From ae905b0ae1236f99a2ba4eac1e8ee499addfa0f8 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Mon, 1 Mar 2010 00:20:37 +0000
Subject: [PATCH 01/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 021947f06c..46cd84da47 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.169 2010/02/27 00:20:34 tbox Exp $
+# $Id: SRCID,v 1.170 2010/03/01 00:20:37 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/02/27 00:20:34 $ )"
+SRCID="( $Date: 2010/03/01 00:20:37 $ )"
From c0f0bbda1e8ab4655441f4259ebd471297e82299 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Mon, 1 Mar 2010 01:55:44 +0000
Subject: [PATCH 02/58] sync
From aee54439ccab1bfb78de02a6d6a8bcc8c0faba35 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Mon, 1 Mar 2010 02:18:30 +0000
Subject: [PATCH 03/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index a5c5ed83b4..27b82f5d8e 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.1.4.81 2010/02/27 02:18:26 tbox Exp $
+# $Id: SRCID,v 1.1.4.82 2010/03/01 02:18:30 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/02/27 02:18:26 $ )"
+SRCID="( $Date: 2010/03/01 02:18:30 $ )"
From 2e77a957cb273056cec79bcad5cc2f138908238e Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Mar 2010 05:00:53 +0000
Subject: [PATCH 04/58] dns_resolver_*badcache
---
 lib/dns/win32/libdns.def | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 0331c278e1..d06d9b9f72 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -520,6 +520,7 @@ dns_requestmgr_detach
 dns_requestmgr_shutdown
 dns_requestmgr_whenshutdown
 dns_resolver_addalternate
+dns_resolver_addbadcache
 dns_resolver_algorithm_supported
 dns_resolver_attach
 dns_resolver_cancelfetch
@@ -532,7 +533,9 @@ dns_resolver_disable_algorithm
 dns_resolver_dispatchmgr
 dns_resolver_dispatchv4
 dns_resolver_dispatchv6
+dns_resolver_flushbadcache
 dns_resolver_freeze
+dns_resolver_getbadcache
 dns_resolver_getlamettl
 dns_resolver_getoptions
 dns_resolver_getudpsize
@@ -540,6 +543,7 @@ dns_resolver_getzeronosoattl
 dns_resolver_logfetch
 dns_resolver_nrunning
 dns_resolver_prime
+dns_resolver_printbadcache
 dns_resolver_reset_algorithms
 dns_resolver_resetmustbesecure
 dns_resolver_setclientsperquery
From c76ae1723fb6c97c05a5d04fb3cd040cea6b480f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Mar 2010 05:11:45 +0000
Subject: [PATCH 05/58] dns_rdataset_expire/dns_rdataset_settrust
---
 lib/dns/win32/libdns.def | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 547920281f..324da2b431 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -237,9 +237,9 @@ dns_keydata_fromdnskey
 dns_keydata_todnskey
 dns_keyflags_fromtext
 dns_keynode_attach
+dns_keynode_create
 dns_keynode_detach
 dns_keynode_detachall
-dns_keynode_create
 dns_keynode_key
 dns_keynode_managed
 dns_keytable_add
@@ -500,6 +500,7 @@ dns_rdataset_clone
 dns_rdataset_count
 dns_rdataset_current
 dns_rdataset_disassociate
+dns_rdataset_expire
 dns_rdataset_first
 dns_rdataset_getadditional
 dns_rdataset_getclosest
@@ -511,6 +512,7 @@ dns_rdataset_makequestion
 dns_rdataset_next
 dns_rdataset_putadditional
 dns_rdataset_setadditional
+dns_rdataset_settrust
 dns_rdataset_totext
 dns_rdataset_towire
 dns_rdataset_towiresorted
@@ -780,8 +782,8 @@ dns_zone_notify
 dns_zone_notifyreceive
 dns_zone_nscheck
 dns_zone_refresh
-dns_zone_replacedb
 dns_zone_rekey
+dns_zone_replacedb
 dns_zone_setacache
 dns_zone_setalsonotify
 dns_zone_setaltxfrsource4
From 6f8edd57aec6fffcf77f7170619d3a6bf4c29a30 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Mar 2010 05:13:53 +0000
Subject: [PATCH 06/58] dns_resolver_*badcache
---
 lib/dns/win32/libdns.def | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 324da2b431..88efdbac5b 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -555,6 +555,7 @@ dns_requestmgr_detach
 dns_requestmgr_shutdown
 dns_requestmgr_whenshutdown
 dns_resolver_addalternate
+dns_resolver_addbadcache
 dns_resolver_algorithm_supported
 dns_resolver_attach
 dns_resolver_cancelfetch
@@ -567,7 +568,9 @@ dns_resolver_disable_algorithm
 dns_resolver_dispatchmgr
 dns_resolver_dispatchv4
 dns_resolver_dispatchv6
+dns_resolver_flushbadcache
 dns_resolver_freeze
+dns_resolver_getbadcache
 dns_resolver_getlamettl
 dns_resolver_getoptions
 dns_resolver_getudpsize
@@ -575,6 +578,7 @@ dns_resolver_getzeronosoattl
 dns_resolver_logfetch
 dns_resolver_nrunning
 dns_resolver_prime
+dns_resolver_printbadcache
 dns_resolver_reset_algorithms
 dns_resolver_resetmustbesecure
 dns_resolver_setclientsperquery
From 44dc7cb1d00ace628309254ec7b8d7fa12a8bf3d Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 05:17:22 +0000
Subject: [PATCH 07/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 27b82f5d8e..db221dee68 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.1.4.82 2010/03/01 02:18:30 tbox Exp $
+# $Id: SRCID,v 1.1.4.83 2010/03/03 05:17:22 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/01 02:18:30 $ )"
+SRCID="( $Date: 2010/03/03 05:17:22 $ )"
From 3083bd21deccb39b94831a26820bd350a652d8b2 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 05:17:54 +0000
Subject: [PATCH 08/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 46cd84da47..1cb7b7a97f 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.170 2010/03/01 00:20:37 tbox Exp $
+# $Id: SRCID,v 1.171 2010/03/03 05:17:54 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/01 00:20:37 $ )"
+SRCID="( $Date: 2010/03/03 05:17:54 $ )"
From b041f0ecb7c976afbc1993d0f8ef79e63d1ee0c3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Mar 2010 06:58:30 +0000
Subject: [PATCH 09/58] dns_rdataset_expire/dns_rdataset_settrust
---
 lib/dns/win32/libdns.def | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index d06d9b9f72..fd3792b18e 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -467,6 +467,7 @@ dns_rdataset_clone
 dns_rdataset_count
 dns_rdataset_current
 dns_rdataset_disassociate
+dns_rdataset_expire
 dns_rdataset_first
 dns_rdataset_getadditional
 dns_rdataset_getclosest
@@ -478,6 +479,7 @@ dns_rdataset_makequestion
 dns_rdataset_next
 dns_rdataset_putadditional
 dns_rdataset_setadditional
+dns_rdataset_settrust
 dns_rdataset_totext
 dns_rdataset_towire
 dns_rdataset_towiresorted
From bf10569154ee562d791f4bf2c9486569c1c0b2f1 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 07:16:40 +0000
Subject: [PATCH 10/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index db221dee68..471c21b3c8 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.1.4.83 2010/03/03 05:17:22 tbox Exp $
+# $Id: SRCID,v 1.1.4.84 2010/03/03 07:16:40 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/03 05:17:22 $ )"
+SRCID="( $Date: 2010/03/03 07:16:40 $ )"
From 8d87bd79e596e206246caf96bc085b869eeefdb7 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 22:13:12 +0000
Subject: [PATCH 11/58] newcopyrights
---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/copyrights b/util/copyrights
index e6610e005a..8edb997954 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1885,7 +1885,7 @@
 ./lib/dns/win32/gen.dsp X 2001
 ./lib/dns/win32/gen.dsw X 2001
 ./lib/dns/win32/gen.mak X 2001,2006
-./lib/dns/win32/libdns.def X 2001,2002,2003,2004,2005,2006,2007,2008,2009
+./lib/dns/win32/libdns.def X 2001,2002,2003,2004,2005,2006,2007,2008,2009,2010
 ./lib/dns/win32/libdns.dsp X 2001,2002,2003,2004,2005,2006,2007,2008
 ./lib/dns/win32/libdns.dsw X 2001
 ./lib/dns/win32/libdns.mak X 2001,2002,2003,2004,2005,2006,2007,2008
From b8cfef527157f92456737df39dbd17b94db5a2eb Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 22:14:27 +0000
Subject: [PATCH 12/58] newcopyrights
---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/copyrights b/util/copyrights
index cfdb82bbeb..85b633a1fe 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2144,7 +2144,7 @@
 ./lib/dns/win32/gen.dsp X 2001
 ./lib/dns/win32/gen.dsw X 2001
 ./lib/dns/win32/gen.mak X 2001,2006
-./lib/dns/win32/libdns.def X 2001,2002,2003,2004,2005,2006,2007,2008,2009
+./lib/dns/win32/libdns.def X 2001,2002,2003,2004,2005,2006,2007,2008,2009,2010
 ./lib/dns/win32/libdns.dsp X 2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/win32/libdns.dsw X 2001
 ./lib/dns/win32/libdns.mak X 2001,2002,2003,2004,2005,2006,2007,2008,2009
From a79df62abf457dc05b1215b7dc59541d3fa81926 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 22:20:24 +0000
Subject: [PATCH 13/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 471c21b3c8..19fe3ace14 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.1.4.84 2010/03/03 07:16:40 tbox Exp $
+# $Id: SRCID,v 1.1.4.85 2010/03/03 22:20:24 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/03 07:16:40 $ )"
+SRCID="( $Date: 2010/03/03 22:20:24 $ )"
From f16199c05690470ecf99d89ffdfd360443f2d615 Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Wed, 3 Mar 2010 22:24:05 +0000
Subject: [PATCH 14/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 1cb7b7a97f..9db461df49 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.171 2010/03/03 05:17:54 tbox Exp $
+# $Id: SRCID,v 1.172 2010/03/03 22:24:05 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/03 05:17:54 $ )"
+SRCID="( $Date: 2010/03/03 22:24:05 $ )"
From ddab8bd093642e69df97e82528d9398e57a80e68 Mon Sep 17 00:00:00 2001
From: Automatic Updater Date: Wed, 3 Mar 2010 23:18:09 +0000 Subject: [PATCH 15/58] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 1cab16e0f2..41c84605bd 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -381,6 +381,7 @@ v9_6 new marka // 2008-11-30 22:53 +0000 v9_6_0_patch new marka // 2008-12-23 01:13 +0000 v9_6_1_patch new marka // 2009-07-28 14:11 +0000 v9_6_2_patch new marka // 2010-02-25 03:11 +0000 +v9_6_esv_branch new marka // 2010-03-03 21:57 +0000 v9_7 new each // 2009-12-08 20:59 +0000 v9_7_0_patch new marka // 2010-02-25 03:05 +0000 From 13396661f46572d7b94703a25721aad040fbd91a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 05:18:04 +0000 Subject: [PATCH 16/58] 2854. [func] dig: allow the final soa record in a axfr response to be suppressed, dig +onesoa. [RT #20929] --- CHANGES | 3 +++ bin/dig/dig.c | 13 +++++++++++-- bin/dig/dig.docbook | 13 ++++++++++++- lib/dns/include/dns/message.h | 12 +++++++++++- lib/dns/message.c | 12 +++++++++++- 5 files changed, 48 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 7f98f6c8cd..46a7c7ec3a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2854. [func] dig: allow the final soa record in a axfr response to + be suppressed, dig +onesoa. [RT #20929] + 2853. [bug] add_sigs() could run out of scratch space. [RT #21015] 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 9783024bc8..b729489281 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.233 2009/10/03 18:03:53 each Exp $ */ +/* $Id: dig.c,v 1.234 2010/03/04 05:18:04 marka Exp $ */ /*! \file */ 
@@ -68,7 +68,8 @@ static char domainopt[DNS_NAME_MAXTEXT]; static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE, ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE, - multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE; + multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE, + onesoa = ISC_FALSE; /*% opcode text */ static const char * const opcodetext[] = { @@ -225,6 +226,7 @@ help(void) { #endif #endif " +[no]multiline (Print records in an expanded format)\n" +" +[no]onesoa (AXFR prints only one soa record)\n" " global d-opts and servers (before host name) affect all queries.\n" " local d-opts and servers (after host name) affect only that lookup.\n" " -h (print help and exit)\n" @@ -471,6 +473,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { flags |= DNS_MESSAGETEXTFLAG_NOHEADERS; flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS; } + if (onesoa && query->lookup->rdtype == dns_rdatatype_axfr) + flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA : + DNS_MESSAGETEXTFLAG_OMITSOA; if (!query->lookup->comments) flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS; @@ -925,6 +930,10 @@ plus_option(char *option, isc_boolean_t is_batchfile, goto invalid_option; } break; + case 'o': + FULLCHECK("onesoa"); + onesoa = state; + break; case 'q': switch (cmd[1]) { case 'r': /* qr */ diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index de38d5949d..6ebcd37d54 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -766,6 +766,17 @@ + + + + + Print only one (starting) SOA record when performing + an AXFR. The default is to print both the starting and + ending SOA records. + + + + diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index c51d2e33dc..54ab11bc41 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.h,v 1.130 2009/10/26 23:47:35 tbox Exp $ */ +/* $Id: message.h,v 1.131 2010/03/04 05:18:04 marka Exp $ */ #ifndef DNS_MESSAGE_H #define DNS_MESSAGE_H 1 @@ -136,6 +136,8 @@ typedef int dns_pseudosection_t; typedef int dns_messagetextflag_t; #define DNS_MESSAGETEXTFLAG_NOCOMMENTS 0x0001 #define DNS_MESSAGETEXTFLAG_NOHEADERS 0x0002 +#define DNS_MESSAGETEXTFLAG_ONESOA 0x0004 +#define DNS_MESSAGETEXTFLAG_OMITSOA 0x0008 /* * Dynamic update names for these sections. @@ -371,6 +373,14 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style, * #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will * be emitted. * + * If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the + * first SOA record in the answer section. If + * #DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records + * in the answer section. These are useful for suppressing the + * display of the second SOA record in a AXFR by setting + * #DNS_MESSAGETEXTFLAG_ONESOA on the first message in a AXFR stream + * and #DNS_MESSAGETEXTFLAG_OMITSOA on subsequent messages. + * * Requires: * *\li 'msg' is a valid message. diff --git a/lib/dns/message.c b/lib/dns/message.c index b28909ac8c..42b783ee4a 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.249 2009/11/24 03:20:02 marka Exp $ */ +/* $Id: message.c,v 1.250 2010/03/04 05:18:04 marka Exp $ */ /*! \file */ @@ -3114,6 +3114,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section, dns_name_t *name, empty_name; dns_rdataset_t *rdataset; isc_result_t result; + isc_boolean_t seensoa = ISC_FALSE; REQUIRE(DNS_MESSAGE_VALID(msg)); REQUIRE(target != NULL); 
@@ -3143,6 +3144,15 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section, for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { + if (section == DNS_SECTION_ANSWER && + rdataset->type == dns_rdatatype_soa) { + if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0) + continue; + if (seensoa && + (flags & DNS_MESSAGETEXTFLAG_ONESOA) != 0) + continue; + seensoa = ISC_TRUE; + } if (section == DNS_SECTION_QUESTION) { ADD_STRING(target, ";"); result = dns_master_questiontotext(name, From 2e20dea9fc0a84217c7debdef8b4b6c6f04d3998 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 05:24:56 +0000 Subject: [PATCH 17/58] 2854. [func] nsupdate will now preserve the entered case of domain names in update requests it sends. [RT #20928] --- CHANGES | 3 +++ bin/nsupdate/nsupdate.c | 4 ++-- lib/dns/include/dns/request.h | 9 ++++++++- lib/dns/request.c | 5 ++++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 46a7c7ec3a..a67cd5202d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2854. [func] nsupdate will now preserve the entered case of domain + names in update requests it sends. [RT #20928] + 2854. [func] dig: allow the final soa record in a axfr response to be suppressed, dig +onesoa. [RT #20929] diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index a24590ad54..f9471314cb 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.173 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: nsupdate.c,v 1.174 2010/03/04 05:24:56 marka Exp $ */ /*! \file */ @@ -2078,7 +2078,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master, { isc_result_t result; dns_request_t *request = NULL; - unsigned int options = 0; + unsigned int options = DNS_REQUESTOPT_CASE; ddebug("send_update()"); 
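Review bot: The new SOA filter in dns_message_sectiontotext counts rdatasets rather than records: `seensoa` is set once per SOA rdataset, so if the starting and ending SOA of a transfer were ever merged into a single rdataset (same owner and type within one message) both would still print under ONESOA. dig's AXFR path presumably parses with record order preserved so the two stay separate, but that dependency is not visible here and is worth stating. Since the meaning of the two flags lives only in message.h, I'd put a short comment on the new block: `/* +onesoa support: in the answer section drop every SOA rdataset (OMITSOA) or every one after the first (ONESOA). */`. dns_message_sectiontotext starts and ends outside this hunk.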
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h index adadce3ea3..69b72b3cd1 100644 --- a/lib/dns/include/dns/request.h +++ b/lib/dns/include/dns/request.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.h,v 1.29 2009/01/17 23:47:43 tbox Exp $ */ +/* $Id: request.h,v 1.30 2010/03/04 05:24:56 marka Exp $ */ #ifndef DNS_REQUEST_H #define DNS_REQUEST_H 1 @@ -47,6 +47,7 @@ #include #define DNS_REQUESTOPT_TCP 0x00000001U +#define DNS_REQUESTOPT_CASE 0x00000002U typedef struct dns_requestevent { ISC_EVENT_COMMON(struct dns_requestevent); @@ -175,6 +176,9 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message, * #DNS_REQUESTOPT_TCP option is set, TCP will be used. The request * will timeout after 'timeout' seconds. * + *\li If the #DNS_REQUESTOPT_CASE option is set, use case sensitive + * compression. + * *\li When the request completes, successfully, due to a timeout, or * because it was canceled, a completion event will be sent to 'task'. * @@ -227,6 +231,9 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message, * will timeout after 'timeout' seconds. UDP requests will be resent * at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero. * + *\li If the #DNS_REQUESTOPT_CASE option is set, use case sensitive + * compression. + * *\li When the request completes, successfully, due to a timeout, or * because it was canceled, a completion event will be sent to 'task'. * diff --git a/lib/dns/request.c b/lib/dns/request.c index ba19154b15..fbe5f3527b 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.c,v 1.85 2009/09/01 00:22:26 jinmei Exp $ */ +/* $Id: request.c,v 1.86 2010/03/04 05:24:56 marka Exp $ */ /*! \file */ 
@@ -1059,6 +1059,9 @@ req_render(dns_message_t *message, isc_buffer_t **bufferp, return (result); cleanup_cctx = ISC_TRUE; + if ((options & DNS_REQUESTOPT_CASE) != 0) + dns_compress_setsensitive(&cctx, ISC_TRUE); + /* * Render message. */ From d1a5fdc34a3d7caabead7bbf0cbf6fa7d89f0910 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 05:29:15 +0000 Subject: [PATCH 18/58] 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] --- CHANGES | 3 +++ lib/isc/mem.c | 13 +++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index a67cd5202d..2dfe4c04c9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2955. [bug] The size of a memory allocation was not always properly + recorded. [RT #20927] + 2854. [func] nsupdate will now preserve the entered case of domain names in update requests it sends. [RT #20928] diff --git a/lib/isc/mem.c b/lib/isc/mem.c index ef6ece0c29..6530892727 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.c,v 1.153 2009/09/02 23:43:54 each Exp $ */ +/* $Id: mem.c,v 1.154 2010/03/04 05:29:15 marka Exp $ */ /*! \file */ @@ -75,7 +75,7 @@ struct debuglink { }; #define FLARG_PASS , file, line -#define FLARG , const char *file, int line +#define FLARG , const char *file, unsigned int line #else #define FLARG_PASS #define FLARG @@ -394,6 +394,7 @@ add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size { debuglink_t *dl; unsigned int i; + unsigned int mysize = size; if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0) fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM, 
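Review bot: The new `mysize` in add_trace_entry is only ever used as the `debuglist[]` index, and the reason the original `size` must now stay untouched — that it presumably reaches the later size store in the same function unclamped, which the CHANGES entry describes as the bug — is not stated anywhere in the function, so a future cleanup could merge the two variables back. A one-line comment at the declaration would pin it: `/* mysize is only the debuglist bucket; 'size' must stay the real allocation size. */`. The identical hunks for the branch copy in PATCH 20/58 would want the same comment. add_trace_entry's body continues past these hunks, so the later use of `size` is inferred rather than visible.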
@@ -405,10 +406,10 @@ add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size if (mctx->debuglist == NULL) return; - if (size > mctx->max_size) - size = mctx->max_size; + if (mysize > mctx->max_size) + mysize = mctx->max_size; - dl = ISC_LIST_HEAD(mctx->debuglist[size]); + dl = ISC_LIST_HEAD(mctx->debuglist[mysize]); while (dl != NULL) { if (dl->count == DEBUGLIST_COUNT) goto next; @@ -443,7 +444,7 @@ add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size dl->line[0] = line; dl->count = 1; - ISC_LIST_PREPEND(mctx->debuglist[size], dl, link); + ISC_LIST_PREPEND(mctx->debuglist[mysize], dl, link); mctx->debuglistcnt++; } From 5388178e8aa12c263286caa394491903cbf9806e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 05:45:51 +0000 Subject: [PATCH 19/58] 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] --- lib/isc/include/isc/mem.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h index 6d9f606383..70d1c81dc0 100644 --- a/lib/isc/include/isc/mem.h +++ b/lib/isc/include/isc/mem.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.h,v 1.86 2009/09/04 18:51:37 jinmei Exp $ */ +/* $Id: mem.h,v 1.87 2010/03/04 05:45:51 marka Exp $ */ #ifndef ISC_MEM_H #define ISC_MEM_H 1 @@ -121,7 +121,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging; #if ISC_MEM_TRACKLINES #define _ISC_MEM_FILELINE , __FILE__, __LINE__ -#define _ISC_MEM_FLARG , const char *, int +#define _ISC_MEM_FLARG , const char *, unsigned int #else #define _ISC_MEM_FILELINE #define _ISC_MEM_FLARG From ba97097eaf33f05372a7309c5be3cf1d614f16cd Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Thu, 4 Mar 2010 05:59:07 +0000 Subject: [PATCH 20/58] 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] --- CHANGES | 3 +++ lib/isc/include/isc/mem.h | 4 ++-- lib/isc/mem.c | 13 +++++++------ 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index d6cb79716b..30b97d2758 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2955. [bug] The size of a memory allocation was not always properly + recorded. [RT #20927] + 2853. [bug] add_sigs() could run out of scratch space. [RT #21015] 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h index 480a934078..5c0c4e652c 100644 --- a/lib/isc/include/isc/mem.h +++ b/lib/isc/include/isc/mem.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.h,v 1.78.120.3 2009/02/11 03:07:01 jinmei Exp $ */ +/* $Id: mem.h,v 1.78.120.4 2010/03/04 05:59:07 marka Exp $ */ #ifndef ISC_MEM_H #define ISC_MEM_H 1 @@ -121,7 +121,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging; #if ISC_MEM_TRACKLINES #define _ISC_MEM_FILELINE , __FILE__, __LINE__ -#define _ISC_MEM_FLARG , const char *, int +#define _ISC_MEM_FLARG , const char *, unsigned int #else #define _ISC_MEM_FILELINE #define _ISC_MEM_FLARG diff --git a/lib/isc/mem.c b/lib/isc/mem.c index 9c37d7478b..69052cda72 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.c,v 1.145.120.4 2009/02/16 03:17:05 marka Exp $ */ +/* $Id: mem.c,v 1.145.120.5 2010/03/04 05:59:07 marka Exp $ */ /*! \file */ @@ -72,7 +72,7 @@ struct debuglink { }; #define FLARG_PASS , file, line -#define FLARG , const char *file, int line +#define FLARG , const char *file, unsigned int line #else #define FLARG_PASS #define FLARG 
@@ -220,6 +220,7 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size { debuglink_t *dl; unsigned int i; + unsigned int mysize = size; if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0) fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM, @@ -231,10 +232,10 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size if (mctx->debuglist == NULL) return; - if (size > mctx->max_size) - size = mctx->max_size; + if (mysize > mctx->max_size) + mysize = mctx->max_size; - dl = ISC_LIST_HEAD(mctx->debuglist[size]); + dl = ISC_LIST_HEAD(mctx->debuglist[mysize]); while (dl != NULL) { if (dl->count == DEBUGLIST_COUNT) goto next; @@ -269,7 +270,7 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size dl->line[0] = line; dl->count = 1; - ISC_LIST_PREPEND(mctx->debuglist[size], dl, link); + ISC_LIST_PREPEND(mctx->debuglist[mysize], dl, link); mctx->debuglistcnt++; } From 92348098ebe7ef4c26bfe2204a7364fa18735afc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 06:17:01 +0000 Subject: [PATCH 21/58] 2956. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] --- CHANGES | 3 ++ bin/named/server.c | 4 +- lib/bind9/check.c | 125 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 128 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 2dfe4c04c9..803f3a9374 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2956. [bug] named-checkconf did not fail on a bad trusted key. + [RT #20705] + 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] diff --git a/bin/named/server.c b/bin/named/server.c index 913ebe2dcb..436ce63019 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.563 2010/02/25 04:39:12 marka Exp $ */ +/* $Id: server.c,v 1.564 2010/03/04 06:17:01 marka Exp $ */ /*! \file */ 
@@ -479,7 +479,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, const char *initmethod; initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init")); - if (strcmp(initmethod, "initial-key") != 0) { + if (strcasecmp(initmethod, "initial-key") != 0) { cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR, "managed key '%s': " "invalid initialization method '%s'", diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 785f583171..b6ca21821b 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.114 2009/12/04 21:09:33 marka Exp $ */ +/* $Id: check.c,v 1.115 2010/03/04 06:17:01 marka Exp $ */ /*! \file */ @@ -42,6 +42,8 @@ #include #include +#include + #include #include 
@@ -1739,6 +1741,78 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions, return (result); } +static isc_result_t +check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed, + isc_log_t *logctx) +{ + const char *keystr, *keynamestr; + dns_fixedname_t fkeyname; + dns_name_t *keyname; + isc_buffer_t keydatabuf; + isc_region_t r; + isc_result_t result = ISC_R_SUCCESS; + isc_result_t tresult; + isc_uint32_t flags, proto, alg; + unsigned char keydata[4096]; + + flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags")); + proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol")); + alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm")); + keyname = dns_fixedname_name(&fkeyname); + keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); + + if (flags > 0xffff) { + cfg_obj_log(key, logctx, ISC_LOG_WARNING, + "flags too big: %u\n", flags); + result = ISC_R_FAILURE; + } + if (proto > 0xff) { + cfg_obj_log(key, logctx, ISC_LOG_WARNING, + "protocol too big: %u\n", proto); + result = ISC_R_FAILURE; + } + if (alg > 0xff) { + cfg_obj_log(key, logctx, ISC_LOG_WARNING, + "algorithm too big: %u\n", alg); + result = ISC_R_FAILURE; + } + + if (managed) { + const char *initmethod; + initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init")); + + if (strcasecmp(initmethod, "initial-key") != 0) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "managed key '%s': " + "invalid initialization method '%s'", + keynamestr, initmethod); + result = ISC_R_FAILURE; + } + } + + isc_buffer_init(&keydatabuf, keydata, sizeof(keydata)); + + keystr = cfg_obj_asstring(cfg_tuple_get(key, "key")); + tresult = isc_base64_decodestring(keystr, &keydatabuf); + + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "%s", isc_result_totext(tresult)); + result = ISC_R_FAILURE; + } else { + isc_buffer_usedregion(&keydatabuf, &r); + + if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) && + r.length > 1 && r.base[0] == 1 && r.base[1] == 3) + cfg_obj_log(key, logctx, 
ISC_LOG_WARNING, + "%s key '%s' has a weak exponent", + managed ? "managed" : "trusted", + keynamestr); + } + + return (result); +} + static isc_result_t check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const char *viewname, dns_rdataclass_t vclass, @@ -1746,7 +1820,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, { const cfg_obj_t *zones = NULL; const cfg_obj_t *keys = NULL; - const cfg_listelt_t *element; + const cfg_listelt_t *element, *element2; isc_symtab_t *symtab = NULL; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult = ISC_R_SUCCESS; 
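Review bot: In check_trusted_key, `keyname` is assigned from `dns_fixedname_name(&fkeyname)` but never used, and `fkeyname` is never initialised with dns_fixedname_init, so the key's `name` string is only read into keynamestr for log messages and is never validated; either parse it (dns_fixedname_init, then dns_name_fromtext on keynamestr, failing the check on error) so a malformed owner name is reported at checkconf time, or drop the two variables. The three range checks log at ISC_LOG_WARNING while setting `result = ISC_R_FAILURE`, so named-checkconf will fail on a line the operator sees as a warning; the managed-key and base64 failures in the same function use `ISC_LOG_ERROR`, which would be the consistent level. Those three format strings also carry a trailing `\n` (`"flags too big: %u\n"`) that none of the other cfg_obj_log calls in this hunk have, which I'd expect to produce a blank line in the log — confirm against cfg_obj_log's formatting.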
@@ -1887,6 +1961,53 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, cfg_obj_log(obj, logctx, ISC_LOG_WARNING, "'dnssec-validation yes;' and 'dnssec-enable no;'"); + /* + * Check trusted-keys and managed-keys. + */ + keys = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "trusted-keys", &keys); + if (keys == NULL) + (void)cfg_map_get(config, "trusted-keys", &keys); + + for (element = cfg_list_first(keys); + element != NULL; + element = cfg_list_next(element)) + { + const cfg_obj_t *keylist = cfg_listelt_value(element); + for (element2 = cfg_list_first(keylist); + element2 != NULL; + element2 = cfg_list_next(element2)) { + obj = cfg_listelt_value(element2); + tresult = check_trusted_key(obj, ISC_FALSE, logctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + } + + keys = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "managed-keys", &keys); + if (keys == NULL) + (void)cfg_map_get(config, "managed-keys", &keys); + + for (element = cfg_list_first(keys); + element != NULL; + element = cfg_list_next(element)) + { + const cfg_obj_t *keylist = cfg_listelt_value(element); + for (element2 = cfg_list_first(keylist); + element2 != NULL; + element2 = cfg_list_next(element2)) { + obj = cfg_listelt_value(element2); + tresult = check_trusted_key(obj, ISC_TRUE, logctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + } + /* + * Check options. + */ if (voptions != NULL) tresult = check_options(voptions, logctx, mctx); else From 4e32ae26b81e8e3f3b444042dd23c6d5bc6d891d Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 06:19:30 +0000 Subject: [PATCH 22/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 19fe3ace14..9099d3f174 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID 
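Review bot: The trusted-keys and managed-keys passes added to check_viewconf are the same nine-line loop nest written twice, differing only in the map name and the `managed` flag passed to check_trusted_key; folding them into one static helper keeps the two passes from drifting and lets the `element2` declaration added at @@ -1746 go away. Note also that when a view supplies its own list the global one is not visited at all; I believe that mirrors how the other view-then-global lookups in this file behave, but if named loads both lists for a view the checker would silently skip the global keys, so worth confirming. check_viewconf starts and ends outside this hunk.
```c
/*
 * Run check_trusted_key() over every key in the view's "mapname" list,
 * falling back to the global list when the view has none.
 */
static isc_result_t
check_keylists(const cfg_obj_t *config, const cfg_obj_t *voptions,
	       const char *mapname, isc_boolean_t managed, isc_log_t *logctx)
{
	const cfg_obj_t *keys = NULL;
	const cfg_listelt_t *element, *element2;
	isc_result_t result = ISC_R_SUCCESS, tresult;

	if (voptions != NULL)
		(void)cfg_map_get(voptions, mapname, &keys);
	if (keys == NULL)
		(void)cfg_map_get(config, mapname, &keys);

	for (element = cfg_list_first(keys);
	     element != NULL;
	     element = cfg_list_next(element))
	{
		const cfg_obj_t *keylist = cfg_listelt_value(element);
		for (element2 = cfg_list_first(keylist);
		     element2 != NULL;
		     element2 = cfg_list_next(element2)) {
			tresult = check_trusted_key(cfg_listelt_value(element2),
						    managed, logctx);
			if (tresult != ISC_R_SUCCESS)
				result = tresult;
		}
	}
	return (result);
}

	/* … in check_viewconf, replacing the two inline loop nests … */
	tresult = check_keylists(config, voptions, "trusted-keys",
				 ISC_FALSE, logctx);
	if (tresult != ISC_R_SUCCESS)
		result = tresult;
	tresult = check_keylists(config, voptions, "managed-keys",
				 ISC_TRUE, logctx);
	if (tresult != ISC_R_SUCCESS)
		result = tresult;
```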
@@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.85 2010/03/03 22:20:24 tbox Exp $ +# $Id: SRCID,v 1.1.4.86 2010/03/04 06:19:30 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/03 22:20:24 $ )" +SRCID="( $Date: 2010/03/04 06:19:30 $ )" From d8c9997a13568a554e7976e7a879c41cb96b007e Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 06:22:28 +0000 Subject: [PATCH 23/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 9db461df49..ae7d3fecd6 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.172 2010/03/03 22:24:05 tbox Exp $ +# $Id: SRCID,v 1.173 2010/03/04 06:22:28 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/03 22:24:05 $ )" +SRCID="( $Date: 2010/03/04 06:22:28 $ )" From b52da87328546a71f2a64ad54dacf917bad26466 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 06:29:33 +0000 Subject: [PATCH 24/58] 2956. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] --- CHANGES | 3 ++ lib/bind9/check.c | 91 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 92 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 30b97d2758..183971c902 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2956. [bug] named-checkconf did not fail on a bad trusted key. + [RT #20705] + 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 753db9ce11..d661c056d7 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.95.12.4 2009/06/03 00:06:01 marka Exp $ */ +/* $Id: check.c,v 1.95.12.5 2010/03/04 06:29:33 marka Exp $ */ /*! \file */ 
@@ -23,6 +23,7 @@ #include +#include #include #include #include @@ -41,6 +42,8 @@ #include #include +#include + #include #include 
@@ -1666,6 +1669,63 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 return (result);
 }
 
+static isc_result_t
+check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
+{
+ const char *keystr, *keynamestr;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname;
+ isc_buffer_t keydatabuf;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ isc_uint32_t flags, proto, alg;
+ unsigned char keydata[4096];
+
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+ keyname = dns_fixedname_name(&fkeyname);
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+ if (flags > 0xffff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "flags too big: %u\n", flags);
+ result = ISC_R_FAILURE;
+ }
+ if (proto > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "protocol too big: %u\n", proto);
+ result = ISC_R_FAILURE;
+ }
+ if (alg > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "algorithm too big: %u\n", alg);
+ result = ISC_R_FAILURE;
+ }
+
+ isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ tresult = isc_base64_decodestring(keystr, &keydatabuf);
+
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "%s", isc_result_totext(tresult));
+ result = ISC_R_FAILURE;
+ } else {
+ isc_buffer_usedregion(&keydatabuf, &r);
+
+ if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+ r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "trusted key '%s' has a weak exponent",
+ keynamestr);
+ }
+
+ return (result);
+}
+
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 const char *viewname, dns_rdataclass_t vclass,
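Review bot: `keyname` and `fkeyname` are set up (`keyname = dns_fixedname_name(&fkeyname);`) but never read anywhere in the new function, so the key's name string is never parsed and a trusted key with an unparseable name still passes named-checkconf, while the unused variable will draw a compiler warning. Either parse `keynamestr` into `keyname` with dns_name_fromtext() and set `result = ISC_R_FAILURE;` when that fails, or drop the two declarations and the assignment. Separately, the three range checks log at `ISC_LOG_WARNING` yet fail the check, whereas the base64 failure just below uses `ISC_LOG_ERROR`; and the trailing `\n` in `"flags too big: %u\n"` and its two siblings does not appear in any other cfg_obj_log() message visible in this patch, so it looks unintended. Whether the weak-exponent test should also cover the newer RSA algorithm codes depends on which `DST_ALG_*` constants this branch defines, which the hunk does not show.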
@@ -1673,7 +1733,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, { const cfg_obj_t *zones = NULL; const cfg_obj_t *keys = NULL; - const cfg_listelt_t *element; + const cfg_listelt_t *element, *element2; isc_symtab_t *symtab = NULL; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult = ISC_R_SUCCESS; @@ -1814,6 +1874,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, cfg_obj_log(obj, logctx, ISC_LOG_WARNING, "'dnssec-validation yes;' and 'dnssec-enable no;'"); + /* + * Check trusted-keys and managed-keys. + */ + keys = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "trusted-keys", &keys); + if (keys == NULL) + (void)cfg_map_get(config, "trusted-keys", &keys); + + for (element = cfg_list_first(keys); + element != NULL; + element = cfg_list_next(element)) + { + const cfg_obj_t *keylist = cfg_listelt_value(element); + for (element2 = cfg_list_first(keylist); + element2 != NULL; + element2 = cfg_list_next(element2)) { + obj = cfg_listelt_value(element2); + tresult = check_trusted_key(obj, logctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + } + + /* + * Check options. + */ if (voptions != NULL) tresult = check_options(voptions, logctx, mctx); else From b1003ace6f6e15ffa212c7982c80845f549e6cef Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 06:43:21 +0000 Subject: [PATCH 25/58] 2957. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] --- CHANGES | 3 +++ lib/dns/resolver.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 803f3a9374..c4a232dc7a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2957. [bug] RTT estimates were not being adjusted on ICMP errors. + [RT #20772] + 2956. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 8e038162c4..41d022d8dd 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.417 2010/02/25 05:08:01 tbox Exp $ */ +/* $Id: resolver.c,v 1.418 2010/03/04 06:43:21 marka Exp $ */ /*! \file */ @@ -6412,6 +6412,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { unsigned int findoptions; isc_result_t broken_server; badnstype_t broken_type = badns_response; + isc_boolean_t no_response; REQUIRE(VALID_QUERY(query)); fctx = query->fctx; @@ -6434,6 +6435,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { resend = ISC_FALSE; truncated = ISC_FALSE; finish = NULL; + no_response = ISC_FALSE; if (fctx->res->exiting) { result = ISC_R_SHUTTINGDOWN; @@ -6482,7 +6484,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* * If this is a network error on an exclusive query * socket, mark the server as bad so that we won't try - * it for this fetch again. + * it for this fetch again. Also adjust finish and + * no_response so that we penalize this address in SRTT + * adjustment later. */ if (query->exclusivesocket && (devent->result == ISC_R_HOSTUNREACH || @@ -6491,6 +6495,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { devent->result == ISC_R_CANCELED)) { broken_server = devent->result; broken_type = badns_unreachable; + finish = NULL; + no_response = ISC_TRUE; } } goto done; @@ -6993,7 +6999,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * * XXXRTH Don't cancel the query if waiting for validation? */ - fctx_cancelquery(&query, &devent, finish, ISC_FALSE); + fctx_cancelquery(&query, &devent, finish, no_response); if (keep_trying) { if (result == DNS_R_FORMERR) From b605bbbb0f1e2f5166d354fe6576eba210e62edf Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 06:49:41 +0000 Subject: [PATCH 26/58] 2957. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] --- CHANGES | 3 +++ lib/dns/resolver.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) 
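Review bot: The new `no_response = ISC_TRUE;` is reached for every result in the surrounding condition, including `ISC_R_CANCELED`, which is a local cancellation rather than a network error, so a server whose query was cancelled (for instance at shutdown) now also takes the SRTT penalty that the CHANGES entry describes for ICMP errors; if that is not intended the two new lines belong under a narrower test, e.g. `if (devent->result != ISC_R_CANCELED) no_response = ISC_TRUE;`. The added `finish = NULL;` restates the initialization a few lines earlier in the same function and is redundant unless `finish` is assigned between the two points, which these hunks do not show; a comment saying why it is reset, or dropping it, would remove the question. The body of resquery_response() is largely outside these hunks.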
diff --git a/CHANGES b/CHANGES index 183971c902..8bbf0a7bd0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2957. [bug] RTT estimates were not being adjusted on ICMP errors. + [RT #20772] + 2956. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5a1b3240f1..d00c88d0d5 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.22 2010/02/25 10:56:41 tbox Exp $ */ +/* $Id: resolver.c,v 1.384.14.23 2010/03/04 06:49:41 marka Exp $ */ /*! \file */ @@ -6090,6 +6090,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { unsigned int findoptions; isc_result_t broken_server; badnstype_t broken_type = badns_response; + isc_boolean_t no_response; REQUIRE(VALID_QUERY(query)); fctx = query->fctx; @@ -6112,6 +6113,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { resend = ISC_FALSE; truncated = ISC_FALSE; finish = NULL; + no_response = ISC_FALSE; if (fctx->res->exiting) { result = ISC_R_SHUTTINGDOWN; @@ -6159,7 +6161,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* * If this is a network error on an exclusive query * socket, mark the server as bad so that we won't try - * it for this fetch again. + * it for this fetch again. Also adjust finish and + * no_response so that we penalize this address in SRTT + * adjustment later. */ if (query->exclusivesocket && (devent->result == ISC_R_HOSTUNREACH || @@ -6168,6 +6172,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { devent->result == ISC_R_CANCELED)) { broken_server = devent->result; broken_type = badns_unreachable; + finish = NULL; + no_response = ISC_TRUE; } } goto done; 
@@ -6641,7 +6647,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * * XXXRTH Don't cancel the query if waiting for validation? */ - fctx_cancelquery(&query, &devent, finish, ISC_FALSE); + fctx_cancelquery(&query, &devent, finish, no_response); if (keep_trying) { if (result == DNS_R_FORMERR) From 10ed862c729b8b9f88ad15804e17ac992a2c3694 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 07:16:57 +0000 Subject: [PATCH 27/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 9099d3f174..488625d7a7 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.86 2010/03/04 06:19:30 tbox Exp $ +# $Id: SRCID,v 1.1.4.87 2010/03/04 07:16:57 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 06:19:30 $ )" +SRCID="( $Date: 2010/03/04 07:16:57 $ )" From fa291c34fb98b36d3f60ab30d060db9409043c42 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 07:17:29 +0000 Subject: [PATCH 28/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index ae7d3fecd6..487ec3b092 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.173 2010/03/04 06:22:28 tbox Exp $ +# $Id: SRCID,v 1.174 2010/03/04 07:17:29 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 06:22:28 $ )" +SRCID="( $Date: 2010/03/04 07:17:29 $ )" From 56c2c3835f56adb4cbe4af3aadf969248e53174f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 20:34:16 +0000 Subject: [PATCH 29/58] 10.53.0.1 through 10.53.0.5 -> 10.53.0.1 through 10.53.0.7 --- bin/tests/system/runall.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh index 23ad53fd77..cbf297836c 100644 --- a/bin/tests/system/runall.sh +++ b/bin/tests/system/runall.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: runall.sh,v 1.8 2007/06/19 23:47:00 tbox Exp $ +# $Id: runall.sh,v 1.9 2010/03/04 20:34:16 marka Exp $ # # Run all the system tests. @@ -35,7 +35,7 @@ $PERL testsock.pl || { cat <&2 I: I:NOTE: Many of the tests were skipped because they require that -I: the IP addresses 10.53.0.1 through 10.53.0.5 are configured +I: the IP addresses 10.53.0.1 through 10.53.0.7 are configured I: as alias addresses on the loopback interface. Please run I: "bin/tests/system/ifconfig.sh up" as root to configure them I: and rerun the tests. From bd598c1756ffd7d8188a845c5ba89dc681e27423 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 20:34:54 +0000 Subject: [PATCH 30/58] 10.53.0.1 through 10.53.0.5 -> 10.53.0.1 through 10.53.0.7 --- bin/tests/system/runall.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh index 23ad53fd77..825954bdf3 100644 --- a/bin/tests/system/runall.sh +++ b/bin/tests/system/runall.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: runall.sh,v 1.8 2007/06/19 23:47:00 tbox Exp $ +# $Id: runall.sh,v 1.8.332.1 2010/03/04 20:34:54 marka Exp $ # # Run all the system tests. @@ -35,7 +35,7 @@ $PERL testsock.pl || { cat <&2 I: I:NOTE: Many of the tests were skipped because they require that -I: the IP addresses 10.53.0.1 through 10.53.0.5 are configured +I: the IP addresses 10.53.0.1 through 10.53.0.7 are configured I: as alias addresses on the loopback interface. Please run I: "bin/tests/system/ifconfig.sh up" as root to configure them I: and rerun the tests. 
From 2d7ef7fdb7c73f2042a079b54a43e9ff6364c1ac Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 21:16:44 +0000 Subject: [PATCH 31/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 488625d7a7..285a2d9368 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.87 2010/03/04 07:16:57 tbox Exp $ +# $Id: SRCID,v 1.1.4.88 2010/03/04 21:16:44 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 07:16:57 $ )" +SRCID="( $Date: 2010/03/04 21:16:44 $ )" From 017032bb4b38f0030c92b774a54d7cbdfcfb19ff Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 21:17:24 +0000 Subject: [PATCH 32/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 487ec3b092..0e5892b1d0 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.174 2010/03/04 07:17:29 tbox Exp $ +# $Id: SRCID,v 1.175 2010/03/04 21:17:24 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 07:17:29 $ )" +SRCID="( $Date: 2010/03/04 21:17:24 $ )" From 22c4126ba51175af1453cd2254c303c6f65a766c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 22:25:31 +0000 Subject: [PATCH 33/58] 2958. [bug] When canceling validation it was possible to leak memory. [RT #20800] --- CHANGES | 3 +++ lib/dns/resolver.c | 12 ++---------- lib/dns/validator.c | 26 +++++++++++++------------- 3 files changed, 18 insertions(+), 23 deletions(-) diff --git a/CHANGES b/CHANGES index c4a232dc7a..1fe885e517 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,6 @@ +2958. [bug] When canceling validation it was possible to leak + memory. [RT #20800] + 2957. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 41d022d8dd..12f89e68f3 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.418 2010/03/04 06:43:21 marka Exp $ */ +/* $Id: resolver.c,v 1.419 2010/03/04 22:25:31 marka Exp $ */ /*! \file */ @@ -484,7 +484,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, inc_stats(fctx->res, dns_resstatscounter_val); if ((valoptions & DNS_VALIDATOR_DEFER) == 0) { INSIST(fctx->validator == NULL); - fctx->validator = validator; + fctx->validator = validator; } ISC_LIST_APPEND(fctx->validators, validator, link); } else @@ -3911,14 +3911,6 @@ maybe_destroy(fetchctx_t *fctx) { validator != NULL; validator = next_validator) { next_validator = ISC_LIST_NEXT(validator, link); dns_validator_cancel(validator); - /* - * If this is a active validator wait for the cancel - * to complete before calling dns_validator_destroy(). - */ - if (validator == fctx->validator) - continue; - ISC_LIST_UNLINK(fctx->validators, validator, link); - dns_validator_destroy(&validator); } bucketnum = fctx->bucketnum; diff --git a/lib/dns/validator.c b/lib/dns/validator.c index b693a37d73..86cdd33a7a 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.185 2010/02/25 05:08:01 tbox Exp $ */ +/* $Id: validator.c,v 1.186 2010/03/04 22:25:31 marka Exp $ */ #include 
@@ -3908,19 +3908,19 @@ dns_validator_cancel(dns_validator_t *validator) {
 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
 
- if (validator->event != NULL) {
- if (validator->fetch != NULL)
- dns_resolver_cancelfetch(validator->fetch);
-
- if (validator->subvalidator != NULL)
- dns_validator_cancel(validator->subvalidator);
- if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
- isc_task_t *task = validator->event->ev_sender;
- validator->options &= ~DNS_VALIDATOR_DEFER;
- isc_event_free((isc_event_t **)&validator->event);
- isc_task_detach(&task);
- }
+ if ((validator->attributes & VALATTR_CANCELED) == 0) {
 validator->attributes |= VALATTR_CANCELED;
+ if (validator->event != NULL) {
+ if (validator->fetch != NULL)
+ dns_resolver_cancelfetch(validator->fetch);
+
+ if (validator->subvalidator != NULL)
+ dns_validator_cancel(validator->subvalidator);
+ if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ validator_done(validator, ISC_R_CANCELED);
+ }
+ }
 }
 UNLOCK(&validator->lock);
 }
From 39131fff991e93935c311bf4e83d73324ddb8218 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 4 Mar 2010 22:31:32 +0000
Subject: [PATCH 34/58] 2958. [bug] When canceling validation it was possible to leak memory. [RT #20800]
---
 CHANGES | 3 +++
 lib/dns/resolver.c | 12 ++----------
 lib/dns/validator.c | 26 +++++++++++++-------------
 3 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/CHANGES b/CHANGES
index 8bbf0a7bd0..124910817e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2958. [bug] When canceling validation it was possible to leak
+ memory. [RT #20800]
+
 2957. [bug] RTT estimates were not being adjusted on ICMP errors.
 [RT #20772]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d00c88d0d5..a83c0d32c5 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
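Review bot: `validator_done(validator, ISC_R_CANCELED)` is now invoked while `validator->lock` is held (the function releases it only at the `UNLOCK(&validator->lock)` just below), so it must not take that lock itself or the cancel deadlocks on a non-recursive mutex; validator_done() is outside the hunk, so this needs confirming. The removed inline code freed the event and detached the task directly; the rewrite relies on validator_done() posting the event to the owner and on the owner calling dns_validator_destroy() from its completion handler, which is also what the maybe_destroy() change in this same commit now assumes by no longer unlinking and destroying the validators itself, so a comment at the call would record the new contract: `/* Finish the deferred validator via its event; the owner destroys it from the completion handler. */`. The `VALATTR_CANCELED` guard makes repeated cancels a no-op, which is the right idempotence to have here.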
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.23 2010/03/04 06:49:41 marka Exp $ */ +/* $Id: resolver.c,v 1.384.14.24 2010/03/04 22:31:31 marka Exp $ */ /*! \file */ @@ -482,7 +482,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, inc_stats(fctx->res, dns_resstatscounter_val); if ((valoptions & DNS_VALIDATOR_DEFER) == 0) { INSIST(fctx->validator == NULL); - fctx->validator = validator; + fctx->validator = validator; } ISC_LIST_APPEND(fctx->validators, validator, link); } else @@ -3870,14 +3870,6 @@ maybe_destroy(fetchctx_t *fctx) { validator != NULL; validator = next_validator) { next_validator = ISC_LIST_NEXT(validator, link); dns_validator_cancel(validator); - /* - * If this is a active validator wait for the cancel - * to complete before calling dns_validator_destroy(). - */ - if (validator == fctx->validator) - continue; - ISC_LIST_UNLINK(fctx->validators, validator, link); - dns_validator_destroy(&validator); } bucketnum = fctx->bucketnum; diff --git a/lib/dns/validator.c b/lib/dns/validator.c index cfa79b54a3..fddfe17d40 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.13 2010/02/25 10:56:41 tbox Exp $ */ +/* $Id: validator.c,v 1.164.12.14 2010/03/04 22:31:32 marka Exp $ */ #include 
@@ -3846,19 +3846,19 @@ dns_validator_cancel(dns_validator_t *validator) { validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel"); - if (validator->event != NULL) { - if (validator->fetch != NULL) - dns_resolver_cancelfetch(validator->fetch); - - if (validator->subvalidator != NULL) - dns_validator_cancel(validator->subvalidator); - if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { - isc_task_t *task = validator->event->ev_sender; - validator->options &= ~DNS_VALIDATOR_DEFER; - isc_event_free((isc_event_t **)&validator->event); - isc_task_detach(&task); - } + if ((validator->attributes & VALATTR_CANCELED) == 0) { validator->attributes |= VALATTR_CANCELED; + if (validator->event != NULL) { + if (validator->fetch != NULL) + dns_resolver_cancelfetch(validator->fetch); + + if (validator->subvalidator != NULL) + dns_validator_cancel(validator->subvalidator); + if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { + validator->options &= ~DNS_VALIDATOR_DEFER; + validator_done(validator, ISC_R_CANCELED); + } + } } UNLOCK(&validator->lock); } From ab273fe3ac790fd6f98365e49bf5fc153afc31aa Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 23:16:52 +0000 Subject: [PATCH 35/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 285a2d9368..24cd9b703d 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.88 2010/03/04 21:16:44 tbox Exp $ +# $Id: SRCID,v 1.1.4.89 2010/03/04 23:16:52 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 21:16:44 $ )" +SRCID="( $Date: 2010/03/04 23:16:52 $ )" From 4db00f967f6a49325bc541bde04ffa4f34d75af3 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 23:17:30 +0000 Subject: [PATCH 36/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/doc/private/SRCID b/doc/private/SRCID index 0e5892b1d0..6d61ae0a97 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.175 2010/03/04 21:17:24 tbox Exp $ +# $Id: SRCID,v 1.176 2010/03/04 23:17:30 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/04 21:17:24 $ )" +SRCID="( $Date: 2010/03/04 23:17:30 $ )" From 6d07a89f6c3974499bd5cb445eab5ffba2b93bf8 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 23:30:36 +0000 Subject: [PATCH 37/58] newcopyrights --- util/copyrights | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/util/copyrights b/util/copyrights index 8edb997954..48625ba23e 100644 --- a/util/copyrights +++ b/util/copyrights @@ -764,7 +764,7 @@ ./bin/tests/system/rrsetorder/ns3/named.conf CONF-C 2006,2007 ./bin/tests/system/rrsetorder/tests.sh SH 2006,2007,2008 ./bin/tests/system/run.sh SH 2000,2001,2004,2007 -./bin/tests/system/runall.sh SH 2000,2001,2004,2007 +./bin/tests/system/runall.sh SH 2000,2001,2004,2007,2010 ./bin/tests/system/send.pl PERL 2001,2004,2007 ./bin/tests/system/setup.sh SH 2000,2001,2004,2007 ./bin/tests/system/sortlist/clean.sh SH 2000,2001,2004,2007 @@ -1582,7 +1582,7 @@ ./lib/bind9/.cvsignore X 2001 ./lib/bind9/Makefile.in MAKE 2001,2004,2007 ./lib/bind9/api X 2001,2006,2008,2009 -./lib/bind9/check.c C 2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/bind9/check.c C 2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/bind9/getaddresses.c C 2001,2002,2004,2005,2007 ./lib/bind9/include/.cvsignore X 2001 ./lib/bind9/include/Makefile.in MAKE 2001,2004,2007 
@@ -1965,7 +1965,7 @@ ./lib/isc/include/isc/log.h C 1999,2000,2001,2002,2004,2005,2006,2007,2009 ./lib/isc/include/isc/magic.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/isc/include/isc/md5.h C 2000,2001,2004,2005,2006,2007 -./lib/isc/include/isc/mem.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009 +./lib/isc/include/isc/mem.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010 ./lib/isc/include/isc/msgcat.h C 1999,2000,2001,2004,2005,2007 ./lib/isc/include/isc/msgs.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008 ./lib/isc/include/isc/mutexblock.h C 1999,2000,2001,2004,2005,2006,2007 @@ -2013,7 +2013,7 @@ ./lib/isc/lib.c C 1999,2000,2001,2004,2005,2007 ./lib/isc/log.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2009 ./lib/isc/md5.c C 2000,2001,2004,2005,2007 -./lib/isc/mem.c C 1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/isc/mem.c C 1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/isc/mips/.cvsignore X 2007 ./lib/isc/mips/Makefile.in MAKE 2007 ./lib/isc/mips/include/.cvsignore X 2007 From 129090f0f6f91753b4a085ab635e28549fd018ad Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 4 Mar 2010 23:32:07 +0000 Subject: [PATCH 38/58] newcopyrights --- util/copyrights | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/util/copyrights b/util/copyrights index 85b633a1fe..c6513a7433 100644 --- a/util/copyrights +++ b/util/copyrights 
@@ -64,8 +64,8 @@ ./bin/dig/.cvsignore X 2000,2001 ./bin/dig/Makefile.in MAKE 2000,2001,2002,2004,2005,2007,2009 ./bin/dig/dig.1 MAN DOCBOOK -./bin/dig/dig.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./bin/dig/dig.docbook SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./bin/dig/dig.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 +./bin/dig/dig.docbook SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./bin/dig/dig.html HTML DOCBOOK ./bin/dig/dighost.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/dig/host.1 MAN DOCBOOK @@ -223,7 +223,7 @@ ./bin/nsupdate/.cvsignore X 2000,2001 ./bin/nsupdate/Makefile.in MAKE 2000,2001,2002,2004,2006,2007,2008,2009 ./bin/nsupdate/nsupdate.1 MAN DOCBOOK -./bin/nsupdate/nsupdate.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./bin/nsupdate/nsupdate.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./bin/nsupdate/nsupdate.docbook SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/nsupdate/nsupdate.html HTML DOCBOOK ./bin/nsupdate/win32/nsupdate.dsp X 2001,2004,2005,2009 @@ -896,7 +896,7 @@ ./bin/tests/system/rrsetorder/ns3/named.conf CONF-C 2006,2007 ./bin/tests/system/rrsetorder/tests.sh SH 2006,2007,2008 ./bin/tests/system/run.sh SH 2000,2001,2004,2007 -./bin/tests/system/runall.sh SH 2000,2001,2004,2007 +./bin/tests/system/runall.sh SH 2000,2001,2004,2007,2010 ./bin/tests/system/send.pl PERL 2001,2004,2007 ./bin/tests/system/setup.sh SH 2000,2001,2004,2007 ./bin/tests/system/smartsign/child.db ZONE 2010 @@ -1825,7 +1825,7 @@ ./lib/bind9/.cvsignore X 2001 ./lib/bind9/Makefile.in MAKE 2001,2004,2007,2009 ./lib/bind9/api X 2001,2006,2008,2009 -./lib/bind9/check.c C 2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/bind9/check.c C 2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/bind9/getaddresses.c C 2001,2002,2004,2005,2007 ./lib/bind9/include/.cvsignore X 2001 ./lib/bind9/include/Makefile.in MAKE 2001,2004,2007 
@@ -1912,7 +1912,7 @@ ./lib/dns/include/dns/lookup.h C 2000,2001,2004,2005,2006,2007,2009 ./lib/dns/include/dns/master.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/masterdump.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008 -./lib/dns/include/dns/message.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/include/dns/message.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/include/dns/name.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009 ./lib/dns/include/dns/ncache.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/nsec.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008 @@ -1931,7 +1931,7 @@ ./lib/dns/include/dns/rdatasetiter.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/rdataslab.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008 ./lib/dns/include/dns/rdatatype.h C 1998,1999,2000,2001,2004,2005,2006,2007,2008 -./lib/dns/include/dns/request.h C 2000,2001,2002,2004,2005,2006,2007,2009 +./lib/dns/include/dns/request.h C 2000,2001,2002,2004,2005,2006,2007,2009,2010 ./lib/dns/include/dns/resolver.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/include/dns/result.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/include/dns/rootns.h C 1999,2000,2001,2004,2005,2006,2007 @@ -1974,7 +1974,7 @@ ./lib/dns/lookup.c C 2000,2001,2003,2004,2005,2007 ./lib/dns/master.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/masterdump.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./lib/dns/message.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/message.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/name.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2010 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009 
@@ -2115,7 +2115,7 @@ ./lib/dns/rdataset.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/rdatasetiter.c C 1999,2000,2001,2004,2005,2007 ./lib/dns/rdataslab.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 -./lib/dns/request.c C 2000,2001,2002,2004,2005,2006,2007,2008,2009 +./lib/dns/request.c C 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/resolver.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2010 ./lib/dns/rootns.c C 1999,2000,2001,2002,2004,2005,2007,2008 @@ -2308,7 +2308,7 @@ ./lib/isc/include/isc/log.h C 1999,2000,2001,2002,2004,2005,2006,2007,2009 ./lib/isc/include/isc/magic.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/isc/include/isc/md5.h C 2000,2001,2004,2005,2006,2007,2009,2010 -./lib/isc/include/isc/mem.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009 +./lib/isc/include/isc/mem.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010 ./lib/isc/include/isc/msgcat.h C 1999,2000,2001,2004,2005,2007 ./lib/isc/include/isc/msgs.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/isc/include/isc/mutexblock.h C 1999,2000,2001,2004,2005,2006,2007 @@ -2357,7 +2357,7 @@ ./lib/isc/lib.c C 1999,2000,2001,2004,2005,2007,2009 ./lib/isc/log.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2009 ./lib/isc/md5.c C 2000,2001,2004,2005,2007,2009 -./lib/isc/mem.c C 1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/isc/mem.c C 1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/isc/mem_api.c C 2009 ./lib/isc/mips/.cvsignore X 2007 ./lib/isc/mips/Makefile.in MAKE 2007 From 875245e3c48e160de29f5a0bb44ce39cf62d6e84 Mon Sep 17 00:00:00 2001 
From: Automatic Updater Date: Thu, 4 Mar 2010 23:47:53 +0000 Subject: [PATCH 39/58] update copyright notice --- bin/tests/system/runall.sh | 4 ++-- lib/bind9/check.c | 34 +++++++++++++++++----------------- lib/dns/validator.c | 4 ++-- lib/isc/include/isc/mem.h | 4 ++-- lib/isc/mem.c | 4 ++-- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh index 825954bdf3..3f02bb26ce 100644 --- a/bin/tests/system/runall.sh +++ b/bin/tests/system/runall.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: runall.sh,v 1.8.332.1 2010/03/04 20:34:54 marka Exp $ +# $Id: runall.sh,v 1.8.332.2 2010/03/04 23:47:53 tbox Exp $ # # Run all the system tests. diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d661c056d7..e433b54548 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.95.12.5 2010/03/04 06:29:33 marka Exp $ */ +/* $Id: check.c,v 1.95.12.6 2010/03/04 23:47:53 tbox Exp $ */ /*! \file */ 
@@ -1682,35 +1682,35 @@ check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
 isc_uint32_t flags, proto, alg;
 unsigned char keydata[4096];
- flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
- proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
- alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
- keyname = dns_fixedname_name(&fkeyname);
- keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+ keyname = dns_fixedname_name(&fkeyname);
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
- if (flags > 0xffff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (flags > 0xffff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "flags too big: %u\n", flags);
 result = ISC_R_FAILURE;
 }
- if (proto > 0xff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (proto > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "protocol too big: %u\n", proto);
 result = ISC_R_FAILURE;
 }
- if (alg > 0xff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (alg > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "algorithm too big: %u\n", alg);
 result = ISC_R_FAILURE;
 }
- isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+ isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
- keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
- tresult = isc_base64_decodestring(keystr, &keydatabuf);
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ tresult = isc_base64_decodestring(keystr, &keydatabuf);
 if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 "%s", isc_result_totext(tresult));
 result = ISC_R_FAILURE;
 } else {
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index fddfe17d40..1b95cc7973 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c 
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.164.12.14 2010/03/04 22:31:32 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.15 2010/03/04 23:47:53 tbox Exp $ */
 #include
@@ -3848,7 +3848,7 @@ dns_validator_cancel(dns_validator_t *validator) {
 if ((validator->attributes & VALATTR_CANCELED) == 0) {
 validator->attributes |= VALATTR_CANCELED;
- if (validator->event != NULL) {
+ if (validator->event != NULL) {
 if (validator->fetch != NULL)
 dns_resolver_cancelfetch(validator->fetch);
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 5c0c4e652c..84c0724bde 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1997-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: mem.h,v 1.78.120.4 2010/03/04 05:59:07 marka Exp $ */
+/* $Id: mem.h,v 1.78.120.5 2010/03/04 23:47:53 tbox Exp $ */
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 69052cda72..2146983041 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1997-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: mem.c,v 1.145.120.5 2010/03/04 05:59:07 marka Exp $ */
+/* $Id: mem.c,v 1.145.120.6 2010/03/04 23:47:53 tbox Exp $ */
 /*! \file */
From 4d42b714be10e6f163d23507e4e3a396a8ac0364 Mon Sep 17 00:00:00 2001 
From: Automatic Updater
Date: Thu, 4 Mar 2010 23:50:34 +0000
Subject: [PATCH 40/58] update copyright notice
---
 bin/dig/dig.c | 4 +--
 bin/dig/dig.docbook | 5 ++--
 bin/nsupdate/nsupdate.c | 4 +--
 bin/tests/system/runall.sh | 4 +--
 lib/bind9/check.c | 50 +++++++++++++++++------------------
 lib/dns/include/dns/message.h | 4 +--
 lib/dns/include/dns/request.h | 4 +--
 lib/dns/message.c | 6 ++---
 lib/dns/request.c | 4 +--
 lib/dns/validator.c | 4 +--
 lib/isc/include/isc/mem.h | 4 +--
 lib/isc/mem.c | 4 +--
 12 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index b729489281..7cf751ff82 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dig.c,v 1.234 2010/03/04 05:18:04 marka Exp $ */
+/* $Id: dig.c,v 1.235 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 6ebcd37d54..d64d038b50 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> - +
@@ -44,6 +44,7 @@ 2007 2008 2009 + 2010 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index f9471314cb..542b62e425 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any 
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsupdate.c,v 1.174 2010/03/04 05:24:56 marka Exp $ */
+/* $Id: nsupdate.c,v 1.175 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */
diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh
index cbf297836c..bf38cd7454 100644
--- a/bin/tests/system/runall.sh
+++ b/bin/tests/system/runall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: runall.sh,v 1.9 2010/03/04 20:34:16 marka Exp $
+# $Id: runall.sh,v 1.10 2010/03/04 23:50:34 tbox Exp $
 #
 # Run all the system tests.
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b6ca21821b..b678635bd5 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2001-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: check.c,v 1.115 2010/03/04 06:17:01 marka Exp $ */
+/* $Id: check.c,v 1.116 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */ 
@@ -1755,48 +1755,48 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
 isc_uint32_t flags, proto, alg;
 unsigned char keydata[4096];
- flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
- proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
- alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
- keyname = dns_fixedname_name(&fkeyname);
- keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+ keyname = dns_fixedname_name(&fkeyname);
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
- if (flags > 0xffff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (flags > 0xffff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "flags too big: %u\n", flags);
 result = ISC_R_FAILURE;
 }
- if (proto > 0xff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (proto > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "protocol too big: %u\n", proto);
 result = ISC_R_FAILURE;
 }
- if (alg > 0xff) {
- cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ if (alg > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 "algorithm too big: %u\n", alg);
 result = ISC_R_FAILURE;
 }
 if (managed) {
- const char *initmethod;
- initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+ const char *initmethod;
+ initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
- if (strcasecmp(initmethod, "initial-key") != 0) {
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
- "managed key '%s': "
- "invalid initialization method '%s'",
- keynamestr, initmethod);
- result = ISC_R_FAILURE;
+ if (strcasecmp(initmethod, "initial-key") != 0) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "managed key '%s': "
+ "invalid initialization method '%s'",
+ keynamestr, initmethod);
+ result = ISC_R_FAILURE;
 }
 }
- isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+ isc_buffer_init(&keydatabuf, keydata, 
sizeof(keydata));
- keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
- tresult = isc_base64_decodestring(keystr, &keydatabuf);
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ tresult = isc_base64_decodestring(keystr, &keydatabuf);
 if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 "%s", isc_result_totext(tresult));
 result = ISC_R_FAILURE;
 } else {
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 54ab11bc41..25aceb1309 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: message.h,v 1.131 2010/03/04 05:18:04 marka Exp $ */
+/* $Id: message.h,v 1.132 2010/03/04 23:50:34 tbox Exp $ */
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index 69b72b3cd1..8c792ddd57 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: request.h,v 1.30 2010/03/04 05:24:56 marka Exp $ */
+/* $Id: request.h,v 1.31 2010/03/04 23:50:34 tbox Exp $ */
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 42b783ee4a..1bbfe3ab8b 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c 
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: message.c,v 1.250 2010/03/04 05:18:04 marka Exp $ */
+/* $Id: message.c,v 1.251 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */
@@ -3144,7 +3144,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 for (rdataset = ISC_LIST_HEAD(name->list);
 rdataset != NULL;
 rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (section == DNS_SECTION_ANSWER &&
+ if (section == DNS_SECTION_ANSWER &&
 rdataset->type == dns_rdatatype_soa) {
 if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0)
 continue;
diff --git a/lib/dns/request.c b/lib/dns/request.c
index fbe5f3527b..860af00db7 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: request.c,v 1.86 2010/03/04 05:24:56 marka Exp $ */
+/* $Id: request.c,v 1.87 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 86cdd33a7a..fb3c5b5df8 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.186 2010/03/04 22:25:31 marka Exp $ */
+/* $Id: validator.c,v 1.187 2010/03/04 23:50:34 tbox Exp $ */
 #include 
@@ -3910,7 +3910,7 @@ dns_validator_cancel(dns_validator_t *validator) {
 if ((validator->attributes & VALATTR_CANCELED) == 0) {
 validator->attributes |= VALATTR_CANCELED;
- if (validator->event != NULL) {
+ if (validator->event != NULL) {
 if (validator->fetch != NULL)
 dns_resolver_cancelfetch(validator->fetch);
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 70d1c81dc0..714e43fc78 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1997-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: mem.h,v 1.87 2010/03/04 05:45:51 marka Exp $ */
+/* $Id: mem.h,v 1.88 2010/03/04 23:50:34 tbox Exp $ */
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 6530892727..5b11d08dcf 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1997-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: mem.c,v 1.154 2010/03/04 05:29:15 marka Exp $ */
+/* $Id: mem.c,v 1.155 2010/03/04 23:50:34 tbox Exp $ */
 /*! \file */
From d6143438c381f1e1f487cf862d85f314a5328b6e Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Fri, 5 Mar 2010 00:18:34 +0000
Subject: [PATCH 41/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 24cd9b703d..2ee844cd72 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID 
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.1.4.89 2010/03/04 23:16:52 tbox Exp $
+# $Id: SRCID,v 1.1.4.90 2010/03/05 00:18:34 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/04 23:16:52 $ )"
+SRCID="( $Date: 2010/03/05 00:18:34 $ )"
From 5488182a6965078aadb8b9c29550d2e6f67cc17d Mon Sep 17 00:00:00 2001
From: Automatic Updater
Date: Fri, 5 Mar 2010 00:20:54 +0000
Subject: [PATCH 42/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 6d61ae0a97..5212245702 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.176 2010/03/04 23:17:30 tbox Exp $
+# $Id: SRCID,v 1.177 2010/03/05 00:20:54 tbox Exp $
 #
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2010/03/04 23:17:30 $ )"
+SRCID="( $Date: 2010/03/05 00:20:54 $ )"
From 6c8a888822cfe45f0525e7496dcaa27d341b6a5e Mon Sep 17 00:00:00 2001 
From: Automatic Updater
Date: Fri, 5 Mar 2010 01:14:15 +0000
Subject: [PATCH 43/58] regen HEAD
---
 bin/dig/dig.1 | 11 ++++++++---
 bin/dig/dig.html | 28 +++++++++++++++++-----------
 doc/arm/man.arpaname.html | 8 ++++----
 doc/arm/man.ddns-confgen.html | 10 +++++-----
 doc/arm/man.dig.html | 26 ++++++++++++++++----------
 doc/arm/man.dnssec-dsfromkey.html | 16 ++++++++--------
 doc/arm/man.dnssec-keyfromlabel.html | 14 +++++++-------
 doc/arm/man.dnssec-keygen.html | 16 ++++++++--------
 doc/arm/man.dnssec-revoke.html | 10 +++++-----
 doc/arm/man.dnssec-settime.html | 14 +++++++-------
 doc/arm/man.dnssec-signzone.html | 12 ++++++------
 doc/arm/man.genrandom.html | 10 +++++-----
 doc/arm/man.host.html | 10 +++++-----
 doc/arm/man.isc-hmac-fixup.html | 10 +++++-----
 doc/arm/man.named-checkconf.html | 12 ++++++------
 doc/arm/man.named-checkzone.html | 12 ++++++------
 doc/arm/man.named-journalprint.html | 8 ++++----
 doc/arm/man.named.html | 16 ++++++++--------
 doc/arm/man.nsec3hash.html | 10 +++++-----
 doc/arm/man.nsupdate.html | 14 +++++++-------
 doc/arm/man.rndc-confgen.html | 12 ++++++------
 doc/arm/man.rndc.conf.html | 12 ++++++------
 doc/arm/man.rndc.html | 12 ++++++------
 23 files changed, 160 insertions(+), 143 deletions(-)
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 11da6c1555..db0cdc5208 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.53 2009/07/11 01:12:45 tbox Exp $
+.\" $Id: dig.1,v 1.54 2010/03/05 01:14:15 tbox Exp $
 .\"
 .hy 0
 .ad l 
@@ -455,6 +455,11 @@ Print records like the SOA records in a verbose multi\-line format with human\-r
 output.
 .RE
 .PP
+\fB+[no]onesoa\fR
+.RS 4
+Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
+.RE
+.PP
 \fB+[no]fail\fR
 .RS 4
 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
@@ -562,7 +567,7 @@ RFC1035.
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 5ddde98262..a1b3fa1cfd 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,5 +1,5 @@ - +
@@ -34,7 +34,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -80,7 +80,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -126,7 +126,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -230,7 +230,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -499,6 +499,12 @@ each record on a single line, to facilitate machine parsing of the dig output.

+
+[no]onesoa
+

+ Print only one (starting) SOA record when performing + an AXFR. The default is to print both the starting and + ending SOA records. +

+[no]fail

Do not try the next server if you receive a SERVFAIL. The @@ -555,7 +561,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -601,7 +607,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -615,14 +621,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -630,7 +636,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e91153d238..a27577ef54 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 7615e5db12..b2d71400db 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]

-

DESCRIPTION

+

DESCRIPTION

ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -144,7 +144,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -152,7 +152,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 7b5faf6143..b43ecee34b 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -517,6 +517,12 @@ each record on a single line, to facilitate machine parsing of the dig output.

+
+[no]onesoa
+

+ Print only one (starting) SOA record when performing + an AXFR. The default is to print both the starting and + ending SOA records. +

+[no]fail

Do not try the next server if you receive a SERVFAIL. The @@ -573,7 +579,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +625,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +639,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +654,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index dbb998770d..fceecccc24 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -119,7 +119,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -134,7 +134,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -148,13 +148,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -164,7 +164,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 5e0849ba34..d1d5dec694 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -182,7 +182,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -229,7 +229,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -268,7 +268,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -276,7 +276,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 19288035aa..43c8014fc7 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -256,7 +256,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -303,7 +303,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -349,7 +349,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -370,7 +370,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -379,7 +379,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 5a66123468..741a3b9339 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -91,14 +91,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 213e0a692a..c6ff9c1ac8 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -75,7 +75,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -106,7 +106,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -151,7 +151,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -177,7 +177,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -185,7 +185,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index efe382cce4..d7e47cbb24 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -397,7 +397,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -427,14 +427,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index d95bf7a8ed..b1794560db 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

genrandom {size} (unknown)

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file containing a specified quantity of pseudo-random @@ -59,7 +59,7 @@

-

ARGUMENTS

+

ARGUMENTS

size

@@ -72,14 +72,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 146fa7974c..577744f090 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 41556f6b73..29efd4f3cc 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index e650a57798..7832358b65 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-p] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -109,21 +109,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 207522cef9..c893e341f2 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-r mode] [-s style] [-t directory] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -265,14 +265,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -280,7 +280,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 9b2dd24cef..8d2a05f501 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -84,7 +84,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 93b032da80..1eba32e480 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -246,7 +246,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -267,7 +267,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -284,7 +284,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -297,7 +297,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -310,7 +310,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index ef0dd43a2d..1a89cbf441 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -80,14 +80,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 3cdac586f3..664cc86a52 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -210,7 +210,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -474,7 +474,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -528,7 +528,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -551,7 +551,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -566,7 +566,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 0627875530..ecd26d17fd 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -173,7 +173,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -190,7 +190,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -198,7 +198,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 8a568fafc0..c18710ebca 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 3d54438429..0c639aae96 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From 690a5f9158b9ab0b10247f0dd628671aa9d7e4ce Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 5 Mar 2010 01:16:46 +0000 Subject: [PATCH 44/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 5212245702..3dbf883eee 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.177 2010/03/05 00:20:54 tbox Exp $ +# $Id: SRCID,v 1.178 2010/03/05 01:16:46 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/05 00:20:54 $ )" +SRCID="( $Date: 2010/03/05 01:16:46 $ )" From 5e95cf76e46d93d6b6c2e3cd1aca4c1ab33f827e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 5 Mar 2010 03:36:42 +0000 Subject: [PATCH 45/58] change numbers --- CHANGES | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 1fe885e517..77801fdce6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,16 +1,16 @@ -2958. [bug] When canceling validation it was possible to leak +2959. [bug] When canceling validation it was possible to leak memory. [RT #20800] -2957. [bug] RTT estimates were not being adjusted on ICMP errors. +2958. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] -2956. [bug] named-checkconf did not fail on a bad trusted key. +2957. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] -2955. [bug] The size of a memory allocation was not always properly +2956. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] -2854. [func] nsupdate will now preserve the entered case of domain +2855. [func] nsupdate will now preserve the entered case of domain names in update requests it sends. [RT #20928] 2854. [func] dig: allow the final soa record in a axfr response to From 5b976ced070a6e16e69dcce31816bd300020fcbc Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 5 Mar 2010 03:40:48 +0000 Subject: [PATCH 46/58] change numbers --- CHANGES | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 124910817e..8411108561 100644 --- a/CHANGES +++ b/CHANGES @@ -1,13 +1,13 @@ -2958. [bug] When canceling validation it was possible to leak +2959. [bug] When canceling validation it was possible to leak memory. [RT #20800] -2957. [bug] RTT estimates were not being adjusted on ICMP errors. +2958. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] -2956. [bug] named-checkconf did not fail on a bad trusted key. +2957. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] -2955. [bug] The size of a memory allocation was not always properly +2956. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] 2853. [bug] add_sigs() could run out of scratch space. [RT #21015] From f8f74c4133d613d928c10c7e3b1280a6c0ab30b5 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 5 Mar 2010 04:19:14 +0000 Subject: [PATCH 47/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 2ee844cd72..a499b6b8c2 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.90 2010/03/05 00:18:34 tbox Exp $ +# $Id: SRCID,v 1.1.4.91 2010/03/05 04:19:14 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/05 00:18:34 $ )" +SRCID="( $Date: 2010/03/05 04:19:14 $ )" From a5c06c85fa12fb47ffef0a7d46108087dd2c65d3 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 5 Mar 2010 04:21:39 +0000 Subject: [PATCH 48/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 3dbf883eee..e6de07de77 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID 
@@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.178 2010/03/05 01:16:46 tbox Exp $ +# $Id: SRCID,v 1.179 2010/03/05 04:21:39 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/05 01:16:46 $ )" +SRCID="( $Date: 2010/03/05 04:21:39 $ )" From 637a4234fab5dacacfa0d4fb8b41290b634b252f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 6 Mar 2010 05:25:36 +0000 Subject: [PATCH 49/58] change numbers --- CHANGES | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 77801fdce6..8e4d4da40b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,13 +1,13 @@ -2959. [bug] When canceling validation it was possible to leak +2859. [bug] When canceling validation it was possible to leak memory. [RT #20800] -2958. [bug] RTT estimates were not being adjusted on ICMP errors. +2858. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] -2957. [bug] named-checkconf did not fail on a bad trusted key. +2857. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] -2956. [bug] The size of a memory allocation was not always properly +2856. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] 2855. [func] nsupdate will now preserve the entered case of domain From 9860bf773655abbdc18ab75c1dc0e71cdd6ff5c8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 6 Mar 2010 05:29:07 +0000 Subject: [PATCH 50/58] change numbers --- CHANGES | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 8411108561..5666197c7f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,13 +1,13 @@ -2959. [bug] When canceling validation it was possible to leak +2859. [bug] When canceling validation it was possible to leak memory. [RT #20800] -2958. [bug] RTT estimates were not being adjusted on ICMP errors. +2858. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772] -2957. [bug] named-checkconf did not fail on a bad trusted key. +2857. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] -2956. [bug] The size of a memory allocation was not always properly +2856. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] 2853. [bug] add_sigs() could run out of scratch space. [RT #21015] From ce0a4906ad27a8743e4f59e8ea06433640d78e54 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 6 Mar 2010 05:35:50 +0000 Subject: [PATCH 51/58] spelling --- CHANGES | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 8e4d4da40b..4633f10b61 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -2859. [bug] When canceling validation it was possible to leak +2859. [bug] When cancelling validation it was possible to leak memory. [RT #20800] 2858. [bug] RTT estimates were not being adjusted on ICMP errors. @@ -48,7 +48,7 @@ either of the keys has been revoked. (To override this in the case of dnssec-keyfromlabel, use the -y option. dnssec-keygen will simply create a - different, noncolliding key, so an override is + different, non-colliding key, so an override is not necessary.) [RT #20838] 2842. [func] Added "smartsign" and improved "autosign" and @@ -137,7 +137,7 @@ 2818. [cleanup] rndc could return an incorrect error code when a zone was not found. [RT #20767] -2817. [cleanup] Removed unnecessary isc_tasc_endexclusive() calls. +2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls. [RT #20768] 2816. [bug] previous_closest_nsec() could fail to return From fe349528ebdfcbca8eeff3ef3100742ce7ce477f Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Sat, 6 Mar 2010 05:36:14 +0000 Subject: [PATCH 52/58] spelling --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 5666197c7f..31f526ea71 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -2859. [bug] When canceling validation it was possible to leak +2859. [bug] When cancelling validation it was possible to leak memory. [RT #20800] 2858. [bug] RTT estimates were not being adjusted on ICMP errors. From 87850966d09786ba674a8b741c9c1890cb91f2db Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 6 Mar 2010 06:25:37 +0000 Subject: [PATCH 53/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index a499b6b8c2..8d28a1b4f2 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.1.4.91 2010/03/05 04:19:14 tbox Exp $ +# $Id: SRCID,v 1.1.4.92 2010/03/06 06:25:37 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/05 04:19:14 $ )" +SRCID="( $Date: 2010/03/06 06:25:37 $ )" From 44c5f7fe76153d317d54a230375506b8f99f68f5 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 6 Mar 2010 06:27:34 +0000 Subject: [PATCH 54/58] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index e6de07de77..7f8838345c 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.179 2010/03/05 04:21:39 tbox Exp $ +# $Id: SRCID,v 1.180 2010/03/06 06:27:34 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/03/05 04:21:39 $ )" +SRCID="( $Date: 2010/03/06 06:27:34 $ )" From b12035d1900ebe289dca5e00e2c64c2c3df5545f Mon Sep 17 00:00:00 2001 
From: Automatic Updater Date: Sat, 6 Mar 2010 23:19:03 +0000 Subject: [PATCH 55/58] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 41c84605bd..fdefb7c014 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -321,6 +321,7 @@ rt20903 new fdupont // 2010-01-26 12:16 +0000 rt20904 new fdupont // 2010-01-18 13:55 +0000 rt20924 new fdupont // 2010-01-22 17:23 +0000 rt20945 new marka // 2010-02-03 21:47 +0000 +rt21045 new marka // 2010-03-06 05:41 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 0a1d6361d82299af24322badccc4107212835f9e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 8 Mar 2010 01:04:29 +0000 Subject: [PATCH 56/58] new draft --- ...-06.txt => draft-ietf-behave-dns64-07.txt} | 712 ++++++++++-------- ...t => draft-ietf-dnsext-dnssec-gost-07.txt} | 94 +-- 2 files changed, 461 insertions(+), 345 deletions(-) rename doc/draft/{draft-ietf-behave-dns64-06.txt => draft-ietf-behave-dns64-07.txt} (80%) rename doc/draft/{draft-ietf-dnsext-dnssec-gost-06.txt => draft-ietf-dnsext-dnssec-gost-07.txt} (84%) diff --git a/doc/draft/draft-ietf-behave-dns64-06.txt b/doc/draft/draft-ietf-behave-dns64-07.txt similarity index 80% rename from doc/draft/draft-ietf-behave-dns64-06.txt rename to doc/draft/draft-ietf-behave-dns64-07.txt index f648a21029..e287a984a8 100644 --- a/doc/draft/draft-ietf-behave-dns64-06.txt +++ b/doc/draft/draft-ietf-behave-dns64-07.txt @@ -4,17 +4,17 @@ BEHAVE WG M. Bagnulo Internet-Draft UC3M Intended status: Standards Track A. Sullivan -Expires: August 19, 2010 Shinkuro +Expires: September 6, 2010 Shinkuro P. Matthews Alcatel-Lucent I. van Beijnum IMDEA Networks - February 15, 2010 + March 5, 2010 DNS64: DNS extensions for Network Address Translation from IPv6 Clients to IPv4 Servers - draft-ietf-behave-dns64-06 + draft-ietf-behave-dns64-07 Abstract 
@@ -47,14 +47,14 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 19, 2010. + This Internet-Draft will expire on September 6, 2010. -Bagnulo, et al. Expires August 19, 2010 [Page 1] +Bagnulo, et al. Expires September 6, 2010 [Page 1] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 Copyright Notice 
@@ -108,65 +108,121 @@ Copyright Notice -Bagnulo, et al. Expires August 19, 2010 [Page 2] +Bagnulo, et al. Expires September 6, 2010 [Page 2] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3. Background to DNS64-DNSSEC interaction . . . . . . . . . . . . 7 - 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 - 5. DNS64 Normative Specification . . . . . . . . . . . . . . . . 9 - 5.1. Resolving AAAA queries and the answer section . . . . . . 10 - 5.1.1. The answer when there is AAAA data available . . . . . 10 - 5.1.2. The answer when there is an error . . . . . . . . . . 10 - 5.1.3. Special exclusion set for AAAA records . . . . . . . . 10 - 5.1.4. Dealing with CNAME and DNAME . . . . . . . . . . . . . 11 - 5.1.5. Data for the answer when performing synthesis . . . . 11 - 5.1.6. Performing the synthesis . . . . . . . . . . . . . . . 12 - 5.1.7. Querying in parallel . . . . . . . . . . . . . . . . . 12 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Background to DNS64-DNSSEC interaction . . . . . . . . . . . . 8 + 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 5. DNS64 Normative Specification . . . . . . . . . . . . . . . . 10 + 5.1. Resolving AAAA queries and the answer section . . . . . . 11 + 5.1.1. The answer when there is AAAA data available . . . . . 11 + 5.1.2. The answer when there is an error . . . . . . . . . . 11 + 5.1.3. Dealing with timeouts . . . . . . . . . . . . . . . . 12 + 5.1.4. Special exclusion set for AAAA records . . . . . . . . 12 + 5.1.5. Dealing with CNAME and DNAME . . . . . . . . . . . . . 12 + 5.1.6. Data for the answer when performing synthesis . . . . 13 + 5.1.7. Performing the synthesis . . . . . . . . . . . . . . . 
13 + 5.1.8. Querying in parallel . . . . . . . . . . . . . . . . . 14 5.2. Generation of the IPv6 representations of IPv4 - addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 - 5.3. Handling other RRs and the Additional Section . . . . . . 13 - 5.3.1. PTR queries . . . . . . . . . . . . . . . . . . . . . 13 - 5.3.2. Handling the additional section . . . . . . . . . . . 14 - 5.3.3. Other records . . . . . . . . . . . . . . . . . . . . 15 - 5.4. Assembling a synthesized response to a AAAA query . . . . 15 - 5.5. DNSSEC processing: DNS64 in recursive server mode . . . . 16 - 6. Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.1. DNS resolvers and DNS64 . . . . . . . . . . . . . . . . . 17 - 6.2. DNSSEC validators and DNS64 . . . . . . . . . . . . . . . 17 - 6.3. DNS64 and multihomed and dual-stack hosts . . . . . . . . 17 - 6.3.1. IPv6 multihomed hosts . . . . . . . . . . . . . . . . 17 - 6.3.2. Accidental dual-stack DNS64 use . . . . . . . . . . . 18 - 6.3.3. Intentional dual-stack DNS64 use . . . . . . . . . . . 18 - 7. Deployment scenarios and examples . . . . . . . . . . . . . . 19 + addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 + 5.3. Handling other Resource Records and the Additional + Section . . . . . . . . . . . . . . . . . . . . . . . . . 15 + 5.3.1. PTR Resource Record . . . . . . . . . . . . . . . . . 15 + 5.3.2. Handling the additional section . . . . . . . . . . . 16 + 5.3.3. Other Resource Records . . . . . . . . . . . . . . . . 16 + 5.4. Assembling a synthesized response to a AAAA query . . . . 17 + 5.5. DNSSEC processing: DNS64 in recursive resolver mode . . . 17 + 6. Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 18 + 6.1. DNS resolvers and DNS64 . . . . . . . . . . . . . . . . . 18 + 6.2. DNSSEC validators and DNS64 . . . . . . . . . . . . . . . 19 + 6.3. DNS64 and multihomed and dual-stack hosts . . . . . . . . 19 + 6.3.1. IPv6 multihomed hosts . . . . . . . . . . . . . . . . 19 + 6.3.2. 
Accidental dual-stack DNS64 use . . . . . . . . . . . 20 + 6.3.3. Intentional dual-stack DNS64 use . . . . . . . . . . . 20 + 7. Deployment scenarios and examples . . . . . . . . . . . . . . 21 7.1. Example of An-IPv6-network-to-IPv4-Internet setup with - DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 20 + DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 22 7.2. An example of an-IPv6-network-to-IPv4-Internet setup - with DNS64 in stub-resolver mode . . . . . . . . . . . . . 21 + with DNS64 in stub-resolver mode . . . . . . . . . . . . . 23 7.3. Example of IPv6-Internet-to-an-IPv4-network setup - DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 23 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 25 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 - 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 25 - 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 - 12.1. Normative References . . . . . . . . . . . . . . . . . . . 26 - 12.2. Informative References . . . . . . . . . . . . . . . . . . 26 + DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 25 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 27 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 + 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 + 12.2. Informative References . . . . . . . . . . . . . . . . . . 28 Appendix A. Motivations and Implications of synthesizing AAAA - RR when real AAAA RR exists . . . . . . . . . . . . . 28 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 
29 + Resource Records when real AAAA Resource Records - -Bagnulo, et al. Expires August 19, 2010 [Page 3] +Bagnulo, et al. Expires September 6, 2010 [Page 3] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 + + + exist . . . . . . . . . . . . . . . . . . . . . . . . 29 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 4] + +Internet-Draft DNS64 March 2010 1. Introduction @@ -220,9 +276,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 4] +Bagnulo, et al. Expires September 6, 2010 [Page 5] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 available to the server). Each IPv6/IPv4 translator used in @@ -276,9 +332,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 5] +Bagnulo, et al. Expires September 6, 2010 [Page 6] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 configured to be the same on both; there is no communication between @@ -305,11 +361,12 @@ Internet-Draft DNS64 February 2010 has been assigned for the specific purpose of representing IPv4 addresses in IPv6 address space. - The DNS64 function can be performed in any of three places. + The DNS64 function can be performed in any of three places. The + terms below are more formally defined in Section 4. The first option is to locate the DNS64 function in authoritative servers for a zone. In this case, the authoritative server provides - a synthetic AAAA RRs for an IPv4-only host in its zone. This is one + synthetic AAAA RRs for an IPv4-only host in its zone. This is one type of DNS64 server. Another option is to locate the DNS64 function in recursive name 
@@ -318,9 +375,9 @@ Internet-Draft DNS64 February 2010 server can perform the synthesis of AAAA RRs and pass them back to the IPv6-only initiator. The main advantage of this mode is that current IPv6 nodes can use this mechanism without requiring any - modification. This mode is called "DNS64 in DNS recursive mode". - This is a second type of DNS64 server, and it is also one type of - DNS64 resolver. + modification. This mode is called "DNS64 in DNS recursive resolver + mode" . This is a second type of DNS64 server, and it is also one + type of DNS64 resolver. The last option is to place the DNS64 function in the end hosts, coupled to the local (stub) resolver. In this case, the stub 
@@ -328,31 +385,32 @@ Internet-Draft DNS64 February 2010 available, the DNS64 function will synthesize AAAA RRs for internal usage. This mode is compatible with some advanced functions like DNSSEC validation in the end host. The main drawback of this mode is - its deployability, since it requires changes in the end hosts. This -Bagnulo, et al. Expires August 19, 2010 [Page 6] +Bagnulo, et al. Expires September 6, 2010 [Page 7] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 + its deployability, since it requires changes in the end hosts. This mode is called "DNS64 in stub-resolver mode". This is the second type of DNS64 resolver. 3. Background to DNS64-DNSSEC interaction - DNSSEC presents a special challenge for DNS64, because DNSSEC is - designed to detect changes to DNS answers, and DNS64 may alter - answers coming from an authoritative server. + DNSSEC ([RFC4033], [RFC4034], [RFC4035]) presents a special challenge + for DNS64, because DNSSEC is designed to detect changes to DNS + answers, and DNS64 may alter answers coming from an authoritative + server. A recursive resolver can be security-aware or security-oblivious. - Moreover, a security-aware recursive name server can be validating or + Moreover, a security-aware recursive resolver can be validating or non-validating, according to operator policy. In the cases below, - the recursive server is also performing DNS64, and has a local policy - to validate. We call this general case vDNS64, but in all the cases - below the DNS64 functionality should be assumed needed. + the recursive resolver is also performing DNS64, and has a local + policy to validate. We call this general case vDNS64, but in all the + cases below the DNS64 functionality should be assumed needed. DNSSEC includes some signaling bits that offer some indicators of what the query originator understands. 
@@ -382,17 +440,18 @@ Internet-Draft DNS64 February 2010 non-DNS64 case: the server doesn't support it, so the querying agent is out of luck. + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 8] + +Internet-Draft DNS64 March 2010 + + 3. A security-aware and non-validating DNS64 receives a query with the DO bit set and the CD bit clear. Such a resolver is not validating responses, likely due to local policy (see [RFC4035], - - - -Bagnulo, et al. Expires August 19, 2010 [Page 7] - -Internet-Draft DNS64 February 2010 - - section 4.2). For that reason, this case amounts to the same as the previous case, and no validation happens. @@ -435,20 +494,20 @@ Internet-Draft DNS64 February 2010 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. + + + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 9] + +Internet-Draft DNS64 March 2010 + + Authoritative server: A DNS server that can answer authoritatively a given DNS question. - - - - - - -Bagnulo, et al. Expires August 19, 2010 [Page 8] - -Internet-Draft DNS64 February 2010 - - DNS64: A logical function that synthesizes DNS resource records (e.g AAAA records containing IPv6 addresses) from DNS resource records actually contained in the DNS (e.g., A records containing IPv4 @@ -494,17 +553,17 @@ Internet-Draft DNS64 February 2010 multicast address handling is out of the scope of this document. A possible approach is specified in [I-D.venaas-behave-mcast46]. + + + +Bagnulo, et al. Expires September 6, 2010 [Page 10] + +Internet-Draft DNS64 March 2010 + + DNS64 also responds to PTR queries involving addresses containing any of the IPv6 prefixes it uses for synthesis of AAAA RRs. - - - -Bagnulo, et al. Expires August 19, 2010 [Page 9] - -Internet-Draft DNS64 February 2010 - - 5.1. Resolving AAAA queries and the answer section When the DNS64 receives a query for RRs of type AAAA and class IN, it 
@@ -520,7 +579,7 @@ Internet-Draft DNS64 February 2010 section, the result is returned to the requesting client as per normal DNS semantics, except in the case where any of the AAAA records match a special exclusion set of prefixes, considered in - Section 5.1.3. If there is (non-excluded) AAAA data available, DNS64 + Section 5.1.4. If there is (non-excluded) AAAA data available, DNS64 SHOULD NOT include synthetic AAAA RRs in the response (see Appendix A for an analysis of the motivations for and the implications of not complying with this recommendation). By default DNS64 @@ -548,19 +607,26 @@ Internet-Draft DNS64 February 2010 of the meaning of RCODE 3, and it is expected that they will decline in use as IPv6 deployment increases. -5.1.3. Special exclusion set for AAAA records + + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 11] + +Internet-Draft DNS64 March 2010 + + +5.1.3. Dealing with timeouts + + If the query receives no answer before the timeout, it is treated as + RCODE=2 (Server failure). + +5.1.4. Special exclusion set for AAAA records Some IPv6 addresses are not actually usable by IPv6-only hosts. If they are returned to IPv6-only querying agents as AAAA records, therefore, the goal of decreasing the number of failure modes will - - - -Bagnulo, et al. Expires August 19, 2010 [Page 10] - -Internet-Draft DNS64 February 2010 - - not be attained. Examples include AAAA records with addresses in the ::ffff:0:0/96 network, and possibly (depending on the context) AAAA records with the site's Pref::64/n or the Well-Known Prefix (see @@ -585,7 +651,7 @@ Internet-Draft DNS64 February 2010 answer, and proceed accordingly. It MUST NOT return the offending AAAA records as part of a response. -5.1.4. Dealing with CNAME and DNAME +5.1.5. Dealing with CNAME and DNAME If the response contains a CNAME or a DNAME, then the CNAME or DNAME chain is followed until the first terminating A or AAAA record is 
@@ -598,31 +664,32 @@ Internet-Draft DNS64 February 2010 included as part of the answer, and the synthetic AAAA, if appropriate, is included. -5.1.5. Data for the answer when performing synthesis + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 12] + +Internet-Draft DNS64 March 2010 + + +5.1.6. Data for the answer when performing synthesis If the query results in no error but an empty answer section in the response, the DNS64 attempts to retrieve A records for the name in question, either by performing another query or, in the case of an - authortiative server, by examining its own results. If this new A RR + authoritative server, by examining its own results. If this new A RR query results in an empty answer or in an error, then the empty result or error is used as the basis for the answer returned to the querying client. (Transient errors may result in retrying the query, depending on the mode and operation of the underlying resolver; this is just as in Section 5.1.2.) If instead the query results in one or - - - -Bagnulo, et al. Expires August 19, 2010 [Page 11] - -Internet-Draft DNS64 February 2010 - - more A RRs, the DNS64 synthesizes AAAA RRs based on the A RRs - according to the procedure outlined in Section 5.1.6. The DNS64 + according to the procedure outlined in Section 5.1.7. The DNS64 returns the synthesized AAAA records in the answer section, removing the A records that form the basis of the synthesis. -5.1.6. Performing the synthesis +5.1.7. Performing the synthesis A synthetic AAAA record is created from an A record as follows: 
@@ -637,7 +704,12 @@ Internet-Draft DNS64 February 2010 RR and the SOA RR for the queried domain. (Note that in order to obtain the TTL of the SOA RR, the DNS64 does not need to perform a new query, but it can remember the TTL from the SOA RR in the - negative response to the AAAA query.) + negative response to the AAAA query. If the SOA RR was not + delivered with the negative response to the AAAA query, then the + DNS64 SHOULD use a default value of 600 seconds. It is possible + instead to query explicitly for the SOA RR and use the result of + that query, but this will increase query load and time to + resolution for little additional benefit.) o The RDLENGTH field is set to 16 @@ -648,7 +720,16 @@ Internet-Draft DNS64 February 2010 See Section 5.2 for discussion of the algorithms to be used in effecting the transformation. -5.1.7. Querying in parallel + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 13] + +Internet-Draft DNS64 March 2010 + + +5.1.8. Querying in parallel The DNS64 MAY perform the query for the AAAA RR and for the A RR in parallel, in order to minimize the delay. However, this would result @@ -665,14 +746,6 @@ Internet-Draft DNS64 February 2010 DNS64 supports multiple algorithms for the generation of the IPv6 representation of an IPv4 address. The constraints imposed on the - - - -Bagnulo, et al. Expires August 19, 2010 [Page 12] - -Internet-Draft DNS64 February 2010 - - generation algorithms are the following: The same algorithm to create an IPv6 address from an IPv4 address 
@@ -694,16 +767,24 @@ Internet-Draft DNS64 February 2010 For each prefix Pref64::/n, n MUST the less than or equal to 96. If one or more Pref64::/n are configured in the DNS64 - through any means in the DNS64 (such as manually configured, or - other automatic means not specified in this document), the - default algorithm MUST use these prefixes (and not use the - Well-Know Prefix). If no prefix is available, the algorithm - MUST use the Well-Known prefix 64:FF9B::/96 defined in + through any means (such as manually configured, or other + automatic means not specified in this document), the default + algorithm MUST use these prefixes (and not use the Well-Known + Prefix). If no prefix is available, the algorithm MUST use the + Well-Known Prefix 64:FF9B::/96 defined in [I-D.ietf-behave-address-format] to represent the IPv4 unicast address range - [[anchor9: Note in document: The value 64:FF9B::/96 is proposed as + [[anchor8: Note in document: The value 64:FF9B::/96 is proposed as the value for the Well-Known prefix and needs to be confirmed + + + +Bagnulo, et al. Expires September 6, 2010 [Page 14] + +Internet-Draft DNS64 March 2010 + + whenis published as RFC.]][I-D.ietf-behave-address-format] A DNS64 MUST support the algorithm for generating IPv6 
@@ -715,56 +796,58 @@ Internet-Draft DNS64 February 2010 algorithm and its application to different scenarios is provided in Section 7 for illustration purposes. -5.3. Handling other RRs and the Additional Section +5.3. Handling other Resource Records and the Additional Section -5.3.1. PTR queries +5.3.1. PTR Resource Record If a DNS64 server receives a PTR query for a record in the IP6.ARPA domain, it MUST strip the IP6.ARPA labels from the QNAME, reverse the - - - -Bagnulo, et al. Expires August 19, 2010 [Page 13] - -Internet-Draft DNS64 February 2010 - - address portion of the QNAME according to the encoding scheme outlined in section 2.5 of [RFC3596], and examine the resulting address to see whether its prefix matches any of the locally- configured Pref64::/n. There are two alternatives for a DNS64 server to respond to such PTR queries. A DNS64 server MUST provide one of these, and SHOULD NOT provide both at the same time unless different - IP6.ARPA zones require answers of different sorts. + IP6.ARPA zones require answers of different sorts: - The first option is for the DNS64 server to respond authoritatively - for its prefixes. If the address prefix matches any Pref64::/n used - in the site, either a NSP or the Well-Known Prefix (i.e. 64: - FF9B::/96), then the DNS64 server MAY answer the query using locally- - appropriate RDATA. The DNS64 server MAY use the same RDATA for all - answers. Note that the requirement is to match any Pref64::/n used - at the site, and not merely the locally-configured Pref64::/n. This - is because end clients could ask for a PTR record matching an address - received through a different (site-provided) DNS64, and if this - strategy is in effect, those queries should never be sent to the - global DNS. The advantage of this strategy is that it makes plain to - the querying client that the prefix is one operated by the (DNS64) - site, and that the answers the client is getting are generated by - DNS64. 
The disadvantage is that any useful reverse-tree information - that might be in the global DNS is unavailable to the clients - querying the DNS64. + 1. The first option is for the DNS64 server to respond + authoritatively for its prefixes. If the address prefix matches + any Pref64::/n used in the site, either a NSP or the Well-Known + Prefix (i.e. 64:FF9B::/96), then the DNS64 server MAY answer the + query using locally-appropriate RDATA. The DNS64 server MAY use + the same RDATA for all answers. Note that the requirement is to + match any Pref64::/n used at the site, and not merely the + locally-configured Pref64::/n. This is because end clients could + ask for a PTR record matching an address received through a + different (site-provided) DNS64, and if this strategy is in + effect, those queries should never be sent to the global DNS. + The advantage of this strategy is that it makes plain to the + querying client that the prefix is one operated by the (DNS64) + site, and that the answers the client is getting are generated by + DNS64. The disadvantage is that any useful reverse-tree + information that might be in the global DNS is unavailable to the + clients querying the DNS64. - The second option is for the DNS64 nameserver to synthesize a CNAME - mapping the IP6.ARPA namespace to the corresponding IN-ADDR.ARPA - name. The rest of the response would be the normal DNS processing. - The CNAME can be signed on the fly if need be. The advantage of this - approach is that any useful information in the reverse tree is - available to the querying client. The disadvantage is that it adds - additional load to the DNS64 (because CNAMEs have to be synthesized - for each PTR query that matches the Pref64::/n), and that it may - require signing on the fly. In addition, the generated CNAME could - correspond to an unpopulated in-addr.arpa zone, so the CNAME would - provide a reference to a non-existent record. + 2. 
The second option is for the DNS64 nameserver to synthesize a + CNAME mapping the IP6.ARPA namespace to the corresponding IN- + ADDR.ARPA name. The rest of the response would be the normal DNS + processing. The CNAME can be signed on the fly if need be. The + advantage of this approach is that any useful information in the + + + +Bagnulo, et al. Expires September 6, 2010 [Page 15] + +Internet-Draft DNS64 March 2010 + + + reverse tree is available to the querying client. The + disadvantage is that it adds additional load to the DNS64 + (because CNAMEs have to be synthesized for each PTR query that + matches the Pref64::/n), and that it may require signing on the + fly. In addition, the generated CNAME could correspond to an + unpopulated in-addr.arpa zone, so the CNAME would provide a + reference to a non-existent record. If the address prefix does not match any Pref64::/n, then the DNS64 server MUST process the query as though it were any other query; i.e. @@ -778,13 +861,6 @@ Internet-Draft DNS64 February 2010 additional section of synthesized answers. The DNS64 MUST pass the additional section unchanged. - - -Bagnulo, et al. Expires August 19, 2010 [Page 14] - -Internet-Draft DNS64 February 2010 - - It may appear that adding synthetic records to the additional section is desirable, because clients sometimes use the data in the additional section to proceed without having to re-query. There is 
@@ -804,12 +880,22 @@ Internet-Draft DNS64 February 2010 NAT64 in question. The result in this case will be resolution failure anyway, only later in the resolution operation. -5.3.3. Other records +5.3.3. Other Resource Records If the DNS64 is in recursive resolver mode, then considerations outlined in [I-D.ietf-dnsop-default-local-zones] may be relevant. - All other RRs MUST be returned unchanged. + All other RRs MUST be returned unchanged. This includes responses to + queries for A RRs. + + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 16] + +Internet-Draft DNS64 March 2010 + 5.4. Assembling a synthesized response to a AAAA query 
@@ -820,30 +906,20 @@ Internet-Draft DNS64 February 2010 an error, an answer that can be used as a basis for synthesis, or an empty (authoritative) answer. If there is an empty answer, then the DNS64 responds to the original querying client with the answer the - DNS64 received to the original AAAA query. Otherwise, the response - is assembled as follows. + DNS64 received to the original (initiator's) query. Otherwise, the + response is assembled as follows. The header fields are set according to the usual rules for recursive or authoritative servers, depending on the role that the DNS64 is - serving. The question section is copied from the original AAAA - query. The answer section is populated according to the rules in - Section 5.1.6. The authority and additional sections are copied from - the response to the A query that the DNS64 performed. + serving. The question section is copied from the original + (initiator's) query. The answer section is populated according to + the rules in Section 5.1.7. The authority and additional sections + are copied from the response to the final query that the DNS64 + performed, and used as the basis for synthesis. +5.5. DNSSEC processing: DNS64 in recursive resolver mode - - - - - -Bagnulo, et al. Expires August 19, 2010 [Page 15] - -Internet-Draft DNS64 February 2010 - - -5.5. DNSSEC processing: DNS64 in recursive server mode - - We consider the case where a recursive server that is performing + We consider the case where a recursive resolver that is performing DNS64 also has a local policy to validate the answers according to the procedures outlined in [RFC4035] Section 5. We call this general case vDNS64. 
@@ -853,7 +929,9 @@ Internet-Draft DNS64 February 2010 accordingly: 1. If CD is not set and DO is not set, vDNS64 SHOULD perform - validation and do synthesis as needed. + validation and do synthesis as needed. See the next item for + rules about how to do validation and synthesis. In this case, + however, vDNS64 MUST NOT set the AD bit in any response. 2. If CD is not set and DO is set, then vDNS64 SHOULD perform validation. Whenever vDNS64 performs validation, it MUST @@ -867,6 +945,14 @@ Internet-Draft DNS64 February 2010 answer to the client. This is acceptable, because [RFC4035], section 3.2.3 says that the AD bit is set by the name server side of a security-aware recursive name server if and only if it + + + +Bagnulo, et al. Expires September 6, 2010 [Page 17] + +Internet-Draft DNS64 March 2010 + + considers all the RRSets in the Answer and Authority sections to be authentic. In this case, the name server has reason to believe the RRSets are all authentic, so it SHOULD set the AD @@ -889,14 +975,6 @@ Internet-Draft DNS64 February 2010 resolver, and depend on the client to do the validation and the synthesis itself. The disadvantage to this approach is that an end point that is - - - -Bagnulo, et al. Expires August 19, 2010 [Page 16] - -Internet-Draft DNS64 February 2010 - - translation-oblivious but security-aware and validating will not be able to use the DNS64 functionality. In this case, the end point will not have the desired benefit of NAT64. In effect, @@ -923,6 +1001,14 @@ Internet-Draft DNS64 February 2010 point obtain IPv4-only glue records and attempt to use them for resolution. The result that is returned will contain only A records, and without the ability to perform the DNS64 function the resolver + + + +Bagnulo, et al. Expires September 6, 2010 [Page 18] + +Internet-Draft DNS64 March 2010 + + will be unable to answer the necessary AAAA queries. 6.2. DNSSEC validators and DNS64 
@@ -945,19 +1031,19 @@ Internet-Draft DNS64 February 2010 will receive answers from a DNS64 without all of them being connected via a NAT64. For instance, suppose a system has two interfaces, i1 and i2. Whereas i1 is connected to the IPv4 Internet via NAT64, i2 - - - -Bagnulo, et al. Expires August 19, 2010 [Page 17] - -Internet-Draft DNS64 February 2010 - - has native IPv6 connectivity only. I1 might receive a AAAA answer from a DNS64 that is configured for a particular NAT64; the IPv6 address contained in that AAAA answer will not connect with anything via i2. + +---------------+ +-------------+ + | i1 (IPv6)+----NAT64--------+IPv4 Internet| + | | +-------------+ + | host | + | | +-------------+ + | i2 (IPv6)+-----------------+IPv6 Internet| + +---------------+ +-------------+ + This example illustrates why it is generally preferable that hosts treat DNS answers from one interface as local to that interface. The answer received on one interface will not work on the other @@ -969,6 +1055,16 @@ Internet-Draft DNS64 February 2010 there are two networks involved. The same results could be achieved with a single interface routed to two different networks. + + + + + +Bagnulo, et al. Expires September 6, 2010 [Page 19] + +Internet-Draft DNS64 March 2010 + + 6.3.2. Accidental dual-stack DNS64 use Similarly, suppose that i1 has IPv6 connectivity and can connect to 
@@ -977,40 +1073,55 @@ Internet-Draft DNS64 February 2010 that would better be reached via native IPv4. Again, it is worth emphasising that this arises because there are two networks involved. - Since it is most likely that the host will attempt AAAA resolution - first, in this arrangement the host will often use the NAT64 when - native IPv4 would be preferable. For this reason, hosts with IPv4 - connectivity to the Internet should avoid using DNS64. This can be - partly resolved by ISPs when providing DNS resolvers to clients, but - that is not a guarantee that the NAT64 will never be used when a - native IPv4 connection should be used. There is no general-purpose - mechanism to ensure that native IPv4 transit will always be - preferred, because to a DNS64-oblivious host, the DNS64 looks just - like an ordinary DNS server. Operators of a NAT64 should expect - traffic to pass through the NAT64 even when it is not necessary. + +---------------+ +-------------+ + | i1 (IPv6)+----NAT64--------+IPv4 Internet| + | | +-------------+ + | host | + | | +-------------+ + | i2 (IPv4)+-----------------+IPv4 Internet| + +---------------+ +-------------+ + + The default configuration of dual-stack hosts is that IPv6 is + preferred over IPv4 ([RFC3484]). In that arrangement the host will + often use the NAT64 when native IPv4 would be more desirable. For + this reason, hosts with IPv4 connectivity to the Internet should + avoid using DNS64. This can be partly resolved by ISPs when + providing DNS resolvers to clients, but that is not a guarantee that + the NAT64 will never be used when a native IPv4 connection should be + used. There is no general-purpose mechanism to ensure that native + IPv4 transit will always be preferred, because to a DNS64-oblivious + host, the DNS64 looks just like an ordinary DNS server. Operators of + a NAT64 should expect traffic to pass through the NAT64 even when it + is not necessary. 6.3.3. 
Intentional dual-stack DNS64 use Finally, consider the case where the IPv4 connectivity on i2 is only - to a LAN, with an IPv6-only connection on i1 to the Internet, - connecting to the IPv4 Internet via NAT64. Traffic to the LAN may - not be routable from the global Internet, as is often the case (for - instance) with LANs using RFC1918 addresses. In this case, it is - critical that the DNS64 not synthesize AAAA responses for hosts in - the LAN, or else that the DNS64 be aware of hosts in the LAN and - provide context-sensitive answers ("split view" DNS answers) for - hosts inside the LAN. As with any split view DNS arrangement, - operators must be prepared for data to leak from one context to + with a LAN, and not with the IPv4 Internet. The IPv4 Internet is + only accessible using the NAT64. In this case, it is critical that + the DNS64 not synthesize AAAA responses for hosts in the LAN, or else + that the DNS64 be aware of hosts in the LAN and provide context- + sensitive answers ("split view" DNS answers) for hosts inside the + LAN. As with any split view DNS arrangement, operators must be + prepared for data to leak from one context to another, and for + failures to occur because nodes accessible from one context are not + accessible from the other. + + +---------------+ +-------------+ + | i1 (IPv6)+----NAT64--------+IPv4 Internet| + | | +-------------+ + | host | + | | + | i2 (IPv4)+---(local LAN only) -Bagnulo, et al. Expires August 19, 2010 [Page 18] +Bagnulo, et al. Expires September 6, 2010 [Page 20] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 - another, and for failures to occur because nodes accessible from one - context are not accessible from the other. + +---------------+ It is important for deployers of DNS64 to realise that, in some circumstances, making the DNS64 available to a dual-stack host will 
@@ -1040,7 +1151,7 @@ Internet-Draft DNS64 February 2010 communication from these IPv6-only connected hosts to the IPv4 Internet. This case is called An-IPv6-network-to-IPv4-Internet [I-D.ietf-behave-v6v4-framework]. In this case, the IPv6/IPv4 - Translator is used to connect the end site or the ISP to the IPv4 + translator is used to connect the end site or the ISP to the IPv4 Internet and the DNS64 function is provided by the end site or the ISP. @@ -1060,9 +1171,10 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 19] + +Bagnulo, et al. Expires September 6, 2010 [Page 21] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 1. An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS server @@ -1116,9 +1228,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 20] +Bagnulo, et al. Expires September 6, 2010 [Page 22] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 For this example, assume the typical DNS situation where IPv6 hosts @@ -1172,9 +1284,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 21] +Bagnulo, et al. Expires September 6, 2010 [Page 23] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 +---------------------+ +---------------+ @@ -1228,9 +1340,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 22] +Bagnulo, et al. Expires September 6, 2010 [Page 24] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 IPv6 address in the AAAA record contains the prefix assigned to @@ -1284,9 +1396,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 23] +Bagnulo, et al. Expires September 6, 2010 [Page 25] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 is recommended over the second option (i.e. the synthesis upon 
@@ -1340,9 +1452,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 24] +Bagnulo, et al. Expires September 6, 2010 [Page 26] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 1. H1 does a DNS lookup for h2.example.com. H1 does this by sending @@ -1370,7 +1482,7 @@ Internet-Draft DNS64 February 2010 8. Security Considerations See the discussion on the usage of DNSSEC and DNS64 described in - section 3, section 5.5, and section 6.2. . + Section 3, Section 5.5, and Section 6.2. 9. IANA Considerations 
@@ -1392,22 +1504,22 @@ Internet-Draft DNS64 February 2010 This draft contains the result of discussions involving many people, including the participants of the IETF BEHAVE Working Group. The following IETF participants made specific contributions to parts of - the text, and their help is gratefully acknowledged: Mark Andrews, + the text, and their help is gratefully acknowledged: Jaap Akkerhuis, -Bagnulo, et al. Expires August 19, 2010 [Page 25] +Bagnulo, et al. Expires September 6, 2010 [Page 27] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 - Jari Arkko, Rob Austein, Timothy Baldwin, Fred Baker, Doug Barton, - Marc Blanchet, Cameron Byrne, Brian Carpenter, Hui Deng, Francis - Dupont, Patrik Faltstrom, Ed Jankiewicz, Peter Koch, Suresh Krishnan, - Ed Lewis, Xing Li, Bill Manning, Matthijs Mekking, Hiroshi Miyata, - Simon Perrault, Teemu Savolainen, Jyrki Soini, Dave Thaler, Mark - Townsley, Rick van Rein, Stig Venaas, Magnus Westerlund, Florian - Weimer, Dan Wing, Xu Xiaohu, Xiangsong Cui. + Mark Andrews, Jari Arkko, Rob Austein, Timothy Baldwin, Fred Baker, + Doug Barton, Marc Blanchet, Cameron Byrne, Brian Carpenter, Zhen Cao, + Hui Deng, Francis Dupont, Patrik Faltstrom, Ed Jankiewicz, Peter + Koch, Suresh Krishnan, Ed Lewis, Xing Li, Bill Manning, Matthijs + Mekking, Hiroshi Miyata, Simon Perrault, Teemu Savolainen, Jyrki + Soini, Dave Thaler, Mark Townsley, Rick van Rein, Stig Venaas, Magnus + Westerlund, Florian Weimer, Dan Wing, Xu Xiaohu, Xiangsong Cui. Marcelo Bagnulo and Iljitsch van Beijnum are partly funded by Trilogy, a research project supported by the European Commission @@ -1452,9 +1564,9 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 26] +Bagnulo, et al. Expires September 6, 2010 [Page 28] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 [RFC3484] Draves, R., "Default Address Selection for Internet 
@@ -1476,17 +1588,13 @@ Internet-Draft DNS64 February 2010 Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. - [RFC4966] Aoun, C. and E. Davies, "Reasons to Move the Network - Address Translator - Protocol Translator (NAT-PT) to - Historic Status", RFC 4966, July 2007. - [RFC5735] Cotton, M. and L. Vegoda, "iSpecial Use IPv4 Addresses", BCP 153, RFC 5735, January 2010. [I-D.ietf-behave-v6v4-framework] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for IPv4/IPv6 Translation", - draft-ietf-behave-v6v4-framework-06 (work in progress), + draft-ietf-behave-v6v4-framework-07 (work in progress), February 2010. [I-D.venaas-behave-mcast46] @@ -1502,22 +1610,23 @@ Internet-Draft DNS64 February 2010 [I-D.savolainen-mif-dns-server-selection] Savolainen, T., "DNS Server Selection on Multi-Homed - Hosts", draft-savolainen-mif-dns-server-selection-01 (work - in progress), October 2009. + Hosts", draft-savolainen-mif-dns-server-selection-02 (work + in progress), February 2010. + + +Appendix A. Motivations and Implications of synthesizing AAAA Resource + Records when real AAAA Resource Records exist -Bagnulo, et al. Expires August 19, 2010 [Page 27] +Bagnulo, et al. Expires September 6, 2010 [Page 29] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 -Appendix A. Motivations and Implications of synthesizing AAAA RR when - real AAAA RR exists - - The motivation for synthesizing AAAA RRs when a real AAAA RRs exist - is to support the following scenario: + The motivation for synthesizing AAAA RRs when real AAAA RRs exist is + to support the following scenario: An IPv4-only server application (e.g. web server software) is running on a dual-stack host. There may also be dual-stack server 
@@ -1538,7 +1647,7 @@ Appendix A. Motivations and Implications of synthesizing AAAA RR when a DNS64 service may want to enable the synthesis of AAAA RRs even when real AAAA RRs exist. - The implication of including synthetic AAAA RR when real AAAA RR + The implication of including synthetic AAAA RRs when real AAAA RRs exist is that translated connectivity may be preferred over native connectivity in some cases where the DNS64 is operated in DNS server mode. @@ -1553,26 +1662,26 @@ Appendix A. Motivations and Implications of synthesizing AAAA RR when This means that without further configuration: - In "An IPv6 network to the IPv4 Internet" scenario , the host will - prefer translated connectivity if an NSP is used. If the Well- - Known Prefix defined in [I-D.ietf-behave-address-format] is used, - it will probably prefer native connectivity. + In the "An IPv6 network to the IPv4 Internet" scenario, the host + will prefer translated connectivity if an NSP is used. If the + Well-Known Prefix defined in [I-D.ietf-behave-address-format] is + used, it will probably prefer native connectivity. In the "IPv6 Internet to an IPv4 network" scenario, it is possible to bias the selection towards the real AAAA RR if the DNS64 resolver returns the real AAAA first in the DNS reply, when an NSP - - - -Bagnulo, et al. Expires August 19, 2010 [Page 28] - -Internet-Draft DNS64 February 2010 - - is used (the Well-Known Prefix usage is not supported in this case) - In "an IPv6 network to IPv4 network" scenario, for local + + + +Bagnulo, et al. Expires September 6, 2010 [Page 30] + +Internet-Draft DNS64 March 2010 + + + In the "An IPv6 network to IPv4 network" scenario, for local destinations (i.e., target hosts inside the local site), it is likely that the NSP and the destination prefix are the same, so we can use the order of RR in the DNS reply to bias the selection 
@@ -1620,9 +1729,12 @@ Authors' Addresses -Bagnulo, et al. Expires August 19, 2010 [Page 29] + + + +Bagnulo, et al. Expires September 6, 2010 [Page 31] -Internet-Draft DNS64 February 2010 +Internet-Draft DNS64 March 2010 Philip Matthews @@ -1676,5 +1788,5 @@ Internet-Draft DNS64 February 2010 -Bagnulo, et al. Expires August 19, 2010 [Page 30] +Bagnulo, et al. Expires September 6, 2010 [Page 32] diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt similarity index 84% rename from doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt rename to doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt index f651d1351e..7bb5ab72f8 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt @@ -1,12 +1,12 @@ DNS Extensions working group V.Dolmatov, Ed. Internet-Draft Cryptocom Ltd. -Intended status: Standards Track December 12, 2009 -Expires: June 12, 2010 +Intended status: Standards Track March 06, 2010 +Expires: September 06, 2010 Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records for DNSSEC - draft-ietf-dnsext-dnssec-gost-06 + draft-ietf-dnsext-dnssec-gost-07 Status of this Memo @@ -29,7 +29,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on June 12 2010. + This Internet-Draft will expire on September 06 2010. Copyright Notice 
@@ -37,19 +37,23 @@ Copyright Notice document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents in effect on the date of - publication of this document (http://trustee.ietf.org/license-info). - Please review these documents carefully, as they describe your rights - and restrictions with respect to this document. + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with + respect to this document. Code Components extracted from this + document must include Simplified BSD License text as described in + Section 4.e of the Trust Legal Provisions and are provided without + warranty as described in the Simplified BSD License. Abstract - This document describes how to produce signature and hash using - GOST algorithms [DRAFT1, DRAFT2, DRAFT3] for DNSKEY, RRSIG and DS - resource records for use in the Domain Name System Security - Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). - -V.Dolmatov Expires June 12, 2010 [Page 1] + This document describes how to produce signature and hash using + GOST (R 34.10-2001, R 34.11-94) algorithms foor DNSKEY, RRSIG and DS + resource records for use in the Domain Name System Security + Extensions (DNSSEC). + +V.Dolmatov Expires September 06, 2010 [Page 1] Table of Contents @@ -98,7 +102,8 @@ Table of Contents The term "GOST" is not officially defined, but is usually used to refer to the collection of the Russian cryptographic algorithms - GOST R 34.10-2001, GOST R 34.11-94, GOST 28147-89. + GOST R 34.10-2001[DRAFT1], GOST R 34.11-94[DRAFT2], + GOST 28147-89[DRAFT3]. Since GOST 28147-89 is not used in DNSSEC, "GOST" will only refer to the GOST R 34.10-2001 and GOST R 34.11-94 in this document. 
@@ -106,7 +111,7 @@ Table of Contents "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. -V.Dolmatov Expires June 12, 2010 [Page 2] +V.Dolmatov Expires September 06, 2010 [Page 2] 2. DNSKEY Resource Records @@ -155,12 +160,12 @@ V.Dolmatov Expires June 12, 2010 [Page 2] private key file it must be in one line): Private-key-format: v1.2 - Algorithm: {TBA1} (GOST) + Algorithm: {TBA1} (ECC-GOST) GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgp9c t2LQaNS1vMKPLEN9zHYjLPNMIQN6QB9vt3AghZFA= -V.Dolmatov Expires June 12, 2010 [Page 3] +V.Dolmatov Expires September 06, 2010 [Page 3] The following DNSKEY RR stores a DNS zone key for example.net @@ -215,11 +220,11 @@ V.Dolmatov Expires June 12, 2010 [Page 3] Vy466khKuWEUoVvSkqI+9tvMQySQgZcEmS0W HRFSm0XS5YST5g== ) -V.Dolmatov Expires June 12, 2010 [Page 4] +V.Dolmatov Expires September 06, 2010 [Page 4] - Note: Several GOST signatures calculated for the same message text - differ because of using of a random element is used in signature - generation process. + Note: Several ECC-GOST signatures calculated for the same message text + will differ because of using of a random element is used in signature + generation process. 4. DS Resource Records 
@@ -269,25 +274,25 @@ V.Dolmatov Expires June 12, 2010 [Page 4] 6.1. Support for GOST signatures - DNSSEC aware implementations SHOULD be able to support RRSIG and + DNSSEC aware implementations MAY be able to support RRSIG and DNSKEY resource records created with the GOST algorithms as defined in this document. -V.Dolmatov Expires June 12, 2010 [Page 5] +V.Dolmatov Expires September 06, 2010 [Page 5] 6.2. Support for NSEC3 Denial of Existence - Any DNSSEC-GOST implementation is required to have either NSEC or - NSEC3 support. + Any DNSSEC-GOST implementation MUST support both NSEC[RFC4035] and + NSEC3 [RFC5155] 6.3 Byte order Due to the fact that all existing industry implementations of GOST - cryptographic libraries are returning GOST blobs in little-endian - format and in order to avoid the necessity for DNSSEC developers - to handle different cryptographic algorithms differently, it was - chosen to send these blobs on the wire "as is" without - transformation of endianness. + cryptographic libraries are returning GOST blobs without + transformation from little-endian format and in order to avoid the + necessity for DNSSEC developers to handle different cryptographic + algorithms differently, it was chosen to send these blobs on the + wire "as is" without transformation of endianness. 7. Security considerations @@ -307,12 +312,12 @@ V.Dolmatov Expires June 12, 2010 [Page 5] 8. IANA Considerations This document updates the IANA registry "DNS Security Algorithm - Numbers [RFC4034]" + Numbers" [RFC4034] (http://www.iana.org/assignments/dns-sec-alg-numbers). The following entries are added to the registry: Zone Trans. Value Algorithm Mnemonic Signing Sec. References Status - {TBA1} GOST R 34.10-2001 GOST Y * (this memo) OPTIONAL + {TBA1} GOST R 34.10-2001 ECC-GOST Y * (this memo) OPTIONAL This document updates the RFC 4034 Digest Types assignment (section A.2)by adding the value and status for the GOST R 34.11-94 
@@ -329,7 +334,7 @@ V.Dolmatov Expires June 12, 2010 [Page 5] contributors to these documents are gratefully acknowledged for their hard work. -V.Dolmatov Expires June 12, 2010 [Page 6] +V.Dolmatov Expires September 06, 2010 [Page 6] The following people provided additional feedback and text: Dmitry Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen @@ -385,8 +390,11 @@ V.Dolmatov Expires June 12, 2010 [Page 6] Infrastructure Certificate and CRL Profile", RFC 4491, May 2006. -V.Dolmatov Expires June 12, 2010 [Page 7] - +V.Dolmatov Expires September 06, 2010 [Page 7] + +[RFC5155] B. Laurie, G. Sisson, R. Arends and D. Blacka, "DNS + Security (DNSSEC) Hashed Authenticated Denial of + Existence", RFC 5155, February 2008. 10.2. Informative References @@ -395,21 +403,21 @@ V.Dolmatov Expires June 12, 2010 [Page 7] [DRAFT1] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., "GOST R 34.10-2001 digital signature algorithm" - draft-dolmatov-cryptocom-gost34102001-07, 12.12.09 + draft-dolmatov-cryptocom-gost34102001-08, 12.12.09 work in progress. [DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., "GOST R 34.11-94 Hash function algorithm" - draft-dolmatov-cryptocom-gost341194-06, 12.12.09 + draft-dolmatov-cryptocom-gost341194-07, 12.12.09 work in progress. [DRAFT3] Dolmatov V., Kabelev D., Ustinov I., Emelyanova I., "GOST 28147-89 encryption, decryption and MAC algorithms" - draft-dolmatov-cryptocom-gost2814789-06, 12.12.09 + draft-dolmatov-cryptocom-gost2814789-08, 12.12.09 work in progress. -V.Dolmatov Expires June 12, 2010 [Page 8] +V.Dolmatov Expires September 06, 2010 [Page 8] Authors' Addresses @@ -436,9 +444,5 @@ Moscow, 117218, Russian Federation EMail: igus@cryptocom.ru -V.Dolmatov Expires June 12, 2010 [Page 9] - - - - +V.Dolmatov Expires September 06, 2010 [Page 9] From 2c244f981f1edb63c8a1f77c78b65123f65a82f0 Mon Sep 17 00:00:00 2001 
From: Automatic Updater
Date: Mon, 8 Mar 2010 01:16:27 +0000
Subject: [PATCH 57/58] update
---
 doc/private/SRCID | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 7f8838345c..bdab80bb4c 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.180 2010/03/06 06:27:34 tbox Exp $
+# $Id: SRCID,v 1.181 2010/03/08 01:16:27 tbox Exp $
 # # This file must follow /bin/sh rules. It is imported directly via configure. #
-SRCID="( $Date: 2010/03/06 06:27:34 $ )"
+SRCID="( $Date: 2010/03/08 01:16:27 $ )"
From 39158a4c93131db13c7260253c82ece87f0cf92c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 8 Mar 2010 22:17:03 +0000
Subject: [PATCH 58/58] new draft
---
 ...aft-ietf-dnsext-dnssec-bis-updates-10.txt} | 433 +++++++++++-------
 1 file changed, 273 insertions(+), 160 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-dnssec-bis-updates-09.txt => draft-ietf-dnsext-dnssec-bis-updates-10.txt} (67%)
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-10.txt
similarity index 67%
rename from doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
rename to doc/draft/draft-ietf-dnsext-dnssec-bis-updates-10.txt
index 0953e28b47..eef3308e92 100644
--- a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
+++ b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-10.txt
@@ -5,12 +5,18 @@ Network Working Group S. Weiler Internet-Draft SPARTA, Inc. Updates: 4033, 4034, 4035, 5155 D. Blacka (if approved) VeriSign, Inc. -Intended status: Standards Track September 5, 2009 -Expires: March 9, 2010 +Intended status: Standards Track March 8, 2010 +Expires: September 9, 2010 Clarifications and Implementation Notes for DNSSECbis - draft-ietf-dnsext-dnssec-bis-updates-09 + draft-ietf-dnsext-dnssec-bis-updates-10 + +Abstract + + This document is a collection of technical clarifications to the + DNSSECbis document set. It is meant to serve as a resource to + implementors as well as a repository of DNSSECbis errata. Status of this Memo 
@@ -33,32 +39,30 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on March 9, 2010. + This Internet-Draft will expire on September 9, 2010. Copyright Notice - Copyright (c) 2009 IETF Trust and the persons identified as the + Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents in effect on the date of - publication of this document (http://trustee.ietf.org/license-info). - Please review these documents carefully, as they describe your rights - and restrictions with respect to this document. - -Abstract - - This document is a collection of technical clarifications to the + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of -Weiler & Blacka Expires March 9, 2010 [Page 1] +Weiler & Blacka Expires September 9, 2010 [Page 1] -Internet-Draft DNSSECbis Implementation Notes September 2009 +Internet-Draft DNSSECbis Implementation Notes March 2010 - DNSSECbis document set. It is meant to serve as a resource to - implementors as well as a repository of DNSSECbis errata. + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the BSD License. Table of Contents 
@@ -68,56 +72,54 @@ Table of Contents 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Important Additions to DNSSSECbis . . . . . . . . . . . . . . 3 2.1. NSEC3 Support . . . . . . . . . . . . . . . . . . . . . . 3 - 2.2. SHA-256 Support . . . . . . . . . . . . . . . . . . . . . 3 + 2.2. SHA-256 Support . . . . . . . . . . . . . . . . . . . . . 4 3. Security Concerns . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Clarifications on Non-Existence Proofs . . . . . . . . . . 4 - 3.2. Validating Responses to an ANY Query . . . . . . . . . . . 4 + 3.2. Validating Responses to an ANY Query . . . . . . . . . . . 5 3.3. Check for CNAME . . . . . . . . . . . . . . . . . . . . . 5 3.4. Insecure Delegation Proofs . . . . . . . . . . . . . . . . 5 4. Interoperability Concerns . . . . . . . . . . . . . . . . . . 5 4.1. Errors in Canonical Form Type Code List . . . . . . . . . 5 - 4.2. Unknown DS Message Digest Algorithms . . . . . . . . . . . 5 + 4.2. Unknown DS Message Digest Algorithms . . . . . . . . . . . 6 4.3. Private Algorithms . . . . . . . . . . . . . . . . . . . . 6 4.4. Caution About Local Policy and Multiple RRSIGs . . . . . . 7 4.5. Key Tag Calculation . . . . . . . . . . . . . . . . . . . 7 4.6. Setting the DO Bit on Replies . . . . . . . . . . . . . . 7 - 4.7. Setting the AD bit on Replies . . . . . . . . . . . . . . 7 - 4.8. Setting the CD bit on Requests . . . . . . . . . . . . . . 8 - 4.9. Nested Trust Anchors . . . . . . . . . . . . . . . . . . . 8 - 5. Minor Corrections and Clarifications . . . . . . . . . . . . . 8 - 5.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 8 - 5.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 9 - 5.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 9 - 5.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 9 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 - 8. 
References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 - 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 11 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 + 4.7. Setting the AD Bit on Queries . . . . . . . . . . . . . . 8 + 4.8. Setting the AD Bit on Replies . . . . . . . . . . . . . . 8 + 4.9. Setting the CD bit on Requests . . . . . . . . . . . . . . 8 + 4.10. Nested Trust Anchors . . . . . . . . . . . . . . . . . . . 8 + 4.10.1. Closest Encloser . . . . . . . . . . . . . . . . . . 9 + 4.10.2. Accept Any Success . . . . . . . . . . . . . . . . . 9 + 4.10.3. Preference Based on Source . . . . . . . . . . . . . 10 + 5. Minor Corrections and Clarifications . . . . . . . . . . . . . 10 + 5.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 10 + 5.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 10 + 5.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 11 + 5.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 11 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 13 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 13 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 - - - - - - - - -Weiler & Blacka Expires March 9, 2010 [Page 2] +Weiler & Blacka Expires September 9, 2010 [Page 2] -Internet-Draft DNSSECbis Implementation Notes September 2009 +Internet-Draft DNSSECbis Implementation Notes March 2010 1. 
Introduction and Terminology This document lists some additions, clarifications and corrections to the core DNSSECbis specification, as originally described in - [RFC4033], [RFC4034], and [RFC4035]. + [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155]. + (See section Section 2 for more recent additions to that core + document set.) It is intended to serve as a resource for implementors and as a repository of items that need to be addressed when advancing the @@ -139,8 +141,9 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 2. Important Additions to DNSSSECbis - This section updates the set of core DNSSEC protocol documents - originally specified in Section 10 of [RFC4033]. + This section lists some documents that should be considered core + DNSSEC protocol documents in addition to those originally specified + in Section 10 of [RFC4033]. 2.1. NSEC3 Support 
@@ -154,24 +157,30 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 [RFC5155] should be considered part of the DNS Security Document Family as described by [RFC4033], Section 10. + Note that the algorithm identifiers defined in RFC5155 (DSA-NSEC3- + SHA1 and RSASHA1-NSEC3-SHA1) signal that a zone MAY be using NSEC3, + rather than NSEC. The zone MAY indeed be using either and validators + supporting these algorithms MUST support both NSEC3 and NSEC + + + +Weiler & Blacka Expires September 9, 2010 [Page 3] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + + responses. + 2.2. SHA-256 Support - [RFC4509] describes the use of SHA-256 as a digest algorithm for use - with Delegation Signer (DS) RRs. [I-D.ietf-dnsext-dnssec-rsasha256] - describes the use of the RSASHA256 algorithm for use in DNSKEY and - RRSIG RRs. Validator implementations are strongly encouraged to - include support for this algorithm for DS, DNSKEY, and RRSIG records. + [RFC4509] describes the use of SHA-256 as a digest algorithm in + Delegation Signer (DS) RRs. [RFC5702] describes the use of the + RSASHA256 algorithm in DNSKEY and RRSIG RRs. Validator + implementations are strongly encouraged to include support for this + algorithm for DS, DNSKEY, and RRSIG records. - - -Weiler & Blacka Expires March 9, 2010 [Page 3] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - - Both [RFC4509] and [I-D.ietf-dnsext-dnssec-rsasha256] should also be - considered part of the DNS Security Document Family as described by - [RFC4033], Section 10. + Both [RFC4509] and [RFC5702] should also be considered part of the + DNS Security Document Family as described by [RFC4033], Section 10. 3. Security Concerns 
@@ -205,6 +214,17 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 to assume the non-existence of any subdomain of that NSEC/NSEC3 RR's (original) owner name. + + + + + + +Weiler & Blacka Expires September 9, 2010 [Page 4] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + 3.2. Validating Responses to an ANY Query [RFC4035] does not address how to validate responses when QTYPE=*. @@ -217,14 +237,6 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 QNAME and QCLASS MUST be validated. If any of those RRsets fail validation, the answer is considered Bogus. If there are no RRsets matching QNAME and QCLASS, that fact MUST be validated according to - - - -Weiler & Blacka Expires March 9, 2010 [Page 4] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - the rules in [RFC4035] Section 5.4 (as clarified in this document). To be clear, a validator must not expect to receive all records at the QNAME in response to QTYPE=*. @@ -261,6 +273,14 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 [RFC4034] Section 6.2 item 3 has a list of resource record types for which DNS names in the RDATA are downcased for purposes of DNSSEC canonical form (for both ordering and signing). That list + + + +Weiler & Blacka Expires September 9, 2010 [Page 5] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + erroneously contains NSEC and RRSIG. According to [RFC3755], DNS names in the RDATA of NSEC and RRSIG should not be downcased. 
@@ -273,14 +293,6 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 Section 5.2 of [RFC4035] includes rules for how to handle delegations to zones that are signed with entirely unsupported public key algorithms, as indicated by the key algorithms shown in those zone's - - - -Weiler & Blacka Expires March 9, 2010 [Page 5] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - DS RRsets. It does not explicitly address how to handle DS records that use unsupported message digest algorithms. In brief, DS records using unknown or unsupported message digest algorithms MUST be @@ -317,6 +329,14 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 If no private algorithms appear in the DS set or if any supported algorithm appears in the DS set, no special processing will be needed. In the remaining cases, the security status of the zone + + + +Weiler & Blacka Expires September 9, 2010 [Page 6] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + depends on whether or not the resolver supports any of the private algorithms in use (provided that these DS records use supported hash functions, as discussed in Section 4.2). In these cases, the @@ -329,14 +349,6 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 discussed in [RFC4035]. This clarification facilitates the broader use of private algorithms, - - - -Weiler & Blacka Expires March 9, 2010 [Page 6] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - as suggested by [RFC4955]. 4.4. Caution About Local Policy and Multiple RRSIGs 
@@ -369,14 +381,27 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 4.6. Setting the DO Bit on Replies - [RFC4035] does not provide any instructions to servers as to how to - set the DO bit. Some authoritative server implementations have - chosen to copy the DO bit settings from the incoming query to the - outgoing response. Others have chosen to never set the DO bit in - responses. Either behavior is permitted. To be clear, in replies to - queries with the DO-bit set servers may or may not set the DO bit. + As stated in [RFC3225], the DO bit of the query MUST be copied in the + response. At least one implementation has done something different, + so it may be wise for resolvers to be liberal in what they accept. -4.7. Setting the AD bit on Replies + + + +Weiler & Blacka Expires September 9, 2010 [Page 7] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + +4.7. Setting the AD Bit on Queries + + The use of the AD bit in the query was previously undefined. This + document defines it as a signal indicating that the requester + understands and is interested in the value of the AD bit in the + response. This allows a requestor to indicate that it understands + the AD bit without also requesting DNSSEC data via the DO bit. + +4.8. Setting the AD Bit on Replies Section 3.2.3 of [RFC4035] describes under which conditions a validating resolver should set or clear the AD bit in a response. In 
@@ -385,27 +410,29 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 conditions listed in RFC 4035, section 3.2.3, and the request contained either a set DO bit or a set AD bit. +4.9. Setting the CD bit on Requests + When processing a request with the CD bit set, a resolver SHOULD + attempt to return all responsive data, even data that has failed + DNSSEC validation. RFC4035 section 3.2.2 requires a resolver + processing a request with the CD bit set to set the CD bit on its + upstream queries. + The guidance in RFC4035 is ambiguous about what to do when a cached + response was obtained with the CD bit not set. In the typical case, + no new query is required, nor does the cache need to track the state + of the CD bit used to make a given query. The problem arises when + the cached response is a server failure (RCODE 2), which may indicate + that the requested data failed DNSSEC validation at an upstream + validating resolver. (RFC2308 permits caching of server failures for + up to five minutes.) In these cases, a new query with the CD bit set + is required. -Weiler & Blacka Expires March 9, 2010 [Page 7] - -Internet-Draft DNSSECbis Implementation Notes September 2009 + For efficiency, a validator may wish to set the CD bit on all + upstream queries when it has a trust anchor at or above the QNAME + (and thus can reasonably expect to be able to validate the response). - - Note that the use of the AD bit in the query was previously - undefined. This document defines it as a signal indicating that the - requester understands and is interested in the value of the AD bit in - the response. This allows a requestor to indicate that it - understands the AD bit without also requesting DNSSEC data via the DO - bit. - -4.8. Setting the CD bit on Requests - - When processing a request with the CD bit set, the resolver MUST set - the CD bit on its upstream queries. - -4.9. Nested Trust Anchors +4.10. 
Nested Trust Anchors A DNSSEC validator may be configured such that, for a given response, more than one trust anchor could be used to validate the chain of 
@@ -414,13 +441,95 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 When the validator is asked to validate a response to "www.sub.zone.example.", either trust anchor could apply. - When presented with this situation, DNSSEC validators SHOULD try all - applicable trust anchors until one succeeds. - There are some scenarios where different behaviors, such as choosing - the trust anchor closest to the QNAME of the response, may be - desired. A DNSSEC validator MAY enable such behaviors as - configurable overrides. + + +Weiler & Blacka Expires September 9, 2010 [Page 8] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + + When presented with this situation, DNSSEC validators have a choice + of which trust anchor(s) to use. Which to use is a matter of + implementation choice. It is possible and perhaps advisable to + expose the choice of policy as a configuration option. The rest of + this section discusses some possible policies. As a default, we + suggest that validators implement the "Accept Any Success" policy + described below in Section 4.10.2 while exposing other policies as + configuration options. + +4.10.1. Closest Encloser + + One policy is to choose the trust anchor closest to the QNAME of the + response. In our example, that would be the "zone.example." trust + anchor. + + This policy has the advantage of allowing the operator to trivially + override a parent zone's trust anchor with one that the operator can + validate in a stronger way, perhaps because the resolver operator is + affiliated with the zone in question. This policy also minimizes the + number of public key operations needed, which may be of benefit in + resource-constrained environments. + + This policy has the disadvantage of possibly giving the user some + unexpected and unnecessary validation failures when sub-zone trust + anchors are neglected. As a concrete example, consider a validator + that configured a trust anchor for "zone.example." 
in 2009 and one + for "example." in 2011. In 2012, "zone.example." rolls its KSK and + updates its DS records, but the validator operator doesn't update its + trust anchor. With the "closest encloser" policy, the validator gets + validation failures. + +4.10.2. Accept Any Success + + Another policy is to try all applicable trust anchors until one gives + a validation result of Secure, in which case the final validation + result is Secure. If and only if all applicable trust anchors give a + result of Insecure, the final validation result is Insecure. If one + or more trust anchors lead to a Bogus result and there is no Secure + result, then the final validation result is Bogus. + + This has the advantage of causing the fewer validation failures, + which may deliver a better user experience. If one trust anchor is + out of date (as in our above example), the user may still be able to + get a Secure validation result (and see DNS responses). + + This policy has the disadvantage of making the validator subject to + compromise of the weakest of these trust anchors while making its + relatively painless to keep old trust anchors configured in + + + +Weiler & Blacka Expires September 9, 2010 [Page 9] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + + perpetuity. + +4.10.3. Preference Based on Source + + When the trust anchors have come from different sources (e.g. + automated updates ([RFC5011]), one or more DLV registries + ([RFC5074]), and manually configured), a validator may wish to choose + between them based on the perceived reliability of those sources. + The order of precedence might be exposed as a configuration option. + + For example, a validator might choose to prefer trust anchors found + in a DLV registry over those manually configured on the theory that + the manually configured ones will not be as aggressively maintained. 
+ + Conversely, a validator might choose to prefer manually configured + trust anchors over those obtained from a DLV registry on the theory + that the manually configured ones have been more carefully + authenticated. + + Or the validator might do something more complicated: prefer a sub- + set of manually configured trust anchors (based on a configuration + option), then trust anchors that have been updated using the RFC5011 + mechanism, then trust anchors from one DLV registry, then trust + anchors from a different DLV registry, then the rest of the manually + configured trust anchors. 5. Minor Corrections and Clarifications @@ -438,23 +547,20 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 does not already have the parent's NS RRset. Section 4.2 of [RFC4035] specifies a mechanism for doing that. - - - - - - -Weiler & Blacka Expires March 9, 2010 [Page 8] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - 5.2. Clarifications on DNSKEY Usage Questions of the form "can I use a different DNSKEY for signing this RRset" have occasionally arisen. The short answer is "yes, absolutely". You can even use a different + + + +Weiler & Blacka Expires September 9, 2010 [Page 10] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + DNSKEY for each RRset in a zone, subject only to practical limits on the size of the DNSKEY RRset. However, be aware that there is no way to tell resolvers what a particularly DNSKEY is supposed to be used 
@@ -498,18 +604,19 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 However, the same section contains a regular expression: - - -Weiler & Blacka Expires March 9, 2010 [Page 9] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+ The plus sign in the regular expression indicates that there is one or more of the preceding element. This means that there must be at least one window block. If this window block has no types, it + + + +Weiler & Blacka Expires September 9, 2010 [Page 11] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + contradicts with the first statement. Therefore, the correct text in RFC 5155 3.2.1 should be: @@ -538,29 +645,19 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 8.1. Normative References - [I-D.ietf-dnsext-dnssec-rsasha256] - Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY - and RRSIG Resource Records for DNSSEC", - draft-ietf-dnsext-dnssec-rsasha256-14 (work in progress), - June 2009. - [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", - RFC 1034, STD 13, November 1987. + STD 13, RFC 1034, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", RFC 2119, BCP 14, March 1997. + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", + RFC 3225, December 2001. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005. - - -Weiler & Blacka Expires March 9, 2010 [Page 10] - -Internet-Draft DNSSECbis Implementation Notes September 2009 - - [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. 
@@ -569,6 +666,13 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. + + +Weiler & Blacka Expires September 9, 2010 [Page 12] + +Internet-Draft DNSSECbis Implementation Notes March 2010 + + [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)", RFC 4509, May 2006. @@ -576,6 +680,10 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, March 2008. + [RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY + and RRSIG Resource Records for DNSSEC", RFC 5702, + October 2009. + 8.2. Informative References [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation @@ -587,6 +695,12 @@ Internet-Draft DNSSECbis Implementation Notes September 2009 [RFC4955] Blacka, D., "DNS Security (DNSSEC) Experiments", RFC 4955, July 2007. + [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) + Trust Anchors", RFC 5011, September 2007. + + [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, + November 2007. + Appendix A. Acknowledgments 
@@ -607,22 +721,22 @@ Appendix A. Acknowledgments contributed text for Section 4.5. The bug relating to delegation NSEC RR's in Section 3.1 was found by - Roy Badami. Roy Arends found the related problem with DNAME. - -Weiler & Blacka Expires March 9, 2010 [Page 11] +Weiler & Blacka Expires September 9, 2010 [Page 13] -Internet-Draft DNSSECbis Implementation Notes September 2009 +Internet-Draft DNSSECbis Implementation Notes March 2010 + Roy Badami. Roy Arends found the related problem with DNAME. + The errors in the [RFC4035] examples were found by Roy Arends, who also contributed text for Section 5.3 of this document. - The editors would like to thank Ed Lewis, Danny Mayer, Olafur - Gudmundsson, Suzanne Woolf, and Scott Rose for their substantive - comments on the text of this document. + The editors would like to thank Alfred Hoenes, Ed Lewis, Danny Mayer, + Olafur Gudmundsson, Suzanne Woolf, and Scott Rose for their + substantive comments on the text of this document. Authors' Addresses @@ -666,7 +780,6 @@ Authors' Addresses - - -Weiler & Blacka Expires March 9, 2010 [Page 12] +Weiler & Blacka Expires September 9, 2010 [Page 14] +