2 * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: server.c,v 1.599.8.19 2012/02/22 00:33:32 each Exp $ */
28 #include <sys/types.h>
32 #include <isc/base64.h>
34 #include <isc/entropy.h>
37 #include <isc/httpd.h>
39 #include <isc/parseint.h>
40 #include <isc/portset.h>
41 #include <isc/print.h>
42 #include <isc/resource.h>
44 #include <isc/socket.h>
46 #include <isc/stats.h>
47 #include <isc/stdio.h>
48 #include <isc/string.h>
50 #include <isc/timer.h>
54 #include <isccfg/namedconf.h>
56 #include <bind9/check.h>
58 #include <dns/acache.h>
60 #include <dns/cache.h>
62 #include <dns/dispatch.h>
64 #include <dns/dns64.h>
65 #include <dns/forward.h>
66 #include <dns/journal.h>
67 #include <dns/keytable.h>
68 #include <dns/keyvalues.h>
70 #include <dns/master.h>
71 #include <dns/masterdump.h>
72 #include <dns/order.h>
74 #include <dns/portlist.h>
76 #include <dns/rdataclass.h>
77 #include <dns/rdatalist.h>
78 #include <dns/rdataset.h>
79 #include <dns/rdatastruct.h>
80 #include <dns/resolver.h>
81 #include <dns/rootns.h>
82 #include <dns/secalg.h>
84 #include <dns/stats.h>
92 #include <dst/result.h>
94 #include <named/client.h>
95 #include <named/config.h>
96 #include <named/control.h>
97 #include <named/interfacemgr.h>
98 #include <named/log.h>
99 #include <named/logconf.h>
100 #include <named/lwresd.h>
101 #include <named/main.h>
102 #include <named/os.h>
103 #include <named/server.h>
104 #include <named/statschannel.h>
105 #include <named/tkeyconf.h>
106 #include <named/tsigconf.h>
107 #include <named/zoneconf.h>
109 #include <named/ns_smf_globals.h>
114 #define PATH_MAX 1024
118 * Check an operation for failure. Assumes that the function
119 * using it has a 'result' variable and a 'cleanup' label.
122 do { result = (op); \
123 if (result != ISC_R_SUCCESS) goto cleanup; \
126 #define CHECKM(op, msg) \
127 do { result = (op); \
128 if (result != ISC_R_SUCCESS) { \
129 isc_log_write(ns_g_lctx, \
130 NS_LOGCATEGORY_GENERAL, \
131 NS_LOGMODULE_SERVER, \
134 isc_result_totext(result)); \
139 #define CHECKMF(op, msg, file) \
140 do { result = (op); \
141 if (result != ISC_R_SUCCESS) { \
142 isc_log_write(ns_g_lctx, \
143 NS_LOGCATEGORY_GENERAL, \
144 NS_LOGMODULE_SERVER, \
146 "%s '%s': %s", msg, file, \
147 isc_result_totext(result)); \
152 #define CHECKFATAL(op, msg) \
153 do { result = (op); \
154 if (result != ISC_R_SUCCESS) \
155 fatal(msg, result); \
159 * Maximum ADB size for views that share a cache. Use this limit to suppress
160 * the total of memory footprint, which should be the main reason for sharing
161 * a cache. Only effective when a finite max-cache-size is specified.
162 * This is currently defined to be 8MB.
164 #define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
168 unsigned int dispatchgen;
169 dns_dispatch_t *dispatch;
170 ISC_LINK(struct ns_dispatch) link;
175 dns_view_t *primaryview;
176 isc_boolean_t needflush;
177 isc_boolean_t adbsizeadjusted;
178 ISC_LINK(ns_cache_t) link;
183 isc_boolean_t dumpcache;
184 isc_boolean_t dumpzones;
186 ISC_LIST(struct viewlistentry) viewlist;
187 struct viewlistentry *view;
188 struct zonelistentry *zone;
189 dns_dumpctx_t *mdctx;
193 dns_dbversion_t *version;
196 struct viewlistentry {
198 ISC_LINK(struct viewlistentry) link;
199 ISC_LIST(struct zonelistentry) zonelist;
202 struct zonelistentry {
204 ISC_LINK(struct zonelistentry) link;
208 * Configuration context to retain for each view that allows
209 * new zones to be added at runtime.
213 cfg_parser_t * parser;
215 cfg_parser_t * nzparser;
216 cfg_obj_t * nzconfig;
217 cfg_aclconfctx_t * actx;
221 * These zones should not leak onto the Internet.
223 static const struct {
225 isc_boolean_t rfc1918;
228 { "10.IN-ADDR.ARPA", ISC_TRUE },
229 { "16.172.IN-ADDR.ARPA", ISC_TRUE },
230 { "17.172.IN-ADDR.ARPA", ISC_TRUE },
231 { "18.172.IN-ADDR.ARPA", ISC_TRUE },
232 { "19.172.IN-ADDR.ARPA", ISC_TRUE },
233 { "20.172.IN-ADDR.ARPA", ISC_TRUE },
234 { "21.172.IN-ADDR.ARPA", ISC_TRUE },
235 { "22.172.IN-ADDR.ARPA", ISC_TRUE },
236 { "23.172.IN-ADDR.ARPA", ISC_TRUE },
237 { "24.172.IN-ADDR.ARPA", ISC_TRUE },
238 { "25.172.IN-ADDR.ARPA", ISC_TRUE },
239 { "26.172.IN-ADDR.ARPA", ISC_TRUE },
240 { "27.172.IN-ADDR.ARPA", ISC_TRUE },
241 { "28.172.IN-ADDR.ARPA", ISC_TRUE },
242 { "29.172.IN-ADDR.ARPA", ISC_TRUE },
243 { "30.172.IN-ADDR.ARPA", ISC_TRUE },
244 { "31.172.IN-ADDR.ARPA", ISC_TRUE },
245 { "168.192.IN-ADDR.ARPA", ISC_TRUE },
248 { "64.100.IN-ADDR.ARPA", ISC_FALSE },
249 { "65.100.IN-ADDR.ARPA", ISC_FALSE },
250 { "66.100.IN-ADDR.ARPA", ISC_FALSE },
251 { "67.100.IN-ADDR.ARPA", ISC_FALSE },
252 { "68.100.IN-ADDR.ARPA", ISC_FALSE },
253 { "69.100.IN-ADDR.ARPA", ISC_FALSE },
254 { "70.100.IN-ADDR.ARPA", ISC_FALSE },
255 { "71.100.IN-ADDR.ARPA", ISC_FALSE },
256 { "72.100.IN-ADDR.ARPA", ISC_FALSE },
257 { "73.100.IN-ADDR.ARPA", ISC_FALSE },
258 { "74.100.IN-ADDR.ARPA", ISC_FALSE },
259 { "75.100.IN-ADDR.ARPA", ISC_FALSE },
260 { "76.100.IN-ADDR.ARPA", ISC_FALSE },
261 { "77.100.IN-ADDR.ARPA", ISC_FALSE },
262 { "78.100.IN-ADDR.ARPA", ISC_FALSE },
263 { "79.100.IN-ADDR.ARPA", ISC_FALSE },
264 { "80.100.IN-ADDR.ARPA", ISC_FALSE },
265 { "81.100.IN-ADDR.ARPA", ISC_FALSE },
266 { "82.100.IN-ADDR.ARPA", ISC_FALSE },
267 { "83.100.IN-ADDR.ARPA", ISC_FALSE },
268 { "84.100.IN-ADDR.ARPA", ISC_FALSE },
269 { "85.100.IN-ADDR.ARPA", ISC_FALSE },
270 { "86.100.IN-ADDR.ARPA", ISC_FALSE },
271 { "87.100.IN-ADDR.ARPA", ISC_FALSE },
272 { "88.100.IN-ADDR.ARPA", ISC_FALSE },
273 { "89.100.IN-ADDR.ARPA", ISC_FALSE },
274 { "90.100.IN-ADDR.ARPA", ISC_FALSE },
275 { "91.100.IN-ADDR.ARPA", ISC_FALSE },
276 { "92.100.IN-ADDR.ARPA", ISC_FALSE },
277 { "93.100.IN-ADDR.ARPA", ISC_FALSE },
278 { "94.100.IN-ADDR.ARPA", ISC_FALSE },
279 { "95.100.IN-ADDR.ARPA", ISC_FALSE },
280 { "96.100.IN-ADDR.ARPA", ISC_FALSE },
281 { "97.100.IN-ADDR.ARPA", ISC_FALSE },
282 { "98.100.IN-ADDR.ARPA", ISC_FALSE },
283 { "99.100.IN-ADDR.ARPA", ISC_FALSE },
284 { "100.100.IN-ADDR.ARPA", ISC_FALSE },
285 { "101.100.IN-ADDR.ARPA", ISC_FALSE },
286 { "102.100.IN-ADDR.ARPA", ISC_FALSE },
287 { "103.100.IN-ADDR.ARPA", ISC_FALSE },
288 { "104.100.IN-ADDR.ARPA", ISC_FALSE },
289 { "105.100.IN-ADDR.ARPA", ISC_FALSE },
290 { "106.100.IN-ADDR.ARPA", ISC_FALSE },
291 { "107.100.IN-ADDR.ARPA", ISC_FALSE },
292 { "108.100.IN-ADDR.ARPA", ISC_FALSE },
293 { "109.100.IN-ADDR.ARPA", ISC_FALSE },
294 { "110.100.IN-ADDR.ARPA", ISC_FALSE },
295 { "111.100.IN-ADDR.ARPA", ISC_FALSE },
296 { "112.100.IN-ADDR.ARPA", ISC_FALSE },
297 { "113.100.IN-ADDR.ARPA", ISC_FALSE },
298 { "114.100.IN-ADDR.ARPA", ISC_FALSE },
299 { "115.100.IN-ADDR.ARPA", ISC_FALSE },
300 { "116.100.IN-ADDR.ARPA", ISC_FALSE },
301 { "117.100.IN-ADDR.ARPA", ISC_FALSE },
302 { "118.100.IN-ADDR.ARPA", ISC_FALSE },
303 { "119.100.IN-ADDR.ARPA", ISC_FALSE },
304 { "120.100.IN-ADDR.ARPA", ISC_FALSE },
305 { "121.100.IN-ADDR.ARPA", ISC_FALSE },
306 { "122.100.IN-ADDR.ARPA", ISC_FALSE },
307 { "123.100.IN-ADDR.ARPA", ISC_FALSE },
308 { "124.100.IN-ADDR.ARPA", ISC_FALSE },
309 { "125.100.IN-ADDR.ARPA", ISC_FALSE },
310 { "126.100.IN-ADDR.ARPA", ISC_FALSE },
311 { "127.100.IN-ADDR.ARPA", ISC_FALSE },
313 /* RFC 5735 and RFC 5737 */
314 { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
315 { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
316 { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */
317 { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */
318 { "100.51.198.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 2 */
319 { "113.0.203.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 3 */
320 { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */
322 /* Local IPv6 Unicast Addresses */
323 { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
324 { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
325 /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
326 { "D.F.IP6.ARPA", ISC_FALSE },
327 { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
328 { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
329 { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
330 { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
332 /* Example Prefix, RFC 3849. */
333 { "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
338 ISC_PLATFORM_NORETURN_PRE static void
339 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
342 ns_server_reload(isc_task_t *task, isc_event_t *event);
345 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
346 cfg_aclconfctx_t *actx,
347 isc_mem_t *mctx, ns_listenelt_t **target);
349 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
350 cfg_aclconfctx_t *actx,
351 isc_mem_t *mctx, ns_listenlist_t **target);
354 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
355 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
358 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
359 const cfg_obj_t *alternates);
362 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
363 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
364 cfg_aclconfctx_t *aclconf, isc_boolean_t added);
367 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
370 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
373 newzone_cfgctx_destroy(void **cfgp);
376 putstr(isc_buffer_t *b, const char *str);
379 add_comment(FILE *fp, const char *viewname);
382 * Configure a single view ACL at '*aclp'. Get its configuration from
383 * 'vconfig' (for per-view configuration) and maybe from 'config'
386 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
387 const char *aclname, const char *acltuplename,
388 cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
391 const cfg_obj_t *maps[3];
392 const cfg_obj_t *aclobj = NULL;
396 dns_acl_detach(aclp);
398 maps[i++] = cfg_tuple_get(vconfig, "options");
399 if (config != NULL) {
400 const cfg_obj_t *options = NULL;
401 (void)cfg_map_get(config, "options", &options);
407 (void)ns_config_get(maps, aclname, &aclobj);
410 * No value available. *aclp == NULL.
412 return (ISC_R_SUCCESS);
414 if (acltuplename != NULL) {
416 * If the ACL is given in an optional tuple, retrieve it.
417 * The parser should have ensured that a valid object be
420 aclobj = cfg_tuple_get(aclobj, acltuplename);
423 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
424 actx, mctx, 0, aclp);
430 * Configure a sortlist at '*aclp'. Essentially the same as
431 * configure_view_acl() except it calls cfg_acl_fromconfig with a
432 * nest_level value of 2.
435 configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
436 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
440 const cfg_obj_t *maps[3];
441 const cfg_obj_t *aclobj = NULL;
445 dns_acl_detach(aclp);
447 maps[i++] = cfg_tuple_get(vconfig, "options");
448 if (config != NULL) {
449 const cfg_obj_t *options = NULL;
450 (void)cfg_map_get(config, "options", &options);
456 (void)ns_config_get(maps, "sortlist", &aclobj);
458 return (ISC_R_SUCCESS);
461 * Use a nest level of 3 for the "top level" of the sortlist;
462 * this means each entry in the top three levels will be stored
463 * as lists of separate, nested ACLs, rather than merged together
464 * into IP tables as is usually done with ACLs.
466 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
467 actx, mctx, 3, aclp);
473 configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
474 const char *confname, const char *conftuplename,
475 isc_mem_t *mctx, dns_rbt_t **rbtp)
478 const cfg_obj_t *maps[3];
479 const cfg_obj_t *obj = NULL;
480 const cfg_listelt_t *element;
482 dns_fixedname_t fixed;
486 const cfg_obj_t *nameobj;
489 dns_rbt_destroy(rbtp);
491 maps[i++] = cfg_tuple_get(vconfig, "options");
492 if (config != NULL) {
493 const cfg_obj_t *options = NULL;
494 (void)cfg_map_get(config, "options", &options);
500 (void)ns_config_get(maps, confname, &obj);
503 * No value available. *rbtp == NULL.
505 return (ISC_R_SUCCESS);
507 if (conftuplename != NULL) {
508 obj = cfg_tuple_get(obj, conftuplename);
509 if (cfg_obj_isvoid(obj))
510 return (ISC_R_SUCCESS);
513 result = dns_rbt_create(mctx, NULL, NULL, rbtp);
514 if (result != ISC_R_SUCCESS)
517 dns_fixedname_init(&fixed);
518 name = dns_fixedname_name(&fixed);
519 for (element = cfg_list_first(obj);
521 element = cfg_list_next(element)) {
522 nameobj = cfg_listelt_value(element);
523 str = cfg_obj_asstring(nameobj);
524 isc_buffer_constinit(&b, str, strlen(str));
525 isc_buffer_add(&b, strlen(str));
526 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
528 * We don't need the node data, but need to set dummy data to
529 * avoid a partial match with an empty node. For example, if
530 * we have foo.example.com and bar.example.com, we'd get a match
531 * for baz.example.com, which is not the expected result.
532 * We simply use (void *)1 as the dummy data.
534 result = dns_rbt_addname(*rbtp, name, (void *)1);
535 if (result != ISC_R_SUCCESS) {
536 cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
537 "failed to add %s for %s: %s",
538 str, confname, isc_result_totext(result));
547 dns_rbt_destroy(rbtp);
553 dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
554 isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
556 dns_rdataclass_t viewclass;
557 dns_rdata_dnskey_t keystruct;
558 isc_uint32_t flags, proto, alg;
559 const char *keystr, *keynamestr;
560 unsigned char keydata[4096];
561 isc_buffer_t keydatabuf;
562 unsigned char rrdata[4096];
563 isc_buffer_t rrdatabuf;
565 dns_fixedname_t fkeyname;
567 isc_buffer_t namebuf;
569 dst_key_t *dstkey = NULL;
571 INSIST(target != NULL && *target == NULL);
573 flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
574 proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
575 alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
576 keyname = dns_fixedname_name(&fkeyname);
577 keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
580 const char *initmethod;
581 initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
583 if (strcasecmp(initmethod, "initial-key") != 0) {
584 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
586 "invalid initialization method '%s'",
587 keynamestr, initmethod);
588 result = ISC_R_FAILURE;
594 viewclass = dns_rdataclass_in;
596 const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
597 CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
600 keystruct.common.rdclass = viewclass;
601 keystruct.common.rdtype = dns_rdatatype_dnskey;
603 * The key data in keystruct is not dynamically allocated.
605 keystruct.mctx = NULL;
607 ISC_LINK_INIT(&keystruct.common, link);
610 CHECKM(ISC_R_RANGE, "key flags");
612 CHECKM(ISC_R_RANGE, "key protocol");
614 CHECKM(ISC_R_RANGE, "key algorithm");
615 keystruct.flags = (isc_uint16_t)flags;
616 keystruct.protocol = (isc_uint8_t)proto;
617 keystruct.algorithm = (isc_uint8_t)alg;
619 isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
620 isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
622 keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
623 CHECK(isc_base64_decodestring(keystr, &keydatabuf));
624 isc_buffer_usedregion(&keydatabuf, &r);
625 keystruct.datalen = r.length;
626 keystruct.data = r.base;
628 if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
629 keystruct.algorithm == DST_ALG_RSAMD5) &&
630 r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
631 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
632 "%s key '%s' has a weak exponent",
633 managed ? "managed" : "trusted",
636 CHECK(dns_rdata_fromstruct(NULL,
637 keystruct.common.rdclass,
638 keystruct.common.rdtype,
639 &keystruct, &rrdatabuf));
640 dns_fixedname_init(&fkeyname);
641 isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
642 isc_buffer_add(&namebuf, strlen(keynamestr));
643 CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
644 CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
648 return (ISC_R_SUCCESS);
651 if (result == DST_R_NOCRYPTO) {
652 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
653 "ignoring %s key for '%s': no crypto support",
654 managed ? "managed" : "trusted",
656 } else if (result == DST_R_UNSUPPORTEDALG) {
657 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
658 "skipping %s key for '%s': %s",
659 managed ? "managed" : "trusted",
660 keynamestr, isc_result_totext(result));
662 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
663 "configuring %s key for '%s': %s",
664 managed ? "managed" : "trusted",
665 keynamestr, isc_result_totext(result));
666 result = ISC_R_FAILURE;
670 dst_key_free(&dstkey);
676 load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
677 dns_view_t *view, isc_boolean_t managed,
678 dns_name_t *keyname, isc_mem_t *mctx)
680 const cfg_listelt_t *elt, *elt2;
681 const cfg_obj_t *key, *keylist;
682 dst_key_t *dstkey = NULL;
684 dns_keytable_t *secroots = NULL;
686 CHECK(dns_view_getsecroots(view, &secroots));
688 for (elt = cfg_list_first(keys);
690 elt = cfg_list_next(elt)) {
691 keylist = cfg_listelt_value(elt);
693 for (elt2 = cfg_list_first(keylist);
695 elt2 = cfg_list_next(elt2)) {
696 key = cfg_listelt_value(elt2);
697 result = dstkey_fromconfig(vconfig, key, managed,
699 if (result == DST_R_UNSUPPORTEDALG) {
700 result = ISC_R_SUCCESS;
703 if (result != ISC_R_SUCCESS)
707 * If keyname was specified, we only add that key.
709 if (keyname != NULL &&
710 !dns_name_equal(keyname, dst_key_name(dstkey)))
712 dst_key_free(&dstkey);
716 CHECK(dns_keytable_add(secroots, managed, &dstkey));
722 dst_key_free(&dstkey);
723 if (secroots != NULL)
724 dns_keytable_detach(&secroots);
725 if (result == DST_R_NOCRYPTO)
726 result = ISC_R_SUCCESS;
731 * Configure DNSSEC keys for a view.
733 * The per-view configuration values and the server-global defaults are read
734 * from 'vconfig' and 'config'.
737 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
738 const cfg_obj_t *config, const cfg_obj_t *bindkeys,
739 isc_boolean_t auto_dlv, isc_boolean_t auto_root,
742 isc_result_t result = ISC_R_SUCCESS;
743 const cfg_obj_t *view_keys = NULL;
744 const cfg_obj_t *global_keys = NULL;
745 const cfg_obj_t *view_managed_keys = NULL;
746 const cfg_obj_t *global_managed_keys = NULL;
747 const cfg_obj_t *maps[4];
748 const cfg_obj_t *voptions = NULL;
749 const cfg_obj_t *options = NULL;
750 const cfg_obj_t *obj = NULL;
751 const char *directory;
754 /* We don't need trust anchors for the _bind view */
755 if (strcmp(view->name, "_bind") == 0 &&
756 view->rdclass == dns_rdataclass_chaos) {
757 return (ISC_R_SUCCESS);
760 if (vconfig != NULL) {
761 voptions = cfg_tuple_get(vconfig, "options");
762 if (voptions != NULL) {
763 (void) cfg_map_get(voptions, "trusted-keys",
765 (void) cfg_map_get(voptions, "managed-keys",
767 maps[i++] = voptions;
771 if (config != NULL) {
772 (void)cfg_map_get(config, "trusted-keys", &global_keys);
773 (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
774 (void)cfg_map_get(config, "options", &options);
775 if (options != NULL) {
780 maps[i++] = ns_g_defaults;
783 result = dns_view_initsecroots(view, mctx);
784 if (result != ISC_R_SUCCESS) {
785 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
786 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
787 "couldn't create keytable");
788 return (ISC_R_UNEXPECTED);
791 if (auto_dlv && view->rdclass == dns_rdataclass_in) {
792 const cfg_obj_t *builtin_keys = NULL;
793 const cfg_obj_t *builtin_managed_keys = NULL;
795 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
796 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
797 "using built-in DLV key for view %s",
801 * If bind.keys exists, it overrides the managed-keys
802 * clause hard-coded in ns_g_config.
804 if (bindkeys != NULL) {
805 (void)cfg_map_get(bindkeys, "trusted-keys",
807 (void)cfg_map_get(bindkeys, "managed-keys",
808 &builtin_managed_keys);
810 (void)cfg_map_get(ns_g_config, "trusted-keys",
812 (void)cfg_map_get(ns_g_config, "managed-keys",
813 &builtin_managed_keys);
816 if (builtin_keys != NULL)
817 CHECK(load_view_keys(builtin_keys, vconfig, view,
818 ISC_FALSE, view->dlv, mctx));
819 if (builtin_managed_keys != NULL)
820 CHECK(load_view_keys(builtin_managed_keys, vconfig,
821 view, ISC_TRUE, view->dlv, mctx));
824 if (auto_root && view->rdclass == dns_rdataclass_in) {
825 const cfg_obj_t *builtin_keys = NULL;
826 const cfg_obj_t *builtin_managed_keys = NULL;
828 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
829 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
830 "using built-in root key for view %s",
834 * If bind.keys exists, it overrides the managed-keys
835 * clause hard-coded in ns_g_config.
837 if (bindkeys != NULL) {
838 (void)cfg_map_get(bindkeys, "trusted-keys",
840 (void)cfg_map_get(bindkeys, "managed-keys",
841 &builtin_managed_keys);
843 (void)cfg_map_get(ns_g_config, "trusted-keys",
845 (void)cfg_map_get(ns_g_config, "managed-keys",
846 &builtin_managed_keys);
849 if (builtin_keys != NULL)
850 CHECK(load_view_keys(builtin_keys, vconfig, view,
851 ISC_FALSE, dns_rootname, mctx));
852 if (builtin_managed_keys != NULL)
853 CHECK(load_view_keys(builtin_managed_keys, vconfig,
854 view, ISC_TRUE, dns_rootname,
858 CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
860 CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
863 if (view->rdclass == dns_rdataclass_in) {
864 CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
866 CHECK(load_view_keys(global_managed_keys, vconfig, view,
867 ISC_TRUE, NULL, mctx));
871 * Add key zone for managed-keys.
874 (void)ns_config_get(maps, "managed-keys-directory", &obj);
875 directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
876 if (directory != NULL)
877 result = isc_file_isdirectory(directory);
878 if (result != ISC_R_SUCCESS) {
879 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
880 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
881 "invalid managed-keys-directory %s: %s",
882 directory, isc_result_totext(result));
886 CHECK(add_keydata_zone(view, directory, ns_g_mctx));
893 mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
894 const cfg_listelt_t *element;
895 const cfg_obj_t *obj;
897 dns_fixedname_t fixed;
903 dns_fixedname_init(&fixed);
904 name = dns_fixedname_name(&fixed);
905 for (element = cfg_list_first(mbs);
907 element = cfg_list_next(element))
909 obj = cfg_listelt_value(element);
910 str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
911 isc_buffer_constinit(&b, str, strlen(str));
912 isc_buffer_add(&b, strlen(str));
913 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
914 value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
915 CHECK(dns_resolver_setmustbesecure(resolver, name, value));
918 result = ISC_R_SUCCESS;
925 * Get a dispatch appropriate for the resolver of a given view.
928 get_view_querysource_dispatch(const cfg_obj_t **maps,
929 int af, dns_dispatch_t **dispatchp,
930 isc_boolean_t is_firstview)
932 isc_result_t result = ISC_R_FAILURE;
933 dns_dispatch_t *disp;
935 unsigned int attrs, attrmask;
936 const cfg_obj_t *obj = NULL;
937 unsigned int maxdispatchbuffers;
941 result = ns_config_get(maps, "query-source", &obj);
942 INSIST(result == ISC_R_SUCCESS);
945 result = ns_config_get(maps, "query-source-v6", &obj);
946 INSIST(result == ISC_R_SUCCESS);
952 sa = *(cfg_obj_assockaddr(obj));
953 INSIST(isc_sockaddr_pf(&sa) == af);
956 * If we don't support this address family, we're done!
960 result = isc_net_probeipv4();
963 result = isc_net_probeipv6();
968 if (result != ISC_R_SUCCESS)
969 return (ISC_R_SUCCESS);
972 * Try to find a dispatcher that we can share.
975 attrs |= DNS_DISPATCHATTR_UDP;
978 attrs |= DNS_DISPATCHATTR_IPV4;
981 attrs |= DNS_DISPATCHATTR_IPV6;
984 if (isc_sockaddr_getport(&sa) == 0) {
985 attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
986 maxdispatchbuffers = 4096;
990 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
991 "using specific query-source port "
992 "suppresses port randomization and can be "
995 maxdispatchbuffers = 1000;
999 attrmask |= DNS_DISPATCHATTR_UDP;
1000 attrmask |= DNS_DISPATCHATTR_TCP;
1001 attrmask |= DNS_DISPATCHATTR_IPV4;
1002 attrmask |= DNS_DISPATCHATTR_IPV6;
1005 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
1006 ns_g_taskmgr, &sa, 4096,
1007 maxdispatchbuffers, 32768, 16411, 16433,
1008 attrs, attrmask, &disp);
1009 if (result != ISC_R_SUCCESS) {
1011 char buf[ISC_SOCKADDR_FORMATSIZE];
1015 isc_sockaddr_any(&any);
1018 isc_sockaddr_any6(&any);
1021 if (isc_sockaddr_equal(&sa, &any))
1022 return (ISC_R_SUCCESS);
1023 isc_sockaddr_format(&sa, buf, sizeof(buf));
1024 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1025 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
1026 "could not get query source dispatcher (%s)",
1033 return (ISC_R_SUCCESS);
1037 configure_order(dns_order_t *order, const cfg_obj_t *ent) {
1038 dns_rdataclass_t rdclass;
1039 dns_rdatatype_t rdtype;
1040 const cfg_obj_t *obj;
1041 dns_fixedname_t fixed;
1042 unsigned int mode = 0;
1045 isc_result_t result;
1046 isc_boolean_t addroot;
1048 result = ns_config_getclass(cfg_tuple_get(ent, "class"),
1049 dns_rdataclass_any, &rdclass);
1050 if (result != ISC_R_SUCCESS)
1053 result = ns_config_gettype(cfg_tuple_get(ent, "type"),
1054 dns_rdatatype_any, &rdtype);
1055 if (result != ISC_R_SUCCESS)
1058 obj = cfg_tuple_get(ent, "name");
1059 if (cfg_obj_isstring(obj))
1060 str = cfg_obj_asstring(obj);
1063 addroot = ISC_TF(strcmp(str, "*") == 0);
1064 isc_buffer_constinit(&b, str, strlen(str));
1065 isc_buffer_add(&b, strlen(str));
1066 dns_fixedname_init(&fixed);
1067 result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
1068 dns_rootname, 0, NULL);
1069 if (result != ISC_R_SUCCESS)
1072 obj = cfg_tuple_get(ent, "ordering");
1073 INSIST(cfg_obj_isstring(obj));
1074 str = cfg_obj_asstring(obj);
1075 if (!strcasecmp(str, "fixed"))
1076 mode = DNS_RDATASETATTR_FIXEDORDER;
1077 else if (!strcasecmp(str, "random"))
1078 mode = DNS_RDATASETATTR_RANDOMIZE;
1079 else if (!strcasecmp(str, "cyclic"))
1085 * "*" should match everything including the root (BIND 8 compat).
1086 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
1087 * explicit entry for "." when the name is "*".
1090 result = dns_order_add(order, dns_rootname,
1091 rdtype, rdclass, mode);
1092 if (result != ISC_R_SUCCESS)
1096 return (dns_order_add(order, dns_fixedname_name(&fixed),
1097 rdtype, rdclass, mode));
1101 configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
1104 const cfg_obj_t *obj;
1106 isc_result_t result;
1107 unsigned int prefixlen;
1109 cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
1112 result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
1113 if (result != ISC_R_SUCCESS)
1117 (void)cfg_map_get(cpeer, "bogus", &obj);
1119 CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
1122 (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
1124 CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
1127 (void)cfg_map_get(cpeer, "request-ixfr", &obj);
1129 CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
1132 (void)cfg_map_get(cpeer, "request-nsid", &obj);
1134 CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
1137 (void)cfg_map_get(cpeer, "edns", &obj);
1139 CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
1142 (void)cfg_map_get(cpeer, "edns-udp-size", &obj);
1144 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1149 CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
1153 (void)cfg_map_get(cpeer, "max-udp-size", &obj);
1155 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1160 CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
1164 (void)cfg_map_get(cpeer, "transfers", &obj);
1166 CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
1169 (void)cfg_map_get(cpeer, "transfer-format", &obj);
1171 str = cfg_obj_asstring(obj);
1172 if (strcasecmp(str, "many-answers") == 0)
1173 CHECK(dns_peer_settransferformat(peer,
1175 else if (strcasecmp(str, "one-answer") == 0)
1176 CHECK(dns_peer_settransferformat(peer,
1183 (void)cfg_map_get(cpeer, "keys", &obj);
1185 result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
1186 if (result != ISC_R_SUCCESS)
1191 if (na.family == AF_INET)
1192 (void)cfg_map_get(cpeer, "transfer-source", &obj);
1194 (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
1196 result = dns_peer_settransfersource(peer,
1197 cfg_obj_assockaddr(obj));
1198 if (result != ISC_R_SUCCESS)
1200 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1204 if (na.family == AF_INET)
1205 (void)cfg_map_get(cpeer, "notify-source", &obj);
1207 (void)cfg_map_get(cpeer, "notify-source-v6", &obj);
1209 result = dns_peer_setnotifysource(peer,
1210 cfg_obj_assockaddr(obj));
1211 if (result != ISC_R_SUCCESS)
1213 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1217 if (na.family == AF_INET)
1218 (void)cfg_map_get(cpeer, "query-source", &obj);
1220 (void)cfg_map_get(cpeer, "query-source-v6", &obj);
1222 result = dns_peer_setquerysource(peer,
1223 cfg_obj_assockaddr(obj));
1224 if (result != ISC_R_SUCCESS)
1226 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1230 return (ISC_R_SUCCESS);
1233 dns_peer_detach(&peer);
1238 disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
1239 isc_result_t result;
1240 const cfg_obj_t *algorithms;
1241 const cfg_listelt_t *element;
1243 dns_fixedname_t fixed;
1247 dns_fixedname_init(&fixed);
1248 name = dns_fixedname_name(&fixed);
1249 str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
1250 isc_buffer_constinit(&b, str, strlen(str));
1251 isc_buffer_add(&b, strlen(str));
1252 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1254 algorithms = cfg_tuple_get(disabled, "algorithms");
1255 for (element = cfg_list_first(algorithms);
1257 element = cfg_list_next(element))
1262 DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
1263 r.length = strlen(r.base);
1265 result = dns_secalg_fromtext(&alg, &r);
1266 if (result != ISC_R_SUCCESS) {
1268 result = isc_parse_uint8(&ui, r.base, 10);
1271 if (result != ISC_R_SUCCESS) {
1272 cfg_obj_log(cfg_listelt_value(element),
1273 ns_g_lctx, ISC_LOG_ERROR,
1274 "invalid algorithm");
1277 CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
1283 static isc_boolean_t
1284 on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
1285 const cfg_listelt_t *element;
1286 dns_fixedname_t fixed;
1288 isc_result_t result;
1289 const cfg_obj_t *value;
1293 dns_fixedname_init(&fixed);
1294 name = dns_fixedname_name(&fixed);
1296 for (element = cfg_list_first(disablelist);
1298 element = cfg_list_next(element))
1300 value = cfg_listelt_value(element);
1301 str = cfg_obj_asstring(value);
1302 isc_buffer_constinit(&b, str, strlen(str));
1303 isc_buffer_add(&b, strlen(str));
1304 result = dns_name_fromtext(name, &b, dns_rootname,
1306 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1307 if (dns_name_equal(name, zonename))
1314 check_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv,
1319 isc_result_t result = ISC_R_SUCCESS;
1321 CHECK(dns_zone_getdbtype(zone, &argv, mctx));
1324 * Check that all the arguments match.
1326 for (i = 0; i < dbtypec; i++)
1327 if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
1328 CHECK(ISC_R_FAILURE);
1333 * Check that there are not extra arguments.
1335 if (i == dbtypec && argv[i] != NULL)
1336 result = ISC_R_FAILURE;
1339 isc_mem_free(mctx, argv);
1344 setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
1345 isc_result_t result;
1346 isc_stats_t *zoneqrystats;
1348 zoneqrystats = NULL;
1350 result = isc_stats_create(mctx, &zoneqrystats,
1351 dns_nsstatscounter_max);
1352 if (result != ISC_R_SUCCESS)
1355 dns_zone_setrequeststats(zone, zoneqrystats);
1356 if (zoneqrystats != NULL)
1357 isc_stats_detach(&zoneqrystats);
1359 return (ISC_R_SUCCESS);
1363 cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
1366 for (nsc = ISC_LIST_HEAD(*cachelist);
1368 nsc = ISC_LIST_NEXT(nsc, link)) {
1369 if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
1376 static isc_boolean_t
1377 cache_reusable(dns_view_t *originview, dns_view_t *view,
1378 isc_boolean_t new_zero_no_soattl)
1380 if (originview->checknames != view->checknames ||
1381 dns_resolver_getzeronosoattl(originview->resolver) !=
1382 new_zero_no_soattl ||
1383 originview->acceptexpired != view->acceptexpired ||
1384 originview->enablevalidation != view->enablevalidation ||
1385 originview->maxcachettl != view->maxcachettl ||
1386 originview->maxncachettl != view->maxncachettl) {
1393 static isc_boolean_t
1394 cache_sharable(dns_view_t *originview, dns_view_t *view,
1395 isc_boolean_t new_zero_no_soattl,
1396 unsigned int new_cleaning_interval,
1397 isc_uint32_t new_max_cache_size)
1400 * If the cache cannot even reused for the same view, it cannot be
1401 * shared with other views.
1403 if (!cache_reusable(originview, view, new_zero_no_soattl))
1407 * Check other cache related parameters that must be consistent among
1408 * the sharing views.
1410 if (dns_cache_getcleaninginterval(originview->cache) !=
1411 new_cleaning_interval ||
1412 dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
1420 * Callback from DLZ configure when the driver sets up a writeable zone
1423 dlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
1424 dns_name_t *origin = dns_zone_getorigin(zone);
1425 dns_rdataclass_t zclass = view->rdclass;
1426 isc_result_t result;
1428 result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
1429 if (result != ISC_R_SUCCESS)
1431 dns_zone_setstats(zone, ns_g_server->zonestats);
1433 return ns_zone_configure_writeable_dlz(view->dlzdatabase,
1434 zone, zclass, origin);
1438 dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
1439 unsigned int prefixlen, const char *server,
1440 const char *contact)
1443 char reverse[48+sizeof("ip6.arpa.")];
1444 const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
1445 const char *sep = ": view ";
1446 const char *viewname = view->name;
1447 const unsigned char *s6;
1448 dns_fixedname_t fixed;
1450 dns_zone_t *zone = NULL;
1451 int dns64_dbtypec = 4;
1453 isc_result_t result;
1455 REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
1456 prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
1458 if (!strcmp(viewname, "_default")) {
1464 * Construct the reverse name of the zone.
1467 s6 = na->type.in6.s6_addr;
1468 while (prefixlen > 0) {
1470 sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
1471 (s6[prefixlen/8] >> 4) & 0xf);
1474 strcat(cp, "ip6.arpa.");
1477 * Create the actual zone.
1480 dns64_dbtype[2] = server;
1481 if (contact != NULL)
1482 dns64_dbtype[3] = contact;
1483 dns_fixedname_init(&fixed);
1484 name = dns_fixedname_name(&fixed);
1485 isc_buffer_constinit(&b, reverse, strlen(reverse));
1486 isc_buffer_add(&b, strlen(reverse));
1487 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1488 CHECK(dns_zone_create(&zone, mctx));
1489 CHECK(dns_zone_setorigin(zone, name));
1490 dns_zone_setview(zone, view);
1491 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
1492 dns_zone_setclass(zone, view->rdclass);
1493 dns_zone_settype(zone, dns_zone_master);
1494 dns_zone_setstats(zone, ns_g_server->zonestats);
1495 CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
1496 if (view->queryacl != NULL)
1497 dns_zone_setqueryacl(zone, view->queryacl);
1498 if (view->queryonacl != NULL)
1499 dns_zone_setqueryonacl(zone, view->queryonacl);
1500 dns_zone_setdialup(zone, dns_dialuptype_no);
1501 dns_zone_setnotifytype(zone, dns_notifytype_no);
1502 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
1503 CHECK(setquerystats(zone, mctx, ISC_FALSE)); /* XXXMPA */
1504 CHECK(dns_view_addzone(view, zone));
1505 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
1506 ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
1511 dns_zone_detach(&zone);
1516 configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1517 const char *str, const char *msg)
1519 isc_result_t result;
1521 result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
1522 if (result != ISC_R_SUCCESS)
1523 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1524 "invalid %s '%s'", msg, str);
1529 configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
1530 const char *str, const dns_name_t *origin)
1532 isc_result_t result;
1534 result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
1536 if (result != ISC_R_SUCCESS)
1537 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1538 "invalid zone '%s'", str);
1543 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
1544 isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
1546 const cfg_obj_t *rpz_obj, *obj;
1548 dns_rpz_zone_t *old, *new;
1549 isc_result_t result;
1551 rpz_obj = cfg_listelt_value(element);
1553 new = isc_mem_get(view->mctx, sizeof(*new));
1555 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1556 "no memory for response policy zones");
1557 return (ISC_R_NOMEMORY);
1560 memset(new, 0, sizeof(*new));
1561 dns_name_init(&new->origin, NULL);
1562 dns_name_init(&new->nsdname, NULL);
1563 dns_name_init(&new->passthru, NULL);
1564 dns_name_init(&new->cname, NULL);
1565 ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
1567 obj = cfg_tuple_get(rpz_obj, "recursive-only");
1568 if (cfg_obj_isvoid(obj)) {
1569 new->recursive_only = recursive_only_def;
1571 new->recursive_only = cfg_obj_asboolean(obj);
1573 if (!new->recursive_only)
1574 view->rpz_recursive_only = ISC_FALSE;
1576 obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
1577 if (cfg_obj_isuint32(obj)) {
1578 new->max_policy_ttl = cfg_obj_asuint32(obj);
1580 new->max_policy_ttl = ttl_def;
1583 str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
1584 result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
1585 if (result != ISC_R_SUCCESS)
1587 if (dns_name_equal(&new->origin, dns_rootname)) {
1588 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1589 "invalid zone name '%s'", str);
1590 return (DNS_R_EMPTYLABEL);
1592 for (old = ISC_LIST_HEAD(view->rpz_zones);
1594 old = ISC_LIST_NEXT(old, link)) {
1596 if (dns_name_equal(&old->origin, &new->origin)) {
1597 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
1598 "duplicate '%s'", str);
1599 result = DNS_R_DUPLICATE;
1604 result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
1605 DNS_RPZ_NSDNAME_ZONE, &new->origin);
1606 if (result != ISC_R_SUCCESS)
1609 result = configure_rpz_name(view, rpz_obj, &new->passthru,
1610 DNS_RPZ_PASSTHRU_ZONE, "zone");
1611 if (result != ISC_R_SUCCESS)
1614 obj = cfg_tuple_get(rpz_obj, "policy");
1615 if (cfg_obj_isvoid(obj)) {
1616 new->policy = DNS_RPZ_POLICY_GIVEN;
1618 str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
1619 new->policy = dns_rpz_str2policy(str);
1620 INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
1621 if (new->policy == DNS_RPZ_POLICY_CNAME) {
1622 str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
1623 result = configure_rpz_name(view, rpz_obj, &new->cname,
1625 if (result != ISC_R_SUCCESS)
1630 return (ISC_R_SUCCESS);
1634 add_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1635 dns_name_t *origin, dns_name_t *contact)
1637 dns_dbnode_t *node = NULL;
1638 dns_rdata_t rdata = DNS_RDATA_INIT;
1639 dns_rdatalist_t rdatalist;
1640 dns_rdataset_t rdataset;
1641 isc_result_t result;
1642 unsigned char buf[DNS_SOA_BUFFERSIZE];
1644 dns_rdataset_init(&rdataset);
1645 dns_rdatalist_init(&rdatalist);
1646 CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db),
1647 0, 28800, 7200, 604800, 86400, buf, &rdata));
1648 rdatalist.type = rdata.type;
1649 rdatalist.covers = 0;
1650 rdatalist.rdclass = rdata.rdclass;
1651 rdatalist.ttl = 86400;
1652 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
1653 CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
1654 CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
1655 CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
1658 dns_db_detachnode(db, &node);
1663 add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1666 dns_dbnode_t *node = NULL;
1668 dns_rdata_t rdata = DNS_RDATA_INIT;
1669 dns_rdatalist_t rdatalist;
1670 dns_rdataset_t rdataset;
1671 isc_result_t result;
1673 unsigned char buf[DNS_NAME_MAXWIRE];
1675 isc_buffer_init(&b, buf, sizeof(buf));
1677 dns_rdataset_init(&rdataset);
1678 dns_rdatalist_init(&rdatalist);
1679 ns.common.rdtype = dns_rdatatype_ns;
1680 ns.common.rdclass = dns_db_class(db);
1682 dns_name_init(&ns.name, NULL);
1683 dns_name_clone(nsname, &ns.name);
1684 CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
1686 rdatalist.type = rdata.type;
1687 rdatalist.covers = 0;
1688 rdatalist.rdclass = rdata.rdclass;
1689 rdatalist.ttl = 86400;
1690 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
1691 CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
1692 CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
1693 CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
1696 dns_db_detachnode(db, &node);
1701 create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
1702 const cfg_obj_t *zonelist, const char **empty_dbtype,
1703 int empty_dbtypec, isc_boolean_t zonestats_on)
1705 char namebuf[DNS_NAME_FORMATSIZE];
1706 const cfg_listelt_t *element;
1707 const cfg_obj_t *obj;
1708 const cfg_obj_t *zconfig;
1709 const cfg_obj_t *zoptions;
1710 const char *rbt_dbtype[4] = { "rbt" };
1711 const char *sep = ": view ";
1713 const char *viewname = view->name;
1714 dns_db_t *db = NULL;
1715 dns_dbversion_t *version = NULL;
1716 dns_fixedname_t cfixed;
1717 dns_fixedname_t fixed;
1718 dns_fixedname_t nsfixed;
1719 dns_name_t *contact;
1722 dns_zone_t *myzone = NULL;
1723 int rbt_dbtypec = 1;
1724 isc_result_t result;
1725 dns_namereln_t namereln;
1727 unsigned int nlabels;
1729 dns_fixedname_init(&fixed);
1730 zname = dns_fixedname_name(&fixed);
1731 dns_fixedname_init(&nsfixed);
1732 ns = dns_fixedname_name(&nsfixed);
1733 dns_fixedname_init(&cfixed);
1734 contact = dns_fixedname_name(&cfixed);
1737 * Look for forward "zones" beneath this empty zone and if so
1738 * create a custom db for the empty zone.
1740 for (element = cfg_list_first(zonelist);
1742 element = cfg_list_next(element)) {
1744 zconfig = cfg_listelt_value(element);
1745 str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
1746 CHECK(dns_name_fromstring(zname, str, 0, NULL));
1747 namereln = dns_name_fullcompare(zname, name, &order, &nlabels);
1748 if (namereln != dns_namereln_subdomain)
1751 zoptions = cfg_tuple_get(zconfig, "options");
1754 (void)cfg_map_get(zoptions, "type", &obj);
1755 INSIST(obj != NULL);
1756 if (strcasecmp(cfg_obj_asstring(obj), "forward") == 0) {
1758 (void)cfg_map_get(zoptions, "forward", &obj);
1761 if (strcasecmp(cfg_obj_asstring(obj), "only") != 0)
1765 CHECK(dns_db_create(view->mctx, "rbt", name,
1766 dns_dbtype_zone, view->rdclass,
1768 CHECK(dns_db_newversion(db, &version));
1769 if (strcmp(empty_dbtype[2], "@") == 0)
1770 dns_name_clone(name, ns);
1772 CHECK(dns_name_fromstring(ns, empty_dbtype[2],
1774 CHECK(dns_name_fromstring(contact, empty_dbtype[3],
1776 CHECK(add_soa(db, version, name, ns, contact));
1777 CHECK(add_ns(db, version, name, ns));
1779 CHECK(add_ns(db, version, zname, dns_rootname));
1783 * Is the existing zone the ok to use?
1787 const char **dbargv;
1790 typec = rbt_dbtypec;
1791 dbargv = rbt_dbtype;
1793 typec = empty_dbtypec;
1794 dbargv = empty_dbtype;
1797 result = check_dbtype(zone, typec, dbargv, view->mctx);
1798 if (result != ISC_R_SUCCESS)
1801 if (zone != NULL && dns_zone_gettype(zone) != dns_zone_master)
1803 if (zone != NULL && dns_zone_getfile(zone) != NULL)
1808 CHECK(dns_zone_create(&myzone, view->mctx));
1810 CHECK(dns_zone_setorigin(zone, name));
1811 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
1813 CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
1815 dns_zone_setclass(zone, view->rdclass);
1816 dns_zone_settype(zone, dns_zone_master);
1817 dns_zone_setstats(zone, ns_g_server->zonestats);
1820 dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, ISC_FALSE);
1821 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
1822 dns_zone_setnotifytype(zone, dns_notifytype_no);
1823 dns_zone_setdialup(zone, dns_dialuptype_no);
1825 dns_zone_setqueryacl(zone, view->queryacl);
1827 dns_zone_clearqueryacl(zone);
1828 if (view->queryonacl)
1829 dns_zone_setqueryonacl(zone, view->queryonacl);
1831 dns_zone_clearqueryonacl(zone);
1832 dns_zone_clearupdateacl(zone);
1833 dns_zone_clearxfracl(zone);
1835 CHECK(setquerystats(zone, view->mctx, zonestats_on));
1837 dns_db_closeversion(db, &version, ISC_TRUE);
1838 CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
1840 dns_zone_setview(zone, view);
1841 CHECK(dns_view_addzone(view, zone));
1843 if (!strcmp(viewname, "_default")) {
1847 dns_name_format(name, namebuf, sizeof(namebuf));
1848 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
1849 ISC_LOG_INFO, "automatic empty zone%s%s: %s",
1850 sep, viewname, namebuf);
1854 dns_zone_detach(&myzone);
1855 if (version != NULL)
1856 dns_db_closeversion(db, &version, ISC_FALSE);
1863 * Configure 'view' according to 'vconfig', taking defaults from 'config'
1864 * where values are missing in 'vconfig'.
1866 * When configuring the default view, 'vconfig' will be NULL and the
1867 * global defaults in 'config' used exclusively.
1870 configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
1871 ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
1872 isc_mem_t *mctx, cfg_aclconfctx_t *actx,
1873 isc_boolean_t need_hints)
1875 const cfg_obj_t *maps[4];
1876 const cfg_obj_t *cfgmaps[3];
1877 const cfg_obj_t *optionmaps[3];
1878 const cfg_obj_t *options = NULL;
1879 const cfg_obj_t *voptions = NULL;
1880 const cfg_obj_t *forwardtype;
1881 const cfg_obj_t *forwarders;
1882 const cfg_obj_t *alternates;
1883 const cfg_obj_t *zonelist;
1884 const cfg_obj_t *dlz;
1885 unsigned int dlzargc;
1887 const cfg_obj_t *disabled;
1888 const cfg_obj_t *obj;
1889 const cfg_listelt_t *element;
1891 dns_cache_t *cache = NULL;
1892 isc_result_t result;
1893 isc_uint32_t max_adb_size;
1894 unsigned int cleaning_interval;
1895 isc_uint32_t max_cache_size;
1896 isc_uint32_t max_acache_size;
1897 isc_uint32_t lame_ttl;
1898 dns_tsig_keyring_t *ring = NULL;
1899 dns_view_t *pview = NULL; /* Production view */
1900 isc_mem_t *cmctx = NULL, *hmctx = NULL;
1901 dns_dispatch_t *dispatch4 = NULL;
1902 dns_dispatch_t *dispatch6 = NULL;
1903 isc_boolean_t reused_cache = ISC_FALSE;
1904 isc_boolean_t shared_cache = ISC_FALSE;
1905 int i = 0, j = 0, k = 0;
1907 const char *cachename = NULL;
1908 dns_order_t *order = NULL;
1909 isc_uint32_t udpsize;
1910 unsigned int resopts = 0;
1911 dns_zone_t *zone = NULL;
1912 isc_uint32_t max_clients_per_query;
1913 const char *sep = ": view ";
1914 const char *viewname = view->name;
1915 isc_boolean_t rfc1918;
1916 isc_boolean_t empty_zones_enable;
1917 const cfg_obj_t *disablelist = NULL;
1918 isc_stats_t *resstats = NULL;
1919 dns_stats_t *resquerystats = NULL;
1920 isc_boolean_t auto_dlv = ISC_FALSE;
1921 isc_boolean_t auto_root = ISC_FALSE;
1923 isc_boolean_t zero_no_soattl;
1924 dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
1925 unsigned int query_timeout;
1926 struct cfg_context *nzctx;
1927 dns_rpz_zone_t *rpz;
1929 REQUIRE(DNS_VIEW_VALID(view));
1932 (void)cfg_map_get(config, "options", &options);
1935 * maps: view options, options, defaults
1936 * cfgmaps: view options, config
1937 * optionmaps: view options, options
1939 if (vconfig != NULL) {
1940 voptions = cfg_tuple_get(vconfig, "options");
1941 maps[i++] = voptions;
1942 optionmaps[j++] = voptions;
1943 cfgmaps[k++] = voptions;
1945 if (options != NULL) {
1946 maps[i++] = options;
1947 optionmaps[j++] = options;
1950 maps[i++] = ns_g_defaults;
1952 optionmaps[j] = NULL;
1954 cfgmaps[k++] = config;
1957 if (!strcmp(viewname, "_default")) {
1963 * Set the view's port number for outgoing queries.
1965 CHECKM(ns_config_getport(config, &port), "port");
1966 dns_view_setdstport(view, port);
1969 * Create additional cache for this view and zones under the view
1970 * if explicitly enabled.
1971 * XXX950 default to on.
1974 (void)ns_config_get(maps, "acache-enable", &obj);
1975 if (obj != NULL && cfg_obj_asboolean(obj)) {
1977 CHECK(isc_mem_create(0, 0, &cmctx));
1978 CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
1980 isc_mem_setname(cmctx, "acache", NULL);
1981 isc_mem_detach(&cmctx);
1983 if (view->acache != NULL) {
1985 result = ns_config_get(maps, "acache-cleaning-interval", &obj);
1986 INSIST(result == ISC_R_SUCCESS);
1987 dns_acache_setcleaninginterval(view->acache,
1988 cfg_obj_asuint32(obj) * 60);
1991 result = ns_config_get(maps, "max-acache-size", &obj);
1992 INSIST(result == ISC_R_SUCCESS);
1993 if (cfg_obj_isstring(obj)) {
1994 str = cfg_obj_asstring(obj);
1995 INSIST(strcasecmp(str, "unlimited") == 0);
1996 max_acache_size = ISC_UINT32_MAX;
1998 isc_resourcevalue_t value;
2000 value = cfg_obj_asuint64(obj);
2001 if (value > ISC_UINT32_MAX) {
2002 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
2004 "%" ISC_PRINT_QUADFORMAT
2007 result = ISC_R_RANGE;
2010 max_acache_size = (isc_uint32_t)value;
2012 dns_acache_setcachesize(view->acache, max_acache_size);
2015 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
2016 ns_g_mctx, &view->queryacl));
2017 if (view->queryacl == NULL) {
2018 CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
2019 NULL, actx, ns_g_mctx,
2024 * Make the list of response policy zone names for a view that
2025 * is used for real lookups and so cares about hints.
2028 if (view->rdclass == dns_rdataclass_in && need_hints &&
2029 ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
2030 const cfg_obj_t *rpz_obj;
2031 isc_boolean_t recursive_only_def;
2034 rpz_obj = cfg_tuple_get(obj, "recursive-only");
2035 if (!cfg_obj_isvoid(rpz_obj) &&
2036 !cfg_obj_asboolean(rpz_obj))
2037 recursive_only_def = ISC_FALSE;
2039 recursive_only_def = ISC_TRUE;
2041 rpz_obj = cfg_tuple_get(obj, "break-dnssec");
2042 if (!cfg_obj_isvoid(rpz_obj) &&
2043 cfg_obj_asboolean(rpz_obj))
2044 view->rpz_break_dnssec = ISC_TRUE;
2046 view->rpz_break_dnssec = ISC_FALSE;
2048 rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
2049 if (cfg_obj_isuint32(rpz_obj))
2050 ttl_def = cfg_obj_asuint32(rpz_obj);
2052 ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
2054 rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
2055 if (cfg_obj_isuint32(rpz_obj))
2056 view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
2058 view->rpz_min_ns_labels = 2;
2060 element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
2061 while (element != NULL) {
2062 result = configure_rpz(view, element,
2063 recursive_only_def, ttl_def);
2064 if (result != ISC_R_SUCCESS)
2066 element = cfg_list_next(element);
2071 * Configure the zones.
2074 if (voptions != NULL)
2075 (void)cfg_map_get(voptions, "zone", &zonelist);
2077 (void)cfg_map_get(config, "zone", &zonelist);
2080 * Load zone configuration
2082 for (element = cfg_list_first(zonelist);
2084 element = cfg_list_next(element))
2086 const cfg_obj_t *zconfig = cfg_listelt_value(element);
2087 CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
2091 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
2093 rpz = ISC_LIST_NEXT(rpz, link))
2095 if (!rpz->defined) {
2096 char namebuf[DNS_NAME_FORMATSIZE];
2098 dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
2099 cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
2100 "'%s' is not a master or slave zone",
2102 result = ISC_R_NOTFOUND;
2108 * If we're allowing added zones, then load zone configuration
2109 * from the newzone file for zones that were added during previous
2112 nzctx = view->new_zone_config;
2113 if (nzctx != NULL && nzctx->nzconfig != NULL) {
2114 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2115 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
2116 "loading additional zones for view '%s'",
2120 cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
2122 for (element = cfg_list_first(zonelist);
2124 element = cfg_list_next(element))
2126 const cfg_obj_t *zconfig = cfg_listelt_value(element);
2127 CHECK(configure_zone(config, zconfig, vconfig,
2134 * Create Dynamically Loadable Zone driver.
2137 if (voptions != NULL)
2138 (void)cfg_map_get(voptions, "dlz", &dlz);
2140 (void)cfg_map_get(config, "dlz", &dlz);
2144 (void)cfg_map_get(cfg_tuple_get(dlz, "options"),
2147 char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
2149 result = ISC_R_NOMEMORY;
2153 result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
2154 if (result != ISC_R_SUCCESS) {
2155 isc_mem_free(mctx, s);
2159 obj = cfg_tuple_get(dlz, "name");
2160 result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
2161 dlzargv[0], dlzargc, dlzargv,
2162 &view->dlzdatabase);
2163 isc_mem_free(mctx, s);
2164 isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
2165 if (result != ISC_R_SUCCESS)
2169 * If the dlz backend supports configuration,
2170 * then call its configure method now.
2172 result = dns_dlzconfigure(view, dlzconfigure_callback);
2173 if (result != ISC_R_SUCCESS)
2179 * Obtain configuration parameters that affect the decision of whether
2180 * we can reuse/share an existing cache.
2183 result = ns_config_get(maps, "cleaning-interval", &obj);
2184 INSIST(result == ISC_R_SUCCESS);
2185 cleaning_interval = cfg_obj_asuint32(obj) * 60;
2188 result = ns_config_get(maps, "max-cache-size", &obj);
2189 INSIST(result == ISC_R_SUCCESS);
2190 if (cfg_obj_isstring(obj)) {
2191 str = cfg_obj_asstring(obj);
2192 INSIST(strcasecmp(str, "unlimited") == 0);
2193 max_cache_size = ISC_UINT32_MAX;
2195 isc_resourcevalue_t value;
2196 value = cfg_obj_asuint64(obj);
2197 if (value > ISC_UINT32_MAX) {
2198 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
2200 "%" ISC_PRINT_QUADFORMAT "d' is too large",
2202 result = ISC_R_RANGE;
2205 max_cache_size = (isc_uint32_t)value;
2210 result = ns_checknames_get(maps, "response", &obj);
2211 INSIST(result == ISC_R_SUCCESS);
2213 str = cfg_obj_asstring(obj);
2214 if (strcasecmp(str, "fail") == 0) {
2215 resopts |= DNS_RESOLVER_CHECKNAMES |
2216 DNS_RESOLVER_CHECKNAMESFAIL;
2217 view->checknames = ISC_TRUE;
2218 } else if (strcasecmp(str, "warn") == 0) {
2219 resopts |= DNS_RESOLVER_CHECKNAMES;
2220 view->checknames = ISC_FALSE;
2221 } else if (strcasecmp(str, "ignore") == 0) {
2222 view->checknames = ISC_FALSE;
2227 result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
2228 INSIST(result == ISC_R_SUCCESS);
2229 zero_no_soattl = cfg_obj_asboolean(obj);
2232 result = ns_config_get(maps, "dns64", &obj);
2233 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
2234 strcmp(view->name, "_meta")) {
2235 const cfg_listelt_t *element;
2236 isc_netaddr_t na, suffix, *sp;
2237 unsigned int prefixlen;
2238 const char *server, *contact;
2239 const cfg_obj_t *myobj;
2242 result = ns_config_get(maps, "dns64-server", &myobj);
2243 if (result == ISC_R_SUCCESS)
2244 server = cfg_obj_asstring(myobj);
2249 result = ns_config_get(maps, "dns64-contact", &myobj);
2250 if (result == ISC_R_SUCCESS)
2251 contact = cfg_obj_asstring(myobj);
2255 for (element = cfg_list_first(obj);
2257 element = cfg_list_next(element))
2259 const cfg_obj_t *map = cfg_listelt_value(element);
2260 dns_dns64_t *dns64 = NULL;
2261 unsigned int dns64options = 0;
2263 cfg_obj_asnetprefix(cfg_map_getname(map), &na,
2267 (void)cfg_map_get(map, "suffix", &obj);
2270 isc_netaddr_fromsockaddr(sp,
2271 cfg_obj_assockaddr(obj));
2275 clients = mapped = excluded = NULL;
2277 (void)cfg_map_get(map, "clients", &obj);
2279 result = cfg_acl_fromconfig(obj, config,
2282 if (result != ISC_R_SUCCESS)
2286 (void)cfg_map_get(map, "mapped", &obj);
2288 result = cfg_acl_fromconfig(obj, config,
2291 if (result != ISC_R_SUCCESS)
2295 (void)cfg_map_get(map, "exclude", &obj);
2297 result = cfg_acl_fromconfig(obj, config,
2299 mctx, 0, &excluded);
2300 if (result != ISC_R_SUCCESS)
2305 (void)cfg_map_get(map, "recursive-only", &obj);
2306 if (obj != NULL && cfg_obj_asboolean(obj))
2307 dns64options |= DNS_DNS64_RECURSIVE_ONLY;
2310 (void)cfg_map_get(map, "break-dnssec", &obj);
2311 if (obj != NULL && cfg_obj_asboolean(obj))
2312 dns64options |= DNS_DNS64_BREAK_DNSSEC;
2314 result = dns_dns64_create(mctx, &na, prefixlen, sp,
2315 clients, mapped, excluded,
2316 dns64options, &dns64);
2317 if (result != ISC_R_SUCCESS)
2319 dns_dns64_append(&view->dns64, dns64);
2321 result = dns64_reverse(view, mctx, &na, prefixlen,
2323 if (result != ISC_R_SUCCESS)
2325 if (clients != NULL)
2326 dns_acl_detach(&clients);
2328 dns_acl_detach(&mapped);
2329 if (excluded != NULL)
2330 dns_acl_detach(&excluded);
2335 result = ns_config_get(maps, "dnssec-accept-expired", &obj);
2336 INSIST(result == ISC_R_SUCCESS);
2337 view->acceptexpired = cfg_obj_asboolean(obj);
2340 result = ns_config_get(maps, "dnssec-validation", &obj);
2341 INSIST(result == ISC_R_SUCCESS);
2342 if (cfg_obj_isboolean(obj)) {
2343 view->enablevalidation = cfg_obj_asboolean(obj);
2345 /* If dnssec-validation is not boolean, it must be "auto" */
2346 view->enablevalidation = ISC_TRUE;
2347 auto_root = ISC_TRUE;
2351 result = ns_config_get(maps, "max-cache-ttl", &obj);
2352 INSIST(result == ISC_R_SUCCESS);
2353 view->maxcachettl = cfg_obj_asuint32(obj);
2356 result = ns_config_get(maps, "max-ncache-ttl", &obj);
2357 INSIST(result == ISC_R_SUCCESS);
2358 view->maxncachettl = cfg_obj_asuint32(obj);
2359 if (view->maxncachettl > 7 * 24 * 3600)
2360 view->maxncachettl = 7 * 24 * 3600;
2363 * Configure the view's cache.
2365 * First, check to see if there are any attach-cache options. If yes,
2366 * attempt to lookup an existing cache at attach it to the view. If
2367 * there is not one, then try to reuse an existing cache if possible;
2368 * otherwise create a new cache.
2370 * Note that the ADB is not preserved or shared in either case.
2372 * When a matching view is found, the associated statistics are also
2373 * retrieved and reused.
2375 * XXX Determining when it is safe to reuse or share a cache is tricky.
2376 * When the view's configuration changes, the cached data may become
2377 * invalid because it reflects our old view of the world. We check
2378 * some of the configuration parameters that could invalidate the cache
2379 * or otherwise make it unsharable, but there are other configuration
2380 * options that should be checked. For example, if a view uses a
2381 * forwarder, changes in the forwarder configuration may invalidate
2382 * the cache. At the moment, it's the administrator's responsibility to
2383 * ensure these configuration options don't invalidate reusing/sharing.
2386 result = ns_config_get(maps, "attach-cache", &obj);
2387 if (result == ISC_R_SUCCESS)
2388 cachename = cfg_obj_asstring(obj);
2390 cachename = view->name;
2392 nsc = cachelist_find(cachelist, cachename);
2394 if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
2395 cleaning_interval, max_cache_size)) {
2396 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2397 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2398 "views %s and %s can't share the cache "
2399 "due to configuration parameter mismatch",
2400 nsc->primaryview->name, view->name);
2401 result = ISC_R_FAILURE;
2404 dns_cache_attach(nsc->cache, &cache);
2405 shared_cache = ISC_TRUE;
2407 if (strcmp(cachename, view->name) == 0) {
2408 result = dns_viewlist_find(&ns_g_server->viewlist,
2409 cachename, view->rdclass,
2411 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2413 if (pview != NULL) {
2414 if (!cache_reusable(pview, view,
2416 isc_log_write(ns_g_lctx,
2417 NS_LOGCATEGORY_GENERAL,
2418 NS_LOGMODULE_SERVER,
2420 "cache cannot be reused "
2421 "for view %s due to "
2422 "configuration parameter "
2423 "mismatch", view->name);
2425 INSIST(pview->cache != NULL);
2426 isc_log_write(ns_g_lctx,
2427 NS_LOGCATEGORY_GENERAL,
2428 NS_LOGMODULE_SERVER,
2430 "reusing existing cache");
2431 reused_cache = ISC_TRUE;
2432 dns_cache_attach(pview->cache, &cache);
2434 dns_view_getresstats(pview, &resstats);
2435 dns_view_getresquerystats(pview,
2437 dns_view_detach(&pview);
2440 if (cache == NULL) {
2442 * Create a cache with the desired name. This normally
2443 * equals the view name, but may also be a forward
2444 * reference to a view that share the cache with this
2445 * view but is not yet configured. If it is not the
2446 * view name but not a forward reference either, then it
2447 * is simply a named cache that is not shared.
2449 * We use two separate memory contexts for the
2450 * cache, for the main cache memory and the heap
2453 CHECK(isc_mem_create(0, 0, &cmctx));
2454 isc_mem_setname(cmctx, "cache", NULL);
2455 CHECK(isc_mem_create(0, 0, &hmctx));
2456 isc_mem_setname(hmctx, "cache_heap", NULL);
2457 CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
2458 ns_g_timermgr, view->rdclass,
2459 cachename, "rbt", 0, NULL,
2461 isc_mem_detach(&cmctx);
2462 isc_mem_detach(&hmctx);
2464 nsc = isc_mem_get(mctx, sizeof(*nsc));
2466 result = ISC_R_NOMEMORY;
2470 dns_cache_attach(cache, &nsc->cache);
2471 nsc->primaryview = view;
2472 nsc->needflush = ISC_FALSE;
2473 nsc->adbsizeadjusted = ISC_FALSE;
2474 ISC_LINK_INIT(nsc, link);
2475 ISC_LIST_APPEND(*cachelist, nsc, link);
2477 dns_view_setcache2(view, cache, shared_cache);
2480 * cache-file cannot be inherited if views are present, but this
2481 * should be caught by the configuration checking stage.
2484 result = ns_config_get(maps, "cache-file", &obj);
2485 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
2486 CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
2487 if (!reused_cache && !shared_cache)
2488 CHECK(dns_cache_load(cache));
2491 dns_cache_setcleaninginterval(cache, cleaning_interval);
2492 dns_cache_setcachesize(cache, max_cache_size);
2494 dns_cache_detach(&cache);
2499 * XXXRTH Hardwired number of tasks.
2501 CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
2502 ISC_TF(ISC_LIST_PREV(view, link)
2504 CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
2505 ISC_TF(ISC_LIST_PREV(view, link)
2507 if (dispatch4 == NULL && dispatch6 == NULL) {
2508 UNEXPECTED_ERROR(__FILE__, __LINE__,
2509 "unable to obtain neither an IPv4 nor"
2510 " an IPv6 dispatch");
2511 result = ISC_R_UNEXPECTED;
2514 CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
2515 ns_g_socketmgr, ns_g_timermgr,
2516 resopts, ns_g_dispatchmgr,
2517 dispatch4, dispatch6));
2519 if (resstats == NULL) {
2520 CHECK(isc_stats_create(mctx, &resstats,
2521 dns_resstatscounter_max));
2523 dns_view_setresstats(view, resstats);
2524 if (resquerystats == NULL)
2525 CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
2526 dns_view_setresquerystats(view, resquerystats);
2529 * Set the ADB cache size to 1/8th of the max-cache-size or
2530 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
2533 if (max_cache_size != 0U) {
2534 max_adb_size = max_cache_size / 8;
2535 if (max_adb_size == 0U)
2536 max_adb_size = 1; /* Force minimum. */
2537 if (view != nsc->primaryview &&
2538 max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
2539 max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
2540 if (!nsc->adbsizeadjusted) {
2541 dns_adb_setadbsize(nsc->primaryview->adb,
2542 MAX_ADB_SIZE_FOR_CACHESHARE);
2543 nsc->adbsizeadjusted = ISC_TRUE;
2547 dns_adb_setadbsize(view->adb, max_adb_size);
2550 * Set resolver's lame-ttl.
2553 result = ns_config_get(maps, "lame-ttl", &obj);
2554 INSIST(result == ISC_R_SUCCESS);
2555 lame_ttl = cfg_obj_asuint32(obj);
2556 if (lame_ttl > 1800)
2558 dns_resolver_setlamettl(view->resolver, lame_ttl);
2561 * Set the resolver's query timeout.
2564 result = ns_config_get(maps, "resolver-query-timeout", &obj);
2565 INSIST(result == ISC_R_SUCCESS);
2566 query_timeout = cfg_obj_asuint32(obj);
2567 dns_resolver_settimeout(view->resolver, query_timeout);
2569 /* Specify whether to use 0-TTL for negative response for SOA query */
2570 dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
2573 * Set the resolver's EDNS UDP size.
2576 result = ns_config_get(maps, "edns-udp-size", &obj);
2577 INSIST(result == ISC_R_SUCCESS);
2578 udpsize = cfg_obj_asuint32(obj);
2583 dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
2586 * Set the maximum UDP response size.
2589 result = ns_config_get(maps, "max-udp-size", &obj);
2590 INSIST(result == ISC_R_SUCCESS);
2591 udpsize = cfg_obj_asuint32(obj);
2596 view->maxudp = udpsize;
2599 * Set supported DNSSEC algorithms.
2601 dns_resolver_reset_algorithms(view->resolver);
2603 (void)ns_config_get(maps, "disable-algorithms", &disabled);
2604 if (disabled != NULL) {
2605 for (element = cfg_list_first(disabled);
2607 element = cfg_list_next(element))
2608 CHECK(disable_algorithms(cfg_listelt_value(element),
2613 * A global or view "forwarders" option, if present,
2614 * creates an entry for "." in the forwarding table.
2618 (void)ns_config_get(maps, "forward", &forwardtype);
2619 (void)ns_config_get(maps, "forwarders", &forwarders);
2620 if (forwarders != NULL)
2621 CHECK(configure_forward(config, view, dns_rootname,
2622 forwarders, forwardtype));
2625 * Dual Stack Servers.
2628 (void)ns_config_get(maps, "dual-stack-servers", &alternates);
2629 if (alternates != NULL)
2630 CHECK(configure_alternates(config, view, alternates));
2633 * We have default hints for class IN if we need them.
2635 if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
2636 dns_view_sethints(view, ns_g_server->in_roothints);
2639 * If we still have no hints, this is a non-IN view with no
2640 * "hints zone" configured. Issue a warning, except if this
2641 * is a root server. Root servers never need to consult
2642 * their hints, so it's no point requiring users to configure
2645 if (view->hints == NULL) {
2646 dns_zone_t *rootzone = NULL;
2647 (void)dns_view_findzone(view, dns_rootname, &rootzone);
2648 if (rootzone != NULL) {
2649 dns_zone_detach(&rootzone);
2650 need_hints = ISC_FALSE;
2653 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2654 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
2655 "no root hints for view '%s'",
2660 * Configure the view's TSIG keys.
2662 CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
2663 if (ns_g_server->sessionkey != NULL) {
2664 CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
2665 ns_g_server->sessionkey));
2667 dns_view_setkeyring(view, ring);
2668 dns_tsigkeyring_detach(&ring);
2671 * See if we can re-use a dynamic key ring.
2673 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
2674 view->rdclass, &pview);
2675 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2677 if (pview != NULL) {
2678 dns_view_getdynamickeyring(pview, &ring);
2680 dns_view_setdynamickeyring(view, ring);
2681 dns_tsigkeyring_detach(&ring);
2682 dns_view_detach(&pview);
2684 dns_view_restorekeyring(view);
2687 * Configure the view's peer list.
2690 const cfg_obj_t *peers = NULL;
2691 const cfg_listelt_t *element;
2692 dns_peerlist_t *newpeers = NULL;
2694 (void)ns_config_get(cfgmaps, "server", &peers);
2695 CHECK(dns_peerlist_new(mctx, &newpeers));
2696 for (element = cfg_list_first(peers);
2698 element = cfg_list_next(element))
2700 const cfg_obj_t *cpeer = cfg_listelt_value(element);
2703 CHECK(configure_peer(cpeer, mctx, &peer));
2704 dns_peerlist_addpeer(newpeers, peer);
2705 dns_peer_detach(&peer);
2707 dns_peerlist_detach(&view->peers);
2708 view->peers = newpeers; /* Transfer ownership. */
2712 * Configure the views rrset-order.
2715 const cfg_obj_t *rrsetorder = NULL;
2716 const cfg_listelt_t *element;
2718 (void)ns_config_get(maps, "rrset-order", &rrsetorder);
2719 CHECK(dns_order_create(mctx, &order));
2720 for (element = cfg_list_first(rrsetorder);
2722 element = cfg_list_next(element))
2724 const cfg_obj_t *ent = cfg_listelt_value(element);
2726 CHECK(configure_order(order, ent));
2728 if (view->order != NULL)
2729 dns_order_detach(&view->order);
2730 dns_order_attach(order, &view->order);
2731 dns_order_detach(&order);
2734 * Copy the aclenv object.
2736 dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
2739 * Configure the "match-clients" and "match-destinations" ACL.
2741 CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
2742 ns_g_mctx, &view->matchclients));
2743 CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
2744 actx, ns_g_mctx, &view->matchdestinations));
2747 * Configure the "match-recursive-only" option.
2750 (void)ns_config_get(maps, "match-recursive-only", &obj);
2751 if (obj != NULL && cfg_obj_asboolean(obj))
2752 view->matchrecursiveonly = ISC_TRUE;
2754 view->matchrecursiveonly = ISC_FALSE;
2757 * Configure other configurable data.
2760 result = ns_config_get(maps, "recursion", &obj);
2761 INSIST(result == ISC_R_SUCCESS);
2762 view->recursion = cfg_obj_asboolean(obj);
2765 result = ns_config_get(maps, "auth-nxdomain", &obj);
2766 INSIST(result == ISC_R_SUCCESS);
2767 view->auth_nxdomain = cfg_obj_asboolean(obj);
2770 result = ns_config_get(maps, "minimal-responses", &obj);
2771 INSIST(result == ISC_R_SUCCESS);
2772 view->minimalresponses = cfg_obj_asboolean(obj);
2775 result = ns_config_get(maps, "transfer-format", &obj);
2776 INSIST(result == ISC_R_SUCCESS);
2777 str = cfg_obj_asstring(obj);
2778 if (strcasecmp(str, "many-answers") == 0)
2779 view->transfer_format = dns_many_answers;
2780 else if (strcasecmp(str, "one-answer") == 0)
2781 view->transfer_format = dns_one_answer;
2786 * Set sources where additional data and CNAME/DNAME
2787 * targets for authoritative answers may be found.
2790 result = ns_config_get(maps, "additional-from-auth", &obj);
2791 INSIST(result == ISC_R_SUCCESS);
2792 view->additionalfromauth = cfg_obj_asboolean(obj);
2793 if (view->recursion && ! view->additionalfromauth) {
2794 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
2795 "'additional-from-auth no' is only supported "
2796 "with 'recursion no'");
2797 view->additionalfromauth = ISC_TRUE;
2801 result = ns_config_get(maps, "additional-from-cache", &obj);
2802 INSIST(result == ISC_R_SUCCESS);
2803 view->additionalfromcache = cfg_obj_asboolean(obj);
2804 if (view->recursion && ! view->additionalfromcache) {
2805 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
2806 "'additional-from-cache no' is only supported "
2807 "with 'recursion no'");
2808 view->additionalfromcache = ISC_TRUE;
2812 * Set "allow-query-cache", "allow-query-cache-on",
2813 * "allow-recursion", and "allow-recursion-on" acls if
2814 * configured in named.conf.
2816 CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
2817 actx, ns_g_mctx, &view->cacheacl));
2818 CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
2819 actx, ns_g_mctx, &view->cacheonacl));
2820 if (view->cacheonacl == NULL)
2821 CHECK(configure_view_acl(NULL, ns_g_config,
2822 "allow-query-cache-on", NULL, actx,
2823 ns_g_mctx, &view->cacheonacl));
2824 if (strcmp(view->name, "_bind") != 0) {
2825 CHECK(configure_view_acl(vconfig, config, "allow-recursion",
2826 NULL, actx, ns_g_mctx,
2827 &view->recursionacl));
2828 CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
2829 NULL, actx, ns_g_mctx,
2830 &view->recursiononacl));
2834 * "allow-query-cache" inherits from "allow-recursion" if set,
2835 * otherwise from "allow-query" if set.
2836 * "allow-recursion" inherits from "allow-query-cache" if set,
2837 * otherwise from "allow-query" if set.
2839 if (view->cacheacl == NULL && view->recursionacl != NULL)
2840 dns_acl_attach(view->recursionacl, &view->cacheacl);
2842 * XXXEACH: This call to configure_view_acl() is redundant. We
2843 * are leaving it as it is because we are making a minimal change
2844 * for a patch release. In the future this should be changed to
2845 * dns_acl_attach(view->queryacl, &view->cacheacl).
2847 if (view->cacheacl == NULL && view->recursion)
2848 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
2849 actx, ns_g_mctx, &view->cacheacl));
2850 if (view->recursion &&
2851 view->recursionacl == NULL && view->cacheacl != NULL)
2852 dns_acl_attach(view->cacheacl, &view->recursionacl);
2855 * Set default "allow-recursion", "allow-recursion-on" and
2856 * "allow-query-cache" acls.
2858 if (view->recursionacl == NULL && view->recursion)
2859 CHECK(configure_view_acl(NULL, ns_g_config,
2860 "allow-recursion", NULL,
2862 &view->recursionacl));
2863 if (view->recursiononacl == NULL && view->recursion)
2864 CHECK(configure_view_acl(NULL, ns_g_config,
2865 "allow-recursion-on", NULL,
2867 &view->recursiononacl));
2868 if (view->cacheacl == NULL) {
2869 if (view->recursion)
2870 CHECK(configure_view_acl(NULL, ns_g_config,
2871 "allow-query-cache", NULL,
2875 CHECK(dns_acl_none(mctx, &view->cacheacl));
2879 * Filter setting on addresses in the answer section.
2881 CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
2882 "acl", actx, ns_g_mctx, &view->denyansweracl));
2883 CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
2884 "except-from", ns_g_mctx,
2885 &view->answeracl_exclude));
2888 * Filter setting on names (CNAME/DNAME targets) in the answer section.
2890 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2892 &view->denyanswernames));
2893 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2894 "except-from", ns_g_mctx,
2895 &view->answernames_exclude));
2898 * Configure sortlist, if set
2900 CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
2904 * Configure default allow-transfer, allow-notify, allow-update
2905 * and allow-update-forwarding ACLs, if set, so they can be
2906 * inherited by zones.
2908 if (view->notifyacl == NULL)
2909 CHECK(configure_view_acl(NULL, ns_g_config,
2910 "allow-notify", NULL, actx,
2911 ns_g_mctx, &view->notifyacl));
2912 if (view->transferacl == NULL)
2913 CHECK(configure_view_acl(NULL, ns_g_config,
2914 "allow-transfer", NULL, actx,
2915 ns_g_mctx, &view->transferacl));
2916 if (view->updateacl == NULL)
2917 CHECK(configure_view_acl(NULL, ns_g_config,
2918 "allow-update", NULL, actx,
2919 ns_g_mctx, &view->updateacl));
2920 if (view->upfwdacl == NULL)
2921 CHECK(configure_view_acl(NULL, ns_g_config,
2922 "allow-update-forwarding", NULL, actx,
2923 ns_g_mctx, &view->upfwdacl));
2926 result = ns_config_get(maps, "request-ixfr", &obj);
2927 INSIST(result == ISC_R_SUCCESS);
2928 view->requestixfr = cfg_obj_asboolean(obj);
2931 result = ns_config_get(maps, "provide-ixfr", &obj);
2932 INSIST(result == ISC_R_SUCCESS);
2933 view->provideixfr = cfg_obj_asboolean(obj);
2936 result = ns_config_get(maps, "request-nsid", &obj);
2937 INSIST(result == ISC_R_SUCCESS);
2938 view->requestnsid = cfg_obj_asboolean(obj);
2941 result = ns_config_get(maps, "max-clients-per-query", &obj);
2942 INSIST(result == ISC_R_SUCCESS);
2943 max_clients_per_query = cfg_obj_asuint32(obj);
2946 result = ns_config_get(maps, "clients-per-query", &obj);
2947 INSIST(result == ISC_R_SUCCESS);
2948 dns_resolver_setclientsperquery(view->resolver,
2949 cfg_obj_asuint32(obj),
2950 max_clients_per_query);
2953 result = ns_config_get(maps, "max-recursion-depth", &obj);
2954 INSIST(result == ISC_R_SUCCESS);
2955 dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
2958 result = ns_config_get(maps, "max-recursion-queries", &obj);
2959 INSIST(result == ISC_R_SUCCESS);
2960 dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
2962 #ifdef ALLOW_FILTER_AAAA_ON_V4
2964 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
2965 INSIST(result == ISC_R_SUCCESS);
2966 if (cfg_obj_isboolean(obj)) {
2967 if (cfg_obj_asboolean(obj))
2968 view->v4_aaaa = dns_v4_aaaa_filter;
2970 view->v4_aaaa = dns_v4_aaaa_ok;
2972 const char *v4_aaaastr = cfg_obj_asstring(obj);
2973 if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
2974 view->v4_aaaa = dns_v4_aaaa_break_dnssec;
2978 CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
2979 actx, ns_g_mctx, &view->v4_aaaa_acl));
2983 result = ns_config_get(maps, "dnssec-enable", &obj);
2984 INSIST(result == ISC_R_SUCCESS);
2985 view->enablednssec = cfg_obj_asboolean(obj);
2988 result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
2989 if (result == ISC_R_SUCCESS) {
2990 /* If set to "auto", use the version from the defaults */
2991 const cfg_obj_t *dlvobj;
2993 dlvobj = cfg_listelt_value(cfg_list_first(obj));
2994 dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
2995 if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
2996 /* If "no", skip; if "auto", use global default */
2997 if (!strcasecmp(dom, "no"))
2998 result = ISC_R_NOTFOUND;
2999 else if (!strcasecmp(dom, "auto")) {
3000 auto_dlv = ISC_TRUE;
3002 result = cfg_map_get(ns_g_defaults,
3003 "dnssec-lookaside", &obj);
3008 if (result == ISC_R_SUCCESS) {
3009 for (element = cfg_list_first(obj);
3011 element = cfg_list_next(element))
3017 obj = cfg_listelt_value(element);
3018 str = cfg_obj_asstring(cfg_tuple_get(obj,
3020 isc_buffer_constinit(&b, str, strlen(str));
3021 isc_buffer_add(&b, strlen(str));
3022 dlv = dns_fixedname_name(&view->dlv_fixed);
3023 CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
3024 DNS_NAME_DOWNCASE, NULL));
3025 view->dlv = dns_fixedname_name(&view->dlv_fixed);
3031 * For now, there is only one kind of trusted keys, the
3034 CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
3035 auto_dlv, auto_root, mctx));
3036 dns_resolver_resetmustbesecure(view->resolver);
3038 result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
3039 if (result == ISC_R_SUCCESS)
3040 CHECK(mustbesecure(obj, view->resolver));
3043 result = ns_config_get(maps, "preferred-glue", &obj);
3044 if (result == ISC_R_SUCCESS) {
3045 str = cfg_obj_asstring(obj);
3046 if (strcasecmp(str, "a") == 0)
3047 view->preferred_glue = dns_rdatatype_a;
3048 else if (strcasecmp(str, "aaaa") == 0)
3049 view->preferred_glue = dns_rdatatype_aaaa;
3051 view->preferred_glue = 0;
3053 view->preferred_glue = 0;
3056 result = ns_config_get(maps, "root-delegation-only", &obj);
3057 if (result == ISC_R_SUCCESS) {
3058 dns_view_setrootdelonly(view, ISC_TRUE);
3059 if (!cfg_obj_isvoid(obj)) {
3060 dns_fixedname_t fixed;
3064 const cfg_obj_t *exclude;
3066 dns_fixedname_init(&fixed);
3067 name = dns_fixedname_name(&fixed);
3068 for (element = cfg_list_first(obj);
3070 element = cfg_list_next(element)) {
3071 exclude = cfg_listelt_value(element);
3072 str = cfg_obj_asstring(exclude);
3073 isc_buffer_constinit(&b, str, strlen(str));
3074 isc_buffer_add(&b, strlen(str));
3075 CHECK(dns_name_fromtext(name, &b, dns_rootname,
3077 CHECK(dns_view_excludedelegationonly(view,
3082 dns_view_setrootdelonly(view, ISC_FALSE);
3085 * Setup automatic empty zones. If recursion is off then
3086 * they are disabled by default.
3089 (void)ns_config_get(maps, "empty-zones-enable", &obj);
3090 (void)ns_config_get(maps, "disable-empty-zone", &disablelist);
3091 if (obj == NULL && disablelist == NULL &&
3092 view->rdclass == dns_rdataclass_in) {
3093 rfc1918 = ISC_FALSE;
3094 empty_zones_enable = view->recursion;
3095 } else if (view->rdclass == dns_rdataclass_in) {
3098 empty_zones_enable = cfg_obj_asboolean(obj);
3100 empty_zones_enable = view->recursion;
3102 rfc1918 = ISC_FALSE;
3103 empty_zones_enable = ISC_FALSE;
3105 if (empty_zones_enable && !lwresd_g_useresolvconf) {
3108 dns_fixedname_t fixed;
3110 isc_buffer_t buffer;
3112 char server[DNS_NAME_FORMATSIZE + 1];
3113 char contact[DNS_NAME_FORMATSIZE + 1];
3114 isc_boolean_t logit;
3115 const char *empty_dbtype[4] =
3116 { "_builtin", "empty", NULL, NULL };
3117 int empty_dbtypec = 4;
3118 isc_boolean_t zonestats_on;
3120 dns_fixedname_init(&fixed);
3121 name = dns_fixedname_name(&fixed);
3124 result = ns_config_get(maps, "empty-server", &obj);
3125 if (result == ISC_R_SUCCESS) {
3126 str = cfg_obj_asstring(obj);
3127 isc_buffer_constinit(&buffer, str, strlen(str));
3128 isc_buffer_add(&buffer, strlen(str));
3129 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3131 isc_buffer_init(&buffer, server, sizeof(server) - 1);
3132 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
3133 server[isc_buffer_usedlength(&buffer)] = 0;
3134 empty_dbtype[2] = server;
3136 empty_dbtype[2] = "@";
3139 result = ns_config_get(maps, "empty-contact", &obj);
3140 if (result == ISC_R_SUCCESS) {
3141 str = cfg_obj_asstring(obj);
3142 isc_buffer_constinit(&buffer, str, strlen(str));
3143 isc_buffer_add(&buffer, strlen(str));
3144 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3146 isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
3147 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
3148 contact[isc_buffer_usedlength(&buffer)] = 0;
3149 empty_dbtype[3] = contact;
3151 empty_dbtype[3] = ".";
3154 result = ns_config_get(maps, "zone-statistics", &obj);
3155 INSIST(result == ISC_R_SUCCESS);
3156 zonestats_on = cfg_obj_asboolean(obj);
3159 for (empty = empty_zones[empty_zone].zone;
3161 empty = empty_zones[++empty_zone].zone)
3163 dns_forwarders_t *forwarders = NULL;
3164 dns_view_t *pview = NULL;
3166 isc_buffer_constinit(&buffer, empty, strlen(empty));
3167 isc_buffer_add(&buffer, strlen(empty));
3169 * Look for zone on drop list.
3171 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3173 if (disablelist != NULL &&
3174 on_disable_list(disablelist, name))
3178 * This zone already exists.
3180 (void)dns_view_findzone(view, name, &zone);
3182 dns_zone_detach(&zone);
3187 * If we would forward this name don't add a
3188 * empty zone for it.
3190 result = dns_fwdtable_find(view->fwdtable, name,
3192 if (result == ISC_R_SUCCESS &&
3193 forwarders->fwdpolicy == dns_fwdpolicy_only)
3196 if (!rfc1918 && empty_zones[empty_zone].rfc1918) {
3198 isc_log_write(ns_g_lctx,
3199 NS_LOGCATEGORY_GENERAL,
3200 NS_LOGMODULE_SERVER,
3203 "'empty-zones-enable/"
3204 "disable-empty-zone' "
3205 "not set: disabling "
3206 "RFC 1918 empty zones",
3214 * See if we can re-use a existing zone.
3216 result = dns_viewlist_find(&ns_g_server->viewlist,
3217 view->name, view->rdclass,
3219 if (result != ISC_R_NOTFOUND &&
3220 result != ISC_R_SUCCESS)
3223 if (pview != NULL) {
3224 (void)dns_view_findzone(pview, name, &zone);
3225 dns_view_detach(&pview);
3228 CHECK(create_empty_zone(zone, name, view, zonelist,
3229 empty_dbtype, empty_dbtypec,
3232 dns_zone_detach(&zone);
3236 result = ISC_R_SUCCESS;
3239 if (clients != NULL)
3240 dns_acl_detach(&clients);
3242 dns_acl_detach(&mapped);
3243 if (excluded != NULL)
3244 dns_acl_detach(&excluded);
3246 dns_tsigkeyring_detach(&ring);
3248 dns_zone_detach(&zone);
3249 if (dispatch4 != NULL)
3250 dns_dispatch_detach(&dispatch4);
3251 if (dispatch6 != NULL)
3252 dns_dispatch_detach(&dispatch6);
3253 if (resstats != NULL)
3254 isc_stats_detach(&resstats);
3255 if (resquerystats != NULL)
3256 dns_stats_detach(&resquerystats);
3258 dns_order_detach(&order);
3260 isc_mem_detach(&cmctx);
3262 isc_mem_detach(&hmctx);
3265 dns_cache_detach(&cache);
3271 configure_hints(dns_view_t *view, const char *filename) {
3272 isc_result_t result;
3276 result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
3277 if (result == ISC_R_SUCCESS) {
3278 dns_view_sethints(view, db);
3286 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
3287 const cfg_obj_t *alternates)
3289 const cfg_obj_t *portobj;
3290 const cfg_obj_t *addresses;
3291 const cfg_listelt_t *element;
3292 isc_result_t result = ISC_R_SUCCESS;
3296 * Determine which port to send requests to.
3298 if (ns_g_lwresdonly && ns_g_port != 0)
3301 CHECKM(ns_config_getport(config, &port), "port");
3303 if (alternates != NULL) {
3304 portobj = cfg_tuple_get(alternates, "port");
3305 if (cfg_obj_isuint32(portobj)) {
3306 isc_uint32_t val = cfg_obj_asuint32(portobj);
3307 if (val > ISC_UINT16_MAX) {
3308 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3309 "port '%u' out of range", val);
3310 return (ISC_R_RANGE);
3312 port = (in_port_t) val;
3317 if (alternates != NULL)
3318 addresses = cfg_tuple_get(alternates, "addresses");
3320 for (element = cfg_list_first(addresses);
3322 element = cfg_list_next(element))
3324 const cfg_obj_t *alternate = cfg_listelt_value(element);
3327 if (!cfg_obj_issockaddr(alternate)) {
3328 dns_fixedname_t fixed;
3330 const char *str = cfg_obj_asstring(cfg_tuple_get(
3331 alternate, "name"));
3332 isc_buffer_t buffer;
3333 in_port_t myport = port;
3335 isc_buffer_constinit(&buffer, str, strlen(str));
3336 isc_buffer_add(&buffer, strlen(str));
3337 dns_fixedname_init(&fixed);
3338 name = dns_fixedname_name(&fixed);
3339 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
3342 portobj = cfg_tuple_get(alternate, "port");
3343 if (cfg_obj_isuint32(portobj)) {
3344 isc_uint32_t val = cfg_obj_asuint32(portobj);
3345 if (val > ISC_UINT16_MAX) {
3346 cfg_obj_log(portobj, ns_g_lctx,
3348 "port '%u' out of range",
3350 return (ISC_R_RANGE);
3352 myport = (in_port_t) val;
3354 CHECK(dns_resolver_addalternate(view->resolver, NULL,
3359 sa = *cfg_obj_assockaddr(alternate);
3360 if (isc_sockaddr_getport(&sa) == 0)
3361 isc_sockaddr_setport(&sa, port);
3362 CHECK(dns_resolver_addalternate(view->resolver, &sa,
3371 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
3372 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
3374 const cfg_obj_t *portobj;
3375 const cfg_obj_t *faddresses;
3376 const cfg_listelt_t *element;
3377 dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
3378 isc_sockaddrlist_t addresses;
3380 isc_result_t result;
3383 ISC_LIST_INIT(addresses);
3386 * Determine which port to send forwarded requests to.
3388 if (ns_g_lwresdonly && ns_g_port != 0)
3391 CHECKM(ns_config_getport(config, &port), "port");
3393 if (forwarders != NULL) {
3394 portobj = cfg_tuple_get(forwarders, "port");
3395 if (cfg_obj_isuint32(portobj)) {
3396 isc_uint32_t val = cfg_obj_asuint32(portobj);
3397 if (val > ISC_UINT16_MAX) {
3398 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
3399 "port '%u' out of range", val);
3400 return (ISC_R_RANGE);
3402 port = (in_port_t) val;
3407 if (forwarders != NULL)
3408 faddresses = cfg_tuple_get(forwarders, "addresses");
3410 for (element = cfg_list_first(faddresses);
3412 element = cfg_list_next(element))
3414 const cfg_obj_t *forwarder = cfg_listelt_value(element);
3415 sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
3417 result = ISC_R_NOMEMORY;
3420 *sa = *cfg_obj_assockaddr(forwarder);
3421 if (isc_sockaddr_getport(sa) == 0)
3422 isc_sockaddr_setport(sa, port);
3423 ISC_LINK_INIT(sa, link);
3424 ISC_LIST_APPEND(addresses, sa, link);
3427 if (ISC_LIST_EMPTY(addresses)) {
3428 if (forwardtype != NULL)
3429 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3430 "no forwarders seen; disabling "
3432 fwdpolicy = dns_fwdpolicy_none;
3434 if (forwardtype == NULL)
3435 fwdpolicy = dns_fwdpolicy_first;
3437 const char *forwardstr = cfg_obj_asstring(forwardtype);
3438 if (strcasecmp(forwardstr, "first") == 0)
3439 fwdpolicy = dns_fwdpolicy_first;
3440 else if (strcasecmp(forwardstr, "only") == 0)
3441 fwdpolicy = dns_fwdpolicy_only;
3447 result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
3449 if (result != ISC_R_SUCCESS) {
3450 char namebuf[DNS_NAME_FORMATSIZE];
3451 dns_name_format(origin, namebuf, sizeof(namebuf));
3452 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
3453 "could not set up forwarding for domain '%s': %s",
3454 namebuf, isc_result_totext(result));
3458 result = ISC_R_SUCCESS;
3462 while (!ISC_LIST_EMPTY(addresses)) {
3463 sa = ISC_LIST_HEAD(addresses);
3464 ISC_LIST_UNLINK(addresses, sa, link);
3465 isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
3472 get_viewinfo(const cfg_obj_t *vconfig, const char **namep,
3473 dns_rdataclass_t *classp)
3475 isc_result_t result = ISC_R_SUCCESS;
3476 const char *viewname;
3477 dns_rdataclass_t viewclass;
3479 REQUIRE(namep != NULL && *namep == NULL);
3480 REQUIRE(classp != NULL);
3482 if (vconfig != NULL) {
3483 const cfg_obj_t *classobj = NULL;
3485 viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
3486 classobj = cfg_tuple_get(vconfig, "class");
3487 result = ns_config_getclass(classobj, dns_rdataclass_in,
3490 viewname = "_default";
3491 viewclass = dns_rdataclass_in;
3495 *classp = viewclass;
3501 * Find a view based on its configuration info and attach to it.
3503 * If 'vconfig' is NULL, attach to the default view.
3506 find_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3509 isc_result_t result;
3510 const char *viewname = NULL;
3511 dns_rdataclass_t viewclass;
3512 dns_view_t *view = NULL;
3514 result = get_viewinfo(vconfig, &viewname, &viewclass);
3515 if (result != ISC_R_SUCCESS)
3518 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3519 if (result != ISC_R_SUCCESS)
3523 return (ISC_R_SUCCESS);
3527 * Create a new view and add it to the list.
3529 * If 'vconfig' is NULL, create the default view.
3531 * The view created is attached to '*viewp'.
3534 create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
3537 isc_result_t result;
3538 const char *viewname = NULL;
3539 dns_rdataclass_t viewclass;
3540 dns_view_t *view = NULL;
3542 result = get_viewinfo(vconfig, &viewname, &viewclass);
3543 if (result != ISC_R_SUCCESS)
3546 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
3547 if (result == ISC_R_SUCCESS)
3548 return (ISC_R_EXISTS);
3549 if (result != ISC_R_NOTFOUND)
3551 INSIST(view == NULL);
3553 result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
3554 if (result != ISC_R_SUCCESS)
3557 ISC_LIST_APPEND(*viewlist, view, link);
3558 dns_view_attach(view, viewp);
3559 return (ISC_R_SUCCESS);
3563 * Configure or reconfigure a zone.
3566 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
3567 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
3568 cfg_aclconfctx_t *aclconf, isc_boolean_t added)
3570 dns_view_t *pview = NULL; /* Production view */
3571 dns_zone_t *zone = NULL; /* New or reused zone */
3572 dns_zone_t *dupzone = NULL;
3573 const cfg_obj_t *options = NULL;
3574 const cfg_obj_t *zoptions = NULL;
3575 const cfg_obj_t *typeobj = NULL;
3576 const cfg_obj_t *forwarders = NULL;
3577 const cfg_obj_t *forwardtype = NULL;
3578 const cfg_obj_t *only = NULL;
3579 isc_result_t result;
3580 isc_result_t tresult;
3581 isc_buffer_t buffer;
3582 dns_fixedname_t fixorigin;
3585 dns_rdataclass_t zclass;
3586 const char *ztypestr;
3587 isc_boolean_t is_rpz;
3588 dns_rpz_zone_t *rpz;
3591 (void)cfg_map_get(config, "options", &options);
3593 zoptions = cfg_tuple_get(zconfig, "options");
3596 * Get the zone origin as a dns_name_t.
3598 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
3599 isc_buffer_constinit(&buffer, zname, strlen(zname));
3600 isc_buffer_add(&buffer, strlen(zname));
3601 dns_fixedname_init(&fixorigin);
3602 CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
3603 &buffer, dns_rootname, 0, NULL));
3604 origin = dns_fixedname_name(&fixorigin);
3606 CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
3607 view->rdclass, &zclass));
3608 if (zclass != view->rdclass) {
3609 const char *vname = NULL;
3610 if (vconfig != NULL)
3611 vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
3614 vname = "<default view>";
3616 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3617 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3618 "zone '%s': wrong class for view '%s'",
3620 result = ISC_R_FAILURE;
3624 (void)cfg_map_get(zoptions, "type", &typeobj);
3625 if (typeobj == NULL) {
3626 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3627 "zone '%s' 'type' not specified", zname);
3628 return (ISC_R_FAILURE);
3630 ztypestr = cfg_obj_asstring(typeobj);
3633 * "hints zones" aren't zones. If we've got one,
3634 * configure it and return.
3636 if (strcasecmp(ztypestr, "hint") == 0) {
3637 const cfg_obj_t *fileobj = NULL;
3638 if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
3639 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3640 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3641 "zone '%s': 'file' not specified",
3643 result = ISC_R_FAILURE;
3646 if (dns_name_equal(origin, dns_rootname)) {
3647 const char *hintsfile = cfg_obj_asstring(fileobj);
3649 result = configure_hints(view, hintsfile);
3650 if (result != ISC_R_SUCCESS) {
3651 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3652 NS_LOGMODULE_SERVER,
3654 "could not configure root hints "
3655 "from '%s': %s", hintsfile,
3656 isc_result_totext(result));
3660 * Hint zones may also refer to delegation only points.
3663 tresult = cfg_map_get(zoptions, "delegation-only",
3665 if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
3666 CHECK(dns_view_adddelegationonly(view, origin));
3668 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3669 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3670 "ignoring non-root hint zone '%s'",
3672 result = ISC_R_SUCCESS;
3674 /* Skip ordinary zone processing. */
3679 * "forward zones" aren't zones either. Translate this syntax into
3680 * the appropriate selective forwarding configuration and return.
3682 if (strcasecmp(ztypestr, "forward") == 0) {
3686 (void)cfg_map_get(zoptions, "forward", &forwardtype);
3687 (void)cfg_map_get(zoptions, "forwarders", &forwarders);
3688 result = configure_forward(config, view, origin, forwarders,
3694 * "delegation-only zones" aren't zones either.
3696 if (strcasecmp(ztypestr, "delegation-only") == 0) {
3697 result = dns_view_adddelegationonly(view, origin);
3702 * Check for duplicates in the new zone table.
3704 result = dns_view_findzone(view, origin, &dupzone);
3705 if (result == ISC_R_SUCCESS) {
3707 * We already have this zone!
3709 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
3710 "zone '%s' already exists", zname);
3711 dns_zone_detach(&dupzone);
3712 result = ISC_R_EXISTS;
3715 INSIST(dupzone == NULL);
3718 * Note whether this is a response policy zone.
3721 for (rpz = ISC_LIST_HEAD(view->rpz_zones);
3723 rpz = ISC_LIST_NEXT(rpz, link))
3725 if (dns_name_equal(&rpz->origin, origin)) {
3727 rpz->defined = ISC_TRUE;
3733 * See if we can reuse an existing zone. This is
3734 * only possible if all of these are true:
3735 * - The zone's view exists
3736 * - A zone with the right name exists in the view
3737 * - The zone is compatible with the config
3738 * options (e.g., an existing master zone cannot
3739 * be reused if the options specify a slave zone)
3740 * - The zone was and is or was not and is not a policy zone
3742 result = dns_viewlist_find(&ns_g_server->viewlist,
3743 view->name, view->rdclass,
3745 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
3748 result = dns_view_findzone(pview, origin, &zone);
3749 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
3751 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
3752 dns_zone_detach(&zone);
3754 if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
3755 dns_zone_detach(&zone);
3759 * We found a reusable zone. Make it use the
3762 dns_zone_setview(zone, view);
3763 if (view->acache != NULL)
3764 dns_zone_setacache(zone, view->acache);
3767 * We cannot reuse an existing zone, we have
3768 * to create a new one.
3770 CHECK(dns_zone_create(&zone, mctx));
3771 CHECK(dns_zone_setorigin(zone, origin));
3772 dns_zone_setview(zone, view);
3773 if (view->acache != NULL)
3774 dns_zone_setacache(zone, view->acache);
3775 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
3776 dns_zone_setstats(zone, ns_g_server->zonestats);
3780 result = dns_zone_rpz_enable(zone);
3781 if (result != ISC_R_SUCCESS) {
3782 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3783 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3784 "zone '%s': incompatible"
3785 " masterfile-format or database"
3786 " for a response policy zone",
3793 * If the zone contains a 'forwarders' statement, configure
3794 * selective forwarding.
3797 if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
3800 (void)cfg_map_get(zoptions, "forward", &forwardtype);
3801 CHECK(configure_forward(config, view, origin, forwarders,
3806 * Stub and forward zones may also refer to delegation only points.
3809 if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
3811 if (cfg_obj_asboolean(only))
3812 CHECK(dns_view_adddelegationonly(view, origin));
3816 * Mark whether the zone was originally added at runtime or not
3818 dns_zone_setadded(zone, added);
3821 * Configure the zone.
3823 CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
3826 * Add the zone to its view in the new view list.
3828 CHECK(dns_view_addzone(view, zone));
3831 * Ensure that zone keys are reloaded on reconfig
3833 if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
3834 dns_zone_rekey(zone, ISC_FALSE);
3838 dns_zone_detach(&zone);
3840 dns_view_detach(&pview);
3846 * Configure built-in zone for storing managed-key data.
3849 #define KEYZONE "managed-keys.bind"
3850 #define MKEYS ".mkeys"
3853 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
3854 isc_result_t result;
3855 dns_view_t *pview = NULL;
3856 dns_zone_t *zone = NULL;
3857 dns_acl_t *none = NULL;
3858 char filename[PATH_MAX];
3859 char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
3862 REQUIRE(view != NULL);
3864 /* See if we can re-use an existing keydata zone. */
3865 result = dns_viewlist_find(&ns_g_server->viewlist,
3866 view->name, view->rdclass,
3868 if (result != ISC_R_NOTFOUND &&
3869 result != ISC_R_SUCCESS)
3872 if (pview != NULL && pview->managed_keys != NULL) {
3873 dns_zone_attach(pview->managed_keys, &view->managed_keys);
3874 dns_zone_setview(pview->managed_keys, view);
3875 dns_view_detach(&pview);
3876 dns_zone_synckeyzone(view->managed_keys);
3877 return (ISC_R_SUCCESS);
3880 /* No existing keydata zone was found; create one */
3881 CHECK(dns_zone_create(&zone, mctx));
3882 CHECK(dns_zone_setorigin(zone, dns_rootname));
3884 isc_sha256_data((void *)view->name, strlen(view->name), buffer);
3885 strcat(buffer, MKEYS);
3886 n = snprintf(filename, sizeof(filename), "%s%s%s",
3887 directory ? directory : "", directory ? "/" : "",
3888 strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
3889 if (n < 0 || (size_t)n >= sizeof(filename)) {
3890 result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
3893 CHECK(dns_zone_setfile(zone, filename));
3895 dns_zone_setview(zone, view);
3896 dns_zone_settype(zone, dns_zone_key);
3897 dns_zone_setclass(zone, view->rdclass);
3899 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
3901 if (view->acache != NULL)
3902 dns_zone_setacache(zone, view->acache);
3904 CHECK(dns_acl_none(mctx, &none));
3905 dns_zone_setqueryacl(zone, none);
3906 dns_zone_setqueryonacl(zone, none);
3907 dns_acl_detach(&none);
3909 dns_zone_setdialup(zone, dns_dialuptype_no);
3910 dns_zone_setnotifytype(zone, dns_notifytype_no);
3911 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
3912 dns_zone_setjournalsize(zone, 0);
3914 dns_zone_setstats(zone, ns_g_server->zonestats);
3915 CHECK(setquerystats(zone, mctx, ISC_FALSE));
3917 if (view->managed_keys != NULL)
3918 dns_zone_detach(&view->managed_keys);
3919 dns_zone_attach(zone, &view->managed_keys);
3921 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3922 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3923 "set up managed keys zone for view %s, file '%s'",
3924 view->name, filename);
3928 dns_zone_detach(&zone);
3930 dns_acl_detach(&none);
3936 * Configure a single server quota.
3939 configure_server_quota(const cfg_obj_t **maps, const char *name,
3942 const cfg_obj_t *obj = NULL;
3943 isc_result_t result;
3945 result = ns_config_get(maps, name, &obj);
3946 INSIST(result == ISC_R_SUCCESS);
3947 isc_quota_max(quota, cfg_obj_asuint32(obj));
3951 * This function is called as soon as the 'directory' statement has been
3952 * parsed. This can be extended to support other options if necessary.
3955 directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
3956 isc_result_t result;
3957 const char *directory;
3959 REQUIRE(strcasecmp("directory", clausename) == 0);
3967 directory = cfg_obj_asstring(obj);
3969 if (! isc_file_ischdiridempotent(directory))
3970 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3971 "option 'directory' contains relative path '%s'",
3974 result = isc_dir_chdir(directory);
3975 if (result != ISC_R_SUCCESS) {
3976 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
3977 "change directory to '%s' failed: %s",
3978 directory, isc_result_totext(result));
3982 return (ISC_R_SUCCESS);
3986 scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
3987 isc_boolean_t match_mapped = server->aclenv.match_mapped;
3989 ns_interfacemgr_scan(server->interfacemgr, verbose);
3991 * Update the "localhost" and "localnets" ACLs to match the
3992 * current set of network interfaces.
3994 dns_aclenv_copy(&server->aclenv,
3995 ns_interfacemgr_getaclenv(server->interfacemgr));
3997 server->aclenv.match_mapped = match_mapped;
4001 add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
4002 isc_boolean_t wcardport_ok)
4004 ns_listenelt_t *lelt = NULL;
4005 dns_acl_t *src_acl = NULL;
4006 isc_result_t result;
4007 isc_sockaddr_t any_sa6;
4008 isc_netaddr_t netaddr;
4010 REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
4012 isc_sockaddr_any6(&any_sa6);
4013 if (!isc_sockaddr_equal(&any_sa6, addr) &&
4014 (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
4015 isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
4017 result = dns_acl_create(mctx, 0, &src_acl);
4018 if (result != ISC_R_SUCCESS)
4021 result = dns_iptable_addprefix(src_acl->iptable,
4022 &netaddr, 128, ISC_TRUE);
4023 if (result != ISC_R_SUCCESS)
4026 result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
4028 if (result != ISC_R_SUCCESS)
4030 ISC_LIST_APPEND(list->elts, lelt, link);
4033 return (ISC_R_SUCCESS);
4036 INSIST(lelt == NULL);
4037 dns_acl_detach(&src_acl);
4043 * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
4044 * to update the listening interfaces accordingly.
4045 * We currently only consider IPv6, because this only affects IPv6 wildcard
4049 adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
4050 isc_result_t result;
4051 ns_listenlist_t *list = NULL;
4053 dns_zone_t *zone, *next;
4054 isc_sockaddr_t addr, *addrp;
4056 result = ns_listenlist_create(mctx, &list);
4057 if (result != ISC_R_SUCCESS)
4060 for (view = ISC_LIST_HEAD(server->viewlist);
4062 view = ISC_LIST_NEXT(view, link)) {
4063 dns_dispatch_t *dispatch6;
4065 dispatch6 = dns_resolver_dispatchv6(view->resolver);
4066 if (dispatch6 == NULL)
4068 result = dns_dispatch_getlocaladdress(dispatch6, &addr);
4069 if (result != ISC_R_SUCCESS)
4073 * We always add non-wildcard address regardless of whether
4074 * the port is 'any' (the fourth arg is TRUE): if the port is
4075 * specific, we need to add it since it may conflict with a
4076 * listening interface; if it's zero, we'll dynamically open
4077 * query ports, and some of them may override an existing
4078 * wildcard IPv6 port.
4080 result = add_listenelt(mctx, list, &addr, ISC_TRUE);
4081 if (result != ISC_R_SUCCESS)
4086 for (result = dns_zone_first(server->zonemgr, &zone);
4087 result == ISC_R_SUCCESS;
4088 next = NULL, result = dns_zone_next(zone, &next), zone = next) {
4089 dns_view_t *zoneview;
4092 * At this point the zone list may contain a stale zone
4093 * just removed from the configuration. To see the validity,
4094 * check if the corresponding view is in our current view list.
4095 * There may also be old zones that are still in the process
4096 * of shutting down and have detached from their old view
4097 * (zoneview == NULL).
4099 zoneview = dns_zone_getview(zone);
4100 if (zoneview == NULL)
4102 for (view = ISC_LIST_HEAD(server->viewlist);
4103 view != NULL && view != zoneview;
4104 view = ISC_LIST_NEXT(view, link))
4109 addrp = dns_zone_getnotifysrc6(zone);
4110 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
4111 if (result != ISC_R_SUCCESS)
4114 addrp = dns_zone_getxfrsource6(zone);
4115 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
4116 if (result != ISC_R_SUCCESS)
4120 ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
4123 ns_listenlist_detach(&list);
4128 * Even when we failed the procedure, most of other interfaces
4129 * should work correctly. We therefore just warn it.
4131 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4132 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4133 "could not adjust the listen-on list; "
4134 "some interfaces may not work");
4139 * This event callback is invoked to do periodic network
4140 * interface scanning.
4143 interface_timer_tick(isc_task_t *task, isc_event_t *event) {
4144 isc_result_t result;
4145 ns_server_t *server = (ns_server_t *) event->ev_arg;
4146 INSIST(task == server->task);
4148 isc_event_free(&event);
4150 * XXX should scan interfaces unlocked and get exclusive access
4151 * only to replace ACLs.
4153 result = isc_task_beginexclusive(server->task);
4154 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4155 scan_interfaces(server, ISC_FALSE);
4156 isc_task_endexclusive(server->task);
4160 heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
4161 ns_server_t *server = (ns_server_t *) event->ev_arg;
4165 isc_event_free(&event);
4166 view = ISC_LIST_HEAD(server->viewlist);
4167 while (view != NULL) {
4168 dns_view_dialup(view);
4169 view = ISC_LIST_NEXT(view, link);
4174 pps_timer_tick(isc_task_t *task, isc_event_t *event) {
4175 static unsigned int oldrequests = 0;
4176 unsigned int requests = ns_client_requests;
4179 isc_event_free(&event);
4182 * Don't worry about wrapping as the overflow result will be right.
4184 dns_pps = (requests - oldrequests) / 1200;
4185 oldrequests = requests;
4189 * Replace the current value of '*field', a dynamically allocated
4190 * string or NULL, with a dynamically allocated copy of the
4191 * null-terminated string pointed to by 'value', or NULL.
4194 setstring(ns_server_t *server, char **field, const char *value) {
4197 if (value != NULL) {
4198 copy = isc_mem_strdup(server->mctx, value);
4200 return (ISC_R_NOMEMORY);
4206 isc_mem_free(server->mctx, *field);
4209 return (ISC_R_SUCCESS);
4213 * Replace the current value of '*field', a dynamically allocated
4214 * string or NULL, with another dynamically allocated string
4215 * or NULL if whether 'obj' is a string or void value, respectively.
4218 setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
4219 if (cfg_obj_isvoid(obj))
4220 return (setstring(server, field, NULL));
4222 return (setstring(server, field, cfg_obj_asstring(obj)));
4226 set_limit(const cfg_obj_t **maps, const char *configname,
4227 const char *description, isc_resource_t resourceid,
4228 isc_resourcevalue_t defaultvalue)
4230 const cfg_obj_t *obj = NULL;
4231 const char *resource;
4232 isc_resourcevalue_t value;
4233 isc_result_t result;
4235 if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
4238 if (cfg_obj_isstring(obj)) {
4239 resource = cfg_obj_asstring(obj);
4240 if (strcasecmp(resource, "unlimited") == 0)
4241 value = ISC_RESOURCE_UNLIMITED;
4243 INSIST(strcasecmp(resource, "default") == 0);
4244 value = defaultvalue;
4247 value = cfg_obj_asuint64(obj);
4249 result = isc_resource_setlimit(resourceid, value);
4250 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4251 result == ISC_R_SUCCESS ?
4252 ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
4253 "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
4254 description, value, isc_result_totext(result));
4257 #define SETLIMIT(cfgvar, resource, description) \
4258 set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
4259 ns_g_init ## resource)
4262 set_limits(const cfg_obj_t **maps) {
4263 SETLIMIT("stacksize", stacksize, "stack size");
4264 SETLIMIT("datasize", datasize, "data size");
4265 SETLIMIT("coresize", coresize, "core size");
4266 SETLIMIT("files", openfiles, "open files");
4270 portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
4271 isc_boolean_t positive)
4273 const cfg_listelt_t *element;
4275 for (element = cfg_list_first(ports);
4277 element = cfg_list_next(element)) {
4278 const cfg_obj_t *obj = cfg_listelt_value(element);
4280 if (cfg_obj_isuint32(obj)) {
4281 in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
4284 isc_portset_add(portset, port);
4286 isc_portset_remove(portset, port);
4288 const cfg_obj_t *obj_loport, *obj_hiport;
4289 in_port_t loport, hiport;
4291 obj_loport = cfg_tuple_get(obj, "loport");
4292 loport = (in_port_t)cfg_obj_asuint32(obj_loport);
4293 obj_hiport = cfg_tuple_get(obj, "hiport");
4294 hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
4297 isc_portset_addrange(portset, loport, hiport);
4299 isc_portset_removerange(portset, loport,
4307 removed(dns_zone_t *zone, void *uap) {
4310 if (dns_zone_getview(zone) != uap)
4311 return (ISC_R_SUCCESS);
4313 switch (dns_zone_gettype(zone)) {
4314 case dns_zone_master:
4317 case dns_zone_slave:
4327 dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
4328 return (ISC_R_SUCCESS);
4332 cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
4333 if (server->session_keyfile != NULL) {
4334 isc_file_remove(server->session_keyfile);
4335 isc_mem_free(mctx, server->session_keyfile);
4336 server->session_keyfile = NULL;
4339 if (server->session_keyname != NULL) {
4340 if (dns_name_dynamic(server->session_keyname))
4341 dns_name_free(server->session_keyname, mctx);
4342 isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
4343 server->session_keyname = NULL;
4346 if (server->sessionkey != NULL)
4347 dns_tsigkey_detach(&server->sessionkey);
4349 server->session_keyalg = DST_ALG_UNKNOWN;
4350 server->session_keybits = 0;
4354 generate_session_key(const char *filename, const char *keynamestr,
4355 dns_name_t *keyname, const char *algstr,
4356 dns_name_t *algname, unsigned int algtype,
4357 isc_uint16_t bits, isc_mem_t *mctx,
4358 dns_tsigkey_t **tsigkeyp)
4360 isc_result_t result = ISC_R_SUCCESS;
4361 dst_key_t *key = NULL;
4362 isc_buffer_t key_txtbuffer;
4363 isc_buffer_t key_rawbuffer;
4364 char key_txtsecret[256];
4365 char key_rawsecret[64];
4366 isc_region_t key_rawregion;
4368 dns_tsigkey_t *tsigkey = NULL;
4371 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4372 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4373 "generating session key for dynamic DNS");
4376 result = dst_key_generate(keyname, algtype, bits, 1, 0,
4377 DNS_KEYPROTO_ANY, dns_rdataclass_in,
4379 if (result != ISC_R_SUCCESS)
4383 * Dump the key to the buffer for later use. Should be done before
4384 * we transfer the ownership of key to tsigkey.
4386 isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
4387 CHECK(dst_key_tobuffer(key, &key_rawbuffer));
4389 isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
4390 isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
4391 CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
4393 /* Store the key in tsigkey. */
4394 isc_stdtime_get(&now);
4395 CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
4396 ISC_FALSE, NULL, now, now, mctx, NULL,
4399 /* Dump the key to the key file. */
4400 fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
4402 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4403 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4404 "could not create %s", filename);
4405 result = ISC_R_NOPERM;
4409 fprintf(fp, "key \"%s\" {\n"
4411 "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
4412 (int) isc_buffer_usedlength(&key_txtbuffer),
4413 (char*) isc_buffer_base(&key_txtbuffer));
4415 RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
4416 RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
4420 *tsigkeyp = tsigkey;
4422 return (ISC_R_SUCCESS);
4425 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4426 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4427 "failed to generate session key "
4428 "for dynamic DNS: %s", isc_result_totext(result));
4429 if (tsigkey != NULL)
4430 dns_tsigkey_detach(&tsigkey);
4438 configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
4441 const char *keyfile, *keynamestr, *algstr;
4442 unsigned int algtype;
4443 dns_fixedname_t fname;
4444 dns_name_t *keyname, *algname;
4445 isc_buffer_t buffer;
4447 const cfg_obj_t *obj;
4448 isc_boolean_t need_deleteold = ISC_FALSE;
4449 isc_boolean_t need_createnew = ISC_FALSE;
4450 isc_result_t result;
4453 result = ns_config_get(maps, "session-keyfile", &obj);
4454 if (result == ISC_R_SUCCESS) {
4455 if (cfg_obj_isvoid(obj))
4456 keyfile = NULL; /* disable it */
4458 keyfile = cfg_obj_asstring(obj);
4460 keyfile = ns_g_defaultsessionkeyfile;
4463 result = ns_config_get(maps, "session-keyname", &obj);
4464 INSIST(result == ISC_R_SUCCESS);
4465 keynamestr = cfg_obj_asstring(obj);
4466 dns_fixedname_init(&fname);
4467 isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
4468 isc_buffer_add(&buffer, strlen(keynamestr));
4469 keyname = dns_fixedname_name(&fname);
4470 result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
4471 if (result != ISC_R_SUCCESS)
4475 result = ns_config_get(maps, "session-keyalg", &obj);
4476 INSIST(result == ISC_R_SUCCESS);
4477 algstr = cfg_obj_asstring(obj);
4479 result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
4480 if (result != ISC_R_SUCCESS) {
4481 const char *s = " (keeping current key)";
4483 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
4484 "unsupported or unknown algorithm '%s'%s",
4486 server->session_keyfile != NULL ? s : "");
4490 /* See if we need to (re)generate a new key. */
4491 if (keyfile == NULL) {
4492 if (server->session_keyfile != NULL)
4493 need_deleteold = ISC_TRUE;
4494 } else if (server->session_keyfile == NULL)
4495 need_createnew = ISC_TRUE;
4496 else if (strcmp(keyfile, server->session_keyfile) != 0 ||
4497 !dns_name_equal(server->session_keyname, keyname) ||
4498 server->session_keyalg != algtype ||
4499 server->session_keybits != bits) {
4500 need_deleteold = ISC_TRUE;
4501 need_createnew = ISC_TRUE;
4504 if (need_deleteold) {
4505 INSIST(server->session_keyfile != NULL);
4506 INSIST(server->session_keyname != NULL);
4507 INSIST(server->sessionkey != NULL);
4509 cleanup_session_key(server, mctx);
4512 if (need_createnew) {
4513 INSIST(server->sessionkey == NULL);
4514 INSIST(server->session_keyfile == NULL);
4515 INSIST(server->session_keyname == NULL);
4516 INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
4517 INSIST(server->session_keybits == 0);
4519 server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
4520 if (server->session_keyname == NULL)
4522 dns_name_init(server->session_keyname, NULL);
4523 CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
4525 server->session_keyfile = isc_mem_strdup(mctx, keyfile);
4526 if (server->session_keyfile == NULL)
4529 server->session_keyalg = algtype;
4530 server->session_keybits = bits;
4532 CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
4533 algname, algtype, bits, mctx,
4534 &server->sessionkey));
4540 cleanup_session_key(server, mctx);
4545 setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
4546 cfg_parser_t *parser, cfg_aclconfctx_t *actx)
4548 isc_result_t result = ISC_R_SUCCESS;
4549 isc_boolean_t allow = ISC_FALSE;
4550 struct cfg_context *nzcfg = NULL;
4551 cfg_parser_t *nzparser = NULL;
4552 cfg_obj_t *nzconfig = NULL;
4553 const cfg_obj_t *maps[4];
4554 const cfg_obj_t *options = NULL, *voptions = NULL;
4555 const cfg_obj_t *nz = NULL;
4558 REQUIRE (config != NULL);
4560 if (vconfig != NULL)
4561 voptions = cfg_tuple_get(vconfig, "options");
4562 if (voptions != NULL)
4563 maps[i++] = voptions;
4564 result = cfg_map_get(config, "options", &options);
4565 if (result == ISC_R_SUCCESS)
4566 maps[i++] = options;
4567 maps[i++] = ns_g_defaults;
4570 result = ns_config_get(maps, "allow-new-zones", &nz);
4571 if (result == ISC_R_SUCCESS)
4572 allow = cfg_obj_asboolean(nz);
4575 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4576 return (ISC_R_SUCCESS);
4579 nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
4580 if (nzcfg == NULL) {
4581 dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
4582 return (ISC_R_NOMEMORY);
4585 dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
4587 memset(nzcfg, 0, sizeof(*nzcfg));
4588 isc_mem_attach(view->mctx, &nzcfg->mctx);
4589 cfg_obj_attach(config, &nzcfg->config);
4590 cfg_parser_attach(parser, &nzcfg->parser);
4591 cfg_aclconfctx_attach(actx, &nzcfg->actx);
4594 * Attempt to create a parser and parse the newzones
4595 * file. If successful, preserve both; otherwise leave
4598 result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
4599 if (result == ISC_R_SUCCESS)
4600 result = cfg_parse_file(nzparser, view->new_zone_file,
4601 &cfg_type_newzones, &nzconfig);
4602 if (result == ISC_R_SUCCESS) {
4603 cfg_parser_attach(nzparser, &nzcfg->nzparser);
4604 cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
4607 if (nzparser != NULL) {
4608 if (nzconfig != NULL)
4609 cfg_obj_destroy(nzparser, &nzconfig);
4610 cfg_parser_destroy(&nzparser);
4613 return (ISC_R_SUCCESS);
4617 count_zones(const cfg_obj_t *conf) {
4618 const cfg_obj_t *zonelist = NULL;
4619 const cfg_listelt_t *element;
4622 REQUIRE(conf != NULL);
4624 cfg_map_get(conf, "zone", &zonelist);
4625 for (element = cfg_list_first(zonelist);
4627 element = cfg_list_next(element))
4634 load_configuration(const char *filename, ns_server_t *server,
4635 isc_boolean_t first_time)
4637 cfg_obj_t *config = NULL, *bindkeys = NULL;
4638 cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
4639 const cfg_listelt_t *element;
4640 const cfg_obj_t *builtin_views;
4641 const cfg_obj_t *maps[3];
4642 const cfg_obj_t *obj;
4643 const cfg_obj_t *options;
4644 const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
4645 const cfg_obj_t *views;
4646 dns_view_t *view = NULL;
4647 dns_view_t *view_next;
4648 dns_viewlist_t tmpviewlist;
4649 dns_viewlist_t viewlist, builtin_viewlist;
4650 in_port_t listen_port, udpport_low, udpport_high;
4653 isc_boolean_t exclusive = ISC_FALSE;
4654 isc_interval_t interval;
4655 isc_logconfig_t *logc = NULL;
4656 isc_portset_t *v4portset = NULL;
4657 isc_portset_t *v6portset = NULL;
4658 isc_resourcevalue_t nfiles;
4659 isc_result_t result;
4660 isc_uint32_t heartbeat_interval;
4661 isc_uint32_t interface_interval;
4662 isc_uint32_t reserved;
4663 isc_uint32_t udpsize;
4665 ns_cachelist_t cachelist, tmpcachelist;
4666 struct cfg_context *nzctx;
4667 unsigned int maxsocks;
4669 ISC_LIST_INIT(viewlist);
4670 ISC_LIST_INIT(builtin_viewlist);
4671 ISC_LIST_INIT(cachelist);
4673 /* Create the ACL configuration context */
4674 if (ns_g_aclconfctx != NULL)
4675 cfg_aclconfctx_detach(&ns_g_aclconfctx);
4676 CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
4679 * Parse the global default pseudo-config file.
4682 CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
4683 RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
4684 &ns_g_defaults) == ISC_R_SUCCESS);
4688 * Parse the configuration file using the new config code.
4690 result = ISC_R_FAILURE;
4694 * Unless this is lwresd with the -C option, parse the config file.
4696 if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
4697 isc_log_write(ns_g_lctx,
4698 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4699 ISC_LOG_INFO, "loading configuration from '%s'",
4701 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
4702 cfg_parser_setcallback(conf_parser, directory_callback, NULL);
4703 result = cfg_parse_file(conf_parser, filename,
4704 &cfg_type_namedconf, &config);
4708 * If this is lwresd with the -C option, or lwresd with no -C or -c
4709 * option where the above parsing failed, parse resolv.conf.
4711 if (ns_g_lwresdonly &&
4712 (lwresd_g_useresolvconf ||
4713 (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
4715 isc_log_write(ns_g_lctx,
4716 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4717 ISC_LOG_INFO, "loading configuration from '%s'",
4718 lwresd_g_resolvconffile);
4719 if (conf_parser != NULL)
4720 cfg_parser_destroy(&conf_parser);
4721 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
4722 result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
4728 * Check the validity of the configuration.
4730 CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
4733 * Fill in the maps array, used for resolving defaults.
4737 result = cfg_map_get(config, "options", &options);
4738 if (result == ISC_R_SUCCESS)
4739 maps[i++] = options;
4740 maps[i++] = ns_g_defaults;
4744 * If bind.keys exists, load it. If "dnssec-lookaside auto"
4745 * is turned on, the keys found there will be used as default
4749 result = ns_config_get(maps, "bindkeys-file", &obj);
4750 INSIST(result == ISC_R_SUCCESS);
4751 CHECKM(setstring(server, &server->bindkeysfile,
4752 cfg_obj_asstring(obj)), "strdup");
4754 if (access(server->bindkeysfile, R_OK) == 0) {
4755 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4756 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4757 "reading built-in trusted "
4758 "keys from file '%s'", server->bindkeysfile);
4760 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
4763 result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
4764 &cfg_type_bindkeys, &bindkeys);
4768 /* Ensure exclusive access to configuration data. */
4770 result = isc_task_beginexclusive(server->task);
4771 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4772 exclusive = ISC_TRUE;
4776 * Set process limits, which (usually) needs to be done as root.
4781 * Check if max number of open sockets that the system allows is
4782 * sufficiently large. Failing this condition is not necessarily fatal,
4783 * but may cause subsequent runtime failures for a busy recursive
4786 result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
4787 if (result != ISC_R_SUCCESS)
4789 result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
4790 if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
4791 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4792 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4793 "max open files (%" ISC_PRINT_QUADFORMAT "u)"
4794 " is smaller than max sockets (%u)",
4799 * Set the number of socket reserved for TCP, stdio etc.
4802 result = ns_config_get(maps, "reserved-sockets", &obj);
4803 INSIST(result == ISC_R_SUCCESS);
4804 reserved = cfg_obj_asuint32(obj);
4805 if (maxsocks != 0) {
4806 if (maxsocks < 128U) /* Prevent underflow. */
4808 else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
4809 reserved = maxsocks - 128;
4811 /* Minimum TCP/stdio space. */
4812 if (reserved < 128U)
4814 if (reserved + 128U > maxsocks && maxsocks != 0) {
4815 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4816 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4817 "less than 128 UDP sockets available after "
4818 "applying 'reserved-sockets' and 'maxsockets'");
4820 isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
4823 * Configure various server options.
4825 configure_server_quota(maps, "transfers-out", &server->xfroutquota);
4826 configure_server_quota(maps, "tcp-clients", &server->tcpquota);
4827 configure_server_quota(maps, "recursive-clients",
4828 &server->recursionquota);
4829 if (server->recursionquota.max > 1000)
4830 isc_quota_soft(&server->recursionquota,
4831 server->recursionquota.max - 100);
4833 isc_quota_soft(&server->recursionquota, 0);
4835 CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
4836 ns_g_aclconfctx, ns_g_mctx,
4837 &server->blackholeacl));
4838 if (server->blackholeacl != NULL)
4839 dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
4840 server->blackholeacl);
4843 result = ns_config_get(maps, "match-mapped-addresses", &obj);
4844 INSIST(result == ISC_R_SUCCESS);
4845 server->aclenv.match_mapped = cfg_obj_asboolean(obj);
4847 CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
4848 "configuring statistics server(s)");
4851 * Configure sets of UDP query source ports.
4853 CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
4854 "creating UDP port set");
4855 CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
4856 "creating UDP port set");
4860 avoidv4ports = NULL;
4861 avoidv6ports = NULL;
4863 (void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
4864 if (usev4ports != NULL)
4865 portset_fromconf(v4portset, usev4ports, ISC_TRUE);
4867 CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
4869 "get the default UDP/IPv4 port range");
4870 if (udpport_low == udpport_high)
4871 isc_portset_add(v4portset, udpport_low);
4873 isc_portset_addrange(v4portset, udpport_low,
4876 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4877 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4878 "using default UDP/IPv4 port range: [%d, %d]",
4879 udpport_low, udpport_high);
4881 (void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
4882 if (avoidv4ports != NULL)
4883 portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
4885 (void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
4886 if (usev6ports != NULL)
4887 portset_fromconf(v6portset, usev6ports, ISC_TRUE);
4889 CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
4891 "get the default UDP/IPv6 port range");
4892 if (udpport_low == udpport_high)
4893 isc_portset_add(v6portset, udpport_low);
4895 isc_portset_addrange(v6portset, udpport_low,
4898 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4899 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4900 "using default UDP/IPv6 port range: [%d, %d]",
4901 udpport_low, udpport_high);
4903 (void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
4904 if (avoidv6ports != NULL)
4905 portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
4907 dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
4910 * Set the EDNS UDP size when we don't match a view.
4913 result = ns_config_get(maps, "edns-udp-size", &obj);
4914 INSIST(result == ISC_R_SUCCESS);
4915 udpsize = cfg_obj_asuint32(obj);
4920 ns_g_udpsize = (isc_uint16_t)udpsize;
4923 * Configure the zone manager.
4926 result = ns_config_get(maps, "transfers-in", &obj);
4927 INSIST(result == ISC_R_SUCCESS);
4928 dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
4931 result = ns_config_get(maps, "transfers-per-ns", &obj);
4932 INSIST(result == ISC_R_SUCCESS);
4933 dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
4936 result = ns_config_get(maps, "serial-query-rate", &obj);
4937 INSIST(result == ISC_R_SUCCESS);
4938 dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
4941 * Determine which port to use for listening for incoming connections.
4944 listen_port = ns_g_port;
4946 CHECKM(ns_config_getport(config, &listen_port), "port");
4949 * Find the listen queue depth.
4952 result = ns_config_get(maps, "tcp-listen-queue", &obj);
4953 INSIST(result == ISC_R_SUCCESS);
4954 ns_g_listen = cfg_obj_asuint32(obj);
4955 if ((ns_g_listen > 0) && (ns_g_listen < 10))
4959 * Configure the interface manager according to the "listen-on"
4963 const cfg_obj_t *clistenon = NULL;
4964 ns_listenlist_t *listenon = NULL;
4968 * Even though listen-on is present in the default
4969 * configuration, we can't use it here, since it isn't
4970 * used if we're in lwresd mode. This way is easier.
4972 if (options != NULL)
4973 (void)cfg_map_get(options, "listen-on", &clistenon);
4974 if (clistenon != NULL) {
4975 /* check return code? */
4976 (void)ns_listenlist_fromconfig(clistenon, config,
4978 ns_g_mctx, &listenon);
4979 } else if (!ns_g_lwresdonly) {
4981 * Not specified, use default.
4983 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
4984 ISC_TRUE, &listenon));
4986 if (listenon != NULL) {
4987 ns_interfacemgr_setlistenon4(server->interfacemgr,
4989 ns_listenlist_detach(&listenon);
4996 const cfg_obj_t *clistenon = NULL;
4997 ns_listenlist_t *listenon = NULL;
4999 if (options != NULL)
5000 (void)cfg_map_get(options, "listen-on-v6", &clistenon);
5001 if (clistenon != NULL) {
5002 /* check return code? */
5003 (void)ns_listenlist_fromconfig(clistenon, config,
5005 ns_g_mctx, &listenon);
5006 } else if (!ns_g_lwresdonly) {
5007 isc_boolean_t enable;
5009 * Not specified, use default.
5011 enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
5012 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
5013 enable, &listenon));
5015 if (listenon != NULL) {
5016 ns_interfacemgr_setlistenon6(server->interfacemgr,
5018 ns_listenlist_detach(&listenon);
5023 * Rescan the interface list to pick up changes in the
5024 * listen-on option. It's important that we do this before we try
5025 * to configure the query source, since the dispatcher we use might
5026 * be shared with an interface.
5028 scan_interfaces(server, ISC_TRUE);
5031 * Arrange for further interface scanning to occur periodically
5032 * as specified by the "interface-interval" option.
5035 result = ns_config_get(maps, "interface-interval", &obj);
5036 INSIST(result == ISC_R_SUCCESS);
5037 interface_interval = cfg_obj_asuint32(obj) * 60;
5038 if (interface_interval == 0) {
5039 CHECK(isc_timer_reset(server->interface_timer,
5040 isc_timertype_inactive,
5041 NULL, NULL, ISC_TRUE));
5042 } else if (server->interface_interval != interface_interval) {
5043 isc_interval_set(&interval, interface_interval, 0);
5044 CHECK(isc_timer_reset(server->interface_timer,
5045 isc_timertype_ticker,
5046 NULL, &interval, ISC_FALSE));
5048 server->interface_interval = interface_interval;
5051 * Configure the dialup heartbeat timer.
5054 result = ns_config_get(maps, "heartbeat-interval", &obj);
5055 INSIST(result == ISC_R_SUCCESS);
5056 heartbeat_interval = cfg_obj_asuint32(obj) * 60;
5057 if (heartbeat_interval == 0) {
5058 CHECK(isc_timer_reset(server->heartbeat_timer,
5059 isc_timertype_inactive,
5060 NULL, NULL, ISC_TRUE));
5061 } else if (server->heartbeat_interval != heartbeat_interval) {
5062 isc_interval_set(&interval, heartbeat_interval, 0);
5063 CHECK(isc_timer_reset(server->heartbeat_timer,
5064 isc_timertype_ticker,
5065 NULL, &interval, ISC_FALSE));
5067 server->heartbeat_interval = heartbeat_interval;
5069 isc_interval_set(&interval, 1200, 0);
5070 CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
5071 &interval, ISC_FALSE));
5074 * Write the PID file.
5077 if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
5078 if (cfg_obj_isvoid(obj))
5079 ns_os_writepidfile(NULL, first_time);
5081 ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
5082 else if (ns_g_lwresdonly)
5083 ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
5085 ns_os_writepidfile(ns_g_defaultpidfile, first_time);
5088 * Configure the server-wide session key. This must be done before
5089 * configure views because zone configuration may need to know
5092 * Failure of session key generation isn't fatal at this time; if it
5093 * turns out that a session key is really needed but doesn't exist,
5094 * we'll treat it as a fatal error then.
5096 (void)configure_session_key(maps, server, ns_g_mctx);
5099 (void)cfg_map_get(config, "view", &views);
5102 * Create the views and count all the configured zones in
5103 * order to correctly size the zone manager's task table.
5104 * (We only count zones for configured views; the built-in
5105 * "bind" view can be ignored as it only adds a negligible
5108 * If we're allowing new zones, we need to be able to find the
5109 * new zone file and count those as well. So we setup the new
5110 * zone configuration context, but otherwise view configuration
5111 * waits until after the zone manager's task list has been sized.
5113 for (element = cfg_list_first(views);
5115 element = cfg_list_next(element))
5117 cfg_obj_t *vconfig = cfg_listelt_value(element);
5118 const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
5121 CHECK(create_view(vconfig, &viewlist, &view));
5122 INSIST(view != NULL);
5124 num_zones += count_zones(voptions);
5125 CHECK(setup_newzones(view, config, vconfig, conf_parser,
5128 nzctx = view->new_zone_config;
5129 if (nzctx != NULL && nzctx->nzconfig != NULL)
5130 num_zones += count_zones(nzctx->nzconfig);
5132 dns_view_detach(&view);
5136 * If there were no explicit views then we do the default
5139 if (views == NULL) {
5140 CHECK(create_view(NULL, &viewlist, &view));
5141 INSIST(view != NULL);
5143 num_zones = count_zones(config);
5145 CHECK(setup_newzones(view, config, NULL, conf_parser,
5148 nzctx = view->new_zone_config;
5149 if (nzctx != NULL && nzctx->nzconfig != NULL)
5150 num_zones += count_zones(nzctx->nzconfig);
5152 dns_view_detach(&view);
5156 * Zones have been counted; set the zone manager task pool size.
5158 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5159 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5160 "sizing zone task pool based on %d zones", num_zones);
5161 CHECK(dns_zonemgr_setsize(ns_g_server->zonemgr, num_zones));
5164 * Configure and freeze all explicit views. Explicit
5165 * views that have zones were already created at parsing
5166 * time, but views with no zones must be created here.
5168 for (element = cfg_list_first(views);
5170 element = cfg_list_next(element))
5172 cfg_obj_t *vconfig = cfg_listelt_value(element);
5175 CHECK(find_view(vconfig, &viewlist, &view));
5176 CHECK(configure_view(view, config, vconfig,
5177 &cachelist, bindkeys, ns_g_mctx,
5178 ns_g_aclconfctx, ISC_TRUE));
5179 dns_view_freeze(view);
5180 dns_view_detach(&view);
5184 * Make sure we have a default view if and only if there
5185 * were no explicit views.
5187 if (views == NULL) {
5189 CHECK(find_view(NULL, &viewlist, &view));
5190 CHECK(configure_view(view, config, NULL,
5191 &cachelist, bindkeys,
5192 ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
5193 dns_view_freeze(view);
5194 dns_view_detach(&view);
5198 * Create (or recreate) the built-in views.
5200 builtin_views = NULL;
5201 RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
5202 &builtin_views) == ISC_R_SUCCESS);
5203 for (element = cfg_list_first(builtin_views);
5205 element = cfg_list_next(element))
5207 cfg_obj_t *vconfig = cfg_listelt_value(element);
5209 CHECK(create_view(vconfig, &builtin_viewlist, &view));
5210 CHECK(configure_view(view, config, vconfig,
5211 &cachelist, bindkeys,
5212 ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
5213 dns_view_freeze(view);
5214 dns_view_detach(&view);
5218 /* Now combine the two viewlists into one */
5219 ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
5221 /* Swap our new view list with the production one. */
5222 tmpviewlist = server->viewlist;
5223 server->viewlist = viewlist;
5224 viewlist = tmpviewlist;
5226 /* Make the view list available to each of the views */
5227 view = ISC_LIST_HEAD(server->viewlist);
5228 while (view != NULL) {
5229 view->viewlist = &server->viewlist;
5230 view = ISC_LIST_NEXT(view, link);
5233 /* Swap our new cache list with the production one. */
5234 tmpcachelist = server->cachelist;
5235 server->cachelist = cachelist;
5236 cachelist = tmpcachelist;
5238 /* Load the TKEY information from the configuration. */
5239 if (options != NULL) {
5240 dns_tkeyctx_t *t = NULL;
5241 CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
5243 "configuring TKEY");
5244 if (server->tkeyctx != NULL)
5245 dns_tkeyctx_destroy(&server->tkeyctx);
5246 server->tkeyctx = t;
5250 * Bind the control port(s).
5252 CHECKM(ns_controls_configure(ns_g_server->controls, config,
5254 "binding control channel(s)");
5257 * Bind the lwresd port(s).
5259 CHECKM(ns_lwresd_configure(ns_g_mctx, config),
5260 "binding lightweight resolver ports");
5263 * Open the source of entropy.
5267 result = ns_config_get(maps, "random-device", &obj);
5268 if (result != ISC_R_SUCCESS) {
5269 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5270 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5271 "no source of entropy found");
5273 const char *randomdev = cfg_obj_asstring(obj);
5274 result = isc_entropy_createfilesource(ns_g_entropy,
5276 if (result != ISC_R_SUCCESS)
5277 isc_log_write(ns_g_lctx,
5278 NS_LOGCATEGORY_GENERAL,
5279 NS_LOGMODULE_SERVER,
5281 "could not open entropy source "
5284 isc_result_totext(result));
5285 #ifdef PATH_RANDOMDEV
5286 if (ns_g_fallbackentropy != NULL) {
5287 if (result != ISC_R_SUCCESS) {
5288 isc_log_write(ns_g_lctx,
5289 NS_LOGCATEGORY_GENERAL,
5290 NS_LOGMODULE_SERVER,
5292 "using pre-chroot entropy source "
5295 isc_entropy_detach(&ns_g_entropy);
5296 isc_entropy_attach(ns_g_fallbackentropy,
5299 isc_entropy_detach(&ns_g_fallbackentropy);
5306 * Relinquish root privileges.
5312 * Check that the working directory is writable.
5314 if (access(".", W_OK) != 0) {
5315 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5316 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5317 "the working directory is not writable");
5321 * Configure the logging system.
5323 * Do this after changing UID to make sure that any log
5324 * files specified in named.conf get created by the
5325 * unprivileged user, not root.
5327 if (ns_g_logstderr) {
5328 const cfg_obj_t *logobj = NULL;
5330 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5331 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5332 "not using config file logging "
5333 "statement for logging due to "
5336 (void)cfg_map_get(config, "logging", &logobj);
5337 if (logobj != NULL) {
5338 result = ns_log_configure(NULL, logobj);
5339 if (result != ISC_R_SUCCESS) {
5340 isc_log_write(ns_g_lctx,
5341 NS_LOGCATEGORY_GENERAL,
5342 NS_LOGMODULE_SERVER,
5344 "checking logging configuration "
5346 isc_result_totext(result));
5351 const cfg_obj_t *logobj = NULL;
5353 CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
5354 "creating new logging configuration");
5357 (void)cfg_map_get(config, "logging", &logobj);
5358 if (logobj != NULL) {
5359 CHECKM(ns_log_configure(logc, logobj),
5360 "configuring logging");
5362 CHECKM(ns_log_setdefaultchannels(logc),
5363 "setting up default logging channels");
5364 CHECKM(ns_log_setunmatchedcategory(logc),
5365 "setting up default 'category unmatched'");
5366 CHECKM(ns_log_setdefaultcategory(logc),
5367 "setting up default 'category default'");
5370 CHECKM(isc_logconfig_use(ns_g_lctx, logc),
5371 "installing logging configuration");
5374 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5375 NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
5376 "now using logging configuration from "
5381 * Set the default value of the query logging flag depending
5382 * whether a "queries" category has been defined. This is
5383 * a disgusting hack, but we need to do this for BIND 8
5387 const cfg_obj_t *logobj = NULL;
5388 const cfg_obj_t *categories = NULL;
5391 if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
5392 server->log_queries = cfg_obj_asboolean(obj);
5395 (void)cfg_map_get(config, "logging", &logobj);
5397 (void)cfg_map_get(logobj, "category",
5399 if (categories != NULL) {
5400 const cfg_listelt_t *element;
5401 for (element = cfg_list_first(categories);
5403 element = cfg_list_next(element))
5405 const cfg_obj_t *catobj;
5408 obj = cfg_listelt_value(element);
5409 catobj = cfg_tuple_get(obj, "name");
5410 str = cfg_obj_asstring(catobj);
5411 if (strcasecmp(str, "queries") == 0)
5412 server->log_queries = ISC_TRUE;
5420 if (options != NULL &&
5421 cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
5422 ns_g_memstatistics = cfg_obj_asboolean(obj);
5424 ns_g_memstatistics =
5425 ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
5428 if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
5429 ns_main_setmemstats(cfg_obj_asstring(obj));
5430 else if (ns_g_memstatistics)
5431 ns_main_setmemstats("named.memstats");
5433 ns_main_setmemstats(NULL);
5436 result = ns_config_get(maps, "statistics-file", &obj);
5437 INSIST(result == ISC_R_SUCCESS);
5438 CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
5442 result = ns_config_get(maps, "dump-file", &obj);
5443 INSIST(result == ISC_R_SUCCESS);
5444 CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
5448 result = ns_config_get(maps, "secroots-file", &obj);
5449 INSIST(result == ISC_R_SUCCESS);
5450 CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
5454 result = ns_config_get(maps, "recursing-file", &obj);
5455 INSIST(result == ISC_R_SUCCESS);
5456 CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
5460 result = ns_config_get(maps, "version", &obj);
5461 if (result == ISC_R_SUCCESS) {
5462 CHECKM(setoptstring(server, &server->version, obj), "strdup");
5463 server->version_set = ISC_TRUE;
5465 server->version_set = ISC_FALSE;
5469 result = ns_config_get(maps, "hostname", &obj);
5470 if (result == ISC_R_SUCCESS) {
5471 CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
5472 server->hostname_set = ISC_TRUE;
5474 server->hostname_set = ISC_FALSE;
5478 result = ns_config_get(maps, "server-id", &obj);
5479 server->server_usehostname = ISC_FALSE;
5480 if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
5481 /* The parser translates "hostname" to ISC_TRUE */
5482 server->server_usehostname = cfg_obj_asboolean(obj);
5483 result = setstring(server, &server->server_id, NULL);
5484 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5485 } else if (result == ISC_R_SUCCESS) {
5486 /* Found a quoted string */
5487 CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
5489 result = setstring(server, &server->server_id, NULL);
5490 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5494 result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
5495 if (result == ISC_R_SUCCESS) {
5496 server->flushonshutdown = cfg_obj_asboolean(obj);
5498 server->flushonshutdown = ISC_FALSE;
5501 result = ISC_R_SUCCESS;
5505 isc_logconfig_destroy(&logc);
5507 if (v4portset != NULL)
5508 isc_portset_destroy(ns_g_mctx, &v4portset);
5510 if (v6portset != NULL)
5511 isc_portset_destroy(ns_g_mctx, &v6portset);
5513 if (conf_parser != NULL) {
5515 cfg_obj_destroy(conf_parser, &config);
5516 cfg_parser_destroy(&conf_parser);
5519 if (bindkeys_parser != NULL) {
5520 if (bindkeys != NULL)
5521 cfg_obj_destroy(bindkeys_parser, &bindkeys);
5522 cfg_parser_destroy(&bindkeys_parser);
5526 dns_view_detach(&view);
5529 * This cleans up either the old production view list
5530 * or our temporary list depending on whether they
5531 * were swapped above or not.
5533 for (view = ISC_LIST_HEAD(viewlist);
5536 view_next = ISC_LIST_NEXT(view, link);
5537 ISC_LIST_UNLINK(viewlist, view, link);
5538 if (result == ISC_R_SUCCESS &&
5539 strcmp(view->name, "_bind") != 0)
5540 (void)dns_zt_apply(view->zonetable, ISC_FALSE,
5542 dns_view_detach(&view);
5545 /* Same cleanup for cache list. */
5546 while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
5547 ISC_LIST_UNLINK(cachelist, nsc, link);
5548 dns_cache_detach(&nsc->cache);
5549 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
5553 * Adjust the listening interfaces in accordance with the source
5554 * addresses specified in views and zones.
5556 if (isc_net_probeipv6() == ISC_R_SUCCESS)
5557 adjust_interfaces(server, ns_g_mctx);
5559 /* Relinquish exclusive access to configuration data. */
5561 isc_task_endexclusive(server->task);
5563 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5564 ISC_LOG_DEBUG(1), "load_configuration: %s",
5565 isc_result_totext(result));
5571 load_zones(ns_server_t *server, isc_boolean_t stop) {
5572 isc_result_t result;
5575 result = isc_task_beginexclusive(server->task);
5576 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5579 * Load zone data from disk.
5581 for (view = ISC_LIST_HEAD(server->viewlist);
5583 view = ISC_LIST_NEXT(view, link))
5585 CHECK(dns_view_load(view, stop));
5586 if (view->managed_keys != NULL)
5587 CHECK(dns_zone_load(view->managed_keys));
5591 * Force zone maintenance. Do this after loading
5592 * so that we know when we need to force AXFR of
5593 * slave zones whose master files are missing.
5595 CHECK(dns_zonemgr_forcemaint(server->zonemgr));
5597 isc_task_endexclusive(server->task);
5602 load_new_zones(ns_server_t *server, isc_boolean_t stop) {
5603 isc_result_t result;
5606 result = isc_task_beginexclusive(server->task);
5607 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5610 * Load zone data from disk.
5612 for (view = ISC_LIST_HEAD(server->viewlist);
5614 view = ISC_LIST_NEXT(view, link))
5616 CHECK(dns_view_loadnew(view, stop));
5618 /* Load managed-keys data */
5619 if (view->managed_keys != NULL)
5620 CHECK(dns_zone_loadnew(view->managed_keys));
5626 dns_zonemgr_resumexfrs(server->zonemgr);
5628 isc_task_endexclusive(server->task);
5633 run_server(isc_task_t *task, isc_event_t *event) {
5634 isc_result_t result;
5635 ns_server_t *server = (ns_server_t *)event->ev_arg;
5637 INSIST(task == server->task);
5639 isc_event_free(&event);
5641 CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
5643 "creating dispatch manager");
5645 dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
5647 CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
5648 ns_g_socketmgr, ns_g_dispatchmgr,
5649 &server->interfacemgr),
5650 "creating interface manager");
5652 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5653 NULL, NULL, server->task,
5654 interface_timer_tick,
5655 server, &server->interface_timer),
5656 "creating interface timer");
5658 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5659 NULL, NULL, server->task,
5660 heartbeat_timer_tick,
5661 server, &server->heartbeat_timer),
5662 "creating heartbeat timer");
5664 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
5665 NULL, NULL, server->task, pps_timer_tick,
5666 server, &server->pps_timer),
5667 "creating pps timer");
5669 CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
5670 "creating default configuration parser");
5672 if (ns_g_lwresdonly)
5673 CHECKFATAL(load_configuration(lwresd_g_conffile, server,
5675 "loading configuration");
5677 CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
5678 "loading configuration");
5682 CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
5685 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5686 ISC_LOG_NOTICE, "running");
5690 ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
5692 REQUIRE(NS_SERVER_VALID(server));
5694 server->flushonshutdown = flush;
5698 shutdown_server(isc_task_t *task, isc_event_t *event) {
5699 isc_result_t result;
5700 dns_view_t *view, *view_next;
5701 ns_server_t *server = (ns_server_t *)event->ev_arg;
5702 isc_boolean_t flush = server->flushonshutdown;
5706 INSIST(task == server->task);
5708 result = isc_task_beginexclusive(server->task);
5709 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5711 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5712 ISC_LOG_INFO, "shutting down%s",
5713 flush ? ": flushing changes" : "");
5715 ns_statschannels_shutdown(server);
5716 ns_controls_shutdown(server->controls);
5717 end_reserved_dispatches(server, ISC_TRUE);
5718 cleanup_session_key(server, server->mctx);
5720 if (ns_g_aclconfctx != NULL)
5721 cfg_aclconfctx_detach(&ns_g_aclconfctx);
5723 cfg_obj_destroy(ns_g_parser, &ns_g_config);
5724 cfg_parser_destroy(&ns_g_parser);
5726 for (view = ISC_LIST_HEAD(server->viewlist);
5729 view_next = ISC_LIST_NEXT(view, link);
5730 ISC_LIST_UNLINK(server->viewlist, view, link);
5732 dns_view_flushanddetach(&view);
5734 dns_view_detach(&view);
5737 while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
5738 ISC_LIST_UNLINK(server->cachelist, nsc, link);
5739 dns_cache_detach(&nsc->cache);
5740 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
5743 isc_timer_detach(&server->interface_timer);
5744 isc_timer_detach(&server->heartbeat_timer);
5745 isc_timer_detach(&server->pps_timer);
5747 ns_interfacemgr_shutdown(server->interfacemgr);
5748 ns_interfacemgr_detach(&server->interfacemgr);
5750 dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
5752 dns_zonemgr_shutdown(server->zonemgr);
5754 if (ns_g_sessionkey != NULL) {
5755 dns_tsigkey_detach(&ns_g_sessionkey);
5756 dns_name_free(&ns_g_sessionkeyname, server->mctx);
5759 if (server->blackholeacl != NULL)
5760 dns_acl_detach(&server->blackholeacl);
5762 dns_db_detach(&server->in_roothints);
5764 isc_task_endexclusive(server->task);
5766 isc_task_detach(&server->task);
5768 isc_event_free(&event);
5772 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
5773 isc_result_t result;
5774 ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
5777 fatal("allocating server object", ISC_R_NOMEMORY);
5779 server->mctx = mctx;
5780 server->task = NULL;
5782 /* Initialize configuration data with default values. */
5784 result = isc_quota_init(&server->xfroutquota, 10);
5785 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5786 result = isc_quota_init(&server->tcpquota, 10);
5787 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5788 result = isc_quota_init(&server->recursionquota, 100);
5789 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5791 result = dns_aclenv_init(mctx, &server->aclenv);
5792 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5794 /* Initialize server data structures. */
5795 server->zonemgr = NULL;
5796 server->interfacemgr = NULL;
5797 ISC_LIST_INIT(server->viewlist);
5798 server->in_roothints = NULL;
5799 server->blackholeacl = NULL;
5801 CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
5802 &server->in_roothints),
5803 "setting up root hints");
5805 CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
5806 "initializing reload event lock");
5807 server->reload_event =
5808 isc_event_allocate(ns_g_mctx, server,
5812 sizeof(isc_event_t));
5813 CHECKFATAL(server->reload_event == NULL ?
5814 ISC_R_NOMEMORY : ISC_R_SUCCESS,
5815 "allocating reload event");
5817 CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
5818 ns_g_engine, ISC_ENTROPY_GOODONLY),
5819 "initializing DST");
5821 server->tkeyctx = NULL;
5822 CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
5824 "creating TKEY context");
5827 * Setup the server task, which is responsible for coordinating
5828 * startup and shutdown of the server, as well as all exclusive
5831 CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
5832 "creating server task");
5833 isc_task_setname(server->task, "server", server);
5834 isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
5835 CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
5836 "isc_task_onshutdown");
5837 CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
5840 server->interface_timer = NULL;
5841 server->heartbeat_timer = NULL;
5842 server->pps_timer = NULL;
5844 server->interface_interval = 0;
5845 server->heartbeat_interval = 0;
5847 CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
5848 ns_g_socketmgr, &server->zonemgr),
5849 "dns_zonemgr_create");
5850 CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000),
5851 "dns_zonemgr_setsize");
5853 server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
5854 CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5856 server->nsstats = NULL;
5857 server->rcvquerystats = NULL;
5858 server->opcodestats = NULL;
5859 server->zonestats = NULL;
5860 server->resolverstats = NULL;
5861 server->sockstats = NULL;
5862 CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
5863 isc_sockstatscounter_max),
5864 "isc_stats_create");
5865 isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
5867 server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
5868 CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
5872 server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
5873 CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5876 server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
5877 CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
5881 server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
5882 CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
5885 server->hostname_set = ISC_FALSE;
5886 server->hostname = NULL;
5887 server->version_set = ISC_FALSE;
5888 server->version = NULL;
5889 server->server_usehostname = ISC_FALSE;
5890 server->server_id = NULL;
5892 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
5893 dns_nsstatscounter_max),
5894 "dns_stats_create (server)");
5896 CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
5897 &server->rcvquerystats),
5898 "dns_stats_create (rcvquery)");
5900 CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
5901 "dns_stats_create (opcode)");
5903 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
5904 dns_zonestatscounter_max),
5905 "dns_stats_create (zone)");
5907 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
5908 dns_resstatscounter_max),
5909 "dns_stats_create (resolver)");
5911 server->flushonshutdown = ISC_FALSE;
5912 server->log_queries = ISC_FALSE;
5914 server->controls = NULL;
5915 CHECKFATAL(ns_controls_create(server, &server->controls),
5916 "ns_controls_create");
5917 server->dispatchgen = 0;
5918 ISC_LIST_INIT(server->dispatches);
5920 ISC_LIST_INIT(server->statschannels);
5922 ISC_LIST_INIT(server->cachelist);
5924 server->sessionkey = NULL;
5925 server->session_keyfile = NULL;
5926 server->session_keyname = NULL;
5927 server->session_keyalg = DST_ALG_UNKNOWN;
5928 server->session_keybits = 0;
5930 server->magic = NS_SERVER_MAGIC;
5935 ns_server_destroy(ns_server_t **serverp) {
5936 ns_server_t *server = *serverp;
5937 REQUIRE(NS_SERVER_VALID(server));
5939 ns_controls_destroy(&server->controls);
5941 isc_stats_detach(&server->nsstats);
5942 dns_stats_detach(&server->rcvquerystats);
5943 dns_stats_detach(&server->opcodestats);
5944 isc_stats_detach(&server->zonestats);
5945 isc_stats_detach(&server->resolverstats);
5946 isc_stats_detach(&server->sockstats);
5948 isc_mem_free(server->mctx, server->statsfile);
5949 isc_mem_free(server->mctx, server->bindkeysfile);
5950 isc_mem_free(server->mctx, server->dumpfile);
5951 isc_mem_free(server->mctx, server->secrootsfile);
5952 isc_mem_free(server->mctx, server->recfile);
5954 if (server->version != NULL)
5955 isc_mem_free(server->mctx, server->version);
5956 if (server->hostname != NULL)
5957 isc_mem_free(server->mctx, server->hostname);
5958 if (server->server_id != NULL)
5959 isc_mem_free(server->mctx, server->server_id);
5961 if (server->zonemgr != NULL)
5962 dns_zonemgr_detach(&server->zonemgr);
5964 if (server->tkeyctx != NULL)
5965 dns_tkeyctx_destroy(&server->tkeyctx);
5969 isc_event_free(&server->reload_event);
5971 INSIST(ISC_LIST_EMPTY(server->viewlist));
5972 INSIST(ISC_LIST_EMPTY(server->cachelist));
5974 dns_aclenv_destroy(&server->aclenv);
5976 isc_quota_destroy(&server->recursionquota);
5977 isc_quota_destroy(&server->tcpquota);
5978 isc_quota_destroy(&server->xfroutquota);
5981 isc_mem_put(server->mctx, server, sizeof(*server));
5986 fatal(const char *msg, isc_result_t result) {
5987 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5988 ISC_LOG_CRITICAL, "%s: %s", msg,
5989 isc_result_totext(result));
5990 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
5991 ISC_LOG_CRITICAL, "exiting (due to fatal error)");
5996 start_reserved_dispatches(ns_server_t *server) {
5998 REQUIRE(NS_SERVER_VALID(server));
6000 server->dispatchgen++;
6004 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
6005 ns_dispatch_t *dispatch, *nextdispatch;
6007 REQUIRE(NS_SERVER_VALID(server));
6009 for (dispatch = ISC_LIST_HEAD(server->dispatches);
6011 dispatch = nextdispatch) {
6012 nextdispatch = ISC_LIST_NEXT(dispatch, link);
6013 if (!all && server->dispatchgen == dispatch-> dispatchgen)
6015 ISC_LIST_UNLINK(server->dispatches, dispatch, link);
6016 dns_dispatch_detach(&dispatch->dispatch);
6017 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
6022 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
6023 ns_dispatch_t *dispatch;
6025 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
6026 isc_result_t result;
6027 unsigned int attrs, attrmask;
6029 REQUIRE(NS_SERVER_VALID(server));
6031 port = isc_sockaddr_getport(addr);
6032 if (port == 0 || port >= 1024)
6035 for (dispatch = ISC_LIST_HEAD(server->dispatches);
6037 dispatch = ISC_LIST_NEXT(dispatch, link)) {
6038 if (isc_sockaddr_equal(&dispatch->addr, addr))
6041 if (dispatch != NULL) {
6042 dispatch->dispatchgen = server->dispatchgen;
6046 dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
6047 if (dispatch == NULL) {
6048 result = ISC_R_NOMEMORY;
6052 dispatch->addr = *addr;
6053 dispatch->dispatchgen = server->dispatchgen;
6054 dispatch->dispatch = NULL;
6057 attrs |= DNS_DISPATCHATTR_UDP;
6058 switch (isc_sockaddr_pf(addr)) {
6060 attrs |= DNS_DISPATCHATTR_IPV4;
6063 attrs |= DNS_DISPATCHATTR_IPV6;
6066 result = ISC_R_NOTIMPLEMENTED;
6070 attrmask |= DNS_DISPATCHATTR_UDP;
6071 attrmask |= DNS_DISPATCHATTR_TCP;
6072 attrmask |= DNS_DISPATCHATTR_IPV4;
6073 attrmask |= DNS_DISPATCHATTR_IPV6;
6075 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
6076 ns_g_taskmgr, &dispatch->addr, 4096,
6077 1000, 32768, 16411, 16433,
6078 attrs, attrmask, &dispatch->dispatch);
6079 if (result != ISC_R_SUCCESS)
6082 ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
6087 if (dispatch != NULL)
6088 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
6089 isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
6090 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6091 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
6092 "unable to create dispatch for reserved port %s: %s",
6093 addrbuf, isc_result_totext(result));
6098 loadconfig(ns_server_t *server) {
6099 isc_result_t result;
6100 start_reserved_dispatches(server);
6101 result = load_configuration(ns_g_lwresdonly ?
6102 lwresd_g_conffile : ns_g_conffile,
6104 if (result == ISC_R_SUCCESS) {
6105 end_reserved_dispatches(server, ISC_FALSE);
6106 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6107 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6108 "reloading configuration succeeded");
6110 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6111 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6112 "reloading configuration failed: %s",
6113 isc_result_totext(result));
6119 reload(ns_server_t *server) {
6120 isc_result_t result;
6121 CHECK(loadconfig(server));
6123 result = load_zones(server, ISC_FALSE);
6124 if (result == ISC_R_SUCCESS)
6125 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6126 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6127 "reloading zones succeeded");
6129 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6130 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6131 "reloading zones failed: %s",
6132 isc_result_totext(result));
6139 reconfig(ns_server_t *server) {
6140 isc_result_t result;
6141 CHECK(loadconfig(server));
6143 result = load_new_zones(server, ISC_FALSE);
6144 if (result == ISC_R_SUCCESS)
6145 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6146 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6147 "any newly configured zones are now loaded");
6149 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6150 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6151 "loading new zones failed: %s",
6152 isc_result_totext(result));
6158 * Handle a reload event (from SIGHUP).
6161 ns_server_reload(isc_task_t *task, isc_event_t *event) {
6162 ns_server_t *server = (ns_server_t *)event->ev_arg;
6164 INSIST(task = server->task);
6167 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6168 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6169 "received SIGHUP signal to reload zones");
6170 (void)reload(server);
6172 LOCK(&server->reload_event_lock);
6173 INSIST(server->reload_event == NULL);
6174 server->reload_event = event;
6175 UNLOCK(&server->reload_event_lock);
6179 ns_server_reloadwanted(ns_server_t *server) {
6180 LOCK(&server->reload_event_lock);
6181 if (server->reload_event != NULL)
6182 isc_task_send(server->task, &server->reload_event);
6183 UNLOCK(&server->reload_event_lock);
6187 next_token(char **stringp, const char *delim) {
6191 res = strsep(stringp, delim);
6194 } while (*res == '\0');
6199 * Find the zone specified in the control channel command 'args',
6200 * if any. If a zone is specified, point '*zonep' at it, otherwise
6201 * set '*zonep' to NULL.
6204 zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
6205 const char **zonename, isc_buffer_t *text)
6208 const char *zonetxt;
6210 const char *viewtxt = NULL;
6211 dns_fixedname_t fname;
6213 isc_result_t result;
6214 dns_view_t *view = NULL;
6215 dns_rdataclass_t rdclass;
6216 char problem[DNS_NAME_FORMATSIZE + 500] = "";
6218 REQUIRE(zonep != NULL && *zonep == NULL);
6219 REQUIRE(zonename == NULL || *zonename == NULL);
6223 /* Skip the command name. */
6224 ptr = next_token(&input, " \t");
6226 return (ISC_R_UNEXPECTEDEND);
6228 /* Look for the zone name. */
6229 zonetxt = next_token(&input, " \t");
6230 if (zonetxt == NULL)
6231 return (ISC_R_SUCCESS);
6232 if (zonename != NULL)
6233 *zonename = zonetxt;
6235 /* Look for the optional class name. */
6236 classtxt = next_token(&input, " \t");
6237 if (classtxt != NULL) {
6238 /* Look for the optional view name. */
6239 viewtxt = next_token(&input, " \t");
6242 dns_fixedname_init(&fname);
6243 name = dns_fixedname_name(&fname);
6244 CHECK(dns_name_fromstring(name, zonetxt, 0, NULL));
6246 if (classtxt != NULL) {
6249 r.length = strlen(classtxt);
6250 CHECK(dns_rdataclass_fromtext(&rdclass, &r));
6252 rdclass = dns_rdataclass_in;
6254 if (viewtxt == NULL) {
6255 result = dns_viewlist_findzone(&server->viewlist, name,
6256 ISC_TF(classtxt == NULL),
6258 if (result == ISC_R_NOTFOUND)
6259 snprintf(problem, sizeof(problem),
6260 "no matching zone '%s' in any view",
6263 result = dns_viewlist_find(&server->viewlist, viewtxt,
6265 if (result != ISC_R_SUCCESS) {
6266 snprintf(problem, sizeof(problem),
6267 "no matching view '%s'", viewtxt);
6271 result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
6272 if (result != ISC_R_SUCCESS)
6273 snprintf(problem, sizeof(problem),
6274 "no matching zone '%s' in view '%s'",
6278 /* Partial match? */
6279 if (result != ISC_R_SUCCESS && *zonep != NULL)
6280 dns_zone_detach(zonep);
6281 if (result == DNS_R_PARTIALMATCH)
6282 result = ISC_R_NOTFOUND;
6284 if (result != ISC_R_SUCCESS) {
6285 isc_result_t tresult;
6287 tresult = putstr(text, problem);
6288 if (tresult == ISC_R_SUCCESS &&
6289 isc_buffer_availablelength(text) > 0U)
6290 isc_buffer_putuint8(text, 0);
6295 dns_view_detach(&view);
6301 * Act on a "retransfer" command from the command channel.
6304 ns_server_retransfercommand(ns_server_t *server, char *args,
6307 isc_result_t result;
6308 dns_zone_t *zone = NULL;
6309 dns_zonetype_t type;
6311 result = zone_from_args(server, args, &zone, NULL, text);
6312 if (result != ISC_R_SUCCESS)
6315 return (ISC_R_UNEXPECTEDEND);
6316 type = dns_zone_gettype(zone);
6317 if (type == dns_zone_slave || type == dns_zone_stub)
6318 dns_zone_forcereload(zone);
6320 result = ISC_R_NOTFOUND;
6321 dns_zone_detach(&zone);
6326 * Act on a "reload" command from the command channel.
6329 ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6330 isc_result_t result;
6331 dns_zone_t *zone = NULL;
6332 dns_zonetype_t type;
6333 const char *msg = NULL;
6335 result = zone_from_args(server, args, &zone, NULL, text);
6336 if (result != ISC_R_SUCCESS)
6339 result = reload(server);
6340 if (result == ISC_R_SUCCESS)
6341 msg = "server reload successful";
6343 type = dns_zone_gettype(zone);
6344 if (type == dns_zone_slave || type == dns_zone_stub) {
6345 dns_zone_refresh(zone);
6346 dns_zone_detach(&zone);
6347 msg = "zone refresh queued";
6349 result = dns_zone_load(zone);
6350 dns_zone_detach(&zone);
6353 msg = "zone reload successful";
6355 case DNS_R_CONTINUE:
6356 msg = "zone reload queued";
6357 result = ISC_R_SUCCESS;
6359 case DNS_R_UPTODATE:
6360 msg = "zone reload up-to-date";
6361 result = ISC_R_SUCCESS;
6364 /* failure message will be generated by rndc */
6369 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
6370 isc_buffer_putmem(text, (const unsigned char *)msg,
6376 * Act on a "reconfig" command from the command channel.
6379 ns_server_reconfigcommand(ns_server_t *server, char *args) {
6383 return (ISC_R_SUCCESS);
6387 * Act on a "notify" command from the command channel.
6390 ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6391 isc_result_t result;
6392 dns_zone_t *zone = NULL;
6393 const unsigned char msg[] = "zone notify queued";
6395 result = zone_from_args(server, args, &zone, NULL, text);
6396 if (result != ISC_R_SUCCESS)
6399 return (ISC_R_UNEXPECTEDEND);
6401 dns_zone_notify(zone);
6402 dns_zone_detach(&zone);
6403 if (sizeof(msg) <= isc_buffer_availablelength(text))
6404 isc_buffer_putmem(text, msg, sizeof(msg));
6406 return (ISC_R_SUCCESS);
6410 * Act on a "refresh" command from the command channel.
6413 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
6414 isc_result_t result;
6415 dns_zone_t *zone = NULL;
6416 const unsigned char msg1[] = "zone refresh queued";
6417 const unsigned char msg2[] = "not a slave or stub zone";
6418 dns_zonetype_t type;
6420 result = zone_from_args(server, args, &zone, NULL, text);
6421 if (result != ISC_R_SUCCESS)
6424 return (ISC_R_UNEXPECTEDEND);
6426 type = dns_zone_gettype(zone);
6427 if (type == dns_zone_slave || type == dns_zone_stub) {
6428 dns_zone_refresh(zone);
6429 dns_zone_detach(&zone);
6430 if (sizeof(msg1) <= isc_buffer_availablelength(text))
6431 isc_buffer_putmem(text, msg1, sizeof(msg1));
6432 return (ISC_R_SUCCESS);
6435 dns_zone_detach(&zone);
6436 if (sizeof(msg2) <= isc_buffer_availablelength(text))
6437 isc_buffer_putmem(text, msg2, sizeof(msg2));
6438 return (ISC_R_FAILURE);
6442 ns_server_togglequerylog(ns_server_t *server) {
6443 server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
6445 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6446 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6447 "query logging is now %s",
6448 server->log_queries ? "on" : "off");
6449 return (ISC_R_SUCCESS);
6453 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
6454 cfg_aclconfctx_t *actx,
6455 isc_mem_t *mctx, ns_listenlist_t **target)
6457 isc_result_t result;
6458 const cfg_listelt_t *element;
6459 ns_listenlist_t *dlist = NULL;
6461 REQUIRE(target != NULL && *target == NULL);
6463 result = ns_listenlist_create(mctx, &dlist);
6464 if (result != ISC_R_SUCCESS)
6467 for (element = cfg_list_first(listenlist);
6469 element = cfg_list_next(element))
6471 ns_listenelt_t *delt = NULL;
6472 const cfg_obj_t *listener = cfg_listelt_value(element);
6473 result = ns_listenelt_fromconfig(listener, config, actx,
6475 if (result != ISC_R_SUCCESS)
6477 ISC_LIST_APPEND(dlist->elts, delt, link);
6480 return (ISC_R_SUCCESS);
6483 ns_listenlist_detach(&dlist);
6488 * Create a listen list from the corresponding configuration
6492 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
6493 cfg_aclconfctx_t *actx,
6494 isc_mem_t *mctx, ns_listenelt_t **target)
6496 isc_result_t result;
6497 const cfg_obj_t *portobj;
6499 ns_listenelt_t *delt = NULL;
6500 REQUIRE(target != NULL && *target == NULL);
6502 portobj = cfg_tuple_get(listener, "port");
6503 if (!cfg_obj_isuint32(portobj)) {
6504 if (ns_g_port != 0) {
6507 result = ns_config_getport(config, &port);
6508 if (result != ISC_R_SUCCESS)
6512 if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
6513 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
6514 "port value '%u' is out of range",
6515 cfg_obj_asuint32(portobj));
6516 return (ISC_R_RANGE);
6518 port = (in_port_t)cfg_obj_asuint32(portobj);
6521 result = ns_listenelt_create(mctx, port, NULL, &delt);
6522 if (result != ISC_R_SUCCESS)
6525 result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
6526 config, ns_g_lctx, actx, mctx, 0,
6528 if (result != ISC_R_SUCCESS) {
6529 ns_listenelt_destroy(delt);
6533 return (ISC_R_SUCCESS);
6537 ns_server_dumpstats(ns_server_t *server) {
6538 isc_result_t result;
6541 CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
6542 "could not open statistics dump file", server->statsfile);
6544 result = ns_stats_dump(server, fp);
6548 (void)isc_stdio_close(fp);
6549 if (result == ISC_R_SUCCESS)
6550 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6551 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6552 "dumpstats complete");
6554 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6555 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6556 "dumpstats failed: %s",
6557 dns_result_totext(result));
6562 add_zone_tolist(dns_zone_t *zone, void *uap) {
6563 struct dumpcontext *dctx = uap;
6564 struct zonelistentry *zle;
6566 zle = isc_mem_get(dctx->mctx, sizeof *zle);
6568 return (ISC_R_NOMEMORY);
6570 dns_zone_attach(zone, &zle->zone);
6571 ISC_LINK_INIT(zle, link);
6572 ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
6573 return (ISC_R_SUCCESS);
6577 add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
6578 struct viewlistentry *vle;
6579 isc_result_t result = ISC_R_SUCCESS;
6582 * Prevent duplicate views.
6584 for (vle = ISC_LIST_HEAD(dctx->viewlist);
6586 vle = ISC_LIST_NEXT(vle, link))
6587 if (vle->view == view)
6588 return (ISC_R_SUCCESS);
6590 vle = isc_mem_get(dctx->mctx, sizeof *vle);
6592 return (ISC_R_NOMEMORY);
6594 dns_view_attach(view, &vle->view);
6595 ISC_LINK_INIT(vle, link);
6596 ISC_LIST_INIT(vle->zonelist);
6597 ISC_LIST_APPEND(dctx->viewlist, vle, link);
6598 if (dctx->dumpzones)
6599 result = dns_zt_apply(view->zonetable, ISC_TRUE,
6600 add_zone_tolist, dctx);
6605 dumpcontext_destroy(struct dumpcontext *dctx) {
6606 struct viewlistentry *vle;
6607 struct zonelistentry *zle;
6609 vle = ISC_LIST_HEAD(dctx->viewlist);
6610 while (vle != NULL) {
6611 ISC_LIST_UNLINK(dctx->viewlist, vle, link);
6612 zle = ISC_LIST_HEAD(vle->zonelist);
6613 while (zle != NULL) {
6614 ISC_LIST_UNLINK(vle->zonelist, zle, link);
6615 dns_zone_detach(&zle->zone);
6616 isc_mem_put(dctx->mctx, zle, sizeof *zle);
6617 zle = ISC_LIST_HEAD(vle->zonelist);
6619 dns_view_detach(&vle->view);
6620 isc_mem_put(dctx->mctx, vle, sizeof *vle);
6621 vle = ISC_LIST_HEAD(dctx->viewlist);
6623 if (dctx->version != NULL)
6624 dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
6625 if (dctx->db != NULL)
6626 dns_db_detach(&dctx->db);
6627 if (dctx->cache != NULL)
6628 dns_db_detach(&dctx->cache);
6629 if (dctx->task != NULL)
6630 isc_task_detach(&dctx->task);
6631 if (dctx->fp != NULL)
6632 (void)isc_stdio_close(dctx->fp);
6633 if (dctx->mdctx != NULL)
6634 dns_dumpctx_detach(&dctx->mdctx);
6635 isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
6639 dumpdone(void *arg, isc_result_t result) {
6640 struct dumpcontext *dctx = arg;
6642 const dns_master_style_t *style;
6644 if (result != ISC_R_SUCCESS)
6646 if (dctx->mdctx != NULL)
6647 dns_dumpctx_detach(&dctx->mdctx);
6648 if (dctx->view == NULL) {
6649 dctx->view = ISC_LIST_HEAD(dctx->viewlist);
6650 if (dctx->view == NULL)
6652 INSIST(dctx->zone == NULL);
6656 fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
6658 if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
6660 ";\n; Cache of view '%s' is shared as '%s'\n",
6661 dctx->view->view->name,
6662 dns_cache_getname(dctx->view->view->cache));
6663 } else if (dctx->zone == NULL && dctx->cache == NULL &&
6666 style = &dns_master_style_cache;
6667 /* start cache dump */
6668 if (dctx->view->view->cachedb != NULL)
6669 dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
6670 if (dctx->cache != NULL) {
6672 ";\n; Cache dump of view '%s' (cache %s)\n;\n",
6673 dctx->view->view->name,
6674 dns_cache_getname(dctx->view->view->cache));
6675 result = dns_master_dumptostreaminc(dctx->mctx,
6681 if (result == DNS_R_CONTINUE)
6683 if (result == ISC_R_NOTIMPLEMENTED)
6684 fprintf(dctx->fp, "; %s\n",
6685 dns_result_totext(result));
6686 else if (result != ISC_R_SUCCESS)
6690 if (dctx->cache != NULL) {
6691 dns_adb_dump(dctx->view->view->adb, dctx->fp);
6692 dns_resolver_printbadcache(dctx->view->view->resolver,
6694 dns_db_detach(&dctx->cache);
6696 if (dctx->dumpzones) {
6697 style = &dns_master_style_full;
6699 if (dctx->version != NULL)
6700 dns_db_closeversion(dctx->db, &dctx->version,
6702 if (dctx->db != NULL)
6703 dns_db_detach(&dctx->db);
6704 if (dctx->zone == NULL)
6705 dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
6707 dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
6708 if (dctx->zone != NULL) {
6709 /* start zone dump */
6710 dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
6711 fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
6712 result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
6713 if (result != ISC_R_SUCCESS) {
6714 fprintf(dctx->fp, "; %s\n",
6715 dns_result_totext(result));
6718 dns_db_currentversion(dctx->db, &dctx->version);
6719 result = dns_master_dumptostreaminc(dctx->mctx,
6726 if (result == DNS_R_CONTINUE)
6728 if (result == ISC_R_NOTIMPLEMENTED) {
6729 fprintf(dctx->fp, "; %s\n",
6730 dns_result_totext(result));
6731 result = ISC_R_SUCCESS;
6735 if (result != ISC_R_SUCCESS)
6739 if (dctx->view != NULL)
6740 dctx->view = ISC_LIST_NEXT(dctx->view, link);
6741 if (dctx->view != NULL)
6744 fprintf(dctx->fp, "; Dump complete\n");
6745 result = isc_stdio_flush(dctx->fp);
6746 if (result == ISC_R_SUCCESS)
6747 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6748 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6751 if (result != ISC_R_SUCCESS)
6752 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6753 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6754 "dumpdb failed: %s", dns_result_totext(result));
6755 dumpcontext_destroy(dctx);
6759 ns_server_dumpdb(ns_server_t *server, char *args) {
6760 struct dumpcontext *dctx = NULL;
6762 isc_result_t result;
6766 /* Skip the command name. */
6767 ptr = next_token(&args, " \t");
6769 return (ISC_R_UNEXPECTEDEND);
6771 dctx = isc_mem_get(server->mctx, sizeof(*dctx));
6773 return (ISC_R_NOMEMORY);
6775 dctx->mctx = server->mctx;
6776 dctx->dumpcache = ISC_TRUE;
6777 dctx->dumpzones = ISC_FALSE;
6779 ISC_LIST_INIT(dctx->viewlist);
6787 dctx->version = NULL;
6788 isc_task_attach(server->task, &dctx->task);
6790 CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
6791 "could not open dump file", server->dumpfile);
6793 sep = (args == NULL) ? "" : ": ";
6794 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6795 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6796 "dumpdb started%s%s", sep, (args != NULL) ? args : "");
6798 ptr = next_token(&args, " \t");
6799 if (ptr != NULL && strcmp(ptr, "-all") == 0) {
6800 dctx->dumpzones = ISC_TRUE;
6801 dctx->dumpcache = ISC_TRUE;
6802 ptr = next_token(&args, " \t");
6803 } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
6804 dctx->dumpzones = ISC_FALSE;
6805 dctx->dumpcache = ISC_TRUE;
6806 ptr = next_token(&args, " \t");
6807 } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
6808 dctx->dumpzones = ISC_TRUE;
6809 dctx->dumpcache = ISC_FALSE;
6810 ptr = next_token(&args, " \t");
6814 for (view = ISC_LIST_HEAD(server->viewlist);
6816 view = ISC_LIST_NEXT(view, link))
6818 if (ptr != NULL && strcmp(view->name, ptr) != 0)
6820 CHECK(add_view_tolist(dctx, view));
6823 ptr = next_token(&args, " \t");
6827 dumpdone(dctx, ISC_R_SUCCESS);
6828 return (ISC_R_SUCCESS);
6832 dumpcontext_destroy(dctx);
6837 ns_server_dumpsecroots(ns_server_t *server, char *args) {
6839 dns_keytable_t *secroots = NULL;
6840 isc_result_t result;
6846 /* Skip the command name. */
6847 ptr = next_token(&args, " \t");
6849 return (ISC_R_UNEXPECTEDEND);
6850 ptr = next_token(&args, " \t");
6852 CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
6853 "could not open secroots dump file", server->secrootsfile);
6855 isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
6856 fprintf(fp, "%s\n", tbuf);
6859 for (view = ISC_LIST_HEAD(server->viewlist);
6861 view = ISC_LIST_NEXT(view, link))
6863 if (ptr != NULL && strcmp(view->name, ptr) != 0)
6865 if (secroots != NULL)
6866 dns_keytable_detach(&secroots);
6867 result = dns_view_getsecroots(view, &secroots);
6868 if (result == ISC_R_NOTFOUND) {
6869 result = ISC_R_SUCCESS;
6872 fprintf(fp, "\n Start view %s\n\n", view->name);
6873 result = dns_keytable_dump(secroots, fp);
6874 if (result != ISC_R_SUCCESS)
6875 fprintf(fp, " dumpsecroots failed: %s\n",
6876 isc_result_totext(result));
6879 ptr = next_token(&args, " \t");
6880 } while (ptr != NULL);
6883 if (secroots != NULL)
6884 dns_keytable_detach(&secroots);
6886 (void)isc_stdio_close(fp);
6887 if (result == ISC_R_SUCCESS)
6888 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6889 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6890 "dumpsecroots complete");
6892 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6893 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6894 "dumpsecroots failed: %s",
6895 dns_result_totext(result));
6900 ns_server_dumprecursing(ns_server_t *server) {
6902 isc_result_t result;
6904 CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
6905 "could not open dump file", server->recfile);
6906 fprintf(fp,";\n; Recursing Queries\n;\n");
6907 ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
6908 fprintf(fp, "; Dump complete\n");
6912 result = isc_stdio_close(fp);
6913 if (result == ISC_R_SUCCESS)
6914 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6915 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6916 "dumprecursing complete");
6918 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6919 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6920 "dumprecursing failed: %s",
6921 dns_result_totext(result));
6926 ns_server_setdebuglevel(ns_server_t *server, char *args) {
6934 /* Skip the command name. */
6935 ptr = next_token(&args, " \t");
6937 return (ISC_R_UNEXPECTEDEND);
6939 /* Look for the new level name. */
6940 levelstr = next_token(&args, " \t");
6941 if (levelstr == NULL) {
6942 if (ns_g_debuglevel < 99)
6945 newlevel = strtol(levelstr, &endp, 10);
6946 if (*endp != '\0' || newlevel < 0 || newlevel > 99)
6947 return (ISC_R_RANGE);
6948 ns_g_debuglevel = (unsigned int)newlevel;
6950 isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
6951 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6952 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6953 "debug level is now %d", ns_g_debuglevel);
6954 return (ISC_R_SUCCESS);
6958 ns_server_validation(ns_server_t *server, char *args) {
6959 char *ptr, *viewname;
6961 isc_boolean_t changed = ISC_FALSE;
6962 isc_result_t result;
6963 isc_boolean_t enable;
6965 /* Skip the command name. */
6966 ptr = next_token(&args, " \t");
6968 return (ISC_R_UNEXPECTEDEND);
6970 /* Find out what we are to do. */
6971 ptr = next_token(&args, " \t");
6973 return (ISC_R_UNEXPECTEDEND);
6975 if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
6976 !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
6978 else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
6979 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
6982 return (DNS_R_SYNTAX);
6984 /* Look for the view name. */
6985 viewname = next_token(&args, " \t");
6987 result = isc_task_beginexclusive(server->task);
6988 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6989 for (view = ISC_LIST_HEAD(server->viewlist);
6991 view = ISC_LIST_NEXT(view, link))
6993 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
6995 result = dns_view_flushcache(view);
6996 if (result != ISC_R_SUCCESS)
6998 view->enablevalidation = enable;
7002 result = ISC_R_SUCCESS;
7004 result = ISC_R_FAILURE;
7006 isc_task_endexclusive(server->task);
7011 ns_server_flushcache(ns_server_t *server, char *args) {
7012 char *ptr, *viewname;
7014 isc_boolean_t flushed;
7015 isc_boolean_t found;
7016 isc_result_t result;
7019 /* Skip the command name. */
7020 ptr = next_token(&args, " \t");
7022 return (ISC_R_UNEXPECTEDEND);
7024 /* Look for the view name. */
7025 viewname = next_token(&args, " \t");
7027 result = isc_task_beginexclusive(server->task);
7028 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7033 * Flushing a cache is tricky when caches are shared by multiple views.
7034 * We first identify which caches should be flushed in the local cache
7035 * list, flush these caches, and then update other views that refer to
7036 * the flushed cache DB.
7038 if (viewname != NULL) {
7040 * Mark caches that need to be flushed. This is an O(#view^2)
7041 * operation in the very worst case, but should be normally
7042 * much more lightweight because only a few (most typically just
7043 * one) views will match.
7045 for (view = ISC_LIST_HEAD(server->viewlist);
7047 view = ISC_LIST_NEXT(view, link))
7049 if (strcasecmp(viewname, view->name) != 0)
7052 for (nsc = ISC_LIST_HEAD(server->cachelist);
7054 nsc = ISC_LIST_NEXT(nsc, link)) {
7055 if (nsc->cache == view->cache)
7058 INSIST(nsc != NULL);
7059 nsc->needflush = ISC_TRUE;
7065 for (nsc = ISC_LIST_HEAD(server->cachelist);
7067 nsc = ISC_LIST_NEXT(nsc, link)) {
7068 if (viewname != NULL && !nsc->needflush)
7070 nsc->needflush = ISC_TRUE;
7071 result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
7072 if (result != ISC_R_SUCCESS) {
7073 flushed = ISC_FALSE;
7074 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7075 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7076 "flushing cache in view '%s' failed: %s",
7077 nsc->primaryview->name,
7078 isc_result_totext(result));
7083 * Fix up views that share a flushed cache: let the views update the
7084 * cache DB they're referring to. This could also be an expensive
7085 * operation, but should typically be marginal: the inner loop is only
7086 * necessary for views that share a cache, and if there are many such
7087 * views the number of shared cache should normally be small.
7088 * A worst case is that we have n views and n/2 caches, each shared by
7089 * two views. Then this will be a O(n^2/4) operation.
7091 for (view = ISC_LIST_HEAD(server->viewlist);
7093 view = ISC_LIST_NEXT(view, link))
7095 if (!dns_view_iscacheshared(view))
7097 for (nsc = ISC_LIST_HEAD(server->cachelist);
7099 nsc = ISC_LIST_NEXT(nsc, link)) {
7100 if (!nsc->needflush || nsc->cache != view->cache)
7102 result = dns_view_flushcache2(view, ISC_TRUE);
7103 if (result != ISC_R_SUCCESS) {
7104 flushed = ISC_FALSE;
7105 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7106 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7107 "fixing cache in view '%s' "
7108 "failed: %s", view->name,
7109 isc_result_totext(result));
7114 /* Cleanup the cache list. */
7115 for (nsc = ISC_LIST_HEAD(server->cachelist);
7117 nsc = ISC_LIST_NEXT(nsc, link)) {
7118 nsc->needflush = ISC_FALSE;
7121 if (flushed && found) {
7122 if (viewname != NULL)
7123 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7124 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7125 "flushing cache in view '%s' succeeded",
7128 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7129 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7130 "flushing caches in all views succeeded");
7131 result = ISC_R_SUCCESS;
7134 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7135 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7136 "flushing cache in view '%s' failed: "
7137 "view not found", viewname);
7138 result = ISC_R_NOTFOUND;
7140 result = ISC_R_FAILURE;
7142 isc_task_endexclusive(server->task);
7147 ns_server_flushname(ns_server_t *server, char *args) {
7148 char *ptr, *target, *viewname;
7150 isc_boolean_t flushed;
7151 isc_boolean_t found;
7152 isc_result_t result;
7154 dns_fixedname_t fixed;
7157 /* Skip the command name. */
7158 ptr = next_token(&args, " \t");
7160 return (ISC_R_UNEXPECTEDEND);
7162 /* Find the domain name to flush. */
7163 target = next_token(&args, " \t");
7165 return (ISC_R_UNEXPECTEDEND);
7167 isc_buffer_constinit(&b, target, strlen(target));
7168 isc_buffer_add(&b, strlen(target));
7169 dns_fixedname_init(&fixed);
7170 name = dns_fixedname_name(&fixed);
7171 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
7172 if (result != ISC_R_SUCCESS)
7175 /* Look for the view name. */
7176 viewname = next_token(&args, " \t");
7178 result = isc_task_beginexclusive(server->task);
7179 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7182 for (view = ISC_LIST_HEAD(server->viewlist);
7184 view = ISC_LIST_NEXT(view, link))
7186 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
7190 * It's a little inefficient to try flushing name for all views
7191 * if some of the views share a single cache. But since the
7192 * operation is lightweight we prefer simplicity here.
7194 result = dns_view_flushname(view, name);
7195 if (result != ISC_R_SUCCESS) {
7196 flushed = ISC_FALSE;
7197 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7198 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7199 "flushing name '%s' in cache view '%s' "
7200 "failed: %s", target, view->name,
7201 isc_result_totext(result));
7204 if (flushed && found) {
7205 if (viewname != NULL)
7206 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7207 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7208 "flushing name '%s' in cache view '%s' "
7209 "succeeded", target, viewname);
7211 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7212 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7213 "flushing name '%s' in all cache views "
7214 "succeeded", target);
7215 result = ISC_R_SUCCESS;
7218 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7219 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
7220 "flushing name '%s' in cache view '%s' "
7221 "failed: view not found", target,
7223 result = ISC_R_FAILURE;
7225 isc_task_endexclusive(server->task);
7230 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
7231 int zonecount, xferrunning, xferdeferred, soaqueries;
7233 const char *ob = "", *cb = "", *alt = "";
7235 if (ns_g_server->version_set) {
7238 if (ns_g_server->version == NULL)
7239 alt = "version.bind/txt/ch disabled";
7241 alt = ns_g_server->version;
7243 zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
7244 xferrunning = dns_zonemgr_getcount(server->zonemgr,
7245 DNS_ZONESTATE_XFERRUNNING);
7246 xferdeferred = dns_zonemgr_getcount(server->zonemgr,
7247 DNS_ZONESTATE_XFERDEFERRED);
7248 soaqueries = dns_zonemgr_getcount(server->zonemgr,
7249 DNS_ZONESTATE_SOAQUERY);
7251 n = snprintf((char *)isc_buffer_used(text),
7252 isc_buffer_availablelength(text),
7253 "version: %s%s%s%s <id:%s>\n"
7254 #ifdef ISC_PLATFORM_USETHREADS
7256 "worker threads: %u\n"
7258 "number of zones: %u\n"
7260 "xfers running: %u\n"
7261 "xfers deferred: %u\n"
7262 "soa queries in progress: %u\n"
7263 "query logging is %s\n"
7264 "recursive clients: %d/%d/%d\n"
7265 "tcp clients: %d/%d\n"
7266 "server is up and running",
7267 ns_g_version, ob, alt, cb, ns_g_srcid,
7268 #ifdef ISC_PLATFORM_USETHREADS
7269 ns_g_cpus_detected, ns_g_cpus,
7271 zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
7272 soaqueries, server->log_queries ? "ON" : "OFF",
7273 server->recursionquota.used, server->recursionquota.soft,
7274 server->recursionquota.max,
7275 server->tcpquota.used, server->tcpquota.max);
7276 if (n >= isc_buffer_availablelength(text))
7277 return (ISC_R_NOSPACE);
7278 isc_buffer_add(text, n);
7279 return (ISC_R_SUCCESS);
7283 delete_keynames(dns_tsig_keyring_t *ring, char *target,
7284 unsigned int *foundkeys)
7286 char namestr[DNS_NAME_FORMATSIZE];
7287 isc_result_t result;
7288 dns_rbtnodechain_t chain;
7289 dns_name_t foundname;
7290 dns_fixedname_t fixedorigin;
7292 dns_rbtnode_t *node;
7293 dns_tsigkey_t *tkey;
7295 dns_name_init(&foundname, NULL);
7296 dns_fixedname_init(&fixedorigin);
7297 origin = dns_fixedname_name(&fixedorigin);
7300 dns_rbtnodechain_init(&chain, ring->mctx);
7301 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7303 if (result == ISC_R_NOTFOUND) {
7304 dns_rbtnodechain_invalidate(&chain);
7305 return (ISC_R_SUCCESS);
7307 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7308 dns_rbtnodechain_invalidate(&chain);
7314 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
7318 if (!tkey->generated)
7321 dns_name_format(&tkey->name, namestr, sizeof(namestr));
7322 if (strcmp(namestr, target) == 0) {
7324 dns_rbtnodechain_invalidate(&chain);
7325 (void)dns_rbt_deletename(ring->keys,
7333 result = dns_rbtnodechain_next(&chain, &foundname, origin);
7334 if (result == ISC_R_NOMORE)
7336 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7337 dns_rbtnodechain_invalidate(&chain);
7342 return (ISC_R_SUCCESS);
7346 ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
7347 isc_result_t result;
7350 unsigned int foundkeys = 0;
7354 (void)next_token(&command, " \t"); /* skip command name */
7355 target = next_token(&command, " \t");
7357 return (ISC_R_UNEXPECTEDEND);
7358 viewname = next_token(&command, " \t");
7360 result = isc_task_beginexclusive(server->task);
7361 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7362 for (view = ISC_LIST_HEAD(server->viewlist);
7364 view = ISC_LIST_NEXT(view, link)) {
7365 if (viewname == NULL || strcmp(view->name, viewname) == 0) {
7366 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
7367 result = delete_keynames(view->dynamickeys, target,
7369 RWUNLOCK(&view->dynamickeys->lock,
7370 isc_rwlocktype_write);
7371 if (result != ISC_R_SUCCESS) {
7372 isc_task_endexclusive(server->task);
7377 isc_task_endexclusive(server->task);
7379 n = snprintf((char *)isc_buffer_used(text),
7380 isc_buffer_availablelength(text),
7381 "%d tsig keys deleted.\n", foundkeys);
7382 if (n >= isc_buffer_availablelength(text))
7383 return (ISC_R_NOSPACE);
7384 isc_buffer_add(text, n);
7386 return (ISC_R_SUCCESS);
7390 list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
7391 unsigned int *foundkeys)
7393 char namestr[DNS_NAME_FORMATSIZE];
7394 char creatorstr[DNS_NAME_FORMATSIZE];
7395 isc_result_t result;
7396 dns_rbtnodechain_t chain;
7397 dns_name_t foundname;
7398 dns_fixedname_t fixedorigin;
7400 dns_rbtnode_t *node;
7401 dns_tsigkey_t *tkey;
7403 const char *viewname;
7406 viewname = view->name;
7408 viewname = "(global)";
7410 dns_name_init(&foundname, NULL);
7411 dns_fixedname_init(&fixedorigin);
7412 origin = dns_fixedname_name(&fixedorigin);
7413 dns_rbtnodechain_init(&chain, ring->mctx);
7414 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
7416 if (result == ISC_R_NOTFOUND) {
7417 dns_rbtnodechain_invalidate(&chain);
7418 return (ISC_R_SUCCESS);
7420 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7421 dns_rbtnodechain_invalidate(&chain);
7427 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
7432 dns_name_format(&tkey->name, namestr, sizeof(namestr));
7433 if (tkey->generated) {
7434 dns_name_format(tkey->creator, creatorstr,
7435 sizeof(creatorstr));
7436 n = snprintf((char *)isc_buffer_used(text),
7437 isc_buffer_availablelength(text),
7438 "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
7439 viewname, namestr, creatorstr);
7441 n = snprintf((char *)isc_buffer_used(text),
7442 isc_buffer_availablelength(text),
7443 "view \"%s\"; type \"static\"; key \"%s\";\n",
7446 if (n >= isc_buffer_availablelength(text)) {
7447 dns_rbtnodechain_invalidate(&chain);
7448 return (ISC_R_NOSPACE);
7450 isc_buffer_add(text, n);
7452 result = dns_rbtnodechain_next(&chain, &foundname, origin);
7453 if (result == ISC_R_NOMORE)
7455 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
7456 dns_rbtnodechain_invalidate(&chain);
7461 return (ISC_R_SUCCESS);
7465 ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
7466 isc_result_t result;
7469 unsigned int foundkeys = 0;
7471 result = isc_task_beginexclusive(server->task);
7472 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7473 for (view = ISC_LIST_HEAD(server->viewlist);
7475 view = ISC_LIST_NEXT(view, link)) {
7476 RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
7477 result = list_keynames(view, view->statickeys, text,
7479 RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
7480 if (result != ISC_R_SUCCESS) {
7481 isc_task_endexclusive(server->task);
7484 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
7485 result = list_keynames(view, view->dynamickeys, text,
7487 RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
7488 if (result != ISC_R_SUCCESS) {
7489 isc_task_endexclusive(server->task);
7493 isc_task_endexclusive(server->task);
7495 if (foundkeys == 0) {
7496 n = snprintf((char *)isc_buffer_used(text),
7497 isc_buffer_availablelength(text),
7498 "no tsig keys found.\n");
7499 if (n >= isc_buffer_availablelength(text))
7500 return (ISC_R_NOSPACE);
7501 isc_buffer_add(text, n);
7504 return (ISC_R_SUCCESS);
7508 * Act on a "sign" or "loadkeys" command from the command channel.
7511 ns_server_rekey(ns_server_t *server, char *args, isc_buffer_t *text) {
7512 isc_result_t result;
7513 dns_zone_t *zone = NULL;
7514 dns_zonetype_t type;
7515 isc_uint16_t keyopts;
7516 isc_boolean_t fullsign = ISC_FALSE;
7518 if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
7519 fullsign = ISC_TRUE;
7521 result = zone_from_args(server, args, &zone, NULL, text);
7522 if (result != ISC_R_SUCCESS)
7525 return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
7527 type = dns_zone_gettype(zone);
7528 if (type != dns_zone_master) {
7529 dns_zone_detach(&zone);
7530 return (DNS_R_NOTMASTER);
7533 keyopts = dns_zone_getkeyopts(zone);
7535 /* "rndc loadkeys" requires "auto-dnssec maintain". */
7536 if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
7537 result = ISC_R_NOPERM;
7538 else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
7539 result = ISC_R_NOPERM;
7541 dns_zone_rekey(zone, fullsign);
7543 dns_zone_detach(&zone);
7548 * Act on a "freeze" or "thaw" command from the command channel.
7551 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
7554 isc_result_t result, tresult;
7555 dns_zone_t *zone = NULL;
7556 dns_zonetype_t type;
7557 char classstr[DNS_RDATACLASS_FORMATSIZE];
7558 char zonename[DNS_NAME_FORMATSIZE];
7561 const char *vname, *sep;
7562 isc_boolean_t frozen;
7563 const char *msg = NULL;
7565 result = zone_from_args(server, args, &zone, NULL, text);
7566 if (result != ISC_R_SUCCESS)
7569 result = isc_task_beginexclusive(server->task);
7570 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7571 tresult = ISC_R_SUCCESS;
7572 for (view = ISC_LIST_HEAD(server->viewlist);
7574 view = ISC_LIST_NEXT(view, link)) {
7575 result = dns_view_freezezones(view, freeze);
7576 if (result != ISC_R_SUCCESS &&
7577 tresult == ISC_R_SUCCESS)
7580 isc_task_endexclusive(server->task);
7581 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7582 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7584 freeze ? "freezing" : "thawing",
7585 isc_result_totext(tresult));
7588 type = dns_zone_gettype(zone);
7589 if (type != dns_zone_master) {
7590 dns_zone_detach(&zone);
7591 return (DNS_R_NOTMASTER);
7594 result = isc_task_beginexclusive(server->task);
7595 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7596 frozen = dns_zone_getupdatedisabled(zone);
7599 msg = "WARNING: The zone was already frozen.\n"
7600 "Someone else may be editing it or "
7601 "it may still be re-loading.";
7602 result = DNS_R_FROZEN;
7604 if (result == ISC_R_SUCCESS) {
7605 result = dns_zone_flush(zone);
7606 if (result != ISC_R_SUCCESS)
7607 msg = "Flushing the zone updates to "
7610 if (result == ISC_R_SUCCESS) {
7611 journal = dns_zone_getjournal(zone);
7612 if (journal != NULL)
7613 (void)isc_file_remove(journal);
7615 if (result == ISC_R_SUCCESS)
7616 dns_zone_setupdatedisabled(zone, freeze);
7619 result = dns_zone_loadandthaw(zone);
7622 case DNS_R_UPTODATE:
7623 msg = "The zone reload and thaw was "
7625 result = ISC_R_SUCCESS;
7627 case DNS_R_CONTINUE:
7628 msg = "A zone reload and thaw was started.\n"
7629 "Check the logs to see the result.";
7630 result = ISC_R_SUCCESS;
7635 isc_task_endexclusive(server->task);
7637 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
7638 isc_buffer_putmem(text, (const unsigned char *)msg,
7641 view = dns_zone_getview(zone);
7642 if (strcmp(view->name, "_default") == 0 ||
7643 strcmp(view->name, "_bind") == 0)
7651 dns_rdataclass_format(dns_zone_getclass(zone), classstr,
7653 dns_name_format(dns_zone_getorigin(zone),
7654 zonename, sizeof(zonename));
7655 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7656 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7657 "%s zone '%s/%s'%s%s: %s",
7658 freeze ? "freezing" : "thawing",
7659 zonename, classstr, sep, vname,
7660 isc_result_totext(result));
7661 dns_zone_detach(&zone);
7667 * This function adds a message for rndc to echo if named
7668 * is managed by smf and is also running chroot.
7671 ns_smf_add_message(isc_buffer_t *text) {
7674 n = snprintf((char *)isc_buffer_used(text),
7675 isc_buffer_availablelength(text),
7676 "use svcadm(1M) to manage named");
7677 if (n >= isc_buffer_availablelength(text))
7678 return (ISC_R_NOSPACE);
7679 isc_buffer_add(text, n);
7680 return (ISC_R_SUCCESS);
7682 #endif /* HAVE_LIBSCF */
7685 * Emit a comment at the top of the nzf file containing the viewname
7686 * Expects the fp to already be open for writing
7688 #define HEADER1 "# New zone file for view: "
7689 #define HEADER2 "\n# This file contains configuration for zones added by\n" \
7690 "# the 'rndc addzone' command. DO NOT EDIT BY HAND.\n"
7692 add_comment(FILE *fp, const char *viewname) {
7693 isc_result_t result;
7694 CHECK(isc_stdio_write(HEADER1, sizeof(HEADER1) - 1, 1, fp, NULL));
7695 CHECK(isc_stdio_write(viewname, strlen(viewname), 1, fp, NULL));
7696 CHECK(isc_stdio_write(HEADER2, sizeof(HEADER2) - 1, 1, fp, NULL));
7702 * Act on an "addzone" command from the command channel.
7705 ns_server_add_zone(ns_server_t *server, char *args) {
7706 isc_result_t result;
7707 isc_buffer_t argbuf;
7709 cfg_parser_t *parser = NULL;
7710 cfg_obj_t *config = NULL;
7711 const cfg_obj_t *vconfig = NULL;
7712 const cfg_obj_t *views = NULL;
7713 const cfg_obj_t *parms = NULL;
7714 const cfg_obj_t *obj = NULL;
7715 const cfg_listelt_t *element;
7716 const char *zonename;
7717 const char *classname = NULL;
7719 const char *viewname = NULL;
7720 dns_rdataclass_t rdclass;
7721 dns_view_t *view = 0;
7723 dns_fixedname_t fname;
7724 dns_name_t *dnsname;
7725 dns_zone_t *zone = NULL;
7727 struct cfg_context *cfg = NULL;
7728 char namebuf[DNS_NAME_FORMATSIZE];
7731 /* Try to parse the argument string */
7732 arglen = strlen(args);
7733 isc_buffer_init(&argbuf, args, (unsigned int)arglen);
7734 isc_buffer_add(&argbuf, strlen(args));
7735 CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
7736 CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
7738 CHECK(cfg_map_get(config, "addzone", &parms));
7740 zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
7741 isc_buffer_constinit(&buf, zonename, strlen(zonename));
7742 isc_buffer_add(&buf, strlen(zonename));
7744 dns_fixedname_init(&fname);
7745 dnsname = dns_fixedname_name(&fname);
7746 CHECK(dns_name_fromtext(dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
7748 /* Make sense of optional class argument */
7749 obj = cfg_tuple_get(parms, "class");
7750 CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
7751 if (rdclass != dns_rdataclass_in && obj)
7752 classname = cfg_obj_asstring(obj);
7754 /* Make sense of optional view argument */
7755 obj = cfg_tuple_get(parms, "view");
7756 if (obj && cfg_obj_isstring(obj))
7757 viewname = cfg_obj_asstring(obj);
7758 if (viewname == NULL || *viewname == '\0')
7759 viewname = "_default";
7760 CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
7762 /* Are we accepting new zones? */
7763 if (view->new_zone_file == NULL) {
7764 result = ISC_R_NOPERM;
7768 cfg = (struct cfg_context *) view->new_zone_config;
7770 result = ISC_R_FAILURE;
7774 /* Zone shouldn't already exist */
7775 result = dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone);
7776 if (result == ISC_R_SUCCESS) {
7777 result = ISC_R_EXISTS;
7779 } else if (result == DNS_R_PARTIALMATCH) {
7780 /* Create our sub-zone anyway */
7781 dns_zone_detach(&zone);
7784 else if (result != ISC_R_NOTFOUND)
7787 /* Find the view statement */
7788 cfg_map_get(cfg->config, "view", &views);
7789 for (element = cfg_list_first(views);
7791 element = cfg_list_next(element))
7794 vconfig = cfg_listelt_value(element);
7795 vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
7796 if (vname && !strcasecmp(vname, viewname))
7801 /* Open save file for write configuration */
7802 CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
7803 CHECK(isc_stdio_tell(fp, &offset));
7805 CHECK(add_comment(fp, view->name));
7807 /* Mark view unfrozen so that zone can be added */
7808 result = isc_task_beginexclusive(server->task);
7809 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7810 dns_view_thaw(view);
7811 result = configure_zone(cfg->config, parms, vconfig,
7812 server->mctx, view, cfg->actx, ISC_FALSE);
7813 dns_view_freeze(view);
7814 isc_task_endexclusive(server->task);
7815 if (result != ISC_R_SUCCESS)
7818 /* Is it there yet? */
7819 CHECK(dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone));
7822 * Load the zone from the master file. If this fails, we'll
7823 * need to undo the configuration we've done already.
7825 result = dns_zone_loadnew(zone);
7826 if (result != ISC_R_SUCCESS) {
7827 dns_db_t *dbp = NULL;
7829 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7830 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7831 "addzone failed; reverting.");
7833 /* If the zone loaded partially, unload it */
7834 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
7835 dns_db_detach(&dbp);
7836 dns_zone_unload(zone);
7839 /* Remove the zone from the zone table */
7840 dns_zt_unmount(view->zonetable, zone);
7844 /* Flag the zone as having been added at runtime */
7845 dns_zone_setadded(zone, ISC_TRUE);
7847 /* Emit the zone name, quoted and escaped */
7848 isc_buffer_init(&buf, namebuf, sizeof(namebuf));
7849 CHECK(dns_name_totext(dnsname, ISC_TRUE, &buf));
7850 isc_buffer_putuint8(&buf, 0);
7851 CHECK(isc_stdio_write("zone \"", 6, 1, fp, NULL));
7852 CHECK(isc_stdio_write(namebuf, strlen(namebuf), 1, fp, NULL));
7853 CHECK(isc_stdio_write("\" ", 2, 1, fp, NULL));
7855 /* Classname, if not default */
7856 if (classname != NULL && *classname != '\0') {
7857 CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
7859 CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
7862 /* Find beginning of option block from args */
7863 for (argp = args; *argp; argp++, arglen--) {
7864 if (*argp == '{') { /* Assume matching '}' */
7865 /* Add that to our file */
7866 CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
7868 /* Make sure we end with a LF */
7869 if (argp[arglen-1] != '\n') {
7870 CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
7876 CHECK(isc_stdio_close(fp));
7878 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7879 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
7880 "zone %s added to view %s via addzone",
7881 zonename, viewname);
7883 result = ISC_R_SUCCESS;
7887 isc_stdio_close(fp);
7888 if (parser != NULL) {
7890 cfg_obj_destroy(parser, &config);
7891 cfg_parser_destroy(&parser);
7894 dns_zone_detach(&zone);
7896 dns_view_detach(&view);
7902 * Act on a "delzone" command from the command channel.
7905 ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) {
7906 isc_result_t result;
7907 dns_zone_t *zone = NULL;
7908 dns_view_t *view = NULL;
7909 dns_db_t *dbp = NULL;
7910 const char *filename = NULL;
7911 char *tmpname = NULL;
7913 const char *zonename = NULL;
7914 size_t znamelen = 0;
7915 FILE *ifp = NULL, *ofp = NULL;
7916 isc_boolean_t inheader = ISC_TRUE;
7918 /* Parse parameters */
7919 CHECK(zone_from_args(server, args, &zone, &zonename, text));
7922 result = ISC_R_UNEXPECTEDEND;
7927 * Was this zone originally added at runtime?
7928 * If not, we can't delete it now.
7930 if (!dns_zone_getadded(zone)) {
7931 result = ISC_R_NOPERM;
7935 INSIST(zonename != NULL);
7936 znamelen = strlen(zonename);
7938 /* Dig out configuration for this zone */
7939 view = dns_zone_getview(zone);
7940 filename = view->new_zone_file;
7941 if (filename == NULL) {
7942 /* No adding zones in this view */
7943 result = ISC_R_FAILURE;
7947 /* Rewrite zone list */
7948 result = isc_stdio_open(filename, "r", &ifp);
7949 if (ifp != NULL && result == ISC_R_SUCCESS) {
7950 char *found = NULL, *p = NULL;
7953 /* Create a temporary file */
7954 CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
7956 if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
7957 result = ISC_R_NOMEMORY;
7960 CHECK(isc_stdio_open(tmpname, "w", &ofp));
7961 CHECK(add_comment(ofp, view->name));
7963 /* Look for the entry for that zone */
7964 while (fgets(buf, 1024, ifp)) {
7965 /* Skip initial comment, if any */
7966 if (inheader && *buf == '#')
7969 inheader = ISC_FALSE;
7972 * Any other lines not starting with zone, copy
7973 * them out and continue.
7975 if (strncasecmp(buf, "zone", 4) != 0) {
7981 /* This is a zone; find its name. */
7983 ((*p == '"') || isspace((unsigned char)*p)))
7987 * If it's not the zone we're looking for, copy
7988 * it out and continue
7990 if (strncasecmp(p, zonename, znamelen) != 0) {
7996 * But if it is the zone we want, skip over it
7997 * so it will be omitted from the new file
8000 if (isspace((unsigned char)*p) ||
8001 *p == '"' || *p == '{') {
8002 /* This must be the entry */
8007 /* Copy the rest of the buffer out and continue */
8011 /* Skip over an option block (matching # of braces) */
8013 int obrace = 0, cbrace = 0;
8016 if (*p == '{') obrace++;
8017 if (*p == '}') cbrace++;
8020 if (obrace && (obrace == cbrace))
8022 if (!fgets(buf, 1024, ifp))
8027 /* Just spool the remainder of the file out */
8028 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
8030 if (result == ISC_R_EOF)
8031 result = ISC_R_SUCCESS;
8033 isc_stdio_write(buf, 1, n, ofp, NULL);
8034 result = isc_stdio_read(buf, 1, 1024, ifp, &n);
8037 /* Move temporary into place */
8038 CHECK(isc_file_rename(tmpname, view->new_zone_file));
8040 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8041 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
8042 "deleted zone %s was missing from "
8043 "new zone file", zonename);
8048 /* Stop answering for this zone */
8049 if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
8050 dns_db_detach(&dbp);
8051 dns_zone_unload(zone);
8054 CHECK(dns_zt_unmount(view->zonetable, zone));
8056 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
8057 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
8058 "zone %s removed via delzone", zonename);
8060 result = ISC_R_SUCCESS;
8064 isc_stdio_close(ifp);
8066 isc_stdio_close(ofp);
8067 isc_file_remove(tmpname);
8069 if (tmpname != NULL)
8070 isc_mem_free(server->mctx, tmpname);
8072 dns_zone_detach(&zone);
8078 newzone_cfgctx_destroy(void **cfgp) {
8079 struct cfg_context *cfg;
8081 REQUIRE(cfgp != NULL && *cfgp != NULL);
8085 if (cfg->actx != NULL)
8086 cfg_aclconfctx_detach(&cfg->actx);
8088 if (cfg->parser != NULL) {
8089 if (cfg->config != NULL)
8090 cfg_obj_destroy(cfg->parser, &cfg->config);
8091 cfg_parser_destroy(&cfg->parser);
8093 if (cfg->nzparser != NULL) {
8094 if (cfg->nzconfig != NULL)
8095 cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
8096 cfg_parser_destroy(&cfg->nzparser);
8099 isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
8104 putstr(isc_buffer_t *b, const char *str) {
8105 size_t l = strlen(str);
8108 * Use >= to leave space for NUL termination.
8110 if (l >= isc_buffer_availablelength(b))
8111 return (ISC_R_NOSPACE);
8113 isc_buffer_putmem(b, (const unsigned char *)str, l);
8114 return (ISC_R_SUCCESS);