Respinning to fix memory leak in dnssec-signzone. (Also adopting doc changes.)

Evan Hunt
2009-10-16 02:59:41 +00:00
parent 102ccdd2c0
commit 8f7de3db7e
7 changed files with 93 additions and 64 deletions


@@ -1,8 +1,8 @@
--- 9.7.0b1 released ---
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
--- 9.7.0b1 released ---
2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone


@@ -1,6 +1,6 @@
#define TRUSTED_KEYS "\
trusted-keys {\n\
# NOTE: This key is current as of September 2009.\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
@@ -9,7 +9,7 @@ trusted-keys {\n\
#define MANAGED_KEYS "\
managed-keys {\n\
# NOTE: This key is current as of September 2009.\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
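Review bot: The `# NOTE: This key is current as of October 2009.` line is now hand-maintained in three copies — the TRUSTED_KEYS string, the MANAGED_KEYS string, and the installed bind.keys file changed in the same commit — while the DLV key material itself is unchanged in all of them. Since this header is the trust anchor `named` falls back to when `dnssec-lookaside auto` is configured and bind.keys cannot be found, a reviewer needs to confirm that the three copies still agree, and nothing here makes that mechanical. Generating this header from bind.keys at build time, or at least adding a comment such as `/* Keep in sync with bind.keys; the key and date must match. */` above each string, would turn that into a checkable invariant rather than a manual diff. The date annotation is the only operator-visible signal that the key was re-verified, so a stale copy in one location is easy to miss.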


@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.42 2009/10/10 01:47:59 each Exp $ -->
<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -132,6 +132,15 @@ trusted-keys {
</literallayout>
</refsect1>
<refsect1>
<title>MANAGED-KEYS</title>
<literallayout>
managed-keys {
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
<refsect1>
<title>CONTROLS</title>
<literallayout>
@@ -273,6 +282,7 @@ options {
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
@@ -339,10 +349,17 @@ options {
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
deny-answer-aliases {
<replaceable>namelist</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
@@ -384,7 +401,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
trusted-keys {
<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
<optional>...</optional>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
@@ -545,13 +563,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-policy {
update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
tcp-self | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>; ...
};
tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>;
<optional>...</optional>
}</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;


@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.40 2009/08/26 21:34:44 jreed Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.41 2009/10/16 02:59:41 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Aug 25, 2009</date>
@@ -76,7 +76,7 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>nsupdate</command>
is used to submit Dynamic DNS Update requests as defined in RFC2136
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
@@ -118,8 +118,8 @@
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC2845 or the SIG(0) record described in RFC3535 and
RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -136,7 +136,12 @@
record in a zone served by the name server.
<command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
GSS-TSIG uses Kerberos credentials.
</para>
<para>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <option>-g</option> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <option>-o</option> flag.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
@@ -629,9 +634,9 @@
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
long-standing rule in RFC1034 that a name must not exist as any other
long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsect1>
@@ -687,27 +692,14 @@
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>RFC2136</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC3007</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2104</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2845</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC1034</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2535</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>RFC2931</refentrytitle>
</citerefentry>,
<para>
<citetitle>RFC 2136</citetitle>,
<citetitle>RFC 3007</citetitle>,
<citetitle>RFC 2104</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2931</citetitle>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@@ -718,8 +710,8 @@
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
<refsect1>
<title>BUGS</title>
<para>


@@ -1,5 +1,5 @@
managed-keys {
# NOTE: This key is current as of September 2009.
# NOTE: This key is current as of October 2009.
# If it fails to initialize correctly, it may have expired;
# see https://www.isc.org/solutions/dlv for a replacement.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";


@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.436 2009/10/14 12:49:11 jreed Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.437 2009/10/16 02:59:41 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -5509,24 +5509,42 @@ options {
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<command>dnssec-lookaside</command>, and the normal dnssec
<command>dnssec-lookaside</command>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be append to the key name and a DLV record will be
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS record
does) the DNSKEY RRset is deemed to be trusted.
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>auto</userinput>, then built-in default
values for the domain and trust anchor will be
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
</para>
<para>
NOTE: Since the built-in key may expire, it can be
overridden without recompiling <command>named</command>
by placing a new key in the file
<filename>bind.keys</filename>.
<para>
The default DLV key is stored in the file
<filename>bind.keys</filename>, which
<command>named</command> loads at startup if
<command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of that file is
installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded
from <ulink>https://www.isc.org/solutions/dlv</ulink>.
</para>
<para>
(To prevent problems if <filename>bind.keys</filename> is
not found, the current key is also compiled in to
<command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
to be recompiled with a new key when the DLV key expires.)
</para>
<para>
NOTE: Using <filename>bind.keys</filename> to store
locally-configured keys is possible, but not
recommended, as the file will be overwritten whenever
<acronym>BIND</acronym> 9 is re-installed or upgraded.
</para>
</listitem>
</varlistentry>


@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
* $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
*/
/*! \file */
@@ -1256,15 +1256,15 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
continue;
goto again;
/* Corrupted .key file? */
if (!dns_name_equal(origin, dst_key_name(pubkey)))
continue;
goto again;
if (public) {
addkey(keylist, &pubkey, savekeys, mctx);
continue;
goto again;
}
result = dst_key_fromfile(dst_key_name(pubkey),
@@ -1274,20 +1274,20 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
directory, mctx, &privkey);
if (result == ISC_R_FILENOTFOUND) {
addkey(keylist, &pubkey, savekeys, mctx);
continue;
goto again;
}
RETERR(result);
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&pubkey);
dst_key_free(&privkey);
continue;
}
/* This should never happen. */
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto again;
addkey(keylist, &privkey, savekeys, mctx);
dst_key_free(&pubkey);
again:
if (pubkey != NULL)
dst_key_free(&pubkey);
if (privkey != NULL)
dst_key_free(&privkey);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
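Review bot: The `RETERR(result);` just after the ISC_R_FILENOTFOUND branch still bypasses the new `again:` cleanup: when dst_key_fromfile fails with any other status, `pubkey` is still owned by this loop body, and RETERR (which, as elsewhere in BIND, presumably jumps to the function's failure label) only releases it if that label frees a non-NULL `pubkey` — the label is outside the hunk, so please confirm it does, or release locally with `if (result != ISC_R_SUCCESS) dst_key_free(&pubkey);` on the line before the RETERR. The `pubkey != NULL` / `privkey != NULL` checks at `again:` rely on `privkey` being NULL whenever dst_key_fromfile did not set it and on dst_key_free() nulling the pointer it is handed; both the initialisation before the loop and the reset at the end of the previous iteration are what prevent a double free here, and the initialisation is not visible in the hunk. With the cleanup centralised at `again:`, the explicit `dst_key_free(&pubkey);` immediately before the label is redundant and could be dropped for clarity. The `/* This should never happen. */` path silently discards both keys; a one-line log at the same level the file uses elsewhere would make a corrupted key file diagnosable instead of invisible. dns_dnssec_keylistfromrdataset begins and ends outside the hunk.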