2
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
3
* Copyright (C) 1999-2003 Internet Software Consortium.
5
* Permission to use, copy, modify, and/or distribute this software for any
6
* purpose with or without fee is hereby granted, provided that the above
7
* copyright notice and this permission notice appear in all copies.
9
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
* PERFORMANCE OF THIS SOFTWARE.
18
/* $Id: server.c,v 1.556.8.12 2010/05/18 00:29:31 marka Exp $ */
29
#include <isc/base64.h>
31
#include <isc/entropy.h>
34
#include <isc/httpd.h>
36
#include <isc/parseint.h>
37
#include <isc/portset.h>
38
#include <isc/print.h>
39
#include <isc/resource.h>
41
#include <isc/socket.h>
43
#include <isc/stats.h>
44
#include <isc/stdio.h>
45
#include <isc/string.h>
47
#include <isc/timer.h>
51
#include <isccfg/namedconf.h>
53
#include <bind9/check.h>
55
#include <dns/acache.h>
57
#include <dns/cache.h>
59
#include <dns/dispatch.h>
63
#include <dns/forward.h>
64
#include <dns/journal.h>
65
#include <dns/keytable.h>
66
#include <dns/keyvalues.h>
68
#include <dns/master.h>
69
#include <dns/masterdump.h>
70
#include <dns/order.h>
72
#include <dns/portlist.h>
74
#include <dns/rdataclass.h>
75
#include <dns/rdataset.h>
76
#include <dns/rdatastruct.h>
77
#include <dns/resolver.h>
78
#include <dns/rootns.h>
79
#include <dns/secalg.h>
80
#include <dns/stats.h>
88
#include <dst/result.h>
90
#include <named/client.h>
91
#include <named/config.h>
92
#include <named/control.h>
93
#include <named/interfacemgr.h>
94
#include <named/log.h>
95
#include <named/logconf.h>
96
#include <named/lwresd.h>
97
#include <named/main.h>
99
#include <named/server.h>
100
#include <named/statschannel.h>
101
#include <named/tkeyconf.h>
102
#include <named/tsigconf.h>
103
#include <named/zoneconf.h>
105
#include <named/ns_smf_globals.h>
110
#define PATH_MAX 1024
114
* Check an operation for failure. Assumes that the function
115
* using it has a 'result' variable and a 'cleanup' label.
118
do { result = (op); \
119
if (result != ISC_R_SUCCESS) goto cleanup; \
122
#define CHECKM(op, msg) \
123
do { result = (op); \
124
if (result != ISC_R_SUCCESS) { \
125
isc_log_write(ns_g_lctx, \
126
NS_LOGCATEGORY_GENERAL, \
127
NS_LOGMODULE_SERVER, \
130
isc_result_totext(result)); \
135
#define CHECKMF(op, msg, file) \
136
do { result = (op); \
137
if (result != ISC_R_SUCCESS) { \
138
isc_log_write(ns_g_lctx, \
139
NS_LOGCATEGORY_GENERAL, \
140
NS_LOGMODULE_SERVER, \
142
"%s '%s': %s", msg, file, \
143
isc_result_totext(result)); \
148
#define CHECKFATAL(op, msg) \
149
do { result = (op); \
150
if (result != ISC_R_SUCCESS) \
151
fatal(msg, result); \
155
* Maximum ADB size for views that share a cache. Use this limit to suppress
156
* the total of memory footprint, which should be the main reason for sharing
157
* a cache. Only effective when a finite max-cache-size is specified.
158
* This is currently defined to be 8MB.
160
#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
164
unsigned int dispatchgen;
165
dns_dispatch_t *dispatch;
166
ISC_LINK(struct ns_dispatch) link;
171
dns_view_t *primaryview;
172
isc_boolean_t needflush;
173
isc_boolean_t adbsizeadjusted;
174
ISC_LINK(ns_cache_t) link;
179
isc_boolean_t dumpcache;
180
isc_boolean_t dumpzones;
182
ISC_LIST(struct viewlistentry) viewlist;
183
struct viewlistentry *view;
184
struct zonelistentry *zone;
185
dns_dumpctx_t *mdctx;
189
dns_dbversion_t *version;
192
struct viewlistentry {
194
ISC_LINK(struct viewlistentry) link;
195
ISC_LIST(struct zonelistentry) zonelist;
198
struct zonelistentry {
200
ISC_LINK(struct zonelistentry) link;
204
* These zones should not leak onto the Internet.
206
static const struct {
208
isc_boolean_t rfc1918;
212
{ "10.IN-ADDR.ARPA", ISC_TRUE },
213
{ "16.172.IN-ADDR.ARPA", ISC_TRUE },
214
{ "17.172.IN-ADDR.ARPA", ISC_TRUE },
215
{ "18.172.IN-ADDR.ARPA", ISC_TRUE },
216
{ "19.172.IN-ADDR.ARPA", ISC_TRUE },
217
{ "20.172.IN-ADDR.ARPA", ISC_TRUE },
218
{ "21.172.IN-ADDR.ARPA", ISC_TRUE },
219
{ "22.172.IN-ADDR.ARPA", ISC_TRUE },
220
{ "23.172.IN-ADDR.ARPA", ISC_TRUE },
221
{ "24.172.IN-ADDR.ARPA", ISC_TRUE },
222
{ "25.172.IN-ADDR.ARPA", ISC_TRUE },
223
{ "26.172.IN-ADDR.ARPA", ISC_TRUE },
224
{ "27.172.IN-ADDR.ARPA", ISC_TRUE },
225
{ "28.172.IN-ADDR.ARPA", ISC_TRUE },
226
{ "29.172.IN-ADDR.ARPA", ISC_TRUE },
227
{ "30.172.IN-ADDR.ARPA", ISC_TRUE },
228
{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
229
{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
232
/* RFC 5735 and RFC 5737 */
233
{ "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
234
{ "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
235
{ "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */
236
{ "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */
237
{ "100.51.198.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 2 */
238
{ "113.0.203.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 3 */
239
{ "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */
241
/* Local IPv6 Unicast Addresses */
242
{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
243
{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
244
/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
245
{ "D.F.IP6.ARPA", ISC_FALSE },
246
{ "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
247
{ "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
248
{ "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
249
{ "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
251
/* Example Prefix, RFC 3849. */
252
{ "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
254
/* ORCHID Prefix, RFC 4843. */
255
{ "0.1.1.0.0.2.IP6.ARPA", ISC_FALSE },
260
ISC_PLATFORM_NORETURN_PRE static void
261
fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
264
ns_server_reload(isc_task_t *task, isc_event_t *event);
267
ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
268
cfg_aclconfctx_t *actx,
269
isc_mem_t *mctx, ns_listenelt_t **target);
271
ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
272
cfg_aclconfctx_t *actx,
273
isc_mem_t *mctx, ns_listenlist_t **target);
276
configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
277
const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
280
configure_alternates(const cfg_obj_t *config, dns_view_t *view,
281
const cfg_obj_t *alternates);
284
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
285
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
286
cfg_aclconfctx_t *aclconf);
289
add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
292
end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
295
* Configure a single view ACL at '*aclp'. Get its configuration from
296
* 'vconfig' (for per-view configuration) and maybe from 'config'
299
configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
300
const char *aclname, const char *acltuplename,
301
cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
304
const cfg_obj_t *maps[3];
305
const cfg_obj_t *aclobj = NULL;
309
dns_acl_detach(aclp);
311
maps[i++] = cfg_tuple_get(vconfig, "options");
312
if (config != NULL) {
313
const cfg_obj_t *options = NULL;
314
(void)cfg_map_get(config, "options", &options);
320
(void)ns_config_get(maps, aclname, &aclobj);
323
* No value available. *aclp == NULL.
325
return (ISC_R_SUCCESS);
327
if (acltuplename != NULL) {
329
* If the ACL is given in an optional tuple, retrieve it.
330
* The parser should have ensured that a valid object be
333
aclobj = cfg_tuple_get(aclobj, acltuplename);
336
result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
337
actx, mctx, 0, aclp);
343
* Configure a sortlist at '*aclp'. Essentially the same as
344
* configure_view_acl() except it calls cfg_acl_fromconfig with a
345
* nest_level value of 2.
348
configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
349
cfg_aclconfctx_t *actx, isc_mem_t *mctx,
353
const cfg_obj_t *maps[3];
354
const cfg_obj_t *aclobj = NULL;
358
dns_acl_detach(aclp);
360
maps[i++] = cfg_tuple_get(vconfig, "options");
361
if (config != NULL) {
362
const cfg_obj_t *options = NULL;
363
(void)cfg_map_get(config, "options", &options);
369
(void)ns_config_get(maps, "sortlist", &aclobj);
371
return (ISC_R_SUCCESS);
374
* Use a nest level of 3 for the "top level" of the sortlist;
375
* this means each entry in the top three levels will be stored
376
* as lists of separate, nested ACLs, rather than merged together
377
* into IP tables as is usually done with ACLs.
379
result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
380
actx, mctx, 3, aclp);
386
configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
387
const char *confname, const char *conftuplename,
388
isc_mem_t *mctx, dns_rbt_t **rbtp)
391
const cfg_obj_t *maps[3];
392
const cfg_obj_t *obj = NULL;
393
const cfg_listelt_t *element;
395
dns_fixedname_t fixed;
399
const cfg_obj_t *nameobj;
402
dns_rbt_destroy(rbtp);
404
maps[i++] = cfg_tuple_get(vconfig, "options");
405
if (config != NULL) {
406
const cfg_obj_t *options = NULL;
407
(void)cfg_map_get(config, "options", &options);
413
(void)ns_config_get(maps, confname, &obj);
416
* No value available. *rbtp == NULL.
418
return (ISC_R_SUCCESS);
420
if (conftuplename != NULL) {
421
obj = cfg_tuple_get(obj, conftuplename);
422
if (cfg_obj_isvoid(obj))
423
return (ISC_R_SUCCESS);
426
result = dns_rbt_create(mctx, NULL, NULL, rbtp);
427
if (result != ISC_R_SUCCESS)
430
dns_fixedname_init(&fixed);
431
name = dns_fixedname_name(&fixed);
432
for (element = cfg_list_first(obj);
434
element = cfg_list_next(element)) {
435
nameobj = cfg_listelt_value(element);
436
str = cfg_obj_asstring(nameobj);
437
isc_buffer_init(&b, str, strlen(str));
438
isc_buffer_add(&b, strlen(str));
439
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
441
* We don't need the node data, but need to set dummy data to
442
* avoid a partial match with an empty node. For example, if
443
* we have foo.example.com and bar.example.com, we'd get a match
444
* for baz.example.com, which is not the expected result.
445
* We simply use (void *)1 as the dummy data.
447
result = dns_rbt_addname(*rbtp, name, (void *)1);
448
if (result != ISC_R_SUCCESS) {
449
cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
450
"failed to add %s for %s: %s",
451
str, confname, isc_result_totext(result));
460
dns_rbt_destroy(rbtp);
466
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
467
isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
469
dns_rdataclass_t viewclass;
470
dns_rdata_dnskey_t keystruct;
471
isc_uint32_t flags, proto, alg;
472
const char *keystr, *keynamestr;
473
unsigned char keydata[4096];
474
isc_buffer_t keydatabuf;
475
unsigned char rrdata[4096];
476
isc_buffer_t rrdatabuf;
478
dns_fixedname_t fkeyname;
480
isc_buffer_t namebuf;
482
dst_key_t *dstkey = NULL;
484
INSIST(target != NULL && *target == NULL);
486
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
487
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
488
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
489
keyname = dns_fixedname_name(&fkeyname);
490
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
493
const char *initmethod;
494
initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
496
if (strcasecmp(initmethod, "initial-key") != 0) {
497
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
499
"invalid initialization method '%s'",
500
keynamestr, initmethod);
501
result = ISC_R_FAILURE;
507
viewclass = dns_rdataclass_in;
509
const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
510
CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
513
keystruct.common.rdclass = viewclass;
514
keystruct.common.rdtype = dns_rdatatype_dnskey;
516
* The key data in keystruct is not dynamically allocated.
518
keystruct.mctx = NULL;
520
ISC_LINK_INIT(&keystruct.common, link);
523
CHECKM(ISC_R_RANGE, "key flags");
525
CHECKM(ISC_R_RANGE, "key protocol");
527
CHECKM(ISC_R_RANGE, "key algorithm");
528
keystruct.flags = (isc_uint16_t)flags;
529
keystruct.protocol = (isc_uint8_t)proto;
530
keystruct.algorithm = (isc_uint8_t)alg;
532
isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
533
isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
535
keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
536
CHECK(isc_base64_decodestring(keystr, &keydatabuf));
537
isc_buffer_usedregion(&keydatabuf, &r);
538
keystruct.datalen = r.length;
539
keystruct.data = r.base;
541
if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
542
keystruct.algorithm == DST_ALG_RSAMD5) &&
543
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
544
cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
545
"%s key '%s' has a weak exponent",
546
managed ? "managed" : "trusted",
549
CHECK(dns_rdata_fromstruct(NULL,
550
keystruct.common.rdclass,
551
keystruct.common.rdtype,
552
&keystruct, &rrdatabuf));
553
dns_fixedname_init(&fkeyname);
554
isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
555
isc_buffer_add(&namebuf, strlen(keynamestr));
556
CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
557
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
561
return (ISC_R_SUCCESS);
564
if (result == DST_R_NOCRYPTO) {
565
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
566
"ignoring %s key for '%s': no crypto support",
567
managed ? "managed" : "trusted",
569
} else if (result == DST_R_UNSUPPORTEDALG) {
570
cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
571
"skipping %s key for '%s': %s",
572
managed ? "managed" : "trusted",
573
keynamestr, isc_result_totext(result));
575
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
576
"configuring %s key for '%s': %s",
577
managed ? "managed" : "trusted",
578
keynamestr, isc_result_totext(result));
579
result = ISC_R_FAILURE;
583
dst_key_free(&dstkey);
589
load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
590
dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx)
592
const cfg_listelt_t *elt, *elt2;
593
const cfg_obj_t *key, *keylist;
594
dst_key_t *dstkey = NULL;
596
dns_keytable_t *secroots = NULL;
598
CHECK(dns_view_getsecroots(view, &secroots));
600
for (elt = cfg_list_first(keys);
602
elt = cfg_list_next(elt)) {
603
keylist = cfg_listelt_value(elt);
605
for (elt2 = cfg_list_first(keylist);
607
elt2 = cfg_list_next(elt2)) {
608
key = cfg_listelt_value(elt2);
609
result = dstkey_fromconfig(vconfig, key, managed,
611
if (result == DST_R_UNSUPPORTEDALG) {
612
result = ISC_R_SUCCESS;
615
if (result != ISC_R_SUCCESS)
618
CHECK(dns_keytable_add(secroots, managed, &dstkey));
623
if (secroots != NULL)
624
dns_keytable_detach(&secroots);
625
if (result == DST_R_NOCRYPTO)
626
result = ISC_R_SUCCESS;
631
* Configure DNSSEC keys for a view.
633
* The per-view configuration values and the server-global defaults are read
634
* from 'vconfig' and 'config'.
637
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
638
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
639
isc_boolean_t auto_dlv, isc_mem_t *mctx)
641
isc_result_t result = ISC_R_SUCCESS;
642
const cfg_obj_t *view_keys = NULL;
643
const cfg_obj_t *global_keys = NULL;
644
const cfg_obj_t *view_managed_keys = NULL;
645
const cfg_obj_t *global_managed_keys = NULL;
646
const cfg_obj_t *builtin_keys = NULL;
647
const cfg_obj_t *builtin_managed_keys = NULL;
648
const cfg_obj_t *maps[4];
649
const cfg_obj_t *voptions = NULL;
650
const cfg_obj_t *options = NULL;
651
const cfg_obj_t *obj = NULL;
652
const char *directory;
655
/* We don't need trust anchors for the _bind view */
656
if (strcmp(view->name, "_bind") == 0 &&
657
view->rdclass == dns_rdataclass_chaos) {
658
return (ISC_R_SUCCESS);
661
if (vconfig != NULL) {
662
voptions = cfg_tuple_get(vconfig, "options");
663
if (voptions != NULL) {
664
(void) cfg_map_get(voptions, "trusted-keys",
666
(void) cfg_map_get(voptions, "managed-keys",
668
maps[i++] = voptions;
672
if (config != NULL) {
673
(void)cfg_map_get(config, "trusted-keys", &global_keys);
674
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
675
(void)cfg_map_get(config, "options", &options);
676
if (options != NULL) {
681
maps[i++] = ns_g_defaults;
684
result = dns_view_initsecroots(view, mctx);
685
if (result != ISC_R_SUCCESS) {
686
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
687
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
688
"couldn't create keytable");
689
return (ISC_R_UNEXPECTED);
692
if (auto_dlv && view->rdclass == dns_rdataclass_in) {
693
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
694
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
695
"using built-in trusted-keys for view %s",
699
* If bind.keys exists, it overrides the managed-keys
700
* clause hard-coded in ns_g_config.
702
if (bindkeys != NULL) {
703
(void)cfg_map_get(bindkeys, "trusted-keys",
705
(void)cfg_map_get(bindkeys, "managed-keys",
706
&builtin_managed_keys);
708
(void)cfg_map_get(ns_g_config, "trusted-keys",
710
(void)cfg_map_get(ns_g_config, "managed-keys",
711
&builtin_managed_keys);
714
if (builtin_keys != NULL)
715
CHECK(load_view_keys(builtin_keys, vconfig, view,
717
if (builtin_managed_keys != NULL)
718
CHECK(load_view_keys(builtin_managed_keys, vconfig,
719
view, ISC_TRUE, mctx));
722
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
723
CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
724
if (view->rdclass == dns_rdataclass_in) {
725
CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
727
CHECK(load_view_keys(global_managed_keys, vconfig, view,
732
* Add key zone for managed-keys.
735
(void)ns_config_get(maps, "managed-keys-directory", &obj);
736
directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
737
CHECK(add_keydata_zone(view, directory, ns_g_mctx));
744
mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
745
const cfg_listelt_t *element;
746
const cfg_obj_t *obj;
748
dns_fixedname_t fixed;
754
dns_fixedname_init(&fixed);
755
name = dns_fixedname_name(&fixed);
756
for (element = cfg_list_first(mbs);
758
element = cfg_list_next(element))
760
obj = cfg_listelt_value(element);
761
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
762
isc_buffer_init(&b, str, strlen(str));
763
isc_buffer_add(&b, strlen(str));
764
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
765
value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
766
CHECK(dns_resolver_setmustbesecure(resolver, name, value));
769
result = ISC_R_SUCCESS;
776
* Get a dispatch appropriate for the resolver of a given view.
779
get_view_querysource_dispatch(const cfg_obj_t **maps,
780
int af, dns_dispatch_t **dispatchp,
781
isc_boolean_t is_firstview)
784
dns_dispatch_t *disp;
786
unsigned int attrs, attrmask;
787
const cfg_obj_t *obj = NULL;
788
unsigned int maxdispatchbuffers;
791
* Make compiler happy.
793
result = ISC_R_FAILURE;
797
result = ns_config_get(maps, "query-source", &obj);
798
INSIST(result == ISC_R_SUCCESS);
801
result = ns_config_get(maps, "query-source-v6", &obj);
802
INSIST(result == ISC_R_SUCCESS);
808
sa = *(cfg_obj_assockaddr(obj));
809
INSIST(isc_sockaddr_pf(&sa) == af);
812
* If we don't support this address family, we're done!
816
result = isc_net_probeipv4();
819
result = isc_net_probeipv6();
824
if (result != ISC_R_SUCCESS)
825
return (ISC_R_SUCCESS);
828
* Try to find a dispatcher that we can share.
831
attrs |= DNS_DISPATCHATTR_UDP;
834
attrs |= DNS_DISPATCHATTR_IPV4;
837
attrs |= DNS_DISPATCHATTR_IPV6;
840
if (isc_sockaddr_getport(&sa) == 0) {
841
attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
842
maxdispatchbuffers = 4096;
846
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
847
"using specific query-source port "
848
"suppresses port randomization and can be "
851
maxdispatchbuffers = 1000;
855
attrmask |= DNS_DISPATCHATTR_UDP;
856
attrmask |= DNS_DISPATCHATTR_TCP;
857
attrmask |= DNS_DISPATCHATTR_IPV4;
858
attrmask |= DNS_DISPATCHATTR_IPV6;
861
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
862
ns_g_taskmgr, &sa, 4096,
863
maxdispatchbuffers, 32768, 16411, 16433,
864
attrs, attrmask, &disp);
865
if (result != ISC_R_SUCCESS) {
867
char buf[ISC_SOCKADDR_FORMATSIZE];
871
isc_sockaddr_any(&any);
874
isc_sockaddr_any6(&any);
877
if (isc_sockaddr_equal(&sa, &any))
878
return (ISC_R_SUCCESS);
879
isc_sockaddr_format(&sa, buf, sizeof(buf));
880
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
881
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
882
"could not get query source dispatcher (%s)",
889
return (ISC_R_SUCCESS);
893
configure_order(dns_order_t *order, const cfg_obj_t *ent) {
894
dns_rdataclass_t rdclass;
895
dns_rdatatype_t rdtype;
896
const cfg_obj_t *obj;
897
dns_fixedname_t fixed;
898
unsigned int mode = 0;
902
isc_boolean_t addroot;
904
result = ns_config_getclass(cfg_tuple_get(ent, "class"),
905
dns_rdataclass_any, &rdclass);
906
if (result != ISC_R_SUCCESS)
909
result = ns_config_gettype(cfg_tuple_get(ent, "type"),
910
dns_rdatatype_any, &rdtype);
911
if (result != ISC_R_SUCCESS)
914
obj = cfg_tuple_get(ent, "name");
915
if (cfg_obj_isstring(obj))
916
str = cfg_obj_asstring(obj);
919
addroot = ISC_TF(strcmp(str, "*") == 0);
920
isc_buffer_init(&b, str, strlen(str));
921
isc_buffer_add(&b, strlen(str));
922
dns_fixedname_init(&fixed);
923
result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
924
dns_rootname, 0, NULL);
925
if (result != ISC_R_SUCCESS)
928
obj = cfg_tuple_get(ent, "ordering");
929
INSIST(cfg_obj_isstring(obj));
930
str = cfg_obj_asstring(obj);
931
if (!strcasecmp(str, "fixed"))
932
mode = DNS_RDATASETATTR_FIXEDORDER;
933
else if (!strcasecmp(str, "random"))
934
mode = DNS_RDATASETATTR_RANDOMIZE;
935
else if (!strcasecmp(str, "cyclic"))
941
* "*" should match everything including the root (BIND 8 compat).
942
* As dns_name_matcheswildcard(".", "*.") returns FALSE add a
943
* explicit entry for "." when the name is "*".
946
result = dns_order_add(order, dns_rootname,
947
rdtype, rdclass, mode);
948
if (result != ISC_R_SUCCESS)
952
return (dns_order_add(order, dns_fixedname_name(&fixed),
953
rdtype, rdclass, mode));
957
configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
960
const cfg_obj_t *obj;
963
unsigned int prefixlen;
965
cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
968
result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
969
if (result != ISC_R_SUCCESS)
973
(void)cfg_map_get(cpeer, "bogus", &obj);
975
CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
978
(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
980
CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
983
(void)cfg_map_get(cpeer, "request-ixfr", &obj);
985
CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
988
(void)cfg_map_get(cpeer, "request-nsid", &obj);
990
CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
993
(void)cfg_map_get(cpeer, "edns", &obj);
995
CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
998
(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
1000
isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1005
CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
1009
(void)cfg_map_get(cpeer, "max-udp-size", &obj);
1011
isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1016
CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
1020
(void)cfg_map_get(cpeer, "transfers", &obj);
1022
CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
1025
(void)cfg_map_get(cpeer, "transfer-format", &obj);
1027
str = cfg_obj_asstring(obj);
1028
if (strcasecmp(str, "many-answers") == 0)
1029
CHECK(dns_peer_settransferformat(peer,
1031
else if (strcasecmp(str, "one-answer") == 0)
1032
CHECK(dns_peer_settransferformat(peer,
1039
(void)cfg_map_get(cpeer, "keys", &obj);
1041
result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
1042
if (result != ISC_R_SUCCESS)
1047
if (na.family == AF_INET)
1048
(void)cfg_map_get(cpeer, "transfer-source", &obj);
1050
(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
1052
result = dns_peer_settransfersource(peer,
1053
cfg_obj_assockaddr(obj));
1054
if (result != ISC_R_SUCCESS)
1056
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1060
if (na.family == AF_INET)
1061
(void)cfg_map_get(cpeer, "notify-source", &obj);
1063
(void)cfg_map_get(cpeer, "notify-source-v6", &obj);
1065
result = dns_peer_setnotifysource(peer,
1066
cfg_obj_assockaddr(obj));
1067
if (result != ISC_R_SUCCESS)
1069
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1073
if (na.family == AF_INET)
1074
(void)cfg_map_get(cpeer, "query-source", &obj);
1076
(void)cfg_map_get(cpeer, "query-source-v6", &obj);
1078
result = dns_peer_setquerysource(peer,
1079
cfg_obj_assockaddr(obj));
1080
if (result != ISC_R_SUCCESS)
1082
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1086
return (ISC_R_SUCCESS);
1089
dns_peer_detach(&peer);
1094
disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
1095
isc_result_t result;
1096
const cfg_obj_t *algorithms;
1097
const cfg_listelt_t *element;
1099
dns_fixedname_t fixed;
1103
dns_fixedname_init(&fixed);
1104
name = dns_fixedname_name(&fixed);
1105
str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
1106
isc_buffer_init(&b, str, strlen(str));
1107
isc_buffer_add(&b, strlen(str));
1108
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1110
algorithms = cfg_tuple_get(disabled, "algorithms");
1111
for (element = cfg_list_first(algorithms);
1113
element = cfg_list_next(element))
1118
DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
1119
r.length = strlen(r.base);
1121
result = dns_secalg_fromtext(&alg, &r);
1122
if (result != ISC_R_SUCCESS) {
1124
result = isc_parse_uint8(&ui, r.base, 10);
1127
if (result != ISC_R_SUCCESS) {
1128
cfg_obj_log(cfg_listelt_value(element),
1129
ns_g_lctx, ISC_LOG_ERROR,
1130
"invalid algorithm");
1133
CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
1139
static isc_boolean_t
1140
on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
1141
const cfg_listelt_t *element;
1142
dns_fixedname_t fixed;
1144
isc_result_t result;
1145
const cfg_obj_t *value;
1149
dns_fixedname_init(&fixed);
1150
name = dns_fixedname_name(&fixed);
1152
for (element = cfg_list_first(disablelist);
1154
element = cfg_list_next(element))
1156
value = cfg_listelt_value(element);
1157
str = cfg_obj_asstring(value);
1158
isc_buffer_init(&b, str, strlen(str));
1159
isc_buffer_add(&b, strlen(str));
1160
result = dns_name_fromtext(name, &b, dns_rootname,
1162
RUNTIME_CHECK(result == ISC_R_SUCCESS);
1163
if (dns_name_equal(name, zonename))
1170
check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
1175
isc_result_t result;
1177
result = dns_zone_getdbtype(*zonep, &argv, mctx);
1178
if (result != ISC_R_SUCCESS) {
1179
dns_zone_detach(zonep);
1184
* Check that all the arguments match.
1186
for (i = 0; i < dbtypec; i++)
1187
if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
1188
dns_zone_detach(zonep);
1193
* Check that there are not extra arguments.
1195
if (i == dbtypec && argv[i] != NULL)
1196
dns_zone_detach(zonep);
1197
isc_mem_free(mctx, argv);
1201
setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
1202
isc_result_t result;
1203
isc_stats_t *zoneqrystats;
1205
zoneqrystats = NULL;
1207
result = isc_stats_create(mctx, &zoneqrystats,
1208
dns_nsstatscounter_max);
1209
if (result != ISC_R_SUCCESS)
1212
dns_zone_setrequeststats(zone, zoneqrystats);
1213
if (zoneqrystats != NULL)
1214
isc_stats_detach(&zoneqrystats);
1216
return (ISC_R_SUCCESS);
1220
cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
1223
for (nsc = ISC_LIST_HEAD(*cachelist);
1225
nsc = ISC_LIST_NEXT(nsc, link)) {
1226
if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
1233
static isc_boolean_t
1234
cache_reusable(dns_view_t *originview, dns_view_t *view,
1235
isc_boolean_t new_zero_no_soattl)
1237
if (originview->checknames != view->checknames ||
1238
dns_resolver_getzeronosoattl(originview->resolver) !=
1239
new_zero_no_soattl ||
1240
originview->acceptexpired != view->acceptexpired ||
1241
originview->enablevalidation != view->enablevalidation ||
1242
originview->maxcachettl != view->maxcachettl ||
1243
originview->maxncachettl != view->maxncachettl) {
1250
static isc_boolean_t
1251
cache_sharable(dns_view_t *originview, dns_view_t *view,
1252
isc_boolean_t new_zero_no_soattl,
1253
unsigned int new_cleaning_interval,
1254
isc_uint32_t new_max_cache_size)
1257
* If the cache cannot even reused for the same view, it cannot be
1258
* shared with other views.
1260
if (!cache_reusable(originview, view, new_zero_no_soattl))
1264
* Check other cache related parameters that must be consistent among
1265
* the sharing views.
1267
if (dns_cache_getcleaninginterval(originview->cache) !=
1268
new_cleaning_interval ||
1269
dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
1277
* Configure 'view' according to 'vconfig', taking defaults from 'config'
1278
* where values are missing in 'vconfig'.
1280
* When configuring the default view, 'vconfig' will be NULL and the
1281
* global defaults in 'config' used exclusively.
1284
configure_view(dns_view_t *view, const cfg_obj_t *config,
1285
const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
1286
const cfg_obj_t *bindkeys, isc_mem_t *mctx,
1287
cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
1289
const cfg_obj_t *maps[4];
1290
const cfg_obj_t *cfgmaps[3];
1291
const cfg_obj_t *optionmaps[3];
1292
const cfg_obj_t *options = NULL;
1293
const cfg_obj_t *voptions = NULL;
1294
const cfg_obj_t *forwardtype;
1295
const cfg_obj_t *forwarders;
1296
const cfg_obj_t *alternates;
1297
const cfg_obj_t *zonelist;
1299
const cfg_obj_t *dlz;
1300
unsigned int dlzargc;
1303
const cfg_obj_t *disabled;
1304
const cfg_obj_t *obj;
1305
const cfg_listelt_t *element;
1307
dns_cache_t *cache = NULL;
1308
isc_result_t result;
1309
isc_uint32_t max_adb_size;
1310
unsigned int cleaning_interval;
1311
isc_uint32_t max_cache_size;
1312
isc_uint32_t max_acache_size;
1313
isc_uint32_t lame_ttl;
1314
dns_tsig_keyring_t *ring = NULL;
1315
dns_view_t *pview = NULL; /* Production view */
1317
dns_dispatch_t *dispatch4 = NULL;
1318
dns_dispatch_t *dispatch6 = NULL;
1319
isc_boolean_t reused_cache = ISC_FALSE;
1320
isc_boolean_t shared_cache = ISC_FALSE;
1321
int i = 0, j = 0, k = 0;
1323
const char *cachename = NULL;
1324
dns_order_t *order = NULL;
1325
isc_uint32_t udpsize;
1326
unsigned int resopts = 0;
1327
dns_zone_t *zone = NULL;
1328
isc_uint32_t max_clients_per_query;
1329
const char *sep = ": view ";
1330
const char *viewname = view->name;
1331
const char *forview = " for view ";
1332
isc_boolean_t rfc1918;
1333
isc_boolean_t empty_zones_enable;
1334
const cfg_obj_t *disablelist = NULL;
1335
isc_stats_t *resstats = NULL;
1336
dns_stats_t *resquerystats = NULL;
1337
isc_boolean_t auto_dlv = ISC_FALSE;
1339
isc_boolean_t zero_no_soattl;
1341
REQUIRE(DNS_VIEW_VALID(view));
1346
(void)cfg_map_get(config, "options", &options);
1349
* maps: view options, options, defaults
1350
* cfgmaps: view options, config
1351
* optionmaps: view options, options
1353
if (vconfig != NULL) {
1354
voptions = cfg_tuple_get(vconfig, "options");
1355
maps[i++] = voptions;
1356
optionmaps[j++] = voptions;
1357
cfgmaps[k++] = voptions;
1359
if (options != NULL) {
1360
maps[i++] = options;
1361
optionmaps[j++] = options;
1364
maps[i++] = ns_g_defaults;
1366
optionmaps[j] = NULL;
1368
cfgmaps[k++] = config;
1371
if (!strcmp(viewname, "_default")) {
1378
* Set the view's port number for outgoing queries.
1380
CHECKM(ns_config_getport(config, &port), "port");
1381
dns_view_setdstport(view, port);
1384
* Create additional cache for this view and zones under the view
1385
* if explicitly enabled.
1386
* XXX950 default to on.
1389
(void)ns_config_get(maps, "acache-enable", &obj);
1390
if (obj != NULL && cfg_obj_asboolean(obj)) {
1392
CHECK(isc_mem_create(0, 0, &cmctx));
1393
CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
1395
isc_mem_setname(cmctx, "acache", NULL);
1396
isc_mem_detach(&cmctx);
1398
if (view->acache != NULL) {
1400
result = ns_config_get(maps, "acache-cleaning-interval", &obj);
1401
INSIST(result == ISC_R_SUCCESS);
1402
dns_acache_setcleaninginterval(view->acache,
1403
cfg_obj_asuint32(obj) * 60);
1406
result = ns_config_get(maps, "max-acache-size", &obj);
1407
INSIST(result == ISC_R_SUCCESS);
1408
if (cfg_obj_isstring(obj)) {
1409
str = cfg_obj_asstring(obj);
1410
INSIST(strcasecmp(str, "unlimited") == 0);
1411
max_acache_size = ISC_UINT32_MAX;
1413
isc_resourcevalue_t value;
1415
value = cfg_obj_asuint64(obj);
1416
if (value > ISC_UINT32_MAX) {
1417
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1419
"%" ISC_PRINT_QUADFORMAT
1422
result = ISC_R_RANGE;
1425
max_acache_size = (isc_uint32_t)value;
1427
dns_acache_setcachesize(view->acache, max_acache_size);
1431
* Configure the zones.
1434
if (voptions != NULL)
1435
(void)cfg_map_get(voptions, "zone", &zonelist);
1437
(void)cfg_map_get(config, "zone", &zonelist);
1438
for (element = cfg_list_first(zonelist);
1440
element = cfg_list_next(element))
1442
const cfg_obj_t *zconfig = cfg_listelt_value(element);
1443
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
1449
* Create Dynamically Loadable Zone driver.
1452
if (voptions != NULL)
1453
(void)cfg_map_get(voptions, "dlz", &dlz);
1455
(void)cfg_map_get(config, "dlz", &dlz);
1459
(void)cfg_map_get(cfg_tuple_get(dlz, "options"),
1462
char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
1464
result = ISC_R_NOMEMORY;
1468
result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
1469
if (result != ISC_R_SUCCESS) {
1470
isc_mem_free(mctx, s);
1474
obj = cfg_tuple_get(dlz, "name");
1475
result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
1476
dlzargv[0], dlzargc, dlzargv,
1477
&view->dlzdatabase);
1478
isc_mem_free(mctx, s);
1479
isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
1480
if (result != ISC_R_SUCCESS)
1487
* Obtain configuration parameters that affect the decision of whether
1488
* we can reuse/share an existing cache.
1491
result = ns_config_get(maps, "cleaning-interval", &obj);
1492
INSIST(result == ISC_R_SUCCESS);
1493
cleaning_interval = cfg_obj_asuint32(obj) * 60;
1496
result = ns_config_get(maps, "max-cache-size", &obj);
1497
INSIST(result == ISC_R_SUCCESS);
1498
if (cfg_obj_isstring(obj)) {
1499
str = cfg_obj_asstring(obj);
1500
INSIST(strcasecmp(str, "unlimited") == 0);
1501
max_cache_size = ISC_UINT32_MAX;
1503
isc_resourcevalue_t value;
1504
value = cfg_obj_asuint64(obj);
1505
if (value > ISC_UINT32_MAX) {
1506
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1508
"%" ISC_PRINT_QUADFORMAT "d' is too large",
1510
result = ISC_R_RANGE;
1513
max_cache_size = (isc_uint32_t)value;
1518
result = ns_checknames_get(maps, "response", &obj);
1519
INSIST(result == ISC_R_SUCCESS);
1521
str = cfg_obj_asstring(obj);
1522
if (strcasecmp(str, "fail") == 0) {
1523
resopts |= DNS_RESOLVER_CHECKNAMES |
1524
DNS_RESOLVER_CHECKNAMESFAIL;
1525
view->checknames = ISC_TRUE;
1526
} else if (strcasecmp(str, "warn") == 0) {
1527
resopts |= DNS_RESOLVER_CHECKNAMES;
1528
view->checknames = ISC_FALSE;
1529
} else if (strcasecmp(str, "ignore") == 0) {
1530
view->checknames = ISC_FALSE;
1535
result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
1536
INSIST(result == ISC_R_SUCCESS);
1537
zero_no_soattl = cfg_obj_asboolean(obj);
1540
result = ns_config_get(maps, "dnssec-accept-expired", &obj);
1541
INSIST(result == ISC_R_SUCCESS);
1542
view->acceptexpired = cfg_obj_asboolean(obj);
1545
result = ns_config_get(maps, "dnssec-validation", &obj);
1546
INSIST(result == ISC_R_SUCCESS);
1547
view->enablevalidation = cfg_obj_asboolean(obj);
1550
result = ns_config_get(maps, "max-cache-ttl", &obj);
1551
INSIST(result == ISC_R_SUCCESS);
1552
view->maxcachettl = cfg_obj_asuint32(obj);
1555
result = ns_config_get(maps, "max-ncache-ttl", &obj);
1556
INSIST(result == ISC_R_SUCCESS);
1557
view->maxncachettl = cfg_obj_asuint32(obj);
1558
if (view->maxncachettl > 7 * 24 * 3600)
1559
view->maxncachettl = 7 * 24 * 3600;
1562
* Configure the view's cache.
1564
* First, check to see if there are any attach-cache options. If yes,
1565
* attempt to lookup an existing cache at attach it to the view. If
1566
* there is not one, then try to reuse an existing cache if possible;
1567
* otherwise create a new cache.
1569
* Note that the ADB is not preserved or shared in either case.
1571
* When a matching view is found, the associated statistics are also
1572
* retrieved and reused.
1574
* XXX Determining when it is safe to reuse or share a cache is tricky.
1575
* When the view's configuration changes, the cached data may become
1576
* invalid because it reflects our old view of the world. We check
1577
* some of the configuration parameters that could invalidate the cache
1578
* or otherwise make it unsharable, but there are other configuration
1579
* options that should be checked. For example, if a view uses a
1580
* forwarder, changes in the forwarder configuration may invalidate
1581
* the cache. At the moment, it's the administrator's responsibility to
1582
* ensure these configuration options don't invalidate reusing/sharing.
1585
result = ns_config_get(maps, "attach-cache", &obj);
1586
if (result == ISC_R_SUCCESS)
1587
cachename = cfg_obj_asstring(obj);
1589
cachename = view->name;
1591
nsc = cachelist_find(cachelist, cachename);
1593
if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
1594
cleaning_interval, max_cache_size)) {
1595
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1596
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
1597
"views %s and %s can't share the cache "
1598
"due to configuration parameter mismatch",
1599
nsc->primaryview->name, view->name);
1600
result = ISC_R_FAILURE;
1603
dns_cache_attach(nsc->cache, &cache);
1604
shared_cache = ISC_TRUE;
1606
if (strcmp(cachename, view->name) == 0) {
1607
result = dns_viewlist_find(&ns_g_server->viewlist,
1608
cachename, view->rdclass,
1610
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
1612
if (pview != NULL) {
1613
if (!cache_reusable(pview, view,
1615
isc_log_write(ns_g_lctx,
1616
NS_LOGCATEGORY_GENERAL,
1617
NS_LOGMODULE_SERVER,
1619
"cache cannot be reused "
1620
"for view %s due to "
1621
"configuration parameter "
1622
"mismatch", view->name);
1624
INSIST(pview->cache != NULL);
1625
isc_log_write(ns_g_lctx,
1626
NS_LOGCATEGORY_GENERAL,
1627
NS_LOGMODULE_SERVER,
1629
"reusing existing cache");
1630
reused_cache = ISC_TRUE;
1631
dns_cache_attach(pview->cache, &cache);
1633
dns_view_getresstats(pview, &resstats);
1634
dns_view_getresquerystats(pview,
1636
dns_view_detach(&pview);
1639
if (cache == NULL) {
1641
* Create a cache with the desired name. This normally
1642
* equals the view name, but may also be a forward
1643
* reference to a view that share the cache with this
1644
* view but is not yet configured. If it is not the
1645
* view name but not a forward reference either, then it
1646
* is simply a named cache that is not shared.
1648
CHECK(isc_mem_create(0, 0, &cmctx));
1649
isc_mem_setname(cmctx, "cache", NULL);
1650
CHECK(dns_cache_create2(cmctx, ns_g_taskmgr,
1651
ns_g_timermgr, view->rdclass,
1652
cachename, "rbt", 0, NULL,
1655
nsc = isc_mem_get(mctx, sizeof(*nsc));
1657
result = ISC_R_NOMEMORY;
1661
dns_cache_attach(cache, &nsc->cache);
1662
nsc->primaryview = view;
1663
nsc->needflush = ISC_FALSE;
1664
nsc->adbsizeadjusted = ISC_FALSE;
1665
ISC_LINK_INIT(nsc, link);
1666
ISC_LIST_APPEND(*cachelist, nsc, link);
1668
dns_view_setcache2(view, cache, shared_cache);
1671
* cache-file cannot be inherited if views are present, but this
1672
* should be caught by the configuration checking stage.
1675
result = ns_config_get(maps, "cache-file", &obj);
1676
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
1677
CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
1678
if (!reused_cache && !shared_cache)
1679
CHECK(dns_cache_load(cache));
1682
dns_cache_setcleaninginterval(cache, cleaning_interval);
1683
dns_cache_setcachesize(cache, max_cache_size);
1685
dns_cache_detach(&cache);
1690
* XXXRTH Hardwired number of tasks.
1692
CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
1693
ISC_TF(ISC_LIST_PREV(view, link)
1695
CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
1696
ISC_TF(ISC_LIST_PREV(view, link)
1698
if (dispatch4 == NULL && dispatch6 == NULL) {
1699
UNEXPECTED_ERROR(__FILE__, __LINE__,
1700
"unable to obtain neither an IPv4 nor"
1701
" an IPv6 dispatch");
1702
result = ISC_R_UNEXPECTED;
1705
CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
1706
ns_g_socketmgr, ns_g_timermgr,
1707
resopts, ns_g_dispatchmgr,
1708
dispatch4, dispatch6));
1710
if (resstats == NULL) {
1711
CHECK(isc_stats_create(mctx, &resstats,
1712
dns_resstatscounter_max));
1714
dns_view_setresstats(view, resstats);
1715
if (resquerystats == NULL)
1716
CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
1717
dns_view_setresquerystats(view, resquerystats);
1720
* Set the ADB cache size to 1/8th of the max-cache-size or
1721
* MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
1724
if (max_cache_size != 0) {
1725
max_adb_size = max_cache_size / 8;
1726
if (max_adb_size == 0)
1727
max_adb_size = 1; /* Force minimum. */
1728
if (view != nsc->primaryview &&
1729
max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
1730
max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
1731
if (!nsc->adbsizeadjusted) {
1732
dns_adb_setadbsize(nsc->primaryview->adb,
1733
MAX_ADB_SIZE_FOR_CACHESHARE);
1734
nsc->adbsizeadjusted = ISC_TRUE;
1738
dns_adb_setadbsize(view->adb, max_adb_size);
1741
* Set resolver's lame-ttl.
1744
result = ns_config_get(maps, "lame-ttl", &obj);
1745
INSIST(result == ISC_R_SUCCESS);
1746
lame_ttl = cfg_obj_asuint32(obj);
1747
if (lame_ttl > 1800)
1749
dns_resolver_setlamettl(view->resolver, lame_ttl);
1751
/* Specify whether to use 0-TTL for negative response for SOA query */
1752
dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
1755
* Set the resolver's EDNS UDP size.
1758
result = ns_config_get(maps, "edns-udp-size", &obj);
1759
INSIST(result == ISC_R_SUCCESS);
1760
udpsize = cfg_obj_asuint32(obj);
1765
dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
1768
* Set the maximum UDP response size.
1771
result = ns_config_get(maps, "max-udp-size", &obj);
1772
INSIST(result == ISC_R_SUCCESS);
1773
udpsize = cfg_obj_asuint32(obj);
1778
view->maxudp = udpsize;
1781
* Set supported DNSSEC algorithms.
1783
dns_resolver_reset_algorithms(view->resolver);
1785
(void)ns_config_get(maps, "disable-algorithms", &disabled);
1786
if (disabled != NULL) {
1787
for (element = cfg_list_first(disabled);
1789
element = cfg_list_next(element))
1790
CHECK(disable_algorithms(cfg_listelt_value(element),
1795
* A global or view "forwarders" option, if present,
1796
* creates an entry for "." in the forwarding table.
1800
(void)ns_config_get(maps, "forward", &forwardtype);
1801
(void)ns_config_get(maps, "forwarders", &forwarders);
1802
if (forwarders != NULL)
1803
CHECK(configure_forward(config, view, dns_rootname,
1804
forwarders, forwardtype));
1807
* Dual Stack Servers.
1810
(void)ns_config_get(maps, "dual-stack-servers", &alternates);
1811
if (alternates != NULL)
1812
CHECK(configure_alternates(config, view, alternates));
1815
* We have default hints for class IN if we need them.
1817
if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
1818
dns_view_sethints(view, ns_g_server->in_roothints);
1821
* If we still have no hints, this is a non-IN view with no
1822
* "hints zone" configured. Issue a warning, except if this
1823
* is a root server. Root servers never need to consult
1824
* their hints, so it's no point requiring users to configure
1827
if (view->hints == NULL) {
1828
dns_zone_t *rootzone = NULL;
1829
(void)dns_view_findzone(view, dns_rootname, &rootzone);
1830
if (rootzone != NULL) {
1831
dns_zone_detach(&rootzone);
1832
need_hints = ISC_FALSE;
1835
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1836
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
1837
"no root hints for view '%s'",
1842
* Configure the view's TSIG keys.
1844
CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
1845
if (ns_g_server->sessionkey != NULL) {
1846
CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
1847
ns_g_server->sessionkey));
1849
dns_view_setkeyring(view, ring);
1850
ring = NULL; /* ownership transferred */
1853
* Configure the view's peer list.
1856
const cfg_obj_t *peers = NULL;
1857
const cfg_listelt_t *element;
1858
dns_peerlist_t *newpeers = NULL;
1860
(void)ns_config_get(cfgmaps, "server", &peers);
1861
CHECK(dns_peerlist_new(mctx, &newpeers));
1862
for (element = cfg_list_first(peers);
1864
element = cfg_list_next(element))
1866
const cfg_obj_t *cpeer = cfg_listelt_value(element);
1869
CHECK(configure_peer(cpeer, mctx, &peer));
1870
dns_peerlist_addpeer(newpeers, peer);
1871
dns_peer_detach(&peer);
1873
dns_peerlist_detach(&view->peers);
1874
view->peers = newpeers; /* Transfer ownership. */
1878
* Configure the views rrset-order.
1881
const cfg_obj_t *rrsetorder = NULL;
1882
const cfg_listelt_t *element;
1884
(void)ns_config_get(maps, "rrset-order", &rrsetorder);
1885
CHECK(dns_order_create(mctx, &order));
1886
for (element = cfg_list_first(rrsetorder);
1888
element = cfg_list_next(element))
1890
const cfg_obj_t *ent = cfg_listelt_value(element);
1892
CHECK(configure_order(order, ent));
1894
if (view->order != NULL)
1895
dns_order_detach(&view->order);
1896
dns_order_attach(order, &view->order);
1897
dns_order_detach(&order);
1900
* Copy the aclenv object.
1902
dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
1905
* Configure the "match-clients" and "match-destinations" ACL.
1907
CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
1908
ns_g_mctx, &view->matchclients));
1909
CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
1910
actx, ns_g_mctx, &view->matchdestinations));
1913
* Configure the "match-recursive-only" option.
1916
(void)ns_config_get(maps, "match-recursive-only", &obj);
1917
if (obj != NULL && cfg_obj_asboolean(obj))
1918
view->matchrecursiveonly = ISC_TRUE;
1920
view->matchrecursiveonly = ISC_FALSE;
1923
* Configure other configurable data.
1926
result = ns_config_get(maps, "recursion", &obj);
1927
INSIST(result == ISC_R_SUCCESS);
1928
view->recursion = cfg_obj_asboolean(obj);
1931
result = ns_config_get(maps, "auth-nxdomain", &obj);
1932
INSIST(result == ISC_R_SUCCESS);
1933
view->auth_nxdomain = cfg_obj_asboolean(obj);
1936
result = ns_config_get(maps, "minimal-responses", &obj);
1937
INSIST(result == ISC_R_SUCCESS);
1938
view->minimalresponses = cfg_obj_asboolean(obj);
1941
result = ns_config_get(maps, "transfer-format", &obj);
1942
INSIST(result == ISC_R_SUCCESS);
1943
str = cfg_obj_asstring(obj);
1944
if (strcasecmp(str, "many-answers") == 0)
1945
view->transfer_format = dns_many_answers;
1946
else if (strcasecmp(str, "one-answer") == 0)
1947
view->transfer_format = dns_one_answer;
1952
* Set sources where additional data and CNAME/DNAME
1953
* targets for authoritative answers may be found.
1956
result = ns_config_get(maps, "additional-from-auth", &obj);
1957
INSIST(result == ISC_R_SUCCESS);
1958
view->additionalfromauth = cfg_obj_asboolean(obj);
1959
if (view->recursion && ! view->additionalfromauth) {
1960
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
1961
"'additional-from-auth no' is only supported "
1962
"with 'recursion no'");
1963
view->additionalfromauth = ISC_TRUE;
1967
result = ns_config_get(maps, "additional-from-cache", &obj);
1968
INSIST(result == ISC_R_SUCCESS);
1969
view->additionalfromcache = cfg_obj_asboolean(obj);
1970
if (view->recursion && ! view->additionalfromcache) {
1971
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
1972
"'additional-from-cache no' is only supported "
1973
"with 'recursion no'");
1974
view->additionalfromcache = ISC_TRUE;
1978
* Set "allow-query-cache", "allow-query-cache-on",
1979
* "allow-recursion", and "allow-recursion-on" acls if
1980
* configured in named.conf.
1982
CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
1983
actx, ns_g_mctx, &view->queryacl));
1984
CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
1985
actx, ns_g_mctx, &view->queryonacl));
1986
if (view->queryonacl == NULL)
1987
CHECK(configure_view_acl(NULL, ns_g_config,
1988
"allow-query-cache-on", NULL, actx,
1989
ns_g_mctx, &view->queryonacl));
1990
if (strcmp(view->name, "_bind") != 0) {
1991
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
1992
NULL, actx, ns_g_mctx,
1993
&view->recursionacl));
1994
CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
1995
NULL, actx, ns_g_mctx,
1996
&view->recursiononacl));
2000
* "allow-query-cache" inherits from "allow-recursion" if set,
2001
* otherwise from "allow-query" if set.
2002
* "allow-recursion" inherits from "allow-query-cache" if set,
2003
* otherwise from "allow-query" if set.
2005
if (view->queryacl == NULL && view->recursionacl != NULL)
2006
dns_acl_attach(view->recursionacl, &view->queryacl);
2007
if (view->queryacl == NULL && view->recursion)
2008
CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
2009
actx, ns_g_mctx, &view->queryacl));
2010
if (view->recursion &&
2011
view->recursionacl == NULL && view->queryacl != NULL)
2012
dns_acl_attach(view->queryacl, &view->recursionacl);
2015
* Set default "allow-recursion", "allow-recursion-on" and
2016
* "allow-query-cache" acls.
2018
if (view->recursionacl == NULL && view->recursion)
2019
CHECK(configure_view_acl(NULL, ns_g_config,
2020
"allow-recursion", NULL,
2022
&view->recursionacl));
2023
if (view->recursiononacl == NULL && view->recursion)
2024
CHECK(configure_view_acl(NULL, ns_g_config,
2025
"allow-recursion-on", NULL,
2027
&view->recursiononacl));
2028
if (view->queryacl == NULL) {
2029
if (view->recursion)
2030
CHECK(configure_view_acl(NULL, ns_g_config,
2031
"allow-query-cache", NULL,
2035
if (view->queryacl != NULL)
2036
dns_acl_detach(&view->queryacl);
2037
CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
2042
* Filter setting on addresses in the answer section.
2044
CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
2045
"acl", actx, ns_g_mctx, &view->denyansweracl));
2046
CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
2047
"except-from", ns_g_mctx,
2048
&view->answeracl_exclude));
2051
* Filter setting on names (CNAME/DNAME targets) in the answer section.
2053
CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2055
&view->denyanswernames));
2056
CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2057
"except-from", ns_g_mctx,
2058
&view->answernames_exclude));
2061
* Configure sortlist, if set
2063
CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
2067
* Configure default allow-transfer, allow-notify, allow-update
2068
* and allow-update-forwarding ACLs, if set, so they can be
2069
* inherited by zones.
2071
if (view->notifyacl == NULL)
2072
CHECK(configure_view_acl(NULL, ns_g_config,
2073
"allow-notify", NULL, actx,
2074
ns_g_mctx, &view->notifyacl));
2075
if (view->transferacl == NULL)
2076
CHECK(configure_view_acl(NULL, ns_g_config,
2077
"allow-transfer", NULL, actx,
2078
ns_g_mctx, &view->transferacl));
2079
if (view->updateacl == NULL)
2080
CHECK(configure_view_acl(NULL, ns_g_config,
2081
"allow-update", NULL, actx,
2082
ns_g_mctx, &view->updateacl));
2083
if (view->upfwdacl == NULL)
2084
CHECK(configure_view_acl(NULL, ns_g_config,
2085
"allow-update-forwarding", NULL, actx,
2086
ns_g_mctx, &view->upfwdacl));
2089
result = ns_config_get(maps, "request-ixfr", &obj);
2090
INSIST(result == ISC_R_SUCCESS);
2091
view->requestixfr = cfg_obj_asboolean(obj);
2094
result = ns_config_get(maps, "provide-ixfr", &obj);
2095
INSIST(result == ISC_R_SUCCESS);
2096
view->provideixfr = cfg_obj_asboolean(obj);
2099
result = ns_config_get(maps, "request-nsid", &obj);
2100
INSIST(result == ISC_R_SUCCESS);
2101
view->requestnsid = cfg_obj_asboolean(obj);
2104
result = ns_config_get(maps, "max-clients-per-query", &obj);
2105
INSIST(result == ISC_R_SUCCESS);
2106
max_clients_per_query = cfg_obj_asuint32(obj);
2109
result = ns_config_get(maps, "clients-per-query", &obj);
2110
INSIST(result == ISC_R_SUCCESS);
2111
dns_resolver_setclientsperquery(view->resolver,
2112
cfg_obj_asuint32(obj),
2113
max_clients_per_query);
2115
#ifdef ALLOW_FILTER_AAAA_ON_V4
2117
result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
2118
INSIST(result == ISC_R_SUCCESS);
2119
if (cfg_obj_isboolean(obj)) {
2120
if (cfg_obj_asboolean(obj))
2121
view->v4_aaaa = dns_v4_aaaa_filter;
2123
view->v4_aaaa = dns_v4_aaaa_ok;
2125
const char *v4_aaaastr = cfg_obj_asstring(obj);
2126
if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
2127
view->v4_aaaa = dns_v4_aaaa_break_dnssec;
2134
result = ns_config_get(maps, "dnssec-enable", &obj);
2135
INSIST(result == ISC_R_SUCCESS);
2136
view->enablednssec = cfg_obj_asboolean(obj);
2139
result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
2140
if (result == ISC_R_SUCCESS) {
2141
/* If set to "auto", use the version from the defaults */
2142
const cfg_obj_t *dlvobj;
2143
dlvobj = cfg_listelt_value(cfg_list_first(obj));
2144
if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
2146
cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
2147
auto_dlv = ISC_TRUE;
2149
result = cfg_map_get(ns_g_defaults,
2150
"dnssec-lookaside", &obj);
2154
if (result == ISC_R_SUCCESS) {
2155
for (element = cfg_list_first(obj);
2157
element = cfg_list_next(element))
2163
obj = cfg_listelt_value(element);
2165
dns_fixedname_t fixed;
2169
* When we support multiple dnssec-lookaside
2170
* entries this is how to find the domain to be
2173
dns_fixedname_init(&fixed);
2174
name = dns_fixedname_name(&fixed);
2175
str = cfg_obj_asstring(cfg_tuple_get(obj,
2177
isc_buffer_init(&b, str, strlen(str));
2178
isc_buffer_add(&b, strlen(str));
2179
CHECK(dns_name_fromtext(name, &b, dns_rootname,
2182
str = cfg_obj_asstring(cfg_tuple_get(obj,
2184
isc_buffer_init(&b, str, strlen(str));
2185
isc_buffer_add(&b, strlen(str));
2186
dlv = dns_fixedname_name(&view->dlv_fixed);
2187
CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
2188
DNS_NAME_DOWNCASE, NULL));
2189
view->dlv = dns_fixedname_name(&view->dlv_fixed);
2195
* For now, there is only one kind of trusted keys, the
2198
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
2200
dns_resolver_resetmustbesecure(view->resolver);
2202
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
2203
if (result == ISC_R_SUCCESS)
2204
CHECK(mustbesecure(obj, view->resolver));
2207
result = ns_config_get(maps, "preferred-glue", &obj);
2208
if (result == ISC_R_SUCCESS) {
2209
str = cfg_obj_asstring(obj);
2210
if (strcasecmp(str, "a") == 0)
2211
view->preferred_glue = dns_rdatatype_a;
2212
else if (strcasecmp(str, "aaaa") == 0)
2213
view->preferred_glue = dns_rdatatype_aaaa;
2215
view->preferred_glue = 0;
2217
view->preferred_glue = 0;
2220
result = ns_config_get(maps, "root-delegation-only", &obj);
2221
if (result == ISC_R_SUCCESS) {
2222
dns_view_setrootdelonly(view, ISC_TRUE);
2223
if (!cfg_obj_isvoid(obj)) {
2224
dns_fixedname_t fixed;
2228
const cfg_obj_t *exclude;
2230
dns_fixedname_init(&fixed);
2231
name = dns_fixedname_name(&fixed);
2232
for (element = cfg_list_first(obj);
2234
element = cfg_list_next(element)) {
2235
exclude = cfg_listelt_value(element);
2236
str = cfg_obj_asstring(exclude);
2237
isc_buffer_init(&b, str, strlen(str));
2238
isc_buffer_add(&b, strlen(str));
2239
CHECK(dns_name_fromtext(name, &b, dns_rootname,
2241
CHECK(dns_view_excludedelegationonly(view,
2246
dns_view_setrootdelonly(view, ISC_FALSE);
2249
* Setup automatic empty zones. If recursion is off then
2250
* they are disabled by default.
2253
(void)ns_config_get(maps, "empty-zones-enable", &obj);
2254
(void)ns_config_get(maps, "disable-empty-zone", &disablelist);
2255
if (obj == NULL && disablelist == NULL &&
2256
view->rdclass == dns_rdataclass_in) {
2257
rfc1918 = ISC_FALSE;
2258
empty_zones_enable = view->recursion;
2259
} else if (view->rdclass == dns_rdataclass_in) {
2262
empty_zones_enable = cfg_obj_asboolean(obj);
2264
empty_zones_enable = view->recursion;
2266
rfc1918 = ISC_FALSE;
2267
empty_zones_enable = ISC_FALSE;
2269
if (empty_zones_enable) {
2272
dns_fixedname_t fixed;
2274
isc_buffer_t buffer;
2276
char server[DNS_NAME_FORMATSIZE + 1];
2277
char contact[DNS_NAME_FORMATSIZE + 1];
2278
isc_boolean_t logit;
2279
const char *empty_dbtype[4] =
2280
{ "_builtin", "empty", NULL, NULL };
2281
int empty_dbtypec = 4;
2282
isc_boolean_t zonestats_on;
2284
dns_fixedname_init(&fixed);
2285
name = dns_fixedname_name(&fixed);
2288
result = ns_config_get(maps, "empty-server", &obj);
2289
if (result == ISC_R_SUCCESS) {
2290
str = cfg_obj_asstring(obj);
2291
isc_buffer_init(&buffer, str, strlen(str));
2292
isc_buffer_add(&buffer, strlen(str));
2293
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2295
isc_buffer_init(&buffer, server, sizeof(server) - 1);
2296
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2297
server[isc_buffer_usedlength(&buffer)] = 0;
2298
empty_dbtype[2] = server;
2300
empty_dbtype[2] = "@";
2303
result = ns_config_get(maps, "empty-contact", &obj);
2304
if (result == ISC_R_SUCCESS) {
2305
str = cfg_obj_asstring(obj);
2306
isc_buffer_init(&buffer, str, strlen(str));
2307
isc_buffer_add(&buffer, strlen(str));
2308
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2310
isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
2311
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2312
contact[isc_buffer_usedlength(&buffer)] = 0;
2313
empty_dbtype[3] = contact;
2315
empty_dbtype[3] = ".";
2318
result = ns_config_get(maps, "zone-statistics", &obj);
2319
INSIST(result == ISC_R_SUCCESS);
2320
zonestats_on = cfg_obj_asboolean(obj);
2323
for (empty = empty_zones[empty_zone].zone;
2325
empty = empty_zones[++empty_zone].zone)
2327
dns_forwarders_t *forwarders = NULL;
2328
dns_view_t *pview = NULL;
2330
isc_buffer_init(&buffer, empty, strlen(empty));
2331
isc_buffer_add(&buffer, strlen(empty));
2333
* Look for zone on drop list.
2335
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2337
if (disablelist != NULL &&
2338
on_disable_list(disablelist, name))
2342
* This zone already exists.
2344
(void)dns_view_findzone(view, name, &zone);
2346
CHECK(setquerystats(zone, mctx, zonestats_on));
2347
dns_zone_detach(&zone);
2352
* If we would forward this name don't add a
2353
* empty zone for it.
2355
result = dns_fwdtable_find(view->fwdtable, name,
2357
if (result == ISC_R_SUCCESS &&
2358
forwarders->fwdpolicy == dns_fwdpolicy_only)
2361
if (!rfc1918 && empty_zones[empty_zone].rfc1918) {
2363
isc_log_write(ns_g_lctx,
2364
NS_LOGCATEGORY_GENERAL,
2365
NS_LOGMODULE_SERVER,
2368
"'empty-zones-enable/"
2369
"disable-empty-zone' "
2370
"not set: disabling "
2371
"RFC 1918 empty zones",
2379
* See if we can re-use a existing zone.
2381
result = dns_viewlist_find(&ns_g_server->viewlist,
2382
view->name, view->rdclass,
2384
if (result != ISC_R_NOTFOUND &&
2385
result != ISC_R_SUCCESS)
2388
if (pview != NULL) {
2389
(void)dns_view_findzone(pview, name, &zone);
2390
dns_view_detach(&pview);
2392
check_dbtype(&zone, empty_dbtypec,
2393
empty_dbtype, mctx);
2395
dns_zone_setview(zone, view);
2396
CHECK(dns_view_addzone(view, zone));
2397
CHECK(setquerystats(zone, mctx,
2399
dns_zone_detach(&zone);
2404
CHECK(dns_zone_create(&zone, mctx));
2405
CHECK(dns_zone_setorigin(zone, name));
2406
dns_zone_setview(zone, view);
2407
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2408
dns_zone_setclass(zone, view->rdclass);
2409
dns_zone_settype(zone, dns_zone_master);
2410
dns_zone_setstats(zone, ns_g_server->zonestats);
2411
CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
2413
if (view->queryacl != NULL)
2414
dns_zone_setqueryacl(zone, view->queryacl);
2415
if (view->queryonacl != NULL)
2416
dns_zone_setqueryonacl(zone, view->queryonacl);
2417
dns_zone_setdialup(zone, dns_dialuptype_no);
2418
dns_zone_setnotifytype(zone, dns_notifytype_no);
2419
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
2421
CHECK(setquerystats(zone, mctx, zonestats_on));
2422
CHECK(dns_view_addzone(view, zone));
2423
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2424
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
2425
"automatic empty zone%s%s: %s",
2426
sep, viewname, empty);
2427
dns_zone_detach(&zone);
2431
result = ISC_R_SUCCESS;
2435
dns_tsigkeyring_destroy(&ring);
2437
dns_zone_detach(&zone);
2438
if (dispatch4 != NULL)
2439
dns_dispatch_detach(&dispatch4);
2440
if (dispatch6 != NULL)
2441
dns_dispatch_detach(&dispatch6);
2442
if (resstats != NULL)
2443
isc_stats_detach(&resstats);
2444
if (resquerystats != NULL)
2445
dns_stats_detach(&resquerystats);
2447
dns_order_detach(&order);
2449
isc_mem_detach(&cmctx);
2452
dns_cache_detach(&cache);
2458
configure_hints(dns_view_t *view, const char *filename) {
2459
isc_result_t result;
2463
result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
2464
if (result == ISC_R_SUCCESS) {
2465
dns_view_sethints(view, db);
2473
configure_alternates(const cfg_obj_t *config, dns_view_t *view,
2474
const cfg_obj_t *alternates)
2476
const cfg_obj_t *portobj;
2477
const cfg_obj_t *addresses;
2478
const cfg_listelt_t *element;
2479
isc_result_t result = ISC_R_SUCCESS;
2483
* Determine which port to send requests to.
2485
if (ns_g_lwresdonly && ns_g_port != 0)
2488
CHECKM(ns_config_getport(config, &port), "port");
2490
if (alternates != NULL) {
2491
portobj = cfg_tuple_get(alternates, "port");
2492
if (cfg_obj_isuint32(portobj)) {
2493
isc_uint32_t val = cfg_obj_asuint32(portobj);
2494
if (val > ISC_UINT16_MAX) {
2495
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
2496
"port '%u' out of range", val);
2497
return (ISC_R_RANGE);
2499
port = (in_port_t) val;
2504
if (alternates != NULL)
2505
addresses = cfg_tuple_get(alternates, "addresses");
2507
for (element = cfg_list_first(addresses);
2509
element = cfg_list_next(element))
2511
const cfg_obj_t *alternate = cfg_listelt_value(element);
2514
if (!cfg_obj_issockaddr(alternate)) {
2515
dns_fixedname_t fixed;
2517
const char *str = cfg_obj_asstring(cfg_tuple_get(
2518
alternate, "name"));
2519
isc_buffer_t buffer;
2520
in_port_t myport = port;
2522
isc_buffer_init(&buffer, str, strlen(str));
2523
isc_buffer_add(&buffer, strlen(str));
2524
dns_fixedname_init(&fixed);
2525
name = dns_fixedname_name(&fixed);
2526
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2529
portobj = cfg_tuple_get(alternate, "port");
2530
if (cfg_obj_isuint32(portobj)) {
2531
isc_uint32_t val = cfg_obj_asuint32(portobj);
2532
if (val > ISC_UINT16_MAX) {
2533
cfg_obj_log(portobj, ns_g_lctx,
2535
"port '%u' out of range",
2537
return (ISC_R_RANGE);
2539
myport = (in_port_t) val;
2541
CHECK(dns_resolver_addalternate(view->resolver, NULL,
2546
sa = *cfg_obj_assockaddr(alternate);
2547
if (isc_sockaddr_getport(&sa) == 0)
2548
isc_sockaddr_setport(&sa, port);
2549
CHECK(dns_resolver_addalternate(view->resolver, &sa,
2558
configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
2559
const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
2561
const cfg_obj_t *portobj;
2562
const cfg_obj_t *faddresses;
2563
const cfg_listelt_t *element;
2564
dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
2565
isc_sockaddrlist_t addresses;
2567
isc_result_t result;
2570
ISC_LIST_INIT(addresses);
2573
* Determine which port to send forwarded requests to.
2575
if (ns_g_lwresdonly && ns_g_port != 0)
2578
CHECKM(ns_config_getport(config, &port), "port");
2580
if (forwarders != NULL) {
2581
portobj = cfg_tuple_get(forwarders, "port");
2582
if (cfg_obj_isuint32(portobj)) {
2583
isc_uint32_t val = cfg_obj_asuint32(portobj);
2584
if (val > ISC_UINT16_MAX) {
2585
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
2586
"port '%u' out of range", val);
2587
return (ISC_R_RANGE);
2589
port = (in_port_t) val;
2594
if (forwarders != NULL)
2595
faddresses = cfg_tuple_get(forwarders, "addresses");
2597
for (element = cfg_list_first(faddresses);
2599
element = cfg_list_next(element))
2601
const cfg_obj_t *forwarder = cfg_listelt_value(element);
2602
sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
2604
result = ISC_R_NOMEMORY;
2607
*sa = *cfg_obj_assockaddr(forwarder);
2608
if (isc_sockaddr_getport(sa) == 0)
2609
isc_sockaddr_setport(sa, port);
2610
ISC_LINK_INIT(sa, link);
2611
ISC_LIST_APPEND(addresses, sa, link);
2614
if (ISC_LIST_EMPTY(addresses)) {
2615
if (forwardtype != NULL)
2616
cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
2617
"no forwarders seen; disabling "
2619
fwdpolicy = dns_fwdpolicy_none;
2621
if (forwardtype == NULL)
2622
fwdpolicy = dns_fwdpolicy_first;
2624
const char *forwardstr = cfg_obj_asstring(forwardtype);
2625
if (strcasecmp(forwardstr, "first") == 0)
2626
fwdpolicy = dns_fwdpolicy_first;
2627
else if (strcasecmp(forwardstr, "only") == 0)
2628
fwdpolicy = dns_fwdpolicy_only;
2634
result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
2636
if (result != ISC_R_SUCCESS) {
2637
char namebuf[DNS_NAME_FORMATSIZE];
2638
dns_name_format(origin, namebuf, sizeof(namebuf));
2639
cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
2640
"could not set up forwarding for domain '%s': %s",
2641
namebuf, isc_result_totext(result));
2645
result = ISC_R_SUCCESS;
2649
while (!ISC_LIST_EMPTY(addresses)) {
2650
sa = ISC_LIST_HEAD(addresses);
2651
ISC_LIST_UNLINK(addresses, sa, link);
2652
isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
2659
* Create a new view and add it to the list.
2661
* If 'vconfig' is NULL, create the default view.
2663
* The view created is attached to '*viewp'.
2666
create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
2669
isc_result_t result;
2670
const char *viewname;
2671
dns_rdataclass_t viewclass;
2672
dns_view_t *view = NULL;
2674
if (vconfig != NULL) {
2675
const cfg_obj_t *classobj = NULL;
2677
viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
2678
classobj = cfg_tuple_get(vconfig, "class");
2679
result = ns_config_getclass(classobj, dns_rdataclass_in,
2682
viewname = "_default";
2683
viewclass = dns_rdataclass_in;
2685
result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
2686
if (result == ISC_R_SUCCESS)
2687
return (ISC_R_EXISTS);
2688
if (result != ISC_R_NOTFOUND)
2690
INSIST(view == NULL);
2692
result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
2693
if (result != ISC_R_SUCCESS)
2696
ISC_LIST_APPEND(*viewlist, view, link);
2697
dns_view_attach(view, viewp);
2698
return (ISC_R_SUCCESS);
2702
* Configure or reconfigure a zone.
2705
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
2706
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
2707
cfg_aclconfctx_t *aclconf)
2709
dns_view_t *pview = NULL; /* Production view */
2710
dns_zone_t *zone = NULL; /* New or reused zone */
2711
dns_zone_t *dupzone = NULL;
2712
const cfg_obj_t *options = NULL;
2713
const cfg_obj_t *zoptions = NULL;
2714
const cfg_obj_t *typeobj = NULL;
2715
const cfg_obj_t *forwarders = NULL;
2716
const cfg_obj_t *forwardtype = NULL;
2717
const cfg_obj_t *only = NULL;
2718
isc_result_t result;
2719
isc_result_t tresult;
2720
isc_buffer_t buffer;
2721
dns_fixedname_t fixorigin;
2724
dns_rdataclass_t zclass;
2725
const char *ztypestr;
2728
(void)cfg_map_get(config, "options", &options);
2730
zoptions = cfg_tuple_get(zconfig, "options");
2733
* Get the zone origin as a dns_name_t.
2735
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
2736
isc_buffer_init(&buffer, zname, strlen(zname));
2737
isc_buffer_add(&buffer, strlen(zname));
2738
dns_fixedname_init(&fixorigin);
2739
CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
2740
&buffer, dns_rootname, 0, NULL));
2741
origin = dns_fixedname_name(&fixorigin);
2743
CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
2744
view->rdclass, &zclass));
2745
if (zclass != view->rdclass) {
2746
const char *vname = NULL;
2747
if (vconfig != NULL)
2748
vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
2751
vname = "<default view>";
2753
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2754
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2755
"zone '%s': wrong class for view '%s'",
2757
result = ISC_R_FAILURE;
2761
(void)cfg_map_get(zoptions, "type", &typeobj);
2762
if (typeobj == NULL) {
2763
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
2764
"zone '%s' 'type' not specified", zname);
2765
return (ISC_R_FAILURE);
2767
ztypestr = cfg_obj_asstring(typeobj);
2770
* "hints zones" aren't zones. If we've got one,
2771
* configure it and return.
2773
if (strcasecmp(ztypestr, "hint") == 0) {
2774
const cfg_obj_t *fileobj = NULL;
2775
if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
2776
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2777
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2778
"zone '%s': 'file' not specified",
2780
result = ISC_R_FAILURE;
2783
if (dns_name_equal(origin, dns_rootname)) {
2784
const char *hintsfile = cfg_obj_asstring(fileobj);
2786
result = configure_hints(view, hintsfile);
2787
if (result != ISC_R_SUCCESS) {
2788
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2789
NS_LOGMODULE_SERVER,
2791
"could not configure root hints "
2792
"from '%s': %s", hintsfile,
2793
isc_result_totext(result));
2797
* Hint zones may also refer to delegation only points.
2800
tresult = cfg_map_get(zoptions, "delegation-only",
2802
if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
2803
CHECK(dns_view_adddelegationonly(view, origin));
2805
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2806
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
2807
"ignoring non-root hint zone '%s'",
2809
result = ISC_R_SUCCESS;
2811
/* Skip ordinary zone processing. */
2816
* "forward zones" aren't zones either. Translate this syntax into
2817
* the appropriate selective forwarding configuration and return.
2819
if (strcasecmp(ztypestr, "forward") == 0) {
2823
(void)cfg_map_get(zoptions, "forward", &forwardtype);
2824
(void)cfg_map_get(zoptions, "forwarders", &forwarders);
2825
result = configure_forward(config, view, origin, forwarders,
2831
* "delegation-only zones" aren't zones either.
2833
if (strcasecmp(ztypestr, "delegation-only") == 0) {
2834
result = dns_view_adddelegationonly(view, origin);
2839
* Check for duplicates in the new zone table.
2841
result = dns_view_findzone(view, origin, &dupzone);
2842
if (result == ISC_R_SUCCESS) {
2844
* We already have this zone!
2846
cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
2847
"zone '%s' already exists", zname);
2848
dns_zone_detach(&dupzone);
2849
result = ISC_R_EXISTS;
2852
INSIST(dupzone == NULL);
2855
* See if we can reuse an existing zone. This is
2856
* only possible if all of these are true:
2857
* - The zone's view exists
2858
* - A zone with the right name exists in the view
2859
* - The zone is compatible with the config
2860
* options (e.g., an existing master zone cannot
2861
* be reused if the options specify a slave zone)
2863
result = dns_viewlist_find(&ns_g_server->viewlist,
2864
view->name, view->rdclass,
2866
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2869
result = dns_view_findzone(pview, origin, &zone);
2870
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2872
if (zone != NULL && !ns_zone_reusable(zone, zconfig))
2873
dns_zone_detach(&zone);
2877
* We found a reusable zone. Make it use the
2880
dns_zone_setview(zone, view);
2881
if (view->acache != NULL)
2882
dns_zone_setacache(zone, view->acache);
2885
* We cannot reuse an existing zone, we have
2886
* to create a new one.
2888
CHECK(dns_zone_create(&zone, mctx));
2889
CHECK(dns_zone_setorigin(zone, origin));
2890
dns_zone_setview(zone, view);
2891
if (view->acache != NULL)
2892
dns_zone_setacache(zone, view->acache);
2893
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2894
dns_zone_setstats(zone, ns_g_server->zonestats);
2898
* If the zone contains a 'forwarders' statement, configure
2899
* selective forwarding.
2902
if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
2905
(void)cfg_map_get(zoptions, "forward", &forwardtype);
2906
CHECK(configure_forward(config, view, origin, forwarders,
2911
* Stub and forward zones may also refer to delegation only points.
2914
if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
2916
if (cfg_obj_asboolean(only))
2917
CHECK(dns_view_adddelegationonly(view, origin));
2921
* Configure the zone.
2923
CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
2926
* Add the zone to its view in the new view list.
2928
CHECK(dns_view_addzone(view, zone));
2932
dns_zone_detach(&zone);
2934
dns_view_detach(&pview);
2940
* Configure built-in zone for storing managed-key data.
2943
#define KEYZONE "managed-keys.bind"
2944
#define MKEYS ".mkeys"
2947
add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
2948
isc_result_t result;
2949
dns_zone_t *zone = NULL;
2950
dns_acl_t *none = NULL;
2951
char filename[PATH_MAX];
2952
char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
2955
REQUIRE(view != NULL);
2957
CHECK(dns_zone_create(&zone, mctx));
2959
CHECK(dns_zone_setorigin(zone, dns_rootname));
2961
isc_sha256_data((void *)view->name, strlen(view->name), buffer);
2962
strcat(buffer, MKEYS);
2963
n = snprintf(filename, sizeof(filename), "%s%s%s",
2964
directory ? directory : "", directory ? "/" : "",
2965
strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
2966
if (n < 0 || (size_t)n >= sizeof(filename)) {
2967
result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
2970
CHECK(dns_zone_setfile(zone, filename));
2972
dns_zone_setview(zone, view);
2973
dns_zone_settype(zone, dns_zone_key);
2974
dns_zone_setclass(zone, view->rdclass);
2976
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2978
if (view->acache != NULL)
2979
dns_zone_setacache(zone, view->acache);
2981
CHECK(dns_acl_none(mctx, &none));
2982
dns_zone_setqueryacl(zone, none);
2983
dns_zone_setqueryonacl(zone, none);
2984
dns_acl_detach(&none);
2986
dns_zone_setdialup(zone, dns_dialuptype_no);
2987
dns_zone_setnotifytype(zone, dns_notifytype_no);
2988
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
2989
dns_zone_setjournalsize(zone, 0);
2991
dns_zone_setstats(zone, ns_g_server->zonestats);
2992
CHECK(setquerystats(zone, mctx, ISC_FALSE));
2994
if (view->managed_keys != NULL)
2995
dns_zone_detach(&view->managed_keys);
2996
dns_zone_attach(zone, &view->managed_keys);
2998
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2999
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3000
"set up managed keys zone for view %s, file '%s'",
3001
view->name, filename);
3005
dns_zone_detach(&zone);
3007
dns_acl_detach(&none);
3013
* Configure a single server quota.
3016
configure_server_quota(const cfg_obj_t **maps, const char *name,
3019
const cfg_obj_t *obj = NULL;
3020
isc_result_t result;
3022
result = ns_config_get(maps, name, &obj);
3023
INSIST(result == ISC_R_SUCCESS);
3024
isc_quota_max(quota, cfg_obj_asuint32(obj));
3028
* This function is called as soon as the 'directory' statement has been
3029
* parsed. This can be extended to support other options if necessary.
3032
directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
3033
isc_result_t result;
3034
const char *directory;
3036
REQUIRE(strcasecmp("directory", clausename) == 0);
3044
directory = cfg_obj_asstring(obj);
3046
if (! isc_file_ischdiridempotent(directory))
3047
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3048
"option 'directory' contains relative path '%s'",
3051
result = isc_dir_chdir(directory);
3052
if (result != ISC_R_SUCCESS) {
3053
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
3054
"change directory to '%s' failed: %s",
3055
directory, isc_result_totext(result));
3059
return (ISC_R_SUCCESS);
3063
scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
3064
isc_boolean_t match_mapped = server->aclenv.match_mapped;
3066
ns_interfacemgr_scan(server->interfacemgr, verbose);
3068
* Update the "localhost" and "localnets" ACLs to match the
3069
* current set of network interfaces.
3071
dns_aclenv_copy(&server->aclenv,
3072
ns_interfacemgr_getaclenv(server->interfacemgr));
3074
server->aclenv.match_mapped = match_mapped;
3078
add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
3079
isc_boolean_t wcardport_ok)
3081
ns_listenelt_t *lelt = NULL;
3082
dns_acl_t *src_acl = NULL;
3083
isc_result_t result;
3084
isc_sockaddr_t any_sa6;
3085
isc_netaddr_t netaddr;
3087
REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
3089
isc_sockaddr_any6(&any_sa6);
3090
if (!isc_sockaddr_equal(&any_sa6, addr) &&
3091
(wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
3092
isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
3094
result = dns_acl_create(mctx, 0, &src_acl);
3095
if (result != ISC_R_SUCCESS)
3098
result = dns_iptable_addprefix(src_acl->iptable,
3099
&netaddr, 128, ISC_TRUE);
3100
if (result != ISC_R_SUCCESS)
3103
result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
3105
if (result != ISC_R_SUCCESS)
3107
ISC_LIST_APPEND(list->elts, lelt, link);
3110
return (ISC_R_SUCCESS);
3113
INSIST(lelt == NULL);
3114
dns_acl_detach(&src_acl);
3120
* Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
3121
* to update the listening interfaces accordingly.
3122
* We currently only consider IPv6, because this only affects IPv6 wildcard
3126
adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
3127
isc_result_t result;
3128
ns_listenlist_t *list = NULL;
3130
dns_zone_t *zone, *next;
3131
isc_sockaddr_t addr, *addrp;
3133
result = ns_listenlist_create(mctx, &list);
3134
if (result != ISC_R_SUCCESS)
3137
for (view = ISC_LIST_HEAD(server->viewlist);
3139
view = ISC_LIST_NEXT(view, link)) {
3140
dns_dispatch_t *dispatch6;
3142
dispatch6 = dns_resolver_dispatchv6(view->resolver);
3143
if (dispatch6 == NULL)
3145
result = dns_dispatch_getlocaladdress(dispatch6, &addr);
3146
if (result != ISC_R_SUCCESS)
3150
* We always add non-wildcard address regardless of whether
3151
* the port is 'any' (the fourth arg is TRUE): if the port is
3152
* specific, we need to add it since it may conflict with a
3153
* listening interface; if it's zero, we'll dynamically open
3154
* query ports, and some of them may override an existing
3155
* wildcard IPv6 port.
3157
result = add_listenelt(mctx, list, &addr, ISC_TRUE);
3158
if (result != ISC_R_SUCCESS)
3163
for (result = dns_zone_first(server->zonemgr, &zone);
3164
result == ISC_R_SUCCESS;
3165
next = NULL, result = dns_zone_next(zone, &next), zone = next) {
3166
dns_view_t *zoneview;
3169
* At this point the zone list may contain a stale zone
3170
* just removed from the configuration. To see the validity,
3171
* check if the corresponding view is in our current view list.
3172
* There may also be old zones that are still in the process
3173
* of shutting down and have detached from their old view
3174
* (zoneview == NULL).
3176
zoneview = dns_zone_getview(zone);
3177
if (zoneview == NULL)
3179
for (view = ISC_LIST_HEAD(server->viewlist);
3180
view != NULL && view != zoneview;
3181
view = ISC_LIST_NEXT(view, link))
3186
addrp = dns_zone_getnotifysrc6(zone);
3187
result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3188
if (result != ISC_R_SUCCESS)
3191
addrp = dns_zone_getxfrsource6(zone);
3192
result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3193
if (result != ISC_R_SUCCESS)
3197
ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
3200
ns_listenlist_detach(&list);
3205
* Even when we failed the procedure, most of other interfaces
3206
* should work correctly. We therefore just warn it.
3208
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3209
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3210
"could not adjust the listen-on list; "
3211
"some interfaces may not work");
3216
* This event callback is invoked to do periodic network
3217
* interface scanning.
3220
interface_timer_tick(isc_task_t *task, isc_event_t *event) {
3221
isc_result_t result;
3222
ns_server_t *server = (ns_server_t *) event->ev_arg;
3223
INSIST(task == server->task);
3225
isc_event_free(&event);
3227
* XXX should scan interfaces unlocked and get exclusive access
3228
* only to replace ACLs.
3230
result = isc_task_beginexclusive(server->task);
3231
RUNTIME_CHECK(result == ISC_R_SUCCESS);
3232
scan_interfaces(server, ISC_FALSE);
3233
isc_task_endexclusive(server->task);
3237
heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
3238
ns_server_t *server = (ns_server_t *) event->ev_arg;
3242
isc_event_free(&event);
3243
view = ISC_LIST_HEAD(server->viewlist);
3244
while (view != NULL) {
3245
dns_view_dialup(view);
3246
view = ISC_LIST_NEXT(view, link);
3251
pps_timer_tick(isc_task_t *task, isc_event_t *event) {
3252
static unsigned int oldrequests = 0;
3253
unsigned int requests = ns_client_requests;
3256
isc_event_free(&event);
3259
* Don't worry about wrapping as the overflow result will be right.
3261
dns_pps = (requests - oldrequests) / 1200;
3262
oldrequests = requests;
3266
* Replace the current value of '*field', a dynamically allocated
3267
* string or NULL, with a dynamically allocated copy of the
3268
* null-terminated string pointed to by 'value', or NULL.
3271
setstring(ns_server_t *server, char **field, const char *value) {
3274
if (value != NULL) {
3275
copy = isc_mem_strdup(server->mctx, value);
3277
return (ISC_R_NOMEMORY);
3283
isc_mem_free(server->mctx, *field);
3286
return (ISC_R_SUCCESS);
3290
* Replace the current value of '*field', a dynamically allocated
3291
* string or NULL, with another dynamically allocated string
3292
* or NULL if whether 'obj' is a string or void value, respectively.
3295
setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
3296
if (cfg_obj_isvoid(obj))
3297
return (setstring(server, field, NULL));
3299
return (setstring(server, field, cfg_obj_asstring(obj)));
3303
set_limit(const cfg_obj_t **maps, const char *configname,
3304
const char *description, isc_resource_t resourceid,
3305
isc_resourcevalue_t defaultvalue)
3307
const cfg_obj_t *obj = NULL;
3308
const char *resource;
3309
isc_resourcevalue_t value;
3310
isc_result_t result;
3312
if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
3315
if (cfg_obj_isstring(obj)) {
3316
resource = cfg_obj_asstring(obj);
3317
if (strcasecmp(resource, "unlimited") == 0)
3318
value = ISC_RESOURCE_UNLIMITED;
3320
INSIST(strcasecmp(resource, "default") == 0);
3321
value = defaultvalue;
3324
value = cfg_obj_asuint64(obj);
3326
result = isc_resource_setlimit(resourceid, value);
3327
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3328
result == ISC_R_SUCCESS ?
3329
ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
3330
"set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
3331
description, value, isc_result_totext(result));
3334
#define SETLIMIT(cfgvar, resource, description) \
3335
set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
3336
ns_g_init ## resource)
3339
set_limits(const cfg_obj_t **maps) {
3340
SETLIMIT("stacksize", stacksize, "stack size");
3341
SETLIMIT("datasize", datasize, "data size");
3342
SETLIMIT("coresize", coresize, "core size");
3343
SETLIMIT("files", openfiles, "open files");
3347
portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
3348
isc_boolean_t positive)
3350
const cfg_listelt_t *element;
3352
for (element = cfg_list_first(ports);
3354
element = cfg_list_next(element)) {
3355
const cfg_obj_t *obj = cfg_listelt_value(element);
3357
if (cfg_obj_isuint32(obj)) {
3358
in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
3361
isc_portset_add(portset, port);
3363
isc_portset_remove(portset, port);
3365
const cfg_obj_t *obj_loport, *obj_hiport;
3366
in_port_t loport, hiport;
3368
obj_loport = cfg_tuple_get(obj, "loport");
3369
loport = (in_port_t)cfg_obj_asuint32(obj_loport);
3370
obj_hiport = cfg_tuple_get(obj, "hiport");
3371
hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
3374
isc_portset_addrange(portset, loport, hiport);
3376
isc_portset_removerange(portset, loport,
3384
removed(dns_zone_t *zone, void *uap) {
3387
if (dns_zone_getview(zone) != uap)
3388
return (ISC_R_SUCCESS);
3390
switch (dns_zone_gettype(zone)) {
3391
case dns_zone_master:
3394
case dns_zone_slave:
3404
dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
3405
return (ISC_R_SUCCESS);
3409
cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
3410
if (server->session_keyfile != NULL) {
3411
isc_file_remove(server->session_keyfile);
3412
isc_mem_free(mctx, server->session_keyfile);
3413
server->session_keyfile = NULL;
3416
if (server->session_keyname != NULL) {
3417
if (dns_name_dynamic(server->session_keyname))
3418
dns_name_free(server->session_keyname, mctx);
3419
isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
3420
server->session_keyname = NULL;
3423
if (server->sessionkey != NULL)
3424
dns_tsigkey_detach(&server->sessionkey);
3426
server->session_keyalg = DST_ALG_UNKNOWN;
3427
server->session_keybits = 0;
3431
generate_session_key(const char *filename, const char *keynamestr,
3432
dns_name_t *keyname, const char *algstr,
3433
dns_name_t *algname, unsigned int algtype,
3434
isc_uint16_t bits, isc_mem_t *mctx,
3435
dns_tsigkey_t **tsigkeyp)
3437
isc_result_t result = ISC_R_SUCCESS;
3438
dst_key_t *key = NULL;
3439
isc_buffer_t key_txtbuffer;
3440
isc_buffer_t key_rawbuffer;
3441
char key_txtsecret[256];
3442
char key_rawsecret[64];
3443
isc_region_t key_rawregion;
3445
dns_tsigkey_t *tsigkey = NULL;
3448
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3449
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3450
"generating session key for dynamic DNS");
3453
result = dst_key_generate(keyname, algtype, bits, 1, 0,
3454
DNS_KEYPROTO_ANY, dns_rdataclass_in,
3456
if (result != ISC_R_SUCCESS)
3460
* Dump the key to the buffer for later use. Should be done before
3461
* we transfer the ownership of key to tsigkey.
3463
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
3464
CHECK(dst_key_tobuffer(key, &key_rawbuffer));
3466
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
3467
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
3468
CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
3470
/* Store the key in tsigkey. */
3471
isc_stdtime_get(&now);
3472
CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
3473
ISC_FALSE, NULL, now, now, mctx, NULL,
3475
key = NULL; /* ownership of key has been transferred */
3477
/* Dump the key to the key file. */
3478
fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
3480
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3481
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3482
"could not create %s", filename);
3483
result = ISC_R_NOPERM;
3487
fprintf(fp, "key \"%s\" {\n"
3489
"\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
3490
(int) isc_buffer_usedlength(&key_txtbuffer),
3491
(char*) isc_buffer_base(&key_txtbuffer));
3493
RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
3494
RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
3496
*tsigkeyp = tsigkey;
3498
return (ISC_R_SUCCESS);
3501
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3502
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3503
"failed to generate session key "
3504
"for dynamic DNS: %s", isc_result_totext(result));
3505
if (tsigkey != NULL)
3506
dns_tsigkey_detach(&tsigkey);
3514
configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
3517
const char *keyfile, *keynamestr, *algstr;
3518
unsigned int algtype;
3519
dns_fixedname_t fname;
3520
dns_name_t *keyname, *algname;
3521
isc_buffer_t buffer;
3523
const cfg_obj_t *obj;
3524
isc_boolean_t need_deleteold = ISC_FALSE;
3525
isc_boolean_t need_createnew = ISC_FALSE;
3526
isc_result_t result;
3529
result = ns_config_get(maps, "session-keyfile", &obj);
3530
if (result == ISC_R_SUCCESS) {
3531
if (cfg_obj_isvoid(obj))
3532
keyfile = NULL; /* disable it */
3534
keyfile = cfg_obj_asstring(obj);
3536
keyfile = ns_g_defaultsessionkeyfile;
3539
result = ns_config_get(maps, "session-keyname", &obj);
3540
INSIST(result == ISC_R_SUCCESS);
3541
keynamestr = cfg_obj_asstring(obj);
3542
dns_fixedname_init(&fname);
3543
isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
3544
isc_buffer_add(&buffer, strlen(keynamestr));
3545
keyname = dns_fixedname_name(&fname);
3546
result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
3547
if (result != ISC_R_SUCCESS)
3551
result = ns_config_get(maps, "session-keyalg", &obj);
3552
INSIST(result == ISC_R_SUCCESS);
3553
algstr = cfg_obj_asstring(obj);
3555
result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
3556
if (result != ISC_R_SUCCESS) {
3557
const char *s = " (keeping current key)";
3559
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
3560
"unsupported or unknown algorithm '%s'%s",
3562
server->session_keyfile != NULL ? s : "");
3566
/* See if we need to (re)generate a new key. */
3567
if (keyfile == NULL) {
3568
if (server->session_keyfile != NULL)
3569
need_deleteold = ISC_TRUE;
3570
} else if (server->session_keyfile == NULL)
3571
need_createnew = ISC_TRUE;
3572
else if (strcmp(keyfile, server->session_keyfile) != 0 ||
3573
!dns_name_equal(server->session_keyname, keyname) ||
3574
server->session_keyalg != algtype ||
3575
server->session_keybits != bits) {
3576
need_deleteold = ISC_TRUE;
3577
need_createnew = ISC_TRUE;
3580
if (need_deleteold) {
3581
INSIST(server->session_keyfile != NULL);
3582
INSIST(server->session_keyname != NULL);
3583
INSIST(server->sessionkey != NULL);
3585
cleanup_session_key(server, mctx);
3588
if (need_createnew) {
3589
INSIST(server->sessionkey == NULL);
3590
INSIST(server->session_keyfile == NULL);
3591
INSIST(server->session_keyname == NULL);
3592
INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
3593
INSIST(server->session_keybits == 0);
3595
server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
3596
if (server->session_keyname == NULL)
3598
dns_name_init(server->session_keyname, NULL);
3599
CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
3601
server->session_keyfile = isc_mem_strdup(mctx, keyfile);
3602
if (server->session_keyfile == NULL)
3605
server->session_keyalg = algtype;
3606
server->session_keybits = bits;
3608
CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
3609
algname, algtype, bits, mctx,
3610
&server->sessionkey));
3616
cleanup_session_key(server, mctx);
3621
load_configuration(const char *filename, ns_server_t *server,
3622
isc_boolean_t first_time)
3624
cfg_aclconfctx_t aclconfctx;
3625
cfg_obj_t *config = NULL, *bindkeys = NULL;
3626
cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
3627
const cfg_listelt_t *element;
3628
const cfg_obj_t *builtin_views;
3629
const cfg_obj_t *maps[3];
3630
const cfg_obj_t *obj;
3631
const cfg_obj_t *options;
3632
const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
3633
const cfg_obj_t *views;
3634
dns_view_t *view = NULL;
3635
dns_view_t *view_next;
3636
dns_viewlist_t tmpviewlist;
3637
dns_viewlist_t viewlist, builtin_viewlist;
3638
in_port_t listen_port, udpport_low, udpport_high;
3640
isc_interval_t interval;
3641
isc_portset_t *v4portset = NULL;
3642
isc_portset_t *v6portset = NULL;
3643
isc_resourcevalue_t nfiles;
3644
isc_result_t result;
3645
isc_uint32_t heartbeat_interval;
3646
isc_uint32_t interface_interval;
3647
isc_uint32_t reserved;
3648
isc_uint32_t udpsize;
3649
ns_cachelist_t cachelist, tmpcachelist;
3650
unsigned int maxsocks;
3653
cfg_aclconfctx_init(&aclconfctx);
3654
ISC_LIST_INIT(viewlist);
3655
ISC_LIST_INIT(builtin_viewlist);
3656
ISC_LIST_INIT(cachelist);
3658
/* Ensure exclusive access to configuration data. */
3659
result = isc_task_beginexclusive(server->task);
3660
RUNTIME_CHECK(result == ISC_R_SUCCESS);
3663
* Parse the global default pseudo-config file.
3666
CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
3667
RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
3668
&ns_g_defaults) == ISC_R_SUCCESS);
3672
* Parse the configuration file using the new config code.
3674
result = ISC_R_FAILURE;
3678
* Unless this is lwresd with the -C option, parse the config file.
3680
if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
3681
isc_log_write(ns_g_lctx,
3682
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3683
ISC_LOG_INFO, "loading configuration from '%s'",
3685
CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
3686
cfg_parser_setcallback(conf_parser, directory_callback, NULL);
3687
result = cfg_parse_file(conf_parser, filename,
3688
&cfg_type_namedconf, &config);
3692
* If this is lwresd with the -C option, or lwresd with no -C or -c
3693
* option where the above parsing failed, parse resolv.conf.
3695
if (ns_g_lwresdonly &&
3696
(lwresd_g_useresolvconf ||
3697
(!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
3699
isc_log_write(ns_g_lctx,
3700
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3701
ISC_LOG_INFO, "loading configuration from '%s'",
3702
lwresd_g_resolvconffile);
3703
if (conf_parser != NULL)
3704
cfg_parser_destroy(&conf_parser);
3705
CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
3706
result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
3712
* Check the validity of the configuration.
3714
CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
3717
* Fill in the maps array, used for resolving defaults.
3721
result = cfg_map_get(config, "options", &options);
3722
if (result == ISC_R_SUCCESS)
3723
maps[i++] = options;
3724
maps[i++] = ns_g_defaults;
3728
* If bind.keys exists, load it. If "dnssec-lookaside auto"
3729
* is turned on, the keys found there will be used as default
3733
result = ns_config_get(maps, "bindkeys-file", &obj);
3734
INSIST(result == ISC_R_SUCCESS);
3735
CHECKM(setstring(server, &server->bindkeysfile,
3736
cfg_obj_asstring(obj)), "strdup");
3738
if (access(server->bindkeysfile, R_OK) == 0) {
3739
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3740
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3741
"reading built-in trusted "
3742
"keys from file '%s'", server->bindkeysfile);
3744
CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
3747
result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
3748
&cfg_type_bindkeys, &bindkeys);
3753
* Set process limits, which (usually) needs to be done as root.
3758
* Check if max number of open sockets that the system allows is
3759
* sufficiently large. Failing this condition is not necessarily fatal,
3760
* but may cause subsequent runtime failures for a busy recursive
3763
result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
3764
if (result != ISC_R_SUCCESS)
3766
result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
3767
if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
3768
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3769
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3770
"max open files (%" ISC_PRINT_QUADFORMAT "u)"
3771
" is smaller than max sockets (%u)",
3776
* Set the number of socket reserved for TCP, stdio etc.
3779
result = ns_config_get(maps, "reserved-sockets", &obj);
3780
INSIST(result == ISC_R_SUCCESS);
3781
reserved = cfg_obj_asuint32(obj);
3782
if (maxsocks != 0) {
3783
if (maxsocks < 128U) /* Prevent underflow. */
3785
else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
3786
reserved = maxsocks - 128;
3788
/* Minimum TCP/stdio space. */
3789
if (reserved < 128U)
3791
if (reserved + 128U > maxsocks && maxsocks != 0) {
3792
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3793
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3794
"less than 128 UDP sockets available after "
3795
"applying 'reserved-sockets' and 'maxsockets'");
3797
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
3800
* Configure various server options.
3802
configure_server_quota(maps, "transfers-out", &server->xfroutquota);
3803
configure_server_quota(maps, "tcp-clients", &server->tcpquota);
3804
configure_server_quota(maps, "recursive-clients",
3805
&server->recursionquota);
3806
if (server->recursionquota.max > 1000)
3807
isc_quota_soft(&server->recursionquota,
3808
server->recursionquota.max - 100);
3810
isc_quota_soft(&server->recursionquota, 0);
3812
CHECK(configure_view_acl(NULL, config, "blackhole", NULL, &aclconfctx,
3813
ns_g_mctx, &server->blackholeacl));
3814
if (server->blackholeacl != NULL)
3815
dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
3816
server->blackholeacl);
3819
result = ns_config_get(maps, "match-mapped-addresses", &obj);
3820
INSIST(result == ISC_R_SUCCESS);
3821
server->aclenv.match_mapped = cfg_obj_asboolean(obj);
3823
CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
3824
"configuring statistics server(s)");
3827
* Configure sets of UDP query source ports.
3829
CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
3830
"creating UDP port set");
3831
CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
3832
"creating UDP port set");
3836
avoidv4ports = NULL;
3837
avoidv6ports = NULL;
3839
(void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
3840
if (usev4ports != NULL)
3841
portset_fromconf(v4portset, usev4ports, ISC_TRUE);
3843
CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
3845
"get the default UDP/IPv4 port range");
3846
if (udpport_low == udpport_high)
3847
isc_portset_add(v4portset, udpport_low);
3849
isc_portset_addrange(v4portset, udpport_low,
3852
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3853
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3854
"using default UDP/IPv4 port range: [%d, %d]",
3855
udpport_low, udpport_high);
3857
(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
3858
if (avoidv4ports != NULL)
3859
portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
3861
(void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
3862
if (usev6ports != NULL)
3863
portset_fromconf(v6portset, usev6ports, ISC_TRUE);
3865
CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
3867
"get the default UDP/IPv6 port range");
3868
if (udpport_low == udpport_high)
3869
isc_portset_add(v6portset, udpport_low);
3871
isc_portset_addrange(v6portset, udpport_low,
3874
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3875
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3876
"using default UDP/IPv6 port range: [%d, %d]",
3877
udpport_low, udpport_high);
3879
(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
3880
if (avoidv6ports != NULL)
3881
portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
3883
dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
3886
* Set the EDNS UDP size when we don't match a view.
3889
result = ns_config_get(maps, "edns-udp-size", &obj);
3890
INSIST(result == ISC_R_SUCCESS);
3891
udpsize = cfg_obj_asuint32(obj);
3896
ns_g_udpsize = (isc_uint16_t)udpsize;
3899
* Configure the zone manager.
3902
result = ns_config_get(maps, "transfers-in", &obj);
3903
INSIST(result == ISC_R_SUCCESS);
3904
dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
3907
result = ns_config_get(maps, "transfers-per-ns", &obj);
3908
INSIST(result == ISC_R_SUCCESS);
3909
dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
3912
result = ns_config_get(maps, "serial-query-rate", &obj);
3913
INSIST(result == ISC_R_SUCCESS);
3914
dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
3917
* Determine which port to use for listening for incoming connections.
3920
listen_port = ns_g_port;
3922
CHECKM(ns_config_getport(config, &listen_port), "port");
3925
* Find the listen queue depth.
3928
result = ns_config_get(maps, "tcp-listen-queue", &obj);
3929
INSIST(result == ISC_R_SUCCESS);
3930
ns_g_listen = cfg_obj_asuint32(obj);
3931
if (ns_g_listen < 3)
3935
* Configure the interface manager according to the "listen-on"
3939
const cfg_obj_t *clistenon = NULL;
3940
ns_listenlist_t *listenon = NULL;
3944
* Even though listen-on is present in the default
3945
* configuration, we can't use it here, since it isn't
3946
* used if we're in lwresd mode. This way is easier.
3948
if (options != NULL)
3949
(void)cfg_map_get(options, "listen-on", &clistenon);
3950
if (clistenon != NULL) {
3951
result = ns_listenlist_fromconfig(clistenon,
3956
} else if (!ns_g_lwresdonly) {
3958
* Not specified, use default.
3960
CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
3961
ISC_TRUE, &listenon));
3963
if (listenon != NULL) {
3964
ns_interfacemgr_setlistenon4(server->interfacemgr,
3966
ns_listenlist_detach(&listenon);
3973
const cfg_obj_t *clistenon = NULL;
3974
ns_listenlist_t *listenon = NULL;
3976
if (options != NULL)
3977
(void)cfg_map_get(options, "listen-on-v6", &clistenon);
3978
if (clistenon != NULL) {
3979
result = ns_listenlist_fromconfig(clistenon,
3984
} else if (!ns_g_lwresdonly) {
3985
isc_boolean_t enable;
3987
* Not specified, use default.
3989
enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
3990
CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
3991
enable, &listenon));
3993
if (listenon != NULL) {
3994
ns_interfacemgr_setlistenon6(server->interfacemgr,
3996
ns_listenlist_detach(&listenon);
4001
* Rescan the interface list to pick up changes in the
4002
* listen-on option. It's important that we do this before we try
4003
* to configure the query source, since the dispatcher we use might
4004
* be shared with an interface.
4006
scan_interfaces(server, ISC_TRUE);
4009
* Arrange for further interface scanning to occur periodically
4010
* as specified by the "interface-interval" option.
4013
result = ns_config_get(maps, "interface-interval", &obj);
4014
INSIST(result == ISC_R_SUCCESS);
4015
interface_interval = cfg_obj_asuint32(obj) * 60;
4016
if (interface_interval == 0) {
4017
CHECK(isc_timer_reset(server->interface_timer,
4018
isc_timertype_inactive,
4019
NULL, NULL, ISC_TRUE));
4020
} else if (server->interface_interval != interface_interval) {
4021
isc_interval_set(&interval, interface_interval, 0);
4022
CHECK(isc_timer_reset(server->interface_timer,
4023
isc_timertype_ticker,
4024
NULL, &interval, ISC_FALSE));
4026
server->interface_interval = interface_interval;
4029
* Configure the dialup heartbeat timer.
4032
result = ns_config_get(maps, "heartbeat-interval", &obj);
4033
INSIST(result == ISC_R_SUCCESS);
4034
heartbeat_interval = cfg_obj_asuint32(obj) * 60;
4035
if (heartbeat_interval == 0) {
4036
CHECK(isc_timer_reset(server->heartbeat_timer,
4037
isc_timertype_inactive,
4038
NULL, NULL, ISC_TRUE));
4039
} else if (server->heartbeat_interval != heartbeat_interval) {
4040
isc_interval_set(&interval, heartbeat_interval, 0);
4041
CHECK(isc_timer_reset(server->heartbeat_timer,
4042
isc_timertype_ticker,
4043
NULL, &interval, ISC_FALSE));
4045
server->heartbeat_interval = heartbeat_interval;
4047
isc_interval_set(&interval, 1200, 0);
4048
CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
4049
&interval, ISC_FALSE));
4052
* Write the PID file.
4055
if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
4056
if (cfg_obj_isvoid(obj))
4057
ns_os_writepidfile(NULL, first_time);
4059
ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
4060
else if (ns_g_lwresdonly)
4061
ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
4063
ns_os_writepidfile(ns_g_defaultpidfile, first_time);
4066
* Configure the server-wide session key. This must be done before
4067
* configure views because zone configuration may need to know
4070
* Failure of session key generation isn't fatal at this time; if it
4071
* turns out that a session key is really needed but doesn't exist,
4072
* we'll treat it as a fatal error then.
4074
(void)configure_session_key(maps, server, ns_g_mctx);
4077
* Configure and freeze all explicit views. Explicit
4078
* views that have zones were already created at parsing
4079
* time, but views with no zones must be created here.
4082
(void)cfg_map_get(config, "view", &views);
4083
for (element = cfg_list_first(views);
4085
element = cfg_list_next(element))
4087
const cfg_obj_t *vconfig = cfg_listelt_value(element);
4090
CHECK(create_view(vconfig, &viewlist, &view));
4091
INSIST(view != NULL);
4092
CHECK(configure_view(view, config, vconfig,
4093
&cachelist, bindkeys,
4094
ns_g_mctx, &aclconfctx, ISC_TRUE));
4095
dns_view_freeze(view);
4096
dns_view_detach(&view);
4100
* Make sure we have a default view if and only if there
4101
* were no explicit views.
4103
if (views == NULL) {
4105
* No explicit views; there ought to be a default view.
4106
* There may already be one created as a side effect
4107
* of zone statements, or we may have to create one.
4108
* In either case, we need to configure and freeze it.
4110
CHECK(create_view(NULL, &viewlist, &view));
4111
CHECK(configure_view(view, config, NULL,
4112
&cachelist, bindkeys,
4113
ns_g_mctx, &aclconfctx, ISC_TRUE));
4114
dns_view_freeze(view);
4115
dns_view_detach(&view);
4119
* Create (or recreate) the built-in views.
4121
builtin_views = NULL;
4122
RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
4123
&builtin_views) == ISC_R_SUCCESS);
4124
for (element = cfg_list_first(builtin_views);
4126
element = cfg_list_next(element))
4128
const cfg_obj_t *vconfig = cfg_listelt_value(element);
4130
CHECK(create_view(vconfig, &builtin_viewlist, &view));
4131
CHECK(configure_view(view, config, vconfig,
4132
&cachelist, bindkeys,
4133
ns_g_mctx, &aclconfctx, ISC_FALSE));
4134
dns_view_freeze(view);
4135
dns_view_detach(&view);
4139
/* Now combine the two viewlists into one */
4140
ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
4142
/* Swap our new view list with the production one. */
4143
tmpviewlist = server->viewlist;
4144
server->viewlist = viewlist;
4145
viewlist = tmpviewlist;
4147
/* Make the view list available to each of the views */
4148
view = ISC_LIST_HEAD(server->viewlist);
4149
while (view != NULL) {
4150
view->viewlist = &server->viewlist;
4151
view = ISC_LIST_NEXT(view, link);
4154
/* Swap our new cache list with the production one. */
4155
tmpcachelist = server->cachelist;
4156
server->cachelist = cachelist;
4157
cachelist = tmpcachelist;
4159
/* Load the TKEY information from the configuration. */
4160
if (options != NULL) {
4161
dns_tkeyctx_t *t = NULL;
4162
CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
4164
"configuring TKEY");
4165
if (server->tkeyctx != NULL)
4166
dns_tkeyctx_destroy(&server->tkeyctx);
4167
server->tkeyctx = t;
4171
* Bind the control port(s).
4173
CHECKM(ns_controls_configure(ns_g_server->controls, config,
4175
"binding control channel(s)");
4178
* Bind the lwresd port(s).
4180
CHECKM(ns_lwresd_configure(ns_g_mctx, config),
4181
"binding lightweight resolver ports");
4184
* Open the source of entropy.
4188
result = ns_config_get(maps, "random-device", &obj);
4189
if (result != ISC_R_SUCCESS) {
4190
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4191
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4192
"no source of entropy found");
4194
const char *randomdev = cfg_obj_asstring(obj);
4195
result = isc_entropy_createfilesource(ns_g_entropy,
4197
if (result != ISC_R_SUCCESS)
4198
isc_log_write(ns_g_lctx,
4199
NS_LOGCATEGORY_GENERAL,
4200
NS_LOGMODULE_SERVER,
4202
"could not open entropy source "
4205
isc_result_totext(result));
4206
#ifdef PATH_RANDOMDEV
4207
if (ns_g_fallbackentropy != NULL) {
4208
if (result != ISC_R_SUCCESS) {
4209
isc_log_write(ns_g_lctx,
4210
NS_LOGCATEGORY_GENERAL,
4211
NS_LOGMODULE_SERVER,
4213
"using pre-chroot entropy source "
4216
isc_entropy_detach(&ns_g_entropy);
4217
isc_entropy_attach(ns_g_fallbackentropy,
4220
isc_entropy_detach(&ns_g_fallbackentropy);
4227
* Relinquish root privileges.
4233
* Check that the working directory is writable.
4235
if (access(".", W_OK) != 0) {
4236
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4237
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4238
"the working directory is not writable");
4242
* Configure the logging system.
4244
* Do this after changing UID to make sure that any log
4245
* files specified in named.conf get created by the
4246
* unprivileged user, not root.
4248
if (ns_g_logstderr) {
4249
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4250
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4251
"ignoring config file logging "
4252
"statement due to -g option");
4254
const cfg_obj_t *logobj = NULL;
4255
isc_logconfig_t *logc = NULL;
4257
CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
4258
"creating new logging configuration");
4261
(void)cfg_map_get(config, "logging", &logobj);
4262
if (logobj != NULL) {
4263
CHECKM(ns_log_configure(logc, logobj),
4264
"configuring logging");
4266
CHECKM(ns_log_setdefaultchannels(logc),
4267
"setting up default logging channels");
4268
CHECKM(ns_log_setunmatchedcategory(logc),
4269
"setting up default 'category unmatched'");
4270
CHECKM(ns_log_setdefaultcategory(logc),
4271
"setting up default 'category default'");
4274
result = isc_logconfig_use(ns_g_lctx, logc);
4275
if (result != ISC_R_SUCCESS) {
4276
isc_logconfig_destroy(&logc);
4277
CHECKM(result, "installing logging configuration");
4280
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4281
NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
4282
"now using logging configuration from "
4287
* Set the default value of the query logging flag depending
4288
* whether a "queries" category has been defined. This is
4289
* a disgusting hack, but we need to do this for BIND 8
4293
const cfg_obj_t *logobj = NULL;
4294
const cfg_obj_t *categories = NULL;
4297
if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
4298
server->log_queries = cfg_obj_asboolean(obj);
4301
(void)cfg_map_get(config, "logging", &logobj);
4303
(void)cfg_map_get(logobj, "category",
4305
if (categories != NULL) {
4306
const cfg_listelt_t *element;
4307
for (element = cfg_list_first(categories);
4309
element = cfg_list_next(element))
4311
const cfg_obj_t *catobj;
4314
obj = cfg_listelt_value(element);
4315
catobj = cfg_tuple_get(obj, "name");
4316
str = cfg_obj_asstring(catobj);
4317
if (strcasecmp(str, "queries") == 0)
4318
server->log_queries = ISC_TRUE;
4326
if (options != NULL &&
4327
cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
4328
ns_g_memstatistics = cfg_obj_asboolean(obj);
4330
ns_g_memstatistics =
4331
ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
4334
if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
4335
ns_main_setmemstats(cfg_obj_asstring(obj));
4336
else if (ns_g_memstatistics)
4337
ns_main_setmemstats("named.memstats");
4339
ns_main_setmemstats(NULL);
4342
result = ns_config_get(maps, "statistics-file", &obj);
4343
INSIST(result == ISC_R_SUCCESS);
4344
CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
4348
result = ns_config_get(maps, "dump-file", &obj);
4349
INSIST(result == ISC_R_SUCCESS);
4350
CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
4354
result = ns_config_get(maps, "recursing-file", &obj);
4355
INSIST(result == ISC_R_SUCCESS);
4356
CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
4360
result = ns_config_get(maps, "version", &obj);
4361
if (result == ISC_R_SUCCESS) {
4362
CHECKM(setoptstring(server, &server->version, obj), "strdup");
4363
server->version_set = ISC_TRUE;
4365
server->version_set = ISC_FALSE;
4369
result = ns_config_get(maps, "hostname", &obj);
4370
if (result == ISC_R_SUCCESS) {
4371
CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
4372
server->hostname_set = ISC_TRUE;
4374
server->hostname_set = ISC_FALSE;
4378
result = ns_config_get(maps, "server-id", &obj);
4379
server->server_usehostname = ISC_FALSE;
4380
if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
4381
/* The parser translates "hostname" to ISC_TRUE */
4382
server->server_usehostname = cfg_obj_asboolean(obj);
4383
result = setstring(server, &server->server_id, NULL);
4384
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4385
} else if (result == ISC_R_SUCCESS) {
4386
/* Found a quoted string */
4387
CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
4389
result = setstring(server, &server->server_id, NULL);
4390
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4394
result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
4395
if (result == ISC_R_SUCCESS) {
4396
server->flushonshutdown = cfg_obj_asboolean(obj);
4398
server->flushonshutdown = ISC_FALSE;
4401
result = ISC_R_SUCCESS;
4404
if (v4portset != NULL)
4405
isc_portset_destroy(ns_g_mctx, &v4portset);
4407
if (v6portset != NULL)
4408
isc_portset_destroy(ns_g_mctx, &v6portset);
4410
cfg_aclconfctx_destroy(&aclconfctx);
4412
if (conf_parser != NULL) {
4414
cfg_obj_destroy(conf_parser, &config);
4415
cfg_parser_destroy(&conf_parser);
4418
if (bindkeys_parser != NULL) {
4419
if (bindkeys != NULL)
4420
cfg_obj_destroy(bindkeys_parser, &bindkeys);
4421
cfg_parser_destroy(&bindkeys_parser);
4425
dns_view_detach(&view);
4428
* This cleans up either the old production view list
4429
* or our temporary list depending on whether they
4430
* were swapped above or not.
4432
for (view = ISC_LIST_HEAD(viewlist);
4435
view_next = ISC_LIST_NEXT(view, link);
4436
ISC_LIST_UNLINK(viewlist, view, link);
4437
if (result == ISC_R_SUCCESS &&
4438
strcmp(view->name, "_bind") != 0)
4439
(void)dns_zt_apply(view->zonetable, ISC_FALSE,
4441
dns_view_detach(&view);
4444
/* Same cleanup for cache list. */
4445
while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
4446
ISC_LIST_UNLINK(cachelist, nsc, link);
4447
dns_cache_detach(&nsc->cache);
4448
isc_mem_put(server->mctx, nsc, sizeof(*nsc));
4452
* Adjust the listening interfaces in accordance with the source
4453
* addresses specified in views and zones.
4455
if (isc_net_probeipv6() == ISC_R_SUCCESS)
4456
adjust_interfaces(server, ns_g_mctx);
4458
/* Relinquish exclusive access to configuration data. */
4459
isc_task_endexclusive(server->task);
4461
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4462
ISC_LOG_DEBUG(1), "load_configuration: %s",
4463
isc_result_totext(result));
4469
load_zones(ns_server_t *server, isc_boolean_t stop) {
4470
isc_result_t result;
4473
result = isc_task_beginexclusive(server->task);
4474
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4477
* Load zone data from disk.
4479
for (view = ISC_LIST_HEAD(server->viewlist);
4481
view = ISC_LIST_NEXT(view, link))
4483
CHECK(dns_view_load(view, stop));
4484
if (view->managed_keys != NULL)
4485
CHECK(dns_zone_load(view->managed_keys));
4489
* Force zone maintenance. Do this after loading
4490
* so that we know when we need to force AXFR of
4491
* slave zones whose master files are missing.
4493
CHECK(dns_zonemgr_forcemaint(server->zonemgr));
4495
isc_task_endexclusive(server->task);
4500
load_new_zones(ns_server_t *server, isc_boolean_t stop) {
4501
isc_result_t result;
4504
result = isc_task_beginexclusive(server->task);
4505
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4508
* Load zone data from disk.
4510
for (view = ISC_LIST_HEAD(server->viewlist);
4512
view = ISC_LIST_NEXT(view, link))
4514
CHECK(dns_view_loadnew(view, stop));
4517
* Force zone maintenance. Do this after loading
4518
* so that we know when we need to force AXFR of
4519
* slave zones whose master files are missing.
4521
dns_zonemgr_resumexfrs(server->zonemgr);
4523
isc_task_endexclusive(server->task);
4528
run_server(isc_task_t *task, isc_event_t *event) {
4529
isc_result_t result;
4530
ns_server_t *server = (ns_server_t *)event->ev_arg;
4532
INSIST(task == server->task);
4534
isc_event_free(&event);
4536
CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
4538
"creating dispatch manager");
4540
dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
4542
CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
4543
ns_g_socketmgr, ns_g_dispatchmgr,
4544
&server->interfacemgr),
4545
"creating interface manager");
4547
CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4548
NULL, NULL, server->task,
4549
interface_timer_tick,
4550
server, &server->interface_timer),
4551
"creating interface timer");
4553
CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4554
NULL, NULL, server->task,
4555
heartbeat_timer_tick,
4556
server, &server->heartbeat_timer),
4557
"creating heartbeat timer");
4559
CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4560
NULL, NULL, server->task, pps_timer_tick,
4561
server, &server->pps_timer),
4562
"creating pps timer");
4564
CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
4565
"creating default configuration parser");
4567
if (ns_g_lwresdonly)
4568
CHECKFATAL(load_configuration(lwresd_g_conffile, server,
4570
"loading configuration");
4572
CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
4573
"loading configuration");
4577
CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
4580
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4581
ISC_LOG_NOTICE, "running");
4585
ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
4587
REQUIRE(NS_SERVER_VALID(server));
4589
server->flushonshutdown = flush;
4593
shutdown_server(isc_task_t *task, isc_event_t *event) {
4594
isc_result_t result;
4595
dns_view_t *view, *view_next;
4596
ns_server_t *server = (ns_server_t *)event->ev_arg;
4597
isc_boolean_t flush = server->flushonshutdown;
4601
INSIST(task == server->task);
4603
result = isc_task_beginexclusive(server->task);
4604
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4606
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4607
ISC_LOG_INFO, "shutting down%s",
4608
flush ? ": flushing changes" : "");
4610
ns_statschannels_shutdown(server);
4611
ns_controls_shutdown(server->controls);
4612
end_reserved_dispatches(server, ISC_TRUE);
4613
cleanup_session_key(server, server->mctx);
4615
cfg_obj_destroy(ns_g_parser, &ns_g_config);
4616
cfg_parser_destroy(&ns_g_parser);
4618
for (view = ISC_LIST_HEAD(server->viewlist);
4621
view_next = ISC_LIST_NEXT(view, link);
4622
ISC_LIST_UNLINK(server->viewlist, view, link);
4624
dns_view_flushanddetach(&view);
4626
dns_view_detach(&view);
4629
while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
4630
ISC_LIST_UNLINK(server->cachelist, nsc, link);
4631
dns_cache_detach(&nsc->cache);
4632
isc_mem_put(server->mctx, nsc, sizeof(*nsc));
4635
isc_timer_detach(&server->interface_timer);
4636
isc_timer_detach(&server->heartbeat_timer);
4637
isc_timer_detach(&server->pps_timer);
4639
ns_interfacemgr_shutdown(server->interfacemgr);
4640
ns_interfacemgr_detach(&server->interfacemgr);
4642
dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
4644
dns_zonemgr_shutdown(server->zonemgr);
4646
if (ns_g_sessionkey != NULL) {
4647
dns_tsigkey_detach(&ns_g_sessionkey);
4648
dns_name_free(&ns_g_sessionkeyname, server->mctx);
4651
if (server->blackholeacl != NULL)
4652
dns_acl_detach(&server->blackholeacl);
4654
dns_db_detach(&server->in_roothints);
4656
isc_task_endexclusive(server->task);
4658
isc_task_detach(&server->task);
4660
isc_event_free(&event);
4664
ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
4665
isc_result_t result;
4667
ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
4669
fatal("allocating server object", ISC_R_NOMEMORY);
4671
server->mctx = mctx;
4672
server->task = NULL;
4674
/* Initialize configuration data with default values. */
4676
result = isc_quota_init(&server->xfroutquota, 10);
4677
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4678
result = isc_quota_init(&server->tcpquota, 10);
4679
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4680
result = isc_quota_init(&server->recursionquota, 100);
4681
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4683
result = dns_aclenv_init(mctx, &server->aclenv);
4684
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4686
/* Initialize server data structures. */
4687
server->zonemgr = NULL;
4688
server->interfacemgr = NULL;
4689
ISC_LIST_INIT(server->viewlist);
4690
server->in_roothints = NULL;
4691
server->blackholeacl = NULL;
4693
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
4694
&server->in_roothints),
4695
"setting up root hints");
4697
CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
4698
"initializing reload event lock");
4699
server->reload_event =
4700
isc_event_allocate(ns_g_mctx, server,
4704
sizeof(isc_event_t));
4705
CHECKFATAL(server->reload_event == NULL ?
4706
ISC_R_NOMEMORY : ISC_R_SUCCESS,
4707
"allocating reload event");
4709
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
4710
ns_g_engine, ISC_ENTROPY_GOODONLY),
4711
"initializing DST");
4713
server->tkeyctx = NULL;
4714
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
4716
"creating TKEY context");
4719
* Setup the server task, which is responsible for coordinating
4720
* startup and shutdown of the server.
4722
CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
4723
"creating server task");
4724
isc_task_setname(server->task, "server", server);
4725
CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
4726
"isc_task_onshutdown");
4727
CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
4730
server->interface_timer = NULL;
4731
server->heartbeat_timer = NULL;
4732
server->pps_timer = NULL;
4734
server->interface_interval = 0;
4735
server->heartbeat_interval = 0;
4737
CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
4738
ns_g_socketmgr, &server->zonemgr),
4739
"dns_zonemgr_create");
4741
server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
4742
CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4744
server->nsstats = NULL;
4745
server->rcvquerystats = NULL;
4746
server->opcodestats = NULL;
4747
server->zonestats = NULL;
4748
server->resolverstats = NULL;
4749
server->sockstats = NULL;
4750
CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
4751
isc_sockstatscounter_max),
4752
"isc_stats_create");
4753
isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
4755
server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
4756
CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
4760
server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
4761
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4764
server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
4765
CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4768
server->hostname_set = ISC_FALSE;
4769
server->hostname = NULL;
4770
server->version_set = ISC_FALSE;
4771
server->version = NULL;
4772
server->server_usehostname = ISC_FALSE;
4773
server->server_id = NULL;
4775
CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
4776
dns_nsstatscounter_max),
4777
"dns_stats_create (server)");
4779
CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
4780
&server->rcvquerystats),
4781
"dns_stats_create (rcvquery)");
4783
CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
4784
"dns_stats_create (opcode)");
4786
CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
4787
dns_zonestatscounter_max),
4788
"dns_stats_create (zone)");
4790
CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
4791
dns_resstatscounter_max),
4792
"dns_stats_create (resolver)");
4794
server->flushonshutdown = ISC_FALSE;
4795
server->log_queries = ISC_FALSE;
4797
server->controls = NULL;
4798
CHECKFATAL(ns_controls_create(server, &server->controls),
4799
"ns_controls_create");
4800
server->dispatchgen = 0;
4801
ISC_LIST_INIT(server->dispatches);
4803
ISC_LIST_INIT(server->statschannels);
4805
ISC_LIST_INIT(server->cachelist);
4807
server->sessionkey = NULL;
4808
server->session_keyfile = NULL;
4809
server->session_keyname = NULL;
4810
server->session_keyalg = DST_ALG_UNKNOWN;
4811
server->session_keybits = 0;
4813
server->magic = NS_SERVER_MAGIC;
4818
ns_server_destroy(ns_server_t **serverp) {
4819
ns_server_t *server = *serverp;
4820
REQUIRE(NS_SERVER_VALID(server));
4822
ns_controls_destroy(&server->controls);
4824
isc_stats_detach(&server->nsstats);
4825
dns_stats_detach(&server->rcvquerystats);
4826
dns_stats_detach(&server->opcodestats);
4827
isc_stats_detach(&server->zonestats);
4828
isc_stats_detach(&server->resolverstats);
4829
isc_stats_detach(&server->sockstats);
4831
isc_mem_free(server->mctx, server->statsfile);
4832
isc_mem_free(server->mctx, server->bindkeysfile);
4833
isc_mem_free(server->mctx, server->dumpfile);
4834
isc_mem_free(server->mctx, server->recfile);
4836
if (server->version != NULL)
4837
isc_mem_free(server->mctx, server->version);
4838
if (server->hostname != NULL)
4839
isc_mem_free(server->mctx, server->hostname);
4840
if (server->server_id != NULL)
4841
isc_mem_free(server->mctx, server->server_id);
4843
dns_zonemgr_detach(&server->zonemgr);
4845
if (server->tkeyctx != NULL)
4846
dns_tkeyctx_destroy(&server->tkeyctx);
4850
isc_event_free(&server->reload_event);
4852
INSIST(ISC_LIST_EMPTY(server->viewlist));
4853
INSIST(ISC_LIST_EMPTY(server->cachelist));
4855
dns_aclenv_destroy(&server->aclenv);
4857
isc_quota_destroy(&server->recursionquota);
4858
isc_quota_destroy(&server->tcpquota);
4859
isc_quota_destroy(&server->xfroutquota);
4862
isc_mem_put(server->mctx, server, sizeof(*server));
4867
fatal(const char *msg, isc_result_t result) {
4868
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4869
ISC_LOG_CRITICAL, "%s: %s", msg,
4870
isc_result_totext(result));
4871
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4872
ISC_LOG_CRITICAL, "exiting (due to fatal error)");
4877
start_reserved_dispatches(ns_server_t *server) {
4879
REQUIRE(NS_SERVER_VALID(server));
4881
server->dispatchgen++;
4885
end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
4886
ns_dispatch_t *dispatch, *nextdispatch;
4888
REQUIRE(NS_SERVER_VALID(server));
4890
for (dispatch = ISC_LIST_HEAD(server->dispatches);
4892
dispatch = nextdispatch) {
4893
nextdispatch = ISC_LIST_NEXT(dispatch, link);
4894
if (!all && server->dispatchgen == dispatch-> dispatchgen)
4896
ISC_LIST_UNLINK(server->dispatches, dispatch, link);
4897
dns_dispatch_detach(&dispatch->dispatch);
4898
isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
4903
ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
4904
ns_dispatch_t *dispatch;
4906
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
4907
isc_result_t result;
4908
unsigned int attrs, attrmask;
4910
REQUIRE(NS_SERVER_VALID(server));
4912
port = isc_sockaddr_getport(addr);
4913
if (port == 0 || port >= 1024)
4916
for (dispatch = ISC_LIST_HEAD(server->dispatches);
4918
dispatch = ISC_LIST_NEXT(dispatch, link)) {
4919
if (isc_sockaddr_equal(&dispatch->addr, addr))
4922
if (dispatch != NULL) {
4923
dispatch->dispatchgen = server->dispatchgen;
4927
dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
4928
if (dispatch == NULL) {
4929
result = ISC_R_NOMEMORY;
4933
dispatch->addr = *addr;
4934
dispatch->dispatchgen = server->dispatchgen;
4935
dispatch->dispatch = NULL;
4938
attrs |= DNS_DISPATCHATTR_UDP;
4939
switch (isc_sockaddr_pf(addr)) {
4941
attrs |= DNS_DISPATCHATTR_IPV4;
4944
attrs |= DNS_DISPATCHATTR_IPV6;
4947
result = ISC_R_NOTIMPLEMENTED;
4951
attrmask |= DNS_DISPATCHATTR_UDP;
4952
attrmask |= DNS_DISPATCHATTR_TCP;
4953
attrmask |= DNS_DISPATCHATTR_IPV4;
4954
attrmask |= DNS_DISPATCHATTR_IPV6;
4956
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
4957
ns_g_taskmgr, &dispatch->addr, 4096,
4958
1000, 32768, 16411, 16433,
4959
attrs, attrmask, &dispatch->dispatch);
4960
if (result != ISC_R_SUCCESS)
4963
ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
4968
if (dispatch != NULL)
4969
isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
4970
isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
4971
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4972
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4973
"unable to create dispatch for reserved port %s: %s",
4974
addrbuf, isc_result_totext(result));
4979
loadconfig(ns_server_t *server) {
4980
isc_result_t result;
4981
start_reserved_dispatches(server);
4982
result = load_configuration(ns_g_lwresdonly ?
4983
lwresd_g_conffile : ns_g_conffile,
4985
if (result == ISC_R_SUCCESS) {
4986
end_reserved_dispatches(server, ISC_FALSE);
4987
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4988
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4989
"reloading configuration succeeded");
4991
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4992
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4993
"reloading configuration failed: %s",
4994
isc_result_totext(result));
5000
reload(ns_server_t *server) {
5001
isc_result_t result;
5002
CHECK(loadconfig(server));
5004
result = load_zones(server, ISC_FALSE);
5005
if (result == ISC_R_SUCCESS)
5006
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5007
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5008
"reloading zones succeeded");
5010
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5011
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5012
"reloading zones failed: %s",
5013
isc_result_totext(result));
5020
reconfig(ns_server_t *server) {
5021
isc_result_t result;
5022
CHECK(loadconfig(server));
5024
result = load_new_zones(server, ISC_FALSE);
5025
if (result == ISC_R_SUCCESS)
5026
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5027
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5028
"any newly configured zones are now loaded");
5030
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5031
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5032
"loading new zones failed: %s",
5033
isc_result_totext(result));
5039
* Handle a reload event (from SIGHUP).
5042
ns_server_reload(isc_task_t *task, isc_event_t *event) {
5043
ns_server_t *server = (ns_server_t *)event->ev_arg;
5045
INSIST(task = server->task);
5048
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5049
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5050
"received SIGHUP signal to reload zones");
5051
(void)reload(server);
5053
LOCK(&server->reload_event_lock);
5054
INSIST(server->reload_event == NULL);
5055
server->reload_event = event;
5056
UNLOCK(&server->reload_event_lock);
5060
ns_server_reloadwanted(ns_server_t *server) {
5061
LOCK(&server->reload_event_lock);
5062
if (server->reload_event != NULL)
5063
isc_task_send(server->task, &server->reload_event);
5064
UNLOCK(&server->reload_event_lock);
5068
next_token(char **stringp, const char *delim) {
5072
res = strsep(stringp, delim);
5075
} while (*res == '\0');
5080
* Find the zone specified in the control channel command 'args',
5081
* if any. If a zone is specified, point '*zonep' at it, otherwise
5082
* set '*zonep' to NULL.
5085
zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
5087
const char *zonetxt;
5089
const char *viewtxt = NULL;
5090
dns_fixedname_t name;
5091
isc_result_t result;
5093
dns_view_t *view = NULL;
5094
dns_rdataclass_t rdclass;
5096
REQUIRE(zonep != NULL && *zonep == NULL);
5100
/* Skip the command name. */
5101
ptr = next_token(&input, " \t");
5103
return (ISC_R_UNEXPECTEDEND);
5105
/* Look for the zone name. */
5106
zonetxt = next_token(&input, " \t");
5107
if (zonetxt == NULL)
5108
return (ISC_R_SUCCESS);
5110
/* Look for the optional class name. */
5111
classtxt = next_token(&input, " \t");
5112
if (classtxt != NULL) {
5113
/* Look for the optional view name. */
5114
viewtxt = next_token(&input, " \t");
5117
isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
5118
isc_buffer_add(&buf, strlen(zonetxt));
5119
dns_fixedname_init(&name);
5120
result = dns_name_fromtext(dns_fixedname_name(&name),
5121
&buf, dns_rootname, 0, NULL);
5122
if (result != ISC_R_SUCCESS)
5125
if (classtxt != NULL) {
5128
r.length = strlen(classtxt);
5129
result = dns_rdataclass_fromtext(&rdclass, &r);
5130
if (result != ISC_R_SUCCESS)
5133
rdclass = dns_rdataclass_in;
5135
if (viewtxt == NULL) {
5136
result = dns_viewlist_findzone(&server->viewlist,
5137
dns_fixedname_name(&name),
5138
ISC_TF(classtxt == NULL),
5141
result = dns_viewlist_find(&server->viewlist, viewtxt,
5143
if (result != ISC_R_SUCCESS)
5146
result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
5148
dns_view_detach(&view);
5151
/* Partial match? */
5152
if (result != ISC_R_SUCCESS && *zonep != NULL)
5153
dns_zone_detach(zonep);
5154
if (result == DNS_R_PARTIALMATCH)
5155
result = ISC_R_NOTFOUND;
5161
* Act on a "retransfer" command from the command channel.
5164
ns_server_retransfercommand(ns_server_t *server, char *args) {
5165
isc_result_t result;
5166
dns_zone_t *zone = NULL;
5167
dns_zonetype_t type;
5169
result = zone_from_args(server, args, &zone);
5170
if (result != ISC_R_SUCCESS)
5173
return (ISC_R_UNEXPECTEDEND);
5174
type = dns_zone_gettype(zone);
5175
if (type == dns_zone_slave || type == dns_zone_stub)
5176
dns_zone_forcereload(zone);
5178
result = ISC_R_NOTFOUND;
5179
dns_zone_detach(&zone);
5184
* Act on a "reload" command from the command channel.
5187
ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5188
isc_result_t result;
5189
dns_zone_t *zone = NULL;
5190
dns_zonetype_t type;
5191
const char *msg = NULL;
5193
result = zone_from_args(server, args, &zone);
5194
if (result != ISC_R_SUCCESS)
5197
result = reload(server);
5198
if (result == ISC_R_SUCCESS)
5199
msg = "server reload successful";
5201
type = dns_zone_gettype(zone);
5202
if (type == dns_zone_slave || type == dns_zone_stub) {
5203
dns_zone_refresh(zone);
5204
dns_zone_detach(&zone);
5205
msg = "zone refresh queued";
5207
result = dns_zone_load(zone);
5208
dns_zone_detach(&zone);
5211
msg = "zone reload successful";
5213
case DNS_R_CONTINUE:
5214
msg = "zone reload queued";
5215
result = ISC_R_SUCCESS;
5217
case DNS_R_UPTODATE:
5218
msg = "zone reload up-to-date";
5219
result = ISC_R_SUCCESS;
5222
/* failure message will be generated by rndc */
5227
if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
5228
isc_buffer_putmem(text, (const unsigned char *)msg,
5234
* Act on a "reconfig" command from the command channel.
5237
ns_server_reconfigcommand(ns_server_t *server, char *args) {
5241
return (ISC_R_SUCCESS);
5245
* Act on a "notify" command from the command channel.
5248
ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5249
isc_result_t result;
5250
dns_zone_t *zone = NULL;
5251
const unsigned char msg[] = "zone notify queued";
5253
result = zone_from_args(server, args, &zone);
5254
if (result != ISC_R_SUCCESS)
5257
return (ISC_R_UNEXPECTEDEND);
5259
dns_zone_notify(zone);
5260
dns_zone_detach(&zone);
5261
if (sizeof(msg) <= isc_buffer_availablelength(text))
5262
isc_buffer_putmem(text, msg, sizeof(msg));
5264
return (ISC_R_SUCCESS);
5268
* Act on a "refresh" command from the command channel.
5271
ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5272
isc_result_t result;
5273
dns_zone_t *zone = NULL;
5274
const unsigned char msg1[] = "zone refresh queued";
5275
const unsigned char msg2[] = "not a slave or stub zone";
5276
dns_zonetype_t type;
5278
result = zone_from_args(server, args, &zone);
5279
if (result != ISC_R_SUCCESS)
5282
return (ISC_R_UNEXPECTEDEND);
5284
type = dns_zone_gettype(zone);
5285
if (type == dns_zone_slave || type == dns_zone_stub) {
5286
dns_zone_refresh(zone);
5287
dns_zone_detach(&zone);
5288
if (sizeof(msg1) <= isc_buffer_availablelength(text))
5289
isc_buffer_putmem(text, msg1, sizeof(msg1));
5290
return (ISC_R_SUCCESS);
5293
dns_zone_detach(&zone);
5294
if (sizeof(msg2) <= isc_buffer_availablelength(text))
5295
isc_buffer_putmem(text, msg2, sizeof(msg2));
5296
return (ISC_R_FAILURE);
5300
ns_server_togglequerylog(ns_server_t *server) {
5301
server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
5303
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5304
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5305
"query logging is now %s",
5306
server->log_queries ? "on" : "off");
5307
return (ISC_R_SUCCESS);
5311
ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
5312
cfg_aclconfctx_t *actx,
5313
isc_mem_t *mctx, ns_listenlist_t **target)
5315
isc_result_t result;
5316
const cfg_listelt_t *element;
5317
ns_listenlist_t *dlist = NULL;
5319
REQUIRE(target != NULL && *target == NULL);
5321
result = ns_listenlist_create(mctx, &dlist);
5322
if (result != ISC_R_SUCCESS)
5325
for (element = cfg_list_first(listenlist);
5327
element = cfg_list_next(element))
5329
ns_listenelt_t *delt = NULL;
5330
const cfg_obj_t *listener = cfg_listelt_value(element);
5331
result = ns_listenelt_fromconfig(listener, config, actx,
5333
if (result != ISC_R_SUCCESS)
5335
ISC_LIST_APPEND(dlist->elts, delt, link);
5338
return (ISC_R_SUCCESS);
5341
ns_listenlist_detach(&dlist);
5346
* Create a listen list from the corresponding configuration
5350
ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
5351
cfg_aclconfctx_t *actx,
5352
isc_mem_t *mctx, ns_listenelt_t **target)
5354
isc_result_t result;
5355
const cfg_obj_t *portobj;
5357
ns_listenelt_t *delt = NULL;
5358
REQUIRE(target != NULL && *target == NULL);
5360
portobj = cfg_tuple_get(listener, "port");
5361
if (!cfg_obj_isuint32(portobj)) {
5362
if (ns_g_port != 0) {
5365
result = ns_config_getport(config, &port);
5366
if (result != ISC_R_SUCCESS)
5370
if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
5371
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
5372
"port value '%u' is out of range",
5373
cfg_obj_asuint32(portobj));
5374
return (ISC_R_RANGE);
5376
port = (in_port_t)cfg_obj_asuint32(portobj);
5379
result = ns_listenelt_create(mctx, port, NULL, &delt);
5380
if (result != ISC_R_SUCCESS)
5383
result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
5384
config, ns_g_lctx, actx, mctx, 0,
5386
if (result != ISC_R_SUCCESS) {
5387
ns_listenelt_destroy(delt);
5391
return (ISC_R_SUCCESS);
5395
ns_server_dumpstats(ns_server_t *server) {
5396
isc_result_t result;
5399
CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
5400
"could not open statistics dump file", server->statsfile);
5402
result = ns_stats_dump(server, fp);
5407
(void)isc_stdio_close(fp);
5408
if (result == ISC_R_SUCCESS)
5409
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5410
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5411
"dumpstats complete");
5413
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5414
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5415
"dumpstats failed: %s",
5416
dns_result_totext(result));
5421
add_zone_tolist(dns_zone_t *zone, void *uap) {
5422
struct dumpcontext *dctx = uap;
5423
struct zonelistentry *zle;
5425
zle = isc_mem_get(dctx->mctx, sizeof *zle);
5427
return (ISC_R_NOMEMORY);
5429
dns_zone_attach(zone, &zle->zone);
5430
ISC_LINK_INIT(zle, link);
5431
ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
5432
return (ISC_R_SUCCESS);
5436
add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
5437
struct viewlistentry *vle;
5438
isc_result_t result = ISC_R_SUCCESS;
5441
* Prevent duplicate views.
5443
for (vle = ISC_LIST_HEAD(dctx->viewlist);
5445
vle = ISC_LIST_NEXT(vle, link))
5446
if (vle->view == view)
5447
return (ISC_R_SUCCESS);
5449
vle = isc_mem_get(dctx->mctx, sizeof *vle);
5451
return (ISC_R_NOMEMORY);
5453
dns_view_attach(view, &vle->view);
5454
ISC_LINK_INIT(vle, link);
5455
ISC_LIST_INIT(vle->zonelist);
5456
ISC_LIST_APPEND(dctx->viewlist, vle, link);
5457
if (dctx->dumpzones)
5458
result = dns_zt_apply(view->zonetable, ISC_TRUE,
5459
add_zone_tolist, dctx);
5464
dumpcontext_destroy(struct dumpcontext *dctx) {
5465
struct viewlistentry *vle;
5466
struct zonelistentry *zle;
5468
vle = ISC_LIST_HEAD(dctx->viewlist);
5469
while (vle != NULL) {
5470
ISC_LIST_UNLINK(dctx->viewlist, vle, link);
5471
zle = ISC_LIST_HEAD(vle->zonelist);
5472
while (zle != NULL) {
5473
ISC_LIST_UNLINK(vle->zonelist, zle, link);
5474
dns_zone_detach(&zle->zone);
5475
isc_mem_put(dctx->mctx, zle, sizeof *zle);
5476
zle = ISC_LIST_HEAD(vle->zonelist);
5478
dns_view_detach(&vle->view);
5479
isc_mem_put(dctx->mctx, vle, sizeof *vle);
5480
vle = ISC_LIST_HEAD(dctx->viewlist);
5482
if (dctx->version != NULL)
5483
dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
5484
if (dctx->db != NULL)
5485
dns_db_detach(&dctx->db);
5486
if (dctx->cache != NULL)
5487
dns_db_detach(&dctx->cache);
5488
if (dctx->task != NULL)
5489
isc_task_detach(&dctx->task);
5490
if (dctx->fp != NULL)
5491
(void)isc_stdio_close(dctx->fp);
5492
if (dctx->mdctx != NULL)
5493
dns_dumpctx_detach(&dctx->mdctx);
5494
isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
5498
dumpdone(void *arg, isc_result_t result) {
5499
struct dumpcontext *dctx = arg;
5501
const dns_master_style_t *style;
5503
if (result != ISC_R_SUCCESS)
5505
if (dctx->mdctx != NULL)
5506
dns_dumpctx_detach(&dctx->mdctx);
5507
if (dctx->view == NULL) {
5508
dctx->view = ISC_LIST_HEAD(dctx->viewlist);
5509
if (dctx->view == NULL)
5511
INSIST(dctx->zone == NULL);
5515
fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
5517
if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
5519
";\n; Cache of view '%s' is shared as '%s'\n",
5520
dctx->view->view->name,
5521
dns_cache_getname(dctx->view->view->cache));
5522
} else if (dctx->zone == NULL && dctx->cache == NULL &&
5525
style = &dns_master_style_cache;
5526
/* start cache dump */
5527
if (dctx->view->view->cachedb != NULL)
5528
dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
5529
if (dctx->cache != NULL) {
5531
";\n; Cache dump of view '%s' (cache %s)\n;\n",
5532
dctx->view->view->name,
5533
dns_cache_getname(dctx->view->view->cache));
5534
result = dns_master_dumptostreaminc(dctx->mctx,
5540
if (result == DNS_R_CONTINUE)
5542
if (result == ISC_R_NOTIMPLEMENTED)
5543
fprintf(dctx->fp, "; %s\n",
5544
dns_result_totext(result));
5545
else if (result != ISC_R_SUCCESS)
5549
if (dctx->cache != NULL) {
5550
dns_adb_dump(dctx->view->view->adb, dctx->fp);
5551
dns_resolver_printbadcache(dctx->view->view->resolver,
5553
dns_db_detach(&dctx->cache);
5555
if (dctx->dumpzones) {
5556
style = &dns_master_style_full;
5558
if (dctx->version != NULL)
5559
dns_db_closeversion(dctx->db, &dctx->version,
5561
if (dctx->db != NULL)
5562
dns_db_detach(&dctx->db);
5563
if (dctx->zone == NULL)
5564
dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
5566
dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
5567
if (dctx->zone != NULL) {
5568
/* start zone dump */
5569
dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
5570
fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
5571
result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
5572
if (result != ISC_R_SUCCESS) {
5573
fprintf(dctx->fp, "; %s\n",
5574
dns_result_totext(result));
5577
dns_db_currentversion(dctx->db, &dctx->version);
5578
result = dns_master_dumptostreaminc(dctx->mctx,
5585
if (result == DNS_R_CONTINUE)
5587
if (result == ISC_R_NOTIMPLEMENTED) {
5588
fprintf(dctx->fp, "; %s\n",
5589
dns_result_totext(result));
5590
result = ISC_R_SUCCESS;
5593
if (result != ISC_R_SUCCESS)
5597
if (dctx->view != NULL)
5598
dctx->view = ISC_LIST_NEXT(dctx->view, link);
5599
if (dctx->view != NULL)
5602
fprintf(dctx->fp, "; Dump complete\n");
5603
result = isc_stdio_flush(dctx->fp);
5604
if (result == ISC_R_SUCCESS)
5605
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5606
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5609
if (result != ISC_R_SUCCESS)
5610
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5611
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5612
"dumpdb failed: %s", dns_result_totext(result));
5613
dumpcontext_destroy(dctx);
5617
ns_server_dumpdb(ns_server_t *server, char *args) {
5618
struct dumpcontext *dctx = NULL;
5620
isc_result_t result;
5624
/* Skip the command name. */
5625
ptr = next_token(&args, " \t");
5627
return (ISC_R_UNEXPECTEDEND);
5629
dctx = isc_mem_get(server->mctx, sizeof(*dctx));
5631
return (ISC_R_NOMEMORY);
5633
dctx->mctx = server->mctx;
5634
dctx->dumpcache = ISC_TRUE;
5635
dctx->dumpzones = ISC_FALSE;
5637
ISC_LIST_INIT(dctx->viewlist);
5645
dctx->version = NULL;
5646
isc_task_attach(server->task, &dctx->task);
5648
CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
5649
"could not open dump file", server->dumpfile);
5651
sep = (args == NULL) ? "" : ": ";
5652
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5653
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5654
"dumpdb started%s%s", sep, (args != NULL) ? args : "");
5656
ptr = next_token(&args, " \t");
5657
if (ptr != NULL && strcmp(ptr, "-all") == 0) {
5658
dctx->dumpzones = ISC_TRUE;
5659
dctx->dumpcache = ISC_TRUE;
5660
ptr = next_token(&args, " \t");
5661
} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
5662
dctx->dumpzones = ISC_FALSE;
5663
dctx->dumpcache = ISC_TRUE;
5664
ptr = next_token(&args, " \t");
5665
} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
5666
dctx->dumpzones = ISC_TRUE;
5667
dctx->dumpcache = ISC_FALSE;
5668
ptr = next_token(&args, " \t");
5672
for (view = ISC_LIST_HEAD(server->viewlist);
5674
view = ISC_LIST_NEXT(view, link))
5676
if (ptr != NULL && strcmp(view->name, ptr) != 0)
5678
CHECK(add_view_tolist(dctx, view));
5681
ptr = next_token(&args, " \t");
5685
dumpdone(dctx, ISC_R_SUCCESS);
5686
return (ISC_R_SUCCESS);
5690
dumpcontext_destroy(dctx);
5695
ns_server_dumprecursing(ns_server_t *server) {
5697
isc_result_t result;
5699
CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
5700
"could not open dump file", server->recfile);
5701
fprintf(fp,";\n; Recursing Queries\n;\n");
5702
ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
5703
fprintf(fp, "; Dump complete\n");
5707
result = isc_stdio_close(fp);
5708
if (result == ISC_R_SUCCESS)
5709
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5710
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5711
"dumprecursing complete");
5713
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5714
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5715
"dumprecursing failed: %s",
5716
dns_result_totext(result));
5721
ns_server_setdebuglevel(ns_server_t *server, char *args) {
5729
/* Skip the command name. */
5730
ptr = next_token(&args, " \t");
5732
return (ISC_R_UNEXPECTEDEND);
5734
/* Look for the new level name. */
5735
levelstr = next_token(&args, " \t");
5736
if (levelstr == NULL) {
5737
if (ns_g_debuglevel < 99)
5740
newlevel = strtol(levelstr, &endp, 10);
5741
if (*endp != '\0' || newlevel < 0 || newlevel > 99)
5742
return (ISC_R_RANGE);
5743
ns_g_debuglevel = (unsigned int)newlevel;
5745
isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
5746
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5747
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5748
"debug level is now %d", ns_g_debuglevel);
5749
return (ISC_R_SUCCESS);
5753
ns_server_validation(ns_server_t *server, char *args) {
5754
char *ptr, *viewname;
5756
isc_boolean_t changed = ISC_FALSE;
5757
isc_result_t result;
5758
isc_boolean_t enable;
5760
/* Skip the command name. */
5761
ptr = next_token(&args, " \t");
5763
return (ISC_R_UNEXPECTEDEND);
5765
/* Find out what we are to do. */
5766
ptr = next_token(&args, " \t");
5768
return (ISC_R_UNEXPECTEDEND);
5770
if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
5771
!strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
5773
else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
5774
!strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
5777
return (DNS_R_SYNTAX);
5779
/* Look for the view name. */
5780
viewname = next_token(&args, " \t");
5782
result = isc_task_beginexclusive(server->task);
5783
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5784
for (view = ISC_LIST_HEAD(server->viewlist);
5786
view = ISC_LIST_NEXT(view, link))
5788
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
5790
result = dns_view_flushcache(view);
5791
if (result != ISC_R_SUCCESS)
5793
view->enablevalidation = enable;
5797
result = ISC_R_SUCCESS;
5799
result = ISC_R_FAILURE;
5801
isc_task_endexclusive(server->task);
5806
ns_server_flushcache(ns_server_t *server, char *args) {
5807
char *ptr, *viewname;
5809
isc_boolean_t flushed;
5810
isc_boolean_t found;
5811
isc_result_t result;
5814
/* Skip the command name. */
5815
ptr = next_token(&args, " \t");
5817
return (ISC_R_UNEXPECTEDEND);
5819
/* Look for the view name. */
5820
viewname = next_token(&args, " \t");
5822
result = isc_task_beginexclusive(server->task);
5823
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5828
* Flushing a cache is tricky when caches are shared by multiple views.
5829
* We first identify which caches should be flushed in the local cache
5830
* list, flush these caches, and then update other views that refer to
5831
* the flushed cache DB.
5833
if (viewname != NULL) {
5835
* Mark caches that need to be flushed. This is an O(#view^2)
5836
* operation in the very worst case, but should be normally
5837
* much more lightweight because only a few (most typically just
5838
* one) views will match.
5840
for (view = ISC_LIST_HEAD(server->viewlist);
5842
view = ISC_LIST_NEXT(view, link))
5844
if (strcasecmp(viewname, view->name) != 0)
5847
for (nsc = ISC_LIST_HEAD(server->cachelist);
5849
nsc = ISC_LIST_NEXT(nsc, link)) {
5850
if (nsc->cache == view->cache)
5853
INSIST(nsc != NULL);
5854
nsc->needflush = ISC_TRUE;
5860
for (nsc = ISC_LIST_HEAD(server->cachelist);
5862
nsc = ISC_LIST_NEXT(nsc, link)) {
5863
if (viewname != NULL && !nsc->needflush)
5865
nsc->needflush = ISC_TRUE;
5866
result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
5867
if (result != ISC_R_SUCCESS) {
5868
flushed = ISC_FALSE;
5869
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5870
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5871
"flushing cache in view '%s' failed: %s",
5872
nsc->primaryview->name,
5873
isc_result_totext(result));
5878
* Fix up views that share a flushed cache: let the views update the
5879
* cache DB they're referring to. This could also be an expensive
5880
* operation, but should typically be marginal: the inner loop is only
5881
* necessary for views that share a cache, and if there are many such
5882
* views the number of shared cache should normally be small.
5883
* A worst case is that we have n views and n/2 caches, each shared by
5884
* two views. Then this will be a O(n^2/4) operation.
5886
for (view = ISC_LIST_HEAD(server->viewlist);
5888
view = ISC_LIST_NEXT(view, link))
5890
if (!dns_view_iscacheshared(view))
5892
for (nsc = ISC_LIST_HEAD(server->cachelist);
5894
nsc = ISC_LIST_NEXT(nsc, link)) {
5895
if (!nsc->needflush || nsc->cache != view->cache)
5897
result = dns_view_flushcache2(view, ISC_TRUE);
5898
if (result != ISC_R_SUCCESS) {
5899
flushed = ISC_FALSE;
5900
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5901
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5902
"fixing cache in view '%s' "
5903
"failed: %s", view->name,
5904
isc_result_totext(result));
5909
/* Cleanup the cache list. */
5910
for (nsc = ISC_LIST_HEAD(server->cachelist);
5912
nsc = ISC_LIST_NEXT(nsc, link)) {
5913
nsc->needflush = ISC_FALSE;
5916
if (flushed && found) {
5917
if (viewname != NULL)
5918
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5919
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5920
"flushing cache in view '%s' succeeded",
5923
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5924
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5925
"flushing caches in all views succeeded");
5926
result = ISC_R_SUCCESS;
5929
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5930
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5931
"flushing cache in view '%s' failed: "
5932
"view not found", viewname);
5933
result = ISC_R_NOTFOUND;
5935
result = ISC_R_FAILURE;
5937
isc_task_endexclusive(server->task);
5942
ns_server_flushname(ns_server_t *server, char *args) {
5943
char *ptr, *target, *viewname;
5945
isc_boolean_t flushed;
5946
isc_boolean_t found;
5947
isc_result_t result;
5949
dns_fixedname_t fixed;
5952
/* Skip the command name. */
5953
ptr = next_token(&args, " \t");
5955
return (ISC_R_UNEXPECTEDEND);
5957
/* Find the domain name to flush. */
5958
target = next_token(&args, " \t");
5960
return (ISC_R_UNEXPECTEDEND);
5962
isc_buffer_init(&b, target, strlen(target));
5963
isc_buffer_add(&b, strlen(target));
5964
dns_fixedname_init(&fixed);
5965
name = dns_fixedname_name(&fixed);
5966
result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
5967
if (result != ISC_R_SUCCESS)
5970
/* Look for the view name. */
5971
viewname = next_token(&args, " \t");
5973
result = isc_task_beginexclusive(server->task);
5974
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5977
for (view = ISC_LIST_HEAD(server->viewlist);
5979
view = ISC_LIST_NEXT(view, link))
5981
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
5985
* It's a little inefficient to try flushing name for all views
5986
* if some of the views share a single cache. But since the
5987
* operation is lightweight we prefer simplicity here.
5989
result = dns_view_flushname(view, name);
5990
if (result != ISC_R_SUCCESS) {
5991
flushed = ISC_FALSE;
5992
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5993
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5994
"flushing name '%s' in cache view '%s' "
5995
"failed: %s", target, view->name,
5996
isc_result_totext(result));
5999
if (flushed && found) {
6000
if (viewname != NULL)
6001
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6002
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6003
"flushing name '%s' in cache view '%s' "
6004
"succeeded", target, viewname);
6006
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6007
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6008
"flushing name '%s' in all cache views "
6009
"succeeded", target);
6010
result = ISC_R_SUCCESS;
6013
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6014
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6015
"flushing name '%s' in cache view '%s' "
6016
"failed: view not found", target,
6018
result = ISC_R_FAILURE;
6020
isc_task_endexclusive(server->task);
6025
ns_server_status(ns_server_t *server, isc_buffer_t *text) {
6026
int zonecount, xferrunning, xferdeferred, soaqueries;
6028
const char *ob = "", *cb = "", *alt = "";
6030
if (ns_g_server->version_set) {
6033
if (ns_g_server->version == NULL)
6034
alt = "version.bind/txt/ch disabled";
6036
alt = ns_g_server->version;
6038
zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
6039
xferrunning = dns_zonemgr_getcount(server->zonemgr,
6040
DNS_ZONESTATE_XFERRUNNING);
6041
xferdeferred = dns_zonemgr_getcount(server->zonemgr,
6042
DNS_ZONESTATE_XFERDEFERRED);
6043
soaqueries = dns_zonemgr_getcount(server->zonemgr,
6044
DNS_ZONESTATE_SOAQUERY);
6046
n = snprintf((char *)isc_buffer_used(text),
6047
isc_buffer_availablelength(text),
6048
"version: %s%s%s%s\n"
6049
#ifdef ISC_PLATFORM_USETHREADS
6051
"worker threads: %u\n"
6053
"number of zones: %u\n"
6055
"xfers running: %u\n"
6056
"xfers deferred: %u\n"
6057
"soa queries in progress: %u\n"
6058
"query logging is %s\n"
6059
"recursive clients: %d/%d/%d\n"
6060
"tcp clients: %d/%d\n"
6061
"server is up and running",
6062
ns_g_version, ob, alt, cb,
6063
#ifdef ISC_PLATFORM_USETHREADS
6064
ns_g_cpus_detected, ns_g_cpus,
6066
zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
6067
soaqueries, server->log_queries ? "ON" : "OFF",
6068
server->recursionquota.used, server->recursionquota.soft,
6069
server->recursionquota.max,
6070
server->tcpquota.used, server->tcpquota.max);
6071
if (n >= isc_buffer_availablelength(text))
6072
return (ISC_R_NOSPACE);
6073
isc_buffer_add(text, n);
6074
return (ISC_R_SUCCESS);
6078
delete_keynames(dns_tsig_keyring_t *ring, char *target,
6079
unsigned int *foundkeys)
6081
char namestr[DNS_NAME_FORMATSIZE];
6082
isc_result_t result;
6083
dns_rbtnodechain_t chain;
6084
dns_name_t foundname;
6085
dns_fixedname_t fixedorigin;
6087
dns_rbtnode_t *node;
6088
dns_tsigkey_t *tkey;
6090
dns_name_init(&foundname, NULL);
6091
dns_fixedname_init(&fixedorigin);
6092
origin = dns_fixedname_name(&fixedorigin);
6095
dns_rbtnodechain_init(&chain, ring->mctx);
6096
result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
6098
if (result == ISC_R_NOTFOUND) {
6099
dns_rbtnodechain_invalidate(&chain);
6100
return (ISC_R_SUCCESS);
6102
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6103
dns_rbtnodechain_invalidate(&chain);
6109
dns_rbtnodechain_current(&chain, &foundname, origin, &node);
6113
if (!tkey->generated)
6116
dns_name_format(&tkey->name, namestr, sizeof(namestr));
6117
if (strcmp(namestr, target) == 0) {
6119
dns_rbtnodechain_invalidate(&chain);
6120
(void)dns_rbt_deletename(ring->keys,
6128
result = dns_rbtnodechain_next(&chain, &foundname, origin);
6129
if (result == ISC_R_NOMORE)
6131
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6132
dns_rbtnodechain_invalidate(&chain);
6137
return (ISC_R_SUCCESS);
6141
ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
6142
isc_result_t result;
6145
unsigned int foundkeys = 0;
6149
(void)next_token(&command, " \t"); /* skip command name */
6150
target = next_token(&command, " \t");
6152
return (ISC_R_UNEXPECTEDEND);
6153
viewname = next_token(&command, " \t");
6155
result = isc_task_beginexclusive(server->task);
6156
RUNTIME_CHECK(result == ISC_R_SUCCESS);
6157
for (view = ISC_LIST_HEAD(server->viewlist);
6159
view = ISC_LIST_NEXT(view, link)) {
6160
if (viewname == NULL || strcmp(view->name, viewname) == 0) {
6161
RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
6162
result = delete_keynames(view->dynamickeys, target,
6164
RWUNLOCK(&view->dynamickeys->lock,
6165
isc_rwlocktype_write);
6166
if (result != ISC_R_SUCCESS) {
6167
isc_task_endexclusive(server->task);
6172
isc_task_endexclusive(server->task);
6174
n = snprintf((char *)isc_buffer_used(text),
6175
isc_buffer_availablelength(text),
6176
"%d tsig keys deleted.\n", foundkeys);
6177
if (n >= isc_buffer_availablelength(text))
6178
return (ISC_R_NOSPACE);
6179
isc_buffer_add(text, n);
6181
return (ISC_R_SUCCESS);
6185
list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
6186
unsigned int *foundkeys)
6188
char namestr[DNS_NAME_FORMATSIZE];
6189
char creatorstr[DNS_NAME_FORMATSIZE];
6190
isc_result_t result;
6191
dns_rbtnodechain_t chain;
6192
dns_name_t foundname;
6193
dns_fixedname_t fixedorigin;
6195
dns_rbtnode_t *node;
6196
dns_tsigkey_t *tkey;
6198
const char *viewname;
6201
viewname = view->name;
6203
viewname = "(global)";
6205
dns_name_init(&foundname, NULL);
6206
dns_fixedname_init(&fixedorigin);
6207
origin = dns_fixedname_name(&fixedorigin);
6208
dns_rbtnodechain_init(&chain, ring->mctx);
6209
result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
6211
if (result == ISC_R_NOTFOUND) {
6212
dns_rbtnodechain_invalidate(&chain);
6213
return (ISC_R_SUCCESS);
6215
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6216
dns_rbtnodechain_invalidate(&chain);
6222
dns_rbtnodechain_current(&chain, &foundname, origin, &node);
6227
dns_name_format(&tkey->name, namestr, sizeof(namestr));
6228
if (tkey->generated) {
6229
dns_name_format(tkey->creator, creatorstr,
6230
sizeof(creatorstr));
6231
n = snprintf((char *)isc_buffer_used(text),
6232
isc_buffer_availablelength(text),
6233
"view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
6234
viewname, namestr, creatorstr);
6236
n = snprintf((char *)isc_buffer_used(text),
6237
isc_buffer_availablelength(text),
6238
"view \"%s\"; type \"static\"; key \"%s\";\n",
6241
if (n >= isc_buffer_availablelength(text)) {
6242
dns_rbtnodechain_invalidate(&chain);
6243
return (ISC_R_NOSPACE);
6245
isc_buffer_add(text, n);
6247
result = dns_rbtnodechain_next(&chain, &foundname, origin);
6248
if (result == ISC_R_NOMORE)
6250
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6251
dns_rbtnodechain_invalidate(&chain);
6256
return (ISC_R_SUCCESS);
6260
ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
6261
isc_result_t result;
6264
unsigned int foundkeys = 0;
6266
result = isc_task_beginexclusive(server->task);
6267
RUNTIME_CHECK(result == ISC_R_SUCCESS);
6268
for (view = ISC_LIST_HEAD(server->viewlist);
6270
view = ISC_LIST_NEXT(view, link)) {
6271
RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
6272
result = list_keynames(view, view->statickeys, text,
6274
RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
6275
if (result != ISC_R_SUCCESS) {
6276
isc_task_endexclusive(server->task);
6279
RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
6280
result = list_keynames(view, view->dynamickeys, text,
6282
RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
6283
if (result != ISC_R_SUCCESS) {
6284
isc_task_endexclusive(server->task);
6288
isc_task_endexclusive(server->task);
6290
if (foundkeys == 0) {
6291
n = snprintf((char *)isc_buffer_used(text),
6292
isc_buffer_availablelength(text),
6293
"no tsig keys found.\n");
6294
if (n >= isc_buffer_availablelength(text))
6295
return (ISC_R_NOSPACE);
6296
isc_buffer_add(text, n);
6299
return (ISC_R_SUCCESS);
6303
* Act on a "sign" command from the command channel.
6306
ns_server_sign(ns_server_t *server, char *args) {
6307
isc_result_t result;
6308
dns_zone_t *zone = NULL;
6309
dns_zonetype_t type;
6310
isc_uint16_t keyopts;
6312
result = zone_from_args(server, args, &zone);
6313
if (result != ISC_R_SUCCESS)
6316
return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
6318
type = dns_zone_gettype(zone);
6319
if (type != dns_zone_master) {
6320
dns_zone_detach(&zone);
6321
return (DNS_R_NOTMASTER);
6324
keyopts = dns_zone_getkeyopts(zone);
6325
if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
6326
dns_zone_rekey(zone);
6328
result = ISC_R_NOPERM;
6330
dns_zone_detach(&zone);
6335
* Act on a "freeze" or "thaw" command from the command channel.
6338
ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
6341
isc_result_t result, tresult;
6342
dns_zone_t *zone = NULL;
6343
dns_zonetype_t type;
6344
char classstr[DNS_RDATACLASS_FORMATSIZE];
6345
char zonename[DNS_NAME_FORMATSIZE];
6348
const char *vname, *sep;
6349
isc_boolean_t frozen;
6350
const char *msg = NULL;
6352
result = zone_from_args(server, args, &zone);
6353
if (result != ISC_R_SUCCESS)
6356
result = isc_task_beginexclusive(server->task);
6357
RUNTIME_CHECK(result == ISC_R_SUCCESS);
6358
tresult = ISC_R_SUCCESS;
6359
for (view = ISC_LIST_HEAD(server->viewlist);
6361
view = ISC_LIST_NEXT(view, link)) {
6362
result = dns_view_freezezones(view, freeze);
6363
if (result != ISC_R_SUCCESS &&
6364
tresult == ISC_R_SUCCESS)
6367
isc_task_endexclusive(server->task);
6368
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6369
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6371
freeze ? "freezing" : "thawing",
6372
isc_result_totext(tresult));
6375
type = dns_zone_gettype(zone);
6376
if (type != dns_zone_master) {
6377
dns_zone_detach(&zone);
6378
return (DNS_R_NOTMASTER);
6381
result = isc_task_beginexclusive(server->task);
6382
RUNTIME_CHECK(result == ISC_R_SUCCESS);
6383
frozen = dns_zone_getupdatedisabled(zone);
6386
msg = "WARNING: The zone was already frozen.\n"
6387
"Someone else may be editing it or "
6388
"it may still be re-loading.";
6389
result = DNS_R_FROZEN;
6391
if (result == ISC_R_SUCCESS) {
6392
result = dns_zone_flush(zone);
6393
if (result != ISC_R_SUCCESS)
6394
msg = "Flushing the zone updates to "
6397
if (result == ISC_R_SUCCESS) {
6398
journal = dns_zone_getjournal(zone);
6399
if (journal != NULL)
6400
(void)isc_file_remove(journal);
6402
if (result == ISC_R_SUCCESS)
6403
dns_zone_setupdatedisabled(zone, freeze);
6406
result = dns_zone_loadandthaw(zone);
6409
case DNS_R_UPTODATE:
6410
msg = "The zone reload and thaw was "
6412
result = ISC_R_SUCCESS;
6414
case DNS_R_CONTINUE:
6415
msg = "A zone reload and thaw was started.\n"
6416
"Check the logs to see the result.";
6417
result = ISC_R_SUCCESS;
6422
isc_task_endexclusive(server->task);
6424
if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
6425
isc_buffer_putmem(text, (const unsigned char *)msg,
6428
view = dns_zone_getview(zone);
6429
if (strcmp(view->name, "_default") == 0 ||
6430
strcmp(view->name, "_bind") == 0)
6438
dns_rdataclass_format(dns_zone_getclass(zone), classstr,
6440
dns_name_format(dns_zone_getorigin(zone),
6441
zonename, sizeof(zonename));
6442
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6443
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6444
"%s zone '%s/%s'%s%s: %s",
6445
freeze ? "freezing" : "thawing",
6446
zonename, classstr, sep, vname,
6447
isc_result_totext(result));
6448
dns_zone_detach(&zone);
6454
* This function adds a message for rndc to echo if named
6455
* is managed by smf and is also running chroot.
6458
ns_smf_add_message(isc_buffer_t *text) {
6461
n = snprintf((char *)isc_buffer_used(text),
6462
isc_buffer_availablelength(text),
6463
"use svcadm(1M) to manage named");
6464
if (n >= isc_buffer_availablelength(text))
6465
return (ISC_R_NOSPACE);
6466
isc_buffer_add(text, n);
6467
return (ISC_R_SUCCESS);
6469
#endif /* HAVE_LIBSCF */