2 * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: zoneconf.c,v 1.147.50.2 2009/01/29 23:47:44 tbox Exp $ */
24 #include <isc/buffer.h>
27 #include <isc/print.h>
28 #include <isc/stats.h>
29 #include <isc/string.h> /* Required for HP/UX (and others?) */
33 #include <dns/fixedname.h>
36 #include <dns/rdatatype.h>
38 #include <dns/stats.h>
42 #include <named/client.h>
43 #include <named/config.h>
44 #include <named/globals.h>
45 #include <named/log.h>
46 #include <named/server.h>
47 #include <named/zoneconf.h>
49 /* ACLs associated with zone */
55 allow_update_forwarding
59 * These are BIND9 server defaults, not necessarily identical to the
60 * library defaults defined in zone.c.
62 #define RETERR(x) do { \
63 isc_result_t _r = (x); \
64 if (_r != ISC_R_SUCCESS) \
69 * Convenience function for configuring a single zone ACL.
72 configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
73 const cfg_obj_t *config, acl_type_t acltype,
74 cfg_aclconfctx_t *actx, dns_zone_t *zone,
75 void (*setzacl)(dns_zone_t *, dns_acl_t *),
76 void (*clearzacl)(dns_zone_t *))
79 const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
80 const cfg_obj_t *aclobj = NULL;
82 dns_acl_t **aclp = NULL, *acl = NULL;
86 view = dns_zone_getview(zone);
91 aclp = &view->notifyacl;
92 aclname = "allow-notify";
96 aclp = &view->queryacl;
97 aclname = "allow-query";
101 aclp = &view->transferacl;
102 aclname = "allow-transfer";
106 aclp = &view->updateacl;
107 aclname = "allow-update";
109 case allow_update_forwarding:
111 aclp = &view->upfwdacl;
112 aclname = "allow-update-forwarding";
116 return (ISC_R_FAILURE);
119 /* First check to see if ACL is defined within the zone */
120 if (zconfig != NULL) {
121 maps[0] = cfg_tuple_get(zconfig, "options");
122 ns_config_get(maps, aclname, &aclobj);
123 if (aclobj != NULL) {
129 /* Failing that, see if there's a default ACL already in the view */
130 if (aclp != NULL && *aclp != NULL) {
131 (*setzacl)(zone, *aclp);
132 return (ISC_R_SUCCESS);
135 /* Check for default ACLs that haven't been parsed yet */
137 maps[i++] = cfg_tuple_get(vconfig, "options");
138 if (config != NULL) {
139 const cfg_obj_t *options = NULL;
140 (void)cfg_map_get(config, "options", &options);
144 maps[i++] = ns_g_defaults;
147 result = ns_config_get(maps, aclname, &aclobj);
148 if (aclobj == NULL) {
150 return (ISC_R_SUCCESS);
154 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
155 dns_zone_getmctx(zone), 0, &acl);
156 if (result != ISC_R_SUCCESS)
158 (*setzacl)(zone, acl);
160 /* Set the view default now */
162 dns_acl_attach(acl, aclp);
164 dns_acl_detach(&acl);
165 return (ISC_R_SUCCESS);
169 * Parse the zone update-policy statement.
172 configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
173 const cfg_obj_t *updatepolicy = NULL;
174 const cfg_listelt_t *element, *element2;
175 dns_ssutable_t *table = NULL;
176 isc_mem_t *mctx = dns_zone_getmctx(zone);
179 (void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
180 if (updatepolicy == NULL) {
181 dns_zone_setssutable(zone, NULL);
182 return (ISC_R_SUCCESS);
185 result = dns_ssutable_create(mctx, &table);
186 if (result != ISC_R_SUCCESS)
189 for (element = cfg_list_first(updatepolicy);
191 element = cfg_list_next(element))
193 const cfg_obj_t *stmt = cfg_listelt_value(element);
194 const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
195 const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
196 const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
197 const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
198 const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
200 isc_boolean_t grant = ISC_FALSE;
201 unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
202 dns_fixedname_t fname, fident;
204 dns_rdatatype_t *types;
207 str = cfg_obj_asstring(mode);
208 if (strcasecmp(str, "grant") == 0)
210 else if (strcasecmp(str, "deny") == 0)
215 str = cfg_obj_asstring(matchtype);
216 if (strcasecmp(str, "name") == 0)
217 mtype = DNS_SSUMATCHTYPE_NAME;
218 else if (strcasecmp(str, "subdomain") == 0)
219 mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
220 else if (strcasecmp(str, "wildcard") == 0)
221 mtype = DNS_SSUMATCHTYPE_WILDCARD;
222 else if (strcasecmp(str, "self") == 0)
223 mtype = DNS_SSUMATCHTYPE_SELF;
224 else if (strcasecmp(str, "selfsub") == 0)
225 mtype = DNS_SSUMATCHTYPE_SELFSUB;
226 else if (strcasecmp(str, "selfwild") == 0)
227 mtype = DNS_SSUMATCHTYPE_SELFWILD;
228 else if (strcasecmp(str, "ms-self") == 0)
229 mtype = DNS_SSUMATCHTYPE_SELFMS;
230 else if (strcasecmp(str, "krb5-self") == 0)
231 mtype = DNS_SSUMATCHTYPE_SELFKRB5;
232 else if (strcasecmp(str, "ms-subdomain") == 0)
233 mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
234 else if (strcasecmp(str, "krb5-subdomain") == 0)
235 mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
236 else if (strcasecmp(str, "tcp-self") == 0)
237 mtype = DNS_SSUMATCHTYPE_TCPSELF;
238 else if (strcasecmp(str, "6to4-self") == 0)
239 mtype = DNS_SSUMATCHTYPE_6TO4SELF;
243 dns_fixedname_init(&fident);
244 str = cfg_obj_asstring(identity);
245 isc_buffer_init(&b, str, strlen(str));
246 isc_buffer_add(&b, strlen(str));
247 result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
248 dns_rootname, ISC_FALSE, NULL);
249 if (result != ISC_R_SUCCESS) {
250 cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
251 "'%s' is not a valid name", str);
255 dns_fixedname_init(&fname);
256 str = cfg_obj_asstring(dname);
257 isc_buffer_init(&b, str, strlen(str));
258 isc_buffer_add(&b, strlen(str));
259 result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
260 dns_rootname, ISC_FALSE, NULL);
261 if (result != ISC_R_SUCCESS) {
262 cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
263 "'%s' is not a valid name", str);
267 n = ns_config_listcount(typelist);
271 types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
273 result = ISC_R_NOMEMORY;
279 for (element2 = cfg_list_first(typelist);
281 element2 = cfg_list_next(element2))
283 const cfg_obj_t *typeobj;
288 typeobj = cfg_listelt_value(element2);
289 str = cfg_obj_asstring(typeobj);
290 DE_CONST(str, r.base);
291 r.length = strlen(str);
293 result = dns_rdatatype_fromtext(&types[i++], &r);
294 if (result != ISC_R_SUCCESS) {
295 cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
296 "'%s' is not a valid type", str);
297 isc_mem_put(mctx, types,
298 n * sizeof(dns_rdatatype_t));
304 result = dns_ssutable_addrule(table, grant,
305 dns_fixedname_name(&fident),
307 dns_fixedname_name(&fname),
310 isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
311 if (result != ISC_R_SUCCESS) {
317 result = ISC_R_SUCCESS;
318 dns_zone_setssutable(zone, table);
321 dns_ssutable_detach(&table);
326 * Convert a config file zone type into a server zone type.
328 static inline dns_zonetype_t
329 zonetype_fromconfig(const cfg_obj_t *map) {
330 const cfg_obj_t *obj = NULL;
333 result = cfg_map_get(map, "type", &obj);
334 INSIST(result == ISC_R_SUCCESS);
335 return (ns_config_getzonetype(obj));
339 * Helper function for strtoargv(). Pardon the gratuitous recursion.
342 strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
343 char ***argvp, unsigned int n)
347 /* Discard leading whitespace. */
348 while (*s == ' ' || *s == '\t')
352 /* We have reached the end of the string. */
354 *argvp = isc_mem_get(mctx, n * sizeof(char *));
356 return (ISC_R_NOMEMORY);
359 while (*p != ' ' && *p != '\t' && *p != '\0')
364 result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
365 if (result != ISC_R_SUCCESS)
369 return (ISC_R_SUCCESS);
373 * Tokenize the string "s" into whitespace-separated words,
374 * return the number of words in '*argcp' and an array
375 * of pointers to the words in '*argvp'. The caller
376 * must free the array using isc_mem_put(). The string
377 * is modified in-place.
380 strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
381 return (strtoargvsub(mctx, s, argcp, argvp, 0));
385 checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
386 const cfg_obj_t **objp)
388 const char *zone = NULL;
392 case dns_zone_slave: zone = "slave"; break;
393 case dns_zone_master: zone = "master"; break;
397 result = ns_checknames_get(maps, zone, objp);
398 INSIST(result == ISC_R_SUCCESS);
402 ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
403 const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
408 dns_rdataclass_t zclass;
409 dns_rdataclass_t vclass;
410 const cfg_obj_t *maps[5];
411 const cfg_obj_t *zoptions = NULL;
412 const cfg_obj_t *options = NULL;
413 const cfg_obj_t *obj;
414 const char *filename = NULL;
415 dns_notifytype_t notifytype = dns_notifytype_yes;
416 isc_sockaddr_t *addrs;
417 dns_name_t **keynames;
422 static char default_dbtype[] = "rbt";
423 isc_mem_t *mctx = dns_zone_getmctx(zone);
424 dns_dialuptype_t dialup = dns_dialuptype_no;
425 dns_zonetype_t ztype;
427 isc_int32_t journal_size;
431 isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
432 isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
433 isc_boolean_t ixfrdiff;
434 dns_masterformat_t masterformat;
435 isc_stats_t *zoneqrystats;
436 isc_boolean_t zonestats_on;
440 if (zconfig != NULL) {
441 zoptions = cfg_tuple_get(zconfig, "options");
442 maps[i++] = zoptions;
445 maps[i++] = cfg_tuple_get(vconfig, "options");
446 if (config != NULL) {
447 (void)cfg_map_get(config, "options", &options);
451 maps[i++] = ns_g_defaults;
455 RETERR(ns_config_getclass(cfg_tuple_get(vconfig, "class"),
456 dns_rdataclass_in, &vclass));
458 vclass = dns_rdataclass_in;
461 * Configure values common to all zone types.
464 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
466 RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
468 dns_zone_setclass(zone, zclass);
470 ztype = zonetype_fromconfig(zoptions);
471 dns_zone_settype(zone, ztype);
474 result = cfg_map_get(zoptions, "database", &obj);
475 if (result == ISC_R_SUCCESS)
476 cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
478 cpval = default_dbtype;
481 return(ISC_R_NOMEMORY);
483 result = strtoargv(mctx, cpval, &dbargc, &dbargv);
484 if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
485 isc_mem_free(mctx, cpval);
490 * ANSI C is strange here. There is no logical reason why (char **)
491 * cannot be promoted automatically to (const char * const *) by the
492 * compiler w/o generating a warning.
494 result = dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv);
495 isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
496 if (cpval != default_dbtype)
497 isc_mem_free(mctx, cpval);
498 if (result != ISC_R_SUCCESS)
502 result = cfg_map_get(zoptions, "file", &obj);
503 if (result == ISC_R_SUCCESS)
504 filename = cfg_obj_asstring(obj);
506 masterformat = dns_masterformat_text;
508 result= ns_config_get(maps, "masterfile-format", &obj);
509 if (result == ISC_R_SUCCESS) {
510 const char *masterformatstr = cfg_obj_asstring(obj);
512 if (strcasecmp(masterformatstr, "text") == 0)
513 masterformat = dns_masterformat_text;
514 else if (strcasecmp(masterformatstr, "raw") == 0)
515 masterformat = dns_masterformat_raw;
519 RETERR(dns_zone_setfile2(zone, filename, masterformat));
522 result = cfg_map_get(zoptions, "journal", &obj);
523 if (result == ISC_R_SUCCESS)
524 RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj)));
526 if (ztype == dns_zone_slave)
527 RETERR(configure_zone_acl(zconfig, vconfig, config,
528 allow_notify, ac, zone,
529 dns_zone_setnotifyacl,
530 dns_zone_clearnotifyacl));
532 * XXXAG This probably does not make sense for stubs.
534 RETERR(configure_zone_acl(zconfig, vconfig, config,
535 allow_query, ac, zone,
536 dns_zone_setqueryacl,
537 dns_zone_clearqueryacl));
540 result = ns_config_get(maps, "dialup", &obj);
541 INSIST(result == ISC_R_SUCCESS);
542 if (cfg_obj_isboolean(obj)) {
543 if (cfg_obj_asboolean(obj))
544 dialup = dns_dialuptype_yes;
546 dialup = dns_dialuptype_no;
548 const char *dialupstr = cfg_obj_asstring(obj);
549 if (strcasecmp(dialupstr, "notify") == 0)
550 dialup = dns_dialuptype_notify;
551 else if (strcasecmp(dialupstr, "notify-passive") == 0)
552 dialup = dns_dialuptype_notifypassive;
553 else if (strcasecmp(dialupstr, "refresh") == 0)
554 dialup = dns_dialuptype_refresh;
555 else if (strcasecmp(dialupstr, "passive") == 0)
556 dialup = dns_dialuptype_passive;
560 dns_zone_setdialup(zone, dialup);
563 result = ns_config_get(maps, "zone-statistics", &obj);
564 INSIST(result == ISC_R_SUCCESS);
565 zonestats_on = cfg_obj_asboolean(obj);
568 RETERR(isc_stats_create(mctx, &zoneqrystats,
569 dns_nsstatscounter_max));
571 dns_zone_setrequeststats(zone, zoneqrystats);
572 if (zoneqrystats != NULL)
573 isc_stats_detach(&zoneqrystats);
576 * Configure master functionality. This applies
577 * to primary masters (type "master") and slaves
578 * acting as masters (type "slave"), but not to stubs.
580 if (ztype != dns_zone_stub) {
582 result = ns_config_get(maps, "notify", &obj);
583 INSIST(result == ISC_R_SUCCESS);
584 if (cfg_obj_isboolean(obj)) {
585 if (cfg_obj_asboolean(obj))
586 notifytype = dns_notifytype_yes;
588 notifytype = dns_notifytype_no;
590 const char *notifystr = cfg_obj_asstring(obj);
591 if (strcasecmp(notifystr, "explicit") == 0)
592 notifytype = dns_notifytype_explicit;
593 else if (strcasecmp(notifystr, "master-only") == 0)
594 notifytype = dns_notifytype_masteronly;
598 dns_zone_setnotifytype(zone, notifytype);
601 result = ns_config_get(maps, "also-notify", &obj);
602 if (result == ISC_R_SUCCESS) {
603 isc_sockaddr_t *addrs = NULL;
604 isc_uint32_t addrcount;
605 result = ns_config_getiplist(config, obj, 0, mctx,
607 if (result != ISC_R_SUCCESS)
609 result = dns_zone_setalsonotify(zone, addrs,
611 ns_config_putiplist(mctx, &addrs, addrcount);
612 if (result != ISC_R_SUCCESS)
615 RETERR(dns_zone_setalsonotify(zone, NULL, 0));
618 result = ns_config_get(maps, "notify-source", &obj);
619 INSIST(result == ISC_R_SUCCESS);
620 RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
621 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
624 result = ns_config_get(maps, "notify-source-v6", &obj);
625 INSIST(result == ISC_R_SUCCESS);
626 RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
627 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
630 result = ns_config_get(maps, "notify-to-soa", &obj);
631 INSIST(result == ISC_R_SUCCESS);
632 dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
633 cfg_obj_asboolean(obj));
635 dns_zone_setisself(zone, ns_client_isself, NULL);
637 RETERR(configure_zone_acl(zconfig, vconfig, config,
638 allow_transfer, ac, zone,
640 dns_zone_clearxfracl));
643 result = ns_config_get(maps, "max-transfer-time-out", &obj);
644 INSIST(result == ISC_R_SUCCESS);
645 dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
648 result = ns_config_get(maps, "max-transfer-idle-out", &obj);
649 INSIST(result == ISC_R_SUCCESS);
650 dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
653 result = ns_config_get(maps, "max-journal-size", &obj);
654 INSIST(result == ISC_R_SUCCESS);
655 dns_zone_setjournalsize(zone, -1);
656 if (cfg_obj_isstring(obj)) {
657 const char *str = cfg_obj_asstring(obj);
658 INSIST(strcasecmp(str, "unlimited") == 0);
659 journal_size = ISC_UINT32_MAX / 2;
661 isc_resourcevalue_t value;
662 value = cfg_obj_asuint64(obj);
663 if (value > ISC_UINT32_MAX / 2) {
664 cfg_obj_log(obj, ns_g_lctx,
667 "%" ISC_PRINT_QUADFORMAT "d' "
672 journal_size = (isc_uint32_t)value;
674 dns_zone_setjournalsize(zone, journal_size);
677 result = ns_config_get(maps, "ixfr-from-differences", &obj);
678 INSIST(result == ISC_R_SUCCESS);
679 if (cfg_obj_isboolean(obj))
680 ixfrdiff = cfg_obj_asboolean(obj);
681 else if (strcasecmp(cfg_obj_asstring(obj), "master") &&
682 ztype == dns_zone_master)
684 else if (strcasecmp(cfg_obj_asstring(obj), "slave") &&
685 ztype == dns_zone_slave)
688 ixfrdiff = ISC_FALSE;
689 dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff);
691 checknames(ztype, maps, &obj);
693 if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
696 } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
697 fail = check = ISC_TRUE;
698 } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
699 fail = check = ISC_FALSE;
702 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
703 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
706 result = ns_config_get(maps, "notify-delay", &obj);
707 INSIST(result == ISC_R_SUCCESS);
708 dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
711 result = ns_config_get(maps, "check-sibling", &obj);
712 INSIST(result == ISC_R_SUCCESS);
713 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
714 cfg_obj_asboolean(obj));
717 result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
718 INSIST(result == ISC_R_SUCCESS);
719 dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
722 result = ns_config_get(maps, "nsec3-test-zone", &obj);
723 INSIST(result == ISC_R_SUCCESS);
724 dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
725 cfg_obj_asboolean(obj));
729 * Configure update-related options. These apply to
730 * primary masters only.
732 if (ztype == dns_zone_master) {
733 dns_acl_t *updateacl;
734 RETERR(configure_zone_acl(zconfig, vconfig, config,
735 allow_update, ac, zone,
736 dns_zone_setupdateacl,
737 dns_zone_clearupdateacl));
739 updateacl = dns_zone_getupdateacl(zone);
740 if (updateacl != NULL && dns_acl_isinsecure(updateacl))
741 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
742 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
743 "zone '%s' allows updates by IP "
744 "address, which is insecure",
747 RETERR(configure_zone_ssutable(zoptions, zone));
750 result = ns_config_get(maps, "sig-validity-interval", &obj);
751 INSIST(result == ISC_R_SUCCESS);
753 const cfg_obj_t *validity, *resign;
755 validity = cfg_tuple_get(obj, "validity");
756 seconds = cfg_obj_asuint32(validity) * 86400;
757 dns_zone_setsigvalidityinterval(zone, seconds);
759 resign = cfg_tuple_get(obj, "re-sign");
760 if (cfg_obj_isvoid(resign)) {
763 if (seconds > 7 * 86400)
764 seconds = cfg_obj_asuint32(resign) *
767 seconds = cfg_obj_asuint32(resign) *
770 dns_zone_setsigresigninginterval(zone, seconds);
774 result = ns_config_get(maps, "key-directory", &obj);
775 if (result == ISC_R_SUCCESS) {
776 filename = cfg_obj_asstring(obj);
777 if (!isc_file_isabsolute(filename)) {
778 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
779 "key-directory '%s' "
780 "is not absolute", filename);
781 return (ISC_R_FAILURE);
783 RETERR(dns_zone_setkeydirectory(zone, filename));
787 result = ns_config_get(maps, "sig-signing-signatures", &obj);
788 INSIST(result == ISC_R_SUCCESS);
789 dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
792 result = ns_config_get(maps, "sig-signing-nodes", &obj);
793 INSIST(result == ISC_R_SUCCESS);
794 dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
797 result = ns_config_get(maps, "sig-signing-type", &obj);
798 INSIST(result == ISC_R_SUCCESS);
799 dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
802 result = ns_config_get(maps, "update-check-ksk", &obj);
803 INSIST(result == ISC_R_SUCCESS);
804 dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
805 cfg_obj_asboolean(obj));
807 } else if (ztype == dns_zone_slave) {
808 RETERR(configure_zone_acl(zconfig, vconfig, config,
809 allow_update_forwarding, ac, zone,
810 dns_zone_setforwardacl,
811 dns_zone_clearforwardacl));
816 * Primary master functionality.
818 if (ztype == dns_zone_master) {
820 result = ns_config_get(maps, "check-wildcard", &obj);
821 if (result == ISC_R_SUCCESS)
822 check = cfg_obj_asboolean(obj);
825 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
828 result = ns_config_get(maps, "check-mx", &obj);
830 if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
833 } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
834 fail = check = ISC_TRUE;
835 } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
836 fail = check = ISC_FALSE;
839 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check);
840 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail);
843 result = ns_config_get(maps, "check-integrity", &obj);
845 dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
846 cfg_obj_asboolean(obj));
849 result = ns_config_get(maps, "check-mx-cname", &obj);
851 if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
854 } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
855 warn = ignore = ISC_FALSE;
856 } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
857 warn = ignore = ISC_TRUE;
860 dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn);
861 dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
864 result = ns_config_get(maps, "check-srv-cname", &obj);
866 if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
869 } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
870 warn = ignore = ISC_FALSE;
871 } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
872 warn = ignore = ISC_TRUE;
875 dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
876 dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
880 * Configure slave functionality.
887 result = cfg_map_get(zoptions, "masters", &obj);
891 RETERR(ns_config_getipandkeylist(config, obj, mctx,
894 result = dns_zone_setmasterswithkeys(zone, addrs,
896 ns_config_putipandkeylist(mctx, &addrs, &keynames,
899 result = dns_zone_setmasters(zone, NULL, 0);
905 result = ns_config_get(maps, "multi-master", &obj);
906 INSIST(result == ISC_R_SUCCESS);
907 multi = cfg_obj_asboolean(obj);
909 dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
912 result = ns_config_get(maps, "max-transfer-time-in", &obj);
913 INSIST(result == ISC_R_SUCCESS);
914 dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60);
917 result = ns_config_get(maps, "max-transfer-idle-in", &obj);
918 INSIST(result == ISC_R_SUCCESS);
919 dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60);
922 result = ns_config_get(maps, "max-refresh-time", &obj);
923 INSIST(result == ISC_R_SUCCESS);
924 dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj));
927 result = ns_config_get(maps, "min-refresh-time", &obj);
928 INSIST(result == ISC_R_SUCCESS);
929 dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj));
932 result = ns_config_get(maps, "max-retry-time", &obj);
933 INSIST(result == ISC_R_SUCCESS);
934 dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj));
937 result = ns_config_get(maps, "min-retry-time", &obj);
938 INSIST(result == ISC_R_SUCCESS);
939 dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj));
942 result = ns_config_get(maps, "transfer-source", &obj);
943 INSIST(result == ISC_R_SUCCESS);
944 RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
945 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
948 result = ns_config_get(maps, "transfer-source-v6", &obj);
949 INSIST(result == ISC_R_SUCCESS);
950 RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
951 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
954 result = ns_config_get(maps, "alt-transfer-source", &obj);
955 INSIST(result == ISC_R_SUCCESS);
956 RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
959 result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
960 INSIST(result == ISC_R_SUCCESS);
961 RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
964 (void)ns_config_get(maps, "use-alt-transfer-source", &obj);
967 * Default off when views are in use otherwise
968 * on for BIND 8 compatibility.
970 view = dns_zone_getview(zone);
971 if (view != NULL && strcmp(view->name, "_default") == 0)
976 alt = cfg_obj_asboolean(obj);
977 dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
980 (void)ns_config_get(maps, "try-tcp-refresh", &obj);
981 dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
982 cfg_obj_asboolean(obj));
989 return (ISC_R_SUCCESS);
993 ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
994 const cfg_obj_t *zoptions = NULL;
995 const cfg_obj_t *obj = NULL;
996 const char *cfilename;
997 const char *zfilename;
999 zoptions = cfg_tuple_get(zconfig, "options");
1001 if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
1005 (void)cfg_map_get(zoptions, "file", &obj);
1007 cfilename = cfg_obj_asstring(obj);
1010 zfilename = dns_zone_getfile(zone);
1011 if (!((cfilename == NULL && zfilename == NULL) ||
1012 (cfilename != NULL && zfilename != NULL &&
1013 strcmp(cfilename, zfilename) == 0)))
projects / FreeBSD / releng / 8.1.git / blob