2 * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: server.c,v 1.599.8.19 2012/02/22 00:33:32 each Exp $ */
28 #include <sys/types.h>
32 #include <isc/base64.h>
34 #include <isc/entropy.h>
37 #include <isc/httpd.h>
39 #include <isc/parseint.h>
40 #include <isc/portset.h>
41 #include <isc/print.h>
42 #include <isc/resource.h>
44 #include <isc/socket.h>
46 #include <isc/stats.h>
47 #include <isc/stdio.h>
48 #include <isc/string.h>
50 #include <isc/timer.h>
54 #include <isccfg/namedconf.h>
56 #include <bind9/check.h>
58 #include <dns/acache.h>
60 #include <dns/cache.h>
62 #include <dns/dispatch.h>
64 #include <dns/dns64.h>
65 #include <dns/forward.h>
66 #include <dns/journal.h>
67 #include <dns/keytable.h>
68 #include <dns/keyvalues.h>
70 #include <dns/master.h>
71 #include <dns/masterdump.h>
72 #include <dns/order.h>
74 #include <dns/portlist.h>
76 #include <dns/rdataclass.h>
77 #include <dns/rdataset.h>
78 #include <dns/rdatastruct.h>
79 #include <dns/resolver.h>
80 #include <dns/rootns.h>
81 #include <dns/secalg.h>
82 #include <dns/stats.h>
90 #include <dst/result.h>
92 #include <named/client.h>
93 #include <named/config.h>
94 #include <named/control.h>
95 #include <named/interfacemgr.h>
96 #include <named/log.h>
97 #include <named/logconf.h>
98 #include <named/lwresd.h>
99 #include <named/main.h>
100 #include <named/os.h>
101 #include <named/server.h>
102 #include <named/statschannel.h>
103 #include <named/tkeyconf.h>
104 #include <named/tsigconf.h>
105 #include <named/zoneconf.h>
107 #include <named/ns_smf_globals.h>
112 #define PATH_MAX 1024
116 * Check an operation for failure. Assumes that the function
117 * using it has a 'result' variable and a 'cleanup' label.
120 do { result = (op); \
121 if (result != ISC_R_SUCCESS) goto cleanup; \
124 #define CHECKM(op, msg) \
125 do { result = (op); \
126 if (result != ISC_R_SUCCESS) { \
127 isc_log_write(ns_g_lctx, \
128 NS_LOGCATEGORY_GENERAL, \
129 NS_LOGMODULE_SERVER, \
132 isc_result_totext(result)); \
137 #define CHECKMF(op, msg, file) \
138 do { result = (op); \
139 if (result != ISC_R_SUCCESS) { \
140 isc_log_write(ns_g_lctx, \
141 NS_LOGCATEGORY_GENERAL, \
142 NS_LOGMODULE_SERVER, \
144 "%s '%s': %s", msg, file, \
145 isc_result_totext(result)); \
150 #define CHECKFATAL(op, msg) \
151 do { result = (op); \
152 if (result != ISC_R_SUCCESS) \
153 fatal(msg, result); \
157 * Maximum ADB size for views that share a cache. Use this limit to suppress
158 * the total of memory footprint, which should be the main reason for sharing
159 * a cache. Only effective when a finite max-cache-size is specified.
160 * This is currently defined to be 8MB.
162 #define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
166 unsigned int dispatchgen;
167 dns_dispatch_t *dispatch;
168 ISC_LINK(struct ns_dispatch) link;
173 dns_view_t *primaryview;
174 isc_boolean_t needflush;
175 isc_boolean_t adbsizeadjusted;
176 ISC_LINK(ns_cache_t) link;
181 isc_boolean_t dumpcache;
182 isc_boolean_t dumpzones;
184 ISC_LIST(struct viewlistentry) viewlist;
185 struct viewlistentry *view;
186 struct zonelistentry *zone;
187 dns_dumpctx_t *mdctx;
191 dns_dbversion_t *version;
194 struct viewlistentry {
196 ISC_LINK(struct viewlistentry) link;
197 ISC_LIST(struct zonelistentry) zonelist;
200 struct zonelistentry {
202 ISC_LINK(struct zonelistentry) link;
206 * Configuration context to retain for each view that allows
207 * new zones to be added at runtime.
211 cfg_parser_t * parser;
213 cfg_parser_t * nzparser;
214 cfg_obj_t * nzconfig;
215 cfg_aclconfctx_t * actx;
219 * These zones should not leak onto the Internet.
221 static const struct {
223 isc_boolean_t rfc1918;
226 { "10.IN-ADDR.ARPA", ISC_TRUE },
227 { "16.172.IN-ADDR.ARPA", ISC_TRUE },
228 { "17.172.IN-ADDR.ARPA", ISC_TRUE },
229 { "18.172.IN-ADDR.ARPA", ISC_TRUE },
230 { "19.172.IN-ADDR.ARPA", ISC_TRUE },
231 { "20.172.IN-ADDR.ARPA", ISC_TRUE },
232 { "21.172.IN-ADDR.ARPA", ISC_TRUE },
233 { "22.172.IN-ADDR.ARPA", ISC_TRUE },
234 { "23.172.IN-ADDR.ARPA", ISC_TRUE },
235 { "24.172.IN-ADDR.ARPA", ISC_TRUE },
236 { "25.172.IN-ADDR.ARPA", ISC_TRUE },
237 { "26.172.IN-ADDR.ARPA", ISC_TRUE },
238 { "27.172.IN-ADDR.ARPA", ISC_TRUE },
239 { "28.172.IN-ADDR.ARPA", ISC_TRUE },
240 { "29.172.IN-ADDR.ARPA", ISC_TRUE },
241 { "30.172.IN-ADDR.ARPA", ISC_TRUE },
242 { "31.172.IN-ADDR.ARPA", ISC_TRUE },
243 { "168.192.IN-ADDR.ARPA", ISC_TRUE },
246 { "64.100.IN-ADDR.ARPA", ISC_FALSE },
247 { "65.100.IN-ADDR.ARPA", ISC_FALSE },
248 { "66.100.IN-ADDR.ARPA", ISC_FALSE },
249 { "67.100.IN-ADDR.ARPA", ISC_FALSE },
250 { "68.100.IN-ADDR.ARPA", ISC_FALSE },
251 { "69.100.IN-ADDR.ARPA", ISC_FALSE },
252 { "70.100.IN-ADDR.ARPA", ISC_FALSE },
253 { "71.100.IN-ADDR.ARPA", ISC_FALSE },
254 { "72.100.IN-ADDR.ARPA", ISC_FALSE },
255 { "73.100.IN-ADDR.ARPA", ISC_FALSE },
256 { "74.100.IN-ADDR.ARPA", ISC_FALSE },
257 { "75.100.IN-ADDR.ARPA", ISC_FALSE },
258 { "76.100.IN-ADDR.ARPA", ISC_FALSE },
259 { "77.100.IN-ADDR.ARPA", ISC_FALSE },
260 { "78.100.IN-ADDR.ARPA", ISC_FALSE },
261 { "79.100.IN-ADDR.ARPA", ISC_FALSE },
262 { "80.100.IN-ADDR.ARPA", ISC_FALSE },
263 { "81.100.IN-ADDR.ARPA", ISC_FALSE },
264 { "82.100.IN-ADDR.ARPA", ISC_FALSE },
265 { "83.100.IN-ADDR.ARPA", ISC_FALSE },
266 { "84.100.IN-ADDR.ARPA", ISC_FALSE },
267 { "85.100.IN-ADDR.ARPA", ISC_FALSE },
268 { "86.100.IN-ADDR.ARPA", ISC_FALSE },
269 { "87.100.IN-ADDR.ARPA", ISC_FALSE },
270 { "88.100.IN-ADDR.ARPA", ISC_FALSE },
271 { "89.100.IN-ADDR.ARPA", ISC_FALSE },
272 { "90.100.IN-ADDR.ARPA", ISC_FALSE },
273 { "91.100.IN-ADDR.ARPA", ISC_FALSE },
274 { "92.100.IN-ADDR.ARPA", ISC_FALSE },
275 { "93.100.IN-ADDR.ARPA", ISC_FALSE },
276 { "94.100.IN-ADDR.ARPA", ISC_FALSE },
277 { "95.100.IN-ADDR.ARPA", ISC_FALSE },
278 { "96.100.IN-ADDR.ARPA", ISC_FALSE },
279 { "97.100.IN-ADDR.ARPA", ISC_FALSE },
280 { "98.100.IN-ADDR.ARPA", ISC_FALSE },
281 { "99.100.IN-ADDR.ARPA", ISC_FALSE },
282 { "100.100.IN-ADDR.ARPA", ISC_FALSE },
283 { "101.100.IN-ADDR.ARPA", ISC_FALSE },
284 { "102.100.IN-ADDR.ARPA", ISC_FALSE },
285 { "103.100.IN-ADDR.ARPA", ISC_FALSE },
286 { "104.100.IN-ADDR.ARPA", ISC_FALSE },
287 { "105.100.IN-ADDR.ARPA", ISC_FALSE },
288 { "106.100.IN-ADDR.ARPA", ISC_FALSE },
289 { "107.100.IN-ADDR.ARPA", ISC_FALSE },
290 { "108.100.IN-ADDR.ARPA", ISC_FALSE },
291 { "109.100.IN-ADDR.ARPA", ISC_FALSE },
292 { "110.100.IN-ADDR.ARPA", ISC_FALSE },
293 { "111.100.IN-ADDR.ARPA", ISC_FALSE },
294 { "112.100.IN-ADDR.ARPA", ISC_FALSE },
295 { "113.100.IN-ADDR.ARPA", ISC_FALSE },
296 { "114.100.IN-ADDR.ARPA", ISC_FALSE },
297 { "115.100.IN-ADDR.ARPA", ISC_FALSE },
298 { "116.100.IN-ADDR.ARPA", ISC_FALSE },
299 { "117.100.IN-ADDR.ARPA", ISC_FALSE },
300 { "118.100.IN-ADDR.ARPA", ISC_FALSE },
301 { "119.100.IN-ADDR.ARPA", ISC_FALSE },
302 { "120.100.IN-ADDR.ARPA", ISC_FALSE },
303 { "121.100.IN-ADDR.ARPA", ISC_FALSE },
304 { "122.100.IN-ADDR.ARPA", ISC_FALSE },
305 { "123.100.IN-ADDR.ARPA", ISC_FALSE },
306 { "124.100.IN-ADDR.ARPA", ISC_FALSE },
307 { "125.100.IN-ADDR.ARPA", ISC_FALSE },
308 { "126.100.IN-ADDR.ARPA", ISC_FALSE },
309 { "127.100.IN-ADDR.ARPA", ISC_FALSE },
311 /* RFC 5735 and RFC 5737 */
312 { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
313 { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
314 { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */
315 { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */
316 { "100.51.198.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 2 */
317 { "113.0.203.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 3 */
318 { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */
320 /* Local IPv6 Unicast Addresses */
321 { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
322 { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
323 /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
324 { "D.F.IP6.ARPA", ISC_FALSE },
325 { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
326 { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
327 { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
328 { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
330 /* Example Prefix, RFC 3849. */
331 { "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
336 ISC_PLATFORM_NORETURN_PRE static void
337 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
340 ns_server_reload(isc_task_t *task, isc_event_t *event);
343 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
344 cfg_aclconfctx_t *actx,
345 isc_mem_t *mctx, ns_listenelt_t **target);
347 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
348 cfg_aclconfctx_t *actx,
349 isc_mem_t *mctx, ns_listenlist_t **target);
352 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
353 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
356 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
357 const cfg_obj_t *alternates);
360 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
361 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
362 cfg_aclconfctx_t *aclconf, isc_boolean_t added);
365 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
368 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
371 newzone_cfgctx_destroy(void **cfgp);
374 * Configure a single view ACL at '*aclp'. Get its configuration from
375 * 'vconfig' (for per-view configuration) and maybe from 'config'
378 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
379 const char *aclname, const char *acltuplename,
380 cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
383 const cfg_obj_t *maps[3];
384 const cfg_obj_t *aclobj = NULL;
388 dns_acl_detach(aclp);
390 maps[i++] = cfg_tuple_get(vconfig, "options");
391 if (config != NULL) {
392 const cfg_obj_t *options = NULL;
393 (void)cfg_map_get(config, "options", &options);
399 (void)ns_config_get(maps, aclname, &aclobj);
402 * No value available. *aclp == NULL.
404 return (ISC_R_SUCCESS);
406 if (acltuplename != NULL) {
408 * If the ACL is given in an optional tuple, retrieve it.
409 * The parser should have ensured that a valid object be
412 aclobj = cfg_tuple_get(aclobj, acltuplename);
415 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
416 actx, mctx, 0, aclp);
422 * Configure a sortlist at '*aclp'. Essentially the same as
423 * configure_view_acl() except it calls cfg_acl_fromconfig with a
424 * nest_level value of 2.
427 configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
428 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
432 const cfg_obj_t *maps[3];
433 const cfg_obj_t *aclobj = NULL;
437 dns_acl_detach(aclp);
439 maps[i++] = cfg_tuple_get(vconfig, "options");
440 if (config != NULL) {
441 const cfg_obj_t *options = NULL;
442 (void)cfg_map_get(config, "options", &options);
448 (void)ns_config_get(maps, "sortlist", &aclobj);
450 return (ISC_R_SUCCESS);
453 * Use a nest level of 3 for the "top level" of the sortlist;
454 * this means each entry in the top three levels will be stored
455 * as lists of separate, nested ACLs, rather than merged together
456 * into IP tables as is usually done with ACLs.
458 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
459 actx, mctx, 3, aclp);
465 configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
466 const char *confname, const char *conftuplename,
467 isc_mem_t *mctx, dns_rbt_t **rbtp)
470 const cfg_obj_t *maps[3];
471 const cfg_obj_t *obj = NULL;
472 const cfg_listelt_t *element;
474 dns_fixedname_t fixed;
478 const cfg_obj_t *nameobj;
481 dns_rbt_destroy(rbtp);
483 maps[i++] = cfg_tuple_get(vconfig, "options");
484 if (config != NULL) {
485 const cfg_obj_t *options = NULL;
486 (void)cfg_map_get(config, "options", &options);
492 (void)ns_config_get(maps, confname, &obj);
495 * No value available. *rbtp == NULL.
497 return (ISC_R_SUCCESS);
499 if (conftuplename != NULL) {
500 obj = cfg_tuple_get(obj, conftuplename);
501 if (cfg_obj_isvoid(obj))
502 return (ISC_R_SUCCESS);
505 result = dns_rbt_create(mctx, NULL, NULL, rbtp);
506 if (result != ISC_R_SUCCESS)
509 dns_fixedname_init(&fixed);
510 name = dns_fixedname_name(&fixed);
511 for (element = cfg_list_first(obj);
513 element = cfg_list_next(element)) {
514 nameobj = cfg_listelt_value(element);
515 str = cfg_obj_asstring(nameobj);
516 isc_buffer_constinit(&b, str, strlen(str));
517 isc_buffer_add(&b, strlen(str));
518 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
520 * We don't need the node data, but need to set dummy data to
521 * avoid a partial match with an empty node. For example, if
522 * we have foo.example.com and bar.example.com, we'd get a match
523 * for baz.example.com, which is not the expected result.
524 * We simply use (void *)1 as the dummy data.
526 result = dns_rbt_addname(*rbtp, name, (void *)1);
527 if (result != ISC_R_SUCCESS) {
528 cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
529 "failed to add %s for %s: %s",
530 str, confname, isc_result_totext(result));
539 dns_rbt_destroy(rbtp);
545 dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
546 isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
548 dns_rdataclass_t viewclass;
549 dns_rdata_dnskey_t keystruct;
550 isc_uint32_t flags, proto, alg;
551 const char *keystr, *keynamestr;
552 unsigned char keydata[4096];
553 isc_buffer_t keydatabuf;
554 unsigned char rrdata[4096];
555 isc_buffer_t rrdatabuf;
557 dns_fixedname_t fkeyname;
559 isc_buffer_t namebuf;
561 dst_key_t *dstkey = NULL;
563 INSIST(target != NULL && *target == NULL);
565 flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
566 proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
567 alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
568 keyname = dns_fixedname_name(&fkeyname);
569 keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
572 const char *initmethod;
573 initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
575 if (strcasecmp(initmethod, "initial-key") != 0) {
576 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
578 "invalid initialization method '%s'",
579 keynamestr, initmethod);
580 result = ISC_R_FAILURE;
586 viewclass = dns_rdataclass_in;
588 const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
589 CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
592 keystruct.common.rdclass = viewclass;
593 keystruct.common.rdtype = dns_rdatatype_dnskey;
595 * The key data in keystruct is not dynamically allocated.
597 keystruct.mctx = NULL;
599 ISC_LINK_INIT(&keystruct.common, link);
602 CHECKM(ISC_R_RANGE, "key flags");
604 CHECKM(ISC_R_RANGE, "key protocol");
606 CHECKM(ISC_R_RANGE, "key algorithm");
607 keystruct.flags = (isc_uint16_t)flags;
608 keystruct.protocol = (isc_uint8_t)proto;
609 keystruct.algorithm = (isc_uint8_t)alg;
611 isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
612 isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
614 keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
615 CHECK(isc_base64_decodestring(keystr, &keydatabuf));
616 isc_buffer_usedregion(&keydatabuf, &r);
617 keystruct.datalen = r.length;
618 keystruct.data = r.base;
620 if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
621 keystruct.algorithm == DST_ALG_RSAMD5) &&
622 r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
623 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
624 "%s key '%s' has a weak exponent",
625 managed ? "managed" : "trusted",
628 CHECK(dns_rdata_fromstruct(NULL,
629 keystruct.common.rdclass,
630 keystruct.common.rdtype,
631 &keystruct, &rrdatabuf));
632 dns_fixedname_init(&fkeyname);
633 isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
634 isc_buffer_add(&namebuf, strlen(keynamestr));
635 CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
636 CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
640 return (ISC_R_SUCCESS);
643 if (result == DST_R_NOCRYPTO) {
644 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
645 "ignoring %s key for '%s': no crypto support",
646 managed ? "managed" : "trusted",
648 } else if (result == DST_R_UNSUPPORTEDALG) {
649 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
650 "skipping %s key for '%s': %s",
651 managed ? "managed" : "trusted",
652 keynamestr, isc_result_totext(result));
654 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
655 "configuring %s key for '%s': %s",
656 managed ? "managed" : "trusted",
657 keynamestr, isc_result_totext(result));
658 result = ISC_R_FAILURE;
662 dst_key_free(&dstkey);
668 load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
669 dns_view_t *view, isc_boolean_t managed,
670 dns_name_t *keyname, isc_mem_t *mctx)
672 const cfg_listelt_t *elt, *elt2;
673 const cfg_obj_t *key, *keylist;
674 dst_key_t *dstkey = NULL;
676 dns_keytable_t *secroots = NULL;
678 CHECK(dns_view_getsecroots(view, &secroots));
680 for (elt = cfg_list_first(keys);
682 elt = cfg_list_next(elt)) {
683 keylist = cfg_listelt_value(elt);
685 for (elt2 = cfg_list_first(keylist);
687 elt2 = cfg_list_next(elt2)) {
688 key = cfg_listelt_value(elt2);
689 result = dstkey_fromconfig(vconfig, key, managed,
691 if (result == DST_R_UNSUPPORTEDALG) {
692 result = ISC_R_SUCCESS;
695 if (result != ISC_R_SUCCESS)
699 * If keyname was specified, we only add that key.
701 if (keyname != NULL &&
702 !dns_name_equal(keyname, dst_key_name(dstkey)))
704 dst_key_free(&dstkey);
708 CHECK(dns_keytable_add(secroots, managed, &dstkey));
714 dst_key_free(&dstkey);
715 if (secroots != NULL)
716 dns_keytable_detach(&secroots);
717 if (result == DST_R_NOCRYPTO)
718 result = ISC_R_SUCCESS;
723 * Configure DNSSEC keys for a view.
725 * The per-view configuration values and the server-global defaults are read
726 * from 'vconfig' and 'config'.
729 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
730 const cfg_obj_t *config, const cfg_obj_t *bindkeys,
731 isc_boolean_t auto_dlv, isc_boolean_t auto_root,
734 isc_result_t result = ISC_R_SUCCESS;
735 const cfg_obj_t *view_keys = NULL;
736 const cfg_obj_t *global_keys = NULL;
737 const cfg_obj_t *view_managed_keys = NULL;
738 const cfg_obj_t *global_managed_keys = NULL;
739 const cfg_obj_t *maps[4];
740 const cfg_obj_t *voptions = NULL;
741 const cfg_obj_t *options = NULL;
742 const cfg_obj_t *obj = NULL;
743 const char *directory;
746 /* We don't need trust anchors for the _bind view */
747 if (strcmp(view->name, "_bind") == 0 &&
748 view->rdclass == dns_rdataclass_chaos) {
749 return (ISC_R_SUCCESS);
752 if (vconfig != NULL) {
753 voptions = cfg_tuple_get(vconfig, "options");
754 if (voptions != NULL) {
755 (void) cfg_map_get(voptions, "trusted-keys",
757 (void) cfg_map_get(voptions, "managed-keys",
759 maps[i++] = voptions;
763 if (config != NULL) {
764 (void)cfg_map_get(config, "trusted-keys", &global_keys);
765 (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
766 (void)cfg_map_get(config, "options", &options);
767 if (options != NULL) {
772 maps[i++] = ns_g_defaults;
775 result = dns_view_initsecroots(view, mctx);
776 if (result != ISC_R_SUCCESS) {
777 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
778 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
779 "couldn't create keytable");
780 return (ISC_R_UNEXPECTED);
783 if (auto_dlv && view->rdclass == dns_rdataclass_in) {
784 const cfg_obj_t *builtin_keys = NULL;
785 const cfg_obj_t *builtin_managed_keys = NULL;
787 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
788 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
789 "using built-in DLV key for view %s",
793 * If bind.keys exists, it overrides the managed-keys
794 * clause hard-coded in ns_g_config.
796 if (bindkeys != NULL) {
797 (void)cfg_map_get(bindkeys, "trusted-keys",
799 (void)cfg_map_get(bindkeys, "managed-keys",
800 &builtin_managed_keys);
802 (void)cfg_map_get(ns_g_config, "trusted-keys",
804 (void)cfg_map_get(ns_g_config, "managed-keys",
805 &builtin_managed_keys);
808 if (builtin_keys != NULL)
809 CHECK(load_view_keys(builtin_keys, vconfig, view,
810 ISC_FALSE, view->dlv, mctx));
811 if (builtin_managed_keys != NULL)
812 CHECK(load_view_keys(builtin_managed_keys, vconfig,
813 view, ISC_TRUE, view->dlv, mctx));
816 if (auto_root && view->rdclass == dns_rdataclass_in) {
817 const cfg_obj_t *builtin_keys = NULL;
818 const cfg_obj_t *builtin_managed_keys = NULL;
820 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
821 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
822 "using built-in root key for view %s",
826 * If bind.keys exists, it overrides the managed-keys
827 * clause hard-coded in ns_g_config.
829 if (bindkeys != NULL) {
830 (void)cfg_map_get(bindkeys, "trusted-keys",
832 (void)cfg_map_get(bindkeys, "managed-keys",
833 &builtin_managed_keys);
835 (void)cfg_map_get(ns_g_config, "trusted-keys",
837 (void)cfg_map_get(ns_g_config, "managed-keys",
838 &builtin_managed_keys);
841 if (builtin_keys != NULL)
842 CHECK(load_view_keys(builtin_keys, vconfig, view,
843 ISC_FALSE, dns_rootname, mctx));
844 if (builtin_managed_keys != NULL)
845 CHECK(load_view_keys(builtin_managed_keys, vconfig,
846 view, ISC_TRUE, dns_rootname,
850 CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
852 CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
855 if (view->rdclass == dns_rdataclass_in) {
856 CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
858 CHECK(load_view_keys(global_managed_keys, vconfig, view,
859 ISC_TRUE, NULL, mctx));
863 * Add key zone for managed-keys.
866 (void)ns_config_get(maps, "managed-keys-directory", &obj);
867 directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
868 if (directory != NULL)
869 result = isc_file_isdirectory(directory);
870 if (result != ISC_R_SUCCESS) {
871 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
872 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
873 "invalid managed-keys-directory %s: %s",
874 directory, isc_result_totext(result));
878 CHECK(add_keydata_zone(view, directory, ns_g_mctx));
885 mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
886 const cfg_listelt_t *element;
887 const cfg_obj_t *obj;
889 dns_fixedname_t fixed;
895 dns_fixedname_init(&fixed);
896 name = dns_fixedname_name(&fixed);
897 for (element = cfg_list_first(mbs);
899 element = cfg_list_next(element))
901 obj = cfg_listelt_value(element);
902 str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
903 isc_buffer_constinit(&b, str, strlen(str));
904 isc_buffer_add(&b, strlen(str));
905 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
906 value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
907 CHECK(dns_resolver_setmustbesecure(resolver, name, value));
910 result = ISC_R_SUCCESS;
917 * Get a dispatch appropriate for the resolver of a given view.
920 get_view_querysource_dispatch(const cfg_obj_t **maps,
921 int af, dns_dispatch_t **dispatchp,
922 isc_boolean_t is_firstview)
924 isc_result_t result = ISC_R_FAILURE;
925 dns_dispatch_t *disp;
927 unsigned int attrs, attrmask;
928 const cfg_obj_t *obj = NULL;
929 unsigned int maxdispatchbuffers;
933 result = ns_config_get(maps, "query-source", &obj);
934 INSIST(result == ISC_R_SUCCESS);
937 result = ns_config_get(maps, "query-source-v6", &obj);
938 INSIST(result == ISC_R_SUCCESS);
944 sa = *(cfg_obj_assockaddr(obj));
945 INSIST(isc_sockaddr_pf(&sa) == af);
948 * If we don't support this address family, we're done!
952 result = isc_net_probeipv4();
955 result = isc_net_probeipv6();
960 if (result != ISC_R_SUCCESS)
961 return (ISC_R_SUCCESS);
964 * Try to find a dispatcher that we can share.
967 attrs |= DNS_DISPATCHATTR_UDP;
970 attrs |= DNS_DISPATCHATTR_IPV4;
973 attrs |= DNS_DISPATCHATTR_IPV6;
976 if (isc_sockaddr_getport(&sa) == 0) {
977 attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
978 maxdispatchbuffers = 4096;
982 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
983 "using specific query-source port "
984 "suppresses port randomization and can be "
987 maxdispatchbuffers = 1000;
991 attrmask |= DNS_DISPATCHATTR_UDP;
992 attrmask |= DNS_DISPATCHATTR_TCP;
993 attrmask |= DNS_DISPATCHATTR_IPV4;
994 attrmask |= DNS_DISPATCHATTR_IPV6;
997 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
998 ns_g_taskmgr, &sa, 4096,
999 maxdispatchbuffers, 32768, 16411, 16433,
1000 attrs, attrmask, &disp);
1001 if (result != ISC_R_SUCCESS) {
1003 char buf[ISC_SOCKADDR_FORMATSIZE];
1007 isc_sockaddr_any(&any);
1010 isc_sockaddr_any6(&any);
1013 if (isc_sockaddr_equal(&sa, &any))
1014 return (ISC_R_SUCCESS);
1015 isc_sockaddr_format(&sa, buf, sizeof(buf));
1016 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1017 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
1018 "could not get query source dispatcher (%s)",
1025 return (ISC_R_SUCCESS);
1029 configure_order(dns_order_t *order, const cfg_obj_t *ent) {
1030 dns_rdataclass_t rdclass;
1031 dns_rdatatype_t rdtype;
1032 const cfg_obj_t *obj;
1033 dns_fixedname_t fixed;
1034 unsigned int mode = 0;
1037 isc_result_t result;
1038 isc_boolean_t addroot;
1040 result = ns_config_getclass(cfg_tuple_get(ent, "class"),
1041 dns_rdataclass_any, &rdclass);
1042 if (result != ISC_R_SUCCESS)
1045 result = ns_config_gettype(cfg_tuple_get(ent, "type"),
1046 dns_rdatatype_any, &rdtype);
1047 if (result != ISC_R_SUCCESS)
1050 obj = cfg_tuple_get(ent, "name");
1051 if (cfg_obj_isstring(obj))
1052 str = cfg_obj_asstring(obj);
1055 addroot = ISC_TF(strcmp(str, "*") == 0);
1056 isc_buffer_constinit(&b, str, strlen(str));
1057 isc_buffer_add(&b, strlen(str));
1058 dns_fixedname_init(&fixed);
1059 result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
1060 dns_rootname, 0, NULL);
1061 if (result != ISC_R_SUCCESS)
1064 obj = cfg_tuple_get(ent, "ordering");
1065 INSIST(cfg_obj_isstring(obj));
1066 str = cfg_obj_asstring(obj);
1067 if (!strcasecmp(str, "fixed"))
1068 mode = DNS_RDATASETATTR_FIXEDORDER;
1069 else if (!strcasecmp(str, "random"))
1070 mode = DNS_RDATASETATTR_RANDOMIZE;
1071 else if (!strcasecmp(str, "cyclic"))
1077 * "*" should match everything including the root (BIND 8 compat).
1078 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
1079 * explicit entry for "." when the name is "*".
1082 result = dns_order_add(order, dns_rootname,
1083 rdtype, rdclass, mode);
1084 if (result != ISC_R_SUCCESS)
1088 return (dns_order_add(order, dns_fixedname_name(&fixed),
1089 rdtype, rdclass, mode));
1093 configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
1096 const cfg_obj_t *obj;
1098 isc_result_t result;
1099 unsigned int prefixlen;
1101 cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
1104 result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
1105 if (result != ISC_R_SUCCESS)
1109 (void)cfg_map_get(cpeer, "bogus", &obj);
1111 CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
1114 (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
1116 CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
1119 (void)cfg_map_get(cpeer, "request-ixfr", &obj);
1121 CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
1124 (void)cfg_map_get(cpeer, "request-nsid", &obj);
1126 CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
1129 (void)cfg_map_get(cpeer, "edns", &obj);
1131 CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
1134 (void)cfg_map_get(cpeer, "edns-udp-size", &obj);
1136 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1141 CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
1145 (void)cfg_map_get(cpeer, "max-udp-size", &obj);
1147 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1152 CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
1156 (void)cfg_map_get(cpeer, "transfers", &obj);
1158 CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
1161 (void)cfg_map_get(cpeer, "transfer-format", &obj);
1163 str = cfg_obj_asstring(obj);
1164 if (strcasecmp(str, "many-answers") == 0)
1165 CHECK(dns_peer_settransferformat(peer,
1167 else if (strcasecmp(str, "one-answer") == 0)
1168 CHECK(dns_peer_settransferformat(peer,
1175 (void)cfg_map_get(cpeer, "keys", &obj);
1177 result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
1178 if (result != ISC_R_SUCCESS)
1183 if (na.family == AF_INET)
1184 (void)cfg_map_get(cpeer, "transfer-source", &obj);
1186 (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
1188 result = dns_peer_settransfersource(peer,
1189 cfg_obj_assockaddr(obj));
1190 if (result != ISC_R_SUCCESS)
1192 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1196 if (na.family == AF_INET)
1197 (void)cfg_map_get(cpeer, "notify-source", &obj);
1199 (void)cfg_map_get(cpeer, "notify-source-v6", &obj);
1201 result = dns_peer_setnotifysource(peer,
1202 cfg_obj_assockaddr(obj));
1203 if (result != ISC_R_SUCCESS)
1205 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1209 if (na.family == AF_INET)
1210 (void)cfg_map_get(cpeer, "query-source", &obj);
1212 (void)cfg_map_get(cpeer, "query-source-v6", &obj);
1214 result = dns_peer_setquerysource(peer,
1215 cfg_obj_assockaddr(obj));
1216 if (result != ISC_R_SUCCESS)
1218 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1222 return (ISC_R_SUCCESS);
1225 dns_peer_detach(&peer);
1230 disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
1231 isc_result_t result;
1232 const cfg_obj_t *algorithms;
1233 const cfg_listelt_t *element;
1235 dns_fixedname_t fixed;
1239 dns_fixedname_init(&fixed);
1240 name = dns_fixedname_name(&fixed);
1241 str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
1242 isc_buffer_constinit(&b, str, strlen(str));
1243 isc_buffer_add(&b, strlen(str));
1244 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1246 algorithms = cfg_tuple_get(disabled, "algorithms");
1247 for (element = cfg_list_first(algorithms);
1249 element = cfg_list_next(element))
1254 DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
1255 r.length = strlen(r.base);
1257 result = dns_secalg_fromtext(&alg, &r);
1258 if (result != ISC_R_SUCCESS) {
1260 result = isc_parse_uint8(&ui, r.base, 10);
1263 if (result != ISC_R_SUCCESS) {
1264 cfg_obj_log(cfg_listelt_value(element),
1265 ns_g_lctx, ISC_LOG_ERROR,
1266 "invalid algorithm");
1269 CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
1275 static isc_boolean_t
1276 on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
1277 const cfg_listelt_t *element;
1278 dns_fixedname_t fixed;
1280 isc_result_t result;
1281 const cfg_obj_t *value;
1285 dns_fixedname_init(&fixed);
1286 name = dns_fixedname_name(&fixed);
1288 for (element = cfg_list_first(disablelist);
1290 element = cfg_list_next(element))
1292 value = cfg_listelt_value(element);
1293 str = cfg_obj_asstring(value);
1294 isc_buffer_constinit(&b, str, strlen(str));
1295 isc_buffer_add(&b, strlen(str));
1296 result = dns_name_fromtext(name, &b, dns_rootname,
1298 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1299 if (dns_name_equal(name, zonename))
1306 check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
1311 isc_result_t result;
1313 result = dns_zone_getdbtype(*zonep, &argv, mctx);
1314 if (result != ISC_R_SUCCESS) {
1315 dns_zone_detach(zonep);
1320 * Check that all the arguments match.
1322 for (i = 0; i < dbtypec; i++)
1323 if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
1324 dns_zone_detach(zonep);
1329 * Check that there are not extra arguments.
1331 if (i == dbtypec && argv[i] != NULL)
1332 dns_zone_detach(zonep);
1333 isc_mem_free(mctx, argv);
1337 setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
1338 isc_result_t result;
1339 isc_stats_t *zoneqrystats;
1341 zoneqrystats = NULL;
1343 result = isc_stats_create(mctx, &zoneqrystats,
1344 dns_nsstatscounter_max);
1345 if (result != ISC_R_SUCCESS)
1348 dns_zone_setrequeststats(zone, zoneqrystats);
1349 if (zoneqrystats != NULL)
1350 isc_stats_detach(&zoneqrystats);
1352 return (ISC_R_SUCCESS);
1356 cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
1359 for (nsc = ISC_LIST_HEAD(*cachelist);
1361 nsc = ISC_LIST_NEXT(nsc, link)) {
1362 if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
1369 static isc_boolean_t
1370 cache_reusable(dns_view_t *originview, dns_view_t *view,
1371 isc_boolean_t new_zero_no_soattl)
1373 if (originview->checknames != view->checknames ||
1374 dns_resolver_getzeronosoattl(originview->resolver) !=
1375 new_zero_no_soattl ||
1376 originview->acceptexpired != view->acceptexpired ||
1377 originview->enablevalidation != view->enablevalidation ||
1378 originview->maxcachettl != view->maxcachettl ||
1379 originview->maxncachettl != view->maxncachettl) {
1386 static isc_boolean_t
1387 cache_sharable(dns_view_t *originview, dns_view_t *view,
1388 isc_boolean_t new_zero_no_soattl,
1389 unsigned int new_cleaning_interval,
1390 isc_uint32_t new_max_cache_size)
1393 * If the cache cannot even reused for the same view, it cannot be
1394 * shared with other views.
1396 if (!cache_reusable(originview, view, new_zero_no_soattl))
1400 * Check other cache related parameters that must be consistent among
1401 * the sharing views.
1403 if (dns_cache_getcleaninginterval(originview->cache) !=
1404 new_cleaning_interval ||
1405 dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
1413 * Callback from DLZ configure when the driver sets up a writeable zone
1416 dlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
1417 dns_name_t *origin = dns_zone_getorigin(zone);
1418 dns_rdataclass_t zclass = view->rdclass;
1419 isc_result_t result;
1421 result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
1422 if (result != ISC_R_SUCCESS)
1424 dns_zone_setstats(zone, ns_g_server->zonestats);
1426 return ns_zone_configure_writeable_dlz(view->dlzdatabase,
1427 zone, zclass, origin);
1431 dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
1432 unsigned int prefixlen, const char *server,
1433 const char *contact)
1436 char reverse[48+sizeof("ip6.arpa.")];
1437 const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
1438 const char *sep = ": view ";
1439 const char *viewname = view->name;
1440 const unsigned char *s6;
1441 dns_fixedname_t fixed;
1443 dns_zone_t *zone = NULL;
1444 int dns64_dbtypec = 4;
1446 isc_result_t result;
1448 REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
1449 prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
1451 if (!strcmp(viewname, "_default")) {
1457 * Construct the reverse name of the zone.
1460 s6 = na->type.in6.s6_addr;
1461 while (prefixlen > 0) {
1463 sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
1464 (s6[prefixlen/8] >> 4) & 0xf);
1467 strcat(cp, "ip6.arpa.");
1470 * Create the actual zone.
1473 dns64_dbtype[2] = server;
1474 if (contact != NULL)
1475 dns64_dbtype[3] = contact;
1476 dns_fixedname_init(&fixed);
1477 name = dns_fixedname_name(&fixed);
1478 isc_buffer_constinit(&b, reverse, strlen(reverse));
1479 isc_buffer_add(&b, strlen(reverse));
1480 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1481 CHECK(dns_zone_create(&zone, mctx));
1482 CHECK(dns_zone_setorigin(zone, name));
1483 dns_zone_setview(zone, view);
1484 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
1485 dns_zone_setclass(zone, view->rdclass);
1486 dns_zone_settype(zone, dns_zone_master);
1487 dns_zone_setstats(zone, ns_g_server->zonestats);
1488 CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
1489 if (view->queryacl != NULL)
1490 dns_zone_setqueryacl(zone, view->queryacl);
1491 if (view->queryonacl != NULL)
1492 dns_zone_setqueryonacl(zone, view->queryonacl);
1493 dns_zone_setdialup(zone, dns_dialuptype_no);
1494 dns_zone_setnotifytype(zone, dns_notifytype_no);
1495 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
1496 CHECK(setquerystats(zone, mctx, ISC_FALSE)); /* XXXMPA */
1497 CHECK(dns_view_addzone(view, zone));
1498 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
1499 ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
1504 dns_zone_detach(&zone);
1509 configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1510 const char *str, const char *msg)
1512 isc_result_t result;
1514 result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
1515 if (result != ISC_R_SUCCESS)
1516 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1517 "invalid %s '%s'", msg, str);
1522 configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1523 const char *str, const dns_name_t *origin)
1525 isc_result_t result;
1527 result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
1529 if (result != ISC_R_SUCCESS)
1530 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1531 "invalid zone '%s'", str);
1536 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
1537 isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
1539 const cfg_obj_t *rpz_obj, *obj;
1541 dns_rpz_zone_t *old, *new;
1542 isc_result_t result;
1544 rpz_obj = cfg_listelt_value(element);
1546 new = isc_mem_get(view->mctx, sizeof(*new));
1548 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1549 "no memory for response policy zones");
1550 return (ISC_R_NOMEMORY);
1553 memset(new, 0, sizeof(*new));
1554 dns_name_init(&new->origin, NULL);
1555 dns_name_init(&new->nsdname, NULL);
1556 dns_name_init(&new->passthru, NULL);
1557 dns_name_init(&new->cname, NULL);
1558 ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
1560 obj = cfg_tuple_get(rpz_obj, "recursive-only");
1561 if (cfg_obj_isvoid(obj)) {
1562 new->recursive_only = recursive_only_def;
1564 new->recursive_only = cfg_obj_asboolean(obj);
1566 if (!new->recursive_only)
1567 view->rpz_recursive_only = ISC_FALSE;
1569 obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
1570 if (cfg_obj_isuint32(obj)) {
1571 new->max_policy_ttl = cfg_obj_asuint32(obj);
1573 new->max_policy_ttl = ttl_def;
1576 str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
1577 result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
1578 if (result != ISC_R_SUCCESS)
1580 if (dns_name_equal(&new->origin, dns_rootname)) {
1581 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1582 "invalid zone name '%s'", str);
1583 return (DNS_R_EMPTYLABEL);
1585 for (old = ISC_LIST_HEAD(view->rpz_zones);
1587 old = ISC_LIST_NEXT(old, link)) {
1589 if (dns_name_equal(&old->origin, &new->origin)) {
1590 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1591 "duplicate '%s'", str);
1592 result = DNS_R_DUPLICATE;
1597 result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
1598 DNS_RPZ_NSDNAME_ZONE, &new->origin);
1599 if (result != ISC_R_SUCCESS)
1602 result = configure_rpz_name(view, rpz_obj, &new->passthru,
1603 DNS_RPZ_PASSTHRU_ZONE, "zone");
1604 if (result != ISC_R_SUCCESS)
1607 obj = cfg_tuple_get(rpz_obj, "policy");
1608 if (cfg_obj_isvoid(obj)) {
1609 new->policy = DNS_RPZ_POLICY_GIVEN;
1611 str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
1612 new->policy = dns_rpz_str2policy(str);
1613 INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
1614 if (new->policy == DNS_RPZ_POLICY_CNAME) {
1615 str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
1616 result = configure_rpz_name(view, rpz_obj, &new->cname,
1618 if (result != ISC_R_SUCCESS)
1623 return (ISC_R_SUCCESS);
1627 * Configure 'view' according to 'vconfig', taking defaults from 'config'
1628 * where values are missing in 'vconfig'.
1630 * When configuring the default view, 'vconfig' will be NULL and the
1631 * global defaults in 'config' used exclusively.
1634 configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
1635 ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
1636 isc_mem_t *mctx, cfg_aclconfctx_t *actx,
1637 isc_boolean_t need_hints)
1639 const cfg_obj_t *maps[4];
1640 const cfg_obj_t *cfgmaps[3];
1641 const cfg_obj_t *optionmaps[3];
1642 const cfg_obj_t *options = NULL;
1643 const cfg_obj_t *voptions = NULL;
1644 const cfg_obj_t *forwardtype;
1645 const cfg_obj_t *forwarders;
1646 const cfg_obj_t *alternates;
1647 const cfg_obj_t *zonelist;
1648 const cfg_obj_t *dlz;
1649 unsigned int dlzargc;
1651 const cfg_obj_t *disabled;
1652 const cfg_obj_t *obj;
1653 const cfg_listelt_t *element;
1655 dns_cache_t *cache = NULL;
1656 isc_result_t result;
1657 isc_uint32_t max_adb_size;
1658 unsigned int cleaning_interval;
1659 isc_uint32_t max_cache_size;
1660 isc_uint32_t max_acache_size;
1661 isc_uint32_t lame_ttl;
1662 dns_tsig_keyring_t *ring = NULL;
1663 dns_view_t *pview = NULL; /* Production view */
1664 isc_mem_t *cmctx = NULL, *hmctx = NULL;
1665 dns_dispatch_t *dispatch4 = NULL;
1666 dns_dispatch_t *dispatch6 = NULL;
1667 isc_boolean_t reused_cache = ISC_FALSE;
1668 isc_boolean_t shared_cache = ISC_FALSE;
1669 int i = 0, j = 0, k = 0;
1671 const char *cachename = NULL;
1672 dns_order_t *order = NULL;
1673 isc_uint32_t udpsize;
1674 unsigned int resopts = 0;
1675 dns_zone_t *zone = NULL;
1676 isc_uint32_t max_clients_per_query;
1677 const char *sep = ": view ";
1678 const char *viewname = view->name;
1679 const char *forview = " for view ";
1680 isc_boolean_t rfc1918;
1681 isc_boolean_t empty_zones_enable;
1682 const cfg_obj_t *disablelist = NULL;
1683 isc_stats_t *resstats = NULL;
1684 dns_stats_t *resquerystats = NULL;
1685 isc_boolean_t auto_dlv = ISC_FALSE;
1686 isc_boolean_t auto_root = ISC_FALSE;
1688 isc_boolean_t zero_no_soattl;
1689 dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
1690 unsigned int query_timeout;
1691 struct cfg_context *nzctx;
1692 dns_rpz_zone_t *rpz;
1694 REQUIRE(DNS_VIEW_VALID(view));
1697 (void)cfg_map_get(config, "options", &options);
1700 * maps: view options, options, defaults
1701 * cfgmaps: view options, config
1702 * optionmaps: view options, options
1704 if (vconfig != NULL) {
1705 voptions = cfg_tuple_get(vconfig, "options");
1706 maps[i++] = voptions;
1707 optionmaps[j++] = voptions;
1708 cfgmaps[k++] = voptions;
1710 if (options != NULL) {
1711 maps[i++] = options;
1712 optionmaps[j++] = options;
1715 maps[i++] = ns_g_defaults;
1717 optionmaps[j] = NULL;
1719 cfgmaps[k++] = config;
1722 if (!strcmp(viewname, "_default")) {
1730 * Set the view's port number for outgoing queries.
1732 CHECKM(ns_config_getport(config, &port), "port");
1733 dns_view_setdstport(view, port);
1736 * Create additional cache for this view and zones under the view
1737 * if explicitly enabled.
1738 * XXX950 default to on.
1741 (void)ns_config_get(maps, "acache-enable", &obj);
1742 if (obj != NULL && cfg_obj_asboolean(obj)) {
1744 CHECK(isc_mem_create(0, 0, &cmctx));
1745 CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
1747 isc_mem_setname(cmctx, "acache", NULL);
1748 isc_mem_detach(&cmctx);
1750 if (view->acache != NULL) {
1752 result = ns_config_get(maps, "acache-cleaning-interval", &obj);
1753 INSIST(result == ISC_R_SUCCESS);
1754 dns_acache_setcleaninginterval(view->acache,
1755 cfg_obj_asuint32(obj) * 60);
1758 result = ns_config_get(maps, "max-acache-size", &obj);
1759 INSIST(result == ISC_R_SUCCESS);
1760 if (cfg_obj_isstring(obj)) {
1761 str = cfg_obj_asstring(obj);
1762 INSIST(strcasecmp(str, "unlimited") == 0);
1763 max_acache_size = ISC_UINT32_MAX;
1765 isc_resourcevalue_t value;
1767 value = cfg_obj_asuint64(obj);
1768 if (value > ISC_UINT32_MAX) {
1769 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1771 "%" ISC_PRINT_QUADFORMAT
1774 result = ISC_R_RANGE;
1777 max_acache_size = (isc_uint32_t)value;
1779 dns_acache_setcachesize(view->acache, max_acache_size);
1782 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
1783 ns_g_mctx, &view->queryacl));
1784 if (view->queryacl == NULL) {
1785 CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
1786 NULL, actx, ns_g_mctx,
1791 * Make the list of response policy zone names for a view that
1792 * is used for real lookups and so cares about hints.
1795 if (view->rdclass == dns_rdataclass_in && need_hints &&
1796 ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
1797 const cfg_obj_t *rpz_obj;
1798 isc_boolean_t recursive_only_def;
1801 rpz_obj = cfg_tuple_get(obj, "recursive-only");
1802 if (!cfg_obj_isvoid(rpz_obj) &&
1803 !cfg_obj_asboolean(rpz_obj))
1804 recursive_only_def = ISC_FALSE;
1806 recursive_only_def = ISC_TRUE;
1808 rpz_obj = cfg_tuple_get(obj, "break-dnssec");
1809 if (!cfg_obj_isvoid(rpz_obj) &&
1810 cfg_obj_asboolean(rpz_obj))
1811 view->rpz_break_dnssec = ISC_TRUE;
1813 view->rpz_break_dnssec = ISC_FALSE;
1815 rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
1816 if (cfg_obj_isuint32(rpz_obj))
1817 ttl_def = cfg_obj_asuint32(rpz_obj);
1819 ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
1821 rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
1822 if (cfg_obj_isuint32(rpz_obj))
1823 view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
1825 view->rpz_min_ns_labels = 2;
1827 element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
1828 while (element != NULL) {
1829 result = configure_rpz(view, element,
1830 recursive_only_def, ttl_def);
1831 if (result != ISC_R_SUCCESS)
1833 element = cfg_list_next(element);
1838 * Configure the zones.
1841 if (voptions != NULL)
1842 (void)cfg_map_get(voptions, "zone", &zonelist);
1844 (void)cfg_map_get(config, "zone", &zonelist);
1847 * Load zone configuration
1849 for (element = cfg_list_first(zonelist);
1851 element = cfg_list_next(element))
1853 const cfg_obj_t *zconfig = cfg_listelt_value(element);
1854 CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
1858 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
1860 rpz = ISC_LIST_NEXT(rpz, link))
1862 if (!rpz->defined) {
1863 char namebuf[DNS_NAME_FORMATSIZE];
1865 dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
1866 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1867 "'%s' is not a master or slave zone",
1869 result = ISC_R_NOTFOUND;
1875 * If we're allowing added zones, then load zone configuration
1876 * from the newzone file for zones that were added during previous
1879 nzctx = view->new_zone_config;
1880 if (nzctx != NULL && nzctx->nzconfig != NULL) {
1881 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1882 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
1883 "loading additional zones for view '%s'",
1887 cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
1889 for (element = cfg_list_first(zonelist);
1891 element = cfg_list_next(element))
1893 const cfg_obj_t *zconfig = cfg_listelt_value(element);
1894 CHECK(configure_zone(config, zconfig, vconfig,
1901 * Create Dynamically Loadable Zone driver.
1904 if (voptions != NULL)
1905 (void)cfg_map_get(voptions, "dlz", &dlz);
1907 (void)cfg_map_get(config, "dlz", &dlz);
1911 (void)cfg_map_get(cfg_tuple_get(dlz, "options"),
1914 char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
1916 result = ISC_R_NOMEMORY;
1920 result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
1921 if (result != ISC_R_SUCCESS) {
1922 isc_mem_free(mctx, s);
1926 obj = cfg_tuple_get(dlz, "name");
1927 result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
1928 dlzargv[0], dlzargc, dlzargv,
1929 &view->dlzdatabase);
1930 isc_mem_free(mctx, s);
1931 isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
1932 if (result != ISC_R_SUCCESS)
1936 * If the dlz backend supports configuration,
1937 * then call its configure method now.
1939 result = dns_dlzconfigure(view, dlzconfigure_callback);
1940 if (result != ISC_R_SUCCESS)
1946 * Obtain configuration parameters that affect the decision of whether
1947 * we can reuse/share an existing cache.
1950 result = ns_config_get(maps, "cleaning-interval", &obj);
1951 INSIST(result == ISC_R_SUCCESS);
1952 cleaning_interval = cfg_obj_asuint32(obj) * 60;
1955 result = ns_config_get(maps, "max-cache-size", &obj);
1956 INSIST(result == ISC_R_SUCCESS);
1957 if (cfg_obj_isstring(obj)) {
1958 str = cfg_obj_asstring(obj);
1959 INSIST(strcasecmp(str, "unlimited") == 0);
1960 max_cache_size = ISC_UINT32_MAX;
1962 isc_resourcevalue_t value;
1963 value = cfg_obj_asuint64(obj);
1964 if (value > ISC_UINT32_MAX) {
1965 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1967 "%" ISC_PRINT_QUADFORMAT "d' is too large",
1969 result = ISC_R_RANGE;
1972 max_cache_size = (isc_uint32_t)value;
1977 result = ns_checknames_get(maps, "response", &obj);
1978 INSIST(result == ISC_R_SUCCESS);
1980 str = cfg_obj_asstring(obj);
1981 if (strcasecmp(str, "fail") == 0) {
1982 resopts |= DNS_RESOLVER_CHECKNAMES |
1983 DNS_RESOLVER_CHECKNAMESFAIL;
1984 view->checknames = ISC_TRUE;
1985 } else if (strcasecmp(str, "warn") == 0) {
1986 resopts |= DNS_RESOLVER_CHECKNAMES;
1987 view->checknames = ISC_FALSE;
1988 } else if (strcasecmp(str, "ignore") == 0) {
1989 view->checknames = ISC_FALSE;
1994 result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
1995 INSIST(result == ISC_R_SUCCESS);
1996 zero_no_soattl = cfg_obj_asboolean(obj);
1999 result = ns_config_get(maps, "dns64", &obj);
2000 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
2001 strcmp(view->name, "_meta")) {
2002 const cfg_listelt_t *element;
2003 isc_netaddr_t na, suffix, *sp;
2004 unsigned int prefixlen;
2005 const char *server, *contact;
2006 const cfg_obj_t *myobj;
2009 result = ns_config_get(maps, "dns64-server", &myobj);
2010 if (result == ISC_R_SUCCESS)
2011 server = cfg_obj_asstring(myobj);
2016 result = ns_config_get(maps, "dns64-contact", &myobj);
2017 if (result == ISC_R_SUCCESS)
2018 contact = cfg_obj_asstring(myobj);
2022 for (element = cfg_list_first(obj);
2024 element = cfg_list_next(element))
2026 const cfg_obj_t *map = cfg_listelt_value(element);
2027 dns_dns64_t *dns64 = NULL;
2028 unsigned int dns64options = 0;
2030 cfg_obj_asnetprefix(cfg_map_getname(map), &na,
2034 (void)cfg_map_get(map, "suffix", &obj);
2037 isc_netaddr_fromsockaddr(sp,
2038 cfg_obj_assockaddr(obj));
2042 clients = mapped = excluded = NULL;
2044 (void)cfg_map_get(map, "clients", &obj);
2046 result = cfg_acl_fromconfig(obj, config,
2049 if (result != ISC_R_SUCCESS)
2053 (void)cfg_map_get(map, "mapped", &obj);
2055 result = cfg_acl_fromconfig(obj, config,
2058 if (result != ISC_R_SUCCESS)
2062 (void)cfg_map_get(map, "exclude", &obj);
2064 result = cfg_acl_fromconfig(obj, config,
2066 mctx, 0, &excluded);
2067 if (result != ISC_R_SUCCESS)
2072 (void)cfg_map_get(map, "recursive-only", &obj);
2073 if (obj != NULL && cfg_obj_asboolean(obj))
2074 dns64options |= DNS_DNS64_RECURSIVE_ONLY;
2077 (void)cfg_map_get(map, "break-dnssec", &obj);
2078 if (obj != NULL && cfg_obj_asboolean(obj))
2079 dns64options |= DNS_DNS64_BREAK_DNSSEC;
2081 result = dns_dns64_create(mctx, &na, prefixlen, sp,
2082 clients, mapped, excluded,
2083 dns64options, &dns64);
2084 if (result != ISC_R_SUCCESS)
2086 dns_dns64_append(&view->dns64, dns64);
2088 result = dns64_reverse(view, mctx, &na, prefixlen,
2090 if (result != ISC_R_SUCCESS)
2092 if (clients != NULL)
2093 dns_acl_detach(&clients);
2095 dns_acl_detach(&mapped);
2096 if (excluded != NULL)
2097 dns_acl_detach(&excluded);
2102 result = ns_config_get(maps, "dnssec-accept-expired", &obj);
2103 INSIST(result == ISC_R_SUCCESS);
2104 view->acceptexpired = cfg_obj_asboolean(obj);
2107 result = ns_config_get(maps, "dnssec-validation", &obj);
2108 INSIST(result == ISC_R_SUCCESS);
2109 if (cfg_obj_isboolean(obj)) {
2110 view->enablevalidation = cfg_obj_asboolean(obj);
2112 /* If dnssec-validation is not boolean, it must be "auto" */
2113 view->enablevalidation = ISC_TRUE;
2114 auto_root = ISC_TRUE;
2118 result = ns_config_get(maps, "max-cache-ttl", &obj);
2119 INSIST(result == ISC_R_SUCCESS);
2120 view->maxcachettl = cfg_obj_asuint32(obj);
2123 result = ns_config_get(maps, "max-ncache-ttl", &obj);
2124 INSIST(result == ISC_R_SUCCESS);
2125 view->maxncachettl = cfg_obj_asuint32(obj);
2126 if (view->maxncachettl > 7 * 24 * 3600)
2127 view->maxncachettl = 7 * 24 * 3600;
2130 * Configure the view's cache.
2132 * First, check to see if there are any attach-cache options. If yes,
2133 * attempt to lookup an existing cache at attach it to the view. If
2134 * there is not one, then try to reuse an existing cache if possible;
2135 * otherwise create a new cache.
2137 * Note that the ADB is not preserved or shared in either case.
2139 * When a matching view is found, the associated statistics are also
2140 * retrieved and reused.
2142 * XXX Determining when it is safe to reuse or share a cache is tricky.
2143 * When the view's configuration changes, the cached data may become
2144 * invalid because it reflects our old view of the world. We check
2145 * some of the configuration parameters that could invalidate the cache
2146 * or otherwise make it unsharable, but there are other configuration
2147 * options that should be checked. For example, if a view uses a
2148 * forwarder, changes in the forwarder configuration may invalidate
2149 * the cache. At the moment, it's the administrator's responsibility to
2150 * ensure these configuration options don't invalidate reusing/sharing.
2153 result = ns_config_get(maps, "attach-cache", &obj);
2154 if (result == ISC_R_SUCCESS)
2155 cachename = cfg_obj_asstring(obj);
2157 cachename = view->name;
2159 nsc = cachelist_find(cachelist, cachename);
2161 if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
2162 cleaning_interval, max_cache_size)) {
2163 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2164 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2165 "views %s and %s can't share the cache "
2166 "due to configuration parameter mismatch",
2167 nsc->primaryview->name, view->name);
2168 result = ISC_R_FAILURE;
2171 dns_cache_attach(nsc->cache, &cache);
2172 shared_cache = ISC_TRUE;
2174 if (strcmp(cachename, view->name) == 0) {
2175 result = dns_viewlist_find(&ns_g_server->viewlist,
2176 cachename, view->rdclass,
2178 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2180 if (pview != NULL) {
2181 if (!cache_reusable(pview, view,
2183 isc_log_write(ns_g_lctx,
2184 NS_LOGCATEGORY_GENERAL,
2185 NS_LOGMODULE_SERVER,
2187 "cache cannot be reused "
2188 "for view %s due to "
2189 "configuration parameter "
2190 "mismatch", view->name);
2192 INSIST(pview->cache != NULL);
2193 isc_log_write(ns_g_lctx,
2194 NS_LOGCATEGORY_GENERAL,
2195 NS_LOGMODULE_SERVER,
2197 "reusing existing cache");
2198 reused_cache = ISC_TRUE;
2199 dns_cache_attach(pview->cache, &cache);
2201 dns_view_getresstats(pview, &resstats);
2202 dns_view_getresquerystats(pview,
2204 dns_view_detach(&pview);
2207 if (cache == NULL) {
2209 * Create a cache with the desired name. This normally
2210 * equals the view name, but may also be a forward
2211 * reference to a view that share the cache with this
2212 * view but is not yet configured. If it is not the
2213 * view name but not a forward reference either, then it
2214 * is simply a named cache that is not shared.
2216 * We use two separate memory contexts for the
2217 * cache, for the main cache memory and the heap
2220 CHECK(isc_mem_create(0, 0, &cmctx));
2221 isc_mem_setname(cmctx, "cache", NULL);
2222 CHECK(isc_mem_create(0, 0, &hmctx));
2223 isc_mem_setname(hmctx, "cache_heap", NULL);
2224 CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
2225 ns_g_timermgr, view->rdclass,
2226 cachename, "rbt", 0, NULL,
2228 isc_mem_detach(&cmctx);
2229 isc_mem_detach(&hmctx);
2231 nsc = isc_mem_get(mctx, sizeof(*nsc));
2233 result = ISC_R_NOMEMORY;
2237 dns_cache_attach(cache, &nsc->cache);
2238 nsc->primaryview = view;
2239 nsc->needflush = ISC_FALSE;
2240 nsc->adbsizeadjusted = ISC_FALSE;
2241 ISC_LINK_INIT(nsc, link);
2242 ISC_LIST_APPEND(*cachelist, nsc, link);
2244 dns_view_setcache2(view, cache, shared_cache);
2247 * cache-file cannot be inherited if views are present, but this
2248 * should be caught by the configuration checking stage.
2251 result = ns_config_get(maps, "cache-file", &obj);
2252 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
2253 CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
2254 if (!reused_cache && !shared_cache)
2255 CHECK(dns_cache_load(cache));
2258 dns_cache_setcleaninginterval(cache, cleaning_interval);
2259 dns_cache_setcachesize(cache, max_cache_size);
2261 dns_cache_detach(&cache);
2266 * XXXRTH Hardwired number of tasks.
2268 CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
2269 ISC_TF(ISC_LIST_PREV(view, link)
2271 CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
2272 ISC_TF(ISC_LIST_PREV(view, link)
2274 if (dispatch4 == NULL && dispatch6 == NULL) {
2275 UNEXPECTED_ERROR(__FILE__, __LINE__,
2276 "unable to obtain neither an IPv4 nor"
2277 " an IPv6 dispatch");
2278 result = ISC_R_UNEXPECTED;
2281 CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
2282 ns_g_socketmgr, ns_g_timermgr,
2283 resopts, ns_g_dispatchmgr,
2284 dispatch4, dispatch6));
2286 if (resstats == NULL) {
2287 CHECK(isc_stats_create(mctx, &resstats,
2288 dns_resstatscounter_max));
2290 dns_view_setresstats(view, resstats);
2291 if (resquerystats == NULL)
2292 CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
2293 dns_view_setresquerystats(view, resquerystats);
2296 * Set the ADB cache size to 1/8th of the max-cache-size or
2297 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
2300 if (max_cache_size != 0U) {
2301 max_adb_size = max_cache_size / 8;
2302 if (max_adb_size == 0U)
2303 max_adb_size = 1; /* Force minimum. */
2304 if (view != nsc->primaryview &&
2305 max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
2306 max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
2307 if (!nsc->adbsizeadjusted) {
2308 dns_adb_setadbsize(nsc->primaryview->adb,
2309 MAX_ADB_SIZE_FOR_CACHESHARE);
2310 nsc->adbsizeadjusted = ISC_TRUE;
2314 dns_adb_setadbsize(view->adb, max_adb_size);
2317 * Set resolver's lame-ttl.
2320 result = ns_config_get(maps, "lame-ttl", &obj);
2321 INSIST(result == ISC_R_SUCCESS);
2322 lame_ttl = cfg_obj_asuint32(obj);
2323 if (lame_ttl > 1800)
2325 dns_resolver_setlamettl(view->resolver, lame_ttl);
2328 * Set the resolver's query timeout.
2331 result = ns_config_get(maps, "resolver-query-timeout", &obj);
2332 INSIST(result == ISC_R_SUCCESS);
2333 query_timeout = cfg_obj_asuint32(obj);
2334 dns_resolver_settimeout(view->resolver, query_timeout);
2336 /* Specify whether to use 0-TTL for negative response for SOA query */
2337 dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
2340 * Set the resolver's EDNS UDP size.
2343 result = ns_config_get(maps, "edns-udp-size", &obj);
2344 INSIST(result == ISC_R_SUCCESS);
2345 udpsize = cfg_obj_asuint32(obj);
2350 dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
2353 * Set the maximum UDP response size.
2356 result = ns_config_get(maps, "max-udp-size", &obj);
2357 INSIST(result == ISC_R_SUCCESS);
2358 udpsize = cfg_obj_asuint32(obj);
2363 view->maxudp = udpsize;
2366 * Set supported DNSSEC algorithms.
2368 dns_resolver_reset_algorithms(view->resolver);
2370 (void)ns_config_get(maps, "disable-algorithms", &disabled);
2371 if (disabled != NULL) {
2372 for (element = cfg_list_first(disabled);
2374 element = cfg_list_next(element))
2375 CHECK(disable_algorithms(cfg_listelt_value(element),
2380 * A global or view "forwarders" option, if present,
2381 * creates an entry for "." in the forwarding table.
2385 (void)ns_config_get(maps, "forward", &forwardtype);
2386 (void)ns_config_get(maps, "forwarders", &forwarders);
2387 if (forwarders != NULL)
2388 CHECK(configure_forward(config, view, dns_rootname,
2389 forwarders, forwardtype));
2392 * Dual Stack Servers.
2395 (void)ns_config_get(maps, "dual-stack-servers", &alternates);
2396 if (alternates != NULL)
2397 CHECK(configure_alternates(config, view, alternates));
2400 * We have default hints for class IN if we need them.
2402 if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
2403 dns_view_sethints(view, ns_g_server->in_roothints);
2406 * If we still have no hints, this is a non-IN view with no
2407 * "hints zone" configured. Issue a warning, except if this
2408 * is a root server. Root servers never need to consult
2409 * their hints, so it's no point requiring users to configure
2412 if (view->hints == NULL) {
2413 dns_zone_t *rootzone = NULL;
2414 (void)dns_view_findzone(view, dns_rootname, &rootzone);
2415 if (rootzone != NULL) {
2416 dns_zone_detach(&rootzone);
2417 need_hints = ISC_FALSE;
2420 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2421 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
2422 "no root hints for view '%s'",
2427 * Configure the view's TSIG keys.
2429 CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
2430 if (ns_g_server->sessionkey != NULL) {
2431 CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
2432 ns_g_server->sessionkey));
2434 dns_view_setkeyring(view, ring);
2435 dns_tsigkeyring_detach(&ring);
2438 * See if we can re-use a dynamic key ring.
2440 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
2441 view->rdclass, &pview);
2442 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2444 if (pview != NULL) {
2445 dns_view_getdynamickeyring(pview, &ring);
2447 dns_view_setdynamickeyring(view, ring);
2448 dns_tsigkeyring_detach(&ring);
2449 dns_view_detach(&pview);
2451 dns_view_restorekeyring(view);
2454 * Configure the view's peer list.
2457 const cfg_obj_t *peers = NULL;
2458 const cfg_listelt_t *element;
2459 dns_peerlist_t *newpeers = NULL;
2461 (void)ns_config_get(cfgmaps, "server", &peers);
2462 CHECK(dns_peerlist_new(mctx, &newpeers));
2463 for (element = cfg_list_first(peers);
2465 element = cfg_list_next(element))
2467 const cfg_obj_t *cpeer = cfg_listelt_value(element);
2470 CHECK(configure_peer(cpeer, mctx, &peer));
2471 dns_peerlist_addpeer(newpeers, peer);
2472 dns_peer_detach(&peer);
2474 dns_peerlist_detach(&view->peers);
2475 view->peers = newpeers; /* Transfer ownership. */
2479 * Configure the views rrset-order.
2482 const cfg_obj_t *rrsetorder = NULL;
2483 const cfg_listelt_t *element;
2485 (void)ns_config_get(maps, "rrset-order", &rrsetorder);
2486 CHECK(dns_order_create(mctx, &order));
2487 for (element = cfg_list_first(rrsetorder);
2489 element = cfg_list_next(element))
2491 const cfg_obj_t *ent = cfg_listelt_value(element);
2493 CHECK(configure_order(order, ent));
2495 if (view->order != NULL)
2496 dns_order_detach(&view->order);
2497 dns_order_attach(order, &view->order);
2498 dns_order_detach(&order);
2501 * Copy the aclenv object.
2503 dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
2506 * Configure the "match-clients" and "match-destinations" ACL.
2508 CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
2509 ns_g_mctx, &view->matchclients));
2510 CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
2511 actx, ns_g_mctx, &view->matchdestinations));
2514 * Configure the "match-recursive-only" option.
2517 (void)ns_config_get(maps, "match-recursive-only", &obj);
2518 if (obj != NULL && cfg_obj_asboolean(obj))
2519 view->matchrecursiveonly = ISC_TRUE;
2521 view->matchrecursiveonly = ISC_FALSE;
2524 * Configure other configurable data.
2527 result = ns_config_get(maps, "recursion", &obj);
2528 INSIST(result == ISC_R_SUCCESS);
2529 view->recursion = cfg_obj_asboolean(obj);
2532 result = ns_config_get(maps, "auth-nxdomain", &obj);
2533 INSIST(result == ISC_R_SUCCESS);
2534 view->auth_nxdomain = cfg_obj_asboolean(obj);
2537 result = ns_config_get(maps, "minimal-responses", &obj);
2538 INSIST(result == ISC_R_SUCCESS);
2539 view->minimalresponses = cfg_obj_asboolean(obj);
2542 result = ns_config_get(maps, "transfer-format", &obj);
2543 INSIST(result == ISC_R_SUCCESS);
2544 str = cfg_obj_asstring(obj);
2545 if (strcasecmp(str, "many-answers") == 0)
2546 view->transfer_format = dns_many_answers;
2547 else if (strcasecmp(str, "one-answer") == 0)
2548 view->transfer_format = dns_one_answer;
2553 * Set sources where additional data and CNAME/DNAME
2554 * targets for authoritative answers may be found.
2557 result = ns_config_get(maps, "additional-from-auth", &obj);
2558 INSIST(result == ISC_R_SUCCESS);
2559 view->additionalfromauth = cfg_obj_asboolean(obj);
2560 if (view->recursion && ! view->additionalfromauth) {
2561 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
2562 "'additional-from-auth no' is only supported "
2563 "with 'recursion no'");
2564 view->additionalfromauth = ISC_TRUE;
2568 result = ns_config_get(maps, "additional-from-cache", &obj);
2569 INSIST(result == ISC_R_SUCCESS);
2570 view->additionalfromcache = cfg_obj_asboolean(obj);
2571 if (view->recursion && ! view->additionalfromcache) {
2572 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
2573 "'additional-from-cache no' is only supported "
2574 "with 'recursion no'");
2575 view->additionalfromcache = ISC_TRUE;
2579 * Set "allow-query-cache", "allow-query-cache-on",
2580 * "allow-recursion", and "allow-recursion-on" acls if
2581 * configured in named.conf.
2583 CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
2584 actx, ns_g_mctx, &view->cacheacl));
2585 CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
2586 actx, ns_g_mctx, &view->cacheonacl));
2587 if (view->cacheonacl == NULL)
2588 CHECK(configure_view_acl(NULL, ns_g_config,
2589 "allow-query-cache-on", NULL, actx,
2590 ns_g_mctx, &view->cacheonacl));
2591 if (strcmp(view->name, "_bind") != 0) {
2592 CHECK(configure_view_acl(vconfig, config, "allow-recursion",
2593 NULL, actx, ns_g_mctx,
2594 &view->recursionacl));
2595 CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
2596 NULL, actx, ns_g_mctx,
2597 &view->recursiononacl));
2601 * "allow-query-cache" inherits from "allow-recursion" if set,
2602 * otherwise from "allow-query" if set.
2603 * "allow-recursion" inherits from "allow-query-cache" if set,
2604 * otherwise from "allow-query" if set.
2606 if (view->cacheacl == NULL && view->recursionacl != NULL)
2607 dns_acl_attach(view->recursionacl, &view->cacheacl);
2609 * XXXEACH: This call to configure_view_acl() is redundant. We
2610 * are leaving it as it is because we are making a minimal change
2611 * for a patch release. In the future this should be changed to
2612 * dns_acl_attach(view->queryacl, &view->cacheacl).
2614 if (view->cacheacl == NULL && view->recursion)
2615 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
2616 actx, ns_g_mctx, &view->cacheacl));
2617 if (view->recursion &&
2618 view->recursionacl == NULL && view->cacheacl != NULL)
2619 dns_acl_attach(view->cacheacl, &view->recursionacl);
2622 * Set default "allow-recursion", "allow-recursion-on" and
2623 * "allow-query-cache" acls.
2625 if (view->recursionacl == NULL && view->recursion)
2626 CHECK(configure_view_acl(NULL, ns_g_config,
2627 "allow-recursion", NULL,
2629 &view->recursionacl));
2630 if (view->recursiononacl == NULL && view->recursion)
2631 CHECK(configure_view_acl(NULL, ns_g_config,
2632 "allow-recursion-on", NULL,
2634 &view->recursiononacl));
2635 if (view->cacheacl == NULL) {
2636 if (view->recursion)
2637 CHECK(configure_view_acl(NULL, ns_g_config,
2638 "allow-query-cache", NULL,
2642 CHECK(dns_acl_none(mctx, &view->cacheacl));
2646 * Filter setting on addresses in the answer section.
2648 CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
2649 "acl", actx, ns_g_mctx, &view->denyansweracl));
2650 CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
2651 "except-from", ns_g_mctx,
2652 &view->answeracl_exclude));
2655 * Filter setting on names (CNAME/DNAME targets) in the answer section.
2657 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2659 &view->denyanswernames));
2660 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2661 "except-from", ns_g_mctx,
2662 &view->answernames_exclude));
2665 * Configure sortlist, if set
2667 CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
2671 * Configure default allow-transfer, allow-notify, allow-update
2672 * and allow-update-forwarding ACLs, if set, so they can be
2673 * inherited by zones.
2675 if (view->notifyacl == NULL)
2676 CHECK(configure_view_acl(NULL, ns_g_config,
2677 "allow-notify", NULL, actx,
2678 ns_g_mctx, &view->notifyacl));
2679 if (view->transferacl == NULL)
2680 CHECK(configure_view_acl(NULL, ns_g_config,
2681 "allow-transfer", NULL, actx,
2682 ns_g_mctx, &view->transferacl));
2683 if (view->updateacl == NULL)
2684 CHECK(configure_view_acl(NULL, ns_g_config,
2685 "allow-update", NULL, actx,
2686 ns_g_mctx, &view->updateacl));
2687 if (view->upfwdacl == NULL)
2688 CHECK(configure_view_acl(NULL, ns_g_config,
2689 "allow-update-forwarding", NULL, actx,
2690 ns_g_mctx, &view->upfwdacl));
2693 result = ns_config_get(maps, "request-ixfr", &obj);
2694 INSIST(result == ISC_R_SUCCESS);
2695 view->requestixfr = cfg_obj_asboolean(obj);
2698 result = ns_config_get(maps, "provide-ixfr", &obj);
2699 INSIST(result == ISC_R_SUCCESS);
2700 view->provideixfr = cfg_obj_asboolean(obj);
2703 result = ns_config_get(maps, "request-nsid", &obj);
2704 INSIST(result == ISC_R_SUCCESS);
2705 view->requestnsid = cfg_obj_asboolean(obj);
2708 result = ns_config_get(maps, "max-clients-per-query", &obj);
2709 INSIST(result == ISC_R_SUCCESS);
2710 max_clients_per_query = cfg_obj_asuint32(obj);
2713 result = ns_config_get(maps, "clients-per-query", &obj);
2714 INSIST(result == ISC_R_SUCCESS);
2715 dns_resolver_setclientsperquery(view->resolver,
2716 cfg_obj_asuint32(obj),
2717 max_clients_per_query);
2719 #ifdef ALLOW_FILTER_AAAA_ON_V4
2721 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
2722 INSIST(result == ISC_R_SUCCESS);
2723 if (cfg_obj_isboolean(obj)) {
2724 if (cfg_obj_asboolean(obj))
2725 view->v4_aaaa = dns_v4_aaaa_filter;
2727 view->v4_aaaa = dns_v4_aaaa_ok;
2729 const char *v4_aaaastr = cfg_obj_asstring(obj);
2730 if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
2731 view->v4_aaaa = dns_v4_aaaa_break_dnssec;
2735 CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
2736 actx, ns_g_mctx, &view->v4_aaaa_acl));
2740 result = ns_config_get(maps, "dnssec-enable", &obj);
2741 INSIST(result == ISC_R_SUCCESS);
2742 view->enablednssec = cfg_obj_asboolean(obj);
2745 result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
2746 if (result == ISC_R_SUCCESS) {
2747 /* If set to "auto", use the version from the defaults */
2748 const cfg_obj_t *dlvobj;
2750 dlvobj = cfg_listelt_value(cfg_list_first(obj));
2751 dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
2752 if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
2753 /* If "no", skip; if "auto", use global default */
2754 if (!strcasecmp(dom, "no"))
2755 result = ISC_R_NOTFOUND;
2756 else if (!strcasecmp(dom, "auto")) {
2757 auto_dlv = ISC_TRUE;
2759 result = cfg_map_get(ns_g_defaults,
2760 "dnssec-lookaside", &obj);
2765 if (result == ISC_R_SUCCESS) {
2766 for (element = cfg_list_first(obj);
2768 element = cfg_list_next(element))
2774 obj = cfg_listelt_value(element);
2775 str = cfg_obj_asstring(cfg_tuple_get(obj,
2777 isc_buffer_constinit(&b, str, strlen(str));
2778 isc_buffer_add(&b, strlen(str));
2779 dlv = dns_fixedname_name(&view->dlv_fixed);
2780 CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
2781 DNS_NAME_DOWNCASE, NULL));
2782 view->dlv = dns_fixedname_name(&view->dlv_fixed);
2788 * For now, there is only one kind of trusted keys, the
2791 CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
2792 auto_dlv, auto_root, mctx));
2793 dns_resolver_resetmustbesecure(view->resolver);
2795 result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
2796 if (result == ISC_R_SUCCESS)
2797 CHECK(mustbesecure(obj, view->resolver));
2800 result = ns_config_get(maps, "preferred-glue", &obj);
2801 if (result == ISC_R_SUCCESS) {
2802 str = cfg_obj_asstring(obj);
2803 if (strcasecmp(str, "a") == 0)
2804 view->preferred_glue = dns_rdatatype_a;
2805 else if (strcasecmp(str, "aaaa") == 0)
2806 view->preferred_glue = dns_rdatatype_aaaa;
2808 view->preferred_glue = 0;
2810 view->preferred_glue = 0;
2813 result = ns_config_get(maps, "root-delegation-only", &obj);
2814 if (result == ISC_R_SUCCESS) {
2815 dns_view_setrootdelonly(view, ISC_TRUE);
2816 if (!cfg_obj_isvoid(obj)) {
2817 dns_fixedname_t fixed;
2821 const cfg_obj_t *exclude;
2823 dns_fixedname_init(&fixed);
2824 name = dns_fixedname_name(&fixed);
2825 for (element = cfg_list_first(obj);
2827 element = cfg_list_next(element)) {
2828 exclude = cfg_listelt_value(element);
2829 str = cfg_obj_asstring(exclude);
2830 isc_buffer_constinit(&b, str, strlen(str));
2831 isc_buffer_add(&b, strlen(str));
2832 CHECK(dns_name_fromtext(name, &b, dns_rootname,
2834 CHECK(dns_view_excludedelegationonly(view,
2839 dns_view_setrootdelonly(view, ISC_FALSE);
2842 * Setup automatic empty zones. If recursion is off then
2843 * they are disabled by default.
2846 (void)ns_config_get(maps, "empty-zones-enable", &obj);
2847 (void)ns_config_get(maps, "disable-empty-zone", &disablelist);
2848 if (obj == NULL && disablelist == NULL &&
2849 view->rdclass == dns_rdataclass_in) {
2850 rfc1918 = ISC_FALSE;
2851 empty_zones_enable = view->recursion;
2852 } else if (view->rdclass == dns_rdataclass_in) {
2855 empty_zones_enable = cfg_obj_asboolean(obj);
2857 empty_zones_enable = view->recursion;
2859 rfc1918 = ISC_FALSE;
2860 empty_zones_enable = ISC_FALSE;
2862 if (empty_zones_enable && !lwresd_g_useresolvconf) {
2865 dns_fixedname_t fixed;
2867 isc_buffer_t buffer;
2869 char server[DNS_NAME_FORMATSIZE + 1];
2870 char contact[DNS_NAME_FORMATSIZE + 1];
2871 isc_boolean_t logit;
2872 const char *empty_dbtype[4] =
2873 { "_builtin", "empty", NULL, NULL };
2874 int empty_dbtypec = 4;
2875 isc_boolean_t zonestats_on;
2877 dns_fixedname_init(&fixed);
2878 name = dns_fixedname_name(&fixed);
2881 result = ns_config_get(maps, "empty-server", &obj);
2882 if (result == ISC_R_SUCCESS) {
2883 str = cfg_obj_asstring(obj);
2884 isc_buffer_constinit(&buffer, str, strlen(str));
2885 isc_buffer_add(&buffer, strlen(str));
2886 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2888 isc_buffer_init(&buffer, server, sizeof(server) - 1);
2889 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2890 server[isc_buffer_usedlength(&buffer)] = 0;
2891 empty_dbtype[2] = server;
2893 empty_dbtype[2] = "@";
2896 result = ns_config_get(maps, "empty-contact", &obj);
2897 if (result == ISC_R_SUCCESS) {
2898 str = cfg_obj_asstring(obj);
2899 isc_buffer_constinit(&buffer, str, strlen(str));
2900 isc_buffer_add(&buffer, strlen(str));
2901 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2903 isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
2904 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2905 contact[isc_buffer_usedlength(&buffer)] = 0;
2906 empty_dbtype[3] = contact;
2908 empty_dbtype[3] = ".";
2911 result = ns_config_get(maps, "zone-statistics", &obj);
2912 INSIST(result == ISC_R_SUCCESS);
2913 zonestats_on = cfg_obj_asboolean(obj);
2916 for (empty = empty_zones[empty_zone].zone;
2918 empty = empty_zones[++empty_zone].zone)
2920 dns_forwarders_t *forwarders = NULL;
2921 dns_view_t *pview = NULL;
2923 isc_buffer_constinit(&buffer, empty, strlen(empty));
2924 isc_buffer_add(&buffer, strlen(empty));
2926 * Look for zone on drop list.
2928 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2930 if (disablelist != NULL &&
2931 on_disable_list(disablelist, name))
2935 * This zone already exists.
2937 (void)dns_view_findzone(view, name, &zone);
2939 dns_zone_detach(&zone);
2944 * If we would forward this name don't add a
2945 * empty zone for it.
2947 result = dns_fwdtable_find(view->fwdtable, name,
2949 if (result == ISC_R_SUCCESS &&
2950 forwarders->fwdpolicy == dns_fwdpolicy_only)
2953 if (!rfc1918 && empty_zones[empty_zone].rfc1918) {
2955 isc_log_write(ns_g_lctx,
2956 NS_LOGCATEGORY_GENERAL,
2957 NS_LOGMODULE_SERVER,
2960 "'empty-zones-enable/"
2961 "disable-empty-zone' "
2962 "not set: disabling "
2963 "RFC 1918 empty zones",
2971 * See if we can re-use a existing zone.
2973 result = dns_viewlist_find(&ns_g_server->viewlist,
2974 view->name, view->rdclass,
2976 if (result != ISC_R_NOTFOUND &&
2977 result != ISC_R_SUCCESS)
2980 if (pview != NULL) {
2981 (void)dns_view_findzone(pview, name, &zone);
2982 dns_view_detach(&pview);
2984 check_dbtype(&zone, empty_dbtypec,
2985 empty_dbtype, mctx);
2987 dns_zone_setview(zone, view);
2988 CHECK(dns_view_addzone(view, zone));
2989 CHECK(setquerystats(zone, mctx,
2991 dns_zone_detach(&zone);
2996 CHECK(dns_zone_create(&zone, mctx));
2997 CHECK(dns_zone_setorigin(zone, name));
2998 dns_zone_setview(zone, view);
2999 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
3001 dns_zone_setclass(zone, view->rdclass);
3002 dns_zone_settype(zone, dns_zone_master);
3003 dns_zone_setstats(zone, ns_g_server->zonestats);
3004 CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
3006 if (view->queryacl != NULL)
3007 dns_zone_setqueryacl(zone, view->queryacl);
3008 if (view->queryonacl != NULL)
3009 dns_zone_setqueryonacl(zone, view->queryonacl);
3010 dns_zone_setdialup(zone, dns_dialuptype_no);
3011 dns_zone_setnotifytype(zone, dns_notifytype_no);
3012 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
3014 CHECK(setquerystats(zone, mctx, zonestats_on));
3015 CHECK(dns_view_addzone(view, zone));
3016 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3017 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3018 "automatic empty zone%s%s: %s",
3019 sep, viewname, empty);
3020 dns_zone_detach(&zone);
3024 result = ISC_R_SUCCESS;
3027 if (clients != NULL)
3028 dns_acl_detach(&clients);
3030 dns_acl_detach(&mapped);
3031 if (excluded != NULL)
3032 dns_acl_detach(&excluded);
3034 dns_tsigkeyring_detach(&ring);
3036 dns_zone_detach(&zone);
3037 if (dispatch4 != NULL)
3038 dns_dispatch_detach(&dispatch4);
3039 if (dispatch6 != NULL)
3040 dns_dispatch_detach(&dispatch6);
3041 if (resstats != NULL)
3042 isc_stats_detach(&resstats);
3043 if (resquerystats != NULL)
3044 dns_stats_detach(&resquerystats);
3046 dns_order_detach(&order);
3048 isc_mem_detach(&cmctx);
3050 isc_mem_detach(&hmctx);
3053 dns_cache_detach(&cache);
3059 configure_hints(dns_view_t *view, const char *filename) {
3060 isc_result_t result;
3064 result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
3065 if (result == ISC_R_SUCCESS) {
3066 dns_view_sethints(view, db);
3074 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
3075 const cfg_obj_t *alternates)
3077 const cfg_obj_t *portobj;
3078 const cfg_obj_t *addresses;
3079 const cfg_listelt_t *element;
3080 isc_result_t result = ISC_R_SUCCESS;
3084 * Determine which port to send requests to.
3086 if (ns_g_lwresdonly && ns_g_port != 0)
3089 CHECKM(ns_config_getport(config, &port), "port");
3091 if (alternates != NULL) {
3092 portobj = cfg_tuple_get(alternates, "port");
3093 if (cfg_obj_isuint32(portobj)) {
3094 isc_uint32_t val = cfg_obj_asuint32(portobj);
3095 if (val > ISC_UINT16_MAX) {
3096 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3097 "port '%u' out of range", val);
3098 return (ISC_R_RANGE);
3100 port = (in_port_t) val;
3105 if (alternates != NULL)
3106 addresses = cfg_tuple_get(alternates, "addresses");
3108 for (element = cfg_list_first(addresses);
3110 element = cfg_list_next(element))
3112 const cfg_obj_t *alternate = cfg_listelt_value(element);
3115 if (!cfg_obj_issockaddr(alternate)) {
3116 dns_fixedname_t fixed;
3118 const char *str = cfg_obj_asstring(cfg_tuple_get(
3119 alternate, "name"));
3120 isc_buffer_t buffer;
3121 in_port_t myport = port;
3123 isc_buffer_constinit(&buffer, str, strlen(str));
3124 isc_buffer_add(&buffer, strlen(str));
3125 dns_fixedname_init(&fixed);
3126 name = dns_fixedname_name(&fixed);
3127 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3130 portobj = cfg_tuple_get(alternate, "port");
3131 if (cfg_obj_isuint32(portobj)) {
3132 isc_uint32_t val = cfg_obj_asuint32(portobj);
3133 if (val > ISC_UINT16_MAX) {
3134 cfg_obj_log(portobj, ns_g_lctx,
3136 "port '%u' out of range",
3138 return (ISC_R_RANGE);
3140 myport = (in_port_t) val;
3142 CHECK(dns_resolver_addalternate(view->resolver, NULL,
3147 sa = *cfg_obj_assockaddr(alternate);
3148 if (isc_sockaddr_getport(&sa) == 0)
3149 isc_sockaddr_setport(&sa, port);
3150 CHECK(dns_resolver_addalternate(view->resolver, &sa,
3159 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
3160 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
3162 const cfg_obj_t *portobj;
3163 const cfg_obj_t *faddresses;
3164 const cfg_listelt_t *element;
3165 dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
3166 isc_sockaddrlist_t addresses;
3168 isc_result_t result;
3171 ISC_LIST_INIT(addresses);
3174 * Determine which port to send forwarded requests to.
3176 if (ns_g_lwresdonly && ns_g_port != 0)
3179 CHECKM(ns_config_getport(config, &port), "port");
3181 if (forwarders != NULL) {
3182 portobj = cfg_tuple_get(forwarders, "port");
3183 if (cfg_obj_isuint32(portobj)) {
3184 isc_uint32_t val = cfg_obj_asuint32(portobj);
3185 if (val > ISC_UINT16_MAX) {
3186 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3187 "port '%u' out of range", val);
3188 return (ISC_R_RANGE);
3190 port = (in_port_t) val;
3195 if (forwarders != NULL)
3196 faddresses = cfg_tuple_get(forwarders, "addresses");
3198 for (element = cfg_list_first(faddresses);
3200 element = cfg_list_next(element))
3202 const cfg_obj_t *forwarder = cfg_listelt_value(element);
3203 sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
3205 result = ISC_R_NOMEMORY;
3208 *sa = *cfg_obj_assockaddr(forwarder);
3209 if (isc_sockaddr_getport(sa) == 0)
3210 isc_sockaddr_setport(sa, port);
3211 ISC_LINK_INIT(sa, link);
3212 ISC_LIST_APPEND(addresses, sa, link);
3215 if (ISC_LIST_EMPTY(addresses)) {
3216 if (forwardtype != NULL)
3217 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3218 "no forwarders seen; disabling "
3220 fwdpolicy = dns_fwdpolicy_none;
3222 if (forwardtype == NULL)
3223 fwdpolicy = dns_fwdpolicy_first;
3225 const char *forwardstr = cfg_obj_asstring(forwardtype);
3226 if (strcasecmp(forwardstr, "first") == 0)
3227 fwdpolicy = dns_fwdpolicy_first;
3228 else if (strcasecmp(forwardstr, "only") == 0)
3229 fwdpolicy = dns_fwdpolicy_only;
3235 result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
3237 if (result != ISC_R_SUCCESS) {
3238 char namebuf[DNS_NAME_FORMATSIZE];
3239 dns_name_format(origin, namebuf, sizeof(namebuf));
3240 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3241 "could not set up forwarding for domain '%s': %s",
3242 namebuf, isc_result_totext(result));
3246 result = ISC_R_SUCCESS;
3250 while (!ISC_LIST_EMPTY(addresses)) {
3251 sa = ISC_LIST_HEAD(addresses);
3252 ISC_LIST_UNLINK(addresses, sa, link);
3253 isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
3260 get_viewinfo(const cfg_obj_t *vconfig, const char **namep,
3261 dns_rdataclass_t *classp)
3263 isc_result_t result = ISC_R_SUCCESS;
3264 const char *viewname;
3265 dns_rdataclass_t viewclass;
3267 REQUIRE(namep != NULL && *namep == NULL);
3268 REQUIRE(classp != NULL);
3270 if (vconfig != NULL) {
3271 const cfg_obj_t *classobj = NULL;
3273 viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
3274 classobj = cfg_tuple_get(vconfig, "class");
3275 result = ns_config_getclass(classobj, dns_rdataclass_in,
3278 viewname = "_default";
3279 viewclass = dns_rdataclass_in;
3283 *classp = viewclass;
3289 * Find a view based on its configuration info and attach to it.
3291 * If 'vconfig' is NULL, attach to the default view.
3294 find_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3297 isc_result_t result;
3298 const char *viewname = NULL;
3299 dns_rdataclass_t viewclass;
3300 dns_view_t *view = NULL;
3302 result = get_viewinfo(vconfig, &viewname, &viewclass);
3303 if (result != ISC_R_SUCCESS)
3306 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3307 if (result != ISC_R_SUCCESS)
3311 return (ISC_R_SUCCESS);
3315 * Create a new view and add it to the list.
3317 * If 'vconfig' is NULL, create the default view.
3319 * The view created is attached to '*viewp'.
3322 create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3325 isc_result_t result;
3326 const char *viewname = NULL;
3327 dns_rdataclass_t viewclass;
3328 dns_view_t *view = NULL;
3330 result = get_viewinfo(vconfig, &viewname, &viewclass);
3331 if (result != ISC_R_SUCCESS)
3334 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3335 if (result == ISC_R_SUCCESS)
3336 return (ISC_R_EXISTS);
3337 if (result != ISC_R_NOTFOUND)
3339 INSIST(view == NULL);
3341 result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
3342 if (result != ISC_R_SUCCESS)
3345 ISC_LIST_APPEND(*viewlist, view, link);
3346 dns_view_attach(view, viewp);
3347 return (ISC_R_SUCCESS);
3351 * Configure or reconfigure a zone.
3354 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
3355 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
3356 cfg_aclconfctx_t *aclconf, isc_boolean_t added)
3358 dns_view_t *pview = NULL; /* Production view */
3359 dns_zone_t *zone = NULL; /* New or reused zone */
3360 dns_zone_t *dupzone = NULL;
3361 const cfg_obj_t *options = NULL;
3362 const cfg_obj_t *zoptions = NULL;
3363 const cfg_obj_t *typeobj = NULL;
3364 const cfg_obj_t *forwarders = NULL;
3365 const cfg_obj_t *forwardtype = NULL;
3366 const cfg_obj_t *only = NULL;
3367 isc_result_t result;
3368 isc_result_t tresult;
3369 isc_buffer_t buffer;
3370 dns_fixedname_t fixorigin;
3373 dns_rdataclass_t zclass;
3374 const char *ztypestr;
3375 isc_boolean_t is_rpz;
3376 dns_rpz_zone_t *rpz;
3379 (void)cfg_map_get(config, "options", &options);
3381 zoptions = cfg_tuple_get(zconfig, "options");
3384 * Get the zone origin as a dns_name_t.
3386 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
3387 isc_buffer_constinit(&buffer, zname, strlen(zname));
3388 isc_buffer_add(&buffer, strlen(zname));
3389 dns_fixedname_init(&fixorigin);
3390 CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
3391 &buffer, dns_rootname, 0, NULL));
3392 origin = dns_fixedname_name(&fixorigin);
3394 CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
3395 view->rdclass, &zclass));
3396 if (zclass != view->rdclass) {
3397 const char *vname = NULL;
3398 if (vconfig != NULL)
3399 vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
3402 vname = "<default view>";
3404 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3405 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3406 "zone '%s': wrong class for view '%s'",
3408 result = ISC_R_FAILURE;
3412 (void)cfg_map_get(zoptions, "type", &typeobj);
3413 if (typeobj == NULL) {
3414 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3415 "zone '%s' 'type' not specified", zname);
3416 return (ISC_R_FAILURE);
3418 ztypestr = cfg_obj_asstring(typeobj);
3421 * "hints zones" aren't zones. If we've got one,
3422 * configure it and return.
3424 if (strcasecmp(ztypestr, "hint") == 0) {
3425 const cfg_obj_t *fileobj = NULL;
3426 if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
3427 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3428 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3429 "zone '%s': 'file' not specified",
3431 result = ISC_R_FAILURE;
3434 if (dns_name_equal(origin, dns_rootname)) {
3435 const char *hintsfile = cfg_obj_asstring(fileobj);
3437 result = configure_hints(view, hintsfile);
3438 if (result != ISC_R_SUCCESS) {
3439 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3440 NS_LOGMODULE_SERVER,
3442 "could not configure root hints "
3443 "from '%s': %s", hintsfile,
3444 isc_result_totext(result));
3448 * Hint zones may also refer to delegation only points.
3451 tresult = cfg_map_get(zoptions, "delegation-only",
3453 if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
3454 CHECK(dns_view_adddelegationonly(view, origin));
3456 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3457 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3458 "ignoring non-root hint zone '%s'",
3460 result = ISC_R_SUCCESS;
3462 /* Skip ordinary zone processing. */
3467 * "forward zones" aren't zones either. Translate this syntax into
3468 * the appropriate selective forwarding configuration and return.
3470 if (strcasecmp(ztypestr, "forward") == 0) {
3474 (void)cfg_map_get(zoptions, "forward", &forwardtype);
3475 (void)cfg_map_get(zoptions, "forwarders", &forwarders);
3476 result = configure_forward(config, view, origin, forwarders,
3482 * "delegation-only zones" aren't zones either.
3484 if (strcasecmp(ztypestr, "delegation-only") == 0) {
3485 result = dns_view_adddelegationonly(view, origin);
3490 * Check for duplicates in the new zone table.
3492 result = dns_view_findzone(view, origin, &dupzone);
3493 if (result == ISC_R_SUCCESS) {
3495 * We already have this zone!
3497 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3498 "zone '%s' already exists", zname);
3499 dns_zone_detach(&dupzone);
3500 result = ISC_R_EXISTS;
3503 INSIST(dupzone == NULL);
3506 * Note whether this is a response policy zone.
3509 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
3511 rpz = ISC_LIST_NEXT(rpz, link))
3513 if (dns_name_equal(&rpz->origin, origin)) {
3515 rpz->defined = ISC_TRUE;
3521 * See if we can reuse an existing zone. This is
3522 * only possible if all of these are true:
3523 * - The zone's view exists
3524 * - A zone with the right name exists in the view
3525 * - The zone is compatible with the config
3526 * options (e.g., an existing master zone cannot
3527 * be reused if the options specify a slave zone)
3528 * - The zone was and is or was not and is not a policy zone
3530 result = dns_viewlist_find(&ns_g_server->viewlist,
3531 view->name, view->rdclass,
3533 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
3536 result = dns_view_findzone(pview, origin, &zone);
3537 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
3539 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
3540 dns_zone_detach(&zone);
3542 if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
3543 dns_zone_detach(&zone);
3547 * We found a reusable zone. Make it use the
3550 dns_zone_setview(zone, view);
3551 if (view->acache != NULL)
3552 dns_zone_setacache(zone, view->acache);
3555 * We cannot reuse an existing zone, we have
3556 * to create a new one.
3558 CHECK(dns_zone_create(&zone, mctx));
3559 CHECK(dns_zone_setorigin(zone, origin));
3560 dns_zone_setview(zone, view);
3561 if (view->acache != NULL)
3562 dns_zone_setacache(zone, view->acache);
3563 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
3564 dns_zone_setstats(zone, ns_g_server->zonestats);
3568 result = dns_zone_rpz_enable(zone);
3569 if (result != ISC_R_SUCCESS) {
3570 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3571 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3572 "zone '%s': incompatible"
3573 " masterfile-format or database"
3574 " for a response policy zone",
3581 * If the zone contains a 'forwarders' statement, configure
3582 * selective forwarding.
3585 if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
3588 (void)cfg_map_get(zoptions, "forward", &forwardtype);
3589 CHECK(configure_forward(config, view, origin, forwarders,
3594 * Stub and forward zones may also refer to delegation only points.
3597 if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
3599 if (cfg_obj_asboolean(only))
3600 CHECK(dns_view_adddelegationonly(view, origin));
3604 * Mark whether the zone was originally added at runtime or not
3606 dns_zone_setadded(zone, added);
3609 * Configure the zone.
3611 CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
3614 * Add the zone to its view in the new view list.
3616 CHECK(dns_view_addzone(view, zone));
3619 * Ensure that zone keys are reloaded on reconfig
3621 if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
3622 dns_zone_rekey(zone, ISC_FALSE);
3626 dns_zone_detach(&zone);
3628 dns_view_detach(&pview);
3634 * Configure built-in zone for storing managed-key data.
3637 #define KEYZONE "managed-keys.bind"
3638 #define MKEYS ".mkeys"
3641 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
3642 isc_result_t result;
3643 dns_view_t *pview = NULL;
3644 dns_zone_t *zone = NULL;
3645 dns_acl_t *none = NULL;
3646 char filename[PATH_MAX];
3647 char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
3650 REQUIRE(view != NULL);
3652 /* See if we can re-use an existing keydata zone. */
3653 result = dns_viewlist_find(&ns_g_server->viewlist,
3654 view->name, view->rdclass,
3656 if (result != ISC_R_NOTFOUND &&
3657 result != ISC_R_SUCCESS)
3660 if (pview != NULL && pview->managed_keys != NULL) {
3661 dns_zone_attach(pview->managed_keys, &view->managed_keys);
3662 dns_zone_setview(pview->managed_keys, view);
3663 dns_view_detach(&pview);
3664 dns_zone_synckeyzone(view->managed_keys);
3665 return (ISC_R_SUCCESS);
3668 /* No existing keydata zone was found; create one */
3669 CHECK(dns_zone_create(&zone, mctx));
3670 CHECK(dns_zone_setorigin(zone, dns_rootname));
3672 isc_sha256_data((void *)view->name, strlen(view->name), buffer);
3673 strcat(buffer, MKEYS);
3674 n = snprintf(filename, sizeof(filename), "%s%s%s",
3675 directory ? directory : "", directory ? "/" : "",
3676 strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
3677 if (n < 0 || (size_t)n >= sizeof(filename)) {
3678 result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
3681 CHECK(dns_zone_setfile(zone, filename));
3683 dns_zone_setview(zone, view);
3684 dns_zone_settype(zone, dns_zone_key);
3685 dns_zone_setclass(zone, view->rdclass);
3687 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
3689 if (view->acache != NULL)
3690 dns_zone_setacache(zone, view->acache);
3692 CHECK(dns_acl_none(mctx, &none));
3693 dns_zone_setqueryacl(zone, none);
3694 dns_zone_setqueryonacl(zone, none);
3695 dns_acl_detach(&none);
3697 dns_zone_setdialup(zone, dns_dialuptype_no);
3698 dns_zone_setnotifytype(zone, dns_notifytype_no);
3699 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
3700 dns_zone_setjournalsize(zone, 0);
3702 dns_zone_setstats(zone, ns_g_server->zonestats);
3703 CHECK(setquerystats(zone, mctx, ISC_FALSE));
3705 if (view->managed_keys != NULL)
3706 dns_zone_detach(&view->managed_keys);
3707 dns_zone_attach(zone, &view->managed_keys);
3709 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3710 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3711 "set up managed keys zone for view %s, file '%s'",
3712 view->name, filename);
3716 dns_zone_detach(&zone);
3718 dns_acl_detach(&none);
3724 * Configure a single server quota.
3727 configure_server_quota(const cfg_obj_t **maps, const char *name,
3730 const cfg_obj_t *obj = NULL;
3731 isc_result_t result;
3733 result = ns_config_get(maps, name, &obj);
3734 INSIST(result == ISC_R_SUCCESS);
3735 isc_quota_max(quota, cfg_obj_asuint32(obj));
3739 * This function is called as soon as the 'directory' statement has been
3740 * parsed. This can be extended to support other options if necessary.
3743 directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
3744 isc_result_t result;
3745 const char *directory;
3747 REQUIRE(strcasecmp("directory", clausename) == 0);
3755 directory = cfg_obj_asstring(obj);
3757 if (! isc_file_ischdiridempotent(directory))
3758 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3759 "option 'directory' contains relative path '%s'",
3762 result = isc_dir_chdir(directory);
3763 if (result != ISC_R_SUCCESS) {
3764 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
3765 "change directory to '%s' failed: %s",
3766 directory, isc_result_totext(result));
3770 return (ISC_R_SUCCESS);
3774 scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
3775 isc_boolean_t match_mapped = server->aclenv.match_mapped;
3777 ns_interfacemgr_scan(server->interfacemgr, verbose);
3779 * Update the "localhost" and "localnets" ACLs to match the
3780 * current set of network interfaces.
3782 dns_aclenv_copy(&server->aclenv,
3783 ns_interfacemgr_getaclenv(server->interfacemgr));
3785 server->aclenv.match_mapped = match_mapped;
3789 add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
3790 isc_boolean_t wcardport_ok)
3792 ns_listenelt_t *lelt = NULL;
3793 dns_acl_t *src_acl = NULL;
3794 isc_result_t result;
3795 isc_sockaddr_t any_sa6;
3796 isc_netaddr_t netaddr;
3798 REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
3800 isc_sockaddr_any6(&any_sa6);
3801 if (!isc_sockaddr_equal(&any_sa6, addr) &&
3802 (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
3803 isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
3805 result = dns_acl_create(mctx, 0, &src_acl);
3806 if (result != ISC_R_SUCCESS)
3809 result = dns_iptable_addprefix(src_acl->iptable,
3810 &netaddr, 128, ISC_TRUE);
3811 if (result != ISC_R_SUCCESS)
3814 result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
3816 if (result != ISC_R_SUCCESS)
3818 ISC_LIST_APPEND(list->elts, lelt, link);
3821 return (ISC_R_SUCCESS);
3824 INSIST(lelt == NULL);
3825 dns_acl_detach(&src_acl);
3831 * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
3832 * to update the listening interfaces accordingly.
3833 * We currently only consider IPv6, because this only affects IPv6 wildcard
3837 adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
3838 isc_result_t result;
3839 ns_listenlist_t *list = NULL;
3841 dns_zone_t *zone, *next;
3842 isc_sockaddr_t addr, *addrp;
3844 result = ns_listenlist_create(mctx, &list);
3845 if (result != ISC_R_SUCCESS)
3848 for (view = ISC_LIST_HEAD(server->viewlist);
3850 view = ISC_LIST_NEXT(view, link)) {
3851 dns_dispatch_t *dispatch6;
3853 dispatch6 = dns_resolver_dispatchv6(view->resolver);
3854 if (dispatch6 == NULL)
3856 result = dns_dispatch_getlocaladdress(dispatch6, &addr);
3857 if (result != ISC_R_SUCCESS)
3861 * We always add non-wildcard address regardless of whether
3862 * the port is 'any' (the fourth arg is TRUE): if the port is
3863 * specific, we need to add it since it may conflict with a
3864 * listening interface; if it's zero, we'll dynamically open
3865 * query ports, and some of them may override an existing
3866 * wildcard IPv6 port.
3868 result = add_listenelt(mctx, list, &addr, ISC_TRUE);
3869 if (result != ISC_R_SUCCESS)
3874 for (result = dns_zone_first(server->zonemgr, &zone);
3875 result == ISC_R_SUCCESS;
3876 next = NULL, result = dns_zone_next(zone, &next), zone = next) {
3877 dns_view_t *zoneview;
3880 * At this point the zone list may contain a stale zone
3881 * just removed from the configuration. To see the validity,
3882 * check if the corresponding view is in our current view list.
3883 * There may also be old zones that are still in the process
3884 * of shutting down and have detached from their old view
3885 * (zoneview == NULL).
3887 zoneview = dns_zone_getview(zone);
3888 if (zoneview == NULL)
3890 for (view = ISC_LIST_HEAD(server->viewlist);
3891 view != NULL && view != zoneview;
3892 view = ISC_LIST_NEXT(view, link))
3897 addrp = dns_zone_getnotifysrc6(zone);
3898 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3899 if (result != ISC_R_SUCCESS)
3902 addrp = dns_zone_getxfrsource6(zone);
3903 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3904 if (result != ISC_R_SUCCESS)
3908 ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
3911 ns_listenlist_detach(&list);
3916 * Even when we failed the procedure, most of other interfaces
3917 * should work correctly. We therefore just warn it.
3919 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3920 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3921 "could not adjust the listen-on list; "
3922 "some interfaces may not work");
3927 * This event callback is invoked to do periodic network
3928 * interface scanning.
3931 interface_timer_tick(isc_task_t *task, isc_event_t *event) {
3932 isc_result_t result;
3933 ns_server_t *server = (ns_server_t *) event->ev_arg;
3934 INSIST(task == server->task);
3936 isc_event_free(&event);
3938 * XXX should scan interfaces unlocked and get exclusive access
3939 * only to replace ACLs.
3941 result = isc_task_beginexclusive(server->task);
3942 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3943 scan_interfaces(server, ISC_FALSE);
3944 isc_task_endexclusive(server->task);
3948 heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
3949 ns_server_t *server = (ns_server_t *) event->ev_arg;
3953 isc_event_free(&event);
3954 view = ISC_LIST_HEAD(server->viewlist);
3955 while (view != NULL) {
3956 dns_view_dialup(view);
3957 view = ISC_LIST_NEXT(view, link);
3962 pps_timer_tick(isc_task_t *task, isc_event_t *event) {
3963 static unsigned int oldrequests = 0;
3964 unsigned int requests = ns_client_requests;
3967 isc_event_free(&event);
3970 * Don't worry about wrapping as the overflow result will be right.
3972 dns_pps = (requests - oldrequests) / 1200;
3973 oldrequests = requests;
3977 * Replace the current value of '*field', a dynamically allocated
3978 * string or NULL, with a dynamically allocated copy of the
3979 * null-terminated string pointed to by 'value', or NULL.
3982 setstring(ns_server_t *server, char **field, const char *value) {
3985 if (value != NULL) {
3986 copy = isc_mem_strdup(server->mctx, value);
3988 return (ISC_R_NOMEMORY);
3994 isc_mem_free(server->mctx, *field);
3997 return (ISC_R_SUCCESS);
4001 * Replace the current value of '*field', a dynamically allocated
4002 * string or NULL, with another dynamically allocated string
4003 * or NULL if whether 'obj' is a string or void value, respectively.
4006 setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
4007 if (cfg_obj_isvoid(obj))
4008 return (setstring(server, field, NULL));
4010 return (setstring(server, field, cfg_obj_asstring(obj)));
4014 set_limit(const cfg_obj_t **maps, const char *configname,
4015 const char *description, isc_resource_t resourceid,
4016 isc_resourcevalue_t defaultvalue)
4018 const cfg_obj_t *obj = NULL;
4019 const char *resource;
4020 isc_resourcevalue_t value;
4021 isc_result_t result;
4023 if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
4026 if (cfg_obj_isstring(obj)) {
4027 resource = cfg_obj_asstring(obj);
4028 if (strcasecmp(resource, "unlimited") == 0)
4029 value = ISC_RESOURCE_UNLIMITED;
4031 INSIST(strcasecmp(resource, "default") == 0);
4032 value = defaultvalue;
4035 value = cfg_obj_asuint64(obj);
4037 result = isc_resource_setlimit(resourceid, value);
4038 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4039 result == ISC_R_SUCCESS ?
4040 ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
4041 "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
4042 description, value, isc_result_totext(result));
4045 #define SETLIMIT(cfgvar, resource, description) \
4046 set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
4047 ns_g_init ## resource)
4050 set_limits(const cfg_obj_t **maps) {
4051 SETLIMIT("stacksize", stacksize, "stack size");
4052 SETLIMIT("datasize", datasize, "data size");
4053 SETLIMIT("coresize", coresize, "core size");
4054 SETLIMIT("files", openfiles, "open files");
4058 portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
4059 isc_boolean_t positive)
4061 const cfg_listelt_t *element;
4063 for (element = cfg_list_first(ports);
4065 element = cfg_list_next(element)) {
4066 const cfg_obj_t *obj = cfg_listelt_value(element);
4068 if (cfg_obj_isuint32(obj)) {
4069 in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
4072 isc_portset_add(portset, port);
4074 isc_portset_remove(portset, port);
4076 const cfg_obj_t *obj_loport, *obj_hiport;
4077 in_port_t loport, hiport;
4079 obj_loport = cfg_tuple_get(obj, "loport");
4080 loport = (in_port_t)cfg_obj_asuint32(obj_loport);
4081 obj_hiport = cfg_tuple_get(obj, "hiport");
4082 hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
4085 isc_portset_addrange(portset, loport, hiport);
4087 isc_portset_removerange(portset, loport,
4095 removed(dns_zone_t *zone, void *uap) {
4098 if (dns_zone_getview(zone) != uap)
4099 return (ISC_R_SUCCESS);
4101 switch (dns_zone_gettype(zone)) {
4102 case dns_zone_master:
4105 case dns_zone_slave:
4115 dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
4116 return (ISC_R_SUCCESS);
4120 cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
4121 if (server->session_keyfile != NULL) {
4122 isc_file_remove(server->session_keyfile);
4123 isc_mem_free(mctx, server->session_keyfile);
4124 server->session_keyfile = NULL;
4127 if (server->session_keyname != NULL) {
4128 if (dns_name_dynamic(server->session_keyname))
4129 dns_name_free(server->session_keyname, mctx);
4130 isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
4131 server->session_keyname = NULL;
4134 if (server->sessionkey != NULL)
4135 dns_tsigkey_detach(&server->sessionkey);
4137 server->session_keyalg = DST_ALG_UNKNOWN;
4138 server->session_keybits = 0;
4142 generate_session_key(const char *filename, const char *keynamestr,
4143 dns_name_t *keyname, const char *algstr,
4144 dns_name_t *algname, unsigned int algtype,
4145 isc_uint16_t bits, isc_mem_t *mctx,
4146 dns_tsigkey_t **tsigkeyp)
4148 isc_result_t result = ISC_R_SUCCESS;
4149 dst_key_t *key = NULL;
4150 isc_buffer_t key_txtbuffer;
4151 isc_buffer_t key_rawbuffer;
4152 char key_txtsecret[256];
4153 char key_rawsecret[64];
4154 isc_region_t key_rawregion;
4156 dns_tsigkey_t *tsigkey = NULL;
4159 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4160 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4161 "generating session key for dynamic DNS");
4164 result = dst_key_generate(keyname, algtype, bits, 1, 0,
4165 DNS_KEYPROTO_ANY, dns_rdataclass_in,
4167 if (result != ISC_R_SUCCESS)
4171 * Dump the key to the buffer for later use. Should be done before
4172 * we transfer the ownership of key to tsigkey.
4174 isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
4175 CHECK(dst_key_tobuffer(key, &key_rawbuffer));
4177 isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
4178 isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
4179 CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
4181 /* Store the key in tsigkey. */
4182 isc_stdtime_get(&now);
4183 CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
4184 ISC_FALSE, NULL, now, now, mctx, NULL,
4187 /* Dump the key to the key file. */
4188 fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
4190 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4191 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4192 "could not create %s", filename);
4193 result = ISC_R_NOPERM;
4197 fprintf(fp, "key \"%s\" {\n"
4199 "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
4200 (int) isc_buffer_usedlength(&key_txtbuffer),
4201 (char*) isc_buffer_base(&key_txtbuffer));
4203 RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
4204 RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
4208 *tsigkeyp = tsigkey;
4210 return (ISC_R_SUCCESS);
4213 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4214 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4215 "failed to generate session key "
4216 "for dynamic DNS: %s", isc_result_totext(result));
4217 if (tsigkey != NULL)
4218 dns_tsigkey_detach(&tsigkey);
4226 configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
4229 const char *keyfile, *keynamestr, *algstr;
4230 unsigned int algtype;
4231 dns_fixedname_t fname;
4232 dns_name_t *keyname, *algname;
4233 isc_buffer_t buffer;
4235 const cfg_obj_t *obj;
4236 isc_boolean_t need_deleteold = ISC_FALSE;
4237 isc_boolean_t need_createnew = ISC_FALSE;
4238 isc_result_t result;
4241 result = ns_config_get(maps, "session-keyfile", &obj);
4242 if (result == ISC_R_SUCCESS) {
4243 if (cfg_obj_isvoid(obj))
4244 keyfile = NULL; /* disable it */
4246 keyfile = cfg_obj_asstring(obj);
4248 keyfile = ns_g_defaultsessionkeyfile;
4251 result = ns_config_get(maps, "session-keyname", &obj);
4252 INSIST(result == ISC_R_SUCCESS);
4253 keynamestr = cfg_obj_asstring(obj);
4254 dns_fixedname_init(&fname);
4255 isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
4256 isc_buffer_add(&buffer, strlen(keynamestr));
4257 keyname = dns_fixedname_name(&fname);
4258 result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
4259 if (result != ISC_R_SUCCESS)
4263 result = ns_config_get(maps, "session-keyalg", &obj);
4264 INSIST(result == ISC_R_SUCCESS);
4265 algstr = cfg_obj_asstring(obj);
4267 result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
4268 if (result != ISC_R_SUCCESS) {
4269 const char *s = " (keeping current key)";
4271 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
4272 "unsupported or unknown algorithm '%s'%s",
4274 server->session_keyfile != NULL ? s : "");
4278 /* See if we need to (re)generate a new key. */
4279 if (keyfile == NULL) {
4280 if (server->session_keyfile != NULL)
4281 need_deleteold = ISC_TRUE;
4282 } else if (server->session_keyfile == NULL)
4283 need_createnew = ISC_TRUE;
4284 else if (strcmp(keyfile, server->session_keyfile) != 0 ||
4285 !dns_name_equal(server->session_keyname, keyname) ||
4286 server->session_keyalg != algtype ||
4287 server->session_keybits != bits) {
4288 need_deleteold = ISC_TRUE;
4289 need_createnew = ISC_TRUE;
4292 if (need_deleteold) {
4293 INSIST(server->session_keyfile != NULL);
4294 INSIST(server->session_keyname != NULL);
4295 INSIST(server->sessionkey != NULL);
4297 cleanup_session_key(server, mctx);
4300 if (need_createnew) {
4301 INSIST(server->sessionkey == NULL);
4302 INSIST(server->session_keyfile == NULL);
4303 INSIST(server->session_keyname == NULL);
4304 INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
4305 INSIST(server->session_keybits == 0);
4307 server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
4308 if (server->session_keyname == NULL)
4310 dns_name_init(server->session_keyname, NULL);
4311 CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
4313 server->session_keyfile = isc_mem_strdup(mctx, keyfile);
4314 if (server->session_keyfile == NULL)
4317 server->session_keyalg = algtype;
4318 server->session_keybits = bits;
4320 CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
4321 algname, algtype, bits, mctx,
4322 &server->sessionkey));
4328 cleanup_session_key(server, mctx);
4333 setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
4334 cfg_parser_t *parser, cfg_aclconfctx_t *actx)
4336 isc_result_t result = ISC_R_SUCCESS;
4337 isc_boolean_t allow = ISC_FALSE;
4338 struct cfg_context *nzcfg = NULL;
4339 cfg_parser_t *nzparser = NULL;
4340 cfg_obj_t *nzconfig = NULL;
4341 const cfg_obj_t *maps[4];
4342 const cfg_obj_t *options = NULL, *voptions = NULL;
4343 const cfg_obj_t *nz = NULL;
4346 REQUIRE (config != NULL);
4348 if (vconfig != NULL)
4349 voptions = cfg_tuple_get(vconfig, "options");
4350 if (voptions != NULL)
4351 maps[i++] = voptions;
4352 result = cfg_map_get(config, "options", &options);
4353 if (result == ISC_R_SUCCESS)
4354 maps[i++] = options;
4355 maps[i++] = ns_g_defaults;
4358 result = ns_config_get(maps, "allow-new-zones", &nz);
4359 if (result == ISC_R_SUCCESS)
4360 allow = cfg_obj_asboolean(nz);
4363 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4364 return (ISC_R_SUCCESS);
4367 nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
4368 if (nzcfg == NULL) {
4369 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4370 return (ISC_R_NOMEMORY);
4373 dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
4375 memset(nzcfg, 0, sizeof(*nzcfg));
4376 isc_mem_attach(view->mctx, &nzcfg->mctx);
4377 cfg_obj_attach(config, &nzcfg->config);
4378 cfg_parser_attach(parser, &nzcfg->parser);
4379 cfg_aclconfctx_attach(actx, &nzcfg->actx);
4382 * Attempt to create a parser and parse the newzones
4383 * file. If successful, preserve both; otherwise leave
4386 result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
4387 if (result == ISC_R_SUCCESS)
4388 result = cfg_parse_file(nzparser, view->new_zone_file,
4389 &cfg_type_newzones, &nzconfig);
4390 if (result == ISC_R_SUCCESS) {
4391 cfg_parser_attach(nzparser, &nzcfg->nzparser);
4392 cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
4395 if (nzparser != NULL) {
4396 if (nzconfig != NULL)
4397 cfg_obj_destroy(nzparser, &nzconfig);
4398 cfg_parser_destroy(&nzparser);
4401 return (ISC_R_SUCCESS);
4405 count_zones(const cfg_obj_t *conf) {
4406 const cfg_obj_t *zonelist = NULL;
4407 const cfg_listelt_t *element;
4410 REQUIRE(conf != NULL);
4412 cfg_map_get(conf, "zone", &zonelist);
4413 for (element = cfg_list_first(zonelist);
4415 element = cfg_list_next(element))
4422 load_configuration(const char *filename, ns_server_t *server,
4423 isc_boolean_t first_time)
4425 cfg_obj_t *config = NULL, *bindkeys = NULL;
4426 cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
4427 const cfg_listelt_t *element;
4428 const cfg_obj_t *builtin_views;
4429 const cfg_obj_t *maps[3];
4430 const cfg_obj_t *obj;
4431 const cfg_obj_t *options;
4432 const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
4433 const cfg_obj_t *views;
4434 dns_view_t *view = NULL;
4435 dns_view_t *view_next;
4436 dns_viewlist_t tmpviewlist;
4437 dns_viewlist_t viewlist, builtin_viewlist;
4438 in_port_t listen_port, udpport_low, udpport_high;
4440 isc_interval_t interval;
4441 isc_portset_t *v4portset = NULL;
4442 isc_portset_t *v6portset = NULL;
4443 isc_resourcevalue_t nfiles;
4444 isc_result_t result;
4445 isc_uint32_t heartbeat_interval;
4446 isc_uint32_t interface_interval;
4447 isc_uint32_t reserved;
4448 isc_uint32_t udpsize;
4449 ns_cachelist_t cachelist, tmpcachelist;
4450 unsigned int maxsocks;
4452 struct cfg_context *nzctx;
4454 isc_boolean_t exclusive = ISC_FALSE;
4456 ISC_LIST_INIT(viewlist);
4457 ISC_LIST_INIT(builtin_viewlist);
4458 ISC_LIST_INIT(cachelist);
4460 /* Create the ACL configuration context */
4461 if (ns_g_aclconfctx != NULL)
4462 cfg_aclconfctx_detach(&ns_g_aclconfctx);
4463 CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
4466 * Parse the global default pseudo-config file.
4469 CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
4470 RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
4471 &ns_g_defaults) == ISC_R_SUCCESS);
4475 * Parse the configuration file using the new config code.
4477 result = ISC_R_FAILURE;
4481 * Unless this is lwresd with the -C option, parse the config file.
4483 if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
4484 isc_log_write(ns_g_lctx,
4485 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4486 ISC_LOG_INFO, "loading configuration from '%s'",
4488 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
4489 cfg_parser_setcallback(conf_parser, directory_callback, NULL);
4490 result = cfg_parse_file(conf_parser, filename,
4491 &cfg_type_namedconf, &config);
4495 * If this is lwresd with the -C option, or lwresd with no -C or -c
4496 * option where the above parsing failed, parse resolv.conf.
4498 if (ns_g_lwresdonly &&
4499 (lwresd_g_useresolvconf ||
4500 (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
4502 isc_log_write(ns_g_lctx,
4503 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4504 ISC_LOG_INFO, "loading configuration from '%s'",
4505 lwresd_g_resolvconffile);
4506 if (conf_parser != NULL)
4507 cfg_parser_destroy(&conf_parser);
4508 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
4509 result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
4515 * Check the validity of the configuration.
4517 CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
4520 * Fill in the maps array, used for resolving defaults.
4524 result = cfg_map_get(config, "options", &options);
4525 if (result == ISC_R_SUCCESS)
4526 maps[i++] = options;
4527 maps[i++] = ns_g_defaults;
4531 * If bind.keys exists, load it. If "dnssec-lookaside auto"
4532 * is turned on, the keys found there will be used as default
4536 result = ns_config_get(maps, "bindkeys-file", &obj);
4537 INSIST(result == ISC_R_SUCCESS);
4538 CHECKM(setstring(server, &server->bindkeysfile,
4539 cfg_obj_asstring(obj)), "strdup");
4541 if (access(server->bindkeysfile, R_OK) == 0) {
4542 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4543 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4544 "reading built-in trusted "
4545 "keys from file '%s'", server->bindkeysfile);
4547 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
4550 result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
4551 &cfg_type_bindkeys, &bindkeys);
4555 /* Ensure exclusive access to configuration data. */
4557 result = isc_task_beginexclusive(server->task);
4558 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4559 exclusive = ISC_TRUE;
4563 * Set process limits, which (usually) needs to be done as root.
4568 * Check if max number of open sockets that the system allows is
4569 * sufficiently large. Failing this condition is not necessarily fatal,
4570 * but may cause subsequent runtime failures for a busy recursive
4573 result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
4574 if (result != ISC_R_SUCCESS)
4576 result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
4577 if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
4578 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4579 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4580 "max open files (%" ISC_PRINT_QUADFORMAT "u)"
4581 " is smaller than max sockets (%u)",
4586 * Set the number of socket reserved for TCP, stdio etc.
4589 result = ns_config_get(maps, "reserved-sockets", &obj);
4590 INSIST(result == ISC_R_SUCCESS);
4591 reserved = cfg_obj_asuint32(obj);
4592 if (maxsocks != 0) {
4593 if (maxsocks < 128U) /* Prevent underflow. */
4595 else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
4596 reserved = maxsocks - 128;
4598 /* Minimum TCP/stdio space. */
4599 if (reserved < 128U)
4601 if (reserved + 128U > maxsocks && maxsocks != 0) {
4602 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4603 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4604 "less than 128 UDP sockets available after "
4605 "applying 'reserved-sockets' and 'maxsockets'");
4607 isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
4610 * Configure various server options.
4612 configure_server_quota(maps, "transfers-out", &server->xfroutquota);
4613 configure_server_quota(maps, "tcp-clients", &server->tcpquota);
4614 configure_server_quota(maps, "recursive-clients",
4615 &server->recursionquota);
4616 if (server->recursionquota.max > 1000)
4617 isc_quota_soft(&server->recursionquota,
4618 server->recursionquota.max - 100);
4620 isc_quota_soft(&server->recursionquota, 0);
4622 CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
4623 ns_g_aclconfctx, ns_g_mctx,
4624 &server->blackholeacl));
4625 if (server->blackholeacl != NULL)
4626 dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
4627 server->blackholeacl);
4630 result = ns_config_get(maps, "match-mapped-addresses", &obj);
4631 INSIST(result == ISC_R_SUCCESS);
4632 server->aclenv.match_mapped = cfg_obj_asboolean(obj);
4634 CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
4635 "configuring statistics server(s)");
4638 * Configure sets of UDP query source ports.
4640 CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
4641 "creating UDP port set");
4642 CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
4643 "creating UDP port set");
4647 avoidv4ports = NULL;
4648 avoidv6ports = NULL;
4650 (void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
4651 if (usev4ports != NULL)
4652 portset_fromconf(v4portset, usev4ports, ISC_TRUE);
4654 CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
4656 "get the default UDP/IPv4 port range");
4657 if (udpport_low == udpport_high)
4658 isc_portset_add(v4portset, udpport_low);
4660 isc_portset_addrange(v4portset, udpport_low,
4663 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4664 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4665 "using default UDP/IPv4 port range: [%d, %d]",
4666 udpport_low, udpport_high);
4668 (void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
4669 if (avoidv4ports != NULL)
4670 portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
4672 (void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
4673 if (usev6ports != NULL)
4674 portset_fromconf(v6portset, usev6ports, ISC_TRUE);
4676 CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
4678 "get the default UDP/IPv6 port range");
4679 if (udpport_low == udpport_high)
4680 isc_portset_add(v6portset, udpport_low);
4682 isc_portset_addrange(v6portset, udpport_low,
4685 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4686 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4687 "using default UDP/IPv6 port range: [%d, %d]",
4688 udpport_low, udpport_high);
4690 (void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
4691 if (avoidv6ports != NULL)
4692 portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
4694 dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
4697 * Set the EDNS UDP size when we don't match a view.
4700 result = ns_config_get(maps, "edns-udp-size", &obj);
4701 INSIST(result == ISC_R_SUCCESS);
4702 udpsize = cfg_obj_asuint32(obj);
4707 ns_g_udpsize = (isc_uint16_t)udpsize;
4710 * Configure the zone manager.
4713 result = ns_config_get(maps, "transfers-in", &obj);
4714 INSIST(result == ISC_R_SUCCESS);
4715 dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
4718 result = ns_config_get(maps, "transfers-per-ns", &obj);
4719 INSIST(result == ISC_R_SUCCESS);
4720 dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
4723 result = ns_config_get(maps, "serial-query-rate", &obj);
4724 INSIST(result == ISC_R_SUCCESS);
4725 dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
4728 * Determine which port to use for listening for incoming connections.
4731 listen_port = ns_g_port;
4733 CHECKM(ns_config_getport(config, &listen_port), "port");
4736 * Find the listen queue depth.
4739 result = ns_config_get(maps, "tcp-listen-queue", &obj);
4740 INSIST(result == ISC_R_SUCCESS);
4741 ns_g_listen = cfg_obj_asuint32(obj);
4742 if (ns_g_listen < 3)
4746 * Configure the interface manager according to the "listen-on"
4750 const cfg_obj_t *clistenon = NULL;
4751 ns_listenlist_t *listenon = NULL;
4755 * Even though listen-on is present in the default
4756 * configuration, we can't use it here, since it isn't
4757 * used if we're in lwresd mode. This way is easier.
4759 if (options != NULL)
4760 (void)cfg_map_get(options, "listen-on", &clistenon);
4761 if (clistenon != NULL) {
4762 /* check return code? */
4763 (void)ns_listenlist_fromconfig(clistenon, config,
4765 ns_g_mctx, &listenon);
4766 } else if (!ns_g_lwresdonly) {
4768 * Not specified, use default.
4770 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
4771 ISC_TRUE, &listenon));
4773 if (listenon != NULL) {
4774 ns_interfacemgr_setlistenon4(server->interfacemgr,
4776 ns_listenlist_detach(&listenon);
4783 const cfg_obj_t *clistenon = NULL;
4784 ns_listenlist_t *listenon = NULL;
4786 if (options != NULL)
4787 (void)cfg_map_get(options, "listen-on-v6", &clistenon);
4788 if (clistenon != NULL) {
4789 /* check return code? */
4790 (void)ns_listenlist_fromconfig(clistenon, config,
4792 ns_g_mctx, &listenon);
4793 } else if (!ns_g_lwresdonly) {
4794 isc_boolean_t enable;
4796 * Not specified, use default.
4798 enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
4799 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
4800 enable, &listenon));
4802 if (listenon != NULL) {
4803 ns_interfacemgr_setlistenon6(server->interfacemgr,
4805 ns_listenlist_detach(&listenon);
4810 * Rescan the interface list to pick up changes in the
4811 * listen-on option. It's important that we do this before we try
4812 * to configure the query source, since the dispatcher we use might
4813 * be shared with an interface.
4815 scan_interfaces(server, ISC_TRUE);
4818 * Arrange for further interface scanning to occur periodically
4819 * as specified by the "interface-interval" option.
4822 result = ns_config_get(maps, "interface-interval", &obj);
4823 INSIST(result == ISC_R_SUCCESS);
4824 interface_interval = cfg_obj_asuint32(obj) * 60;
4825 if (interface_interval == 0) {
4826 CHECK(isc_timer_reset(server->interface_timer,
4827 isc_timertype_inactive,
4828 NULL, NULL, ISC_TRUE));
4829 } else if (server->interface_interval != interface_interval) {
4830 isc_interval_set(&interval, interface_interval, 0);
4831 CHECK(isc_timer_reset(server->interface_timer,
4832 isc_timertype_ticker,
4833 NULL, &interval, ISC_FALSE));
4835 server->interface_interval = interface_interval;
4838 * Configure the dialup heartbeat timer.
4841 result = ns_config_get(maps, "heartbeat-interval", &obj);
4842 INSIST(result == ISC_R_SUCCESS);
4843 heartbeat_interval = cfg_obj_asuint32(obj) * 60;
4844 if (heartbeat_interval == 0) {
4845 CHECK(isc_timer_reset(server->heartbeat_timer,
4846 isc_timertype_inactive,
4847 NULL, NULL, ISC_TRUE));
4848 } else if (server->heartbeat_interval != heartbeat_interval) {
4849 isc_interval_set(&interval, heartbeat_interval, 0);
4850 CHECK(isc_timer_reset(server->heartbeat_timer,
4851 isc_timertype_ticker,
4852 NULL, &interval, ISC_FALSE));
4854 server->heartbeat_interval = heartbeat_interval;
4856 isc_interval_set(&interval, 1200, 0);
4857 CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
4858 &interval, ISC_FALSE));
4861 * Write the PID file.
4864 if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
4865 if (cfg_obj_isvoid(obj))
4866 ns_os_writepidfile(NULL, first_time);
4868 ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
4869 else if (ns_g_lwresdonly)
4870 ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
4872 ns_os_writepidfile(ns_g_defaultpidfile, first_time);
4875 * Configure the server-wide session key. This must be done before
4876 * configure views because zone configuration may need to know
4879 * Failure of session key generation isn't fatal at this time; if it
4880 * turns out that a session key is really needed but doesn't exist,
4881 * we'll treat it as a fatal error then.
4883 (void)configure_session_key(maps, server, ns_g_mctx);
4886 (void)cfg_map_get(config, "view", &views);
4889 * Create the views and count all the configured zones in
4890 * order to correctly size the zone manager's task table.
4891 * (We only count zones for configured views; the built-in
4892 * "bind" view can be ignored as it only adds a negligible
4895 * If we're allowing new zones, we need to be able to find the
4896 * new zone file and count those as well. So we setup the new
4897 * zone configuration context, but otherwise view configuration
4898 * waits until after the zone manager's task list has been sized.
4900 for (element = cfg_list_first(views);
4902 element = cfg_list_next(element))
4904 cfg_obj_t *vconfig = cfg_listelt_value(element);
4905 const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
4908 CHECK(create_view(vconfig, &viewlist, &view));
4909 INSIST(view != NULL);
4911 num_zones += count_zones(voptions);
4912 CHECK(setup_newzones(view, config, vconfig, conf_parser,
4915 nzctx = view->new_zone_config;
4916 if (nzctx != NULL && nzctx->nzconfig != NULL)
4917 num_zones += count_zones(nzctx->nzconfig);
4919 dns_view_detach(&view);
4923 * If there were no explicit views then we do the default
4926 if (views == NULL) {
4927 CHECK(create_view(NULL, &viewlist, &view));
4928 INSIST(view != NULL);
4930 num_zones = count_zones(config);
4932 CHECK(setup_newzones(view, config, NULL, conf_parser,
4935 nzctx = view->new_zone_config;
4936 if (nzctx != NULL && nzctx->nzconfig != NULL)
4937 num_zones += count_zones(nzctx->nzconfig);
4939 dns_view_detach(&view);
4943 * Zones have been counted; set the zone manager task pool size.
4945 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4946 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4947 "sizing zone task pool based on %d zones", num_zones);
4948 CHECK(dns_zonemgr_setsize(ns_g_server->zonemgr, num_zones));
4951 * Configure and freeze all explicit views. Explicit
4952 * views that have zones were already created at parsing
4953 * time, but views with no zones must be created here.
4955 for (element = cfg_list_first(views);
4957 element = cfg_list_next(element))
4959 cfg_obj_t *vconfig = cfg_listelt_value(element);
4962 CHECK(find_view(vconfig, &viewlist, &view));
4963 CHECK(configure_view(view, config, vconfig,
4964 &cachelist, bindkeys, ns_g_mctx,
4965 ns_g_aclconfctx, ISC_TRUE));
4966 dns_view_freeze(view);
4967 dns_view_detach(&view);
4971 * Make sure we have a default view if and only if there
4972 * were no explicit views.
4974 if (views == NULL) {
4976 CHECK(find_view(NULL, &viewlist, &view));
4977 CHECK(configure_view(view, config, NULL,
4978 &cachelist, bindkeys,
4979 ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
4980 dns_view_freeze(view);
4981 dns_view_detach(&view);
4985 * Create (or recreate) the built-in views.
4987 builtin_views = NULL;
4988 RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
4989 &builtin_views) == ISC_R_SUCCESS);
4990 for (element = cfg_list_first(builtin_views);
4992 element = cfg_list_next(element))
4994 cfg_obj_t *vconfig = cfg_listelt_value(element);
4996 CHECK(create_view(vconfig, &builtin_viewlist, &view));
4997 CHECK(configure_view(view, config, vconfig,
4998 &cachelist, bindkeys,
4999 ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
5000 dns_view_freeze(view);
5001 dns_view_detach(&view);
5005 /* Now combine the two viewlists into one */
5006 ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
5008 /* Swap our new view list with the production one. */
5009 tmpviewlist = server->viewlist;
5010 server->viewlist = viewlist;
5011 viewlist = tmpviewlist;
5013 /* Make the view list available to each of the views */
5014 view = ISC_LIST_HEAD(server->viewlist);
5015 while (view != NULL) {
5016 view->viewlist = &server->viewlist;
5017 view = ISC_LIST_NEXT(view, link);
5020 /* Swap our new cache list with the production one. */
5021 tmpcachelist = server->cachelist;
5022 server->cachelist = cachelist;
5023 cachelist = tmpcachelist;
5025 /* Load the TKEY information from the configuration. */
5026 if (options != NULL) {
5027 dns_tkeyctx_t *t = NULL;
5028 CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
5030 "configuring TKEY");
5031 if (server->tkeyctx != NULL)
5032 dns_tkeyctx_destroy(&server->tkeyctx);
5033 server->tkeyctx = t;
5037 * Bind the control port(s).
5039 CHECKM(ns_controls_configure(ns_g_server->controls, config,
5041 "binding control channel(s)");
5044 * Bind the lwresd port(s).
5046 CHECKM(ns_lwresd_configure(ns_g_mctx, config),
5047 "binding lightweight resolver ports");
5050 * Open the source of entropy.
5054 result = ns_config_get(maps, "random-device", &obj);
5055 if (result != ISC_R_SUCCESS) {
5056 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5057 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5058 "no source of entropy found");
5060 const char *randomdev = cfg_obj_asstring(obj);
5061 result = isc_entropy_createfilesource(ns_g_entropy,
5063 if (result != ISC_R_SUCCESS)
5064 isc_log_write(ns_g_lctx,
5065 NS_LOGCATEGORY_GENERAL,
5066 NS_LOGMODULE_SERVER,
5068 "could not open entropy source "
5071 isc_result_totext(result));
5072 #ifdef PATH_RANDOMDEV
5073 if (ns_g_fallbackentropy != NULL) {
5074 if (result != ISC_R_SUCCESS) {
5075 isc_log_write(ns_g_lctx,
5076 NS_LOGCATEGORY_GENERAL,
5077 NS_LOGMODULE_SERVER,
5079 "using pre-chroot entropy source "
5082 isc_entropy_detach(&ns_g_entropy);
5083 isc_entropy_attach(ns_g_fallbackentropy,
5086 isc_entropy_detach(&ns_g_fallbackentropy);
5093 * Relinquish root privileges.
5099 * Check that the working directory is writable.
5101 if (access(".", W_OK) != 0) {
5102 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5103 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5104 "the working directory is not writable");
5108 * Configure the logging system.
5110 * Do this after changing UID to make sure that any log
5111 * files specified in named.conf get created by the
5112 * unprivileged user, not root.
5114 if (ns_g_logstderr) {
5115 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5116 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5117 "ignoring config file logging "
5118 "statement due to -g option");
5120 const cfg_obj_t *logobj = NULL;
5121 isc_logconfig_t *logc = NULL;
5123 CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
5124 "creating new logging configuration");
5127 (void)cfg_map_get(config, "logging", &logobj);
5128 if (logobj != NULL) {
5129 CHECKM(ns_log_configure(logc, logobj),
5130 "configuring logging");
5132 CHECKM(ns_log_setdefaultchannels(logc),
5133 "setting up default logging channels");
5134 CHECKM(ns_log_setunmatchedcategory(logc),
5135 "setting up default 'category unmatched'");
5136 CHECKM(ns_log_setdefaultcategory(logc),
5137 "setting up default 'category default'");
5140 result = isc_logconfig_use(ns_g_lctx, logc);
5141 if (result != ISC_R_SUCCESS) {
5142 isc_logconfig_destroy(&logc);
5143 CHECKM(result, "installing logging configuration");
5146 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5147 NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
5148 "now using logging configuration from "
5153 * Set the default value of the query logging flag depending
5154 * whether a "queries" category has been defined. This is
5155 * a disgusting hack, but we need to do this for BIND 8
5159 const cfg_obj_t *logobj = NULL;
5160 const cfg_obj_t *categories = NULL;
5163 if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
5164 server->log_queries = cfg_obj_asboolean(obj);
5167 (void)cfg_map_get(config, "logging", &logobj);
5169 (void)cfg_map_get(logobj, "category",
5171 if (categories != NULL) {
5172 const cfg_listelt_t *element;
5173 for (element = cfg_list_first(categories);
5175 element = cfg_list_next(element))
5177 const cfg_obj_t *catobj;
5180 obj = cfg_listelt_value(element);
5181 catobj = cfg_tuple_get(obj, "name");
5182 str = cfg_obj_asstring(catobj);
5183 if (strcasecmp(str, "queries") == 0)
5184 server->log_queries = ISC_TRUE;
5192 if (options != NULL &&
5193 cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
5194 ns_g_memstatistics = cfg_obj_asboolean(obj);
5196 ns_g_memstatistics =
5197 ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
5200 if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
5201 ns_main_setmemstats(cfg_obj_asstring(obj));
5202 else if (ns_g_memstatistics)
5203 ns_main_setmemstats("named.memstats");
5205 ns_main_setmemstats(NULL);
5208 result = ns_config_get(maps, "statistics-file", &obj);
5209 INSIST(result == ISC_R_SUCCESS);
5210 CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
5214 result = ns_config_get(maps, "dump-file", &obj);
5215 INSIST(result == ISC_R_SUCCESS);
5216 CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
5220 result = ns_config_get(maps, "secroots-file", &obj);
5221 INSIST(result == ISC_R_SUCCESS);
5222 CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
5226 result = ns_config_get(maps, "recursing-file", &obj);
5227 INSIST(result == ISC_R_SUCCESS);
5228 CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
5232 result = ns_config_get(maps, "version", &obj);
5233 if (result == ISC_R_SUCCESS) {
5234 CHECKM(setoptstring(server, &server->version, obj), "strdup");
5235 server->version_set = ISC_TRUE;
5237 server->version_set = ISC_FALSE;
5241 result = ns_config_get(maps, "hostname", &obj);
5242 if (result == ISC_R_SUCCESS) {
5243 CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
5244 server->hostname_set = ISC_TRUE;
5246 server->hostname_set = ISC_FALSE;
5250 result = ns_config_get(maps, "server-id", &obj);
5251 server->server_usehostname = ISC_FALSE;
5252 if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
5253 /* The parser translates "hostname" to ISC_TRUE */
5254 server->server_usehostname = cfg_obj_asboolean(obj);
5255 result = setstring(server, &server->server_id, NULL);
5256 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5257 } else if (result == ISC_R_SUCCESS) {
5258 /* Found a quoted string */
5259 CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
5261 result = setstring(server, &server->server_id, NULL);
5262 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5266 result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
5267 if (result == ISC_R_SUCCESS) {
5268 server->flushonshutdown = cfg_obj_asboolean(obj);
5270 server->flushonshutdown = ISC_FALSE;
5273 result = ISC_R_SUCCESS;
5276 if (v4portset != NULL)
5277 isc_portset_destroy(ns_g_mctx, &v4portset);
5279 if (v6portset != NULL)
5280 isc_portset_destroy(ns_g_mctx, &v6portset);
5282 if (conf_parser != NULL) {
5284 cfg_obj_destroy(conf_parser, &config);
5285 cfg_parser_destroy(&conf_parser);
5288 if (bindkeys_parser != NULL) {
5289 if (bindkeys != NULL)
5290 cfg_obj_destroy(bindkeys_parser, &bindkeys);
5291 cfg_parser_destroy(&bindkeys_parser);
5295 dns_view_detach(&view);
5298 * This cleans up either the old production view list
5299 * or our temporary list depending on whether they
5300 * were swapped above or not.
5302 for (view = ISC_LIST_HEAD(viewlist);
5305 view_next = ISC_LIST_NEXT(view, link);
5306 ISC_LIST_UNLINK(viewlist, view, link);
5307 if (result == ISC_R_SUCCESS &&
5308 strcmp(view->name, "_bind") != 0)
5309 (void)dns_zt_apply(view->zonetable, ISC_FALSE,
5311 dns_view_detach(&view);
5314 /* Same cleanup for cache list. */
5315 while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
5316 ISC_LIST_UNLINK(cachelist, nsc, link);
5317 dns_cache_detach(&nsc->cache);
5318 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
5322 * Adjust the listening interfaces in accordance with the source
5323 * addresses specified in views and zones.
5325 if (isc_net_probeipv6() == ISC_R_SUCCESS)
5326 adjust_interfaces(server, ns_g_mctx);
5328 /* Relinquish exclusive access to configuration data. */
5330 isc_task_endexclusive(server->task);
5332 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5333 ISC_LOG_DEBUG(1), "load_configuration: %s",
5334 isc_result_totext(result));
5340 load_zones(ns_server_t *server, isc_boolean_t stop) {
5341 isc_result_t result;
5344 result = isc_task_beginexclusive(server->task);
5345 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5348 * Load zone data from disk.
5350 for (view = ISC_LIST_HEAD(server->viewlist);
5352 view = ISC_LIST_NEXT(view, link))
5354 CHECK(dns_view_load(view, stop));
5355 if (view->managed_keys != NULL)
5356 CHECK(dns_zone_load(view->managed_keys));
5360 * Force zone maintenance. Do this after loading
5361 * so that we know when we need to force AXFR of
5362 * slave zones whose master files are missing.
5364 CHECK(dns_zonemgr_forcemaint(server->zonemgr));
5366 isc_task_endexclusive(server->task);
5371 load_new_zones(ns_server_t *server, isc_boolean_t stop) {
5372 isc_result_t result;
5375 result = isc_task_beginexclusive(server->task);
5376 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5379 * Load zone data from disk.
5381 for (view = ISC_LIST_HEAD(server->viewlist);
5383 view = ISC_LIST_NEXT(view, link))
5385 CHECK(dns_view_loadnew(view, stop));
5387 /* Load managed-keys data */
5388 if (view->managed_keys != NULL)
5389 CHECK(dns_zone_loadnew(view->managed_keys));
5395 dns_zonemgr_resumexfrs(server->zonemgr);
5397 isc_task_endexclusive(server->task);
5402 run_server(isc_task_t *task, isc_event_t *event) {
5403 isc_result_t result;
5404 ns_server_t *server = (ns_server_t *)event->ev_arg;
5406 INSIST(task == server->task);
5408 isc_event_free(&event);
5410 CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
5412 "creating dispatch manager");
5414 dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
5416 CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
5417 ns_g_socketmgr, ns_g_dispatchmgr,
5418 &server->interfacemgr),
5419 "creating interface manager");
5421 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5422 NULL, NULL, server->task,
5423 interface_timer_tick,
5424 server, &server->interface_timer),
5425 "creating interface timer");
5427 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5428 NULL, NULL, server->task,
5429 heartbeat_timer_tick,
5430 server, &server->heartbeat_timer),
5431 "creating heartbeat timer");
5433 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5434 NULL, NULL, server->task, pps_timer_tick,
5435 server, &server->pps_timer),
5436 "creating pps timer");
5438 CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
5439 "creating default configuration parser");
5441 if (ns_g_lwresdonly)
5442 CHECKFATAL(load_configuration(lwresd_g_conffile, server,
5444 "loading configuration");
5446 CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
5447 "loading configuration");
5451 CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
5454 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5455 ISC_LOG_NOTICE, "running");
5459 ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
5461 REQUIRE(NS_SERVER_VALID(server));
5463 server->flushonshutdown = flush;
5467 shutdown_server(isc_task_t *task, isc_event_t *event) {
5468 isc_result_t result;
5469 dns_view_t *view, *view_next;
5470 ns_server_t *server = (ns_server_t *)event->ev_arg;
5471 isc_boolean_t flush = server->flushonshutdown;
5475 INSIST(task == server->task);
5477 result = isc_task_beginexclusive(server->task);
5478 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5480 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5481 ISC_LOG_INFO, "shutting down%s",
5482 flush ? ": flushing changes" : "");
5484 ns_statschannels_shutdown(server);
5485 ns_controls_shutdown(server->controls);
5486 end_reserved_dispatches(server, ISC_TRUE);
5487 cleanup_session_key(server, server->mctx);
5489 if (ns_g_aclconfctx != NULL)
5490 cfg_aclconfctx_detach(&ns_g_aclconfctx);
5492 cfg_obj_destroy(ns_g_parser, &ns_g_config);
5493 cfg_parser_destroy(&ns_g_parser);
5495 for (view = ISC_LIST_HEAD(server->viewlist);
5498 view_next = ISC_LIST_NEXT(view, link);
5499 ISC_LIST_UNLINK(server->viewlist, view, link);
5501 dns_view_flushanddetach(&view);
5503 dns_view_detach(&view);
5506 while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
5507 ISC_LIST_UNLINK(server->cachelist, nsc, link);
5508 dns_cache_detach(&nsc->cache);
5509 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
5512 isc_timer_detach(&server->interface_timer);
5513 isc_timer_detach(&server->heartbeat_timer);
5514 isc_timer_detach(&server->pps_timer);
5516 ns_interfacemgr_shutdown(server->interfacemgr);
5517 ns_interfacemgr_detach(&server->interfacemgr);
5519 dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
5521 dns_zonemgr_shutdown(server->zonemgr);
5523 if (ns_g_sessionkey != NULL) {
5524 dns_tsigkey_detach(&ns_g_sessionkey);
5525 dns_name_free(&ns_g_sessionkeyname, server->mctx);
5528 if (server->blackholeacl != NULL)
5529 dns_acl_detach(&server->blackholeacl);
5531 dns_db_detach(&server->in_roothints);
5533 isc_task_endexclusive(server->task);
5535 isc_task_detach(&server->task);
5537 isc_event_free(&event);
5541 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
5542 isc_result_t result;
5543 ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
5546 fatal("allocating server object", ISC_R_NOMEMORY);
5548 server->mctx = mctx;
5549 server->task = NULL;
5551 /* Initialize configuration data with default values. */
5553 result = isc_quota_init(&server->xfroutquota, 10);
5554 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5555 result = isc_quota_init(&server->tcpquota, 10);
5556 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5557 result = isc_quota_init(&server->recursionquota, 100);
5558 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5560 result = dns_aclenv_init(mctx, &server->aclenv);
5561 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5563 /* Initialize server data structures. */
5564 server->zonemgr = NULL;
5565 server->interfacemgr = NULL;
5566 ISC_LIST_INIT(server->viewlist);
5567 server->in_roothints = NULL;
5568 server->blackholeacl = NULL;
5570 CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
5571 &server->in_roothints),
5572 "setting up root hints");
5574 CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
5575 "initializing reload event lock");
5576 server->reload_event =
5577 isc_event_allocate(ns_g_mctx, server,
5581 sizeof(isc_event_t));
5582 CHECKFATAL(server->reload_event == NULL ?
5583 ISC_R_NOMEMORY : ISC_R_SUCCESS,
5584 "allocating reload event");
5586 CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
5587 ns_g_engine, ISC_ENTROPY_GOODONLY),
5588 "initializing DST");
5590 server->tkeyctx = NULL;
5591 CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
5593 "creating TKEY context");
5596 * Setup the server task, which is responsible for coordinating
5597 * startup and shutdown of the server, as well as all exclusive
5600 CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
5601 "creating server task");
5602 isc_task_setname(server->task, "server", server);
5603 isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
5604 CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
5605 "isc_task_onshutdown");
5606 CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
5609 server->interface_timer = NULL;
5610 server->heartbeat_timer = NULL;
5611 server->pps_timer = NULL;
5613 server->interface_interval = 0;
5614 server->heartbeat_interval = 0;
5616 CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
5617 ns_g_socketmgr, &server->zonemgr),
5618 "dns_zonemgr_create");
5619 CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000),
5620 "dns_zonemgr_setsize");
5622 server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
5623 CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5625 server->nsstats = NULL;
5626 server->rcvquerystats = NULL;
5627 server->opcodestats = NULL;
5628 server->zonestats = NULL;
5629 server->resolverstats = NULL;
5630 server->sockstats = NULL;
5631 CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
5632 isc_sockstatscounter_max),
5633 "isc_stats_create");
5634 isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
5636 server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
5637 CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
5641 server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
5642 CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5645 server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
5646 CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
5650 server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
5651 CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5654 server->hostname_set = ISC_FALSE;
5655 server->hostname = NULL;
5656 server->version_set = ISC_FALSE;
5657 server->version = NULL;
5658 server->server_usehostname = ISC_FALSE;
5659 server->server_id = NULL;
5661 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
5662 dns_nsstatscounter_max),
5663 "dns_stats_create (server)");
5665 CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
5666 &server->rcvquerystats),
5667 "dns_stats_create (rcvquery)");
5669 CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
5670 "dns_stats_create (opcode)");
5672 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
5673 dns_zonestatscounter_max),
5674 "dns_stats_create (zone)");
5676 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
5677 dns_resstatscounter_max),
5678 "dns_stats_create (resolver)");
5680 server->flushonshutdown = ISC_FALSE;
5681 server->log_queries = ISC_FALSE;
5683 server->controls = NULL;
5684 CHECKFATAL(ns_controls_create(server, &server->controls),
5685 "ns_controls_create");
5686 server->dispatchgen = 0;
5687 ISC_LIST_INIT(server->dispatches);
5689 ISC_LIST_INIT(server->statschannels);
5691 ISC_LIST_INIT(server->cachelist);
5693 server->sessionkey = NULL;
5694 server->session_keyfile = NULL;
5695 server->session_keyname = NULL;
5696 server->session_keyalg = DST_ALG_UNKNOWN;
5697 server->session_keybits = 0;
5699 server->magic = NS_SERVER_MAGIC;
5704 ns_server_destroy(ns_server_t **serverp) {
5705 ns_server_t *server = *serverp;
5706 REQUIRE(NS_SERVER_VALID(server));
5708 ns_controls_destroy(&server->controls);
5710 isc_stats_detach(&server->nsstats);
5711 dns_stats_detach(&server->rcvquerystats);
5712 dns_stats_detach(&server->opcodestats);
5713 isc_stats_detach(&server->zonestats);
5714 isc_stats_detach(&server->resolverstats);
5715 isc_stats_detach(&server->sockstats);
5717 isc_mem_free(server->mctx, server->statsfile);
5718 isc_mem_free(server->mctx, server->bindkeysfile);
5719 isc_mem_free(server->mctx, server->dumpfile);
5720 isc_mem_free(server->mctx, server->secrootsfile);
5721 isc_mem_free(server->mctx, server->recfile);
5723 if (server->version != NULL)
5724 isc_mem_free(server->mctx, server->version);
5725 if (server->hostname != NULL)
5726 isc_mem_free(server->mctx, server->hostname);
5727 if (server->server_id != NULL)
5728 isc_mem_free(server->mctx, server->server_id);
5730 if (server->zonemgr != NULL)
5731 dns_zonemgr_detach(&server->zonemgr);
5733 if (server->tkeyctx != NULL)
5734 dns_tkeyctx_destroy(&server->tkeyctx);
5738 isc_event_free(&server->reload_event);
5740 INSIST(ISC_LIST_EMPTY(server->viewlist));
5741 INSIST(ISC_LIST_EMPTY(server->cachelist));
5743 dns_aclenv_destroy(&server->aclenv);
5745 isc_quota_destroy(&server->recursionquota);
5746 isc_quota_destroy(&server->tcpquota);
5747 isc_quota_destroy(&server->xfroutquota);
5750 isc_mem_put(server->mctx, server, sizeof(*server));
5755 fatal(const char *msg, isc_result_t result) {
5756 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5757 ISC_LOG_CRITICAL, "%s: %s", msg,
5758 isc_result_totext(result));
5759 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5760 ISC_LOG_CRITICAL, "exiting (due to fatal error)");
5765 start_reserved_dispatches(ns_server_t *server) {
5767 REQUIRE(NS_SERVER_VALID(server));
5769 server->dispatchgen++;
5773 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
5774 ns_dispatch_t *dispatch, *nextdispatch;
5776 REQUIRE(NS_SERVER_VALID(server));
5778 for (dispatch = ISC_LIST_HEAD(server->dispatches);
5780 dispatch = nextdispatch) {
5781 nextdispatch = ISC_LIST_NEXT(dispatch, link);
5782 if (!all && server->dispatchgen == dispatch-> dispatchgen)
5784 ISC_LIST_UNLINK(server->dispatches, dispatch, link);
5785 dns_dispatch_detach(&dispatch->dispatch);
5786 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
5791 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
5792 ns_dispatch_t *dispatch;
5794 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
5795 isc_result_t result;
5796 unsigned int attrs, attrmask;
5798 REQUIRE(NS_SERVER_VALID(server));
5800 port = isc_sockaddr_getport(addr);
5801 if (port == 0 || port >= 1024)
5804 for (dispatch = ISC_LIST_HEAD(server->dispatches);
5806 dispatch = ISC_LIST_NEXT(dispatch, link)) {
5807 if (isc_sockaddr_equal(&dispatch->addr, addr))
5810 if (dispatch != NULL) {
5811 dispatch->dispatchgen = server->dispatchgen;
5815 dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
5816 if (dispatch == NULL) {
5817 result = ISC_R_NOMEMORY;
5821 dispatch->addr = *addr;
5822 dispatch->dispatchgen = server->dispatchgen;
5823 dispatch->dispatch = NULL;
5826 attrs |= DNS_DISPATCHATTR_UDP;
5827 switch (isc_sockaddr_pf(addr)) {
5829 attrs |= DNS_DISPATCHATTR_IPV4;
5832 attrs |= DNS_DISPATCHATTR_IPV6;
5835 result = ISC_R_NOTIMPLEMENTED;
5839 attrmask |= DNS_DISPATCHATTR_UDP;
5840 attrmask |= DNS_DISPATCHATTR_TCP;
5841 attrmask |= DNS_DISPATCHATTR_IPV4;
5842 attrmask |= DNS_DISPATCHATTR_IPV6;
5844 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
5845 ns_g_taskmgr, &dispatch->addr, 4096,
5846 1000, 32768, 16411, 16433,
5847 attrs, attrmask, &dispatch->dispatch);
5848 if (result != ISC_R_SUCCESS)
5851 ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
5856 if (dispatch != NULL)
5857 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
5858 isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
5859 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5860 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
5861 "unable to create dispatch for reserved port %s: %s",
5862 addrbuf, isc_result_totext(result));
5867 loadconfig(ns_server_t *server) {
5868 isc_result_t result;
5869 start_reserved_dispatches(server);
5870 result = load_configuration(ns_g_lwresdonly ?
5871 lwresd_g_conffile : ns_g_conffile,
5873 if (result == ISC_R_SUCCESS) {
5874 end_reserved_dispatches(server, ISC_FALSE);
5875 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5876 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5877 "reloading configuration succeeded");
5879 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5880 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5881 "reloading configuration failed: %s",
5882 isc_result_totext(result));
5888 reload(ns_server_t *server) {
5889 isc_result_t result;
5890 CHECK(loadconfig(server));
5892 result = load_zones(server, ISC_FALSE);
5893 if (result == ISC_R_SUCCESS)
5894 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5895 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5896 "reloading zones succeeded");
5898 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5899 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5900 "reloading zones failed: %s",
5901 isc_result_totext(result));
5908 reconfig(ns_server_t *server) {
5909 isc_result_t result;
5910 CHECK(loadconfig(server));
5912 result = load_new_zones(server, ISC_FALSE);
5913 if (result == ISC_R_SUCCESS)
5914 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5915 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5916 "any newly configured zones are now loaded");
5918 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5919 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5920 "loading new zones failed: %s",
5921 isc_result_totext(result));
5927 * Handle a reload event (from SIGHUP).
5930 ns_server_reload(isc_task_t *task, isc_event_t *event) {
5931 ns_server_t *server = (ns_server_t *)event->ev_arg;
5933 INSIST(task = server->task);
5936 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5937 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5938 "received SIGHUP signal to reload zones");
5939 (void)reload(server);
5941 LOCK(&server->reload_event_lock);
5942 INSIST(server->reload_event == NULL);
5943 server->reload_event = event;
5944 UNLOCK(&server->reload_event_lock);
5948 ns_server_reloadwanted(ns_server_t *server) {
5949 LOCK(&server->reload_event_lock);
5950 if (server->reload_event != NULL)
5951 isc_task_send(server->task, &server->reload_event);
5952 UNLOCK(&server->reload_event_lock);
5956 next_token(char **stringp, const char *delim) {
5960 res = strsep(stringp, delim);
5963 } while (*res == '\0');
5968 * Find the zone specified in the control channel command 'args',
5969 * if any. If a zone is specified, point '*zonep' at it, otherwise
5970 * set '*zonep' to NULL.
5973 zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
5974 const char **zonename)
5977 const char *zonetxt;
5979 const char *viewtxt = NULL;
5980 dns_fixedname_t name;
5981 isc_result_t result;
5983 dns_view_t *view = NULL;
5984 dns_rdataclass_t rdclass;
5986 REQUIRE(zonep != NULL && *zonep == NULL);
5987 REQUIRE(zonename == NULL || *zonename == NULL);
5991 /* Skip the command name. */
5992 ptr = next_token(&input, " \t");
5994 return (ISC_R_UNEXPECTEDEND);
5996 /* Look for the zone name. */
5997 zonetxt = next_token(&input, " \t");
5998 if (zonetxt == NULL)
5999 return (ISC_R_SUCCESS);
6000 if (zonename != NULL)
6001 *zonename = zonetxt;
6003 /* Look for the optional class name. */
6004 classtxt = next_token(&input, " \t");
6005 if (classtxt != NULL) {
6006 /* Look for the optional view name. */
6007 viewtxt = next_token(&input, " \t");
6010 isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
6011 isc_buffer_add(&buf, strlen(zonetxt));
6012 dns_fixedname_init(&name);
6013 result = dns_name_fromtext(dns_fixedname_name(&name),
6014 &buf, dns_rootname, 0, NULL);
6015 if (result != ISC_R_SUCCESS)
6018 if (classtxt != NULL) {
6021 r.length = strlen(classtxt);
6022 result = dns_rdataclass_fromtext(&rdclass, &r);
6023 if (result != ISC_R_SUCCESS)
6026 rdclass = dns_rdataclass_in;
6028 if (viewtxt == NULL) {
6029 result = dns_viewlist_findzone(&server->viewlist,
6030 dns_fixedname_name(&name),
6031 ISC_TF(classtxt == NULL),
6034 result = dns_viewlist_find(&server->viewlist, viewtxt,
6036 if (result != ISC_R_SUCCESS)
6039 result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
6041 dns_view_detach(&view);
6044 /* Partial match? */
6045 if (result != ISC_R_SUCCESS && *zonep != NULL)
6046 dns_zone_detach(zonep);
6047 if (result == DNS_R_PARTIALMATCH)
6048 result = ISC_R_NOTFOUND;
6054 * Act on a "retransfer" command from the command channel.
6057 ns_server_retransfercommand(ns_server_t *server, char *args) {
6058 isc_result_t result;
6059 dns_zone_t *zone = NULL;
6060 dns_zonetype_t type;
6062 result = zone_from_args(server, args, &zone, NULL);
6063 if (result != ISC_R_SUCCESS)
6066 return (ISC_R_UNEXPECTEDEND);
6067 type = dns_zone_gettype(zone);
6068 if (type == dns_zone_slave || type == dns_zone_stub)
6069 dns_zone_forcereload(zone);
6071 result = ISC_R_NOTFOUND;
6072 dns_zone_detach(&zone);
6077 * Act on a "reload" command from the command channel.
6080 ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6081 isc_result_t result;
6082 dns_zone_t *zone = NULL;
6083 dns_zonetype_t type;
6084 const char *msg = NULL;
6086 result = zone_from_args(server, args, &zone, NULL);
6087 if (result != ISC_R_SUCCESS)
6090 result = reload(server);
6091 if (result == ISC_R_SUCCESS)
6092 msg = "server reload successful";
6094 type = dns_zone_gettype(zone);
6095 if (type == dns_zone_slave || type == dns_zone_stub) {
6096 dns_zone_refresh(zone);
6097 dns_zone_detach(&zone);
6098 msg = "zone refresh queued";
6100 result = dns_zone_load(zone);
6101 dns_zone_detach(&zone);
6104 msg = "zone reload successful";
6106 case DNS_R_CONTINUE:
6107 msg = "zone reload queued";
6108 result = ISC_R_SUCCESS;
6110 case DNS_R_UPTODATE:
6111 msg = "zone reload up-to-date";
6112 result = ISC_R_SUCCESS;
6115 /* failure message will be generated by rndc */
6120 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
6121 isc_buffer_putmem(text, (const unsigned char *)msg,
6127 * Act on a "reconfig" command from the command channel.
6130 ns_server_reconfigcommand(ns_server_t *server, char *args) {
6134 return (ISC_R_SUCCESS);
6138 * Act on a "notify" command from the command channel.
6141 ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6142 isc_result_t result;
6143 dns_zone_t *zone = NULL;
6144 const unsigned char msg[] = "zone notify queued";
6146 result = zone_from_args(server, args, &zone, NULL);
6147 if (result != ISC_R_SUCCESS)
6150 return (ISC_R_UNEXPECTEDEND);
6152 dns_zone_notify(zone);
6153 dns_zone_detach(&zone);
6154 if (sizeof(msg) <= isc_buffer_availablelength(text))
6155 isc_buffer_putmem(text, msg, sizeof(msg));
6157 return (ISC_R_SUCCESS);
6161 * Act on a "refresh" command from the command channel.
6164 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6165 isc_result_t result;
6166 dns_zone_t *zone = NULL;
6167 const unsigned char msg1[] = "zone refresh queued";
6168 const unsigned char msg2[] = "not a slave or stub zone";
6169 dns_zonetype_t type;
6171 result = zone_from_args(server, args, &zone, NULL);
6172 if (result != ISC_R_SUCCESS)
6175 return (ISC_R_UNEXPECTEDEND);
6177 type = dns_zone_gettype(zone);
6178 if (type == dns_zone_slave || type == dns_zone_stub) {
6179 dns_zone_refresh(zone);
6180 dns_zone_detach(&zone);
6181 if (sizeof(msg1) <= isc_buffer_availablelength(text))
6182 isc_buffer_putmem(text, msg1, sizeof(msg1));
6183 return (ISC_R_SUCCESS);
6186 dns_zone_detach(&zone);
6187 if (sizeof(msg2) <= isc_buffer_availablelength(text))
6188 isc_buffer_putmem(text, msg2, sizeof(msg2));
6189 return (ISC_R_FAILURE);
6193 ns_server_togglequerylog(ns_server_t *server) {
6194 server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
6196 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6197 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6198 "query logging is now %s",
6199 server->log_queries ? "on" : "off");
6200 return (ISC_R_SUCCESS);
6204 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
6205 cfg_aclconfctx_t *actx,
6206 isc_mem_t *mctx, ns_listenlist_t **target)
6208 isc_result_t result;
6209 const cfg_listelt_t *element;
6210 ns_listenlist_t *dlist = NULL;
6212 REQUIRE(target != NULL && *target == NULL);
6214 result = ns_listenlist_create(mctx, &dlist);
6215 if (result != ISC_R_SUCCESS)
6218 for (element = cfg_list_first(listenlist);
6220 element = cfg_list_next(element))
6222 ns_listenelt_t *delt = NULL;
6223 const cfg_obj_t *listener = cfg_listelt_value(element);
6224 result = ns_listenelt_fromconfig(listener, config, actx,
6226 if (result != ISC_R_SUCCESS)
6228 ISC_LIST_APPEND(dlist->elts, delt, link);
6231 return (ISC_R_SUCCESS);
6234 ns_listenlist_detach(&dlist);
6239 * Create a listen list from the corresponding configuration
6243 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
6244 cfg_aclconfctx_t *actx,
6245 isc_mem_t *mctx, ns_listenelt_t **target)
6247 isc_result_t result;
6248 const cfg_obj_t *portobj;
6250 ns_listenelt_t *delt = NULL;
6251 REQUIRE(target != NULL && *target == NULL);
6253 portobj = cfg_tuple_get(listener, "port");
6254 if (!cfg_obj_isuint32(portobj)) {
6255 if (ns_g_port != 0) {
6258 result = ns_config_getport(config, &port);
6259 if (result != ISC_R_SUCCESS)
6263 if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
6264 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
6265 "port value '%u' is out of range",
6266 cfg_obj_asuint32(portobj));
6267 return (ISC_R_RANGE);
6269 port = (in_port_t)cfg_obj_asuint32(portobj);
6272 result = ns_listenelt_create(mctx, port, NULL, &delt);
6273 if (result != ISC_R_SUCCESS)
6276 result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
6277 config, ns_g_lctx, actx, mctx, 0,
6279 if (result != ISC_R_SUCCESS) {
6280 ns_listenelt_destroy(delt);
6284 return (ISC_R_SUCCESS);
6288 ns_server_dumpstats(ns_server_t *server) {
6289 isc_result_t result;
6292 CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
6293 "could not open statistics dump file", server->statsfile);
6295 result = ns_stats_dump(server, fp);
6299 (void)isc_stdio_close(fp);
6300 if (result == ISC_R_SUCCESS)
6301 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6302 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6303 "dumpstats complete");
6305 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6306 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6307 "dumpstats failed: %s",
6308 dns_result_totext(result));
6313 add_zone_tolist(dns_zone_t *zone, void *uap) {
6314 struct dumpcontext *dctx = uap;
6315 struct zonelistentry *zle;
6317 zle = isc_mem_get(dctx->mctx, sizeof *zle);
6319 return (ISC_R_NOMEMORY);
6321 dns_zone_attach(zone, &zle->zone);
6322 ISC_LINK_INIT(zle, link);
6323 ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
6324 return (ISC_R_SUCCESS);
6328 add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
6329 struct viewlistentry *vle;
6330 isc_result_t result = ISC_R_SUCCESS;
6333 * Prevent duplicate views.
6335 for (vle = ISC_LIST_HEAD(dctx->viewlist);
6337 vle = ISC_LIST_NEXT(vle, link))
6338 if (vle->view == view)
6339 return (ISC_R_SUCCESS);
6341 vle = isc_mem_get(dctx->mctx, sizeof *vle);
6343 return (ISC_R_NOMEMORY);
6345 dns_view_attach(view, &vle->view);
6346 ISC_LINK_INIT(vle, link);
6347 ISC_LIST_INIT(vle->zonelist);
6348 ISC_LIST_APPEND(dctx->viewlist, vle, link);
6349 if (dctx->dumpzones)
6350 result = dns_zt_apply(view->zonetable, ISC_TRUE,
6351 add_zone_tolist, dctx);
6356 dumpcontext_destroy(struct dumpcontext *dctx) {
6357 struct viewlistentry *vle;
6358 struct zonelistentry *zle;
6360 vle = ISC_LIST_HEAD(dctx->viewlist);
6361 while (vle != NULL) {
6362 ISC_LIST_UNLINK(dctx->viewlist, vle, link);
6363 zle = ISC_LIST_HEAD(vle->zonelist);
6364 while (zle != NULL) {
6365 ISC_LIST_UNLINK(vle->zonelist, zle, link);
6366 dns_zone_detach(&zle->zone);
6367 isc_mem_put(dctx->mctx, zle, sizeof *zle);
6368 zle = ISC_LIST_HEAD(vle->zonelist);
6370 dns_view_detach(&vle->view);
6371 isc_mem_put(dctx->mctx, vle, sizeof *vle);
6372 vle = ISC_LIST_HEAD(dctx->viewlist);
6374 if (dctx->version != NULL)
6375 dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
6376 if (dctx->db != NULL)
6377 dns_db_detach(&dctx->db);
6378 if (dctx->cache != NULL)
6379 dns_db_detach(&dctx->cache);
6380 if (dctx->task != NULL)
6381 isc_task_detach(&dctx->task);
6382 if (dctx->fp != NULL)
6383 (void)isc_stdio_close(dctx->fp);
6384 if (dctx->mdctx != NULL)
6385 dns_dumpctx_detach(&dctx->mdctx);
6386 isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
6390 dumpdone(void *arg, isc_result_t result) {
6391 struct dumpcontext *dctx = arg;
6393 const dns_master_style_t *style;
6395 if (result != ISC_R_SUCCESS)
6397 if (dctx->mdctx != NULL)
6398 dns_dumpctx_detach(&dctx->mdctx);
6399 if (dctx->view == NULL) {
6400 dctx->view = ISC_LIST_HEAD(dctx->viewlist);
6401 if (dctx->view == NULL)
6403 INSIST(dctx->zone == NULL);
6407 fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
6409 if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
6411 ";\n; Cache of view '%s' is shared as '%s'\n",
6412 dctx->view->view->name,
6413 dns_cache_getname(dctx->view->view->cache));
6414 } else if (dctx->zone == NULL && dctx->cache == NULL &&
6417 style = &dns_master_style_cache;
6418 /* start cache dump */
6419 if (dctx->view->view->cachedb != NULL)
6420 dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
6421 if (dctx->cache != NULL) {
6423 ";\n; Cache dump of view '%s' (cache %s)\n;\n",
6424 dctx->view->view->name,
6425 dns_cache_getname(dctx->view->view->cache));
6426 result = dns_master_dumptostreaminc(dctx->mctx,
6432 if (result == DNS_R_CONTINUE)
6434 if (result == ISC_R_NOTIMPLEMENTED)
6435 fprintf(dctx->fp, "; %s\n",
6436 dns_result_totext(result));
6437 else if (result != ISC_R_SUCCESS)
6441 if (dctx->cache != NULL) {
6442 dns_adb_dump(dctx->view->view->adb, dctx->fp);
6443 dns_resolver_printbadcache(dctx->view->view->resolver,
6445 dns_db_detach(&dctx->cache);
6447 if (dctx->dumpzones) {
6448 style = &dns_master_style_full;
6450 if (dctx->version != NULL)
6451 dns_db_closeversion(dctx->db, &dctx->version,
6453 if (dctx->db != NULL)
6454 dns_db_detach(&dctx->db);
6455 if (dctx->zone == NULL)
6456 dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
6458 dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
6459 if (dctx->zone != NULL) {
6460 /* start zone dump */
6461 dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
6462 fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
6463 result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
6464 if (result != ISC_R_SUCCESS) {
6465 fprintf(dctx->fp, "; %s\n",
6466 dns_result_totext(result));
6469 dns_db_currentversion(dctx->db, &dctx->version);
6470 result = dns_master_dumptostreaminc(dctx->mctx,
6477 if (result == DNS_R_CONTINUE)
6479 if (result == ISC_R_NOTIMPLEMENTED) {
6480 fprintf(dctx->fp, "; %s\n",
6481 dns_result_totext(result));
6482 result = ISC_R_SUCCESS;
6486 if (result != ISC_R_SUCCESS)
6490 if (dctx->view != NULL)
6491 dctx->view = ISC_LIST_NEXT(dctx->view, link);
6492 if (dctx->view != NULL)
6495 fprintf(dctx->fp, "; Dump complete\n");
6496 result = isc_stdio_flush(dctx->fp);
6497 if (result == ISC_R_SUCCESS)
6498 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6499 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6502 if (result != ISC_R_SUCCESS)
6503 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6504 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6505 "dumpdb failed: %s", dns_result_totext(result));
6506 dumpcontext_destroy(dctx);
6510 ns_server_dumpdb(ns_server_t *server, char *args) {
6511 struct dumpcontext *dctx = NULL;
6513 isc_result_t result;
6517 /* Skip the command name. */
6518 ptr = next_token(&args, " \t");
6520 return (ISC_R_UNEXPECTEDEND);
6522 dctx = isc_mem_get(server->mctx, sizeof(*dctx));
6524 return (ISC_R_NOMEMORY);
6526 dctx->mctx = server->mctx;
6527 dctx->dumpcache = ISC_TRUE;
6528 dctx->dumpzones = ISC_FALSE;
6530 ISC_LIST_INIT(dctx->viewlist);
6538 dctx->version = NULL;
6539 isc_task_attach(server->task, &dctx->task);
6541 CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
6542 "could not open dump file", server->dumpfile);
6544 sep = (args == NULL) ? "" : ": ";
6545 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6546 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6547 "dumpdb started%s%s", sep, (args != NULL) ? args : "");
6549 ptr = next_token(&args, " \t");
6550 if (ptr != NULL && strcmp(ptr, "-all") == 0) {
6551 dctx->dumpzones = ISC_TRUE;
6552 dctx->dumpcache = ISC_TRUE;
6553 ptr = next_token(&args, " \t");
6554 } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
6555 dctx->dumpzones = ISC_FALSE;
6556 dctx->dumpcache = ISC_TRUE;
6557 ptr = next_token(&args, " \t");
6558 } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
6559 dctx->dumpzones = ISC_TRUE;
6560 dctx->dumpcache = ISC_FALSE;
6561 ptr = next_token(&args, " \t");
6565 for (view = ISC_LIST_HEAD(server->viewlist);
6567 view = ISC_LIST_NEXT(view, link))
6569 if (ptr != NULL && strcmp(view->name, ptr) != 0)
6571 CHECK(add_view_tolist(dctx, view));
6574 ptr = next_token(&args, " \t");
6578 dumpdone(dctx, ISC_R_SUCCESS);
6579 return (ISC_R_SUCCESS);
6583 dumpcontext_destroy(dctx);
6588 ns_server_dumpsecroots(ns_server_t *server, char *args) {
6590 dns_keytable_t *secroots = NULL;
6591 isc_result_t result;
6597 /* Skip the command name. */
6598 ptr = next_token(&args, " \t");
6600 return (ISC_R_UNEXPECTEDEND);
6601 ptr = next_token(&args, " \t");
6603 CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
6604 "could not open secroots dump file", server->secrootsfile);
6606 isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
6607 fprintf(fp, "%s\n", tbuf);
6610 for (view = ISC_LIST_HEAD(server->viewlist);
6612 view = ISC_LIST_NEXT(view, link))
6614 if (ptr != NULL && strcmp(view->name, ptr) != 0)
6616 if (secroots != NULL)
6617 dns_keytable_detach(&secroots);
6618 result = dns_view_getsecroots(view, &secroots);
6619 if (result == ISC_R_NOTFOUND) {
6620 result = ISC_R_SUCCESS;
6623 fprintf(fp, "\n Start view %s\n\n", view->name);
6624 result = dns_keytable_dump(secroots, fp);
6625 if (result != ISC_R_SUCCESS)
6626 fprintf(fp, " dumpsecroots failed: %s\n",
6627 isc_result_totext(result));
6630 ptr = next_token(&args, " \t");
6631 } while (ptr != NULL);
6634 if (secroots != NULL)
6635 dns_keytable_detach(&secroots);
6637 (void)isc_stdio_close(fp);
6638 if (result == ISC_R_SUCCESS)
6639 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6640 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6641 "dumpsecroots complete");
6643 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6644 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6645 "dumpsecroots failed: %s",
6646 dns_result_totext(result));
6651 ns_server_dumprecursing(ns_server_t *server) {
6653 isc_result_t result;
6655 CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
6656 "could not open dump file", server->recfile);
6657 fprintf(fp,";\n; Recursing Queries\n;\n");
6658 ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
6659 fprintf(fp, "; Dump complete\n");
6663 result = isc_stdio_close(fp);
6664 if (result == ISC_R_SUCCESS)
6665 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6666 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6667 "dumprecursing complete");
6669 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6670 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6671 "dumprecursing failed: %s",
6672 dns_result_totext(result));
6677 ns_server_setdebuglevel(ns_server_t *server, char *args) {
6685 /* Skip the command name. */
6686 ptr = next_token(&args, " \t");
6688 return (ISC_R_UNEXPECTEDEND);
6690 /* Look for the new level name. */
6691 levelstr = next_token(&args, " \t");
6692 if (levelstr == NULL) {
6693 if (ns_g_debuglevel < 99)
6696 newlevel = strtol(levelstr, &endp, 10);
6697 if (*endp != '\0' || newlevel < 0 || newlevel > 99)
6698 return (ISC_R_RANGE);
6699 ns_g_debuglevel = (unsigned int)newlevel;
6701 isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
6702 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6703 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6704 "debug level is now %d", ns_g_debuglevel);
6705 return (ISC_R_SUCCESS);
6709 ns_server_validation(ns_server_t *server, char *args) {
6710 char *ptr, *viewname;
6712 isc_boolean_t changed = ISC_FALSE;
6713 isc_result_t result;
6714 isc_boolean_t enable;
6716 /* Skip the command name. */
6717 ptr = next_token(&args, " \t");
6719 return (ISC_R_UNEXPECTEDEND);
6721 /* Find out what we are to do. */
6722 ptr = next_token(&args, " \t");
6724 return (ISC_R_UNEXPECTEDEND);
6726 if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
6727 !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
6729 else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
6730 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
6733 return (DNS_R_SYNTAX);
6735 /* Look for the view name. */
6736 viewname = next_token(&args, " \t");
6738 result = isc_task_beginexclusive(server->task);
6739 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6740 for (view = ISC_LIST_HEAD(server->viewlist);
6742 view = ISC_LIST_NEXT(view, link))
6744 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
6746 result = dns_view_flushcache(view);
6747 if (result != ISC_R_SUCCESS)
6749 view->enablevalidation = enable;
6753 result = ISC_R_SUCCESS;
6755 result = ISC_R_FAILURE;
6757 isc_task_endexclusive(server->task);
6762 ns_server_flushcache(ns_server_t *server, char *args) {
6763 char *ptr, *viewname;
6765 isc_boolean_t flushed;
6766 isc_boolean_t found;
6767 isc_result_t result;
6770 /* Skip the command name. */
6771 ptr = next_token(&args, " \t");
6773 return (ISC_R_UNEXPECTEDEND);
6775 /* Look for the view name. */
6776 viewname = next_token(&args, " \t");
6778 result = isc_task_beginexclusive(server->task);
6779 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6784 * Flushing a cache is tricky when caches are shared by multiple views.
6785 * We first identify which caches should be flushed in the local cache
6786 * list, flush these caches, and then update other views that refer to
6787 * the flushed cache DB.
6789 if (viewname != NULL) {
6791 * Mark caches that need to be flushed. This is an O(#view^2)
6792 * operation in the very worst case, but should be normally
6793 * much more lightweight because only a few (most typically just
6794 * one) views will match.
6796 for (view = ISC_LIST_HEAD(server->viewlist);
6798 view = ISC_LIST_NEXT(view, link))
6800 if (strcasecmp(viewname, view->name) != 0)
6803 for (nsc = ISC_LIST_HEAD(server->cachelist);
6805 nsc = ISC_LIST_NEXT(nsc, link)) {
6806 if (nsc->cache == view->cache)
6809 INSIST(nsc != NULL);
6810 nsc->needflush = ISC_TRUE;
6816 for (nsc = ISC_LIST_HEAD(server->cachelist);
6818 nsc = ISC_LIST_NEXT(nsc, link)) {
6819 if (viewname != NULL && !nsc->needflush)
6821 nsc->needflush = ISC_TRUE;
6822 result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
6823 if (result != ISC_R_SUCCESS) {
6824 flushed = ISC_FALSE;
6825 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6826 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6827 "flushing cache in view '%s' failed: %s",
6828 nsc->primaryview->name,
6829 isc_result_totext(result));
6834 * Fix up views that share a flushed cache: let the views update the
6835 * cache DB they're referring to. This could also be an expensive
6836 * operation, but should typically be marginal: the inner loop is only
6837 * necessary for views that share a cache, and if there are many such
6838 * views the number of shared cache should normally be small.
6839 * A worst case is that we have n views and n/2 caches, each shared by
6840 * two views. Then this will be a O(n^2/4) operation.
6842 for (view = ISC_LIST_HEAD(server->viewlist);
6844 view = ISC_LIST_NEXT(view, link))
6846 if (!dns_view_iscacheshared(view))
6848 for (nsc = ISC_LIST_HEAD(server->cachelist);
6850 nsc = ISC_LIST_NEXT(nsc, link)) {
6851 if (!nsc->needflush || nsc->cache != view->cache)
6853 result = dns_view_flushcache2(view, ISC_TRUE);
6854 if (result != ISC_R_SUCCESS) {
6855 flushed = ISC_FALSE;
6856 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6857 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6858 "fixing cache in view '%s' "
6859 "failed: %s", view->name,
6860 isc_result_totext(result));
6865 /* Cleanup the cache list. */
6866 for (nsc = ISC_LIST_HEAD(server->cachelist);
6868 nsc = ISC_LIST_NEXT(nsc, link)) {
6869 nsc->needflush = ISC_FALSE;
6872 if (flushed && found) {
6873 if (viewname != NULL)
6874 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6875 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6876 "flushing cache in view '%s' succeeded",
6879 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6880 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6881 "flushing caches in all views succeeded");
6882 result = ISC_R_SUCCESS;
6885 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6886 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6887 "flushing cache in view '%s' failed: "
6888 "view not found", viewname);
6889 result = ISC_R_NOTFOUND;
6891 result = ISC_R_FAILURE;
6893 isc_task_endexclusive(server->task);
6898 ns_server_flushname(ns_server_t *server, char *args) {
6899 char *ptr, *target, *viewname;
6901 isc_boolean_t flushed;
6902 isc_boolean_t found;
6903 isc_result_t result;
6905 dns_fixedname_t fixed;
6908 /* Skip the command name. */
6909 ptr = next_token(&args, " \t");
6911 return (ISC_R_UNEXPECTEDEND);
6913 /* Find the domain name to flush. */
6914 target = next_token(&args, " \t");
6916 return (ISC_R_UNEXPECTEDEND);
6918 isc_buffer_constinit(&b, target, strlen(target));
6919 isc_buffer_add(&b, strlen(target));
6920 dns_fixedname_init(&fixed);
6921 name = dns_fixedname_name(&fixed);
6922 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
6923 if (result != ISC_R_SUCCESS)
6926 /* Look for the view name. */
6927 viewname = next_token(&args, " \t");
6929 result = isc_task_beginexclusive(server->task);
6930 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6933 for (view = ISC_LIST_HEAD(server->viewlist);
6935 view = ISC_LIST_NEXT(view, link))
6937 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
6941 * It's a little inefficient to try flushing name for all views
6942 * if some of the views share a single cache. But since the
6943 * operation is lightweight we prefer simplicity here.
6945 result = dns_view_flushname(view, name);
6946 if (result != ISC_R_SUCCESS) {
6947 flushed = ISC_FALSE;
6948 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6949 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6950 "flushing name '%s' in cache view '%s' "
6951 "failed: %s", target, view->name,
6952 isc_result_totext(result));
6955 if (flushed && found) {
6956 if (viewname != NULL)
6957 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6958 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6959 "flushing name '%s' in cache view '%s' "
6960 "succeeded", target, viewname);
6962 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6963 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6964 "flushing name '%s' in all cache views "
6965 "succeeded", target);
6966 result = ISC_R_SUCCESS;
6969 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6970 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6971 "flushing name '%s' in cache view '%s' "
6972 "failed: view not found", target,
6974 result = ISC_R_FAILURE;
6976 isc_task_endexclusive(server->task);
6981 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
6982 int zonecount, xferrunning, xferdeferred, soaqueries;
6984 const char *ob = "", *cb = "", *alt = "";
6986 if (ns_g_server->version_set) {
6989 if (ns_g_server->version == NULL)
6990 alt = "version.bind/txt/ch disabled";
6992 alt = ns_g_server->version;
6994 zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
6995 xferrunning = dns_zonemgr_getcount(server->zonemgr,
6996 DNS_ZONESTATE_XFERRUNNING);
6997 xferdeferred = dns_zonemgr_getcount(server->zonemgr,
6998 DNS_ZONESTATE_XFERDEFERRED);
6999 soaqueries = dns_zonemgr_getcount(server->zonemgr,
7000 DNS_ZONESTATE_SOAQUERY);
7002 n = snprintf((char *)isc_buffer_used(text),
7003 isc_buffer_availablelength(text),
7004 "version: %s%s%s%s\n"
7005 #ifdef ISC_PLATFORM_USETHREADS
7007 "worker threads: %u\n"
7009 "number of zones: %u\n"
7011 "xfers running: %u\n"
7012 "xfers deferred: %u\n"
7013 "soa queries in progress: %u\n"
7014 "query logging is %s\n"
7015 "recursive clients: %d/%d/%d\n"
7016 "tcp clients: %d/%d\n"
7017 "server is up and running",
7018 ns_g_version, ob, alt, cb,
7019 #ifdef ISC_PLATFORM_USETHREADS
7020 ns_g_cpus_detected, ns_g_cpus,
7022 zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
7023 soaqueries, server->log_queries ? "ON" : "OFF",
7024 server->recursionquota.used, server->recursionquota.soft,
7025 server->recursionquota.max,
7026 server->tcpquota.used, server->tcpquota.max);
7027 if (n >= isc_buffer_availablelength(text))
7028 return (ISC_R_NOSPACE);
7029 isc_buffer_add(text, n);
7030 return (ISC_R_SUCCESS);
7034 delete_keynames(dns_tsig_keyring_t *ring, char *target,
7035 unsigned int *foundkeys)
7037 char namestr[DNS_NAME_FORMATSIZE];
7038 isc_result_t result;
7039 dns_rbtnodechain_t chain;
7040 dns_name_t foundname;
7041 dns_fixedname_t fixedorigin;
7043 dns_rbtnode_t *node;
7044 dns_tsigkey_t *tkey;
7046 dns_name_init(&foundname, NULL);
7047 dns_fixedname_init(&fixedorigin);
7048 origin = dns_fixedname_name(&fixedorigin);
7051 dns_rbtnodechain_init(&chain, ring->mctx);
7052 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7054 if (result == ISC_R_NOTFOUND) {
7055 dns_rbtnodechain_invalidate(&chain);
7056 return (ISC_R_SUCCESS);
7058 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7059 dns_rbtnodechain_invalidate(&chain);
7065 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
7069 if (!tkey->generated)
7072 dns_name_format(&tkey->name, namestr, sizeof(namestr));
7073 if (strcmp(namestr, target) == 0) {
7075 dns_rbtnodechain_invalidate(&chain);
7076 (void)dns_rbt_deletename(ring->keys,
7084 result = dns_rbtnodechain_next(&chain, &foundname, origin);
7085 if (result == ISC_R_NOMORE)
7087 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7088 dns_rbtnodechain_invalidate(&chain);
7093 return (ISC_R_SUCCESS);
7097 ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
7098 isc_result_t result;
7101 unsigned int foundkeys = 0;
7105 (void)next_token(&command, " \t"); /* skip command name */
7106 target = next_token(&command, " \t");
7108 return (ISC_R_UNEXPECTEDEND);
7109 viewname = next_token(&command, " \t");
7111 result = isc_task_beginexclusive(server->task);
7112 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7113 for (view = ISC_LIST_HEAD(server->viewlist);
7115 view = ISC_LIST_NEXT(view, link)) {
7116 if (viewname == NULL || strcmp(view->name, viewname) == 0) {
7117 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
7118 result = delete_keynames(view->dynamickeys, target,
7120 RWUNLOCK(&view->dynamickeys->lock,
7121 isc_rwlocktype_write);
7122 if (result != ISC_R_SUCCESS) {
7123 isc_task_endexclusive(server->task);
7128 isc_task_endexclusive(server->task);
7130 n = snprintf((char *)isc_buffer_used(text),
7131 isc_buffer_availablelength(text),
7132 "%d tsig keys deleted.\n", foundkeys);
7133 if (n >= isc_buffer_availablelength(text))
7134 return (ISC_R_NOSPACE);
7135 isc_buffer_add(text, n);
7137 return (ISC_R_SUCCESS);
7141 list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
7142 unsigned int *foundkeys)
7144 char namestr[DNS_NAME_FORMATSIZE];
7145 char creatorstr[DNS_NAME_FORMATSIZE];
7146 isc_result_t result;
7147 dns_rbtnodechain_t chain;
7148 dns_name_t foundname;
7149 dns_fixedname_t fixedorigin;
7151 dns_rbtnode_t *node;
7152 dns_tsigkey_t *tkey;
7154 const char *viewname;
7157 viewname = view->name;
7159 viewname = "(global)";
7161 dns_name_init(&foundname, NULL);
7162 dns_fixedname_init(&fixedorigin);
7163 origin = dns_fixedname_name(&fixedorigin);
7164 dns_rbtnodechain_init(&chain, ring->mctx);
7165 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7167 if (result == ISC_R_NOTFOUND) {
7168 dns_rbtnodechain_invalidate(&chain);
7169 return (ISC_R_SUCCESS);
7171 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7172 dns_rbtnodechain_invalidate(&chain);
7178 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
7183 dns_name_format(&tkey->name, namestr, sizeof(namestr));
7184 if (tkey->generated) {
7185 dns_name_format(tkey->creator, creatorstr,
7186 sizeof(creatorstr));
7187 n = snprintf((char *)isc_buffer_used(text),
7188 isc_buffer_availablelength(text),
7189 "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
7190 viewname, namestr, creatorstr);
7192 n = snprintf((char *)isc_buffer_used(text),
7193 isc_buffer_availablelength(text),
7194 "view \"%s\"; type \"static\"; key \"%s\";\n",
7197 if (n >= isc_buffer_availablelength(text)) {
7198 dns_rbtnodechain_invalidate(&chain);
7199 return (ISC_R_NOSPACE);
7201 isc_buffer_add(text, n);
7203 result = dns_rbtnodechain_next(&chain, &foundname, origin);
7204 if (result == ISC_R_NOMORE)
7206 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7207 dns_rbtnodechain_invalidate(&chain);
7212 return (ISC_R_SUCCESS);
7216 ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
7217 isc_result_t result;
7220 unsigned int foundkeys = 0;
7222 result = isc_task_beginexclusive(server->task);
7223 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7224 for (view = ISC_LIST_HEAD(server->viewlist);
7226 view = ISC_LIST_NEXT(view, link)) {
7227 RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
7228 result = list_keynames(view, view->statickeys, text,
7230 RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
7231 if (result != ISC_R_SUCCESS) {
7232 isc_task_endexclusive(server->task);
7235 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
7236 result = list_keynames(view, view->dynamickeys, text,
7238 RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
7239 if (result != ISC_R_SUCCESS) {
7240 isc_task_endexclusive(server->task);
7244 isc_task_endexclusive(server->task);
7246 if (foundkeys == 0) {
7247 n = snprintf((char *)isc_buffer_used(text),
7248 isc_buffer_availablelength(text),
7249 "no tsig keys found.\n");
7250 if (n >= isc_buffer_availablelength(text))
7251 return (ISC_R_NOSPACE);
7252 isc_buffer_add(text, n);
7255 return (ISC_R_SUCCESS);
7259 * Act on a "sign" or "loadkeys" command from the command channel.
7262 ns_server_rekey(ns_server_t *server, char *args) {
7263 isc_result_t result;
7264 dns_zone_t *zone = NULL;
7265 dns_zonetype_t type;
7266 isc_uint16_t keyopts;
7267 isc_boolean_t fullsign = ISC_FALSE;
7269 if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
7270 fullsign = ISC_TRUE;
7272 result = zone_from_args(server, args, &zone, NULL);
7273 if (result != ISC_R_SUCCESS)
7276 return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
7278 type = dns_zone_gettype(zone);
7279 if (type != dns_zone_master) {
7280 dns_zone_detach(&zone);
7281 return (DNS_R_NOTMASTER);
7284 keyopts = dns_zone_getkeyopts(zone);
7286 /* "rndc loadkeys" requires "auto-dnssec maintain". */
7287 if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
7288 result = ISC_R_NOPERM;
7289 else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
7290 result = ISC_R_NOPERM;
7292 dns_zone_rekey(zone, fullsign);
7294 dns_zone_detach(&zone);
7299 * Act on a "freeze" or "thaw" command from the command channel.
7302 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
7305 isc_result_t result, tresult;
7306 dns_zone_t *zone = NULL;
7307 dns_zonetype_t type;
7308 char classstr[DNS_RDATACLASS_FORMATSIZE];
7309 char zonename[DNS_NAME_FORMATSIZE];
7312 const char *vname, *sep;
7313 isc_boolean_t frozen;
7314 const char *msg = NULL;
7316 result = zone_from_args(server, args, &zone, NULL);
7317 if (result != ISC_R_SUCCESS)
7320 result = isc_task_beginexclusive(server->task);
7321 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7322 tresult = ISC_R_SUCCESS;
7323 for (view = ISC_LIST_HEAD(server->viewlist);
7325 view = ISC_LIST_NEXT(view, link)) {
7326 result = dns_view_freezezones(view, freeze);
7327 if (result != ISC_R_SUCCESS &&
7328 tresult == ISC_R_SUCCESS)
7331 isc_task_endexclusive(server->task);
7332 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7333 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7335 freeze ? "freezing" : "thawing",
7336 isc_result_totext(tresult));
7339 type = dns_zone_gettype(zone);
7340 if (type != dns_zone_master) {
7341 dns_zone_detach(&zone);
7342 return (DNS_R_NOTMASTER);
7345 result = isc_task_beginexclusive(server->task);
7346 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7347 frozen = dns_zone_getupdatedisabled(zone);
7350 msg = "WARNING: The zone was already frozen.\n"
7351 "Someone else may be editing it or "
7352 "it may still be re-loading.";
7353 result = DNS_R_FROZEN;
7355 if (result == ISC_R_SUCCESS) {
7356 result = dns_zone_flush(zone);
7357 if (result != ISC_R_SUCCESS)
7358 msg = "Flushing the zone updates to "
7361 if (result == ISC_R_SUCCESS) {
7362 journal = dns_zone_getjournal(zone);
7363 if (journal != NULL)
7364 (void)isc_file_remove(journal);
7366 if (result == ISC_R_SUCCESS)
7367 dns_zone_setupdatedisabled(zone, freeze);
7370 result = dns_zone_loadandthaw(zone);
7373 case DNS_R_UPTODATE:
7374 msg = "The zone reload and thaw was "
7376 result = ISC_R_SUCCESS;
7378 case DNS_R_CONTINUE:
7379 msg = "A zone reload and thaw was started.\n"
7380 "Check the logs to see the result.";
7381 result = ISC_R_SUCCESS;
7386 isc_task_endexclusive(server->task);
7388 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
7389 isc_buffer_putmem(text, (const unsigned char *)msg,
7392 view = dns_zone_getview(zone);
7393 if (strcmp(view->name, "_default") == 0 ||
7394 strcmp(view->name, "_bind") == 0)
7402 dns_rdataclass_format(dns_zone_getclass(zone), classstr,
7404 dns_name_format(dns_zone_getorigin(zone),
7405 zonename, sizeof(zonename));
7406 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7407 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7408 "%s zone '%s/%s'%s%s: %s",
7409 freeze ? "freezing" : "thawing",
7410 zonename, classstr, sep, vname,
7411 isc_result_totext(result));
7412 dns_zone_detach(&zone);
7418 * This function adds a message for rndc to echo if named
7419 * is managed by smf and is also running chroot.
7422 ns_smf_add_message(isc_buffer_t *text) {
7425 n = snprintf((char *)isc_buffer_used(text),
7426 isc_buffer_availablelength(text),
7427 "use svcadm(1M) to manage named");
7428 if (n >= isc_buffer_availablelength(text))
7429 return (ISC_R_NOSPACE);
7430 isc_buffer_add(text, n);
7431 return (ISC_R_SUCCESS);
7433 #endif /* HAVE_LIBSCF */
7436 * Act on an "addzone" command from the command channel.
7439 ns_server_add_zone(ns_server_t *server, char *args) {
7440 isc_result_t result;
7441 isc_buffer_t argbuf;
7443 cfg_parser_t *parser = NULL;
7444 cfg_obj_t *config = NULL;
7445 const cfg_obj_t *vconfig = NULL;
7446 const cfg_obj_t *views = NULL;
7447 const cfg_obj_t *parms = NULL;
7448 const cfg_obj_t *obj = NULL;
7449 const cfg_listelt_t *element;
7450 const char *zonename;
7451 const char *classname = NULL;
7453 const char *viewname = NULL;
7454 dns_rdataclass_t rdclass;
7455 dns_view_t *view = 0;
7456 isc_buffer_t buf, *nbuf = NULL;
7458 dns_zone_t *zone = NULL;
7460 struct cfg_context *cfg = NULL;
7462 /* Try to parse the argument string */
7463 arglen = strlen(args);
7464 isc_buffer_init(&argbuf, args, arglen);
7465 isc_buffer_add(&argbuf, strlen(args));
7466 CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
7467 CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
7469 CHECK(cfg_map_get(config, "addzone", &parms));
7471 zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
7472 isc_buffer_constinit(&buf, zonename, strlen(zonename));
7473 isc_buffer_add(&buf, strlen(zonename));
7474 dns_name_init(&dnsname, NULL);
7475 isc_buffer_allocate(server->mctx, &nbuf, 256);
7476 dns_name_setbuffer(&dnsname, nbuf);
7477 CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
7479 /* Make sense of optional class argument */
7480 obj = cfg_tuple_get(parms, "class");
7481 CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
7482 if (rdclass != dns_rdataclass_in && obj)
7483 classname = cfg_obj_asstring(obj);
7485 /* Make sense of optional view argument */
7486 obj = cfg_tuple_get(parms, "view");
7487 if (obj && cfg_obj_isstring(obj))
7488 viewname = cfg_obj_asstring(obj);
7489 if (viewname == NULL || *viewname == '\0')
7490 viewname = "_default";
7491 CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
7493 /* Are we accepting new zones? */
7494 if (view->new_zone_file == NULL) {
7495 result = ISC_R_NOPERM;
7499 cfg = (struct cfg_context *) view->new_zone_config;
7501 result = ISC_R_FAILURE;
7505 /* Zone shouldn't already exist */
7506 result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
7507 if (result == ISC_R_SUCCESS) {
7508 result = ISC_R_EXISTS;
7510 } else if (result == DNS_R_PARTIALMATCH) {
7511 /* Create our sub-zone anyway */
7512 dns_zone_detach(&zone);
7515 else if (result != ISC_R_NOTFOUND)
7518 /* Find the view statement */
7519 cfg_map_get(cfg->config, "view", &views);
7520 for (element = cfg_list_first(views);
7522 element = cfg_list_next(element))
7525 vconfig = cfg_listelt_value(element);
7526 vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
7527 if (vname && !strcasecmp(vname, viewname))
7532 /* Open save file for write configuration */
7533 CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
7535 /* Mark view unfrozen so that zone can be added */
7536 result = isc_task_beginexclusive(server->task);
7537 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7538 dns_view_thaw(view);
7539 result = configure_zone(cfg->config, parms, vconfig,
7540 server->mctx, view, cfg->actx, ISC_FALSE);
7541 dns_view_freeze(view);
7542 isc_task_endexclusive(server->task);
7543 if (result != ISC_R_SUCCESS)
7546 /* Is it there yet? */
7547 CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
7550 * Load the zone from the master file. If this fails, we'll
7551 * need to undo the configuration we've done already.
7553 result = dns_zone_loadnew(zone);
7554 if (result != ISC_R_SUCCESS) {
7555 dns_db_t *dbp = NULL;
7557 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7558 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7559 "addzone failed; reverting.");
7561 /* If the zone loaded partially, unload it */
7562 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
7563 dns_db_detach(&dbp);
7564 dns_zone_unload(zone);
7567 /* Remove the zone from the zone table */
7568 dns_zt_unmount(view->zonetable, zone);
7572 /* Flag the zone as having been added at runtime */
7573 dns_zone_setadded(zone, ISC_TRUE);
7575 /* Emit just the zone name from args */
7576 CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
7577 CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, NULL));
7578 CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
7580 /* Classname, if not default */
7581 if (classname != NULL && *classname != '\0') {
7582 CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
7584 CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
7587 /* Find beginning of option block from args */
7588 for (argp = args; *argp; argp++, arglen--) {
7589 if (*argp == '{') { /* Assume matching '}' */
7590 /* Add that to our file */
7591 CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
7593 /* Make sure we end with a LF */
7594 if (argp[arglen-1] != '\n') {
7595 CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
7601 CHECK(isc_stdio_close(fp));
7603 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7604 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7605 "zone %s added to view %s via addzone",
7606 zonename, viewname);
7608 result = ISC_R_SUCCESS;
7612 isc_stdio_close(fp);
7613 if (parser != NULL) {
7615 cfg_obj_destroy(parser, &config);
7616 cfg_parser_destroy(&parser);
7619 dns_zone_detach(&zone);
7621 dns_view_detach(&view);
7623 isc_buffer_free(&nbuf);
7629 * Act on a "delzone" command from the command channel.
7632 ns_server_del_zone(ns_server_t *server, char *args) {
7633 isc_result_t result;
7634 dns_zone_t *zone = NULL;
7635 dns_view_t *view = NULL;
7636 dns_db_t *dbp = NULL;
7637 const char *filename = NULL;
7638 char *tmpname = NULL;
7640 const char *zonename = NULL;
7641 size_t znamelen = 0;
7642 FILE *ifp = NULL, *ofp = NULL;
7644 /* Parse parameters */
7645 CHECK(zone_from_args(server, args, &zone, &zonename));
7648 result = ISC_R_UNEXPECTEDEND;
7653 * Was this zone originally added at runtime?
7654 * If not, we can't delete it now.
7656 if (!dns_zone_getadded(zone)) {
7657 result = ISC_R_NOPERM;
7661 INSIST(zonename != NULL);
7662 znamelen = strlen(zonename);
7664 /* Dig out configuration for this zone */
7665 view = dns_zone_getview(zone);
7666 filename = view->new_zone_file;
7667 if (filename == NULL) {
7668 /* No adding zones in this view */
7669 result = ISC_R_FAILURE;
7673 /* Rewrite zone list */
7674 result = isc_stdio_open(filename, "r", &ifp);
7675 if (ifp != NULL && result == ISC_R_SUCCESS) {
7676 char *found = NULL, *p = NULL;
7679 /* Create a temporary file */
7680 CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
7682 if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
7683 result = ISC_R_NOMEMORY;
7686 CHECK(isc_stdio_open(tmpname, "w", &ofp));
7688 /* Look for the entry for that zone */
7689 while (fgets(buf, 1024, ifp)) {
7691 if (strncasecmp(buf, "zone", 4)) {
7699 ((*p == '"') || isspace((unsigned char)*p)))
7702 /* Is that the zone we're looking for */
7703 if (strncasecmp(p, zonename, znamelen)) {
7708 /* And nothing else? */
7710 if (isspace((unsigned char)*p) ||
7711 *p == '"' || *p == '{') {
7712 /* This must be the entry */
7717 /* Spit it out, keep looking */
7721 /* Skip over an option block (matching # of braces) */
7723 int obrace = 0, cbrace = 0;
7726 if (*p == '{') obrace++;
7727 if (*p == '}') cbrace++;
7730 if (obrace && (obrace == cbrace))
7732 if (!fgets(buf, 1024, ifp))
7737 /* Just spool the remainder of the file out */
7738 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
7740 if (result == ISC_R_EOF)
7741 result = ISC_R_SUCCESS;
7743 isc_stdio_write(buf, 1, n, ofp, NULL);
7744 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
7747 /* Move temporary into place */
7748 CHECK(isc_file_rename(tmpname, view->new_zone_file));
7750 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7751 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
7752 "deleted zone %s was missing from "
7753 "new zone file", zonename);
7758 /* Stop answering for this zone */
7759 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
7760 dns_db_detach(&dbp);
7761 dns_zone_unload(zone);
7764 CHECK(dns_zt_unmount(view->zonetable, zone));
7766 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7767 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7768 "zone %s removed via delzone", zonename);
7770 result = ISC_R_SUCCESS;
7774 isc_stdio_close(ifp);
7776 isc_stdio_close(ofp);
7777 isc_file_remove(tmpname);
7779 if (tmpname != NULL)
7780 isc_mem_free(server->mctx, tmpname);
7782 dns_zone_detach(&zone);
7788 newzone_cfgctx_destroy(void **cfgp) {
7789 struct cfg_context *cfg;
7791 REQUIRE(cfgp != NULL && *cfgp != NULL);
7795 if (cfg->actx != NULL)
7796 cfg_aclconfctx_detach(&cfg->actx);
7798 if (cfg->parser != NULL) {
7799 if (cfg->config != NULL)
7800 cfg_obj_destroy(cfg->parser, &cfg->config);
7801 cfg_parser_destroy(&cfg->parser);
7803 if (cfg->nzparser != NULL) {
7804 if (cfg->nzconfig != NULL)
7805 cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
7806 cfg_parser_destroy(&cfg->nzparser);
7809 isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));