2 * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
26 #include <sys/types.h>
30 #include <isc/base64.h>
32 #include <isc/entropy.h>
36 #include <isc/httpd.h>
38 #include <isc/parseint.h>
39 #include <isc/portset.h>
40 #include <isc/print.h>
41 #include <isc/refcount.h>
42 #include <isc/resource.h>
44 #include <isc/socket.h>
46 #include <isc/stats.h>
47 #include <isc/stdio.h>
48 #include <isc/string.h>
50 #include <isc/timer.h>
54 #include <isccfg/namedconf.h>
56 #include <bind9/check.h>
58 #include <dns/acache.h>
60 #include <dns/cache.h>
62 #include <dns/dispatch.h>
64 #include <dns/dns64.h>
65 #include <dns/forward.h>
66 #include <dns/journal.h>
67 #include <dns/keytable.h>
68 #include <dns/keyvalues.h>
70 #include <dns/master.h>
71 #include <dns/masterdump.h>
72 #include <dns/order.h>
74 #include <dns/portlist.h>
75 #include <dns/private.h>
77 #include <dns/rdataclass.h>
78 #include <dns/rdatalist.h>
79 #include <dns/rdataset.h>
80 #include <dns/rdatastruct.h>
81 #include <dns/resolver.h>
82 #include <dns/rootns.h>
83 #include <dns/secalg.h>
85 #include <dns/stats.h>
93 #include <dst/result.h>
95 #include <named/client.h>
96 #include <named/config.h>
97 #include <named/control.h>
98 #include <named/interfacemgr.h>
99 #include <named/log.h>
100 #include <named/logconf.h>
101 #include <named/lwresd.h>
102 #include <named/main.h>
103 #include <named/os.h>
104 #include <named/server.h>
105 #include <named/statschannel.h>
106 #include <named/tkeyconf.h>
107 #include <named/tsigconf.h>
108 #include <named/zoneconf.h>
110 #include <named/ns_smf_globals.h>
115 #define PATH_MAX 1024
119 #define SIZE_MAX ((size_t)-1)
123 * Check an operation for failure. Assumes that the function
124 * using it has a 'result' variable and a 'cleanup' label.
127 do { result = (op); \
128 if (result != ISC_R_SUCCESS) goto cleanup; \
132 do { tresult = (op); \
133 if (tresult != ISC_R_SUCCESS) { \
134 isc_buffer_clear(text); \
139 #define CHECKM(op, msg) \
140 do { result = (op); \
141 if (result != ISC_R_SUCCESS) { \
142 isc_log_write(ns_g_lctx, \
143 NS_LOGCATEGORY_GENERAL, \
144 NS_LOGMODULE_SERVER, \
147 isc_result_totext(result)); \
152 #define CHECKMF(op, msg, file) \
153 do { result = (op); \
154 if (result != ISC_R_SUCCESS) { \
155 isc_log_write(ns_g_lctx, \
156 NS_LOGCATEGORY_GENERAL, \
157 NS_LOGMODULE_SERVER, \
159 "%s '%s': %s", msg, file, \
160 isc_result_totext(result)); \
165 #define CHECKFATAL(op, msg) \
166 do { result = (op); \
167 if (result != ISC_R_SUCCESS) \
168 fatal(msg, result); \
172 * Maximum ADB size for views that share a cache. Use this limit to suppress
173 * the total of memory footprint, which should be the main reason for sharing
174 * a cache. Only effective when a finite max-cache-size is specified.
175 * This is currently defined to be 8MB.
177 #define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
181 unsigned int dispatchgen;
182 dns_dispatch_t *dispatch;
183 ISC_LINK(struct ns_dispatch) link;
188 dns_view_t *primaryview;
189 isc_boolean_t needflush;
190 isc_boolean_t adbsizeadjusted;
191 dns_rdataclass_t rdclass;
192 ISC_LINK(ns_cache_t) link;
197 isc_boolean_t dumpcache;
198 isc_boolean_t dumpzones;
199 isc_boolean_t dumpadb;
200 isc_boolean_t dumpbad;
202 ISC_LIST(struct viewlistentry) viewlist;
203 struct viewlistentry *view;
204 struct zonelistentry *zone;
205 dns_dumpctx_t *mdctx;
209 dns_dbversion_t *version;
212 struct viewlistentry {
214 ISC_LINK(struct viewlistentry) link;
215 ISC_LIST(struct zonelistentry) zonelist;
218 struct zonelistentry {
220 ISC_LINK(struct zonelistentry) link;
224 * Configuration context to retain for each view that allows
225 * new zones to be added at runtime.
229 cfg_parser_t * parser;
231 cfg_parser_t * nzparser;
232 cfg_obj_t * nzconfig;
233 cfg_aclconfctx_t * actx;
237 * Holds state information for the initial zone loading process.
238 * Uses the isc_refcount structure to count the number of views
239 * with pending zone loads, dereferencing as each view finishes.
247 * These zones should not leak onto the Internet.
249 const char *empty_zones[] = {
252 "16.172.IN-ADDR.ARPA",
253 "17.172.IN-ADDR.ARPA",
254 "18.172.IN-ADDR.ARPA",
255 "19.172.IN-ADDR.ARPA",
256 "20.172.IN-ADDR.ARPA",
257 "21.172.IN-ADDR.ARPA",
258 "22.172.IN-ADDR.ARPA",
259 "23.172.IN-ADDR.ARPA",
260 "24.172.IN-ADDR.ARPA",
261 "25.172.IN-ADDR.ARPA",
262 "26.172.IN-ADDR.ARPA",
263 "27.172.IN-ADDR.ARPA",
264 "28.172.IN-ADDR.ARPA",
265 "29.172.IN-ADDR.ARPA",
266 "30.172.IN-ADDR.ARPA",
267 "31.172.IN-ADDR.ARPA",
268 "168.192.IN-ADDR.ARPA",
271 "64.100.IN-ADDR.ARPA",
272 "65.100.IN-ADDR.ARPA",
273 "66.100.IN-ADDR.ARPA",
274 "67.100.IN-ADDR.ARPA",
275 "68.100.IN-ADDR.ARPA",
276 "69.100.IN-ADDR.ARPA",
277 "70.100.IN-ADDR.ARPA",
278 "71.100.IN-ADDR.ARPA",
279 "72.100.IN-ADDR.ARPA",
280 "73.100.IN-ADDR.ARPA",
281 "74.100.IN-ADDR.ARPA",
282 "75.100.IN-ADDR.ARPA",
283 "76.100.IN-ADDR.ARPA",
284 "77.100.IN-ADDR.ARPA",
285 "78.100.IN-ADDR.ARPA",
286 "79.100.IN-ADDR.ARPA",
287 "80.100.IN-ADDR.ARPA",
288 "81.100.IN-ADDR.ARPA",
289 "82.100.IN-ADDR.ARPA",
290 "83.100.IN-ADDR.ARPA",
291 "84.100.IN-ADDR.ARPA",
292 "85.100.IN-ADDR.ARPA",
293 "86.100.IN-ADDR.ARPA",
294 "87.100.IN-ADDR.ARPA",
295 "88.100.IN-ADDR.ARPA",
296 "89.100.IN-ADDR.ARPA",
297 "90.100.IN-ADDR.ARPA",
298 "91.100.IN-ADDR.ARPA",
299 "92.100.IN-ADDR.ARPA",
300 "93.100.IN-ADDR.ARPA",
301 "94.100.IN-ADDR.ARPA",
302 "95.100.IN-ADDR.ARPA",
303 "96.100.IN-ADDR.ARPA",
304 "97.100.IN-ADDR.ARPA",
305 "98.100.IN-ADDR.ARPA",
306 "99.100.IN-ADDR.ARPA",
307 "100.100.IN-ADDR.ARPA",
308 "101.100.IN-ADDR.ARPA",
309 "102.100.IN-ADDR.ARPA",
310 "103.100.IN-ADDR.ARPA",
311 "104.100.IN-ADDR.ARPA",
312 "105.100.IN-ADDR.ARPA",
313 "106.100.IN-ADDR.ARPA",
314 "107.100.IN-ADDR.ARPA",
315 "108.100.IN-ADDR.ARPA",
316 "109.100.IN-ADDR.ARPA",
317 "110.100.IN-ADDR.ARPA",
318 "111.100.IN-ADDR.ARPA",
319 "112.100.IN-ADDR.ARPA",
320 "113.100.IN-ADDR.ARPA",
321 "114.100.IN-ADDR.ARPA",
322 "115.100.IN-ADDR.ARPA",
323 "116.100.IN-ADDR.ARPA",
324 "117.100.IN-ADDR.ARPA",
325 "118.100.IN-ADDR.ARPA",
326 "119.100.IN-ADDR.ARPA",
327 "120.100.IN-ADDR.ARPA",
328 "121.100.IN-ADDR.ARPA",
329 "122.100.IN-ADDR.ARPA",
330 "123.100.IN-ADDR.ARPA",
331 "124.100.IN-ADDR.ARPA",
332 "125.100.IN-ADDR.ARPA",
333 "126.100.IN-ADDR.ARPA",
334 "127.100.IN-ADDR.ARPA",
336 /* RFC 5735 and RFC 5737 */
337 "0.IN-ADDR.ARPA", /* THIS NETWORK */
338 "127.IN-ADDR.ARPA", /* LOOPBACK */
339 "254.169.IN-ADDR.ARPA", /* LINK LOCAL */
340 "2.0.192.IN-ADDR.ARPA", /* TEST NET */
341 "100.51.198.IN-ADDR.ARPA", /* TEST NET 2 */
342 "113.0.203.IN-ADDR.ARPA", /* TEST NET 3 */
343 "255.255.255.255.IN-ADDR.ARPA", /* BROADCAST */
345 /* Local IPv6 Unicast Addresses */
346 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
347 "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
348 /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
350 "8.E.F.IP6.ARPA", /* LINK LOCAL */
351 "9.E.F.IP6.ARPA", /* LINK LOCAL */
352 "A.E.F.IP6.ARPA", /* LINK LOCAL */
353 "B.E.F.IP6.ARPA", /* LINK LOCAL */
355 /* Example Prefix, RFC 3849. */
356 "8.B.D.0.1.0.0.2.IP6.ARPA",
364 ISC_PLATFORM_NORETURN_PRE static void
365 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
368 ns_server_reload(isc_task_t *task, isc_event_t *event);
371 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
372 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
373 isc_uint16_t family, ns_listenelt_t **target);
375 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
376 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
377 isc_uint16_t family, ns_listenlist_t **target);
380 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
381 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
384 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
385 const cfg_obj_t *alternates);
388 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
389 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
390 cfg_aclconfctx_t *aclconf, isc_boolean_t added);
393 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
396 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
399 newzone_cfgctx_destroy(void **cfgp);
402 putstr(isc_buffer_t *b, const char *str);
405 putnull(isc_buffer_t *b);
408 add_comment(FILE *fp, const char *viewname);
411 * Configure a single view ACL at '*aclp'. Get its configuration from
412 * 'vconfig' (for per-view configuration) and maybe from 'config'
415 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
416 const char *aclname, const char *acltuplename,
417 cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
420 const cfg_obj_t *maps[3];
421 const cfg_obj_t *aclobj = NULL;
425 dns_acl_detach(aclp);
427 maps[i++] = cfg_tuple_get(vconfig, "options");
428 if (config != NULL) {
429 const cfg_obj_t *options = NULL;
430 (void)cfg_map_get(config, "options", &options);
436 (void)ns_config_get(maps, aclname, &aclobj);
439 * No value available. *aclp == NULL.
441 return (ISC_R_SUCCESS);
443 if (acltuplename != NULL) {
445 * If the ACL is given in an optional tuple, retrieve it.
446 * The parser should have ensured that a valid object be
449 aclobj = cfg_tuple_get(aclobj, acltuplename);
452 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
453 actx, mctx, 0, aclp);
459 * Configure a sortlist at '*aclp'. Essentially the same as
460 * configure_view_acl() except it calls cfg_acl_fromconfig with a
461 * nest_level value of 2.
464 configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
465 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
469 const cfg_obj_t *maps[3];
470 const cfg_obj_t *aclobj = NULL;
474 dns_acl_detach(aclp);
476 maps[i++] = cfg_tuple_get(vconfig, "options");
477 if (config != NULL) {
478 const cfg_obj_t *options = NULL;
479 (void)cfg_map_get(config, "options", &options);
485 (void)ns_config_get(maps, "sortlist", &aclobj);
487 return (ISC_R_SUCCESS);
490 * Use a nest level of 3 for the "top level" of the sortlist;
491 * this means each entry in the top three levels will be stored
492 * as lists of separate, nested ACLs, rather than merged together
493 * into IP tables as is usually done with ACLs.
495 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
496 actx, mctx, 3, aclp);
502 configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
503 const char *confname, const char *conftuplename,
504 isc_mem_t *mctx, dns_rbt_t **rbtp)
507 const cfg_obj_t *maps[3];
508 const cfg_obj_t *obj = NULL;
509 const cfg_listelt_t *element;
511 dns_fixedname_t fixed;
515 const cfg_obj_t *nameobj;
518 dns_rbt_destroy(rbtp);
520 maps[i++] = cfg_tuple_get(vconfig, "options");
521 if (config != NULL) {
522 const cfg_obj_t *options = NULL;
523 (void)cfg_map_get(config, "options", &options);
529 (void)ns_config_get(maps, confname, &obj);
532 * No value available. *rbtp == NULL.
534 return (ISC_R_SUCCESS);
536 if (conftuplename != NULL) {
537 obj = cfg_tuple_get(obj, conftuplename);
538 if (cfg_obj_isvoid(obj))
539 return (ISC_R_SUCCESS);
542 result = dns_rbt_create(mctx, NULL, NULL, rbtp);
543 if (result != ISC_R_SUCCESS)
546 dns_fixedname_init(&fixed);
547 name = dns_fixedname_name(&fixed);
548 for (element = cfg_list_first(obj);
550 element = cfg_list_next(element)) {
551 nameobj = cfg_listelt_value(element);
552 str = cfg_obj_asstring(nameobj);
553 isc_buffer_constinit(&b, str, strlen(str));
554 isc_buffer_add(&b, strlen(str));
555 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
557 * We don't need the node data, but need to set dummy data to
558 * avoid a partial match with an empty node. For example, if
559 * we have foo.example.com and bar.example.com, we'd get a match
560 * for baz.example.com, which is not the expected result.
561 * We simply use (void *)1 as the dummy data.
563 result = dns_rbt_addname(*rbtp, name, (void *)1);
564 if (result != ISC_R_SUCCESS) {
565 cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
566 "failed to add %s for %s: %s",
567 str, confname, isc_result_totext(result));
576 dns_rbt_destroy(rbtp);
582 dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
583 isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
585 dns_rdataclass_t viewclass;
586 dns_rdata_dnskey_t keystruct;
587 isc_uint32_t flags, proto, alg;
588 const char *keystr, *keynamestr;
589 unsigned char keydata[4096];
590 isc_buffer_t keydatabuf;
591 unsigned char rrdata[4096];
592 isc_buffer_t rrdatabuf;
594 dns_fixedname_t fkeyname;
596 isc_buffer_t namebuf;
598 dst_key_t *dstkey = NULL;
600 INSIST(target != NULL && *target == NULL);
602 flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
603 proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
604 alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
605 keyname = dns_fixedname_name(&fkeyname);
606 keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
609 const char *initmethod;
610 initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
612 if (strcasecmp(initmethod, "initial-key") != 0) {
613 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
615 "invalid initialization method '%s'",
616 keynamestr, initmethod);
617 result = ISC_R_FAILURE;
623 viewclass = dns_rdataclass_in;
625 const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
626 CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
629 keystruct.common.rdclass = viewclass;
630 keystruct.common.rdtype = dns_rdatatype_dnskey;
632 * The key data in keystruct is not dynamically allocated.
634 keystruct.mctx = NULL;
636 ISC_LINK_INIT(&keystruct.common, link);
639 CHECKM(ISC_R_RANGE, "key flags");
641 CHECKM(ISC_R_RANGE, "key protocol");
643 CHECKM(ISC_R_RANGE, "key algorithm");
644 keystruct.flags = (isc_uint16_t)flags;
645 keystruct.protocol = (isc_uint8_t)proto;
646 keystruct.algorithm = (isc_uint8_t)alg;
648 isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
649 isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
651 keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
652 CHECK(isc_base64_decodestring(keystr, &keydatabuf));
653 isc_buffer_usedregion(&keydatabuf, &r);
654 keystruct.datalen = r.length;
655 keystruct.data = r.base;
657 if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
658 keystruct.algorithm == DST_ALG_RSAMD5) &&
659 r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
660 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
661 "%s key '%s' has a weak exponent",
662 managed ? "managed" : "trusted",
665 CHECK(dns_rdata_fromstruct(NULL,
666 keystruct.common.rdclass,
667 keystruct.common.rdtype,
668 &keystruct, &rrdatabuf));
669 dns_fixedname_init(&fkeyname);
670 isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
671 isc_buffer_add(&namebuf, strlen(keynamestr));
672 CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
673 CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
677 return (ISC_R_SUCCESS);
680 if (result == DST_R_NOCRYPTO) {
681 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
682 "ignoring %s key for '%s': no crypto support",
683 managed ? "managed" : "trusted",
685 } else if (result == DST_R_UNSUPPORTEDALG) {
686 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
687 "skipping %s key for '%s': %s",
688 managed ? "managed" : "trusted",
689 keynamestr, isc_result_totext(result));
691 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
692 "configuring %s key for '%s': %s",
693 managed ? "managed" : "trusted",
694 keynamestr, isc_result_totext(result));
695 result = ISC_R_FAILURE;
699 dst_key_free(&dstkey);
705 load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
706 dns_view_t *view, isc_boolean_t managed,
707 dns_name_t *keyname, isc_mem_t *mctx)
709 const cfg_listelt_t *elt, *elt2;
710 const cfg_obj_t *key, *keylist;
711 dst_key_t *dstkey = NULL;
713 dns_keytable_t *secroots = NULL;
715 CHECK(dns_view_getsecroots(view, &secroots));
717 for (elt = cfg_list_first(keys);
719 elt = cfg_list_next(elt)) {
720 keylist = cfg_listelt_value(elt);
722 for (elt2 = cfg_list_first(keylist);
724 elt2 = cfg_list_next(elt2)) {
725 key = cfg_listelt_value(elt2);
726 result = dstkey_fromconfig(vconfig, key, managed,
728 if (result == DST_R_UNSUPPORTEDALG) {
729 result = ISC_R_SUCCESS;
732 if (result != ISC_R_SUCCESS)
736 * If keyname was specified, we only add that key.
738 if (keyname != NULL &&
739 !dns_name_equal(keyname, dst_key_name(dstkey)))
741 dst_key_free(&dstkey);
745 CHECK(dns_keytable_add(secroots, managed, &dstkey));
751 dst_key_free(&dstkey);
752 if (secroots != NULL)
753 dns_keytable_detach(&secroots);
754 if (result == DST_R_NOCRYPTO)
755 result = ISC_R_SUCCESS;
760 * Configure DNSSEC keys for a view.
762 * The per-view configuration values and the server-global defaults are read
763 * from 'vconfig' and 'config'.
766 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
767 const cfg_obj_t *config, const cfg_obj_t *bindkeys,
768 isc_boolean_t auto_dlv, isc_boolean_t auto_root,
771 isc_result_t result = ISC_R_SUCCESS;
772 const cfg_obj_t *view_keys = NULL;
773 const cfg_obj_t *global_keys = NULL;
774 const cfg_obj_t *view_managed_keys = NULL;
775 const cfg_obj_t *global_managed_keys = NULL;
776 const cfg_obj_t *maps[4];
777 const cfg_obj_t *voptions = NULL;
778 const cfg_obj_t *options = NULL;
779 const cfg_obj_t *obj = NULL;
780 const char *directory;
783 /* We don't need trust anchors for the _bind view */
784 if (strcmp(view->name, "_bind") == 0 &&
785 view->rdclass == dns_rdataclass_chaos) {
786 return (ISC_R_SUCCESS);
789 if (vconfig != NULL) {
790 voptions = cfg_tuple_get(vconfig, "options");
791 if (voptions != NULL) {
792 (void) cfg_map_get(voptions, "trusted-keys",
794 (void) cfg_map_get(voptions, "managed-keys",
796 maps[i++] = voptions;
800 if (config != NULL) {
801 (void)cfg_map_get(config, "trusted-keys", &global_keys);
802 (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
803 (void)cfg_map_get(config, "options", &options);
804 if (options != NULL) {
809 maps[i++] = ns_g_defaults;
812 result = dns_view_initsecroots(view, mctx);
813 if (result != ISC_R_SUCCESS) {
814 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
815 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
816 "couldn't create keytable");
817 return (ISC_R_UNEXPECTED);
820 if (auto_dlv && view->rdclass == dns_rdataclass_in) {
821 const cfg_obj_t *builtin_keys = NULL;
822 const cfg_obj_t *builtin_managed_keys = NULL;
824 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
825 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
826 "using built-in DLV key for view %s",
830 * If bind.keys exists, it overrides the managed-keys
831 * clause hard-coded in ns_g_config.
833 if (bindkeys != NULL) {
834 (void)cfg_map_get(bindkeys, "trusted-keys",
836 (void)cfg_map_get(bindkeys, "managed-keys",
837 &builtin_managed_keys);
839 (void)cfg_map_get(ns_g_config, "trusted-keys",
841 (void)cfg_map_get(ns_g_config, "managed-keys",
842 &builtin_managed_keys);
845 if (builtin_keys != NULL)
846 CHECK(load_view_keys(builtin_keys, vconfig, view,
847 ISC_FALSE, view->dlv, mctx));
848 if (builtin_managed_keys != NULL)
849 CHECK(load_view_keys(builtin_managed_keys, vconfig,
850 view, ISC_TRUE, view->dlv, mctx));
853 if (auto_root && view->rdclass == dns_rdataclass_in) {
854 const cfg_obj_t *builtin_keys = NULL;
855 const cfg_obj_t *builtin_managed_keys = NULL;
857 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
858 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
859 "using built-in root key for view %s",
863 * If bind.keys exists, it overrides the managed-keys
864 * clause hard-coded in ns_g_config.
866 if (bindkeys != NULL) {
867 (void)cfg_map_get(bindkeys, "trusted-keys",
869 (void)cfg_map_get(bindkeys, "managed-keys",
870 &builtin_managed_keys);
872 (void)cfg_map_get(ns_g_config, "trusted-keys",
874 (void)cfg_map_get(ns_g_config, "managed-keys",
875 &builtin_managed_keys);
878 if (builtin_keys != NULL)
879 CHECK(load_view_keys(builtin_keys, vconfig, view,
880 ISC_FALSE, dns_rootname, mctx));
881 if (builtin_managed_keys != NULL)
882 CHECK(load_view_keys(builtin_managed_keys, vconfig,
883 view, ISC_TRUE, dns_rootname,
887 CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
889 CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
892 if (view->rdclass == dns_rdataclass_in) {
893 CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
895 CHECK(load_view_keys(global_managed_keys, vconfig, view,
896 ISC_TRUE, NULL, mctx));
900 * Add key zone for managed-keys.
903 (void)ns_config_get(maps, "managed-keys-directory", &obj);
904 directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
905 if (directory != NULL)
906 result = isc_file_isdirectory(directory);
907 if (result != ISC_R_SUCCESS) {
908 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
909 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
910 "invalid managed-keys-directory %s: %s",
911 directory, isc_result_totext(result));
915 CHECK(add_keydata_zone(view, directory, ns_g_mctx));
922 mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
923 const cfg_listelt_t *element;
924 const cfg_obj_t *obj;
926 dns_fixedname_t fixed;
932 dns_fixedname_init(&fixed);
933 name = dns_fixedname_name(&fixed);
934 for (element = cfg_list_first(mbs);
936 element = cfg_list_next(element))
938 obj = cfg_listelt_value(element);
939 str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
940 isc_buffer_constinit(&b, str, strlen(str));
941 isc_buffer_add(&b, strlen(str));
942 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
943 value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
944 CHECK(dns_resolver_setmustbesecure(resolver, name, value));
947 result = ISC_R_SUCCESS;
954 * Get a dispatch appropriate for the resolver of a given view.
957 get_view_querysource_dispatch(const cfg_obj_t **maps,
958 int af, dns_dispatch_t **dispatchp,
959 isc_boolean_t is_firstview)
961 isc_result_t result = ISC_R_FAILURE;
962 dns_dispatch_t *disp;
964 unsigned int attrs, attrmask;
965 const cfg_obj_t *obj = NULL;
966 unsigned int maxdispatchbuffers;
970 result = ns_config_get(maps, "query-source", &obj);
971 INSIST(result == ISC_R_SUCCESS);
974 result = ns_config_get(maps, "query-source-v6", &obj);
975 INSIST(result == ISC_R_SUCCESS);
981 sa = *(cfg_obj_assockaddr(obj));
982 INSIST(isc_sockaddr_pf(&sa) == af);
985 * If we don't support this address family, we're done!
989 result = isc_net_probeipv4();
992 result = isc_net_probeipv6();
997 if (result != ISC_R_SUCCESS)
998 return (ISC_R_SUCCESS);
1001 * Try to find a dispatcher that we can share.
1004 attrs |= DNS_DISPATCHATTR_UDP;
1007 attrs |= DNS_DISPATCHATTR_IPV4;
1010 attrs |= DNS_DISPATCHATTR_IPV6;
1013 if (isc_sockaddr_getport(&sa) == 0) {
1014 attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
1015 maxdispatchbuffers = 4096;
1017 INSIST(obj != NULL);
1019 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
1020 "using specific query-source port "
1021 "suppresses port randomization and can be "
1024 maxdispatchbuffers = 1000;
1028 attrmask |= DNS_DISPATCHATTR_UDP;
1029 attrmask |= DNS_DISPATCHATTR_TCP;
1030 attrmask |= DNS_DISPATCHATTR_IPV4;
1031 attrmask |= DNS_DISPATCHATTR_IPV6;
1034 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
1035 ns_g_taskmgr, &sa, 4096,
1036 maxdispatchbuffers, 32768, 16411, 16433,
1037 attrs, attrmask, &disp);
1038 if (result != ISC_R_SUCCESS) {
1040 char buf[ISC_SOCKADDR_FORMATSIZE];
1044 isc_sockaddr_any(&any);
1047 isc_sockaddr_any6(&any);
1050 if (isc_sockaddr_equal(&sa, &any))
1051 return (ISC_R_SUCCESS);
1052 isc_sockaddr_format(&sa, buf, sizeof(buf));
1053 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1054 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
1055 "could not get query source dispatcher (%s)",
1062 return (ISC_R_SUCCESS);
1066 configure_order(dns_order_t *order, const cfg_obj_t *ent) {
1067 dns_rdataclass_t rdclass;
1068 dns_rdatatype_t rdtype;
1069 const cfg_obj_t *obj;
1070 dns_fixedname_t fixed;
1071 unsigned int mode = 0;
1074 isc_result_t result;
1075 isc_boolean_t addroot;
1077 result = ns_config_getclass(cfg_tuple_get(ent, "class"),
1078 dns_rdataclass_any, &rdclass);
1079 if (result != ISC_R_SUCCESS)
1082 result = ns_config_gettype(cfg_tuple_get(ent, "type"),
1083 dns_rdatatype_any, &rdtype);
1084 if (result != ISC_R_SUCCESS)
1087 obj = cfg_tuple_get(ent, "name");
1088 if (cfg_obj_isstring(obj))
1089 str = cfg_obj_asstring(obj);
1092 addroot = ISC_TF(strcmp(str, "*") == 0);
1093 isc_buffer_constinit(&b, str, strlen(str));
1094 isc_buffer_add(&b, strlen(str));
1095 dns_fixedname_init(&fixed);
1096 result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
1097 dns_rootname, 0, NULL);
1098 if (result != ISC_R_SUCCESS)
1101 obj = cfg_tuple_get(ent, "ordering");
1102 INSIST(cfg_obj_isstring(obj));
1103 str = cfg_obj_asstring(obj);
1104 if (!strcasecmp(str, "fixed"))
1105 mode = DNS_RDATASETATTR_FIXEDORDER;
1106 else if (!strcasecmp(str, "random"))
1107 mode = DNS_RDATASETATTR_RANDOMIZE;
1108 else if (!strcasecmp(str, "cyclic"))
1114 * "*" should match everything including the root (BIND 8 compat).
1115 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
1116 * explicit entry for "." when the name is "*".
1119 result = dns_order_add(order, dns_rootname,
1120 rdtype, rdclass, mode);
1121 if (result != ISC_R_SUCCESS)
1125 return (dns_order_add(order, dns_fixedname_name(&fixed),
1126 rdtype, rdclass, mode));
1130 configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
1133 const cfg_obj_t *obj;
1135 isc_result_t result;
1136 unsigned int prefixlen;
1138 cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
1141 result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
1142 if (result != ISC_R_SUCCESS)
1146 (void)cfg_map_get(cpeer, "bogus", &obj);
1148 CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
1151 (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
1153 CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
1156 (void)cfg_map_get(cpeer, "request-ixfr", &obj);
1158 CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
1161 (void)cfg_map_get(cpeer, "request-nsid", &obj);
1163 CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
1166 (void)cfg_map_get(cpeer, "edns", &obj);
1168 CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
1171 (void)cfg_map_get(cpeer, "edns-udp-size", &obj);
1173 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1178 CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
1182 (void)cfg_map_get(cpeer, "max-udp-size", &obj);
1184 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1189 CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
1193 (void)cfg_map_get(cpeer, "transfers", &obj);
1195 CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
1198 (void)cfg_map_get(cpeer, "transfer-format", &obj);
1200 str = cfg_obj_asstring(obj);
1201 if (strcasecmp(str, "many-answers") == 0)
1202 CHECK(dns_peer_settransferformat(peer,
1204 else if (strcasecmp(str, "one-answer") == 0)
1205 CHECK(dns_peer_settransferformat(peer,
1212 (void)cfg_map_get(cpeer, "keys", &obj);
1214 result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
1215 if (result != ISC_R_SUCCESS)
1220 if (na.family == AF_INET)
1221 (void)cfg_map_get(cpeer, "transfer-source", &obj);
1223 (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
1225 result = dns_peer_settransfersource(peer,
1226 cfg_obj_assockaddr(obj));
1227 if (result != ISC_R_SUCCESS)
1229 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1233 if (na.family == AF_INET)
1234 (void)cfg_map_get(cpeer, "notify-source", &obj);
1236 (void)cfg_map_get(cpeer, "notify-source-v6", &obj);
1238 result = dns_peer_setnotifysource(peer,
1239 cfg_obj_assockaddr(obj));
1240 if (result != ISC_R_SUCCESS)
1242 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1246 if (na.family == AF_INET)
1247 (void)cfg_map_get(cpeer, "query-source", &obj);
1249 (void)cfg_map_get(cpeer, "query-source-v6", &obj);
1251 result = dns_peer_setquerysource(peer,
1252 cfg_obj_assockaddr(obj));
1253 if (result != ISC_R_SUCCESS)
1255 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1259 return (ISC_R_SUCCESS);
1262 dns_peer_detach(&peer);
1267 disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
1268 isc_result_t result;
1269 const cfg_obj_t *algorithms;
1270 const cfg_listelt_t *element;
1272 dns_fixedname_t fixed;
1276 dns_fixedname_init(&fixed);
1277 name = dns_fixedname_name(&fixed);
1278 str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
1279 isc_buffer_constinit(&b, str, strlen(str));
1280 isc_buffer_add(&b, strlen(str));
1281 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1283 algorithms = cfg_tuple_get(disabled, "algorithms");
1284 for (element = cfg_list_first(algorithms);
1286 element = cfg_list_next(element))
1291 DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
1292 r.length = strlen(r.base);
1294 result = dns_secalg_fromtext(&alg, &r);
1295 if (result != ISC_R_SUCCESS) {
1297 result = isc_parse_uint8(&ui, r.base, 10);
1300 if (result != ISC_R_SUCCESS) {
1301 cfg_obj_log(cfg_listelt_value(element),
1302 ns_g_lctx, ISC_LOG_ERROR,
1303 "invalid algorithm");
1306 CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
1312 static isc_boolean_t
1313 on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
1314 const cfg_listelt_t *element;
1315 dns_fixedname_t fixed;
1317 isc_result_t result;
1318 const cfg_obj_t *value;
1322 dns_fixedname_init(&fixed);
1323 name = dns_fixedname_name(&fixed);
1325 for (element = cfg_list_first(disablelist);
1327 element = cfg_list_next(element))
1329 value = cfg_listelt_value(element);
1330 str = cfg_obj_asstring(value);
1331 isc_buffer_constinit(&b, str, strlen(str));
1332 isc_buffer_add(&b, strlen(str));
1333 result = dns_name_fromtext(name, &b, dns_rootname,
1335 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1336 if (dns_name_equal(name, zonename))
1343 check_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv,
1348 isc_result_t result = ISC_R_SUCCESS;
1350 CHECK(dns_zone_getdbtype(zone, &argv, mctx));
1353 * Check that all the arguments match.
1355 for (i = 0; i < dbtypec; i++)
1356 if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0)
1357 CHECK(ISC_R_FAILURE);
1360 * Check that there are not extra arguments.
1362 if (i == dbtypec && argv[i] != NULL)
1363 result = ISC_R_FAILURE;
1366 isc_mem_free(mctx, argv);
1371 setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
1372 isc_result_t result;
1373 isc_stats_t *zoneqrystats;
1375 dns_zone_setstatlevel(zone, level);
1377 zoneqrystats = NULL;
1378 if (level == dns_zonestat_full) {
1379 result = isc_stats_create(mctx, &zoneqrystats,
1380 dns_nsstatscounter_max);
1381 if (result != ISC_R_SUCCESS)
1384 dns_zone_setrequeststats(zone, zoneqrystats);
1385 if (zoneqrystats != NULL)
1386 isc_stats_detach(&zoneqrystats);
1388 return (ISC_R_SUCCESS);
1392 cachelist_find(ns_cachelist_t *cachelist, const char *cachename,
1393 dns_rdataclass_t rdclass)
1397 for (nsc = ISC_LIST_HEAD(*cachelist);
1399 nsc = ISC_LIST_NEXT(nsc, link)) {
1400 if (nsc->rdclass == rdclass &&
1401 strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
1408 static isc_boolean_t
1409 cache_reusable(dns_view_t *originview, dns_view_t *view,
1410 isc_boolean_t new_zero_no_soattl)
1412 if (originview->rdclass != view->rdclass ||
1413 originview->checknames != view->checknames ||
1414 dns_resolver_getzeronosoattl(originview->resolver) !=
1415 new_zero_no_soattl ||
1416 originview->acceptexpired != view->acceptexpired ||
1417 originview->enablevalidation != view->enablevalidation ||
1418 originview->maxcachettl != view->maxcachettl ||
1419 originview->maxncachettl != view->maxncachettl) {
1426 static isc_boolean_t
1427 cache_sharable(dns_view_t *originview, dns_view_t *view,
1428 isc_boolean_t new_zero_no_soattl,
1429 unsigned int new_cleaning_interval,
1430 isc_uint64_t new_max_cache_size)
1433 * If the cache cannot even reused for the same view, it cannot be
1434 * shared with other views.
1436 if (!cache_reusable(originview, view, new_zero_no_soattl))
1440 * Check other cache related parameters that must be consistent among
1441 * the sharing views.
1443 if (dns_cache_getcleaninginterval(originview->cache) !=
1444 new_cleaning_interval ||
1445 dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
1453 * Callback from DLZ configure when the driver sets up a writeable zone
1456 dlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
1457 dns_name_t *origin = dns_zone_getorigin(zone);
1458 dns_rdataclass_t zclass = view->rdclass;
1459 isc_result_t result;
1461 result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
1462 if (result != ISC_R_SUCCESS)
1464 dns_zone_setstats(zone, ns_g_server->zonestats);
1466 return (ns_zone_configure_writeable_dlz(view->dlzdatabase,
1467 zone, zclass, origin));
1471 dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
1472 unsigned int prefixlen, const char *server,
1473 const char *contact)
1476 char reverse[48+sizeof("ip6.arpa.")];
1477 const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
1478 const char *sep = ": view ";
1479 const char *viewname = view->name;
1480 const unsigned char *s6;
1481 dns_fixedname_t fixed;
1483 dns_zone_t *zone = NULL;
1484 int dns64_dbtypec = 4;
1486 isc_result_t result;
1488 REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
1489 prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
1491 if (!strcmp(viewname, "_default")) {
1497 * Construct the reverse name of the zone.
1500 s6 = na->type.in6.s6_addr;
1501 while (prefixlen > 0) {
1503 sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
1504 (s6[prefixlen/8] >> 4) & 0xf);
1507 strcat(cp, "ip6.arpa.");
1510 * Create the actual zone.
1513 dns64_dbtype[2] = server;
1514 if (contact != NULL)
1515 dns64_dbtype[3] = contact;
1516 dns_fixedname_init(&fixed);
1517 name = dns_fixedname_name(&fixed);
1518 isc_buffer_constinit(&b, reverse, strlen(reverse));
1519 isc_buffer_add(&b, strlen(reverse));
1520 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1521 CHECK(dns_zone_create(&zone, mctx));
1522 CHECK(dns_zone_setorigin(zone, name));
1523 dns_zone_setview(zone, view);
1524 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
1525 dns_zone_setclass(zone, view->rdclass);
1526 dns_zone_settype(zone, dns_zone_master);
1527 dns_zone_setstats(zone, ns_g_server->zonestats);
1528 CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
1529 if (view->queryacl != NULL)
1530 dns_zone_setqueryacl(zone, view->queryacl);
1531 if (view->queryonacl != NULL)
1532 dns_zone_setqueryonacl(zone, view->queryonacl);
1533 dns_zone_setdialup(zone, dns_dialuptype_no);
1534 dns_zone_setnotifytype(zone, dns_notifytype_no);
1535 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
1536 CHECK(setquerystats(zone, mctx, dns_zonestat_none)); /* XXXMPA */
1537 CHECK(dns_view_addzone(view, zone));
1538 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
1539 ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
1544 dns_zone_detach(&zone);
1549 configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1550 const char *str, const char *msg)
1552 isc_result_t result;
1554 result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
1555 if (result != ISC_R_SUCCESS)
1556 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1557 "invalid %s '%s'", msg, str);
1562 configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1563 const char *str, const dns_name_t *origin)
1565 isc_result_t result;
1567 result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
1569 if (result != ISC_R_SUCCESS)
1570 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1571 "invalid zone '%s'", str);
1576 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
1577 isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
1579 const cfg_obj_t *rpz_obj, *obj;
1581 dns_rpz_zone_t *old, *new;
1582 isc_result_t result;
1584 rpz_obj = cfg_listelt_value(element);
1586 new = isc_mem_get(view->mctx, sizeof(*new));
1588 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1589 "no memory for response policy zones");
1590 return (ISC_R_NOMEMORY);
1593 memset(new, 0, sizeof(*new));
1594 dns_name_init(&new->origin, NULL);
1595 dns_name_init(&new->nsdname, NULL);
1596 dns_name_init(&new->passthru, NULL);
1597 dns_name_init(&new->cname, NULL);
1598 ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
1600 obj = cfg_tuple_get(rpz_obj, "recursive-only");
1601 if (cfg_obj_isvoid(obj)) {
1602 new->recursive_only = recursive_only_def;
1604 new->recursive_only = cfg_obj_asboolean(obj);
1606 if (!new->recursive_only)
1607 view->rpz_recursive_only = ISC_FALSE;
1609 obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
1610 if (cfg_obj_isuint32(obj)) {
1611 new->max_policy_ttl = cfg_obj_asuint32(obj);
1613 new->max_policy_ttl = ttl_def;
1616 str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
1617 result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
1618 if (result != ISC_R_SUCCESS)
1620 if (dns_name_equal(&new->origin, dns_rootname)) {
1621 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1622 "invalid zone name '%s'", str);
1623 return (DNS_R_EMPTYLABEL);
1625 for (old = ISC_LIST_HEAD(view->rpz_zones);
1627 old = ISC_LIST_NEXT(old, link)) {
1629 if (dns_name_equal(&old->origin, &new->origin)) {
1630 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1631 "duplicate '%s'", str);
1632 result = DNS_R_DUPLICATE;
1637 result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
1638 DNS_RPZ_NSDNAME_ZONE, &new->origin);
1639 if (result != ISC_R_SUCCESS)
1642 result = configure_rpz_name(view, rpz_obj, &new->passthru,
1643 DNS_RPZ_PASSTHRU_ZONE, "zone");
1644 if (result != ISC_R_SUCCESS)
1647 obj = cfg_tuple_get(rpz_obj, "policy");
1648 if (cfg_obj_isvoid(obj)) {
1649 new->policy = DNS_RPZ_POLICY_GIVEN;
1651 str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
1652 new->policy = dns_rpz_str2policy(str);
1653 INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
1654 if (new->policy == DNS_RPZ_POLICY_CNAME) {
1655 str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
1656 result = configure_rpz_name(view, rpz_obj, &new->cname,
1658 if (result != ISC_R_SUCCESS)
1663 return (ISC_R_SUCCESS);
1667 #define CHECK_RRL(cond, pat, val1, val2) \
1670 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, \
1672 result = ISC_R_RANGE; \
1677 #define CHECK_RRL_RATE(rate, def, max_rate, name) \
1680 rrl->rate.str = name; \
1681 result = cfg_map_get(map, name, &obj); \
1682 if (result == ISC_R_SUCCESS) { \
1683 rrl->rate.r = cfg_obj_asuint32(obj); \
1684 CHECK_RRL(rrl->rate.r <= max_rate, \
1686 rrl->rate.r, max_rate); \
1688 rrl->rate.r = def; \
1690 rrl->rate.scaled = rrl->rate.r; \
1694 configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
1695 const cfg_obj_t *obj;
1697 isc_result_t result;
1698 int min_entries, i, j;
1701 * Most DNS servers have few clients, but intentinally open
1702 * recursive and authoritative servers often have many.
1703 * So start with a small number of entries unless told otherwise
1704 * to reduce cold-start costs.
1708 result = cfg_map_get(map, "min-table-size", &obj);
1709 if (result == ISC_R_SUCCESS) {
1710 min_entries = cfg_obj_asuint32(obj);
1711 if (min_entries < 1)
1714 result = dns_rrl_init(&rrl, view, min_entries);
1715 if (result != ISC_R_SUCCESS)
1718 i = ISC_MAX(20000, min_entries);
1720 result = cfg_map_get(map, "max-table-size", &obj);
1721 if (result == ISC_R_SUCCESS) {
1722 i = cfg_obj_asuint32(obj);
1723 CHECK_RRL(i >= min_entries,
1724 "max-table-size %d < min-table-size %d",
1727 rrl->max_entries = i;
1729 CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
1730 "responses-per-second");
1731 CHECK_RRL_RATE(referrals_per_second,
1732 rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
1733 "referrals-per-second");
1734 CHECK_RRL_RATE(nodata_per_second,
1735 rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
1736 "nodata-per-second");
1737 CHECK_RRL_RATE(nxdomains_per_second,
1738 rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
1739 "nxdomains-per-second");
1740 CHECK_RRL_RATE(errors_per_second,
1741 rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
1742 "errors-per-second");
1744 CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE,
1747 CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP,
1752 result = cfg_map_get(map, "window", &obj);
1753 if (result == ISC_R_SUCCESS) {
1754 i = cfg_obj_asuint32(obj);
1755 CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
1756 "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
1762 result = cfg_map_get(map, "qps-scale", &obj);
1763 if (result == ISC_R_SUCCESS) {
1764 i = cfg_obj_asuint32(obj);
1765 CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
1772 result = cfg_map_get(map, "ipv4-prefix-length", &obj);
1773 if (result == ISC_R_SUCCESS) {
1774 i = cfg_obj_asuint32(obj);
1775 CHECK_RRL(i >= 8 && i <= 32,
1776 "invalid 'ipv4-prefix-length %d'%s", i, "");
1778 rrl->ipv4_prefixlen = i;
1780 rrl->ipv4_mask = 0xffffffff;
1782 rrl->ipv4_mask = htonl(0xffffffff << (32-i));
1786 result = cfg_map_get(map, "ipv6-prefix-length", &obj);
1787 if (result == ISC_R_SUCCESS) {
1788 i = cfg_obj_asuint32(obj);
1789 CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
1790 "ipv6-prefix-length %d < 16 or > %d",
1791 i, DNS_RRL_MAX_PREFIX);
1793 rrl->ipv6_prefixlen = i;
1794 for (j = 0; j < 4; ++j) {
1796 rrl->ipv6_mask[j] = 0;
1797 } else if (i < 32) {
1798 rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i));
1800 rrl->ipv6_mask[j] = 0xffffffff;
1806 result = cfg_map_get(map, "exempt-clients", &obj);
1807 if (result == ISC_R_SUCCESS) {
1808 result = cfg_acl_fromconfig(obj, config, ns_g_lctx,
1809 ns_g_aclconfctx, ns_g_mctx,
1811 CHECK_RRL(result == ISC_R_SUCCESS,
1812 "invalid %s%s", "address match list", "");
1816 result = cfg_map_get(map, "log-only", &obj);
1817 if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj))
1818 rrl->log_only = ISC_TRUE;
1820 rrl->log_only = ISC_FALSE;
1822 return (ISC_R_SUCCESS);
1825 dns_rrl_view_destroy(view);
1828 #endif /* USE_RRL */
1831 add_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1832 dns_name_t *origin, dns_name_t *contact)
1834 dns_dbnode_t *node = NULL;
1835 dns_rdata_t rdata = DNS_RDATA_INIT;
1836 dns_rdatalist_t rdatalist;
1837 dns_rdataset_t rdataset;
1838 isc_result_t result;
1839 unsigned char buf[DNS_SOA_BUFFERSIZE];
1841 CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db),
1842 0, 28800, 7200, 604800, 86400, buf, &rdata));
1844 dns_rdatalist_init(&rdatalist);
1845 rdatalist.type = rdata.type;
1846 rdatalist.rdclass = rdata.rdclass;
1847 rdatalist.ttl = 86400;
1848 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
1850 dns_rdataset_init(&rdataset);
1851 CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
1852 CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
1853 CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
1857 dns_db_detachnode(db, &node);
1862 add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1865 dns_dbnode_t *node = NULL;
1867 dns_rdata_t rdata = DNS_RDATA_INIT;
1868 dns_rdatalist_t rdatalist;
1869 dns_rdataset_t rdataset;
1870 isc_result_t result;
1872 unsigned char buf[DNS_NAME_MAXWIRE];
1874 isc_buffer_init(&b, buf, sizeof(buf));
1876 ns.common.rdtype = dns_rdatatype_ns;
1877 ns.common.rdclass = dns_db_class(db);
1879 dns_name_init(&ns.name, NULL);
1880 dns_name_clone(nsname, &ns.name);
1881 CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
1884 dns_rdatalist_init(&rdatalist);
1885 rdatalist.type = rdata.type;
1886 rdatalist.rdclass = rdata.rdclass;
1887 rdatalist.ttl = 86400;
1888 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
1890 dns_rdataset_init(&rdataset);
1891 CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
1892 CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
1893 CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
1897 dns_db_detachnode(db, &node);
1902 create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
1903 const cfg_obj_t *zonelist, const char **empty_dbtype,
1904 int empty_dbtypec, dns_zonestat_level_t statlevel)
1906 char namebuf[DNS_NAME_FORMATSIZE];
1907 const cfg_listelt_t *element;
1908 const cfg_obj_t *obj;
1909 const cfg_obj_t *zconfig;
1910 const cfg_obj_t *zoptions;
1911 const char *rbt_dbtype[4] = { "rbt" };
1912 const char *sep = ": view ";
1914 const char *viewname = view->name;
1915 dns_db_t *db = NULL;
1916 dns_dbversion_t *version = NULL;
1917 dns_fixedname_t cfixed;
1918 dns_fixedname_t fixed;
1919 dns_fixedname_t nsfixed;
1920 dns_name_t *contact;
1923 dns_zone_t *myzone = NULL;
1924 int rbt_dbtypec = 1;
1925 isc_result_t result;
1926 dns_namereln_t namereln;
1928 unsigned int nlabels;
1930 dns_fixedname_init(&fixed);
1931 zname = dns_fixedname_name(&fixed);
1932 dns_fixedname_init(&nsfixed);
1933 ns = dns_fixedname_name(&nsfixed);
1934 dns_fixedname_init(&cfixed);
1935 contact = dns_fixedname_name(&cfixed);
1938 * Look for forward "zones" beneath this empty zone and if so
1939 * create a custom db for the empty zone.
1941 for (element = cfg_list_first(zonelist);
1943 element = cfg_list_next(element)) {
1945 zconfig = cfg_listelt_value(element);
1946 str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
1947 CHECK(dns_name_fromstring(zname, str, 0, NULL));
1948 namereln = dns_name_fullcompare(zname, name, &order, &nlabels);
1949 if (namereln != dns_namereln_subdomain)
1952 zoptions = cfg_tuple_get(zconfig, "options");
1955 (void)cfg_map_get(zoptions, "type", &obj);
1956 INSIST(obj != NULL);
1957 if (strcasecmp(cfg_obj_asstring(obj), "forward") == 0) {
1959 (void)cfg_map_get(zoptions, "forward", &obj);
1962 if (strcasecmp(cfg_obj_asstring(obj), "only") != 0)
1966 CHECK(dns_db_create(view->mctx, "rbt", name,
1967 dns_dbtype_zone, view->rdclass,
1969 CHECK(dns_db_newversion(db, &version));
1970 if (strcmp(empty_dbtype[2], "@") == 0)
1971 dns_name_clone(name, ns);
1973 CHECK(dns_name_fromstring(ns, empty_dbtype[2],
1975 CHECK(dns_name_fromstring(contact, empty_dbtype[3],
1977 CHECK(add_soa(db, version, name, ns, contact));
1978 CHECK(add_ns(db, version, name, ns));
1980 CHECK(add_ns(db, version, zname, dns_rootname));
1984 * Is the existing zone the ok to use?
1988 const char **dbargv;
1991 typec = rbt_dbtypec;
1992 dbargv = rbt_dbtype;
1994 typec = empty_dbtypec;
1995 dbargv = empty_dbtype;
1998 result = check_dbtype(zone, typec, dbargv, view->mctx);
1999 if (result != ISC_R_SUCCESS)
2002 if (zone != NULL && dns_zone_gettype(zone) != dns_zone_master)
2004 if (zone != NULL && dns_zone_getfile(zone) != NULL)
2007 dns_zone_getraw(zone, &myzone);
2008 if (myzone != NULL) {
2009 dns_zone_detach(&myzone);
2016 CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &myzone));
2018 CHECK(dns_zone_setorigin(zone, name));
2019 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2021 CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
2023 dns_zone_setclass(zone, view->rdclass);
2024 dns_zone_settype(zone, dns_zone_master);
2025 dns_zone_setstats(zone, ns_g_server->zonestats);
2028 dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, ISC_FALSE);
2029 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
2030 dns_zone_setnotifytype(zone, dns_notifytype_no);
2031 dns_zone_setdialup(zone, dns_dialuptype_no);
2032 if (view->queryacl != NULL)
2033 dns_zone_setqueryacl(zone, view->queryacl);
2035 dns_zone_clearqueryacl(zone);
2036 if (view->queryonacl != NULL)
2037 dns_zone_setqueryonacl(zone, view->queryonacl);
2039 dns_zone_clearqueryonacl(zone);
2040 dns_zone_clearupdateacl(zone);
2041 if (view->transferacl != NULL)
2042 dns_zone_setxfracl(zone, view->transferacl);
2044 dns_zone_clearxfracl(zone);
2046 CHECK(setquerystats(zone, view->mctx, statlevel));
2048 dns_db_closeversion(db, &version, ISC_TRUE);
2049 CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
2051 dns_zone_setview(zone, view);
2052 CHECK(dns_view_addzone(view, zone));
2054 if (!strcmp(viewname, "_default")) {
2058 dns_name_format(name, namebuf, sizeof(namebuf));
2059 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
2060 ISC_LOG_INFO, "automatic empty zone%s%s: %s",
2061 sep, viewname, namebuf);
2065 dns_zone_detach(&myzone);
2066 if (version != NULL)
2067 dns_db_closeversion(db, &version, ISC_FALSE);
2071 INSIST(version == NULL);
2077 * Configure 'view' according to 'vconfig', taking defaults from 'config'
2078 * where values are missing in 'vconfig'.
2080 * When configuring the default view, 'vconfig' will be NULL and the
2081 * global defaults in 'config' used exclusively.
2084 configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
2085 ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
2086 isc_mem_t *mctx, cfg_aclconfctx_t *actx,
2087 isc_boolean_t need_hints)
2089 const cfg_obj_t *maps[4];
2090 const cfg_obj_t *cfgmaps[3];
2091 const cfg_obj_t *optionmaps[3];
2092 const cfg_obj_t *options = NULL;
2093 const cfg_obj_t *voptions = NULL;
2094 const cfg_obj_t *forwardtype;
2095 const cfg_obj_t *forwarders;
2096 const cfg_obj_t *alternates;
2097 const cfg_obj_t *zonelist;
2098 const cfg_obj_t *dlz;
2099 unsigned int dlzargc;
2101 const cfg_obj_t *disabled;
2102 const cfg_obj_t *obj;
2103 #ifdef ENABLE_FETCHLIMIT
2104 const cfg_obj_t *obj2;
2105 #endif /* ENABLE_FETCHLIMIT */
2106 const cfg_listelt_t *element;
2108 dns_cache_t *cache = NULL;
2109 isc_result_t result;
2110 unsigned int cleaning_interval;
2111 size_t max_cache_size;
2112 size_t max_acache_size;
2113 size_t max_adb_size;
2114 isc_uint32_t lame_ttl;
2115 dns_tsig_keyring_t *ring = NULL;
2116 dns_view_t *pview = NULL; /* Production view */
2117 isc_mem_t *cmctx = NULL, *hmctx = NULL;
2118 dns_dispatch_t *dispatch4 = NULL;
2119 dns_dispatch_t *dispatch6 = NULL;
2120 isc_boolean_t reused_cache = ISC_FALSE;
2121 isc_boolean_t shared_cache = ISC_FALSE;
2122 int i = 0, j = 0, k = 0;
2124 const char *cachename = NULL;
2125 dns_order_t *order = NULL;
2126 isc_uint32_t udpsize;
2127 isc_uint32_t maxbits;
2128 unsigned int resopts = 0;
2129 dns_zone_t *zone = NULL;
2130 isc_uint32_t max_clients_per_query;
2131 isc_boolean_t empty_zones_enable;
2132 const cfg_obj_t *disablelist = NULL;
2133 isc_stats_t *resstats = NULL;
2134 dns_stats_t *resquerystats = NULL;
2135 isc_boolean_t auto_dlv = ISC_FALSE;
2136 isc_boolean_t auto_root = ISC_FALSE;
2138 isc_boolean_t zero_no_soattl;
2139 dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
2140 unsigned int query_timeout, ndisp;
2141 struct cfg_context *nzctx;
2142 dns_rpz_zone_t *rpz;
2144 REQUIRE(DNS_VIEW_VALID(view));
2147 (void)cfg_map_get(config, "options", &options);
2150 * maps: view options, options, defaults
2151 * cfgmaps: view options, config
2152 * optionmaps: view options, options
2154 if (vconfig != NULL) {
2155 voptions = cfg_tuple_get(vconfig, "options");
2156 maps[i++] = voptions;
2157 optionmaps[j++] = voptions;
2158 cfgmaps[k++] = voptions;
2160 if (options != NULL) {
2161 maps[i++] = options;
2162 optionmaps[j++] = options;
2165 maps[i++] = ns_g_defaults;
2167 optionmaps[j] = NULL;
2169 cfgmaps[k++] = config;
2173 * Set the view's port number for outgoing queries.
2175 CHECKM(ns_config_getport(config, &port), "port");
2176 dns_view_setdstport(view, port);
2179 * Create additional cache for this view and zones under the view
2180 * if explicitly enabled.
2181 * XXX950 default to on.
2184 (void)ns_config_get(maps, "acache-enable", &obj);
2185 if (obj != NULL && cfg_obj_asboolean(obj)) {
2187 CHECK(isc_mem_create(0, 0, &cmctx));
2188 CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
2190 isc_mem_setname(cmctx, "acache", NULL);
2191 isc_mem_detach(&cmctx);
2193 if (view->acache != NULL) {
2195 result = ns_config_get(maps, "acache-cleaning-interval", &obj);
2196 INSIST(result == ISC_R_SUCCESS);
2197 dns_acache_setcleaninginterval(view->acache,
2198 cfg_obj_asuint32(obj) * 60);
2201 result = ns_config_get(maps, "max-acache-size", &obj);
2202 INSIST(result == ISC_R_SUCCESS);
2203 if (cfg_obj_isstring(obj)) {
2204 str = cfg_obj_asstring(obj);
2205 INSIST(strcasecmp(str, "unlimited") == 0);
2206 max_acache_size = ISC_UINT32_MAX;
2208 isc_resourcevalue_t value;
2209 value = cfg_obj_asuint64(obj);
2210 if (value > SIZE_MAX) {
2211 cfg_obj_log(obj, ns_g_lctx,
2214 "%" ISC_PRINT_QUADFORMAT "u' "
2215 "is too large for this "
2216 "system; reducing to %lu",
2217 value, (unsigned long)SIZE_MAX);
2220 max_acache_size = (size_t) value;
2222 dns_acache_setcachesize(view->acache, max_acache_size);
2225 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
2226 ns_g_mctx, &view->queryacl));
2227 if (view->queryacl == NULL) {
2228 CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
2229 NULL, actx, ns_g_mctx,
2234 * Make the list of response policy zone names for a view that
2235 * is used for real lookups and so cares about hints.
2238 if (view->rdclass == dns_rdataclass_in && need_hints &&
2239 ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
2240 const cfg_obj_t *rpz_obj;
2241 isc_boolean_t recursive_only_def;
2244 rpz_obj = cfg_tuple_get(obj, "recursive-only");
2245 if (!cfg_obj_isvoid(rpz_obj) &&
2246 !cfg_obj_asboolean(rpz_obj))
2247 recursive_only_def = ISC_FALSE;
2249 recursive_only_def = ISC_TRUE;
2251 rpz_obj = cfg_tuple_get(obj, "break-dnssec");
2252 if (!cfg_obj_isvoid(rpz_obj) &&
2253 cfg_obj_asboolean(rpz_obj))
2254 view->rpz_break_dnssec = ISC_TRUE;
2256 view->rpz_break_dnssec = ISC_FALSE;
2258 rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
2259 if (cfg_obj_isuint32(rpz_obj))
2260 ttl_def = cfg_obj_asuint32(rpz_obj);
2262 ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
2264 rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
2265 if (cfg_obj_isuint32(rpz_obj))
2266 view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
2268 view->rpz_min_ns_labels = 2;
2270 element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
2271 while (element != NULL) {
2272 result = configure_rpz(view, element,
2273 recursive_only_def, ttl_def);
2274 if (result != ISC_R_SUCCESS)
2276 element = cfg_list_next(element);
2281 * Configure the zones.
2284 if (voptions != NULL)
2285 (void)cfg_map_get(voptions, "zone", &zonelist);
2287 (void)cfg_map_get(config, "zone", &zonelist);
2290 * Load zone configuration
2292 for (element = cfg_list_first(zonelist);
2294 element = cfg_list_next(element))
2296 const cfg_obj_t *zconfig = cfg_listelt_value(element);
2297 CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
2301 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
2303 rpz = ISC_LIST_NEXT(rpz, link))
2305 if (!rpz->defined) {
2306 char namebuf[DNS_NAME_FORMATSIZE];
2308 dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
2309 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
2310 "'%s' is not a master or slave zone",
2312 result = ISC_R_NOTFOUND;
2318 * If we're allowing added zones, then load zone configuration
2319 * from the newzone file for zones that were added during previous
2322 nzctx = view->new_zone_config;
2323 if (nzctx != NULL && nzctx->nzconfig != NULL) {
2324 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2325 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
2326 "loading additional zones for view '%s'",
2330 cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
2332 for (element = cfg_list_first(zonelist);
2334 element = cfg_list_next(element))
2336 const cfg_obj_t *zconfig = cfg_listelt_value(element);
2337 CHECK(configure_zone(config, zconfig, vconfig,
2344 * Create Dynamically Loadable Zone driver.
2347 if (voptions != NULL)
2348 (void)cfg_map_get(voptions, "dlz", &dlz);
2350 (void)cfg_map_get(config, "dlz", &dlz);
2354 (void)cfg_map_get(dlz, "database", &obj);
2356 const cfg_obj_t *name;
2357 char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
2359 result = ISC_R_NOMEMORY;
2363 result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
2364 if (result != ISC_R_SUCCESS) {
2365 isc_mem_free(mctx, s);
2369 name = cfg_map_getname(dlz);
2370 result = dns_dlzcreate(mctx, cfg_obj_asstring(name),
2371 dlzargv[0], dlzargc, dlzargv,
2372 &view->dlzdatabase);
2373 isc_mem_free(mctx, s);
2374 isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
2375 if (result != ISC_R_SUCCESS)
2379 * If the dlz backend supports configuration,
2380 * then call its configure method now.
2382 result = dns_dlzconfigure(view, dlzconfigure_callback);
2383 if (result != ISC_R_SUCCESS)
2389 * Obtain configuration parameters that affect the decision of whether
2390 * we can reuse/share an existing cache.
2393 result = ns_config_get(maps, "cleaning-interval", &obj);
2394 INSIST(result == ISC_R_SUCCESS);
2395 cleaning_interval = cfg_obj_asuint32(obj) * 60;
2398 result = ns_config_get(maps, "max-cache-size", &obj);
2399 INSIST(result == ISC_R_SUCCESS);
2400 if (cfg_obj_isstring(obj)) {
2401 str = cfg_obj_asstring(obj);
2402 INSIST(strcasecmp(str, "unlimited") == 0);
2403 max_cache_size = ISC_UINT32_MAX;
2405 isc_resourcevalue_t value;
2406 value = cfg_obj_asuint64(obj);
2407 if (value > SIZE_MAX) {
2408 cfg_obj_log(obj, ns_g_lctx,
2411 "%" ISC_PRINT_QUADFORMAT "u' "
2412 "is too large for this "
2413 "system; reducing to %lu",
2414 value, (unsigned long)SIZE_MAX);
2417 max_cache_size = (size_t) value;
2422 result = ns_checknames_get(maps, "response", &obj);
2423 INSIST(result == ISC_R_SUCCESS);
2425 str = cfg_obj_asstring(obj);
2426 if (strcasecmp(str, "fail") == 0) {
2427 resopts |= DNS_RESOLVER_CHECKNAMES |
2428 DNS_RESOLVER_CHECKNAMESFAIL;
2429 view->checknames = ISC_TRUE;
2430 } else if (strcasecmp(str, "warn") == 0) {
2431 resopts |= DNS_RESOLVER_CHECKNAMES;
2432 view->checknames = ISC_FALSE;
2433 } else if (strcasecmp(str, "ignore") == 0) {
2434 view->checknames = ISC_FALSE;
2439 result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
2440 INSIST(result == ISC_R_SUCCESS);
2441 zero_no_soattl = cfg_obj_asboolean(obj);
2444 result = ns_config_get(maps, "dns64", &obj);
2445 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
2446 strcmp(view->name, "_meta")) {
2447 isc_netaddr_t na, suffix, *sp;
2448 unsigned int prefixlen;
2449 const char *server, *contact;
2450 const cfg_obj_t *myobj;
2453 result = ns_config_get(maps, "dns64-server", &myobj);
2454 if (result == ISC_R_SUCCESS)
2455 server = cfg_obj_asstring(myobj);
2460 result = ns_config_get(maps, "dns64-contact", &myobj);
2461 if (result == ISC_R_SUCCESS)
2462 contact = cfg_obj_asstring(myobj);
2466 for (element = cfg_list_first(obj);
2468 element = cfg_list_next(element))
2470 const cfg_obj_t *map = cfg_listelt_value(element);
2471 dns_dns64_t *dns64 = NULL;
2472 unsigned int dns64options = 0;
2474 cfg_obj_asnetprefix(cfg_map_getname(map), &na,
2478 (void)cfg_map_get(map, "suffix", &obj);
2481 isc_netaddr_fromsockaddr(sp,
2482 cfg_obj_assockaddr(obj));
2486 clients = mapped = excluded = NULL;
2488 (void)cfg_map_get(map, "clients", &obj);
2490 result = cfg_acl_fromconfig(obj, config,
2493 if (result != ISC_R_SUCCESS)
2497 (void)cfg_map_get(map, "mapped", &obj);
2499 result = cfg_acl_fromconfig(obj, config,
2502 if (result != ISC_R_SUCCESS)
2506 (void)cfg_map_get(map, "exclude", &obj);
2508 result = cfg_acl_fromconfig(obj, config,
2510 mctx, 0, &excluded);
2511 if (result != ISC_R_SUCCESS)
2516 (void)cfg_map_get(map, "recursive-only", &obj);
2517 if (obj != NULL && cfg_obj_asboolean(obj))
2518 dns64options |= DNS_DNS64_RECURSIVE_ONLY;
2521 (void)cfg_map_get(map, "break-dnssec", &obj);
2522 if (obj != NULL && cfg_obj_asboolean(obj))
2523 dns64options |= DNS_DNS64_BREAK_DNSSEC;
2525 result = dns_dns64_create(mctx, &na, prefixlen, sp,
2526 clients, mapped, excluded,
2527 dns64options, &dns64);
2528 if (result != ISC_R_SUCCESS)
2530 dns_dns64_append(&view->dns64, dns64);
2532 result = dns64_reverse(view, mctx, &na, prefixlen,
2534 if (result != ISC_R_SUCCESS)
2536 if (clients != NULL)
2537 dns_acl_detach(&clients);
2539 dns_acl_detach(&mapped);
2540 if (excluded != NULL)
2541 dns_acl_detach(&excluded);
2546 result = ns_config_get(maps, "dnssec-accept-expired", &obj);
2547 INSIST(result == ISC_R_SUCCESS);
2548 view->acceptexpired = cfg_obj_asboolean(obj);
2551 result = ns_config_get(maps, "dnssec-validation", &obj);
2552 INSIST(result == ISC_R_SUCCESS);
2553 if (cfg_obj_isboolean(obj)) {
2554 view->enablevalidation = cfg_obj_asboolean(obj);
2556 /* If dnssec-validation is not boolean, it must be "auto" */
2557 view->enablevalidation = ISC_TRUE;
2558 auto_root = ISC_TRUE;
2562 result = ns_config_get(maps, "max-cache-ttl", &obj);
2563 INSIST(result == ISC_R_SUCCESS);
2564 view->maxcachettl = cfg_obj_asuint32(obj);
2567 result = ns_config_get(maps, "max-ncache-ttl", &obj);
2568 INSIST(result == ISC_R_SUCCESS);
2569 view->maxncachettl = cfg_obj_asuint32(obj);
2570 if (view->maxncachettl > 7 * 24 * 3600)
2571 view->maxncachettl = 7 * 24 * 3600;
2574 * Configure the view's cache.
2576 * First, check to see if there are any attach-cache options. If yes,
2577 * attempt to lookup an existing cache at attach it to the view. If
2578 * there is not one, then try to reuse an existing cache if possible;
2579 * otherwise create a new cache.
2581 * Note that the ADB is not preserved or shared in either case.
2583 * When a matching view is found, the associated statistics are also
2584 * retrieved and reused.
2586 * XXX Determining when it is safe to reuse or share a cache is tricky.
2587 * When the view's configuration changes, the cached data may become
2588 * invalid because it reflects our old view of the world. We check
2589 * some of the configuration parameters that could invalidate the cache
2590 * or otherwise make it unsharable, but there are other configuration
2591 * options that should be checked. For example, if a view uses a
2592 * forwarder, changes in the forwarder configuration may invalidate
2593 * the cache. At the moment, it's the administrator's responsibility to
2594 * ensure these configuration options don't invalidate reusing/sharing.
2597 result = ns_config_get(maps, "attach-cache", &obj);
2598 if (result == ISC_R_SUCCESS)
2599 cachename = cfg_obj_asstring(obj);
2601 cachename = view->name;
2603 nsc = cachelist_find(cachelist, cachename, view->rdclass);
2605 if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
2606 cleaning_interval, max_cache_size)) {
2607 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2608 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2609 "views %s and %s can't share the cache "
2610 "due to configuration parameter mismatch",
2611 nsc->primaryview->name, view->name);
2612 result = ISC_R_FAILURE;
2615 dns_cache_attach(nsc->cache, &cache);
2616 shared_cache = ISC_TRUE;
2618 if (strcmp(cachename, view->name) == 0) {
2619 result = dns_viewlist_find(&ns_g_server->viewlist,
2620 cachename, view->rdclass,
2622 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2624 if (pview != NULL) {
2625 if (!cache_reusable(pview, view,
2627 isc_log_write(ns_g_lctx,
2628 NS_LOGCATEGORY_GENERAL,
2629 NS_LOGMODULE_SERVER,
2631 "cache cannot be reused "
2632 "for view %s due to "
2633 "configuration parameter "
2634 "mismatch", view->name);
2636 INSIST(pview->cache != NULL);
2637 isc_log_write(ns_g_lctx,
2638 NS_LOGCATEGORY_GENERAL,
2639 NS_LOGMODULE_SERVER,
2641 "reusing existing cache");
2642 reused_cache = ISC_TRUE;
2643 dns_cache_attach(pview->cache, &cache);
2645 dns_view_getresstats(pview, &resstats);
2646 dns_view_getresquerystats(pview,
2648 dns_view_detach(&pview);
2651 if (cache == NULL) {
2653 * Create a cache with the desired name. This normally
2654 * equals the view name, but may also be a forward
2655 * reference to a view that share the cache with this
2656 * view but is not yet configured. If it is not the
2657 * view name but not a forward reference either, then it
2658 * is simply a named cache that is not shared.
2660 * We use two separate memory contexts for the
2661 * cache, for the main cache memory and the heap
2664 CHECK(isc_mem_create(0, 0, &cmctx));
2665 isc_mem_setname(cmctx, "cache", NULL);
2666 CHECK(isc_mem_create(0, 0, &hmctx));
2667 isc_mem_setname(hmctx, "cache_heap", NULL);
2668 CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
2669 ns_g_timermgr, view->rdclass,
2670 cachename, "rbt", 0, NULL,
2672 isc_mem_detach(&cmctx);
2673 isc_mem_detach(&hmctx);
2675 nsc = isc_mem_get(mctx, sizeof(*nsc));
2677 result = ISC_R_NOMEMORY;
2681 dns_cache_attach(cache, &nsc->cache);
2682 nsc->primaryview = view;
2683 nsc->needflush = ISC_FALSE;
2684 nsc->adbsizeadjusted = ISC_FALSE;
2685 nsc->rdclass = view->rdclass;
2686 ISC_LINK_INIT(nsc, link);
2687 ISC_LIST_APPEND(*cachelist, nsc, link);
2689 dns_view_setcache2(view, cache, shared_cache);
2692 * cache-file cannot be inherited if views are present, but this
2693 * should be caught by the configuration checking stage.
2696 result = ns_config_get(maps, "cache-file", &obj);
2697 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
2698 CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
2699 if (!reused_cache && !shared_cache)
2700 CHECK(dns_cache_load(cache));
2703 dns_cache_setcleaninginterval(cache, cleaning_interval);
2704 dns_cache_setcachesize(cache, max_cache_size);
2706 dns_cache_detach(&cache);
2711 * XXXRTH Hardwired number of tasks.
2713 CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
2714 ISC_TF(ISC_LIST_PREV(view, link)
2716 CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
2717 ISC_TF(ISC_LIST_PREV(view, link)
2719 if (dispatch4 == NULL && dispatch6 == NULL) {
2720 UNEXPECTED_ERROR(__FILE__, __LINE__,
2721 "unable to obtain neither an IPv4 nor"
2722 " an IPv6 dispatch");
2723 result = ISC_R_UNEXPECTED;
2727 ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
2728 CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
2729 ns_g_socketmgr, ns_g_timermgr,
2730 resopts, ns_g_dispatchmgr,
2731 dispatch4, dispatch6));
2733 if (resstats == NULL) {
2734 CHECK(isc_stats_create(mctx, &resstats,
2735 dns_resstatscounter_max));
2737 dns_view_setresstats(view, resstats);
2738 if (resquerystats == NULL)
2739 CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
2740 dns_view_setresquerystats(view, resquerystats);
2743 * Set the ADB cache size to 1/8th of the max-cache-size or
2744 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
2747 if (max_cache_size != 0U) {
2748 max_adb_size = max_cache_size / 8;
2749 if (max_adb_size == 0U)
2750 max_adb_size = 1; /* Force minimum. */
2751 if (view != nsc->primaryview &&
2752 max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
2753 max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
2754 if (!nsc->adbsizeadjusted) {
2755 dns_adb_setadbsize(nsc->primaryview->adb,
2756 MAX_ADB_SIZE_FOR_CACHESHARE);
2757 nsc->adbsizeadjusted = ISC_TRUE;
2761 dns_adb_setadbsize(view->adb, max_adb_size);
2763 #ifdef ENABLE_FETCHLIMIT
2768 isc_uint32_t fps, freq;
2769 double low, high, discount;
2772 result = ns_config_get(maps, "fetches-per-server", &obj);
2773 INSIST(result == ISC_R_SUCCESS);
2774 obj2 = cfg_tuple_get(obj, "fetches");
2775 fps = cfg_obj_asuint32(obj2);
2776 obj2 = cfg_tuple_get(obj, "response");
2777 if (!cfg_obj_isvoid(obj2)) {
2778 const char *resp = cfg_obj_asstring(obj2);
2781 if (strcasecmp(resp, "drop") == 0)
2783 else if (strcasecmp(resp, "fail") == 0)
2788 dns_resolver_setquotaresponse(view->resolver,
2789 dns_quotatype_server, r);
2793 result = ns_config_get(maps, "fetch-quota-params", &obj);
2794 INSIST(result == ISC_R_SUCCESS);
2796 obj2 = cfg_tuple_get(obj, "frequency");
2797 freq = cfg_obj_asuint32(obj2);
2799 obj2 = cfg_tuple_get(obj, "low");
2800 low = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
2802 obj2 = cfg_tuple_get(obj, "high");
2803 high = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
2805 obj2 = cfg_tuple_get(obj, "discount");
2806 discount = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
2808 dns_adb_setquota(view->adb, fps, freq, low, high, discount);
2810 #endif /* ENABLE_FETCHLIMIT */
2813 * Set resolver's lame-ttl.
2816 result = ns_config_get(maps, "lame-ttl", &obj);
2817 INSIST(result == ISC_R_SUCCESS);
2818 lame_ttl = cfg_obj_asuint32(obj);
2819 if (lame_ttl > 1800)
2821 dns_resolver_setlamettl(view->resolver, lame_ttl);
2824 * Set the resolver's query timeout.
2827 result = ns_config_get(maps, "resolver-query-timeout", &obj);
2828 INSIST(result == ISC_R_SUCCESS);
2829 query_timeout = cfg_obj_asuint32(obj);
2830 dns_resolver_settimeout(view->resolver, query_timeout);
2832 /* Specify whether to use 0-TTL for negative response for SOA query */
2833 dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
2836 * Set the resolver's EDNS UDP size.
2839 result = ns_config_get(maps, "edns-udp-size", &obj);
2840 INSIST(result == ISC_R_SUCCESS);
2841 udpsize = cfg_obj_asuint32(obj);
2846 dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
2849 * Set the maximum UDP response size.
2852 result = ns_config_get(maps, "max-udp-size", &obj);
2853 INSIST(result == ISC_R_SUCCESS);
2854 udpsize = cfg_obj_asuint32(obj);
2859 view->maxudp = udpsize;
2862 * Set the maximum rsa exponent bits.
2865 result = ns_config_get(maps, "max-rsa-exponent-size", &obj);
2866 INSIST(result == ISC_R_SUCCESS);
2867 maxbits = cfg_obj_asuint32(obj);
2868 if (maxbits != 0 && maxbits < 35)
2872 view->maxbits = maxbits;
2875 * Set supported DNSSEC algorithms.
2877 dns_resolver_reset_algorithms(view->resolver);
2879 (void)ns_config_get(maps, "disable-algorithms", &disabled);
2880 if (disabled != NULL) {
2881 for (element = cfg_list_first(disabled);
2883 element = cfg_list_next(element))
2884 CHECK(disable_algorithms(cfg_listelt_value(element),
2889 * A global or view "forwarders" option, if present,
2890 * creates an entry for "." in the forwarding table.
2894 (void)ns_config_get(maps, "forward", &forwardtype);
2895 (void)ns_config_get(maps, "forwarders", &forwarders);
2896 if (forwarders != NULL)
2897 CHECK(configure_forward(config, view, dns_rootname,
2898 forwarders, forwardtype));
2901 * Dual Stack Servers.
2904 (void)ns_config_get(maps, "dual-stack-servers", &alternates);
2905 if (alternates != NULL)
2906 CHECK(configure_alternates(config, view, alternates));
2909 * We have default hints for class IN if we need them.
2911 if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
2912 dns_view_sethints(view, ns_g_server->in_roothints);
2915 * If we still have no hints, this is a non-IN view with no
2916 * "hints zone" configured. Issue a warning, except if this
2917 * is a root server. Root servers never need to consult
2918 * their hints, so it's no point requiring users to configure
2921 if (view->hints == NULL) {
2922 dns_zone_t *rootzone = NULL;
2923 (void)dns_view_findzone(view, dns_rootname, &rootzone);
2924 if (rootzone != NULL) {
2925 dns_zone_detach(&rootzone);
2926 need_hints = ISC_FALSE;
2929 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2930 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
2931 "no root hints for view '%s'",
2936 * Configure the view's TSIG keys.
2938 CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
2939 if (ns_g_server->sessionkey != NULL) {
2940 CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
2941 ns_g_server->sessionkey));
2943 dns_view_setkeyring(view, ring);
2944 dns_tsigkeyring_detach(&ring);
2947 * See if we can re-use a dynamic key ring.
2949 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
2950 view->rdclass, &pview);
2951 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2953 if (pview != NULL) {
2954 dns_view_getdynamickeyring(pview, &ring);
2956 dns_view_setdynamickeyring(view, ring);
2957 dns_tsigkeyring_detach(&ring);
2958 dns_view_detach(&pview);
2960 dns_view_restorekeyring(view);
2963 * Configure the view's peer list.
2966 const cfg_obj_t *peers = NULL;
2967 dns_peerlist_t *newpeers = NULL;
2969 (void)ns_config_get(cfgmaps, "server", &peers);
2970 CHECK(dns_peerlist_new(mctx, &newpeers));
2971 for (element = cfg_list_first(peers);
2973 element = cfg_list_next(element))
2975 const cfg_obj_t *cpeer = cfg_listelt_value(element);
2978 CHECK(configure_peer(cpeer, mctx, &peer));
2979 dns_peerlist_addpeer(newpeers, peer);
2980 dns_peer_detach(&peer);
2982 dns_peerlist_detach(&view->peers);
2983 view->peers = newpeers; /* Transfer ownership. */
2987 * Configure the views rrset-order.
2990 const cfg_obj_t *rrsetorder = NULL;
2992 (void)ns_config_get(maps, "rrset-order", &rrsetorder);
2993 CHECK(dns_order_create(mctx, &order));
2994 for (element = cfg_list_first(rrsetorder);
2996 element = cfg_list_next(element))
2998 const cfg_obj_t *ent = cfg_listelt_value(element);
3000 CHECK(configure_order(order, ent));
3002 if (view->order != NULL)
3003 dns_order_detach(&view->order);
3004 dns_order_attach(order, &view->order);
3005 dns_order_detach(&order);
3008 * Copy the aclenv object.
3010 dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
3013 * Configure the "match-clients" and "match-destinations" ACL.
3015 CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
3016 ns_g_mctx, &view->matchclients));
3017 CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
3018 actx, ns_g_mctx, &view->matchdestinations));
3021 * Configure the "match-recursive-only" option.
3024 (void)ns_config_get(maps, "match-recursive-only", &obj);
3025 if (obj != NULL && cfg_obj_asboolean(obj))
3026 view->matchrecursiveonly = ISC_TRUE;
3028 view->matchrecursiveonly = ISC_FALSE;
3031 * Configure other configurable data.
3034 result = ns_config_get(maps, "recursion", &obj);
3035 INSIST(result == ISC_R_SUCCESS);
3036 view->recursion = cfg_obj_asboolean(obj);
3039 result = ns_config_get(maps, "auth-nxdomain", &obj);
3040 INSIST(result == ISC_R_SUCCESS);
3041 view->auth_nxdomain = cfg_obj_asboolean(obj);
3044 result = ns_config_get(maps, "minimal-responses", &obj);
3045 INSIST(result == ISC_R_SUCCESS);
3046 view->minimalresponses = cfg_obj_asboolean(obj);
3049 result = ns_config_get(maps, "transfer-format", &obj);
3050 INSIST(result == ISC_R_SUCCESS);
3051 str = cfg_obj_asstring(obj);
3052 if (strcasecmp(str, "many-answers") == 0)
3053 view->transfer_format = dns_many_answers;
3054 else if (strcasecmp(str, "one-answer") == 0)
3055 view->transfer_format = dns_one_answer;
3060 * Set sources where additional data and CNAME/DNAME
3061 * targets for authoritative answers may be found.
3064 result = ns_config_get(maps, "additional-from-auth", &obj);
3065 INSIST(result == ISC_R_SUCCESS);
3066 view->additionalfromauth = cfg_obj_asboolean(obj);
3067 if (view->recursion && ! view->additionalfromauth) {
3068 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3069 "'additional-from-auth no' is only supported "
3070 "with 'recursion no'");
3071 view->additionalfromauth = ISC_TRUE;
3075 result = ns_config_get(maps, "additional-from-cache", &obj);
3076 INSIST(result == ISC_R_SUCCESS);
3077 view->additionalfromcache = cfg_obj_asboolean(obj);
3078 if (view->recursion && ! view->additionalfromcache) {
3079 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3080 "'additional-from-cache no' is only supported "
3081 "with 'recursion no'");
3082 view->additionalfromcache = ISC_TRUE;
3086 * Set "allow-query-cache", "allow-query-cache-on",
3087 * "allow-recursion", and "allow-recursion-on" acls if
3088 * configured in named.conf.
3090 CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
3091 actx, ns_g_mctx, &view->cacheacl));
3092 CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
3093 actx, ns_g_mctx, &view->cacheonacl));
3094 if (view->cacheonacl == NULL)
3095 CHECK(configure_view_acl(NULL, ns_g_config,
3096 "allow-query-cache-on", NULL, actx,
3097 ns_g_mctx, &view->cacheonacl));
3098 if (strcmp(view->name, "_bind") != 0) {
3099 CHECK(configure_view_acl(vconfig, config, "allow-recursion",
3100 NULL, actx, ns_g_mctx,
3101 &view->recursionacl));
3102 CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
3103 NULL, actx, ns_g_mctx,
3104 &view->recursiononacl));
3108 * "allow-query-cache" inherits from "allow-recursion" if set,
3109 * otherwise from "allow-query" if set.
3110 * "allow-recursion" inherits from "allow-query-cache" if set,
3111 * otherwise from "allow-query" if set.
3113 if (view->cacheacl == NULL && view->recursionacl != NULL)
3114 dns_acl_attach(view->recursionacl, &view->cacheacl);
3116 * XXXEACH: This call to configure_view_acl() is redundant. We
3117 * are leaving it as it is because we are making a minimal change
3118 * for a patch release. In the future this should be changed to
3119 * dns_acl_attach(view->queryacl, &view->cacheacl).
3121 if (view->cacheacl == NULL && view->recursion)
3122 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
3123 actx, ns_g_mctx, &view->cacheacl));
3124 if (view->recursion &&
3125 view->recursionacl == NULL && view->cacheacl != NULL)
3126 dns_acl_attach(view->cacheacl, &view->recursionacl);
3129 * Set default "allow-recursion", "allow-recursion-on" and
3130 * "allow-query-cache" acls.
3132 if (view->recursionacl == NULL && view->recursion)
3133 CHECK(configure_view_acl(NULL, ns_g_config,
3134 "allow-recursion", NULL,
3136 &view->recursionacl));
3137 if (view->recursiononacl == NULL && view->recursion)
3138 CHECK(configure_view_acl(NULL, ns_g_config,
3139 "allow-recursion-on", NULL,
3141 &view->recursiononacl));
3142 if (view->cacheacl == NULL) {
3143 if (view->recursion)
3144 CHECK(configure_view_acl(NULL, ns_g_config,
3145 "allow-query-cache", NULL,
3149 CHECK(dns_acl_none(mctx, &view->cacheacl));
3153 * Ignore case when compressing responses to the specified
3154 * clients. This causes case not always to be preserved,
3155 * and is needed by some broken clients.
3157 CHECK(configure_view_acl(vconfig, config, "no-case-compress", NULL,
3158 actx, ns_g_mctx, &view->nocasecompress));
3161 * Filter setting on addresses in the answer section.
3163 CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
3164 "acl", actx, ns_g_mctx, &view->denyansweracl));
3165 CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
3166 "except-from", ns_g_mctx,
3167 &view->answeracl_exclude));
3170 * Filter setting on names (CNAME/DNAME targets) in the answer section.
3172 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
3174 &view->denyanswernames));
3175 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
3176 "except-from", ns_g_mctx,
3177 &view->answernames_exclude));
3180 * Configure sortlist, if set
3182 CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
3186 * Configure default allow-transfer, allow-notify, allow-update
3187 * and allow-update-forwarding ACLs, if set, so they can be
3188 * inherited by zones.
3190 if (view->notifyacl == NULL)
3191 CHECK(configure_view_acl(NULL, ns_g_config,
3192 "allow-notify", NULL, actx,
3193 ns_g_mctx, &view->notifyacl));
3194 if (view->transferacl == NULL)
3195 CHECK(configure_view_acl(NULL, ns_g_config,
3196 "allow-transfer", NULL, actx,
3197 ns_g_mctx, &view->transferacl));
3198 if (view->updateacl == NULL)
3199 CHECK(configure_view_acl(NULL, ns_g_config,
3200 "allow-update", NULL, actx,
3201 ns_g_mctx, &view->updateacl));
3202 if (view->upfwdacl == NULL)
3203 CHECK(configure_view_acl(NULL, ns_g_config,
3204 "allow-update-forwarding", NULL, actx,
3205 ns_g_mctx, &view->upfwdacl));
3208 result = ns_config_get(maps, "provide-ixfr", &obj);
3209 INSIST(result == ISC_R_SUCCESS);
3210 view->provideixfr = cfg_obj_asboolean(obj);
3213 result = ns_config_get(maps, "request-nsid", &obj);
3214 INSIST(result == ISC_R_SUCCESS);
3215 view->requestnsid = cfg_obj_asboolean(obj);
3218 result = ns_config_get(maps, "max-clients-per-query", &obj);
3219 INSIST(result == ISC_R_SUCCESS);
3220 max_clients_per_query = cfg_obj_asuint32(obj);
3223 result = ns_config_get(maps, "clients-per-query", &obj);
3224 INSIST(result == ISC_R_SUCCESS);
3225 dns_resolver_setclientsperquery(view->resolver,
3226 cfg_obj_asuint32(obj),
3227 max_clients_per_query);
3230 result = ns_config_get(maps, "max-recursion-depth", &obj);
3231 INSIST(result == ISC_R_SUCCESS);
3232 dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
3235 result = ns_config_get(maps, "max-recursion-queries", &obj);
3236 INSIST(result == ISC_R_SUCCESS);
3237 dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
3239 #ifdef ENABLE_FETCHLIMIT
3241 result = ns_config_get(maps, "fetches-per-zone", &obj);
3242 INSIST(result == ISC_R_SUCCESS);
3243 obj2 = cfg_tuple_get(obj, "fetches");
3244 dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
3245 obj2 = cfg_tuple_get(obj, "response");
3246 if (!cfg_obj_isvoid(obj2)) {
3247 const char *resp = cfg_obj_asstring(obj2);
3250 if (strcasecmp(resp, "drop") == 0)
3252 else if (strcasecmp(resp, "fail") == 0)
3257 dns_resolver_setquotaresponse(view->resolver,
3258 dns_quotatype_zone, r);
3260 #endif /* ENABLE_FETCHLIMIT */
3262 #ifdef ALLOW_FILTER_AAAA_ON_V4
3264 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
3265 INSIST(result == ISC_R_SUCCESS);
3266 if (cfg_obj_isboolean(obj)) {
3267 if (cfg_obj_asboolean(obj))
3268 view->v4_aaaa = dns_v4_aaaa_filter;
3270 view->v4_aaaa = dns_v4_aaaa_ok;
3272 const char *v4_aaaastr = cfg_obj_asstring(obj);
3273 if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
3274 view->v4_aaaa = dns_v4_aaaa_break_dnssec;
3278 CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
3279 actx, ns_g_mctx, &view->v4_aaaa_acl));
3283 result = ns_config_get(maps, "dnssec-enable", &obj);
3284 INSIST(result == ISC_R_SUCCESS);
3285 view->enablednssec = cfg_obj_asboolean(obj);
3288 result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
3289 if (result == ISC_R_SUCCESS) {
3290 /* If set to "auto", use the version from the defaults */
3291 const cfg_obj_t *dlvobj;
3293 dlvobj = cfg_listelt_value(cfg_list_first(obj));
3294 dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
3295 if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
3296 /* If "no", skip; if "auto", use global default */
3297 if (!strcasecmp(dom, "no"))
3298 result = ISC_R_NOTFOUND;
3299 else if (!strcasecmp(dom, "auto")) {
3300 auto_dlv = ISC_TRUE;
3302 result = cfg_map_get(ns_g_defaults,
3303 "dnssec-lookaside", &obj);
3308 if (result == ISC_R_SUCCESS) {
3309 for (element = cfg_list_first(obj);
3311 element = cfg_list_next(element))
3315 obj = cfg_listelt_value(element);
3316 obj = cfg_tuple_get(obj, "trust-anchor");
3317 dlv = dns_fixedname_name(&view->dlv_fixed);
3318 CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
3319 DNS_NAME_DOWNCASE, NULL));
3320 view->dlv = dns_fixedname_name(&view->dlv_fixed);
3326 * For now, there is only one kind of trusted keys, the
3329 CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
3330 auto_dlv, auto_root, mctx));
3331 dns_resolver_resetmustbesecure(view->resolver);
3333 result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
3334 if (result == ISC_R_SUCCESS)
3335 CHECK(mustbesecure(obj, view->resolver));
3338 result = ns_config_get(maps, "preferred-glue", &obj);
3339 if (result == ISC_R_SUCCESS) {
3340 str = cfg_obj_asstring(obj);
3341 if (strcasecmp(str, "a") == 0)
3342 view->preferred_glue = dns_rdatatype_a;
3343 else if (strcasecmp(str, "aaaa") == 0)
3344 view->preferred_glue = dns_rdatatype_aaaa;
3346 view->preferred_glue = 0;
3348 view->preferred_glue = 0;
3351 result = ns_config_get(maps, "root-delegation-only", &obj);
3352 if (result == ISC_R_SUCCESS)
3353 dns_view_setrootdelonly(view, ISC_TRUE);
3354 if (result == ISC_R_SUCCESS && ! cfg_obj_isvoid(obj)) {
3355 const cfg_obj_t *exclude;
3356 dns_fixedname_t fixed;
3359 dns_fixedname_init(&fixed);
3360 name = dns_fixedname_name(&fixed);
3361 for (element = cfg_list_first(obj);
3363 element = cfg_list_next(element))
3365 exclude = cfg_listelt_value(element);
3366 CHECK(dns_name_fromstring(name,
3367 cfg_obj_asstring(exclude),
3369 CHECK(dns_view_excludedelegationonly(view, name));
3372 dns_view_setrootdelonly(view, ISC_FALSE);
3375 * Setup automatic empty zones. If recursion is off then
3376 * they are disabled by default.
3379 (void)ns_config_get(maps, "empty-zones-enable", &obj);
3380 (void)ns_config_get(maps, "disable-empty-zone", &disablelist);
3381 if (obj == NULL && disablelist == NULL &&
3382 view->rdclass == dns_rdataclass_in) {
3383 empty_zones_enable = view->recursion;
3384 } else if (view->rdclass == dns_rdataclass_in) {
3386 empty_zones_enable = cfg_obj_asboolean(obj);
3388 empty_zones_enable = view->recursion;
3390 empty_zones_enable = ISC_FALSE;
3392 if (empty_zones_enable && !lwresd_g_useresolvconf) {
3395 dns_fixedname_t fixed;
3397 isc_buffer_t buffer;
3398 char server[DNS_NAME_FORMATSIZE + 1];
3399 char contact[DNS_NAME_FORMATSIZE + 1];
3400 const char *empty_dbtype[4] =
3401 { "_builtin", "empty", NULL, NULL };
3402 int empty_dbtypec = 4;
3403 dns_zonestat_level_t statlevel;
3405 dns_fixedname_init(&fixed);
3406 name = dns_fixedname_name(&fixed);
3409 result = ns_config_get(maps, "empty-server", &obj);
3410 if (result == ISC_R_SUCCESS) {
3411 CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
3413 isc_buffer_init(&buffer, server, sizeof(server) - 1);
3414 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
3415 server[isc_buffer_usedlength(&buffer)] = 0;
3416 empty_dbtype[2] = server;
3418 empty_dbtype[2] = "@";
3421 result = ns_config_get(maps, "empty-contact", &obj);
3422 if (result == ISC_R_SUCCESS) {
3423 CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
3425 isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
3426 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
3427 contact[isc_buffer_usedlength(&buffer)] = 0;
3428 empty_dbtype[3] = contact;
3430 empty_dbtype[3] = ".";
3433 result = ns_config_get(maps, "zone-statistics", &obj);
3434 INSIST(result == ISC_R_SUCCESS);
3435 if (cfg_obj_isboolean(obj)) {
3436 if (cfg_obj_asboolean(obj))
3437 statlevel = dns_zonestat_full;
3439 statlevel = dns_zonestat_terse; /* XXX */
3441 const char *levelstr = cfg_obj_asstring(obj);
3442 if (strcasecmp(levelstr, "full") == 0)
3443 statlevel = dns_zonestat_full;
3444 else if (strcasecmp(levelstr, "terse") == 0)
3445 statlevel = dns_zonestat_terse;
3446 else if (strcasecmp(levelstr, "none") == 0)
3447 statlevel = dns_zonestat_none;
3452 for (empty = empty_zones[empty_zone];
3454 empty = empty_zones[++empty_zone])
3456 dns_forwarders_t *dnsforwarders = NULL;
3459 * Look for zone on drop list.
3461 CHECK(dns_name_fromstring(name, empty, 0, NULL));
3462 if (disablelist != NULL &&
3463 on_disable_list(disablelist, name))
3467 * This zone already exists.
3469 (void)dns_view_findzone(view, name, &zone);
3471 dns_zone_detach(&zone);
3476 * If we would forward this name don't add a
3477 * empty zone for it.
3479 result = dns_fwdtable_find(view->fwdtable, name,
3481 if (result == ISC_R_SUCCESS &&
3482 dnsforwarders->fwdpolicy == dns_fwdpolicy_only)
3486 * See if we can re-use a existing zone.
3488 result = dns_viewlist_find(&ns_g_server->viewlist,
3489 view->name, view->rdclass,
3491 if (result != ISC_R_NOTFOUND &&
3492 result != ISC_R_SUCCESS)
3495 if (pview != NULL) {
3496 (void)dns_view_findzone(pview, name, &zone);
3497 dns_view_detach(&pview);
3500 CHECK(create_empty_zone(zone, name, view, zonelist,
3501 empty_dbtype, empty_dbtypec,
3504 dns_zone_detach(&zone);
3510 result = ns_config_get(maps, "rate-limit", &obj);
3511 if (result == ISC_R_SUCCESS) {
3512 result = configure_rrl(view, config, obj);
3513 if (result != ISC_R_SUCCESS)
3516 #endif /* USE_RRL */
3518 result = ISC_R_SUCCESS;
3521 if (clients != NULL)
3522 dns_acl_detach(&clients);
3524 dns_acl_detach(&mapped);
3525 if (excluded != NULL)
3526 dns_acl_detach(&excluded);
3528 dns_tsigkeyring_detach(&ring);
3530 dns_zone_detach(&zone);
3531 if (dispatch4 != NULL)
3532 dns_dispatch_detach(&dispatch4);
3533 if (dispatch6 != NULL)
3534 dns_dispatch_detach(&dispatch6);
3535 if (resstats != NULL)
3536 isc_stats_detach(&resstats);
3537 if (resquerystats != NULL)
3538 dns_stats_detach(&resquerystats);
3540 dns_order_detach(&order);
3542 isc_mem_detach(&cmctx);
3544 isc_mem_detach(&hmctx);
3547 dns_cache_detach(&cache);
3553 configure_hints(dns_view_t *view, const char *filename) {
3554 isc_result_t result;
3558 result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
3559 if (result == ISC_R_SUCCESS) {
3560 dns_view_sethints(view, db);
3568 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
3569 const cfg_obj_t *alternates)
3571 const cfg_obj_t *portobj;
3572 const cfg_obj_t *addresses;
3573 const cfg_listelt_t *element;
3574 isc_result_t result = ISC_R_SUCCESS;
3578 * Determine which port to send requests to.
3580 if (ns_g_lwresdonly && ns_g_port != 0)
3583 CHECKM(ns_config_getport(config, &port), "port");
3585 if (alternates != NULL) {
3586 portobj = cfg_tuple_get(alternates, "port");
3587 if (cfg_obj_isuint32(portobj)) {
3588 isc_uint32_t val = cfg_obj_asuint32(portobj);
3589 if (val > ISC_UINT16_MAX) {
3590 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3591 "port '%u' out of range", val);
3592 return (ISC_R_RANGE);
3594 port = (in_port_t) val;
3599 if (alternates != NULL)
3600 addresses = cfg_tuple_get(alternates, "addresses");
3602 for (element = cfg_list_first(addresses);
3604 element = cfg_list_next(element))
3606 const cfg_obj_t *alternate = cfg_listelt_value(element);
3609 if (!cfg_obj_issockaddr(alternate)) {
3610 dns_fixedname_t fixed;
3612 const char *str = cfg_obj_asstring(cfg_tuple_get(
3613 alternate, "name"));
3614 isc_buffer_t buffer;
3615 in_port_t myport = port;
3617 isc_buffer_constinit(&buffer, str, strlen(str));
3618 isc_buffer_add(&buffer, strlen(str));
3619 dns_fixedname_init(&fixed);
3620 name = dns_fixedname_name(&fixed);
3621 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3624 portobj = cfg_tuple_get(alternate, "port");
3625 if (cfg_obj_isuint32(portobj)) {
3626 isc_uint32_t val = cfg_obj_asuint32(portobj);
3627 if (val > ISC_UINT16_MAX) {
3628 cfg_obj_log(portobj, ns_g_lctx,
3630 "port '%u' out of range",
3632 return (ISC_R_RANGE);
3634 myport = (in_port_t) val;
3636 CHECK(dns_resolver_addalternate(view->resolver, NULL,
3641 sa = *cfg_obj_assockaddr(alternate);
3642 if (isc_sockaddr_getport(&sa) == 0)
3643 isc_sockaddr_setport(&sa, port);
3644 CHECK(dns_resolver_addalternate(view->resolver, &sa,
3653 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
3654 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
3656 const cfg_obj_t *portobj;
3657 const cfg_obj_t *faddresses;
3658 const cfg_listelt_t *element;
3659 dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
3660 isc_sockaddrlist_t addresses;
3662 isc_result_t result;
3665 ISC_LIST_INIT(addresses);
3668 * Determine which port to send forwarded requests to.
3670 if (ns_g_lwresdonly && ns_g_port != 0)
3673 CHECKM(ns_config_getport(config, &port), "port");
3675 if (forwarders != NULL) {
3676 portobj = cfg_tuple_get(forwarders, "port");
3677 if (cfg_obj_isuint32(portobj)) {
3678 isc_uint32_t val = cfg_obj_asuint32(portobj);
3679 if (val > ISC_UINT16_MAX) {
3680 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3681 "port '%u' out of range", val);
3682 return (ISC_R_RANGE);
3684 port = (in_port_t) val;
3689 if (forwarders != NULL)
3690 faddresses = cfg_tuple_get(forwarders, "addresses");
3692 for (element = cfg_list_first(faddresses);
3694 element = cfg_list_next(element))
3696 const cfg_obj_t *forwarder = cfg_listelt_value(element);
3697 sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
3699 result = ISC_R_NOMEMORY;
3702 *sa = *cfg_obj_assockaddr(forwarder);
3703 if (isc_sockaddr_getport(sa) == 0)
3704 isc_sockaddr_setport(sa, port);
3705 ISC_LINK_INIT(sa, link);
3706 ISC_LIST_APPEND(addresses, sa, link);
3709 if (ISC_LIST_EMPTY(addresses)) {
3710 if (forwardtype != NULL)
3711 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3712 "no forwarders seen; disabling "
3714 fwdpolicy = dns_fwdpolicy_none;
3716 if (forwardtype == NULL)
3717 fwdpolicy = dns_fwdpolicy_first;
3719 const char *forwardstr = cfg_obj_asstring(forwardtype);
3720 if (strcasecmp(forwardstr, "first") == 0)
3721 fwdpolicy = dns_fwdpolicy_first;
3722 else if (strcasecmp(forwardstr, "only") == 0)
3723 fwdpolicy = dns_fwdpolicy_only;
3729 result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
3731 if (result != ISC_R_SUCCESS) {
3732 char namebuf[DNS_NAME_FORMATSIZE];
3733 dns_name_format(origin, namebuf, sizeof(namebuf));
3734 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3735 "could not set up forwarding for domain '%s': %s",
3736 namebuf, isc_result_totext(result));
3740 result = ISC_R_SUCCESS;
3744 while (!ISC_LIST_EMPTY(addresses)) {
3745 sa = ISC_LIST_HEAD(addresses);
3746 ISC_LIST_UNLINK(addresses, sa, link);
3747 isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
3754 get_viewinfo(const cfg_obj_t *vconfig, const char **namep,
3755 dns_rdataclass_t *classp)
3757 isc_result_t result = ISC_R_SUCCESS;
3758 const char *viewname;
3759 dns_rdataclass_t viewclass;
3761 REQUIRE(namep != NULL && *namep == NULL);
3762 REQUIRE(classp != NULL);
3764 if (vconfig != NULL) {
3765 const cfg_obj_t *classobj = NULL;
3767 viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
3768 classobj = cfg_tuple_get(vconfig, "class");
3769 CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
3771 if (dns_rdataclass_ismeta(viewclass)) {
3772 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3773 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3774 "view '%s': class must not be meta",
3776 CHECK(ISC_R_FAILURE);
3779 viewname = "_default";
3780 viewclass = dns_rdataclass_in;
3784 *classp = viewclass;
3791 * Find a view based on its configuration info and attach to it.
3793 * If 'vconfig' is NULL, attach to the default view.
3796 find_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3799 isc_result_t result;
3800 const char *viewname = NULL;
3801 dns_rdataclass_t viewclass;
3802 dns_view_t *view = NULL;
3804 result = get_viewinfo(vconfig, &viewname, &viewclass);
3805 if (result != ISC_R_SUCCESS)
3808 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3809 if (result != ISC_R_SUCCESS)
3813 return (ISC_R_SUCCESS);
3817 * Create a new view and add it to the list.
3819 * If 'vconfig' is NULL, create the default view.
3821 * The view created is attached to '*viewp'.
3824 create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3827 isc_result_t result;
3828 const char *viewname = NULL;
3829 dns_rdataclass_t viewclass;
3830 dns_view_t *view = NULL;
3832 result = get_viewinfo(vconfig, &viewname, &viewclass);
3833 if (result != ISC_R_SUCCESS)
3836 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3837 if (result == ISC_R_SUCCESS)
3838 return (ISC_R_EXISTS);
3839 if (result != ISC_R_NOTFOUND)
3841 INSIST(view == NULL);
3843 result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
3844 if (result != ISC_R_SUCCESS)
3847 ISC_LIST_APPEND(*viewlist, view, link);
3848 dns_view_attach(view, viewp);
3849 return (ISC_R_SUCCESS);
3853 * Configure or reconfigure a zone.
3856 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
3857 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
3858 cfg_aclconfctx_t *aclconf, isc_boolean_t added)
3860 dns_view_t *pview = NULL; /* Production view */
3861 dns_zone_t *zone = NULL; /* New or reused zone */
3862 dns_zone_t *raw = NULL; /* New or reused raw zone */
3863 dns_zone_t *dupzone = NULL;
3864 const cfg_obj_t *options = NULL;
3865 const cfg_obj_t *zoptions = NULL;
3866 const cfg_obj_t *typeobj = NULL;
3867 const cfg_obj_t *forwarders = NULL;
3868 const cfg_obj_t *forwardtype = NULL;
3869 const cfg_obj_t *only = NULL;
3870 const cfg_obj_t *signing = NULL;
3871 isc_result_t result;
3872 isc_result_t tresult;
3873 isc_buffer_t buffer;
3874 dns_fixedname_t fixorigin;
3877 dns_rdataclass_t zclass;
3878 const char *ztypestr;
3879 isc_boolean_t is_rpz;
3880 dns_rpz_zone_t *rpz;
3883 (void)cfg_map_get(config, "options", &options);
3885 zoptions = cfg_tuple_get(zconfig, "options");
3888 * Get the zone origin as a dns_name_t.
3890 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
3891 isc_buffer_constinit(&buffer, zname, strlen(zname));
3892 isc_buffer_add(&buffer, strlen(zname));
3893 dns_fixedname_init(&fixorigin);
3894 CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
3895 &buffer, dns_rootname, 0, NULL));
3896 origin = dns_fixedname_name(&fixorigin);
3898 CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
3899 view->rdclass, &zclass));
3900 if (zclass != view->rdclass) {
3901 const char *vname = NULL;
3902 if (vconfig != NULL)
3903 vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
3906 vname = "<default view>";
3908 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3909 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3910 "zone '%s': wrong class for view '%s'",
3912 result = ISC_R_FAILURE;
3916 (void)cfg_map_get(zoptions, "type", &typeobj);
3917 if (typeobj == NULL) {
3918 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3919 "zone '%s' 'type' not specified", zname);
3920 return (ISC_R_FAILURE);
3922 ztypestr = cfg_obj_asstring(typeobj);
3925 * "hints zones" aren't zones. If we've got one,
3926 * configure it and return.
3928 if (strcasecmp(ztypestr, "hint") == 0) {
3929 const cfg_obj_t *fileobj = NULL;
3930 if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
3931 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3932 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3933 "zone '%s': 'file' not specified",
3935 result = ISC_R_FAILURE;
3938 if (dns_name_equal(origin, dns_rootname)) {
3939 const char *hintsfile = cfg_obj_asstring(fileobj);
3941 CHECK(configure_hints(view, hintsfile));
3944 * Hint zones may also refer to delegation only points.
3947 tresult = cfg_map_get(zoptions, "delegation-only",
3949 if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
3950 CHECK(dns_view_adddelegationonly(view, origin));
3952 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3953 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3954 "ignoring non-root hint zone '%s'",
3956 result = ISC_R_SUCCESS;
3958 /* Skip ordinary zone processing. */
3963 * "forward zones" aren't zones either. Translate this syntax into
3964 * the appropriate selective forwarding configuration and return.
3966 if (strcasecmp(ztypestr, "forward") == 0) {
3970 (void)cfg_map_get(zoptions, "forward", &forwardtype);
3971 (void)cfg_map_get(zoptions, "forwarders", &forwarders);
3972 CHECK(configure_forward(config, view, origin, forwarders,
3976 * Forward zones may also set delegation only.
3979 tresult = cfg_map_get(zoptions, "delegation-only", &only);
3980 if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
3981 CHECK(dns_view_adddelegationonly(view, origin));
3986 * "delegation-only zones" aren't zones either.
3988 if (strcasecmp(ztypestr, "delegation-only") == 0) {
3989 result = dns_view_adddelegationonly(view, origin);
3994 * Redirect zones only require minimal configuration.
3996 if (strcasecmp(ztypestr, "redirect") == 0) {
3997 if (view->redirect != NULL) {
3998 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3999 "redirect zone already exists");
4000 result = ISC_R_EXISTS;
4003 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
4004 view->rdclass, &pview);
4005 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
4007 if (pview != NULL && pview->redirect != NULL) {
4008 dns_zone_attach(pview->redirect, &zone);
4009 dns_zone_setview(zone, view);
4011 CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
4013 CHECK(dns_zone_setorigin(zone, origin));
4014 dns_zone_setview(zone, view);
4015 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
4017 dns_zone_setstats(zone, ns_g_server->zonestats);
4019 CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
4021 dns_zone_attach(zone, &view->redirect);
4026 * Check for duplicates in the new zone table.
4028 result = dns_view_findzone(view, origin, &dupzone);
4029 if (result == ISC_R_SUCCESS) {
4031 * We already have this zone!
4033 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
4034 "zone '%s' already exists", zname);
4035 dns_zone_detach(&dupzone);
4036 result = ISC_R_EXISTS;
4039 INSIST(dupzone == NULL);
4042 * Note whether this is a response policy zone.
4045 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
4047 rpz = ISC_LIST_NEXT(rpz, link))
4049 if (dns_name_equal(&rpz->origin, origin)) {
4051 rpz->defined = ISC_TRUE;
4057 * See if we can reuse an existing zone. This is
4058 * only possible if all of these are true:
4059 * - The zone's view exists
4060 * - A zone with the right name exists in the view
4061 * - The zone is compatible with the config
4062 * options (e.g., an existing master zone cannot
4063 * be reused if the options specify a slave zone)
4064 * - The zone was and is or was not and is not a policy zone
4066 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
4067 view->rdclass, &pview);
4068 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
4071 result = dns_view_findzone(pview, origin, &zone);
4072 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
4075 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
4076 dns_zone_detach(&zone);
4078 if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
4079 dns_zone_detach(&zone);
4083 * We found a reusable zone. Make it use the
4086 dns_zone_setview(zone, view);
4087 if (view->acache != NULL)
4088 dns_zone_setacache(zone, view->acache);
4091 * We cannot reuse an existing zone, we have
4092 * to create a new one.
4094 CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
4095 CHECK(dns_zone_setorigin(zone, origin));
4096 dns_zone_setview(zone, view);
4097 if (view->acache != NULL)
4098 dns_zone_setacache(zone, view->acache);
4099 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
4100 dns_zone_setstats(zone, ns_g_server->zonestats);
4104 result = dns_zone_rpz_enable(zone);
4105 if (result != ISC_R_SUCCESS) {
4106 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4107 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4108 "zone '%s': incompatible"
4109 " masterfile-format or database"
4110 " for a response policy zone",
4117 * If the zone contains a 'forwarders' statement, configure
4118 * selective forwarding.
4121 if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
4124 (void)cfg_map_get(zoptions, "forward", &forwardtype);
4125 CHECK(configure_forward(config, view, origin, forwarders,
4130 * Stub and forward zones may also refer to delegation only points.
4133 if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
4135 if (cfg_obj_asboolean(only))
4136 CHECK(dns_view_adddelegationonly(view, origin));
4140 * Mark whether the zone was originally added at runtime or not
4142 dns_zone_setadded(zone, added);
4145 if ((strcasecmp(ztypestr, "master") == 0 ||
4146 strcasecmp(ztypestr, "slave") == 0) &&
4147 cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
4148 cfg_obj_asboolean(signing))
4150 dns_zone_getraw(zone, &raw);
4152 CHECK(dns_zone_create(&raw, mctx));
4153 CHECK(dns_zone_setorigin(raw, origin));
4154 dns_zone_setview(raw, view);
4155 if (view->acache != NULL)
4156 dns_zone_setacache(raw, view->acache);
4157 dns_zone_setstats(raw, ns_g_server->zonestats);
4158 CHECK(dns_zone_link(zone, raw));
4163 * Configure the zone.
4165 CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone, raw));
4168 * Add the zone to its view in the new view list.
4170 CHECK(dns_view_addzone(view, zone));
4173 * Ensure that zone keys are reloaded on reconfig
4175 if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
4176 dns_zone_rekey(zone, ISC_FALSE);
4180 dns_zone_detach(&zone);
4182 dns_zone_detach(&raw);
4184 dns_view_detach(&pview);
4190 * Configure built-in zone for storing managed-key data.
4193 #define KEYZONE "managed-keys.bind"
4194 #define MKEYS ".mkeys"
4197 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
4198 isc_result_t result;
4199 dns_view_t *pview = NULL;
4200 dns_zone_t *zone = NULL;
4201 dns_acl_t *none = NULL;
4202 char filename[PATH_MAX];
4203 char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
4206 REQUIRE(view != NULL);
4208 /* See if we can re-use an existing keydata zone. */
4209 result = dns_viewlist_find(&ns_g_server->viewlist,
4210 view->name, view->rdclass,
4212 if (result != ISC_R_NOTFOUND &&
4213 result != ISC_R_SUCCESS)
4216 if (pview != NULL && pview->managed_keys != NULL) {
4217 dns_zone_attach(pview->managed_keys, &view->managed_keys);
4218 dns_zone_setview(pview->managed_keys, view);
4219 dns_view_detach(&pview);
4220 dns_zone_synckeyzone(view->managed_keys);
4221 return (ISC_R_SUCCESS);
4224 /* No existing keydata zone was found; create one */
4225 CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
4226 CHECK(dns_zone_setorigin(zone, dns_rootname));
4228 isc_sha256_data((void *)view->name, strlen(view->name), buffer);
4229 strcat(buffer, MKEYS);
4230 n = snprintf(filename, sizeof(filename), "%s%s%s",
4231 directory ? directory : "", directory ? "/" : "",
4232 strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
4233 if (n < 0 || (size_t)n >= sizeof(filename)) {
4234 result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
4237 CHECK(dns_zone_setfile(zone, filename));
4239 dns_zone_setview(zone, view);
4240 dns_zone_settype(zone, dns_zone_key);
4241 dns_zone_setclass(zone, view->rdclass);
4243 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
4245 if (view->acache != NULL)
4246 dns_zone_setacache(zone, view->acache);
4248 CHECK(dns_acl_none(mctx, &none));
4249 dns_zone_setqueryacl(zone, none);
4250 dns_zone_setqueryonacl(zone, none);
4251 dns_acl_detach(&none);
4253 dns_zone_setdialup(zone, dns_dialuptype_no);
4254 dns_zone_setnotifytype(zone, dns_notifytype_no);
4255 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
4256 dns_zone_setjournalsize(zone, 0);
4258 dns_zone_setstats(zone, ns_g_server->zonestats);
4259 CHECK(setquerystats(zone, mctx, dns_zonestat_none));
4261 if (view->managed_keys != NULL)
4262 dns_zone_detach(&view->managed_keys);
4263 dns_zone_attach(zone, &view->managed_keys);
4265 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4266 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4267 "set up managed keys zone for view %s, file '%s'",
4268 view->name, filename);
4272 dns_zone_detach(&zone);
4274 dns_acl_detach(&none);
4280 * Configure a single server quota.
4283 configure_server_quota(const cfg_obj_t **maps, const char *name,
4286 const cfg_obj_t *obj = NULL;
4287 isc_result_t result;
4289 result = ns_config_get(maps, name, &obj);
4290 INSIST(result == ISC_R_SUCCESS);
4291 isc_quota_max(quota, cfg_obj_asuint32(obj));
4295 * This function is called as soon as the 'directory' statement has been
4296 * parsed. This can be extended to support other options if necessary.
4299 directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
4300 isc_result_t result;
4301 const char *directory;
4303 REQUIRE(strcasecmp("directory", clausename) == 0);
4311 directory = cfg_obj_asstring(obj);
4313 if (! isc_file_ischdiridempotent(directory))
4314 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
4315 "option 'directory' contains relative path '%s'",
4318 result = isc_dir_chdir(directory);
4319 if (result != ISC_R_SUCCESS) {
4320 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
4321 "change directory to '%s' failed: %s",
4322 directory, isc_result_totext(result));
4326 return (ISC_R_SUCCESS);
4330 scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
4331 isc_boolean_t match_mapped = server->aclenv.match_mapped;
4333 ns_interfacemgr_scan(server->interfacemgr, verbose);
4335 * Update the "localhost" and "localnets" ACLs to match the
4336 * current set of network interfaces.
4338 dns_aclenv_copy(&server->aclenv,
4339 ns_interfacemgr_getaclenv(server->interfacemgr));
4341 server->aclenv.match_mapped = match_mapped;
4345 add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
4346 isc_boolean_t wcardport_ok)
4348 ns_listenelt_t *lelt = NULL;
4349 dns_acl_t *src_acl = NULL;
4350 isc_result_t result;
4351 isc_sockaddr_t any_sa6;
4352 isc_netaddr_t netaddr;
4354 REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
4356 isc_sockaddr_any6(&any_sa6);
4357 if (!isc_sockaddr_equal(&any_sa6, addr) &&
4358 (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
4359 isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
4361 result = dns_acl_create(mctx, 0, &src_acl);
4362 if (result != ISC_R_SUCCESS)
4365 result = dns_iptable_addprefix(src_acl->iptable,
4366 &netaddr, 128, ISC_TRUE);
4367 if (result != ISC_R_SUCCESS)
4370 result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
4372 if (result != ISC_R_SUCCESS)
4374 ISC_LIST_APPEND(list->elts, lelt, link);
4377 return (ISC_R_SUCCESS);
4380 INSIST(lelt == NULL);
4381 dns_acl_detach(&src_acl);
4387 * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
4388 * to update the listening interfaces accordingly.
4389 * We currently only consider IPv6, because this only affects IPv6 wildcard
4393 adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
4394 isc_result_t result;
4395 ns_listenlist_t *list = NULL;
4397 dns_zone_t *zone, *next;
4398 isc_sockaddr_t addr, *addrp;
4400 result = ns_listenlist_create(mctx, &list);
4401 if (result != ISC_R_SUCCESS)
4404 for (view = ISC_LIST_HEAD(server->viewlist);
4406 view = ISC_LIST_NEXT(view, link)) {
4407 dns_dispatch_t *dispatch6;
4409 dispatch6 = dns_resolver_dispatchv6(view->resolver);
4410 if (dispatch6 == NULL)
4412 result = dns_dispatch_getlocaladdress(dispatch6, &addr);
4413 if (result != ISC_R_SUCCESS)
4417 * We always add non-wildcard address regardless of whether
4418 * the port is 'any' (the fourth arg is TRUE): if the port is
4419 * specific, we need to add it since it may conflict with a
4420 * listening interface; if it's zero, we'll dynamically open
4421 * query ports, and some of them may override an existing
4422 * wildcard IPv6 port.
4424 result = add_listenelt(mctx, list, &addr, ISC_TRUE);
4425 if (result != ISC_R_SUCCESS)
4430 for (result = dns_zone_first(server->zonemgr, &zone);
4431 result == ISC_R_SUCCESS;
4432 next = NULL, result = dns_zone_next(zone, &next), zone = next) {
4433 dns_view_t *zoneview;
4436 * At this point the zone list may contain a stale zone
4437 * just removed from the configuration. To see the validity,
4438 * check if the corresponding view is in our current view list.
4439 * There may also be old zones that are still in the process
4440 * of shutting down and have detached from their old view
4441 * (zoneview == NULL).
4443 zoneview = dns_zone_getview(zone);
4444 if (zoneview == NULL)
4446 for (view = ISC_LIST_HEAD(server->viewlist);
4447 view != NULL && view != zoneview;
4448 view = ISC_LIST_NEXT(view, link))
4453 addrp = dns_zone_getnotifysrc6(zone);
4454 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
4455 if (result != ISC_R_SUCCESS)
4458 addrp = dns_zone_getxfrsource6(zone);
4459 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
4460 if (result != ISC_R_SUCCESS)
4464 ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
4467 ns_listenlist_detach(&list);
4472 * Even when we failed the procedure, most of other interfaces
4473 * should work correctly. We therefore just warn it.
4475 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4476 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4477 "could not adjust the listen-on list; "
4478 "some interfaces may not work");
4483 * This event callback is invoked to do periodic network
4484 * interface scanning.
4487 interface_timer_tick(isc_task_t *task, isc_event_t *event) {
4488 isc_result_t result;
4489 ns_server_t *server = (ns_server_t *) event->ev_arg;
4490 INSIST(task == server->task);
4492 isc_event_free(&event);
4494 * XXX should scan interfaces unlocked and get exclusive access
4495 * only to replace ACLs.
4497 result = isc_task_beginexclusive(server->task);
4498 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4499 scan_interfaces(server, ISC_FALSE);
4500 isc_task_endexclusive(server->task);
4504 heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
4505 ns_server_t *server = (ns_server_t *) event->ev_arg;
4509 isc_event_free(&event);
4510 view = ISC_LIST_HEAD(server->viewlist);
4511 while (view != NULL) {
4512 dns_view_dialup(view);
4513 view = ISC_LIST_NEXT(view, link);
4518 pps_timer_tick(isc_task_t *task, isc_event_t *event) {
4519 static unsigned int oldrequests = 0;
4520 unsigned int requests = ns_client_requests;
4523 isc_event_free(&event);
4526 * Don't worry about wrapping as the overflow result will be right.
4528 dns_pps = (requests - oldrequests) / 1200;
4529 oldrequests = requests;
4533 * Replace the current value of '*field', a dynamically allocated
4534 * string or NULL, with a dynamically allocated copy of the
4535 * null-terminated string pointed to by 'value', or NULL.
4538 setstring(ns_server_t *server, char **field, const char *value) {
4541 if (value != NULL) {
4542 copy = isc_mem_strdup(server->mctx, value);
4544 return (ISC_R_NOMEMORY);
4550 isc_mem_free(server->mctx, *field);
4553 return (ISC_R_SUCCESS);
4557 * Replace the current value of '*field', a dynamically allocated
4558 * string or NULL, with another dynamically allocated string
4559 * or NULL if whether 'obj' is a string or void value, respectively.
4562 setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
4563 if (cfg_obj_isvoid(obj))
4564 return (setstring(server, field, NULL));
4566 return (setstring(server, field, cfg_obj_asstring(obj)));
4570 set_limit(const cfg_obj_t **maps, const char *configname,
4571 const char *description, isc_resource_t resourceid,
4572 isc_resourcevalue_t defaultvalue)
4574 const cfg_obj_t *obj = NULL;
4575 const char *resource;
4576 isc_resourcevalue_t value;
4577 isc_result_t result;
4579 if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
4582 if (cfg_obj_isstring(obj)) {
4583 resource = cfg_obj_asstring(obj);
4584 if (strcasecmp(resource, "unlimited") == 0)
4585 value = ISC_RESOURCE_UNLIMITED;
4587 INSIST(strcasecmp(resource, "default") == 0);
4588 value = defaultvalue;
4591 value = cfg_obj_asuint64(obj);
4593 result = isc_resource_setlimit(resourceid, value);
4594 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4595 result == ISC_R_SUCCESS ?
4596 ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
4597 "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
4598 description, value, isc_result_totext(result));
4601 #define SETLIMIT(cfgvar, resource, description) \
4602 set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
4603 ns_g_init ## resource)
4606 set_limits(const cfg_obj_t **maps) {
4607 SETLIMIT("stacksize", stacksize, "stack size");
4608 SETLIMIT("datasize", datasize, "data size");
4609 SETLIMIT("coresize", coresize, "core size");
4610 SETLIMIT("files", openfiles, "open files");
4614 portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
4615 isc_boolean_t positive)
4617 const cfg_listelt_t *element;
4619 for (element = cfg_list_first(ports);
4621 element = cfg_list_next(element)) {
4622 const cfg_obj_t *obj = cfg_listelt_value(element);
4624 if (cfg_obj_isuint32(obj)) {
4625 in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
4628 isc_portset_add(portset, port);
4630 isc_portset_remove(portset, port);
4632 const cfg_obj_t *obj_loport, *obj_hiport;
4633 in_port_t loport, hiport;
4635 obj_loport = cfg_tuple_get(obj, "loport");
4636 loport = (in_port_t)cfg_obj_asuint32(obj_loport);
4637 obj_hiport = cfg_tuple_get(obj, "hiport");
4638 hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
4641 isc_portset_addrange(portset, loport, hiport);
4643 isc_portset_removerange(portset, loport,
4651 removed(dns_zone_t *zone, void *uap) {
4654 if (dns_zone_getview(zone) != uap)
4655 return (ISC_R_SUCCESS);
4657 switch (dns_zone_gettype(zone)) {
4658 case dns_zone_master:
4661 case dns_zone_slave:
4667 case dns_zone_staticstub:
4668 type = "static-stub";
4670 case dns_zone_redirect:
4677 dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
4678 return (ISC_R_SUCCESS);
4682 cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
4683 if (server->session_keyfile != NULL) {
4684 isc_file_remove(server->session_keyfile);
4685 isc_mem_free(mctx, server->session_keyfile);
4686 server->session_keyfile = NULL;
4689 if (server->session_keyname != NULL) {
4690 if (dns_name_dynamic(server->session_keyname))
4691 dns_name_free(server->session_keyname, mctx);
4692 isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
4693 server->session_keyname = NULL;
4696 if (server->sessionkey != NULL)
4697 dns_tsigkey_detach(&server->sessionkey);
4699 server->session_keyalg = DST_ALG_UNKNOWN;
4700 server->session_keybits = 0;
4704 generate_session_key(const char *filename, const char *keynamestr,
4705 dns_name_t *keyname, const char *algstr,
4706 dns_name_t *algname, unsigned int algtype,
4707 isc_uint16_t bits, isc_mem_t *mctx,
4708 dns_tsigkey_t **tsigkeyp)
4710 isc_result_t result = ISC_R_SUCCESS;
4711 dst_key_t *key = NULL;
4712 isc_buffer_t key_txtbuffer;
4713 isc_buffer_t key_rawbuffer;
4714 char key_txtsecret[256];
4715 char key_rawsecret[64];
4716 isc_region_t key_rawregion;
4718 dns_tsigkey_t *tsigkey = NULL;
4721 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4722 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4723 "generating session key for dynamic DNS");
4726 result = dst_key_generate(keyname, algtype, bits, 1, 0,
4727 DNS_KEYPROTO_ANY, dns_rdataclass_in,
4729 if (result != ISC_R_SUCCESS)
4733 * Dump the key to the buffer for later use. Should be done before
4734 * we transfer the ownership of key to tsigkey.
4736 isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
4737 CHECK(dst_key_tobuffer(key, &key_rawbuffer));
4739 isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
4740 isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
4741 CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
4743 /* Store the key in tsigkey. */
4744 isc_stdtime_get(&now);
4745 CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
4746 ISC_FALSE, NULL, now, now, mctx, NULL,
4749 /* Dump the key to the key file. */
4750 fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
4752 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4753 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4754 "could not create %s", filename);
4755 result = ISC_R_NOPERM;
4759 fprintf(fp, "key \"%s\" {\n"
4761 "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
4762 (int) isc_buffer_usedlength(&key_txtbuffer),
4763 (char*) isc_buffer_base(&key_txtbuffer));
4765 CHECK(isc_stdio_flush(fp));
4766 CHECK(isc_stdio_close(fp));
4770 *tsigkeyp = tsigkey;
4772 return (ISC_R_SUCCESS);
4775 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4776 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4777 "failed to generate session key "
4778 "for dynamic DNS: %s", isc_result_totext(result));
4780 if (isc_file_exists(filename))
4781 (void)isc_file_remove(filename);
4782 (void)isc_stdio_close(fp);
4784 if (tsigkey != NULL)
4785 dns_tsigkey_detach(&tsigkey);
4793 configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
4796 const char *keyfile, *keynamestr, *algstr;
4797 unsigned int algtype;
4798 dns_fixedname_t fname;
4799 dns_name_t *keyname, *algname;
4800 isc_buffer_t buffer;
4802 const cfg_obj_t *obj;
4803 isc_boolean_t need_deleteold = ISC_FALSE;
4804 isc_boolean_t need_createnew = ISC_FALSE;
4805 isc_result_t result;
4808 result = ns_config_get(maps, "session-keyfile", &obj);
4809 if (result == ISC_R_SUCCESS) {
4810 if (cfg_obj_isvoid(obj))
4811 keyfile = NULL; /* disable it */
4813 keyfile = cfg_obj_asstring(obj);
4815 keyfile = ns_g_defaultsessionkeyfile;
4818 result = ns_config_get(maps, "session-keyname", &obj);
4819 INSIST(result == ISC_R_SUCCESS);
4820 keynamestr = cfg_obj_asstring(obj);
4821 dns_fixedname_init(&fname);
4822 isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
4823 isc_buffer_add(&buffer, strlen(keynamestr));
4824 keyname = dns_fixedname_name(&fname);
4825 result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
4826 if (result != ISC_R_SUCCESS)
4830 result = ns_config_get(maps, "session-keyalg", &obj);
4831 INSIST(result == ISC_R_SUCCESS);
4832 algstr = cfg_obj_asstring(obj);
4834 result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
4835 if (result != ISC_R_SUCCESS) {
4836 const char *s = " (keeping current key)";
4838 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
4839 "unsupported or unknown algorithm '%s'%s",
4841 server->session_keyfile != NULL ? s : "");
4845 /* See if we need to (re)generate a new key. */
4846 if (keyfile == NULL) {
4847 if (server->session_keyfile != NULL)
4848 need_deleteold = ISC_TRUE;
4849 } else if (server->session_keyfile == NULL)
4850 need_createnew = ISC_TRUE;
4851 else if (strcmp(keyfile, server->session_keyfile) != 0 ||
4852 !dns_name_equal(server->session_keyname, keyname) ||
4853 server->session_keyalg != algtype ||
4854 server->session_keybits != bits) {
4855 need_deleteold = ISC_TRUE;
4856 need_createnew = ISC_TRUE;
4859 if (need_deleteold) {
4860 INSIST(server->session_keyfile != NULL);
4861 INSIST(server->session_keyname != NULL);
4862 INSIST(server->sessionkey != NULL);
4864 cleanup_session_key(server, mctx);
4867 if (need_createnew) {
4868 INSIST(server->sessionkey == NULL);
4869 INSIST(server->session_keyfile == NULL);
4870 INSIST(server->session_keyname == NULL);
4871 INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
4872 INSIST(server->session_keybits == 0);
4874 server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
4875 if (server->session_keyname == NULL)
4877 dns_name_init(server->session_keyname, NULL);
4878 CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
4880 server->session_keyfile = isc_mem_strdup(mctx, keyfile);
4881 if (server->session_keyfile == NULL)
4884 server->session_keyalg = algtype;
4885 server->session_keybits = bits;
4887 CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
4888 algname, algtype, bits, mctx,
4889 &server->sessionkey));
4895 cleanup_session_key(server, mctx);
4900 setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
4901 cfg_parser_t *parser, cfg_aclconfctx_t *actx)
4903 isc_result_t result = ISC_R_SUCCESS;
4904 isc_boolean_t allow = ISC_FALSE;
4905 struct cfg_context *nzcfg = NULL;
4906 cfg_parser_t *nzparser = NULL;
4907 cfg_obj_t *nzconfig = NULL;
4908 const cfg_obj_t *maps[4];
4909 const cfg_obj_t *options = NULL, *voptions = NULL;
4910 const cfg_obj_t *nz = NULL;
4913 REQUIRE (config != NULL);
4915 if (vconfig != NULL)
4916 voptions = cfg_tuple_get(vconfig, "options");
4917 if (voptions != NULL)
4918 maps[i++] = voptions;
4919 result = cfg_map_get(config, "options", &options);
4920 if (result == ISC_R_SUCCESS)
4921 maps[i++] = options;
4922 maps[i++] = ns_g_defaults;
4925 result = ns_config_get(maps, "allow-new-zones", &nz);
4926 if (result == ISC_R_SUCCESS)
4927 allow = cfg_obj_asboolean(nz);
4930 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4931 return (ISC_R_SUCCESS);
4934 nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
4935 if (nzcfg == NULL) {
4936 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4937 return (ISC_R_NOMEMORY);
4940 dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
4942 memset(nzcfg, 0, sizeof(*nzcfg));
4943 isc_mem_attach(view->mctx, &nzcfg->mctx);
4944 cfg_obj_attach(config, &nzcfg->config);
4945 cfg_parser_attach(parser, &nzcfg->parser);
4946 cfg_aclconfctx_attach(actx, &nzcfg->actx);
4949 * Attempt to create a parser and parse the newzones
4950 * file. If successful, preserve both; otherwise leave
4953 result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
4954 if (result == ISC_R_SUCCESS)
4955 result = cfg_parse_file(nzparser, view->new_zone_file,
4956 &cfg_type_newzones, &nzconfig);
4957 if (result == ISC_R_SUCCESS) {
4958 cfg_parser_attach(nzparser, &nzcfg->nzparser);
4959 cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
4962 if (nzparser != NULL) {
4963 if (nzconfig != NULL)
4964 cfg_obj_destroy(nzparser, &nzconfig);
4965 cfg_parser_destroy(&nzparser);
4968 return (ISC_R_SUCCESS);
4972 count_zones(const cfg_obj_t *conf) {
4973 const cfg_obj_t *zonelist = NULL;
4974 const cfg_listelt_t *element;
4977 REQUIRE(conf != NULL);
4979 cfg_map_get(conf, "zone", &zonelist);
4980 for (element = cfg_list_first(zonelist);
4982 element = cfg_list_next(element))
4989 load_configuration(const char *filename, ns_server_t *server,
4990 isc_boolean_t first_time)
4992 cfg_obj_t *config = NULL, *bindkeys = NULL;
4993 cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
4994 const cfg_listelt_t *element;
4995 const cfg_obj_t *builtin_views;
4996 const cfg_obj_t *maps[3];
4997 const cfg_obj_t *obj;
4998 const cfg_obj_t *options;
4999 const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
5000 const cfg_obj_t *views;
5001 dns_view_t *view = NULL;
5002 dns_view_t *view_next;
5003 dns_viewlist_t tmpviewlist;
5004 dns_viewlist_t viewlist, builtin_viewlist;
5005 in_port_t listen_port, udpport_low, udpport_high;
5008 isc_boolean_t exclusive = ISC_FALSE;
5009 isc_interval_t interval;
5010 isc_logconfig_t *logc = NULL;
5011 isc_portset_t *v4portset = NULL;
5012 isc_portset_t *v6portset = NULL;
5013 isc_resourcevalue_t nfiles;
5014 isc_result_t result;
5015 isc_uint32_t heartbeat_interval;
5016 isc_uint32_t interface_interval;
5017 isc_uint32_t reserved;
5018 isc_uint32_t udpsize;
5020 ns_cachelist_t cachelist, tmpcachelist;
5021 struct cfg_context *nzctx;
5022 unsigned int maxsocks;
5023 #ifdef ENABLE_FETCHLIMIT
5024 isc_uint32_t softquota = 0;
5025 #endif /* ENABLE_FETCHLIMIT */
5027 ISC_LIST_INIT(viewlist);
5028 ISC_LIST_INIT(builtin_viewlist);
5029 ISC_LIST_INIT(cachelist);
5031 /* Create the ACL configuration context */
5032 if (ns_g_aclconfctx != NULL)
5033 cfg_aclconfctx_detach(&ns_g_aclconfctx);
5034 CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
5037 * Parse the global default pseudo-config file.
5040 CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
5041 RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
5042 &ns_g_defaults) == ISC_R_SUCCESS);
5046 * Parse the configuration file using the new config code.
5048 result = ISC_R_FAILURE;
5052 * Unless this is lwresd with the -C option, parse the config file.
5054 if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
5055 isc_log_write(ns_g_lctx,
5056 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5057 ISC_LOG_INFO, "loading configuration from '%s'",
5059 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
5060 cfg_parser_setcallback(conf_parser, directory_callback, NULL);
5061 result = cfg_parse_file(conf_parser, filename,
5062 &cfg_type_namedconf, &config);
5066 * If this is lwresd with the -C option, or lwresd with no -C or -c
5067 * option where the above parsing failed, parse resolv.conf.
5069 if (ns_g_lwresdonly &&
5070 (lwresd_g_useresolvconf ||
5071 (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
5073 isc_log_write(ns_g_lctx,
5074 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5075 ISC_LOG_INFO, "loading configuration from '%s'",
5076 lwresd_g_resolvconffile);
5077 if (conf_parser != NULL)
5078 cfg_parser_destroy(&conf_parser);
5079 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
5080 result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
5086 * Check the validity of the configuration.
5088 CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
5091 * Fill in the maps array, used for resolving defaults.
5095 result = cfg_map_get(config, "options", &options);
5096 if (result == ISC_R_SUCCESS)
5097 maps[i++] = options;
5098 maps[i++] = ns_g_defaults;
5102 * If bind.keys exists, load it. If "dnssec-lookaside auto"
5103 * is turned on, the keys found there will be used as default
5107 result = ns_config_get(maps, "bindkeys-file", &obj);
5108 INSIST(result == ISC_R_SUCCESS);
5109 CHECKM(setstring(server, &server->bindkeysfile,
5110 cfg_obj_asstring(obj)), "strdup");
5112 if (access(server->bindkeysfile, R_OK) == 0) {
5113 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5114 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5115 "reading built-in trusted "
5116 "keys from file '%s'", server->bindkeysfile);
5118 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
5121 result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
5122 &cfg_type_bindkeys, &bindkeys);
5126 /* Ensure exclusive access to configuration data. */
5128 result = isc_task_beginexclusive(server->task);
5129 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5130 exclusive = ISC_TRUE;
5134 * Set process limits, which (usually) needs to be done as root.
5139 * Check if max number of open sockets that the system allows is
5140 * sufficiently large. Failing this condition is not necessarily fatal,
5141 * but may cause subsequent runtime failures for a busy recursive
5144 result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
5145 if (result != ISC_R_SUCCESS)
5147 result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
5148 if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
5149 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5150 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
5151 "max open files (%" ISC_PRINT_QUADFORMAT "u)"
5152 " is smaller than max sockets (%u)",
5157 * Set the number of socket reserved for TCP, stdio etc.
5160 result = ns_config_get(maps, "reserved-sockets", &obj);
5161 INSIST(result == ISC_R_SUCCESS);
5162 reserved = cfg_obj_asuint32(obj);
5163 if (maxsocks != 0) {
5164 if (maxsocks < 128U) /* Prevent underflow. */
5166 else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
5167 reserved = maxsocks - 128;
5169 /* Minimum TCP/stdio space. */
5170 if (reserved < 128U)
5172 if (reserved + 128U > maxsocks && maxsocks != 0) {
5173 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5174 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
5175 "less than 128 UDP sockets available after "
5176 "applying 'reserved-sockets' and 'maxsockets'");
5178 isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
5181 * Configure various server options.
5183 configure_server_quota(maps, "transfers-out", &server->xfroutquota);
5184 configure_server_quota(maps, "tcp-clients", &server->tcpquota);
5185 configure_server_quota(maps, "recursive-clients",
5186 &server->recursionquota);
5188 #ifdef ENABLE_FETCHLIMIT
5189 if (server->recursionquota.max > 1000) {
5190 int margin = ISC_MAX(100, ns_g_cpus + 1);
5191 if (margin > server->recursionquota.max - 100) {
5192 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5193 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5194 "'recursive-clients %d' too low when "
5195 "running with %d worker threads",
5196 server->recursionquota.max, ns_g_cpus);
5199 softquota = server->recursionquota.max - margin;
5201 softquota = (server->recursionquota.max * 90) / 100;
5203 isc_quota_soft(&server->recursionquota, softquota);
5205 if (server->recursionquota.max > 1000) {
5206 isc_quota_soft(&server->recursionquota,
5207 server->recursionquota.max - 100);
5209 isc_quota_soft(&server->recursionquota, 0);
5210 #endif /* !ENABLE_FETCHLIMIT */
5212 CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
5213 ns_g_aclconfctx, ns_g_mctx,
5214 &server->blackholeacl));
5215 if (server->blackholeacl != NULL)
5216 dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
5217 server->blackholeacl);
5220 result = ns_config_get(maps, "match-mapped-addresses", &obj);
5221 INSIST(result == ISC_R_SUCCESS);
5222 server->aclenv.match_mapped = cfg_obj_asboolean(obj);
5224 CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
5225 "configuring statistics server(s)");
5228 * Configure sets of UDP query source ports.
5230 CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
5231 "creating UDP port set");
5232 CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
5233 "creating UDP port set");
5237 avoidv4ports = NULL;
5238 avoidv6ports = NULL;
5240 (void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
5241 if (usev4ports != NULL)
5242 portset_fromconf(v4portset, usev4ports, ISC_TRUE);
5244 CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
5246 "get the default UDP/IPv4 port range");
5247 if (udpport_low == udpport_high)
5248 isc_portset_add(v4portset, udpport_low);
5250 isc_portset_addrange(v4portset, udpport_low,
5254 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5255 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5256 "using default UDP/IPv4 port range: "
5257 "[%d, %d]", udpport_low, udpport_high);
5259 (void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
5260 if (avoidv4ports != NULL)
5261 portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
5263 (void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
5264 if (usev6ports != NULL)
5265 portset_fromconf(v6portset, usev6ports, ISC_TRUE);
5267 CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
5269 "get the default UDP/IPv6 port range");
5270 if (udpport_low == udpport_high)
5271 isc_portset_add(v6portset, udpport_low);
5273 isc_portset_addrange(v6portset, udpport_low,
5277 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5278 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5279 "using default UDP/IPv6 port range: "
5280 "[%d, %d]", udpport_low, udpport_high);
5282 (void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
5283 if (avoidv6ports != NULL)
5284 portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
5286 dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
5289 * Set the EDNS UDP size when we don't match a view.
5292 result = ns_config_get(maps, "edns-udp-size", &obj);
5293 INSIST(result == ISC_R_SUCCESS);
5294 udpsize = cfg_obj_asuint32(obj);
5299 ns_g_udpsize = (isc_uint16_t)udpsize;
5302 * Configure the zone manager.
5305 result = ns_config_get(maps, "transfers-in", &obj);
5306 INSIST(result == ISC_R_SUCCESS);
5307 dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
5310 result = ns_config_get(maps, "transfers-per-ns", &obj);
5311 INSIST(result == ISC_R_SUCCESS);
5312 dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
5315 result = ns_config_get(maps, "serial-query-rate", &obj);
5316 INSIST(result == ISC_R_SUCCESS);
5317 dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
5320 * Determine which port to use for listening for incoming connections.
5323 listen_port = ns_g_port;
5325 CHECKM(ns_config_getport(config, &listen_port), "port");
5328 * Find the listen queue depth.
5331 result = ns_config_get(maps, "tcp-listen-queue", &obj);
5332 INSIST(result == ISC_R_SUCCESS);
5333 ns_g_listen = cfg_obj_asuint32(obj);
5334 if ((ns_g_listen > 0) && (ns_g_listen < 10))
5338 * Configure the interface manager according to the "listen-on"
5342 const cfg_obj_t *clistenon = NULL;
5343 ns_listenlist_t *listenon = NULL;
5347 * Even though listen-on is present in the default
5348 * configuration, we can't use it here, since it isn't
5349 * used if we're in lwresd mode. This way is easier.
5351 if (options != NULL)
5352 (void)cfg_map_get(options, "listen-on", &clistenon);
5353 if (clistenon != NULL) {
5354 /* check return code? */
5355 (void)ns_listenlist_fromconfig(clistenon, config,
5359 } else if (!ns_g_lwresdonly) {
5361 * Not specified, use default.
5363 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
5364 ISC_TRUE, &listenon));
5366 if (listenon != NULL) {
5367 ns_interfacemgr_setlistenon4(server->interfacemgr,
5369 ns_listenlist_detach(&listenon);
5376 const cfg_obj_t *clistenon = NULL;
5377 ns_listenlist_t *listenon = NULL;
5379 if (options != NULL)
5380 (void)cfg_map_get(options, "listen-on-v6", &clistenon);
5381 if (clistenon != NULL) {
5382 /* check return code? */
5383 (void)ns_listenlist_fromconfig(clistenon, config,
5385 ns_g_mctx, AF_INET6,
5387 } else if (!ns_g_lwresdonly) {
5388 isc_boolean_t enable;
5390 * Not specified, use default.
5392 enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
5393 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
5394 enable, &listenon));
5396 if (listenon != NULL) {
5397 ns_interfacemgr_setlistenon6(server->interfacemgr,
5399 ns_listenlist_detach(&listenon);
5404 * Rescan the interface list to pick up changes in the
5405 * listen-on option. It's important that we do this before we try
5406 * to configure the query source, since the dispatcher we use might
5407 * be shared with an interface.
5409 scan_interfaces(server, ISC_TRUE);
5412 * Arrange for further interface scanning to occur periodically
5413 * as specified by the "interface-interval" option.
5416 result = ns_config_get(maps, "interface-interval", &obj);
5417 INSIST(result == ISC_R_SUCCESS);
5418 interface_interval = cfg_obj_asuint32(obj) * 60;
5419 if (interface_interval == 0) {
5420 CHECK(isc_timer_reset(server->interface_timer,
5421 isc_timertype_inactive,
5422 NULL, NULL, ISC_TRUE));
5423 } else if (server->interface_interval != interface_interval) {
5424 isc_interval_set(&interval, interface_interval, 0);
5425 CHECK(isc_timer_reset(server->interface_timer,
5426 isc_timertype_ticker,
5427 NULL, &interval, ISC_FALSE));
5429 server->interface_interval = interface_interval;
5432 * Configure the dialup heartbeat timer.
5435 result = ns_config_get(maps, "heartbeat-interval", &obj);
5436 INSIST(result == ISC_R_SUCCESS);
5437 heartbeat_interval = cfg_obj_asuint32(obj) * 60;
5438 if (heartbeat_interval == 0) {
5439 CHECK(isc_timer_reset(server->heartbeat_timer,
5440 isc_timertype_inactive,
5441 NULL, NULL, ISC_TRUE));
5442 } else if (server->heartbeat_interval != heartbeat_interval) {
5443 isc_interval_set(&interval, heartbeat_interval, 0);
5444 CHECK(isc_timer_reset(server->heartbeat_timer,
5445 isc_timertype_ticker,
5446 NULL, &interval, ISC_FALSE));
5448 server->heartbeat_interval = heartbeat_interval;
5450 isc_interval_set(&interval, 1200, 0);
5451 CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
5452 &interval, ISC_FALSE));
5455 * Write the PID file.
5458 if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
5459 if (cfg_obj_isvoid(obj))
5460 ns_os_writepidfile(NULL, first_time);
5462 ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
5463 else if (ns_g_lwresdonly)
5464 ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
5466 ns_os_writepidfile(ns_g_defaultpidfile, first_time);
5469 * Configure the server-wide session key. This must be done before
5470 * configure views because zone configuration may need to know
5473 * Failure of session key generation isn't fatal at this time; if it
5474 * turns out that a session key is really needed but doesn't exist,
5475 * we'll treat it as a fatal error then.
5477 (void)configure_session_key(maps, server, ns_g_mctx);
5480 (void)cfg_map_get(config, "view", &views);
5483 * Create the views and count all the configured zones in
5484 * order to correctly size the zone manager's task table.
5485 * (We only count zones for configured views; the built-in
5486 * "bind" view can be ignored as it only adds a negligible
5489 * If we're allowing new zones, we need to be able to find the
5490 * new zone file and count those as well. So we setup the new
5491 * zone configuration context, but otherwise view configuration
5492 * waits until after the zone manager's task list has been sized.
5494 for (element = cfg_list_first(views);
5496 element = cfg_list_next(element))
5498 cfg_obj_t *vconfig = cfg_listelt_value(element);
5499 const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
5502 CHECK(create_view(vconfig, &viewlist, &view));
5503 INSIST(view != NULL);
5505 num_zones += count_zones(voptions);
5506 CHECK(setup_newzones(view, config, vconfig, conf_parser,
5509 nzctx = view->new_zone_config;
5510 if (nzctx != NULL && nzctx->nzconfig != NULL)
5511 num_zones += count_zones(nzctx->nzconfig);
5513 dns_view_detach(&view);
5517 * If there were no explicit views then we do the default
5520 if (views == NULL) {
5521 CHECK(create_view(NULL, &viewlist, &view));
5522 INSIST(view != NULL);
5524 num_zones = count_zones(config);
5526 CHECK(setup_newzones(view, config, NULL, conf_parser,
5529 nzctx = view->new_zone_config;
5530 if (nzctx != NULL && nzctx->nzconfig != NULL)
5531 num_zones += count_zones(nzctx->nzconfig);
5533 dns_view_detach(&view);
5537 * Zones have been counted; set the zone manager task pool size.
5539 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5540 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5541 "sizing zone task pool based on %d zones", num_zones);
5542 CHECK(dns_zonemgr_setsize(ns_g_server->zonemgr, num_zones));
5545 * Configure and freeze all explicit views. Explicit
5546 * views that have zones were already created at parsing
5547 * time, but views with no zones must be created here.
5549 for (element = cfg_list_first(views);
5551 element = cfg_list_next(element))
5553 cfg_obj_t *vconfig = cfg_listelt_value(element);
5556 CHECK(find_view(vconfig, &viewlist, &view));
5557 CHECK(configure_view(view, config, vconfig,
5558 &cachelist, bindkeys, ns_g_mctx,
5559 ns_g_aclconfctx, ISC_TRUE));
5560 dns_view_freeze(view);
5561 dns_view_detach(&view);
5565 * Make sure we have a default view if and only if there
5566 * were no explicit views.
5568 if (views == NULL) {
5570 CHECK(find_view(NULL, &viewlist, &view));
5571 CHECK(configure_view(view, config, NULL,
5572 &cachelist, bindkeys,
5573 ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
5574 dns_view_freeze(view);
5575 dns_view_detach(&view);
5579 * Create (or recreate) the built-in views.
5581 builtin_views = NULL;
5582 RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
5583 &builtin_views) == ISC_R_SUCCESS);
5584 for (element = cfg_list_first(builtin_views);
5586 element = cfg_list_next(element))
5588 cfg_obj_t *vconfig = cfg_listelt_value(element);
5590 CHECK(create_view(vconfig, &builtin_viewlist, &view));
5591 CHECK(configure_view(view, config, vconfig,
5592 &cachelist, bindkeys,
5593 ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
5594 dns_view_freeze(view);
5595 dns_view_detach(&view);
5599 /* Now combine the two viewlists into one */
5600 ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
5602 /* Swap our new view list with the production one. */
5603 tmpviewlist = server->viewlist;
5604 server->viewlist = viewlist;
5605 viewlist = tmpviewlist;
5607 /* Make the view list available to each of the views */
5608 view = ISC_LIST_HEAD(server->viewlist);
5609 while (view != NULL) {
5610 view->viewlist = &server->viewlist;
5611 view = ISC_LIST_NEXT(view, link);
5614 /* Swap our new cache list with the production one. */
5615 tmpcachelist = server->cachelist;
5616 server->cachelist = cachelist;
5617 cachelist = tmpcachelist;
5619 /* Load the TKEY information from the configuration. */
5620 if (options != NULL) {
5621 dns_tkeyctx_t *t = NULL;
5622 CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
5624 "configuring TKEY");
5625 if (server->tkeyctx != NULL)
5626 dns_tkeyctx_destroy(&server->tkeyctx);
5627 server->tkeyctx = t;
5631 * Bind the control port(s).
5633 CHECKM(ns_controls_configure(ns_g_server->controls, config,
5635 "binding control channel(s)");
5638 * Bind the lwresd port(s).
5640 CHECKM(ns_lwresd_configure(ns_g_mctx, config),
5641 "binding lightweight resolver ports");
5644 * Open the source of entropy.
5648 result = ns_config_get(maps, "random-device", &obj);
5649 if (result != ISC_R_SUCCESS) {
5650 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5651 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5652 "no source of entropy found");
5654 const char *randomdev = cfg_obj_asstring(obj);
5655 result = isc_entropy_createfilesource(ns_g_entropy,
5657 if (result != ISC_R_SUCCESS)
5658 isc_log_write(ns_g_lctx,
5659 NS_LOGCATEGORY_GENERAL,
5660 NS_LOGMODULE_SERVER,
5662 "could not open entropy source "
5665 isc_result_totext(result));
5666 #ifdef PATH_RANDOMDEV
5667 if (ns_g_fallbackentropy != NULL) {
5668 if (result != ISC_R_SUCCESS) {
5669 isc_log_write(ns_g_lctx,
5670 NS_LOGCATEGORY_GENERAL,
5671 NS_LOGMODULE_SERVER,
5673 "using pre-chroot entropy source "
5676 isc_entropy_detach(&ns_g_entropy);
5677 isc_entropy_attach(ns_g_fallbackentropy,
5680 isc_entropy_detach(&ns_g_fallbackentropy);
5687 * Relinquish root privileges.
5693 * Check that the working directory is writable.
5695 if (access(".", W_OK) != 0) {
5696 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5697 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5698 "the working directory is not writable");
5702 * Configure the logging system.
5704 * Do this after changing UID to make sure that any log
5705 * files specified in named.conf get created by the
5706 * unprivileged user, not root.
5708 if (ns_g_logstderr) {
5709 const cfg_obj_t *logobj = NULL;
5711 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5712 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5713 "not using config file logging "
5714 "statement for logging due to "
5717 (void)cfg_map_get(config, "logging", &logobj);
5718 if (logobj != NULL) {
5719 result = ns_log_configure(NULL, logobj);
5720 if (result != ISC_R_SUCCESS) {
5721 isc_log_write(ns_g_lctx,
5722 NS_LOGCATEGORY_GENERAL,
5723 NS_LOGMODULE_SERVER,
5725 "checking logging configuration "
5727 isc_result_totext(result));
5732 const cfg_obj_t *logobj = NULL;
5734 CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
5735 "creating new logging configuration");
5738 (void)cfg_map_get(config, "logging", &logobj);
5739 if (logobj != NULL) {
5740 CHECKM(ns_log_configure(logc, logobj),
5741 "configuring logging");
5743 CHECKM(ns_log_setdefaultchannels(logc),
5744 "setting up default logging channels");
5745 CHECKM(ns_log_setunmatchedcategory(logc),
5746 "setting up default 'category unmatched'");
5747 CHECKM(ns_log_setdefaultcategory(logc),
5748 "setting up default 'category default'");
5751 CHECKM(isc_logconfig_use(ns_g_lctx, logc),
5752 "installing logging configuration");
5755 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5756 NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
5757 "now using logging configuration from "
5762 * Set the default value of the query logging flag depending
5763 * whether a "queries" category has been defined. This is
5764 * a disgusting hack, but we need to do this for BIND 8
5768 const cfg_obj_t *logobj = NULL;
5769 const cfg_obj_t *categories = NULL;
5772 if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
5773 server->log_queries = cfg_obj_asboolean(obj);
5776 (void)cfg_map_get(config, "logging", &logobj);
5778 (void)cfg_map_get(logobj, "category",
5780 if (categories != NULL) {
5781 for (element = cfg_list_first(categories);
5783 element = cfg_list_next(element))
5785 const cfg_obj_t *catobj;
5788 obj = cfg_listelt_value(element);
5789 catobj = cfg_tuple_get(obj, "name");
5790 str = cfg_obj_asstring(catobj);
5791 if (strcasecmp(str, "queries") == 0)
5792 server->log_queries = ISC_TRUE;
5800 if (options != NULL &&
5801 cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
5802 ns_g_memstatistics = cfg_obj_asboolean(obj);
5804 ns_g_memstatistics =
5805 ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
5808 if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
5809 ns_main_setmemstats(cfg_obj_asstring(obj));
5810 else if (ns_g_memstatistics)
5811 ns_main_setmemstats("named.memstats");
5813 ns_main_setmemstats(NULL);
5816 result = ns_config_get(maps, "statistics-file", &obj);
5817 INSIST(result == ISC_R_SUCCESS);
5818 CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
5822 result = ns_config_get(maps, "dump-file", &obj);
5823 INSIST(result == ISC_R_SUCCESS);
5824 CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
5828 result = ns_config_get(maps, "secroots-file", &obj);
5829 INSIST(result == ISC_R_SUCCESS);
5830 CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
5834 result = ns_config_get(maps, "recursing-file", &obj);
5835 INSIST(result == ISC_R_SUCCESS);
5836 CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
5840 result = ns_config_get(maps, "version", &obj);
5841 if (result == ISC_R_SUCCESS) {
5842 CHECKM(setoptstring(server, &server->version, obj), "strdup");
5843 server->version_set = ISC_TRUE;
5845 server->version_set = ISC_FALSE;
5849 result = ns_config_get(maps, "hostname", &obj);
5850 if (result == ISC_R_SUCCESS) {
5851 CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
5852 server->hostname_set = ISC_TRUE;
5854 server->hostname_set = ISC_FALSE;
5858 result = ns_config_get(maps, "server-id", &obj);
5859 server->server_usehostname = ISC_FALSE;
5860 if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
5861 /* The parser translates "hostname" to ISC_TRUE */
5862 server->server_usehostname = cfg_obj_asboolean(obj);
5863 result = setstring(server, &server->server_id, NULL);
5864 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5865 } else if (result == ISC_R_SUCCESS) {
5866 /* Found a quoted string */
5867 CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
5869 result = setstring(server, &server->server_id, NULL);
5870 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5874 result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
5875 if (result == ISC_R_SUCCESS) {
5876 server->flushonshutdown = cfg_obj_asboolean(obj);
5878 server->flushonshutdown = ISC_FALSE;
5881 result = ISC_R_SUCCESS;
5885 isc_logconfig_destroy(&logc);
5887 if (v4portset != NULL)
5888 isc_portset_destroy(ns_g_mctx, &v4portset);
5890 if (v6portset != NULL)
5891 isc_portset_destroy(ns_g_mctx, &v6portset);
5893 if (conf_parser != NULL) {
5895 cfg_obj_destroy(conf_parser, &config);
5896 cfg_parser_destroy(&conf_parser);
5899 if (bindkeys_parser != NULL) {
5900 if (bindkeys != NULL)
5901 cfg_obj_destroy(bindkeys_parser, &bindkeys);
5902 cfg_parser_destroy(&bindkeys_parser);
5906 dns_view_detach(&view);
5908 ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
5911 * This cleans up either the old production view list
5912 * or our temporary list depending on whether they
5913 * were swapped above or not.
5915 for (view = ISC_LIST_HEAD(viewlist);
5918 view_next = ISC_LIST_NEXT(view, link);
5919 ISC_LIST_UNLINK(viewlist, view, link);
5920 if (result == ISC_R_SUCCESS &&
5921 strcmp(view->name, "_bind") != 0)
5922 (void)dns_zt_apply(view->zonetable, ISC_FALSE,
5924 dns_view_detach(&view);
5927 /* Same cleanup for cache list. */
5928 while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
5929 ISC_LIST_UNLINK(cachelist, nsc, link);
5930 dns_cache_detach(&nsc->cache);
5931 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
5935 * Adjust the listening interfaces in accordance with the source
5936 * addresses specified in views and zones.
5938 if (isc_net_probeipv6() == ISC_R_SUCCESS)
5939 adjust_interfaces(server, ns_g_mctx);
5941 /* Relinquish exclusive access to configuration data. */
5943 isc_task_endexclusive(server->task);
5945 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5946 ISC_LOG_DEBUG(1), "load_configuration: %s",
5947 isc_result_totext(result));
5953 view_loaded(void *arg) {
5954 isc_result_t result;
5955 ns_zoneload_t *zl = (ns_zoneload_t *) arg;
5956 ns_server_t *server = zl->server;
5961 * Force zone maintenance. Do this after loading
5962 * so that we know when we need to force AXFR of
5963 * slave zones whose master files are missing.
5965 * We use the zoneload reference counter to let us
5966 * know when all views are finished.
5968 isc_refcount_decrement(&zl->refs, &refs);
5970 return (ISC_R_SUCCESS);
5972 isc_refcount_destroy(&zl->refs);
5973 isc_mem_put(server->mctx, zl, sizeof (*zl));
5975 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5976 ISC_LOG_NOTICE, "all zones loaded");
5977 CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
5978 "forcing zone maintenance");
5981 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5982 ISC_LOG_NOTICE, "running");
5984 return (ISC_R_SUCCESS);
5988 load_zones(ns_server_t *server, isc_boolean_t init) {
5989 isc_result_t result;
5992 unsigned int refs = 0;
5994 zl = isc_mem_get(server->mctx, sizeof (*zl));
5996 return (ISC_R_NOMEMORY);
5997 zl->server = server;
5999 result = isc_task_beginexclusive(server->task);
6000 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6002 isc_refcount_init(&zl->refs, 1);
6005 * Schedule zones to be loaded from disk.
6007 for (view = ISC_LIST_HEAD(server->viewlist);
6009 view = ISC_LIST_NEXT(view, link))
6011 if (view->managed_keys != NULL) {
6012 result = dns_zone_load(view->managed_keys);
6013 if (result != ISC_R_SUCCESS &&
6014 result != DNS_R_UPTODATE &&
6015 result != DNS_R_CONTINUE)
6018 if (view->redirect != NULL) {
6019 result = dns_zone_load(view->redirect);
6020 if (result != ISC_R_SUCCESS &&
6021 result != DNS_R_UPTODATE &&
6022 result != DNS_R_CONTINUE)
6027 * 'dns_view_asyncload' calls view_loaded if there are no
6030 isc_refcount_increment(&zl->refs, NULL);
6031 CHECK(dns_view_asyncload(view, view_loaded, zl));
6035 isc_refcount_decrement(&zl->refs, &refs);
6037 isc_refcount_destroy(&zl->refs);
6038 isc_mem_put(server->mctx, zl, sizeof (*zl));
6041 * Place the task manager into privileged mode. This
6042 * ensures that after we leave task-exclusive mode, no
6043 * other tasks will be able to run except for the ones
6044 * that are loading zones. (This should only be done during
6045 * the initial server setup; it isn't necessary during
6048 isc_taskmgr_setmode(ns_g_taskmgr, isc_taskmgrmode_privileged);
6051 isc_task_endexclusive(server->task);
6056 load_new_zones(ns_server_t *server, isc_boolean_t stop) {
6057 isc_result_t result;
6060 result = isc_task_beginexclusive(server->task);
6061 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6064 * Load zone data from disk.
6066 for (view = ISC_LIST_HEAD(server->viewlist);
6068 view = ISC_LIST_NEXT(view, link))
6070 CHECK(dns_view_loadnew(view, stop));
6072 /* Load managed-keys data */
6073 if (view->managed_keys != NULL)
6074 CHECK(dns_zone_loadnew(view->managed_keys));
6075 if (view->redirect != NULL)
6076 CHECK(dns_zone_loadnew(view->redirect));
6082 dns_zonemgr_resumexfrs(server->zonemgr);
6084 isc_task_endexclusive(server->task);
6089 run_server(isc_task_t *task, isc_event_t *event) {
6090 isc_result_t result;
6091 ns_server_t *server = (ns_server_t *)event->ev_arg;
6093 INSIST(task == server->task);
6095 isc_event_free(&event);
6097 CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
6099 "creating dispatch manager");
6101 dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
6103 CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
6104 ns_g_socketmgr, ns_g_dispatchmgr,
6105 &server->interfacemgr),
6106 "creating interface manager");
6108 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
6109 NULL, NULL, server->task,
6110 interface_timer_tick,
6111 server, &server->interface_timer),
6112 "creating interface timer");
6114 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
6115 NULL, NULL, server->task,
6116 heartbeat_timer_tick,
6117 server, &server->heartbeat_timer),
6118 "creating heartbeat timer");
6120 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
6121 NULL, NULL, server->task, pps_timer_tick,
6122 server, &server->pps_timer),
6123 "creating pps timer");
6125 CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
6126 "creating default configuration parser");
6128 if (ns_g_lwresdonly)
6129 CHECKFATAL(load_configuration(lwresd_g_conffile, server,
6131 "loading configuration");
6133 CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
6134 "loading configuration");
6138 CHECKFATAL(load_zones(server, ISC_TRUE), "loading zones");
6142 ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
6144 REQUIRE(NS_SERVER_VALID(server));
6146 server->flushonshutdown = flush;
6150 shutdown_server(isc_task_t *task, isc_event_t *event) {
6151 isc_result_t result;
6152 dns_view_t *view, *view_next;
6153 ns_server_t *server = (ns_server_t *)event->ev_arg;
6154 isc_boolean_t flush = server->flushonshutdown;
6158 INSIST(task == server->task);
6160 result = isc_task_beginexclusive(server->task);
6161 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6163 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
6164 ISC_LOG_INFO, "shutting down%s",
6165 flush ? ": flushing changes" : "");
6167 ns_statschannels_shutdown(server);
6168 ns_controls_shutdown(server->controls);
6169 end_reserved_dispatches(server, ISC_TRUE);
6170 cleanup_session_key(server, server->mctx);
6172 if (ns_g_aclconfctx != NULL)
6173 cfg_aclconfctx_detach(&ns_g_aclconfctx);
6175 cfg_obj_destroy(ns_g_parser, &ns_g_config);
6176 cfg_parser_destroy(&ns_g_parser);
6178 for (view = ISC_LIST_HEAD(server->viewlist);
6181 view_next = ISC_LIST_NEXT(view, link);
6182 ISC_LIST_UNLINK(server->viewlist, view, link);
6184 dns_view_flushanddetach(&view);
6186 dns_view_detach(&view);
6189 while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
6190 ISC_LIST_UNLINK(server->cachelist, nsc, link);
6191 dns_cache_detach(&nsc->cache);
6192 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
6195 isc_timer_detach(&server->interface_timer);
6196 isc_timer_detach(&server->heartbeat_timer);
6197 isc_timer_detach(&server->pps_timer);
6199 ns_interfacemgr_shutdown(server->interfacemgr);
6200 ns_interfacemgr_detach(&server->interfacemgr);
6202 dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
6204 dns_zonemgr_shutdown(server->zonemgr);
6206 if (ns_g_sessionkey != NULL) {
6207 dns_tsigkey_detach(&ns_g_sessionkey);
6208 dns_name_free(&ns_g_sessionkeyname, server->mctx);
6211 if (server->blackholeacl != NULL)
6212 dns_acl_detach(&server->blackholeacl);
6214 dns_db_detach(&server->in_roothints);
6216 isc_task_endexclusive(server->task);
6218 isc_task_detach(&server->task);
6220 isc_event_free(&event);
6224 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
6225 isc_result_t result;
6226 ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
6229 fatal("allocating server object", ISC_R_NOMEMORY);
6231 server->mctx = mctx;
6232 server->task = NULL;
6234 /* Initialize configuration data with default values. */
6236 result = isc_quota_init(&server->xfroutquota, 10);
6237 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6238 result = isc_quota_init(&server->tcpquota, 10);
6239 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6240 result = isc_quota_init(&server->recursionquota, 100);
6241 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6243 result = dns_aclenv_init(mctx, &server->aclenv);
6244 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6246 /* Initialize server data structures. */
6247 server->zonemgr = NULL;
6248 server->interfacemgr = NULL;
6249 ISC_LIST_INIT(server->viewlist);
6250 server->in_roothints = NULL;
6251 server->blackholeacl = NULL;
6253 CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
6254 &server->in_roothints),
6255 "setting up root hints");
6257 CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
6258 "initializing reload event lock");
6259 server->reload_event =
6260 isc_event_allocate(ns_g_mctx, server,
6264 sizeof(isc_event_t));
6265 CHECKFATAL(server->reload_event == NULL ?
6266 ISC_R_NOMEMORY : ISC_R_SUCCESS,
6267 "allocating reload event");
6269 CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
6270 ns_g_engine, ISC_ENTROPY_GOODONLY),
6271 "initializing DST");
6273 server->tkeyctx = NULL;
6274 CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
6276 "creating TKEY context");
6279 * Setup the server task, which is responsible for coordinating
6280 * startup and shutdown of the server, as well as all exclusive
6283 CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
6284 "creating server task");
6285 isc_task_setname(server->task, "server", server);
6286 isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
6287 CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
6288 "isc_task_onshutdown");
6289 CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
6292 server->interface_timer = NULL;
6293 server->heartbeat_timer = NULL;
6294 server->pps_timer = NULL;
6296 server->interface_interval = 0;
6297 server->heartbeat_interval = 0;
6299 CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
6300 ns_g_socketmgr, &server->zonemgr),
6301 "dns_zonemgr_create");
6302 CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000),
6303 "dns_zonemgr_setsize");
6305 server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
6306 CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
6308 server->nsstats = NULL;
6309 server->rcvquerystats = NULL;
6310 server->opcodestats = NULL;
6311 server->zonestats = NULL;
6312 server->resolverstats = NULL;
6313 server->sockstats = NULL;
6314 CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
6315 isc_sockstatscounter_max),
6316 "isc_stats_create");
6317 isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
6319 server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
6320 CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
6324 server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
6325 CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
6328 server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
6329 CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
6333 server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
6334 CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
6337 server->hostname_set = ISC_FALSE;
6338 server->hostname = NULL;
6339 server->version_set = ISC_FALSE;
6340 server->version = NULL;
6341 server->server_usehostname = ISC_FALSE;
6342 server->server_id = NULL;
6344 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
6345 dns_nsstatscounter_max),
6346 "dns_stats_create (server)");
6348 CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
6349 &server->rcvquerystats),
6350 "dns_stats_create (rcvquery)");
6352 CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
6353 "dns_stats_create (opcode)");
6355 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
6356 dns_zonestatscounter_max),
6357 "dns_stats_create (zone)");
6359 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
6360 dns_resstatscounter_max),
6361 "dns_stats_create (resolver)");
6363 server->flushonshutdown = ISC_FALSE;
6364 server->log_queries = ISC_FALSE;
6366 server->controls = NULL;
6367 CHECKFATAL(ns_controls_create(server, &server->controls),
6368 "ns_controls_create");
6369 server->dispatchgen = 0;
6370 ISC_LIST_INIT(server->dispatches);
6372 ISC_LIST_INIT(server->statschannels);
6374 ISC_LIST_INIT(server->cachelist);
6376 server->sessionkey = NULL;
6377 server->session_keyfile = NULL;
6378 server->session_keyname = NULL;
6379 server->session_keyalg = DST_ALG_UNKNOWN;
6380 server->session_keybits = 0;
6382 server->magic = NS_SERVER_MAGIC;
6387 ns_server_destroy(ns_server_t **serverp) {
6388 ns_server_t *server = *serverp;
6389 REQUIRE(NS_SERVER_VALID(server));
6391 ns_controls_destroy(&server->controls);
6393 isc_stats_detach(&server->nsstats);
6394 dns_stats_detach(&server->rcvquerystats);
6395 dns_stats_detach(&server->opcodestats);
6396 isc_stats_detach(&server->zonestats);
6397 isc_stats_detach(&server->resolverstats);
6398 isc_stats_detach(&server->sockstats);
6400 isc_mem_free(server->mctx, server->statsfile);
6401 isc_mem_free(server->mctx, server->bindkeysfile);
6402 isc_mem_free(server->mctx, server->dumpfile);
6403 isc_mem_free(server->mctx, server->secrootsfile);
6404 isc_mem_free(server->mctx, server->recfile);
6406 if (server->version != NULL)
6407 isc_mem_free(server->mctx, server->version);
6408 if (server->hostname != NULL)
6409 isc_mem_free(server->mctx, server->hostname);
6410 if (server->server_id != NULL)
6411 isc_mem_free(server->mctx, server->server_id);
6413 if (server->zonemgr != NULL)
6414 dns_zonemgr_detach(&server->zonemgr);
6416 if (server->tkeyctx != NULL)
6417 dns_tkeyctx_destroy(&server->tkeyctx);
6421 isc_event_free(&server->reload_event);
6423 INSIST(ISC_LIST_EMPTY(server->viewlist));
6424 INSIST(ISC_LIST_EMPTY(server->cachelist));
6426 dns_aclenv_destroy(&server->aclenv);
6428 isc_quota_destroy(&server->recursionquota);
6429 isc_quota_destroy(&server->tcpquota);
6430 isc_quota_destroy(&server->xfroutquota);
6433 isc_mem_put(server->mctx, server, sizeof(*server));
6438 fatal(const char *msg, isc_result_t result) {
6439 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
6440 ISC_LOG_CRITICAL, "%s: %s", msg,
6441 isc_result_totext(result));
6442 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
6443 ISC_LOG_CRITICAL, "exiting (due to fatal error)");
6448 start_reserved_dispatches(ns_server_t *server) {
6450 REQUIRE(NS_SERVER_VALID(server));
6452 server->dispatchgen++;
6456 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
6457 ns_dispatch_t *dispatch, *nextdispatch;
6459 REQUIRE(NS_SERVER_VALID(server));
6461 for (dispatch = ISC_LIST_HEAD(server->dispatches);
6463 dispatch = nextdispatch) {
6464 nextdispatch = ISC_LIST_NEXT(dispatch, link);
6465 if (!all && server->dispatchgen == dispatch-> dispatchgen)
6467 ISC_LIST_UNLINK(server->dispatches, dispatch, link);
6468 dns_dispatch_detach(&dispatch->dispatch);
6469 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
6474 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
6475 ns_dispatch_t *dispatch;
6477 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
6478 isc_result_t result;
6479 unsigned int attrs, attrmask;
6481 REQUIRE(NS_SERVER_VALID(server));
6483 port = isc_sockaddr_getport(addr);
6484 if (port == 0 || port >= 1024)
6487 for (dispatch = ISC_LIST_HEAD(server->dispatches);
6489 dispatch = ISC_LIST_NEXT(dispatch, link)) {
6490 if (isc_sockaddr_equal(&dispatch->addr, addr))
6493 if (dispatch != NULL) {
6494 dispatch->dispatchgen = server->dispatchgen;
6498 dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
6499 if (dispatch == NULL) {
6500 result = ISC_R_NOMEMORY;
6504 dispatch->addr = *addr;
6505 dispatch->dispatchgen = server->dispatchgen;
6506 dispatch->dispatch = NULL;
6509 attrs |= DNS_DISPATCHATTR_UDP;
6510 switch (isc_sockaddr_pf(addr)) {
6512 attrs |= DNS_DISPATCHATTR_IPV4;
6515 attrs |= DNS_DISPATCHATTR_IPV6;
6518 result = ISC_R_NOTIMPLEMENTED;
6522 attrmask |= DNS_DISPATCHATTR_UDP;
6523 attrmask |= DNS_DISPATCHATTR_TCP;
6524 attrmask |= DNS_DISPATCHATTR_IPV4;
6525 attrmask |= DNS_DISPATCHATTR_IPV6;
6527 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
6528 ns_g_taskmgr, &dispatch->addr, 4096,
6529 1000, 32768, 16411, 16433,
6530 attrs, attrmask, &dispatch->dispatch);
6531 if (result != ISC_R_SUCCESS)
6534 ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
6539 if (dispatch != NULL)
6540 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
6541 isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
6542 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6543 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
6544 "unable to create dispatch for reserved port %s: %s",
6545 addrbuf, isc_result_totext(result));
6550 loadconfig(ns_server_t *server) {
6551 isc_result_t result;
6552 start_reserved_dispatches(server);
6553 result = load_configuration(ns_g_lwresdonly ?
6554 lwresd_g_conffile : ns_g_conffile,
6556 if (result == ISC_R_SUCCESS) {
6557 end_reserved_dispatches(server, ISC_FALSE);
6558 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6559 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6560 "reloading configuration succeeded");
6562 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6563 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6564 "reloading configuration failed: %s",
6565 isc_result_totext(result));
6571 reload(ns_server_t *server) {
6572 isc_result_t result;
6573 CHECK(loadconfig(server));
6575 result = load_zones(server, ISC_FALSE);
6576 if (result == ISC_R_SUCCESS)
6577 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6578 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6579 "reloading zones succeeded");
6581 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6582 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6583 "reloading zones failed: %s",
6584 isc_result_totext(result));
6591 * Handle a reload event (from SIGHUP).
6594 ns_server_reload(isc_task_t *task, isc_event_t *event) {
6595 ns_server_t *server = (ns_server_t *)event->ev_arg;
6597 INSIST(task = server->task);
6600 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6601 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6602 "received SIGHUP signal to reload zones");
6603 (void)reload(server);
6605 LOCK(&server->reload_event_lock);
6606 INSIST(server->reload_event == NULL);
6607 server->reload_event = event;
6608 UNLOCK(&server->reload_event_lock);
6612 ns_server_reloadwanted(ns_server_t *server) {
6613 LOCK(&server->reload_event_lock);
6614 if (server->reload_event != NULL)
6615 isc_task_send(server->task, &server->reload_event);
6616 UNLOCK(&server->reload_event_lock);
6620 next_token(isc_lex_t *lex, isc_buffer_t *text) {
6621 isc_result_t result;
6624 token.type = isc_tokentype_unknown;
6625 result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF|ISC_LEXOPT_QSTRING,
6630 (void) isc_lex_close(lex);
6633 if (token.type == isc_tokentype_eof)
6634 (void) isc_lex_close(lex);
6638 (void) putstr(text, "token too large");
6639 (void) putnull(text);
6644 (void) putstr(text, isc_result_totext(result));
6645 (void) putnull(text);
6650 if (token.type == isc_tokentype_string ||
6651 token.type == isc_tokentype_qstring)
6652 return (token.value.as_textregion.base);
6658 * Find the zone specified in the control channel command, if any.
6659 * If a zone is specified, point '*zonep' at it, otherwise
6660 * set '*zonep' to NULL, and f 'zonename' is not NULL, copy
6661 * the zone name into it (N.B. 'zonename' must have space to hold
6664 * If 'zonetxt' is set, the caller has already pulled a token
6665 * off the command line that is to be used as the zone name. (This
6666 * is sometimes done when it's necessary to check for an optional
6667 * argument before the zone name, as in "rndc sync [-clean] zone".)
6670 zone_from_args(ns_server_t *server, isc_lex_t *lex, const char *zonetxt,
6671 dns_zone_t **zonep, char *zonename,
6672 isc_buffer_t *text, isc_boolean_t skip)
6676 const char *viewtxt = NULL;
6677 dns_fixedname_t fname;
6679 isc_result_t result;
6680 dns_view_t *view = NULL;
6681 dns_rdataclass_t rdclass;
6682 char problem[DNS_NAME_FORMATSIZE + 500] = "";
6683 char zonebuf[DNS_NAME_FORMATSIZE];
6685 REQUIRE(zonep != NULL && *zonep == NULL);
6688 /* Skip the command name. */
6689 ptr = next_token(lex, text);
6691 return (ISC_R_UNEXPECTEDEND);
6694 /* Look for the zone name. */
6695 if (zonetxt == NULL)
6696 zonetxt = next_token(lex, text);
6697 if (zonetxt == NULL)
6698 return (ISC_R_SUCCESS);
6700 /* Copy zonetxt because it'll be overwritten by next_token() */
6701 strlcpy(zonebuf, zonetxt, DNS_NAME_FORMATSIZE);
6702 if (zonename != NULL)
6703 strlcpy(zonename, zonetxt, DNS_NAME_FORMATSIZE);
6705 dns_fixedname_init(&fname);
6706 name = dns_fixedname_name(&fname);
6707 CHECK(dns_name_fromstring(name, zonebuf, 0, NULL));
6709 /* Look for the optional class name. */
6710 classtxt = next_token(lex, text);
6711 if (classtxt != NULL) {
6714 r.length = strlen(classtxt);
6715 CHECK(dns_rdataclass_fromtext(&rdclass, &r));
6717 /* Look for the optional view name. */
6718 viewtxt = next_token(lex, text);
6720 rdclass = dns_rdataclass_in;
6722 if (viewtxt == NULL) {
6723 result = dns_viewlist_findzone(&server->viewlist, name,
6724 ISC_TF(classtxt == NULL),
6726 if (result == ISC_R_NOTFOUND)
6727 snprintf(problem, sizeof(problem),
6728 "no matching zone '%s' in any view",
6730 else if (result == ISC_R_MULTIPLE)
6731 snprintf(problem, sizeof(problem),
6732 "zone '%s' was found in multiple views",
6735 result = dns_viewlist_find(&server->viewlist, viewtxt,
6737 if (result != ISC_R_SUCCESS) {
6738 snprintf(problem, sizeof(problem),
6739 "no matching view '%s'", viewtxt);
6743 result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
6744 if (result != ISC_R_SUCCESS)
6745 snprintf(problem, sizeof(problem),
6746 "no matching zone '%s' in view '%s'",
6750 /* Partial match? */
6751 if (result != ISC_R_SUCCESS && *zonep != NULL)
6752 dns_zone_detach(zonep);
6753 if (result == DNS_R_PARTIALMATCH)
6754 result = ISC_R_NOTFOUND;
6756 if (result != ISC_R_SUCCESS) {
6757 isc_result_t tresult;
6759 tresult = putstr(text, problem);
6760 if (tresult == ISC_R_SUCCESS)
6761 (void) putnull(text);
6766 dns_view_detach(&view);
6772 * Act on a "retransfer" command from the command channel.
6775 ns_server_retransfercommand(ns_server_t *server, isc_lex_t *lex,
6778 isc_result_t result;
6779 dns_zone_t *zone = NULL;
6780 dns_zone_t *raw = NULL;
6781 dns_zonetype_t type;
6783 result = zone_from_args(server, lex, NULL, &zone, NULL,
6785 if (result != ISC_R_SUCCESS)
6788 return (ISC_R_UNEXPECTEDEND);
6789 dns_zone_getraw(zone, &raw);
6791 dns_zone_detach(&zone);
6792 dns_zone_attach(raw, &zone);
6793 dns_zone_detach(&raw);
6795 type = dns_zone_gettype(zone);
6796 if (type == dns_zone_slave || type == dns_zone_stub)
6797 dns_zone_forcereload(zone);
6799 result = ISC_R_NOTFOUND;
6800 dns_zone_detach(&zone);
6805 * Act on a "reload" command from the command channel.
6808 ns_server_reloadcommand(ns_server_t *server, isc_lex_t *lex,
6811 isc_result_t result;
6812 dns_zone_t *zone = NULL;
6813 dns_zonetype_t type;
6814 const char *msg = NULL;
6816 result = zone_from_args(server, lex, NULL, &zone, NULL,
6818 if (result != ISC_R_SUCCESS)
6821 result = reload(server);
6822 if (result == ISC_R_SUCCESS)
6823 msg = "server reload successful";
6825 type = dns_zone_gettype(zone);
6826 if (type == dns_zone_slave || type == dns_zone_stub) {
6827 dns_zone_refresh(zone);
6828 dns_zone_detach(&zone);
6829 msg = "zone refresh queued";
6831 result = dns_zone_load(zone);
6832 dns_zone_detach(&zone);
6835 msg = "zone reload successful";
6837 case DNS_R_CONTINUE:
6838 msg = "zone reload queued";
6839 result = ISC_R_SUCCESS;
6841 case DNS_R_UPTODATE:
6842 msg = "zone reload up-to-date";
6843 result = ISC_R_SUCCESS;
6846 /* failure message will be generated by rndc */
6851 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
6852 isc_buffer_putmem(text, (const unsigned char *)msg,
6858 * Act on a "reconfig" command from the command channel.
6861 ns_server_reconfigcommand(ns_server_t *server) {
6862 isc_result_t result;
6864 CHECK(loadconfig(server));
6866 result = load_new_zones(server, ISC_FALSE);
6867 if (result == ISC_R_SUCCESS)
6868 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6869 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6870 "any newly configured zones are now loaded");
6872 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6873 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6874 "loading new zones failed: %s",
6875 isc_result_totext(result));
6881 * Act on a "notify" command from the command channel.
6884 ns_server_notifycommand(ns_server_t *server, isc_lex_t *lex,
6887 isc_result_t result;
6888 dns_zone_t *zone = NULL;
6889 const unsigned char msg[] = "zone notify queued";
6891 result = zone_from_args(server, lex, NULL, &zone, NULL,
6893 if (result != ISC_R_SUCCESS)
6896 return (ISC_R_UNEXPECTEDEND);
6898 dns_zone_notify(zone);
6899 dns_zone_detach(&zone);
6900 if (sizeof(msg) <= isc_buffer_availablelength(text))
6901 isc_buffer_putmem(text, msg, sizeof(msg));
6903 return (ISC_R_SUCCESS);
6907 * Act on a "refresh" command from the command channel.
6910 ns_server_refreshcommand(ns_server_t *server, isc_lex_t *lex,
6913 isc_result_t result;
6914 dns_zone_t *zone = NULL, *raw = NULL;
6915 const unsigned char msg1[] = "zone refresh queued";
6916 const unsigned char msg2[] = "not a slave or stub zone";
6917 dns_zonetype_t type;
6919 result = zone_from_args(server, lex, NULL, &zone, NULL,
6921 if (result != ISC_R_SUCCESS)
6924 return (ISC_R_UNEXPECTEDEND);
6926 dns_zone_getraw(zone, &raw);
6928 dns_zone_detach(&zone);
6929 dns_zone_attach(raw, &zone);
6930 dns_zone_detach(&raw);
6933 type = dns_zone_gettype(zone);
6934 if (type == dns_zone_slave || type == dns_zone_stub) {
6935 dns_zone_refresh(zone);
6936 dns_zone_detach(&zone);
6937 if (sizeof(msg1) <= isc_buffer_availablelength(text))
6938 isc_buffer_putmem(text, msg1, sizeof(msg1));
6939 return (ISC_R_SUCCESS);
6942 dns_zone_detach(&zone);
6943 if (sizeof(msg2) <= isc_buffer_availablelength(text))
6944 isc_buffer_putmem(text, msg2, sizeof(msg2));
6945 return (ISC_R_FAILURE);
6949 ns_server_togglequerylog(ns_server_t *server, isc_lex_t *lex) {
6950 isc_boolean_t value;
6953 /* Skip the command name. */
6954 ptr = next_token(lex, NULL);
6956 return (ISC_R_UNEXPECTEDEND);
6958 ptr = next_token(lex, NULL);
6960 value = server->log_queries ? ISC_FALSE : ISC_TRUE;
6961 else if (strcasecmp(ptr, "yes") == 0 || strcasecmp(ptr, "on") == 0)
6963 else if (strcasecmp(ptr, "no") == 0 || strcasecmp(ptr, "off") == 0)
6966 return (ISC_R_NOTFOUND);
6968 if (server->log_queries == value)
6969 return (ISC_R_SUCCESS);
6971 server->log_queries = value;
6973 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6974 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6975 "query logging is now %s",
6976 server->log_queries ? "on" : "off");
6977 return (ISC_R_SUCCESS);
6981 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
6982 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
6983 isc_uint16_t family, ns_listenlist_t **target)
6985 isc_result_t result;
6986 const cfg_listelt_t *element;
6987 ns_listenlist_t *dlist = NULL;
6989 REQUIRE(target != NULL && *target == NULL);
6991 result = ns_listenlist_create(mctx, &dlist);
6992 if (result != ISC_R_SUCCESS)
6995 for (element = cfg_list_first(listenlist);
6997 element = cfg_list_next(element))
6999 ns_listenelt_t *delt = NULL;
7000 const cfg_obj_t *listener = cfg_listelt_value(element);
7001 result = ns_listenelt_fromconfig(listener, config, actx,
7002 mctx, family, &delt);
7003 if (result != ISC_R_SUCCESS)
7005 ISC_LIST_APPEND(dlist->elts, delt, link);
7008 return (ISC_R_SUCCESS);
7011 ns_listenlist_detach(&dlist);
7016 * Create a listen list from the corresponding configuration
7020 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
7021 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
7022 isc_uint16_t family, ns_listenelt_t **target)
7024 isc_result_t result;
7025 const cfg_obj_t *portobj;
7027 ns_listenelt_t *delt = NULL;
7028 REQUIRE(target != NULL && *target == NULL);
7030 portobj = cfg_tuple_get(listener, "port");
7031 if (!cfg_obj_isuint32(portobj)) {
7032 if (ns_g_port != 0) {
7035 result = ns_config_getport(config, &port);
7036 if (result != ISC_R_SUCCESS)
7040 if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
7041 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
7042 "port value '%u' is out of range",
7043 cfg_obj_asuint32(portobj));
7044 return (ISC_R_RANGE);
7046 port = (in_port_t)cfg_obj_asuint32(portobj);
7049 result = ns_listenelt_create(mctx, port, NULL, &delt);
7050 if (result != ISC_R_SUCCESS)
7053 result = cfg_acl_fromconfig2(cfg_tuple_get(listener, "acl"),
7054 config, ns_g_lctx, actx, mctx, 0,
7055 family, &delt->acl);
7056 if (result != ISC_R_SUCCESS) {
7057 ns_listenelt_destroy(delt);
7061 return (ISC_R_SUCCESS);
7065 ns_server_dumpstats(ns_server_t *server) {
7066 isc_result_t result;
7069 CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
7070 "could not open statistics dump file", server->statsfile);
7072 result = ns_stats_dump(server, fp);
7076 (void)isc_stdio_close(fp);
7077 if (result == ISC_R_SUCCESS)
7078 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7079 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7080 "dumpstats complete");
7082 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7083 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7084 "dumpstats failed: %s",
7085 dns_result_totext(result));
7090 add_zone_tolist(dns_zone_t *zone, void *uap) {
7091 struct dumpcontext *dctx = uap;
7092 struct zonelistentry *zle;
7094 zle = isc_mem_get(dctx->mctx, sizeof *zle);
7096 return (ISC_R_NOMEMORY);
7098 dns_zone_attach(zone, &zle->zone);
7099 ISC_LINK_INIT(zle, link);
7100 ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
7101 return (ISC_R_SUCCESS);
7105 add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
7106 struct viewlistentry *vle;
7107 isc_result_t result = ISC_R_SUCCESS;
7110 * Prevent duplicate views.
7112 for (vle = ISC_LIST_HEAD(dctx->viewlist);
7114 vle = ISC_LIST_NEXT(vle, link))
7115 if (vle->view == view)
7116 return (ISC_R_SUCCESS);
7118 vle = isc_mem_get(dctx->mctx, sizeof *vle);
7120 return (ISC_R_NOMEMORY);
7122 dns_view_attach(view, &vle->view);
7123 ISC_LINK_INIT(vle, link);
7124 ISC_LIST_INIT(vle->zonelist);
7125 ISC_LIST_APPEND(dctx->viewlist, vle, link);
7126 if (dctx->dumpzones)
7127 result = dns_zt_apply(view->zonetable, ISC_TRUE,
7128 add_zone_tolist, dctx);
7133 dumpcontext_destroy(struct dumpcontext *dctx) {
7134 struct viewlistentry *vle;
7135 struct zonelistentry *zle;
7137 vle = ISC_LIST_HEAD(dctx->viewlist);
7138 while (vle != NULL) {
7139 ISC_LIST_UNLINK(dctx->viewlist, vle, link);
7140 zle = ISC_LIST_HEAD(vle->zonelist);
7141 while (zle != NULL) {
7142 ISC_LIST_UNLINK(vle->zonelist, zle, link);
7143 dns_zone_detach(&zle->zone);
7144 isc_mem_put(dctx->mctx, zle, sizeof *zle);
7145 zle = ISC_LIST_HEAD(vle->zonelist);
7147 dns_view_detach(&vle->view);
7148 isc_mem_put(dctx->mctx, vle, sizeof *vle);
7149 vle = ISC_LIST_HEAD(dctx->viewlist);
7151 if (dctx->version != NULL)
7152 dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
7153 if (dctx->db != NULL)
7154 dns_db_detach(&dctx->db);
7155 if (dctx->cache != NULL)
7156 dns_db_detach(&dctx->cache);
7157 if (dctx->task != NULL)
7158 isc_task_detach(&dctx->task);
7159 if (dctx->fp != NULL)
7160 (void)isc_stdio_close(dctx->fp);
7161 if (dctx->mdctx != NULL)
7162 dns_dumpctx_detach(&dctx->mdctx);
7163 isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
7167 dumpdone(void *arg, isc_result_t result) {
7168 struct dumpcontext *dctx = arg;
7170 const dns_master_style_t *style;
7172 if (result != ISC_R_SUCCESS)
7174 if (dctx->mdctx != NULL)
7175 dns_dumpctx_detach(&dctx->mdctx);
7176 if (dctx->view == NULL) {
7177 dctx->view = ISC_LIST_HEAD(dctx->viewlist);
7178 if (dctx->view == NULL)
7180 INSIST(dctx->zone == NULL);
7184 fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
7186 if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
7188 ";\n; Cache of view '%s' is shared as '%s'\n",
7189 dctx->view->view->name,
7190 dns_cache_getname(dctx->view->view->cache));
7191 } else if (dctx->zone == NULL && dctx->cache == NULL &&
7194 style = &dns_master_style_cache;
7195 /* start cache dump */
7196 if (dctx->view->view->cachedb != NULL)
7197 dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
7198 if (dctx->cache != NULL) {
7200 ";\n; Cache dump of view '%s' (cache %s)\n;\n",
7201 dctx->view->view->name,
7202 dns_cache_getname(dctx->view->view->cache));
7203 result = dns_master_dumptostreaminc(dctx->mctx,
7209 if (result == DNS_R_CONTINUE)
7211 if (result == ISC_R_NOTIMPLEMENTED)
7212 fprintf(dctx->fp, "; %s\n",
7213 dns_result_totext(result));
7214 else if (result != ISC_R_SUCCESS)
7219 if ((dctx->dumpadb || dctx->dumpbad) &&
7220 dctx->cache == NULL && dctx->view->view->cachedb != NULL)
7221 dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
7223 if (dctx->cache != NULL) {
7225 dns_adb_dump(dctx->view->view->adb, dctx->fp);
7227 dns_resolver_printbadcache(dctx->view->view->resolver,
7229 dns_db_detach(&dctx->cache);
7231 if (dctx->dumpzones) {
7232 style = &dns_master_style_full;
7234 if (dctx->version != NULL)
7235 dns_db_closeversion(dctx->db, &dctx->version,
7237 if (dctx->db != NULL)
7238 dns_db_detach(&dctx->db);
7239 if (dctx->zone == NULL)
7240 dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
7242 dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
7243 if (dctx->zone != NULL) {
7244 /* start zone dump */
7245 dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
7246 fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
7247 result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
7248 if (result != ISC_R_SUCCESS) {
7249 fprintf(dctx->fp, "; %s\n",
7250 dns_result_totext(result));
7253 dns_db_currentversion(dctx->db, &dctx->version);
7254 result = dns_master_dumptostreaminc(dctx->mctx,
7261 if (result == DNS_R_CONTINUE)
7263 if (result == ISC_R_NOTIMPLEMENTED) {
7264 fprintf(dctx->fp, "; %s\n",
7265 dns_result_totext(result));
7266 result = ISC_R_SUCCESS;
7270 if (result != ISC_R_SUCCESS)
7274 if (dctx->view != NULL)
7275 dctx->view = ISC_LIST_NEXT(dctx->view, link);
7276 if (dctx->view != NULL)
7279 fprintf(dctx->fp, "; Dump complete\n");
7280 result = isc_stdio_flush(dctx->fp);
7281 if (result == ISC_R_SUCCESS)
7282 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7283 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7286 if (result != ISC_R_SUCCESS)
7287 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7288 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7289 "dumpdb failed: %s", dns_result_totext(result));
7290 dumpcontext_destroy(dctx);
7294 ns_server_dumpdb(ns_server_t *server, isc_lex_t *lex) {
7295 struct dumpcontext *dctx = NULL;
7297 isc_result_t result;
7301 /* Skip the command name. */
7302 ptr = next_token(lex, NULL);
7304 return (ISC_R_UNEXPECTEDEND);
7306 dctx = isc_mem_get(server->mctx, sizeof(*dctx));
7308 return (ISC_R_NOMEMORY);
7310 dctx->mctx = server->mctx;
7311 dctx->dumpcache = ISC_TRUE;
7312 dctx->dumpadb = ISC_TRUE;
7313 dctx->dumpbad = ISC_TRUE;
7314 dctx->dumpzones = ISC_FALSE;
7316 ISC_LIST_INIT(dctx->viewlist);
7324 dctx->version = NULL;
7325 isc_task_attach(server->task, &dctx->task);
7327 CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
7328 "could not open dump file", server->dumpfile);
7330 ptr = next_token(lex, NULL);
7331 sep = (ptr == NULL) ? "" : ": ";
7332 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7333 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7334 "dumpdb started%s%s", sep, (ptr != NULL) ? ptr : "");
7336 if (ptr != NULL && strcmp(ptr, "-all") == 0) {
7337 /* also dump zones */
7338 dctx->dumpzones = ISC_TRUE;
7339 ptr = next_token(lex, NULL);
7340 } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
7341 /* this is the default */
7342 ptr = next_token(lex, NULL);
7343 } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
7344 /* only dump zones, suppress caches */
7345 dctx->dumpadb = ISC_FALSE;
7346 dctx->dumpbad = ISC_FALSE;
7347 dctx->dumpcache = ISC_FALSE;
7348 dctx->dumpzones = ISC_TRUE;
7349 ptr = next_token(lex, NULL);
7350 #ifdef ENABLE_FETCHLIMIT
7351 } else if (ptr != NULL && strcmp(ptr, "-adb") == 0) {
7352 /* only dump adb, suppress other caches */
7353 dctx->dumpbad = ISC_FALSE;
7354 dctx->dumpcache = ISC_FALSE;
7355 ptr = next_token(lex, NULL);
7356 } else if (ptr != NULL && strcmp(ptr, "-bad") == 0) {
7357 /* only dump badcache, suppress other caches */
7358 dctx->dumpadb = ISC_FALSE;
7359 dctx->dumpcache = ISC_FALSE;
7360 ptr = next_token(lex, NULL);
7361 #endif /* ENABLE_FETCHLIMIT */
7365 for (view = ISC_LIST_HEAD(server->viewlist);
7367 view = ISC_LIST_NEXT(view, link))
7369 if (ptr != NULL && strcmp(view->name, ptr) != 0)
7371 CHECK(add_view_tolist(dctx, view));
7374 ptr = next_token(lex, NULL);
7378 dumpdone(dctx, ISC_R_SUCCESS);
7379 return (ISC_R_SUCCESS);
7383 dumpcontext_destroy(dctx);
7388 ns_server_dumpsecroots(ns_server_t *server, isc_lex_t *lex) {
7390 dns_keytable_t *secroots = NULL;
7391 isc_result_t result;
7397 /* Skip the command name. */
7398 ptr = next_token(lex, NULL);
7400 return (ISC_R_UNEXPECTEDEND);
7402 ptr = next_token(lex, NULL);
7404 CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
7405 "could not open secroots dump file", server->secrootsfile);
7407 isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
7408 fprintf(fp, "%s\n", tbuf);
7411 for (view = ISC_LIST_HEAD(server->viewlist);
7413 view = ISC_LIST_NEXT(view, link))
7415 if (ptr != NULL && strcmp(view->name, ptr) != 0)
7417 if (secroots != NULL)
7418 dns_keytable_detach(&secroots);
7419 result = dns_view_getsecroots(view, &secroots);
7420 if (result == ISC_R_NOTFOUND) {
7421 result = ISC_R_SUCCESS;
7424 fprintf(fp, "\n Start view %s\n\n", view->name);
7425 result = dns_keytable_dump(secroots, fp);
7426 if (result != ISC_R_SUCCESS)
7427 fprintf(fp, " dumpsecroots failed: %s\n",
7428 isc_result_totext(result));
7431 ptr = next_token(lex, NULL);
7432 } while (ptr != NULL);
7435 if (secroots != NULL)
7436 dns_keytable_detach(&secroots);
7438 (void)isc_stdio_close(fp);
7439 if (result == ISC_R_SUCCESS)
7440 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7441 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7442 "dumpsecroots complete");
7444 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7445 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7446 "dumpsecroots failed: %s",
7447 dns_result_totext(result));
7452 ns_server_dumprecursing(ns_server_t *server) {
7454 isc_result_t result;
7455 #ifdef ENABLE_FETCHLIMIT
7457 #endif /* ENABLE_FETCHLIMIT */
7459 CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
7460 "could not open dump file", server->recfile);
7461 fprintf(fp, ";\n; Recursing Queries\n;\n");
7462 ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
7464 #ifdef ENABLE_FETCHLIMIT
7465 for (view = ISC_LIST_HEAD(server->viewlist);
7467 view = ISC_LIST_NEXT(view, link))
7469 fprintf(fp, ";\n; Active fetch domains [view: %s]\n;\n",
7471 dns_resolver_dumpfetches(view->resolver, fp);
7473 #endif /* ENABLE_FETCHLIMIT */
7475 fprintf(fp, "; Dump complete\n");
7479 result = isc_stdio_close(fp);
7480 if (result == ISC_R_SUCCESS)
7481 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7482 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7483 "dumprecursing complete");
7485 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7486 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7487 "dumprecursing failed: %s",
7488 dns_result_totext(result));
7493 ns_server_setdebuglevel(ns_server_t *server, isc_lex_t *lex) {
7500 /* Skip the command name. */
7501 ptr = next_token(lex, NULL);
7503 return (ISC_R_UNEXPECTEDEND);
7505 /* Look for the new level name. */
7506 ptr = next_token(lex, NULL);
7508 if (ns_g_debuglevel < 99)
7511 newlevel = strtol(ptr, &endp, 10);
7512 if (*endp != '\0' || newlevel < 0 || newlevel > 99)
7513 return (ISC_R_RANGE);
7514 ns_g_debuglevel = (unsigned int)newlevel;
7516 isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
7517 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7518 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7519 "debug level is now %d", ns_g_debuglevel);
7520 return (ISC_R_SUCCESS);
7524 ns_server_validation(ns_server_t *server, isc_lex_t *lex) {
7527 isc_boolean_t changed = ISC_FALSE;
7528 isc_result_t result;
7529 isc_boolean_t enable;
7531 /* Skip the command name. */
7532 ptr = next_token(lex, NULL);
7534 return (ISC_R_UNEXPECTEDEND);
7536 /* Find out what we are to do. */
7537 ptr = next_token(lex, NULL);
7539 return (ISC_R_UNEXPECTEDEND);
7541 if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
7542 !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
7544 else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
7545 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
7548 return (DNS_R_SYNTAX);
7550 /* Look for the view name. */
7551 ptr = next_token(lex, NULL);
7553 result = isc_task_beginexclusive(server->task);
7554 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7555 for (view = ISC_LIST_HEAD(server->viewlist);
7557 view = ISC_LIST_NEXT(view, link))
7559 if (ptr != NULL && strcasecmp(ptr, view->name) != 0)
7561 result = dns_view_flushcache(view);
7562 if (result != ISC_R_SUCCESS)
7564 view->enablevalidation = enable;
7568 result = ISC_R_SUCCESS;
7570 result = ISC_R_FAILURE;
7572 isc_task_endexclusive(server->task);
7577 ns_server_flushcache(ns_server_t *server, isc_lex_t *lex) {
7580 isc_boolean_t flushed;
7581 isc_boolean_t found;
7582 isc_result_t result;
7585 /* Skip the command name. */
7586 ptr = next_token(lex, NULL);
7588 return (ISC_R_UNEXPECTEDEND);
7590 /* Look for the view name. */
7591 ptr = next_token(lex, NULL);
7593 result = isc_task_beginexclusive(server->task);
7594 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7599 * Flushing a cache is tricky when caches are shared by multiple views.
7600 * We first identify which caches should be flushed in the local cache
7601 * list, flush these caches, and then update other views that refer to
7602 * the flushed cache DB.
7606 * Mark caches that need to be flushed. This is an O(#view^2)
7607 * operation in the very worst case, but should be normally
7608 * much more lightweight because only a few (most typically just
7609 * one) views will match.
7611 for (view = ISC_LIST_HEAD(server->viewlist);
7613 view = ISC_LIST_NEXT(view, link))
7615 if (strcasecmp(ptr, view->name) != 0)
7618 for (nsc = ISC_LIST_HEAD(server->cachelist);
7620 nsc = ISC_LIST_NEXT(nsc, link)) {
7621 if (nsc->cache == view->cache)
7624 INSIST(nsc != NULL);
7625 nsc->needflush = ISC_TRUE;
7631 for (nsc = ISC_LIST_HEAD(server->cachelist);
7633 nsc = ISC_LIST_NEXT(nsc, link)) {
7634 if (ptr != NULL && !nsc->needflush)
7636 nsc->needflush = ISC_TRUE;
7637 result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
7638 if (result != ISC_R_SUCCESS) {
7639 flushed = ISC_FALSE;
7640 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7641 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7642 "flushing cache in view '%s' failed: %s",
7643 nsc->primaryview->name,
7644 isc_result_totext(result));
7649 * Fix up views that share a flushed cache: let the views update the
7650 * cache DB they're referring to. This could also be an expensive
7651 * operation, but should typically be marginal: the inner loop is only
7652 * necessary for views that share a cache, and if there are many such
7653 * views the number of shared cache should normally be small.
7654 * A worst case is that we have n views and n/2 caches, each shared by
7655 * two views. Then this will be a O(n^2/4) operation.
7657 for (view = ISC_LIST_HEAD(server->viewlist);
7659 view = ISC_LIST_NEXT(view, link))
7661 if (!dns_view_iscacheshared(view))
7663 for (nsc = ISC_LIST_HEAD(server->cachelist);
7665 nsc = ISC_LIST_NEXT(nsc, link)) {
7666 if (!nsc->needflush || nsc->cache != view->cache)
7668 result = dns_view_flushcache2(view, ISC_TRUE);
7669 if (result != ISC_R_SUCCESS) {
7670 flushed = ISC_FALSE;
7671 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7672 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7673 "fixing cache in view '%s' "
7674 "failed: %s", view->name,
7675 isc_result_totext(result));
7680 /* Cleanup the cache list. */
7681 for (nsc = ISC_LIST_HEAD(server->cachelist);
7683 nsc = ISC_LIST_NEXT(nsc, link)) {
7684 nsc->needflush = ISC_FALSE;
7687 if (flushed && found) {
7689 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7690 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7691 "flushing cache in view '%s' succeeded",
7694 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7695 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7696 "flushing caches in all views succeeded");
7697 result = ISC_R_SUCCESS;
7700 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7701 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7702 "flushing cache in view '%s' failed: "
7703 "view not found", ptr);
7704 result = ISC_R_NOTFOUND;
7706 result = ISC_R_FAILURE;
7708 isc_task_endexclusive(server->task);
7713 ns_server_flushnode(ns_server_t *server, isc_lex_t *lex, isc_boolean_t tree) {
7714 char *ptr, *viewname;
7715 char target[DNS_NAME_FORMATSIZE];
7717 isc_boolean_t flushed;
7718 isc_boolean_t found;
7719 isc_result_t result;
7721 dns_fixedname_t fixed;
7724 /* Skip the command name. */
7725 ptr = next_token(lex, NULL);
7727 return (ISC_R_UNEXPECTEDEND);
7729 /* Find the domain name to flush. */
7730 ptr = next_token(lex, NULL);
7732 return (ISC_R_UNEXPECTEDEND);
7734 strlcpy(target, ptr, DNS_NAME_FORMATSIZE);
7735 isc_buffer_constinit(&b, target, strlen(target));
7736 isc_buffer_add(&b, strlen(target));
7737 dns_fixedname_init(&fixed);
7738 name = dns_fixedname_name(&fixed);
7739 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
7740 if (result != ISC_R_SUCCESS)
7743 /* Look for the view name. */
7744 viewname = next_token(lex, NULL);
7746 result = isc_task_beginexclusive(server->task);
7747 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7750 for (view = ISC_LIST_HEAD(server->viewlist);
7752 view = ISC_LIST_NEXT(view, link))
7754 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
7758 * It's a little inefficient to try flushing name for all views
7759 * if some of the views share a single cache. But since the
7760 * operation is lightweight we prefer simplicity here.
7762 result = dns_view_flushnode(view, name, tree);
7763 if (result != ISC_R_SUCCESS) {
7764 flushed = ISC_FALSE;
7765 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7766 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7767 "flushing %s '%s' in cache view '%s' "
7769 tree ? "tree" : "name",
7771 isc_result_totext(result));
7774 if (flushed && found) {
7775 if (viewname != NULL)
7776 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7777 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7778 "flushing %s '%s' in cache view '%s' "
7780 tree ? "tree" : "name",
7783 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7784 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7785 "flushing %s '%s' in all cache views "
7787 tree ? "tree" : "name",
7789 result = ISC_R_SUCCESS;
7792 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7793 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7794 "flushing %s '%s' in cache view '%s' "
7795 "failed: view not found",
7796 tree ? "tree" : "name",
7798 result = ISC_R_FAILURE;
7800 isc_task_endexclusive(server->task);
7805 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
7806 int zonecount, xferrunning, xferdeferred, soaqueries;
7808 const char *ob = "", *cb = "", *alt = "";
7810 if (ns_g_server->version_set) {
7813 if (ns_g_server->version == NULL)
7814 alt = "version.bind/txt/ch disabled";
7816 alt = ns_g_server->version;
7818 zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
7819 xferrunning = dns_zonemgr_getcount(server->zonemgr,
7820 DNS_ZONESTATE_XFERRUNNING);
7821 xferdeferred = dns_zonemgr_getcount(server->zonemgr,
7822 DNS_ZONESTATE_XFERDEFERRED);
7823 soaqueries = dns_zonemgr_getcount(server->zonemgr,
7824 DNS_ZONESTATE_SOAQUERY);
7826 n = snprintf((char *)isc_buffer_used(text),
7827 isc_buffer_availablelength(text),
7828 "version: %s %s%s%s <id:%s>%s%s%s\n"
7829 #ifdef ISC_PLATFORM_USETHREADS
7831 "worker threads: %u\n"
7832 "UDP listeners per interface: %u\n"
7834 "number of zones: %u\n"
7836 "xfers running: %u\n"
7837 "xfers deferred: %u\n"
7838 "soa queries in progress: %u\n"
7839 "query logging is %s\n"
7840 "recursive clients: %d/%d/%d\n"
7841 "tcp clients: %d/%d\n"
7842 "server is up and running",
7843 ns_g_product, ns_g_version,
7844 (*ns_g_description != '\0') ? " " : "",
7845 ns_g_description, ns_g_srcid, ob, alt, cb,
7846 #ifdef ISC_PLATFORM_USETHREADS
7847 ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp,
7849 zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
7850 soaqueries, server->log_queries ? "ON" : "OFF",
7851 server->recursionquota.used, server->recursionquota.soft,
7852 server->recursionquota.max,
7853 server->tcpquota.used, server->tcpquota.max);
7854 if (n >= isc_buffer_availablelength(text))
7855 return (ISC_R_NOSPACE);
7856 isc_buffer_add(text, n);
7857 return (ISC_R_SUCCESS);
7861 delete_keynames(dns_tsig_keyring_t *ring, char *target,
7862 unsigned int *foundkeys)
7864 char namestr[DNS_NAME_FORMATSIZE];
7865 isc_result_t result;
7866 dns_rbtnodechain_t chain;
7867 dns_name_t foundname;
7868 dns_fixedname_t fixedorigin;
7870 dns_rbtnode_t *node;
7871 dns_tsigkey_t *tkey;
7873 dns_name_init(&foundname, NULL);
7874 dns_fixedname_init(&fixedorigin);
7875 origin = dns_fixedname_name(&fixedorigin);
7878 dns_rbtnodechain_init(&chain, ring->mctx);
7879 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7881 if (result == ISC_R_NOTFOUND) {
7882 dns_rbtnodechain_invalidate(&chain);
7883 return (ISC_R_SUCCESS);
7885 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7886 dns_rbtnodechain_invalidate(&chain);
7892 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
7896 if (!tkey->generated)
7899 dns_name_format(&tkey->name, namestr, sizeof(namestr));
7900 if (strcmp(namestr, target) == 0) {
7902 dns_rbtnodechain_invalidate(&chain);
7903 (void)dns_rbt_deletename(ring->keys,
7911 result = dns_rbtnodechain_next(&chain, &foundname, origin);
7912 if (result == ISC_R_NOMORE)
7914 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7915 dns_rbtnodechain_invalidate(&chain);
7920 return (ISC_R_SUCCESS);
7924 ns_server_tsigdelete(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) {
7925 isc_result_t result;
7928 unsigned int foundkeys = 0;
7929 char *ptr, *viewname;
7930 char target[DNS_NAME_FORMATSIZE];
7932 (void)next_token(lex, text); /* skip command name */
7934 ptr = next_token(lex, text);
7936 return (ISC_R_UNEXPECTEDEND);
7937 strlcpy(target, ptr, DNS_NAME_FORMATSIZE);
7939 viewname = next_token(lex, text);
7941 result = isc_task_beginexclusive(server->task);
7942 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7943 for (view = ISC_LIST_HEAD(server->viewlist);
7945 view = ISC_LIST_NEXT(view, link)) {
7946 if (viewname == NULL || strcmp(view->name, viewname) == 0) {
7947 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
7948 result = delete_keynames(view->dynamickeys, target,
7950 RWUNLOCK(&view->dynamickeys->lock,
7951 isc_rwlocktype_write);
7952 if (result != ISC_R_SUCCESS) {
7953 isc_task_endexclusive(server->task);
7958 isc_task_endexclusive(server->task);
7960 n = snprintf((char *)isc_buffer_used(text),
7961 isc_buffer_availablelength(text),
7962 "%d tsig keys deleted.\n", foundkeys);
7963 if (n >= isc_buffer_availablelength(text))
7964 return (ISC_R_NOSPACE);
7965 isc_buffer_add(text, n);
7967 return (ISC_R_SUCCESS);
7971 list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
7972 unsigned int *foundkeys)
7974 char namestr[DNS_NAME_FORMATSIZE];
7975 char creatorstr[DNS_NAME_FORMATSIZE];
7976 isc_result_t result;
7977 dns_rbtnodechain_t chain;
7978 dns_name_t foundname;
7979 dns_fixedname_t fixedorigin;
7981 dns_rbtnode_t *node;
7982 dns_tsigkey_t *tkey;
7983 const char *viewname;
7986 viewname = view->name;
7988 viewname = "(global)";
7990 dns_name_init(&foundname, NULL);
7991 dns_fixedname_init(&fixedorigin);
7992 origin = dns_fixedname_name(&fixedorigin);
7993 dns_rbtnodechain_init(&chain, ring->mctx);
7994 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7996 if (result == ISC_R_NOTFOUND) {
7997 dns_rbtnodechain_invalidate(&chain);
7998 return (ISC_R_SUCCESS);
8000 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
8001 dns_rbtnodechain_invalidate(&chain);
8007 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
8012 dns_name_format(&tkey->name, namestr, sizeof(namestr));
8013 if (tkey->generated) {
8014 dns_name_format(tkey->creator, creatorstr,
8015 sizeof(creatorstr));
8016 if (*foundkeys != 0)
8017 CHECK(putstr(text, "\n"));
8018 CHECK(putstr(text, "view \""));
8019 CHECK(putstr(text, viewname));
8021 "\"; type \"dynamic\"; key \""));
8022 CHECK(putstr(text, namestr));
8023 CHECK(putstr(text, "\"; creator \""));
8024 CHECK(putstr(text, creatorstr));
8025 CHECK(putstr(text, "\";"));
8027 if (*foundkeys != 0)
8028 CHECK(putstr(text, "\n"));
8029 CHECK(putstr(text, "view \""));
8030 CHECK(putstr(text, viewname));
8032 "\"; type \"static\"; key \""));
8033 CHECK(putstr(text, namestr));
8034 CHECK(putstr(text, "\";"));
8037 result = dns_rbtnodechain_next(&chain, &foundname, origin);
8038 if (result == ISC_R_NOMORE)
8040 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
8041 dns_rbtnodechain_invalidate(&chain);
8046 return (ISC_R_SUCCESS);
8053 ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
8054 isc_result_t result;
8056 unsigned int foundkeys = 0;
8058 result = isc_task_beginexclusive(server->task);
8059 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8060 for (view = ISC_LIST_HEAD(server->viewlist);
8062 view = ISC_LIST_NEXT(view, link)) {
8063 RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
8064 result = list_keynames(view, view->statickeys, text,
8066 RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
8067 if (result != ISC_R_SUCCESS) {
8068 isc_task_endexclusive(server->task);
8071 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
8072 result = list_keynames(view, view->dynamickeys, text,
8074 RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
8075 if (result != ISC_R_SUCCESS) {
8076 isc_task_endexclusive(server->task);
8080 isc_task_endexclusive(server->task);
8083 CHECK(putstr(text, "no tsig keys found."));
8085 if (isc_buffer_usedlength(text) > 0)
8086 CHECK(putnull(text));
8088 return (ISC_R_SUCCESS);
8095 * Act on a "sign" or "loadkeys" command from the command channel.
8098 ns_server_rekey(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) {
8099 isc_result_t result;
8100 dns_zone_t *zone = NULL;
8101 dns_zonetype_t type;
8102 isc_uint16_t keyopts;
8103 isc_boolean_t fullsign = ISC_FALSE;
8106 ptr = next_token(lex, text);
8108 return (ISC_R_UNEXPECTEDEND);
8110 if (strcasecmp(ptr, NS_COMMAND_SIGN) == 0)
8111 fullsign = ISC_TRUE;
8113 result = zone_from_args(server, lex, NULL, &zone, NULL,
8115 if (result != ISC_R_SUCCESS)
8118 return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
8120 type = dns_zone_gettype(zone);
8121 if (type != dns_zone_master) {
8122 dns_zone_detach(&zone);
8123 return (DNS_R_NOTMASTER);
8126 keyopts = dns_zone_getkeyopts(zone);
8128 /* "rndc loadkeys" requires "auto-dnssec maintain". */
8129 if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
8130 result = ISC_R_NOPERM;
8131 else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
8132 result = ISC_R_NOPERM;
8134 dns_zone_rekey(zone, fullsign);
8136 dns_zone_detach(&zone);
8141 * Act on a "sync" command from the command channel.
8144 synczone(dns_zone_t *zone, void *uap) {
8145 isc_boolean_t cleanup = *(isc_boolean_t *)uap;
8146 isc_result_t result;
8147 dns_zone_t *raw = NULL;
8150 dns_zone_getraw(zone, &raw);
8153 dns_zone_detach(&raw);
8156 result = dns_zone_flush(zone);
8157 if (result != ISC_R_SUCCESS)
8158 cleanup = ISC_FALSE;
8160 journal = dns_zone_getjournal(zone);
8161 if (journal != NULL)
8162 (void)isc_file_remove(journal);
8169 ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) {
8170 isc_result_t result, tresult;
8172 dns_zone_t *zone = NULL;
8173 char classstr[DNS_RDATACLASS_FORMATSIZE];
8174 char zonename[DNS_NAME_FORMATSIZE];
8175 const char *vname, *sep, *msg = NULL, *arg;
8176 isc_boolean_t cleanup = ISC_FALSE;
8178 (void) next_token(lex, text);
8180 arg = next_token(lex, text);
8182 (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0)) {
8184 arg = next_token(lex, text);
8187 result = zone_from_args(server, lex, arg, &zone, NULL,
8189 if (result != ISC_R_SUCCESS)
8193 result = isc_task_beginexclusive(server->task);
8194 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8195 tresult = ISC_R_SUCCESS;
8196 for (view = ISC_LIST_HEAD(server->viewlist);
8198 view = ISC_LIST_NEXT(view, link)) {
8199 result = dns_zt_apply(view->zonetable, ISC_FALSE,
8200 synczone, &cleanup);
8201 if (result != ISC_R_SUCCESS &&
8202 tresult == ISC_R_SUCCESS)
8205 isc_task_endexclusive(server->task);
8206 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8207 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8208 "dumping all zones%s: %s",
8209 cleanup ? ", removing journal files" : "",
8210 isc_result_totext(result));
8214 result = isc_task_beginexclusive(server->task);
8215 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8216 result = synczone(zone, &cleanup);
8217 isc_task_endexclusive(server->task);
8219 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
8220 isc_buffer_putmem(text, (const unsigned char *)msg,
8223 view = dns_zone_getview(zone);
8224 if (strcmp(view->name, "_default") == 0 ||
8225 strcmp(view->name, "_bind") == 0)
8233 dns_rdataclass_format(dns_zone_getclass(zone), classstr,
8235 dns_name_format(dns_zone_getorigin(zone),
8236 zonename, sizeof(zonename));
8237 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8238 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8239 "sync: dumping zone '%s/%s'%s%s%s: %s",
8240 zonename, classstr, sep, vname,
8241 cleanup ? ", removing journal file" : "",
8242 isc_result_totext(result));
8243 dns_zone_detach(&zone);
8248 * Act on a "freeze" or "thaw" command from the command channel.
8251 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze,
8252 isc_lex_t *lex, isc_buffer_t *text)
8254 isc_result_t result, tresult;
8255 dns_zone_t *zone = NULL, *raw = NULL;
8256 dns_zonetype_t type;
8257 char classstr[DNS_RDATACLASS_FORMATSIZE];
8258 char zonename[DNS_NAME_FORMATSIZE];
8260 const char *vname, *sep;
8261 isc_boolean_t frozen;
8262 const char *msg = NULL;
8264 result = zone_from_args(server, lex, NULL, &zone, NULL,
8266 if (result != ISC_R_SUCCESS)
8269 result = isc_task_beginexclusive(server->task);
8270 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8271 tresult = ISC_R_SUCCESS;
8272 for (view = ISC_LIST_HEAD(server->viewlist);
8274 view = ISC_LIST_NEXT(view, link)) {
8275 result = dns_view_freezezones(view, freeze);
8276 if (result != ISC_R_SUCCESS &&
8277 tresult == ISC_R_SUCCESS)
8280 isc_task_endexclusive(server->task);
8281 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8282 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8284 freeze ? "freezing" : "thawing",
8285 isc_result_totext(tresult));
8288 dns_zone_getraw(zone, &raw);
8290 dns_zone_detach(&zone);
8291 dns_zone_attach(raw, &zone);
8292 dns_zone_detach(&raw);
8294 type = dns_zone_gettype(zone);
8295 if (type != dns_zone_master) {
8296 dns_zone_detach(&zone);
8297 return (DNS_R_NOTMASTER);
8300 if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) {
8301 dns_zone_detach(&zone);
8302 return (DNS_R_NOTDYNAMIC);
8305 result = isc_task_beginexclusive(server->task);
8306 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8307 frozen = dns_zone_getupdatedisabled(zone);
8310 msg = "WARNING: The zone was already frozen.\n"
8311 "Someone else may be editing it or "
8312 "it may still be re-loading.";
8313 result = DNS_R_FROZEN;
8315 if (result == ISC_R_SUCCESS) {
8316 result = dns_zone_flush(zone);
8317 if (result != ISC_R_SUCCESS)
8318 msg = "Flushing the zone updates to "
8321 if (result == ISC_R_SUCCESS)
8322 dns_zone_setupdatedisabled(zone, freeze);
8325 result = dns_zone_loadandthaw(zone);
8328 case DNS_R_UPTODATE:
8329 msg = "The zone reload and thaw was "
8331 result = ISC_R_SUCCESS;
8333 case DNS_R_CONTINUE:
8334 msg = "A zone reload and thaw was started.\n"
8335 "Check the logs to see the result.";
8336 result = ISC_R_SUCCESS;
8341 isc_task_endexclusive(server->task);
8343 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
8344 isc_buffer_putmem(text, (const unsigned char *)msg,
8347 view = dns_zone_getview(zone);
8348 if (strcmp(view->name, "_default") == 0 ||
8349 strcmp(view->name, "_bind") == 0)
8357 dns_rdataclass_format(dns_zone_getclass(zone), classstr,
8359 dns_name_format(dns_zone_getorigin(zone),
8360 zonename, sizeof(zonename));
8361 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8362 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8363 "%s zone '%s/%s'%s%s: %s",
8364 freeze ? "freezing" : "thawing",
8365 zonename, classstr, sep, vname,
8366 isc_result_totext(result));
8367 dns_zone_detach(&zone);
8373 * This function adds a message for rndc to echo if named
8374 * is managed by smf and is also running chroot.
8377 ns_smf_add_message(isc_buffer_t *text) {
8380 n = snprintf((char *)isc_buffer_used(text),
8381 isc_buffer_availablelength(text),
8382 "use svcadm(1M) to manage named");
8383 if (n >= isc_buffer_availablelength(text))
8384 return (ISC_R_NOSPACE);
8385 isc_buffer_add(text, n);
8386 return (ISC_R_SUCCESS);
8388 #endif /* HAVE_LIBSCF */
8391 * Emit a comment at the top of the nzf file containing the viewname
8392 * Expects the fp to already be open for writing
8394 #define HEADER1 "# New zone file for view: "
8395 #define HEADER2 "\n# This file contains configuration for zones added by\n" \
8396 "# the 'rndc addzone' command. DO NOT EDIT BY HAND.\n"
8398 add_comment(FILE *fp, const char *viewname) {
8399 isc_result_t result;
8400 CHECK(isc_stdio_write(HEADER1, sizeof(HEADER1) - 1, 1, fp, NULL));
8401 CHECK(isc_stdio_write(viewname, strlen(viewname), 1, fp, NULL));
8402 CHECK(isc_stdio_write(HEADER2, sizeof(HEADER2) - 1, 1, fp, NULL));
8408 * Act on an "addzone" command from the command channel.
8411 ns_server_add_zone(ns_server_t *server, char *args, isc_buffer_t *text) {
8412 isc_result_t result, tresult;
8413 isc_buffer_t argbuf;
8415 cfg_parser_t *parser = NULL;
8416 cfg_obj_t *config = NULL;
8417 const cfg_obj_t *vconfig = NULL;
8418 const cfg_obj_t *views = NULL;
8419 const cfg_obj_t *parms = NULL;
8420 const cfg_obj_t *obj = NULL;
8421 const cfg_listelt_t *element;
8422 const char *zonename;
8423 const char *classname = NULL;
8425 const char *viewname = NULL;
8426 dns_rdataclass_t rdclass;
8427 dns_view_t *view = NULL;
8429 dns_fixedname_t fname;
8430 dns_name_t *dnsname;
8431 dns_zone_t *zone = NULL;
8433 struct cfg_context *cfg = NULL;
8434 char namebuf[DNS_NAME_FORMATSIZE];
8437 /* Try to parse the argument string */
8438 arglen = strlen(args);
8439 isc_buffer_init(&argbuf, args, (unsigned int)arglen);
8440 isc_buffer_add(&argbuf, strlen(args));
8441 CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
8442 CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
8444 CHECK(cfg_map_get(config, "addzone", &parms));
8446 zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
8447 isc_buffer_constinit(&buf, zonename, strlen(zonename));
8448 isc_buffer_add(&buf, strlen(zonename));
8450 dns_fixedname_init(&fname);
8451 dnsname = dns_fixedname_name(&fname);
8452 CHECK(dns_name_fromtext(dnsname, &buf, dns_rootname, 0, NULL));
8454 /* Make sense of optional class argument */
8455 obj = cfg_tuple_get(parms, "class");
8456 CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
8457 if (rdclass != dns_rdataclass_in && obj)
8458 classname = cfg_obj_asstring(obj);
8460 /* Make sense of optional view argument */
8461 obj = cfg_tuple_get(parms, "view");
8462 if (obj && cfg_obj_isstring(obj))
8463 viewname = cfg_obj_asstring(obj);
8464 if (viewname == NULL || *viewname == '\0')
8465 viewname = "_default";
8466 CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
8468 /* Are we accepting new zones? */
8469 if (view->new_zone_file == NULL) {
8470 result = ISC_R_NOPERM;
8474 cfg = (struct cfg_context *) view->new_zone_config;
8476 result = ISC_R_FAILURE;
8480 /* Zone shouldn't already exist */
8481 result = dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone);
8482 if (result == ISC_R_SUCCESS) {
8483 result = ISC_R_EXISTS;
8485 } else if (result == DNS_R_PARTIALMATCH) {
8486 /* Create our sub-zone anyway */
8487 dns_zone_detach(&zone);
8490 else if (result != ISC_R_NOTFOUND)
8493 /* Find the view statement */
8494 cfg_map_get(cfg->config, "view", &views);
8495 for (element = cfg_list_first(views);
8497 element = cfg_list_next(element))
8500 vconfig = cfg_listelt_value(element);
8501 vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
8502 if (vname && !strcasecmp(vname, viewname))
8507 /* Open save file for write configuration */
8508 result = isc_stdio_open(view->new_zone_file, "a", &fp);
8509 if (result != ISC_R_SUCCESS) {
8510 TCHECK(putstr(text, "unable to open '"));
8511 TCHECK(putstr(text, view->new_zone_file));
8512 TCHECK(putstr(text, "': "));
8513 TCHECK(putstr(text, isc_result_totext(result)));
8516 CHECK(isc_stdio_tell(fp, &offset));
8518 CHECK(add_comment(fp, view->name));
8520 /* Mark view unfrozen so that zone can be added */
8521 result = isc_task_beginexclusive(server->task);
8522 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8523 dns_view_thaw(view);
8524 result = configure_zone(cfg->config, parms, vconfig,
8525 server->mctx, view, cfg->actx, ISC_FALSE);
8526 dns_view_freeze(view);
8527 isc_task_endexclusive(server->task);
8528 if (result != ISC_R_SUCCESS) {
8529 TCHECK(putstr(text, "configure_zone failed: "));
8530 TCHECK(putstr(text, isc_result_totext(result)));
8534 /* Is it there yet? */
8535 CHECK(dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone));
8538 * Load the zone from the master file. If this fails, we'll
8539 * need to undo the configuration we've done already.
8541 result = dns_zone_loadnew(zone);
8542 if (result != ISC_R_SUCCESS) {
8543 dns_db_t *dbp = NULL;
8545 TCHECK(putstr(text, "dns_zone_loadnew failed: "));
8546 TCHECK(putstr(text, isc_result_totext(result)));
8548 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8549 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8550 "addzone failed; reverting.");
8552 /* If the zone loaded partially, unload it */
8553 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
8554 dns_db_detach(&dbp);
8555 dns_zone_unload(zone);
8558 /* Remove the zone from the zone table */
8559 dns_zt_unmount(view->zonetable, zone);
8563 /* Flag the zone as having been added at runtime */
8564 dns_zone_setadded(zone, ISC_TRUE);
8566 /* Emit the zone name, quoted and escaped */
8567 isc_buffer_init(&buf, namebuf, sizeof(namebuf));
8568 CHECK(dns_name_totext(dnsname, ISC_TRUE, &buf));
8570 CHECK(isc_stdio_write("zone \"", 6, 1, fp, NULL));
8571 CHECK(isc_stdio_write(namebuf, strlen(namebuf), 1, fp, NULL));
8572 CHECK(isc_stdio_write("\" ", 2, 1, fp, NULL));
8574 /* Classname, if not default */
8575 if (classname != NULL && *classname != '\0') {
8576 CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
8578 CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
8581 /* Find beginning of option block from args */
8582 for (argp = args; *argp; argp++, arglen--) {
8583 if (*argp == '{') { /* Assume matching '}' */
8584 /* Add that to our file */
8585 CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
8587 /* Make sure we end with a LF */
8588 if (argp[arglen-1] != '\n') {
8589 CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
8595 CHECK(isc_stdio_close(fp));
8597 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8598 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8599 "zone %s added to view %s via addzone",
8600 zonename, viewname);
8602 result = ISC_R_SUCCESS;
8605 if (isc_buffer_usedlength(text) > 0)
8608 isc_stdio_close(fp);
8609 if (parser != NULL) {
8611 cfg_obj_destroy(parser, &config);
8612 cfg_parser_destroy(&parser);
8615 dns_zone_detach(&zone);
8617 dns_view_detach(&view);
8623 * Act on a "delzone" command from the command channel.
8626 ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) {
8627 isc_result_t result, tresult;
8628 dns_zone_t *zone = NULL;
8629 dns_view_t *view = NULL;
8630 dns_db_t *dbp = NULL;
8631 const char *filename = NULL;
8632 char *tmpname = NULL;
8634 char zonename[DNS_NAME_FORMATSIZE];
8635 size_t znamelen = 0;
8636 FILE *ifp = NULL, *ofp = NULL;
8637 isc_boolean_t inheader = ISC_TRUE;
8639 /* Parse parameters */
8640 CHECK(zone_from_args(server, lex, NULL, &zone, zonename,
8644 result = ISC_R_UNEXPECTEDEND;
8649 * Was this zone originally added at runtime?
8650 * If not, we can't delete it now.
8652 if (!dns_zone_getadded(zone)) {
8653 result = ISC_R_NOPERM;
8657 /* Is this a policy zone? */
8658 if (dns_zone_get_rpz(zone)) {
8659 TCHECK(putstr(text, "zone '"));
8660 TCHECK(putstr(text, zonename));
8662 "' cannot be deleted: response-policy zone."));
8663 result = ISC_R_FAILURE;
8667 znamelen = strlen(zonename);
8669 /* Dig out configuration for this zone */
8670 view = dns_zone_getview(zone);
8671 filename = view->new_zone_file;
8672 if (filename == NULL) {
8673 /* No adding zones in this view */
8674 result = ISC_R_FAILURE;
8678 /* Rewrite zone list */
8679 result = isc_stdio_open(filename, "r", &ifp);
8680 if (ifp != NULL && result == ISC_R_SUCCESS) {
8681 char *found = NULL, *p = NULL;
8684 /* Create a temporary file */
8685 CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
8687 if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
8688 result = ISC_R_NOMEMORY;
8691 CHECK(isc_stdio_open(tmpname, "w", &ofp));
8692 CHECK(add_comment(ofp, view->name));
8694 /* Look for the entry for that zone */
8695 while (fgets(buf, 1024, ifp)) {
8696 /* Skip initial comment, if any */
8697 if (inheader && *buf == '#')
8700 inheader = ISC_FALSE;
8703 * Any other lines not starting with zone, copy
8704 * them out and continue.
8706 if (strncasecmp(buf, "zone", 4) != 0) {
8712 /* This is a zone; find its name. */
8714 ((*p == '"') || isspace((unsigned char)*p)))
8718 * If it's not the zone we're looking for, copy
8719 * it out and continue
8721 if (strncasecmp(p, zonename, znamelen) != 0) {
8727 * But if it is the zone we want, skip over it
8728 * so it will be omitted from the new file
8731 if (isspace((unsigned char)*p) ||
8732 *p == '"' || *p == '{') {
8733 /* This must be the entry */
8738 /* Copy the rest of the buffer out and continue */
8742 /* Skip over an option block (matching # of braces) */
8744 int obrace = 0, cbrace = 0;
8747 if (*p == '{') obrace++;
8748 if (*p == '}') cbrace++;
8751 if (obrace && (obrace == cbrace))
8753 if (!fgets(buf, 1024, ifp))
8758 /* Just spool the remainder of the file out */
8759 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
8761 if (result == ISC_R_EOF)
8762 result = ISC_R_SUCCESS;
8764 isc_stdio_write(buf, 1, n, ofp, NULL);
8765 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
8769 * Close files before overwriting the nzfile
8770 * with the temporary file as it's necessary on
8771 * some platforms (win32).
8773 (void) isc_stdio_close(ifp);
8775 (void) isc_stdio_close(ofp);
8778 /* Move temporary into place */
8779 CHECK(isc_file_rename(tmpname, view->new_zone_file));
8781 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8782 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
8783 "deleted zone %s was missing from "
8784 "new zone file", zonename);
8789 /* Stop answering for this zone */
8790 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
8791 dns_db_detach(&dbp);
8792 dns_zone_unload(zone);
8795 CHECK(dns_zt_unmount(view->zonetable, zone));
8797 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8798 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8799 "zone %s removed via delzone", zonename);
8801 result = ISC_R_SUCCESS;
8804 if (isc_buffer_usedlength(text) > 0)
8807 isc_stdio_close(ifp);
8809 isc_stdio_close(ofp);
8810 if (tmpname != NULL) {
8811 isc_file_remove(tmpname);
8812 isc_mem_free(server->mctx, tmpname);
8815 dns_zone_detach(&zone);
8821 newzone_cfgctx_destroy(void **cfgp) {
8822 struct cfg_context *cfg;
8824 REQUIRE(cfgp != NULL && *cfgp != NULL);
8828 if (cfg->actx != NULL)
8829 cfg_aclconfctx_detach(&cfg->actx);
8831 if (cfg->parser != NULL) {
8832 if (cfg->config != NULL)
8833 cfg_obj_destroy(cfg->parser, &cfg->config);
8834 cfg_parser_destroy(&cfg->parser);
8836 if (cfg->nzparser != NULL) {
8837 if (cfg->nzconfig != NULL)
8838 cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
8839 cfg_parser_destroy(&cfg->nzparser);
8842 isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
8847 ns_server_signing(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) {
8848 isc_result_t result = ISC_R_SUCCESS;
8849 dns_zone_t *zone = NULL;
8851 dns_db_t *db = NULL;
8852 dns_dbnode_t *node = NULL;
8853 dns_dbversion_t *version = NULL;
8854 dns_rdatatype_t privatetype;
8855 dns_rdataset_t privset;
8856 isc_boolean_t first = ISC_TRUE;
8857 isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
8858 isc_boolean_t chain = ISC_FALSE;
8859 char keystr[DNS_SECALG_FORMATSIZE + 7]; /* <5-digit keyid>/<alg> */
8860 unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
8861 unsigned char salt[255];
8865 dns_rdataset_init(&privset);
8867 /* Skip the command name. */
8868 ptr = next_token(lex, text);
8870 return (ISC_R_UNEXPECTEDEND);
8872 /* Find out what we are to do. */
8873 ptr = next_token(lex, text);
8875 return (ISC_R_UNEXPECTEDEND);
8877 if (strcasecmp(ptr, "-list") == 0)
8879 else if ((strcasecmp(ptr, "-clear") == 0) ||
8880 (strcasecmp(ptr, "-clean") == 0))
8883 ptr = next_token(lex, text);
8885 return (ISC_R_UNEXPECTEDEND);
8886 strlcpy(keystr, ptr, sizeof(keystr));
8887 } else if (strcasecmp(ptr, "-nsec3param") == 0) {
8888 char hashbuf[64], flagbuf[64], iterbuf[64];
8892 ptr = next_token(lex, text);
8894 return (ISC_R_UNEXPECTEDEND);
8896 if (strcasecmp(ptr, "none") == 0)
8899 strlcpy(hashbuf, ptr, sizeof(hashbuf));
8901 ptr = next_token(lex, text);
8903 return (ISC_R_UNEXPECTEDEND);
8904 strlcpy(flagbuf, ptr, sizeof(flagbuf));
8906 ptr = next_token(lex, text);
8908 return (ISC_R_UNEXPECTEDEND);
8909 strlcpy(iterbuf, ptr, sizeof(iterbuf));
8911 n = snprintf(nbuf, sizeof(nbuf), "%s %s %s",
8912 hashbuf, flagbuf, iterbuf);
8913 if (n == sizeof(nbuf))
8914 return (ISC_R_NOSPACE);
8915 n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
8917 return (ISC_R_BADNUMBER);
8919 if (hash > 0xffU || flags > 0xffU)
8920 return (ISC_R_RANGE);
8922 ptr = next_token(lex, text);
8924 return (ISC_R_UNEXPECTEDEND);
8925 if (strcmp(ptr, "-") != 0) {
8928 isc_buffer_init(&buf, salt, sizeof(salt));
8929 CHECK(isc_hex_decodestring(ptr, &buf));
8930 saltlen = isc_buffer_usedlength(&buf);
8934 CHECK(DNS_R_SYNTAX);
8936 CHECK(zone_from_args(server, lex, NULL, &zone, NULL,
8939 CHECK(ISC_R_UNEXPECTEDEND);
8942 CHECK(dns_zone_keydone(zone, keystr));
8943 putstr(text, "request queued");
8946 CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash,
8947 (isc_uint8_t)flags, iter,
8948 (isc_uint8_t)saltlen, salt,
8950 putstr(text, "request queued");
8953 privatetype = dns_zone_getprivatetype(zone);
8954 origin = dns_zone_getorigin(zone);
8955 CHECK(dns_zone_getdb(zone, &db));
8956 CHECK(dns_db_findnode(db, origin, ISC_FALSE, &node));
8957 dns_db_currentversion(db, &version);
8959 result = dns_db_findrdataset(db, node, version, privatetype,
8960 dns_rdatatype_none, 0,
8962 if (result == ISC_R_NOTFOUND) {
8963 putstr(text, "No signing records found");
8965 result = ISC_R_SUCCESS;
8969 for (result = dns_rdataset_first(&privset);
8970 result == ISC_R_SUCCESS;
8971 result = dns_rdataset_next(&privset))
8973 dns_rdata_t priv = DNS_RDATA_INIT;
8974 char output[BUFSIZ];
8977 dns_rdataset_current(&privset, &priv);
8979 isc_buffer_init(&buf, output, sizeof(output));
8980 CHECK(dns_private_totext(&priv, &buf));
8986 n = snprintf((char *)isc_buffer_used(text),
8987 isc_buffer_availablelength(text),
8989 if (n >= isc_buffer_availablelength(text))
8990 CHECK(ISC_R_NOSPACE);
8992 isc_buffer_add(text, (unsigned int)n);
8997 if (result == ISC_R_NOMORE)
8998 result = ISC_R_SUCCESS;
9002 if (dns_rdataset_isassociated(&privset))
9003 dns_rdataset_disassociate(&privset);
9005 dns_db_detachnode(db, &node);
9006 if (version != NULL)
9007 dns_db_closeversion(db, &version, ISC_FALSE);
9011 dns_zone_detach(&zone);
9017 putstr(isc_buffer_t *b, const char *str) {
9018 unsigned int l = strlen(str);
9021 * Use >= to leave space for NUL termination.
9023 if (l >= isc_buffer_availablelength(b))
9024 return (ISC_R_NOSPACE);
9026 isc_buffer_putmem(b, (const unsigned char *)str, l);
9027 return (ISC_R_SUCCESS);
9031 putnull(isc_buffer_t *b) {
9032 if (isc_buffer_availablelength(b) == 0)
9033 return (ISC_R_NOSPACE);
9035 isc_buffer_putuint8(b, 0);
9036 return (ISC_R_SUCCESS);