES: .c .o + +ALWAYS_INCLUDES = -I${top_builddir} +ALWAYS_DEFINES = -D_REENTRANT +ALWAYS_WARNINGS = + +ALL_CPPFLAGS = \ + ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ + ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} + +ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \ + ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS} + +.c.o: + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $< + +SHELL = /bin/sh +LIBTOOL = +LIBTOOL_MODE_COMPILE = ${LIBTOOL} +LIBTOOL_MODE_INSTALL = ${LIBTOOL} +LIBTOOL_MODE_LINK = 
${LIBTOOL} +PURIFY = + +MKDEP = ${SHELL} ${top_builddir}/make/mkdep + +### +### This is a template compound command to build an executable binary with +### an internal symbol table. +### This process is tricky. We first link all objects including a tentative +### empty symbol table, then get a tentative list of symbols from the resulting +### binary ($@tmp0). Next, we re-link all objects, but this time with the +### symbol table just created ($tmp@1). The set of symbols should be the same, +### but the corresponding addresses would be changed due to the difference on +### the size of symbol tables. So we create the symbol table and re-create the +### objects once again. Finally, we check the symbol table embedded in the +### final binaryis consistent with the binary itself; otherwise the process is +### terminated. +### +### To minimize the overhead of creating symbol tables, the autoconf switch +### --enable-symtable takes an argument so that the symbol table can be created +### on a per application basis: unless the argument is set to "all", the symbol +### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is +### set to a non-null value in the rule to build the executable binary. +### +### Each Makefile.in that uses this macro is expected to define "LIBS" and +### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and +### the latter includes libisc without the definition of a symbol table. 
+### The rule to make the executable binary will look like this +### binary: ${OBJS} +### #export MAKE_SYMTABLE="yes"; \ <- enable if symtable is always needed +### export BASEOBJS="${OBJS}"; \ +### ${FINALBUILDCMD} +### +### Normally, ${LIBS} includes all necessary libraries to build the binary; +### there are some exceptions however, where the rule lists some of the +### necessary libraries explicitly in addition to (or instead of) ${LIBS}, +### like this: +### binary: ${OBJS} +### cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${lIBS} +### in order to modify such a rule to use this compound command, a separate +### variable "LIBS0" should be deinfed for the explicitly listed libraries, +### while making sure ${LIBS} still includes libisc. So the above rule would +### be modified as follows: +### binary: ${OBJS} +### export BASEOBJS="${OBJS}"; \ +### export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \ +### ${FINALBUILDCMD} +### See bin/check/Makefile.in for a complete example of the use of LIBS0. 
+### +FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \ + else \ + rm -f $@tmp0; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp0 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + rm -f $@tmp1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp1 $${BASEOBJS} $@-symtbl.o $${LIBS0} ${NOSYMLIBS} || exit 1; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp1 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp2 $${BASEOBJS} $@-symtbl.o $${LIBS0} ${NOSYMLIBS}; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl2.c $@tmp2; \ + count=0; \ + until diff $@-symtbl.c $@-symtbl2.c > /dev/null ; \ + do \ + count=`expr $$count + 1` ; \ + test $$count = 42 && exit 1 ; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp2 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} \ + ${LDFLAGS} -o $@tmp2 $${BASEOBJS} $@-symtbl.o \ + $${LIBS0} ${NOSYMLIBS}; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl2.c $@tmp2; \ + done ; \ + mv $@tmp2 $@; \ + rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \ + fi + +cleandir: distclean +superclean: maintainer-clean + +clean distclean maintainer-clean:: + rm -f *.o *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2 + rm -rf .depend .libs + +distclean maintainer-clean:: + rm -f Makefile + +depend: + @for i in ${ALL_SUBDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making 
depend in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \ + fi; \ + done + @if [ X"${srcdir}" != X. ] ; then \ + if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + echo ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${SRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -vpath ${srcdir} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + fi \ + else \ + if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${SRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + fi \ + fi + +FORCE: + +### +### Libraries +### + +AR = /usr/local/bin/ar +ARFLAGS = cruv +RANLIB = ranlib + +### +### Installation +### + +INSTALL = /usr/bin/install -c +INSTALL_PROGRAM = ${INSTALL} +LINK_PROGRAM = ln -s +INSTALL_SCRIPT = ${INSTALL} +INSTALL_DATA = ${INSTALL} -m 644 + +### +### Programs used when generating documentation. It's ok for these +### not to exist when not generating documentation. 
+### + +XSLTPROC = xsltproc --novalid --xinclude --nonet +PERL = /usr/local/bin/perl5 +LATEX = latex +PDFLATEX = pdflatex +W3M = w3m + +### +### Script language program used to create internal symbol tables +### +MKSYMTBL_PROGRAM = /usr/local/bin/perl5 + +### +### Switch to create internal symbol table selectively +### +ALWAYS_MAKE_SYMTABLE = + +### +### DocBook -> HTML +### DocBook -> man page +### + +.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8 + +.docbook.html: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $< + +.docbook.1: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.2: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.3: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.4: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.5: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.6: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.7: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.8: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +### +### Python executable +### +.SUFFIXES: .py +.py: + cp -f $< $@ + chmod +x $@ + + +all: rpz + +rpz: ${RPZOBJS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${RPZOBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} + +# DO NOT DELETE THIS LINE -- mkdep uses it. +# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY. + +rpz.o: rpz.c /usr/home/vjs/isc/work/rpz3/config.h /usr/include/stdlib.h \ + /usr/include/sys/cdefs.h /usr/include/sys/_null.h \ + /usr/include/sys/_types.h /usr/include/machine/_types.h \ + /usr/include/stdio.h /usr/include/string.h /usr/include/strings.h + +# IF YOU PUT ANYTHING HERE IT WILL GO AWAY --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns1/root.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns1/root.db 
@@ -38,3 +38,6 @@ ; performance test tld5. NS ns.tld5. ns.tld5. A 10.53.0.5 + +; generate SERVFAIL +servfail NS ns.tld2. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/bl.tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/bl.tld2.db @@ -0,0 +1,27 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + + + +; master for slave RPZ zone + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns +ns A 10.53.0.2 + A 10.53.0.3 + +32.1.7.168.192.rpz-ip CNAME . --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/named.conf @@ -44,3 +44,5 @@ zone "subsub.sub3.tld2." {type master; file "tld2.db";}; zone "tld2s." {type master; file "tld2s.db";}; + +zone "bl.tld2." {type master; file "bl.tld2.db";}; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/tld2.db @@ -111,6 +111,9 @@ A 192.168.5.2 TXT "a5-1-2 tld2 text" +a5-2 A 192.168.5.2 + TXT "a5-2 tld2 text" + a5-3 A 192.168.5.3 TXT "a5-3 tld2 text" 
@@ -121,3 +124,6 @@ TXT "a6-1 tld2 text" a6-2 A 192.168.6.2 TXT "a6-2 tld2 text" + +a7-1 A 192.168.7.1 + TXT "a7-1 tld2 text" --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns3/base.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns3/base.db @@ -21,30 +21,7 @@ ; Its contents are also changed with nsupdate -$TTL 120 +$TTL 300 @ SOA blx. hostmaster.ns.blx. ( 1 3600 1200 604800 60 ) - NS ns -ns A 10.53.0.3 + NS ns.tld3. -; Poke the radix tree a little. -128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip CNAME . -128.1111.2222.3333.4444.5555.6666.zz.rpz-ip CNAME . -128.1111.2222.3333.4444.5555.zz.8888.rpz-ip CNAME . -128.1111.2222.3333.4444.zz.8888.rpz-ip CNAME . -128.zz.3333.4444.0.0.8888.rpz-ip CNAME . -128.zz.3333.4444.0.7777.8888.rpz-ip CNAME . -128.zz.3333.4444.0.8777.8888.rpz-ip CNAME . -127.zz.3333.4444.0.8777.8888.rpz-ip CNAME . - - -; regression testing for some old crashes -redirect A 127.0.0.1 -*.redirect A 127.0.0.1 -*.credirect CNAME google.com. - - -; names in the RPZ TLDs that some say should not be rewritten. -; This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip -; (or whatever) is available by publishing "foo A 10.2.3.4" and then -; resolving foo. -32.3.2.1.127.rpz-ip CNAME walled.invalid. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns3/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns3/named.conf @@ -46,19 +46,24 @@ zone "bl-cname" policy cname txt-only.tld2.; zone "bl-wildcname" policy cname *.tld4.; zone "bl-garden" policy cname a12.tld2.; - } min-ns-dots 0; + zone "bl-drop" policy drop; + zone "bl-tcp-only" policy tcp-only; + zone "bl.tld2"; + } + min-ns-dots 0 + qname-wait-recurse yes + ; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-md5; + algorithm hmac-sha256; }; controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; -// include "../trusted.conf"; zone "." { type hint; file "hints"; }; zone "bl." {type master; file "bl.db"; 
@@ -83,6 +88,13 @@ allow-update {any;};}; zone "bl-garden." {type master; file "bl-garden.db"; allow-update {any;};}; +zone "bl-drop." {type master; file "bl-drop.db"; + allow-update {any;};}; +zone "bl-tcp-only." {type master; file "bl-tcp-only.db"; + allow-update {any;};}; + +zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;}; + masterfile-format text;}; zone "crash1.tld2" {type master; file "crash1";}; zone "crash2.tld3." {type master; file "crash2";}; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/named.args +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/named.args @@ -1,3 +1,3 @@ # run the performace test close to real life --c named.conf -g +-c named.conf -gd3 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/named.conf @@ -40,7 +40,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-md5; + algorithm hmac-sha256; }; controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; 
@@ -56,3 +56,20 @@ zone "bl0." {type master; file "bl.db"; }; zone "bl1." {type master; file "bl.db"; }; zone "bl2." {type master; file "bl.db"; }; +zone "bl3." {type master; file "bl.db"; }; +zone "bl4." {type master; file "bl.db"; }; +zone "bl5." {type master; file "bl.db"; }; +zone "bl6." {type master; file "bl.db"; }; +zone "bl7." {type master; file "bl.db"; }; +zone "bl8." {type master; file "bl.db"; }; +zone "bl9." {type master; file "bl.db"; }; +zone "bl10." {type master; file "bl.db"; }; +zone "bl11." {type master; file "bl.db"; }; +zone "bl12." {type master; file "bl.db"; }; +zone "bl13." {type master; file "bl.db"; }; +zone "bl14." {type master; file "bl.db"; }; +zone "bl15." {type master; file "bl.db"; }; +zone "bl16." {type master; file "bl.db"; }; +zone "bl17." {type master; file "bl.db"; }; +zone "bl18." {type master; file "bl.db"; }; +zone "bl19." {type master; file "bl.db"; }; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/tld5.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/tld5.db @@ -22,42 +22,10 @@ NS ns1 NS ns2 NS ns3 - NS ns4 - NS ns5 - NS ns6 - NS ns7 - NS ns8 - NS ns9 - NS ns10 - NS ns11 - NS ns12 - NS ns13 - NS ns14 - NS ns15 - NS ns16 - NS ns17 - NS ns18 - NS ns19 ns A 10.53.0.5 ns1 A 10.53.0.5 ns2 A 10.53.0.5 ns3 A 10.53.0.5 -ns4 A 10.53.0.5 -ns5 A 10.53.0.5 -ns6 A 10.53.0.5 -ns7 A 10.53.0.5 -ns8 A 10.53.0.5 -ns9 A 10.53.0.5 -ns10 A 10.53.0.5 -ns11 A 10.53.0.5 -ns12 A 10.53.0.5 -ns13 A 10.53.0.5 -ns14 A 10.53.0.5 -ns15 A 10.53.0.5 -ns16 A 10.53.0.5 -ns17 A 10.53.0.5 -ns18 A 10.53.0.5 -ns19 A 10.53.0.5 $ORIGIN example.tld5. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/setup.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/setup.sh 
@@ -26,11 +26,13 @@ sh clean.sh -# set up test policy zones. bl-2 is used to check competing zones. -# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden} -# are used to check policy overrides in named.conf. -# NO-OP is an obsolete synonym for PASSHTRU -for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do +# set up test policy zones. +# bl is the main test zone +# bl-2 is used to check competing zones. +# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden, +# drop,tcp-only} are used to check policy overrides in named.conf. +# NO-OP is an obsolete synonym for PASSHTRU +for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done @@ -48,18 +50,22 @@ signzone ns2 tld2s. base-tld2s.db tld2s.db -# Performance checks. +# Performance and a few other checks. cat <ns5/rpz-switch response-policy { - zone "bl0"; zone "bl1"; zone "bl2"; + zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4"; + zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9"; + zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14"; + zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19"; } recursive-only no - max-policy-ttl 90 - # min-ns-dots 0 - break-dnssec yes; + max-policy-ttl 90 + break-dnssec yes + qname-wait-recurse no + ; EOF cat <ns5/example.db -\$TTL 120 +\$TTL 300 @ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 ) NS ns NS ns1 
@@ -68,15 +74,16 @@ EOF cat <ns5/bl.db -\$TTL 120 +\$TTL 300 @ SOA . hostmaster.ns.blperf. ( 1 3600 1200 604800 60 ) - NS ns -ns A 10.53.0.5 + NS ns.tld5. -; used only in failure for "recursive-only no" in #8 test5 -a3-5.tld2 CNAME *. +; for "qname-wait-recurse no" in #35 test1 +x.servfail A 35.35.35.35 +; for "recursive-only no" in #8 test5 +a3-5.tld2 CNAME . ; for "break-dnssec" in #9 & #10 test5 -a3-5.tld2s CNAME *. +a3-5.tld2s CNAME . ; for "max-policy-ttl 90" in #17 test5 a3-17.tld2 500 A 17.17.17.17 @@ -85,8 +92,7 @@ EOF if test -n "$QPERF"; then - # do not build the full zones if we will not use them to avoid the long - # time otherwise required to shut down the server + # Do not build the full zones if we will not use them. $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256); }' >>ns5/example.db --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test1 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test1 @@ -24,13 +24,13 @@ ; QNAME tests ; NXDOMAIN -; 2, 20, 25 +; 2, 25 update add a0-1.tld2.bl. 300 CNAME . ; NODATA -; 3, 21 +; 3 update add a3-1.tld2.bl. 300 CNAME *. ; and no assert-botch -; 4, 5, 22, 23 +; 4, 5 update add a3-2.tld2.bl. 300 DNAME example.com. ; ; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2. @@ -77,6 +77,14 @@ ; 19 update add a4-6.tld2.bl. 300 CNAME . update add a4-6-cname.tld2.bl. 300 A 127.0.0.17 +; no change instead of NXDOMAIN because +norecurse +; 20 +update add a5-2.tld2.bl. 300 CNAME . +; no change instead of NODATA because +norecurse +; 21 +update add a5-3.tld2.bl. 300 CNAME *. +; 22, 23 +update add a5-4.tld2.bl. 300 DNAME example.com. ; ; assert in rbtdb.c ; 24 
@@ -84,4 +92,10 @@ ; DO=1 without signatures, DO=0 with signatures are rewritten ; 26 - 27 update add a0-1.tld2s.bl. 300 CNAME . +; 32 +update add a3-8.tld2.bl. 300 CNAME rpz-drop. +; 33 +update add a3-9.tld2.bl. 300 CNAME rpz-tcp-only. +; 34 qname-wait-recurse yes +update add x.servfail.bl. 300 A 127.0.0.34 send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test2 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test2 @@ -58,7 +58,7 @@ send ; prefer QNAME to IP for a5-4.tld2 -; 13 +; 13, 14 update add 32.4.5.168.192.rpz-ip.bl 300 CNAME a12.tld2. update add a5-4.tld2.bl 300 CNAME a14.tld4. ; @@ -72,3 +72,8 @@ send update add c2.crash2.tld3.bl-2 300 A 127.0.0.16 send + +; client-IP address trigger +; 17 +update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17 +send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test5 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test5 @@ -35,10 +35,8 @@ ; 4 update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4 send -; 5 - 8 +; 5 - 7 update add a3-5.tld2.bl-nodata. 300 A 127.0.0.5 -; 9 - 10 -update add a3-5.tld2s.bl-nodata. 300 A 127.0.0.9 send ; 11 update add a3-6.tld2.bl-nxdomain. 300 A 127.0.0.11 @@ -57,3 +55,9 @@ ; 16 update add a3-16.tld2.bl. 300 A 127.0.0.16 send +; 18 +update add a3-18.tld2.bl-drop. 300 A 127.0.0.18 +send +; 19 +update add a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19 +send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test6 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test6 
@@ -0,0 +1,40 @@
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+server 10.53.0.3 5300
+
+; Poke the radix tree a little.
+update add 128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.5555.6666.zz.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.5555.zz.8888.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.zz.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.0.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.7777.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME .
+update add 127.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME .
+;
+;
+; regression testing for some old crashes
+update add redirect.bl. 300 A 127.0.0.1
+update add *.redirect.bl. 300 A 127.0.0.1
+update add *.credirect.bl. 300 CNAME google.com.
+;
+send
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/tests.sh
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/tests.sh
@@ -21,15 +21,15 @@ . $SYSTEMTESTTOP/conf.sh ns=10.53.0 -ns1=$ns.1 # root, defining the others -ns2=$ns.2 # server whose answers are rewritten -ns3=$ns.3 # resolve that does the rewriting -ns4=$ns.4 # another server that is rewritten -ns5=$ns.5 # check performance with this server +ns1=$ns.1 # root, defining the others +ns2=$ns.2 # authoritative server whose records are rewritten +ns3=$ns.3 # main rewriting resolver +ns4=$ns.4 # another authoritative server that is rewritten +ns5=$ns.5 # another rewriting resolver HAVE_CORE= SAVE_RESULTS= -NS3_STATS=47 + USAGE="$0: [-x]" while getopts "x" c; do @@ -57,11 +57,16 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s" digcmd () { - digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*" - expr "$digcmd_args" : '.*@' >/dev/null || \ - digcmd_args="$digcmd_args @$ns3" - expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \ - digcmd_args="+noauth $digcmd_args" + if test "$1" = TCP; then + shift + fi + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS X will choose + # the right IP source address. + digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \ + sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/'` #echo I:dig $digcmd_args 1>&2 $DIG $digcmd_args } @@ -87,10 +92,13 @@ # (re)load the reponse policy zones with the rules in the file $TEST_FILE load_db () { if test -n "$TEST_FILE"; then - $NSUPDATE -v $TEST_FILE || { + if $NSUPDATE -v $TEST_FILE; then : + $RNDCCMD $ns3 sync + else echo "I:failed to update policy zone with $TEST_FILE" + $RNDCCMD $ns3 sync exit 1 - } + fi fi } 
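Review bot: The `+noauth` default in the rewritten digcmd is applied unconditionally, because `?` is an ordinary character in POSIX basic regular expressions, so `/+n?o?auth/` only matches the literal text `+n?o?auth` and never `+auth` or `+noauth`; a caller such as `nochange a0-1.tld2s srv +auth +dnssec` still works only because dig lets the later `+auth` override the prepended `+noauth`. The removed `expr` test `'.*+[no]*auth'` expressed the intended match, and the same bracket class works in sed: `-e '/+[no]*auth/!s/.*/+noauth &/'`. The `-b` rule on the preceding line is unaffected.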
@@ -133,15 +141,20 @@ return 1 } -# check that statistics for $1 in $2 = $3 ckstats () { - $RNDCCMD $1 stats - CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $2/named.stats` - CNT=`expr 0$CNT + 0` - if test "$CNT" -ne $3; then - setret "I:wrong $2 statistics of $CNT instead of $3" + HOST=$1 + LABEL="$2" + NSDIR="$3" + EXPECTED="$4" + $RNDCCMD $HOST stats + NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1` + eval "OLD_CNT=0\$${NSDIR}_CNT" + GOT=`expr $NEW_CNT - $OLD_CNT` + if test "$GOT" -ne "$EXPECTED"; then + setret "I:wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" fi + eval "${NSDIR}_CNT=$NEW_CNT" } # $1=message $2=optional test file name @@ -178,6 +191,12 @@ ckresult () { #ckalive "$1" "I:server crashed by 'dig $1'" || return 1 if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then + NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'` + RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM` + if test "$NEED_TCP" != "$RESULT_TCP"; then + setret "I:'dig $1' wrong; no or unexpected truncation in $DIGNM" + return 1 + fi clean_result ${DIGNM}* return 0 fi @@ -234,12 +253,14 @@ clean_result ${DIGNM}* } -# check that a response is not rewritten -# $1=target domain $2=optional query type +# Check that a response is not rewritten +# Use $ns1 instead of the authority for most test domains, $ns2 to prevent +# spurious differences for `dig +norecurse` +# $1=optional "TCP" remaining args for dig nochange () { make_dignm digcmd $* >$DIGNM - digcmd $* @$ns2 >${DIGNM}_OK + digcmd $* @$ns1 >${DIGNM}_OK ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } 
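Review bot: `tail -1` in the new ckstats is the obsolescent spelling; POSIX is `tail -n 1`, and the reason for taking the last match deserves a comment since it is not visible in the code — presumably named.stats accumulates one block per `rndc stats`, so only the last `response policy` line is current. Suggested comment above the sed: `# named.stats is appended to on each 'rndc stats'; use the newest block`. The `eval` lines build shell variable names from `$3`, which is fine for the literal `ns3`/`ns5` the callers in this file pass, but any other value would have to be a valid identifier.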
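Review bot: NEED_TCP in the ckresult hunk is derived with `sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'` over the whole dig argument string, so any argument containing the letters tcp anywhere — a `+tcp` option or a label inside a query name — would be taken as an expected truncation and an otherwise correct result rejected. The callers visible in this file put the marker in the first word (nochange's comment says `$1=optional "TCP"`), so anchoring the expression there is enough: `'s/^[Tt][Cc][Pp] .*/TCP/p'`. ckresult's body starts and ends outside the hunk.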
@@ -251,6 +272,20 @@ ckresult "$*" ${DIGNM}_OK } +# check dropped response +DROPPED='^;; connection timed out; no servers could be reached' +drop () { + make_dignm + digcmd $* >$DIGNM + if grep "$DROPPED" $DIGNM >/dev/null; then + clean_result ${DIGNM}* + return 0 + fi + setret "I:'dig $1' wrong; response in $DIGNM" + return 1 +} + + # make prototype files to check against rewritten results digcmd nonexistent @$ns2 >proto.nxdomain digcmd txt-only.tld2 @$ns2 >proto.nodata 
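Review bot: The failure message in the new drop function reports only `$1`, `setret "I:'dig $1' wrong; response in $DIGNM"`, while the sibling checkers in this file report the full argument string (`ckresult "$*"` in nochange), so a failing drop call with extra dig options is logged without them; `setret "I:'dig $*' wrong; response in $DIGNM"` matches the rest of the file. The check also only finishes within the test's time budget because digcmd passes `+time=1 +tries=1`, which is what produces the `DROPPED` text; a comment above `DROPPED=` such as `# dig gives up after digcmd's +time=1 +tries=1 when the server drops the query` would stop someone relaxing those options later.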
@@ -278,19 +313,27 @@ addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain -nochange a0-1.tld2 +norecurse # 20 check that RD=1 is required -nochange a3-1.tld2 +norecurse # 21 -nochange a3-2.tld2 +norecurse # 22 -nochange sub.a3-2.tld2 +norecurse # 23 +nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required +nochange a5-3.tld2 +norecurse # 21 +nochange a5-4.tld2 +norecurse # 22 +nochange sub.a5-4.tld2 +norecurse # 23 nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures -nxdomain a0-1.tld2s # 26 simple DO=0 with signatures +nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain -nochange a0-1.tld2s srv +auth +dnssec # 30 no write for +DNSSEC and no record -nxdomain a0-1.tld2s srv # 31 +nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record +nxdomain a0-1.tld2s srv +nodnssec # 31 +drop a3-8.tld2 # 32 drop +nochange tcp a3-9.tld2 # 33 tcp-only +here x.servfail <<'EOF' # 34 qname-wait-recurse yes + ;; status: SERVFAIL, x +EOF +addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no end_group +ckstats $ns3 test1 ns3 22 +ckstats $ns5 test1 ns5 1 start_group "IP rewrites" test2 nodata a3-1.tld2 # 1 NODATA 
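Review bot: `nochange tcp a3-9.tld2 # 33 tcp-only` spells the marker in lower case, but digcmd strips it only when `test "$1" = TCP` holds, and the later `nxdomain TCP a3-19.tld2 # 19 bl-tcp-only` uses upper case; as written the word `tcp` seems to be passed through to dig as an argument, where it would presumably be taken as the query name rather than a flag, and ckresult's case-insensitive NEED_TCP check would then expect a truncation that cannot occur. `nochange TCP a3-9.tld2` makes the three places agree; if lower case is meant to be accepted, digcmd's test needs to match it as well.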
@@ -305,11 +348,14 @@ nochange a4-1-aaaa.tld2 -taaaa # 10 addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone -addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP -nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required +nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 +addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP nochange a4-4.tld2 # 15 PASSTHRU nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c +addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger +nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) end_group +ckstats $ns3 test2 ns3 11 # check that IP addresses for previous group were deleted from the radix tree start_group "radix tree deletions" @@ -325,6 +371,7 @@ nochange a4-1-aaaa.tld2 -tAAAA nochange a5-1-2.tld2 end_group +ckstats $ns3 'radix tree deletions' ns3 0 if ./rpz nsdname; then # these tests assume "min-ns-dots 0" @@ -342,7 +389,7 @@ addr 127.0.0.2 a3-1.subsub.sub3.tld2 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash end_group - NS3_STATS=`expr $NS3_STATS + 7` + ckstats $ns3 test3 ns3 7 else echo "I:NSDNAME not checked; named configured with --disable-rpz-nsdname" fi 
@@ -356,15 +403,15 @@ nochange a3-1.tld4 # 4 different NS IP address end_group -# start_group "walled garden NSIP rewrites" test4a -# addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 -# addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 -# here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 -# ;; status: NOERROR, x -# a3-1.tld2. x IN TXT "NSIP walled garden" -#EOF -# end_group - NS3_STATS=`expr $NS3_STATS + 1` + start_group "walled garden NSIP rewrites" test4a + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + ;; status: NOERROR, x + a3-1.tld2. x IN TXT "NSIP walled garden" +EOF + end_group + ckstats $ns3 test4 ns3 4 else echo "I:NSIP not checked; named configured with --disable-rpz-nsip" fi @@ -376,12 +423,12 @@ nochange a3-2.tld2 # 2 bl-passthru nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru nochange a3-4.tld2 # 4 bl-disabled -nodata a3-5.tld2 # 5 bl-nodata -nodata a3-5.tld2 +norecurse # 6 bl-nodata recursive-only no -nodata a3-5.tld2 # 7 bl-nodata -nodata a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata recursive-only no -nodata a3-5.tld2s @$ns5 # 9 bl-nodata -nodata a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata break-dnssec +nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no +nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no +nodata a3-5.tld2 # 7 bl-nodata not needed +nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no +nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec +nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec nxdomain a3-6.tld2 # 11 bl-nxdomain here a3-7.tld2 -tany <<'EOF' ;; status: NOERROR, x 
@@ -393,10 +440,15 @@ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 +drop a3-18.tld2 # 18 bl-drop +nxdomain TCP a3-19.tld2 # 19 bl-tcp-only end_group +ckstats $ns3 test5 ns3 12 +ckstats $ns5 test5 ns5 4 + # check that miscellaneous bugs are still absent -start_group "crashes" +start_group "crashes" test6 for Q in RRSIG SIG ANY 'ANY +dnssec'; do nocrash a3-1.tld2 -t$Q nocrash a3-2.tld2 -t$Q @@ -410,6 +462,8 @@ # resolving foo. # nxdomain 32.3.2.1.127.rpz-ip end_group +ckstats $ns3 bugs ns3 8 + # superficial test for major performance bugs @@ -422,6 +476,7 @@ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >/dev/null comment "before real test $1" PFILE="ns5/$2.perf" + $RNDCCMD $ns5 notrace $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >$PFILE comment "after test $1" X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ @@ -436,17 +491,17 @@ } # get qps with rpz - perf 'with rpz' rpz 'NOERROR:2900 NXDOMAIN:100 ' + perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' RPZ=`trim rpz` # turn off rpz and measure qps again - echo "# rpz off" >ns5/rpz-switch + echo "# RPZ off" >ns5/rpz-switch RNDCCMD_OUT=`$RNDCCMD $ns5 reload` - perf 'without rpz' norpz 'NOERROR:3000 ' + perf 'without RPZ' norpz 'NOERROR:3000 ' NORPZ=`trim norpz` PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ` - echo "I:$RPZ qps with rpz is $PERCENT% of $NORPZ qps without rpz" + echo "I:$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" MIN_PERCENT=30 if test "$PERCENT" -lt $MIN_PERCENT; then 
@@ -457,15 +512,13 @@ setret "I:$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" fi - ckstats $ns5 ns5 203 + ckstats $ns5 performance ns5 200 else echo "I:performance not checked; queryperf not available" fi -ckstats $ns3 ns3 55 - # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then $PERL $SYSTEMTESTTOP/stop.pl . ns3 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/clean.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/clean.sh @@ -0,0 +1,21 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + + +# Clean up after rrl tests. + +rm -f dig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns1/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns1/named.conf 
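Review bot: `rm -f ns3/bl*.db` in the new rrl/clean.sh looks carried over from the rpz test's clean-up: the rrl ns3 directory added in this patch holds only `hints` and `tld3.db`, and nothing in the rrl setup generates `bl*.db` files, so the glob is dead and misleading about what these tests produce. Dropping it, `rm -f */*.jnl */*.core */*.pid`, keeps the script honest; if the line is intentional, a comment naming the file it is meant to remove would do.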
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ notify no;
+};
+
+zone "." {type master; file "root.db";};
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns1/root.db
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns1/root.db
@@ -0,0 +1,31 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+$TTL 120
+@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+@ NS ns.
+ns. A 10.53.0.1
+. A 10.53.0.1
+
+; limit responses from here
+tld2. NS ns.tld2.
+ns.tld2. A 10.53.0.2
+
+; limit recursion to here
+tld3. NS ns.tld3.
+ns.tld3. A 10.53.0.3
+
+; generate SERVFAIL
+tld4. NS ns.tld3.
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/hints
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/hints
@@ -0,0 +1,18 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/named.conf
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/named.conf
@@ -0,0 +1,71 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." 
{ type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/tld2.db @@ -0,0 +1,47 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/hints +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/hints 
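Review bot: The new ns2/named.conf carries two `controls` statements — the template's `controls { /* empty */ };` near the top and the `controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; };` added below it; the empty clause is presumably left over from the template, and a reader should not have to know whether named treats the two as additive or last-wins, so dropping it (or commenting why both are kept) would help. `exempt-clients { 10.53.0.7; };` is likewise unexplained: no ns7 exists in this patch, so a comment such as `// tests.sh sends "whitelisted" queries from 10.53.0.7 via dig -b` (if that is what the tests do) would tie the address to its use.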
@@ -0,0 +1,18 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/named.conf
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/named.conf
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ notify no;
+
+ // check that all of the options are parsed without limiting anything
+ rate-limit {
+ responses-per-second 200;
+ referrals-per-second 220;
+ nodata-per-second 230;
+ nxdomains-per-second 240;
+ errors-per-second 250;
+ all-per-second 700;
+ ipv4-prefix-length 24;
+ ipv6-prefix-length 64;
+ qps-scale 10;
+ window 1;
+ max-table-size 1000;
+ };
+
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld3."{ type master; file "tld3.db"; };
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/tld3.db
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/tld3.db
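Review bot: The comment `// check that all of the options are parsed without limiting anything` is undercut by `qps-scale 10`: that option scales the other per-second limits down once the server's overall query rate exceeds 10 qps, so under a test burst the nominal `responses-per-second 200` is far less permissive than it reads, and `ipv4-prefix-length 24` puts every 10.53.0.x test client into a single bucket. If the intent really is that ns3 never limits, make that checkable — extend the comment to `// qps-scale 10 shrinks these limits under load; the tests must keep ns3 below that rate`, or set qps-scale above any rate the tests can reach.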
@@ -0,0 +1,25 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.3
+
+*.a3 A 192.0.3.3
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/setup.sh
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
--- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/tests.sh
+++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/tests.sh
@@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. 
+sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; 
then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. 
+ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 --- bind9-9.9.3.dfsg.P2.orig/bind9-resolvconf.service +++ bind9-9.9.3.dfsg.P2/bind9-resolvconf.service 
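Review bot: The script ends with `# exit $ret` / `[ $ret -ne 0 ] && echo "I:test failure overridden"` / `exit 0`, so every mismatch that setret records is discarded and this rrl system test can never fail the suite; since it is the only regression check for the new response-rate-limiting path in client.c, a limiter that stops dropping or truncating would pass silently. Unless the override is a deliberate stop-gap for timing flakiness, restore `exit $ret`, or at least gate the override on an explicit environment variable and state the reason in the "overridden" log line so the suppression is visible in the build log. A smaller point: `digcmd` builds the result filename from sed output and then runs `mv "$OFILE=TEMP" "$OFILE=$RESULT"` without checking that `$RESULT` is non-empty or that the `mv` succeeded, so an unexpected dig output shape leaves a stray `=TEMP` file that ck_result never counts.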
@@ -0,0 +1,13 @@
+[Unit]
+Description=local BIND via resolvconf
+Documentation=man:named(8) man:resolvconf(8)
+Requires=bind9.service
+After=bind9.service
+ConditionFileIsExecutable=/sbin/resolvconf
+
+[Service]
+ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named'
+ExecStop=/sbin/resolvconf -d lo.named
+
+[Install]
+WantedBy=bind9.service
--- bind9-9.9.3.dfsg.P2.orig/bind9.service
+++ bind9-9.9.3.dfsg.P2/bind9.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=BIND Domain Name Server
+Documentation=man:named(8)
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/named -f -u bind
+ExecReload=/usr/sbin/rndc reload
+ExecStop=/usr/sbin/rndc stop
+
+[Install]
+WantedBy=multi-user.target
--- bind9-9.9.3.dfsg.P2.orig/bind9.tmpfile
+++ bind9-9.9.3.dfsg.P2/bind9.tmpfile
@@ -0,0 +1 @@
+d /run/named 0775 root bind - -
--- bind9-9.9.3.dfsg.P2.orig/clean.sh
+++ bind9-9.9.3.dfsg.P2/clean.sh
@@ -0,0 +1,21 @@
+# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+
+
+# Clean up after rrl tests.
+
+rm -f dig.out*
+rm -f */named.memstats */named.run */named.stats */log-* */session.key
+rm -f ns3/bl*.db */*.jnl */*.core */*.pid
--- bind9-9.9.3.dfsg.P2.orig/config.h.in
+++ bind9-9.9.3.dfsg.P2/config.h.in
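Review bot: bind9-resolvconf.service declares no `Type=`, so it runs as the default simple service and its main process, `/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named'`, exits as soon as the entry is added; as far as I can tell from systemd's stop semantics, the unit then leaves the active state and `ExecStop=/sbin/resolvconf -d lo.named` runs immediately, removing the nameserver entry it just installed. Add `Type=oneshot` and `RemainAfterExit=yes` to the `[Service]` section so the unit stays active (and the ExecStop only runs) until it is explicitly stopped or bind9.service goes down. The `Requires=bind9.service` / `After=bind9.service` ordering is correct for that behaviour once the unit actually stays up.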
@@ -184,6 +184,9 @@ MSVC and with C++ compilers. */ #undef FLEXIBLE_ARRAY_MEMBER +/* Defined if GeoIP supports IPv6 lookups */ +#undef GEOIP_V6 + /* Define to 1 if you have the `chroot' function. */ #undef HAVE_CHROOT @@ -421,6 +424,9 @@ /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS +/* Define if you want GeoIP support. */ +#undef SUPPORT_GEOIP + /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME --- bind9-9.9.3.dfsg.P2.orig/configure +++ bind9-9.9.3.dfsg.P2/configure @@ -1326,6 +1326,7 @@ OPENSSLGOSTLINKOBJS DST_OPENSSL_INC USE_OPENSSL +GEOIP_LIBS LWRES_PLATFORM_NEEDSYSSELECTH ISC_PLATFORM_NEEDSYSSELECTH ISC_PLATFORM_HAVEDEVPOLL @@ -1459,6 +1460,7 @@ enable_openssl_version_check with_ecdsa with_gost +with_geoip enable_openssl_hash with_pkcs11 with_gssapi @@ -2170,6 +2172,7 @@ (Required for DNSSEC) --with-ecdsa OpenSSL ECDSA --with-gost OpenSSL GOST + --with-geoip=PATH Specify path for system-supplied GeoIP --with-pkcs11=PATH Build with PKCS11 support yes|no|path (PATH is for the PKCS11 provider) --with-gssapi=PATH Specify path for system-supplied GSSAPI [default=yes] @@ -4989,7 +4992,8 @@ ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -5390,10 +5394,6 @@ fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -5432,11 +5432,11 @@ ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else 
@@ -6572,7 +6572,14 @@ LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; ppc64-*linux*|powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" @@ -8401,7 +8408,7 @@ lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -8879,6 +8886,9 @@ openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + link_all_deplibs=no + ;; esac ld_shlibs=yes @@ -9100,7 +9110,7 @@ fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -9277,6 +9287,7 @@ if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then @@ -9730,7 +9741,7 @@ link_all_deplibs=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -10567,17 +10578,6 @@ esac ;; -gnu*) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no 
@@ -10694,7 +10694,7 @@ ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -10758,6 +10758,18 @@ dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -12912,7 +12924,7 @@ # as it breaks how the two halves (Basic and Advanced) of the IPv6 # Socket API were designed to be used but we have to live with it. # Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. - *-linux* | *-kfreebsd*-gnu) + *-linux*|*-gnu*) STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE" CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE" ;; 
@@ -14388,6 +14400,147 @@ esac # +# Check for GeoIP - if yes enable it +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP library" >&5 +$as_echo_n "checking for GeoIP library... " >&6; } + +# Check whether --with-geoip was given. +if test "${with_geoip+set}" = set; then : + withval=$with_geoip; use_geoip="$withval" +else + use_geoip="no" +fi + + +#geoipdirs="/usr/local /usr/pkg /usr/kerberos /usr" +# +#if test "$use_geoip" = "yes" +#then +# for d in $geoipdirs +# do +# if test -f $d/include/include/GeoIP.h -o -f $d/include/GeoIP.h +# then +# use_geoip=$d +# break +# fi +# done +#fi + + +$as_echo "#define GEOIP_V6 1" >>confdefs.h + +case "$use_geoip" in + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + USE_GEOIP='' + ;; +# yes) +# AC_MSG_ERROR([--with-geoip must specify a path]) +# ;; + *) + ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default" +if test "x$ac_cv_header_GeoIP_h" = xyes; then : + +else + as_fn_error $? "GeoIP library header files not found" "$LINENO" 5 + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP_open in -lGeoIP" >&5 +$as_echo_n "checking for GeoIP_open in -lGeoIP... " >&6; } +if ${ac_cv_lib_GeoIP_GeoIP_open+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lGeoIP $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char GeoIP_open (); +int +main () +{ +return GeoIP_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_GeoIP_GeoIP_open=yes +else + ac_cv_lib_GeoIP_GeoIP_open=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_GeoIP_GeoIP_open" >&5 +$as_echo "$ac_cv_lib_GeoIP_GeoIP_open" >&6; } +if test "x$ac_cv_lib_GeoIP_GeoIP_open" = xyes; then : + + +$as_echo "#define SUPPORT_GEOIP 1" >>confdefs.h + + +else + + as_fn_error $? "GeoIP library header files were found but the library was not found" "$LINENO" 5 + +fi + + GEOIP_LIBS="-lGeoIP" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for for GeoIP IPv6 support" >&5 +$as_echo_n "checking for for GeoIP IPv6 support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + +extern const struct in6_addr in6addr_loopback; +static GeoIP *geoip = NULL; + +const char* value = value = GeoIP_country_name_by_ipnum_v6(geoip, (geoipv6_t)in6addr_loopback); + + + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + GEOIP_V6="#define GEOIP_V6 1" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + GEOIP_V6="#undef GEOIP_V6" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +$as_echo "#define GEOIP_V6 1" >>confdefs.h + + ;; +esac + + + +# # This would include the system openssl path (and linker options to use # it as needed) if it is found. # @@ -15653,7 +15806,7 @@ # LinuxThreads requires some changes to the way we # deal with signals. # - *-linux*) + *-linux*|*-kfreebsd*-gnu) $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h ;; --- bind9-9.9.3.dfsg.P2.orig/configure.in +++ bind9-9.9.3.dfsg.P2/configure.in 
@@ -349,7 +349,7 @@ # as it breaks how the two halves (Basic and Advanced) of the IPv6 # Socket API were designed to be used but we have to live with it. # Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. - *-linux* | *-kfreebsd*-gnu) + *-linux*|*-gnu*) STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE" CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE" ;; @@ -905,6 +905,74 @@ esac # +# Check for GeoIP - if yes enable it +# + +AC_MSG_CHECKING(for GeoIP library) +AC_ARG_WITH(geoip, +[ --with-geoip=PATH Specify path for system-supplied GeoIP], + use_geoip="$withval", use_geoip="no") + +#geoipdirs="/usr/local /usr/pkg /usr/kerberos /usr" +# +#if test "$use_geoip" = "yes" +#then +# for d in $geoipdirs +# do +# if test -f $d/include/include/GeoIP.h -o -f $d/include/GeoIP.h +# then +# use_geoip=$d +# break +# fi +# done +#fi + +AC_DEFINE([GEOIP_V6], [1], [Defined if GeoIP supports IPv6 lookups]) +case "$use_geoip" in + no) + AC_MSG_RESULT(disabled) + USE_GEOIP='' + ;; +# yes) +# AC_MSG_ERROR([--with-geoip must specify a path]) +# ;; + *) + AC_CHECK_HEADER(GeoIP.h,, + [AC_MSG_ERROR([GeoIP library header files not found])] + ) + AC_CHECK_LIB(GeoIP, GeoIP_open, + [ + AC_DEFINE(SUPPORT_GEOIP, 1, Define if you want GeoIP support.) + ], + [ + AC_MSG_ERROR([GeoIP library header files were found but the library was not found]) + ]) + GEOIP_LIBS="-lGeoIP" + AC_MSG_CHECKING(for for GeoIP IPv6 support) + AC_TRY_COMPILE([ +#include +#include +], +[ + +extern const struct in6_addr in6addr_loopback; +static GeoIP *geoip = NULL; + +const char* value = value = GeoIP_country_name_by_ipnum_v6(geoip, (geoipv6_t)in6addr_loopback); + +] +, + [AC_MSG_RESULT(yes) + GEOIP_V6="#define GEOIP_V6 1"], + [AC_MSG_RESULT(no) + GEOIP_V6="#undef GEOIP_V6"]) +AC_DEFINE(GEOIP_V6) + ;; +esac + +AC_SUBST(GEOIP_LIBS) + +# # This would include the system openssl path (and linker options to use # it as needed) if it is found. # 
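Review bot: In the `@@ -905,6 +905,74 @@` hunk `GEOIP_V6` is defined unconditionally — once by `AC_DEFINE([GEOIP_V6], [1], ...)` before the `case "$use_geoip"` and again by `AC_DEFINE(GEOIP_V6)` after the `AC_TRY_COMPILE` — so the probe's `GEOIP_V6="#undef GEOIP_V6"` result never reaches config.h and the macro is set even with `--with-geoip=no` or a GeoIP build that lacks `GeoIP_country_name_by_ipnum_v6`, which is exactly the case the probe exists to catch. Move the define into the probe's success branch, e.g. `[AC_MSG_RESULT(yes); AC_DEFINE([GEOIP_V6], [1], [Defined if GeoIP supports IPv6 lookups])]`, and drop both unconditional ones. The `--with-geoip=PATH` help text promises a search path, but with the `geoipdirs` loop commented out `$withval` is never added to CPPFLAGS/LDFLAGS, so any value other than `no` silently means "default system paths" — either honour the path or document the option as yes|no. Also `USE_GEOIP=''` is assigned but never substituted, and the "checking for for GeoIP IPv6 support" message has a doubled word; the generated configure at its `@@ -14388,6 +14400,147 @@` hunk mirrors all of the above.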
@@ -1319,7 +1387,7 @@ # LinuxThreads requires some changes to the way we # deal with signals. # - *-linux*) + *-linux*|*-kfreebsd*-gnu) AC_DEFINE(HAVE_LINUXTHREADS) ;; # --- bind9-9.9.3.dfsg.P2.orig/contrib/idn/idnkit-1.0-src/config.guess +++ bind9-9.9.3.dfsg.P2/contrib/idn/idnkit-1.0-src/config.guess @@ -1,9 +1,9 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2001-09-04' +timestamp='2009-01-17' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -24,8 +24,9 @@ # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. -# Written by Per Bothner . -# Please send patches to . +# Originally written by Per Bothner . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and @@ -52,7 +53,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO 
@@ -87,30 +88,42 @@ exit 1 fi +trap 'exit 1' 1 2 15 -dummy=dummy-$$ -trap 'rm -f $dummy.c $dummy.o $dummy.rel $dummy; exit 1' 1 2 15 +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. -# CC_FOR_BUILD -- compiler used by this script. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. -set_cc_for_build='case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int dummy(){}" > $dummy.c ; - for c in cc gcc c89 ; do - ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ; - if test $? = 0 ; then +# Portable tmp directory creation inspired by the Autoconf team. + +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; - rm -f $dummy.c $dummy.o $dummy.rel ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac' +esac ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. 
# (ghazi@noc.rutgers.edu 1994-08-24) @@ -127,29 +140,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) - # Netbsd (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. - # Determine the machine/vendor (is the vendor relevant). - case "${UNAME_MACHINE}" in - amiga) machine=m68k-unknown ;; - arm32) machine=arm-unknown ;; - atari*) machine=m68k-atari ;; - sun3*) machine=m68k-sun ;; - mac68k) machine=m68k-apple ;; - macppc) machine=powerpc-apple ;; - hp3[0-9][05]) machine=m68k-hp ;; - ibmrt|romp-ibm) machine=romp-ibm ;; - *) machine=${UNAME_MACHINE}-unknown ;; + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. - case "${UNAME_MACHINE}" in - i386|sparc|amiga|arm*|hp300|mvme68k|vax|atari|luna68k|mac68k|news68k|next68k|pc532|sun3*|x68k) + case "${UNAME_MACHINE_ARCH}" in + arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep __ELF__ >/dev/null 
@@ -166,74 +180,123 @@ ;; esac # The OS release - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit 0 ;; + amd64:OpenBSD:*:*) + echo x86_64-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + cats:OpenBSD:*:*) + echo arm-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + luna88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + macppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvmeppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sgi:OpenBSD:*:*) + echo mips64-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sun3:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit 0 ;; + macppc:MirBSD:*:*) + echo powerppc-unknown-mirbsd${UNAME_RELEASE} + exit 0 ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit 0 ;; alpha:OSF1:*:*) - if test $UNAME_RELEASE = "V4.0"; then + 
case $UNAME_RELEASE in + *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - fi + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. 
- cat <$dummy.s - .data -\$Lformat: - .byte 37,100,45,37,120,10,0 # "%d-%x\n" - - .text - .globl main - .align 4 - .ent main -main: - .frame \$30,16,\$26,0 - ldgp \$29,0(\$27) - .prologue 1 - .long 0x47e03d80 # implver \$0 - lda \$2,-1 - .long 0x47e20c21 # amask \$2,\$1 - lda \$16,\$Lformat - mov \$0,\$17 - not \$1,\$18 - jsr \$26,printf - ldgp \$29,0(\$26) - mov 0,\$16 - jsr \$26,exit - .end main -EOF - eval $set_cc_for_build - $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null - if test "$?" = 0 ; then - case `./$dummy` in - 0-0) - UNAME_MACHINE="alpha" - ;; - 1-0) - UNAME_MACHINE="alphaev5" - ;; - 1-1) - UNAME_MACHINE="alphaev56" - ;; - 1-101) - UNAME_MACHINE="alphapca56" - ;; - 2-303) - UNAME_MACHINE="alphaev6" - ;; - 2-307) - UNAME_MACHINE="alphaev67" - ;; - 2-1307) - UNAME_MACHINE="alphaev68" - ;; - esac - fi - rm -f $dummy.s $dummy - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` exit 0 ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? 
@@ -247,33 +310,18 @@ Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit 0;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit 0 ;; - arc64:OpenBSD:*:*) - echo mips64el-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hkmips:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pmax:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - wgrisc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos exit 0 ;; *:OS/390:*:*) echo i370-ibm-openedition exit 0 ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit 0 ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit 0;; @@ -291,6 +339,13 @@ NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit 0 ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit 0 ;; + DRS?6000:UNIX_SV:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7 && exit 0 ;; + esac ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit 0 ;; @@ -319,7 +374,7 @@ echo m68k-sun-sunos${UNAME_RELEASE} exit 0 ;; sun*:*:4.2BSD:*) - UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) 
@@ -333,12 +388,6 @@ aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit 0 ;; - sparc*:NetBSD:*) - echo `uname -p`-unknown-netbsd${UNAME_RELEASE} - exit 0 ;; - atari*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor @@ -365,17 +414,8 @@ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit 0 ;; - sun3*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} exit 0 ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} @@ -415,15 +455,20 @@ exit (-1); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy \ - && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ - && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c \ + && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && exit 0 echo mips-mips-riscos${UNAME_RELEASE} exit 0 ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit 0 ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit 0 ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit 0 ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit 0 ;; @@ -496,8 +541,7 @@ exit(0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo rs6000-ibm-aix3.2.5 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 
@@ -506,7 +550,7 @@ fi exit 0 ;; *:AIX:*:[45]) - IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else @@ -546,10 +590,8 @@ 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) - case "${HPUX_REV}" in - 11.[0-9][0-9]) - if [ -x /usr/bin/getconf ]; then - sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 @@ -558,13 +600,13 @@ case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac - fi ;; - esac - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include @@ -597,11 +639,21 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy` - if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi - rm -f $dummy.c $dummy - fi ;; + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + # avoid double evaluation of $set_cc_for_build + test -n "$CC_FOR_BUILD" || eval $set_cc_for_build + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit 0 ;; ia64:HP-UX:*:*) 
@@ -635,8 +687,7 @@ exit (0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo unknown-hitachi-hiuxwe2 exit 0 ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) @@ -664,9 +715,6 @@ parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit 0 ;; - hppa*:OpenBSD:*:*) - echo hppa-unknown-openbsd - exit 0 ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit 0 ;; @@ -685,9 +733,6 @@ C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit 0 ;; - CRAY*X-MP:*:*:*) - echo xmp-cray-unicos - exit 0 ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; 
@@ -700,26 +745,25 @@ CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; - CRAY*T3D:*:*:*) - echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; - CRAY-2:*:*:*) - echo cray2-cray-unicos - exit 0 ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit 0 ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} @@ -733,9 +777,6 @@ *:FreeBSD:*:*) echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit 0 ;; - *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - exit 0 ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit 0 ;; 
@@ -745,11 +786,17 @@ i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit 0 ;; + x86:Interix*:[34]*) + echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' + exit 0 ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit 0 ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? - echo i386-pc-interix + echo i586-pc-interix exit 0 ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin 
@@ -761,25 +808,74 @@ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit 0 ;; *:GNU:*:*) + # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit 0 ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + exit 0 ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit 0 ;; arm*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; + cris:Linux:*:*) + echo cris-axis-linux-gnu + exit 0 ;; + crisv32:Linux:*:*) + echo crisv32-axis-linux-gnu + exit 0 ;; + frv:Linux:*:*) + echo frv-unknown-linux-gnu + exit 0 ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit 0 ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; mips:Linux:*:*) - case `sed -n '/^byte/s/^.*: \(.*\) endian/\1/p' < /proc/cpuinfo` in - big) echo mips-unknown-linux-gnu && exit 0 ;; - little) echo mipsel-unknown-linux-gnu && exit 0 ;; - esac + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips + #undef mipsel + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mipsel + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 + ;; + mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips64 + #undef mips64el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mips64el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + 
CPU=mips64 + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu @@ -815,6 +911,9 @@ s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux exit 0 ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit 0 ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; @@ -828,7 +927,8 @@ # The BFD linker knows what the default object file format is, so # first see if it will tell us. cd to the root directory to prevent # problems with other programs or directories called `ld' in the path. - ld_supported_targets=`cd /; ld --help 2>&1 \ + # Set LC_ALL=C to ensure ld outputs messages in English. + ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ | sed -ne '/supported targets:/!d s/[ ][ ]*/ /g s/.*supported targets: *// @@ -840,7 +940,7 @@ ;; a.out-i386-linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit 0 ;; + exit 0 ;; coff-i386) echo "${UNAME_MACHINE}-pc-linux-gnucoff" exit 0 ;; 
@@ -852,32 +952,31 @@ esac # Determine whether the default compiler is a.out or elf eval $set_cc_for_build - cat >$dummy.c < -#ifdef __cplusplus -#include /* for printf() prototype */ - int main (int argc, char *argv[]) { -#else - int main (argc, argv) int argc; char *argv[]; { -#endif -#ifdef __ELF__ -# ifdef __GLIBC__ -# if __GLIBC__ >= 2 - printf ("%s-pc-linux-gnu\n", argv[1]); -# else - printf ("%s-pc-linux-gnulibc1\n", argv[1]); -# endif -# else - printf ("%s-pc-linux-gnulibc1\n", argv[1]); -# endif -#else - printf ("%s-pc-linux-gnuaout\n", argv[1]); -#endif - return 0; -} + sed 's/^ //' << EOF >$dummy.c + #include + #ifdef __ELF__ + # ifdef __GLIBC__ + # if __GLIBC__ >= 2 + LIBC=gnu + # else + LIBC=gnulibc1 + # endif + # else + LIBC=gnulibc1 + # endif + #else + #ifdef __INTEL_COMPILER + LIBC=gnu + #else + LIBC=gnuaout + #endif + #endif + #ifdef __dietlibc__ + LIBC=dietlibc + #endif EOF - $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` + test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 ;; i*86:DYNIX/ptx:4*:*) 
@@ -894,6 +993,26 @@ # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit 0 ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit 0 ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit 0 ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit 0 ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit 0 ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit 0 ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then @@ -915,22 +1034,19 @@ UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` - (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 - (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 - (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit 0 ;; - i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp - exit 0 ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about 
@@ -954,9 +1070,15 @@ # "miniframe" echo m68010-convergent-sysv exit 0 ;; - M68*:*:R3V[567]*:*) + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit 0 ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit 0 ;; + M68*:*:R3V[5678]*:*) test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` @@ -973,9 +1095,6 @@ mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit 0 ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit 0 ;; @@ -1047,6 +1166,9 @@ SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit 0 ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit 0 ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit 0 ;; 
@@ -1054,18 +1176,25 @@ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit 0 ;; *:Darwin:*:*) - echo `uname -p`-apple-darwin${UNAME_RELEASE} + UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown + case $UNAME_PROCESSOR in + *86) UNAME_PROCESSOR=i686 ;; + unknown) UNAME_PROCESSOR=powerpc ;; + esac + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit 0 ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) - if test "${UNAME_MACHINE}" = "x86pc"; then + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = "x86"; then + UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi - echo `uname -p`-${UNAME_MACHINE}-nto-qnx + echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit 0 ;; *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; - NSR-[KW]:NONSTOP_KERNEL:*:*) + NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; *:NonStop-UX:*:*) @@ -1088,11 +1217,6 @@ fi echo ${UNAME_MACHINE}-unknown-plan9 exit 0 ;; - i*86:OS/2:*:*) - # If we were able to find `uname', then EMX Unix compatibility - # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx - exit 0 ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit 0 ;; @@ -1111,12 +1235,19 @@ *:ITS:*:*) echo pdp10-unknown-its exit 0 ;; - i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} exit 0 ;; - i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit 0 ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms && exit 0 ;; + I*) echo ia64-dec-vms && exit 0 ;; + V*) echo vax-dec-vms && exit 0 ;; + esac esac #echo '(No uname command or uname output not recognized.)' 1>&2 
@@ -1237,8 +1368,7 @@ } EOF -$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm -f $dummy.c $dummy && exit 0 -rm -f $dummy.c $dummy +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0 # Apollos put the system type in the environment. --- bind9-9.9.3.dfsg.P2.orig/contrib/idn/idnkit-1.0-src/config.sub +++ bind9-9.9.3.dfsg.P2/contrib/idn/idnkit-1.0-src/config.sub @@ -1,9 +1,9 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2001-09-07' +timestamp='2004-08-29' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -29,7 +29,8 @@ # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. -# Please send patches to . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. @@ -69,7 +70,7 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO 
@@ -117,7 +118,8 @@ # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | storm-chaos* | os2-emx* | windows32-*) + nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \ + kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; @@ -143,7 +145,7 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis) + -apple | -axis | -knuth | -cray) os= basic_machine=$1 ;; 
@@ -226,32 +228,46 @@ 1750a | 580 \ | a29k \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ | c4x | clipper \ - | d10v | d30v | dsp16xx \ - | fr30 \ + | d10v | d30v | dlx | dsp16xx \ + | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ - | m32r | m68000 | m68k | m88k | mcore \ - | mips16 | mips64 | mips64el | mips64orion | mips64orionel \ - | mips64vr4100 | mips64vr4100el | mips64vr4300 \ - | mips64vr4300el | mips64vr5000 | mips64vr5000el \ - | mipsbe | mipseb | mipsel | mipsle | mipstx39 | mipstx39el \ - | mipsisa32 \ + | ip2k | iq2000 \ + | m32r | m32rle | m68000 | m68k | m88k | mcore \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64vr | mips64vrel \ + | mips64orion | mips64orionel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ + | msp430 \ | ns16k | ns32k \ - | openrisc \ + | openrisc | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | s390 | s390x \ - | sh | sh[34] | sh[34]eb | shbe | shle \ - | sparc | sparc64 | sparclet | sparclite | sparcv9 | sparcv9b \ - | stormy16 | strongarm \ - | tahoe | thumb | tic80 | tron \ - | v850 \ + | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \ + | strongarm \ + | tahoe | thumb | tic4x | tic80 | tron \ + | v850 | v850e \ | we32k \ - | 
x86 | xscale \ + | x86 | xscale | xstormy16 | xtensa \ | z8k) basic_machine=$basic_machine-unknown ;; 
@@ -278,38 +294,57 @@ 580-* \ | a29k-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alphapca5[67]-* | arc-* \ - | arm-* | armbe-* | armle-* | armv*-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* \ | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c54x-* \ - | clipper-* | cray2-* | cydra-* \ - | d10v-* | d30v-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ | elxsi-* \ - | f30[01]-* | f700-* | fr30-* | fx80-* \ + | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ - | m32r-* \ - | m68000-* | m680[01234]0-* | m68360-* | m683?2-* | m68k-* \ + | ip2k-* | iq2000-* \ + | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | mcore-* \ - | mips-* | mips16-* | mips64-* | mips64el-* | mips64orion-* \ - | mips64orionel-* | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* | mipsbe-* | mipseb-* \ - | mipsle-* | mipsel-* | mipstx39-* | mipstx39el-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64sb1-* | mipsisa64sb1el-* \ + | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | msp430-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | 
powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ | romp-* | rs6000-* \ - | s390-* | s390x-* \ - | sh-* | sh[34]-* | sh[34]eb-* | shbe-* | shle-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclite-* \ - | sparcv9-* | sparcv9b-* | stormy16-* | strongarm-* | sv1-* \ - | t3e-* | tahoe-* | thumb-* | tic30-* | tic54x-* | tic80-* | tron-* \ - | v850-* | vax-* \ + | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ + | tahoe-* | thumb-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tron-* \ + | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xmp-* | xps100-* | xscale-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ + | xtensa-* \ | ymp-* \ | z8k-*) ;; @@ -329,6 +364,9 @@ basic_machine=a29k-amd os=-udi ;; + abacus) + basic_machine=abacus-unknown + ;; adobe68k) basic_machine=m68010-adobe os=-scout @@ -343,6 +381,12 @@ basic_machine=a29k-none os=-bsd ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; amdahl) basic_machine=580-amdahl os=-sysv @@ -374,6 +418,10 @@ basic_machine=ns32k-sequent os=-dynix ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; convex-c1) basic_machine=c1-convex os=-bsd 
@@ -394,30 +442,45 @@ basic_machine=c38-convex os=-bsd ;; - cray | ymp) - basic_machine=ymp-cray + cray | j90) + basic_machine=j90-cray os=-unicos ;; - cray2) - basic_machine=cray2-cray - os=-unicos + craynv) + basic_machine=craynv-cray + os=-unicosmp ;; - [cjt]90) - basic_machine=${basic_machine}-cray - os=-unicos + cr16c) + basic_machine=cr16c-unknown + os=-elf ;; crds | unos) basic_machine=m68k-crds ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; + decsystem10* | dec10*) + basic_machine=pdp10-dec + os=-tops10 + ;; + decsystem20* | dec20*) + basic_machine=pdp10-dec + os=-tops20 + ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola @@ -598,28 +661,20 @@ basic_machine=m68k-atari os=-mint ;; - mipsel*-linux*) - basic_machine=mipsel-unknown - os=-linux-gnu - ;; - mips*-linux*) - basic_machine=mips-unknown - os=-linux-gnu - ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; - mmix*) - basic_machine=mmix-knuth - os=-mmixware - ;; monitor) basic_machine=m68k-rom68k os=-coff ;; + morphos) + basic_machine=powerpc-unknown + os=-morphos + ;; msdos) basic_machine=i386-pc os=-msdos @@ -699,6 +754,14 @@ basic_machine=hppa1.1-oki os=-proelf ;; + or32 | or32-*) + basic_machine=or32-unknown + os=-coff + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose 
@@ -721,49 +784,55 @@ pbb) basic_machine=m68k-tti ;; - pc532 | pc532-*) + pc532 | pc532-*) basic_machine=ns32k-pc532 ;; - pentium | p5 | k5 | k6 | nexgen) + pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; - pentiumpro | p6 | 6x86 | athlon) + pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; - pentiumii | pentium2) + pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-*) + pentium4) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - pentiumii-* | pentium2-*) + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc) basic_machine=powerpc-unknown - ;; + ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown - ;; + ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown - ;; + ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown - ;; + ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; 
@@ -784,10 +853,26 @@ rtpc | rtpc-*) basic_machine=romp-ibm ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; sa29200) basic_machine=a29k-amd os=-udi ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; sequent) basic_machine=i386-sequent ;; @@ -795,7 +880,10 @@ basic_machine=sh-hitachi os=-hms ;; - sparclite-wrs) + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; @@ -862,22 +950,42 @@ os=-dynix ;; t3e) - basic_machine=t3e-cray + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray os=-unicos ;; tic54x | c54x*) basic_machine=tic54x-unknown os=-coff ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; + toad1) + basic_machine=pdp10-xkl + os=-tops20 + ;; tower | tower-32) basic_machine=m68k-ncr ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; udi29k) basic_machine=a29k-amd os=-udi @@ -899,8 +1007,8 @@ os=-vms ;; vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; + basic_machine=f301-fujitsu + ;; vxworks960) basic_machine=i960-wrs os=-vxworks @@ -921,17 +1029,13 @@ basic_machine=hppa1.1-winbond os=-proelf ;; - windows32) - basic_machine=i386-pc - os=-windows32-msvcrt + xps | xps100) + basic_machine=xps100-honeywell ;; - xmp) - basic_machine=xmp-cray + ymp) + basic_machine=ymp-cray os=-unicos ;; - xps | xps100) - basic_machine=xps100-honeywell - ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim @@ -952,16 +1056,12 @@ op60c) basic_machine=hppa1.1-oki ;; - mips) - if [ x$os = x-linux-gnu ]; then - basic_machine=mips-unknown - else - basic_machine=mips-mips - fi - ;; romp) basic_machine=romp-ibm ;; + mmix) + basic_machine=mmix-knuth + ;; rs6000) basic_machine=rs6000-ibm ;; 
@@ -978,13 +1078,16 @@ we32k) basic_machine=we32k-att ;; - sh3 | sh4 | sh3eb | sh4eb) + sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; - sparc | sparcv9 | sparcv9b) + sh64) + basic_machine=sh64-unknown + ;; + sparc | sparcv8 | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; - cydra) + cydra) basic_machine=cydra-cydrome ;; orion) @@ -999,10 +1102,6 @@ pmac | pmac-mpw) basic_machine=powerpc-apple ;; - c4x*) - basic_machine=c4x-none - os=-coff - ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; @@ -1058,17 +1157,20 @@ | -aos* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ - | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \ + | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos*) + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) 
@@ -1080,8 +1182,10 @@ ;; esac ;; + -nto-qnx*) + ;; -nto*) - os=-nto-qnx + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ @@ -1090,6 +1194,9 @@ -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; + -linux-dietlibc) + os=-linux-dietlibc + ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; @@ -1102,6 +1209,9 @@ -opened*) os=-openedition ;; + -os400*) + os=-os400 + ;; -wince*) os=-wince ;; @@ -1120,14 +1230,23 @@ -acis*) os=-aos ;; + -atheos*) + os=-atheos + ;; + -syllable*) + os=-syllable + ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; + -nova*) + os=-rtmk-nova + ;; -ns2 ) - os=-nextstep2 + os=-nextstep2 ;; -nsk*) os=-nsk @@ -1139,6 +1258,9 @@ -sinix*) os=-sysv4 ;; + -tpf*) + os=-tpf + ;; -triton*) os=-sysv3 ;; @@ -1166,8 +1288,14 @@ -xenix) os=-xenix ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos ;; -none) ;; @@ -1200,10 +1328,14 @@ arm*-semi) os=-aout ;; + c4x-* | tic4x-*) + os=-coff + ;; + # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; - pdp11-*) + pdp11-*) os=-none ;; *-dec | vax-*) @@ -1230,6 +1362,9 @@ mips*-*) os=-elf ;; + or32-*) + os=-coff + ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; @@ -1242,6 +1377,9 @@ *-ibm) os=-aix ;; + *-knuth) + os=-mmixware + ;; *-wec) os=-proelf ;; @@ -1293,19 +1431,19 @@ *-next) os=-nextstep3 ;; - *-gould) + *-gould) os=-sysv ;; - *-highlevel) + *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; - *-sgi) + *-sgi) os=-irix ;; - *-siemens) + *-siemens) os=-sysv4 ;; *-masscomp) 
@@ -1374,10 +1512,16 @@ -mvs* | -opened*) vendor=ibm ;; + -os400*) + vendor=ibm + ;; -ptx*) vendor=sequent ;; - -vxsim* | -vxworks*) + -tpf*) + vendor=ibm + ;; + -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) --- bind9-9.9.3.dfsg.P2.orig/debian/README.Debian +++ bind9-9.9.3.dfsg.P2/debian/README.Debian 
@@ -0,0 +1,178 @@
+DNSSEC validation turned on by default as of BIND 9.8.1
+-------------------------------------------------------
+As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on
+by default. As the keys get changed over time, this means that a fresh
+install of BIND will require that the admin manually upgrade bind.keys
+to account for the change, before BIND will be able to resolve hosts in
+DNSSEC validated zones.
+
+
+Upgrading from BIND 8.X:
+-----------------------
+
+If you are upgrading an authoritative server from BIND 8.X, please install
+the bind9-doc package and read /usr/share/doc/bind9-doc/misc/migration.gz,
+which contains a set of notes from the BIND maintainers on what changed
+that is likely to need your attention during an upgrade.
+
+
+Upgrading from earlier bind9 packages:
+-------------------------------------
+
+If you installed an early version of the Debian bind9 packages, prior to
+version 1:9.2.0-2 to be more precise, you may have an /etc/bind/rndc.conf
+configuration file still on your system. There's nothing wrong with that,
+and if you've explicitly configured keys for using rndc you may well want to
+leave things exactly as they are!
+
+However, since 9.2.0 BIND 9.X has supported an rndc.key file that both named
+and rndc will read to obtain a shared key for rndc use against a daemon on
+the same host. The rndc-confgen program will easily create a suitable key
+file. To take advantage of this mechanism, you may want to:
+
+ remove the /etc/bind/rndc.conf file
+ remove the rndc key specification in the /etc/bind/named.conf file
+
+ rndc-confgen -r /dev/urandom -a
+
+Alternatively, you can 'purge' the bind9 packages and reinstall them and you
+will end up with the new behavior since it is now the default.
+
+This is more secure than using a static key that isn't generated on a per-host
+basis, and is an easy alternative to more complex key schemes if you only need
+to use rndc to talk to named on the same host.
+
+
+Known Issues:
+------------
+
+I've had a report that lwresd, at least, fails to work with some recent 2.5
+kernels. If you see something in your logs like
+
+ loading configuration from '/etc/bind/lwresd.conf'
+ none:0: open: /etc/bind/lwresd.conf: permission denied
+
+Try rebuilding with --disable-linux-caps added to the configure call in the
+rules file. I'm hoping this is a temporary problem in the 2.5 kernel series,
+but we'll see.
+
+
+Configuration Schema:
+--------------------
+
+The Debian BIND package ships with a config that will work for the majority
+of leaf servers with no user input required.
+
+The named configuration file named.conf is located in /etc/bind, so that all
+static configuration files relating to bind are in one place. If you really
+really don't want named.conf in /etc/bind, then the best way to handle it is
+probably to replace /etc/bind/named.conf with a symlink to the location you
+want to use. You could also use an option to named in the init.d script,
+but that only works for named, not for things like ndc.
+
+Zone data files for the root servers, and the forward and reverse localhost
+zones are also provided in /etc/bind.
+
+The working directory for named is now /var/cache/bind. Thus, any transient
+files generated by named, such as database files for zones the daemon is
+secondary for, will be written to the /var filesystem, where they belong.
+
+To make this work, the named.conf provided uses explicitly fully-qualified
+pathnames to reference the files in /etc/bind.
+
+Unlike previous BIND packages for Debian, the named.conf and provided db.*
+files are tagged as conffiles. Thus, if you just want a "caching mostly"
+server configuration for a server that does not need to be authoritative for
+anything else, you can run the provided configuration as-is. If you want to
+hack on named.conf, or even the init.d fragment, you can feel free to. Future
+package upgrades will treat your configuration changes sanely, as all Debian
+packages should.
+
+While you are free to craft whatever structure you wish for servers which need
+to be authoritative for additional zones, what we suggest is that you put the
+db files for any zones you are master for in /etc/bind (perhaps even in a
+subdirectory structure depending on complexity), using full pathnames in the
+named.conf file. Any zones you are secondary for should be configured in
+named.conf with simple filenames (relative to /var/cache/bind), so the data
+files will be stored in BIND's working directory (defaults to /var/cache/bind).
+Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be
+stored in /var/lib/bind, and specified with full pathnames.
+
+
+Running Chroot'ed:
+-----------------
+
+Several users have asked for Debian BIND to run in a "chroot jail". There are
+various issues associated with making this the default configuration for the
+package in Debian. In the meantime, reasonable instructions on how to do
+this yourself are available on the web from:
+
+ http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html
+
+
+Running Non-Root:
+-----------------
+
+Recent versions of named can be invoked with options that specify a non-root
+user and/or group for named. Read the named man page for more information.
+Note that when running named as a user other than root, it will not be able
+to find new interfaces that appear dynamically, such as during a PCMCIA card
+insertion, or if you're running some flavors of IPSEC and/or IP over IP
+tunnels. If you cannot live with those limitations, feel free to edit the
+/etc/init.d/bind9 script to change the invocation of named.
+
+The default is now to run as the user 'bind' (which is automatically created
+in the group 'bind', if it doesn't exist), unless named.conf has been changed.
+To change this, edit /etc/default/bind9
+
+Please note that 'ndc restart' doesn't honor all the original command line
+options to named, so we explicitly don't use it in the init.d script provided
+with the package, and you should be careful about using it if you decide to
+run named non-root.
+
+
+PPP Control Script:
+-----------------
+
+Unfortunately, 'ndc reload' will not honor any command line options that were
+fed to named on the initial invocation. If you can live with that, and
+want to wiggle your DNS configuration when your PPP link goes up or down, the
+following script fragment from Francesco Potorti` may be helpful
+to you:
+
+ I suggest adding this as bot /etc/ppp/ip-up.d/bind and
+ /etc/ppp/ip-down.d/bind:
+
+ ================================================================
+ #!/bin/sh
+ if [ -x /usr/sbin/ndc -a -x /usr/sbin/named ]
+ then
+ /usr/sbin/ndc reload > /dev/null
+ fi
+ ================================================================
+
+ This should cause no harm in any case, and should be helpful in these
+ cases:
+ - you configure bind as a forwarder. When ppp is down, it cannot access
+ the network. As soon as ppp is up, it is forced by the script to try
+ again, and it succeeds.
+ - someone writes a clever script that, coupled with the `usepeerdns'
+ command of pppd, makes a forwarding-only bind use the right servers by
+ rewriting the configuration file after ppp goes up. Then the script
+ above makes bind reload the configuration.
+
+ Now, someone should write that clever script :-)
+
+ By the way, this is a badly wanted feature, that should help setting up
+ a ppp connection automatically. Currently, setting up a ppp connection
+ is much easier on a windows system than on linux, and there is really no
+ reason why it should be so, given that all the tools are there.
+
+
+Apparmor Profile
+----------------
+If your system uses apparmor, please note that the shipped enforcing profile
+works with the default installation, and changes in your configuration may
+require changes to the installed apparmor profile. Please see
+https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+software.
--- bind9-9.9.3.dfsg.P2.orig/debian/apparmor-profile
+++ bind9-9.9.3.dfsg.P2/debian/apparmor-profile
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+# Last Modified: Fri Jun 1 16:43:22 2007
+#include
+
+/usr/sbin/named {
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # /etc/bind should be read-only for bind
+ # /var/lib/bind is for dynamically updated zone (and journal) files.
+ # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+ # See /usr/share/doc/bind9/README.Debian.gz
+ /etc/bind/** r,
+ /var/lib/bind/** rw,
+ /var/lib/bind/ rw,
+ /var/cache/bind/** lrw,
+ /var/cache/bind/ rw,
+
+ # gssapi
+ /etc/krb5.keytab kr,
+ /etc/bind/krb5.keytab kr,
+
+ # ssl
+ /etc/ssl/openssl.cnf r,
+
+ # dnscvsutil package
+ /var/lib/dnscvsutil/compiled/** rw,
+
+ /proc/net/if_inet6 r,
+ /proc/*/net/if_inet6 r,
+ /usr/sbin/named mr,
+ /{,var/}run/named/named.pid w,
+ /{,var/}run/named/session.key w,
+ # support for resolvconf
+ /{,var/}run/named/named.options r,
+
+ # some people like to put logs in /var/log/named/ instead of having
+ # syslog do the heavy lifting.
+ /var/log/named/** rw,
+ /var/log/named/ rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
--- bind9-9.9.3.dfsg.P2.orig/debian/apparmor-profile.local
+++ bind9-9.9.3.dfsg.P2/debian/apparmor-profile.local
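Review bot: The four `#include` directives in the profile (the one before `/usr/sbin/named {`, the two right after it, and the `local/` one before the closing brace) carry no target as shown on this page; if that is the packaged file content rather than the angle-bracketed names having been dropped in extraction, `apparmor_parser` will reject the profile, and the postinst's `apparmor_parser -r "$APP_PROFILE" || true` would hide that failure so named ends up unconfined. Worth confirming against the shipped file. Independently, the profile comment `# /etc/bind should be read-only for bind` is the only place that records why `/etc/bind/** r,` must not be widened; a pointer there to the `/var/lib/bind` rule for anything named has to write (`# dynamic zones go to /var/lib/bind, never here`) would keep the two rules from drifting apart.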
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.named.
+# For more details, please see /etc/apparmor.d/local/README.
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9-doc.dirs
+++ bind9-9.9.3.dfsg.P2/debian/bind9-doc.dirs
@@ -0,0 +1 @@
+usr/share/doc/bind9-doc/arm
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9-doc.docs
+++ bind9-9.9.3.dfsg.P2/debian/bind9-doc.docs
@@ -0,0 +1 @@
+doc/misc
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9-host.dirs
+++ bind9-9.9.3.dfsg.P2/debian/bind9-host.dirs
@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man/man1
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9-host.install
+++ bind9-9.9.3.dfsg.P2/debian/bind9-host.install
@@ -0,0 +1,2 @@
+usr/bin/host
+usr/share/man/man1/host.1*
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9-resolvconf.service
+++ bind9-9.9.3.dfsg.P2/debian/bind9-resolvconf.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=local BIND via resolvconf
+Documentation=man:named(8) man:resolvconf(8)
+Requires=bind9.service
+After=bind9.service
+ConditionFileIsExecutable=/sbin/resolvconf
+
+[Service]
+ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named'
+ExecStop=/sbin/resolvconf -d lo.named
+
+[Install]
+WantedBy=bind9.service
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.NEWS
+++ bind9-9.9.3.dfsg.P2/debian/bind9.NEWS
@@ -0,0 +1,14 @@
+bind9 (1:9.4.0-1) experimental; urgency=low
+
+ As of bind 9.4, allow-query-cache and allow-recursion default to the
+ builtin acls 'localnets' and 'localhost'. If you are setting up a
+ name server for a network, you will almost certainly need to change
+ this.
+
+ The change in default has been done to make caching servers less
+ attractive as reflective amplifying targets for spoofed traffic.
+ This still leaves authoritative servers exposed.
+
+ The best fix is for full BCP 38 deployment to remove spoofed traffic.
+
+ -- LaMont Jones Wed, 03 Oct 2007 00:52:44 -0600
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.apport
+++ bind9-9.9.3.dfsg.P2/debian/bind9.apport
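Review bot: The `[Service]` section of bind9-resolvconf.service has no `Type=` or `RemainAfterExit=`, so under the default `Type=simple` the unit is considered finished as soon as the `/bin/sh -c '... /sbin/resolvconf -a lo.named'` command exits, and systemd then runs `ExecStop=/sbin/resolvconf -d lo.named`, removing the nameserver entry it just added. Add `Type=oneshot` and `RemainAfterExit=yes` so the unit stays active, and the `-d` only runs when bind9.service stops. `WantedBy=bind9.service` in `[Install]` is unusual enough to deserve a comment, e.g. `# pulled in together with named, never on its own`.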
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+
+'''apport hook for bind9
+
+(c) 2010 Andres Rodriguez.
+Author: Andres Rodriguez
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2 of the License, or (at your
+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
+the full text of the license.
+'''
+
+from apport.hookutils import *
+import re
+
+def add_info(report, ui):
+ response = ui.yesno("The contents of your /etc/bind/named.conf file "
+ "may help developers diagnose your bug more "
+ "quickly. However, it may contain sensitive "
+ "information. Do you want to include it in your "
+ "bug report?")
+
+ if response == None: # user cancelled
+ raise StopIteration
+ elif response == True:
+ attach_conffiles(report,'bind9')
+
+ # getting syslog stuff
+ report['SyslogBind9'] = recent_syslog(re.compile(r'named\['))
+
+ # Attaching related packages info
+ attach_related_packages(report, ['bind9utils', 'apparmor'])
+
+ attach_mac_events(report, '/usr/sbin/named')
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.config
+++ bind9-9.9.3.dfsg.P2/debian/bind9.config
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+db_input low bind9/start-as-user || true
+db_go
+
+db_input low bind9/different-configuration-file || true
+db_go
+
+db_input low bind9/run-resolvconf || true
+db_go
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.dirs
+++ bind9-9.9.3.dfsg.P2/debian/bind9.dirs
@@ -0,0 +1,13 @@
+etc/ufw/applications.d
+etc/apparmor.d/force-complain
+etc/apparmor.d/local
+etc/bind
+usr/bin
+usr/sbin
+var/cache/bind
+var/run/named
+usr/share/bind9
+etc/ppp/ip-up.d
+etc/ppp/ip-down.d
+etc/network/if-up.d
+etc/network/if-down.d
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.docs
+++ bind9-9.9.3.dfsg.P2/debian/bind9.docs
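Review bot: The yes/no prompt in `add_info` only gates `attach_conffiles(report,'bind9')`; the `recent_syslog(re.compile(r'named\['))` excerpt on the following line is attached regardless of the answer, and with query logging enabled those lines carry client addresses and queried names, the same class of data the prompt warns about. Either mention the log excerpt in the prompt text or move the `report['SyslogBind9']` assignment under the `response == True` branch. Style: `response == None` and `response == True` should be `response is None` and `if response:`, and since `raise StopIteration` is what tells apport to abandon the report, say so in place of the bare `# user cancelled`, e.g. `# user cancelled; StopIteration makes apport abort the report`.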
@@ -0,0 +1,2 @@
+FAQ
+README
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.init
+++ bind9-9.9.3.dfsg.P2/debian/bind9.init
@@ -0,0 +1,145 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides: bind9
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $network $syslog
+# Should-Stop: $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop bind9
+# Description: bind9 is a Domain Name Server (DNS)
+# which translates ip addresses to and from internet names
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# for a chrooted server: "-u bind -t /var/lib/named"
+# Don't modify this line, change or create /etc/default/bind9.
+OPTIONS=""
+RESOLVCONF=no
+
+test -f /etc/default/bind9 && . /etc/default/bind9
+
+test -x /usr/sbin/rndc || exit 0
+
+. /lib/lsb/init-functions
+PIDFILE=/var/run/named/named.pid
+
+check_network() {
+ if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
+ IFCONFIG_OPTS="-au"
+ else
+ IFCONFIG_OPTS=""
+ fi
+ if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
+ #log_action_msg "No networks configured."
+ return 1
+ fi
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting domain name service..." "bind9"
+
+ modprobe capability >/dev/null 2>&1 || true
+
+ # dirs under /var/run can go away on reboots.
+ mkdir -p /var/run/named
+ chmod 775 /var/run/named
+ chown root:bind /var/run/named >/dev/null 2>&1 || true
+
+ if [ ! -x /usr/sbin/named ]; then
+ log_action_msg "named binary missing - not starting"
+ log_end_msg 1
+ fi
+
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS; then
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
+ fi
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping domain name service..." "bind9"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d lo.named
+ fi
+ pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}') || true
+ if [ -z "$pid" ]; then # no pid found, so either not running, or error
+ pid=$(pgrep -f ^/usr/sbin/named) || true
+ start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS
+ fi
+ if [ -n $pid ]; then
+ sig=0
+ n=1
+ while kill -$sig $pid 2>/dev/null; do
+ if [ $n -eq 1 ]; then
+ echo "waiting for pid $pid to die"
+ fi
+ if [ $n -eq 11 ]; then
+ echo "giving up on pid $pid with kill -0; trying -9"
+ sig=9
+ fi
+ if [ $n -gt 20 ]; then
+ echo "giving up on pid $pid"
+ break
+ fi
+ n=$(($n+1))
+ sleep 1
+ done
+ fi
+ log_end_msg 0
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading domain name service..." "bind9"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ /usr/sbin/rndc reload >/dev/null && log_end_msg 0 || log_end_msg 1
+ ;;
+
+ restart)
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ exit 1
+ fi
+
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ ret=0
+ status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
+ exit $ret
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.postinst
+++ bind9-9.9.3.dfsg.P2/debian/bind9.postinst
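Review bot: `if [ -n $pid ]; then` in the `stop)` branch leaves `$pid` unquoted, so when neither `rndc stop -p` nor `pgrep` produced a pid the test collapses to `[ -n ]`, which is true, and the wait loop runs `kill -0` with an empty pid list; write `if [ -n "$pid" ]; then`. In the `start)` branch both failure paths (`named binary missing`, `no networks configured`) call `log_end_msg 1` without an `exit`, so control reaches `start-stop-daemon` unless the `-e` on the shebang turns the non-zero return of `log_end_msg` into a script exit, which it will not do when the script is run as `sh /etc/init.d/bind9`; an explicit `exit 1` after each `log_end_msg 1` removes that dependence. The `stop)` branch has the same pattern and, with `-e` honoured, refuses to stop named when `check_network` fails, which reads as unintended.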
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+if [ "$1" = configure ]; then
+ lastversion="$2";
+
+ # lets give them a bind user/group in all cases.
+ getent group bind >/dev/null 2>&1 || addgroup --system bind
+ getent passwd bind >/dev/null 2>&1 ||
+ adduser --system --home /var/cache/bind --no-create-home \
+ --disabled-password --ingroup bind bind
+
+ if [ -z "$lastversion" ] || dpkg --compare-versions "$lastversion" lt 1:9.4.2-2 ; then
+ mkdir -p /var/lib/bind
+ chown root:bind /var/lib/bind
+ chmod 775 /var/lib/bind
+ fi
+
+ if [ ! -s /etc/bind/rndc.key ]; then
+ rndc-confgen -r /dev/urandom -a
+ fi
+
+ # no sumfile means you get the default
+ [ -f /var/lib/bind/bind9-default.md5sum ] ||
+ echo "2cfcfb7bf1b99c7930fd475907e38be7 /etc/default/bind9" > /var/lib/bind/bind9-default.md5sum
+
+ if [ -f /etc/default/bind9 ] && \
+ [ "$(cat /var/lib/bind/bind9-default.md5sum)" = "$(md5sum /etc/default/bind9)" ]; then
+ config="/etc/default/bind9"
+ elif [ ! -e /etc/default/bind9 ]; then
+ config="/etc/default/bind9"
+ else
+ config="/etc/default/bind9.dpkg-dist"
+ fi
+
+
+ # On a fresh install, or if we are upgrading from pre-9.8, think about dnssec
+ if [ -z "$lastversion" ] || dpkg --compare-versions "$lastversion" lt 1:9.8.1.dfsg-1 ; then
+ UPDATE_OPTS="n"
+ if [ -f /etc/bind/named.conf.options ]; then
+ case $(md5sum /etc/bind/named.conf.options | sed 's/ .*$//') in
+ d6b678ac90fd6ab163d74dfe5d68c2c9) UPDATE_OPTS=y;; # 9.4.2ish
+ 0367900f381d5c83cf34009440f3d211) UPDATE_OPTS=y;; # 9.6 and later
+ 56919cbc0d819c9a303a8bdeb306b5f1) UPDATE_OPTS=ok;; # 9.8
+ esac
+ case $UPDATE_OPTS in
+ y)
+ echo Updating named.conf.options to include DNSSEC enablement
+ cp /usr/share/bind9/named.conf.options /etc/bind/named.conf.options
+ chmod 644 /etc/bind/named.conf.options
+ ;;
+ n)
+ echo NOT updating named.conf.options to include DNSSEC enablement
+ ;;
+ esac
+ else
+ cp /usr/share/bind9/named.conf.options /etc/bind/named.conf.options
+ chmod 644 /etc/bind/named.conf.options
+ fi
+ fi
+
+ localconf=""
+ if [ ! -f $config ]; then
+ CONF=/etc/bind/named.conf
+ for file in ${CONF} ${CONF}.local ${CONF}.default-zones; do
+ if [ -f ${file} ]; then
+ theirs=$(md5sum $file | sed 's/ .*$//')
+ mine=$(dpkg --status bind9 | grep "^ $file " | sed -n 's/.* //p')
+ if [ "$mine" != "$theirs" ]; then
+ localconf="y"
+ fi
+ else
+ localconf="y"
+ fi
+ done
+ if [ -n "$localconf" ]; then
+ db_reset bind9/start-as-user
+ else
+ db_set bind9/start-as-user bind || true
+ fi
+
+ echo '#'
+ echo '# run resolvconf?' >> $config
+ db_get bind9/run-resolvconf
+ if [ ! -z "$RET" ] && [ "$RET" = "true" ]; then
+ echo "RESOLVCONF=yes" >> $config
+ else
+ echo "RESOLVCONF=no" >> $config
+ fi
+
+ db_get bind9/start-as-user
+ USER=$RET
+ db_get bind9/different-configuration-file
+ CONFFILE=$RET
+
+ echo '' >> $config
+ echo '# startup options for the server' >> $config
+ if [ ! -z "$USER" ] && [ ! -z "$CONFFILE" ]; then
+ echo "OPTIONS=\"-u $USER -c $CONFFILE\"" >> $config
+ elif [ ! -z "$USER" ]; then
+ echo "OPTIONS=\"-u $USER\"" >> $config
+ elif [ ! -z "$CONFFILE" ]; then
+ echo "OPTIONS=\"-c $CONFFILE\"" >> $config
+ else
+ echo "OPTIONS=\"\"" >> $config
+ fi
+ else
+ db_get bind9/run-resolvconf
+ if [ ! -z "$RET" ] && [ "$RET" = "true" ]; then
+ sed -e "s#^\([[:space:]]*\)\(RESOLVCONF=[[:space:]]*\)[^ ]*#\1\2yes#g" -i $config
+ else
+ sed -e "s#^\([[:space:]]*\)\(RESOLVCONF=[[:space:]]*\)[^ ]*#\1\2no#g" -i $config
+ fi
+ db_get bind9/start-as-user
+ if [ ! -z "$RET" ]; then
+ if [ ! -z "`grep OPTIONS $config`" ]; then
+ if [ ! -z "`grep OPTIONS $config | grep '\-u'`" ]; then
+ sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)-u[[:space:]]*[^\" ]*\([^\"]*\)\"#\1=\"\2-u $RET\3\"#g" -i $config
+ else
+ sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)\"#\1=\"\2 -u $RET\"#g" -i $config
+ fi
+ else
+ echo "OPTIONS=\"-u $RET\""
+ fi
+ fi
+ db_get bind9/different-configuration-file
+ if [ ! -z "$RET" ]; then
+ if [ ! -z "`grep OPTIONS $config | grep '\-c'`" ]; then
+ sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)-c[[:space:]]*[^\" ]*\([^\"]*\)\"#\1=\"\2-c $RET\3\"#g" -i $config
+ else
+ sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)\"#\1=\"\2 -c $RET\"#g" -i $config
+ fi
+ fi
+ fi
+
+ if [ "$config" = "/etc/default/bind9" ]; then
+ md5sum /etc/default/bind9 > /var/lib/bind/bind9-default.md5sum
+ fi
+
+ uid=$(ls -ln /etc/bind/rndc.key | awk '{print $3}')
+ if [ "$uid" = "0" ]; then
+ [ -n "$localconf" ] || chown bind /etc/bind/rndc.key
+ chgrp bind /etc/bind
+ chmod g+s /etc/bind
+ chgrp bind /etc/bind/rndc.key /var/cache/bind
+ chgrp bind /etc/bind/named.conf* || true
+ chmod g+r /etc/bind/rndc.key /etc/bind/named.conf* || true
+ chmod g+rwx /var/cache/bind
+ fi
+
+ # Reload AppArmor profile
+ APP_PROFILE="/etc/apparmor.d/usr.sbin.named"
+ if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
+ apparmor_parser -r "$APP_PROFILE" || true
+ fi
+
+ if pidof /usr/sbin/named >/dev/null 2>&1; then
+ invoke-rc.d bind9 restart
+ else
+ invoke-rc.d bind9 start
+ fi
+fi
+
+db_stop
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.postrm
+++ bind9-9.9.3.dfsg.P2/debian/bind9.postrm
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+#DEBHELPER#
+
+if [ "$1" = "purge" ]; then
+ rm -f /etc/bind/rndc.key /etc/bind/named.conf.options /etc/default/bind9
+ rmdir /etc/bind >/dev/null 2>&1 || true
+ rm -f /etc/apparmor.d/force-complain/usr.sbin.named >/dev/null 2>&1 || true
+ rm -f /var/lib/bind/bind9-default.md5sum
+ rmdir /var/lib/bind
+ # delete bind daemon user, if it exists
+ if getent passwd bind > /dev/null ; then
+ echo "Deleting bind user"
+ deluser --quiet bind > /dev/null || true
+ fi
+fi
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.preinst
+++ bind9-9.9.3.dfsg.P2/debian/bind9.preinst
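Review bot: Two writes into the generated defaults file are missing their redirection: `echo '#'` (the line before `echo '# run resolvconf?' >> $config`) and `echo "OPTIONS=\"-u $RET\""` in the innermost `else` under `db_get bind9/start-as-user` both go to stdout, so the header comment is dropped and, in the second case, the user chosen in debconf is never written when the existing file has no `OPTIONS` line. Both should end in `>> $config`. The `md5sum` comparison `[ "$(cat /var/lib/bind/bind9-default.md5sum)" = "$(md5sum /etc/default/bind9)" ]` compares whole `sum  path` strings, which works only while the recorded path is exactly `/etc/default/bind9`; a comment saying so next to the `echo "2cfcfb7b... /etc/default/bind9"` seed line would prevent someone "fixing" it to store only the hash. In the permission block, `chgrp bind` plus `chmod g+r` on `/etc/bind/rndc.key` makes membership in group `bind` equivalent to rndc control of the server; that is the intended trust boundary and deserves a one-line comment so other daemons are not added to that group casually.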
@@ -0,0 +1,44 @@
+#!/bin/sh
+# pre install script for the Debian bind9 package
+
+set -e
+
+# Check if we are upgrading while running a kernel before 2.2.18. If so abort
+# immediately since we don't support those kernels anymore.
+if [ "$1" = "upgrade" ] && dpkg --compare-versions "`uname -r`" lt 2.2.18 ; then
+ cat </dev/null || true
+ if dpkg --compare-versions $2 lt 1:9.3.4-2ubuntu2 ; then
+ # force-complain for pre-apparmor upgrades
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ elif dpkg --compare-versions $2 lt 1:9.4.2-3ubuntu1 ; then
+ if [ -e "$APP_CONFFILE" ]; then
+ md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+ pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+ if [ "$md5sum" = "$pkg_md5sum" ]; then
+ # force-complain when upgrade from pre-shipped profile and an existing
+ # profile is same as in conffiles
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ else
+ # force-complain on upgrade from pre-shipped profile and
+ # there is no existing profile
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ fi
+fi
+
+
+#DEBHELPER#
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.prerm
+++ bind9-9.9.3.dfsg.P2/debian/bind9.prerm
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove)
+ # if bind is running, stop it before removing
+ if pidof named >/dev/null 2>&1; then
+ # test if invoke-rc.d command is present on this system
+ if command -v invoke-rc.d >/dev/null 2>&1; then
+ invoke-rc.d bind9 stop
+ # if really not, use initscript
+ else
+ /etc/init.d/bind9 stop
+ fi
+ fi
+ ;;
+
+ upgrade)
+ # leave bind running during the upgrade
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.service
+++ bind9-9.9.3.dfsg.P2/debian/bind9.service
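Review bot: `dpkg --compare-versions $2 lt 1:9.3.4-2ubuntu2` and the `elif` below it leave `$2` unquoted; on a fresh install `$2` is empty, the word disappears and dpkg is handed a two-argument comparison, which fails and under `set -e` aborts the preinst — unless the enclosing condition already restricts the block to upgrades, which cannot be checked here because the text between `cat <` and `/dev/null || true` looks like a heredoc and the `APP_CONFFILE`/`APP_COMPLAIN` assignments lost in page extraction. Quote both as `dpkg --compare-versions "$2" lt ...` and, if the outer `if` does not already do so, guard with `[ "$1" = upgrade ] && [ -n "$2" ]`. The three `ln -sf $APP_CONFFILE $APP_COMPLAIN` lines should quote their operands for the same reason, even if the values are presumably fixed paths.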
@@ -0,0 +1,12 @@
+[Unit]
+Description=BIND Domain Name Server
+Documentation=man:named(8)
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/named -f -u bind
+ExecReload=/usr/sbin/rndc reload
+ExecStop=/usr/sbin/rndc stop
+
+[Install]
+WantedBy=multi-user.target
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.tmpfile
+++ bind9-9.9.3.dfsg.P2/debian/bind9.tmpfile
@@ -0,0 +1 @@
+d /run/named 0775 root bind - -
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9.ufw.profile
+++ bind9-9.9.3.dfsg.P2/debian/bind9.ufw.profile
@@ -0,0 +1,5 @@
+[Bind9]
+title=Internet Domain Name Server
+description=The Berkeley Internet Name Domain (BIND) implements an Internet domain name server.
+ports=53
+
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9utils.dirs
+++ bind9-9.9.3.dfsg.P2/debian/bind9utils.dirs
@@ -0,0 +1,3 @@
+usr
+usr/sbin
+usr/share/man/man8
--- bind9-9.9.3.dfsg.P2.orig/debian/bind9utils.install
+++ bind9-9.9.3.dfsg.P2/debian/bind9utils.install
@@ -0,0 +1,24 @@
+usr/sbin/dnssec-checkds
+usr/sbin/dnssec-dsfromkey
+usr/sbin/dnssec-keyfromlabel
+usr/sbin/dnssec-keygen
+usr/sbin/dnssec-revoke
+usr/sbin/dnssec-settime
+usr/sbin/dnssec-signzone
+usr/sbin/dnssec-verify
+usr/sbin/named-checkconf
+usr/sbin/named-checkzone
+usr/sbin/named-compilezone
+usr/sbin/rndc
+usr/sbin/rndc-confgen
+usr/share/man/man8/dnssec-dsfromkey.8
+usr/share/man/man8/dnssec-keyfromlabel.8
+usr/share/man/man8/dnssec-keygen.8
+usr/share/man/man8/dnssec-revoke.8
+usr/share/man/man8/dnssec-settime.8
+usr/share/man/man8/dnssec-signzone.8
+usr/share/man/man8/named-checkconf.8
+usr/share/man/man8/named-checkzone.8
+usr/share/man/man8/named-compilezone.8
+usr/share/man/man8/rndc-confgen.8
+usr/share/man/man8/rndc.8
--- bind9-9.9.3.dfsg.P2.orig/debian/changelog
+++ bind9-9.9.3.dfsg.P2/debian/changelog
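Review bot: `ExecStart=/usr/sbin/named -f -u bind` hardcodes the user and never reads `/etc/default/bind9`, which the postinst in this same commit fills with `OPTIONS="-u ... -c ..."` and `RESOLVCONF=` and which `bind9.init` sources; on a systemd boot the debconf answers for start-as-user and different-configuration-file therefore have no effect, and a site that set `-t` for a chroot there loses it silently. Add `EnvironmentFile=-/etc/default/bind9` and `ExecStart=/usr/sbin/named -f $OPTIONS` so both init paths honour the same settings, or state in a comment that the unit deliberately ignores the defaults file. The unit also carries no `Restart=` and no hardening directives such as `PrivateTmp=`; that may be out of scope for a first unit file, but a `# TODO: Restart= and sandboxing` line would keep it from being forgotten.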
@@ -0,0 +1,1983 @@ +bind9 (1:9.9.3.dfsg.P2-3) unstable; urgency=low + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + [LaMont Jones] + + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build. Closes: #713025 + * deliver rrl.h and stat.h Closes: #692483, #720813 + + -- LaMont Jones Tue, 27 Aug 2013 10:06:37 -0600 + +bind9 (1:9.9.3.dfsg.P2-2build1) saucy; urgency=low + + [Marc Deslauriers] + + * 9.9.2.dfsg.P1-2ubuntu1: fixed in 9.9.3b1 + * 9.9.2.dfsg.P1-2ubuntu3: fixed in 9.9.3-P2 + + [Robie Basak] + + * 9.9.2.dfsg.P1-2ubuntu2: fixed in 9.9.3b1 + + [LaMont Jones] + + * Merge ubuntu changes, except: autoconf files are generated as part + of the source packagee creation, not on the build host. NAK + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + -- LaMont Jones Thu, 22 Aug 2013 10:57:17 -0600 + +bind9 (1:9.9.3.dfsg.P2-2) unstable; urgency=low + + * ack NMUs of 9.8.4 + - upstream 9.9.3-P2 fixes: CVE-2013-4854, CVE-2012-5689, + CVE-2013-2266 + - deliver rrl.h + + [LaMont Jones] + + * Use ISC's bin/tests + * Diff cleanup and rationalization to 9.9.3 upstream + + -- LaMont Jones Sat, 17 Aug 2013 07:09:54 -0600 + +bind9 (1:9.9.3.dfsg.P2-1) unstable; urgency=low + + + [Internet Software Consortium, Inc] + + * 9.9.3-P2 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + [LaMont Jones] + + * soname changes + + [Paul Vixie] + + * Reapply rpz/rrl patches from http://www.redbarn.org/dns/ratelimits + + -- LaMont Jones Wed, 14 Aug 2013 10:38:59 -0600 + +bind9 (1:9.9.2.dfsg.P1-3) experimental; urgency=low + + [LaMont Jones] + + * Merge 1:9.8.4.dfsg.P1-6 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). 
Closes: #696661 + + -- LaMont Jones Mon, 04 Mar 2013 09:30:50 -0700 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu3) saucy; urgency=low + + * SECURITY UPDATE: denial of service via incorrect bounds checking on + private type 'keydata' + - lib/dns/rdata/generic/keydata_65533.c: check for correct length. + - Patch backported from 9.9.3-P2 + - CVE-2013-4854 + + -- Marc Deslauriers Sun, 28 Jul 2013 10:13:06 -0400 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu2) raring; urgency=low + + * configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475). + * debian/control: add Build-Depends on dh-autoreconf. + * debian/rules: use dh_autoreconf and dh_autoreconf_clean. + + -- Robie Basak Wed, 10 Apr 2013 16:50:28 +0000 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu1) raring; urgency=low + + * SECURITY UPDATE: denial of service via regex syntax checking + - configure,configure.in,config.h.in: remove check for regex.h to + disable regex syntax checking. + - CVE-2013-2266 + + -- Marc Deslauriers Thu, 28 Mar 2013 15:04:57 -0400 + +bind9 (1:9.9.2.dfsg.P1-2) experimental; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * zone transfers now involve link(), update the apparmor profile + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + * re-drop dlzexternal test + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. Closes: #668801 + + [Sebastian Wiesinger] + + * Build and deliver dnssec-checkds and dnssec-verify in bind9utils + + -- LaMont Jones Wed, 09 Jan 2013 10:09:40 -0700 + +bind9 (1:9.8.4.dfsg.P1-6+nmu3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2013-4854: A specially crafted query that includes malformed rdata can + cause named to terminate with an assertion failure while rejecting the + malformed query. 
(Closes: #717936). + + -- Salvatore Bonaccorso Sat, 27 Jul 2013 10:24:07 +0200 + +bind9 (1:9.8.4.dfsg.P1-6+nmu2) unstable; urgency=medium + + * Non-maintainer upload. + * Install /usr/include/dns/rrl.h (closes: #699834). + + -- Michael Gilbert Tue, 16 Apr 2013 01:59:05 +0000 + +bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA + lookup for a record with an A record overwrite rule in a Response Policy + Zone (closes: #699145). + * Fix cve-2013-2266: issues in regular expression handling (closes: #704174). + + -- Michael Gilbert Fri, 29 Mar 2013 00:47:25 +0000 + +bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + -- LaMont Jones Fri, 01 Mar 2013 08:23:27 -0700 + +bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low + + [LaMont Jones] + + * Properly acknowledge 1:9.8.1.dfsg.P1-4.4: [Philipp Kern] + - Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing the patch. + + [Paul Vixie] + + * Include rpz/rrl patches from http://www.redbarn.org/dns/ratelimits. + Closes: #698641 + + -- LaMont Jones Wed, 30 Jan 2013 14:04:35 -0700 + +bind9 (1:9.8.4.dfsg.P1-4) unstable; urgency=high + + * The rest of the dnssec validation logspam removal. Closes: #697681 + + -- LaMont Jones Mon, 21 Jan 2013 13:18:53 -0700 + +bind9 (1:9.8.4.dfsg.P1-3) unstable; urgency=low + + [Marc Deslauriers] + + * debian/bind9.apport: Add AppArmor info and logs to apport hook. + + [LaMont Jones] + + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. 
Closes: #668801 + + -- LaMont Jones Wed, 09 Jan 2013 09:47:24 -0700 + +bind9 (1:9.9.2.dfsg.P1-1) experimental; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones Wed, 05 Dec 2012 05:27:18 -0700 + +bind9 (1:9.8.4.dfsg.P1-2) unstable; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * Re-enable dlopen, do not build the test that fails. Closes: #692416 + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + + -- LaMont Jones Mon, 07 Jan 2013 06:50:25 -0700 + +bind9 (1:9.8.4.dfsg.P1-1) unstable; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones Wed, 05 Dec 2012 05:22:06 -0700 + +bind9 (1:9.9.2.dfsg-1) experimental; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version 9.9.2 + * soname fixes + + -- LaMont Jones Thu, 01 Nov 2012 08:59:57 -0600 + +bind9 (1:9.9.1.dfsg.P1-1) unstable; urgency=low + + [LaMont Jones] + + * New upstream 9.9.1-P1 + + -- LaMont Jones Wed, 13 Jun 2012 08:22:15 -0600 + +bind9 (1:9.9.0.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.9.0 release + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. 
Closes: #661040 + + -- LaMont Jones Mon, 23 Apr 2012 09:52:51 -0600 + +bind9 (1:9.9.0.dfsg~rc4-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * soname changes for new release + + -- LaMont Jones Fri, 17 Feb 2012 17:51:39 -0700 + +bind9 (1:9.8.4.dfsg-1ubuntu2) raring; urgency=low + + * SECURITY UPDATE: denial of service via DNS64 and crafted query + - bin/named/query.c: init rdataset before cleanup. + - Patch backported from 9.8.4-P1 + - CVE-2012-5688 + + -- Marc Deslauriers Wed, 05 Dec 2012 15:42:08 -0500 + +bind9 (1:9.8.4.dfsg-1ubuntu1) raring; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/bind9.apport: Add AppArmor info and logs to apport hook. + + -- Marc Deslauriers Fri, 23 Nov 2012 08:13:50 -0500 + +bind9 (1:9.8.4.dfsg-1) unstable; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version + * soname fixup + * Ack NMUs + + -- LaMont Jones Mon, 29 Oct 2012 08:37:49 -0600 + +bind9 (1:9.8.1.dfsg.P1-4.4) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing + the patch. + + -- Philipp Kern Sat, 03 Nov 2012 20:43:43 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.3) unstable; urgency=medium + + [ Philipp Kern ] + * Non-maintainer upload. + + [ Marc Deslauriers ] + * SECURITY UPDATE: denial of service via specific combinations of RDATA + - bin/named/query.c: fix logic + - Patch backported from 9.8.3-P4 + - CVE-2012-5166 + + -- Philipp Kern Sun, 28 Oct 2012 20:28:11 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix denial of service vulnerability triggered + through an assert because of using bad cache + (CVE-2012-3817; Closes: #683259). 
+ + -- Nico Golde Mon, 30 Jul 2012 20:56:10 +0200 + +bind9 (1:9.8.1.dfsg.P1-4.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * SECURITY UPDATE: ghost domain names attack + - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that + of the old NS RRset when replacing it. + - Patch backported from 9.8.2. + - CVE-2012-1033 + * SECURITY UPDATE: denial of service via zero length rdata handling + - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for + duplicate rdata. + - Patch backported from 9.8.3-P1. + - CVE-2012-1667 + + -- Luk Claes Wed, 20 Jun 2012 15:26:09 -0400 + +bind9 (1:9.8.1.dfsg.P1-4) unstable; urgency=low + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. Closes: #661040 + + -- LaMont Jones Fri, 13 Apr 2012 12:09:24 -0600 + +bind9 (1:9.8.1.dfsg.P1-3) unstable; urgency=low + + [Zlatan Todoric] + + * fixed Serbian latin translation of debconf template. Closes: #634951 + + [Peter Eisentraut] + + * Add support for "status" action to lwresd init script. Closes: #651540 + + [Bjørn Steensrud] + + * NB Translations. Closes: #654454 + + [LaMont Jones] + + * Default to run_resolvconf=false. LP: #933723 + * Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202 + * Do not deliver /usr/share/bind9/bind9-default.md5sum in the bind9 deb. + Closes: #620007 LP: #681536 + * Deliver and use /etc/apparmor.d/local/usr.sbin.named for local overrides. + LP: #929563 + + -- LaMont Jones Fri, 17 Feb 2012 14:40:29 -0800 + +bind9 (1:9.8.1.dfsg.P1-2) unstable; urgency=low + + * Deliver named.conf.options on fresh install. 
Closes: #657042 LP: #920202 + + -- LaMont Jones Wed, 25 Jan 2012 03:55:21 -0700 + +bind9 (1:9.8.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.1-P1 + - Cache lookup could return RRSIG data associated with nonexistent + records, leading to an assertion failure. + + [LaMont Jones] + + * add a readme entry for DNSSEC-by-default + * Failed to install due to chgrp on non-existant directory. Closes: #647598 + * ack NMU: l10n issues + + -- LaMont Jones Wed, 18 Jan 2012 10:44:14 -0700 + +bind9 (1:9.8.1.dfsg-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - Danish (Joe Hansen). Closes: #619302 + - Korean (강민지). Closes: #632006, #632016 + - Serbian (FULL NAME). Closes: #634886 + + -- Christian Perrier Sat, 03 Dec 2011 17:22:12 +0100 + +bind9 (1:9.8.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * cleanup the messages around killing named + * enable dnssec validation: deliver named.conf.options outside of + conffiledom, and update if able, complain and do not update if not + Closes: #516979 + * typo in min-ncache-ttl processing + * disable dlz until we get a patch to make it build again + + [Jay Ford] + + * Fix "waiting for pid $pid to die" loop to not be infinite. Closes: #570852 + + -- LaMont Jones Tue, 01 Nov 2011 16:39:19 -0600 + +bind9 (1:9.8.0.dfsg.P1-0) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.0-P1 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones Fri, 13 May 2011 03:46:22 -0600 + +bind9 (1:9.7.4.dfsg-0) unstable; urgency=low + + * New upstream + + -- LaMont Jones Sun, 21 Aug 2011 04:43:16 -0600 + +bind9 (1:9.7.3.dfsg-1ubuntu4) oneiric; urgency=low + + * debian/apparmor-profile: Allow /var/run and /run. 
(LP: #810270) + + -- Martin Pitt Thu, 14 Jul 2011 15:15:45 +0200 + +bind9 (1:9.7.3.dfsg-1ubuntu3) oneiric; urgency=low + + * SECURITY UPDATE: denial of service via specially crafted packet + - lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache, + nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute + flag to indicate negative-cache records rather than using rrtype 0. + - Patch backported from 9.7.3-P3. + - CVE-2011-2464 + + -- Marc Deslauriers Tue, 05 Jul 2011 08:33:30 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2.1) natty-security; urgency=low + + * SECURITY UPDATE: denial of service via off-by-one + - lib/dns/ncache.c: correctly validate length. + - Patch backported from 9.7.3-P1. + - CVE-2011-1910 + + -- Marc Deslauriers Fri, 27 May 2011 12:50:40 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2) natty; urgency=low + + * debian/rules, configure, contrib/dlz/config.dlz.in: use + DEB_HOST_MULTIARCH so we can find multiarch libraries and fix FTBFS. + (LP: #745642) + + -- Marc Deslauriers Wed, 30 Mar 2011 10:19:37 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu1) natty; urgency=low + + * debian/bind9-default.md5sum: + - updated to reflect the default md5sum in maverick and natty, this + avoids a bogus /etc/default/bind9.dpkg-dist file + (LP: #556332) + + -- Michael Vogt Tue, 29 Mar 2011 10:13:11 +0200 + +bind9 (1:9.7.3.dfsg-1) unstable; urgency=low + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. + + [Internet Systems Consortium, Inc] + + * 9.7.3 - Closes: #612287 + + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones Wed, 23 Feb 2011 09:14:36 -0700 + +bind9 (1:9.7.3.dfsg~rc1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. 
+ + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes for new upstream + + -- LaMont Jones Fri, 04 Feb 2011 21:20:05 -0700 + +bind9 (1:9.7.2.dfsg.P3-1) unstable; urgency=high + + [ISC] + * Fix denial of service via ncache entry and a rrsig for the + same type (CVE-2010-3613) + * answers were incorrectly marked as insecure during key algorithm + rollover (CVE-2010-3614) + * Using "allow-query" in the "options" or "view" statements to + restrict access to authoritative zones had no effect. + (CVE-2010-3615) + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + + -- LaMont Jones Wed, 01 Dec 2010 16:32:48 -0700 + +bind9 (1:9.7.2.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + * acknowledge and incorporate ubuntu change. + + -- LaMont Jones Fri, 26 Nov 2010 05:18:43 -0700 + +bind9 (1:9.7.2.dfsg.P2-2ubuntu1) natty; urgency=low + + [ Andres Rodriguez ] + * Add apport hook (LP: #533601): + - debian/bind9.apport: Added. + + [ Martin Pitt ] + * debian/rules: Install Apport hook when building on Ubuntu. + + -- Martin Pitt Fri, 26 Nov 2010 10:50:17 +0100 + +bind9 (1:9.7.2.dfsg.P2-2) unstable; urgency=low + + [Roy Jamison] + + * lib/isc/unix/resource.c was missing inttypes.h include. LP: #674199 + + -- LaMont Jones Fri, 12 Nov 2010 10:52:32 -0700 + +bind9 (1:9.7.2.dfsg.P2-1) unstable; urgency=low + + [Joe Dalton] + + * Add Danish translation of debconf templates. Closes: #599431 + + [Internet Software Consortium, Inc] + + * v9.7.2-P2 + + [José Figueiredo] + + * Add Brazilian Portuguese debconf templates translation. Closes: #597616 + + [LaMont Jones] + + * drop this v3 (quilt) source format idea. 
Closes: #589916 + + -- LaMont Jones Sun, 10 Oct 2010 19:01:57 -0600 + +bind9 (1:9.7.1.dfsg.P2-2) unstable; urgency=low + + * Correct conflicts for bind9-host + + -- LaMont Jones Fri, 16 Jul 2010 05:24:38 -0600 + +bind9 (1:9.7.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Temporarily and partially disable change 2864 because it would cause + inifinite attempts of RRSIG queries. This is an urgent care fix; we'll + revisit the issue and complete the fix later. [RT #21710] + * Temporarially rollback change 2748. [RT #21594] + * Named failed to accept uncachable negative responses from insecure zones. + [RT# 21555] + + [LaMont Jones] + + * freshen copyright file + + -- LaMont Jones Thu, 15 Jul 2010 15:07:54 -0600 + +bind9 (1:9.7.1.dfsg.0-1) unstable; urgency=low + + * Repack to drop zkt/doc/{draft,rfc}* Closes: #588055 + + -- LaMont Jones Mon, 05 Jul 2010 07:21:34 -0600 + +bind9 (1:9.7.1.dfsg-2) unstable; urgency=low + + [Regid Ichira] + + * explicitly add nsupdate to dynamic updates in README.Debian. + Closes: #577398 + + [LaMont Jones] + + * Cleanup bind9-host description. Closes: #579421 + * switch to 3.0 (quilt) source format, but not to quilt. Closes: #578210 + + [Stephen Gran] + + * updated geoip patch for ipv6, based on work by John 'Warthog9' Hawley + . Closes: #584603 + + -- LaMont Jones Fri, 02 Jul 2010 08:19:29 -0600 + +bind9 (1:9.7.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.1 + + [LaMont Jones] + + * Add freebsd support. Closes: #578447 + * soname changes + * freshen root cache. LP: #596363 + + -- LaMont Jones Mon, 21 Jun 2010 09:53:30 -0600 + +bind9 (1:9.7.0.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0-P1 + - 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] + + -- LaMont Jones Wed, 17 Mar 2010 08:06:42 -0600 + +bind9 (1:9.7.0.dfsg.1-1) unstable; urgency=low + + [Niko Tyni] + + * fix mips/mipsel startup. 
Closes: #516616 + + [LaMont Jones] + + * ignore failures due to a lack of /etc/bind/named.conf*. LP: #422968 + * ldap API changed regarding % sign. LP: #227344 + * Drop more rfc and draft files. Closes: #572606 + * update config.guess, config.sub. Closes: #572528 + + -- LaMont Jones Fri, 12 Mar 2010 14:56:08 -0700 + +bind9 (1:9.7.0.dfsg-2) unstable; urgency=low + + [Aurelien Jarno] + + * kfreebsd has linux threads. Closes: #470500 + + [LaMont Jones] + + * do not error out on initial install. Closes: #572443 + + -- LaMont Jones Thu, 04 Mar 2010 09:32:13 -0700 + +bind9 (1:9.7.0.dfsg-1) unstable; urgency=low + + * New upstream release + + -- LaMont Jones Wed, 17 Feb 2010 14:53:36 -0700 + +bind9 (1:9.7.0.dfsg~rc2-1) experimental; urgency=low + + * New upstream release + + -- LaMont Jones Thu, 28 Jan 2010 05:46:50 -0700 + +bind9 (1:9.7.0.dfsg~b3-2) experimental; urgency=low + + * merge changes from 9.6.1.dfsg.P2-1 + * meta: drop verisoned depends from library packages, for less upgrade pain + * apparmor: allow named to create /var/run/named/session.key + + -- LaMont Jones Sun, 06 Dec 2009 11:46:17 -0700 + +bind9 (1:9.7.0.dfsg~b3-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b3 + + [LaMont Jones] + + * Merge remote branch 'origin/master' + * soname changes + + -- LaMont Jones Mon, 30 Nov 2009 21:07:58 -0700 + +bind9 (1:9.6.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1-P2 + - When validating, track whether pending data was from the + additional section or not and only return it if validates + as secure. [RT #20438] CVE-2009-4022 + + [LaMont Jones] + + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + * meta: soname changes + * l10n: missing newline in pofile. 
+ + -- LaMont Jones Fri, 27 Nov 2009 10:07:10 -0700 + +bind9 (1:9.7.0.dfsg~b2-2) experimental; urgency=low + + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + + -- LaMont Jones Tue, 17 Nov 2009 22:42:40 -0600 + +bind9 (1:9.7.0.dfsg~b2-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b2 + + [LaMont Jones] + + * /etc/bind/bind.keys need not be executable. + * bind9: drop old stale code from postinst + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * l10n: missing newline in pofile. + + -- LaMont Jones Mon, 16 Nov 2009 18:53:24 -0700 + +bind9 (1:9.7.0~a1.dfsg-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0a1 + + -- LaMont Jones Wed, 24 Jun 2009 15:10:08 -0600 + +bind9 (1:9.6.1.dfsg.P1-3) unstable; urgency=low + + * Build-Depend on the fixed libgeoip-dev. Closes: #540973 + + -- LaMont Jones Mon, 17 Aug 2009 06:53:11 -0600 + +bind9 (1:9.6.1.dfsg.P1-2) unstable; urgency=low + + [Jamie Strandboge] + + * reload individual named profile, not all of apparmor. LP: #412751 + + [Guillaume Delacour] + + * bind9 did not purge cleanly. Closes: #497959 + + [LaMont Jones] + + * postinst: do not append a blank line to /etc/default/bind9. + Closes: #541469 + * init.d stop needs to not error out. LP: #398033 + * meta: fix build-depends. Closes: #539230 + + -- LaMont Jones Fri, 14 Aug 2009 17:03:31 -0600 + +bind9 (1:9.6.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * A specially crafted update packet will cause named to exit. + CVE-2009-0696, CERT VU#725188. Closes: #538975 + + [InterNIC] + + * Update db.root hints file. + + [LaMont Jones] + + * Move default zone definitions from named.conf to named.conf.default-zones. + Closes: #492308 + * use start-stop-daemon if rndc stop fails. 
Closes: #536487 + * lwresd: pidfile name was wrong in init script. Closes: #527137 + + -- LaMont Jones Tue, 28 Jul 2009 22:03:14 -0600 + +bind9 (1:9.6.1.dfsg-2) unstable; urgency=low + + * ia64: fix atomic.h + + -- LaMont Jones Tue, 23 Jun 2009 01:56:35 -0600 + +bind9 (1:9.6.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1 + + -- LaMont Jones Mon, 22 Jun 2009 14:33:20 -0600 + +bind9 (1:9.6.0.dfsg.P1-3) unstable; urgency=low + + [Martin Zobel-Helas] + + * GEO-IP Patch from + git://git.kernel.org/pub/scm/network/bind/bind-geodns.git. Closes: #395191 + + [LaMont Jones] + + * Remove /var/lib/bind on purge. Closes: #527613 + * Build-Depend: libdb-dev (>4.6). Closes: #527877, #528772 + * init.d: detect rndc errors better. LP: #380962 + * init.d: clean up exit status. Closes: #523454 + * Enable pkcs11 support, and then Revert - causes assertion failures + c.f.: #516552 + + -- LaMont Jones Mon, 22 Jun 2009 13:58:32 -0600 + +bind9 (1:9.6.0.dfsg.P1-2) unstable; urgency=low + + * random_1 broke memory usage assertions. + + -- LaMont Jones Thu, 23 Apr 2009 05:15:45 -0600 + +bind9 (1:9.6.0.dfsg.P1-1) experimental; urgency=low + + [Michael Milligan] + + * Add min-cache-ttl and min-ncache-ttl keywords + + [LaMont Jones] + + * Fix merge errors from 9.6.0.dfsg.P1-0 + + -- LaMont Jones Fri, 20 Mar 2009 15:50:50 -0600 + +bind9 (1:9.6.0.dfsg.P1-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.0-P1 + + [LaMont Jones] + + * meta: fix override disparity + * meta: soname package fixups for 9.6.0 + * meta: update Standards-Version: 3.7.3.0 + * upstream now uses a bind subdir. Closes: #212659 + + [Sven Joachim] + + * meta: pass host and build into configure for hybrid build machines. 
+ Closes: #515110 + + -- LaMont Jones Fri, 20 Mar 2009 11:54:55 -0600 + +bind9 (1:9.5.1.dfsg.P1-3) unstable; urgency=low + + * package -2 for unstable + + -- LaMont Jones Wed, 18 Mar 2009 09:40:18 -0600 + +bind9 (1:9.5.1.dfsg.P1-2) stable; urgency=low + + [Juhana Helovuo] + + * fix atomic operations on alpha. Closes: #512285 + + [Dann Frazier] + + * fix atomic operations on ia64. Closes: #520179 + + [LaMont Jones] + + * build-conflict: libdb4.2-dev. Closes: #515074, #507013 + + [localization folks] + + * l10n: Basque debconf template. Closes: #516549 (Piarres Beobide) + + -- LaMont Jones Wed, 18 Mar 2009 05:30:22 -0600 + +bind9 (1:9.5.1.dfsg.P1-1) unstable; urgency=low + + * New upstream patch release + - supportable version of fix from 9.5.0.dfsg.P2-5.1 + - CVE-2009-0025: Closes: #511936 + - 2475: Overly agressive cache entry removal. Closes: #511768 + - other bug fixes worthy of patch-release inclusion + + -- LaMont Jones Mon, 26 Jan 2009 10:33:42 -0700 + +bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low + + * Non-maintainer upload. + * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided + by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot + contacted him. Closes: #496954, #501800. + * Remove obsolete dh_installmanpages invocation which was adding + unwanted manual pages to bind9. Closes: #486196. + + -- Ben Hutchings Fri, 02 Jan 2009 16:51:42 +0000 + +bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low + + [ISC] + + * 2463: IPv6 Advanced Socket API broken on linux. LP: #249824 + + [Jamie Strandboge] + + * apparmor: add capability sys_resource + * apparmor: add krb keytab access. LP: #277370 + + [LaMont Jones] + + * apparmor: allow proc/*/net/if_inet6 read access too. LP: #289060 + * apparmor: add /var/log/named/* entries. LP: #294935 + + [Ben Hutchings] + + * meta: Add dependency of bind9 on net-tools (ifconfig used in init script) + * meta: Fix bind9utils Depends. 
+ * meta: fix typo in package description + + [localization folks] + + * l10n: add polish debconf translations. Closes: #506856 (L) + + -- LaMont Jones Sun, 07 Dec 2008 21:03:29 -0700 + +bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low + + * meta: fix typo in Depends: lsb-base. Closes: #501365 + + -- LaMont Jones Tue, 07 Oct 2008 17:20:11 -0600 + +bind9 (1:9.5.0.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * enable largefile support. Closes: #497040 + + [localization folks] + + * l10n: Dutch translation. Closes: #499977 (Paul Gevers) + * l10n: simplified chinese debconf template. Closes: #501103 (LI Daobing) + * l10n: Update spanish template. Closes: #493775 (Ignacio Mondino) + + -- LaMont Jones Sun, 05 Oct 2008 20:20:00 -0600 + +bind9 (1:9.5.0.dfsg.P2-2) unstable; urgency=low + + [Kees Cook] + + * debian/{control,rules}: enable PIE hardening (from -1ubuntu1) + + [Nicolas Valcárcel] + + * Add ufw integration (from -1ubuntu2) + + [Dustin Kirkland] + + * use pid file in init.d/bind9 status. LP: #247084 + + [LaMont Jones] + + * dig: add -DDIG_SIGCHASE to compile options. LP: #257682 + * apparmor profile: add /var/log/named + + [Nikita Ofitserov] + + * ipv6 support requires _GNU_SOURCE definition. LP: #249824 + + -- LaMont Jones Thu, 28 Aug 2008 23:08:36 -0600 + +bind9 (1:9.5.0.dfsg.P2-1) unstable; urgency=low + + [LaMont Jones] + + * default to using resolvconf if it is installed + * fix sonames and dependencies. Closes: #149259, #492418 + * Do not build-depend libcap2-dev on non-linux. Closes: #493392 + * drop unused query-loc manpage. Closes: #492564 + * lwresd: Deliver /etc/bind directory. Closes: #490027 + * fix query-source comment in default install + + [Internet Software Consortium, Inc] + + * 9.5.0-P2. Closes: #492949 + + [localization folks] + + * l10n: Spanish debconf translation. Closes: #492425 (Ignacio Mondino) + * l10n: Swedish debconf templates. Closes: #491369 (Martin Ã…gren) + * l10n: Japanese debconf translations. 
Closes: #492048 (Hideki Yamane + (Debian-JP)) + * l10n: Finnish translation. Closes: #490630 (Esko Arajärvi) + * l10n: Italian debconf translations. Closes: #492587 (Alessandro Vietta) + + -- LaMont Jones Sat, 02 Aug 2008 14:20:20 -0600 + +bind9 (1:9.5.0.dfsg.P1-2) unstable; urgency=low + + * Revert "meta: merge the mess of single-lib packages back into one large + one." - That way lies madness and pain. + * init.d/bind9: implement status function. LP: #203169 + + -- LaMont Jones Tue, 08 Jul 2008 21:56:58 -0600 + +bind9 (1:9.5.0.dfsg.P1-1) unstable; urgency=low + + * Repackage 9.5.0.dfsg-5 with the -P1 tarball. + + -- LaMont Jones Tue, 08 Jul 2008 15:06:07 -0600 + +bind9 (1:9.5.0.dfsg-5) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Randomize UDP query source ports to improve forgery resilience. + (CVE-2008-1447) + + [LaMont Jones] + + * add build-depends: texlive-latex-base, xsltproc, remove Bv9ARM.pdf in clean + * fix sonames + * drop unneeded build-deps, since we do not actually deliver B9vARM.pdf + * meta: cleanup libbind9-41 Provides/Conflicts + * build: fix sonames for new libraries + * postinst: really restart bind/lwresd in postinst + + -- LaMont Jones Sun, 06 Jul 2008 21:34:18 -0600 + +bind9 (1:9.5.0.dfsg-4) unstable; urgency=low + + [LaMont Jones] + + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + * lwresd: restart in postinst. Closes: #486481 + * meta: merge the mess of single-lib packages back into one large one. + * apparmor: allow bind to create files in /var/{lib,cache}/bind + * build: drop .la files. Closes: #486969 + * build: drop the extra lib path from the library-package merge + * meta: liblwres40 does not conflict with the libbind9-40-provided libbind0 + + [localization folks] + + * l10n: German debconf translation. Closes: #486547 (Helge Kreutzmann) + * l10n: Indonesian debconf translations. 
Closes: #486503 (Arief S Fitrianto) + * l10n: Slovak po-debconf translation Closes: #488905 (helix84) + * l10n: Turkish debconf template. Closes: #486479 (Mert Dirik) + + -- LaMont Jones Mon, 30 Jun 2008 11:22:05 -0600 + +bind9 (1:9.4.2-12) unstable; urgency=low + + * apparmor: allow bind to create files in /var/{lib,cache}/bind + + -- LaMont Jones Mon, 30 Jun 2008 11:17:53 -0600 + +bind9 (1:9.4.2-11) unstable; urgency=low + + * apparmor: add dnscvsutil package files + * lwresd Depends: adduser + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + + -- LaMont Jones Tue, 17 Jun 2008 21:30:12 -0600 + +bind9 (1:9.5.0.dfsg-3) unstable; urgency=low + + [LaMont Jones] + + * bind9utils Depends: libbind9-40. Closes: #486194 + * bind9 should not deliver manpages for nonexistant binaries. + Closes: #486196 + + [localization folks] + + * l10n: Vietnamese debconf templates translation update. Closes: #486185 + (Clytie Siddall) + * l10n: Russian debconf templates translation. Closes: #486191 (Yuri Kozlov) + * l10n: Galician debconf template. Closes: #486215 (Jacobo Tarrio) + * l10n: French debconf templates. Closes: #486325 (CALARESU Luc) + * l10n: Czech debconf translation. Closes: #486337 (Miroslav Kure) + * l10n: Updated Portuguese translation. Closes: #486267 (Traduz - + Portuguese Translation Team) + + -- LaMont Jones Sun, 15 Jun 2008 18:25:02 -0600 + +bind9 (1:9.5.0.dfsg-2) unstable; urgency=low + + [Tim Spriggs] + + * init.d: Nexenta has different ifconfig arguments + + [LaMont Jones] + + * templates rework from debian-l10n-english + * reload named when an interface goes up or down. LP: #226495 + * build: need to create the directories for interface restart triggering + * Build-Depends: libcap2-dev. Closes: #485747 + * Leave named running during update. Closes: #453765 + * Fix path to uname, cleaning up the nexenta checks. + * l10n: avoid double-question in templates. + + [localization folks] + + * l10n: Vietnamese debconf translations. 
Closes: #483911 (Clytie Siddall)
+ * l10n: Portuguese debconf translations. Closes: #483872 (Traduz -
+ Portuguese Translation Team)
+
+ -- LaMont Jones Fri, 13 Jun 2008 16:54:42 -0600
+
+bind9 (1:9.5.0.dfsg-1) unstable; urgency=low
+
+ [LaMont Jones]
+
+ * manpages: fix references that should say /etc/bind
+ * meta: build-depend libxml2-dev for statistics support
+
+ -- LaMont Jones Sat, 31 May 2008 12:17:21 -0600
+
+bind9 (1:9.5.0.dfsg-0) experimental; urgency=low
+
+ [Internet Software Consortium, Inc]
+
+ * 9.5.0 release
+
+ [LaMont Jones]
+
+ * Only use capabilities if they are present: reprise. Closes: #360339, #212226
+ * control: fix dnsutils description to avoid list reformatting. Closes: #480317
+ * build: use the correct directories in dh_shlibdeps invocation
+ * build: turn on dlz. No pgsql or mysql support yet. LP: #227344
+
+ -- LaMont Jones Thu, 29 May 2008 22:05:19 -0600
+
+bind9 (1:9.5.0~rc1-2~0ubuntu2) intrepid; urgency=low
+
+ * build: use the correct directories in dh_shlibdeps invocation
+ * build: turn on dlz. LP: #227344
+
+ -- LaMont Jones Tue, 27 May 2008 21:43:06 -0600
+
+bind9 (1:9.5.0~rc1-2~0ubuntu1) intrepid; urgency=low
+
+ * Upload what will become (maybe an ancestor of) -2 to intrepid.
+ - Only use capabilities if they are present: reprise. Closes: #360339, #212226
+ - control: fix dnsutils description to avoid list reformatting. Closes: #480317
+
+ -- LaMont Jones Mon, 26 May 2008 11:46:27 -0600
+
+bind9 (1:9.5.0~rc1-1) experimental; urgency=low
+
+ [Patrick Winnertz]
+
+ * postinst: make add debconf support. Closes: #473460
+
+ [Jamie Strandboge]
+
+ * debian/bind9.preinst: Apparmor force-complain on upgrade without
+ existing profile. LP: #204658
+
+ [LaMont Jones]
+
+ * bind9utils: fix typos in .install
+ * host: manpage inaccurately describes default query. LP: #203087
+ * apparmor: add dnscvsutil package files
+ * Revert "Only use capabilities if they are present." for merge of 9.5.0rc1.
+ * soname: libdns41 -> 42
+ * fix typos in debconf patch, #473460
+ * cleanup more files in clean target
+ * lwresd Depends: adduser
+
+ -- LaMont Jones Thu, 15 May 2008 17:59:54 -0600
+
+bind9 (1:9.5.0~b2-2) experimental; urgency=low
+
+ * meta: add bind9utils binary package, with various useful utilities. Closes: #151957, #130445, #160483
+
+ -- LaMont Jones Thu, 03 Apr 2008 07:01:42 -0600
+
+bind9 (1:9.4.2-10) unstable; urgency=low
+
+ [Jamie Strandboge]
+
+ * debian/bind9.preinst: AA force-complain on upgrade without existing
+ profile. LP: #204658
+
+ [LaMont Jones]
+
+ * host: manpage inaccurately describes default query. LP: #203087
+
+ -- LaMont Jones Tue, 08 Apr 2008 22:45:57 -0600
+
+bind9 (1:9.4.2-9) unstable; urgency=low
+
+ * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind
+ * apparmor: make profile match README.Debian
+
+ -- LaMont Jones Tue, 01 Apr 2008 21:13:05 -0600
+
+bind9 (1:9.4.2-8) unstable; urgency=low
+
+ [ISC]
+
+ * CVE-2008-0122: off by one error in (unused) inet_network function.
+ Closes: #462783 LP: #203476
+
+ [Michael Milligan]
+
+ * Fix min-cache-ttl and min-ncache-ttl keywords
+
+ [Jamie Strandboge]
+
+ * apparmor: force complain-mode for apparmor on certain upgrades. LP: #203528
+ * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named
+
+ -- LaMont Jones Tue, 18 Mar 2008 18:35:15 -0600
+
+bind9 (1:9.4.2-7) unstable; urgency=low
+
+ [Jamie Strandboge]
+
+ * Allow rw access to /var/lib/bind/* in apparmor-profile. LP: #201954
+
+ [LaMont Jones]
+
+ * Drop root-delegation comments from named.conf. Closes: #217829, #297219
+
+ -- LaMont Jones Sat, 15 Mar 2008 09:48:10 -0600
+
+bind9 (1:9.4.2-6) unstable; urgency=low
+
+ * Correct apparmor profile filename. LP: #200739
+
+ -- LaMont Jones Mon, 10 Mar 2008 14:28:01 -0600
+
+bind9 (1:9.4.2-5) unstable; urgency=low
+
+ * add "order random_1" support (return one random RR)
+ * Fix doc pathnames in README.Debian.
Closes: #266891
+ * Add AAAA ::1 entry to db.local. Closes: #230088
+
+ -- LaMont Jones Mon, 10 Mar 2008 13:51:28 -0600
+
+bind9 (1:9.5.0~b2-1) experimental; urgency=low
+
+ [Thiemo Seufer]
+
+ * mips:atomic.h: improve implementation of atomic ops, fix mips{el,64}
+
+ [LaMont Jones]
+
+ * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750
+ * named.conf.5: correct filename. Closes: #428015
+ * manpages: fix typo errors. Closes: #395834
+ * Makefile.in: be explicit about library paths
+ * build: Turn on GSS-TSIG support. LP: #158197
+ * build: soname changes
+ * db.root: include AAAA RRs. Closes: #464111
+ * soname: lib{dns,isc}40 -> 41
+ * meta: use binary:Version instead of Source-Version
+
+ [Andreas John]
+
+ * Only use capabilities if they are present. Closes: #360339, #212226
+
+ -- LaMont Jones Sat, 23 Feb 2008 08:06:17 -0700
+
+bind9 (1:9.4.2-4) unstable; urgency=low
+
+ * incorporate ubuntu apparmor change from Jamie Strandboge,
+ with changes:
+ - Add apparmor profile, reload apparmor profile on config
+ - Add a note about apparmor to README.Debian
+ - conflicts/replaces old apparmor versions
+ * db.root: include AAAA RRs. Closes: #464111
+ * Don't die when /var/lib/bind already exists. LP: #191685
+ * build: turn on optimization. Closes: #435194
+
+ -- LaMont Jones Fri, 22 Feb 2008 22:05:25 -0700
+
+bind9 (1:9.4.2-3ubuntu1) hardy; urgency=low
+
+ * add AppArmor profile
+ + debian/apparmor-profile
+ + debian/bind9.postinst: Reload AA profile on configuration
+ * updated debian/README.Debian for note on AppArmor
+ * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
+ should now take control
+ * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
+ to make sure that if earlier version of apparmor-profiles gets installed
+ it won't overwrite our profile
+ * Modify Maintainer value to match the DebianMaintainerField
+ specification.
+
+ -- Jamie Strandboge Wed, 13 Feb 2008 17:30:45 +0000
+
+bind9 (1:9.4.2-3) unstable; urgency=low
+
+ * don't run rndc-confgen when it's not there. Closes: #459551
+ * control: drop use of ${Source-Version}
+
+ -- LaMont Jones Mon, 07 Jan 2008 10:16:06 -0700
+
+bind9 (1:9.4.2-2) unstable; urgency=low
+
+ * init.d: add --oknodo to start-stop-daemon. Closes: #411881
+ * init: LSB dependency info. Closes: #459421, #448006
+ * meta: bind9 Suggests: resolvconf. Closes: #252285
+ * bind9: deliver /var/lib/bind directory, and document.
+ Closes: #248771, #200253, #202981, #209022
+ * lwresd: create bind user/group and rndc key if needed, at install.
+ Closes: #190742
+ * dnsutils: update long description. Closes: #236901
+
+ -- LaMont Jones Sun, 06 Jan 2008 12:25:31 -0700
+
+bind9 (1:9.4.2-1) unstable; urgency=low
+
+ [Mike O'Connor]
+
+ * bind9.init: LSB compliance. Closes: #448006
+
+ [Internet Software Consortium, Inc]
+
+ * New release: 9.4.2
+
+ [LaMont Jones]
+
+ * soname shifts for new release
+
+ -- LaMont Jones Sat, 17 Nov 2007 10:50:07 -0700
+
+bind9 (1:9.4.2~rc2-1) experimental; urgency=low
+
+ * New upstream release
+
+ -- LaMont Jones Fri, 12 Oct 2007 18:33:57 -0600
+
+bind9 (1:9.4.1-P1-4) unstable; urgency=low
+
+ [Thomas Antepoth]
+
+ * unix/socket.c: don't send to a socket with pending_send. Closes: #430065
+
+ [LaMont Jones]
+
+ * document git repositories
+ * db.root: l.root-servers.net changed IP address. Closes: #449148 LP: #160176
+ * init.d: if there are no networks configured, error out quickly
+
+ -- LaMont Jones Thu, 08 Nov 2007 21:31:55 -0700
+
+bind9 (1:9.4.1-P1-3) unstable; urgency=low
+
+ * Only deliver upstream changes with bind9-doc
+
+ -- LaMont Jones Thu, 04 Oct 2007 08:30:55 -0600
+
+bind9 (1:9.4.1-P1-2) unstable; urgency=low
+
+ * manpages: fix typo errors. Closes: #395834
+ * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750
+ * named.conf.5: correct filename.
Closes: #428015
+ * bind9.NEWS: update version for ACL change doc. Closes: #435225
+ * build: don't have dnsutils deliver man pages that it shouldn't. LP: #82178
+ * nslookup.1: some of the manpage was not visible. LP: #131415
+ * document git repositories
+ * unix/socket.c: don't send to a socket with pending_send. Closes: #430065
+
+ -- LaMont Jones Wed, 03 Oct 2007 01:10:59 -0600
+
+bind9 (1:9.4.1-P1-1) unstable; urgency=high
+
+ * New upstream version, addresses CVE-2007-2926 and CVE-2007-2925
+
+ -- Bdale Garbee Thu, 26 Jul 2007 16:41:50 -0600
+
+bind9 (1:9.4.1-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- LaMont Jones Mon, 30 Apr 2007 16:59:05 -0600
+
+bind9 (1:9.4.0-2) unstable; urgency=low
+
+ * upload to unstable
+
+ -- LaMont Jones Tue, 10 Apr 2007 11:12:16 -0600
+
+bind9 (1:9.4.0-1) experimental; urgency=low
+
+ * New upstream version
+ * more mipsel patch. Closes: #406409
+
+ -- LaMont Jones Sun, 25 Feb 2007 11:44:11 -0700
+
+bind9 (1:9.4.0~rc2-1) experimental; urgency=low
+
+ * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494
+
+ -- LaMont Jones Thu, 25 Jan 2007 14:26:12 -0700
+
+bind9 (1:9.4.0~rc1.0-3) experimental; urgency=low
+
+ * add NEWS file talking about the change in defaults:
+ As of bind 9.4, allow-query-cache and allow-recursion default to the
+ builtin acls 'localnets' and 'localhost'. If you are setting up a
+ name server for a network, you will almost certainly need to change
+ this.
+
+ The change in default has been done to make caching servers less
+ attractive as reflective amplifying targets for spoofed traffic.
+ This still leaves authoritative servers exposed.
+
+ -- LaMont Jones Wed, 24 Jan 2007 09:35:06 -0700
+
+bind9 (1:9.4.0~rc1.0-2) experimental; urgency=low
+
+ * Fix mips64. Closes: #406409
+
+ -- LaMont Jones Sun, 21 Jan 2007 15:32:27 -0700
+
+bind9 (1:9.4.0~rc1.0-1) experimental; urgency=low
+
+ * Broken orig.tar.gz.
+
+ -- LaMont Jones Thu, 28 Dec 2006 23:04:05 -0700
+
+bind9 (1:9.4.0~rc1-1) experimental; urgency=low
+
+ * New upstream
+
+ -- LaMont Jones Thu, 28 Dec 2006 19:00:37 -0700
+
+bind9 (1:9.3.4-2etch2) stable-proposed-updates; urgency=low
+
+ [Thomas Antepoth]
+
+ * unix/socket.c: don't send to a socket with pending_send. Closes: #430065
+
+ [LaMont Jones]
+
+ * document git repositories
+ * db.root: l.root-servers.net changed IP address. Closes: #449148
+
+ -- LaMont Jones Mon, 05 Nov 2007 19:48:23 -0700
+
+bind9 (1:9.3.4-2etch1) stable-security; urgency=high
+
+ * Fix DNS cache poisoning through predictable query IDs. (CVE-2007-2926)
+
+ -- Moritz Muehlenhoff Tue, 24 Jul 2007 22:09:35 +0000
+
+bind9 (1:9.3.4-2) unstable; urgency=high
+
+ * Actually really do the merge of 9.3.4. Sigh. Closes: #408925
+
+ -- LaMont Jones Mon, 29 Jan 2007 06:09:03 -0700
+
+bind9 (1:9.3.4-1) unstable; urgency=high
+
+ * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494
+
+ -- LaMont Jones Thu, 25 Jan 2007 14:31:09 -0700
+
+bind9 (1:9.3.3-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- LaMont Jones Tue, 12 Dec 2006 23:31:51 -0700
+
+bind9 (1:9.3.2-P1.0-1) unstable; urgency=low
+
+ * Fix README.Debian to point to the URL. Closes: #387437
+ * Strip rfc's from orig.tar.gz. Closes: #393359
+
+ -- LaMont Jones Mon, 16 Oct 2006 06:38:22 -0600
+
+bind9 (1:9.3.2-P1-2) unstable; urgency=low
+
+ * Fix init script output. Closes: #354192
+ Thanks to Joey Hess for the patch.
+ * Default install should listen on ipv6 interfaces. Closes: #382438
+
+ -- LaMont Jones Sat, 9 Sep 2006 19:01:53 -0600
+
+bind9 (1:9.3.2-P1-1) unstable; urgency=high
+
+ * New upstream, fixes CVE-2006-4095 and CVE-2006-4096.
+ Closes: #386237, #386245
+ * Drop gcc-3.4 [powerpc] dependency. Closes: #342957, #372203
+ * Add -fno-strict-aliasing for type-punned pointer aliasing issues
+ Closes: #386224
+ * Use getent in postinst instead of chown/chgrp.
Closes: #386091, #239665
+ * Drop redundant update-rc.d calls. Closes: #356914
+
+ -- LaMont Jones Wed, 6 Sep 2006 08:07:13 -0600
+
+bind9 (1:9.3.2-2) unstable; urgency=low
+
+ * correct force-reload. Closes: #333841
+ * Fix init.d's usage message. Closes: #331090
+ * resolvconf tweaks. Closes: #252232, #275412
+
+ -- LaMont Jones Mon, 16 Jan 2006 15:17:04 -0700
+
+bind9 (1:9.3.2-1) unstable; urgency=low
+
+ * New upstream
+ * use lsb-base for start/stop messages in init.d.
+ * switch to debhelper 4
+
+ -- LaMont Jones Thu, 5 Jan 2006 12:29:28 -0700
+
+bind9 (1:9.3.1-2) unstable; urgency=low
+
+ * Getting good reports from experimental, uploading to sid.
+ Release team, please consider this package for sarge. Thanks.
+ * correct pidfile name in init.d/lwresd. Closes: #298100
+
+ -- LaMont Jones Sat, 19 Mar 2005 17:46:31 -0700
+
+bind9 (1:9.3.1-1) experimental; urgency=low
+
+ * Build with gcc-3.4 on powerpc, to work around #292958.
+
+ -- LaMont Jones Sat, 19 Mar 2005 11:40:06 -0700
+
+bind9 (1:9.3.1-0) experimental; urgency=low
+
+ * New upstream version.
+
+ -- LaMont Jones Sun, 13 Mar 2005 21:44:57 -0700
+
+bind9 (1:9.3.0+9.3.1beta2-1) experimental; urgency=low
+
+ * new upstream version
+
+ -- LaMont Jones Tue, 25 Jan 2005 14:21:51 -0700
+
+bind9 (1:9.3.0-1) experimental; urgency=low
+
+ * New upstream version
+
+ -- LaMont Jones Sat, 25 Sep 2004 21:35:46 -0600
+
+bind9 (1:9.2.4-1) unstable; urgency=high
+
+ * New upstream version. Closes: #269157 and others.
+ * Version debhelper build-dep. Closes: #262720
+
+ -- LaMont Jones Thu, 23 Sep 2004 09:11:37 -0600
+
+bind9 (1:9.2.3+9.2.4-rc7-1) unstable; urgency=low
+
+ * New upstream
+
+ -- LaMont Jones Wed, 1 Sep 2004 00:04:55 -0600
+
+bind9 (1:9.2.3+9.2.4-rc6-1) unstable; urgency=low
+
+ * New upstream.
+ * Comment out delegation-only directives in named.conf
+
+ -- LaMont Jones Mon, 2 Aug 2004 10:00:38 -0600
+
+bind9 (1:9.2.3+9.2.4-rc5-1) unstable; urgency=low
+
+ * New upstream release candidate
+
+ -- LaMont Jones Thu, 17 Jun 2004 19:50:37 -0600
+
+bind9 (1:9.2.3+9.2.4-rc2-1) unstable; urgency=low
+
+ * New upstream release candidate
+ * Remove shared library symlinks in clean. Closes: #243109
+ * Deal with capset being a module. Closes: #245043, #240874, #241605
+ * deliver /var/run/bind/run in lwresd as well. Closes: #186569
+
+ -- LaMont Jones Thu, 22 Apr 2004 12:20:05 -0600
+
+bind9 (1:9.2.3-3) unstable; urgency=low
+
+ * new IP for b.root-servers.net. Closes: #234278
+ * Fix RC linkages to match bind8. Closes: #218007
+
+ -- LaMont Jones Mon, 1 Mar 2004 15:00:44 -0700
+
+bind9 (1:9.2.3-2) unstable; urgency=low
+
+ * Rebuild autoconf files for mips. Closes: #221419
+
+ -- LaMont Jones Tue, 18 Nov 2003 06:33:34 -0700
+
+bind9 (1:9.2.3-1) unstable; urgency=low
+
+ * New upstream.
+ * cleanup zones.rfc1918/db.empty stuff.
+ * Fix Makefiles to work even if the build environment is unclean.
+ Closes: #211503
+ * Add comments about root-delegation-only to named.conf. Closes: #212243
+ * Add resolvconf support. Closes: #199255
+ * more SO_BSDCOMPAT hacks for linux. Closes: #220735, #214460
+
+ -- LaMont Jones Mon, 17 Nov 2003 21:30:33 -0700
+
+bind9 (1:9.2.2+9.2.3rc4-1) unstable; urgency=low
+
+ * Yet another new upstream release.
+
+ -- LaMont Jones Mon, 22 Sep 2003 09:39:50 -0600
+
+bind9 (1:9.2.2+9.2.3rc3-1) unstable; urgency=low
+
+ * New upstream. Closes: #211752. #211503. #211496, #211520
+
+ -- LaMont Jones Sat, 20 Sep 2003 12:22:59 -0600
+
+bind9 (1:9.2.2+9.2.3rc2-4) unstable; urgency=low
+
+ * Really fix versioned depends. Closes: #211590
+
+ -- LaMont Jones Thu, 18 Sep 2003 17:29:47 -0600
+
+bind9 (1:9.2.2+9.2.3rc2-3) unstable; urgency=low
+
+ * Version depends for all the libraries. sigh.
Closes: #211412,#210293
+
+ -- LaMont Jones Wed, 17 Sep 2003 10:56:36 -0600
+
+bind9 (1:9.2.2+9.2.3rc2-2) unstable; urgency=low
+
+ * Need a versioned depend. sigh.
+
+ -- LaMont Jones Wed, 17 Sep 2003 10:25:35 -0600
+
+bind9 (1:9.2.2+9.2.3rc2-1) unstable; urgency=low
+
+ * New upstream release. Closes: #211373
+ * Remove RFC's from package, per policy.
+ * Make com and net zones delegation-only by default.
+
+ -- LaMont Jones Wed, 17 Sep 2003 07:15:37 -0600
+
+bind9 (1:9.2.2+9.2.3rc1-3) unstable; urgency=low
+
+ * A bit more cleanup of descriptions.
+ * fix package sections
+ * Fix b0rkage with dependencies.
+
+ -- LaMont Jones Sun, 14 Sep 2003 09:05:10 -0600
+
+bind9 (1:9.2.2+9.2.3rc1-2) unstable; urgency=low
+
+ * Explicitly link libraries. Closes: #210653
+ * Fix descriptions. Closes: #209563, #209853, #210063
+
+ -- LaMont Jones Sat, 13 Sep 2003 19:29:05 -0600
+
+bind9 (1:9.2.2+9.2.3rc1-1) unstable; urgency=low
+
+ * New upstream release candidate.
+ * Quit using SO_BSDCOMPAT (why is it still in the header files??) so
+ that the kernel will shut up about it's advertised, obsolete option.
+ Closes: #201293, #204282, #205590
+
+ -- LaMont Jones Thu, 28 Aug 2003 14:44:28 -0600
+
+bind9 (1:9.2.2-2) unstable; urgency=low
+
+ * Fix libtool.m4. Closes: #183791
+ * move lib packages into Section: libs. Closes: #184788
+ * make sure it's libssl0.9.7. Closes: #182363
+ * Add /etc/default/lwresd. Closes: #169727
+ * Add fakeroot dir to dh_shlibdeps. Closes: #169622
+ * Fix rndc manpage. Closes: #179353
+ * Deliver /usr/bin/isc-config.sh (in libbind-dev). Closes: #178186
+
+ -- LaMont Jones Sat, 15 Mar 2003 16:34:15 -0700
+
+bind9 (1:9.2.2-1) unstable; urgency=low
+
+ * New upstream version
+ * Document /etc/default/bind9 in init.d script. Closes: #170267
+
+ -- LaMont Jones Tue, 4 Mar 2003 22:43:58 -0700
+
+bind9 (1:9.2.1-7) unstable; urgency=low
+
+ * One more overrides disparity.
+ * Fix bashism in postinst.
Closes: #169531
+
+ -- LaMont Jones Sun, 17 Nov 2002 19:22:58 -0700
+
+bind9 (1:9.2.1-6) unstable; urgency=low
+
+ * The "I give up for now" release.
+ * Only convert to running as bind if named.conf hasn't been modified.
+ * Closes: #163552, #164352
+ * Fix overrides
+ * Cleanup README.Debian wrt non-root-by-default.
+ * Make sure that /var/run/bind/run exists in init.d script. Closes: #168912
+ * New IP for j.root-servers.net. Closes: #167818
+ * Check for 2.2.18 kernel in preinst. Closes: #164349
+ * Move local options to /etc/default/bind9. Closes: #169132, #163073
+ * Cleanup old bugs (fixed in -5, really). Closes: #165864
+ * Add /etc/bind/named.conf.local, included from named.conf. Closes: #129576
+ * Do options definitions in /etc/bind/named.conf.options, makes life
+ easier in the face of named.conf changes from upstream.
+ * Add missing Depends: adduser
+
+ -- LaMont Jones Sat, 16 Nov 2002 17:05:45 -0700
+
+bind9 (1:9.2.1-5) unstable; urgency=low
+
+ * Run named a non-privileged user by default. Closes: #149059
+
+ -- LaMont Jones Thu, 12 Sep 2002 16:57:37 -0600
+
+bind9 (1:9.2.1-4) unstable; urgency=low
+
+ * swap maintainer/uploader status so LaMont is primary and Bdale is backup
+ * Deal with bind/bind9 collisions better. Closes: #149580
+ * Fix some documentation.
Closes: #151579
+
+ -- LaMont Jones Wed, 4 Sep 2002 23:25:33 -0600
+
+bind9 (1:9.2.1-3) unstable; urgency=high
+
+ * fold in lib/bind/resolv from 8.3.3 to resolve buffer overlow issue in
+ resolver library, closes: #151342, #151431
+
+ -- Bdale Garbee Mon, 1 Jul 2002 00:16:31 -0600
+
+bind9 (1:9.2.1-1.woody.1) testing-security woody-proposed-updates; urgency=high
+
+ * backport to woody (simple rebuild) since 9.2.1 resolves a security issue
+
+ -- Bdale Garbee Tue, 4 Jun 2002 10:30:57 -0600
+
+bind9 (1:9.2.1-2) unstable; urgency=low
+
+ * don't include nslint man page, closes: #148695
+ * fix typo in rndc.8, closes: #139602
+ * add a section to README.Debian explaining the rndc key mode that has been
+ our default since 9.2.0-2, closes: #129849
+ * fix paths for named.conf in named.8 to reflect our default, closes: #143443
+ * upstream fixed the nsupdate man page at some point, closes: #121108
+
+ -- Bdale Garbee Mon, 3 Jun 2002 15:44:37 -0600
+
+bind9 (1:9.2.1-1) unstable; urgency=medium
+
+ * new upstream version
+ * have bind9-host provide host, closes: #140174
+ * move bind9-host to priority standard since dnsutils depends on it or host,
+ and we prefer bind9-host over host.
+ * move libdns5 and libisc4 to priority standard since dnsutils depends on
+ them and is priority standard
+
+ -- Bdale Garbee Thu, 30 May 2002 10:38:39 -0600
+
+bind9 (1:9.2.0-6) unstable; urgency=low
+
+ * move to US main! Yippee! Closes: #123969
+ * add info to README.Debian about 2.5 kernels vs --disable-linux-caps
+
+ -- Bdale Garbee Sat, 23 Mar 2002 00:18:05 -0700
+
+bind9 (1:9.2.0-5) unstable; urgency=medium
+
+ * clean up various issues in the rules file
+ * make bind9-host conflict/replace old dnsutils as host does, otherwise we
+ can have problems upgrading from potato to woody, closes: #136686
+ * use /dev/urandom for rndc-confgen in postinst, it should be good enough for
+ this purpose, and will keep the postinst from blocking arbitrarily.
+ closes: #130372
+ * add fresh pointers to chroot howto to README.Debian, closes: #135774
+
+ -- Bdale Garbee Sun, 3 Mar 2002 16:47:12 -0700
+
+bind9 (1:9.2.0-4) unstable; urgency=low
+
+ * bind9-host needs to conflict with host, closes: #127395
+
+ -- Bdale Garbee Tue, 1 Jan 2002 20:12:14 -0700
+
+bind9 (1:9.2.0-3) unstable; urgency=low
+
+ * force removal of old diverted files, closes: #126236
+ * change priority of liblwres1 from optional to standard per ftp admins
+ * add a bind9-host package so that the 'host' provided with the BIND 9.X
+ source tree can be an alternative to the aging NIKHEF version packaged
+ separately. Update dnsutils dependencies to depend on one of the two,
+ with preference to this one since it has fewer bugs (but fewer features,
+ too).
+
+ -- Bdale Garbee Sun, 23 Dec 2001 00:59:15 -0700
+
+bind9 (1:9.2.0-2) unstable; urgency=medium
+
+ * change rc.d links to ensure daemon starts before and stops after other
+ daemons that may fail if name service is not working (bug was filed
+ against 8.X bind packages, but is just as relevant here!)
+ * use rndc for daemon shutdown instead of start-stop-daemon, closes: #111935
+ * add a postinst to dnsutils to remove any lingering diversions from old
+ dnsutils packages, closes: #122227
+ * not much point in delivering zone2ldap.1 since we aren't delivering
+ zone2ldap right now (though we might someday?), closes: #124058
+ * be more verbose with shared library descriptions, closes: #123426, #123428
+ * 9.2.0 added a new rndc.key file that both named and rndc will read to
+ obtain a shared key, and rndc-confgen will easily create this file with
+ a unique-per-system key. Modify named.conf and remove rndc.conf
+ to take advantage of this mechanism and stop delivering a pre-determined
+ static key to all Debian systems (which has been a mild security risk).
+ Create the key in postinst if the key file doesn't already exist, and
+ remove the file in postrm if purging.
+ Closes: #86718, #87208
+
+ -- Bdale Garbee Fri, 21 Dec 2001 04:04:30 -0700
+
+bind9 (1:9.2.0-1) unstable; urgency=low
+
+ * new upstream version, closes: #108243, #112266, #114250, #119506, #120657
+ * /etc/bind/rndc.conf is now a conffile
+ * minor hacks to the README.Debian since the chroot instructions it points
+ to are 8.X specific, part of addressing bug 111868.
+ * libomapi is gone, replaced by libisccc and libisccfg
+ * a few lintian-motivated cosmetic cleanups
+ * lose task-dns-server meta package, since tasksel doesn't need it now
+ * dig problem not reproducible in this version, closes: #89526
+ * named-checkconf now uses $sysconfdir, closes: #107835
+ * no longer deliver man pages for contributed binaries we're not including
+ in dnsutils, closes: #108220
+ * fix section in nslookup man page, though that's the least of the man
+ page's problems... glitch reported is unreproducible
+ closes: #103630, #120946
+ * update libbind-dev README.Debian, closes: #121050
+
+ -- Bdale Garbee Tue, 27 Nov 2001 01:41:00 -0700
+
+bind9 (1:9.1.3-1) unstable; urgency=low
+
+ * new upstream version, closes: #96483, #99824, #100647, #101568, #103429
+ * update config.sub/guess for hppa/ia64 support
+ * small init.d patch from Marco d'Itri to ease adding options on invocation
+ * stop having bind9-doc conflict/replace bind-doc since they don't really
+ conflict and there's no reason to prevent having both installed at the
+ same time, closes: #90994
+ * the CHANGES file documents fixes since 9.1.1 that probably cured the
+ reported assertion failure. If it turns out that I'm wrong, the bug can
+ be re-opened or a new one filed. I can't see any way to reproduce the bug
+ in a test case here.
Closes: #99352
+ * have libbind-dev depend on the runtime library packages it delivers
+ compile-time symlinks for, closes: #100898, #103855
+ * fix lwres man pages to source man3/* instead of * so all the page content
+ can actually be found, closes: #85450, #103865
+
+ -- Bdale Garbee Mon, 9 Jul 2001 11:30:39 -0600
+
+bind9 (1:9.1.1-1) unstable; urgency=low
+
+ * new upstream release
+ * update build-depends for libssl-dev
+ * add build-depends on bison, closes: #90150, #90752, #90159
+ * split up libbind0 since libdns is changing so numbers
+ * downgrade rblcheck from a depends to a suggests, closes: #90783
+ * bind9 mkdep creates files in the current working directory, closes: #58353
+
+ -- Bdale Garbee Wed, 25 Apr 2001 22:53:21 -0600
+
+bind9 (1:9.1.0-3) unstable; urgency=low
+
+ * merge patch from Zack Weinberg that solves compilation problem, and
+ reduces the memory footprint of applications by making configure.in
+ smarter. Closes: #86776, #86910
+ * the bind-doc package includes all relevant documentation from the bind9
+ source tree, including HTML content in /usr/share/doc/bind9-doc/arm,
+ closes: #85718
+ * default named.conf and rndc.conf to not world-readable. This is an
+ interim step towards addressing the concerns about security raised by
+ bugs 86718 and closes: #86836 A better long-term solution would be for
+ rndc.conf to allow includes, so that both named.conf and rndc.conf could
+ include a key file built on the fly during installation while themselves
+ retaining conffile status. The required functionality has been requested
+ of the bind9 upstream, this will limit vulnerability in the meantime.
+ * add replaces logic to the dnsutils package to avoid complaints about the
+ delivery of nsupdate.8.gz, closes: #86759
+ * move a couple of man pages back from dnsutils to bind9 that really belong
+ there. sigh.
+
+ -- Bdale Garbee Thu, 22 Feb 2001 16:39:02 -0700
+
+bind9 (1:9.1.0-2) unstable; urgency=low
+
+ * merge patch from Luca Filipozzi - thanks!
+ + bind9: ships with a working rndc.conf file, closes: #84572
+ + bind9: init.d calls rndc rather than ndc on reload, closes: #85481
+ + bind9: named.conf ships with 'key' and 'control' sections
+ + bind9: correctly creates /var/cache/bind, closes: #85457
+ + lwresd: lwresd is split off into its own package, closes: #85627
+ * nsupdate is delivered by the dnsutils package, but the (wrong) man page
+ was accidentally also included in the bind9 package, closes: #85717
+ * freshen config.sub and config.guess for ia64 and hppa support
+
+ -- Bdale Garbee Mon, 12 Feb 2001 23:43:55 -0700
+
+bind9 (1:9.1.0-1) unstable; urgency=low
+
+ * Initial packaging of BIND 9.1.0. Must use epoch so that meta packages
+ retain their sequencing from the bind 8 package version stream.
+ * snarf a couple of man pages from the 8.X tree for now
+
+ -- Bdale Garbee Thu, 1 Feb 2001 16:30:35 -0700
+
--- bind9-9.9.3.dfsg.P2.orig/debian/compat
+++ bind9-9.9.3.dfsg.P2/debian/compat
@@ -0,0 +1 @@
+5
--- bind9-9.9.3.dfsg.P2.orig/debian/control
+++ bind9-9.9.3.dfsg.P2/debian/control
@@ -0,0 +1,173 @@
+Source: bind9
+Section: net
+Priority: optional
+Maintainer: LaMont Jones
+Uploaders: Bdale Garbee
+Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5), dpkg-dev (>= 1.15.5), python, python-argparse, dh-systemd
+Build-Conflicts: libdb4.2-dev
+Standards-Version: 3.7.3.0
+XS-Vcs-Browser: http://git.debian.org/?p=users/lamont/bind9.git
+XS-Vcs-Git: git://git.debian.org/~lamont/bind9.git
+
+Package: bind9
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, debconf | debconf-2.0, netbase, adduser, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), libisccc90 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}), net-tools
+Conflicts: bind, apparmor-profiles (<< 2.1+1075-0ubuntu4)
+Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4), bind9utils (<< 1:9.9.3.dfsg.P2-3)
+Suggests: dnsutils, bind9-doc, resolvconf, ufw
+Description: Internet Domain Name Server
+ ${Description}
+ .
+ This package provides the server and related configuration files.
+
+Package: bind9utils
+Architecture: any
+Replaces: bind9 (<= 1:9.5.0~b2-1)
+Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-argparse
+Description: Utilities for BIND
+ This package provides various utilities that are useful for maintaining a
+ working BIND installation.
+
+Package: bind9-doc
+Architecture: all
+Section: doc
+Depends: ${misc:Depends}
+Description: Documentation for BIND
+ This package provides various documents that are useful for maintaining a
+ working BIND installation.
+
+Package: host
+Priority: standard
+Architecture: all
+Depends: ${misc:Depends}, bind9-host
+Description: Transitional package
+ This dummy package is provided for a smooth transition from the previous
+ host package. It may safely be removed after installation.
+
+Package: bind9-host
+Priority: standard
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version})
+Conflicts: host (<<1:9.7.0), dnsutils (<< 1:9.0.0)
+Replaces: dnsutils (<< 1:9.0.0), host (<< 1:9.7.0)
+Provides: host
+Description: Version of 'host' bundled with BIND 9.X
+ This package provides the 'host' program in the form that is bundled with
+ the BIND 9.X sources.
+
+Package: libbind-dev
+Section: libdevel
+Architecture: any
+Conflicts: bind-dev
+Replaces: bind-dev
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version})
+Description: Static Libraries and Headers used by BIND
+ This package delivers archive-style libraries, header files, and API man
+ pages for libbind, libdns, libisc, and liblwres. These are only needed
+ if you want to compile other packages that need more nameserver API than the
+ resolver code provided in libc.
+
+Package: libbind9-90
+Section: libs
+Priority: standard
+Architecture: any
+Conflicts: libbind0, libbind9-41
+Replaces: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99, libisccfg90, libisc95
+Description: BIND9 Shared Library used by BIND
+ ${Description}
+ .
+ This package delivers the libbind9 shared library used by BIND's daemons and
+ clients.
+
+Package: libdns99
+Section: libs
+Priority: standard
+Architecture: any
+Conflicts: libbind0, libbind9-41
+Replaces: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}, libisc95
+Description: DNS Shared Library used by BIND
+ ${Description}
+ .
+ This package delivers the libdns shared library used by BIND's daemons and
+ clients.
+
+Package: libisc95
+Section: libs
+Priority: standard
+Architecture: any
+Conflicts: libbind0, libbind9-41
+Replaces: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: ISC Shared Library used by BIND
+ ${Description}
+ .
+ This package delivers the libisc shared library used by BIND's daemons and
+ clients.
+
+Package: liblwres90
+Section: libs
+Priority: standard
+Architecture: any
+Replaces: libbind0
+Conflicts: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Lightweight Resolver Library used by BIND
+ ${Description}
+ .
+ This package delivers the liblwres shared library used by BIND's daemons
+ and clients.
+
+Package: libisccc90
+Section: libs
+Architecture: any
+Conflicts: libbind0, libbind9-41
+Replaces: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}, libisc95
+Description: Command Channel Library used by BIND
+ ${Description}
+ .
+ This package delivers the libisccc shared library used by BIND's daemons
+ and clients, particularly rndc.
+
+Package: libisccfg90
+Section: libs
+Architecture: any
+Conflicts: libbind0, libbind9-41
+Replaces: libbind0
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99, libisccc90, libisc95
+Description: Config File Handling Library used by BIND
+ ${Description}
+ .
+ This package delivers the libisccfg shared library used by BIND's daemons
+ and clients to read and write ISC-style configuration files like named.conf
+ and rndc.conf.
+
+Package: dnsutils
+Priority: standard
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, bind9-host | host, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version})
+Suggests: rblcheck
+Conflicts: netstd (<< 2.00)
+Replaces: bind, bind9 (<< 1:9.1.0-3)
+Description: Clients provided with BIND
+ ${Description}
+ .
+ This package delivers various client programs related to DNS that are
+ derived from the BIND source tree.
+ .
+ - dig - query the DNS in various ways
+ - nslookup - the older way to do it
+ - nsupdate - perform dynamic updates (See RFC2136)
+
+Package: lwresd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisccc90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version})
+Recommends: libnss-lwres
+Suggests: bind9utils
+Description: Lightweight Resolver Daemon
+ lwresd is the daemon providing name lookup services to clients that use
+ the BIND 9 lightweight resolver library. It is essentially a stripped-
+ down, caching-only name server that answers queries using the BIND 9
+ lightweight resolver protocol rather than the DNS protocol.
--- bind9-9.9.3.dfsg.P2.orig/debian/copyright
+++ bind9-9.9.3.dfsg.P2/debian/copyright
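Review bot: `XS-Vcs-Browser: http://git.debian.org/?p=users/lamont/bind9.git` and `XS-Vcs-Git: git://git.debian.org/~lamont/bind9.git` advertise the packaging repository over cleartext, unauthenticated transports, so anyone who follows these fields to fetch the source behind this package gets no integrity or origin guarantee on what they clone. If the host offers an authenticated transport (https or ssh), point both fields at it, and drop the `XS-` prefix since `Vcs-Git`/`Vcs-Browser` have long been native dpkg fields. Separately, `Build-Depends` lists both `hardening-wrapper` and `dpkg-dev (>= 1.15.5)` while `debian/compat` is 5; hardening-wrapper was the stop-gap that preceded dpkg-buildflags, so it is worth confirming in debian/rules that the hardening flags actually reach this build rather than assuming either mechanism applies.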
@@ -0,0 +1,121 @@
+This package was debianized by Bdale Garbee on
+Tue, 12 Dec 2000 02:42:56 -0700.
+
+It was downloaded from http://www.isc.org/products/BIND/ and can be fetched
+from git with:
+ git clone git://git.debian.org/users/lamont/bind9.git
+ISC releases can be cloned from git with:
+ git clone git://git.debian.org/users/lamont/bind9-isc.git
+
+Upstream Author: Internet Systems Consortium, Inc. ("ISC")
+
+Copyright:
+
+Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2003 Internet Software Consortium.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+Portions Copyright (C) 1996-2001 Nominum, Inc.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+Portions Copyright (c) 2000 Japan Network Information Center. All rights reserved.
+
+By using this file, you agree to the terms and conditions set forth bellow.
+
+ LICENSE TERMS AND CONDITIONS
+
+The following License Terms and Conditions apply, unless a different
+license is obtained from Japan Network Information Center ("JPNIC"),
+a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
+Chiyoda-ku, Tokyo 101-0047, Japan.
+
+1. Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and/or binary forms is permitted
+ under this License Terms and Conditions.
+
+2. Redistribution of source code must retain the copyright notices as they
+ appear in each source code file, this License Terms and Conditions.
+
+3. Redistribution in binary form must reproduce the Copyright Notice,
+ this License Terms and Conditions, in the documentation and/or other
+ materials provided with the distribution. For the purposes of binary
+ distribution the "Copyright Notice" refers to the following language:
+ "Copyright (c) 2000-2002 Japan Network Information Center. All rights reserved."
+
+4. The name of JPNIC may not be used to endorse or promote products
+ derived from this Software without specific prior written approval of
+ JPNIC.
+
+5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JPNIC BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+Portions Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+
+This software is open source.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+be used to endorse or promote products derived from this software without
+specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Portions Copyright(C) Jason Vas Dias, Red Hat Inc., 2005
+Modified by Adam Tkac, Red Hat Inc., 2007
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation at
+ http://www.fsf.org/licensing/licenses/gpl.txt
+and found in /usr/share/common-licenses.
--- bind9-9.9.3.dfsg.P2.orig/debian/db.0
+++ bind9-9.9.3.dfsg.P2/debian/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
--- bind9-9.9.3.dfsg.P2.orig/debian/db.127
+++ bind9-9.9.3.dfsg.P2/debian/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
--- bind9-9.9.3.dfsg.P2.orig/debian/db.empty
+++ bind9-9.9.3.dfsg.P2/debian/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
--- bind9-9.9.3.dfsg.P2.orig/debian/db.local
+++ bind9-9.9.3.dfsg.P2/debian/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
--- bind9-9.9.3.dfsg.P2.orig/debian/db.root
+++ bind9-9.9.3.dfsg.P2/debian/db.root
@@ -0,0 +1,88 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: Jan 3, 2013
+; related version of root zone: 2013010300
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
+; End of File
--- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.dirs
+++ bind9-9.9.3.dfsg.P2/debian/dnsutils.dirs
@@ -0,0 +1,3 @@
+usr/bin
+usr/share/doc/dnsutils
+usr/share/man/man1
--- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.install
+++ bind9-9.9.3.dfsg.P2/debian/dnsutils.install
@@ -0,0 +1,6 @@
+usr/bin/dig
+usr/bin/nslookup
+usr/bin/nsupdate
+usr/share/man/man1/dig.1*
+usr/share/man/man1/nslookup.1*
+usr/share/man/man1/nsupdate.1*
--- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.postinst
+++ bind9-9.9.3.dfsg.P2/debian/dnsutils.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/ip-down.d
+++ bind9-9.9.3.dfsg.P2/debian/ip-down.d
@@ -0,0 +1,15 @@
+#!/bin/sh -e
+# Called when an interface disconnects
+# Written by LaMont Jones
+
+# kick named as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/sbin ]; then
+ exit 0
+fi
+
+# if named is running, reconfig it.
+rndc reconfig >/dev/null 2>&1 || true
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/ip-up.d
+++ bind9-9.9.3.dfsg.P2/debian/ip-up.d
@@ -0,0 +1,15 @@
+#!/bin/sh -e
+# Called when a new interface comes up
+# Written by LaMont Jones
+
+# kick named as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/sbin ]; then
+ exit 0
+fi
+
+# if named is running, reconfig it.
+rndc reconfig >/dev/null 2>&1 || true
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.README.Debian
+++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.README.Debian
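Review bot: `rndc reconfig` is resolved through whatever PATH the network hook runner hands to this root-run script; nothing in the file sets one, and the trailing `|| true` hides the case where rndc is not found at all, so a wrong or hostile PATH either silently skips the reconfig or runs some other `rndc`. Pin it right after the `/usr/sbin` check, `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, or invoke `/usr/sbin/rndc` by absolute path. The `-e` on the `#!/bin/sh -e` line is also only honoured when the file is executed directly, not when a runner starts it as `sh <file>`; a separate `set -e` line survives both, although with every command already guarded by `|| true` it changes little here. ip-down.d, the identical script in the preceding hunk, needs the same change.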
@@ -0,0 +1,9 @@
+The include files for BIND are in /usr/include/{isc,dns,dst,lwres}. If
+you're compiling something that uses them, use something like
+
+ '-I/usr/include/isc'
+
+and so on in the call to the compiler to pick up the BIND versions before
+the normal system versions for files that have conflicting filenames.
+
+
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.dirs
+++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.dirs
@@ -0,0 +1,2 @@
+usr/include
+usr/lib
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.install
+++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.install
@@ -0,0 +1,15 @@
+usr/include
+usr/lib/libbind9.a
+usr/lib/libbind9.so
+usr/lib/libdns.a
+usr/lib/libdns.so
+usr/lib/libisc.a
+usr/lib/libisc.so
+usr/lib/liblwres.a
+usr/lib/liblwres.so
+usr/lib/libisccc.a
+usr/lib/libisccc.so
+usr/lib/libisccfg.a
+usr/lib/libisccfg.so
+usr/share/man/man3
+usr/bin/isc-config.sh
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.install
+++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.install
@@ -0,0 +1 @@
+usr/lib/libbind9.so.90*
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.install
+++ bind9-9.9.3.dfsg.P2/debian/libdns99.install
@@ -0,0 +1 @@
+usr/lib/libdns.so.99*
--- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libdns99.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libdns99.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.install
+++ bind9-9.9.3.dfsg.P2/debian/libirs90.install
@@ -0,0 +1 @@
+usr/lib/libirs.so.90*
--- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libirs90.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libirs90.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.install
+++ bind9-9.9.3.dfsg.P2/debian/libisc95.install
@@ -0,0 +1 @@
+usr/lib/libisc.so.95*
--- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libisc95.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libisc95.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.install
+++ bind9-9.9.3.dfsg.P2/debian/libisccc90.install
@@ -0,0 +1 @@
+usr/lib/libisccc.so.90*
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libisccc90.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libisccc90.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.install
+++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.install
@@ -0,0 +1 @@
+usr/lib/libisccfg.so.90*
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.postinst
+++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/liblwres90.install
+++ bind9-9.9.3.dfsg.P2/debian/liblwres90.install
@@ -0,0 +1 @@
+usr/lib/liblwres.so.90*
--- bind9-9.9.3.dfsg.P2.orig/debian/liblwres90.postinst
+++ bind9-9.9.3.dfsg.P2/debian/liblwres90.postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
--- bind9-9.9.3.dfsg.P2.orig/debian/libwres90.postrm
+++ bind9-9.9.3.dfsg.P2/debian/libwres90.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+#DEBHELPER#
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.dirs
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.dirs
@@ -0,0 +1,5 @@
+etc/bind
+usr/sbin
+usr/share/man/man8
+usr/share/doc/lwresd
+var/run/named
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.init
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.init
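Review bot: The file is named `debian/libwres90.postrm` while the package it evidently belongs to is `liblwres90` (the `.install` and `.postinst` in the hunks just before it use that name), so debhelper will not associate it with that package. As far as visible it holds only the `#DEBHELPER#` boilerplate that debhelper generates on its own, so nothing is lost at runtime, but the stray file should be renamed to `debian/liblwres90.postrm` to match its siblings or dropped. The same consistency question applies to lwresd.dirs in the following hunk, which ships `var/run/named` although the lwresd init script and tmpfile on this page use `/var/run/lwresd`.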
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: lwresd
+# Required-Start: $remote_fs
+# Should-Start: $syslog $network
+# Required-Stop: $remote_fs
+# Should-Stop: $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop the Lightweight Resolver Daemon.
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=lwresd
+DAEMON=/usr/sbin/lwresd
+PIDFILE=/var/run/lwresd/lwresd.pid
+
+# Don't modify this line, change or create /etc/default/lwresd.
+OPTIONS=""
+
+test -f /etc/default/lwresd && . /etc/default/lwresd
+
+test -x $DAEMON || exit 0
+
+case "$1" in
+ start)
+ modprobe capability >/dev/null 2>&1 || true
+
+ # dirs under /var/run can go away on reboots.
+ mkdir -p ${PIDFILE%/*}
+ chmod 775 ${PIDFILE%/*}
+ chown root:bind ${PIDFILE%/*} >/dev/null 2>&1 || true
+
+ log_daemon_msg "Starting domain name service" $NAME
+ if start-stop-daemon --start --quiet --exec $DAEMON -- $OPTIONS; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping domain name service" $NAME
+ if start-stop-daemon --stop --quiet \
+ --pidfile ${PIDFILE} --exec $DAEMON; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+
+
+ restart|force-reload)
+ $0 stop
+ sleep 2
+ $0 start
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.install
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.install
@@ -0,0 +1,2 @@
+usr/sbin/lwresd
+usr/share/man/man8/lwresd.8*
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.postinst
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.postinst
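Review bot: Nothing in the `start)` branch drops root: `start-stop-daemon --start --quiet --exec $DAEMON -- $OPTIONS` passes only what `/etc/default/lwresd` puts into OPTIONS, a file that is not part of this diff, yet the same branch prepares `${PIDFILE%/*}` as `root:bind` 0775, which only makes sense if the daemon runs as the bind user that lwresd.postinst creates. Unless that default file is known to carry `-u bind`, put it in the script so it cannot be lost: `start-stop-daemon --start --quiet --exec $DAEMON -- -u bind $OPTIONS`. The stop branch uses `--pidfile ${PIDFILE} --exec $DAEMON` but start passes no `--pidfile`, so duplicate-start detection rests on `--exec` matching alone; adding `--pidfile ${PIDFILE}` to the start line keeps the two branches in step. `modprobe capability` looks like a leftover from older kernels and is harmless, but a one-line comment saying why it is kept would spare the next reader a search.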
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ OLDVERSION="$2"
+ # see below
+ ;;
+
+ abort-upgrade)
+ exit 0
+ ;;
+
+ abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# lets give them a bind user/group in all cases.
+getent group bind >/dev/null 2>&1 || addgroup --system bind
+getent passwd bind >/dev/null 2>&1 ||
+ adduser --system --home /var/cache/bind --no-create-home \
+ --disabled-password --ingroup bind bind
+
+if [ ! -s /etc/bind/rndc.key ] && [ -x /usr/sbin/rndc-confgen ]; then
+ rndc-confgen -r /dev/urandom -a
+fi
+
+if pidof /usr/sbin/lwresd >/dev/null 2>&1; then
+ invoke-rc.d lwresd restart
+else
+ invoke-rc.d lwresd start
+fi
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.service
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Lightweight Resolver Daemon
+Documentation=man:lwresd(8)
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/lwresd -f
+
+[Install]
+WantedBy=multi-user.target
--- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.tmpfile
+++ bind9-9.9.3.dfsg.P2/debian/lwresd.tmpfile
@@ -0,0 +1 @@
+d /run/lwresd 0775 root bind - -
--- bind9-9.9.3.dfsg.P2.orig/debian/named.conf
+++ bind9-9.9.3.dfsg.P2/debian/named.conf
@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
--- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.default-zones
+++ bind9-9.9.3.dfsg.P2/debian/named.conf.default-zones
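Review bot: `rndc-confgen -r /dev/urandom -a` writes a shared secret that authorises control of any named that reads it, but the script leaves the file's owner and mode to rndc-confgen's defaults, so who can read `/etc/bind/rndc.key` afterwards is not decided anywhere visible here. Set them explicitly right after generation, `chown root:bind /etc/bind/rndc.key && chmod 0640 /etc/bind/rndc.key`, so the bind group can read it and nobody else can. Separately, `OLDVERSION="$2"` with its `# see below` comment is never used further down the script and should be dropped or acted on, while the `[ ! -s ... ]` guard regenerating the key for an existing-but-empty file is reasonable and worth a comment saying so.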
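Review bot: `ExecStart=/usr/sbin/lwresd -f` starts the daemon as root with no `-u bind`, and unlike lwresd.init the unit reads no `/etc/default/lwresd`, so a `-u bind` an administrator adds to OPTIONS there applies only to the sysv path; the two boot paths can end up running the resolver as different users. Either mirror the init script with `EnvironmentFile=-/etc/default/lwresd` and `ExecStart=/usr/sbin/lwresd -f $OPTIONS`, or hard-code the privilege drop as `ExecStart=/usr/sbin/lwresd -f -u bind`. The accompanying tmpfile entry `d /run/lwresd 0775 root bind - -` already appears to assume the daemon writes into that directory with bind group rights, which matches the second form.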
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
+
--- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.local
+++ bind9-9.9.3.dfsg.P2/debian/named.conf.local
@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
--- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.options
+++ bind9-9.9.3.dfsg.P2/debian/named.conf.options
@@ -0,0 +1,26 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
--- bind9-9.9.3.dfsg.P2.orig/debian/nslookup.1
+++ bind9-9.9.3.dfsg.P2/debian/nslookup.1
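Review bot: The options block never states who may recurse: with `listen-on-v6 { any; };` and the implicit `listen-on` default the server answers on every address, and the recursion ACL is left to BIND's compiled-in default (which upstream documents for this release as localhost plus localnets), a default that is easy to lose by later adding an `allow-query` or copying the file onto a multi-homed host. Making it explicit next to `dnssec-validation auto;`, `allow-recursion { localhost; localnets; };`, records the intent and keeps the stock install from turning into an open resolver if that built-in default ever changes. `dnssec-validation auto;` itself is the right choice; a short comment that it leaves trust-anchor maintenance to named (the `bind-keys` link above it is about exactly that) would tie the two lines together for the next reader.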
@@ -0,0 +1,536 @@ +.\" +.\" ++Copyright++ 1985, 1989 +.\" - +.\" Copyright (c) 1985, 1989 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the University of +.\" California, Berkeley and its contributors. +.\" 4. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" - +.\" Portions Copyright (c) 1993 by Digital Equipment Corporation. 
+.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies, and that +.\" the name of Digital Equipment Corporation not be used in advertising or +.\" publicity pertaining to distribution of the document or software without +.\" specific, written prior permission. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL +.\" WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT +.\" CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +.\" SOFTWARE. +.\" - +.\" --Copyright-- +.\" +.\" @(#)nslookup.8 5.3 (Berkeley) 6/24/90 +.\" +.Dd June 24, 1990 +.Dt NSLOOKUP 1 +.Os BSD 4 +.Sh NAME +.Nm nslookup +.Nd query Internet name servers interactively +.Sh SYNOPSIS +.Nm nslookup +.Op Fl option Ar ... +.Op Ar host-to-find | Fl Op Ar server +.Sh DESCRIPTION +.Ic Nslookup +is a program to query Internet domain name servers. +.Ic Nslookup +has two modes: interactive and non-interactive. +Interactive mode allows the user to query name servers for +information about various hosts and domains or to print a list of hosts +in a domain. +Non-interactive mode is used to print just the name and requested information +for a host or domain. +.Sh ARGUMENTS +Interactive mode is entered in the following cases: +.Bl -tag -width "a) " +.It a) +when no arguments are given (the default name server will be used), +.It b) +when the first argument is a hyphen (-) and the second argument +is the host name or Internet address of a name server. 
+.El +.Pp +Non-interactive mode is used when the name or Internet address +of the host to be looked up +is given as the first argument. The optional second argument specifies +the host name or address of a name server. +.Pp +The options listed under the +.Dq Li set +command below can be specified in +the +.Pa .nslookuprc +file in the user's home directory if they are listed +one per line. Options can also be specified +on the command line if they precede the arguments and are prefixed with +a hyphen. For example, to change the default query type to host information, +and the initial timeout to 10 seconds, type: +.Bd -literal -offset indent + nslookup -query=hinfo -timeout=10 +.Ed +.Sh INTERACTIVE COMMANDS +Commands may be interrupted at any time by typing a control-C. +To exit, type a control-D +.Pq Dv EOF +or type +.Li exit . +The command line length must be less than 256 characters. +To treat a built-in command as a host name, +precede it with an escape character +.Pq .&\\ . +.Sy N.B.: An unrecognized command will be interpreted as a host name. +.Bl -tag -width "lserver" +.It Ar host Op Ar server +Look up information for +.Ar host +using the current default server or using +.Ar server , +if specified. +If +.Ar host +is an Internet address and the query type is +.Dv A +or +.Dv PTR , +the name of the host is returned. +If +.Ar host +is a name and does not have a trailing period, the default +domain name is appended to the name. (This behavior depends on the state of the +.Ic set +options +.Ic domain , srchlist , defname , +and +.Ic search . ) +.Pp +To look up a host not in the current domain, append a period to +the name. +.It Ic server Ar domain +.It Ic lserver Ar domain +Change the default server to +.Ar domain ; +.Ic lserver +uses the initial server to look up information about +.Ar domain , +while +.Ic server +uses the current default server. +If an authoritative answer can't be found, the names of servers +that might have the answer are returned. 
+.It Ic root +Changes the default server to the server for the root of the domain name space. +Currently, the host +.Li ns.internic.net +is used. +(This command is a synonym for +.Dq Ic lserver ns.internic.net . ) +The name of the root server can be changed with the +.Dq Ic set root +command. +.It Xo Ic finger Op Ar name +.Op Ic > Ar filename +.Xc +.It Xo Ic finger Op Ar name +.Op Ic >> Ar filename +.Xc +Connects with the finger server on the current host. +The current host is defined when a previous lookup for a host +was successful and returned address information (see the +.Dq Ic set querytype=A +command). +The +.Ar name +is optional. +.Ic > +and +.Ic >> +can be used to redirect output in the usual manner. +.It Xo Ic ls Op Ar option +.Ar domain Op Ic > Ar filename +.Xc +.It Xo Ic ls Op Ar option +.Ar domain Op Ic >> Ar filename +.Xc +List the information available for +.Ar domain , +optionally creating or appending to +.Ar filename . +The default output contains host names and their Internet addresses. +.Ar Option +can be one of the following: +.Bl -tag -width "-a " +.It Fl t Ar querytype +lists all records of the specified type (see +.Ar querytype +below). +.It Fl a +lists aliases of hosts in the domain; +synonym for +.Dq Fl t Dv CNAME . +.It Fl d +lists all records for the domain; +synonym for +.Dq Fl t Dv ANY . +.It Fl h +lists CPU and operating system information for the domain; +synonym for +.Dq Fl t Dv HINFO . +.It Fl s +lists well-known services of hosts in the domain; +synonym for +.Dq Fl t Dv WKS . +.El +.Pp +When output is directed to a file, hash marks are printed for every +50 records received from the server. +.It Ic view Ar filename +Sorts and lists the output of previous +.Ic ls +command(s) with +.Xr more @CMD_EXT@ . +.It Ic help +.It Ic ? +Prints a brief summary of commands. +.It Ic exit +Exits the program. +.It Xo Ic set Ar keyword +.Ns Op = Ns Ar value +.Xc +This command is used to change state information that affects the lookups. 
+Valid keywords are:
+.Bl -tag -width "class=v"
+.It Ic all
+Prints the current values of the frequently-used options to
+.Ic set .
+Information about the current default server and host is also printed.
+.It Ic class= Ns Ar value
+Change the query class to one of:
+.Bl -tag -width "HESIOD "
+.It Dv IN
+the Internet class
+.It Dv CHAOS
+the Chaos class
+.It Dv HESIOD
+the MIT Athena Hesiod class
+.It Dv ANY
+wildcard (any of the above)
+.El
+.Pp
+The class specifies the protocol group of the information.
+.Pp
+(Default =
+.Dv IN ;
+abbreviation =
+.Ic cl )
+.It Xo Op Ic no
+.Ns Ic debug
+.Xc
+Turn debugging mode on. A lot more information is printed about the
+packet sent to the server and the resulting answer.
+.Pp
+(Default =
+.Ic nodebug ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic deb )
+.Xc
+.It Xo Op Ic no
+.Ns Ic d2
+.Xc
+Turn exhaustive debugging mode on.
+Essentially all fields of every packet are printed.
+.Pp
+(Default =
+.Ic nod2 )
+.It Ic domain= Ns Ar name
+Change the default domain name to
+.Ar name .
+The default domain name is appended to a lookup request depending on the
+state of the
+.Ic defname
+and
+.Ic search
+options.
+The domain search list contains the parents of the default domain if it has
+at least two components in its name.
+For example, if the default domain
+is CC.Berkeley.EDU, the search list is CC.Berkeley.EDU and Berkeley.EDU.
+Use the
+.Dq Ic set srchlist
+command to specify a different list.
+Use the
+.Dq Ic set all
+command to display the list.
+.Pp
+(Default = value from
+.Xr hostname @CMD_EXT@ ,
+.Pa /etc/resolv.conf ,
+or
+.Ev LOCALDOMAIN;
+abbreviation =
+.Ic do )
+.It Ic srchlist= Ns Ar name1/name2/...
+Change the default domain name to
+.Ar name1
+and the domain search list
+to
+.Ar name1 , name2 ,
+etc. A maximum of 6 names separated by slashes (/)
+can be specified.
+For example,
+.Bd -literal -offset indent
+set srchlist=lcs.MIT.EDU/ai.MIT.EDU/MIT.EDU
+.Ed
+.Pp
+sets the domain to lcs.MIT.EDU and the search list to the three names.
+This command overrides the
+default domain name and search list of the
+.Dq Ic set domain
+command.
+Use the
+.Dq Ic set all
+command to display the list.
+.Pp
+(Default = value based on
+.Xr hostname @CMD_EXT@ ,
+.Pa /etc/resolv.conf ,
+or
+.Ev LOCALDOMAIN;
+abbreviation =
+.Ic srchl )
+.It Xo Op Ic no
+.Ns Ic defname
+.Xc
+If set, append the default domain name to a single-component lookup request
+(i.e., one that does not contain a period).
+.Pp
+(Default =
+.Ic defname ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic defname )
+.Xc
+.It Xo Op Ic no
+.Ns Ic search
+.Xc
+If the lookup request contains at least one period but
+.Em doesn't
+end with a trailing period, append the domain names in the domain search list
+to the request until an answer is received.
+.Pp
+(Default =
+.Ic search ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic sea )
+.Xc
+.It Ic port= Ns Ar value
+Change the default TCP/UDP name server port to
+.Ar value .
+.Pp
+(Default = 53;
+abbreviation =
+.Ic \&po )
+.It Ic querytype= Ns Ar value
+.It Ic type= Ns Ar value
+Change the type of information query to one of:
+.Bl -tag -width "HINFO "
+.It Dv A
+the host's Internet address.
+.It Dv CNAME
+the canonical name for an alias.
+.It Dv HINFO
+the host CPU and operating system type.
+.It Dv MINFO
+the mailbox or mail list information.
+.It Dv MX
+the mail exchanger.
+.It Dv NS
+the name server for the named zone.
+.It Dv PTR
+the host name if the query is an Internet address;
+otherwise, the pointer to other information.
+.It Dv SOA
+the domain's
+.Dq start-of-authority
+information.
+.It Dv TXT
+the text information.
+.It Dv UINFO
+the user information.
+.It Dv WKS
+the supported well-known services.
+.El
+.Pp
+Other types
+.Pq Dv ANY, AXFR, MB, MD, MF, NULL
+are described in the RFC-1035 document.
+.Pp
+(Default =
+.Dv A ;
+abbreviations =
+.Ic q , ty )
+.It Xo Op Ic no
+.Ns Ic recurse
+.Xc
+Tell the name server to query other servers if it does not have the
+information.
+.Pp
+(Default =
+.Ic recurse ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic rec )
+.Xc
+.It Ic retry= Ns Ar number
+Set the number of retries to
+.Ar number .
+When a reply to a request is not received within a certain
+amount of time (changed with
+.Dq Ic set timeout ) ,
+the timeout period is doubled and the request is resent.
+The retry value controls how many times a request is resent before giving up.
+.Pp
+(Default = 4, abbreviation =
+.Ic ret )
+.It Ic root= Ns Ar host
+Change the name of the root server to
+.Ar host .
+This affects the
+.Dq Ic root
+command.
+.Pp
+(Default =
+.Ic ns.internic.net. ;
+abbreviation =
+.Ic ro )
+.It Ic timeout= Ns Ar number
+Change the initial timeout interval for waiting for a reply to
+.Ar number
+seconds. Each retry doubles the timeout period.
+.Pp
+(Default = 5 seconds; abbreviation =
+.Ic ti )
+.It Xo Op Ic no
+.Ns Ic vc
+.Xc
+Always use a virtual circuit when sending requests to the server.
+.Pp
+(Default =
+.Ic novc ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic v )
+.Xc
+.It Xo Op Ic no
+.Ns Ic ignoretc
+.Xc
+Ignore packet truncation errors.
+.Pp
+(Default =
+.Ic noignoretc ;
+abbreviation =
+.Xo Op Ic no
+.Ns Ic ig )
+.Xc
+.El
+.El
+.Sh DIAGNOSTICS
+If the lookup request was not successful, an error message is printed.
+Possible errors are:
+.Bl -tag -width "Timed"
+.It Li Timed out
+The server did not respond to a request after a certain amount of
+time (changed with
+.Dq Ic set timeout= Ns Ar value )
+and a certain number of retries (changed with
+.Dq Ic set retry= Ns Ar value ) .
+.It Li \&No response from server
+No name server is running on the server machine.
+.It Li \&No records
+The server does not have resource records of the current query type for the
+host, although the host name is valid.
+The query type is specified with the
+.Dq Ic set querytype
+command.
+.It Li Non-existent domain
+The host or domain name does not exist.
+.It Li Connection refused
+.It Li Network is unreachable
+The connection to the name or finger server could not be made
+at the current time.
+This error commonly occurs with
+.Ic ls
+and
+.Ic finger
+requests.
+.It Li Server failure
+The name server found an internal inconsistency in its database
+and could not return a valid answer.
+.It Li Refused
+The name server refused to service the request.
+.It Li Format error
+The name server found that the request packet was not in the proper format.
+It may indicate an error in
+.Nm nslookup .
+.El
+.Sh FILES
+.Bl -tag -width "/usr/share/misc/nslookup.helpXXX" -compact
+.It Pa /etc/resolv.conf
+initial domain name and name server addresses
+.It Pa $HOME/.nslookuprc
+user's initial options
+.It Pa /usr/share/misc/nslookup.help
+summary of commands
+.El
+.Sh ENVIRONMENT
+.Bl -tag -width "HOSTALIASESXXXX" -compact
+.It Ev HOSTALIASES
+file containing host aliases
+.It Ev LOCALDOMAIN
+overrides default domain
+.El
+.Sh SEE ALSO
+.Xr @INDOT@named @SYS_OPS_EXT@ ,
+.Xr resolver @LIB_NETWORK_EXT@ ,
+.Xr resolver @FORMAT_EXT@ ;
+RFC-1034,
+.Dq Domain Names - Concepts and Facilities ;
+RFC-1035,
+.Dq Domain Names - Implementation and Specification .
+.Sh AUTHOR
+Andrew Cherenson
--- bind9-9.9.3.dfsg.P2.orig/debian/po/POTFILES.in
+++ bind9-9.9.3.dfsg.P2/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates
--- bind9-9.9.3.dfsg.P2.orig/debian/po/cs.po
+++ bind9-9.9.3.dfsg.P2/debian/po/cs.po
@@ -0,0 +1,67 @@ +# Czech translation of bind9 debconf messages. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Miroslav Kure , 2008 +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-15 14:38+0200\n" +"Last-Translator: Miroslav Kure \n" +"Language-Team: Czech \n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Uživatelský úÄet pro bÄ›h daemona BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Ve výchozím nastavení se daemon BINDu9 (named) spouÅ¡tí pod úÄtem uživatele " +"„bind“. Pro použití jiného úÄtu zadejte jeho jméno." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Další spouÅ¡tÄ›cí parametry pro named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Zadejte prosím případné další parametry (mimo uživatelského úÄtu), které se " +"mají pÅ™edat daemonu BINDu9 (named) pÅ™i každém spuÅ¡tÄ›ní." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Má se pÅ™epsat nastavení v resolv.conf?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"RozhodnÄ›te se, zda se má pÅ™epsat nastavení resolveru tak, aby vždy používal " +"lokální daemon BINDu9 (named) namísto serveru, který doporuÄí aktuální " +"pÅ™ipojení." --- bind9-9.9.3.dfsg.P2.orig/debian/po/da.po +++ bind9-9.9.3.dfsg.P2/debian/po/da.po 
@@ -0,0 +1,67 @@ +# Danish translation bind9. +# Copyright (C) 2010 bind9 & Joe Hansen. +# This file is distributed under the same license as the bind9 package. +# Joe Hansen , 2010. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2010-10-07 17:30+01:00\n" +"Last-Translator: Joe Hansen \n" +"Language-Team: Danish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Brugerkonto til kørsel af BIND9-dæmonen:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standarden er at køre BIND9-dæmonen (navngivet) under brugerkontoen »bind«. " +"For at bruge en anden konto, sÃ¥ indtast venligst et passende brugernavn." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Andre opstartsindstillinger for navngivet:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Angiv venligst eventuelle yderligere indstillinger (udover brugernavnet) som " +"skal videresendes til BIND9-dæmonen (navngivet) ved opstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Skal opsætningen af resolv.conf overskrives?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Vælg venligst hvorvidt opløseren skal tvinges til at bruge den lokale BIND9-" +"dæmon (navngivet), frem for hvad den aktuelle forbindelse anbefaler, nÃ¥r " +"denne maskine flytter rundt." --- bind9-9.9.3.dfsg.P2.orig/debian/po/de.po +++ bind9-9.9.3.dfsg.P2/debian/po/de.po 
@@ -0,0 +1,84 @@ +# Translation of bind9 debconf templates to German +# (C) Helge Kreutzmann , 2008. +# This file is distributed under the same license as the bind9 package. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-16 20:22+0200\n" +"Last-Translator: Helge Kreutzmann \n" +"Language-Team: de \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Benutzerkonto, unter dessen Kennung der BIND9-Daemon laufen soll:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standardmäßig wird der BIND9-Daemon (Named) unter der Kennung des Benutzers " +"»bind« betrieben. Um ein anderes Benutzerkonto auszuwählen, geben Sie bitte " +"den entsprechenden Benutzernamen ein." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Weitere Optionen für den Start des Named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Bitte geben Sie hier die zusätzlichen Optionen (außer dem Benutzernamen) " +"ein, die dem Bind9-Daemon (Named) beim Starten übergeben werden sollen." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Sollen die Einstellungen in resolv.conf ignoriert werden?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Bitte wählen Sie aus, ob der Namensauflöser (Resolver) dazu gezwungen werden " +"soll, den lokalen BIND9-Daemon (Named) zu verwenden, statt den aktuellen " +"Verbindungsempfehlungen zu folgen, wenn diese Maschine bewegt wird." + +#~ msgid "Options that should be passed at startup to bind9" +#~ msgstr "Optionen, die beim Starten an Bind9 weitergegeben werden sollen" + +#~ msgid "which user should bind9 run as?" +#~ msgstr "Unter welcher Benutzerkennung soll Bind9 laufen?" + +#~ msgid "" +#~ "The default is to start bind9 as bind user, if you would like to change " +#~ "that, please give here the username as which bind9 should start as." +#~ msgstr "" +#~ "Standardmäßig startet Bind9 unter der Benutzerkennung »bind«. Falls Sie " +#~ "dies ändern möchten geben Sie hier bitte den Benutzernamen ein, unter " +#~ "dessen Kennung Bind9 starten soll." + +#~ msgid "Should resolvconf run when bind9 starts up?" +#~ msgstr "Soll Resolvconf laufen, wenn Bind9 startet?" --- bind9-9.9.3.dfsg.P2.orig/debian/po/es.po +++ bind9-9.9.3.dfsg.P2/debian/po/es.po 
@@ -0,0 +1,86 @@ +# bind9 translation to spanish +# Copyright (C) 2008 Software in the Public Interest +# This file is distributed under the same license as the bind9 package. +# Changes: +# - Initial translation +# Ignacio Mondino , 2008 +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish +# especialmente las notas de traducción en +# http://www.debian.org/intl/spanish/notas +# - La guía de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg-3\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-08 20:18-0300\n" +"Last-Translator: Ignacio Mondino \n" +"Language-Team: Debian Spanish team \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Cuenta de usuario que ejecuta el demonio BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"La cuenta de usuario por omisión que ejecuta el demonio BIND9 («named») es " +"«bind». Para usar una cuenta diferente, por favor ingrese el nombre de " +"usuario apropiado." + +#. Type: string +#. 
Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Otras opciones de inicio para «named»:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Ingrese cualquier opción adicional (además del nombre de usuario) que " +"debiera pasarse como parámetro al demonio BIND9 («named») al inicio del " +"sistema." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "¿Debería sobreescribirse el archivo «resolv.conf»?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Indique si se debería forzar al cliente a utilizar el demonio BIND9 " +"(«named») local en lugar de lo que la conexión actual recomiende, cuando " +"este equipo este en movimiento." --- bind9-9.9.3.dfsg.P2.orig/debian/po/eu.po +++ bind9-9.9.3.dfsg.P2/debian/po/eu.po 
@@ -0,0 +1,68 @@ +# translation of eu.po to Euskara +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Piarres Beobide , 2009. +msgid "" +msgstr "" +"Project-Id-Version: eu\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2009-02-22 10:36+0100\n" +"Last-Translator: Piarres Beobide \n" +"Language-Team: Euskara \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 exekutatuko duen erabiltzaile kontua:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Lehenetsia BIND9 deabrua (named) 'bind' erabiltzaile kontuarekin exekutatzea " +"da. Beste kontu bat erabiltzeko, idatzi dagokion erabiltzaile-izena" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Beste abio aukera batzuek named-rentzat:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Mesedez zehaztu BIND9 deabruari abioan pasa behar zaizkion beste aukera " +"gehigarriak (erabiltzaile-izenaz beste)." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ezarpenak gainidatzi behar al dira?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Mesedez hautatu ebazlea nola behartu behar den BIND9 deabru kopia lokala " +"erabiltzeko ekipo hau mugitzen ari denean konexioak gomendatzen dionaren " +"ordez." --- bind9-9.9.3.dfsg.P2.orig/debian/po/fi.po +++ bind9-9.9.3.dfsg.P2/debian/po/fi.po 
@@ -0,0 +1,64 @@ +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-13 08:08-0000\n" +"Last-Translator: Esko Arajärvi \n" +"Language-Team: Finnish \n" +"Language: fi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Finnish\n" +"X-Poedit-Country: FINLAND\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Käyttäjätunnus, jolla BIND9-taustaohjelmaa ajetaan:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Oletuksena BIND9-taustaohjelmaa (named) ajetaan käyttäjätunnuksella â€bindâ€. " +"Jos halutaan käyttää jotain muuta tunnusta, syötä se tähän." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Ohjelman named muut käynnistysvalitsimet:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Anna mahdolliset muut valitsimet (muut kuin käyttäjätunnus), jotka BIND9-" +"taustaohjelmalle (named) tulisi antaa käynnistyksessä." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Tulisiko tiedoston resolv.conf asetukset jättää huomioitta?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." 
+msgstr "" +"Valitse tulisiko selvittäjä pakottaa käyttämään paikallista BIND9-" +"taustaohjelmaa (named) sen sijaan mitä nykyinen yhteys suosittelee, kun " +"konetta siirrellään eri paikkoihin." --- bind9-9.9.3.dfsg.P2.orig/debian/po/fr.po +++ bind9-9.9.3.dfsg.P2/debian/po/fr.po 
@@ -0,0 +1,69 @@ +# Translation of bind9 debconf templates to French +# Copyright (C) 2008 CALARESU Luc +# This file is distributed under the same license as the bind9 package. +# CALARESU Luc , 2008. +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 14:26+0200\n" +"Last-Translator: CALARESU Luc \n" +"Language-Team: French \n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Identifiant pour l'exécution du démon de BIND9 :" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Par défaut, le démon de BIND9 est lancé avec les privilèges de l'identifiant " +"« bind ». Si vous souhaitez utiliser un autre identifiant, veuillez " +"l'indiquer ici." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Autres options à transmettre pour « named » :" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Veuillez indiquer toute option supplémentaire (autre que l'identifiant) qui " +"doit être transmise au démarrage du démon de BIND9 (« named »)." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Faut-il écraser les paramètres de resolv.conf ?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Veuillez choisir si la résolution de noms doit utiliser le démon BIND9 local " +"(« named ») plutôt que les paramètres recommandés pour la connexion " +"actuelle, lorsque cette machine est déplacée." --- bind9-9.9.3.dfsg.P2.orig/debian/po/gl.po +++ bind9-9.9.3.dfsg.P2/debian/po/gl.po 
@@ -0,0 +1,66 @@ +# Galician translation of bind9's debconf templates +# This file is distributed under the same license as the bind9 package. +# Jacobo Tarrio , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:36+0100\n" +"Last-Translator: Jacobo Tarrio \n" +"Language-Team: Galician \n" +"Language: gl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de usuario que executa o servizo de BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"A elección por defecto é executar o servizo de BIND9 (named) baixo a conta " +"de usuario \"bind\". Para empregar unha conta diferente, introduza o nome." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opcións de inicio para named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Forneza as opcións adicionais (que non sexan o nome de usuario) que se deban " +"pasar ao servizo de BIND9 (named) no inicio." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "¿Quere substituír a configuración de resolv.conf?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Indique se quere forzar o resolvedor a que empregue o servizo de BIND9 local " +"(named) no canto do que recomenda a conexión actual, cando esta máquina " +"estea en movemento." --- bind9-9.9.3.dfsg.P2.orig/debian/po/id.po +++ bind9-9.9.3.dfsg.P2/debian/po/id.po 
@@ -0,0 +1,51 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: bind9\n"
+"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n"
+"POT-Creation-Date: 2008-06-13 16:56-0600\n"
+"PO-Revision-Date: \n"
+"Last-Translator: Mahyuddin Susanto \n"
+"Language-Team: Debian Indonesia Translator \n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Indonesian\n"
+"X-Poedit-Country: INDONESIA\n"
+
+#. Type: string
+#. Description
+#: ../templates:1001
+msgid "User account for running the BIND9 daemon:"
+msgstr "Akun pengguna untuk menjalankan daemon BIND9:"
+
+#. Type: string
+#. Description
+#: ../templates:1001
+msgid "The default is to run the BIND9 daemon (named) under the 'bind' user account. To use a different account, please enter the appropriate username."
+msgstr "Bawaan dari daemon BIND9 adalah menjalankan dengan user akun 'bind'. Untuk menggunakan akun berbeda, silakan masukkan nama pengguna yang sesuai."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "Other startup options for named:"
+msgstr "Opsi lain startup untuk named:"
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "Please provide any additional options (other than username) that should be passed to the BIND9 daemon (named) on startup."
+msgstr "Harap menyediakan opsi tambahan (selain nama pengguna) yang digunakan daemon BIND9 untuk startup"
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Should resolv.conf settings be overridden?"
+msgstr "haruskah resolv.conf ditimpa?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Please choose whether the resolver should be forced to use the local BIND9 daemon (named) rather than what the current connection recommends, when this machine moves around."
+msgstr "Silakan tentukan resolver mana yang akan digunakan untuk daemon lokal BIND9 (named) dari koneksi sekarang yang digunakan, ketika mesin ini berjalan"
+
--- bind9-9.9.3.dfsg.P2.orig/debian/po/it.po
+++ bind9-9.9.3.dfsg.P2/debian/po/it.po
@@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg.P1-2_templates.po to Italian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Alex , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg.P1-2_templates\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-27 16:10+0200\n" +"Last-Translator: Alex \n" +"Language-Team: Italian \n" +"Language: it\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Account utente con cui eseguire il demone BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"L'opzione predefinita prevede l'esecuzione del demone BIND9 (named) " +"utilizzando l'utente 'bind'. Se si desidera utilizzare un differente account " +"utente, inserire il nome corrispondente." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Altre opzioni di avvio per named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Inserire qualsiasi opzione addizionale (differente dal nome utente) che " +"dovrebbe essere inviata al demone BIND9 (named) durante l'avvio." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Si desidera non tener conto delle impostazioni in resolv.conf?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Scegliere se si desidera forzare la risoluzione di tutte le query DNS con il " +"demone BIND9 locale (named) non utilizzando i server raccomandati dalla " +"connessione attiva." --- bind9-9.9.3.dfsg.P2.orig/debian/po/ja.po +++ bind9-9.9.3.dfsg.P2/debian/po/ja.po 
@@ -0,0 +1,66 @@ +# Copyright (C) 2008 LaMont Jones +# This file is distributed under the same license as the bind9 package. +# Hideki Yamane , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg.P1-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-22 00:03+0900\n" +"Last-Translator: Hideki Yamane (Debian-JP) \n" +"Language-Team: Japanese \n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 デーモンã®å‹•ä½œã«ä½¿ã†ãƒ¦ãƒ¼ã‚¶ã‚¢ã‚«ã‚¦ãƒ³ãƒˆ:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"デフォルトã§ã¯ BIND9 デーモン (named) ã¯ã€Œbindã€ãƒ¦ãƒ¼ã‚¶ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã§å‹•ä½œã—ã¾" +"ã™ã€‚ç•°ãªã‚‹ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’使ã„ãŸã„å ´åˆã¯ã€é©åˆ‡ãªãƒ¦ãƒ¼ã‚¶åを入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "起動時㫠named ã«æŒ‡å®šã™ã‚‹ã‚ªãƒ—ション:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"BIND9 デーモン (named) ã®èµ·å‹•æ™‚ã«æŒ‡å®šã—ãŸã„ (ユーザå以外ã®) 追加オプションを" +"入力ã—ã¦ãã ã•ã„。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ã®è¨­å®šã‚’上書ãã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." 
+msgstr "" +"ã“ã®ãƒžã‚·ãƒ³ã‚’移動ã—ãŸéš›ã€ãƒªã‚¾ãƒ«ãƒãŒãƒ­ãƒ¼ã‚«ãƒ«ã® BIND9 デーモン (named) を使ã†ã‚ˆ" +"ã†ã«ã™ã‚‹ã‹ã€ç¾åœ¨ã®æŽ¥ç¶šå…ˆã§æŽ¨å¥¨ã•ã‚Œã‚‹ãƒãƒ¼ãƒ ã‚µãƒ¼ãƒã‚’使ã†ã‚ˆã†ã«ã™ã‚‹ã‹ã‚’é¸ã‚“ã§ã" +"ã ã•ã„。" --- bind9-9.9.3.dfsg.P2.orig/debian/po/ko.po +++ bind9-9.9.3.dfsg.P2/debian/po/ko.po 
@@ -0,0 +1,69 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: debconf template\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2011-06-24 18:37+0900\n" +"Last-Translator: 강민지 \n" +"Language-Team: opensource \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Korean\n" +"X-Poedit-Country: KOREA, REPUBLIC OF\n" +"X-Poedit-SourceCharset: utf-8\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 ë°ëª¬ì„ 실행하기 위한 ì‚¬ìš©ìž ê³„ì •:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"ê¸°ë³¸ê°’ì€ 'ë°”ì¸ë“œ' ì‚¬ìš©ìž ê³„ì •ì—ì„œ BIND9 ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì„ ì‹¤í–‰í•©ë‹ˆë‹¤. 다른 " +"ê³„ì •ì„ ì‚¬ìš©í•˜ë ¤ë©´ 해당 ì‚¬ìš©ìž ì´ë¦„ì„ ìž…ë ¥í•˜ì„¸ìš”." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "ì§€ëª…ëœ ë‹¤ë¥¸ 시작 옵션:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"BIND9 ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì´ ì‹¤í–‰ìœ¼ë¡œ 전달ë˜ê¸° 위해서 추가옵션(ì‚¬ìš©ìž ì´ë¦„ ì´ì™¸)" +"ì„ ìž…ë ¥í•˜ì„¸ìš”." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ì„¤ì •ì€ ìž¬ì •ì˜ ë˜ì–´ì•¼í•˜ëŠ”ê°€?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"ì´ ê¸°ê³„ê°€ 근처로 ì´ë™ë  ë•Œ í•´ê²°ìžëŠ” í˜„ìž¬ì˜ ì—°ê²°ì„ ê¶Œìž¥í•˜ëŠ” 것보다 로컬 BIND9 " +"ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì„ ì‚¬ìš©í•˜ë„ë¡ ê°•ìš”í•´ì•¼í•˜ëŠ”ì§€ 여부를 ì„ íƒí•˜ì„¸ìš”." --- bind9-9.9.3.dfsg.P2.orig/debian/po/nb.po +++ bind9-9.9.3.dfsg.P2/debian/po/nb.po 
@@ -0,0 +1,69 @@ +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Bjørn Steensrud , 2012. +msgid "" +msgstr "" +"Project-Id-Version: \n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2012-01-03 21:33+0100\n" +"Last-Translator: Bjørn Steensrud \n" +"Language-Team: Norwegian BokmÃ¥l \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nb\n" +"X-Generator: Lokalize 1.2\n" +"Plural-Forms: nplurals=2; plural=n != 1;\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Brukerkonto for Ã¥ kjøre BIND9-daemonen:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standard er Ã¥ kjøre BIND8-daemonen (named) under brukerkontoen «bind». Skriv " +"inn et passende navn for Ã¥ bruke en annen konto." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Andre oppstartsvalg for named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Skriv inn flere valg (annet enn brukernavn) som skal sendes over til " +"BIND9-daemonen (named) ved oppstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Skal innstillingene i resolv.conf oveerstyres?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Velg om adresseløseren skal tvinges til Ã¥ bruke den lokale BIND9-daemonen " +"(named) i stedet for det den gjeldende tilkoblingen anbefaler, nÃ¥r denne " +"maskinen flyttes omkring." + --- bind9-9.9.3.dfsg.P2.orig/debian/po/nl.po +++ bind9-9.9.3.dfsg.P2/debian/po/nl.po 
@@ -0,0 +1,72 @@
+# translation of bind9_1:9.5.0.dfsg.P2-1_nl.po to Dutch
+# translation of bind9 debconf template to Dutch
+# Copyright (C) 2008 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the bind9 package.
+#
+# Paul Gevers , 2008.
+msgid ""
+msgstr ""
+"Project-Id-Version: bind9_1:9.5.0.dfsg.P2-1_nl\n"
+"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n"
+"POT-Creation-Date: 2008-06-13 16:56-0600\n"
+"PO-Revision-Date: 2008-09-17 21:15-0500\n"
+"Last-Translator: Paul Gevers \n"
+"Language-Team: Dutch \n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: string
+#. Description
+#: ../templates:1001
+msgid "User account for running the BIND9 daemon:"
+msgstr ""
+"Gebruikersaccount waaronder de BIND9 achtergronddienst dient te draaien:"
+
+#. Type: string
+#. Description
+#: ../templates:1001
+msgid ""
+"The default is to run the BIND9 daemon (named) under the 'bind' user "
+"account. To use a different account, please enter the appropriate username."
+msgstr ""
+"Standaard wordt 'named', de BIND9-achtergronddienst, uitgevoerd onder de "
+"'bind' gebruikersaccount. Als u een andere account wilt gebruiken kunt hier "
+"de geschikte gebruikersnaam invullen."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "Other startup options for named:"
+msgstr "Andere opstartopties voor 'named':"
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid ""
+"Please provide any additional options (other than username) that should be "
+"passed to the BIND9 daemon (named) on startup."
+msgstr ""
+"Welke aanvullende opties (anders dan de gebruikersnaam) wilt u bij het "
+"opstarten meegeven aan 'named', de BIND9 achtergronddienst?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Should resolv.conf settings be overridden?"
+msgstr "Wilt u dat de 'resolv.conf' instellingen omzeild worden?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"Please choose whether the resolver should be forced to use the local BIND9 "
+"daemon (named) rather than what the current connection recommends, when this "
+"machine moves around."
+msgstr ""
+"Wilt u afdwingen dat de 'resolver' gebruik maakt van de lokale BIND9 "
+"achtergronddienst (named), in plaats van de aanbevelingen van de huidige "
+"connectie. Bijvoorbeeld, wanneer deze computer veel verplaatst wordt."
--- bind9-9.9.3.dfsg.P2.orig/debian/po/pl.po
+++ bind9-9.9.3.dfsg.P2/debian/po/pl.po
@@ -0,0 +1,68 @@ +# debconf templates for bind9 package +# Polish translation +# Copyright (C) 2008 +# This file is distributed under the same license as the bind9 package. +# Åukasz Paździora , 2008 +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 9.5.0.dfsg.P2-4\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-11-24 18:30+0100\n" +"Last-Translator: Åukasz Paździora \n" +"Language-Team: Polish \n" +"Language: pl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Konto użytkownika, jako który powinien dziaÅ‚ać BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"DomyÅ›lnie demon BIND9 (named) dziaÅ‚a jako użytkownik 'bind'. Aby użyć innego " +"konta podaj innÄ… nazwÄ™ użytkownika." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Inne opcje startowe dla named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"ProszÄ™ podać dodatkowe opcje (inne niż nazwa użytkownika), które powinny " +"zostać podane demonowi BIND9 (named) przy starcie." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Czy ustawienia resolv.conf majÄ… zostać nadpisane?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"ProszÄ™ wybrać czy do rozwiÄ…zywania nazw powinna być używana lokalna usÅ‚uga " +"BIND9 (named), kiedy maszyna zmienia miejsce, czy też powinien korzystać z " +"zalecanych ustawieÅ„ aktualnego poÅ‚Ä…czenia." --- bind9-9.9.3.dfsg.P2.orig/debian/po/pt.po +++ bind9-9.9.3.dfsg.P2/debian/po/pt.po 
@@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg-2_pt debconf to Portuguese +# Copyright (C) 2008 Américo Monteiro +# This file is distributed under the same license as the bind9 package. +# +# Américo Monteiro , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg-2_pt\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:55+0100\n" +"Last-Translator: Américo Monteiro \n" +"Language-Team: Portuguese \n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de utilizador para correr o deamon BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"A pré-definição é correr o deamon BIND9 (named) sob a conta de utilizador " +"'bind'. Para usar uma conta diferente, por favor indique o nome de " +"utilizador apropriado." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opções de arranque para o named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Por favor forneça quaisquer opções adicionais (além do nome de utilizador) " +"que deverão ser enviadas ao deamon BIND9 (named) durante o arranque. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Devem as configurações de resolv.conf ser substituidas?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Por favor escolha se a resolução de nomes deverá ser forçada a usar o deamon " +"local BIND9 (named) em vez do que a corrente ligação recomenda, quando esta " +"máquina está ligada." --- bind9-9.9.3.dfsg.P2.orig/debian/po/pt_BR.po +++ bind9-9.9.3.dfsg.P2/debian/po/pt_BR.po 
@@ -0,0 +1,71 @@ +# bind9 Brazilian Portuguese translation +# Copyright (C) 2009 bind9's COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Luís Gustavo Pessoa Sales , 2009. +# José Figueiredo , 2010. +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2010-09-10 22:37-0300\n" +"Last-Translator: José de Figueiredo \n" +"Language-Team: Brazilian Portuguese \n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de usuário para execução do daemon do BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"O padrão é executar o daemon do BIND9 (named) com a conta de usuário 'bind'. " +"Para usar uma conta diferente, por favor informe o nome do usuário." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opções de inicialização para o named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Por favor, forneça outras opções adicionais (além de nome de usuário), que " +"devam ser passadas ao daemon do BIND9 (named) na inicialização." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "As configurações do resolv.conf devem ser sobrescritas?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Por favor, escolha se o resolvedor de nomes deve ser forçado a usar o daemon " +"do BIND9 local (named) em vez daquele que a conexão atual recomendar, quando " +"esta máquina for movida." --- bind9-9.9.3.dfsg.P2.orig/debian/po/ru.po +++ bind9-9.9.3.dfsg.P2/debian/po/ru.po 
@@ -0,0 +1,70 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Yuri Kozlov , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:08+0400\n" +"Last-Translator: Yuri Kozlov \n" +"Language-Team: Russian \n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Ð£Ñ‡Ñ‘Ñ‚Ð½Ð°Ñ Ð·Ð°Ð¿Ð¸ÑÑŒ Ð´Ð»Ñ Ð·Ð°Ð¿ÑƒÑка Ñлужбы BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"По умолчанию, Ñлужба BIND9 (файл named) запуÑкаетÑÑ Ñ Ð¿Ñ€Ð°Ð²Ð°Ð¼Ð¸ учётной запиÑи " +"'bind'. ЕÑли вы хотите иÑпользовать другую учётную запиÑÑŒ, то введите Ñто " +"Ð¸Ð¼Ñ Ð·Ð´ÐµÑÑŒ." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Другие параметры запуÑка named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Укажите любые дополнительные параметры (кроме имени учётной запиÑи), которые " +"нужно передать Ñлужбе BIND9 (файлу named) при запуÑке." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" 
+msgstr "ПерепиÑать наÑтройки resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Укажите, хотите ли вы, чтобы определитель имён машины иÑпользовал локальную " +"Ñлужбу BIND9 (named), а не наÑтройки имеющегоÑÑ Ð¿Ð¾Ð´ÐºÐ»ÑŽÑ‡ÐµÐ½Ð¸Ñ." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sk.po +++ bind9-9.9.3.dfsg.P2/debian/po/sk.po 
@@ -0,0 +1,67 @@ +# Slovak translation of bind9 +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Ivan Masár , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: \n" +"Last-Translator: Ivan Masár \n" +"Language-Team: \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Používateľský úÄet démona BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Å tandardne sa démon BIND9 (named) spúšťa s používateľským úÄtom „bindâ€. Ak " +"chcete použiÅ¥ iný úÄet, prosím zadajte prísluÅ¡ný názov úÄtu." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "ÄŽalÅ¡ie spúšťacie voľby pre named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Zadajte ÄalÅ¡ie voľby (okrem používateľského mena), ktoré sa majú odovzdaÅ¥ " +"démonovi BIND9 (named) pri spustení." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Má sa nastaviÅ¥ priorita pred resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." 
+msgstr "" +"Zvoľte, Äi má sa má vynútiÅ¥, aby prekladaÄ adries používal lokálneho démona " +"BIND9 (named) namiesto toho, Äo odporúÄa aktuálne pripojenie, keÄ sa " +"umiestnenie tohto poÄítaÄa mení." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sr.po +++ bind9-9.9.3.dfsg.P2/debian/po/sr.po 
@@ -0,0 +1,66 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: Zlatan Todoric \n" +"Language-Team: Serbian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "КориÑнички налог за покретање BIND9 процеÑа у позадини:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Подразумијевано је да Ñе BIND9 Ð¿Ñ€Ð¾Ñ†ÐµÑ Ñƒ позадини (Named) покреће под 'bind'" +"кориÑничким налогом. Да биÑте кориÑтили другачији налог, унеÑите адекватно кориÑничко име." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Друге опције приликом покретања за (Named):" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Молимо Ð²Ð°Ñ Ð¾Ð±ÐµÐ·Ð±Ñ˜ÐµÐ´Ð¸Ñ‚Ðµ додатне опције (оÑим кориÑничког имена) који би требали" +"бити проÑлијеђени BIND9 процеÑу у позадини (Named) приликом покретања." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Желите ли поништити поÑтојећа resolv.conf подешавања?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Одаберите желите ли да аутоматÑки помагач (Resolver) буде приÑиљен кориÑтити " +"локални BIND9 Ð¿Ñ€Ð¾Ñ†ÐµÑ Ñƒ позадини (Named) умјеÑто препорука тренутне мреже, када " +"ова машина буде помјерана." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sr@latin.po +++ bind9-9.9.3.dfsg.P2/debian/po/sr@latin.po 
@@ -0,0 +1,66 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) 2011 +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: Zlatan Todorić \n" +"Language-Team: Serbian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "KorisniÄki nalog za pokretanje BIND9 procesa u pozadini:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Podrazumijevano je da se BIND9 proces u pozadini (Named) pokreće pod 'bind'" +"korisniÄkim nalogom. Da biste koristili drugaÄiji nalog, unesite adekvatno korisniÄko ime." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Druge opcije prilikom pokretanja za (Named):" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Molimo vas obezbjedite dodatne opcije (osim korisniÄkog imena) koji bi trebali" +"biti proslijeÄ‘eni BIND9 procesu u pozadini (Named) prilikom pokretanja." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Želite li poniÅ¡titi postojeća resolv.conf podeÅ¡avanja?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Odaberite želite li da automatski pomagaÄ (Resolver) bude prisiljen koristiti" +"lokalni BIND9 proces u pozadini umjesto preporuka trenutne mreže, kada ova" +"maÅ¡ina bude pomjerana." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sv.po +++ bind9-9.9.3.dfsg.P2/debian/po/sv.po 
@@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg.P1-2_sv.po to Swedish +# Copyright (C) 2008 +# This file is distributed under the same license as the bind9 package. +# +# Martin Ã…gren , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg.P1-2_sv\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-18 19:24+0200\n" +"Last-Translator: Martin Ã…gren \n" +"Language-Team: Swedish \n" +"Language: sv\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Användarkonto att köra BIND9-demonen under:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standardvalet är att köra BIND9-demonen (named) under användarkontot 'bind'. " +"För att använda ett annat konto, var vänlig ange användarnamnet." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Övriga uppstartsval för named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Var vänlig ange eventuella ytterligare val (förutom användarnamn) som ska " +"skickas till BIND9-demonen (named) vid uppstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Ska resolv.conf-inställningar hoppas över?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Var vänlig välj huruvida uppslagaren ska tvingas använda den lokala BIND9-" +"demonen (named) snarare än vad den aktuella uppkopplingen rekommenderar när " +"den här maskinen flyttar runt." --- bind9-9.9.3.dfsg.P2.orig/debian/po/templates.pot +++ bind9-9.9.3.dfsg.P2/debian/po/templates.pot 
@@ -0,0 +1,60 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" --- bind9-9.9.3.dfsg.P2.orig/debian/po/tr.po +++ bind9-9.9.3.dfsg.P2/debian/po/tr.po 
@@ -0,0 +1,70 @@ +# turkish translation of bind9 debconf template +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# Mert Dirik , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-15 23:31+0200\n" +"Last-Translator: Mert Dirik \n" +"Language-Team: Debian L10n Turkish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Poedit-Language: Turkish\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 bekletici programının (named) kullanacağı kullanıcı hesabı:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Öntanımlı olarak BIND9 bekletici (daemon) programı 'bind' kullanıcı " +"hesabıyla çalışır. Farklı bir hesap kullanmak için kullanmak istediÄŸiniz " +"hesabın adını girin." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "'named'in kullanacağı diÄŸer baÅŸlatma seçenekleri:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Lütfen BIND9 bekletici programına (named) geçilmesini istediÄŸiniz, kullanıcı " +"adı dışındaki ek seçenekleri yazın." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "'resolv.conf' ayarları ezilmeli mi (override)?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Lütfen bu makine gezerken; çözümleyicinin o anda kullanılan baÄŸlantının " +"önerdiÄŸi sunucu yerine yerel BIND9 bekletici programını (named) kullanmaya " +"zorlanması gerekip gerekmediÄŸini seçin." --- bind9-9.9.3.dfsg.P2.orig/debian/po/vi.po +++ bind9-9.9.3.dfsg.P2/debian/po/vi.po 
@@ -0,0 +1,67 @@ +# Vietnamese translation for Bind 9. +# Copyright © 2008 Free Software Foundation, Inc. +# Clytie Siddall , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 15:35+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"Language: vi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.7b3\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Tài khoản ngÆ°á»i dùng để chạy trình ná»n BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Mặc định là chạy trình ná»n BIND9 (đặt tên) dÆ°á»›i tài khoản ngÆ°á»i dùng « bind " +"». Äể sá»­ dụng tài khoản khác, hãy nhập tên ngÆ°á»i dùng thích hợp." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Tùy chá»n khởi chạy khác cần đặt tên:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Hãy nhập vào đây bất kỳ tùy chá»n bổ sung (khác vá»›i tên ngÆ°á»i dùng) nên gá»­i " +"cho trình ná»n BIND9 vào lúc khởi chạy." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Co nên ghi đè lên thiết lập « resolv.conf » không?" + +#. Type: boolean +#. 
Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Hãy chá»n có nên ép buá»™c trình giải quyết sá»­ dụng trình ná»n BIND9 cục bá»™ (đặt " +"tên) hÆ¡n là kết nối hiện thá»i Ä‘á» nghị gì khi máy này ở nÆ¡i khác." --- bind9-9.9.3.dfsg.P2.orig/debian/po/zh_CN.po +++ bind9-9.9.3.dfsg.P2/debian/po/zh_CN.po 
@@ -0,0 +1,64 @@ +# Chinese translations for bind package. +# Copyright (C) 2008 THE bind'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind package. +# LI Daobing , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind 9-9.5.0.dfsg.P2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-10-04 14:36+0800\n" +"Last-Translator: LI Daobing \n" +"Language-Team: Chinese (simplified)\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "è¿è¡Œ BIND9 æœåŠ¡çš„用户账å·:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"缺çœä½¿ç”¨ 'bind' 用户æ¥è¿è¡Œ BIND9 æœåŠ¡(named)。 想使用其他的账å·, 请输入åˆé€‚çš„" +"用户å。" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "named 的其他å¯åŠ¨é€‰é¡¹:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "请æ供需è¦ä¼ ç»™ BIND9 æœåŠ¡(named)çš„å¯åŠ¨é€‰é¡¹(用户å除外)。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "是å¦è¦†ç›– resolv.conf 的设置?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." 
+msgstr "" +"请选择是å¦å¼ºåˆ¶ä½¿ç”¨æœ¬åœ° BIND9 æœåŠ¡(named)æ¥åšåŸŸå解æž, 而ä¸æ˜¯ä½¿ç”¨å½“å‰è¿žæŽ¥æ‰€æŽ¨" +"è的域å解æžæœåŠ¡å™¨, 特别是当机器需è¦ç§»åŠ¨æ—¶ã€‚" --- bind9-9.9.3.dfsg.P2.orig/debian/rules +++ bind9-9.9.3.dfsg.P2/debian/rules 
@@ -0,0 +1,186 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 to 1999 by Joey Hess. + +export DEB_BUILD_HARDENING=1 +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +ifndef DEB_HOST_ARCH +DEB_BUILD_ARCH := $(shell dpkg --print-architecture) +endif +export arch = $(DEB_HOST_ARCH) + +DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) +DEBUG = -g +endif + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) +OPT = +else +OPT = -O2 +endif + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +export MAKEFLAGS += -j$(NUMJOBS) +endif + +export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT) + +ifeq ($(DEB_HOST_ARCH_OS),kfreebsd) +EXTRA_FEATURES=--disable-linux-caps --disable-threads +endif + +configure: configure-stamp +configure-stamp: + dh_testdir + ./configure --prefix=/usr \ + --mandir=\$${prefix}/share/man \ + --infodir=\$${prefix}/share/info \ + --sysconfdir=/etc/bind \ + --localstatedir=/var \ + --enable-threads \ + --enable-largefile \ + --with-libtool \ + --enable-shared \ + --enable-static \ + --with-openssl=/usr \ + --with-gssapi=/usr \ + --with-gnu-ld \ + --with-geoip=/usr \ + --with-atf=no \ + --enable-ipv6 \ + $(EXTRA_FEATURES) + + touch $@ + +build: build-stamp +build-stamp: configure-stamp + dh_testdir + LD_LIBRARY_PATH=$$(pwd)/lib/isc/.libs:$$(pwd)/lib/isccc/.libs:$$(pwd)/isccfg/.libs:$${LD_LIBRARY_PATH} $(MAKE) + touch $@ + +autofiles: + libtoolize --automake --copy --force + aclocal + #automake + autoheader + autoconf + rm -rf autom4te.cache + cp config.guess config.sub contrib/idn/idnkit-1.0-src/ + +clean: + dh_testdir + dh_testroot + -$(MAKE) distclean + find . 
-name \*.o -exec rm {} \; + rm -f build-stamp configure-stamp + rm -f debian/substvars lib/bind/include/isc/platform.h + rm -f contrib/dlz/bin/dlzbdb/Makefile contrib/dlz/drivers/rules + rm -f doc/arm/Bv9ARM.pdf + dh_clean + +newtemplate: + debconf-updatepo + +msgstats: + @cd debian/po && for i in *.po; do x=$$(msgfmt --statistics $$i 2>&1); echo $$i $$x; done; rm -f messages.mo *.po~ + +msg-email: + @podebconf-report-po + +ETCBIND=debian/bind9/etc/bind +ETCAPP=debian/bind9/etc/apparmor.d +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + $(MAKE) install DESTDIR=`pwd`/debian/bind9 + rm -f debian/bind9/usr/lib/*.la + install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.0 + install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.255 + install -c -o bin -g bin -m 444 debian/db.empty ${ETCBIND} + install -c -o bin -g bin -m 444 debian/zones.rfc1918 ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.127 ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.local ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.root ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.local ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.default-zones ${ETCBIND} + install -c -o bin -g bin -m 440 bind.keys ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.options debian/bind9/usr/share/bind9/ + cp doc/arm/*.html debian/bind9-doc/usr/share/doc/bind9-doc/arm + install -m 644 -o root -g root debian/apparmor-profile ${ETCAPP}/usr.sbin.named + install -m 644 -o root -g root debian/apparmor-profile.local ${ETCAPP}/local/usr.sbin.named + rmdir debian/bind9/var/run/named debian/lwresd/var/run/named || true + + install debian/ip-up.d debian/bind9/etc/ppp/ip-up.d/bind9 + install debian/ip-down.d debian/bind9/etc/ppp/ip-down.d/bind9 + install debian/ip-up.d debian/bind9/etc/network/if-up.d/bind9 + install debian/ip-down.d 
debian/bind9/etc/network/if-down.d/bind9 + install -m644 debian/bind9.ufw.profile debian/bind9/etc/ufw/applications.d/bind9 + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir -i + dh_testroot -i + dh_installdocs -i + dh_installexamples -i + dh_installmenu -i + dh_installcron -i + dh_installinfo -i + dh_installchangelogs -i # CHANGES # upstream changelog only in bind9-doc + dh_installchangelogs -pbind9-doc CHANGES + dh_link -i + dh_compress -i + dh_fixperms -i + dh_installdeb -i + for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars.in >> debian/$$i.substvars; done + cat debian/vars.in >> debian/substvars + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir -a + dh_testroot -a + dh_installdocs -a + dh_installexamples -a + dh_installmenu -a + dh_systemd_enable -pbind9 --no-enable bind9-resolvconf.service + dh_systemd_enable -pbind9 bind9.service + dh_systemd_enable -plwresd lwresd.service + dh_installinit -a --no-start -- defaults 15 85 + # Ship the extra service file for resolvconf integration manually. 
+ cp debian/bind9-resolvconf.service debian/bind9/lib/systemd/system + dh_installcron -a + dh_installdebconf -pbind9 + dh_installinfo -a + dh_installchangelogs -a # CHANGES # upstream changelog only in bind9-doc + dh_install --sourcedir=debian/bind9 -a + (cd debian/bind9/ && rm -rf $$(cat ../*.install) ) + rm -f debian/bind9/usr/share/man/man1/query-loc.1 + # install apport hook on Ubuntu + if dpkg-vendor --is ubuntu; then \ + install -m 644 -D debian/bind9.apport debian/bind9/usr/share/apport/package-hooks/bind9.py; \ + fi + dh_link -a + dh_strip -a + dh_compress -a + dh_fixperms -a + dh_makeshlibs -a + dh_installdeb -a + dh_shlibdeps -l"debian/libbind9-90/usr/lib:debian/libbind-dev/usr/lib:debian/libdns99/usr/lib:debian/libisc95/usr/lib:debian/libisccc90/usr/lib:debian/libisccfg90/usr/lib:debian/liblwres90/usr/lib:/usr/lib/libfakeroot" -a + for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars.in >> debian/$$i.substvars; done + cat debian/vars.in >> debian/substvars + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure --- bind9-9.9.3.dfsg.P2.orig/debian/source/format +++ bind9-9.9.3.dfsg.P2/debian/source/format @@ -0,0 +1 @@ +1.0 --- bind9-9.9.3.dfsg.P2.orig/debian/templates +++ bind9-9.9.3.dfsg.P2/debian/templates 
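Review bot: The architecture fallback at the top of debian/rules guards on `ifndef DEB_HOST_ARCH` but then assigns `DEB_BUILD_ARCH := $(shell dpkg --print-architecture)` and exports `arch = $(DEB_HOST_ARCH)`, so in exactly the case the guard handles `arch` is exported empty; the fallback line should be `DEB_HOST_ARCH := $(shell dpkg --print-architecture)`. In the build-stamp rule the third `LD_LIBRARY_PATH` entry is `$$(pwd)/isccfg/.libs`, which unlike its two siblings lacks the `lib/` prefix and so never resolves; `$$(pwd)/lib/isccfg/.libs` matches them. `export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT)` replaces the compiler flags outright, so stack-protector, `_FORTIFY_SOURCE` and format-hardening flags only reach named if `DEB_BUILD_HARDENING=1` is honoured by a hardening-wrapper build-dependency that this hunk cannot show; appending `$(shell dpkg-buildflags --get CFLAGS)` (and the matching `LDFLAGS`) would make the hardening explicit regardless of that dependency. `dh_clean -k` in the install target is the deprecated spelling of `dh_prep`.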
@@ -0,0 +1,21 @@ +Template: bind9/start-as-user +Type: string +Default: bind +_Description: User account for running the BIND9 daemon: + The default is to run the BIND9 daemon (named) under the 'bind' + user account. To use a different account, please enter the + appropriate username. + +Template: bind9/different-configuration-file +Type: string +_Description: Other startup options for named: + Please provide any additional options (other than username) that should + be passed to the BIND9 daemon (named) on startup. + +Template: bind9/run-resolvconf +Type: boolean +Default: false +_Description: Should resolv.conf settings be overridden? + Please choose whether the resolver should be forced to use the + local BIND9 daemon (named) rather than what the current connection + recommends, when this machine moves around. --- bind9-9.9.3.dfsg.P2.orig/debian/vars.in +++ bind9-9.9.3.dfsg.P2/debian/vars.in @@ -0,0 +1 @@ +Description=The Berkeley Internet Name Domain (BIND) implements an Internet domain${Newline}name server. BIND is the most widely-used name server software on the${Newline}Internet, and is supported by the Internet Software Consortium, www.isc.org. --- bind9-9.9.3.dfsg.P2.orig/debian/zones.rfc1918 +++ bind9-9.9.3.dfsg.P2/debian/zones.rfc1918 
@@ -0,0 +1,20 @@ +zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; --- bind9-9.9.3.dfsg.P2.orig/doc/arm/Bv9ARM-book.xml +++ bind9-9.9.3.dfsg.P2/doc/arm/Bv9ARM-book.xml 
@@ -4818,6 +4818,32 @@ + + + rate-limit + + + + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + info severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + + + Rate limiting of individual requests + is logged in the query-errors category. + + + @@ -5318,7 +5344,7 @@ match-mapped-addresses yes_or_no; filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); filter-aaaa { address_match_list }; - dns64 IPv6-prefix { + dns64 ipv6-prefix { clients { address_match_list }; mapped { address_match_list }; exclude { address_match_list }; @@ -5351,8 +5377,25 @@ resolver-query-timeout number ; deny-answer-addresses { address_match_list } except-from { namelist } ; deny-answer-aliases { namelist } except-from { namelist } ; + rate-limit { + responses-per-second number ; + referrals-per-second number ; + nodata-per-second number ; + nxdomains-per-second number ; + errors-per-second number ; + all-per-second number ; + window number ; + log-only yes_or_no ; + qps-scale number ; + ipv4-prefix-length number ; + ipv6-prefix-length number ; + slip number ; + exempt-clients { address_match_list } ; + max-table-size number ; + min-table-size number ; + } ; response-policy { zone_name - policy given | disabled | passthru | nxdomain | nodata | cname domain + policy given | disabled | passthru | drop | nxdomain | nodata | cname domain recursive-only yes_or_no max-policy-ttl number ; } recursive-only yes_or_no max-policy-ttl number break-dnssec yes_or_no min-ns-dots number ; 
@@ -9645,77 +9688,122 @@ Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. - RPZs are ordinary DNS zones containing RRsets + Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. - Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, - and NSDNAME. - QNAME RPZ records triggered by query names of requests and targets - of CNAME records resolved to generate the response. - The owner name of a QNAME RPZ record is the query name relativized - to the RPZ. - + Five policy triggers can be encoded in RPZ records. + + + RPZ-CLIENT-IP + + + IP records are triggered by the IP address of the + DNS client. + Client IP address triggers are encoded in records that have + owner names that are subdomains of + rpz-client-ip relativized to the + policy zone origin name + and encode an address or address block. + IPv4 addresses are represented as + prefixlength.B4.B3.B2.B1.rpz-ip. + The IPv4 prefix length must be between 1 and 32. + All four bytes, B4, B3, B2, and B1, must be present. + B4 is the decimal value of the least significant byte of the + IPv4 address as in IN-ADDR.ARPA. + - - The second kind of RPZ trigger is an IP address in an A and AAAA - record in the ANSWER section of a response. - IP address triggers are encoded in records that have owner names - that are subdomains of rpz-ip relativized - to the RPZ origin name and encode an IP address or address block. - IPv4 trigger addresses are represented as - prefixlength.B4.B3.B2.B1.rpz-ip. - The prefix length must be between 1 and 32. - All four bytes, B4, B3, B2, and B1, must be present. - B4 is the decimal value of the least significant byte of the - IPv4 address as in IN-ADDR.ARPA. 
- IPv6 addresses are encoded in a format similar to the standard - IPv6 text representation, - prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. - Each of W8,...,W1 is a one to four digit hexadecimal number - representing 16 bits of the IPv6 address as in the standard text - representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. - All 8 words must be present except when consecutive - zero words are replaced with .zz. - analogous to double colons (::) in standard IPv6 text encodings. - The prefix length must be between 1 and 128. - + + IPv6 addresses are encoded in a format similar + to the standard IPv6 text representation, + prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. + Each of W8,...,W1 is a one to four digit hexadecimal number + representing 16 bits of the IPv6 address as in the standard + text representation of IPv6 addresses, + but reversed as in IN-ADDR.ARPA. + All 8 words must be present except when one set of consecutive + zero words is replaced with .zz. + analogous to double colons (::) in standard IPv6 text + encodings. + The IPv6 prefix length must be between 64 and 128. + + + - - NSDNAME triggers match names of authoritative servers - for the query name, a parent of the query name, a CNAME for - query name, or a parent of a CNAME. - They are encoded as subdomains of - rpz-nsdomain relativized - to the RPZ origin name. - NSIP triggers match IP addresses in A and - AAAA RRsets for domains that can be checked against NSDNAME - policy records. - NSIP triggers are encoded like IP triggers except as subdomains of - rpz-nsip. - NSDNAME and NSIP triggers are checked only for names with at - least min-ns-dots dots. - The default value of min-ns-dots is 1 to - exclude top level domains. - + + QNAME + + + QNAME policy records are triggered by query names of + requests and targets of CNAME records resolved to generate + the response. + The owner name of a QNAME policy record is + the query name relativized to the policy zone. 
+ + + + + + RPZ-IP + + + IP triggers are IP addresses in an + A or AAAA record in the ANSWER section of a response. + They are encoded like client-IP triggers except as + subdomains of rpz-ip. + + + + + + RPZ-NSDNAME + + + NSDNAME triggers match names of authoritative servers + for the query name, a parent of the query name, a CNAME for + query name, or a parent of a CNAME. + They are encoded as subdomains of + rpz-nsdname relativized + to the RPZ origin name. + NSIP triggers match IP addresses in A and + AAAA RRsets for domains that can be checked against NSDNAME + policy records. + + + + + + RPZ-NSIP + + + NSIP triggers are encoded like IP triggers except as + subdomains of rpz-nsip. + NSDNAME and NSIP triggers are checked only for names with at + least min-ns-dots dots. + The default value of min-ns-dots is 1 to + exclude top level domains. + + + + - The query response is checked against all RPZs, so - two or more policy records can be triggered by a response. - Because DNS responses can be rewritten according to at most one + The query response is checked against all response policy zones, + so two or more policy records can be triggered by a response. + Because DNS responses are rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. - Triggers or the records that encode them are chosen in - the following order: + Triggers or the records that encode them are chosen for the + rewriting in the following order: Choose the triggered record in the zone that appears - first in the response-policy option. + first in the response-policy option. - Prefer QNAME to IP to NSDNAME to NSIP triggers - in a single zone. + Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP + triggers in a single zone. Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. 
@@ -9734,83 +9822,168 @@ When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, - all RPZs are again consulted for the DNAME or CNAME names - and addresses. + all response policy zones are again consulted for the + DNAME or CNAME names and addresses. - RPZ record sets are sets of any types of DNS record except - DNAME or DNSSEC that encode actions or responses to queries. - - The NXDOMAIN response is encoded - by a CNAME whose target is the root domain (.) - - A CNAME whose target is the wildcard top-level - domain (*.) specifies the NODATA action, - which rewrites the response to NODATA or ANCOUNT=1. - - The Local Data action is - represented by a set ordinary DNS records that are used - to answer queries. Queries for record types not the - set are answered with NODATA. - - A special form of local data is a CNAME whose target is a - wildcard such as *.example.com. - It is used as if were an ordinary CNAME after the astrisk (*) - has been replaced with the query name. - The purpose for this special form is query logging in the - walled garden's authority DNS server. - - The PASSTHRU policy is specified - by a CNAME whose target is rpz-passthru. - It causes the response to not be rewritten - and is most often used to "poke holes" in policies for - CIDR blocks. - (A CNAME whose target is the variable part of its owner name - is an obsolete specification of the PASSTHRU policy.) - - + RPZ record sets are any types of DNS record except + DNAME or DNSSEC that encode actions or responses to + individual queries. + Any of the policies can be used with any of the triggers. + For example, while the TCP-only policy is + commonly used with client-IP triggers, + it cn be used with any type of trigger to force the use of + TCP for responses with owner names in a zone. + + + PASSTHRU + + + The whitelist policy is specified + by a CNAME whose target is rpz-passthru. 
+ It causes the response to not be rewritten + and is most often used to "poke holes" in policies for + CIDR blocks. + + + + + + DROP + + + The blacklist policy is specified + by a CNAME whose target is rpz-drop. + It causes the response to be discarded. + Nothing is sent to the DNS client. + + + + + + TCP-Only + + + The "slip" policy is specified + by a CNAME whose target is rpz-tcp-only. + It changes UDP responses to short, truncated DNS responses + that require the DNS client to try again with TCP. + It is used to mitigate distributed DNS reflection attacks. + + + + + + NXDOMAIN + + + The domain undefined response is encoded + by a CNAME whose target is the root domain (.) + + + + + + NODATA + + + The empty set of resource records is specified by + CNAME whose target is the wildcard top-level + domain (*.). + It rewrites the response to NODATA or ANCOUNT=1. + + + + + + Local Data + + + A set of ordinary DNS records can be used to answer queries. + Queries for record types not the set are answered with + NODATA. + + + + A special form of local data is a CNAME whose target is a + wildcard such as *.example.com. + It is used as if were an ordinary CNAME after the astrisk (*) + has been replaced with the query name. + The purpose for this special form is query logging in the + walled garden's authority DNS server. + + + + - The actions specified in an RPZ can be overridden with a - policy clause in the + All of the actions specified in all of the individual records + in a policy zone + can be overridden with a policy clause in the response-policy option. - An organization using an RPZ provided by another organization might - use this mechanism to redirect domains to its own walled garden. - - GIVEN says "do not override but - perform the action specified in the zone." - - DISABLED causes policy records to do - nothing but log what they might have done. - The response to the DNS query will be written according to - any triggered policy records that are not disabled. 
- Disabled policy zones should appear first, - because they will often not be logged - if a higher precedence trigger is found first. - - PASSTHRU causes all policy records - to act as if they were CNAME records with targets the variable - part of their owner name. They protect the response from - being changed. - - NXDOMAIN causes all RPZ records - to specify NXDOMAIN policies. - - NODATA overrides with the - NODATA policy - - CNAME domain causes all RPZ - policy records to act as if they were "cname domain" records. - - + An organization using a policy zone provided by another + organization might use this mechanism to redirect domains + to its own walled garden. + + + GIVEN + + The placeholder policy says "do not override but + perform the action specified in the zone." + + + + + + DISABLED + + + The testing override policy causes policy zone records to do + nothing but log what they would have done if the + policy zone were not disabled. + The response to the DNS query will be written (or not) + according to any triggered policy records that are not + disabled. + Disabled policy zones should appear first, + because they will often not be logged + if a higher precedence trigger is found first. + + + + + + PASSTHRU, + DROP, + TCP-Only, + NXDOMAIN, + and + NODATA + + + override with the corresponding per-record policy. + + + + + + CNAME domain + + + causes all RPZ policy records to act as if they were + "cname domain" records. + + + + - By default, the actions encoded in an RPZ are applied - only to queries that ask for recursion (RD=1). - That default can be changed for a single RPZ or all RPZs in a view + By default, the actions encoded in a response policy zone + are applied only to queries that ask for recursion (RD=1). + That default can be changed for a single policy zone or + all response policy zones in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to 
@@ -9819,15 +9992,43 @@ - Also by default, RPZ actions are applied only to DNS requests that - either do not request DNSSEC metadata (DO=0) or when no DNSSEC - records are available for request name in the original zone (not - the response policy zone). - This default can be changed for all RPZs in a view with a - break-dnssec yes clause. - In that case, RPZ actions are applied regardless of DNSSEC. - The name of the clause option reflects the fact that results - rewritten by RPZ actions cannot verify. + Also by default, RPZ actions are applied only to DNS requests + that either do not request DNSSEC metadata (DO=0) or when no + DNSSEC records are available for request name in the original + zone (not the response policy zone). This default can be + changed for all response policy zones in a view with a + break-dnssec yes clause. In that case, RPZ + actions are applied regardless of DNSSEC. The name of the + clause option reflects the fact that results rewritten by RPZ + actions cannot verify. + + + + No DNS records are needed for a QNAME or Client-IP trigger. + The name or IP address itself is sufficient, + so in principle the query name need not be recursively resolved. + However, not resolving the requested + name can leak the fact that response policy rewriting is in use + and that the name is listed in a policy zone to operators of + servers for listed names. To prevent that information leak, by + default any recursion needed for a request is done before any + policy triggers are considered. Because listed domains often + have slow authoritative servers, this default behavior can cost + significant time. + The qname-wait-recurse no option + overrides that default behavior when recursion cannot + change a non-error response. 
+ The option does not affect QNAME or client-IP triggers + in policy zones listed + after other zones containing IP, NSIP and NSDNAME triggers, because + those may depend on the A, AAAA, and NS records that would be + found during recursive resolution. It also does not affect + DNSSEC requests (DO=1) unless break-dnssec yes + is in use, because the response would depend on whether or not + RRSIG records were found during resolution. + The option can cause appear to rewrite error responses + such as SERVFAIL when no recursion is done to discover problems + at the authoritative server. @@ -9855,26 +10056,38 @@ ; QNAME policy records. There are no periods (.) after the owner names. nxdomain.domain.com CNAME . ; NXDOMAIN policy +*.nxdomain.domain.com CNAME . ; NXDOMAIN policy nodata.domain.com CNAME *. ; NODATA policy +*.nodata.domain.com CNAME *. ; NODATA policy bad.domain.com A 10.0.0.1 ; redirect to a walled garden AAAA 2001:2::1 +bzone.domain.com CNAME garden.example.com. ; do not rewrite (PASSTHRU) OK.DOMAIN.COM ok.domain.com CNAME rpz-passthru. -bzone.domain.com CNAME garden.example.com. - ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com *.bzone.domain.com CNAME *.garden.example.com. -; IP policy records that rewrite all answers for 127/8 except 127.0.0.1 +; IP policy records that rewrite all responses containing A records in 127/8 +; except 127.0.0.1 8.0.0.0.127.rpz-ip CNAME . 32.1.0.0.127.rpz-ip CNAME rpz-passthru. ; NSDNAME and NSIP policy records ns.domain.com.rpz-nsdname CNAME . 48.zz.2.2001.rpz-nsip CNAME . + +; blacklist and whitelist some DNS clients +112.zz.2001.rpz-client-ip CNAME rpz-drop. +8.0.0.0.127.rpz-client-ip CNAME rpz-drop. + +; force some DNS clients and responses in the example.com zone to TCP +16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. +example.com CNAME rpz-tcp-only. +*.example.com CNAME rpz-tcp-only. + RPZ can affect server performance. 
@@ -9897,6 +10110,223 @@ RPZRewrites statistics. + + + Response Rate Limiting + + Excessive almost-identical UDP responses + can be controlled by configuring a + rate-limit clause in an + options or view statement. + This mechanism keeps authoritative BIND 9 from being used + in amplifying reflection denial of service (DoS) attacks. + Short truncated (TC=1) responses can be sent to provide + rate-limited responses to legitimate clients within + a range of forged, attacked IP addresses. + Legitimate clients react to dropped or truncated response + by retrying with UDP or with TCP respectively. + + + + This mechanism is intended for authoritative DNS servers. + It can be used on recursive servers but can slow + applications such as SMTP servers (mail receivers) and + HTTP clients (web browsers) that repeatedly request the + same domains. + When possible, closing "open" recursive servers is better. + + + + Response rate limiting uses a "credit" or "token bucket" scheme. + Each combination of identical response and client + has a conceptual account that earns a specified number + of credits every second. + A prospective response debits its account by one. + Responses are dropped or truncated + while the account is negative. + Responses are tracked within a rolling window of time + which defaults to 15 seconds, but can be configured with + the window option to any value from + 1 to 3600 seconds (1 hour). + The account cannot become more positive than + the per-second limit + or more negative than window + times the per-second limit. + When the specified number of credits for a class of + responses is set to 0, those responses are not rate limited. + + + + The notions of "identical response" and "DNS client" + for rate limiting are not simplistic. + All responses to an address block are counted as if to a + single client. + The prefix lengths of addresses blocks are + specified with ipv4-prefix-length (default 24) + and ipv6-prefix-length (default 56). 
+ + + + All non-empty responses for a valid domain name (qname) + and record type (qtype) are identical and have a limit specified + with responses-per-second + (default 0 or no limit). + All empty (NODATA) responses for a valid domain, + regardless of query type, are identical. + Responses in the NODATA class are limited by + nodata-per-second + (default responses-per-second). + Requests for any and all undefined subdomains of a given + valid domain result in NXDOMAIN errors, and are identical + regardless of query type. + They are limited by nxdomain-per-second + (default responses-per-second). + This controls some attacks using random names, but + can be relaxed or turned off (set to 0) + on servers that expect many legitimate + NXDOMAIN responses, such as from anti-spam blacklists. + Referrals or delegations to the server of a given + domain are identical and are limited by + referrals-per-second + (default responses-per-second). + + + + Responses generated from local wildcards are counted and limited + as if they were for the parent domain name. + This controls flooding using random.wild.example.com. + + + + All requests that result in DNS errors other + than NXDOMAIN, such as SERVFAIL and FORMERR, are identical + regardless of requested name (qname) or record type (qtype). + This controls attacks using invalid requests or distant, + broken authoritative servers. + By default the limit on errors is the same as the + responses-per-second value, + but it can be set separately with + errors-per-second. + + + + Many attacks using DNS involve UDP requests with forged source + addresses. + Rate limiting prevents the use of BIND 9 to flood a network + with responses to requests with forged source addresses, + but could let a third party block responses to legitimate requests. + There is a mechanism that can answer some legitimate + requests from a client whose address is being forged in a flood. 
+ Setting slip to 2 (its default) causes every + other UDP request to be answered with a small truncated (TC=1) + response. + The small size and reduced frequency, and so lack of + amplification, of "slipped" responses make them unattractive + for reflection DoS attacks. + slip must be between 0 and 10. + A value of 0 does not "slip"; + no truncated responses are sent due to rate limiting. + Some error responses including REFUSED and SERVFAIL + cannot be replaced with truncated responses and are instead + leaked at the slip rate. + + + + When the approximate query per second rate exceeds + the qps-scale value, + then the responses-per-second, + errors-per-second, + nxdomains-per-second and + all-per-second values are reduced by the + ratio of the current rate to the qps-scale value. + This feature can tighten defenses during attacks. + For example, with + qps-scale 250; responses-per-second 20; and + a total query rate of 1000 queries/second for all queries from + all DNS clients including via TCP, + then the effective responses/second limit changes to + (250/1000)*20 or 5. + Responses sent via TCP are not limited + but are counted to compute the query per second rate. + + + + Communities of DNS clients can be given their own parameters or no + rate limiting by putting + rate-limit statements in view + statements instead of the global option + statement. + A rate-limit statement in a view replaces, + rather than supplementing, a rate-limit + statement among the main options. + DNS clients within a view can be exempted from rate limits + with the exempt-clients clause. + + + + UDP responses of all kinds can be limited with the + all-per-second phrase. + This rate limiting is unlike the rate limiting provided by + responses-per-second, + errors-per-second, and + nxdomains-per-second on a DNS server + which are often invisible to the victim of a DNS reflection attack. 
+ Unless the forged requests of the attack are the same as the + legitimate requests of the victim, the victim's requests are + not affected. + Responses affected by an all-per-second limit + are always dropped; the slip value has no + effect. + An all-per-second limit should be + at least 4 times as large as the other limits, + because single DNS clients often send bursts of legitimate + requests. + For example, the receipt of a single mail message can prompt + requests from an SMTP server for NS, PTR, A, and AAAA records + as the incoming SMTP/TCP/IP connection is considered. + The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF + records as it considers the STMP Mail From + command. + Web browsers often repeatedly resolve the same names that + are repeated in HTML <IMG> tags in a page. + All-per-second is similar to the + rate limiting offered by firewalls but often inferior. + Attacks that justify ignoring the + contents of DNS responses are likely to be attacks on the + DNS server itself. + They usually should be discarded before the DNS server + spends resources make TCP connections or parsing DNS requesets, + but that rate limiting must be done before the + DNS server sees the requests. + + + + The maximum size of the table used to track requests and + rate limit responses is set with max-table-size. + Each entry in the table is between 40 and 80 bytes. + The table needs approximately as many entries as the number + of requests received per second. + The default is 20,000. + To reduce the cold start of growing the table, + min-table-size (default 500) + can set the minimum table size. + Enable rate-limit category logging to monitor + expansions of the table and inform + choices for the initial and maximum table size. + + + + Use log-only yes to test rate limiting parameters + without actually dropping any requests. + + + + Responses dropped by rate limits are included in the + RateDropped and QryDropped + statistics. 
+ Responses that truncated by rate limits are included in + RateSlipped and RespTruncated. + @@ -14649,6 +15079,32 @@ + + + RateDropped + + + + + + + Responses dropped by rate limits. + + + + + + RateSlipped + + + + + + + Responses truncated by rate limits. + + + --- bind9-9.9.3.dfsg.P2.orig/hints +++ bind9-9.9.3.dfsg.P2/hints 
@@ -0,0 +1,36 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
--- bind9-9.9.3.dfsg.P2.orig/lib/bind9/check.c
+++ bind9-9.9.3.dfsg.P2/lib/bind9/check.c
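Review bot: The new top-level `hints` file is one 18-line stub written twice: the ISC licence header, three blank lines, `. 0 NS ns1.` and `ns1. 0 A 10.53.0.1`, and 10.53.0.x is the address range the BIND system tests use for their fake root servers. Nothing in the visible patch refers to a `hints` file at the package root, so this looks like a stray artifact of running the test suite or of a bad merge rather than something the package should ship or install. If it is needed, keep a single copy under the test tree next to the `ns1` server that answers on that address; otherwise drop it from the patch so it cannot be mistaken for real root hints.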
@@ -131,6 +131,7 @@ "compilation time"); #endif } else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 && + strcasecmp(cfg_obj_asstring(obj), "random_1") != 0 && strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "rrset-order: invalid order '%s'", --- bind9-9.9.3.dfsg.P2.orig/lib/dns/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/dns/Makefile.in @@ -42,7 +42,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../../lib/isc -lcrypto @GEOIP_LIBS@ # Alphabetically @@ -67,8 +67,8 @@ portlist.@O@ private.@O@ \ rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \ rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \ - request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \ - rriterator.@O@ sdb.@O@ \ + request.@O@ resolver.@O@ result.@O@ rootns.@O@ \ + rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \ sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \ stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \ tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \ @@ -95,7 +95,7 @@ name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \ rdataset.c rdatasetiter.c rdataslab.c request.c \ - resolver.c result.c rootns.c rpz.c rriterator.c \ + resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \ sdb.c sdlz.c soa.c ssu.c ssu_external.c \ stats.c tcpmsg.c time.c timer.c tkey.c \ tsec.c tsig.c ttl.c update.c validator.c \ @@ -130,6 +130,7 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ln -sf .libs/libdns.so . timestamp: libdns.@A@ touch timestamp @@ -144,6 +145,7 @@ rm -f libdns.@A@ timestamp rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f include/dns/rdatastruct.h + rm -f libdns.so newrr:: rm -f code.h include/dns/enumtype.h include/dns/enumclass.h --- bind9-9.9.3.dfsg.P2.orig/lib/dns/acl.c +++ bind9-9.9.3.dfsg.P2/lib/dns/acl.c 
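Review bot: The LIBS line now hard-codes `-L../../lib/isc -lcrypto @GEOIP_LIBS@`, while the `libdns.la` link rule in the later hunk already passes `@DNS_CRYPTO_LIBS@`, which is the value configure sets for whichever crypto provider was selected; an unconditional `-lcrypto` breaks `--without-openssl` builds and ties libdns to OpenSSL regardless of what configure decided. The added `ln -sf .libs/libdns.so .` step likewise assumes a libtool shared build with a `.so` suffix and will fail on static or non-ELF builds. Let configure own both decisions: `LIBS = @LIBS@ @GEOIP_LIBS@` with crypto left to `@DNS_CRYPTO_LIBS@`, and either drop the symlink or make it conditional on the shared-library setting.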
@@ -21,10 +21,15 @@ #include +#ifdef SUPPORT_GEOIP +#include +#endif + #include #include #include #include +#include #include #include @@ -320,6 +325,13 @@ dest->elements[nelem + i].node_num = source->elements[i].node_num + dest->node_count; +#ifdef SUPPORT_GEOIP + /* Country */ + if (source->elements[i].type == dns_aclelementtype_ipcountry && + source->elements[i].country != NULL) { + strncpy(dest->elements[nelem + i].country, source->elements[i].country, 3); + } +#endif /* Duplicate nested acl. */ if (source->elements[i].type == dns_aclelementtype_nestedacl && source->elements[i].nestedacl != NULL) 
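Review bot: In the copy loop the test `source->elements[i].country != NULL` is always true, because `country` is declared as `dns_aclipcountry`, a `char[3]` (acl.h hunk in this same patch), so the guard does nothing and most compilers warn about comparing an array against NULL. The `strncpy(..., 3)` then copies exactly `sizeof country` bytes and guarantees no terminator; the match code only compares `country[0]` and `country[1]`, so this is harmless today, but anything that later prints `country` as a string would read past the field. Prefer `memcpy(dest->elements[nelem + i].country, source->elements[i].country, sizeof(dest->elements[nelem + i].country));` with the NULL test dropped.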
@@ -379,7 +391,68 @@ int indirectmatch; isc_result_t result; + #ifdef SUPPORT_GEOIP + static GeoIP *geoip = NULL; + static isc_boolean_t geoip_init_tried = ISC_FALSE; + #ifdef GEOIP_V6 + static GeoIP *geoip6 = NULL; + static isc_boolean_t geoip6_init_tried = ISC_FALSE; + #endif + #endif + switch (e->type) { +#ifdef SUPPORT_GEOIP + case dns_aclelementtype_ipcountry: + /* Country match */ + if (NULL == geoip && !geoip_init_tried) { + geoip_init_tried = ISC_TRUE; + if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION)) { + geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION, GEOIP_MEMORY_CACHE); + if (NULL == geoip) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "Failed to open geoip database for ipv4"); + } else { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "geoip database for ipv4 is not available"); + } + } +#ifdef GEOIP_V6 + if (NULL == geoip6 && !geoip6_init_tried) { + geoip6_init_tried = ISC_TRUE; + if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION_V6)) { + geoip6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6, GEOIP_MEMORY_CACHE); + if (NULL == geoip6) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "Failed to open geoip database for ipv6"); + } else { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "geoip database for ipv6 is not available"); + } + } +#endif + + const char *value = NULL; + + if (reqaddr->family == AF_INET && geoip) { + value = GeoIP_country_code_by_addr(geoip,inet_ntoa(reqaddr->type.in)); +#ifdef GEOIP_V6 + } else if (reqaddr->family == AF_INET6 && geoip6) { + value = GeoIP_country_code_by_ipnum_v6(geoip6, (geoipv6_t)reqaddr->type.in6); +#endif + } + + if ((NULL != value) && (2 == strlen(value))) { + if ((e->country[0] == value[0]) && (e->country[1] == value[1])) { + return (ISC_TRUE); + } + } + return (ISC_FALSE); +#endif + case dns_aclelementtype_keyname: if (reqsigner != NULL && 
dns_name_equal(reqsigner, &e->keyname)) { --- bind9-9.9.3.dfsg.P2.orig/lib/dns/db.c +++ bind9-9.9.3.dfsg.P2/lib/dns/db.c @@ -1007,21 +1007,23 @@ (db->methods->resigned)(db, rdataset, version); } -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - if (db->methods->rpz_enabled != NULL) - return ((db->methods->rpz_enabled)(db, st)); - return (ISC_R_SUCCESS); +/* + * Attach a database to policy zone databases. + * This should only happen when the caller has already ensured that + * it is dealing with a database that understands response policy zones. + */ +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + REQUIRE(db->methods->rpz_attach != NULL); + (db->methods->rpz_attach)(db, rpzs, rpz_num); } -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - if (db->methods->rpz_findips != NULL) - (db->methods->rpz_findips)(rpz, rpz_type, zone, db, version, - ardataset, st, query_qname); +/* + * Finish loading a response policy zone. + */ +isc_result_t +dns_db_rpz_ready(dns_db_t *db) { + if (db->methods->rpz_ready == NULL) + return (ISC_R_SUCCESS); + return ((db->methods->rpz_ready)(db)); } --- bind9-9.9.3.dfsg.P2.orig/lib/dns/ecdb.c +++ bind9-9.9.3.dfsg.P2/lib/dns/ecdb.c @@ -582,8 +582,8 @@ NULL, /* resigned */ NULL, /* isdnssec */ NULL, /* getrrsetstats */ - NULL, /* rpz_enabled */ - NULL, /* rpz_findips */ + NULL, /* rpz_attach */ + NULL, /* rpz_ready */ NULL, /* findnodeext */ NULL /* findext */ }; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/acl.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/acl.h 
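Review bot: The IPv4 lookup formats the address with `inet_ntoa()`, which returns a pointer to a single static buffer and is not reentrant, so concurrent ACL evaluations in a threaded named can hand GeoIP each other's addresses; `GeoIP_country_code_by_ipnum(geoip, ntohl(reqaddr->type.in.s_addr))` avoids the string round-trip entirely. The function-scope statics `geoip`, `geoip6` and the `*_init_tried` flags are written on first use from whichever thread matches first with no lock, so two threads can each open a database and leak one handle, and the unsynchronised pointer read is a data race; opening the databases once at startup, or under a lock, is the usual fix. Operators should also know the failure mode at the end of the case: when a database is missing or fails to open, every country element returns ISC_FALSE after one NOTICE, so an ACL written as `!XX; any;` silently stops blocking. The declaration `const char *value = NULL;` after statements inside the `case` is C99 and, as far as I can tell, nothing else in 9.9 requires that; move it up beside `indirectmatch`. The enclosing function starts before this hunk.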
@@ -53,8 +53,16 @@ dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_any +#ifdef SUPPORT_GEOIP + , + dns_aclelementtype_ipcountry +#endif } dns_aclelemettype_t; +#ifdef SUPPORT_GEOIP +typedef char dns_aclipcountry[3]; +#endif + typedef struct dns_aclipprefix dns_aclipprefix_t; struct dns_aclipprefix { @@ -68,6 +76,9 @@ dns_name_t keyname; dns_acl_t *nestedacl; int node_num; +#ifdef SUPPORT_GEOIP + dns_aclipcountry country; +#endif }; struct dns_acl { --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/db.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/db.h @@ -172,14 +172,9 @@ dns_dbversion_t *version); isc_boolean_t (*isdnssec)(dns_db_t *db); dns_stats_t *(*getrrsetstats)(dns_db_t *db); - isc_result_t (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st); - void (*rpz_findips)(dns_rpz_zone_t *rpz, - dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, - dns_dbversion_t *version, - dns_rdataset_t *ardataset, - dns_rpz_st_t *st, - dns_name_t *query_qname); + void (*rpz_attach)(dns_db_t *db, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); + isc_result_t (*rpz_ready)(dns_db_t *db); isc_result_t (*findnodeext)(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_clientinfomethods_t *methods, 
@@ -1542,30 +1537,17 @@ * dns_rdatasetstats_create(); otherwise NULL. */ -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st); +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); /*%< - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Attach the response policy information for a view to a database for a + * zone for the view. */ -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname); -/*%< - * Search the CDIR block tree of a response policy tree of trees for the best - * match to any of the IP addresses in an A or AAAA rdataset. - * - * Requires: - * \li search in policy zone 'rpz' for a match of 'rpz_type' either - * DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP - * \li 'zone' and 'db' are the database corresponding to 'rpz' - * \li 'version' is the required version of the database - * \li 'ardataset' is an A or AAAA rdataset of addresses to check - * \li 'found' specifies the previous best match if any or - * or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0 +isc_result_t +dns_db_rpz_ready(dns_db_t *db); +/*%< + * Finish loading a response policy zone. */ ISC_LANG_ENDDECLS --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/log.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/log.h @@ -43,6 +43,7 @@ #define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10]) #define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11]) #define DNS_LOGCATEGORY_RPZ (&dns_categories[12]) +#define DNS_LOGCATEGORY_RRL (&dns_categories[13]) /* Backwards compatibility. */ #define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/ncache.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/ncache.h 
@@ -61,12 +61,12 @@ isc_result_t dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, dns_rdataset_t *addedrdataset); isc_result_t dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *addedrdataset); /*%< * Convert the authority data from 'message' into a negative cache --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rdataset.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rdataset.h @@ -206,6 +206,8 @@ #define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */ #define DNS_RDATASETATTR_NEGATIVE 0x00200000 +#define DNS_RDATASETATTR_SINGLE 0x10000000 /* Only return 1 answer */ + /*% * _OMITDNSSEC: * Omit DNSSEC records when rendering ncache records. --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rpz.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rpz.h @@ -25,19 +25,31 @@ #include #include #include +#include ISC_LANG_BEGINDECLS #define DNS_RPZ_PREFIX "rpz-" +/* + * Sub-zones of various trigger types. + */ +#define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX"client-ip" #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX"ip" #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX"nsip" #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname" -#define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru" +/* + * Special policies. + */ +#define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX"passthru" +#define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX"drop" +#define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX"tcp-only" -typedef isc_uint8_t dns_rpz_cidr_bits_t; + +typedef isc_uint8_t dns_rpz_prefix_t; typedef enum { DNS_RPZ_TYPE_BAD, + DNS_RPZ_TYPE_CLIENT_IP, DNS_RPZ_TYPE_QNAME, DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSDNAME, 
@@ -45,45 +57,151 @@ } dns_rpz_type_t; /* - * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN < - * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing - * policies. + * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP + * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA + * < DNS_RPZ_POLICY_CNAME to choose among competing policies. */ typedef enum { DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ - DNS_RPZ_POLICY_DISABLED = 1, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ - DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */ - DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */ - DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ + DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */ + DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */ + DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */ + DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */ DNS_RPZ_POLICY_RECORD, DNS_RPZ_POLICY_WILDCNAME, DNS_RPZ_POLICY_MISS, DNS_RPZ_POLICY_ERROR } dns_rpz_policy_t; +typedef isc_uint8_t dns_rpz_num_t; + +#define DNS_RPZ_MAX_ZONES 32 +#if DNS_RPZ_MAX_ZONES > 32 +# if DNS_RPZ_MAX_ZONES > 64 +# error "rpz zone bit masks must fit in a word" +# endif +typedef isc_uint64_t dns_rpz_zbits_t; +#else +typedef isc_uint32_t dns_rpz_zbits_t; +#endif + +#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) + +#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES + +#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) + /* - * Specify a response policy zone. 
+ * Mask of the specified and higher numbered policy zones + * Avoid hassles with (1<<33) or (1<<65) */ -typedef struct dns_rpz_zone dns_rpz_zone_t; +#define DNS_RPZ_ZMASK(n) ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \ + 0 : (1<<((n)+1))) -1)) +/* + * The number of triggers of each type in a response policy zone. + */ +typedef struct dns_rpz_triggers dns_rpz_triggers_t; +struct dns_rpz_triggers { + int client_ipv4; + int client_ipv6; + int qname; + int ipv4; + int ipv6; + int nsdname; + int nsipv4; + int nsipv6; +}; +/* + * A single response policy zone. + */ +typedef struct dns_rpz_zone dns_rpz_zone_t; struct dns_rpz_zone { - ISC_LINK(dns_rpz_zone_t) link; - int num; /* ordinal in list of policy zones */ - dns_name_t origin; /* Policy zone name */ - dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ - dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */ - dns_name_t cname; /* override value for ..._CNAME */ - dns_ttl_t max_policy_ttl; - dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ - isc_boolean_t recursive_only; - isc_boolean_t defined; + isc_refcount_t refs; + dns_rpz_num_t num; /* ordinal in list of policy zones */ + dns_name_t origin; /* Policy zone name */ + dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ + dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ + dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ + dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ + dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ + dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ + dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */ + dns_name_t cname; /* override value for ..._CNAME */ + dns_ttl_t max_policy_ttl; + dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ }; /* - * Radix trees for response policy IP addresses. + * Radix tree node for response policy IP addresses + */ +typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; + +/* + * Response policy zones known to a view. 
*/ -typedef struct dns_rpz_cidr dns_rpz_cidr_t; +typedef struct dns_rpz_zones dns_rpz_zones_t; +struct dns_rpz_zones { + struct { + dns_rpz_zbits_t no_rd_ok; + isc_boolean_t break_dnssec; + isc_boolean_t qname_wait_recurse; + unsigned int min_ns_labels; + dns_rpz_num_t num_zones; + } p; + dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; + dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; + + dns_rpz_zbits_t defined; + + /* + * The set of records for a policy zone are in one of these states: + * never loaded load_begun=0 have=0 + * during initial loading load_begun=1 have=0 + * and rbtdb->rpzsp == rbtdb->load_rpzsp + * after good load load_begun=1 have!=0 + * after failed initial load load_begun=1 have=0 + * and rbtdb->load_rpzsp == NULL + * reloading after failure load_begun=1 have=0 + * reloading after success + * main rpzs load_begun=1 have!=0 + * load rpzs load_begun=1 have=0 + */ + dns_rpz_zbits_t load_begun; + struct { + dns_rpz_zbits_t client_ipv4; + dns_rpz_zbits_t client_ipv6; + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ipv4; + dns_rpz_zbits_t ipv6; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsdname; + dns_rpz_zbits_t nsipv4; + dns_rpz_zbits_t nsipv6; + dns_rpz_zbits_t nsip; + dns_rpz_zbits_t qname_skip_recurse; + } have; + dns_rpz_triggers_t total_triggers; + + isc_mem_t *mctx; + isc_refcount_t refs; + /* + * One lock for short term read-only search that guarantees the + * consistency of the pointers. + * A second lock for maintenance that guarantees no other thread + * is adding or deleting nodes. + */ + isc_mutex_t search_lock; + isc_mutex_t maint_lock; + + dns_rpz_cidr_node_t *cidr; + dns_rbt_t *rbt; +}; + /* * context for finding the best policy 
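Review bot: `DNS_RPZ_ZMASK(n)` shifts a plain `int` 1 by `(n)+1`, so for `n == 30` it evaluates `1 << 31`, which overflows `int` (undefined behaviour; the cast to `dns_rpz_zbits_t` happens only after the subtraction), and if `DNS_RPZ_MAX_ZONES` is ever raised past 32 as the `#if` above anticipates, every `n >= 31` becomes a shift wider than `int`, which is exactly the hassle the comment says the macro avoids. `DNS_RPZ_ZBIT(n)` already casts the 1 to the mask type, so reuse it: `#define DNS_RPZ_ZMASK(n) ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? 0 : DNS_RPZ_ZBIT((n)+1)) - 1))`. The ordering comment on the policy enum also lost an operator; it should read `DNS_RPZ_POLICY_TCP_ONLY < DNS_RPZ_POLICY_NXDOMAIN`.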
@@ -91,22 +209,19 @@ typedef struct { unsigned int state; # define DNS_RPZ_REWRITTEN 0x0001 -# define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */ -# define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */ -# define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */ -# define DNS_RPZ_DONE_IPv4 0x0010 -# define DNS_RPZ_RECURSING 0x0020 -# define DNS_RPZ_HAVE_IP 0x0040 /* a policy zone has IP addresses */ -# define DNS_RPZ_HAVE_NSIPv4 0x0080 /* IPv4 NISP addresses */ -# define DNS_RPZ_HAVE_NSIPv6 0x0100 /* IPv6 NISP addresses */ -# define DNS_RPZ_HAVE_NSDNAME 0x0200 /* NS names */ +# define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ +# define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ +# define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ +# define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ +# define DNS_RPZ_DONE_IPv4 0x0020 +# define DNS_RPZ_RECURSING 0x0040 /* * Best match so far. */ struct { dns_rpz_type_t type; dns_rpz_zone_t *rpz; - dns_rpz_cidr_bits_t prefix; + dns_rpz_prefix_t prefix; dns_rpz_policy_t policy; dns_ttl_t ttl; isc_result_t result; @@ -141,10 +256,15 @@ dns_rdataset_t *sigrdataset; dns_rdatatype_t qtype; } q; - dns_name_t *qname; + /* + * p_name: current policy owner name + * r_name: recursing for this name to possible policy triggers + * f_name: saved found name from before recursion + */ + dns_name_t *p_name; dns_name_t *r_name; dns_name_t *fname; - dns_fixedname_t _qnamef; + dns_fixedname_t _p_namef; dns_fixedname_t _r_namef; dns_fixedname_t _fnamef; } dns_rpz_st_t; 
@@ -171,32 +291,41 @@ const char * dns_rpz_policy2str(dns_rpz_policy_t policy); -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidr); - -void -dns_rpz_view_destroy(dns_view_t *view); +dns_rpz_policy_t +dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, + dns_name_t *selfname); isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr); -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st); +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx); void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix); +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); -dns_rpz_policy_t -dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, - dns_name_t *selfname); +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num); + +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); + +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name); ISC_LANG_ENDDECLS --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rrl.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rrl.h 
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef DNS_RRL_H
+#define DNS_RRL_H 1
+
+/*
+ * Rate limit DNS responses.
+ */
+
+#include
+
+#include
+#include
+#include
+
+ISC_LANG_BEGINDECLS
+
+
+/*
+ * Memory allocation or other failures.
+ */
+#define DNS_RRL_LOG_FAIL ISC_LOG_WARNING
+/*
+ * dropped or slipped responses.
+ */
+#define DNS_RRL_LOG_DROP ISC_LOG_INFO
+/*
+ * Major events in dropping or slipping.
+ */
+#define DNS_RRL_LOG_DEBUG1 ISC_LOG_DEBUG(3)
+/*
+ * Limit computations.
+ */
+#define DNS_RRL_LOG_DEBUG2 ISC_LOG_DEBUG(4)
+/*
+ * Even less interesting.
+ */
+#define DNS_RRL_LOG_DEBUG3 ISC_LOG_DEBUG(9)
+
+
+#define DNS_RRL_LOG_ERR_LEN 64
+#define DNS_RRL_LOG_BUF_LEN (sizeof("would continue limiting") + \
+ DNS_RRL_LOG_ERR_LEN + \
+ sizeof(" responses to ") + \
+ ISC_NETADDR_FORMATSIZE + \
+ sizeof("/128 for IN ") + \
+ DNS_RDATATYPE_FORMATSIZE + \
+ DNS_NAME_FORMATSIZE)
+
+
+typedef struct dns_rrl_hash dns_rrl_hash_t;
+
+/*
+ * Response types.
+ */
+typedef enum {
+ DNS_RRL_RTYPE_FREE = 0,
+ DNS_RRL_RTYPE_QUERY,
+ DNS_RRL_RTYPE_REFERRAL,
+ DNS_RRL_RTYPE_NODATA,
+ DNS_RRL_RTYPE_NXDOMAIN,
+ DNS_RRL_RTYPE_ERROR,
+ DNS_RRL_RTYPE_ALL,
+ DNS_RRL_RTYPE_TCP,
+} dns_rrl_rtype_t;
+
+/*
+ * A rate limit bucket key.
+ * This should be small to limit the total size of the database.
+ * The hash of the qname should be wide enough to make the probability
+ * of collisions among requests from a single IP address block less than 50%.
+ * We need a 32-bit hash value for 10000 qps (e.g. random qnames forged
+ * by attacker) to collide with legitimate qnames from the target with
+ * probability at most 1%.
+ */
+#define DNS_RRL_MAX_PREFIX 64
+typedef union dns_rrl_key dns_rrl_key_t;
+union dns_rrl_key {
+ struct {
+ isc_uint32_t ip[DNS_RRL_MAX_PREFIX/32];
+ isc_uint32_t qname_hash;
+ dns_rdatatype_t qtype;
+ isc_uint8_t qclass;
+ dns_rrl_rtype_t rtype :4; /* 3 bits + sign bit */
+ isc_boolean_t ipv6 :1;
+ } s;
+ isc_uint16_t w[1];
+};
+
+/*
+ * A rate-limit entry.
+ * This should be small to limit the total size of the table of entries.
+ */ +typedef struct dns_rrl_entry dns_rrl_entry_t; +typedef ISC_LIST(dns_rrl_entry_t) dns_rrl_bin_t; +struct dns_rrl_entry { + ISC_LINK(dns_rrl_entry_t) lru; + ISC_LINK(dns_rrl_entry_t) hlink; + dns_rrl_key_t key; +# define DNS_RRL_RESPONSE_BITS 24 + signed int responses :DNS_RRL_RESPONSE_BITS; +# define DNS_RRL_QNAMES_BITS 8 + unsigned int log_qname :DNS_RRL_QNAMES_BITS; + +# define DNS_RRL_TS_GEN_BITS 2 + unsigned int ts_gen :DNS_RRL_TS_GEN_BITS; + isc_boolean_t ts_valid :1; +# define DNS_RRL_HASH_GEN_BITS 1 + unsigned int hash_gen :DNS_RRL_HASH_GEN_BITS; + isc_boolean_t logged :1; +# define DNS_RRL_LOG_BITS 11 + unsigned int log_secs :DNS_RRL_LOG_BITS; + +# define DNS_RRL_TS_BITS 12 + unsigned int ts :DNS_RRL_TS_BITS; + +# define DNS_RRL_MAX_SLIP 10 + unsigned int slip_cnt :4; +}; + +#define DNS_RRL_MAX_TIME_TRAVEL 5 +#define DNS_RRL_FOREVER (1<= DNS_RRL_MAX_TS +#error "DNS_RRL_MAX_WINDOW is too large" +#endif +#define DNS_RRL_MAX_RATE 1000 +#if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW) +#error "DNS_RRL_MAX_rate is too large" +#endif + +#if (1<= DNS_RRL_FOREVER +#error DNS_RRL_LOG_BITS is too big +#endif +#define DNS_RRL_MAX_LOG_SECS 1800 +#if DNS_RRL_MAX_LOG_SECS >= (1<= (1< #include +#include #include #include #include @@ -142,10 +143,13 @@ dns_rbt_t * answeracl_exclude; dns_rbt_t * denyanswernames; dns_rbt_t * answernames_exclude; + dns_rrl_t * rrl; isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; dns_ttl_t maxncachettl; + dns_ttl_t mincachettl; + dns_ttl_t minncachettl; in_port_t dstport; dns_aclenv_t aclenv; dns_rdatatype_t preferred_glue; 
@@ -162,10 +166,7 @@ dns_acl_t * v4_aaaa_acl; dns_dns64list_t dns64; unsigned int dns64cnt; - ISC_LIST(dns_rpz_zone_t) rpz_zones; - isc_boolean_t rpz_recursive_only; - isc_boolean_t rpz_break_dnssec; - unsigned int rpz_min_ns_labels; + dns_rpz_zones_t *rpzs; /* * Configurable data for server use only, --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/zone.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/zone.h @@ -2081,13 +2081,20 @@ */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone); +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); /*% * Set the response policy associated with a zone. */ -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone); +isc_result_t +dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db); +/*% + * If a zone is a response policy zone, mark its new database. + */ + +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone); void dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/log.c +++ bind9-9.9.3.dfsg.P2/lib/dns/log.c @@ -45,6 +45,7 @@ { "delegation-only", 0 }, { "edns-disabled", 0 }, { "rpz", 0 }, + { "rate-limit", 0 }, { NULL, 0 } }; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/ncache.c +++ bind9-9.9.3.dfsg.P2/lib/dns/ncache.c @@ -49,7 +49,7 @@ static isc_result_t addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *addedrdataset); 
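Review bot: `dns_zone_get_rpz_num(dns_zone_t *zone)` in the zone.h hunk is the only one of the three new or changed declarations without a `/*% ... */` block, and the surviving text for the other two does not say what the new `rpzs` and `rpz_num` parameters mean. I would add after it `/*% Return the policy zone number given to dns_zone_rpz_enable(), or DNS_RPZ_INVALID_NUM if the zone is not a response policy zone. */`, provided that sentinel is what the zone side actually returns (the rbtdb.c hunks on this page initialise rpz_num to DNS_RPZ_INVALID_NUM, but the zone implementation is not shown), and extend the dns_zone_rpz_enable comment to name both parameters. The view.h, log.c and ncache.c prototype hunks sharing this line are trivial.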
@@ -99,26 +99,26 @@ isc_result_t dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, dns_rdataset_t *addedrdataset) { - return (addoptout(message, cache, node, covers, now, maxttl, + return (addoptout(message, cache, node, covers, now, minttl, maxttl, ISC_FALSE, ISC_FALSE, addedrdataset)); } isc_result_t dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *addedrdataset) { - return (addoptout(message, cache, node, covers, now, maxttl, + return (addoptout(message, cache, node, covers, now, minttl, maxttl, optout, ISC_TRUE, addedrdataset)); } static isc_result_t addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *addedrdataset) { @@ -187,6 +187,8 @@ type == dns_rdatatype_nsec3) { if (ttl > rdataset->ttl) ttl = rdataset->ttl; + if (ttl < minttl) + ttl = minttl; if (trust > rdataset->trust) trust = rdataset->trust; /* --- bind9-9.9.3.dfsg.P2.orig/lib/dns/order.c +++ bind9-9.9.3.dfsg.P2/lib/dns/order.c @@ -89,6 +89,7 @@ REQUIRE(DNS_ORDER_VALID(order)); REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE || mode == DNS_RDATASETATTR_FIXEDORDER || + mode == (DNS_RDATASETATTR_RANDOMIZE|DNS_RDATASETATTR_SINGLE) || mode == 0 /* DNS_RDATASETATTR_CYCLIC */ ); ent = isc_mem_get(order->mctx, sizeof(*ent)); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rbtdb.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rbtdb.c 
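Review bot: The new floor in the @@ -187 ncache.c hunk, `if (ttl < minttl) ttl = minttl;`, is unconditional, so a minimum larger than the caller's maxttl silently wins over the maximum. The resolver.c hunks at @@ -4197 and @@ -5161 on this page pass `ttl = 0` as maxttl together with view->minncachettl on at least one path, and if addoptout seeds `ttl` from maxttl before this loop (that part of the function is outside the hunk) a zero meant to suppress negative caching would now be raised to min-ncache-ttl. I would let the maximum bound the minimum, `if (ttl < minttl) ttl = ISC_MIN(minttl, maxttl);`, and reject a min-ncache-ttl greater than max-ncache-ttl when the view is configured. addoptout starts and ends outside the hunk.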
@@ -453,7 +453,9 @@ dns_rbt_t * tree; dns_rbt_t * nsec; dns_rbt_t * nsec3; - dns_rpz_cidr_t * rpz_cidr; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; + dns_rpz_zones_t *load_rpzs; /* Unlocked */ unsigned int quantum; @@ -972,8 +974,18 @@ dns_stats_detach(&rbtdb->rrsetstats); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_free(&rbtdb->rpz_cidr); + if (rbtdb->load_rpzs != NULL) { + /* + * We must be cleaning up after a failed zone loading. + */ + REQUIRE(rbtdb->rpzs != NULL && + rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->load_rpzs); + } + if (rbtdb->rpzs != NULL) { + REQUIRE(rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->rpzs); + } #endif isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks, @@ -1515,11 +1527,11 @@ switch (node->nsec) { case DNS_RBT_NSEC_NORMAL: #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL) { dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_rbt_fullnamefromnode(node, name); - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); } #endif result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); @@ -1555,11 +1567,11 @@ isc_result_totext(result)); } } + result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL) + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); #endif - result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); break; case DNS_RBT_NSEC_NSEC: result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE); @@ -1573,7 +1585,7 @@ DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_WARNING, - "delete_cnode(): " + "delete_node(): " "dns_rbt_deletenode: %s", isc_result_totext(result)); } 
@@ -2538,14 +2550,15 @@ result = dns_rbt_addnode(tree, name, &node); if (result == ISC_R_SUCCESS) { #ifdef BIND9 - if (tree == rbtdb->tree && rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL && tree == rbtdb->tree) { dns_fixedname_t fnamef; dns_name_t *fname; dns_fixedname_init(&fnamef); fname = dns_fixedname_name(&fnamef); dns_rbt_fullnamefromnode(node, fname); - dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname); + result = dns_rpz_add(rbtdb->rpzs, + rbtdb->rpz_num, fname); } #endif dns_rbt_namefromnode(node, &nodename); 
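Review bot: `result = dns_rpz_add(rbtdb->rpzs, rbtdb->rpz_num, fname);` overwrites the ISC_R_SUCCESS from dns_rbt_addnode after the node is already linked into the tree, and the code that follows (`dns_rbt_namefromnode(node, &nodename);` and whatever comes after the hunk) proceeds as if the add succeeded, so a failure here leaves the node in the RBT while the RPZ summary lacks it and the caller receives an error for a node that exists. Either undo the node insertion on failure or state the partial state in a comment such as `/* node stays in the tree; the RPZ summary may lack it if dns_rpz_add fails */`. This path adds to `rbtdb->rpzs` while the load path at @@ -6874 adds to `rbtdb->load_rpzs`; if this function can run while a load is in progress the two summaries diverge, so a comment naming which one is authoritative during load would help. The enclosing function continues past the hunk.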
@@ -4547,228 +4560,45 @@ return (result); } +#ifdef BIND9 /* - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Connect this RBTDB to the response policy zone summary data for the view. */ -#ifdef BIND9 -static isc_result_t -rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - dns_rbtdb_t *rbtdb; - isc_result_t result; +static void +rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + dns_rbtdb_t * rbtdb; - result = ISC_R_SUCCESS; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - if (st != NULL) { - dns_rpz_enabled_get(rbtdb->rpz_cidr, st); - } else { - result = dns_rpz_new_cidr(rbtdb->common.mctx, - &rbtdb->common.origin, - &rbtdb->rpz_cidr); - } - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return (result); + + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + REQUIRE(rbtdb->rpzs == NULL && rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &rbtdb->rpzs); + rbtdb->rpz_num = rpz_num; + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } /* - * Search the CDIR block tree of a response policy tree of trees for all of - * the IP addresses in an A or AAAA rdataset. - * Among the policies for all IPv4 and IPv6 addresses for a name, choose - * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, - * the longest prefix, - * the lexically smallest address. - * The caller must have already checked that any existing policy was not - * configured earlier than this policy zone and does not have a higher - * precedence type. + * Enable this RBTDB as a response policy zone. 
*/ -static void -rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - dns_rbtdb_t *rbtdb; - struct in_addr ina; - struct in6_addr in6a; - isc_netaddr_t netaddr; - dns_fixedname_t selfnamef, qnamef; - dns_name_t *selfname, *qname; - dns_rbtnode_t *node; - dns_rdataset_t zrdataset; - dns_rpz_cidr_bits_t prefix; +static isc_result_t +rpz_ready(dns_db_t *db) { + dns_rbtdb_t * rbtdb; isc_result_t result; - dns_rpz_policy_t rpz_policy; - dns_ttl_t ttl; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - - if (rbtdb->rpz_cidr == NULL) { - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return; - } - - dns_fixedname_init(&selfnamef); - dns_fixedname_init(&qnamef); - selfname = dns_fixedname_name(&selfnamef); - qname = dns_fixedname_name(&qnamef); - - for (result = dns_rdataset_first(ardataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(ardataset)) { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_current(ardataset, &rdata); - switch (rdata.type) { - case dns_rdatatype_a: - INSIST(rdata.length == 4); - memcpy(&ina.s_addr, rdata.data, 4); - isc_netaddr_fromin(&netaddr, &ina); - break; - case dns_rdatatype_aaaa: - INSIST(rdata.length == 16); - memcpy(in6a.s6_addr, rdata.data, 16); - isc_netaddr_fromin6(&netaddr, &in6a); - break; - default: - continue; - } - result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type, - selfname, qname, &prefix); - if (result != ISC_R_SUCCESS) - continue; - - /* - * If we already have a rule, discard this new rule if - * is not better. 
- * The caller has checked that st->m.rpz->num > rpz->num - * or st->m.rpz->num == rpz->num and st->m.type >= rpz_type - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS && - st->m.rpz->num == rpz->num && - (st->m.type < rpz_type || - (st->m.type == rpz_type && - (st->m.prefix > prefix || - (st->m.prefix == prefix && - 0 > dns_name_rdatacompare(st->qname, qname)))))) - continue; - - /* - * We have rpz_st an entry with a prefix at least as long as - * the prefix of the entry we had before. Find the node - * corresponding to CDIR tree entry. - */ - node = NULL; - result = dns_rbt_findnode(rbtdb->tree, qname, NULL, - &node, NULL, 0, NULL, NULL); - if (result != ISC_R_SUCCESS) { - char namebuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, namebuf, sizeof(namebuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz_findips findnode(%s) failed: %s", - namebuf, isc_result_totext(result)); - continue; - } - /* - * First look for a simple rewrite of the IP address. - * If that fails, look for a CNAME. If we cannot find - * a CNAME or the CNAME is neither of the special forms - * "*" or ".", treat it like a real CNAME. 
- */ - dns_rdataset_init(&zrdataset); - result = dns_db_findrdataset(db, node, version, ardataset->type, - 0, 0, &zrdataset, NULL); - if (result != ISC_R_SUCCESS) - result = dns_db_findrdataset(db, node, version, - dns_rdatatype_cname, - 0, 0, &zrdataset, NULL); - if (result == ISC_R_SUCCESS) { - if (zrdataset.type != dns_rdatatype_cname) { - rpz_policy = DNS_RPZ_POLICY_RECORD; - } else { - rpz_policy = dns_rpz_decode_cname(rpz, - &zrdataset, - selfname); - if (rpz_policy == DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) - result = DNS_R_CNAME; - } - ttl = zrdataset.ttl; - } else { - rpz_policy = DNS_RPZ_POLICY_RECORD; - result = DNS_R_NXRRSET; - ttl = DNS_RPZ_TTL_DEFAULT; - } - - /* - * Use an overriding action specified in the configuration file - */ - if (rpz->policy != DNS_RPZ_POLICY_GIVEN) { - /* - * only log DNS_RPZ_POLICY_DISABLED hits - */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - if (isc_log_wouldlog(dns_lctx, - DNS_RPZ_INFO_LEVEL)) { - char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; - dns_name_format(query_qname, qname_buf, - sizeof(qname_buf)); - dns_name_format(qname, rpz_qname_buf, - sizeof(rpz_qname_buf)); - - isc_log_write(dns_lctx, - DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, - DNS_RPZ_INFO_LEVEL, - "disabled rpz %s %s rewrite" - " %s via %s", - dns_rpz_type2str(rpz_type), - dns_rpz_policy2str(rpz_policy), - qname_buf, rpz_qname_buf); - } - continue; - } - - rpz_policy = rpz->policy; - } - - if (dns_rdataset_isassociated(st->m.rdataset)) - dns_rdataset_disassociate(st->m.rdataset); - if (st->m.node != NULL) - dns_db_detachnode(st->m.db, &st->m.node); - if (st->m.db != NULL) - dns_db_detach(&st->m.db); - if (st->m.zone != NULL) - dns_zone_detach(&st->m.zone); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = prefix; - st->m.policy = rpz_policy; - st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl); - st->m.result = result; - dns_name_copy(qname, st->qname, NULL); - if ((rpz_policy == 
DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) && - result != DNS_R_NXRRSET) { - dns_rdataset_clone(&zrdataset,st->m.rdataset); - dns_db_attachnode(db, node, &st->m.node); - } - dns_db_attach(db, &st->m.db); - st->m.version = version; - dns_zone_attach(zone, &st->m.zone); - if (dns_rdataset_isassociated(&zrdataset)) - dns_rdataset_disassociate(&zrdataset); + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + if (rbtdb->rpzs == NULL) { + INSIST(rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + result = ISC_R_SUCCESS; + } else { + result = dns_rpz_ready(rbtdb->rpzs, &rbtdb->load_rpzs, + rbtdb->rpz_num); } - - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + return (result); } #endif @@ -6874,8 +6704,9 @@ noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep); #ifdef BIND9 - if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_addip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) + noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, + name); #endif if (!hasnsec) @@ -7060,6 +6891,20 @@ RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); +#ifdef BIND9 + if (rbtdb->rpzs != NULL) { + isc_result_t result; + + result = dns_rpz_beginload(&rbtdb->load_rpzs, + rbtdb->rpzs, rbtdb->rpz_num); + if (result != ISC_R_SUCCESS) { + isc_mem_put(rbtdb->common.mctx, loadctx, + sizeof(*loadctx)); + return (result); + } + } +#endif + REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING)) == 0); rbtdb->attributes |= RBTDB_ATTR_LOADING; @@ -7461,8 +7306,8 @@ isdnssec, NULL, #ifdef BIND9 - rpz_enabled, - rpz_findips, + rpz_attach, + rpz_ready, #else NULL, NULL, @@ -7776,6 +7621,9 @@ } rbtdb->attributes = 0; rbtdb->task = NULL; + rbtdb->rpzs = NULL; + rbtdb->load_rpzs = NULL; + rbtdb->rpz_num = DNS_RPZ_INVALID_NUM; /* * Version Initialization. --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rdataset.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rdataset.c 
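Review bot: The new error return in the rbtdb.c beginload hunk at @@ -7060 leaves `rbtdb->lock` held: `RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);` is taken on the context line just above the added block, and the dns_rpz_beginload failure path frees loadctx and returns without the matching unlock, so the write lock is never released on that path. Add `RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);` immediately before `return (result);`. The enclosing function starts and ends outside the hunk, so anything else acquired before the lock may also need releasing on this path.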
@@ -297,6 +297,7 @@ #define MAX_SHUFFLE 32 #define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0) #define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0) +#define WANT_SINGLE(r) (((r)->attributes & DNS_RDATASETATTR_SINGLE) != 0) struct towire_sort { int key; @@ -321,6 +322,7 @@ isc_region_t r; isc_result_t result; unsigned int i, count = 0, added, choice; + unsigned int real_count; isc_buffer_t savedbuffer, rdlen, rrbuffer; unsigned int headlen; isc_boolean_t question = ISC_FALSE; @@ -362,6 +364,7 @@ if (result != ISC_R_SUCCESS) return (result); } + real_count = count; /* * Do we want to shuffle this answer? @@ -430,6 +433,9 @@ sorted[i].key = 0; /* Unused */ sorted[i].rdata = &shuffled[i]; } + if (count > 1 && WANT_SINGLE(rdataset)) { + count = 1; + } } else { /* * "Cyclic" order. @@ -550,9 +556,9 @@ cleanup: if (sorted != NULL && sorted != sorted_fixed) - isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted)); + isc_mem_put(cctx->mctx, sorted, real_count * sizeof(*sorted)); if (shuffled != NULL && shuffled != shuffled_fixed) - isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled)); + isc_mem_put(cctx->mctx, shuffled, real_count * sizeof(*shuffled)); return (result); } --- bind9-9.9.3.dfsg.P2.orig/lib/dns/resolver.c +++ bind9-9.9.3.dfsg.P2/lib/dns/resolver.c @@ -470,7 +470,9 @@ static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, + dns_ttl_t minttl, + dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *ardataset, @@ -4197,7 +4199,7 @@ ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, - covers, now, ttl, vevent->optout, + covers, now, fctx->res->view->minncachettl, ttl, vevent->optout, vevent->secure, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto noanswer_response; 
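Review bot: `real_count` (declared at @@ -321) is only assigned at @@ -362 after the counting loop, yet the `cleanup:` label at @@ -550 reads it for both isc_mem_put calls; any exit that reaches cleanup before that assignment passes an indeterminate size, and even if every such exit has sorted/shuffled still NULL (the hunks do not show this) the compiler will report it as maybe-uninitialized. Initialise it at the declaration, `unsigned int real_count = 0;`, and annotate the assignment with `/* remember the allocated size: count may be cut to 1 below */` so the WANT_SINGLE truncation at @@ -430 is visibly tied to the free sizes. The towire function starts and ends outside these hunks.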
@@ -4652,6 +4654,12 @@ */ if (rdataset->ttl > res->view->maxcachettl) rdataset->ttl = res->view->maxcachettl; + + /* + * Enforce configured minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; /* * Find the SIG for this rdataset, if we have it. @@ -4979,7 +4987,7 @@ */ static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *ardataset, isc_result_t *eresultp) { @@ -4992,10 +5000,10 @@ } if (secure) result = dns_ncache_addoptout(message, cache, node, covers, - now, maxttl, optout, ardataset); + now, minttl, maxttl, optout, ardataset); else result = dns_ncache_add(message, cache, node, covers, now, - maxttl, ardataset); + minttl, maxttl, ardataset); if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* * If the cache now contains a negative entry and we @@ -5161,7 +5169,7 @@ ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, - covers, now, ttl, ISC_FALSE, + covers, now, fctx->res->view->minncachettl, ttl, ISC_FALSE, ISC_FALSE, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto unlock; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rpz.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rpz.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include 
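Review bot: The new floor at @@ -4652, `if (rdataset->ttl < res->view->mincachettl) rdataset->ttl = res->view->mincachettl;`, runs after the maxcachettl cap and so overrides any earlier reduction of rdataset->ttl rather than only lifting short TTLs; if this function or the validator has already bounded the TTL by the covering RRSIG's remaining validity, that bound is undone and a signed RRset could be served from cache after its signature has expired. Worth confirming where that signature-derived cap is applied (not visible here) and, if it is earlier, moving this floor before it or clamping to the signature expiry as well. Nothing in these hunks rejects a min-cache-ttl larger than max-cache-ttl, so the minimum would win over the maximum; the same applies to the minncachettl values threaded through @@ -4197, @@ -4979 and @@ -5161. The enclosing function starts and ends outside the hunk.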
@@ -44,9 +45,13 @@ /* * Parallel radix trees for databases of response policy IP addresses * - * The radix or Patricia trees are somewhat specialized to handle response - * policy addresses by representing the two test of IP IP addresses and name - * server IP addresses in a single tree. + * The radix or patricia trees are somewhat specialized to handle response + * policy addresses by representing the two sets of IP addresses and name + * server IP addresses in a single tree. One set of IP addresses is + * for rpz-ip policies or policies triggered by addresses in A or + * AAAA records in responses. + * The second set is for rpz-nsip policies or policies triggered by addresses + * in A or AAAA records for NS records that are authorities for responses. * * Each leaf indicates that an IP address is listed in the IP address or the * name server IP address policy sub-zone (or both) of the corresponding @@ -55,7 +60,8 @@ * tree, the node in the policy zone's database is found by converting * the IP address to a domain name in a canonical form. * - * The response policy zone canonical form of IPv6 addresses is one of: + * + * The response policy zone canonical form of an IPv6 address is one of: * prefix.W.W.W.W.W.W.W.W * prefix.WORDS.zz * prefix.WORDS.zz.WORDS @@ -72,7 +78,7 @@ * prefix is the prefix length of the address between 1 and 32 * B is a number between 0 and 255 * - * IPv4 addresses are distinguished from IPv6 addresses by having + * Names for IPv4 addresses are distinguished from IPv6 addresses by having * 5 labels all of which are numbers, and a prefix between 1 and 32. */ 
@@ -90,43 +96,89 @@ } dns_rpz_cidr_key_t; #define ADDR_V4MAPPED 0xffff +#define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 && \ + (ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED) + +#define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ + : ((dns_rpz_cidr_word_t)(-1) \ + << (DNS_RPZ_CIDR_WORD_BITS - (b)))) + +/* + * Get bit #n from the array of words of an IP address. + */ +#define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >> \ + (DNS_RPZ_CIDR_WORD_BITS \ + - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS)))) -#define DNS_RPZ_WORD_MASK(b) \ - ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ - : ((dns_rpz_cidr_word_t)(-1) \ - << (DNS_RPZ_CIDR_WORD_BITS - (b)))) - -#define DNS_RPZ_IP_BIT(ip, bitno) \ - (1 & ((ip)->w[(bitno)/DNS_RPZ_CIDR_WORD_BITS] >> \ - (DNS_RPZ_CIDR_WORD_BITS - 1 - ((bitno) % DNS_RPZ_CIDR_WORD_BITS)))) +/* + * A triplet of arrays of bits flagging the existence of + * client-IP, IP, and NSIP policy triggers. + */ +typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t; +struct dns_rpz_addr_zbits { + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsip; +}; -typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; -typedef isc_uint8_t dns_rpz_cidr_flags_t; +/* + * A CIDR or radix tree node. 
+ */ struct dns_rpz_cidr_node { - dns_rpz_cidr_node_t *parent; - dns_rpz_cidr_node_t *child[2]; - dns_rpz_cidr_key_t ip; - dns_rpz_cidr_bits_t bits; - dns_rpz_cidr_flags_t flags; -#define DNS_RPZ_CIDR_FG_IP 0x01 /* has IP data or is parent of IP */ -#define DNS_RPZ_CIDR_FG_IP_DATA 0x02 /* has IP data */ -#define DNS_RPZ_CIDR_FG_NSIPv4 0x04 /* has or is parent of NSIPv4 data */ -#define DNS_RPZ_CIDR_FG_NSIPv6 0x08 /* has or is parent of NSIPv6 data */ -#define DNS_RPZ_CIDR_FG_NSIP_DATA 0x10 /* has NSIP data */ + dns_rpz_cidr_node_t *parent; + dns_rpz_cidr_node_t *child[2]; + dns_rpz_cidr_key_t ip; + dns_rpz_prefix_t prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_addr_zbits_t sum; +}; + +/* + * The data in a RBT node has two pairs of bits for policy zones. + * One pair is for the corresponding name of the node such as example.com + * and the other pair is for a wildcard child such as *.example.com. + */ +/* + * A pair of arrays of bits flagging the existence of + * QNAME and NSDNAME policy triggers. + */ +typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t; +struct dns_rpz_nm_zbits { + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ns; }; -struct dns_rpz_cidr { - isc_mem_t *mctx; - isc_boolean_t have_nsdname; /* zone has NSDNAME record */ - dns_rpz_cidr_node_t *root; - dns_name_t ip_name; /* RPZ_IP_ZONE.origin. */ - dns_name_t nsip_name; /* RPZ_NSIP_ZONE.origin. */ - dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */ +typedef struct dns_rpz_nm_data dns_rpz_nm_data_t; +struct dns_rpz_nm_data { + dns_rpz_nm_zbits_t set; + dns_rpz_nm_zbits_t wild; }; +#if 0 +/* + * Catch a name while debugging. 
+ */ +static void +catch_name(const dns_name_t *src_name, const char *tgt, const char *str) { + dns_fixedname_t tgt_namef; + dns_name_t *tgt_name; + + dns_fixedname_init(&tgt_namef); + tgt_name = dns_fixedname_name(&tgt_namef); + dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL); + if (dns_name_equal(src_name, tgt_name)) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz hit failed: %s %s", str, tgt); + } +} +#endif + const char * dns_rpz_type2str(dns_rpz_type_t type) { switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + return ("CLIENT-IP"); case DNS_RPZ_TYPE_QNAME: return ("QNAME"); case DNS_RPZ_TYPE_IP: 
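Review bot: KEY_IS_IPV4 tests `(prefix) >= 96`, whereas the condition it replaces in ip2name (in the @@ -440 hunk at the end of this page) was `tgt_prefix > 96`; a v4-mapped key with a prefix of exactly 96 is now formatted as an IPv4 name with prefix length `tgt_prefix - 96 == 0`, which the file-header comment says must lie between 1 and 32. If that is unintended the macro should read `> 96`; if it is intended, the header comment and the ipv4/ipv6 trigger counting in adj_trigger_cnt, which also uses the macro, should say so. Separately, the `#if 0` catch_name block is dead code committed to the tree; either drop it or state in its comment when it is meant to be enabled.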
@@ -138,32 +190,34 @@ case DNS_RPZ_TYPE_BAD: break; } - FATAL_ERROR(__FILE__, __LINE__, - "impossible rpz type %d", type); + FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type); return ("impossible"); } dns_rpz_policy_t dns_rpz_str2policy(const char *str) { + static struct { + const char *str; + dns_rpz_policy_t policy; + } tbl[] = { + {"given", DNS_RPZ_POLICY_GIVEN}, + {"disabled", DNS_RPZ_POLICY_DISABLED}, + {"passthru", DNS_RPZ_POLICY_PASSTHRU}, + {"drop", DNS_RPZ_POLICY_DROP}, + {"tcp-only", DNS_RPZ_POLICY_TCP_ONLY}, + {"nxdomain", DNS_RPZ_POLICY_NXDOMAIN}, + {"nodata", DNS_RPZ_POLICY_NODATA}, + {"cname", DNS_RPZ_POLICY_CNAME}, + {"no-op", DNS_RPZ_POLICY_PASSTHRU}, /* old passthru */ + }; + unsigned int n; + if (str == NULL) return (DNS_RPZ_POLICY_ERROR); - if (!strcasecmp(str, "given")) - return (DNS_RPZ_POLICY_GIVEN); - if (!strcasecmp(str, "disabled")) - return (DNS_RPZ_POLICY_DISABLED); - if (!strcasecmp(str, "passthru")) - return (DNS_RPZ_POLICY_PASSTHRU); - if (!strcasecmp(str, "nxdomain")) - return (DNS_RPZ_POLICY_NXDOMAIN); - if (!strcasecmp(str, "nodata")) - return (DNS_RPZ_POLICY_NODATA); - if (!strcasecmp(str, "cname")) - return (DNS_RPZ_POLICY_CNAME); - /* - * Obsolete - */ - if (!strcasecmp(str, "no-op")) - return (DNS_RPZ_POLICY_PASSTHRU); + for (n = 0; n < sizeof(tbl)/sizeof(tbl[0]); ++n) { + if (!strcasecmp(tbl[n].str, str)) + return (tbl[n].policy); + } return (DNS_RPZ_POLICY_ERROR); } @@ -175,6 +229,12 @@ case DNS_RPZ_POLICY_PASSTHRU: str = "PASSTHRU"; break; + case DNS_RPZ_POLICY_DROP: + str = "DROP"; + break; + case DNS_RPZ_POLICY_TCP_ONLY: + str = "TCP-ONLY"; + break; case DNS_RPZ_POLICY_NXDOMAIN: str = "NXDOMAIN"; break; 
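Review bot: The lookup table in dns_rpz_str2policy is declared `static struct {...} tbl[]` without `const`, so it lands in writable data although nothing modifies it; make it `static const struct { const char *str; dns_rpz_policy_t policy; } tbl[] = {`. The trailing comment on the last entry, `/* old passthru */`, would be clearer as `/* obsolete alias of passthru, kept for old configs */`, since the removed code carried that explanation under an "Obsolete" heading and it is otherwise lost.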
@@ -196,243 +256,274 @@ return (str); } -/* - * Free the radix tree of a response policy database. - */ -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidrp) { - dns_rpz_cidr_node_t *cur, *child, *parent; - dns_rpz_cidr_t *cidr; - - REQUIRE(cidrp != NULL); - - cidr = *cidrp; - if (cidr == NULL) - return; - - cur = cidr->root; - while (cur != NULL) { - /* Depth first. */ - child = cur->child[0]; - if (child != NULL) { - cur = child; - continue; - } - child = cur->child[1]; - if (child != NULL) { - cur = child; - continue; - } +static int +zbit_to_num(dns_rpz_zbits_t zbit) { + dns_rpz_num_t rpz_num; - /* Delete this leaf and go up. */ - parent = cur->parent; - if (parent == NULL) - cidr->root = NULL; - else - parent->child[parent->child[1] == cur] = NULL; - isc_mem_put(cidr->mctx, cur, sizeof(*cur)); - cur = parent; + INSIST(zbit != 0); + rpz_num = 0; +#if DNS_RPZ_MAX_ZONES > 32 + if ((zbit & 0xffffffff00000000L) != 0) { + zbit >>= 32; + rpz_num += 32; } - - dns_name_free(&cidr->ip_name, cidr->mctx); - dns_name_free(&cidr->nsip_name, cidr->mctx); - dns_name_free(&cidr->nsdname_name, cidr->mctx); - isc_mem_put(cidr->mctx, cidr, sizeof(*cidr)); - *cidrp = NULL; +#endif + if ((zbit & 0xffff0000) != 0) { + zbit >>= 16; + rpz_num += 16; + } + if ((zbit & 0xff00) != 0) { + zbit >>= 8; + rpz_num += 8; + } + if ((zbit & 0xf0) != 0) { + zbit >>= 4; + rpz_num += 4; + } + if ((zbit & 0xc) != 0) { + zbit >>= 2; + rpz_num += 2; + } + if ((zbit & 2) != 0) + ++rpz_num; + return (rpz_num); } /* - * Forget a view's list of policy zones. + * Make a set of bit masks given one or more bits and their type. 
*/ -void -dns_rpz_view_destroy(dns_view_t *view) { - dns_rpz_zone_t *zone; - - REQUIRE(view != NULL); +static void +make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits, + dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + tgt_set->client_ip = zbits; + tgt_set->ip = 0; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_IP: + tgt_set->client_ip = 0; + tgt_set->ip = zbits; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_NSIP: + tgt_set->client_ip = 0; + tgt_set->ip = 0; + tgt_set->nsip = zbits; + break; + default: + INSIST(0); + break; + } +} - while (!ISC_LIST_EMPTY(view->rpz_zones)) { - zone = ISC_LIST_HEAD(view->rpz_zones); - ISC_LIST_UNLINK(view->rpz_zones, zone, link); - if (dns_name_dynamic(&zone->origin)) - dns_name_free(&zone->origin, view->mctx); - if (dns_name_dynamic(&zone->passthru)) - dns_name_free(&zone->passthru, view->mctx); - if (dns_name_dynamic(&zone->nsdname)) - dns_name_free(&zone->nsdname, view->mctx); - if (dns_name_dynamic(&zone->cname)) - dns_name_free(&zone->cname, view->mctx); - isc_mem_put(view->mctx, zone, sizeof(*zone)); +static void +make_nm_set(dns_rpz_nm_zbits_t *tgt_set, + dns_rpz_num_t rpz_num, dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_QNAME: + tgt_set->qname = DNS_RPZ_ZBIT(rpz_num); + tgt_set->ns = 0; + break; + case DNS_RPZ_TYPE_NSDNAME: + tgt_set->qname = 0; + tgt_set->ns = DNS_RPZ_ZBIT(rpz_num); + break; + default: + INSIST(0); + break; } } /* - * Start a new radix tree for a response policy zone. 
+ * Mark a node and all of its parents as having client-IP, IP, or NSIP data */ -isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr) -{ - isc_result_t result; - dns_rpz_cidr_t *cidr; - - REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL); - - cidr = isc_mem_get(mctx, sizeof(*cidr)); - if (cidr == NULL) - return (ISC_R_NOMEMORY); - memset(cidr, 0, sizeof(*cidr)); - cidr->mctx = mctx; +static void +set_sum_pair(dns_rpz_cidr_node_t *cnode) { + dns_rpz_cidr_node_t *child; + dns_rpz_addr_zbits_t sum; - dns_name_init(&cidr->ip_name, NULL); - result = dns_name_fromstring2(&cidr->ip_name, DNS_RPZ_IP_ZONE, origin, - DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + do { + sum = cnode->set; - dns_name_init(&cidr->nsip_name, NULL); - result = dns_name_fromstring2(&cidr->nsip_name, DNS_RPZ_NSIP_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[0]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - dns_name_init(&cidr->nsdname_name, NULL); - result = dns_name_fromstring2(&cidr->nsdname_name, DNS_RPZ_NSDNAME_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->nsip_name, mctx); - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[1]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - *rbtdb_cidr = cidr; - return (ISC_R_SUCCESS); + if (cnode->sum.client_ip == sum.client_ip && + cnode->sum.ip == sum.ip && + cnode->sum.nsip == sum.nsip) + break; + cnode->sum = sum; + cnode = cnode->parent; + } while (cnode != NULL); } -/* - * See if a policy 
zone has IP, NSIP, or NSDNAME rules or records. - */ -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) { - if (cidr == NULL) - return; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_IP) != 0) - st->state |= DNS_RPZ_HAVE_IP; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv4) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv4; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv6) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv6; - if (cidr->have_nsdname) - st->state |= DNS_RPZ_HAVE_NSDNAME; -} - -static inline dns_rpz_cidr_flags_t -get_flags(const dns_rpz_cidr_key_t *ip, dns_rpz_cidr_bits_t prefix, - dns_rpz_type_t rpz_type) -{ - if (rpz_type == DNS_RPZ_TYPE_NSIP) { - if (prefix >= 96 && - ip->w[0] == 0 && ip->w[1] == 0 && - ip->w[2] == ADDR_V4MAPPED) - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv4); - else - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv6); +static void +fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) { + dns_rpz_zbits_t zbits; + + /* + * Get a mask covering all policy zones that are not subordinate to + * other policy zones containing triggers that require that the + * qname be resolved before they can be checked. + */ + if (rpzs->p.qname_wait_recurse) { + zbits = 0; } else { - return (DNS_RPZ_CIDR_FG_IP | DNS_RPZ_CIDR_FG_IP_DATA); + zbits = (rpzs->have.ipv4 || rpzs->have.ipv6 || + rpzs->have.nsdname || + rpzs->have.nsipv4 || rpzs->have.nsipv6); + if (zbits == 0) { + zbits = DNS_RPZ_ALL_ZBITS; + } else { + zbits = DNS_RPZ_ZMASK(zbit_to_num(zbits)); + } } + rpzs->have.qname_skip_recurse = zbits; + + rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6; + rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6; + rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6; } -/* - * Mark a node as having IP or NSIP data and all of its parents - * as members of the IP or NSIP tree. 
- */ static void -set_node_flags(dns_rpz_cidr_node_t *node, dns_rpz_type_t rpz_type) { - dns_rpz_cidr_flags_t flags; +adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + isc_boolean_t inc) +{ + int *cnt; + dns_rpz_zbits_t *have; - flags = get_flags(&node->ip, node->bits, rpz_type); - node->flags |= flags; - flags &= ~(DNS_RPZ_CIDR_FG_NSIP_DATA | DNS_RPZ_CIDR_FG_IP_DATA); - for (;;) { - node = node->parent; - if (node == NULL) - return; - node->flags |= flags; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].client_ipv4; + have = &rpzs->have.client_ipv4; + } else { + cnt = &rpzs->triggers[rpz_num].client_ipv6; + have = &rpzs->have.client_ipv6; + } + break; + case DNS_RPZ_TYPE_QNAME: + cnt = &rpzs->triggers[rpz_num].qname; + have = &rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].ipv4; + have = &rpzs->have.ipv4; + } else { + cnt = &rpzs->triggers[rpz_num].ipv6; + have = &rpzs->have.ipv6; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + cnt = &rpzs->triggers[rpz_num].nsdname; + have = &rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].nsipv4; + have = &rpzs->have.nsipv4; + } else { + cnt = &rpzs->triggers[rpz_num].nsipv6; + have = &rpzs->have.nsipv6; + } + break; + default: + INSIST(0); + } + + if (inc) { + if (++*cnt == 1) { + *have |= DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } + } else { + REQUIRE(*cnt > 0); + if (--*cnt == 0) { + *have &= ~DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } } } -/* - * Make a radix tree node. 
- */ static dns_rpz_cidr_node_t * -new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip, - dns_rpz_cidr_bits_t bits, dns_rpz_cidr_flags_t flags) +new_node(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix, + const dns_rpz_cidr_node_t *child) { - dns_rpz_cidr_node_t *node; + dns_rpz_cidr_node_t *new; int i, words, wlen; - node = isc_mem_get(cidr->mctx, sizeof(*node)); - if (node == NULL) + new = isc_mem_get(rpzs->mctx, sizeof(*new)); + if (new == NULL) return (NULL); - memset(node, 0, sizeof(*node)); + memset(new, 0, sizeof(*new)); - node->flags = flags & ~(DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); + if (child != NULL) + new->sum = child->sum; - node->bits = bits; - words = bits / DNS_RPZ_CIDR_WORD_BITS; - wlen = bits % DNS_RPZ_CIDR_WORD_BITS; + new->prefix = prefix; + words = prefix / DNS_RPZ_CIDR_WORD_BITS; + wlen = prefix % DNS_RPZ_CIDR_WORD_BITS; i = 0; while (i < words) { - node->ip.w[i] = ip->w[i]; + new->ip.w[i] = ip->w[i]; ++i; } if (wlen != 0) { - node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); + new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); ++i; } while (i < DNS_RPZ_CIDR_WORDS) - node->ip.w[i++] = 0; + new->ip.w[i++] = 0; - return (node); + return (new); } static void badname(int level, dns_name_t *name, const char *str1, const char *str2) { - char printname[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "invalid rpz". 
*/ - if (level < DNS_RPZ_DEBUG_QUIET - && isc_log_wouldlog(dns_lctx, level)) { - dns_name_format(name, printname, sizeof(printname)); + if (level < DNS_RPZ_DEBUG_QUIET && + isc_log_wouldlog(dns_lctx, level)) { + dns_name_format(name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, level, "invalid rpz IP address \"%s\"%s%s", - printname, str1, str2); + namebuf, str1, str2); } } /* * Convert an IP address from radix tree binary (host byte order) to - * to its canonical response policy domain name and its name in the + * to its canonical response policy domain name without the origin of the * policy zone. */ static isc_result_t -ip2name(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - dns_name_t *canon_name, dns_name_t *search_name) +ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + dns_name_t *base_name, dns_name_t *ip_name) { #ifndef INET6_ADDRSTRLEN #define INET6_ADDRSTRLEN 46 @@ -440,22 +531,18 @@ int w[DNS_RPZ_CIDR_WORDS*2]; char str[1+8+1+INET6_ADDRSTRLEN+1]; isc_buffer_t buffer; - dns_name_t *name; isc_result_t result; isc_boolean_t zeros; int i, n, len; - if (tgt_prefix > 96 && - tgt_ip->w[0] == 0 && - tgt_ip->w[1] == 0 && - tgt_ip->w[2] == ADDR_V4MAPPED) { + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d", tgt_prefix - 96, tgt_ip->w[3] & 0xff, (tgt_ip->w[3]>>8) & 0xff, (tgt_ip->w[3]>>16) & 0xff, (tgt_ip->w[3]>>24) & 0xff); - if (len == -1 || len > (int)sizeof(str)) + if (len < 0 || len > (int)sizeof(str)) return (ISC_R_FAILURE); } else { for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) { 
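Review bot: The truncation test after the IPv4 snprintf in ip2name is off by one: snprintf returns the length the output would have had, so `len == sizeof(str)` means the last character was dropped to make room for the NUL, yet `len > (int)sizeof(str)` still accepts it. Use `if (len < 0 || len >= (int)sizeof(str)) return (ISC_R_FAILURE);`. With at most five decimal fields the str buffer declared above cannot actually be filled by this branch, so this is hardening rather than a live overflow, but the IPv6 branch later in the function indexes `&str[len]` and depends on len being an exact in-bounds length. ip2name continues past the end of this hunk.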
@@ -469,9 +556,9 @@ return (ISC_R_FAILURE); i = 0; while (i < DNS_RPZ_CIDR_WORDS * 2) { - if (w[i] != 0 || zeros - || i >= DNS_RPZ_CIDR_WORDS * 2 - 1 - || w[i+1] != 0) { + if (w[i] != 0 || zeros || + i >= DNS_RPZ_CIDR_WORDS * 2 - 1 || + w[i+1] != 0) { INSIST((size_t)len <= sizeof(str)); n = snprintf(&str[len], sizeof(str) - len, ".%x", w[i++]); 
@@ -495,48 +582,31 @@ } } - if (canon_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - result = dns_name_fromtext(canon_name, &buffer, - dns_rootname, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - if (search_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - if (type == DNS_RPZ_TYPE_NSIP) - name = &cidr->nsip_name; - else - name = &cidr->ip_name; - result = dns_name_fromtext(search_name, &buffer, name, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - return (ISC_R_SUCCESS); + isc__buffer_init(&buffer, str, sizeof(str)); + isc__buffer_add(&buffer, len); + result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL); + return (result); } /* - * Decide which kind of IP address response policy zone a name is in. + * Determine the type a of a name in a response policy zone. */ static dns_rpz_type_t -set_type(dns_rpz_cidr_t *cidr, dns_name_t *name) { +type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) { - if (dns_name_issubdomain(name, &cidr->ip_name)) + if (dns_name_issubdomain(name, &rpz->ip)) return (DNS_RPZ_TYPE_IP); - /* - * Require `./configure --enable-rpz-nsip` and nsdname - * until consistency problems are resolved. - */ + if (dns_name_issubdomain(name, &rpz->client_ip)) + return (DNS_RPZ_TYPE_CLIENT_IP); + #ifdef ENABLE_RPZ_NSIP - if (dns_name_issubdomain(name, &cidr->nsip_name)) + if (dns_name_issubdomain(name, &rpz->nsip)) return (DNS_RPZ_TYPE_NSIP); #endif #ifdef ENABLE_RPZ_NSDNAME - if (dns_name_issubdomain(name, &cidr->nsdname_name)) + if (dns_name_issubdomain(name, &rpz->nsdname)) return (DNS_RPZ_TYPE_NSDNAME); #endif 
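Review bot: The new header comment on type_from_name reads `Determine the type a of a name in a response policy zone`; it should read `Determine the type of a name in a response policy zone`. It would also help to record in that comment what the code shows: the `rpz->ip` test is made before `rpz->client_ip`, and when ENABLE_RPZ_NSIP or ENABLE_RPZ_NSDNAME is not defined a name under the nsip or nsdname subtree is not rejected here but falls through to whatever check follows, which lies outside this hunk. A one-line note such as `/* nsip/nsdname names fall through to the later checks when compiled out */` would save the next reader from rediscovering that.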
@@ -545,73 +615,80 @@ /* * Convert an IP address from canonical response policy domain name form - * to radix tree binary (host byte order). + * to radix tree binary (host byte order) for adding or deleting IP or NSIP + * data. */ static isc_result_t -name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, - dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t *tgt_prefix) +name2ipkey(int log_level, + const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name, + dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix, + dns_rpz_addr_zbits_t *new_set) { - isc_result_t result; - dns_fixedname_t fname; - dns_name_t *ipname; - char ipstr[DNS_NAME_FORMATSIZE]; + dns_rpz_zone_t *rpz; + char ip_str[DNS_NAME_FORMATSIZE]; + dns_offsets_t ip_name_offsets; + dns_fixedname_t ip_name2f; + dns_name_t ip_name, *ip_name2; const char *prefix_str, *cp, *end; char *cp2; int ip_labels; - dns_rpz_cidr_bits_t bits; - unsigned long prefix, l; + dns_rpz_prefix_t prefix; + unsigned long prefix_num, l; + isc_result_t result; int i; - /* - * Need at least enough labels for the shortest name, - * :: or 128.*.RPZ_x_ZONE.rpz.LOCALHOST. 
- */ + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type); + ip_labels = dns_name_countlabels(src_name); - ip_labels -= dns_name_countlabels(&cidr->ip_name); - ip_labels--; - if (ip_labels < 1) { - badname(level, src_name, "; too short", ""); + if (rpz_type == DNS_RPZ_TYPE_QNAME) + ip_labels -= dns_name_countlabels(&rpz->origin); + else + ip_labels -= dns_name_countlabels(&rpz->nsdname); + if (ip_labels < 2) { + badname(log_level, src_name, "; too short", ""); return (ISC_R_FAILURE); } + dns_name_init(&ip_name, ip_name_offsets); + dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name); /* * Get text for the IP address */ - dns_fixedname_init(&fname); - ipname = dns_fixedname_name(&fname); - dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name), - ipname, NULL); - dns_name_format(ipname, ipstr, sizeof(ipstr)); - end = &ipstr[strlen(ipstr)+1]; - prefix_str = ipstr; + dns_name_format(&ip_name, ip_str, sizeof(ip_str)); + end = &ip_str[strlen(ip_str)+1]; + prefix_str = ip_str; - prefix = strtoul(prefix_str, &cp2, 10); + prefix_num = strtoul(prefix_str, &cp2, 10); if (*cp2 != '.') { - badname(level, src_name, + badname(log_level, src_name, "; invalid leading prefix length", ""); return (ISC_R_FAILURE); } *cp2 = '\0'; - if (prefix < 1U || prefix > 128U) { - badname(level, src_name, + if (prefix_num < 1U || prefix_num > 128U) { + badname(log_level, src_name, "; invalid prefix length of ", prefix_str); return (ISC_R_FAILURE); } cp = cp2+1; - if (ip_labels == 4 && !strchr(cp, 'z')) { + if (--ip_labels == 4 && !strchr(cp, 'z')) { /* * Convert an IPv4 address * from the form "prefix.w.z.y.x" */ - if (prefix > 32U) { - badname(level, src_name, + if (prefix_num > 32U) { + badname(log_level, src_name, "; invalid IPv4 prefix length of ", prefix_str); return (ISC_R_FAILURE); } - prefix += 96; - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + prefix_num += 
96; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; tgt_ip->w[0] = 0; tgt_ip->w[1] = 0; tgt_ip->w[2] = ADDR_V4MAPPED; @@ -621,7 +698,7 @@ if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv4 octet ", cp); return (ISC_R_FAILURE); } @@ -632,7 +709,7 @@ /* * Convert a text IPv6 address. */ - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; for (i = 0; ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2; ip_labels--) { @@ -651,7 +728,7 @@ (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv6 word ", cp); return (ISC_R_FAILURE); } 
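Review bot: name2ipkey strips the label count of `rpz->nsdname` from every non-QNAME name, although it parses IP-form names that live under `rpz->ip`, `rpz->client_ip` or `rpz->nsip` (the only caller visible in this diff is add_cidr, which passes an IP-style rpz_type). That is only correct if those subtree names always have exactly as many labels as nsdname, which nothing in the function enforces, and a mismatch would shift where the prefix and octets are read from. Selecting the name by rpz_type makes the dependency explicit and matches the `default: INSIST(0)` style adj_trigger_cnt uses; name2ipkey continues past the end of this hunk.
```c
	ip_labels = dns_name_countlabels(src_name);
	switch (rpz_type) {
	case DNS_RPZ_TYPE_QNAME:
		ip_labels -= dns_name_countlabels(&rpz->origin);
		break;
	case DNS_RPZ_TYPE_CLIENT_IP:
		ip_labels -= dns_name_countlabels(&rpz->client_ip);
		break;
	case DNS_RPZ_TYPE_IP:
		ip_labels -= dns_name_countlabels(&rpz->ip);
		break;
	case DNS_RPZ_TYPE_NSIP:
		ip_labels -= dns_name_countlabels(&rpz->nsip);
		break;
	default:
		INSIST(0);
	}
	/* … unchanged: "too short" check, label extraction and prefix parsing … */
```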
@@ -665,36 +742,37 @@ } } if (cp != end) { - badname(level, src_name, "", ""); + badname(log_level, src_name, "", ""); return (ISC_R_FAILURE); } /* * Check for 1s after the prefix length. */ - bits = (dns_rpz_cidr_bits_t)prefix; - while (bits < DNS_RPZ_CIDR_KEY_BITS) { + prefix = (dns_rpz_prefix_t)prefix_num; + while (prefix < DNS_RPZ_CIDR_KEY_BITS) { dns_rpz_cidr_word_t aword; - i = bits % DNS_RPZ_CIDR_WORD_BITS; - aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS]; + i = prefix % DNS_RPZ_CIDR_WORD_BITS; + aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS]; if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) { - badname(level, src_name, + badname(log_level, src_name, "; too small prefix length of ", prefix_str); return (ISC_R_FAILURE); } - bits -= i; - bits += DNS_RPZ_CIDR_WORD_BITS; + prefix -= i; + prefix += DNS_RPZ_CIDR_WORD_BITS; } /* - * Convert the address back to a canonical policy domain name - * to ensure that it is in canonical form. + * Convert the address back to a canonical domain name + * to ensure that the original name is in canonical form. */ - result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix, - type, NULL, ipname); - if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) { - badname(level, src_name, "; not canonical", ""); + dns_fixedname_init(&ip_name2f); + ip_name2 = dns_fixedname_name(&ip_name2f); + result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2); + if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) { + badname(log_level, src_name, "; not canonical", ""); return (ISC_R_FAILURE); } 
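Review bot: In the "Check for 1s after the prefix length" loop the cursor is now named `prefix`, but after the first iteration `prefix -= i; prefix += DNS_RPZ_CIDR_WORD_BITS;` moves it to the next word boundary, so it no longer holds the prefix length, which is why the ip2name call just below has to reach back to `prefix_num`. The old name `bits` did not invite that confusion; a loop-local cursor such as `dns_rpz_prefix_t bit = (dns_rpz_prefix_t)prefix_num;` with `while (bit < DNS_RPZ_CIDR_KEY_BITS)` keeps `prefix` meaning one thing throughout name2ipkey. The declaration of `prefix` sits in the earlier hunk of this function.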
@@ -702,10 +780,54 @@ } /* - * Find first differing bit. + * Get trigger name and data bits for adding or deleting summary NSDNAME + * or QNAME data. */ -static int -ffbit(dns_rpz_cidr_word_t w) { +static void +name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, const dns_name_t *src_name, + dns_name_t *trig_name, dns_rpz_nm_data_t *new_data) +{ + dns_rpz_zone_t *rpz; + dns_offsets_t tmp_name_offsets; + dns_name_t tmp_name; + unsigned int prefix_len, n; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * Handle wildcards by putting only the parent into the + * summary RBT. The summary database only causes a check of the + * real policy zone where wildcards will be handled. + */ + if (dns_name_iswildcard(src_name)) { + prefix_len = 1; + memset(&new_data->set, 0, sizeof(new_data->set)); + make_nm_set(&new_data->wild, rpz_num, rpz_type); + } else { + prefix_len = 0; + make_nm_set(&new_data->set, rpz_num, rpz_type); + memset(&new_data->wild, 0, sizeof(new_data->wild)); + } + + dns_name_init(&tmp_name, tmp_name_offsets); + n = dns_name_countlabels(src_name); + n -= prefix_len; + if (rpz_type == DNS_RPZ_TYPE_QNAME) + n -= dns_name_countlabels(&rpz->origin); + else + n -= dns_name_countlabels(&rpz->nsdname); + dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name); + (void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL); +} + +/* + * Find the first differing bit in a key (IP address) word. + */ +static inline int +ffs_keybit(dns_rpz_cidr_word_t w) { int bit; bit = DNS_RPZ_CIDR_WORD_BITS-1; 
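Review bot: name2data discards the result of dns_name_concatenate when it builds trig_name, so a failure (too-long name or no space) would leave trig_name in whatever state the call left it and add_name would still insert it into the summary RBT. The same call in dns_rpz_ready later in this diff is checked with INSIST; do the same here: `result = dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL); INSIST(result == ISC_R_SUCCESS);` with an `isc_result_t result;` local. Separately, `n` is unsigned and is reduced by prefix_len and the origin or nsdname label count without checking that src_name has at least that many labels; whether callers guarantee it cannot be seen from the hunk, so an `INSIST(n >= prefix_len + dns_name_countlabels(&rpz->origin))` style check before the subtraction would make the assumption explicit rather than letting a wrap reach dns_name_getlabelsequence.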
@@ -731,17 +853,17 @@ } /* - * Find the first differing bit in two keys. + * Find the first differing bit in two keys (IP addresses). */ static int -diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1, - const dns_rpz_cidr_key_t *key2, dns_rpz_cidr_bits_t bits2) +diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1, + const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2) { dns_rpz_cidr_word_t delta; - dns_rpz_cidr_bits_t maxbit, bit; + dns_rpz_prefix_t maxbit, bit; int i; - maxbit = ISC_MIN(bits1, bits2); + maxbit = ISC_MIN(prefix1, prefix2); /* * find the first differing words @@ -751,7 +873,7 @@ i++, bit += DNS_RPZ_CIDR_WORD_BITS) { delta = key1->w[i] ^ key2->w[i]; if (delta != 0) { - bit += ffbit(delta); + bit += ffs_keybit(delta); break; } } 
@@ -759,133 +881,170 @@ } /* + * Given a hit while searching the radix trees, + * clear all bits for higher numbered zones. + */ +static inline dns_rpz_zbits_t +trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) { + dns_rpz_zbits_t x; + + /* + * Isolate the first or smallest numbered hit bit. + * Make a mask of that bit and all smaller numbered bits. + */ + x = zbits & found; + x &= (~x + 1); + x = (x << 1) - 1; + return (zbits &= x); +} + +/* * Search a radix tree for an IP address for ordinary lookup * or for a CIDR block adding or deleting an entry - * The tree read (for simple search) or write lock must be held by the caller. * - * Return ISC_R_SUCCESS, ISC_R_NOTFOUND, DNS_R_PARTIALMATCH, ISC_R_EXISTS, - * ISC_R_NOMEMORY + * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND, + * and *found=longest match node + * or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY */ static isc_result_t -search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - isc_boolean_t create, - dns_rpz_cidr_node_t **found) /* NULL or longest match node */ +search(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + const dns_rpz_addr_zbits_t *tgt_set, isc_boolean_t create, + dns_rpz_cidr_node_t **found) { dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling; + dns_rpz_addr_zbits_t set; int cur_num, child_num; - dns_rpz_cidr_bits_t dbit; - dns_rpz_cidr_flags_t flags, data_flag; + dns_rpz_prefix_t dbit; isc_result_t find_result; - flags = get_flags(tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - + set = *tgt_set; find_result = ISC_R_NOTFOUND; - if (found != NULL) - *found = NULL; - cur = cidr->root; + *found = NULL; + cur = rpzs->cidr; parent = NULL; cur_num = 0; for (;;) { if (cur == NULL) { /* - * No child so we cannot go down. Fail or - * add the target as a child of the current parent. 
+ * No child so we cannot go down. + * Quit with whatever we already found + * or add the target as a child of the current parent. */ if (!create) return (find_result); - child = new_node(cidr, tgt_ip, tgt_prefix, 0); + child = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (child == NULL) return (ISC_R_NOMEMORY); if (parent == NULL) - cidr->root = child; + rpzs->cidr = child; else parent->child[cur_num] = child; child->parent = parent; - set_node_flags(child, type); - if (found != NULL) - *found = cur; + child->set.client_ip |= tgt_set->client_ip; + child->set.ip |= tgt_set->ip; + child->set.nsip |= tgt_set->nsip; + set_sum_pair(child); + *found = cur; return (ISC_R_SUCCESS); } - /* - * Pretend a node not in the correct tree does not exist - * if we are not adding to the tree, - * If we are adding, then continue down to eventually - * add a node and mark/put this node in the correct tree. - */ - if ((cur->flags & flags) == 0 && !create) - return (find_result); + if ((cur->sum.client_ip & set.client_ip) == 0 && + (cur->sum.ip & set.ip) == 0 && + (cur->sum.nsip & set.nsip) == 0) { + /* + * This node has no relevant data + * and is in none of the target trees. + * Pretend it does not exist if we are not adding. + * + * If we are adding, continue down to eventually add + * a node and mark/put this node in the correct tree. + */ + if (!create) + return (find_result); + } - dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->bits); + dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix); /* - * dbit <= tgt_prefix and dbit <= cur->bits always. + * dbit <= tgt_prefix and dbit <= cur->prefix always. * We are finished searching if we matched all of the target. */ if (dbit == tgt_prefix) { - if (tgt_prefix == cur->bits) { + if (tgt_prefix == cur->prefix) { /* - * The current node matches the target exactly. - * It is the answer if it has data. + * The node's key matches the target exactly. 
*/ - if ((cur->flags & data_flag) != 0) { - if (create) - return (ISC_R_EXISTS); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * It is the answer if it has data. + */ + *found = cur; + if (create) { + find_result = ISC_R_EXISTS; + } else { + find_result = ISC_R_SUCCESS; + } } else if (create) { /* - * The node had no data but does now. + * The node lacked relevant data, + * but will have it now. */ - set_node_flags(cur, type); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + cur->set.client_ip |= tgt_set->client_ip; + cur->set.ip |= tgt_set->ip; + cur->set.nsip |= tgt_set->nsip; + set_sum_pair(cur); + *found = cur; + find_result = ISC_R_SUCCESS; } return (find_result); } /* - * We know tgt_prefix < cur_bits which means that + * We know tgt_prefix < cur->prefix which means that * the target is shorter than the current node. * Add the target as the current node's parent. */ if (!create) return (find_result); - new_parent = new_node(cidr, tgt_ip, tgt_prefix, - cur->flags); + new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur); if (new_parent == NULL) return (ISC_R_NOMEMORY); new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1); new_parent->child[child_num] = cur; cur->parent = new_parent; - set_node_flags(new_parent, type); - if (found != NULL) - *found = new_parent; + new_parent->set = *tgt_set; + set_sum_pair(new_parent); + *found = new_parent; return (ISC_R_SUCCESS); } - if (dbit == cur->bits) { - /* - * We have a partial match by matching of all of the - * current node but only part of the target. - * Try to go down. 
- */ - if ((cur->flags & data_flag) != 0) { + if (dbit == cur->prefix) { + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * We have a partial match between of all of the + * current node but only part of the target. + * Continue searching for other hits in the + * same or lower numbered trees. + */ find_result = DNS_R_PARTIALMATCH; - if (found != NULL) - *found = cur; + *found = cur; + set.client_ip = trim_zbits(set.ip, + cur->set.client_ip); + set.ip = trim_zbits(set.ip, + cur->set.ip); + set.nsip = trim_zbits(set.nsip, + cur->set.nsip); } - parent = cur; cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); cur = cur->child[cur_num]; @@ -894,7 +1053,7 @@ /* - * dbit < tgt_prefix and dbit < cur->bits, + * dbit < tgt_prefix and dbit < cur->prefix, * so we failed to match both the target and the current node. * Insert a fork of a parent above the current node and * add the target as a sibling of the current node @@ -902,17 +1061,17 @@ if (!create) return (find_result); - sibling = new_node(cidr, tgt_ip, tgt_prefix, 0); + sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (sibling == NULL) return (ISC_R_NOMEMORY); - new_parent = new_node(cidr, tgt_ip, dbit, cur->flags); + new_parent = new_node(rpzs, tgt_ip, dbit, cur); if (new_parent == NULL) { - isc_mem_put(cidr->mctx, sibling, sizeof(*sibling)); + isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling)); return (ISC_R_NOMEMORY); } new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); 
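Review bot: In the DNS_R_PARTIALMATCH branch of search the client_ip set is trimmed from the wrong source: `set.client_ip = trim_zbits(set.ip, cur->set.client_ip);` feeds the ip bits into the client_ip mask, so after a partial hit the client_ip search set is replaced by ip-zone bits and a client_ip trigger in a lower-numbered zone under this node can be missed or attributed to the wrong zone. It should read `set.client_ip = trim_zbits(set.client_ip, cur->set.client_ip);`, parallel to the ip and nsip lines right after it. Also, `*found = NULL;` is now unconditional where the old code tolerated a NULL found, so a `REQUIRE(found != NULL);` at the top of search would state the new contract. search continues past the end of this hunk.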
@@ -920,129 +1079,670 @@ new_parent->child[1-child_num] = cur; cur->parent = new_parent; sibling->parent = new_parent; - set_node_flags(sibling, type); - if (found != NULL) - *found = sibling; + sibling->set = *tgt_set; + set_sum_pair(sibling); + *found = sibling; return (ISC_R_SUCCESS); } } /* - * Add an IP address to the radix tree of a response policy database. - * The tree write lock must be held by the caller. + * Add an IP address to the radix tree. */ -void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { - isc_result_t result; +static isc_result_t +add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - - REQUIRE(cidr != NULL); + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_cidr_node_t *found; + isc_result_t result; + result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &set); /* - * No worries if the new name is not an IP address. + * Log complaints about bad owner names but let the zone load. */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: - cidr->have_nsdname = ISC_TRUE; - return; - case DNS_RPZ_TYPE_QNAME: - case DNS_RPZ_TYPE_BAD: - return; - } - result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name, - type, &tgt_ip, &tgt_prefix); if (result != ISC_R_SUCCESS) - return; + return (ISC_R_SUCCESS); - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL); - if (result == ISC_R_EXISTS && - isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) - { - char printname[DNS_NAME_FORMATSIZE]; + result = search(rpzs, &tgt_ip, tgt_prefix, &set, ISC_TRUE, &found); + if (result != ISC_R_SUCCESS) { + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". 
*/ - dns_name_format(name, printname, sizeof(printname)); + dns_name_format(src_name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz add failed; \"%s\" is a duplicate name", - printname); + "rpz add_cidr(%s) failed: %s", + namebuf, isc_result_totext(result)); + return (result); } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_TRUE); + return (result); } -/* - * Delete an IP address from the radix tree of a response policy database. - * The tree write lock must be held by the caller. - */ -void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) { +static isc_result_t +add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name, + const dns_rpz_nm_data_t *new_data) +{ + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data; isc_result_t result; - dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - dns_rpz_cidr_node_t *tgt = NULL, *parent, *child; - dns_rpz_cidr_flags_t flags, data_flag; - if (cidr == NULL) - return; + nmnode = NULL; + result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode); + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_EXISTS: + nm_data = nmnode->data; + if (nm_data == NULL) { + nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data)); + if (nm_data == NULL) + return (ISC_R_NOMEMORY); + *nm_data = *new_data; + nmnode->data = nm_data; + return (ISC_R_SUCCESS); + } + break; + default: + return (result); + } /* - * Decide which kind of policy zone IP address it is, if either - * and then find its node. 
+ * Do not count bits that are already present */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: + if ((nm_data->set.qname & new_data->set.qname) != 0 || + (nm_data->set.ns & new_data->set.ns) != 0 || + (nm_data->wild.qname & new_data->wild.qname) != 0 || + (nm_data->wild.ns & new_data->wild.ns) != 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + /* - * We cannot easily count nsdnames because - * internal rbt nodes get deleted. + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ - return; + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz add_nm(%s): bits already set", namebuf); + return (ISC_R_EXISTS); + } + + nm_data->set.qname |= new_data->set.qname; + nm_data->set.ns |= new_data->set.ns; + nm_data->wild.qname |= new_data->wild.qname; + nm_data->wild.ns |= new_data->wild.ns; + return (ISC_R_SUCCESS); +} + +static isc_result_t +add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + dns_rpz_nm_data_t new_data; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data); + + result = add_nm(rpzs, trig_name, &new_data); + if (result == ISC_R_SUCCESS) + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE); + return (result); +} + +/* + * Callback to free the data for a node in the summary RBT database. + */ +static void +rpz_node_deleter(void *nm_data, void *mctx) { + isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t)); +} + +/* + * Get ready for a new set of policy zones. 
+ */ +isc_result_t +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) { + dns_rpz_zones_t *new; + isc_result_t result; + + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + + *rpzsp = NULL; + + new = isc_mem_get(mctx, sizeof(*new)); + if (new == NULL) + return (ISC_R_NOMEMORY); + memset(new, 0, sizeof(*new)); + + result = isc_mutex_init(&new->search_lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_mutex_init(&new->maint_lock); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt); + if (result != ISC_R_SUCCESS) { + isc_refcount_decrement(&new->refs, NULL); + isc_refcount_destroy(&new->refs); + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + isc_mem_attach(mctx, &new->mctx); + + *rpzsp = new; + return (ISC_R_SUCCESS); +} + +/* + * Free the radix tree of a response policy database. + */ +static void +cidr_free(dns_rpz_zones_t *rpzs) { + dns_rpz_cidr_node_t *cur, *child, *parent; + + cur = rpzs->cidr; + while (cur != NULL) { + /* Depth first. */ + child = cur->child[0]; + if (child != NULL) { + cur = child; + continue; + } + child = cur->child[1]; + if (child != NULL) { + cur = child; + continue; + } + + /* Delete this leaf and go up. */ + parent = cur->parent; + if (parent == NULL) + rpzs->cidr = NULL; + else + parent->child[parent->child[1] == cur] = NULL; + isc_mem_put(rpzs->mctx, cur, sizeof(*cur)); + cur = parent; + } +} + +/* + * Discard a response policy zone blob + * before discarding the overall rpz structure. 
+ */ +static void +rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) { + dns_rpz_zone_t *rpz; + unsigned int refs; + + rpz = *rpzp; + *rpzp = NULL; + isc_refcount_decrement(&rpz->refs, &refs); + if (refs != 0) + return; + isc_refcount_destroy(&rpz->refs); + + if (dns_name_dynamic(&rpz->origin)) + dns_name_free(&rpz->origin, rpzs->mctx); + if (dns_name_dynamic(&rpz->client_ip)) + dns_name_free(&rpz->client_ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->ip)) + dns_name_free(&rpz->ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsdname)) + dns_name_free(&rpz->nsdname, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsip)) + dns_name_free(&rpz->nsip, rpzs->mctx); + if (dns_name_dynamic(&rpz->passthru)) + dns_name_free(&rpz->passthru, rpzs->mctx); + if (dns_name_dynamic(&rpz->drop)) + dns_name_free(&rpz->drop, rpzs->mctx); + if (dns_name_dynamic(&rpz->tcp_only)) + dns_name_free(&rpz->tcp_only, rpzs->mctx); + if (dns_name_dynamic(&rpz->cname)) + dns_name_free(&rpz->cname, rpzs->mctx); + + isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz)); +} + +void +dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) { + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + isc_refcount_increment(&rpzs->refs, NULL); + *rpzsp = rpzs; +} + +/* + * Forget a view's policy zones. + */ +void +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) { + dns_rpz_zones_t *rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; + unsigned int refs; + + REQUIRE(rpzsp != NULL); + rpzs = *rpzsp; + REQUIRE(rpzs != NULL); + + *rpzsp = NULL; + isc_refcount_decrement(&rpzs->refs, &refs); + + /* + * Forget the last of view's rpz machinery after the last reference. 
+ */ + if (refs == 0) { + for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) { + rpz = rpzs->zones[rpz_num]; + rpzs->zones[rpz_num] = NULL; + if (rpz != NULL) + rpz_detach(&rpz, rpzs); + } + + cidr_free(rpzs); + dns_rbt_destroy(&rpzs->rbt); + DESTROYLOCK(&rpzs->maint_lock); + DESTROYLOCK(&rpzs->search_lock); + isc_refcount_destroy(&rpzs->refs); + isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs)); + } +} + +/* + * Create empty summary database to load one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) +{ + dns_rpz_zones_t *load_rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_zbits_t tgt; + isc_result_t result; + + REQUIRE(rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * When reloading a zone, there are usually records among the summary + * data for the zone. Some of those records might be deleted by the + * reloaded zone data. To deal with that case: + * reload the new zone data into a new blank summary database + * if the reload fails, discard the new summary database + * if the new zone data is acceptable, copy the records for the + * other zones into the new summary database and replace the + * old summary database with the new. + * + * At the first attempt to load a zone, there is no summary data + * for the zone and so no records that need to be deleted. + * This is also the most common case of policy zone loading. + * Most policy zone maintenance should be by incremental changes + * and so by the addition and deletion of individual records. + * Detect that case and load records the first time into the + * operational summary database + */ + tgt = DNS_RPZ_ZBIT(rpz_num); + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + if ((rpzs->load_begun & tgt) == 0) { + /* + * There is no existing version of the target zone. 
+ */ + rpzs->load_begun |= tgt; + dns_rpz_attach_rpzs(rpzs, load_rpzsp); + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + } else { + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx); + if (result != ISC_R_SUCCESS) + return (result); + load_rpzs = *load_rpzsp; + load_rpzs->p.num_zones = rpzs->p.num_zones; + load_rpzs->total_triggers = rpzs->total_triggers; + memcpy(load_rpzs->triggers, rpzs->triggers, + sizeof(load_rpzs->triggers)); + memset(&load_rpzs->triggers[rpz_num], 0, + sizeof(load_rpzs->triggers[rpz_num])); + load_rpzs->zones[rpz_num] = rpz; + isc_refcount_increment(&rpz->refs, NULL); + } + + return (ISC_R_SUCCESS); +} + +static void +fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + dns_rpz_num_t n; + const dns_rpz_zone_t *rpz; + dns_rpz_triggers_t old_totals; + dns_rpz_zbits_t zbit; + char namebuf[DNS_NAME_FORMATSIZE]; + +# define SET_TRIG(n, zbit, type) \ + if (rpzs->triggers[n].type == 0) { \ + rpzs->have.type &= ~zbit; \ + } else { \ + rpzs->total_triggers.type += rpzs->triggers[n].type; \ + rpzs->have.type |= zbit; \ + } + + memcpy(&old_totals, &rpzs->total_triggers, sizeof(old_totals)); + memset(&rpzs->total_triggers, 0, sizeof(rpzs->total_triggers)); + for (n = 0; n < rpzs->p.num_zones; ++n) { + rpz = rpzs->zones[n]; + zbit = DNS_RPZ_ZBIT(n); + SET_TRIG(n, zbit, client_ipv4); + SET_TRIG(n, zbit, client_ipv6); + SET_TRIG(n, zbit, qname); + SET_TRIG(n, zbit, ipv4); + SET_TRIG(n, zbit, ipv6); + SET_TRIG(n, zbit, nsdname); + SET_TRIG(n, zbit, nsipv4); + SET_TRIG(n, zbit, nsipv6); + } + + fix_qname_skip_recurse(rpzs); + + dns_name_format(&rpzs->zones[rpz_num]->origin, + namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL, + "(re)loading policy zone '%s' changed from" + " %d to %d qname, %d to %d nsdname," + " %d to %d IP, %d to %d NSIP entries", + namebuf, + old_totals.qname, rpzs->total_triggers.qname, 
+ old_totals.nsdname, rpzs->total_triggers.nsdname, + old_totals.ipv4 + old_totals.ipv6, + rpzs->total_triggers.ipv4 + rpzs->total_triggers.ipv6, + old_totals.nsipv4 + old_totals.nsipv6, + rpzs->total_triggers.nsipv4 + rpzs->total_triggers.nsipv6); + +# undef SET_TRIG +} + +/* + * Finish loading one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num) +{ + dns_rpz_zones_t *load_rpzs; + const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode; + dns_rpz_cidr_node_t *found; + dns_rpz_zbits_t new_bit; + dns_rpz_addr_zbits_t new_ip; + dns_rbt_t *rbt; + dns_rbtnodechain_t chain; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, new_data; + dns_fixedname_t labelf, originf, namef; + dns_name_t *label, *origin, *name; + isc_result_t result; + + INSIST(rpzs != NULL); + LOCK(&rpzs->maint_lock); + load_rpzs = *load_rpzsp; + INSIST(load_rpzs != NULL); + + if (load_rpzs == rpzs) { + /* + * This is a successful initial zone loading, + * perhaps for a new instance of a view. + */ + fix_triggers(rpzs, rpz_num); + UNLOCK(&rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + return (ISC_R_SUCCESS); + } + + LOCK(&load_rpzs->maint_lock); + LOCK(&load_rpzs->search_lock); + + /* + * Unless there is only one policy zone, copy the other policy zones + * from the old policy structure to the new summary databases. + */ + if (rpzs->p.num_zones > 1) { + new_bit = ~DNS_RPZ_ZBIT(rpz_num); + + /* + * Copy to the radix tree. 
+ */ + for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) { + new_ip.ip = cnode->set.ip & new_bit; + new_ip.client_ip = cnode->set.client_ip & new_bit; + new_ip.nsip = cnode->set.nsip & new_bit; + if (new_ip.client_ip != 0 || + new_ip.ip != 0 || + new_ip.nsip != 0) { + result = search(load_rpzs, + &cnode->ip, cnode->prefix, + &new_ip, ISC_TRUE, &found); + if (result == ISC_R_NOMEMORY) + goto unlock_and_detach; + INSIST(result == ISC_R_SUCCESS); + } + /* + * Do down and to the left as far as possible. + */ + next_cnode = cnode->child[0]; + if (next_cnode != NULL) + continue; + /* + * Go up until we find a branch to the right where + * we previously took the branch to the left. + */ + for (;;) { + parent_cnode = cnode->parent; + if (parent_cnode == NULL) + break; + if (parent_cnode->child[0] == cnode) { + next_cnode = parent_cnode->child[1]; + if (next_cnode != NULL) + break; + } + cnode = parent_cnode; + } + } + + /* + * Copy to the summary RBT. + */ + dns_fixedname_init(&namef); + name = dns_fixedname_name(&namef); + dns_fixedname_init(&labelf); + label = dns_fixedname_name(&labelf); + dns_fixedname_init(&originf); + origin = dns_fixedname_name(&originf); + dns_rbtnodechain_init(&chain, NULL); + result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL); + while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { + result = dns_rbtnodechain_current(&chain, label, origin, + &nmnode); + INSIST(result == ISC_R_SUCCESS); + nm_data = nmnode->data; + if (nm_data != NULL) { + new_data.set.qname = (nm_data->set.qname & + new_bit); + new_data.set.ns = nm_data->set.ns & new_bit; + new_data.wild.qname = (nm_data->wild.qname & + new_bit); + new_data.wild.ns = nm_data->wild.ns & new_bit; + if (new_data.set.qname != 0 || + new_data.set.ns != 0 || + new_data.wild.qname != 0 || + new_data.wild.ns != 0) { + result = dns_name_concatenate(label, + origin, name, NULL); + INSIST(result == ISC_R_SUCCESS); + result = add_nm(load_rpzs, name, + &new_data); + if (result != 
ISC_R_SUCCESS) + goto unlock_and_detach; + } + } + result = dns_rbtnodechain_next(&chain, NULL, NULL); + } + if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_ready(): unexpected %s", + isc_result_totext(result)); + goto unlock_and_detach; + } + } + + fix_triggers(load_rpzs, rpz_num); + + /* + * Exchange the summary databases. + */ + LOCK(&rpzs->search_lock); + + found = rpzs->cidr; + rpzs->cidr = load_rpzs->cidr; + load_rpzs->cidr = found; + + rbt = rpzs->rbt; + rpzs->rbt = load_rpzs->rbt; + load_rpzs->rbt = rbt; + + rpzs->total_triggers = load_rpzs->total_triggers; + + UNLOCK(&rpzs->search_lock); + + result = ISC_R_SUCCESS; + + unlock_and_detach: + UNLOCK(&rpzs->maint_lock); + UNLOCK(&load_rpzs->search_lock); + UNLOCK(&load_rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + return (result); +} + +/* + * Add an IP address to the radix tree or a name to the summary database. + */ +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name) +{ + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + isc_result_t result = ISC_R_FAILURE; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + result = add_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + result = add_cidr(rpzs, rpz_num, rpz_type, src_name); + break; case DNS_RPZ_TYPE_BAD: - return; + break; } + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + return (result); +} + +/* + * Remove an IP address from the radix tree. 
+ */ +static void +del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + isc_result_t result; + dns_rpz_cidr_key_t tgt_ip; + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t tgt_set; + dns_rpz_cidr_node_t *tgt, *parent, *child; + /* - * Do not get excited about the deletion of interior rbt nodes. + * Do not worry about invalid rpz IP address names. If we + * are here, then something relevant was added and so was + * valid. Invalid names here are usually internal RBTDB nodes. */ - result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name, - type, &tgt_ip, &tgt_prefix); + result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &tgt_set); if (result != ISC_R_SUCCESS) return; - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt); + result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, ISC_FALSE, &tgt); if (result != ISC_R_SUCCESS) { - badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", ""); + INSIST(result == ISC_R_NOTFOUND || + result == DNS_R_PARTIALMATCH); + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ return; } /* * Mark the node and its parents to reflect the deleted IP address. + * Do not count bits that are already clear for internal RBTDB nodes. 
*/ - flags = get_flags(&tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - tgt->flags &= ~data_flag; - for (parent = tgt; parent != NULL; parent = parent->parent) { - if ((parent->flags & data_flag) != 0 || - (parent->child[0] != NULL && - (parent->child[0]->flags & flags) != 0) || - (parent->child[1] != NULL && - (parent->child[1]->flags & flags) != 0)) - break; - parent->flags &= ~flags; - } + tgt_set.client_ip &= tgt->set.client_ip; + tgt_set.ip &= tgt->set.ip; + tgt_set.nsip &= tgt->set.nsip; + tgt->set.client_ip &= ~tgt_set.client_ip; + tgt->set.ip &= ~tgt_set.ip; + tgt->set.nsip &= ~tgt_set.nsip; + set_sum_pair(tgt); + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_FALSE); /* * We might need to delete 2 nodes. @@ -1054,13 +1754,14 @@ */ if ((child = tgt->child[0]) != NULL) { if (tgt->child[1] != NULL) - return; + break; } else { child = tgt->child[1]; } - if ((tgt->flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA)) != 0) - return; + if (tgt->set.client_ip != 0 || + tgt->set.ip != 0 || + tgt->set.nsip != 0) + break; /* * Replace the pointer to this node in the parent with @@ -1068,7 +1769,7 @@ */ parent = tgt->parent; if (parent == NULL) { - cidr->root = child; + rpzs->cidr = child; } else { parent->child[parent->child[1] == tgt] = child; } 
@@ -1077,26 +1778,144 @@ */ if (child != NULL) child->parent = parent; - isc_mem_put(cidr->mctx, tgt, sizeof(*tgt)); + isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt)); tgt = parent; } while (tgt != NULL); } +static void +del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, del_data; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data); + + /* + * No need for a summary database of names with only 1 policy zone. + */ + if (rpzs->p.num_zones <= 1) { + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); + return; + } + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0, + NULL, NULL); + if (result != ISC_R_SUCCESS) { + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ + if (result == ISC_R_NOTFOUND) + return; + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node search failed: %s", + namebuf, isc_result_totext(result)); + return; + } + + nm_data = nmnode->data; + INSIST(nm_data != NULL); + + /* + * Do not count bits that next existed for RBT nodes that would we + * would not have found in a summary for a single RBTDB tree. 
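Review bot: The node-emptiness test `tgt->set.client_ip != 0 || tgt->set.ip != 0 || tgt->set.nsip != 0` that replaces the old flags check is another hand-written copy of the same three-field test used in this patch (dns_rpz_ready's radix copy loop tests the negation on `new_ip`), so a small helper such as `static inline isc_boolean_t addr_set_empty(const dns_rpz_addr_zbits_t *s) { return ((s->client_ip | s->ip | s->nsip) == 0 ? ISC_TRUE : ISC_FALSE); }` would keep the copies in step when a further trigger class is added. Replacing `return` with `break` is only equivalent because nothing follows the do/while in del_cidr; a one-line comment `/* break rather than return: the loop is the last statement */` spares the next reader that check. del_cidr begins in the preceding hunk and the loop's tail lies in the following one.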
+ */ + del_data.set.qname &= nm_data->set.qname; + del_data.set.ns &= nm_data->set.ns; + del_data.wild.qname &= nm_data->wild.qname; + del_data.wild.ns &= nm_data->wild.ns; + + nm_data->set.qname &= ~del_data.set.qname; + nm_data->set.ns &= ~del_data.set.ns; + nm_data->wild.qname &= ~del_data.wild.qname; + nm_data->wild.ns &= ~del_data.wild.ns; + + if (nm_data->set.qname == 0 && nm_data->set.ns == 0 && + nm_data->wild.qname == 0 && nm_data->wild.ns == 0) { + result = dns_rbt_deletenode(rpzs->rbt, nmnode, ISC_FALSE); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node delete failed: %s", + namebuf, isc_result_totext(result)); + } + } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); +} + /* - * Caller must hold tree lock. - * Return ISC_R_NOTFOUND - * or ISC_R_SUCCESS and the found entry's canonical and search names - * and its prefix length + * Remove an IP address from the radix tree or a name from the summary database. 
*/ -isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix) +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_name_t *src_name) { + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { + case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + del_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + del_cidr(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_BAD: + break; + } + + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); +} + +/* + * Search the summary radix tree to get a relative owner name in a + * policy zone relevant to a triggering IP address. + * rpz_type and zbits limit the search for IP address netaddr + * return the policy zone's number or DNS_RPZ_INVALID_NUM + * ip_name is the relative owner name found and + * *prefixp is its prefix length. + */ +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp) { dns_rpz_cidr_key_t tgt_ip; - isc_result_t result; + dns_rpz_addr_zbits_t tgt_set; dns_rpz_cidr_node_t *found; + isc_result_t result; + dns_rpz_num_t rpz_num; int i; /* 
@@ -1107,29 +1926,163 @@ tgt_ip.w[1] = 0; tgt_ip.w[2] = ADDR_V4MAPPED; tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr); + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv4; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv4; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv4; + break; + default: + INSIST(0); + break; + } } else if (netaddr->family == AF_INET6) { dns_rpz_cidr_key_t src_ip6; /* * Given the int aligned struct in_addr member of netaddr->type * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *, - * but there are objections. + * but some people object. */ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); for (i = 0; i < 4; i++) { tgt_ip.w[i] = ntohl(src_ip6.w[i]); } + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv6; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv6; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv6; + break; + default: + INSIST(0); + break; + } } else { - return (ISC_R_NOTFOUND); + return (DNS_RPZ_INVALID_NUM); } - result = search(cidr, &tgt_ip, 128, type, ISC_FALSE, &found); - if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH) - return (result); + if (zbits == 0) + return (DNS_RPZ_INVALID_NUM); + make_addr_set(&tgt_set, zbits, rpz_type); + + LOCK(&rpzs->search_lock); + result = search(rpzs, &tgt_ip, 128, &tgt_set, ISC_FALSE, &found); + if (result == ISC_R_NOTFOUND) { + /* + * There are no eligible zones for this IP address. + */ + UNLOCK(&rpzs->search_lock); + return (DNS_RPZ_INVALID_NUM); + } - *prefix = found->bits; - return (ip2name(cidr, &found->ip, found->bits, type, - canon_name, search_name)); + /* + * Construct the trigger name for the longest matching trigger + * in the first eligible zone with a match. 
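Review bot: The comment in del_name above the four `&=` masking lines is garbled ("Do not count bits that next existed for RBT nodes that would we would not have found in a summary for a single RBTDB tree") and should state what the code does: `/* Clear only the bits this summary node actually carries; a name that was never recorded here (an internal RBTDB node) has nothing to remove. */`. When dns_rbt_deletenode() fails the error is logged but adj_trigger_cnt() still runs, leaving an all-zero summary node behind; since dns_rpz_find_name only ORs a node's bits into the result, such a node is harmless, and a short comment saying so would make the log-and-continue choice look deliberate rather than accidental. dns_rpz_delete's switch has no `default:`, so a new dns_rpz_type_t value would silently do nothing while both locks are held; `default: INSIST(0);` would match the switches in dns_rpz_find_ip. dns_rpz_find_ip starts at the end of this hunk and continues in the next.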
+ */ + *prefixp = found->prefix; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip); + break; + case DNS_RPZ_TYPE_IP: + rpz_num = zbit_to_num(found->set.ip & tgt_set.ip); + break; + case DNS_RPZ_TYPE_NSIP: + rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip); + break; + default: + INSIST(0); + break; + } + result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name); + UNLOCK(&rpzs->search_lock); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz ip2name() failed: %s", + isc_result_totext(result)); + return (DNS_RPZ_INVALID_NUM); + } + return (rpz_num); +} + +/* + * Search the summary radix tree for policy zones with triggers matching + * a name. + */ +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_rbtnode_t *nmnode; + const dns_rpz_nm_data_t *nm_data; + dns_rpz_zbits_t found_zbits; + isc_result_t result; + + if (zbits == 0) + return (0); + + found_zbits = 0; + + LOCK(&rpzs->search_lock); + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, + DNS_RBTFIND_EMPTYDATA, NULL, NULL); + switch (result) { + case ISC_R_SUCCESS: + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits = nm_data->set.qname; + else + found_zbits = nm_data->set.ns; + } + nmnode = nmnode->parent; + /* fall thru */ + case DNS_R_PARTIALMATCH: + while (nmnode != NULL) { + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits |= nm_data->wild.qname; + else + found_zbits |= nm_data->wild.ns; + } + nmnode = nmnode->parent; + } + break; + + case ISC_R_NOTFOUND: + break; + + default: + /* + * bin/tests/system/rpz/tests.sh 
looks for "rpz.*failed". + */ + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_find_name(%s) failed: %s", + namebuf, isc_result_totext(result)); + break; + } + + UNLOCK(&rpzs->search_lock); + return (zbits & found_zbits); } /* @@ -1144,10 +2097,10 @@ isc_result_t result; result = dns_rdataset_first(rdataset); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); /* @@ -1174,7 +2127,19 @@ } /* - * CNAME PASSTHRU.origin means "do not rewrite. + * CNAME rpz-tcp-only. means "send truncated UDP responses." + */ + if (dns_name_equal(&cname.cname, &rpz->tcp_only)) + return (DNS_RPZ_POLICY_TCP_ONLY); + + /* + * CNAME rpz-drop. means "do not respond." + */ + if (dns_name_equal(&cname.cname, &rpz->drop)) + return (DNS_RPZ_POLICY_DROP); + + /* + * CNAME rpz-passthru. means "do not rewrite." */ if (dns_name_equal(&cname.cname, &rpz->passthru)) return (DNS_RPZ_POLICY_PASSTHRU); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rrl.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rrl.c 
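Review bot: dns_rpz_find_ip tests the result of search() only against ISC_R_NOTFOUND before dereferencing `found->prefix` and `found->set` under the search lock, so any other failure would use an unset pointer; del_cidr in this same file asserts the expected outcomes after its own search() call, and the matching guard here is `INSIST(result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH);` placed right after the NOTFOUND branch. Whether search() can fail in other ways when create is ISC_FALSE is not visible in this hunk (dns_rpz_ready checks ISC_R_NOMEMORY only for a create=ISC_TRUE call), so this may be defensive rather than a live bug. In the same function `rpz_num` is assigned only inside the switch and the `default: INSIST(0)` arm does not return, so initialising it with `rpz_num = DNS_RPZ_INVALID_NUM;` at its declaration avoids a maybe-uninitialized warning in -Werror builds. dns_rpz_find_ip begins in the previous hunk.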
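Review bot: The rewritten comment changes the documented passthru target from `PASSTHRU.origin` to the root-level `rpz-passthru.`, and the two new special targets `rpz-tcp-only.` and `rpz-drop.` follow the same absolute form; if the initialisation of `rpz->passthru` changed accordingly (it is outside this hunk), policy zones written with the old `PASSTHRU.<origin>` spelling would no longer match here and would presumably be treated as ordinary CNAME rewrites, which deserves a comment at this point and a changelog note. A short why-comment on the TCP_ONLY case would also help, e.g. `/* TC makes genuine clients retry over TCP, which a spoofed-source query cannot do */`, hedged on how the caller handles DNS_RPZ_POLICY_TCP_ONLY since that is not visible here. The enclosing function begins and ends outside this hunk.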
@@ -0,0 +1,1324 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/*! \file */ + +/* + * Rate limit DNS responses. + */ + +/* #define ISC_LIST_CHECKINIT */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len); + +/* + * Get a modulus for a hash function that is tolerably likely to be + * relatively prime to most inputs. Of course, we get a prime for for initial + * values not larger than the square of the last prime. We often get a prime + * after that. + * This works well in practice for hash tables up to at least 100 + * times the square of the last prime and better than a multiplicative hash. 
+ */ +static int +hash_divisor(unsigned int initial) { + static isc_uint16_t primes[] = { + 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, + 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, +#if 0 + 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, + 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, + 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, + 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, + 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, + 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, + 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, + 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, + 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, + 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, + 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, + 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,1009, +#endif + }; + int divisions, tries; + unsigned int result; + isc_uint16_t *pp, p; + + result = initial; + + if (primes[sizeof(primes)/sizeof(primes[0])-1] >= result) { + pp = primes; + while (*pp < result) + ++pp; + return (*pp); + } + + if ((result & 1) == 0) + ++result; + + divisions = 0; + tries = 1; + pp = primes; + do { + p = *pp++; + ++divisions; + if ((result % p) == 0) { + ++tries; + result += 2; + pp = primes; + } + } while (pp < &primes[sizeof(primes) / sizeof(primes[0])]); + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "%d hash_divisor() divisions in %d tries" + " to get %d from %d", + divisions, tries, result, initial); + + return (result); +} + +/* + * Convert a timestamp to a number of seconds in the past. + */ +static inline int +delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) { + int delta; + + delta = now - ts; + if (delta >= 0) + return (delta); + + /* + * The timestamp is in the future. 
That future might result from + * re-ordered requests, because we use timestamps on requests + * instead of consulting a clock. Timestamps in the distant future are + * assumed to result from clock changes. When the clock changes to + * the past, make existing timestamps appear to be in the past. + */ + if (delta < -DNS_RRL_MAX_TIME_TRAVEL) + return (DNS_RRL_FOREVER); + return (0); +} + +static inline int +get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) { + if (!e->ts_valid) + return (DNS_RRL_FOREVER); + return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now)); +} + +static inline void +set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) { + dns_rrl_entry_t *e_old; + unsigned int ts_gen; + int i, ts; + + ts_gen = rrl->ts_gen; + ts = now - rrl->ts_bases[ts_gen]; + if (ts < 0) { + if (ts < -DNS_RRL_MAX_TIME_TRAVEL) + ts = DNS_RRL_FOREVER; + else + ts = 0; + } + + /* + * Make a new timestamp base if the current base is too old. + * All entries older than DNS_RRL_MAX_WINDOW seconds are ancient, + * useless history. Their timestamps can be treated as if they are + * all the same. + * We only do arithmetic on more recent timestamps, so bases for + * older timestamps can be recycled provided the old timestamps are + * marked as ancient history. + * This loop is almost always very short because most entries are + * recycled after one second and any entries that need to be marked + * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds. 
+ */ + if (ts >= DNS_RRL_MAX_TS) { + ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES; + for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0; + e_old != NULL && (e_old->ts_gen == ts_gen || + !ISC_LINK_LINKED(e_old, hlink)); + e_old = ISC_LIST_PREV(e_old, lru), ++i) + { + e_old->ts_valid = ISC_FALSE; + } + if (i != 0) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "rrl new time base scanned %d entries" + " at %d for %d %d %d %d", + i, now, rrl->ts_bases[ts_gen], + rrl->ts_bases[(ts_gen + 1) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 2) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 3) % + DNS_RRL_TS_BASES]); + rrl->ts_gen = ts_gen; + rrl->ts_bases[ts_gen] = now; + ts = 0; + } + + e->ts_gen = ts_gen; + e->ts = ts; + e->ts_valid = ISC_TRUE; +} + +static isc_result_t +expand_entries(dns_rrl_t *rrl, int new) { + unsigned int bsize; + dns_rrl_block_t *b; + dns_rrl_entry_t *e; + double rate; + int i; + + if (rrl->num_entries+new >= rrl->max_entries && rrl->max_entries != 0) { + if (rrl->num_entries >= rrl->max_entries) + return (ISC_R_SUCCESS); + new = rrl->max_entries - rrl->num_entries; + if (new <= 0) + return (ISC_R_NOMEMORY); + } + + /* + * Log expansions so that the user can tune max-table-size + * and min-table-size. 
+ */ + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && + rrl->hash != NULL) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL entries with" + " %d bins; average search length %.1f", + rrl->num_entries, rrl->num_entries+new, + rrl->hash->length, rate); + } + + bsize = sizeof(dns_rrl_block_t) + (new-1)*sizeof(dns_rrl_entry_t); + b = isc_mem_get(rrl->mctx, bsize); + if (b == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for RRL entries", + bsize); + return (ISC_R_NOMEMORY); + } + memset(b, 0, bsize); + b->size = bsize; + + e = b->entries; + for (i = 0; i < new; ++i, ++e) { + ISC_LINK_INIT(e, hlink); + ISC_LIST_INITANDAPPEND(rrl->lru, e, lru); + } + rrl->num_entries += new; + ISC_LIST_INITANDAPPEND(rrl->blocks, b, link); + + return (ISC_R_SUCCESS); +} + +static inline dns_rrl_bin_t * +get_bin(dns_rrl_hash_t *hash, unsigned int hval) { + return (&hash->bins[hval % hash->length]); +} + +static void +free_old_hash(dns_rrl_t *rrl) { + dns_rrl_hash_t *old_hash; + dns_rrl_bin_t *old_bin; + dns_rrl_entry_t *e, *e_next; + + old_hash = rrl->old_hash; + for (old_bin = &old_hash->bins[0]; + old_bin < &old_hash->bins[old_hash->length]; + ++old_bin) + { + for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) { + e_next = ISC_LIST_NEXT(e, hlink); + ISC_LINK_INIT(e, hlink); + } + } + + isc_mem_put(rrl->mctx, old_hash, + sizeof(*old_hash) + + (old_hash->length - 1) * sizeof(old_hash->bins[0])); + rrl->old_hash = NULL; +} + +static isc_result_t +expand_rrl_hash(dns_rrl_t *rrl, isc_stdtime_t now) { + dns_rrl_hash_t *hash; + int old_bins, new_bins, hsize; + double rate; + + if (rrl->old_hash != NULL) + free_old_hash(rrl); + + /* + * Most searches fail and so go to the end of the chain. + * Use a small hash table load factor. 
+ */ + old_bins = (rrl->hash == NULL) ? 0 : rrl->hash->length; + new_bins = old_bins/8 + old_bins; + if (new_bins < rrl->num_entries) + new_bins = rrl->num_entries; + new_bins = hash_divisor(new_bins); + + hsize = sizeof(dns_rrl_hash_t) + (new_bins-1)*sizeof(hash->bins[0]); + hash = isc_mem_get(rrl->mctx, hsize); + if (hash == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for" + " RRL hash table", + hsize); + return (ISC_R_NOMEMORY); + } + memset(hash, 0, hsize); + hash->length = new_bins; + rrl->hash_gen ^= 1; + hash->gen = rrl->hash_gen; + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && old_bins != 0) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL bins for" + " %d entries; average search length %.1f", + old_bins, new_bins, rrl->num_entries, rate); + } + + rrl->old_hash = rrl->hash; + if (rrl->old_hash != NULL) + rrl->old_hash->check_time = now; + rrl->hash = hash; + + return (ISC_R_SUCCESS); +} + +static void +ref_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, int probes, isc_stdtime_t now) { + /* + * Make the entry most recently used. + */ + if (ISC_LIST_HEAD(rrl->lru) != e) { + if (e == rrl->last_logged) + rrl->last_logged = ISC_LIST_PREV(e, lru); + ISC_LIST_UNLINK(rrl->lru, e, lru); + ISC_LIST_PREPEND(rrl->lru, e, lru); + } + + /* + * Expand the hash table if it is time and necessary. + * This will leave the newly referenced entry in a chain in the + * old hash table. It will migrate to the new hash table the next + * time it is used or be cut loose when the old hash table is destroyed. 
+ */ + rrl->probes += probes; + ++rrl->searches; + if (rrl->searches > 100 && + delta_rrl_time(rrl->hash->check_time, now) > 1) { + if (rrl->probes/rrl->searches > 2) + expand_rrl_hash(rrl, now); + rrl->hash->check_time = now; + rrl->probes = 0; + rrl->searches = 0; + } +} + +static inline isc_boolean_t +key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) { + if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0) + return (ISC_TRUE); + return (ISC_FALSE); +} + +static inline isc_uint32_t +hash_key(const dns_rrl_key_t *key) { + isc_uint32_t hval; + int i; + + hval = key->w[0]; + for (i = sizeof(*key) / sizeof(key->w[0]) - 1; i >= 0; --i) { + hval = key->w[i] + (hval<<1); + } + return (hval); +} + +/* + * Construct the hash table key. + * Use a hash of the DNS query name to save space in the database. + * Collisions result in legitimate rate limiting responses for one + * query name also limiting responses for other names to the + * same client. This is rare and benign enough given the large + * space costs compared to keeping the entire name in the database + * entry or the time costs of dynamic allocation. + */ +static void +make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key, + const isc_sockaddr_t *client_addr, + dns_rdatatype_t qtype, dns_name_t *qname, dns_rdataclass_t qclass, + dns_rrl_rtype_t rtype) +{ + dns_name_t base; + dns_offsets_t base_offsets; + int labels, i; + + memset(key, 0, sizeof(*key)); + + key->s.rtype = rtype; + if (rtype == DNS_RRL_RTYPE_QUERY) { + key->s.qtype = qtype; + key->s.qclass = qclass & 0xff; + } else if (rtype == DNS_RRL_RTYPE_REFERRAL || + rtype == DNS_RRL_RTYPE_NODATA) { + /* + * Because there is no qtype in the empty answer sections of + * referral and NODATA responses, count them as the same. + */ + key->s.qclass = qclass & 0xff; + } + + if (qname != NULL && qname->labels != 0) { + /* + * Ignore the first label of wildcards. 
+ */ + if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 && + (labels = dns_name_countlabels(qname)) > 1) + { + dns_name_init(&base, base_offsets); + dns_name_getlabelsequence(qname, 1, labels-1, &base); + key->s.qname_hash = dns_name_hashbylabel(&base, + ISC_FALSE); + } else { + key->s.qname_hash = dns_name_hashbylabel(qname, + ISC_FALSE); + } + } + + switch (client_addr->type.sa.sa_family) { + case AF_INET: + key->s.ip[0] = (client_addr->type.sin.sin_addr.s_addr & + rrl->ipv4_mask); + break; + case AF_INET6: + key->s.ipv6 = ISC_TRUE; + memcpy(key->s.ip, &client_addr->type.sin6.sin6_addr, + sizeof(key->s.ip)); + for (i = 0; i < DNS_RRL_MAX_PREFIX/32; ++i) + key->s.ip[i] &= rrl->ipv6_mask[i]; + break; + } +} + +static inline dns_rrl_rate_t * +get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) { + switch (rtype) { + case DNS_RRL_RTYPE_QUERY: + return (&rrl->responses_per_second); + case DNS_RRL_RTYPE_REFERRAL: + return (&rrl->referrals_per_second); + case DNS_RRL_RTYPE_NODATA: + return (&rrl->nodata_per_second); + case DNS_RRL_RTYPE_NXDOMAIN: + return (&rrl->nxdomains_per_second); + case DNS_RRL_RTYPE_ERROR: + return (&rrl->errors_per_second); + case DNS_RRL_RTYPE_ALL: + return (&rrl->all_per_second); + default: + INSIST(0); + } + return (NULL); +} + +static int +response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) { + dns_rrl_rate_t *ratep; + int balance, rate; + + if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) { + rate = 1; + } else { + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->scaled; + } + + balance = e->responses + age * rate; + if (balance > rate) + balance = rate; + return (balance); +} + +/* + * Search for an entry for a response and optionally create it. 
+ */ +static dns_rrl_entry_t * +get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, dns_name_t *qname, + dns_rrl_rtype_t rtype, isc_stdtime_t now, isc_boolean_t create, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_key_t key; + isc_uint32_t hval; + dns_rrl_entry_t *e; + dns_rrl_hash_t *hash; + dns_rrl_bin_t *new_bin, *old_bin; + int probes, age; + + make_key(rrl, &key, client_addr, qtype, qname, qclass, rtype); + hval = hash_key(&key); + + /* + * Look for the entry in the current hash table. + */ + new_bin = get_bin(rrl->hash, hval); + probes = 1; + e = ISC_LIST_HEAD(*new_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ref_entry(rrl, e, probes, now); + return (e); + } + ++probes; + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Look in the old hash table. + */ + if (rrl->old_hash != NULL) { + old_bin = get_bin(rrl->old_hash, hval); + e = ISC_LIST_HEAD(*old_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ISC_LIST_UNLINK(*old_bin, e, hlink); + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + ref_entry(rrl, e, probes, now); + return (e); + } + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Discard prevous hash table when all of its entries are old. + */ + age = delta_rrl_time(rrl->old_hash->check_time, now); + if (age > rrl->window) + free_old_hash(rrl); + } + + if (!create) + return (NULL); + + /* + * The entry does not exist, so create it by finding a free entry. + * Keep currently penalized and logged entries. + * Try to make more entries if none are idle. + * Steal the oldest entry if we cannot create more. 
+ */ + for (e = ISC_LIST_TAIL(rrl->lru); + e != NULL; + e = ISC_LIST_PREV(e, lru)) + { + if (!ISC_LINK_LINKED(e, hlink)) + break; + age = get_age(rrl, e, now); + if (age <= 1) { + e = NULL; + break; + } + if (!e->logged && response_balance(rrl, e, age) > 0) + break; + } + if (e == NULL) { + expand_entries(rrl, ISC_MIN((rrl->num_entries+1)/2, 1000)); + e = ISC_LIST_TAIL(rrl->lru); + } + if (e->logged) + log_end(rrl, e, ISC_TRUE, log_buf, log_buf_len); + if (ISC_LINK_LINKED(e, hlink)) { + if (e->hash_gen == rrl->hash_gen) + hash = rrl->hash; + else + hash = rrl->old_hash; + old_bin = get_bin(hash, hash_key(&e->key)); + ISC_LIST_UNLINK(*old_bin, e, hlink); + } + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + e->key = key; + e->ts_valid = ISC_FALSE; + ref_entry(rrl, e, probes, now); + return (e); +} + +static void +debit_log(const dns_rrl_entry_t *e, int age, const char *action) { + char buf[sizeof("age=12345678")]; + const char *age_str; + + if (age == DNS_RRL_FOREVER) { + age_str = ""; + } else { + snprintf(buf, sizeof(buf), "age=%d", age); + age_str = buf; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "rrl %08x %6s responses=%-3d %s", + hash_key(&e->key), age_str, e->responses, action); +} + +static inline dns_rrl_result_t +debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale, + const isc_sockaddr_t *client_addr, isc_stdtime_t now, + char *log_buf, unsigned int log_buf_len) +{ + int rate, new_rate, slip, new_slip, age, log_secs, min; + dns_rrl_rate_t *ratep; + dns_rrl_entry_t const *credit_e; + + /* + * Pick the rate counter. + * Optionally adjust the rate by the estimated query/second rate. + */ + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->r; + if (rate == 0) + return (DNS_RRL_RESULT_OK); + + if (scale < 1.0) { + /* + * The limit for clients that have used TCP is not scaled. 
+ */ + credit_e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_FALSE, + log_buf, log_buf_len); + if (credit_e != NULL) { + age = get_age(rrl, e, now); + if (age < rrl->window) + scale = 1.0; + } + } + if (scale < 1.0) { + new_rate = (int) (rate * scale); + if (new_rate < 1) + new_rate = 1; + if (ratep->scaled != new_rate) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled %s by %.2f" + " from %d to %d", + (int)qps, ratep->str, scale, + rate, new_rate); + rate = new_rate; + ratep->scaled = rate; + } + } + + min = -rrl->window * rate; + + /* + * Treat time jumps into the recent past as no time. + * Treat entries older than the window as if they were just created + * Credit other entries. + */ + age = get_age(rrl, e, now); + if (age > 0) { + /* + * Credit tokens earned during elapsed time. + */ + if (age > rrl->window) { + e->responses = rate; + e->slip_cnt = 0; + } else { + e->responses += rate*age; + if (e->responses > rate) { + e->responses = rate; + e->slip_cnt = 0; + } + } + /* + * Find the seconds since last log message without overflowing + * small counter. This counter is reset when an entry is + * created. It is not necessarily reset when some requests + * are answered provided other requests continue to be dropped + * or slipped. This can happen when the request rate is just + * at the limit. + */ + if (e->logged) { + log_secs = e->log_secs; + log_secs += age; + if (log_secs > DNS_RRL_MAX_LOG_SECS || log_secs < 0) + log_secs = DNS_RRL_MAX_LOG_SECS; + e->log_secs = log_secs; + } + } + set_age(rrl, e, now); + + /* + * Debit the entry for this response. + */ + if (--e->responses >= 0) { + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, ""); + return (DNS_RRL_RESULT_OK); + } + + if (e->responses < min) + e->responses = min; + + /* + * Drop this response unless it should slip or leak. 
+ */ + slip = rrl->slip.r; + if (slip > 2 && scale < 1.0) { + new_slip = (int) (slip * scale); + if (new_slip < 2) + new_slip = 2; + if (rrl->slip.scaled != new_slip) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled slip" + " by %.2f from %d to %d", + (int)qps, scale, + slip, new_slip); + slip = new_slip; + rrl->slip.scaled = slip; + } + } + if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) { + if (e->slip_cnt++ == 0) { + if ((int) e->slip_cnt >= slip) + e->slip_cnt = 0; + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "slip"); + return (DNS_RRL_RESULT_SLIP); + } else if ((int) e->slip_cnt >= slip) { + e->slip_cnt = 0; + } + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "drop"); + return (DNS_RRL_RESULT_DROP); +} + +static inline dns_rrl_qname_buf_t * +get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = rrl->qnames[e->log_qname]; + if (qbuf == NULL || qbuf->e != e) + return (NULL); + return (qbuf); +} + +static inline void +free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = get_qname(rrl, e); + if (qbuf != NULL) { + qbuf->e = NULL; + ISC_LIST_APPEND(rrl->qname_free, qbuf, link); + } +} + +static void +add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) { + isc_region_t region; + + isc_buffer_availableregion(lb, ®ion); + if (str_len >= region.length) { + if (region.length <= 0) + return; + str_len = region.length; + } + memcpy(region.base, str, str_len); + isc_buffer_add(lb, str_len); +} + +#define ADD_LOG_CSTR(eb, s) add_log_str(eb, s, sizeof(s)-1) + +/* + * Build strings for the logs + */ +static void +make_log_buf(dns_rrl_t *rrl, dns_rrl_entry_t *e, + const char *str1, const char *str2, isc_boolean_t plural, + dns_name_t *qname, isc_boolean_t save_qname, + dns_rrl_result_t rrl_result, isc_result_t resp_result, + char *log_buf, unsigned int 
log_buf_len) +{ + isc_buffer_t lb; + dns_rrl_qname_buf_t *qbuf; + isc_netaddr_t cidr; + char strbuf[ISC_MAX(sizeof("/123"), sizeof(" (12345678)"))]; + const char *rstr; + isc_result_t msg_result; + + if (log_buf_len <= 1) { + if (log_buf_len == 1) + log_buf[0] = '\0'; + return; + } + isc_buffer_init(&lb, log_buf, log_buf_len-1); + + if (str1 != NULL) + add_log_str(&lb, str1, strlen(str1)); + if (str2 != NULL) + add_log_str(&lb, str2, strlen(str2)); + + switch (rrl_result) { + case DNS_RRL_RESULT_OK: + break; + case DNS_RRL_RESULT_DROP: + ADD_LOG_CSTR(&lb, "drop "); + break; + case DNS_RRL_RESULT_SLIP: + ADD_LOG_CSTR(&lb, "slip "); + break; + default: + INSIST(0); + break; + } + + switch (e->key.s.rtype) { + case DNS_RRL_RTYPE_QUERY: + break; + case DNS_RRL_RTYPE_REFERRAL: + ADD_LOG_CSTR(&lb, "referral "); + break; + case DNS_RRL_RTYPE_NODATA: + ADD_LOG_CSTR(&lb, "NODATA "); + break; + case DNS_RRL_RTYPE_NXDOMAIN: + ADD_LOG_CSTR(&lb, "NXDOMAIN "); + break; + case DNS_RRL_RTYPE_ERROR: + if (resp_result == ISC_R_SUCCESS) { + ADD_LOG_CSTR(&lb, "error "); + } else { + rstr = isc_result_totext(resp_result); + add_log_str(&lb, rstr, strlen(rstr)); + ADD_LOG_CSTR(&lb, " error "); + } + break; + case DNS_RRL_RTYPE_ALL: + ADD_LOG_CSTR(&lb, "all "); + break; + default: + INSIST(0); + } + + if (plural) + ADD_LOG_CSTR(&lb, "responses to "); + else + ADD_LOG_CSTR(&lb, "response to "); + + memset(&cidr, 0, sizeof(cidr)); + if (e->key.s.ipv6) { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv6_prefixlen); + cidr.family = AF_INET6; + memset(&cidr.type.in6, 0, sizeof(cidr.type.in6)); + memcpy(&cidr.type.in6, e->key.s.ip, sizeof(e->key.s.ip)); + } else { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv4_prefixlen); + cidr.family = AF_INET; + cidr.type.in.s_addr = e->key.s.ip[0]; + } + msg_result = isc_netaddr_totext(&cidr, &lb); + if (msg_result != ISC_R_SUCCESS) + ADD_LOG_CSTR(&lb, "?"); + add_log_str(&lb, strbuf, strlen(strbuf)); + + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY || 
+ e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL || + e->key.s.rtype == DNS_RRL_RTYPE_NODATA || + e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) { + qbuf = get_qname(rrl, e); + if (save_qname && qbuf == NULL && + qname != NULL && dns_name_isabsolute(qname)) { + /* + * Capture the qname for the "stop limiting" message. + */ + qbuf = ISC_LIST_TAIL(rrl->qname_free); + if (qbuf != NULL) { + ISC_LIST_UNLINK(rrl->qname_free, qbuf, link); + } else if (rrl->num_qnames < DNS_RRL_QNAMES) { + qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf)); + if (qbuf != NULL) { + memset(qbuf, 0, sizeof(*qbuf)); + ISC_LINK_INIT(qbuf, link); + qbuf->index = rrl->num_qnames; + rrl->qnames[rrl->num_qnames++] = qbuf; + } else { + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_FAIL, + "isc_mem_get(%d)" + " failed for RRL qname", + (int)sizeof(*qbuf)); + } + } + if (qbuf != NULL) { + e->log_qname = qbuf->index; + qbuf->e = e; + dns_fixedname_init(&qbuf->qname); + dns_name_copy(qname, + dns_fixedname_name(&qbuf->qname), + NULL); + } + } + if (qbuf != NULL) + qname = dns_fixedname_name(&qbuf->qname); + if (qname != NULL) { + ADD_LOG_CSTR(&lb, " for "); + (void)dns_name_totext(qname, ISC_TRUE, &lb); + } else { + ADD_LOG_CSTR(&lb, " for (?)"); + } + if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdataclass_totext(e->key.s.qclass, &lb); + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdatatype_totext(e->key.s.qtype, &lb); + } + } + snprintf(strbuf, sizeof(strbuf), " (%08x)", + e->key.s.qname_hash); + add_log_str(&lb, strbuf, strlen(strbuf)); + } + + /* + * We saved room for '\0'. + */ + log_buf[isc_buffer_usedlength(&lb)] = '\0'; +} + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len) +{ + if (e->logged) { + make_log_buf(rrl, e, + early ? "*" : NULL, + rrl->log_only ? 
"would stop limiting " + : "stop limiting ", + ISC_TRUE, NULL, ISC_FALSE, + DNS_RRL_RESULT_OK, ISC_R_SUCCESS, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + free_qname(rrl, e); + e->logged = ISC_FALSE; + --rrl->num_logged; + } +} + +/* + * Log messages for streams that have stopped being rate limited. + */ +static void +log_stops(dns_rrl_t *rrl, isc_stdtime_t now, int limit, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_entry_t *e; + int age; + + for (e = rrl->last_logged; e != NULL; e = ISC_LIST_PREV(e, lru)) { + if (!e->logged) + continue; + if (now != 0) { + age = get_age(rrl, e, now); + if (age < DNS_RRL_STOP_LOG_SECS || + response_balance(rrl, e, age) < 0) + break; + } + + log_end(rrl, e, now == 0, log_buf, log_buf_len); + if (rrl->num_logged <= 0) + break; + + /* + * Too many messages could stall real work. + */ + if (--limit < 0) { + rrl->last_logged = ISC_LIST_PREV(e, lru); + return; + } + } + if (e == NULL) { + INSIST(rrl->num_logged == 0); + rrl->log_stops_time = now; + } + rrl->last_logged = e; +} + +/* + * Main rate limit interface. 
+ */ +dns_rrl_result_t +dns_rrl(dns_view_t *view, + const isc_sockaddr_t *client_addr, isc_boolean_t is_tcp, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, + dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now, + isc_boolean_t wouldlog, char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_t *rrl; + dns_rrl_rtype_t rtype; + dns_rrl_entry_t *e; + isc_netaddr_t netclient; + int secs; + double qps, scale; + int exempt_match; + isc_result_t result; + dns_rrl_result_t rrl_result; + + INSIST(log_buf != NULL && log_buf_len > 0); + + rrl = view->rrl; + if (rrl->exempt != NULL) { + isc_netaddr_fromsockaddr(&netclient, client_addr); + result = dns_acl_match(&netclient, NULL, rrl->exempt, + &view->aclenv, &exempt_match, NULL); + if (result == ISC_R_SUCCESS && exempt_match > 0) + return (DNS_RRL_RESULT_OK); + } + + LOCK(&rrl->lock); + + /* + * Estimate total query per second rate when scaling by qps. + */ + if (rrl->qps_scale == 0) { + qps = 0.0; + scale = 1.0; + } else { + ++rrl->qps_responses; + secs = delta_rrl_time(rrl->qps_time, now); + if (secs <= 0) { + qps = rrl->qps; + } else { + qps = (1.0*rrl->qps_responses) / secs; + if (secs >= rrl->window) { + if (isc_log_wouldlog(dns_lctx, + DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG3, + "%d responses/%d seconds" + " = %d qps", + rrl->qps_responses, secs, + (int)qps); + rrl->qps = qps; + rrl->qps_responses = 0; + rrl->qps_time = now; + } else if (qps < rrl->qps) { + qps = rrl->qps; + } + } + scale = rrl->qps_scale / qps; + } + + /* + * Do maintenance once per second. + */ + if (rrl->num_logged > 0 && rrl->log_stops_time != now) + log_stops(rrl, now, 8, log_buf, log_buf_len); + + /* + * Notice TCP responses when scaling limits by qps. + * Do not try to rate limit TCP responses. 
+ */ + if (is_tcp) { + if (scale < 1.0) { + e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_TRUE, + log_buf, log_buf_len); + if (e != NULL) { + e->responses = -(rrl->window+1); + set_age(rrl, e, now); + } + } + UNLOCK(&rrl->lock); + return (ISC_R_SUCCESS); + } + + /* + * Find the right kind of entry, creating it if necessary. + * If that is impossible, then nothing more can be done + */ + switch (resp_result) { + case ISC_R_SUCCESS: + rtype = DNS_RRL_RTYPE_QUERY; + break; + case DNS_R_DELEGATION: + rtype = DNS_RRL_RTYPE_REFERRAL; + break; + case DNS_R_NXRRSET: + rtype = DNS_RRL_RTYPE_NODATA; + break; + case DNS_R_NXDOMAIN: + rtype = DNS_RRL_RTYPE_NXDOMAIN; + break; + default: + rtype = DNS_RRL_RTYPE_ERROR; + break; + } + e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype, + now, ISC_TRUE, log_buf, log_buf_len); + if (e == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) { + /* + * Do not worry about speed or releasing the lock. + * This message appears before messages from debit_rrl_entry(). + */ + make_log_buf(rrl, e, "consider limiting ", NULL, ISC_FALSE, + qname, ISC_FALSE, DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "%s", log_buf); + } + + rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now, + log_buf, log_buf_len); + + if (rrl->all_per_second.r != 0) { + /* + * We must debit the all-per-second token bucket if we have + * an all-per-second limit for the IP address. + * The all-per-second limit determines the log message + * when both limits are hit. + * The response limiting must continue if the + * all-per-second limiting lapses. 
+ */ + dns_rrl_entry_t *e_all; + dns_rrl_result_t rrl_all_result; + + e_all = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_ALL, now, ISC_TRUE, + log_buf, log_buf_len); + if (e_all == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + rrl_all_result = debit_rrl_entry(rrl, e_all, qps, scale, + client_addr, now, + log_buf, log_buf_len); + if (rrl_all_result != DNS_RRL_RESULT_OK) { + int level; + + e = e_all; + rrl_result = rrl_all_result; + if (rrl_result == DNS_RRL_RESULT_OK) + level = DNS_RRL_LOG_DEBUG2; + else + level = DNS_RRL_LOG_DEBUG1; + if (isc_log_wouldlog(dns_lctx, level)) { + make_log_buf(rrl, e, + "prefer all-per-second limiting ", + NULL, ISC_TRUE, qname, ISC_FALSE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, level, + "%s", log_buf); + } + } + } + + if (rrl_result == DNS_RRL_RESULT_OK) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + /* + * Log occassionally in the rate-limit category. + */ + if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) && + isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP)) { + make_log_buf(rrl, e, rrl->log_only ? "would " : NULL, + e->logged ? "continue limiting " : "limit ", + ISC_TRUE, qname, ISC_TRUE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + if (!e->logged) { + e->logged = ISC_TRUE; + if (++rrl->num_logged <= 1) + rrl->last_logged = e; + } + e->log_secs = 0; + + /* + * Avoid holding the lock. + */ + if (!wouldlog) { + UNLOCK(&rrl->lock); + e = NULL; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + } + + /* + * Make a log message for the caller. + */ + if (wouldlog) + make_log_buf(rrl, e, + rrl->log_only ? 
"would rate limit " : "rate limit ", + NULL, ISC_FALSE, qname, ISC_FALSE, + rrl_result, resp_result, log_buf, log_buf_len); + + if (e != NULL) { + /* + * Do not save the qname unless we might need it for + * the ending log message. + */ + if (!e->logged) + free_qname(rrl, e); + UNLOCK(&rrl->lock); + } + + return (rrl_result); +} + +void +dns_rrl_view_destroy(dns_view_t *view) { + dns_rrl_t *rrl; + dns_rrl_block_t *b; + dns_rrl_hash_t *h; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + int i; + + rrl = view->rrl; + if (rrl == NULL) + return; + view->rrl = NULL; + + /* + * Assume the caller takes care of locking the view and anything else. + */ + + if (rrl->num_logged > 0) + log_stops(rrl, 0, ISC_INT32_MAX, log_buf, sizeof(log_buf)); + + for (i = 0; i < DNS_RRL_QNAMES; ++i) { + if (rrl->qnames[i] == NULL) + break; + isc_mem_put(rrl->mctx, rrl->qnames[i], sizeof(*rrl->qnames[i])); + } + + if (rrl->exempt != NULL) + dns_acl_detach(&rrl->exempt); + + DESTROYLOCK(&rrl->lock); + + while (!ISC_LIST_EMPTY(rrl->blocks)) { + b = ISC_LIST_HEAD(rrl->blocks); + ISC_LIST_UNLINK(rrl->blocks, b, link); + isc_mem_put(rrl->mctx, b, b->size); + } + + h = rrl->hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + h = rrl->old_hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); +} + +isc_result_t +dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries) { + dns_rrl_t *rrl; + isc_result_t result; + + *rrlp = NULL; + + rrl = isc_mem_get(view->mctx, sizeof(*rrl)); + if (rrl == NULL) + return (ISC_R_NOMEMORY); + memset(rrl, 0, sizeof(*rrl)); + isc_mem_attach(view->mctx, &rrl->mctx); + result = isc_mutex_init(&rrl->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); + return (result); + } + isc_stdtime_get(&rrl->ts_bases[0]); + + view->rrl = rrl; + + result = expand_entries(rrl, 
min_entries); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + result = expand_rrl_hash(rrl, 0); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + + *rrlp = rrl; + return (ISC_R_SUCCESS); +} --- bind9-9.9.3.dfsg.P2.orig/lib/dns/view.c +++ bind9-9.9.3.dfsg.P2/lib/dns/view.c @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include @@ -184,6 +185,7 @@ view->answeracl_exclude = NULL; view->denyanswernames = NULL; view->answernames_exclude = NULL; + view->rrl = NULL; view->provideixfr = ISC_TRUE; view->maxcachettl = 7 * 24 * 3600; view->maxncachettl = 3 * 3600; @@ -195,9 +197,7 @@ view->maxbits = 0; view->v4_aaaa = dns_v4_aaaa_ok; view->v4_aaaa_acl = NULL; - ISC_LIST_INIT(view->rpz_zones); - view->rpz_recursive_only = ISC_TRUE; - view->rpz_break_dnssec = ISC_FALSE; + view->rpzs = NULL; dns_fixedname_init(&view->dlv_fixed); view->managed_keys = NULL; view->redirect = NULL; @@ -334,10 +334,13 @@ dns_acache_putdb(view->acache, view->cachedb); dns_acache_detach(&view->acache); } - dns_rpz_view_destroy(view); + if (view->rpzs != NULL) + dns_rpz_detach_rpzs(&view->rpzs); + dns_rrl_view_destroy(view); #else INSIST(view->acache == NULL); - INSIST(ISC_LIST_EMPTY(view->rpz_zones)); + INSIST(view->rpzs == NULL); + INSIST(view->rrl == NULL); #endif if (view->requestmgr != NULL) dns_requestmgr_detach(&view->requestmgr); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.def +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.def @@ -130,8 +130,8 @@ dns_db_overmem dns_db_printnode dns_db_register -dns_db_rpz_enabled -dns_db_rpz_findips +dns_db_rpz_attach +dns_db_rpz_ready dns_db_subtractrdataset dns_db_unregister dns_dbiterator_current 
@@ -639,17 +639,22 @@ dns_result_torcode dns_result_totext dns_rootns_create +dns_rpz_add +dns_rpz_attach_rpzs +dns_rpz_beginload dns_rpz_cidr_addip -dns_rpz_cidr_deleteip dns_rpz_cidr_find -dns_rpz_cidr_free dns_rpz_decode_cname -dns_rpz_enabled_get -dns_rpz_new_cidr +dns_rpz_delete +dns_rpz_delete_node +dns_rpz_detach_rpzs +dns_rpz_find_ip +dns_rpz_find_name +dns_rpz_new_zones dns_rpz_policy2str +dns_rpz_ready dns_rpz_str2policy dns_rpz_type2str -dns_rpz_view_destroy dns_rriterator_current dns_rriterator_destroy dns_rriterator_first @@ -657,6 +662,9 @@ dns_rriterator_next dns_rriterator_nextrrset dns_rriterator_pause +dns_rrl +dns_rrl_init +dns_rrl_view_destroy dns_sdb_putnamedrr dns_sdb_putrdata dns_sdb_putrr @@ -806,7 +814,7 @@ dns_zone_forcereload dns_zone_forwardupdate dns_zone_fulldumptostream -dns_zone_get_rpz +dns_zone_get_rpz_num dns_zone_getadded dns_zone_getchecknames dns_zone_getclass @@ -834,6 +842,7 @@ dns_zone_getqueryonacl dns_zone_getraw dns_zone_getrequeststats +dns_zone_getrpz_num dns_zone_getserial dns_zone_getserial2 dns_zone_getserialupdatemethod @@ -871,6 +880,7 @@ dns_zone_refresh dns_zone_rekey dns_zone_replacedb +dns_zone_rpz_attach dns_zone_rpz_enable dns_zone_setacache dns_zone_setadded --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.dsp +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.dsp @@ -346,6 +346,10 @@ # End Source File # Begin Source File +SOURCE=..\include\dns\rrl.h +# End Source File +# Begin Source File + SOURCE=..\include\dns\rriterator.h # End Source File # Begin Source File @@ -650,6 +654,10 @@ # End Source File # Begin Source File +SOURCE=..\rrl.c +# End Source File +# Begin Source File + SOURCE=..\rriterator.c # End Source File # Begin Source File --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.mak +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.mak 
@@ -184,6 +184,7 @@ -@erase "$(INTDIR)\result.obj" -@erase "$(INTDIR)\rootns.obj" -@erase "$(INTDIR)\rpz.obj" + -@erase "$(INTDIR)\rrl.obj" -@erase "$(INTDIR)\sdb.obj" -@erase "$(INTDIR)\sdlz.obj" -@erase "$(INTDIR)\soa.obj" @@ -309,6 +310,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -505,6 +507,8 @@ -@erase "$(INTDIR)\rootns.sbr" -@erase "$(INTDIR)\rpz.obj" -@erase "$(INTDIR)\rpz.sbr" + -@erase "$(INTDIR)\rrl.obj" + -@erase "$(INTDIR)\rrl.sbr" -@erase "$(INTDIR)\rriterator.obj" -@erase "$(INTDIR)\rriterator.sbr" -@erase "$(INTDIR)\sdb.obj" @@ -651,6 +655,7 @@ "$(INTDIR)\result.sbr" \ "$(INTDIR)\rootns.sbr" \ "$(INTDIR)\rpz.sbr" \ + "$(INTDIR)\rrl.sbr" \ "$(INTDIR)\rriterator.sbr" \ "$(INTDIR)\sdb.sbr" \ "$(INTDIR)\sdlz.sbr" \ @@ -748,6 +753,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -1724,6 +1730,24 @@ $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\rrl.c + +!IF "$(CFG)" == "libdns - Win32 Release" + + +"$(INTDIR)\rrl.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libdns - Win32 Debug" + + +"$(INTDIR)\rrl.obj" "$(INTDIR)\rrl.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\rriterator.c --- bind9-9.9.3.dfsg.P2.orig/lib/dns/xfrin.c +++ bind9-9.9.3.dfsg.P2/lib/dns/xfrin.c 
@@ -270,13 +270,19 @@ static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) { - return (dns_db_create(xfr->mctx, /* XXX */ - "rbt", /* XXX guess */ - &xfr->name, - dns_dbtype_zone, - xfr->rdclass, - 0, NULL, /* XXX guess */ - dbp)); + isc_result_t result; + + result = dns_db_create(xfr->mctx, /* XXX */ + "rbt", /* XXX guess */ + &xfr->name, + dns_dbtype_zone, + xfr->rdclass, + 0, NULL, /* XXX guess */ + dbp); + if (result != ISC_R_SUCCESS) + return (result); + result = dns_zone_rpz_enable_db(xfr->zone, *dbp); + return (result); } static isc_result_t --- bind9-9.9.3.dfsg.P2.orig/lib/dns/zone.c +++ bind9-9.9.3.dfsg.P2/lib/dns/zone.c @@ -346,9 +346,10 @@ isc_boolean_t added; /*% - * whether this is a response policy zone + * response policy data to be relayed to the database */ - isc_boolean_t is_rpz; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; /*% * Serial number update method. @@ -917,7 +918,8 @@ zone->nodes = 100; zone->privatetype = (dns_rdatatype_t)0xffffU; zone->added = ISC_FALSE; - zone->is_rpz = ISC_FALSE; + zone->rpzs = NULL; + zone->rpz_num = DNS_RPZ_INVALID_NUM; ISC_LIST_INIT(zone->forwards); zone->raw = NULL; zone->secure = NULL; @@ -1021,6 +1023,13 @@ zone_detachdb(zone); if (zone->acache != NULL) dns_acache_detach(&zone->acache); +#ifdef BIND9 + if (zone->rpzs != NULL) { + REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&zone->rpzs); + zone->rpz_num = DNS_RPZ_INVALID_NUM; + } +#endif zone_freedbargs(zone); RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0) == ISC_R_SUCCESS); @@ -1513,7 +1522,9 @@ * Set the response policy index and information for a zone. */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone) { +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num) +{ /* * Only RBTDB zones can be used for response policy zones, * because only they have the code to load the create the summary data. 
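Review bot: In axfr_makedb the new error path after dns_zone_rpz_enable_db() returns the failure result while leaving the freshly created database attached in `*dbp`, so the caller receives a non-NULL `*dbp` together with an error and the database is never released. The visible dns_zone_rpz_enable_db() only ever returns ISC_R_SUCCESS today, so this is latent, but the check implies failure is possible and the cleanup should match: `if (result != ISC_R_SUCCESS) dns_db_detach(dbp);` immediately before `return (result);`. The zone.c hunks that begin on this same line continue on the next line.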
@@ -1524,14 +1535,26 @@ strcmp(zone->db_argv[0], "rbt64") != 0) return (ISC_R_NOTIMPLEMENTED); - zone->is_rpz = ISC_TRUE; + /* + * This must happen only once or be redundant. + */ + LOCK_ZONE(zone); + if (zone->rpzs != NULL) { + REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num); + } else { + REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &zone->rpzs); + zone->rpz_num = rpz_num; + } + rpzs->defined |= DNS_RPZ_ZBIT(rpz_num); + UNLOCK_ZONE(zone); return (ISC_R_SUCCESS); } -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone) { - return (zone->is_rpz); +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone) { + return (zone->rpz_num); } static isc_result_t @@ -1987,13 +2010,9 @@ isc_result_t tresult; unsigned int options; -#ifdef BIND9 - if (zone->is_rpz) { - result = dns_db_rpz_enabled(db, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } -#endif + result = dns_zone_rpz_enable_db(zone, db); + if (result != ISC_R_SUCCESS) + return (result); options = get_master_options(zone); if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) @@ -2069,6 +2088,19 @@ return (result); } +/* + * If a zone is a response policy zone, mark its new database. + */ +isc_result_t +dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) { + if (zone->rpz_num != DNS_RPZ_INVALID_NUM) { + REQUIRE(zone->rpzs != NULL); + dns_db_rpz_attach(db, zone->rpzs, zone->rpz_num); + } + + return (ISC_R_SUCCESS); +} + static isc_boolean_t zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, dns_name_t *owner) @@ -4120,6 +4152,11 @@ if (result != ISC_R_SUCCESS) goto cleanup; } else { +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + goto cleanup; +#endif zone_attachdb(zone, db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); DNS_ZONE_SETFLAG(zone, 
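Review bot: dns_zone_rpz_enable stores rpz_num without checking it against rpzs->p.num_zones, whereas the teardown path added at @@ -1021 asserts `REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones)`; the bound belongs where the value enters, e.g. `REQUIRE(rpz_num < rpzs->p.num_zones);` before LOCK_ZONE, so an out-of-range index is never stored and never used as the shift count in `DNS_RPZ_ZBIT(rpz_num)`. The read-modify-write `rpzs->defined |= DNS_RPZ_ZBIT(rpz_num);` updates state shared by every zone in the set while holding only the per-zone lock; unless the caller serialises all dns_zone_rpz_enable calls for one rpzs (not visible here), two zones configured concurrently could each lose the other's bit. The enclosing function begins on the previous line.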
@@ -13047,6 +13084,12 @@ REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(LOCKED_ZONE(zone)); +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + return (result); +#endif + result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL, NULL, NULL, NULL, NULL); if (result == ISC_R_SUCCESS) { --- bind9-9.9.3.dfsg.P2.orig/lib/export/dns/include/dns/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/export/dns/include/dns/Makefile.in @@ -31,7 +31,7 @@ peer.h portlist.h \ rbt.h rcode.h rdata.h rdataclass.h \ rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \ - request.h resolver.h result.h \ + request.h resolver.h result.h rrl.h \ secalg.h secproto.h soa.h stats.h \ tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \ validator.h version.h view.h --- bind9-9.9.3.dfsg.P2.orig/lib/export/isc/include/isc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/export/isc/include/isc/Makefile.in @@ -37,7 +37,7 @@ print.h quota.h radix.h random.h ratelimiter.h \ refcount.h regex.h region.h resource.h \ result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \ - sockaddr.h socket.h stdio.h stdlib.h string.h \ + sockaddr.h socket.h stat.h stdio.h stdlib.h string.h \ symtab.h \ task.h taskpool.h timer.h types.h util.h version.h \ xml.h --- bind9-9.9.3.dfsg.P2.orig/lib/isc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isc/Makefile.in @@ -114,12 +114,14 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${SYMTBLOBJS} ${LIBS} + ln -sf .libs/libisc.so . libisc-nosymtbl.la: ${OBJS} ${LIBTOOL_MODE_LINK} \ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${LIBS} + ln -sf .libs/libisc-nosymtbl.so . timestamp: libisc.@A@ libisc-nosymtbl.@A@ touch timestamp 
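Review bot: The new `ln -sf .libs/libisc.so .` steps in the libisc.la and libisc-nosymtbl.la rules assume libtool produced a `.so` under `.libs`, so a `--disable-shared` build or a platform whose shared-library suffix is not `.so` will leave a dangling symlink in the source tree. If the link is only needed so sibling libraries can resolve the `-L../../lib/isc` added elsewhere in this diff, guard it, e.g. `test -f .libs/libisc.so && ln -sf .libs/libisc.so . || true`, or depend on the `@A@`-suffixed targets instead. The matching `rm -f` for the clean rule is in a second hunk that begins on the next line.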
@@ -133,3 +135,4 @@ clean distclean:: rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ libisc-nosymtbl.la timestamp + rm -f libisc.so libisc-nosymtbl.so --- bind9-9.9.3.dfsg.P2.orig/lib/isc/mips/include/isc/atomic.h +++ bind9-9.9.3.dfsg.P2/lib/isc/mips/include/isc/atomic.h @@ -31,18 +31,20 @@ isc_atomic_xadd(isc_int32_t *p, int val) { isc_int32_t orig; - /* add is a cheat, since MIPS has no mov instruction */ - __asm__ volatile ( - "1:" - "ll $3, %1\n" - "add %0, $0, $3\n" - "add $3, $3, %2\n" - "sc $3, %1\n" - "beq $3, 0, 1b" - : "=&r"(orig) - : "m"(*p), "r"(val) - : "memory", "$3" - ); + __asm__ __volatile__ ( + " .set push \n" + " .set mips2 \n" + " .set noreorder \n" + " .set noat \n" + "1: ll $1, %1 \n" + " addu %0, $1, %2 \n" + " sc %0, %1 \n" + " beqz %0, 1b \n" + " move %0, $1 \n" + " .set pop \n" + : "=&r" (orig), "+R" (*p) + : "r" (val) + : "memory"); return (orig); } @@ -52,16 +54,7 @@ */ static inline void isc_atomic_store(isc_int32_t *p, isc_int32_t val) { - __asm__ volatile ( - "1:" - "ll $3, %0\n" - "add $3, $0, %1\n" - "sc $3, %0\n" - "beq $3, 0, 1b" - : - : "m"(*p), "r"(val) - : "memory", "$3" - ); + *p = val; } /* @@ -72,20 +65,23 @@ static inline isc_int32_t isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { isc_int32_t orig; + isc_int32_t tmp; - __asm__ volatile( - "1:" - "ll $3, %1\n" - "add %0, $0, $3\n" - "bne $3, %2, 2f\n" - "add $3, $0, %3\n" - "sc $3, %1\n" - "beq $3, 0, 1b\n" - "2:" - : "=&r"(orig) - : "m"(*p), "r"(cmpval), "r"(val) - : "memory", "$3" - ); + __asm__ __volatile__ ( + " .set push \n" + " .set mips2 \n" + " .set noreorder \n" + " .set noat \n" + "1: ll $1, %1 \n" + " bne $1, %3, 2f \n" + " move %2, %4 \n" + " sc %2, %1 \n" + " beqz %2, 1b \n" + "2: move %0, $1 \n" + " .set pop \n" + : "=&r"(orig), "+R" (*p), "=r" (tmp) + : "r"(cmpval), "r"(val) + : "memory"); return (orig); } --- bind9-9.9.3.dfsg.P2.orig/lib/isc/unix/resource.c +++ bind9-9.9.3.dfsg.P2/lib/isc/unix/resource.c 
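Review bot: In the rewritten isc_atomic_cmpxchg the `tmp` operand is declared `"=r" (tmp)` without an early-clobber, yet the asm writes `%2` (in the `bne` delay slot) before the inputs `%3`/`%4` are read again when `sc` fails and control loops back to `1:`; the compiler is permitted to assign `tmp` the same register as `cmpval` or `val`, in which case a retried iteration compares against the wrong value. Making it `"=&r" (tmp)`, i.e. `: "=&r"(orig), "+R" (*p), "=&r" (tmp)`, removes that possibility. Replacing isc_atomic_store's ll/sc loop with a plain `*p = val;` looks acceptable for an aligned 32-bit store on MIPS, but like the old code it carries no ordering barrier, so any caller that relied on it as a release store should be checked.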
@@ -29,6 +29,7 @@ #include #ifdef __linux__ +#include #include /* To get the large NR_OPEN. */ #endif --- bind9-9.9.3.dfsg.P2.orig/lib/isccc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isccc/Makefile.in @@ -36,7 +36,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCCCDEPLIBS = libisccc.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../../lib/isc SUBDIRS = include @@ -72,6 +72,7 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${ISCLIBS} ${LIBS} + ln -sf .libs/libisccc.so . timestamp: libisccc.@A@ touch timestamp @@ -84,3 +85,4 @@ clean distclean:: rm -f libisccc.@A@ timestamp + rm -f libisccc.so --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isccfg/Makefile.in @@ -38,7 +38,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCCFGDEPLIBS = libisccfg.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../dns -L../isc -L../isccc SUBDIRS = include --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/aclconf.c +++ bind9-9.9.3.dfsg.P2/lib/isccfg/aclconf.c @@ -247,6 +247,9 @@ } else if (cfg_obj_isstring(ce)) { const char *name = cfg_obj_asstring(ce); if (strcasecmp(name, "localhost") == 0 || +#ifdef SUPPORT_GEOIP + strncasecmp(name, "country_", 8) == 0 || +#endif strcasecmp(name, "localnets") == 0) { n++; } else if (strcasecmp(name, "any") != 0 && @@ -441,6 +444,14 @@ de->negative = !neg; } else continue; +#ifdef SUPPORT_GEOIP + } else if ((0 == (strncmp("country_", name, 8))) && (10 == strlen(name))) { + /* It is a country code */ + de->type = dns_aclelementtype_ipcountry; + de->country[0] = name[8]; + de->country[1] = name[9]; + de->country[2] = '\0'; +#endif } else if (strcasecmp(name, "localhost") == 0) { de->type = dns_aclelementtype_localhost; de->negative = neg; --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/namedconf.c +++ bind9-9.9.3.dfsg.P2/lib/isccfg/namedconf.c 
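Review bot: The two GEOIP additions in aclconf.c do not apply the same predicate: the element counter accepts any name matching `strncasecmp(name, "country_", 8) == 0`, while the parser requires a case-sensitive `strncmp("country_", name, 8) == 0` and exactly ten characters. A name such as `Country_US` or `country_usa` is therefore counted as a direct element but then skips the `country_` branch and falls into the `localhost`/`localnets` comparisons and whatever follows, so the count (presumably used to size the ACL) and the parsed elements can disagree. Use one predicate in both passes, e.g. `strncasecmp(name, "country_", 8) == 0 && strlen(name) == 10`, and since the two characters are copied verbatim into `de->country` consider rejecting non-alphabetic codes instead of storing whatever the config supplied. Both enclosing functions start outside these hunks.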
@@ -1054,11 +1054,12 @@ /*% * response-policy { - * zone [ policy (given|disabled|passthru| + * zone [ policy (given|disabled|passthru|drop|tcp-only| * nxdomain|nodata|cname ) ] * [ recursive-only yes|no ] [ max-policy-ttl number ] ; * } [ recursive-only yes|no ] [ max-policy-ttl number ] ; - * [ break-dnssec yes|no ] [ min-ns-dots number ] ; + * [ break-dnssec yes|no ] [ min-ns-dots number ] + * [ qname-wait-recurse yes|no ] */ static void @@ -1083,7 +1084,7 @@ /* * Parse - * given|disabled|passthru|nxdomain|nodata|cname + * given|disabled|passthru|drop|tcp-only|nxdomain|nodata|cname */ static isc_result_t cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type, @@ -1214,9 +1215,12 @@ doc_keyvalue, &cfg_rep_string, &zone_kw }; +/* + * "no-op" is an obsolete equivalent of "passthru". + */ static const char *rpz_policies[] = { - "given", "disabled", "passthru", "no-op", "nxdomain", "nodata", - "cname", NULL + "given", "disabled", "passthru", "no-op", "drop", "tcp-only", + "nxdomain", "nodata", "cname", NULL }; static cfg_type_t cfg_type_rpz_policy_name = { "policy name", cfg_parse_enum, cfg_print_ustring, @@ -1261,6 +1265,7 @@ { "break-dnssec", &cfg_type_boolean, 0 }, { "max-policy-ttl", &cfg_type_uint32, 0 }, { "min-ns-dots", &cfg_type_uint32, 0 }, + { "qname-wait-recurse", &cfg_type_boolean, 0 }, { NULL, NULL, 0 } }; static cfg_type_t cfg_type_rpz = { 
@@ -1270,6 +1275,40 @@ }; +/* + * rate-limit + */ +static cfg_clausedef_t rrl_clauses[] = { + { "responses-per-second", &cfg_type_uint32, 0 }, + { "referrals-per-second", &cfg_type_uint32, 0 }, + { "nodata-per-second", &cfg_type_uint32, 0 }, + { "nxdomains-per-second", &cfg_type_uint32, 0 }, + { "errors-per-second", &cfg_type_uint32, 0 }, + { "all-per-second", &cfg_type_uint32, 0 }, + { "slip", &cfg_type_uint32, 0 }, + { "window", &cfg_type_uint32, 0 }, + { "log-only", &cfg_type_boolean, 0 }, + { "qps-scale", &cfg_type_uint32, 0 }, + { "ipv4-prefix-length", &cfg_type_uint32, 0 }, + { "ipv6-prefix-length", &cfg_type_uint32, 0 }, + { "exempt-clients", &cfg_type_bracketed_aml, 0 }, + { "max-table-size", &cfg_type_uint32, 0 }, + { "min-table-size", &cfg_type_uint32, 0 }, + { NULL, NULL, 0 } +}; + +static cfg_clausedef_t *rrl_clausesets[] = { + rrl_clauses, + NULL +}; + +static cfg_type_t cfg_type_rrl = { + "rate-limit", cfg_parse_map, cfg_print_map, cfg_doc_map, + &cfg_rep_map, rrl_clausesets +}; + + + /*% * dnssec-lookaside */ @@ -1387,6 +1426,8 @@ { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, { "max-udp-size", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, + { "min-ncache-ttl", &cfg_type_uint32, 0 }, { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, { "minimal-responses", &cfg_type_boolean, 0 }, { "preferred-glue", &cfg_type_astring, 0 }, @@ -1423,6 +1464,7 @@ CFG_CLAUSEFLAG_NOTCONFIGURED }, #endif { "response-policy", &cfg_type_rpz, 0 }, + { "rate-limit", &cfg_type_rrl, 0 }, { NULL, NULL, 0 } }; --- bind9-9.9.3.dfsg.P2.orig/libtool.m4/libtool.m4 +++ bind9-9.9.3.dfsg.P2/libtool.m4/libtool.m4 @@ -1324,7 +1324,14 @@ LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; ppc64-*linux*|powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" 
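Review bot: Every entry in `rrl_clauses[]` is a bare `cfg_type_uint32`, so the parser accepts out-of-range settings such as `ipv4-prefix-length 40`, `ipv6-prefix-length 200` or `window 0`; any clamping has to happen where `view->rrl` is built from this map, which is not part of this diff and is worth confirming. A one-line comment on the table would save the next reader the search, e.g. `/* Ranges are not checked here; the code that builds view->rrl must validate them. */`. Three consecutive blank lines follow `cfg_type_rrl`; one is enough.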
@@ -1688,7 +1695,8 @@ ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -2512,17 +2520,6 @@ esac ;; -gnu*) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -2639,7 +2636,7 @@ ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -2684,6 +2681,18 @@ dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -3243,10 +3252,6 @@ fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - haiku*) lt_cv_deplibs_check_method=pass_all ;; 
@@ -3285,11 +3290,11 @@ ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else @@ -4037,7 +4042,7 @@ ;; esac ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # KAI C++ Compiler @@ -4101,7 +4106,7 @@ ;; esac ;; - netbsd*) + netbsd* | netbsdelf*-gnu) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise @@ -4336,7 +4341,7 @@ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -4578,6 +4583,9 @@ ;; esac ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -4640,6 +4648,9 @@ openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -4861,7 +4872,7 @@ fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -5038,6 +5049,7 @@ if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + _LT_TAGVAR(link_all_deplibs, $1)=no else # not using gcc if test "$host_cpu" = ia64; then 
@@ -5342,7 +5354,7 @@ _LT_TAGVAR(link_all_deplibs, $1)=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -6222,9 +6234,6 @@ _LT_TAGVAR(ld_shlibs, $1)=yes ;; - gnu*) - ;; - haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes @@ -6386,7 +6395,7 @@ _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler --- bind9-9.9.3.dfsg.P2.orig/ltmain.sh +++ bind9-9.9.3.dfsg.P2/ltmain.sh @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.3 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION=2.4.2 +VERSION="2.4.2 Debian-2.4.2-1.3" TIMESTAMP="" package_revision=1.3337 @@ -1375,21 +1375,6 @@ func_infer_tag () { $opt_debug - - # FreeBSD-specific: where we install compilers with non-standard names - tag_compilers_CC="*cc cc* *gcc gcc* clang" - tag_compilers_CXX="*c++ c++* *g++ g++* clang++" - base_compiler=`set -- "$@"; echo $1` - - # If $tagname isn't set, then try to infer if the default "CC" tag applies - if test -z "$tagname"; then - for zp in $tag_compilers_CC; do - case $base_compiler in - $zp) tagname="CC"; break;; - esac - done - fi - if test -n "$available_tags" && test -z "$tagname"; then CC_quoted= for arg in $CC; do 
@@ -1426,22 +1411,7 @@ break ;; esac - - # FreeBSD-specific: try compilers based on inferred tag - if test -z "$tagname"; then - eval "tag_compilers=\$tag_compilers_${z}" - if test -n "$tag_compilers"; then - for zp in $tag_compilers; do - case $base_compiler in - $zp) tagname=$z; break;; - esac - done - if test -n "$tagname"; then - break - fi - fi - fi - fi + fi done # If $tagname still isn't set, then no tagged configuration # was found and let the user know that the "--tag" command @@ -3547,9 +3517,6 @@ ;; esac ;; - *-*-freebsd*) - # FreeBSD doesn't need this... - ;; *) func_fatal_error "unknown suffix for \`$my_dlsyms'" ;; @@ -5628,7 +5595,6 @@ esac ;; esac - deplibs="$deplibs $arg" continue ;; @@ -6158,7 +6124,10 @@ case $pass in dlopen) libs="$dlfiles" ;; dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + link) + libs="$deplibs %DEPLIBS%" + test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs" + ;; esac fi if test "$linkmode,$pass" = "lib,dlpreopen"; then @@ -6201,30 +6170,13 @@ finalize_deplibs="$deplib $finalize_deplibs" else func_append compiler_flags " $deplib" - fi - - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test "$pass" = conv && continue - newdependency_libs="$deplib $newdependency_libs" - ;; - prog) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test "$pass" = scan; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac fi - ;; - *) - ;; - esac # linkmode - + fi continue ;; -l*) 
@@ -6495,19 +6447,19 @@ # It is a libtool convenience library, so add in its objects. func_append convenience " $ladir/$objdir/$old_library" func_append old_convenience " $ladir/$objdir/$old_library" + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" fi - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done continue fi # $pass = conv @@ -7400,6 +7352,9 @@ revision="$number_minor" lt_irix_increment=no ;; + *) + func_fatal_configuration "$modename: unknown library version type \`$version_type'" + ;; esac ;; no) --- bind9-9.9.3.dfsg.P2.orig/named.conf +++ bind9-9.9.3.dfsg.P2/named.conf 
@@ -0,0 +1,153 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type master; file "tld3.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. 
+ * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. 
+ * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." {type master; file "root.db";}; --- bind9-9.9.3.dfsg.P2.orig/root.db +++ bind9-9.9.3.dfsg.P2/root.db 
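Review bot: Three separate server configurations — three licence headers and three `options` blocks bound to 10.53.0.3, 10.53.0.2 and 10.53.0.1 — are concatenated under the single path `named.conf`, which named would reject for its repeated `options` and `controls` statements. The same flattening appears to have hit root.db, setup.sh, tests.sh, tld2.db and tld3.db: their contents (`SYSTEMTESTTOP=..`, `ns2/named.stats`, `$SYSTEMTESTTOP/common/rndc.conf`) read as files from a system-test tree with per-server `ns1`/`ns2`/`ns3` directories, so the patch was most likely regenerated without its directory components and the fixtures will not land where setup.sh and tests.sh expect them. The per-server paths (one named.conf per `ns1`/`ns2`/`ns3` directory) need to be restored before this hunk is usable.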
@@ -0,0 +1,31 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+$TTL 120
+@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+@ NS ns.
+ns. A 10.53.0.1
+. A 10.53.0.1
+
+; limit responses from here
+tld2. NS ns.tld2.
+ns.tld2. A 10.53.0.2
+
+; limit recursion to here
+tld3. NS ns.tld3.
+ns.tld3. A 10.53.0.3
+
+; generate SERVFAIL
+tld4. NS ns.tld3.
--- bind9-9.9.3.dfsg.P2.orig/setup.sh
+++ bind9-9.9.3.dfsg.P2/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
--- bind9-9.9.3.dfsg.P2.orig/tests.sh
+++ bind9-9.9.3.dfsg.P2/tests.sh
@@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. 
+sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; 
then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. 
+ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 --- bind9-9.9.3.dfsg.P2.orig/tld2.db +++ bind9-9.9.3.dfsg.P2/tld2.db 
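Review bot: The script's own verdict is discarded at the end: `# exit $ret` is commented out and `[ $ret -ne 0 ] && echo "I:test failure overridden"` followed by `exit 0` makes the harness record a pass no matter how many `setret` mismatches ck_result and ckstats reported. If the override is meant to be temporary (the RT33138 comments suggest the expected counts are still being settled), scope it to the checks in question and restore `exit $ret`; otherwise a regression in rate limiting cannot fail this test. Separately, `trap 'exit 1' 1 2 15` leaves the backgrounded `digcmd` jobs running on interrupt, and ck_result removes `dig.out-*` files only on success, so results from an aborted run may be counted by the next `ls dig.out-$1-*` unless clean.sh removes them first.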
@@ -0,0 +1,47 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.2
+
+; basic rate limiting
+a1 A 192.0.2.1
+
+; wildcards
+*.a2 A 192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
+a5 A 192.0.2.5
+
+; a6 for whitelisted clients
+a6 A 192.0.2.6
+
+; a7 for SERVFAIL
+
+; a8 for NODATA
+a8 A 192.0.2.8
+
+; a9 for all-per-second limit
+$GENERATE 101-180 all$.a9 A 192.0.2.8
--- bind9-9.9.3.dfsg.P2.orig/tld3.db
+++ bind9-9.9.3.dfsg.P2/tld3.db
@@ -0,0 +1,25 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.3
+
+*.a3 A 192.0.3.3
--- bind9-9.9.3.dfsg.P2.orig/version
+++ bind9-9.9.3.dfsg.P2/version
@@ -7,6 +7,6 @@
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=9
-PATCHVER=3
+PATCHVER=3-rpz2+rl.13214.22
 RELEASETYPE=-P
 RELEASEVER=2